Edit tour

Windows Analysis Report
6Sy6PrInNl.exe

Overview

General Information

Sample Name:	6Sy6PrInNl.exe
Analysis ID:	708240
MD5:	cd1ffe7c30311659ea1be07ed7923d65
SHA1:	310fcf3a43286785eb88d742f5deeae150c661e9
SHA256:	842342b4db7bbc84d8e4da35f8d79d8b76a52815b7a22272f331ba906d2dba6c
Tags:	exemorpheuspwtorun
Infos:

Detection

Score:	36
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Multi AV Scanner detection for submitted file

Uses 32bit PE files

Tries to load missing DLLs

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

File is packed with WinRar

Found evasive API chain (date check)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to communicate with device drivers

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample reads itself and does not show any behavior, likely it performs some host environment checks which are compared to an embedded key

Process Tree

System is w10x64

6Sy6PrInNl.exe (PID: 2800 cmdline: "C:\Users\user\Desktop\6Sy6PrInNl.exe" MD5: CD1FFE7C30311659EA1BE07ED7923D65)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 6Sy6PrInNl.exe	ReversingLabs: Detection: 27%
Source: 6Sy6PrInNl.exe	Virustotal: Detection: 30%			Perma Link

Source: 6Sy6PrInNl.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6Sy6PrInNl.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 6Sy6PrInNl.exe

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_011DA69B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011FB348 FindFirstFileExA,	0_2_011FB348
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_011EC220

Source: 6Sy6PrInNl.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Section loaded: dxgidebug.dll	Jump to behavior

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011D848E	0_2_011D848E
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011E7153	0_2_011E7153
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011F51C9	0_2_011F51C9
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011E4088	0_2_011E4088
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011E00B7	0_2_011E00B7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011D40FE	0_2_011D40FE
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011E43BF	0_2_011E43BF
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011E62CA	0_2_011E62CA
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011D32F7	0_2_011D32F7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011DC426	0_2_011DC426
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011FD440	0_2_011FD440
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011DF461	0_2_011DF461
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011E77EF	0_2_011E77EF
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011DE9B7	0_2_011DE9B7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_012019F4	0_2_012019F4
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011D286B	0_2_011D286B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011FD8EE	0_2_011FD8EE
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011E6CDC	0_2_011E6CDC
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011F4F9A	0_2_011F4F9A
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011DEFE2	0_2_011DEFE2
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011E3E0B	0_2_011E3E0B

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: String function: 011EEB78 appears 39 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: String function: 011EF5F0 appears 31 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: String function: 011EEC50 appears 56 times

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Code function: 0_2_011D6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_011D6FAA

Source: 6Sy6PrInNl.exe	ReversingLabs: Detection: 27%
Source: 6Sy6PrInNl.exe	Virustotal: Detection: 30%

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

File read: C:\Users\user\Desktop\6Sy6PrInNl.exe

Jump to behavior

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Code function: 0_2_011D6C74 GetLastError,FormatMessageW,

0_2_011D6C74

Source: 6Sy6PrInNl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Code function: 0_2_011EA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_011EA6C2

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Command line argument: sfxname	0_2_011EDF1E
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Command line argument: sfxstime	0_2_011EDF1E
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Command line argument: STARTDLG	0_2_011EDF1E

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_7003046

Jump to behavior

Source: classification engine

Classification label: sus36.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 6Sy6PrInNl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6Sy6PrInNl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6Sy6PrInNl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6Sy6PrInNl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6Sy6PrInNl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6Sy6PrInNl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 6Sy6PrInNl.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 6Sy6PrInNl.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 6Sy6PrInNl.exe

Source: 6Sy6PrInNl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6Sy6PrInNl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6Sy6PrInNl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6Sy6PrInNl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6Sy6PrInNl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011EF640 push ecx; ret		0_2_011EF653
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011EEB78 push eax; ret		0_2_011EEB96

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_7003046

Jump to behavior

Source: 6Sy6PrInNl.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23656

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Code function: 0_2_011EE6A3 VirtualQuery,GetSystemInfo,

0_2_011EE6A3

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_011DA69B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011FB348 FindFirstFileExA,	0_2_011FB348
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_011EC220

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

API call chain: ExitProcess graph end node

graph_0-23801

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Code function: 0_2_011EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_011EF838

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Code function: 0_2_011F7DEE mov eax, dword ptr fs:[00000030h]

0_2_011F7DEE

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Code function: 0_2_011FC030 GetProcessHeap,

0_2_011FC030

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011EF9D5 SetUnhandledExceptionFilter,	0_2_011EF9D5
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_011EF838
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011EFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_011EFBCA
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe	Code function: 0_2_011F8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_011F8EBD

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_011EAF0F

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Code function: 0_2_011E0723 cpuid

0_2_011E0723

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Code function: 0_2_011DB146 GetVersionExW,

0_2_011DB146

Source: C:\Users\user\Desktop\6Sy6PrInNl.exe

Code function: 0_2_011EDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle,

0_2_011EDF1E

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Software Packing	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
6Sy6PrInNl.exe	28%	ReversingLabs	Win32.Trojan.Generic
6Sy6PrInNl.exe	30%	Virustotal		Browse
6Sy6PrInNl.exe	11%	Metadefender		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	708240
Start date and time:	2022-09-23 07:56:16 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	6Sy6PrInNl.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus36.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.7% (good quality ratio 92%) Quality average: 78.4% Quality standard deviation: 29.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 110 Number of non-executed functions: 93
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): login.live.com, displaycatalog.mp.microsoft.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.143158241689354
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6Sy6PrInNl.exe
File size:	788504
MD5:	cd1ffe7c30311659ea1be07ed7923d65
SHA1:	310fcf3a43286785eb88d742f5deeae150c661e9
SHA256:	842342b4db7bbc84d8e4da35f8d79d8b76a52815b7a22272f331ba906d2dba6c
SHA512:	588e21a2cefabfa2d20364e7b62d9d3448cc3c7295b34fffb481b64837ef49cb36510c36a75a300338d0d2f4b8ac42120ef26e4dab30ec2b946ceaf60f560170
SSDEEP:	12288:zToPWBv/cpGrU3yKszraraEoMgF/FEJJSJx:zTbBv5rUazram5MIx
TLSH:	8BF4E10EBAC198B2D073D9321A356725A53CB9201F668ADFE3DC465FDB215C0E7317A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	008039c4c4384000

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007F2D8070A4FBh
jmp 00007F2D80709E0Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2D806FCC57h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F2D8070D29Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F2D80709F9Ch
push 0000000Ch
push esi
call 00007F2D80709559h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2D806FCBD2h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2D8070CD59h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2D80709F18h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2D8070CD3Ch
int3
jmp 00007F2D8070E7D7h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x4698c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xab000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0x4698c	0x46a00	False	0.07180586283185841	data	2.00213285276512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xab000	0x233c	0x2400	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
PNG	0x64524	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States
PNG	0x6506c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States
RT_ICON	0x66618	0x42028	data
RT_DIALOG	0xa8640	0x286	data	English	United States
RT_DIALOG	0xa88c8	0x13a	data	English	United States
RT_DIALOG	0xa8a04	0xec	data	English	United States
RT_DIALOG	0xa8af0	0x12e	data	English	United States
RT_DIALOG	0xa8c20	0x338	data	English	United States
RT_DIALOG	0xa8f58	0x252	data	English	United States
RT_STRING	0xa91ac	0x1e2	data	English	United States
RT_STRING	0xa9390	0x1cc	data	English	United States
RT_STRING	0xa955c	0x1b8	data	English	United States
RT_STRING	0xa9714	0x146	Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500	English	United States
RT_STRING	0xa985c	0x46c	data	English	United States
RT_STRING	0xa9cc8	0x166	data	English	United States
RT_STRING	0xa9e30	0x152	data	English	United States
RT_STRING	0xa9f84	0x10a	data	English	United States
RT_STRING	0xaa090	0xbc	data	English	United States
RT_STRING	0xaa14c	0xd6	data	English	United States
RT_GROUP_ICON	0xaa224	0x14	data
RT_MANIFEST	0xaa238	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: 6Sy6PrInNl.exePID: 2800, Parent PID: 1244

General

Target ID:	0
Start time:	07:57:12
Start date:	23/09/2022
Path:	C:\Users\user\Desktop\6Sy6PrInNl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6Sy6PrInNl.exe"
Imagebase:	0x11d0000
File size:	788504 bytes
MD5 hash:	CD1FFE7C30311659EA1BE07ED7923D65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 6Sy6PrInNl.exePID: 2800, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.7%
Total number of Nodes:	1380
Total number of Limit Nodes:	74

Executed Functions

Function 011EDF1E Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 011E0863: GetModuleHandleW.KERNEL32(kernel32), ref: 011E087C
Part of subcall function 011E0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 011E088E
Part of subcall function 011E0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 011E08BF

Part of subcall function 011EA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 011EA655

Part of subcall function 011EAC16: OleInitialize.OLE32(00000000), ref: 011EAC2F
Part of subcall function 011EAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 011EAC66
Part of subcall function 011EAC16: SHGetMalloc.SHELL32(01218438), ref: 011EAC70

GetCommandLineW.KERNEL32 ref: 011EDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 011EDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 011EDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 011EDFCE

Part of subcall function 011EDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 011EDBF4
Part of subcall function 011EDBDE: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 011EDC30

CloseHandle.KERNEL32(00000000), ref: 011EDFD7
GetModuleFileNameW.KERNEL32(00000000,0122EC90,00000800), ref: 011EDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,0122EC90), ref: 011EDFFE
GetLocalTime.KERNEL32(?), ref: 011EE009
_swprintf.LIBCMT ref: 011EE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 011EE05A
GetModuleHandleW.KERNEL32(00000000), ref: 011EE061
LoadIconW.USER32(00000000,00000064), ref: 011EE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 011EE0C9
Sleep.KERNEL32(?), ref: 011EE0F7
CloseHandle.KERNEL32 ref: 011EE183

Strings

sfxname, xrefs: 011EDFF9
sfxstime, xrefs: 011EE055
STARTDLG, xrefs: 011EE0BE
C:\Users\user\Desktop, xrefs: 011EDF33
winrarsfxmappingfile.tmp, xrefs: 011EDF77
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 011EE039

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 2914129315-3743209390
Opcode ID: e98551319a8e260fb6e8cba51a2ff77daa3759c519ceae22c2e80a70a1f1858d
Instruction ID: ebe50558fcef2769d552349f0286be4144dc1de0d92ae0ea12c21df26c1e0504
Opcode Fuzzy Hash: e98551319a8e260fb6e8cba51a2ff77daa3759c519ceae22c2e80a70a1f1858d
Instruction Fuzzy Hash: 7361C071A04605AFD739EFF5B84CF6B7BE8BB68708F000419FA4592185EB749944C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 011EA6C2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E011EA6C2(WCHAR* _a4) {
				char _v4;
				char _v8;
				char _v20;
				intOrPtr* _v28;
				void* __ecx;
				void* _t17;
				void* _t18;
				void* _t19;
				intOrPtr* _t27;
				char* _t34;
				void* _t36;
				void* _t38;
				intOrPtr* _t39;
				long _t44;
				intOrPtr* _t45;
				struct HRSRC__* _t46;

				_t46 = FindResourceW( *0x1211028, _a4, "PNG");
				if(_t46 == 0) {
					L15:
					return 0;
				}
				_t44 = SizeofResource( *0x1211028, _t46);
				if(_t44 == 0) {
					goto L15;
				}
				_t17 = LoadResource( *0x1211028, _t46);
				if(_t17 == 0) {
					goto L15;
				}
				_t18 = LockResource(_t17);
				_t47 = _t18;
				if(_t18 == 0) {
					goto L15;
				}
				_v4 = 0;
				_t19 = GlobalAlloc(2, _t44); // executed
				_t36 = _t19;
				if(_t36 == 0) {
					L14:
					return _v4;
				}
				if(GlobalLock(_t36) == 0) {
					L13:
					GlobalFree(_t36);
					goto L14;
				}
				E011F0320(_t21, _t47, _t44);
				_v8 = 0;
				_push( &_v8);
				_push(0);
				_push(_t36);
				if( *0x1233180() == 0) {
					_t27 = E011EA626(_t25, _t38, _v20, 0); // executed
					_t39 = _v28;
					_t45 = _t27;
					 *0x1203278(_t39);
					 *((intOrPtr*)( *((intOrPtr*)( *_t39 + 8))))();
					if(_t45 != 0) {
						 *((intOrPtr*)(_t45 + 8)) = 0;
						if( *((intOrPtr*)(_t45 + 8)) == 0) {
							_push(0xffffff);
							_t34 =  &_v20;
							_push(_t34);
							_push( *((intOrPtr*)(_t45 + 4)));
							L011EEB26(); // executed
							if(_t34 != 0) {
								 *((intOrPtr*)(_t45 + 8)) = _t34;
							}
						}
						 *0x1203278(1);
						 *((intOrPtr*)( *((intOrPtr*)( *_t45))))();
					}
				}
				GlobalUnlock(_t36);
				goto L13;
			}

0x011ea6db
0x011ea6df
0x011ea7db
0x00000000
0x011ea7db
0x011ea6f2
0x011ea6f6
0x00000000
0x00000000
0x011ea703
0x011ea70b
0x00000000
0x00000000
0x011ea712
0x011ea718
0x011ea71c
0x00000000
0x00000000
0x011ea729
0x011ea72d
0x011ea733
0x011ea737
0x011ea7d3
0x00000000
0x011ea7d8
0x011ea746
0x011ea7cc
0x011ea7cd
0x00000000
0x011ea7cd
0x011ea74f
0x011ea757
0x011ea75f
0x011ea760
0x011ea761
0x011ea76a
0x011ea771
0x011ea776
0x011ea77a
0x011ea784
0x011ea78a
0x011ea78e
0x011ea793
0x011ea798
0x011ea79a
0x011ea79f
0x011ea7a3
0x011ea7a4
0x011ea7a7
0x011ea7ae
0x011ea7b0
0x011ea7b0
0x011ea7ae
0x011ea7bb
0x011ea7c3
0x011ea7c3
0x011ea78e
0x011ea7c6
0x00000000

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,011EB73D,00000066), ref: 011EA6D5
SizeofResource.KERNEL32(00000000,?,?,?,011EB73D,00000066), ref: 011EA6EC
LoadResource.KERNEL32(00000000,?,?,?,011EB73D,00000066), ref: 011EA703
LockResource.KERNEL32(00000000,?,?,?,011EB73D,00000066), ref: 011EA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,011EB73D,00000066), ref: 011EA72D
GlobalLock.KERNEL32 ref: 011EA73E
GlobalUnlock.KERNEL32(00000000), ref: 011EA7C6

Part of subcall function 011EA626: GdipAlloc.GDIPLUS(00000010), ref: 011EA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 011EA7A7
GlobalFree.KERNEL32 ref: 011EA7CD

Strings

PNG, xrefs: 011EA6C6

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: c1f8b3de7b117905021bab5aef38df7a367e11fcc4ea10fbc7e6d9a3a0e7e62e
Instruction ID: 87ff8a43180b6028edebfdad0f6f01424196999b862c7afba060cafca7668c43
Opcode Fuzzy Hash: c1f8b3de7b117905021bab5aef38df7a367e11fcc4ea10fbc7e6d9a3a0e7e62e
Instruction Fuzzy Hash: 6E316276A00B02AFD725DF65FC8C91BBFF9FF89650B040619F90683615DB32D8148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 011DA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E011DA69B(void* _a4, WCHAR* _a8, intOrPtr _a12) {
				intOrPtr _v572;
				intOrPtr _v580;
				intOrPtr _v588;
				struct _WIN32_FIND_DATAW _v596;
				short _v4692;
				int _t44;
				int _t49;
				signed int _t61;
				signed int _t62;
				void* _t63;
				long _t66;
				signed int _t78;
				void* _t79;
				intOrPtr _t80;
				void* _t81;

				E011EEC50(0x1250);
				_t81 = _a4;
				_t79 = _t78 | 0xffffffff;
				_push( &_v596);
				if(_t81 != _t79) {
					_t44 = FindNextFileW(_t81, ??);
					__eflags = _t44;
					if(_t44 != 0) {
						L12:
						_t80 = _a12;
						E011E0602(_t80, _a8, 0x800);
						_push(0x800);
						E011DC310(__eflags, _t80,  &(_v596.cFileName));
						_t49 = 0 + _v596.nFileSizeLow;
						__eflags = _t49;
						 *(_t80 + 0x1000) = _t49;
						asm("adc ecx, 0x0");
						 *(_t80 + 0x1008) = _v596.dwFileAttributes;
						 *((intOrPtr*)(_t80 + 0x1004)) = _v596.nFileSizeHigh;
						 *((intOrPtr*)(_t80 + 0x1028)) = _v596.ftCreationTime;
						 *((intOrPtr*)(_t80 + 0x102c)) = _v588;
						 *((intOrPtr*)(_t80 + 0x1030)) = _v596.ftLastAccessTime;
						 *((intOrPtr*)(_t80 + 0x1034)) = _v580;
						 *((intOrPtr*)(_t80 + 0x1038)) = _v596.ftLastWriteTime;
						 *((intOrPtr*)(_t80 + 0x103c)) = _v572;
						E011E15DA(_t80 + 0x1010,  &(_v596.ftLastWriteTime));
						E011E15DA(_t80 + 0x1018,  &(_v596.ftCreationTime));
						E011E15DA(_t80 + 0x1020,  &(_v596.ftLastAccessTime));
						L13:
						 *(_t80 + 0x1040) =  *(_t80 + 0x1040) & 0x00000000;
						return _t81;
					}
					_t81 = _t79;
					_t61 = GetLastError();
					__eflags = _t61 - 0x12;
					_t62 = _t61 & 0xffffff00 | _t61 != 0x00000012;
					L9:
					_t80 = _a12;
					 *(_t80 + 0x1044) = _t62;
					goto L13;
				}
				_t63 = FindFirstFileW(_a8, ??); // executed
				_t81 = _t63;
				if(_t81 != _t79) {
					goto L12;
				}
				if(E011DBB03(_a8,  &_v4692, 0x800) == 0) {
					L4:
					_t66 = GetLastError();
					if(_t66 == 2 || _t66 == 3 || _t66 == 0x12) {
						_t62 = 0;
						__eflags = 0;
					} else {
						_t62 = 1;
					}
					goto L9;
				}
				_t81 = FindFirstFileW( &_v4692,  &_v596);
				if(_t81 != _t79) {
					goto L12;
				}
				goto L4;
			}

0x011da6a3
0x011da6aa
0x011da6b4
0x011da6bc
0x011da6bf
0x011da728
0x011da72e
0x011da730
0x011da742
0x011da742
0x011da74a
0x011da74f
0x011da758
0x011da765
0x011da765
0x011da76b
0x011da777
0x011da77a
0x011da786
0x011da792
0x011da79e
0x011da7aa
0x011da7b6
0x011da7c2
0x011da7ce
0x011da7db
0x011da7ed
0x011da7ff
0x011da804
0x011da804
0x011da811
0x011da811
0x011da732
0x011da734
0x011da73a
0x011da73d
0x011da719
0x011da719
0x011da71c
0x00000000
0x011da71c
0x011da6c4
0x011da6ca
0x011da6ce
0x00000000
0x00000000
0x011da6e2
0x011da6fe
0x011da6fe
0x011da707
0x011da717
0x011da717
0x011da713
0x011da713
0x011da713
0x00000000
0x011da707
0x011da6f8
0x011da6fc
0x00000000
0x00000000
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,011DA592,000000FF,?,?), ref: 011DA6C4

Part of subcall function 011DBB03: _wcslen.LIBCMT ref: 011DBB27

FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,011DA592,000000FF,?,?), ref: 011DA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,011DA592,000000FF,?,?), ref: 011DA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,011DA592,000000FF,?,?), ref: 011DA728
GetLastError.KERNEL32(?,?,?,?,011DA592,000000FF,?,?), ref: 011DA734

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: d22e52481c0a12d8837fe7cfff567a27c26f9d6d1bb3b5447b5d497e788efcf9
Instruction ID: 8fabd59316af77cc984003830ff2e9b4a5ec9a8d4a1004593bbb68a17f39f549
Opcode Fuzzy Hash: d22e52481c0a12d8837fe7cfff567a27c26f9d6d1bb3b5447b5d497e788efcf9
Instruction Fuzzy Hash: 5E419372901515AFCB29DF68DC88AEAB7B9FF48350F054296E55EE3200D734AE94CF90

Uniqueness

Uniqueness Score: -1.00%

Function 011D848E Relevance: 2.5, APIs: 1, Instructions: 960
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E011D848E(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t383;
				signed int _t387;
				signed int _t392;
				signed int _t398;
				void* _t400;
				signed int _t401;
				signed int _t405;
				signed int _t406;
				intOrPtr _t407;
				signed int _t411;
				signed int _t416;
				signed int _t417;
				signed int _t421;
				signed int _t431;
				signed int _t432;
				signed int _t435;
				signed int _t436;
				signed int _t442;
				signed int _t445;
				signed int _t446;
				char _t448;
				signed int _t449;
				signed int _t473;
				signed int _t482;
				intOrPtr _t485;
				signed int _t495;
				char _t500;
				char _t501;
				void* _t508;
				void* _t515;
				void* _t517;
				signed int _t525;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t534;
				signed int _t536;
				signed int _t543;
				signed int _t552;
				signed int _t554;
				signed int _t556;
				signed int _t558;
				signed char _t559;
				signed int _t562;
				void* _t567;
				signed int _t573;
				intOrPtr* _t582;
				signed int _t585;
				signed int _t586;
				signed int _t595;
				signed int _t596;
				intOrPtr _t599;
				signed int _t602;
				signed int _t611;
				signed int _t613;
				signed int _t616;
				signed int _t619;
				signed int _t621;
				signed int _t622;
				signed int _t624;
				signed int _t625;
				signed int _t628;
				void* _t637;
				intOrPtr _t645;
				char _t646;
				signed int _t649;
				signed int _t650;
				void* _t657;
				void* _t658;
				signed int _t675;
				intOrPtr _t686;
				void* _t688;
				signed int _t689;
				signed int _t690;
				signed int _t691;
				signed int _t692;
				signed int _t695;
				intOrPtr _t697;
				signed int _t702;
				signed int _t704;
				signed int _t707;
				void* _t712;
				signed int _t713;
				signed int _t716;
				signed int _t717;
				void* _t719;
				void* _t721;
				void* _t723;
				void* _t725;

				E011EEB78(0x1202858, _t721);
				E011EEC50(0x60ac);
				_t582 =  *((intOrPtr*)(_t721 + 8));
				_t684 = 0;
				_t697 = __ecx;
				 *((intOrPtr*)(_t721 - 0x1c)) = __ecx;
				_t585 =  *( *((intOrPtr*)(__ecx + 8)) + 0x92fa) & 0x0000ffff;
				 *(_t721 - 0x18) = _t585;
				if( *((intOrPtr*)(_t721 + 0xc)) != 0) {
					_t704 = __ecx + 0x10;
					 *(_t721 - 0x20) = _t704;
					L5:
					_t383 =  *((intOrPtr*)(_t582 + 0x21f4));
					if(_t383 == 2) {
						 *(_t697 + 0x10ff) = _t684;
						__eflags =  *(_t582 + 0x32f4) - _t684;
						if(__eflags > 0) {
							L22:
							__eflags =  *(_t582 + 0x32fc) - _t684;
							if(__eflags > 0) {
								L26:
								_t586 =  *(_t697 + 8);
								__eflags =  *((intOrPtr*)(_t586 + 0x7164)) - _t684;
								if( *((intOrPtr*)(_t586 + 0x7164)) != _t684) {
									L29:
									 *(_t721 - 0x13) = _t684;
									_t37 = _t721 - 0x60b8; // -22712
									_t38 = _t721 - 0x13; // 0x7ed
									_t387 = E011D5D1A(_t582 + 0x2298, _t38, 6, _t684, _t37, 0x800);
									__eflags = _t387;
									 *(_t721 - 0x11) = _t387 != 0;
									__eflags = _t387;
									if(_t387 != 0) {
										__eflags =  *(_t721 - 0x13);
										if( *(_t721 - 0x13) == 0) {
											__eflags = 0;
											 *((char*)(_t697 + 0xf9)) = 0;
										}
									}
									E011D2112(_t582);
									_push(0x800);
									_t43 = _t721 - 0x30b8; // -10424
									_push(_t582 + 0x22c0);
									E011DB76C(_t582);
									__eflags =  *((char*)(_t582 + 0x338b));
									 *(_t721 - 0x24) = 1;
									if( *((char*)(_t582 + 0x338b)) == 0) {
										_t392 = E011D2209(_t582);
										__eflags = _t392;
										if(_t392 == 0) {
											_t559 =  *(_t697 + 8);
											__eflags = 1 -  *((intOrPtr*)(_t559 + 0x82c4));
											asm("sbb al, al");
											_t61 = _t721 - 0x11;
											 *_t61 =  *(_t721 - 0x11) &  !_t559;
											__eflags =  *_t61;
										}
									} else {
										_t562 =  *( *(_t697 + 8) + 0x82c4);
										__eflags = _t562 - 1;
										if(_t562 != 1) {
											__eflags =  *(_t721 - 0x13);
											if( *(_t721 - 0x13) == 0) {
												__eflags = _t562;
												 *(_t721 - 0x11) =  *(_t721 - 0x11) & (_t562 & 0xffffff00 | _t562 == 0x00000000) - 0x00000001;
												_push(0);
												_t54 = _t721 - 0x30b8; // -10424
												_t567 = E011DC249(_t54);
												_t675 =  *(_t697 + 8);
												__eflags =  *((intOrPtr*)(_t675 + 0x82c4)) - 1 - _t567;
												if( *((intOrPtr*)(_t675 + 0x82c4)) - 1 != _t567) {
													 *(_t721 - 0x11) = 0;
												} else {
													_t57 = _t721 - 0x30b8; // -10424
													_push(1);
													E011DC249(_t57);
												}
											}
										}
									}
									 *((char*)(_t697 + 0x67)) =  *((intOrPtr*)(_t582 + 0x3331));
									 *((char*)(_t697 + 0x68)) = 0;
									asm("sbb eax, [ebx+0x32f4]");
									 *0x1203278( *((intOrPtr*)(_t582 + 0x6cc0)) -  *(_t582 + 0x32f0),  *((intOrPtr*)(_t582 + 0x6cc4)), 0);
									 *((intOrPtr*)( *_t582 + 0x10))();
									_t685 = 0;
									_t398 = 0;
									_t595 = 0;
									 *(_t721 - 0xd) = 0;
									 *(_t721 - 0x28) = 0;
									__eflags =  *(_t582 + 0x3333);
									if( *(_t582 + 0x3333) == 0) {
										L44:
										__eflags =  *(_t721 - 0x11) - _t595;
										if( *(_t721 - 0x11) != _t595) {
											L47:
											_t707 =  *(_t721 - 0x18);
											_t596 =  *((intOrPtr*)( *(_t697 + 8) + 0x7201));
											_t400 = 0x49;
											__eflags = _t596;
											if(_t596 == 0) {
												L49:
												_t401 = _t685;
												L50:
												__eflags = _t596;
												_t88 = _t721 - 0x30b8; // -10424
												_t405 = L011E1B7F(_t596, _t88, (_t401 & 0xffffff00 | _t596 == 0x00000000) & 0x000000ff, _t401,  *(_t721 - 0x28)); // executed
												__eflags = _t405;
												if(__eflags == 0) {
													L14:
													_t406 = 0;
													__eflags = 0;
													L15:
													 *[fs:0x0] =  *((intOrPtr*)(_t721 - 0xc));
													return _t406;
												}
												_push(0x800);
												_t407 = _t697 + 0x1100;
												_push(_t407);
												 *((intOrPtr*)(_t721 - 0x38)) = _t407;
												_t91 = _t721 - 0x30b8; // -10424
												_push(_t582);
												E011D8167(__eflags);
												__eflags =  *(_t721 - 0xd);
												if( *(_t721 - 0xd) != 0) {
													L54:
													 *(_t721 - 0xe) = 0;
													L55:
													_t411 =  *(_t697 + 8);
													_t599 = 0x45;
													__eflags =  *((char*)(_t411 + 0x715b));
													_t686 = 0x58;
													 *((intOrPtr*)(_t721 - 0x34)) = _t599;
													 *((intOrPtr*)(_t721 - 0x30)) = _t686;
													if( *((char*)(_t411 + 0x715b)) != 0) {
														L57:
														__eflags = _t707 - _t599;
														if(_t707 == _t599) {
															L59:
															_t102 = _t721 - 0x20b8; // -6328
															E011D6EDB(_t102);
															_push(0);
															_t103 = _t721 - 0x20b8; // -6328
															_t416 = E011DA56D(_t102, __eflags, _t697 + 0x1100, _t103);
															__eflags = _t416;
															if(_t416 == 0) {
																_t417 =  *(_t697 + 8);
																__eflags =  *((char*)(_t417 + 0x715b));
																_t114 = _t721 - 0xe;
																 *_t114 =  *(_t721 - 0xe) & (_t417 & 0xffffff00 |  *((char*)(_t417 + 0x715b)) != 0x00000000) - 0x00000001;
																__eflags =  *_t114;
																L65:
																_t116 = _t721 - 0x30b8; // -10424
																_t421 = E011D7C0D(_t582, _t116);
																__eflags = _t421;
																if(_t421 != 0) {
																	while(1) {
																		__eflags =  *(_t582 + 0x3333);
																		if( *(_t582 + 0x3333) == 0) {
																			goto L69;
																		}
																		_t121 = _t721 - 0x30b8; // -10424
																		_t552 = E011D8117(_t697, _t582, _t121); // executed
																		__eflags = _t552;
																		if(_t552 == 0) {
																			 *((char*)(_t697 + 0x2100)) = 1;
																			goto L14;
																		}
																		L69:
																		_t123 = _t721 - 0x1174; // -2420
																		_t602 = 0x40;
																		memcpy(_t123,  *(_t697 + 8) + 0x6024, _t602 << 2);
																		_t725 = _t723 + 0xc;
																		asm("movsw");
																		_t125 = _t721 - 0x2c; // 0x7d4
																		 *(_t721 - 4) = 0;
																		asm("sbb ecx, ecx");
																		_t132 = _t721 - 0x1174; // -2420
																		E011DD051( *(_t721 - 0x20), 0,  *((intOrPtr*)(_t582 + 0x3334)), _t132,  ~( *(_t582 + 0x3338) & 0x000000ff) & _t582 + 0x00003339, _t582 + 0x3349,  *((intOrPtr*)(_t582 + 0x3384)), _t582 + 0x3363, _t125);
																		__eflags =  *(_t582 + 0x3333);
																		if( *(_t582 + 0x3333) == 0) {
																			L77:
																			_t697 =  *((intOrPtr*)(_t721 - 0x1c));
																			L78:
																			 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
																			_t153 = _t721 - 0x1174; // -2420
																			L011DF204(_t153);
																			_t154 = _t721 - 0x1070; // -2160
																			E011D9556(_t154);
																			_t611 =  *(_t582 + 0x3398);
																			_t431 = 1;
																			 *(_t721 - 0x20) = _t611;
																			 *(_t721 - 4) = 1;
																			_t688 = 0x50;
																			__eflags = _t611;
																			if(_t611 == 0) {
																				L88:
																				_t432 = E011D2209(_t582);
																				__eflags = _t432;
																				if(_t432 == 0) {
																					_t613 =  *(_t721 - 0xe);
																					__eflags = _t613;
																					if(_t613 == 0) {
																						L98:
																						_t431 = 1;
																						__eflags = 1;
																						L99:
																						__eflags =  *(_t582 + 0x6ccc);
																						if(__eflags == 0) {
																							__eflags = _t613;
																							if(_t613 == 0) {
																								L218:
																								 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
																								_t368 = _t721 - 0x1070; // -2160
																								_t398 = E011D959A(_t368);
																								__eflags =  *(_t721 - 0x11);
																								_t595 =  *(_t721 - 0xe);
																								_t689 =  *(_t721 - 0xd);
																								if( *(_t721 - 0x11) != 0) {
																									_t372 = _t697 + 0xf4;
																									 *_t372 =  *(_t697 + 0xf4) + 1;
																									__eflags =  *_t372;
																								}
																								L220:
																								__eflags =  *((char*)(_t697 + 0x68));
																								if( *((char*)(_t697 + 0x68)) != 0) {
																									goto L14;
																								}
																								__eflags = _t595;
																								if(_t595 != 0) {
																									L17:
																									_t406 = 1;
																									goto L15;
																								}
																								__eflags =  *(_t582 + 0x6ccc) - _t595;
																								if( *(_t582 + 0x6ccc) == _t595) {
																									L9:
																									E011D1F47(_t582);
																									goto L17;
																								}
																								__eflags = _t689;
																								_t406 = _t398 & 0xffffff00 | _t689 != 0x00000000;
																								goto L15;
																							}
																							L104:
																							_t616 =  *(_t721 - 0x18);
																							L105:
																							_t435 =  *(_t697 + 8);
																							__eflags =  *((char*)(_t435 + 0x7201));
																							if( *((char*)(_t435 + 0x7201)) == 0) {
																								L107:
																								_t436 =  *(_t721 - 0xd);
																								__eflags = _t436;
																								if(_t436 != 0) {
																									L112:
																									 *((char*)(_t721 - 0x12)) = 1;
																									__eflags = _t436;
																									if(_t436 != 0) {
																										L114:
																										 *((intOrPtr*)(_t697 + 0xf0)) =  *((intOrPtr*)(_t697 + 0xf0)) + 1;
																										 *((intOrPtr*)(_t697 + 0x80)) = 0;
																										 *((intOrPtr*)(_t697 + 0x84)) = 0;
																										 *((intOrPtr*)(_t697 + 0x88)) = 0;
																										 *((intOrPtr*)(_t697 + 0x8c)) = 0;
																										E011DAB1A(_t697 + 0xd0, _t688,  *((intOrPtr*)(_t582 + 0x3308)),  *((intOrPtr*)( *(_t697 + 8) + 0x92e0)));
																										E011DAB1A(_t697 + 0xa8, _t688,  *((intOrPtr*)(_t582 + 0x3308)),  *((intOrPtr*)( *(_t697 + 8) + 0x92e0)));
																										_t442 =  *(_t582 + 0x32f0);
																										_t712 = _t697 + 0x10;
																										_t619 =  *(_t582 + 0x32f4);
																										 *(_t697 + 0x38) = _t442;
																										 *(_t697 + 0x30) = _t442;
																										_t222 = _t721 - 0x1070; // -2160
																										 *(_t697 + 0x3c) = _t619;
																										 *(_t697 + 0x34) = _t619;
																										E011DD099(_t712, _t582, _t222);
																										_t621 =  *((intOrPtr*)(_t721 - 0x12));
																										_t690 = 0;
																										_t445 =  *(_t721 - 0xd);
																										 *((char*)(_t697 + 0x41)) = _t621;
																										 *((char*)(_t697 + 0x42)) = _t445;
																										 *(_t721 - 0x28) = 0;
																										 *(_t721 - 0x24) = 0;
																										__eflags = _t621;
																										if(_t621 != 0) {
																											L132:
																											_t622 =  *(_t697 + 8);
																											__eflags =  *((char*)(_t622 + 0x71a0));
																											 *((char*)(_t721 - 0x1053)) =  *((char*)(_t622 + 0x71a0)) == 0;
																											__eflags =  *((char*)(_t721 - 0x12));
																											if( *((char*)(_t721 - 0x12)) != 0) {
																												L136:
																												_t446 = _t690;
																												 *((char*)(_t721 - 0x10)) = _t690;
																												L137:
																												__eflags =  *(_t721 - 0x20);
																												 *((char*)(_t721 - 0x14)) = 1;
																												 *((char*)(_t721 - 0xf)) = 1;
																												if( *(_t721 - 0x20) == 0) {
																													__eflags =  *(_t582 + 0x3330);
																													if( *(_t582 + 0x3330) == 0) {
																														__eflags =  *((char*)(_t582 + 0x22b8));
																														if(__eflags != 0) {
																															_push( *(_t582 + 0x3388) & 0x000000ff);
																															_push( *((intOrPtr*)(_t582 + 0x338c)));
																															E011E3377(_t582,  *((intOrPtr*)(_t697 + 0xe8)));
																															_t485 =  *((intOrPtr*)(_t697 + 0xe8));
																															 *(_t485 + 0x4c48) =  *(_t582 + 0x32f8);
																															__eflags = 0;
																															 *(_t485 + 0x4c4c) =  *(_t582 + 0x32fc);
																															 *((char*)(_t485 + 0x4c60)) = 0;
																															E011E3020( *((intOrPtr*)(_t697 + 0xe8)),  *((intOrPtr*)(_t582 + 0x22b4)),  *(_t582 + 0x3388) & 0x000000ff);
																														} else {
																															_push( *(_t582 + 0x32fc));
																															_push( *(_t582 + 0x32f8));
																															_push(_t712);
																															E011D9215(_t582, _t697, __eflags);
																														}
																													}
																													L169:
																													E011D1F47(_t582);
																													__eflags =  *((char*)(_t582 + 0x3331));
																													if( *((char*)(_t582 + 0x3331)) != 0) {
																														L172:
																														_t448 = 0;
																														__eflags = 0;
																														_t624 = 0;
																														L173:
																														__eflags =  *(_t582 + 0x3388);
																														if( *(_t582 + 0x3388) != 0) {
																															__eflags =  *((char*)(_t582 + 0x22b8));
																															if( *((char*)(_t582 + 0x22b8)) == 0) {
																																L181:
																																__eflags =  *(_t721 - 0xd);
																																 *((char*)(_t721 - 0x10)) = _t448;
																																if( *(_t721 - 0xd) != 0) {
																																	L191:
																																	__eflags =  *(_t721 - 0x20);
																																	_t691 =  *((intOrPtr*)(_t721 - 0xf));
																																	if( *(_t721 - 0x20) == 0) {
																																		L195:
																																		_t625 = 0;
																																		__eflags = 0;
																																		L196:
																																		__eflags =  *((char*)(_t721 - 0x12));
																																		if( *((char*)(_t721 - 0x12)) != 0) {
																																			goto L218;
																																		}
																																		_t713 =  *(_t721 - 0x18);
																																		__eflags = _t713 -  *((intOrPtr*)(_t721 - 0x30));
																																		if(_t713 ==  *((intOrPtr*)(_t721 - 0x30))) {
																																			L199:
																																			__eflags =  *(_t721 - 0x20);
																																			if( *(_t721 - 0x20) == 0) {
																																				L203:
																																				__eflags = _t448;
																																				if(_t448 == 0) {
																																					L206:
																																					__eflags = _t625;
																																					if(_t625 != 0) {
																																						L214:
																																						_t449 =  *(_t697 + 8);
																																						__eflags =  *((char*)(_t449 + 0x71a8));
																																						if( *((char*)(_t449 + 0x71a8)) == 0) {
																																							_t714 = _t697 + 0x1100;
																																							__eflags = E011DA4ED(_t697 + 0x1100,  *((intOrPtr*)(_t582 + 0x22bc)));
																																							if(__eflags == 0) {
																																								E011D2021(__eflags, 0x11, _t582 + 0x32, _t714);
																																								E011D6DCB(0x1211098, __eflags);
																																							}
																																						}
																																						 *(_t697 + 0x10ff) = 1;
																																						goto L218;
																																					}
																																					_t692 =  *(_t721 - 0x24);
																																					__eflags = _t692;
																																					_t628 =  *(_t721 - 0x28);
																																					if(_t692 > 0) {
																																						L209:
																																						__eflags = _t448;
																																						if(_t448 != 0) {
																																							L212:
																																							_t341 = _t721 - 0x1070; // -2160
																																							E011D9F09(_t341);
																																							L213:
																																							_t702 = _t582 + 0x32d8;
																																							asm("sbb eax, eax");
																																							asm("sbb ecx, ecx");
																																							asm("sbb eax, eax");
																																							_t349 = _t721 - 0x1070; // -2160
																																							E011D9DA2(_t349, _t582 + 0x32e8,  ~( *( *(_t697 + 8) + 0x82d0)) & _t702,  ~( *( *(_t697 + 8) + 0x82d4)) & _t582 + 0x000032e0,  ~( *( *(_t697 + 8) + 0x82d8)) & _t582 + 0x000032e8);
																																							_t350 = _t721 - 0x1070; // -2160
																																							E011D9620(_t350);
																																							E011D7A78( *((intOrPtr*)(_t721 - 0x1c)),  *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)), _t582,  *((intOrPtr*)(_t721 - 0x38)));
																																							asm("sbb eax, eax");
																																							asm("sbb eax, eax");
																																							__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702;
																																							E011D9D9F( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d8)) & _t582 + 0x000032e8);
																																							_t697 =  *((intOrPtr*)(_t721 - 0x1c));
																																							goto L214;
																																						}
																																						__eflags =  *((intOrPtr*)(_t697 + 0x88)) - _t628;
																																						if( *((intOrPtr*)(_t697 + 0x88)) != _t628) {
																																							goto L212;
																																						}
																																						__eflags =  *((intOrPtr*)(_t697 + 0x8c)) - _t692;
																																						if( *((intOrPtr*)(_t697 + 0x8c)) == _t692) {
																																							goto L213;
																																						}
																																						goto L212;
																																					}
																																					__eflags = _t628;
																																					if(_t628 == 0) {
																																						goto L213;
																																					}
																																					goto L209;
																																				}
																																				_t473 =  *(_t697 + 8);
																																				__eflags =  *((char*)(_t473 + 0x71a0));
																																				if( *((char*)(_t473 + 0x71a0)) == 0) {
																																					goto L218;
																																				}
																																				_t448 =  *((intOrPtr*)(_t721 - 0x10));
																																				goto L206;
																																			}
																																			__eflags = _t625;
																																			if(_t625 != 0) {
																																				goto L203;
																																			}
																																			__eflags =  *(_t582 + 0x3398) - 5;
																																			if( *(_t582 + 0x3398) != 5) {
																																				goto L218;
																																			}
																																			__eflags = _t691;
																																			if(_t691 == 0) {
																																				goto L218;
																																			}
																																			goto L203;
																																		}
																																		__eflags = _t713 -  *((intOrPtr*)(_t721 - 0x34));
																																		if(_t713 !=  *((intOrPtr*)(_t721 - 0x34))) {
																																			goto L218;
																																		}
																																		goto L199;
																																	}
																																	__eflags =  *(_t582 + 0x3398) - 4;
																																	if( *(_t582 + 0x3398) != 4) {
																																		goto L195;
																																	}
																																	__eflags = _t691;
																																	if(_t691 == 0) {
																																		goto L195;
																																	}
																																	_t625 = 1;
																																	goto L196;
																																}
																																__eflags =  *((char*)(_t721 - 0x14));
																																if( *((char*)(_t721 - 0x14)) == 0) {
																																	goto L191;
																																}
																																__eflags = _t624;
																																if(_t624 != 0) {
																																	goto L191;
																																}
																																__eflags =  *(_t582 + 0x3333) - _t624;
																																if(__eflags == 0) {
																																	L189:
																																	_push(3);
																																	L190:
																																	_pop(_t637);
																																	_t321 = _t721 - 0x30b8; // -10424
																																	E011D2021(__eflags, _t637, _t582 + 0x32, _t321);
																																	 *((char*)(_t721 - 0x10)) = 1;
																																	E011D6D83(0x1211098, 3);
																																	_t448 =  *((intOrPtr*)(_t721 - 0x10));
																																	goto L191;
																																}
																																__eflags =  *((intOrPtr*)(_t582 + 0x3359)) - _t624;
																																if( *((intOrPtr*)(_t582 + 0x3359)) == _t624) {
																																	L187:
																																	__eflags =  *((char*)(_t697 + 0xfc));
																																	if(__eflags != 0) {
																																		goto L189;
																																	}
																																	_push(4);
																																	goto L190;
																																}
																																__eflags =  *(_t582 + 0x6cdc) - _t624;
																																if(__eflags == 0) {
																																	goto L189;
																																}
																																goto L187;
																															}
																															__eflags =  *(_t582 + 0x32fc) - _t448;
																															if(__eflags < 0) {
																																goto L181;
																															}
																															if(__eflags > 0) {
																																L179:
																																__eflags = _t624;
																																if(_t624 != 0) {
																																	 *((char*)(_t697 + 0xfc)) = 1;
																																}
																																goto L181;
																															}
																															__eflags =  *(_t582 + 0x32f8) - _t448;
																															if( *(_t582 + 0x32f8) <= _t448) {
																																goto L181;
																															}
																															goto L179;
																														}
																														 *((char*)(_t697 + 0xfc)) = _t448;
																														goto L181;
																													}
																													asm("sbb eax, eax");
																													_t482 = E011DAAEA(_t582, _t697 + 0xd0, _t582 + 0x3308,  ~( *(_t582 + 0x3362) & 0x000000ff) & _t582 + 0x00003363);
																													__eflags = _t482;
																													if(_t482 == 0) {
																														goto L172;
																													}
																													_t624 = 1;
																													_t448 = 0;
																													goto L173;
																												}
																												_t716 =  *(_t582 + 0x3398);
																												__eflags = _t716 - 4;
																												if(_t716 == 4) {
																													L151:
																													_push(0x800);
																													_t270 = _t721 - 0x50b8; // -18616
																													_push(_t582 + 0x339c);
																													E011DB76C(_t582);
																													_push(0x800);
																													_t272 = _t721 - 0x40b8; // -14520
																													_t645 = _t697;
																													_t273 = _t721 - 0x50b8; // -18616
																													_push(_t582);
																													E011D8167(__eflags);
																													_t446 =  *((intOrPtr*)(_t721 - 0x10));
																													__eflags = _t446;
																													if(_t446 == 0) {
																														L159:
																														_t646 =  *((intOrPtr*)(_t721 - 0xf));
																														L160:
																														__eflags =  *((intOrPtr*)(_t582 + 0x6cc8)) - 2;
																														if( *((intOrPtr*)(_t582 + 0x6cc8)) != 2) {
																															L146:
																															__eflags = _t446;
																															if(_t446 == 0) {
																																L163:
																																_t495 = 0;
																																__eflags = 0;
																																L164:
																																 *(_t697 + 0x10ff) = _t495;
																																goto L169;
																															}
																															L147:
																															__eflags = _t646;
																															if(_t646 == 0) {
																																goto L163;
																															}
																															_t495 = 1;
																															goto L164;
																														}
																														__eflags = _t446;
																														if(_t446 != 0) {
																															goto L147;
																														}
																														L145:
																														 *((char*)(_t721 - 0x14)) = 0;
																														goto L146;
																													}
																													__eflags =  *((short*)(_t721 - 0x40b8));
																													if( *((short*)(_t721 - 0x40b8)) == 0) {
																														goto L159;
																													}
																													_t276 = _t721 - 0x40b8; // -14520
																													_push(0x800);
																													_push(_t697 + 0x1100);
																													__eflags = _t716 - 4;
																													if(__eflags != 0) {
																														_push(_t582 + 0x32);
																														_t281 = _t721 - 0x1070; // -2160
																														_t500 = E011D9155(_t690, _t697, _t716, __eflags);
																														_t646 = _t500;
																														 *((char*)(_t721 - 0xf)) = _t500;
																														L157:
																														__eflags = _t646;
																														if(_t646 == 0) {
																															L144:
																															_t446 =  *((intOrPtr*)(_t721 - 0x10));
																															goto L145;
																														}
																														_t446 =  *((intOrPtr*)(_t721 - 0x10));
																														goto L160;
																													}
																													_push( *(_t697 + 8));
																													_t501 = E011D7542(_t645, _t697, __eflags);
																													L155:
																													_t646 = _t501;
																													 *((char*)(_t721 - 0xf)) = _t646;
																													goto L157;
																												}
																												__eflags = _t716 - 5;
																												if(_t716 == 5) {
																													goto L151;
																												}
																												__eflags = _t716 - 1;
																												if(_t716 == 1) {
																													L149:
																													__eflags = _t446;
																													if(_t446 == 0) {
																														goto L159;
																													}
																													_push(_t697 + 0x1100);
																													_t501 = E011D77B8(_t622, _t697 + 0x10, _t582);
																													goto L155;
																												}
																												__eflags = _t716 - 2;
																												if(_t716 == 2) {
																													goto L149;
																												}
																												__eflags = _t716 - 3;
																												if(__eflags == 0) {
																													goto L149;
																												}
																												E011D2021(__eflags, 0x47, _t582 + 0x32, _t697 + 0x1100);
																												__eflags = 0;
																												_t646 = 0;
																												 *((char*)(_t721 - 0xf)) = 0;
																												goto L144;
																											}
																											__eflags = _t445;
																											if(_t445 != 0) {
																												goto L136;
																											}
																											_t508 = 0x50;
																											__eflags =  *(_t721 - 0x18) - _t508;
																											if( *(_t721 - 0x18) == _t508) {
																												goto L136;
																											}
																											_t446 = 1;
																											 *((char*)(_t721 - 0x10)) = 1;
																											goto L137;
																										}
																										__eflags =  *(_t582 + 0x6cdc);
																										if( *(_t582 + 0x6cdc) != 0) {
																											goto L132;
																										}
																										_t717 =  *(_t582 + 0x32fc);
																										_t695 =  *(_t582 + 0x32f8);
																										__eflags = _t717;
																										if(__eflags < 0) {
																											L131:
																											_t690 = 0;
																											__eflags = 0;
																											_t712 = _t697 + 0x10;
																											goto L132;
																										}
																										if(__eflags > 0) {
																											L119:
																											_t649 =  *(_t582 + 0x32f0);
																											_t650 = _t649 << 0xa;
																											__eflags = ( *(_t582 + 0x32f4) << 0x00000020 | _t649) << 0xa - _t717;
																											if(__eflags < 0) {
																												L130:
																												_t445 =  *(_t721 - 0xd);
																												goto L131;
																											}
																											if(__eflags > 0) {
																												L122:
																												__eflags =  *((intOrPtr*)(_t582 + 0x10)) - 1;
																												if( *((intOrPtr*)(_t582 + 0x10)) == 1) {
																													goto L130;
																												}
																												__eflags = _t717;
																												if(__eflags < 0) {
																													L129:
																													_t244 = _t721 - 0x1070; // -2160
																													E011D9A3C(_t244,  *(_t582 + 0x32f8),  *(_t582 + 0x32fc));
																													 *(_t721 - 0x28) =  *(_t582 + 0x32f8);
																													 *(_t721 - 0x24) =  *(_t582 + 0x32fc);
																													goto L130;
																												}
																												if(__eflags > 0) {
																													L126:
																													_t515 = E011D981A(_t695);
																													__eflags = _t695 -  *(_t582 + 0x32f4);
																													if(__eflags < 0) {
																														goto L130;
																													}
																													if(__eflags > 0) {
																														goto L129;
																													}
																													__eflags = _t515 -  *(_t582 + 0x32f0);
																													if(_t515 <=  *(_t582 + 0x32f0)) {
																														goto L130;
																													}
																													goto L129;
																												}
																												__eflags = _t695 - 0x5f5e100;
																												if(_t695 < 0x5f5e100) {
																													goto L129;
																												}
																												goto L126;
																											}
																											__eflags = _t650 - _t695;
																											if(_t650 <= _t695) {
																												goto L130;
																											}
																											goto L122;
																										}
																										__eflags = _t695 - 0xf4240;
																										if(_t695 <= 0xf4240) {
																											goto L131;
																										}
																										goto L119;
																									}
																									L113:
																									_t202 = _t697 + 0xec;
																									 *_t202 =  *(_t697 + 0xec) + 1;
																									__eflags =  *_t202;
																									goto L114;
																								}
																								 *((char*)(_t721 - 0x12)) = 0;
																								_t517 = 0x50;
																								__eflags = _t616 - _t517;
																								if(_t616 != _t517) {
																									_t196 = _t721 - 0x1070; // -2160
																									__eflags = E011D98BC(_t196);
																									if(__eflags != 0) {
																										E011D2021(__eflags, 0x3b, _t582 + 0x32, _t697 + 0x1100);
																										E011D6E98(0x1211098, _t721, _t582 + 0x32, _t697 + 0x1100);
																									}
																								}
																								goto L113;
																							}
																							 *(_t697 + 0x10ff) = 1;
																							__eflags =  *((char*)(_t435 + 0x7201));
																							if( *((char*)(_t435 + 0x7201)) != 0) {
																								_t436 =  *(_t721 - 0xd);
																								goto L112;
																							}
																							goto L107;
																						}
																						 *(_t721 - 0xd) = _t431;
																						 *(_t721 - 0xe) = _t431;
																						_t185 = _t721 - 0x30b8; // -10424
																						_t525 = L011E1B7F(__eflags, _t185, 0, 0, _t431);
																						__eflags = _t525;
																						if(_t525 != 0) {
																							goto L104;
																						}
																						__eflags = 0;
																						 *(_t721 - 0x24) = 0;
																						L102:
																						_t187 = _t721 - 0x1070; // -2160
																						E011D959A(_t187);
																						_t406 =  *(_t721 - 0x24);
																						goto L15;
																					}
																					_t180 = _t721 - 0x1070; // -2160
																					_push(_t582);
																					_t529 = E011D7FC0(_t697);
																					_t613 = _t529;
																					 *(_t721 - 0xe) = _t529;
																					L97:
																					__eflags = _t613;
																					if(_t613 != 0) {
																						goto L104;
																					}
																					goto L98;
																				}
																				__eflags =  *(_t721 - 0xe);
																				if( *(_t721 - 0xe) != 0) {
																					_t530 =  *(_t721 - 0x18);
																					__eflags = _t530 - 0x50;
																					if(_t530 != 0x50) {
																						_t657 = 0x49;
																						__eflags = _t530 - _t657;
																						if(_t530 != _t657) {
																							_t658 = 0x45;
																							__eflags = _t530 - _t658;
																							if(_t530 != _t658) {
																								_t531 =  *(_t697 + 8);
																								__eflags =  *((intOrPtr*)(_t531 + 0x7160)) - 1;
																								if( *((intOrPtr*)(_t531 + 0x7160)) != 1) {
																									 *(_t697 + 0xec) =  *(_t697 + 0xec) + 1;
																									_t178 = _t721 - 0x30b8; // -10424
																									_push(_t582);
																									E011D7DB2(_t697);
																								}
																							}
																						}
																					}
																				}
																				goto L102;
																			}
																			__eflags = _t611 - 5;
																			if(_t611 == 5) {
																				goto L88;
																			}
																			_t613 =  *(_t721 - 0xe);
																			__eflags = _t613;
																			if(_t613 == 0) {
																				goto L99;
																			}
																			_t616 =  *(_t721 - 0x18);
																			__eflags = _t616 - _t688;
																			if(_t616 == _t688) {
																				goto L105;
																			}
																			_t534 =  *(_t697 + 8);
																			__eflags =  *((char*)(_t534 + 0x7201));
																			if( *((char*)(_t534 + 0x7201)) != 0) {
																				goto L105;
																			}
																			_t719 = _t697 + 0x1100;
																			 *((char*)(_t721 - 0x12)) = 0;
																			_t536 = E011DA231(_t719);
																			__eflags = _t536;
																			if(_t536 == 0) {
																				L86:
																				__eflags =  *((char*)(_t721 - 0x12));
																				if( *((char*)(_t721 - 0x12)) == 0) {
																					goto L104;
																				}
																				L87:
																				_t613 = 0;
																				 *(_t721 - 0xe) = 0;
																				goto L97;
																			}
																			__eflags =  *((char*)(_t721 - 0x12));
																			if( *((char*)(_t721 - 0x12)) != 0) {
																				goto L87;
																			}
																			__eflags = 0;
																			_push(0);
																			_push(_t582 + 0x32d8);
																			_push( *(_t582 + 0x32fc));
																			_t167 = _t721 - 0x12; // 0x7ee
																			_push( *(_t582 + 0x32f8));
																			_push(0x800);
																			_push(_t719);
																			_push(0);
																			_push( *(_t697 + 8));
																			E011D92A3();
																			goto L86;
																		}
																		__eflags =  *((char*)(_t582 + 0x3359));
																		if( *((char*)(_t582 + 0x3359)) == 0) {
																			goto L77;
																		}
																		_t137 = _t721 - 0x2c; // 0x7d4
																		_t543 = E011F0C4A(_t582 + 0x335a, _t137, 8);
																		_t723 = _t725 + 0xc;
																		__eflags = _t543;
																		if(_t543 == 0) {
																			goto L77;
																		}
																		__eflags =  *(_t582 + 0x6cdc);
																		_t697 =  *((intOrPtr*)(_t721 - 0x1c));
																		if( *(_t582 + 0x6cdc) != 0) {
																			goto L78;
																		}
																		__eflags =  *((char*)(_t697 + 0x10fe));
																		_t142 = _t721 - 0x30b8; // -10424
																		_push(_t582 + 0x32);
																		if(__eflags != 0) {
																			_push(6);
																			E011D2021(__eflags);
																			E011D6D83(0x1211098, 0xb);
																			 *(_t721 - 0xe) = 0;
																			goto L78;
																		}
																		_push(0x83); // executed
																		E011D2021(__eflags); // executed
																		E011DF279( *(_t697 + 8) + 0x6024);
																		 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
																		_t147 = _t721 - 0x1174; // -2420
																		L011DF204(_t147);
																	}
																}
																E011D6D83(0x1211098, 2);
																_t554 = E011D1F47(_t582);
																__eflags =  *(_t582 + 0x6ccc);
																_t406 = _t554 & 0xffffff00 |  *(_t582 + 0x6ccc) == 0x00000000;
																goto L15;
															}
															_t106 = _t721 - 0x10a8; // -2216
															_t556 = E011D7BE7(_t106, _t582 + 0x32d8);
															__eflags = _t556;
															if(_t556 == 0) {
																goto L65;
															}
															__eflags =  *((char*)(_t721 - 0x10ac));
															if( *((char*)(_t721 - 0x10ac)) == 0) {
																L63:
																 *(_t721 - 0xe) = 0;
																goto L65;
															}
															_t108 = _t721 - 0x10a8; // -2216
															_t558 = E011D7BCA(_t108, _t697);
															__eflags = _t558;
															if(_t558 == 0) {
																goto L65;
															}
															goto L63;
														}
														__eflags = _t707 - _t686;
														if(_t707 != _t686) {
															goto L65;
														}
														goto L59;
													}
													__eflags =  *((char*)(_t411 + 0x715c));
													if( *((char*)(_t411 + 0x715c)) == 0) {
														goto L65;
													}
													goto L57;
												}
												__eflags =  *(_t697 + 0x1100);
												if( *(_t697 + 0x1100) == 0) {
													goto L54;
												}
												 *(_t721 - 0xe) = 1;
												__eflags =  *(_t582 + 0x3330);
												if( *(_t582 + 0x3330) == 0) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t707 - _t400;
											_t401 = 1;
											if(_t707 != _t400) {
												goto L50;
											}
											goto L49;
										}
										L45:
										_t689 =  *(_t582 + 0x6ccc);
										 *(_t721 - 0xd) = _t689;
										 *(_t721 - 0x28) = _t689;
										__eflags = _t689;
										if(_t689 == 0) {
											goto L220;
										}
										_t685 = 0;
										__eflags = 0;
										goto L47;
									}
									_t398 =  *(_t697 + 8);
									__eflags =  *(_t398 + 0x6127);
									if( *(_t398 + 0x6127) == 0) {
										goto L44;
									}
									__eflags =  *(_t582 + 0x6ccc);
									if( *(_t582 + 0x6ccc) != 0) {
										goto L14;
									}
									 *(_t721 - 0x11) = 0;
									goto L45;
								}
								__eflags =  *(_t697 + 0xf4) -  *((intOrPtr*)(_t586 + 0xb334));
								if( *(_t697 + 0xf4) <  *((intOrPtr*)(_t586 + 0xb334))) {
									goto L29;
								}
								__eflags =  *((char*)(_t697 + 0xf9));
								if( *((char*)(_t697 + 0xf9)) != 0) {
									goto L14;
								}
								goto L29;
							}
							if(__eflags < 0) {
								L25:
								 *(_t582 + 0x32f8) = _t684;
								 *(_t582 + 0x32fc) = _t684;
								goto L26;
							}
							__eflags =  *(_t582 + 0x32f8) - _t684;
							if( *(_t582 + 0x32f8) >= _t684) {
								goto L26;
							}
							goto L25;
						}
						if(__eflags < 0) {
							L21:
							 *(_t582 + 0x32f0) = _t684;
							 *(_t582 + 0x32f4) = _t684;
							goto L22;
						}
						__eflags =  *(_t582 + 0x32f0) - _t684;
						if( *(_t582 + 0x32f0) >= _t684) {
							goto L22;
						}
						goto L21;
					}
					if(_t383 != 3) {
						__eflags = _t383 - 5;
						if(_t383 != 5) {
							goto L9;
						}
						__eflags =  *((char*)(_t582 + 0x45c4));
						if( *((char*)(_t582 + 0x45c4)) == 0) {
							goto L14;
						}
						_push(_t585);
						_push(_t684);
						_push(_t704);
						_push(_t582);
						_t573 = E011E8C8D();
						__eflags = _t573;
						if(_t573 != 0) {
							__eflags = 0;
							 *0x1203278( *((intOrPtr*)(_t582 + 0x6cb8)),  *((intOrPtr*)(_t582 + 0x6cbc)), 0);
							 *((intOrPtr*)( *((intOrPtr*)( *_t582 + 0x10))))();
							goto L17;
						}
						L13:
						E011D6D83(0x1211098, 1);
						goto L14;
					} else {
						if( *(_t697 + 0x10ff) != 0) {
							E011D7A0D(_t582, _t721,  *(_t697 + 8), _t582, _t697 + 0x1100);
						}
						goto L9;
					}
				}
				if( *((intOrPtr*)(__ecx + 0x67)) == 0) {
					goto L14;
				}
				_push(_t585);
				_push(0);
				_t704 = __ecx + 0x10;
				_push(_t704);
				_push(_t582);
				 *(_t721 - 0x20) = _t704;
				if(E011E8C8D() == 0) {
					goto L13;
				} else {
					_t585 =  *(_t721 - 0x18);
					_t684 = 0;
					goto L5;
				}
			}

0x011d8493
0x011d849d
0x011d84a3
0x011d84a6
0x011d84aa
0x011d84ac
0x011d84b2
0x011d84b9
0x011d84bf
0x011d84e0
0x011d84e3
0x011d84e6
0x011d84e6
0x011d84ef
0x011d857a
0x011d8580
0x011d8586
0x011d859e
0x011d859e
0x011d85a4
0x011d85bc
0x011d85bc
0x011d85bf
0x011d85c5
0x011d85e2
0x011d85e7
0x011d85eb
0x011d85f5
0x011d8600
0x011d8605
0x011d8607
0x011d860b
0x011d860d
0x011d860f
0x011d8613
0x011d8615
0x011d8617
0x011d8617
0x011d8613
0x011d861f
0x011d8624
0x011d8625
0x011d8632
0x011d8633
0x011d863b
0x011d8642
0x011d8645
0x011d869c
0x011d86a1
0x011d86a3
0x011d86a5
0x011d86ab
0x011d86b1
0x011d86b5
0x011d86b5
0x011d86b5
0x011d86b5
0x011d8647
0x011d864a
0x011d8650
0x011d8652
0x011d8654
0x011d8658
0x011d865a
0x011d8661
0x011d8666
0x011d8667
0x011d866e
0x011d8673
0x011d867d
0x011d867f
0x011d8695
0x011d8681
0x011d8683
0x011d868a
0x011d868c
0x011d868c
0x011d867f
0x011d8658
0x011d8652
0x011d86be
0x011d86c3
0x011d86db
0x011d86e6
0x011d86ee
0x011d86f1
0x011d86f3
0x011d86f5
0x011d86f7
0x011d86fa
0x011d86fd
0x011d8703
0x011d8721
0x011d8721
0x011d8724
0x011d873c
0x011d873f
0x011d8744
0x011d874a
0x011d874b
0x011d874d
0x011d8756
0x011d8756
0x011d8758
0x011d875b
0x011d8765
0x011d876c
0x011d8771
0x011d8773
0x011d8543
0x011d8543
0x011d8543
0x011d8545
0x011d854b
0x011d8553
0x011d8553
0x011d8779
0x011d877e
0x011d8786
0x011d8787
0x011d878a
0x011d8791
0x011d8792
0x011d8799
0x011d879c
0x011d87b3
0x011d87b3
0x011d87b6
0x011d87b6
0x011d87bb
0x011d87be
0x011d87c5
0x011d87c6
0x011d87c9
0x011d87cc
0x011d87d7
0x011d87d7
0x011d87da
0x011d87e1
0x011d87e1
0x011d87e7
0x011d87ee
0x011d87ef
0x011d87fd
0x011d8802
0x011d8804
0x011d883c
0x011d883f
0x011d884b
0x011d884b
0x011d884b
0x011d884e
0x011d884e
0x011d8858
0x011d885d
0x011d885f
0x011d8883
0x011d8883
0x011d888a
0x00000000
0x00000000
0x011d888c
0x011d8896
0x011d889b
0x011d889d
0x011d897f
0x00000000
0x011d897f
0x011d88a3
0x011d88a6
0x011d88b4
0x011d88b5
0x011d88b5
0x011d88b7
0x011d88b9
0x011d88d5
0x011d88df
0x011d88e9
0x011d88fb
0x011d8900
0x011d8907
0x011d89a5
0x011d89a5
0x011d89a8
0x011d89a8
0x011d89ac
0x011d89b2
0x011d89b7
0x011d89bd
0x011d89c2
0x011d89ca
0x011d89cb
0x011d89ce
0x011d89d3
0x011d89d4
0x011d89d6
0x011d8a5f
0x011d8a61
0x011d8a66
0x011d8a68
0x011d8ab6
0x011d8ab9
0x011d8abb
0x011d8ad5
0x011d8ad7
0x011d8ad7
0x011d8ad8
0x011d8ad8
0x011d8adf
0x011d8b14
0x011d8b16
0x011d910c
0x011d910c
0x011d9110
0x011d9116
0x011d911b
0x011d911f
0x011d9122
0x011d9125
0x011d9127
0x011d9127
0x011d9127
0x011d9127
0x011d912d
0x011d912d
0x011d9131
0x00000000
0x00000000
0x011d9137
0x011d9139
0x011d8576
0x011d8576
0x00000000
0x011d8576
0x011d913f
0x011d9145
0x011d8513
0x011d8515
0x00000000
0x011d8515
0x011d914b
0x011d914d
0x00000000
0x011d914d
0x011d8b1c
0x011d8b1c
0x011d8b1f
0x011d8b1f
0x011d8b22
0x011d8b29
0x011d8b3b
0x011d8b3b
0x011d8b3e
0x011d8b40
0x011d8b87
0x011d8b87
0x011d8b8b
0x011d8b8d
0x011d8b95
0x011d8b95
0x011d8ba9
0x011d8baf
0x011d8bb5
0x011d8bbb
0x011d8bcc
0x011d8be2
0x011d8be7
0x011d8bed
0x011d8bf0
0x011d8bf6
0x011d8bf9
0x011d8bfc
0x011d8c03
0x011d8c06
0x011d8c0c
0x011d8c11
0x011d8c14
0x011d8c16
0x011d8c19
0x011d8c1c
0x011d8c1f
0x011d8c22
0x011d8c25
0x011d8c27
0x011d8cd6
0x011d8cd6
0x011d8cd9
0x011d8ce0
0x011d8ce7
0x011d8ceb
0x011d8d01
0x011d8d01
0x011d8d03
0x011d8d06
0x011d8d06
0x011d8d0a
0x011d8d0e
0x011d8d12
0x011d8e40
0x011d8e47
0x011d8e49
0x011d8e50
0x011d8e73
0x011d8e74
0x011d8e7a
0x011d8e7f
0x011d8e91
0x011d8e97
0x011d8e99
0x011d8e9f
0x011d8eb9
0x011d8e52
0x011d8e52
0x011d8e58
0x011d8e5e
0x011d8e5f
0x011d8e5f
0x011d8e50
0x011d8ebe
0x011d8ec0
0x011d8ec5
0x011d8ecc
0x011d8efe
0x011d8efe
0x011d8efe
0x011d8f00
0x011d8f02
0x011d8f02
0x011d8f09
0x011d8f13
0x011d8f1a
0x011d8f39
0x011d8f39
0x011d8f3d
0x011d8f40
0x011d8f98
0x011d8f98
0x011d8f9c
0x011d8f9f
0x011d8fb2
0x011d8fb2
0x011d8fb2
0x011d8fb4
0x011d8fb4
0x011d8fb8
0x00000000
0x00000000
0x011d8fbe
0x011d8fc1
0x011d8fc5
0x011d8fd1
0x011d8fd1
0x011d8fd5
0x011d8ff0
0x011d8ff0
0x011d8ff2
0x011d9007
0x011d9007
0x011d9009
0x011d90cd
0x011d90cd
0x011d90d0
0x011d90d7
0x011d90df
0x011d90eb
0x011d90ed
0x011d90f6
0x011d9100
0x011d9100
0x011d90ed
0x011d9105
0x00000000
0x011d9105
0x011d900f
0x011d9014
0x011d9016
0x011d9019
0x011d901f
0x011d901f
0x011d9021
0x011d9033
0x011d9033
0x011d9039
0x011d903e
0x011d9047
0x011d905b
0x011d9062
0x011d9075
0x011d9077
0x011d9080
0x011d9085
0x011d908b
0x011d909a
0x011d90ad
0x011d90c0
0x011d90c2
0x011d90c5
0x011d90ca
0x00000000
0x011d90ca
0x011d9023
0x011d9029
0x00000000
0x00000000
0x011d902b
0x011d9031
0x00000000
0x00000000
0x00000000
0x011d9031
0x011d901b
0x011d901d
0x00000000
0x00000000
0x00000000
0x011d901d
0x011d8ff4
0x011d8ff7
0x011d8ffe
0x00000000
0x00000000
0x011d9004
0x00000000
0x011d9004
0x011d8fd7
0x011d8fd9
0x00000000
0x00000000
0x011d8fdb
0x011d8fe2
0x00000000
0x00000000
0x011d8fe8
0x011d8fea
0x00000000
0x00000000
0x00000000
0x011d8fea
0x011d8fc7
0x011d8fcb
0x00000000
0x00000000
0x00000000
0x011d8fcb
0x011d8fa1
0x011d8fa8
0x00000000
0x00000000
0x011d8faa
0x011d8fac
0x00000000
0x00000000
0x011d8fae
0x00000000
0x011d8fae
0x011d8f42
0x011d8f46
0x00000000
0x00000000
0x011d8f48
0x011d8f4a
0x00000000
0x00000000
0x011d8f4c
0x011d8f52
0x011d8f71
0x011d8f71
0x011d8f73
0x011d8f73
0x011d8f74
0x011d8f80
0x011d8f8c
0x011d8f90
0x011d8f95
0x00000000
0x011d8f95
0x011d8f54
0x011d8f5a
0x011d8f64
0x011d8f64
0x011d8f6b
0x00000000
0x00000000
0x011d8f6d
0x00000000
0x011d8f6d
0x011d8f5c
0x011d8f62
0x00000000
0x00000000
0x00000000
0x011d8f62
0x011d8f1c
0x011d8f22
0x00000000
0x00000000
0x011d8f24
0x011d8f2e
0x011d8f2e
0x011d8f30
0x011d8f32
0x011d8f32
0x00000000
0x011d8f30
0x011d8f26
0x011d8f2c
0x00000000
0x00000000
0x00000000
0x011d8f2c
0x011d8f0b
0x00000000
0x011d8f0b
0x011d8edd
0x011d8eef
0x011d8ef4
0x011d8ef6
0x00000000
0x00000000
0x011d8ef8
0x011d8efa
0x00000000
0x011d8efa
0x011d8d18
0x011d8d1e
0x011d8d21
0x011d8d8a
0x011d8d8a
0x011d8d8f
0x011d8d9c
0x011d8d9d
0x011d8da2
0x011d8da7
0x011d8dad
0x011d8db0
0x011d8db7
0x011d8db8
0x011d8dbd
0x011d8dc0
0x011d8dc2
0x011d8e19
0x011d8e19
0x011d8e1c
0x011d8e1c
0x011d8e23
0x011d8d57
0x011d8d57
0x011d8d59
0x011d8e36
0x011d8e36
0x011d8e36
0x011d8e38
0x011d8e38
0x00000000
0x011d8e38
0x011d8d5f
0x011d8d5f
0x011d8d61
0x00000000
0x00000000
0x011d8d67
0x00000000
0x011d8d67
0x011d8e29
0x011d8e2b
0x00000000
0x00000000
0x011d8d53
0x011d8d53
0x00000000
0x011d8d53
0x011d8dc4
0x011d8dcc
0x00000000
0x00000000
0x011d8dce
0x011d8dd4
0x011d8de0
0x011d8de1
0x011d8de4
0x011d8dfa
0x011d8dfb
0x011d8e02
0x011d8e07
0x011d8e09
0x011d8e0c
0x011d8e0c
0x011d8e0e
0x011d8d50
0x011d8d50
0x00000000
0x011d8d50
0x011d8e14
0x00000000
0x011d8e14
0x011d8de6
0x011d8de9
0x011d8dee
0x011d8dee
0x011d8df0
0x00000000
0x011d8df0
0x011d8d23
0x011d8d26
0x00000000
0x00000000
0x011d8d28
0x011d8d2b
0x011d8d6e
0x011d8d6e
0x011d8d70
0x00000000
0x00000000
0x011d8d7c
0x011d8d83
0x00000000
0x011d8d83
0x011d8d2d
0x011d8d30
0x00000000
0x00000000
0x011d8d32
0x011d8d35
0x00000000
0x00000000
0x011d8d44
0x011d8d49
0x011d8d4b
0x011d8d4d
0x00000000
0x011d8d4d
0x011d8ced
0x011d8cef
0x00000000
0x00000000
0x011d8cf3
0x011d8cf4
0x011d8cf8
0x00000000
0x00000000
0x011d8cfa
0x011d8cfc
0x00000000
0x011d8cfc
0x011d8c2d
0x011d8c33
0x00000000
0x00000000
0x011d8c39
0x011d8c41
0x011d8c47
0x011d8c49
0x011d8cd1
0x011d8cd1
0x011d8cd1
0x011d8cd3
0x00000000
0x011d8cd3
0x011d8c4f
0x011d8c59
0x011d8c59
0x011d8c69
0x011d8c6c
0x011d8c6e
0x011d8cce
0x011d8cce
0x00000000
0x011d8cce
0x011d8c70
0x011d8c76
0x011d8c76
0x011d8c7a
0x00000000
0x00000000
0x011d8c7e
0x011d8c80
0x011d8ca5
0x011d8cab
0x011d8cb7
0x011d8cc2
0x011d8ccb
0x00000000
0x011d8ccb
0x011d8c82
0x011d8c8c
0x011d8c8e
0x011d8c93
0x011d8c99
0x00000000
0x00000000
0x011d8c9b
0x00000000
0x00000000
0x011d8c9d
0x011d8ca3
0x00000000
0x00000000
0x00000000
0x011d8ca3
0x011d8c84
0x011d8c8a
0x00000000
0x00000000
0x00000000
0x011d8c8a
0x011d8c72
0x011d8c74
0x00000000
0x00000000
0x00000000
0x011d8c74
0x011d8c51
0x011d8c57
0x00000000
0x00000000
0x00000000
0x011d8c57
0x011d8b8f
0x011d8b8f
0x011d8b8f
0x011d8b8f
0x00000000
0x011d8b8f
0x011d8b46
0x011d8b49
0x011d8b4a
0x011d8b4d
0x011d8b4f
0x011d8b5a
0x011d8b5c
0x011d8b6b
0x011d8b7d
0x011d8b7d
0x011d8b5c
0x00000000
0x011d8b4d
0x011d8b2b
0x011d8b32
0x011d8b39
0x011d8b84
0x00000000
0x011d8b84
0x00000000
0x011d8b39
0x011d8ae2
0x011d8ae5
0x011d8aec
0x011d8af3
0x011d8af8
0x011d8afa
0x00000000
0x00000000
0x011d8afc
0x011d8afe
0x011d8b01
0x011d8b01
0x011d8b07
0x011d8b0c
0x00000000
0x011d8b0c
0x011d8abd
0x011d8ac6
0x011d8ac7
0x011d8acc
0x011d8ace
0x011d8ad1
0x011d8ad1
0x011d8ad3
0x00000000
0x00000000
0x00000000
0x011d8ad3
0x011d8a6a
0x011d8a6e
0x011d8a74
0x011d8a77
0x011d8a7b
0x011d8a83
0x011d8a84
0x011d8a87
0x011d8a8b
0x011d8a8c
0x011d8a8f
0x011d8a91
0x011d8a97
0x011d8a9d
0x011d8a9f
0x011d8aa5
0x011d8aac
0x011d8aaf
0x011d8aaf
0x011d8a9d
0x011d8a8f
0x011d8a87
0x011d8a7b
0x00000000
0x011d8a6e
0x011d89dc
0x011d89df
0x00000000
0x00000000
0x011d89e1
0x011d89e4
0x011d89e6
0x00000000
0x00000000
0x011d89ec
0x011d89ef
0x011d89f2
0x00000000
0x00000000
0x011d89f8
0x011d89fb
0x011d8a02
0x00000000
0x00000000
0x011d8a0a
0x011d8a11
0x011d8a14
0x011d8a19
0x011d8a1b
0x011d8a4c
0x011d8a4c
0x011d8a50
0x00000000
0x00000000
0x011d8a56
0x011d8a58
0x011d8a5a
0x00000000
0x011d8a5a
0x011d8a1d
0x011d8a21
0x00000000
0x00000000
0x011d8a23
0x011d8a2b
0x011d8a2c
0x011d8a2d
0x011d8a33
0x011d8a36
0x011d8a3d
0x011d8a42
0x011d8a43
0x011d8a44
0x011d8a47
0x00000000
0x011d8a47
0x011d890d
0x011d8914
0x00000000
0x00000000
0x011d891c
0x011d8927
0x011d892c
0x011d892f
0x011d8931
0x00000000
0x00000000
0x011d8933
0x011d893a
0x011d893d
0x00000000
0x00000000
0x011d893f
0x011d8946
0x011d8950
0x011d8951
0x011d898b
0x011d898d
0x011d8999
0x011d89a0
0x00000000
0x011d89a0
0x011d8953
0x011d8958
0x011d8966
0x011d896b
0x011d896f
0x011d8975
0x011d8975
0x011d8883
0x011d8868
0x011d886f
0x011d8874
0x011d887b
0x00000000
0x011d887b
0x011d880d
0x011d8813
0x011d8818
0x011d881a
0x00000000
0x00000000
0x011d881c
0x011d8823
0x011d8835
0x011d8837
0x00000000
0x011d8837
0x011d8826
0x011d882c
0x011d8831
0x011d8833
0x00000000
0x00000000
0x00000000
0x011d8833
0x011d87dc
0x011d87df
0x00000000
0x00000000
0x00000000
0x011d87df
0x011d87ce
0x011d87d5
0x00000000
0x00000000
0x00000000
0x011d87d5
0x011d879e
0x011d87a5
0x00000000
0x00000000
0x011d87a7
0x011d87ab
0x011d87b1
0x00000000
0x00000000
0x00000000
0x011d87b1
0x011d874f
0x011d8752
0x011d8754
0x00000000
0x00000000
0x00000000
0x011d8754
0x011d8726
0x011d8726
0x011d872c
0x011d872f
0x011d8732
0x011d8734
0x00000000
0x00000000
0x011d873a
0x011d873a
0x00000000
0x011d873a
0x011d8705
0x011d8708
0x011d870e
0x00000000
0x00000000
0x011d8710
0x011d8716
0x00000000
0x00000000
0x011d871c
0x00000000
0x011d871c
0x011d85cd
0x011d85d3
0x00000000
0x00000000
0x011d85d5
0x011d85dc
0x00000000
0x00000000
0x00000000
0x011d85dc
0x011d85a6
0x011d85b0
0x011d85b0
0x011d85b6
0x00000000
0x011d85b6
0x011d85a8
0x011d85ae
0x00000000
0x00000000
0x00000000
0x011d85ae
0x011d8588
0x011d8592
0x011d8592
0x011d8598
0x00000000
0x011d8598
0x011d858a
0x011d8590
0x00000000
0x00000000
0x00000000
0x011d8590
0x011d84f8
0x011d851c
0x011d851f
0x00000000
0x00000000
0x011d8521
0x011d8528
0x00000000
0x00000000
0x011d852a
0x011d852b
0x011d852c
0x011d852d
0x011d852e
0x011d8533
0x011d8535
0x011d8558
0x011d856c
0x011d8574
0x00000000
0x011d8574
0x011d8537
0x011d853e
0x00000000
0x011d84fa
0x011d8501
0x011d850e
0x011d850e
0x00000000
0x011d8501
0x011d84f8
0x011d84c4
0x00000000
0x00000000
0x011d84c6
0x011d84c7
0x011d84c8
0x011d84cb
0x011d84cc
0x011d84cd
0x011d84d7
0x00000000
0x011d84d9
0x011d84d9
0x011d84dc
0x00000000
0x011d84dc

APIs

__EH_prolog.LIBCMT ref: 011D8493

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ce958ab7f294ac626b4d9dae94b9fd0329d1f968ea052948455eec00080a4c1e
Instruction ID: c46d4595f3a275cf4b2b3018409af515857c16d0788f250b82c15422b9dcc444
Opcode Fuzzy Hash: ce958ab7f294ac626b4d9dae94b9fd0329d1f968ea052948455eec00080a4c1e
Instruction Fuzzy Hash: 09821B70904246AEDF1EDF78C894BFEBBB9BF15304F0841B9D9499B282D7315688CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011EF9D5 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EF9D5() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E011EF9F0); // executed
				return _t1;
			}

0x011ef9da
0x011ef9e0

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0001F9F0,011EF3A5), ref: 011EF9DA

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5b24dd377eb42b3bd41c2b3fee701729eda6cb9bfbe4b52ac6662dfadb9796b6
Instruction ID: 9073e4720c69101a9c142d5026c22afd5241e86285cd6c142d9687f92d455f9e
Opcode Fuzzy Hash: 5b24dd377eb42b3bd41c2b3fee701729eda6cb9bfbe4b52ac6662dfadb9796b6
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 011EB7E0 Relevance: 98.7, APIs: 46, Strings: 10, Instructions: 731
windowfilesleepCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E011EB7E0(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __edi;
				void* _t105;
				int _t106;
				long _t108;
				long _t109;
				struct HWND__* _t110;
				struct HWND__* _t114;
				void* _t117;
				void* _t118;
				void* _t135;
				void* _t139;
				signed int _t152;
				struct HWND__* _t155;
				void* _t173;
				int _t186;
				signed int _t201;
				void* _t202;
				long _t210;
				void* _t220;
				void* _t234;
				signed int _t244;
				void* _t245;
				void* _t260;
				long _t262;
				long _t263;
				long _t264;
				int _t278;
				int _t280;
				void* _t285;
				void* _t289;
				int _t293;
				void* _t296;
				WCHAR* _t298;
				intOrPtr _t299;
				intOrPtr _t300;
				struct HWND__* _t311;
				intOrPtr _t314;
				void* _t316;
				struct HWND__* _t317;
				void* _t318;
				struct HWND__* _t320;
				long _t321;
				struct HWND__* _t322;
				intOrPtr _t323;
				void* _t325;
				void* _t327;
				void* _t328;
				void* _t330;

				_t309 = __edx;
				_t296 = __ecx;
				E011EEB78(0x1202b04, _t328);
				E011EEC50(0xfe80);
				_t314 =  *((intOrPtr*)(_t328 + 0xc));
				_t311 =  *(_t328 + 8);
				_t105 = E011D1316(__edx, _t311, _t314,  *(_t328 + 0x10),  *((intOrPtr*)(_t328 + 0x14)), L"STARTDLG", 0, 0);
				_t293 = 1;
				if(_t105 != 0) {
					L128:
					_t106 = _t293;
					L129:
					 *[fs:0x0] =  *((intOrPtr*)(_t328 - 0xc));
					return _t106;
				}
				_t316 = _t314 - 0x110;
				if(_t316 == 0) {
					_push(_t311);
					E011ED69E(_t296, __edx, __eflags, __fp0);
					_t108 =  *0x1227b7c;
					 *0x1218450 = _t311;
					 *0x1218458 = _t311;
					__eflags = _t108;
					if(_t108 != 0) {
						SendMessageW(_t311, 0x80, 1, _t108); // executed
					}
					_t109 =  *0x122ec84;
					__eflags = _t109;
					if(_t109 != 0) {
						SendDlgItemMessageW(_t311, 0x6c, 0x172, 0, _t109); // executed
					}
					_t110 = GetDlgItem(_t311, 0x68);
					 *(_t328 - 0x14) = _t110;
					SendMessageW(_t110, 0x435, 0, 0x400000);
					E011EA64D(_t328 - 0x3474, 0x800);
					_t114 = GetDlgItem(_t311, 0x66);
					__eflags =  *0x121a472;
					_t317 = _t114;
					 *(_t328 - 0x18) = _t317;
					_t298 = 0x121a472;
					if( *0x121a472 == 0) {
						_t298 = _t328 - 0x3474;
					}
					SetWindowTextW(_t317, _t298);
					E011EABAB(_t317); // executed
					_push(0x122fca0);
					_push(0x122fc90);
					_push(0x122ec90);
					_push(_t311);
					 *0x1218463 = 0; // executed
					_t117 = E011EB093(_t298, _t309, __eflags); // executed
					__eflags = _t117;
					if(_t117 == 0) {
						 *0x1218456 = _t293;
					}
					__eflags =  *0x122fca0;
					if( *0x122fca0 > 0) {
						_push(7);
						_push( *0x122fc90);
						_push(_t311);
						E011EC73F(_t309, _t311);
					}
					__eflags =  *0x121c577;
					if( *0x121c577 == 0) {
						SetDlgItemTextW(_t311, 0x6b, E011DE617(0xbf));
						SetDlgItemTextW(_t311, _t293, E011DE617(0xbe));
					}
					__eflags =  *0x122fca0;
					if( *0x122fca0 <= 0) {
						L104:
						__eflags =  *0x1218463;
						if( *0x1218463 != 0) {
							L116:
							__eflags =  *0x121a46c - 2;
							if( *0x121a46c == 2) {
								 *0x123315c(_t317, 0);
							}
							__eflags =  *0x1219468;
							if( *0x1219468 != 0) {
								E011D12D3(_t311, 0x67, 0);
								E011D12D3(_t311, 0x66, 0);
							}
							_t118 =  *0x121a46c;
							__eflags = _t118;
							if(_t118 != 0) {
								__eflags =  *0x1218454;
								if( *0x1218454 == 0) {
									_push(0);
									_push(_t293);
									_push(0x111);
									_push(_t311);
									__eflags = _t118 - _t293;
									if(_t118 != _t293) {
										 *0x12330a0();
									} else {
										SendMessageW(); // executed
									}
								}
							}
							__eflags =  *0x1218456;
							if( *0x1218456 != 0) {
								_push(E011DE617(0x90));
								_push(_t293);
								L127:
								SetDlgItemTextW(_t311, ??, ??);
							}
							goto L128;
						}
						__eflags =  *0x122fc94;
						if( *0x122fc94 != 0) {
							goto L116;
						}
						__eflags =  *0x121a46c;
						if( *0x121a46c != 0) {
							goto L116;
						}
						__eflags = 0;
						_t318 = 0xaa;
						 *((short*)(_t328 - 0x7874)) = 0;
						goto L108;
						do {
							while(1) {
								L108:
								__eflags = _t318 - 0xaa;
								if(_t318 != 0xaa) {
									goto L110;
								}
								__eflags =  *0x121c577;
								if( *0x121c577 == 0) {
									break;
								}
								L110:
								__eflags = _t318 - 0xab;
								if(__eflags != 0) {
									L113:
									E011E05DA(__eflags, _t328 - 0x7874, " ", 0x2000);
									E011E05DA(__eflags, _t328 - 0x7874, E011DE617(_t318), 0x2000);
									break;
								}
								__eflags =  *0x121c577;
								if(__eflags == 0) {
									goto L113;
								}
								_t318 = _t318 + 1;
							}
							_t318 = _t318 + 1;
							__eflags = _t318 - 0xb0;
						} while (__eflags <= 0);
						_t299 =  *0x1218440; // 0x116fcf8
						E011E9ED5(_t299, __eflags,  *0x121102c,  *(_t328 - 0x14), _t328 - 0x7874, 0, 0);
						_t317 =  *(_t328 - 0x18);
						goto L116;
					} else {
						_push(0);
						_push( *0x122fc90);
						_push(_t311);
						E011EC73F(_t309, _t311);
						_t135 =  *0x122fc94;
						__eflags = _t135;
						if(_t135 != 0) {
							__eflags =  *0x121a46c;
							if(__eflags == 0) {
								_t300 =  *0x1218440; // 0x116fcf8
								E011E9ED5(_t300, __eflags,  *0x121102c,  *(_t328 - 0x14), _t135, 0, 0);
								L011F3E2E( *0x122fc94);
							}
						}
						__eflags =  *0x121a46c - _t293;
						if( *0x121a46c == _t293) {
							L103:
							_push(_t293);
							_push( *0x122fc90);
							_push(_t311);
							E011EC73F(_t309, _t311);
							goto L104;
						} else {
							 *0x12330c0(_t311);
							__eflags =  *0x121a46c - _t293;
							if( *0x121a46c == _t293) {
								goto L103;
							}
							__eflags =  *0x121a471;
							if( *0x121a471 != 0) {
								goto L103;
							}
							_push(3);
							_push( *0x122fc90);
							_push(_t311);
							E011EC73F(_t309, _t311);
							__eflags =  *0x122fc98;
							if( *0x122fc98 == 0) {
								goto L103;
							}
							_t139 = DialogBoxParamW( *0x121102c, L"LICENSEDLG", 0, E011EB5C0, 0);
							__eflags = _t139;
							if(_t139 == 0) {
								L23:
								 *0x1218454 = _t293;
								L24:
								_push(_t293);
								L25:
								EndDialog(_t311, ??);
								goto L128;
							}
							goto L103;
						}
					}
				}
				if(_t316 != 1) {
					L6:
					_t106 = 0;
					goto L129;
				}
				_t152 = ( *(_t328 + 0x10) & 0x0000ffff) - 1;
				if(_t152 == 0) {
					__eflags =  *0x1218455;
					if( *0x1218455 != 0) {
						L21:
						GetDlgItemTextW(_t311, 0x66, _t328 - 0x2474, 0x800);
						__eflags =  *0x1218455;
						if( *0x1218455 == 0) {
							__eflags =  *0x1218456;
							if( *0x1218456 == 0) {
								_t155 = GetDlgItem(_t311, 0x68);
								__eflags =  *0x121845c;
								_t320 = _t155;
								if( *0x121845c == 0) {
									SendMessageW(_t320, 0xb1, 0, 0xffffffff);
									SendMessageW(_t320, 0xc2, 0, 0x12035f4);
								}
								SetFocus(_t320);
								__eflags =  *0x1219468;
								if( *0x1219468 == 0) {
									_t321 = 0x800;
									E011E0602(_t328 - 0x1474, _t328 - 0x2474, 0x800);
									E011ED453(_t296, _t328 - 0x1474, 0x800);
									E011D4092(_t328 - 0x4974, 0x880, E011DE617(0xb9), _t328 - 0x1474);
									_t330 = _t330 + 0x10;
									_push(_t328 - 0x4974);
									_push(0);
									E011ED4D4();
								} else {
									_push(E011DE617(0xba));
									_push(0);
									E011ED4D4();
									_t321 = 0x800;
								}
								__eflags =  *0x121a471;
								if( *0x121a471 == 0) {
									E011EDB4B(_t328 - 0x2474);
								}
								 *(_t328 - 0xd) = 0;
								E011DA0B1(_t293, _t296, _t311, _t328, _t328 - 0x2474, 0, 0);
								__eflags = 0;
								if(0 != 0) {
									L39:
									_t302 = E011EAC04(_t328 - 0x2474);
									 *((char*)(_t328 - 0xe)) = _t302;
									__eflags = _t302;
									if(_t302 == 0) {
										_t263 = GetLastError();
										_t302 =  *((intOrPtr*)(_t328 - 0xe));
										__eflags = _t263 - 5;
										if(_t263 == 5) {
											 *(_t328 - 0xd) = _t293;
										}
									}
									_t173 =  *0x121a471;
									__eflags = _t173;
									if(_t173 != 0) {
										L48:
										__eflags =  *((char*)(_t328 - 0xe));
										if( *((char*)(_t328 - 0xe)) != 0) {
											 *0x121844c = _t293;
											E011D12F1(_t311, 0x67, 0);
											E011D12F1(_t311, 0x66, 0);
											SetDlgItemTextW(_t311, _t293, E011DE617(0xe6)); // executed
											E011D12F1(_t311, 0x69, _t293);
											SetDlgItemTextW(_t311, 0x65, 0x12035f4); // executed
											_t322 = GetDlgItem(_t311, 0x65);
											__eflags = _t322;
											if(_t322 != 0) {
												_t210 = GetWindowLongW(_t322, 0xfffffff0) | 0x00000080;
												__eflags = _t210;
												SetWindowLongW(_t322, 0xfffffff0, _t210);
											}
											_push(5);
											_push( *0x122fc90);
											_push(_t311);
											E011EC73F(_t309, _t311);
											_push(2);
											_push( *0x122fc90);
											_push(_t311);
											E011EC73F(_t309, _t311);
											_push(0x122ec90);
											_push(_t311);
											 *0x1231cbc = _t293;
											E011EDA52(_t302, _t309, __eflags);
											_push(6);
											_push( *0x122fc90);
											 *0x1231cbc = 0;
											_push(_t311);
											E011EC73F(_t309, _t311);
											__eflags =  *0x1218454;
											if( *0x1218454 == 0) {
												__eflags =  *0x121845c;
												if( *0x121845c == 0) {
													__eflags =  *0x122fcac;
													if( *0x122fcac == 0) {
														_push(4);
														_push( *0x122fc90);
														_push(_t311);
														E011EC73F(_t309, _t311);
													}
												}
											}
											E011D12D3(_t311, _t293, _t293);
											 *0x121844c =  *0x121844c & 0x00000000;
											__eflags =  *0x121844c;
											_t186 =  *0x1218454; // 0x0
											goto L73;
										}
										__eflags = _t173;
										if(_t173 != 0) {
											goto L65;
										}
										goto L50;
									} else {
										__eflags = _t302;
										if(_t302 == 0) {
											L50:
											_t220 =  *(_t328 - 0xd);
											__eflags = _t220;
											 *(_t328 - 0xd) = _t220 == 0;
											__eflags = _t220;
											if(_t220 == 0) {
												L64:
												__eflags =  *(_t328 - 0xd);
												if( *(_t328 - 0xd) == 0) {
													L11:
													_push(0);
													goto L25;
												}
												L65:
												_push(E011DE617(0x9a));
												E011D4092(_t328 - 0x3874, 0xa00, L"\"%s\"\n%s", _t328 - 0x2474);
												E011D6D83(0x1211098, _t293);
												E011EA7E4(_t311, _t328 - 0x3874, E011DE617(0x96), 0x30);
												 *0x121845c =  *0x121845c + 1;
												goto L11;
											}
											GetModuleFileNameW(0, _t328 - 0x3474, _t321);
											E011DF28C(0x121c472, _t328 - 0x574, 0x80);
											_push(0x121b472);
											E011D4092(_t328 - 0xfe8c, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t328 - 0x2474);
											_t330 = _t330 + 0x14;
											 *((intOrPtr*)(_t328 - 0x58)) = 0x3c;
											 *((intOrPtr*)(_t328 - 0x54)) = 0x40;
											 *((intOrPtr*)(_t328 - 0x48)) = _t328 - 0x3474;
											 *((intOrPtr*)(_t328 - 0x44)) = _t328 - 0xfe8c;
											 *(_t328 - 0x50) = _t311;
											 *((intOrPtr*)(_t328 - 0x4c)) = L"runas";
											 *(_t328 - 0x3c) = _t293;
											 *((intOrPtr*)(_t328 - 0x38)) = 0;
											 *((intOrPtr*)(_t328 - 0x40)) = 0x1218468;
											_t325 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
											 *(_t328 - 0x14) = _t325;
											__eflags = _t325;
											if(_t325 == 0) {
												 *(_t328 - 0x1c) =  *(_t328 - 0x14);
											} else {
												 *0x1227b80 = 0;
												_t245 = GetCommandLineW();
												__eflags = _t245;
												if(_t245 != 0) {
													E011E0602(0x1227b82, _t245, 0x2000);
												}
												E011EB425(0x121c472, 0x122bb82, 7);
												E011EB425(0x121c472, 0x122cb82, 2);
												E011EB425(0x121c472, 0x122db82, 0x10);
												 *0x122ec83 = _t293;
												E011DF3FA(_t293, 0x122eb82, _t328 - 0x574);
												 *(_t328 - 0x1c) = MapViewOfFile(_t325, 2, 0, 0, 0);
												E011F0320(_t252, 0x1227b80, 0x7104);
												_t330 = _t330 + 0xc;
											}
											_t234 =  *0x1233078(_t328 - 0x58);
											E011DF445(_t328 - 0x574, 0x80);
											E011DF445(_t328 - 0xfe8c, 0x430c);
											__eflags = _t234;
											if(_t234 == 0) {
												_t327 =  *(_t328 - 0x1c);
												 *(_t328 - 0xd) = _t293;
												goto L62;
											} else {
												 *0x12330a4( *(_t328 - 0x20), 0x2710);
												_t67 = _t328 - 0x18;
												 *_t67 =  *(_t328 - 0x18) & 0x00000000;
												__eflags =  *_t67;
												_t327 =  *(_t328 - 0x1c);
												while(1) {
													__eflags =  *_t327;
													if( *_t327 != 0) {
														break;
													}
													Sleep(0x64);
													_t244 =  *(_t328 - 0x18) + 1;
													 *(_t328 - 0x18) = _t244;
													__eflags = _t244 - 0x64;
													if(_t244 < 0x64) {
														continue;
													}
													break;
												}
												 *0x122fcac =  *(_t328 - 0x20);
												L62:
												__eflags =  *(_t328 - 0x14);
												if( *(_t328 - 0x14) != 0) {
													UnmapViewOfFile(_t327);
													CloseHandle( *(_t328 - 0x14));
												}
												goto L64;
											}
										}
										E011D4092(_t328 - 0x1474, _t321, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
										_t330 = _t330 + 0x10;
										E011D9556(_t328 - 0x34ac);
										 *(_t328 - 4) =  *(_t328 - 4) & 0x00000000;
										_t260 = E011D966E(_t328 - 0x34ac, _t328 - 0x1474, 0x11);
										 *((char*)(_t328 - 0xe)) = _t260;
										__eflags = _t260;
										if(_t260 == 0) {
											_t262 = GetLastError();
											__eflags = _t262 - 5;
											if(_t262 == 5) {
												 *(_t328 - 0xd) = _t293;
											}
										}
										_t37 = _t328 - 4;
										 *_t37 =  *(_t328 - 4) | 0xffffffff;
										__eflags =  *_t37;
										_t302 = _t328 - 0x34ac;
										E011D959A(_t328 - 0x34ac); // executed
										_t173 =  *0x121a471;
										goto L48;
									}
								} else {
									_t264 = GetLastError();
									__eflags = _t264 - 5;
									if(_t264 == 5) {
										L38:
										 *(_t328 - 0xd) = _t293;
										goto L39;
									}
									__eflags = _t264 - 3;
									if(_t264 != 3) {
										goto L39;
									}
									goto L38;
								}
							} else {
								_t186 = _t293;
								 *0x1218454 = _t186;
								L73:
								__eflags =  *0x121845c;
								if( *0x121845c <= 0) {
									goto L24;
								}
								__eflags = _t186;
								if(_t186 != 0) {
									goto L24;
								}
								 *0x1218455 = _t293;
								SetDlgItemTextW(_t311, _t293, E011DE617(0x90));
								_t323 =  *0x1211098;
								__eflags = _t323 - 9;
								if(_t323 != 9) {
									__eflags = _t323 - 3;
									_t193 = ((_t323 != 0x00000003) - 0x00000001 & 0x0000000b) + 0x97;
									__eflags = ((_t323 != 0x00000003) - 0x00000001 & 0x0000000b) + 0x97;
								} else {
									_t193 = 0xa0;
								}
								E011E0602(_t328 - 0x474, E011DE617(_t193), 0x200);
								__eflags = _t323 - 9;
								if(_t323 == 9) {
									__eflags =  *0x121c574;
									if( *0x121c574 != 0) {
										_t201 = E011F3E13(_t328 - 0x474);
										_t202 = E011DE617(0xa1);
										__eflags = 0x200;
										E011D4092(_t328 - 0x474 + _t201 * 2, 0x200 - _t201, L"\n%s", _t202);
									}
								}
								E011EA7E4(_t311, _t328 - 0x474, E011DE617(0x96), 0x30);
								goto L128;
							}
						}
						_t293 = 1;
						__eflags =  *0x1218456;
						if( *0x1218456 == 0) {
							goto L24;
						}
						goto L23;
					}
					__eflags =  *0x1231cbc;
					if( *0x1231cbc == 0) {
						goto L21;
					} else {
						__eflags =  *0x1231cbd;
						 *0x1231cbd = _t152 & 0xffffff00 |  *0x1231cbd == 0x00000000;
						SetDlgItemTextW(_t311, 1, E011DE617(((_t152 & 0xffffff00 |  *0x1231cbd == 0x00000000) & 0x000000ff) + 0xe6));
						while(1) {
							__eflags =  *0x1231cbd;
							if( *0x1231cbd == 0) {
								goto L128;
							}
							__eflags =  *0x1218454;
							if( *0x1218454 != 0) {
								goto L128;
							}
							_t278 = GetMessageW(_t328 - 0x74, 0, 0, 0);
							__eflags = _t278;
							if(_t278 == 0) {
								goto L128;
							} else {
								_t280 = IsDialogMessageW(_t311, _t328 - 0x74);
								__eflags = _t280;
								if(_t280 == 0) {
									TranslateMessage(_t328 - 0x74);
									DispatchMessageW(_t328 - 0x74);
								}
								continue;
							}
						}
						goto L128;
					}
				}
				_t285 = _t152 - 1;
				if(_t285 == 0) {
					__eflags =  *0x121844c;
					 *0x1218454 = 1;
					if( *0x121844c == 0) {
						goto L11;
					}
					__eflags =  *0x121845c;
					if( *0x121845c != 0) {
						goto L128;
					}
					goto L11;
				}
				if(_t285 == 0x65) {
					_push(0x800);
					_t289 = E011D124F(_t311, E011DE617(0x64), _t328 - 0x1474);
					__eflags = _t289;
					if(_t289 == 0) {
						goto L128;
					} else {
						_push(_t328 - 0x1474);
						_push(0x66);
						goto L127;
					}
				}
				goto L6;
			}

0x011eb7e0
0x011eb7e0
0x011eb7e5
0x011eb7ef
0x011eb7f6
0x011eb7fa
0x011eb80e
0x011eb815
0x011eb818
0x011ec203
0x011ec203
0x011ec205
0x011ec20b
0x011ec213
0x011ec213
0x011eb81e
0x011eb824
0x011ebf0f
0x011ebf10
0x011ebf15
0x011ebf1a
0x011ebf20
0x011ebf26
0x011ebf28
0x011ebf32
0x011ebf32
0x011ebf38
0x011ebf3d
0x011ebf3f
0x011ebf4c
0x011ebf4c
0x011ebf55
0x011ebf68
0x011ebf6b
0x011ebf7d
0x011ebf85
0x011ebf8b
0x011ebf93
0x011ebf95
0x011ebf98
0x011ebf9d
0x011ebf9f
0x011ebf9f
0x011ebfa7
0x011ebfae
0x011ebfb3
0x011ebfb8
0x011ebfbd
0x011ebfc2
0x011ebfc3
0x011ebfca
0x011ebfcf
0x011ebfd1
0x011ebfd3
0x011ebfd3
0x011ebfd9
0x011ebfe0
0x011ebfe2
0x011ebfe4
0x011ebfea
0x011ebfeb
0x011ebfeb
0x011ebff0
0x011ebff7
0x011ec007
0x011ec01a
0x011ec01a
0x011ec020
0x011ec027
0x011ec0d8
0x011ec0d8
0x011ec0df
0x011ec18b
0x011ec18b
0x011ec192
0x011ec197
0x011ec197
0x011ec19d
0x011ec1a4
0x011ec1ab
0x011ec1b5
0x011ec1b5
0x011ec1ba
0x011ec1bf
0x011ec1c1
0x011ec1c3
0x011ec1ca
0x011ec1cc
0x011ec1ce
0x011ec1cf
0x011ec1d4
0x011ec1d5
0x011ec1d7
0x011ec1e1
0x011ec1d9
0x011ec1d9
0x011ec1d9
0x011ec1d7
0x011ec1ca
0x011ec1e7
0x011ec1ee
0x011ec1fa
0x011ec1fb
0x011ec1fc
0x011ec1fd
0x011ec1fd
0x00000000
0x011ec1ee
0x011ec0e5
0x011ec0ec
0x00000000
0x00000000
0x011ec0f2
0x011ec0f9
0x00000000
0x00000000
0x011ec0ff
0x011ec101
0x011ec106
0x011ec106
0x011ec10d
0x011ec10d
0x011ec10d
0x011ec10d
0x011ec113
0x00000000
0x00000000
0x011ec115
0x011ec11c
0x00000000
0x00000000
0x011ec11e
0x011ec11e
0x011ec124
0x011ec132
0x011ec143
0x011ec15b
0x00000000
0x011ec15b
0x011ec126
0x011ec12d
0x00000000
0x00000000
0x011ec12f
0x011ec12f
0x011ec160
0x011ec161
0x011ec161
0x011ec169
0x011ec183
0x011ec188
0x00000000
0x011ec02d
0x011ec02d
0x011ec02f
0x011ec035
0x011ec036
0x011ec03b
0x011ec040
0x011ec042
0x011ec044
0x011ec04b
0x011ec04d
0x011ec061
0x011ec06c
0x011ec071
0x011ec04b
0x011ec072
0x011ec078
0x011ec0cb
0x011ec0cb
0x011ec0cc
0x011ec0d2
0x011ec0d3
0x00000000
0x011ec07a
0x011ec07b
0x011ec081
0x011ec087
0x00000000
0x00000000
0x011ec089
0x011ec090
0x00000000
0x00000000
0x011ec092
0x011ec094
0x011ec09a
0x011ec09b
0x011ec0a0
0x011ec0a7
0x00000000
0x00000000
0x011ec0bd
0x011ec0c3
0x011ec0c5
0x011eb958
0x011eb958
0x011eb95e
0x011eb95e
0x011eb95f
0x011eb960
0x00000000
0x011eb960
0x00000000
0x011ec0c5
0x011ec078
0x011ec027
0x011eb82c
0x011eb841
0x011eb841
0x00000000
0x011eb841
0x011eb834
0x011eb836
0x011eb89b
0x011eb8a2
0x011eb92e
0x011eb93d
0x011eb943
0x011eb94a
0x011eb96b
0x011eb972
0x011eb983
0x011eb989
0x011eb990
0x011eb992
0x011eb99e
0x011eb9b1
0x011eb9b1
0x011eb9b8
0x011eb9be
0x011eb9c5
0x011eb9e0
0x011eb9f4
0x011eba01
0x011eba24
0x011eba29
0x011eba32
0x011eba33
0x011eba35
0x011eb9c7
0x011eb9d1
0x011eb9d2
0x011eb9d4
0x011eb9d9
0x011eb9d9
0x011eba3a
0x011eba41
0x011eba4a
0x011eba4a
0x011eba53
0x011eba5f
0x011eba64
0x011eba66
0x011eba7b
0x011eba87
0x011eba89
0x011eba8c
0x011eba8e
0x011eba90
0x011eba96
0x011eba99
0x011eba9c
0x011eba9e
0x011eba9e
0x011eba9c
0x011ebaa1
0x011ebaa6
0x011ebaa8
0x011ebb16
0x011ebb16
0x011ebb1a
0x011ebd5b
0x011ebd61
0x011ebd6b
0x011ebd7d
0x011ebd87
0x011ebd94
0x011ebda3
0x011ebda5
0x011ebda7
0x011ebdb2
0x011ebdb2
0x011ebdbb
0x011ebdbb
0x011ebdc1
0x011ebdc3
0x011ebdc9
0x011ebdca
0x011ebdcf
0x011ebdd1
0x011ebdd7
0x011ebdd8
0x011ebddd
0x011ebde2
0x011ebde3
0x011ebde9
0x011ebdee
0x011ebdf0
0x011ebdf6
0x011ebdfd
0x011ebdfe
0x011ebe03
0x011ebe0a
0x011ebe0c
0x011ebe13
0x011ebe15
0x011ebe1c
0x011ebe1e
0x011ebe20
0x011ebe26
0x011ebe27
0x011ebe27
0x011ebe1c
0x011ebe13
0x011ebe2f
0x011ebe34
0x011ebe34
0x011ebe3b
0x00000000
0x011ebe3b
0x011ebb20
0x011ebb22
0x00000000
0x00000000
0x00000000
0x011ebaaa
0x011ebaaa
0x011ebaac
0x011ebb28
0x011ebb28
0x011ebb2b
0x011ebb2d
0x011ebb31
0x011ebb33
0x011ebcf1
0x011ebcf1
0x011ebcf5
0x011eb894
0x011eb894
0x00000000
0x011eb894
0x011ebcfb
0x011ebd05
0x011ebd1e
0x011ebd2c
0x011ebd46
0x011ebd4b
0x00000000
0x011ebd4b
0x011ebb43
0x011ebb5a
0x011ebb5f
0x011ebb7c
0x011ebb81
0x011ebb84
0x011ebb91
0x011ebb98
0x011ebba1
0x011ebbb9
0x011ebbbc
0x011ebbc3
0x011ebbc6
0x011ebbc9
0x011ebbd6
0x011ebbd8
0x011ebbdb
0x011ebbdd
0x011ebc68
0x011ebbe3
0x011ebbe3
0x011ebbea
0x011ebbf0
0x011ebbf2
0x011ebbff
0x011ebbff
0x011ebc0b
0x011ebc17
0x011ebc23
0x011ebc2e
0x011ebc3a
0x011ebc58
0x011ebc5b
0x011ebc60
0x011ebc60
0x011ebc6f
0x011ebc83
0x011ebc94
0x011ebc99
0x011ebc9b
0x011ebcd5
0x011ebcd8
0x00000000
0x011ebc9d
0x011ebca5
0x011ebcab
0x011ebcab
0x011ebcab
0x011ebcaf
0x011ebcb2
0x011ebcb2
0x011ebcb5
0x00000000
0x00000000
0x011ebcb9
0x011ebcc2
0x011ebcc3
0x011ebcc6
0x011ebcc9
0x00000000
0x00000000
0x00000000
0x011ebcc9
0x011ebcce
0x011ebcdb
0x011ebcdb
0x011ebcdf
0x011ebce2
0x011ebceb
0x011ebceb
0x00000000
0x011ebcdf
0x011ebc9b
0x011ebac2
0x011ebac7
0x011ebad0
0x011ebad5
0x011ebae8
0x011ebaed
0x011ebaf0
0x011ebaf2
0x011ebaf4
0x011ebafa
0x011ebafd
0x011ebaff
0x011ebaff
0x011ebafd
0x011ebb02
0x011ebb02
0x011ebb02
0x011ebb06
0x011ebb0c
0x011ebb11
0x00000000
0x011ebb11
0x011eba68
0x011eba68
0x011eba6e
0x011eba71
0x011eba78
0x011eba78
0x00000000
0x011eba78
0x011eba73
0x011eba76
0x00000000
0x00000000
0x00000000
0x011eba76
0x011eb974
0x011eb974
0x011eb976
0x011ebe40
0x011ebe40
0x011ebe47
0x00000000
0x00000000
0x011ebe4d
0x011ebe4f
0x00000000
0x00000000
0x011ebe5a
0x011ebe68
0x011ebe6e
0x011ebe74
0x011ebe77
0x011ebe82
0x011ebe8c
0x011ebe8c
0x011ebe79
0x011ebe79
0x011ebe79
0x011ebea4
0x011ebea9
0x011ebeac
0x011ebeae
0x011ebeb5
0x011ebebe
0x011ebecb
0x011ebed6
0x011ebee8
0x011ebeed
0x011ebeb5
0x011ebf05
0x00000000
0x011ebf05
0x011eb972
0x011eb94e
0x011eb94f
0x011eb956
0x00000000
0x00000000
0x00000000
0x011eb956
0x011eb8a8
0x011eb8af
0x00000000
0x011eb8b1
0x011eb8b1
0x011eb8bb
0x011eb8d1
0x011eb920
0x011eb920
0x011eb927
0x011eb929
0x011eb929
0x011eb8d9
0x011eb8e0
0x00000000
0x00000000
0x011eb8ef
0x011eb8f5
0x011eb8f7
0x00000000
0x011eb8fd
0x011eb902
0x011eb908
0x011eb90a
0x011eb910
0x011eb91a
0x011eb91a
0x00000000
0x011eb90a
0x011eb8f7
0x00000000
0x011eb920
0x011eb8af
0x011eb838
0x011eb83a
0x011eb878
0x011eb87f
0x011eb885
0x00000000
0x00000000
0x011eb887
0x011eb88e
0x00000000
0x00000000
0x00000000
0x011eb88e
0x011eb83f
0x011eb848
0x011eb85d
0x011eb862
0x011eb864
0x00000000
0x011eb86a
0x011eb870
0x011eb871
0x00000000
0x011eb871
0x011eb864
0x00000000

APIs

__EH_prolog.LIBCMT ref: 011EB7E5

Part of subcall function 011D1316: GetDlgItem.USER32(00000000,00003021), ref: 011D135A
Part of subcall function 011D1316: SetWindowTextW.USER32(00000000,012035F4), ref: 011D1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 011EB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 011EB8EF
IsDialogMessageW.USER32(?,?), ref: 011EB902
TranslateMessage.USER32(?), ref: 011EB910
DispatchMessageW.USER32(?), ref: 011EB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 011EB93D
EndDialog.USER32(?,00000001), ref: 011EB960
GetDlgItem.USER32(?,00000068), ref: 011EB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 011EB99E
SendMessageW.USER32(00000000,000000C2,00000000,012035F4), ref: 011EB9B1

Part of subcall function 011ED453: _wcslen.LIBCMT ref: 011ED47D

SetFocus.USER32(00000000), ref: 011EB9B8
_swprintf.LIBCMT ref: 011EBA24

Part of subcall function 011D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 011D40A5

Part of subcall function 011ED4D4: GetDlgItem.USER32(00000068,0122FCB8), ref: 011ED4E8
Part of subcall function 011ED4D4: ShowWindow.USER32(00000000,00000005,?,?,?,011EAF07,00000001,?,?,011EB7B9,0120506C,0122FCB8,0122FCB8,00001000,00000000,00000000), ref: 011ED510
Part of subcall function 011ED4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 011ED51B
Part of subcall function 011ED4D4: SendMessageW.USER32(00000000,000000C2,00000000,012035F4), ref: 011ED529
Part of subcall function 011ED4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 011ED53F
Part of subcall function 011ED4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 011ED559
Part of subcall function 011ED4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 011ED59D
Part of subcall function 011ED4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 011ED5AB
Part of subcall function 011ED4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 011ED5BA
Part of subcall function 011ED4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 011ED5E1
Part of subcall function 011ED4D4: SendMessageW.USER32(00000000,000000C2,00000000,012043F4), ref: 011ED5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 011EBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 011EBA90
GetTickCount.KERNEL32 ref: 011EBAAE
_swprintf.LIBCMT ref: 011EBAC2
GetLastError.KERNEL32(?,00000011), ref: 011EBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 011EBB43
_swprintf.LIBCMT ref: 011EBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 011EBBD0
GetCommandLineW.KERNEL32 ref: 011EBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 011EBC47
Sleep.KERNEL32(00000064), ref: 011EBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 011EBCE2
CloseHandle.KERNEL32(00000000), ref: 011EBCEB
_swprintf.LIBCMT ref: 011EBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 011EBD7D
SetDlgItemTextW.USER32(?,00000065,012035F4), ref: 011EBD94
GetDlgItem.USER32(?,00000065), ref: 011EBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 011EBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 011EBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 011EBE68
_wcslen.LIBCMT ref: 011EBEBE
_swprintf.LIBCMT ref: 011EBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 011EBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 011EBF4C
GetDlgItem.USER32(?,00000068), ref: 011EBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 011EBF6B
GetDlgItem.USER32(?,00000066), ref: 011EBF85
SetWindowTextW.USER32(00000000,0121A472), ref: 011EBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 011EC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 011EC01A
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 011EC1D9

Part of subcall function 011EC73F: __EH_prolog.LIBCMT ref: 011EC744

DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 011EC0BD
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 011EC1FD

Strings

LICENSEDLG, xrefs: 011EC0B2
"%s"%s, xrefs: 011EBD0D
STARTDLG, xrefs: 011EB801
__tmp_rar_sfx_access_check_%u, xrefs: 011EBAB5
<, xrefs: 011EBB84
%s, xrefs: 011EBED8
C:\Users\user\Desktop, xrefs: 011EBBC9
winrarsfxmappingfile.tmp, xrefs: 011EBBA6
-el -s2 "-d%s" "-sp%s", xrefs: 011EBB6B
@, xrefs: 011EBB91

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Message$ItemSend$Text$Window_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchFocusHandleLineMappingModuleNameParamShowSleepTickTranslateUnmap__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 452360596-2238251102
Opcode ID: 98577fd14e26cb498286f8ff16b15617121fe2370b1569db006b7bc0f81f0343
Instruction ID: f6b980d47044dde09980482945ee60f4c8070725baefe3e081a77b1045ba8d1d
Opcode Fuzzy Hash: 98577fd14e26cb498286f8ff16b15617121fe2370b1569db006b7bc0f81f0343
Instruction Fuzzy Hash: 5D42F371988645BEEB3ADBF4AC4DFBE7BFCAB11704F000158F644A6086CB749A44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 011E0863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E011E0863(void* __edx, char _a3, long _a4, short* _a8, short* _a12, short* _a16, short* _a20, short* _a24, short* _a28, short* _a32, short* _a36, short* _a40, short* _a44, short* _a48, short* _a52, short* _a56, short* _a60, short* _a64, short* _a68, short* _a72, short* _a76, short* _a80, short* _a84, short* _a88, short* _a92, short* _a96, short* _a100, short* _a104, short* _a108, short* _a112, short* _a116, short* _a120, short* _a124, short* _a128, short* _a132, short* _a136, short* _a140, short* _a144, short* _a148, short* _a152, short* _a156, short* _a160, short* _a164, short* _a168, short* _a172, short* _a176, short* _a180, short* _a184, short* _a188, short* _a192, short* _a196, short* _a200, short* _a204, short* _a208, short* _a212, short* _a216, short* _a220, short* _a224, short* _a228, short* _a232, short* _a236, short* _a240, short* _a244, char _a248, char _a252, short _a756, short _a760, char _a768, short _a772, char _a4848, char _a4852, void _a4860, char _a4864, short _a4868, char _a9152, char _a9160, void _a13260, signed char _a46032) {
				char _v1;
				long _v4;
				char* _t111;
				int _t122;
				long _t133;
				void* _t149;
				_Unknown_base(*)()* _t168;
				struct _OVERLAPPED* _t174;
				struct _OVERLAPPED* _t175;
				signed char _t176;
				_Unknown_base(*)()* _t177;
				struct _OVERLAPPED* _t189;
				long _t190;
				void* _t191;
				_Unknown_base(*)()* _t192;
				struct HINSTANCE__* _t193;
				signed int _t195;
				struct _OVERLAPPED* _t196;
				signed int _t197;
				void* _t198;
				_Unknown_base(*)()* _t199;
				signed int _t200;
				int _t201;
				void* _t202;

				E011EEC50(0xb3cc);
				_t174 = 0;
				_a3 = 0;
				_t193 = GetModuleHandleW(L"kernel32");
				if(_t193 != 0) {
					_t168 = GetProcAddress(_t193, "SetDllDirectoryW");
					_t176 = _a46032;
					_t192 = _t168;
					if(_t192 != 0) {
						asm("sbb ecx, ecx");
						_t177 = _t192;
						 *0x1203278( ~(_t176 & 0x000000ff) & 0x012035f4);
						 *_t192();
					}
					_t199 = GetProcAddress(_t193, "SetDefaultDllDirectories");
					if(_t199 != 0) {
						_t177 = _t199;
						 *0x1203278((_t176 & 0x000000ff ^ 0x00000001) + 1 << 0xb);
						 *_t199();
						_v1 = 1;
					}
					_t174 = 0;
				}
				_t111 =  *0x120e1a4; // 0x1203c2c
				_t201 = _t200 | 0xffffffff;
				_a8 = L"version.dll";
				_t194 = 0x800;
				_a12 = L"DXGIDebug.dll";
				_a16 = L"sfc_os.dll";
				_a20 = L"SSPICLI.DLL";
				_a24 = L"rsaenh.dll";
				_a28 = L"UXTheme.dll";
				_a32 = L"dwmapi.dll";
				_a36 = L"cryptbase.dll";
				_a40 = L"lpk.dll";
				_a44 = L"usp10.dll";
				_a48 = L"clbcatq.dll";
				_a52 = L"comres.dll";
				_a56 = L"ws2_32.dll";
				_a60 = L"ws2help.dll";
				_a64 = L"psapi.dll";
				_a68 = L"ieframe.dll";
				_a72 = L"ntshrui.dll";
				_a76 = L"atl.dll";
				_a80 = L"setupapi.dll";
				_a84 = L"apphelp.dll";
				_a88 = L"userenv.dll";
				_a92 = L"netapi32.dll";
				_a96 = L"shdocvw.dll";
				_a100 = L"crypt32.dll";
				_a104 = L"msasn1.dll";
				_a108 = L"cryptui.dll";
				_a112 = L"wintrust.dll";
				_a116 = L"shell32.dll";
				_a120 = L"secur32.dll";
				_a124 = L"cabinet.dll";
				_a128 = L"oleaccrc.dll";
				_a132 = L"ntmarta.dll";
				_a136 = L"profapi.dll";
				_a140 = L"WindowsCodecs.dll";
				_a144 = L"srvcli.dll";
				_a148 = L"cscapi.dll";
				_a152 = L"slc.dll";
				_a156 = L"imageres.dll";
				_a160 = L"dnsapi.DLL";
				_a164 = L"iphlpapi.DLL";
				_a168 = L"WINNSI.DLL";
				_a172 = L"netutils.dll";
				_a176 = L"mpr.dll";
				_a180 = L"devrtl.dll";
				_a184 = L"propsys.dll";
				_a188 = L"mlang.dll";
				_a192 = L"samcli.dll";
				_a196 = L"samlib.dll";
				_a200 = L"wkscli.dll";
				_a204 = L"dfscli.dll";
				_a208 = L"browcli.dll";
				_a212 = L"rasadhlp.dll";
				_a216 = L"dhcpcsvc6.dll";
				_a220 = L"dhcpcsvc.dll";
				_a224 = L"XmlLite.dll";
				_a228 = L"linkinfo.dll";
				_a232 = L"cryptsp.dll";
				_a236 = L"RpcRtRemote.dll";
				_a240 = L"aclui.dll";
				_a244 = L"dsrole.dll";
				_a248 = L"peerdist.dll";
				if( *_t111 == 0x78) {
					L15:
					GetModuleFileNameW(_t174,  &_a772, _t194);
					E011E0602( &_a9160, E011DC29A(_t215,  &_a772), _t194);
					_t189 = _t174;
					do {
						_t195 = _t174;
						if(E011DB146() < 0x600) {
							L19:
							_t196 =  *(_t202 + 0x18 + _t195 * 4);
							_push(0x800);
							E011DC310(_t218,  &_a772, _t196);
							_t122 = GetFileAttributesW( &_a760); // executed
							if(_t122 != _t201) {
								_t189 = _t196;
								L23:
								if(_v1 != 0) {
									L29:
									_t225 = _t189;
									if(_t189 == 0) {
										return _t122;
									}
									E011DC2E4(_t225,  &_a768);
									if(E011DB146() < 0x600) {
										_push( &_a9160);
										_push( &_a768);
										E011D4092( &_a4864, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t189);
										_t202 = _t202 + 0x18;
										_t122 = AllocConsole();
										__eflags = _t122;
										if(_t122 != 0) {
											__imp__AttachConsole(GetCurrentProcessId());
											_t133 = E011F3E13( &_a4860);
											WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4860, _t133,  &_v4, 0);
											Sleep(0x2710);
											_t122 = FreeConsole();
										}
									} else {
										E011E081B(L"dwmapi.dll");
										E011E081B(L"uxtheme.dll");
										_push( &_a9152);
										_push( &_a760);
										E011D4092( &_a4852, 0x864, E011DE617(0xf1), _t189);
										_t202 = _t202 + 0x18;
										_t122 = E011EA7E4(0,  &_a4848, E011DE617(0xf0), 0x30);
									}
									ExitProcess(0);
								}
								_t197 = 0;
								while(1) {
									_t175 =  *(_t202 + 0x38 + _t197 * 4);
									_push(0x800);
									E011DC310(0,  &_a768, _t175);
									_t122 = GetFileAttributesW( &_a756);
									if(_t122 != _t201) {
										break;
									}
									_t197 = _t197 + 1;
									if(_t197 < 0x35) {
										continue;
									}
									goto L29;
								}
								_t189 = _t175;
								goto L29;
							}
							goto L20;
						}
						_t149 = E011E081B( *(_t202 + 0x18 + _t195 * 4)); // executed
						if(_t149 == 0) {
							goto L19;
						}
						_t122 = CompareStringW(0x400, 0x1001,  *(_t202 + 0x24 + _t195 * 4), _t201, L"DXGIDebug.dll", _t201); // executed
						_t218 = _t122 - 2;
						if(_t122 != 2) {
							goto L20;
						}
						goto L19;
						L20:
						_t174 =  &(_t174->Internal);
					} while (_t174 < 8);
					goto L23;
				} else {
					_t190 = E011F75FB(_t177, _t111);
					if(_t190 == 0) {
						goto L15;
					}
					GetModuleFileNameW(_t174,  &_a4868, 0x800);
					_t198 = CreateFileW( &_a4868, 0x80000000, 1, _t174, 3, _t174, _t174);
					if(_t198 == _t201 || SetFilePointer(_t198, _t190, _t174, _t174) != _t190 || ReadFile(_t198,  &_a13260, 0x7ffe,  &_a4, _t174) == 0) {
						L14:
						CloseHandle(_t198);
						_t194 = 0x800;
						goto L15;
					} else {
						_push(0x104);
						 *((short*)(_t202 + 0x33e0 + (_a4 >> 1) * 2)) = 0;
						_push( &_a252);
						_push( &_a13260);
						while(1) {
							_t191 = E011E0371();
							_t215 = _t191;
							if(_t191 == 0) {
								goto L14;
							}
							E011E081B( &_a252);
							_push(0x104);
							_push( &_a248);
							_push(_t191);
						}
						goto L14;
					}
				}
			}

0x011e0868
0x011e0871
0x011e0878
0x011e0882
0x011e0886
0x011e088e
0x011e0894
0x011e089b
0x011e089f
0x011e08a6
0x011e08af
0x011e08b1
0x011e08b7
0x011e08b7
0x011e08c5
0x011e08c9
0x011e08d6
0x011e08d8
0x011e08de
0x011e08e0
0x011e08e0
0x011e08e5
0x011e08e5
0x011e08e7
0x011e08ec
0x011e08ef
0x011e08f7
0x011e08fc
0x011e0904
0x011e090f
0x011e0917
0x011e091f
0x011e0927
0x011e092f
0x011e0937
0x011e093f
0x011e0947
0x011e094f
0x011e0957
0x011e095f
0x011e0967
0x011e096f
0x011e0977
0x011e097f
0x011e0987
0x011e098f
0x011e0997
0x011e099f
0x011e09a7
0x011e09af
0x011e09b7
0x011e09bf
0x011e09c7
0x011e09d2
0x011e09dd
0x011e09e8
0x011e09f3
0x011e09fe
0x011e0a09
0x011e0a14
0x011e0a1f
0x011e0a2a
0x011e0a35
0x011e0a40
0x011e0a4b
0x011e0a56
0x011e0a61
0x011e0a6c
0x011e0a77
0x011e0a82
0x011e0a8d
0x011e0a98
0x011e0aa3
0x011e0aae
0x011e0ab9
0x011e0ac4
0x011e0acf
0x011e0ada
0x011e0ae5
0x011e0af0
0x011e0afb
0x011e0b06
0x011e0b11
0x011e0b1c
0x011e0b27
0x011e0b32
0x011e0b3d
0x011e0b48
0x011e0c14
0x011e0c1e
0x011e0c3b
0x011e0c40
0x011e0c42
0x011e0c42
0x011e0c4e
0x011e0c7d
0x011e0c7d
0x011e0c88
0x011e0c8f
0x011e0c9c
0x011e0ca4
0x011e0cae
0x011e0cb0
0x011e0cb5
0x011e0cec
0x011e0cec
0x011e0cee
0x011e0e05
0x011e0e05
0x011e0cfc
0x011e0d0b
0x011e0d7a
0x011e0d82
0x011e0d96
0x011e0d9b
0x011e0d9e
0x011e0da4
0x011e0da6
0x011e0daf
0x011e0dc4
0x011e0ddc
0x011e0de7
0x011e0ded
0x011e0ded
0x011e0d0d
0x011e0d12
0x011e0d1c
0x011e0d28
0x011e0d30
0x011e0d4a
0x011e0d4f
0x011e0d69
0x011e0d69
0x011e0df5
0x011e0df5
0x011e0cb7
0x011e0cb9
0x011e0cb9
0x011e0cc4
0x011e0ccb
0x011e0cd8
0x011e0ce0
0x00000000
0x00000000
0x011e0ce2
0x011e0ce6
0x00000000
0x00000000
0x00000000
0x011e0ce8
0x011e0cea
0x00000000
0x011e0cea
0x00000000
0x011e0ca4
0x011e0c54
0x011e0c5b
0x00000000
0x00000000
0x011e0c72
0x011e0c78
0x011e0c7b
0x00000000
0x00000000
0x00000000
0x011e0ca6
0x011e0ca6
0x011e0ca7
0x00000000
0x011e0b4e
0x011e0b54
0x011e0b59
0x00000000
0x00000000
0x011e0b69
0x011e0b89
0x011e0b8d
0x011e0c08
0x011e0c09
0x011e0c0f
0x00000000
0x011e0bbb
0x011e0bc3
0x011e0bc8
0x011e0bd7
0x011e0bdf
0x011e0bfd
0x011e0c02
0x011e0c04
0x011e0c06
0x00000000
0x00000000
0x011e0bea
0x011e0bef
0x011e0bfb
0x011e0bfc
0x011e0bfc
0x00000000
0x011e0bfd
0x011e0b8d

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 011E087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 011E088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 011E08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 011E0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011E0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 011E0B93
ReadFile.KERNEL32(00000000,?,00007FFE,01203C7C,00000000), ref: 011E0BB1
CloseHandle.KERNEL32(00000000), ref: 011E0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 011E0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,01203C7C,?,00000000,?,00000800), ref: 011E0C72
GetFileAttributesW.KERNELBASE(?,?,01203C7C,00000800,?,00000000,?,00000800), ref: 011E0C9C
GetFileAttributesW.KERNEL32(?,?,01203D44,00000800), ref: 011E0CD8

Part of subcall function 011E081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 011E0836
Part of subcall function 011E081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,011DF2D8,Crypt32.dll,00000000,011DF35C,?,?,011DF33E,?,?,?), ref: 011E0858

_swprintf.LIBCMT ref: 011E0D4A
_swprintf.LIBCMT ref: 011E0D96

Part of subcall function 011D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 011D40A5

AllocConsole.KERNEL32 ref: 011E0D9E
GetCurrentProcessId.KERNEL32 ref: 011E0DA8
AttachConsole.KERNEL32(00000000), ref: 011E0DAF
_wcslen.LIBCMT ref: 011E0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 011E0DD5
WriteConsoleW.KERNEL32(00000000), ref: 011E0DDC
Sleep.KERNEL32(00002710), ref: 011E0DE7
FreeConsole.KERNEL32 ref: 011E0DED
ExitProcess.KERNEL32 ref: 011E0DF5

Strings

Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 011E0D84
SetDllDirectoryW, xrefs: 011E0888
uxtheme.dll, xrefs: 011E0D17
DXGIDebug.dll, xrefs: 011E08FC, 011E0C5E
SetDefaultDllDirectories, xrefs: 011E08B9
dwmapi.dll, xrefs: 011E0927, 011E0D0D
kernel32, xrefs: 011E0873

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: b61e2125265433c2dddb9ab0057e4b147b5a5393bd81ec7bbdb26c7a763af285
Instruction ID: 3bf9e560e933e8415382e77f530b4d5eb49a366d5d768e3f0e69148e79b8446d
Opcode Fuzzy Hash: b61e2125265433c2dddb9ab0057e4b147b5a5393bd81ec7bbdb26c7a763af285
Instruction Fuzzy Hash: 0AD173B1118385AFD33AEF91984CB9FBBE9BF85704F504A1DF28597182C7708549CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011DDA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E011DDA67(char* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t245;
				void* _t246;
				WCHAR* _t247;
				void* _t252;
				unsigned int _t258;
				signed int _t264;
				signed int _t268;
				void* _t279;
				signed short* _t283;
				void* _t284;
				void* _t290;
				signed short* _t294;
				void* _t295;
				signed int _t299;
				signed int _t303;
				signed int _t318;
				signed int _t322;
				signed int _t324;
				signed int _t326;
				signed int _t333;
				char* _t334;
				signed int _t338;
				short _t341;
				void* _t342;
				signed int _t346;
				char* _t348;
				char* _t350;
				char* _t355;
				void* _t358;
				void* _t360;
				void* _t363;
				signed int _t372;
				char* _t374;
				unsigned int _t385;
				unsigned int _t389;
				signed int _t392;
				signed int _t397;
				signed int _t399;
				void* _t400;
				signed int _t401;
				void* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				char* _t421;
				signed int _t424;
				signed int _t425;
				void* _t430;
				char* _t434;
				signed int _t443;
				signed int _t444;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				signed int _t450;
				char* _t451;
				signed int _t453;
				signed int _t455;
				void* _t456;
				intOrPtr* _t459;
				signed int _t461;
				signed int _t462;
				char* _t463;
				signed int _t466;
				signed int _t467;
				char** _t468;
				void* _t470;
				void* _t471;
				void* _t473;
				void* _t477;
				void* _t478;

				_t443 = __edx;
				_t471 = _t470 - 0x54;
				E011EEB78(0x12029bd, _t468);
				E011EEC50(0x41fc);
				_t245 = 0x5c;
				_push(_t245);
				_push(_t468[0x18]);
				_t459 = __ecx;
				_t468[4] = _t245;
				_t468[0xe] = __ecx;
				_t246 = E011F22C6(__ecx);
				_t372 = 0;
				_t475 = _t246;
				_t247 = _t468 - 0x31d0;
				if(_t246 != 0) {
					E011E0602(_t247, _t468[0x18], 0x800);
				} else {
					GetModuleFileNameW(0, _t247, 0x800);
					 *((short*)(E011DC29A(_t475, _t468 - 0x31d0))) = 0;
					E011E05DA(_t475, _t468 - 0x31d0, _t468[0x18], 0x800);
				}
				E011D9556(_t468 - 0x4208);
				_push(4);
				 *(_t468 - 4) = _t372;
				_push(_t468 - 0x31d0);
				if(E011D98E0(_t468 - 0x4208, _t459) == 0) {
					L125:
					_t252 = E011D959A(_t468 - 0x4208); // executed
					 *[fs:0x0] =  *((intOrPtr*)(_t468 - 0xc));
					__eflags =  &(_t468[0x16]);
					return _t252;
				} else {
					_t447 = _t372;
					_t477 =  *0x120e720 - _t447; // 0x64
					if(_t477 <= 0) {
						L7:
						E011F6310(_t372,  *_t459,  *((intOrPtr*)(_t459 + 4)), 4, E011DD6E0);
						E011F6310(_t372,  *((intOrPtr*)(_t459 + 0x14)),  *((intOrPtr*)(_t459 + 0x18)), 4, E011DD640);
						_t473 = _t471 + 0x20;
						_t468[0x14] = _t372;
						_t448 = _t447 | 0xffffffff;
						_t468[0xf] = _t372;
						while(_t448 == 0xffffffff) {
							_t348 = E011D9E80(_t468 - 0x4208); // executed
							_t468[0x12] = _t348;
							_t350 = E011D9BD0(_t468 - 0x4208, _t443, _t468 - 0x21d0, 0x2000);
							_t468[0x11] = _t350;
							_t467 = _t372;
							_t24 = _t350 - 0x10; // -16
							_t434 = _t24;
							_t468[0xa] = _t434;
							if(_t434 < 0) {
								L25:
								_t351 = _t468[0x12];
								L26:
								E011D9D70(_t468 - 0x4208, _t468,  &(_t351[ &(_t468[0x11][0xfffffffffffffff0])]), _t372, _t372);
								_t355 =  &(_t468[0xf][1]);
								_t468[0xf] = _t355;
								__eflags = _t355 - 0x100;
								if(_t355 < 0x100) {
									continue;
								}
								__eflags = _t448 - 0xffffffff;
								if(_t448 == 0xffffffff) {
									goto L125;
								}
								break;
							} else {
								goto L10;
							}
							L12:
							_t363 = E011F6740(_t468 - 0x21ce + _t467, "*messages***", 0xb);
							_t473 = _t473 + 0xc;
							if(_t363 == 0) {
								L24:
								_t351 = _t468[0x12];
								_t448 =  &(_t468[0x12][_t467]);
								goto L26;
							} else {
								_t350 = _t468[0x11];
							}
							L14:
							_t443 = 0x2a;
							if( *((intOrPtr*)(_t468 + _t467 - 0x21d0)) != _t443) {
								L18:
								if( *((char*)(_t468 + _t467 - 0x21d0)) != 0x52 ||  *((char*)(_t468 + _t467 - 0x21cf)) != 0x61) {
									L21:
									_t467 = _t467 + 1;
									if(_t467 > _t468[0xa]) {
										goto L25;
									} else {
										_t350 = _t468[0x11];
										L10:
										if( *((char*)(_t468 + _t467 - 0x21d0)) != 0x2a ||  *((char*)(_t468 + _t467 - 0x21cf)) != 0x2a) {
											goto L14;
										} else {
											goto L12;
										}
									}
								} else {
									_t358 = E011F6740(_t468 - 0x21ce + _t467, 0x12039c8, 4);
									_t473 = _t473 + 0xc;
									if(_t358 == 0) {
										goto L125;
									}
									goto L21;
								}
							}
							_t439 = _t468 - 0x21cc + _t467;
							if( *((intOrPtr*)(_t468 - 0x21cc + _t467 - 2)) == _t443 && _t467 <=  &(_t350[0xffffffffffffffe0])) {
								_t360 = E011F6088(_t439, L"*messages***", 0xb);
								_t473 = _t473 + 0xc;
								if(_t360 == 0) {
									_t468[0x14] = 1;
									goto L24;
								}
							}
							goto L18;
						}
						asm("cdq");
						E011D9D70(_t468 - 0x4208, _t468, _t448, _t443, _t372);
						_push(0x200002);
						_t461 = E011F3E33(_t468 - 0x4208);
						_t468[0x13] = _t461;
						__eflags = _t461;
						if(_t461 == 0) {
							goto L125;
						}
						_t258 = E011D9BD0(_t468 - 0x4208, _t443, _t461, 0x200000);
						__eflags = _t468[0x14];
						_t385 = _t258;
						_t468[0x12] = _t385;
						if(_t468[0x14] == 0) {
							_push(2 + _t385 * 2);
							_t449 = E011F3E33(_t385);
							__eflags = _t449;
							if(_t449 == 0) {
								goto L125;
							}
							_t468[0x12][_t461] = _t372;
							E011E1B84(_t461, _t449,  &(_t468[0x12][1]));
							L011F3E2E(_t461);
							_t389 = _t468[0x12];
							_t461 = _t449;
							_t468[0x13] = _t461;
							L33:
							_t264 = 0x100000;
							__eflags = _t389 - 0x100000;
							if(_t389 <= 0x100000) {
								_t264 = _t389;
							}
							 *((short*)(_t461 + _t264 * 2)) = 0;
							E011E05A7(_t468 - 0x108, 0x12039d0, 0x64);
							_push(0x20002);
							_t450 = E011F3E33(0);
							_t468[0x11] = _t450;
							__eflags = _t450;
							if(_t450 != 0) {
								__eflags = _t468[0x12];
								_t462 = _t372;
								_t392 = _t372;
								_t468[0xc] = _t462;
								_t268 = _t372;
								 *(_t468 - 0x40) = _t372;
								_t468[0xb] = _t392;
								_t468[0x15] = _t268;
								_t468[0xa] = 0x20;
								_t468[0xf] = 9;
								if(_t468[0x12] <= 0) {
									L109:
									__eflags =  *(_t468 - 0x40);
									if( *(_t468 - 0x40) == 0) {
										_t463 = _t468[0xe];
										L122:
										L011F3E2E(_t468[0x13]);
										L011F3E2E(_t468[0x11]);
										_t451 =  &(_t463[0x3c]);
										__eflags = _t463[0x2c] - _t372;
										if(_t463[0x2c] <= _t372) {
											L124:
											 *0x12110b8 = _t463[0x28];
											E011F6310(_t372,  *_t451, _t463[0x40], 4, E011DD7A0);
											E011F6310(_t372, _t463[0x50], _t463[0x54], 4, E011DD7D0);
											goto L125;
										} else {
											goto L123;
										}
										do {
											L123:
											E011DE261(_t451, _t443, _t372);
											E011DE261( &(_t463[0x50]), _t443, _t372);
											_t372 = _t372 + 1;
											__eflags = _t372 - _t463[0x2c];
										} while (_t372 < _t463[0x2c]);
										goto L124;
									}
									_t468[7] = _t392;
									_t468[8] = E011F8CCE(_t372, _t462, _t468 - 0x40);
									_pop(_t397);
									__eflags = _t462;
									if(_t462 == 0) {
										L118:
										 *(_t450 + _t462 * 2) = 0;
										_t279 = 0x22;
										__eflags =  *_t450 - _t279;
										if( *_t450 == _t279) {
											__eflags = _t450;
										}
										_t468[9] = E011F7625(_t372, _t450);
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t463 = _t468[0xe];
										E011DE27C( &(_t463[0x28]), _t443, _t397, _t397, _t450);
										goto L122;
									}
									_t212 = _t462 - 1; // -1
									_t283 = _t450 + _t212 * 2;
									_t443 = 0x20;
									do {
										_t397 =  *_t283 & 0x0000ffff;
										__eflags = _t397 - _t443;
										if(_t397 == _t443) {
											goto L114;
										}
										__eflags = _t397 - _t468[0xf];
										if(_t397 != _t468[0xf]) {
											break;
										}
										L114:
										_t397 = 0;
										 *_t283 = 0;
										_t283 = _t283 - 2;
										_t462 = _t462 - 1;
										__eflags = _t462;
									} while (_t462 != 0);
									__eflags = _t462;
									if(_t462 != 0) {
										_t284 = 0x22;
										__eflags =  *((intOrPtr*)(_t450 + _t462 * 2 - 2)) - _t284;
										if( *((intOrPtr*)(_t450 + _t462 * 2 - 2)) == _t284) {
											__eflags = 0;
											 *((short*)(_t450 + _t462 * 2 - 2)) = 0;
										}
									}
									goto L118;
								}
								_t468[6] = 0xd;
								_t468[5] = 0xa;
								do {
									_t399 = _t468[0x13];
									__eflags = _t268;
									if(_t268 == 0) {
										L75:
										_t443 =  *(_t399 + _t268 * 2) & 0x0000ffff;
										_t268 = _t268 + 1;
										_t468[0x15] = _t268;
										__eflags = _t443;
										if(_t443 == 0) {
											break;
										}
										__eflags = _t443 - _t468[4];
										if(_t443 != _t468[4]) {
											_t400 = 0xd;
											__eflags = _t443 - _t400;
											if(_t443 == _t400) {
												L93:
												__eflags =  *(_t468 - 0x40);
												if( *(_t468 - 0x40) == 0) {
													L105:
													 *(_t468 - 0x40) = _t372;
													_t462 = _t372;
													_t468[0xb] = _t372;
													L106:
													_t468[0xc] = _t462;
													goto L107;
												}
												_t468[7] = _t468[0xb];
												_t468[8] = E011F8CCE(_t372, _t462, _t468 - 0x40);
												_pop(_t401);
												__eflags = _t462;
												if(_t462 == 0) {
													L102:
													 *(_t450 + _t462 * 2) = 0;
													_t290 = 0x22;
													__eflags =  *_t450 - _t290;
													if( *_t450 == _t290) {
														__eflags = _t450;
													}
													_t468[9] = E011F7625(_t372, _t450);
													asm("movsd");
													asm("movsd");
													asm("movsd");
													E011DE27C( &(_t468[0xe][0x28]), _t443, _t401, _t401, _t450);
													_t450 = _t468[0x11];
													_t268 = _t468[0x15];
													goto L105;
												}
												_t185 = _t462 - 1; // -1
												_t294 = _t450 + _t185 * 2;
												_t443 = 0x20;
												do {
													_t401 =  *_t294 & 0x0000ffff;
													__eflags = _t401 - _t443;
													if(_t401 == _t443) {
														goto L98;
													}
													__eflags = _t401 - _t468[0xf];
													if(_t401 != _t468[0xf]) {
														break;
													}
													L98:
													_t401 = 0;
													 *_t294 = 0;
													_t294 = _t294 - 2;
													_t462 = _t462 - 1;
													__eflags = _t462;
												} while (_t462 != 0);
												__eflags = _t462;
												if(_t462 != 0) {
													_t295 = 0x22;
													__eflags =  *((intOrPtr*)(_t450 + _t462 * 2 - 2)) - _t295;
													if( *((intOrPtr*)(_t450 + _t462 * 2 - 2)) == _t295) {
														__eflags = 0;
														 *((short*)(_t450 + _t462 * 2 - 2)) = 0;
													}
												}
												goto L102;
											}
											_t404 = 0xa;
											__eflags = _t443 - _t404;
											if(_t443 == _t404) {
												goto L93;
											}
											__eflags = _t462 - 0x10000;
											if(_t462 >= 0x10000) {
												goto L107;
											}
											L92:
											 *(_t450 + _t462 * 2) = _t443;
											_t462 = _t462 + 1;
											goto L106;
										}
										__eflags = _t462 - 0x10000;
										if(_t462 >= 0x10000) {
											goto L107;
										}
										_t406 = ( *(_t399 + _t268 * 2) & 0x0000ffff) - 0x22;
										__eflags = _t406;
										if(_t406 == 0) {
											_push(0x22);
											L88:
											_pop(_t407);
											 *(_t450 + _t462 * 2) = _t407;
											_t268 = _t268 + 1;
											_t468[0x15] = _t268;
											_t462 = _t462 + 1;
											goto L106;
										}
										_t410 = _t406 - 0x3a;
										__eflags = _t410;
										if(_t410 == 0) {
											_push(0x5c);
											goto L88;
										}
										_t411 = _t410 - 0x12;
										__eflags = _t411;
										if(_t411 == 0) {
											_push(0xa);
											goto L88;
										}
										_t412 = _t411 - 4;
										__eflags = _t412;
										if(_t412 == 0) {
											_push(0xd);
											goto L88;
										}
										__eflags = _t412 != 0;
										if(_t412 != 0) {
											goto L92;
										}
										_push(9);
										goto L88;
									}
									_t444 =  *(_t399 + _t268 * 2 - 2) & 0x0000ffff;
									__eflags = _t444 - _t468[6];
									if(_t444 == _t468[6]) {
										L42:
										_t443 = 0x3a;
										__eflags =  *(_t399 + _t268 * 2) - _t443;
										if( *(_t399 + _t268 * 2) != _t443) {
											L65:
											_t468[0x10] = _t399 + _t268 * 2;
											_t299 = E011E045B( *(_t399 + _t268 * 2) & 0x0000ffff);
											__eflags = _t299;
											if(_t299 == 0) {
												L74:
												_t399 = _t468[0x13];
												_t268 = _t468[0x15];
												goto L75;
											}
											E011E0602(_t468 - 0x298, _t468[0x10], 0x64);
											_t303 = E011F6105(_t468 - 0x298, L" \t,");
											_t468[0x10] = _t303;
											__eflags = _t303;
											if(_t303 == 0) {
												goto L74;
											}
											 *_t303 = 0;
											E011E1DA7(_t468 - 0x298, _t468 - 0x16c, 0x64);
											E011E05A7(_t468 - 0xa4, _t468 - 0x108, 0x64);
											E011E0580(__eflags, _t468 - 0xa4, _t468 - 0x16c, 0x64);
											E011E05A7(_t468 - 0x40, _t468 - 0xa4, 0x32);
											_t318 = E011F6159(_t372, 0, _t443, _t462, _t468 - 0xa4,  *(_t468[0xe]), _t468[0xe][4], 4, E011DD780);
											_t473 = _t473 + 0x14;
											__eflags = _t318;
											if(_t318 != 0) {
												_t322 =  *_t318 * 0xc;
												__eflags = _t322;
												_t156 = _t322 + 0x120e270; // 0x28b64ee0
												_t468[0xb] =  *_t156;
											}
											_t268 =  &(( &(_t468[0x15][1]))[_t468[0x10] - _t468 - 0x298 >> 1]);
											__eflags = _t268;
											_t421 = _t468[0x13];
											while(1) {
												_t443 =  *(_t421 + _t268 * 2) & 0x0000ffff;
												__eflags = _t443 - _t468[0xa];
												if(_t443 == _t468[0xa]) {
													goto L72;
												}
												L71:
												__eflags = _t443 - _t468[0xf];
												if(_t443 != _t468[0xf]) {
													_t468[0x15] = _t268;
													goto L107;
												}
												L72:
												_t268 = _t268 + 1;
												_t443 =  *(_t421 + _t268 * 2) & 0x0000ffff;
												__eflags = _t443 - _t468[0xa];
												if(_t443 == _t468[0xa]) {
													goto L72;
												}
												goto L71;
											}
										}
										_t453 = _t468[0x15];
										_t324 = _t268 | 0xffffffff;
										__eflags = _t324;
										_t466 = _t372;
										_t468[0xd] = _t324;
										_t374 = _t468[0x13];
										 *_t468 = L"STRINGS";
										_t468[1] = L"DIALOG";
										_t468[2] = L"MENU";
										_t468[3] = L"DIRECTION";
										do {
											_t468[0x10] = E011F3E13(_t468[_t466]);
											_t326 = E011F6088( &(_t374[2]) + _t453 * 2, _t468[_t466], _t325);
											_t473 = _t473 + 0x10;
											__eflags = _t326;
											if(_t326 != 0) {
												L47:
												_t424 = _t468[0xd];
												goto L48;
											}
											_t346 =  &(_t468[0x10][_t453]);
											_t430 = 0x20;
											__eflags = _t374[2 + _t346 * 2] - _t430;
											if(_t374[2 + _t346 * 2] > _t430) {
												goto L47;
											}
											_t424 = _t466;
											_t453 = _t346 + 1;
											_t468[0xd] = _t424;
											L48:
											_t466 = _t466 + 1;
											__eflags = _t466 - 4;
										} while (_t466 < 4);
										_t462 = _t468[0xc];
										_t372 = 0;
										_t468[0x15] = _t453;
										_t450 = _t468[0x11];
										__eflags = _t424;
										if(__eflags != 0) {
											_t268 = _t468[0x15];
											_t399 = _t468[0x13];
											if(__eflags <= 0) {
												goto L65;
											} else {
												goto L53;
											}
											while(1) {
												L53:
												_t443 = _t399 + _t268 * 2;
												_t455 =  *_t443 & 0x0000ffff;
												__eflags = _t455 - _t468[0xa];
												if(_t455 == _t468[0xa]) {
													goto L55;
												}
												L54:
												__eflags = _t455 - _t468[0xf];
												if(_t455 != _t468[0xf]) {
													_t468[0x15] = _t268;
													_t425 = _t372;
													_t456 = 0x20;
													__eflags = ( *_t443 & 0x0000ffff) - _t456;
													_t468[0x10] = _t372;
													_t450 = _t468[0x11];
													if(( *_t443 & 0x0000ffff) <= _t456) {
														L60:
														 *((short*)(_t468 + _t425 * 2 - 0x1d0)) = 0;
														E011E1DA7(_t468 - 0x1d0, _t468 - 0xa4, 0x64);
														_t468[0x15] =  &(_t468[0x15][_t468[0x10]]);
														_t333 = _t468[0xd];
														__eflags = _t333 - 3;
														if(_t333 != 3) {
															__eflags = _t333 - 1;
															_t334 = "$%s:";
															if(_t333 != 1) {
																_t334 = "@%s:";
															}
															E011DE5B1(_t468 - 0x108, 0x64, _t334, _t468 - 0xa4);
															_t473 = _t473 + 0x10;
														} else {
															_t338 = E011F3E49(_t468 - 0x1d0, _t468 - 0x1d0, L"RTL");
															asm("sbb al, al");
															_t468[0xe][0x64] =  ~_t338 + 1;
														}
														L51:
														_t268 = _t468[0x15];
														goto L107;
													} else {
														goto L57;
													}
													while(1) {
														L57:
														__eflags = _t425 - 0x63;
														if(_t425 >= 0x63) {
															break;
														}
														_t341 =  *_t443;
														_t443 = _t443 + 2;
														 *((short*)(_t468 + _t425 * 2 - 0x1d0)) = _t341;
														_t425 = _t425 + 1;
														_t342 = 0x20;
														__eflags =  *_t443 - _t342;
														if( *_t443 > _t342) {
															continue;
														}
														break;
													}
													_t468[0x10] = _t425;
													goto L60;
												}
												L55:
												_t268 = _t268 + 1;
												L53:
												_t443 = _t399 + _t268 * 2;
												_t455 =  *_t443 & 0x0000ffff;
												__eflags = _t455 - _t468[0xa];
												if(_t455 == _t468[0xa]) {
													goto L55;
												}
												goto L54;
											}
										}
										E011E05A7(_t468 - 0x108, 0x12039d0, 0x64);
										goto L51;
									}
									__eflags = _t444 - _t468[5];
									if(_t444 != _t468[5]) {
										goto L75;
									}
									goto L42;
									L107:
									__eflags = _t268 - _t468[0x12];
								} while (_t268 < _t468[0x12]);
								_t392 = _t468[0xb];
								goto L109;
							} else {
								L011F3E2E(_t461);
								goto L125;
							}
						}
						_t389 = _t385 >> 1;
						_t468[0x12] = _t389;
						goto L33;
					} else {
						goto L5;
					}
					goto L7;
					L5:
					E011DE261(_t459, _t443, _t447);
					E011DE261(_t459 + 0x14, _t443, _t447);
					_t447 = _t447 + 1;
					_t478 = _t447 -  *0x120e720; // 0x64
					if(_t478 < 0) {
						goto L5;
					} else {
						_t372 = 0;
						goto L7;
					}
				}
			}

0x011dda67
0x011dda68
0x011dda70
0x011dda7a
0x011dda84
0x011dda85
0x011dda86
0x011dda89
0x011dda8b
0x011dda8e
0x011dda91
0x011dda97
0x011dda99
0x011dda9c
0x011ddaa2
0x011ddade
0x011ddaa4
0x011ddaac
0x011ddac4
0x011ddace
0x011ddace
0x011ddae9
0x011ddaee
0x011ddaf6
0x011ddaf9
0x011ddb07
0x011de242
0x011de248
0x011de252
0x011de25a
0x011de25e
0x011ddb0d
0x011ddb0d
0x011ddb0f
0x011ddb15
0x011ddb33
0x011ddb3f
0x011ddb51
0x011ddb56
0x011ddb59
0x011ddb5c
0x011ddb5f
0x011ddb62
0x011ddb71
0x011ddb76
0x011ddb8b
0x011ddb90
0x011ddb93
0x011ddb95
0x011ddb95
0x011ddb98
0x011ddb9d
0x011ddc5a
0x011ddc5a
0x011ddc5d
0x011ddc6e
0x011ddc76
0x011ddc77
0x011ddc7a
0x011ddc7f
0x00000000
0x00000000
0x011ddc85
0x011ddc88
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x011ddbb7
0x011ddbc7
0x011ddbcc
0x011ddbd1
0x011ddc52
0x011ddc52
0x011ddc55
0x00000000
0x011ddbd3
0x011ddbd3
0x011ddbd3
0x011ddbd6
0x011ddbd8
0x011ddbe1
0x011ddc0c
0x011ddc14
0x011ddc40
0x011ddc40
0x011ddc44
0x00000000
0x011ddc46
0x011ddc46
0x011ddba3
0x011ddbab
0x00000000
0x00000000
0x00000000
0x00000000
0x011ddbab
0x011ddc20
0x011ddc30
0x011ddc35
0x011ddc3a
0x00000000
0x00000000
0x00000000
0x011ddc3a
0x011ddc14
0x011ddbe9
0x011ddbef
0x011ddc00
0x011ddc05
0x011ddc0a
0x011ddc4e
0x00000000
0x011ddc4e
0x011ddc0a
0x00000000
0x011ddbef
0x011ddc97
0x011ddc9a
0x011ddc9f
0x011ddca9
0x011ddcab
0x011ddcaf
0x011ddcb1
0x00000000
0x00000000
0x011ddcc3
0x011ddcc8
0x011ddccc
0x011ddcce
0x011ddcd1
0x011ddce1
0x011ddce7
0x011ddcea
0x011ddcec
0x00000000
0x00000000
0x011ddcf8
0x011ddcfe
0x011ddd04
0x011ddd0a
0x011ddd0d
0x011ddd0f
0x011ddd12
0x011ddd12
0x011ddd17
0x011ddd19
0x011ddd1b
0x011ddd1b
0x011ddd21
0x011ddd31
0x011ddd36
0x011ddd40
0x011ddd42
0x011ddd46
0x011ddd48
0x011ddd56
0x011ddd5a
0x011ddd5c
0x011ddd5e
0x011ddd61
0x011ddd63
0x011ddd66
0x011ddd69
0x011ddd6c
0x011ddd73
0x011ddd7a
0x011de15c
0x011de15c
0x011de160
0x011de1e0
0x011de1e3
0x011de1e6
0x011de1ee
0x011de1f3
0x011de1f8
0x011de1fb
0x011de214
0x011de221
0x011de228
0x011de23a
0x00000000
0x00000000
0x00000000
0x00000000
0x011de1fd
0x011de1fd
0x011de200
0x011de209
0x011de20e
0x011de20f
0x011de20f
0x00000000
0x011de1fd
0x011de165
0x011de16e
0x011de171
0x011de172
0x011de174
0x011de1af
0x011de1b1
0x011de1b7
0x011de1b8
0x011de1bb
0x011de1bd
0x011de1bd
0x011de1ca
0x011de1d0
0x011de1d1
0x011de1d2
0x011de1d3
0x011de1d9
0x00000000
0x011de1d9
0x011de176
0x011de17b
0x011de17e
0x011de17f
0x011de17f
0x011de182
0x011de185
0x00000000
0x00000000
0x011de187
0x011de18b
0x00000000
0x00000000
0x011de18d
0x011de18d
0x011de18f
0x011de192
0x011de195
0x011de195
0x011de195
0x011de19a
0x011de19c
0x011de1a0
0x011de1a1
0x011de1a6
0x011de1a8
0x011de1aa
0x011de1aa
0x011de1a6
0x00000000
0x011de19c
0x011ddd80
0x011ddd87
0x011ddd8e
0x011ddd8e
0x011ddd91
0x011ddd93
0x011de02a
0x011de02a
0x011de02e
0x011de02f
0x011de032
0x011de035
0x00000000
0x00000000
0x011de03b
0x011de03f
0x011de092
0x011de093
0x011de096
0x011de0b6
0x011de0b6
0x011de0ba
0x011de145
0x011de145
0x011de148
0x011de14a
0x011de14d
0x011de14d
0x00000000
0x011de14d
0x011de0c3
0x011de0cf
0x011de0d2
0x011de0d3
0x011de0d5
0x011de110
0x011de112
0x011de118
0x011de119
0x011de11c
0x011de11e
0x011de11e
0x011de131
0x011de137
0x011de138
0x011de139
0x011de13a
0x011de13f
0x011de142
0x00000000
0x011de142
0x011de0d7
0x011de0dc
0x011de0df
0x011de0e0
0x011de0e0
0x011de0e3
0x011de0e6
0x00000000
0x00000000
0x011de0e8
0x011de0ec
0x00000000
0x00000000
0x011de0ee
0x011de0ee
0x011de0f0
0x011de0f3
0x011de0f6
0x011de0f6
0x011de0f6
0x011de0fb
0x011de0fd
0x011de101
0x011de102
0x011de107
0x011de109
0x011de10b
0x011de10b
0x011de107
0x00000000
0x011de0fd
0x011de09a
0x011de09b
0x011de09e
0x00000000
0x00000000
0x011de0a0
0x011de0a6
0x00000000
0x00000000
0x011de0ac
0x011de0ac
0x011de0b0
0x00000000
0x011de0b0
0x011de041
0x011de047
0x00000000
0x00000000
0x011de051
0x011de051
0x011de054
0x011de07b
0x011de07d
0x011de07d
0x011de07e
0x011de085
0x011de086
0x011de089
0x00000000
0x011de089
0x011de056
0x011de056
0x011de059
0x011de077
0x00000000
0x011de077
0x011de05b
0x011de05b
0x011de05e
0x011de073
0x00000000
0x011de073
0x011de060
0x011de060
0x011de063
0x011de06f
0x00000000
0x011de06f
0x011de066
0x011de069
0x00000000
0x00000000
0x011de06b
0x00000000
0x011de06b
0x011ddd99
0x011ddd9e
0x011ddda2
0x011dddae
0x011dddb0
0x011dddb1
0x011dddb5
0x011ddf29
0x011ddf2c
0x011ddf33
0x011ddf38
0x011ddf3a
0x011de024
0x011de024
0x011de027
0x00000000
0x011de027
0x011ddf4c
0x011ddf5d
0x011ddf62
0x011ddf67
0x011ddf69
0x00000000
0x00000000
0x011ddf71
0x011ddf84
0x011ddf99
0x011ddfae
0x011ddfc0
0x011ddfdb
0x011ddfe0
0x011ddfe3
0x011ddfe5
0x011ddfe7
0x011ddfe7
0x011ddfea
0x011ddff0
0x011ddff0
0x011de004
0x011de004
0x011de006
0x011de009
0x011de009
0x011de00d
0x011de011
0x00000000
0x00000000
0x011de013
0x011de013
0x011de017
0x011de01c
0x00000000
0x011de01c
0x011de019
0x011de019
0x011de009
0x011de00d
0x011de011
0x00000000
0x00000000
0x00000000
0x011de011
0x011de009
0x011dddbb
0x011dddbe
0x011dddbe
0x011dddc1
0x011dddc3
0x011dddc6
0x011dddc9
0x011dddd0
0x011dddd7
0x011dddde
0x011ddde5
0x011dddf6
0x011dddfd
0x011dde02
0x011dde05
0x011dde07
0x011dde22
0x011dde22
0x00000000
0x011dde22
0x011dde0c
0x011dde10
0x011dde11
0x011dde16
0x00000000
0x00000000
0x011dde18
0x011dde1a
0x011dde1d
0x011dde25
0x011dde25
0x011dde26
0x011dde26
0x011dde2b
0x011dde2e
0x011dde30
0x011dde33
0x011dde36
0x011dde38
0x011dde55
0x011dde58
0x011dde5b
0x00000000
0x00000000
0x00000000
0x00000000
0x011dde61
0x011dde61
0x011dde61
0x011dde64
0x011dde67
0x011dde6b
0x00000000
0x00000000
0x011dde6d
0x011dde6d
0x011dde71
0x011dde78
0x011dde7b
0x011dde80
0x011dde81
0x011dde84
0x011dde87
0x011dde8a
0x011ddeab
0x011ddead
0x011ddec5
0x011ddecd
0x011dded0
0x011dded3
0x011dded6
0x011ddefc
0x011ddeff
0x011ddf04
0x011ddf06
0x011ddf06
0x011ddf1c
0x011ddf21
0x011dded8
0x011ddee4
0x011ddef0
0x011ddef4
0x011ddef4
0x011dde4d
0x011dde4d
0x00000000
0x00000000
0x00000000
0x00000000
0x011dde8c
0x011dde8c
0x011dde8c
0x011dde8f
0x00000000
0x00000000
0x011dde91
0x011dde94
0x011dde97
0x011dde9f
0x011ddea2
0x011ddea3
0x011ddea6
0x00000000
0x00000000
0x00000000
0x011ddea6
0x011ddea8
0x00000000
0x011ddea8
0x011dde73
0x011dde73
0x011dde61
0x011dde61
0x011dde64
0x011dde67
0x011dde6b
0x00000000
0x00000000
0x00000000
0x011dde6b
0x011dde61
0x011dde48
0x00000000
0x011dde48
0x011ddda4
0x011ddda8
0x00000000
0x00000000
0x00000000
0x011de150
0x011de150
0x011de150
0x011de159
0x00000000
0x011ddd4a
0x011ddd4b
0x00000000
0x011ddd50
0x011ddd48
0x011ddcd3
0x011ddcd5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x011ddb17
0x011ddb1a
0x011ddb23
0x011ddb28
0x011ddb29
0x011ddb2f
0x00000000
0x011ddb31
0x011ddb31
0x00000000
0x011ddb31
0x011ddb2f

APIs

__EH_prolog.LIBCMT ref: 011DDA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 011DDAAC

Part of subcall function 011DC29A: _wcslen.LIBCMT ref: 011DC2A2

Part of subcall function 011E05DA: _wcslen.LIBCMT ref: 011E05E0

Part of subcall function 011E1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,011DBAE9,00000000,?,?,?,000103AC), ref: 011E1BA0

_wcslen.LIBCMT ref: 011DDDE9
__fprintf_l.LIBCMT ref: 011DDF1C

Strings

$%s:, xrefs: 011DDEFF
RTL, xrefs: 011DDEDE
, xrefs: 011DDD6C
*messages***, xrefs: 011DDBFA
@%s:, xrefs: 011DDF06, 011DDF12
a, xrefs: 011DDC16
R, xrefs: 011DDC0C
,, xrefs: 011DDF57
*messages***, xrefs: 011DDBC1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 789bbc90162c6c2fecb3ef1f7ea0ad351d4a02f447c5f0eb35a35336dcc9c619
Instruction ID: 25b089922d231c2a565763952a831cb4fafa0d860292a1af55fef0cec02f3a77
Opcode Fuzzy Hash: 789bbc90162c6c2fecb3ef1f7ea0ad351d4a02f447c5f0eb35a35336dcc9c619
Instruction Fuzzy Hash: C632DF71A00219AFDF2DEFA8D845AEE7BB4FF18304F44015AFA059B281E771E985CB51

Uniqueness

Uniqueness Score: -1.00%

Function 011ED4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E011ED4D4() {
				intOrPtr _t41;
				intOrPtr _t44;
				struct HWND__* _t46;
				void* _t48;
				char _t49;

				E011EB568(); // executed
				_t46 = GetDlgItem( *0x1218458, 0x68);
				_t49 =  *0x1218463; // 0x1
				if(_t49 == 0) {
					_t44 =  *0x1218440; // 0x116fcf8
					E011E9285(_t44);
					ShowWindow(_t46, 5); // executed
					SendMessageW(_t46, 0xb1, 0, 0xffffffff);
					SendMessageW(_t46, 0xc2, 0, 0x12035f4);
					 *0x1218463 = 1;
				}
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				 *(_t48 + 0x10) = 0x5c;
				SendMessageW(_t46, 0x43a, 0, _t48 + 0x10);
				 *((char*)(_t48 + 0x29)) = 0;
				_t41 =  *((intOrPtr*)(_t48 + 0x70));
				 *((intOrPtr*)(_t48 + 0x14)) = 1;
				if(_t41 != 0) {
					 *((intOrPtr*)(_t48 + 0x24)) = 0xa0;
					 *((intOrPtr*)(_t48 + 0x14)) = 0x40000001;
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xbfffffff | 1;
				}
				SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				SendMessageW(_t46, 0xc2, 0,  *(_t48 + 0x74));
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				if(_t41 != 0) {
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xfffffffe | 0x40000000;
					SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				}
				return SendMessageW(_t46, 0xc2, 0, L"\r\n");
			}

0x011ed4db
0x011ed4f5
0x011ed4fa
0x011ed500
0x011ed502
0x011ed508
0x011ed510
0x011ed51b
0x011ed529
0x011ed52f
0x011ed52f
0x011ed53f
0x011ed549
0x011ed559
0x011ed561
0x011ed565
0x011ed56a
0x011ed570
0x011ed57b
0x011ed585
0x011ed58d
0x011ed58d
0x011ed59d
0x011ed5ab
0x011ed5ba
0x011ed5c2
0x011ed5d0
0x011ed5e1
0x011ed5e1
0x011ed5fd

APIs

Part of subcall function 011EB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 011EB579
Part of subcall function 011EB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 011EB58A
Part of subcall function 011EB568: IsDialogMessageW.USER32(000103AC,?), ref: 011EB59E
Part of subcall function 011EB568: TranslateMessage.USER32(?), ref: 011EB5AC
Part of subcall function 011EB568: DispatchMessageW.USER32(?), ref: 011EB5B6

GetDlgItem.USER32(00000068,0122FCB8), ref: 011ED4E8
ShowWindow.USER32(00000000,00000005,?,?,?,011EAF07,00000001,?,?,011EB7B9,0120506C,0122FCB8,0122FCB8,00001000,00000000,00000000), ref: 011ED510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 011ED51B
SendMessageW.USER32(00000000,000000C2,00000000,012035F4), ref: 011ED529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 011ED53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 011ED559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 011ED59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 011ED5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 011ED5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 011ED5E1
SendMessageW.USER32(00000000,000000C2,00000000,012043F4), ref: 011ED5F0

Strings

\, xrefs: 011ED549

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 968aa0d26065d8d55fd9e18084c6d60e16094e333a83fa594fcd86b23cc9670e
Instruction ID: e0f0a54f1c2923ef668abecea5d90be76fc406b186cd6369f3aecb854d49f669
Opcode Fuzzy Hash: 968aa0d26065d8d55fd9e18084c6d60e16094e333a83fa594fcd86b23cc9670e
Instruction Fuzzy Hash: 4C31AF71145742AFE321DF24BC4EFABBFACFB96708F000508F691D6185DB659A0487B6

Uniqueness

Uniqueness Score: -1.00%

Function 011FA95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E011FA95B(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t49;
				signed int _t54;
				int _t57;
				signed int _t59;
				short* _t61;
				signed int _t65;
				short* _t70;
				int _t79;
				void* _t81;
				short* _t82;
				signed int _t88;
				signed int _t91;
				void* _t96;
				int _t98;
				void* _t99;
				short* _t101;
				int _t103;
				void* _t104;
				int _t105;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x120e7ac; // 0xc166b63b
				_v8 = _t49 ^ _t106;
				_t103 = _a20;
				if(_t103 > 0) {
					_t79 = E011FEF4C(_a16, _t103);
					_t110 = _t79 - _t103;
					_t4 = _t79 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t79;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					_pop(_t99);
					_pop(_t104);
					_pop(_t81);
					return E011EFBBC(_t54, _t81, _v8 ^ _t106, _t96, _t99, _t104);
				} else {
					_t96 = _t54 + _t54;
					_t86 = _t96 + 8;
					asm("sbb eax, eax");
					if((_t96 + 0x00000008 & _t54) == 0) {
						_t82 = 0;
						__eflags = 0;
						L14:
						if(_t82 == 0) {
							L36:
							_t105 = 0;
							L37:
							E011FABC3(_t82);
							_t54 = _t105;
							goto L38;
						}
						_t57 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t82, _v12);
						_t121 = _t57;
						if(_t57 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t59 = E011FAF6C(_t82, _t86, _v12, _t121, _a8, _a12, _t82, _v12, 0, 0, 0, 0, 0); // executed
						_t105 = _t59;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t88 = _t96 + 8;
							__eflags = _t96 - _t88;
							asm("sbb eax, eax");
							__eflags = _t88 & _t59;
							if((_t88 & _t59) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E011FABC3(_t101);
									goto L36;
								}
								_t61 = E011FAF6C(_t82, _t88, _t101, __eflags, _a8, _a12, _t82, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E011FABC3(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t91 = _t96 + 8;
							__eflags = _t96 - _t91;
							asm("sbb eax, eax");
							_t65 = _t59 & _t91;
							_t88 = _t96 + 8;
							__eflags = _t65 - 0x400;
							if(_t65 > 0x400) {
								__eflags = _t96 - _t88;
								asm("sbb eax, eax");
								_t101 = E011F8E06(_t88, _t65 & _t88);
								_pop(_t88);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t88;
							asm("sbb eax, eax");
							E01202010(_t65 & _t88);
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t105 = E011FAF6C(_t82, 0, _t100, _t125, _a8, _a12, _t82, _t100, _a24, _t70, 0, 0, 0);
						if(_t105 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t96 + 0x00000008;
					_t86 = _t96 + 8;
					if((_t54 & _t96 + 0x00000008) > 0x400) {
						__eflags = _t96 - _t86;
						asm("sbb eax, eax");
						_t82 = E011F8E06(_t86, _t72 & _t86);
						_pop(_t86);
						__eflags = _t82;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t82 = 0xdddd;
						L12:
						_t82 =  &(_t82[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E01202010(_t72 & _t86);
					_t82 = _t107;
					if(_t82 == 0) {
						goto L36;
					}
					 *_t82 = 0xcccc;
					goto L12;
				}
			}

0x011fa960
0x011fa961
0x011fa962
0x011fa969
0x011fa96e
0x011fa974
0x011fa97a
0x011fa980
0x011fa983
0x011fa983
0x011fa986
0x011fa988
0x011fa988
0x011fa986
0x011fa98a
0x011fa98f
0x011fa996
0x011fa999
0x011fa999
0x011fa9b5
0x011fa9bb
0x011fa9c0
0x011fab53
0x011fab56
0x011fab57
0x011fab58
0x011fab66
0x011fa9c6
0x011fa9c6
0x011fa9c9
0x011fa9ce
0x011fa9d2
0x011faa26
0x011faa26
0x011faa28
0x011faa2a
0x011fab48
0x011fab48
0x011fab4a
0x011fab4b
0x011fab51
0x00000000
0x011fab51
0x011faa3b
0x011faa41
0x011faa43
0x00000000
0x00000000
0x011faa49
0x011faa5b
0x011faa60
0x011faa64
0x00000000
0x00000000
0x011faa71
0x011faaab
0x011faaae
0x011faab1
0x011faab3
0x011faab5
0x011faab7
0x011fab03
0x011fab03
0x011fab05
0x011fab05
0x011fab07
0x011fab41
0x011fab42
0x00000000
0x011fab47
0x011fab1b
0x011fab20
0x011fab22
0x00000000
0x00000000
0x011fab26
0x011fab27
0x011fab28
0x011fab2b
0x011fab67
0x011fab6a
0x011fab2d
0x011fab2d
0x011fab2e
0x011fab2e
0x011fab3b
0x011fab3d
0x011fab3f
0x011fab70
0x00000000
0x00000000
0x00000000
0x00000000
0x011fab3f
0x011faab9
0x011faabc
0x011faabe
0x011faac0
0x011faac2
0x011faac5
0x011faaca
0x011faae5
0x011faae7
0x011faaf1
0x011faaf3
0x011faaf4
0x011faaf6
0x00000000
0x00000000
0x011faaf8
0x011faafe
0x011faafe
0x00000000
0x011faafe
0x011faacc
0x011faace
0x011faad2
0x011faad7
0x011faad9
0x011faadb
0x00000000
0x00000000
0x011faadd
0x00000000
0x011faadd
0x011faa73
0x011faa78
0x00000000
0x00000000
0x011faa7e
0x011faa80
0x00000000
0x00000000
0x011faa9c
0x011faaa0
0x00000000
0x00000000
0x00000000
0x011faaa6
0x011fa9d9
0x011fa9db
0x011fa9dd
0x011fa9e5
0x011faa04
0x011faa06
0x011faa10
0x011faa12
0x011faa13
0x011faa15
0x00000000
0x00000000
0x011faa1b
0x011faa21
0x011faa21
0x00000000
0x011faa21
0x011fa9e9
0x011fa9ed
0x011fa9f2
0x011fa9f6
0x00000000
0x00000000
0x011fa9fc
0x00000000
0x011fa9fc

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,011F5695,011F5695,?,?,?,011FABAC,00000001,00000001,2DE85006), ref: 011FA9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,011FABAC,00000001,00000001,2DE85006,?,?,?), ref: 011FAA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 011FAB35
__freea.LIBCMT ref: 011FAB42

Part of subcall function 011F8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,011FCA2C,00000000,?,011F6CBE,?,00000008,?,011F91E0,?,?,?), ref: 011F8E38

__freea.LIBCMT ref: 011FAB4B
__freea.LIBCMT ref: 011FAB70

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 58b58ce0dc1cc668fe991a5c5ceb88c0c60260a5d16ef1cda4a3b833201a3855
Instruction ID: 3333e2a443e2bafeb5d65eebea933ab8185f29472f8d7b2ca04b93e4a5a4ff08
Opcode Fuzzy Hash: 58b58ce0dc1cc668fe991a5c5ceb88c0c60260a5d16ef1cda4a3b833201a3855
Instruction Fuzzy Hash: 3F51B87261021AAFEB2D8E64EC45EBFBBAAEF44650F154A6DFE08D7140D738DC44C650

Uniqueness

Uniqueness Score: -1.00%

Function 011F3B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E011F3B72(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x12320e0 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x12062b4 + _t11 * 4);
						_v8 = _t12;
						_t13 = LoadLibraryExW(_t12, 0, 0x800); // executed
						_t29 = _t13;
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E011F6088(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x011f3b79
0x011f3bee
0x011f3b7e
0x011f3b80
0x011f3b87
0x011f3b8c
0x011f3b95
0x011f3ba4
0x011f3ba7
0x011f3bad
0x011f3bb1
0x011f3bfa
0x011f3bfc
0x011f3c00
0x011f3c03
0x011f3c03
0x011f3c09
0x011f3c09
0x011f3bf5
0x011f3bf9
0x011f3bf9
0x011f3bb3
0x011f3bbc
0x011f3be6
0x011f3be9
0x011f3beb
0x011f3beb
0x00000000
0x011f3beb
0x011f3bbe
0x011f3bc9
0x011f3bce
0x011f3bd3
0x00000000
0x00000000
0x011f3bda
0x011f3be0
0x011f3be4
0x00000000
0x00000000
0x00000000
0x011f3be4
0x011f3b91
0x00000000
0x00000000
0x00000000
0x011f3b93
0x011f3bf3
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,011F3C35,?,?,01232088,00000000,?,011F3D60,00000004,InitializeCriticalSectionEx,01206394,InitializeCriticalSectionEx,00000000), ref: 011F3C03

Strings

api-ms-, xrefs: 011F3BC3

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 49c5d06d421b6857e85d24e193482f07765722907bc61ce6199dbe0eb4594936
Instruction ID: 58aefc00ddc13b8f684b02d4ddee0bcf5876df7d2a82edab529e7c3faf53dff8
Opcode Fuzzy Hash: 49c5d06d421b6857e85d24e193482f07765722907bc61ce6199dbe0eb4594936
Instruction Fuzzy Hash: 52112331A15229ABDB378B6CAC44B497BA4BF01770F150218EA25EB285E331EC00C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 011EABAB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E011EABAB(long _a4) {
				short _v164;
				long _t5;
				long _t6;
				WCHAR* _t9;
				long _t11;

				_t11 = _a4;
				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
				if(_t5 != 0) {
					_t9 = L"EDIT";
					_t5 = E011E1FBB( &_v164, _t9);
					if(_t5 != 0) {
						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
						_t11 = _t5;
					}
				}
				if(_t11 != 0) {
					_t6 = SHAutoComplete(_t11, 0x10); // executed
					return _t6;
				}
				return _t5;
			}

0x011eabbb
0x011eabc2
0x011eabca
0x011eabcd
0x011eabda
0x011eabe1
0x011eabe9
0x011eabef
0x011eabef
0x011eabf1
0x011eabf4
0x011eabf9
0x00000000
0x011eabf9
0x011eac01

APIs

GetClassNameW.USER32(?,?,00000050), ref: 011EABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 011EABF9

Part of subcall function 011E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,011DC116,00000000,.exe,?,?,00000800,?,?,?,011E8E3C), ref: 011E1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 011EABE9

Strings

EDIT, xrefs: 011EABCD, 011EABD8, 011EABE5
plt, xrefs: 011EABF9

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT$plt
API String ID: 4243998846-3533433962
Opcode ID: ab3c0a3e5964eed23db351082dc8fea9d2794833136ef7038cfb0396ed2eedda
Instruction ID: 077360db60ba1d860ccedf2a71014dfeded941ffa98bead8daec4337e4e47047
Opcode Fuzzy Hash: ab3c0a3e5964eed23db351082dc8fea9d2794833136ef7038cfb0396ed2eedda
Instruction Fuzzy Hash: 08F08236600A2977EB30A668AC0DF9BB6ECAF46B41F484411BA05A31C4D761DA8586B6

Uniqueness

Uniqueness Score: -1.00%

Function 011D98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E011D98E0(void* __ecx, void* __esi, signed int _a4, short _a8, WCHAR* _a4180, unsigned int _a4184) {
				struct _FILETIME _v0;
				char _t38;
				void* _t40;
				long _t52;
				unsigned int _t53;
				long _t56;
				signed int _t57;
				void* _t61;
				void* _t62;
				long _t68;
				void* _t70;

				_t62 = __esi;
				E011EEC50(0x1050);
				_t53 = _a4184;
				_t61 = __ecx;
				 *(__ecx + 0x1034) =  *(__ecx + 0x1034) & 0x00000000;
				if( *((char*)(__ecx + 0x30)) != 0 || (_t53 & 0x00000004) != 0) {
					_t38 = 1;
				} else {
					_t38 = 0;
				}
				_push(_t62);
				_t68 = ( !(_t53 >> 1) & 0x00000001) + 1 << 0x1e;
				if((_t53 & 0x00000001) != 0) {
					_t68 = _t68 | 0x40000000;
				}
				_t56 =  !(_t53 >> 3) & 0x00000001;
				if(_t38 != 0) {
					_t56 = _t56 | 0x00000002;
				}
				E011D6EDB( &_a8);
				if( *((char*)(_t61 + 0x24)) != 0) {
					_t68 = _t68 | 0x00000100;
				}
				_t40 = CreateFileW(_a4180, _t68, _t56, 0, 3, 0x8000000, 0); // executed
				_t70 = _t40;
				if(_t70 != 0xffffffff) {
					goto L15;
				} else {
					_v0.dwLowDateTime = GetLastError();
					if(E011DBB03(_a4180,  &_a8, 0x800) == 0) {
						L16:
						if(_v0.dwLowDateTime == 2) {
							 *((intOrPtr*)(_t61 + 0x1034)) = 1;
						}
						L18:
						if( *((char*)(_t61 + 0x24)) != 0 && _t70 != 0xffffffff) {
							_v0.dwLowDateTime = _v0.dwLowDateTime | 0xffffffff;
							_a4 = _a4 | 0xffffffff;
							SetFileTime(_t70, 0,  &_v0, 0);
						}
						 *((char*)(_t61 + 0x1c)) = 0;
						 *((intOrPtr*)(_t61 + 0x10)) = 0;
						_t30 = _t70 != 0xffffffff;
						_t57 = _t56 & 0xffffff00 | _t30;
						 *((char*)(_t61 + 0x15)) = 0;
						if(_t30 != 0) {
							 *(_t61 + 8) = _t70;
							E011E0602(_t61 + 0x32, _a4180, 0x800);
							 *((char*)(_t61 + 0x25)) = 0;
						}
						return _t57;
					}
					_t70 = CreateFileW( &_a8, _t68, _t56, 0, 3, 0x8000000, 0);
					_t52 = GetLastError();
					if(_t52 == 2) {
						_v0.dwLowDateTime = _t52;
					}
					L15:
					if(_t70 != 0xffffffff) {
						goto L18;
					}
					goto L16;
				}
			}

0x011d98e0
0x011d98e5
0x011d98eb
0x011d98f4
0x011d98f6
0x011d9901
0x011d990c
0x011d9908
0x011d9908
0x011d9908
0x011d990e
0x011d9919
0x011d991f
0x011d9921
0x011d9921
0x011d992c
0x011d9931
0x011d9933
0x011d9933
0x011d993a
0x011d9943
0x011d9945
0x011d9945
0x011d995f
0x011d9965
0x011d996a
0x00000000
0x011d996c
0x011d9972
0x011d998e
0x011d99c8
0x011d99cd
0x011d99cf
0x011d99cf
0x011d99d9
0x011d99de
0x011d99e5
0x011d99ee
0x011d99f9
0x011d99f9
0x011d9a04
0x011d9a07
0x011d9a0a
0x011d9a0a
0x011d9a0d
0x011d9a10
0x011d9a21
0x011d9a25
0x011d9a2a
0x011d9a2a
0x011d9a39
0x011d9a39
0x011d99a8
0x011d99aa
0x011d99b3
0x011d99b5
0x011d99b5
0x011d99c3
0x011d99c6
0x00000000
0x00000000
0x00000000
0x011d99c6

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,011D7760,?,00000005,?,00000011), ref: 011D995F
GetLastError.KERNEL32(?,?,011D7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 011D996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,011D7760,?,00000005,?), ref: 011D99A2
GetLastError.KERNEL32(?,?,011D7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 011D99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,011D7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 011D99F9

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 01f5ea624709af49794c52f1e3e098ef4ee99c5b54f10a39b818bb2a1f9d64f7
Instruction ID: 9f35abefafb43e9e831cb6c139a58ae2aa0c8dd48a6da6e8826597da61649dcf
Opcode Fuzzy Hash: 01f5ea624709af49794c52f1e3e098ef4ee99c5b54f10a39b818bb2a1f9d64f7
Instruction Fuzzy Hash: A231483054474A6FE739DF28CC49BEABBD4BB04328F100B19FAE1961C1E3B4A044CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011EB568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E011EB568() {
				struct tagMSG _v32;
				int _t7;
				struct HWND__* _t10;
				long _t14;

				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
				if(_t7 != 0) {
					GetMessageW( &_v32, 0, 0, 0);
					_t10 =  *0x1218458; // 0x103ac
					if(_t10 == 0) {
						L3:
						TranslateMessage( &_v32);
						_t14 = DispatchMessageW( &_v32); // executed
						return _t14;
					}
					_t7 = IsDialogMessageW(_t10,  &_v32);
					if(_t7 == 0) {
						goto L3;
					}
				}
				return _t7;
			}

0x011eb579
0x011eb581
0x011eb58a
0x011eb590
0x011eb597
0x011eb5a8
0x011eb5ac
0x011eb5b6
0x00000000
0x011eb5b6
0x011eb59e
0x011eb5a6
0x00000000
0x00000000
0x011eb5a6
0x011eb5be

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 011EB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 011EB58A
IsDialogMessageW.USER32(000103AC,?), ref: 011EB59E
TranslateMessage.USER32(?), ref: 011EB5AC
DispatchMessageW.USER32(?), ref: 011EB5B6

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 35802fc392b2070fd67732ddc6afc8ac6ad31421bfb37852a02a47ad0b322132
Instruction ID: baa74f4fc5a968c394a99589bdff289266f6bf11290b3410a9bd02d413c85632
Opcode Fuzzy Hash: 35802fc392b2070fd67732ddc6afc8ac6ad31421bfb37852a02a47ad0b322132
Instruction Fuzzy Hash: EEF0DA71A0122AABDB30EBE6EC8CDDBBFBCEE052917004415B91AD2004EB34D205CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 011E15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 19%

			E011E15FE(intOrPtr* __ecx) {
				char _v516;
				char _v5124;
				signed int _t33;
				void* _t40;
				void* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				signed int _t51;
				void* _t61;
				void* _t62;

				E011EEC50(0x1400);
				_t57 = __ecx;
				_t33 =  *(__ecx + 0x48);
				_t61 = _t33 - 0x74;
				if(_t61 > 0) {
					__eflags = _t33 - 0x83;
					if(_t33 == 0x83) {
						E011ED694();
						__eflags =  *(_t57 + 4);
						if( *(_t57 + 4) == 0) {
							E011E0602( &_v5124, E011DE617(0xc9), 0xa00);
						} else {
							E011D4092( &_v5124, 0xa00, E011DE617(0xca),  *(_t57 + 4));
						}
						_t40 = E011EA7E4( *0x1218450,  &_v5124, E011DE617(0x96), 0); // executed
						return _t40;
					}
				} else {
					if(_t61 == 0) {
						_push(0x456);
						L38:
						_push(E011DE617());
						_push( *_t57);
						L19:
						_t45 = E011EB776();
						L11:
						return _t45;
					}
					_t62 = _t33 - 0x16;
					if(_t62 > 0) {
						__eflags = _t33 - 0x38;
						if(__eflags > 0) {
							_t46 = _t33 - 0x39;
							__eflags = _t46;
							if(_t46 == 0) {
								_push(0x8c);
								goto L38;
							}
							_t47 = _t46 - 1;
							__eflags = _t47;
							if(_t47 == 0) {
								_push(0x6f);
								goto L38;
							}
							_t48 = _t47 - 1;
							__eflags = _t48;
							if(_t48 == 0) {
								_push( *((intOrPtr*)(__ecx + 4)));
								_push(0x406);
								goto L13;
							}
							_t51 = _t48 - 9;
							__eflags = _t51;
							if(_t51 == 0) {
								_push(0x343);
								goto L38;
							}
							_t33 = _t51 - 1;
							__eflags = _t33;
							if(_t33 == 0) {
								_push(0x86);
								goto L38;
							}
						} else {
							if(__eflags == 0) {
								_push(0x67);
								goto L38;
							}
							_t33 = _t33 - 0x17;
							__eflags = _t33 - 0xb;
							if(_t33 <= 0xb) {
								switch( *((intOrPtr*)(_t33 * 4 +  &M011E190E))) {
									case 0:
										_push(0xde);
										goto L18;
									case 1:
										_push(0xe1);
										goto L18;
									case 2:
										_push(0xb4);
										goto L38;
									case 3:
										_push(0x69);
										goto L38;
									case 4:
										_push(0x6a);
										goto L38;
									case 5:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x68);
										goto L13;
									case 6:
										_push(0x46f);
										goto L38;
									case 7:
										_push(0x470);
										goto L38;
									case 8:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x471);
										goto L13;
									case 9:
										goto L64;
									case 0xa:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x71);
										goto L13;
									case 0xb:
										E011DE617(0xc8) =  &_v516;
										__eax = E011D4092( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
										_push( *((intOrPtr*)(__esi + 8)));
										__eax =  &_v516;
										_push( &_v516);
										return E011EB776( *__esi, L"%s: %s");
								}
							}
						}
					} else {
						if(_t62 == 0) {
							_push( *__ecx);
							_push(0xdd);
							L23:
							E011DE617();
							L7:
							_push(0);
							L8:
							return E011EB776();
						}
						if(_t33 <= 0x15) {
							switch( *((intOrPtr*)(_t33 * 4 +  &M011E18B6))) {
								case 0:
									_push( *__esi);
									_push(L"%ls");
									_push(">");
									goto L8;
								case 1:
									_push( *__ecx);
									_push(L"%ls");
									goto L7;
								case 2:
									_push(0);
									__eax = E011EAECD();
									goto L11;
								case 3:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7b);
									goto L13;
								case 4:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7a);
									goto L13;
								case 5:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7c);
									goto L13;
								case 6:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xca);
									goto L13;
								case 7:
									_push(0x70);
									L18:
									_push(E011DE617());
									_push(0);
									goto L19;
								case 8:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x72);
									goto L13;
								case 9:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x78);
									goto L13;
								case 0xa:
									_push( *__esi);
									_push(0x85);
									goto L23;
								case 0xb:
									_push( *__esi);
									_push(0x204);
									goto L23;
								case 0xc:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x84);
									goto L13;
								case 0xd:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x83);
									goto L13;
								case 0xe:
									goto L64;
								case 0xf:
									_push( *((intOrPtr*)(__esi + 8)));
									_push( *((intOrPtr*)(__esi + 4)));
									__eax = E011DE617(0xd2);
									return __eax;
								case 0x10:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x79);
									goto L13;
								case 0x11:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xdc);
									L13:
									_push(E011DE617());
									_push( *_t57);
									goto L8;
							}
						}
					}
				}
				L64:
				return _t33;
			}

0x011e1606
0x011e160c
0x011e160e
0x011e1611
0x011e1614
0x011e183f
0x011e1844
0x011e1846
0x011e184b
0x011e184f
0x011e188c
0x011e1851
0x011e186b
0x011e1870
0x011e18ab
0x00000000
0x011e18ab
0x011e161a
0x011e161a
0x011e1835
0x011e175e
0x011e1763
0x011e1764
0x011e16a1
0x011e16a1
0x011e166a
0x00000000
0x011e166a
0x011e1620
0x011e1623
0x011e1723
0x011e1726
0x011e17e6
0x011e17e6
0x011e17e9
0x011e182b
0x00000000
0x011e182b
0x011e17eb
0x011e17eb
0x011e17ee
0x011e1824
0x00000000
0x011e1824
0x011e17f0
0x011e17f0
0x011e17f3
0x011e1817
0x011e181a
0x00000000
0x011e181a
0x011e17f5
0x011e17f5
0x011e17f8
0x011e180d
0x00000000
0x011e180d
0x011e17fa
0x011e17fa
0x011e17fd
0x011e1803
0x00000000
0x011e1803
0x011e172c
0x011e172c
0x011e17df
0x00000000
0x011e17df
0x011e1732
0x011e1735
0x011e1738
0x011e173e
0x00000000
0x011e1745
0x00000000
0x00000000
0x011e174f
0x00000000
0x00000000
0x011e1759
0x00000000
0x00000000
0x011e176b
0x00000000
0x00000000
0x011e176f
0x00000000
0x00000000
0x011e1773
0x011e1776
0x00000000
0x00000000
0x011e177d
0x00000000
0x00000000
0x011e1784
0x00000000
0x00000000
0x011e178b
0x011e178e
0x00000000
0x00000000
0x00000000
0x00000000
0x011e1798
0x011e179b
0x00000000
0x00000000
0x011e17b0
0x011e17bc
0x011e17c1
0x011e17c4
0x011e17ca
0x00000000
0x00000000
0x011e173e
0x011e1738
0x011e1629
0x011e1629
0x011e171a
0x011e171c
0x011e16be
0x011e16be
0x011e1646
0x011e1646
0x011e1648
0x00000000
0x011e164d
0x011e1632
0x011e1638
0x00000000
0x011e1655
0x011e1657
0x011e165c
0x00000000
0x00000000
0x011e163f
0x011e1641
0x00000000
0x00000000
0x011e1663
0x011e1665
0x00000000
0x00000000
0x011e1670
0x011e1673
0x00000000
0x00000000
0x011e167f
0x011e1682
0x00000000
0x00000000
0x011e1686
0x011e1689
0x00000000
0x00000000
0x011e168d
0x011e1690
0x00000000
0x00000000
0x011e1697
0x011e1699
0x011e169e
0x011e169f
0x00000000
0x00000000
0x011e16a9
0x011e16ac
0x00000000
0x00000000
0x011e16b0
0x011e16b3
0x00000000
0x00000000
0x011e16b7
0x011e16b9
0x00000000
0x00000000
0x011e16c6
0x011e16c8
0x00000000
0x00000000
0x011e16cf
0x011e16d2
0x00000000
0x00000000
0x011e16d9
0x011e16dc
0x00000000
0x00000000
0x00000000
0x00000000
0x011e16e3
0x011e16e6
0x011e16ee
0x00000000
0x00000000
0x011e1703
0x011e1706
0x00000000
0x00000000
0x011e170d
0x011e1710
0x011e1675
0x011e167a
0x011e167b
0x00000000
0x00000000
0x011e1638
0x011e1632
0x011e1623
0x011e18b2
0x011e18b2

APIs

_swprintf.LIBCMT ref: 011E17BC
_swprintf.LIBCMT ref: 011E186B

Strings

%s: %s, xrefs: 011E17CB
%ls, xrefs: 011E1641, 011E1657

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: b443361fd07e0c8d70a048f9503c41c98224c05552461c6c17f156a8124328f1
Instruction ID: d20939e4f54cead90d2997f80c86611781c77c94a2d399ca37275dc75da2b476
Opcode Fuzzy Hash: b443361fd07e0c8d70a048f9503c41c98224c05552461c6c17f156a8124328f1
Instruction Fuzzy Hash: D6510475688F01F6F62E2AE48D4DF3576E5AB18F08F054606F387684E0DBF2A4108B1B

Uniqueness

Uniqueness Score: -1.00%

Function 011EB270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E011EB270(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				short _v260;
				void* __ebx;
				void* _t15;
				signed short _t24;
				struct HWND__* _t28;
				intOrPtr _t29;
				void* _t30;

				_t24 = _a12;
				_t29 = _a8;
				_t28 = _a4;
				if(E011D1316(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t30 = _t29 - 0x110;
				if(_t30 == 0) {
					SetDlgItemTextW(_t28, 0x67, _a16); // executed
					goto L10;
				}
				if(_t30 != 1) {
					L5:
					return 0;
				}
				_t15 = (_t24 & 0x0000ffff) - 1;
				if(_t15 == 0) {
					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
					E011DF3FA(_t24, 0x1227a78,  &_v260);
					E011DF445( &_v260, 0x80);
					_push(1);
					L7:
					 *0x12330b0(_t28); // executed
					goto L10;
				}
				if(_t15 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x011eb27a
0x011eb27e
0x011eb282
0x011eb29b
0x011eb30a
0x00000000
0x011eb30c
0x011eb29d
0x011eb2a3
0x011eb304
0x00000000
0x011eb304
0x011eb2a8
0x011eb2b7
0x00000000
0x011eb2b7
0x011eb2ad
0x011eb2b0
0x011eb2d6
0x011eb2e8
0x011eb2f5
0x011eb2fa
0x011eb2bd
0x011eb2be
0x00000000
0x011eb2be
0x011eb2b5
0x011eb2bb
0x00000000
0x011eb2bb
0x00000000

APIs

Part of subcall function 011D1316: GetDlgItem.USER32(00000000,00003021), ref: 011D135A
Part of subcall function 011D1316: SetWindowTextW.USER32(00000000,012035F4), ref: 011D1370

KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 011EB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 011EB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 011EB304

Strings

GETPASSWORD1, xrefs: 011EB289

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ItemText$CallbackDispatcherUserWindow
String ID: GETPASSWORD1
API String ID: 1076754736-3292211884
Opcode ID: 1ead113b4f318fd41432b5220c6f679b0053b40d241d705acdf80d39bc6c52d2
Instruction ID: e4a3a870be591134290e8bd0db3fc864603a78a583fe3cb78f4f27cfcea78c3f
Opcode Fuzzy Hash: 1ead113b4f318fd41432b5220c6f679b0053b40d241d705acdf80d39bc6c52d2
Instruction Fuzzy Hash: 3811083290811676DB2A9AE8AC4DFFF3BBCFF19710F000010FA46B20C0C7A0EA4187A5

Uniqueness

Uniqueness Score: -1.00%

Function 011EAC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E011EAC16(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t10;

				_t10 = E011E081B(L"riched20.dll"); // executed
				 *__ecx = _t10;
				 *0x1233174(0); // executed
				_v16 = 8;
				_v12 = 0x7ff;
				 *0x1233034( &_v16); // executed
				_v32 = 1;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				L011EEB2C(); // executed
				 *0x1233090(0x1218438,  &_v8,  &_v32, 0); // executed
				return __ecx;
			}

0x011eac25
0x011eac2c
0x011eac2f
0x011eac38
0x011eac40
0x011eac47
0x011eac51
0x011eac5c
0x011eac60
0x011eac63
0x011eac66
0x011eac70
0x011eac7b

APIs

Part of subcall function 011E081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 011E0836
Part of subcall function 011E081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,011DF2D8,Crypt32.dll,00000000,011DF35C,?,?,011DF33E,?,?,?), ref: 011E0858

OleInitialize.OLE32(00000000), ref: 011EAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 011EAC66
SHGetMalloc.SHELL32(01218438), ref: 011EAC70

Strings

riched20.dll, xrefs: 011EAC1E

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 1227a6128c6ef0fa6c8ed664373812bab56ef096bfe1a24892386218eb61dd71
Instruction ID: 9bd2ccf6da51a0f9d0c59d2c037636bbc89c771441294ee82e9cebbcb2106309
Opcode Fuzzy Hash: 1227a6128c6ef0fa6c8ed664373812bab56ef096bfe1a24892386218eb61dd71
Instruction Fuzzy Hash: E0F0FFB1D00209ABCB10EFA9D94899FFBFCEF94704F00415AE455E2205DBB456458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 011EDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E011EDBDE(void* __eflags, WCHAR* _a4) {
				char _v8196;
				WCHAR* _t8;
				int _t11;
				WCHAR* _t13;

				E011EEC50(0x2000);
				SetEnvironmentVariableW(L"sfxcmd", _a4); // executed
				_t8 = E011E0371(_a4,  &_v8196, 0x1000);
				_t13 = _t8;
				if(_t13 != 0) {
					_push( *_t13 & 0x0000ffff);
					while(E011E048D() != 0) {
						_t13 =  &(_t13[1]);
						_push( *_t13 & 0x0000ffff);
					}
					_t11 = SetEnvironmentVariableW(L"sfxpar", _t13); // executed
					return _t11;
				}
				return _t8;
			}

0x011edbe6
0x011edbf4
0x011edc09
0x011edc0e
0x011edc12
0x011edc17
0x011edc21
0x011edc1a
0x011edc20
0x011edc20
0x011edc30
0x00000000
0x011edc30
0x011edc38

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 011EDBF4
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 011EDC30

Strings

sfxcmd, xrefs: 011EDBEF
sfxpar, xrefs: 011EDC2B

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: cd3cd11e5f0a2c6272c10abe8a53b1d31bd5f560f6353518ef6caf09ec876954
Instruction ID: 226cd7b1da396d0167e8ec911430ac5f47d16f787a5f3c385caca877d616a1ad
Opcode Fuzzy Hash: cd3cd11e5f0a2c6272c10abe8a53b1d31bd5f560f6353518ef6caf09ec876954
Instruction Fuzzy Hash: B2F02772404625ABCF252BD5AC0DBABBBE8AF18A81B040018FD8596042D7F08440CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 011D9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E011D9785(void* __ecx, void* _a4, long _a8) {
				long _v8;
				int _t14;
				signed int _t15;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x10)) == 1) {
					 *(_t25 + 8) = GetStdHandle(0xfffffff6);
				}
				_t14 = ReadFile( *(_t25 + 8), _a4, _a8,  &_v8, 0); // executed
				if(_t14 != 0) {
					_t15 = _v8;
				} else {
					_t16 = E011D98BC(_t25);
					if(_t16 == 0) {
						L7:
						if( *((intOrPtr*)(_t25 + 0x10)) != 1) {
							L10:
							if( *((intOrPtr*)(_t25 + 0x10)) != 0 || _a8 <= 0x8000) {
								L14:
								_t15 = _t16 | 0xffffffff;
							} else {
								_t16 = GetLastError();
								if(_t16 != 0x21) {
									goto L14;
								} else {
									_push(0x8000);
									goto L6;
								}
							}
						} else {
							_t16 = GetLastError();
							if(_t16 != 0x6d) {
								goto L10;
							} else {
								_t15 = 0;
							}
						}
					} else {
						_t16 = 0x4e20;
						if(_a8 <= 0x4e20) {
							goto L7;
						} else {
							_push(0x4e20);
							L6:
							_push(_a4);
							_t15 = E011D9785(_t25);
						}
					}
				}
				return _t15;
			}

0x011d9788
0x011d978a
0x011d9791
0x011d979b
0x011d979b
0x011d97ad
0x011d97b5
0x011d9811
0x011d97b7
0x011d97b9
0x011d97c0
0x011d97d9
0x011d97dd
0x011d97ee
0x011d97f2
0x011d980c
0x011d980c
0x011d97fe
0x011d97fe
0x011d9807
0x00000000
0x011d9809
0x011d9809
0x00000000
0x011d9809
0x011d9807
0x011d97df
0x011d97df
0x011d97e8
0x00000000
0x011d97ea
0x011d97ea
0x011d97ea
0x011d97e8
0x011d97c2
0x011d97c2
0x011d97ca
0x00000000
0x011d97cc
0x011d97cc
0x011d97cd
0x011d97cd
0x011d97d2
0x011d97d2
0x011d97ca
0x011d97c0
0x011d9817

APIs

GetStdHandle.KERNEL32(000000F6), ref: 011D9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 011D97AD
GetLastError.KERNEL32 ref: 011D97DF
GetLastError.KERNEL32 ref: 011D97FE

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 0cde1013af0d669c61a05ab1d7f100f443491c5da13481089709f442db505bbe
Instruction ID: 12e00d88fde615b33fd1f099a8186e770d5c520127acda0d25e1812d61986651
Opcode Fuzzy Hash: 0cde1013af0d669c61a05ab1d7f100f443491c5da13481089709f442db505bbe
Instruction Fuzzy Hash: 6611E53090061CEFDF3A9F68D80566937A9FB0073CF118629E816D5181D774CA44CF62

Uniqueness

Uniqueness Score: -1.00%

Function 011FAD34 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E011FAD34(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x12325d8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x12073f0 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0xc166b63c
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x011fad39
0x011fad3d
0x011fad44
0x011fad48
0x011fad56
0x011fad66
0x011fad6c
0x011fad70
0x011fad99
0x011fad9b
0x011fad9f
0x011fada2
0x011fada2
0x011fada8
0x011fadaa
0x00000000
0x011fadab
0x011fad72
0x011fad7b
0x011fad8a
0x011fad7d
0x011fad80
0x011fad86
0x011fad86
0x011fad8e
0x00000000
0x011fad90
0x011fad93
0x011fad95
0x00000000
0x011fad95
0x011fad8e
0x011fad4a
0x011fad4f
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,011DD710,00000000,00000000,?,011FACDB,011DD710,00000000,00000000,00000000,?,011FAED8,00000006,FlsSetValue), ref: 011FAD66
GetLastError.KERNEL32(?,011FACDB,011DD710,00000000,00000000,00000000,?,011FAED8,00000006,FlsSetValue,01207970,FlsSetValue,00000000,00000364,?,011F98B7), ref: 011FAD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,011FACDB,011DD710,00000000,00000000,00000000,?,011FAED8,00000006,FlsSetValue,01207970,FlsSetValue,00000000), ref: 011FAD80

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 3e8dab515b0e5e7755d7eddbc96ebab99883341e5a2022990f6de769cdf621a9
Instruction ID: 6593656893002ec69f6929336a878d3531f8e52292b94ccd74aad33360d52afe
Opcode Fuzzy Hash: 3e8dab515b0e5e7755d7eddbc96ebab99883341e5a2022990f6de769cdf621a9
Instruction Fuzzy Hash: A401D436211226AFC73ACA6CBC48A5A7B58EF456A27110728FA0ED31C6D724D801C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 011DA2B2 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011DA2B2(void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
				short _v4100;
				signed int _t11;
				void* _t14;
				void* _t17;
				int _t24;
				long _t25;
				WCHAR* _t26;
				void* _t27;

				_t27 = __eflags;
				E011EEC50(0x1000);
				_t26 = _a4;
				_t11 =  *(E011DC27E(_t27, _t26)) & 0x0000ffff;
				if(_t11 != 0x2e && _t11 != 0x20) {
					_t24 = CreateDirectoryW(_t26, 0); // executed
					if(_t24 != 0) {
						L6:
						if(_a8 != 0) {
							E011DA4ED(_t26, _a12);
						}
						return 0;
					}
				}
				if(E011DA231(_t26) == 0 && E011DBB03(_t26,  &_v4100, 0x800) != 0 && CreateDirectoryW( &_v4100, 0) != 0) {
					goto L6;
				}
				_t25 = GetLastError();
				_t14 = 2;
				__eflags = _t25 - _t14;
				if(_t25 != _t14) {
					__eflags = _t25 - 3;
					_t17 = (0 | _t25 == 0x00000003) + 1;
					__eflags = _t17;
					return _t17;
				}
				return _t14;
			}

0x011da2b2
0x011da2ba
0x011da2c0
0x011da2c9
0x011da2cf
0x011da2d9
0x011da2e1
0x011da316
0x011da31a
0x011da320
0x011da320
0x00000000
0x011da325
0x011da2e1
0x011da2eb
0x00000000
0x00000000
0x011da32f
0x011da333
0x011da334
0x011da336
0x011da33a
0x011da340
0x011da340
0x00000000
0x011da340
0x011da343

APIs

Part of subcall function 011DC27E: _wcslen.LIBCMT ref: 011DC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,011DA175,?,00000001,00000000,?,?), ref: 011DA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,011DA175,?,00000001,00000000,?,?), ref: 011DA30C
GetLastError.KERNEL32(?,?,?,?,011DA175,?,00000001,00000000,?,?), ref: 011DA329

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: d2b5eea28eaf419469642d176c73f773afc06307fd045fed4ed1b436af54abab
Instruction ID: e07b6c5a6924a26490503e6ce9fc8970a5cfc06cd410e99ef23ccc769835af0f
Opcode Fuzzy Hash: d2b5eea28eaf419469642d176c73f773afc06307fd045fed4ed1b436af54abab
Instruction Fuzzy Hash: 3301D8351052207AFF3AEA797C48BFD3759AF0A684F044414FA01D70C5DBA4C681C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 011FB893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E011FB893(void* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed char _v1828;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				void* _t67;
				signed char _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t87;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				char* _t94;
				intOrPtr _t96;
				signed int _t97;

				_t63 =  *0x120e7ac; // 0xc166b63b
				_v8 = _t63 ^ _t97;
				_t96 = _a4;
				_t4 = _t96 + 4; // 0x5efc4d8b
				if(GetCPInfo( *_t4,  &_v1820) == 0) {
					_t47 = _t96 + 0x119; // 0x11fbee6
					_t93 = _t47;
					_t87 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t93;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t94 = _t93 + _t87;
						_t69 = _t68 + _t94;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t94 = 0;
							} else {
								_t72 = _t96 + _t87;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t87 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t96 + _t87 + 0x19) =  *(_t96 + _t87 + 0x19) | 0x00000010;
							_t54 = _t87 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t94 = _t73;
						}
						_t68 = _v1828;
						_t61 = _t96 + 0x119; // 0x11fbee6
						_t93 = _t61;
						_t87 = _t87 + 1;
						__eflags = _t87 - 0x100;
					} while (_t87 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t97 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t90 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t103 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t93 =  *(_t90 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t93;
							if(_t76 > _t93) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t97 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t90 = _t90 + 2;
						__eflags = _t90;
						_t75 =  *_t90;
					}
					_t13 = _t96 + 4; // 0x5efc4d8b
					E011FC988(_t93, _t103, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
					_t16 = _t96 + 4; // 0x5efc4d8b
					_t19 = _t96 + 0x21c; // 0xdb855708
					E011FAB78(0, _t103, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
					_t21 = _t96 + 4; // 0x5efc4d8b
					_t23 = _t96 + 0x21c; // 0xdb855708
					E011FAB78(0, _t103, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
					_t91 = 0;
					do {
						_t68 =  *(_t97 + _t91 * 2 - 0x704) & 0x0000ffff;
						if((_t68 & 0x00000001) == 0) {
							__eflags = _t68 & 0x00000002;
							if((_t68 & 0x00000002) == 0) {
								 *(_t96 + _t91 + 0x119) = 0;
							} else {
								_t37 = _t96 + _t91 + 0x19;
								 *_t37 =  *(_t96 + _t91 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t68 =  *((intOrPtr*)(_t97 + _t91 - 0x304));
								goto L15;
							}
						} else {
							 *(_t96 + _t91 + 0x19) =  *(_t96 + _t91 + 0x19) | 0x00000010;
							_t68 =  *((intOrPtr*)(_t97 + _t91 - 0x204));
							L15:
							 *(_t96 + _t91 + 0x119) = _t68;
						}
						_t91 = _t91 + 1;
					} while (_t91 < 0x100);
				}
				return E011EFBBC(_t68, 0, _v8 ^ _t97, _t93, 0x100, _t96);
			}

0x011fb89e
0x011fb8a5
0x011fb8aa
0x011fb8b5
0x011fb8c7
0x011fb9bf
0x011fb9bf
0x011fb9c5
0x011fb9c7
0x011fb9c8
0x011fb9c8
0x011fb9ca
0x011fb9d0
0x011fb9d0
0x011fb9d2
0x011fb9d4
0x011fb9dd
0x011fb9e0
0x011fb9ec
0x011fb9f3
0x011fba03
0x011fb9f5
0x011fb9f5
0x011fb9f8
0x011fb9f8
0x011fb9f8
0x011fb9fc
0x011fb9fc
0x00000000
0x011fb9fc
0x011fb9e2
0x011fb9e2
0x011fb9e7
0x011fb9e7
0x011fb9ff
0x011fb9ff
0x011fb9ff
0x011fba05
0x011fba0b
0x011fba0b
0x011fba11
0x011fba12
0x011fba12
0x011fb8cd
0x011fb8cd
0x011fb8cf
0x011fb8cf
0x011fb8d6
0x011fb8d7
0x011fb8db
0x011fb8e1
0x011fb8e7
0x011fb90f
0x011fb90f
0x011fb911
0x00000000
0x00000000
0x011fb8f0
0x011fb8f4
0x011fb906
0x011fb906
0x011fb908
0x00000000
0x00000000
0x011fb8f9
0x011fb8fb
0x011fb8fd
0x011fb905
0x011fb905
0x00000000
0x011fb905
0x00000000
0x011fb8fb
0x011fb90a
0x011fb90a
0x011fb90d
0x011fb90d
0x011fb914
0x011fb929
0x011fb92f
0x011fb943
0x011fb94a
0x011fb959
0x011fb96b
0x011fb972
0x011fb97a
0x011fb97c
0x011fb97c
0x011fb986
0x011fb996
0x011fb998
0x011fb9af
0x011fb99a
0x011fb99a
0x011fb99a
0x011fb99a
0x011fb99f
0x00000000
0x011fb99f
0x011fb988
0x011fb988
0x011fb98d
0x011fb9a6
0x011fb9a6
0x011fb9a6
0x011fb9b6
0x011fb9b7
0x011fb9bb
0x011fba26

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 011FB8B8

Strings

, xrefs: 011FB8FD

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 108e6935d39f526b8c63e2b9a0aa3444abe334c98d28324a2d127157f1c10f33
Instruction ID: 9bcbd62eb2c664c4e69d54e6e61e34138c0280948dd9d69c05cdf4eef790864f
Opcode Fuzzy Hash: 108e6935d39f526b8c63e2b9a0aa3444abe334c98d28324a2d127157f1c10f33
Instruction Fuzzy Hash: 60411CB050824C9EDB2A8E28CC94BF6BBB9EF55204F1804ECD69A87142E3359A45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 011EDDA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E011EDDA0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16) {
				void* _v4100;
				void* __ebx;
				int _t19;
				void* _t21;
				signed int _t24;
				void* _t26;
				void* _t28;
				signed int _t31;
				signed int _t33;
				signed int _t35;
				struct HWND__* _t46;
				void* _t50;

				E011EEC50(0x1000);
				if( *0x121c572 == 0) {
					_t46 =  *0x1218458; // 0x103ac
					if(_a4 == 2) {
						_t24 =  *0x12330a8(_t46);
						asm("sbb eax, eax");
						_t46 = _t46 &  ~_t24;
					}
					E011DBAAD(_a8, _a12,  &_v4100, 0x800);
					_t19 = DialogBoxParamW( *0x121102c, L"GETPASSWORD1", _t46, E011EB270,  &_v4100); // executed
					_t28 = _a16;
					if(_t19 == 0) {
						E011DF3FA(_t28, _t28, 0x12035f4);
						 *0x1218454 = 1;
						_t21 = 0;
					} else {
						_t33 = 0x40;
						memcpy(_t28, 0x1227a78, _t33 << 2);
						_t50 = _t50 + 0xc;
						_t21 = 1;
						asm("movsw");
					}
					if( *((char*)(_t28 + 0x100)) != 0) {
						_t31 = 0x40;
						_t21 = memcpy(0x121c472, _t28, _t31 << 2);
						asm("movsw");
					}
					return _t21;
				}
				_t35 = 0x40;
				_t26 = memcpy(_a16, 0x121c472, _t35 << 2);
				asm("movsw");
				return _t26;
			}

0x011edda8
0x011eddb9
0x011eddd3
0x011eddd9
0x011edddc
0x011edde4
0x011edde6
0x011edde6
0x011eddfb
0x011ede18
0x011ede1e
0x011ede23
0x011ede3f
0x011ede44
0x011ede4b
0x011ede25
0x011ede27
0x011ede2f
0x011ede2f
0x011ede33
0x011ede34
0x011ede34
0x011ede54
0x011ede58
0x011ede60
0x011ede62
0x011ede62
0x00000000
0x011ede64
0x011eddc5
0x011eddc6
0x011eddc8
0x00000000

APIs

DialogBoxParamW.USER32(GETPASSWORD1,000103AC,011EB270,?,?), ref: 011EDE18

Strings

GETPASSWORD1, xrefs: 011EDE0D

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1
API String ID: 665744214-3292211884
Opcode ID: f4fd41b4af35fbe05b8c678b898116c6e75f44bd0bf37c6eea9c88830c358947
Instruction ID: 37c7643636e774903da2ded7d4ff2b4ba03281a7687cc7f5eb3952d3b2b751ab
Opcode Fuzzy Hash: f4fd41b4af35fbe05b8c678b898116c6e75f44bd0bf37c6eea9c88830c358947
Instruction Fuzzy Hash: 83112B32654254AAEF26D9B8BC4DBAF37D8FB19355F044028FE45AB084CBB4AC54C764

Uniqueness

Uniqueness Score: -1.00%

Function 011FAF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 35%

			E011FAF6C(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				void* __esi;
				signed int _t18;
				intOrPtr* _t20;
				int _t22;
				void* _t30;
				intOrPtr* _t33;
				void* _t34;
				signed int _t35;

				_t31 = __edi;
				_t26 = __ecx;
				_t25 = __ebx;
				_push(__ecx);
				_t18 =  *0x120e7ac; // 0xc166b63b
				_v8 = _t18 ^ _t35;
				_t20 = E011FAC98(0x16, "LCMapStringEx", 0x12079c4, "LCMapStringEx"); // executed
				_t33 = _t20;
				if(_t33 == 0) {
					_t22 = LCMapStringW(E011FAFF4(__ebx, _t26, _t30, __edi, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0x1203278(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					_t22 =  *_t33();
				}
				_pop(_t34);
				return E011EFBBC(_t22, _t25, _v8 ^ _t35, _t30, _t31, _t34);
			}

0x011faf6c
0x011faf6c
0x011faf6c
0x011faf71
0x011faf72
0x011faf79
0x011faf8e
0x011faf93
0x011faf9a
0x011fafdd
0x011faf9c
0x011fafb9
0x011fafbf
0x011fafbf
0x011fafe8
0x011faff1

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 011FAFDD

Strings

LCMapStringEx, xrefs: 011FAF7D, 011FAF87

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: a0954d141c1112c390a879e051bc21647ee4f0d7cda8344eb3e06bcfff3c66b6
Instruction ID: 39c3b42f55e71d72d50453be09ef5fcc3ac00984a6a154467bf1a30a1c1da8c7
Opcode Fuzzy Hash: a0954d141c1112c390a879e051bc21647ee4f0d7cda8344eb3e06bcfff3c66b6
Instruction Fuzzy Hash: FD01133250020EBBCF169F91EC05DAE7F62EF08754F014258FE1826161CB369931EB91

Uniqueness

Uniqueness Score: -1.00%

Function 011FAF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E011FAF0A(void* __ebx, void* __ecx, void* __edi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				void* __esi;
				signed int _t8;
				intOrPtr* _t10;
				int _t11;
				void* _t14;
				void* _t19;
				void* _t20;
				intOrPtr* _t22;
				void* _t23;
				signed int _t24;

				_t20 = __edi;
				_t14 = __ebx;
				_push(__ecx);
				_t8 =  *0x120e7ac; // 0xc166b63b
				_v8 = _t8 ^ _t24;
				_t10 = E011FAC98(0x14, "InitializeCriticalSectionEx", 0x12079a0, "InitializeCriticalSectionEx"); // executed
				_t22 = _t10;
				if(_t22 == 0) {
					_t11 = InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0x1203278(_a4, _a8, _a12);
					_t11 =  *_t22();
				}
				_pop(_t23);
				return E011EFBBC(_t11, _t14, _v8 ^ _t24, _t19, _t20, _t23);
			}

0x011faf0a
0x011faf0a
0x011faf0f
0x011faf10
0x011faf17
0x011faf2c
0x011faf31
0x011faf38
0x011faf55
0x011faf3a
0x011faf45
0x011faf4b
0x011faf4b
0x011faf60
0x011faf69

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,011FA56F), ref: 011FAF55

Strings

InitializeCriticalSectionEx, xrefs: 011FAF1B, 011FAF25

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: eee636824a6ca791d1d982f18f45fae361822098f87b086273cc3d374e139844
Instruction ID: befdf3241539a7591b89428b129a0bab5106e2c6f94320ca003802e4e71966f7
Opcode Fuzzy Hash: eee636824a6ca791d1d982f18f45fae361822098f87b086273cc3d374e139844
Instruction Fuzzy Hash: FEF0903164120CBFCB1B9F55EC09D9EBF61EF48711B414258FD099A251DB315A1097D5

Uniqueness

Uniqueness Score: -1.00%

Function 011FADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E011FADAF(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* __esi;
				signed int _t4;
				intOrPtr* _t6;
				long _t7;
				void* _t10;
				void* _t15;
				void* _t16;
				intOrPtr* _t18;
				void* _t19;
				signed int _t20;

				_t16 = __edi;
				_t10 = __ebx;
				_push(__ecx);
				_t4 =  *0x120e7ac; // 0xc166b63b
				_v8 = _t4 ^ _t20;
				_t6 = E011FAC98(3, "FlsAlloc", 0x1207938, "FlsAlloc"); // executed
				_t18 = _t6;
				if(_t18 == 0) {
					_t7 = TlsAlloc();
				} else {
					 *0x1203278(_a4);
					_t7 =  *_t18();
				}
				_pop(_t19);
				return E011EFBBC(_t7, _t10, _v8 ^ _t20, _t15, _t16, _t19);
			}

0x011fadaf
0x011fadaf
0x011fadb4
0x011fadb5
0x011fadbc
0x011fadd1
0x011fadd6
0x011faddd
0x011fadee
0x011faddf
0x011fade4
0x011fadea
0x011fadea
0x011fadf9
0x011fae02

APIs

TlsAlloc.KERNEL32 ref: 011FADEE

Strings

FlsAlloc, xrefs: 011FADC0, 011FADCA

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: c1a695ca3476681aaa5bc9bf3a75da2a662b9fd456a129e79d559186cc7e9c11
Instruction ID: 44dd7bd9563782b01caaebe18e5d8d0b0d5eb649ca2bedfe2880b7f521445d4b
Opcode Fuzzy Hash: c1a695ca3476681aaa5bc9bf3a75da2a662b9fd456a129e79d559186cc7e9c11
Instruction Fuzzy Hash: 21E0553064020C7FC72BAB66AC0AD2EBB94DF18620B0102ACFE0993281CE746E0183C5

Uniqueness

Uniqueness Score: -1.00%

Function 011EE282 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE282() {

				E011EE85D(0x120c5ec, 0x1233124); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Strings

`, xrefs: 011EE282

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: `
API String ID: 1269201914-2679148245
Opcode ID: abff4944caee80205e510f178e4abe8f6bac846f27d881b5fdce37c855c691f8
Instruction ID: 5466372261da5280c0d7d11c0f12378ad5381d557b6e54791f74681bcc8fb3be
Opcode Fuzzy Hash: abff4944caee80205e510f178e4abe8f6bac846f27d881b5fdce37c855c691f8
Instruction Fuzzy Hash: 4BB012E527A401AC310CA2862D09C3701DCE0C0911320422EF805C0080EF429D850832

Uniqueness

Uniqueness Score: -1.00%

Function 011FBBF0 Relevance: 3.2, APIs: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E011FBBF0(void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __esi;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed int _t60;
				signed char _t62;
				signed int _t63;
				signed char* _t71;
				signed char* _t72;
				int _t75;
				signed int _t78;
				signed char* _t79;
				short* _t80;
				int _t84;
				signed char _t85;
				signed int _t86;
				signed int _t89;
				signed int _t90;
				int _t92;
				int _t93;
				intOrPtr _t95;
				signed int _t96;

				_t91 = __edi;
				_t48 =  *0x120e7ac; // 0xc166b63b
				_v8 = _t48 ^ _t96;
				_t95 = _a8;
				_t75 = E011FB7BB(__eflags, _a4);
				if(_t75 != 0) {
					_push(__edi);
					_t92 = 0;
					__eflags = 0;
					_t78 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0x120e978)) - _t75;
						if( *((intOrPtr*)(_t51 + 0x120e978)) == _t75) {
							break;
						}
						_t78 = _t78 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t78;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t75 - 0xfde8;
							if(_t75 == 0xfde8) {
								L23:
								_t60 = _t51 | 0xffffffff;
							} else {
								__eflags = _t75 - 0xfde9;
								if(_t75 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t75 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t75,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0x12326c4 - _t92; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												E011FB82E(_t95);
												goto L37;
											}
										} else {
											E011EFFF0(_t92, _t95 + 0x18, _t92, 0x101);
											 *(_t95 + 4) = _t75;
											 *(_t95 + 0x21c) = _t92;
											_t75 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t95 + 8) = _t92;
											} else {
												__eflags = _v22;
												_t71 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t85 = _t71[1];
														__eflags = _t85;
														if(_t85 == 0) {
															goto L16;
														}
														_t89 = _t85 & 0x000000ff;
														_t86 =  *_t71 & 0x000000ff;
														while(1) {
															__eflags = _t86 - _t89;
															if(_t86 > _t89) {
																break;
															}
															 *(_t95 + _t86 + 0x19) =  *(_t95 + _t86 + 0x19) | 0x00000004;
															_t86 = _t86 + 1;
															__eflags = _t86;
														}
														_t71 =  &(_t71[2]);
														__eflags =  *_t71;
														if( *_t71 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t72 = _t95 + 0x1a;
												_t84 = 0xfe;
												do {
													 *_t72 =  *_t72 | 0x00000008;
													_t72 =  &(_t72[1]);
													_t84 = _t84 - 1;
													__eflags = _t84;
												} while (_t84 != 0);
												 *(_t95 + 0x21c) = E011FB77D( *(_t95 + 4));
												 *(_t95 + 8) = _t75;
											}
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E011FB893(_t89, _t95); // executed
											L37:
											_t60 = 0;
											__eflags = 0;
										}
									}
								}
							}
						}
						_pop(_t91);
						goto L39;
					}
					E011EFFF0(_t92, _t95 + 0x18, _t92, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0x120e988;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t79 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t79[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t90 =  *_t79 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t90 - _t63;
									if(_t90 > _t63) {
										break;
									}
									__eflags = _t90 - 0x100;
									if(_t90 < 0x100) {
										_t31 = _t92 + 0x120e970; // 0x8040201
										 *(_t95 + _t90 + 0x19) =  *(_t95 + _t90 + 0x19) |  *_t31;
										_t90 = _t90 + 1;
										__eflags = _t90;
										_t63 = _t79[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t79 =  &(_t79[2]);
								__eflags =  *_t79;
								if( *_t79 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t92 = _t92 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t95 + 4) = _t75;
					 *(_t95 + 8) = 1;
					 *(_t95 + 0x21c) = E011FB77D(_t75);
					_t80 = _t95 + 0xc;
					_t89 = _v36 + 0x120e97c;
					_t93 = 6;
					do {
						_t58 =  *_t89;
						_t89 = _t89 + 2;
						 *_t80 = _t58;
						_t80 = _t80 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L36;
				} else {
					E011FB82E(_t95);
					_t60 = 0;
				}
				L39:
				return E011EFBBC(_t60, _t75, _v8 ^ _t96, _t89, _t91, _t95);
			}

0x011fbbf0
0x011fbbf8
0x011fbbff
0x011fbc07
0x011fbc0f
0x011fbc14
0x011fbc24
0x011fbc25
0x011fbc25
0x011fbc27
0x011fbc29
0x011fbc2b
0x011fbc2e
0x011fbc2e
0x011fbc34
0x00000000
0x00000000
0x011fbc3a
0x011fbc3b
0x011fbc3e
0x011fbc41
0x011fbc46
0x00000000
0x011fbc48
0x011fbc48
0x011fbc4e
0x011fbd1c
0x011fbd1c
0x011fbc54
0x011fbc54
0x011fbc5a
0x00000000
0x011fbc60
0x011fbc64
0x011fbc6a
0x011fbc6c
0x00000000
0x011fbc72
0x011fbc77
0x011fbc7d
0x011fbc7f
0x011fbd09
0x011fbd0f
0x00000000
0x011fbd11
0x011fbd12
0x00000000
0x011fbd12
0x011fbc85
0x011fbc8f
0x011fbc94
0x011fbc9c
0x011fbca2
0x011fbca3
0x011fbca6
0x011fbcf9
0x011fbca8
0x011fbca8
0x011fbcac
0x011fbcaf
0x011fbcb1
0x011fbcb1
0x011fbcb4
0x011fbcb6
0x00000000
0x00000000
0x011fbcb8
0x011fbcbb
0x011fbcc6
0x011fbcc6
0x011fbcc8
0x00000000
0x00000000
0x011fbcc0
0x011fbcc5
0x011fbcc5
0x011fbcc5
0x011fbcca
0x011fbccd
0x011fbcd0
0x00000000
0x00000000
0x00000000
0x011fbcd0
0x011fbcb1
0x011fbcd2
0x011fbcd2
0x011fbcd5
0x011fbcda
0x011fbcda
0x011fbcdd
0x011fbcde
0x011fbcde
0x011fbcde
0x011fbcee
0x011fbcf4
0x011fbcf4
0x011fbd01
0x011fbd02
0x011fbd03
0x011fbdc7
0x011fbdc8
0x011fbdcd
0x011fbdce
0x011fbdce
0x011fbdce
0x011fbc7f
0x011fbc6c
0x011fbc5a
0x011fbc4e
0x011fbdd0
0x00000000
0x011fbdd0
0x011fbd2e
0x011fbd36
0x011fbd36
0x011fbd3a
0x011fbd3d
0x011fbd43
0x011fbd46
0x011fbd46
0x011fbd49
0x011fbd4b
0x011fbd4d
0x011fbd4d
0x011fbd50
0x011fbd52
0x00000000
0x00000000
0x011fbd54
0x011fbd57
0x011fbd73
0x011fbd73
0x011fbd75
0x00000000
0x00000000
0x011fbd5c
0x011fbd62
0x011fbd64
0x011fbd6a
0x011fbd6e
0x011fbd6e
0x011fbd6f
0x00000000
0x011fbd6f
0x00000000
0x011fbd62
0x011fbd77
0x011fbd7a
0x011fbd7d
0x00000000
0x00000000
0x00000000
0x011fbd7d
0x011fbd7f
0x011fbd7f
0x011fbd82
0x011fbd83
0x011fbd86
0x011fbd89
0x011fbd89
0x011fbd8f
0x011fbd92
0x011fbda1
0x011fbdaa
0x011fbdaf
0x011fbdb5
0x011fbdb6
0x011fbdb6
0x011fbdb9
0x011fbdbc
0x011fbdbf
0x011fbdc2
0x011fbdc2
0x011fbdc2
0x00000000
0x011fbc16
0x011fbc17
0x011fbc1d
0x011fbc1d
0x011fbdd1
0x011fbde0

APIs

Part of subcall function 011FB7BB: GetOEMCP.KERNEL32(00000000,?,?,011FBA44,?), ref: 011FB7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,011FBA89,?,00000000), ref: 011FBC64
GetCPInfo.KERNEL32(00000000,011FBA89,?,?,?,011FBA89,?,00000000), ref: 011FBC77

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 47c657bdd4cf2f5b41f8fd0fe11c35723c6680e795f2103fb9a474257b8ed2b3
Instruction ID: d9a1c4c39de28e25b35d95adac9ad265a0a24a5d42e058040d9368a289ae7ff2
Opcode Fuzzy Hash: 47c657bdd4cf2f5b41f8fd0fe11c35723c6680e795f2103fb9a474257b8ed2b3
Instruction Fuzzy Hash: 1D5189709082469EEB2DCF38C4846BFBBE0EF41208F18456EC6968B291D7349141CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 011D9A74 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E011D9A74(signed int __ecx, long* _a4, signed int _a8, long _a12, signed int _a20, char _a24, long _a4124, long _a4128, long _a4132) {
				signed int _v0;
				long* _v4;
				intOrPtr _v8;
				void* _t30;
				long _t32;
				signed int _t33;
				void* _t35;
				long* _t38;
				void* _t41;
				long _t42;
				signed int _t46;
				long _t50;
				void* _t51;
				long _t52;
				intOrPtr* _t53;
				void* _t57;
				void* _t63;
				signed int _t67;
				signed int _t70;

				E011EEC50(0x1018);
				_t50 = _a4132;
				_t42 = _a4128;
				_t53 = __ecx;
				_t52 = _a4124;
				_v0 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) == 0xffffffff) {
					L21:
					_t30 = 1;
					L22:
					return _t30;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) != 1) {
					__eflags = _t42;
					if(__eflags > 0) {
						L32:
						_a12 = _t42;
						_t32 = SetFilePointer( *(_t53 + 8), _t52,  &_a12, _t50); // executed
						__eflags = _t32 - 0xffffffff;
						if(_t32 != 0xffffffff) {
							goto L21;
						}
						_t33 = GetLastError();
						asm("sbb al, al");
						_t30 =  ~_t33 + 1;
						goto L22;
					}
					if(__eflags < 0) {
						L27:
						__eflags = _t50;
						if(_t50 == 0) {
							goto L32;
						}
						__eflags = _t50 - 1;
						if(_t50 != 1) {
							_t35 = E011D981A(_t50);
						} else {
							 *0x1203278();
							_t35 =  *((intOrPtr*)( *((intOrPtr*)( *_t53 + 0x14))))();
							_t53 = _v0;
						}
						_t52 = _t52 + _t35;
						asm("adc ebx, edx");
						_t50 = 0;
						__eflags = 0;
						goto L32;
					}
					__eflags = _t52;
					if(_t52 >= 0) {
						goto L32;
					}
					goto L27;
				}
				_t38 = __ecx + 0x28;
				_a4 = _t38;
				if(_t50 != 1) {
					__eflags = _t50;
					if(_t50 != 0) {
						L23:
						_t30 = 0;
						goto L22;
					}
					L5:
					_t63 = _t42 - _t38[1];
					if(_t63 < 0 || _t63 <= 0 && _t52 <  *_t38) {
						goto L23;
					} else {
						_t46 = _t42;
						_t57 = _t52 -  *_t38;
						asm("sbb ecx, [eax+0x4]");
						_a8 = _t46;
						if(_t57 != 0 || _t57 != 0) {
							do {
								_t67 = _t46;
								if(_t67 > 0 || _t67 >= 0 && _t57 >= 0x1000) {
									L14:
									_t12 =  &_a20;
									 *_t12 = _a20 & 0x00000000;
									__eflags =  *_t12;
									_t51 = 0x1000;
									goto L15;
								} else {
									_t51 = _t57;
									_a20 = _t46;
									L15:
									 *0x1203278( &_a24, _t51);
									_t41 =  *((intOrPtr*)( *((intOrPtr*)( *_t53 + 0xc))))();
									if(_t41 <= 0) {
										goto L23;
									}
									_t46 = _v0;
									_t53 = _v8;
									asm("cdq");
									_t57 = _t57 - _t41;
									asm("sbb ecx, edx");
									_v0 = _t46;
									_t70 = _t46;
									if(_t70 > 0) {
										goto L14;
									}
								}
							} while (_t70 >= 0 && _t57 != 0);
							_t38 = _v4;
							goto L20;
						} else {
							L20:
							 *_t38 = _t52;
							_t38[1] = _t42;
							goto L21;
						}
					}
				}
				_t52 = _t52 +  *_t38;
				asm("adc ebx, [eax+0x4]");
				goto L5;
			}

0x011d9a79
0x011d9a7e
0x011d9a86
0x011d9a8f
0x011d9a92
0x011d9a99
0x011d9aa1
0x011d9b53
0x011d9b53
0x011d9b59
0x011d9b5f
0x011d9b5f
0x011d9aab
0x011d9b66
0x011d9b68
0x011d9b9d
0x011d9ba2
0x011d9bab
0x011d9bb1
0x011d9bb4
0x00000000
0x00000000
0x011d9bb6
0x011d9bbe
0x011d9bc0
0x00000000
0x011d9bc0
0x011d9b6a
0x011d9b70
0x011d9b70
0x011d9b72
0x00000000
0x00000000
0x011d9b74
0x011d9b77
0x011d9b92
0x011d9b79
0x011d9b80
0x011d9b8a
0x011d9b8c
0x011d9b8c
0x011d9b97
0x011d9b99
0x011d9b9b
0x011d9b9b
0x00000000
0x011d9b9b
0x011d9b6c
0x011d9b6e
0x00000000
0x00000000
0x00000000
0x011d9b6e
0x011d9ab1
0x011d9ab4
0x011d9abb
0x011d9ac4
0x011d9ac6
0x011d9b62
0x011d9b62
0x00000000
0x011d9b62
0x011d9acc
0x011d9acc
0x011d9acf
0x00000000
0x011d9adf
0x011d9ae1
0x011d9ae3
0x011d9ae5
0x011d9ae8
0x011d9aec
0x011d9af2
0x011d9af2
0x011d9af4
0x011d9b08
0x011d9b08
0x011d9b08
0x011d9b08
0x011d9b0d
0x00000000
0x011d9b00
0x011d9b00
0x011d9b02
0x011d9b12
0x011d9b1f
0x011d9b29
0x011d9b2d
0x00000000
0x00000000
0x011d9b2f
0x011d9b33
0x011d9b37
0x011d9b38
0x011d9b3a
0x011d9b3c
0x011d9b40
0x011d9b42
0x00000000
0x00000000
0x011d9b42
0x011d9b44
0x011d9b4a
0x00000000
0x011d9b4e
0x011d9b4e
0x011d9b4e
0x011d9b50
0x00000000
0x011d9b50
0x011d9aec
0x011d9acf
0x011d9abd
0x011d9abf
0x00000000

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,011D9A50,?,?,00000000,?,?,011D8CBC,?), ref: 011D9BAB
GetLastError.KERNEL32(?,00000000,011D8411,-00009570,00000000,000007F3), ref: 011D9BB6

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b4559c434d95d9765f9129071bb6160922b66236b04fdcdc800cf35a4fb8d4ee
Instruction ID: b917b07a090509152ecb598e91e6712cc5ee9eddfb53986b9eacc2b92a3fe050
Opcode Fuzzy Hash: b4559c434d95d9765f9129071bb6160922b66236b04fdcdc800cf35a4fb8d4ee
Instruction Fuzzy Hash: 9941D2316043099FDB2CDF19C584C6ABBE5FFD5328F4A8A2DE88587251D770E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011FBA27 Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E011FBA27(signed int __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				void* __ebp;
				char _t31;
				signed int _t36;
				char _t40;
				intOrPtr _t44;
				char _t45;
				signed int _t51;
				void* _t64;
				void* _t70;
				signed int _t75;
				void* _t81;

				_t81 = __eflags;
				_t68 = __edx;
				_v8 = E011F97E5(__ebx, __ecx, __edx);
				E011FBB4E(__ebx, __ecx, __edx, __edi, __esi, _t81);
				_t31 = E011FB7BB(_t81, _a4);
				_v16 = _t31;
				_t57 =  *(_v8 + 0x48);
				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t70 = E011F8E06(_t57, 0x220);
				_t51 = __ebx | 0xffffffff;
				__eflags = _t70;
				if(__eflags == 0) {
					L5:
					_t75 = _t51;
					goto L6;
				} else {
					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
					 *_t70 =  *_t70 & 0x00000000; // executed
					_t36 = E011FBBF0(_t68, _t70, __eflags, _v16, _t70); // executed
					_t75 = _t36;
					__eflags = _t75 - _t51;
					if(_t75 != _t51) {
						__eflags = _a8;
						if(_a8 == 0) {
							E011F8B6F();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t51 == 1;
						if(_t51 == 1) {
							_t45 = _v8;
							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0x120ec70;
							if( *((intOrPtr*)(_t45 + 0x48)) != 0x120ec70) {
								E011F8DCC( *((intOrPtr*)(_t45 + 0x48)));
							}
						}
						 *_t70 = 1;
						_t64 = _t70;
						_t70 = 0;
						 *(_v8 + 0x48) = _t64;
						_t40 = _v8;
						__eflags =  *(_t40 + 0x350) & 0x00000002;
						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0x120eef0 & 0x00000001;
							if(( *0x120eef0 & 0x00000001) == 0) {
								_v16 =  &_v8;
								E011FB691(5,  &_v16);
								__eflags = _a8;
								if(_a8 != 0) {
									_t44 =  *0x120ee90; // 0x3622590
									 *0x120e964 = _t44;
								}
							}
						}
						L6:
						E011F8DCC(_t70);
						return _t75;
					} else {
						 *((intOrPtr*)(E011F91A8())) = 0x16;
						goto L5;
					}
				}
			}

0x011fba27
0x011fba27
0x011fba34
0x011fba37
0x011fba3f
0x011fba48
0x011fba4b
0x011fba51
0x00000000
0x011fba53
0x011fba57
0x011fba58
0x011fba59
0x011fba64
0x011fba66
0x011fba6a
0x011fba6c
0x011fba9c
0x011fba9c
0x00000000
0x011fba6e
0x011fba7b
0x011fba81
0x011fba84
0x011fba89
0x011fba8d
0x011fba8f
0x011fbaae
0x011fbab2
0x011fbab4
0x011fbab4
0x011fbabf
0x011fbac3
0x011fbac4
0x011fbac6
0x011fbac9
0x011fbad0
0x011fbad5
0x011fbada
0x011fbad0
0x011fbadb
0x011fbae1
0x011fbae6
0x011fbae8
0x011fbaeb
0x011fbaee
0x011fbaf5
0x011fbaf7
0x011fbafe
0x011fbb03
0x011fbb0c
0x011fbb11
0x011fbb17
0x011fbb19
0x011fbb1e
0x011fbb1e
0x011fbb17
0x011fbafe
0x011fba9e
0x011fba9f
0x00000000
0x011fba91
0x011fba96
0x00000000
0x011fba96
0x011fba8f

APIs

Part of subcall function 011F97E5: GetLastError.KERNEL32(?,01211030,011F4674,01211030,?,?,011F3F73,00000050,?,01211030,00000200), ref: 011F97E9
Part of subcall function 011F97E5: _free.LIBCMT ref: 011F981C
Part of subcall function 011F97E5: SetLastError.KERNEL32(00000000,?,01211030,00000200), ref: 011F985D
Part of subcall function 011F97E5: _abort.LIBCMT ref: 011F9863

Part of subcall function 011FBB4E: _abort.LIBCMT ref: 011FBB80
Part of subcall function 011FBB4E: _free.LIBCMT ref: 011FBBB4

Part of subcall function 011FB7BB: GetOEMCP.KERNEL32(00000000,?,?,011FBA44,?), ref: 011FB7E6

_free.LIBCMT ref: 011FBA9F
_free.LIBCMT ref: 011FBAD5

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 9dd007c15c70d374491f572d5e0d58a9e7686973336918b8b2648e7caae57708
Instruction ID: bef34c2acd7ab1a2fa4eb5300b3bf560add0b4b1b3f7b545db2983bef5ed2550
Opcode Fuzzy Hash: 9dd007c15c70d374491f572d5e0d58a9e7686973336918b8b2648e7caae57708
Instruction Fuzzy Hash: 1B312931908209AFDB19EFA8D440B9D77F5EF40325F25419DE7049B292EB325D44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 011D1E50 Relevance: 3.1, APIs: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E011D1E50(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t38;
				intOrPtr _t47;
				void* _t68;
				unsigned int _t70;
				signed int _t72;
				intOrPtr* _t74;
				void* _t76;

				_t68 = __edx;
				E011EEB78(0x1202673, _t76);
				_t55 = 0;
				 *((intOrPtr*)(_t76 - 0x10)) = __ecx;
				 *((intOrPtr*)(_t76 - 0x24)) = 0;
				 *(_t76 - 0x20) = 0;
				 *((intOrPtr*)(_t76 - 0x1c)) = 0;
				 *((intOrPtr*)(_t76 - 0x18)) = 0;
				 *((char*)(_t76 - 0x14)) = 0;
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t76 - 4)) = 0;
				_push(_t76 - 0x24);
				_t38 = E011D3BBA(__ecx); // executed
				if(_t38 != 0) {
					_t70 =  *(_t76 - 0x20);
					E011D1732(_t76 - 0x24, _t68, 1);
					_t74 =  *((intOrPtr*)(_t76 + 8));
					 *((char*)( *(_t76 - 0x20) +  *((intOrPtr*)(_t76 - 0x24)) - 1)) = 0;
					_t16 = _t70 + 1; // 0x1
					E011D18A9(_t74, _t16);
					_t47 =  *((intOrPtr*)(_t76 - 0x10));
					if( *((intOrPtr*)(_t47 + 0x6cc8)) != 3) {
						if(( *(_t47 + 0x460c) & 0x00000001) == 0) {
							E011E1B84( *((intOrPtr*)(_t76 - 0x24)),  *_t74,  *((intOrPtr*)(_t74 + 4)));
						} else {
							_t72 = _t70 >> 1;
							E011E1BFD( *((intOrPtr*)(_t76 - 0x24)),  *_t74, _t72);
							 *((short*)( *_t74 + _t72 * 2)) = 0;
						}
					} else {
						_push( *((intOrPtr*)(_t74 + 4)));
						_push( *_t74);
						_push( *((intOrPtr*)(_t76 - 0x24)));
						E011E1C3B();
					}
					E011D18A9(_t74, E011F3E13( *_t74));
					_t55 = 1;
				}
				_t39 =  *((intOrPtr*)(_t76 - 0x24));
				 *((intOrPtr*)(_t76 - 4)) = 2;
				if( *((intOrPtr*)(_t76 - 0x24)) != 0) {
					if( *((char*)(_t76 - 0x14)) != 0) {
						E011DF445(_t39,  *((intOrPtr*)(_t76 - 0x1c)));
						_t39 =  *((intOrPtr*)(_t76 - 0x24));
					}
					L011F3E2E(_t39);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return _t55;
			}

0x011d1e50
0x011d1e55
0x011d1e5e
0x011d1e62
0x011d1e65
0x011d1e68
0x011d1e6b
0x011d1e6e
0x011d1e71
0x011d1e74
0x011d1e75
0x011d1e79
0x011d1e7c
0x011d1e7f
0x011d1e86
0x011d1e8e
0x011d1e96
0x011d1ea1
0x011d1ea4
0x011d1ea8
0x011d1eae
0x011d1eb3
0x011d1ebd
0x011d1ed5
0x011d1ef6
0x011d1ed7
0x011d1ed7
0x011d1edf
0x011d1ee8
0x011d1ee8
0x011d1ebf
0x011d1ebf
0x011d1ec2
0x011d1ec4
0x011d1ec7
0x011d1ec7
0x011d1f06
0x011d1f0c
0x011d1f0e
0x011d1f0f
0x011d1f12
0x011d1f1b
0x011d1f21
0x011d1f27
0x011d1f2c
0x011d1f2c
0x011d1f30
0x011d1f35
0x011d1f3c
0x011d1f44

APIs

__EH_prolog.LIBCMT ref: 011D1E55

Part of subcall function 011D3BBA: __EH_prolog.LIBCMT ref: 011D3BBF

_wcslen.LIBCMT ref: 011D1EFD

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 7fbb2810af199bb395905b7b0e8b67ece3bf968c4a1aa716538fa30cc50f82d1
Instruction ID: c46dc0b9f86777600df2ecc003cab989094cf51519e22d45d0fc20f233c11715
Opcode Fuzzy Hash: 7fbb2810af199bb395905b7b0e8b67ece3bf968c4a1aa716538fa30cc50f82d1
Instruction Fuzzy Hash: 01314B7290421AAFDF19DF98C944AEEFBF6BF68204F10009EE545B7250CB325E55CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011D966E Relevance: 3.1, APIs: 2, Instructions: 82
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011D966E(void* __ecx, WCHAR* _a4100, signed char _a4104) {
				short _v0;
				signed int _t27;
				void* _t29;
				signed char _t38;
				signed int _t42;
				long _t45;
				void* _t46;
				long _t48;

				E011EEC50(0x1000);
				_t38 = _a4104;
				_t46 = __ecx;
				_t42 = _t38 >> 1;
				if((_t38 & 0x00000010) != 0) {
					L3:
					_t48 = 1;
					__eflags = 1;
				} else {
					_t52 =  *((char*)(__ecx + 0x30));
					if( *((char*)(__ecx + 0x30)) != 0) {
						goto L3;
					} else {
						_t48 = 0;
					}
				}
				 *(_t46 + 0x20) = _t38;
				_t45 = ((_t42 ^ 0x00000001) << 0x1f) + 0x40000000;
				_t27 =  *(E011DC27E(_t52, _a4100)) & 0x0000ffff;
				if(_t27 == 0x2e || _t27 == 0x20) {
					if((_t38 & 0x00000020) != 0) {
						goto L8;
					} else {
						_t39 = _a4100;
						_t29 = _t27 | 0xffffffff;
					}
				} else {
					L8:
					_t39 = _a4100;
					__eflags = 0;
					_t29 = CreateFileW(_a4100, _t45, _t48, 0, 2, 0, 0); // executed
				}
				 *(_t46 + 8) = _t29;
				if(_t29 == 0xffffffff && E011DBB03(_t39,  &_v0, 0x800) != 0) {
					 *(_t46 + 8) = CreateFileW( &_v0, _t45, _t48, 0, 2, 0, 0);
				}
				 *(_t46 + 0x10) =  *(_t46 + 0x10) & 0x00000000;
				 *((char*)(_t46 + 0x1c)) = 1;
				 *((char*)(_t46 + 0x15)) = 0;
				return E011E0602(_t46 + 0x32, _t39, 0x800) & 0xffffff00 |  *(_t46 + 8) != 0xffffffff;
			}

0x011d9673
0x011d9679
0x011d9685
0x011d9687
0x011d968c
0x011d9698
0x011d969a
0x011d969a
0x011d968e
0x011d968e
0x011d9692
0x00000000
0x011d9694
0x011d9694
0x011d9694
0x011d9692
0x011d96a9
0x011d96ac
0x011d96b7
0x011d96bd
0x011d96c7
0x00000000
0x011d96c9
0x011d96c9
0x011d96d0
0x011d96d0
0x011d96d5
0x011d96d5
0x011d96d5
0x011d96dc
0x011d96e6
0x011d96e6
0x011d96ec
0x011d96f2
0x011d971c
0x011d971c
0x011d971f
0x011d972d
0x011d9731
0x011d974b

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,011D9F27,?,?,011D771A), ref: 011D96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,011D9F27,?,?,011D771A), ref: 011D9716

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7344aaf2a553a9e8e6943a4cb1a365a79919bd2731e5003b0b8dd1529c5c9d2e
Instruction ID: fe5e4775e064b91782ff84218c65e3624cc865252f376a54bc8eff3d5125828e
Opcode Fuzzy Hash: 7344aaf2a553a9e8e6943a4cb1a365a79919bd2731e5003b0b8dd1529c5c9d2e
Instruction Fuzzy Hash: F321A1B15047486FE3349A69C888FF777DCEB49328F014A19FA95C65C2C7B4A884CB71

Uniqueness

Uniqueness Score: -1.00%

Function 011FA3D0 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011FA3D0(void* __ebx, signed int __ecx, void* __edx) {
				void* __edi;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t14;
				intOrPtr _t18;
				signed int _t21;
				void* _t23;
				signed int _t29;
				intOrPtr _t31;
				intOrPtr _t32;

				_t24 = __ecx;
				_t23 = __ebx;
				_t9 =  *0x1232274; // 0x200
				_t31 = 3;
				if(_t9 != 0) {
					__eflags = _t9 - _t31;
					if(_t9 < _t31) {
						_t9 = _t31;
						goto L4;
					}
				} else {
					_t9 = 0x200;
					L4:
					 *0x1232274 = _t9;
				}
				_t10 = E011FB136(_t24, _t9, 4); // executed
				 *0x1232278 = _t10;
				E011F8DCC(0);
				if( *0x1232278 != 0) {
					L8:
					_t29 = 0;
					__eflags = 0;
					_t32 = 0x120e800;
					do {
						_t1 = _t32 + 0x20; // 0x120e820
						E011FAF0A(_t23, _t24, _t29, __eflags, _t1, 0xfa0, 0);
						_t14 =  *0x1232278; // 0x3624e38
						 *((intOrPtr*)(_t14 + _t29 * 4)) = _t32;
						_t24 = (_t29 & 0x0000003f) * 0x30;
						_t18 =  *((intOrPtr*)( *((intOrPtr*)(0x1232290 + (_t29 >> 6) * 4)) + 0x18 + (_t29 & 0x0000003f) * 0x30));
						__eflags = _t18 - 0xffffffff;
						if(_t18 == 0xffffffff) {
							L12:
							 *((intOrPtr*)(_t32 + 0x10)) = 0xfffffffe;
						} else {
							__eflags = _t18 - 0xfffffffe;
							if(_t18 == 0xfffffffe) {
								goto L12;
							} else {
								__eflags = _t18;
								if(_t18 == 0) {
									goto L12;
								}
							}
						}
						_t32 = _t32 + 0x38;
						_t29 = _t29 + 1;
						__eflags = _t32 - 0x120e8a8;
					} while (__eflags != 0);
					__eflags = 0;
					return 0;
				} else {
					 *0x1232274 = _t31;
					 *0x1232278 = E011FB136(_t24, _t31, 4);
					_t21 = E011F8DCC(0);
					if( *0x1232278 != 0) {
						goto L8;
					} else {
						return _t21 | 0xffffffff;
					}
				}
			}

0x011fa3d0
0x011fa3d0
0x011fa3d0
0x011fa3d8
0x011fa3db
0x011fa3e4
0x011fa3e6
0x011fa3e8
0x00000000
0x011fa3e8
0x011fa3dd
0x011fa3dd
0x011fa3ea
0x011fa3ea
0x011fa3ea
0x011fa3f2
0x011fa3f9
0x011fa3fe
0x011fa40d
0x011fa43a
0x011fa43b
0x011fa43b
0x011fa43d
0x011fa442
0x011fa449
0x011fa44d
0x011fa452
0x011fa45c
0x011fa464
0x011fa46e
0x011fa472
0x011fa475
0x011fa480
0x011fa480
0x011fa477
0x011fa477
0x011fa47a
0x00000000
0x011fa47c
0x011fa47c
0x011fa47e
0x00000000
0x00000000
0x011fa47e
0x011fa47a
0x011fa487
0x011fa48a
0x011fa48b
0x011fa48b
0x011fa494
0x011fa497
0x011fa40f
0x011fa412
0x011fa41f
0x011fa424
0x011fa433
0x00000000
0x011fa435
0x011fa439
0x011fa439
0x011fa433

APIs

_free.LIBCMT ref: 011FA3FE
_free.LIBCMT ref: 011FA424

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2f968848373971dd45d7f50bd9a0bd4f06f4e79ce32184f8a3adbcec287cc8c2
Instruction ID: 3afeb8172f646fd85614e1c927bce2897100b9bfabb3bb924494e8f57d575a22
Opcode Fuzzy Hash: 2f968848373971dd45d7f50bd9a0bd4f06f4e79ce32184f8a3adbcec287cc8c2
Instruction Fuzzy Hash: 7F119871A2831296EB399A3CBC8CB5537A4AF50734F19072AFB18CB1D5E374D8818741

Uniqueness

Uniqueness Score: -1.00%

Function 011D9E80 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E011D9E80(void* __ecx) {
				long _v8;
				void* __ebp;
				long _t13;
				long _t15;
				signed int _t17;
				char* _t33;
				void* _t36;
				long _t37;
				void* _t39;

				_push(__ecx);
				_t36 = __ecx;
				_t33 = __ecx + 0x1e;
				if( *((intOrPtr*)(__ecx + 8)) != 0xffffffff) {
					_t21 = __ecx + 0x32;
					goto L4;
				} else {
					if( *_t33 == 0) {
						L12:
						_t17 = _t13 | 0xffffffff;
					} else {
						_t21 = __ecx + 0x32;
						E011D6D5B(0x1211098, _t39, __ecx + 0x32);
						L4:
						if( *((intOrPtr*)(_t36 + 0x10)) != 1) {
							_v8 = _v8 & 0x00000000;
							_t15 = SetFilePointer( *(_t36 + 8), 0,  &_v8, 1); // executed
							_t37 = _t15;
							if(_t37 != 0xffffffff) {
								L10:
								asm("cdq");
								_t17 = 0 + _t37;
								asm("adc edx, 0x0");
							} else {
								_t13 = GetLastError();
								if(_t13 == 0) {
									goto L10;
								} else {
									if( *_t33 == 0) {
										goto L12;
									} else {
										E011D6D5B(0x1211098, _t39, _t21);
										goto L10;
									}
								}
							}
						} else {
							_t17 =  *(_t36 + 0x28);
						}
					}
				}
				return _t17;
			}

0x011d9e83
0x011d9e86
0x011d9e8d
0x011d9e90
0x011d9ea7
0x00000000
0x011d9e92
0x011d9e95
0x011d9f02
0x011d9f02
0x011d9e97
0x011d9e97
0x011d9ea0
0x011d9eaa
0x011d9eae
0x011d9eb8
0x011d9ec7
0x011d9ecd
0x011d9ed2
0x011d9eee
0x011d9ef3
0x011d9ef8
0x011d9efa
0x011d9ed4
0x011d9ed4
0x011d9edc
0x00000000
0x011d9ede
0x011d9ee1
0x00000000
0x011d9ee3
0x011d9ee9
0x00000000
0x011d9ee9
0x011d9ee1
0x011d9edc
0x011d9eb0
0x011d9eb0
0x011d9eb3
0x011d9eae
0x011d9e95
0x011d9f01

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 011D9EC7
GetLastError.KERNEL32 ref: 011D9ED4

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 0459309d45a2a5d88889f37334a237d0cead6cefead644941e99ca215edb44a1
Instruction ID: 10343a750002ad7d40aac6673467dc6293dd6332f5c36dd9b525f860eb95beec
Opcode Fuzzy Hash: 0459309d45a2a5d88889f37334a237d0cead6cefead644941e99ca215edb44a1
Instruction Fuzzy Hash: 48112531600728ABE73DCA38C844BA6B7E9AB05328F500B19E552D26D4D370E945C760

Uniqueness

Uniqueness Score: -1.00%

Function 011F8E54 Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E011F8E54(void* __ecx, void* __edx, void* _a4, long _a8) {
				void* _t4;
				long _t7;
				void* _t9;
				void* _t13;
				void* _t14;
				long _t16;

				_t13 = __edx;
				_t10 = __ecx;
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(_t16 <= 0xffffffe0) {
							while(1) {
								_t4 = RtlReAllocateHeap( *0x12326e4, 0, _t14, _t16); // executed
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E011F8C34();
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = E011F7A5E(_t10, _t13, __eflags, _t16);
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E011F91A8())) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E011F8DCC(_t14);
					goto L6;
				}
				_t9 = E011F8E06(__ecx, _a8); // executed
				return _t9;
			}

0x011f8e54
0x011f8e54
0x011f8e5a
0x011f8e5f
0x011f8e6d
0x011f8e70
0x011f8e72
0x011f8e7d
0x011f8e80
0x011f8ea7
0x011f8eb1
0x011f8eb7
0x011f8eb9
0x00000000
0x00000000
0x011f8e98
0x011f8e9a
0x00000000
0x00000000
0x011f8e9d
0x011f8ea2
0x011f8ea3
0x011f8ea5
0x00000000
0x00000000
0x011f8ea5
0x011f8e8f
0x00000000
0x011f8e8f
0x011f8e82
0x011f8e87
0x011f8e8d
0x011f8e8d
0x011f8e8d
0x00000000
0x011f8e8d
0x011f8e75
0x00000000
0x011f8e7a
0x011f8e64
0x00000000

APIs

_free.LIBCMT ref: 011F8E75

Part of subcall function 011F8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,011FCA2C,00000000,?,011F6CBE,?,00000008,?,011F91E0,?,?,?), ref: 011F8E38

RtlReAllocateHeap.NTDLL(00000000,?,?,?,00000007,01211098,011D17CE,?,?,00000007,?,?,?,011D13D6,?,00000000), ref: 011F8EB1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: e9a2e83e07ab354d5e99e807255b938c81b4e94b009bc0003f2ea929cebb5639
Instruction ID: 25fd32f76aa0adedcea762dc1fec7beff612a42cd013c852df48e824edcf5012
Opcode Fuzzy Hash: e9a2e83e07ab354d5e99e807255b938c81b4e94b009bc0003f2ea929cebb5639
Instruction Fuzzy Hash: 22F02B322111367ADB3D7E29AC04FAF3B589FD1A74F15012DFB18A6193DB70C90081A1

Uniqueness

Uniqueness Score: -1.00%

Function 011E109E Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011E109E(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;
				void* _t14;
				signed int _t15;
				signed int _t17;

				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
				if(_t8 != 0) {
					_t14 = 0;
					_t17 = _v8;
					_t15 = 1;
					do {
						if((_t17 & _t15) != 0) {
							_t14 = _t14 + 1;
						}
						_t15 = _t15 + _t15;
					} while (_t15 != 0);
					if(_t14 >= 1) {
						return _t14;
					}
					return 1;
				} else {
					return _t8 + 1;
				}
			}

0x011e10b2
0x011e10ba
0x011e10c1
0x011e10c5
0x011e10c8
0x011e10ca
0x011e10cc
0x011e10ce
0x011e10ce
0x011e10cf
0x011e10cf
0x011e10d6
0x00000000
0x011e10d8
0x011e10db
0x011e10bc
0x011e10be
0x011e10be

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 011E10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 011E10B2

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: a5c204cb2987dbf74afdd1d9d4f0da63388afb05a394f9d2216ac5c1a3031a82
Instruction ID: 46da5bca88a6e16aa4e1147b63564d510c114abff1da128dd5dc0f85821bb368
Opcode Fuzzy Hash: a5c204cb2987dbf74afdd1d9d4f0da63388afb05a394f9d2216ac5c1a3031a82
Instruction Fuzzy Hash: FDE09232B10645BB9F1ECAE8980D9EB7ADEEA441047144275E503D3102FA30D9014760

Uniqueness

Uniqueness Score: -1.00%

Function 011DA1E0 Relevance: 3.0, APIs: 2, Instructions: 27
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011DA1E0(WCHAR* _a4) {
				short _v4100;
				int _t11;
				signed int _t17;
				signed int _t18;

				E011EEC50(0x1000);
				_t11 = DeleteFileW(_a4); // executed
				_t18 = _t17 & 0xffffff00 | _t11 != 0x00000000;
				if(_t11 == 0 && E011DBB03(_a4,  &_v4100, 0x800) != 0) {
					_t18 = _t18 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
				}
				return _t18;
			}

0x011da1e8
0x011da1f1
0x011da1f9
0x011da1fe
0x011da227
0x011da227
0x011da22e

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,011D977F,?,?,011D95CF,?,?,?,?,?,01202641,000000FF), ref: 011DA1F1

Part of subcall function 011DBB03: _wcslen.LIBCMT ref: 011DBB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,011D977F,?,?,011D95CF,?,?,?,?,?,01202641), ref: 011DA21F

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: da6f11164e7490888d1f3639a03195d2d23607121c546255544ce1fcf47a7e80
Instruction ID: 5ce800cd6bf43ee0091cd9f739342c64adbcd1140dc13d97182a9aa72cd5d448
Opcode Fuzzy Hash: da6f11164e7490888d1f3639a03195d2d23607121c546255544ce1fcf47a7e80
Instruction Fuzzy Hash: 89E092311412197BEB12DE65EC48FE9379CBF08385F484021B945D2054EB61D994DB50

Uniqueness

Uniqueness Score: -1.00%

Function 011DA243 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011DA243(WCHAR* _a4) {
				short _v4100;
				long _t7;
				long _t13;

				E011EEC50(0x1000);
				_t7 = GetFileAttributesW(_a4); // executed
				_t13 = _t7;
				if(_t13 == 0xffffffff && E011DBB03(_a4,  &_v4100, 0x800) != 0) {
					_t13 = GetFileAttributesW( &_v4100);
				}
				return _t13;
			}

0x011da24b
0x011da254
0x011da25a
0x011da25f
0x011da286
0x011da286
0x011da28c

APIs

GetFileAttributesW.KERNELBASE(?,?,?,011DA23A,?,011D755C,?,?,?,?), ref: 011DA254

Part of subcall function 011DBB03: _wcslen.LIBCMT ref: 011DBB27

GetFileAttributesW.KERNEL32(?,?,?,00000800,?,011DA23A,?,011D755C,?,?,?,?), ref: 011DA280

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: d90083237743ecd9dd709868cafa16c66a8a67a90a56da9c2e635d1c61da95d4
Instruction ID: 885e8f0c5bfd90f371db261b86ae3b8cc505a1e23977122a2c9d4ebd22106f66
Opcode Fuzzy Hash: d90083237743ecd9dd709868cafa16c66a8a67a90a56da9c2e635d1c61da95d4
Instruction Fuzzy Hash: E4E092325001245BDB21EB68EC08BD97B98AB193E5F044261FE45E3184D770DD44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011EDEC2 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EDEC2(void* __eflags, intOrPtr _a4, signed char _a16) {
				short _v5124;

				E011EEC50(0x1400);
				E011D4092( &_v5124, 0xa00, E011DE617((_a16 & 0x000000ff) + 0x65), _a4);
				SetDlgItemTextW( *0x1218458, 0x65,  &_v5124); // executed
				return E011EB568() & 0xffffff00 |  *0x1218454 == 0x00000000;
			}

0x011edeca
0x011edeec
0x011edf03
0x011edf19

APIs

_swprintf.LIBCMT ref: 011EDEEC

Part of subcall function 011D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 011D40A5

SetDlgItemTextW.USER32(00000065,?), ref: 011EDF03

Part of subcall function 011EB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 011EB579
Part of subcall function 011EB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 011EB58A
Part of subcall function 011EB568: IsDialogMessageW.USER32(000103AC,?), ref: 011EB59E
Part of subcall function 011EB568: TranslateMessage.USER32(?), ref: 011EB5AC
Part of subcall function 011EB568: DispatchMessageW.USER32(?), ref: 011EB5B6

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: b40d8a60386c483b75a6e20f54236b9cac658a215298214c6b7282486071a590
Instruction ID: f709c93758bfd2b5b63ae6f3bb2e76e02dd07a59f8200036aafbc16b5a79a681
Opcode Fuzzy Hash: b40d8a60386c483b75a6e20f54236b9cac658a215298214c6b7282486071a590
Instruction Fuzzy Hash: 39E092B650424926DF12EBA0EC0DFDE3BAC9B25789F040855B240DB0A1DA78EA108761

Uniqueness

Uniqueness Score: -1.00%

Function 011E081B Relevance: 3.0, APIs: 2, Instructions: 24
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011E081B(intOrPtr _a4) {
				short _v4100;
				int _t8;
				struct HINSTANCE__* _t12;

				E011EEC50(0x1000);
				_t8 = GetSystemDirectoryW( &_v4100, 0x800);
				_t14 = _t8;
				if(_t8 != 0) {
					E011DBDF3(_t14,  &_v4100, _a4,  &_v4100, 0x800);
					_t12 = LoadLibraryW( &_v4100); // executed
					return _t12;
				}
				return _t8;
			}

0x011e0823
0x011e0836
0x011e083c
0x011e083e
0x011e084c
0x011e0858
0x00000000
0x011e0858
0x011e0860

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 011E0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,011DF2D8,Crypt32.dll,00000000,011DF35C,?,?,011DF33E,?,?,?), ref: 011E0858

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 49081582afbd1edd4adb68204719847f71a63a350b17053ef9356701fec1ec8f
Instruction ID: e818409b6dcb05d34ab7bfc9b2d25be532186f6c8e9ed18af38c3425a7969a44
Opcode Fuzzy Hash: 49081582afbd1edd4adb68204719847f71a63a350b17053ef9356701fec1ec8f
Instruction Fuzzy Hash: 16E048769015586BDB11E695EC0CFDA7BACFF0D3D5F040065B645D2008D7B4D684CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 011EA3B9 Relevance: 3.0, APIs: 2, Instructions: 23
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E011EA3B9(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t10;
				signed int _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t10 =  &_v8;
				_v8 = __ecx;
				_v8 = _v8 & 0x00000000;
				_push(_t10);
				_push(_a4);
				 *__ecx = 0x1204740;
				if(_a8 == 0) {
					L011EEB1A(); // executed
				} else {
					L011EEB20();
				}
				 *((intOrPtr*)(_t15 + 8)) = _t10;
				 *(_t15 + 4) = _v8;
				return _t15;
			}

0x011ea3bc
0x011ea3be
0x011ea3c0
0x011ea3c3
0x011ea3c6
0x011ea3ce
0x011ea3cf
0x011ea3d2
0x011ea3d8
0x011ea3e1
0x011ea3da
0x011ea3da
0x011ea3da
0x011ea3e6
0x011ea3ec
0x011ea3f3

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 011EA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 011EA3E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: d9ee8f728249b78e902dd263b66d823db2519b6db8a4ce3626ecfa982188e841
Instruction ID: e3e16611911c32e47410146cf1be50ccb269c80c7b66b879f1b11e556409add7
Opcode Fuzzy Hash: d9ee8f728249b78e902dd263b66d823db2519b6db8a4ce3626ecfa982188e841
Instruction Fuzzy Hash: 3CE09271905708EFCB18DF89C40479DBBF8EF04224F10C05AE94693200E3B0AE00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011F2B8C Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E011F2B8C(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t7;
				void* _t9;

				_t1 = E011F3C57(__ecx, __eflags, E011F2AD0); // executed
				 *0x120e7d0 = _t1;
				_pop(_t7);
				if(_t1 != 0xffffffff) {
					_t2 = E011F3D08(_t7, __eflags, _t1, 0x1232060);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E011F2BBF(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x011f2b91
0x011f2b96
0x011f2b9b
0x011f2b9f
0x011f2baa
0x011f2bb0
0x011f2bb1
0x011f2bb3
0x011f2bbe
0x011f2bb5
0x011f2bb5
0x00000000
0x011f2bb5
0x011f2ba1
0x011f2ba1
0x011f2ba3
0x011f2ba3

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 011F2BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 011F2BB5

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 7e9d0d3ba8bd8163436cda682200efc04eda2325d083e9d791157c4853cf9cf9
Instruction ID: b5e201e60eb461553b011da21a5d1ea484b311e249e1072437fb17393f029bfd
Opcode Fuzzy Hash: 7e9d0d3ba8bd8163436cda682200efc04eda2325d083e9d791157c4853cf9cf9
Instruction Fuzzy Hash: D1D0227417830A188C3C2E7A390964C3346FCA1ABABE0078EDF30858C1EF30C084D512

Uniqueness

Uniqueness Score: -1.00%

Function 011D12F1 Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E011D12F1(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t8;

				asm("sbb eax, eax");
				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
				return _t8;
			}

0x011d12f8
0x011d130d
0x011d1313

APIs

GetDlgItem.USER32(?,?), ref: 011D1306
ShowWindow.USER32(00000000), ref: 011D130D

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 1d8a312fe01e290d885d9b981d5d0ad41cbceacb474b5110defaa08f1f66f42a
Instruction ID: 7463320b9ff4c8dd190b5f5ef98ab0d5d64f95554ac1785450fefcde1646325b
Opcode Fuzzy Hash: 1d8a312fe01e290d885d9b981d5d0ad41cbceacb474b5110defaa08f1f66f42a
Instruction Fuzzy Hash: 7CC0123205C200BECB018BB4EC0DC2BBBB8BBA5312F04C908B4E5C0054C238C110DB11

Uniqueness

Uniqueness Score: -1.00%

Function 011D1A04 Relevance: 1.8, APIs: 1, Instructions: 312
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E011D1A04(intOrPtr* __ecx, void* __edx) {
				void* __esi;
				char _t101;
				signed int _t103;
				intOrPtr _t107;
				signed int _t109;
				signed int _t111;
				signed int _t113;
				signed int _t114;
				void* _t119;
				signed int _t125;
				intOrPtr _t126;
				char _t127;
				char _t137;
				intOrPtr _t142;
				signed int _t143;
				void* _t146;
				signed int _t151;
				signed int _t155;
				void* _t160;
				void* _t162;
				void* _t166;
				intOrPtr* _t167;
				signed int _t181;
				void* _t182;
				signed int _t184;
				char* _t198;
				intOrPtr _t199;
				signed int _t200;
				void* _t210;
				void* _t211;
				intOrPtr _t212;
				void* _t214;
				char* _t215;
				intOrPtr _t216;
				void* _t217;
				void* _t224;
				void* _t226;

				_t210 = __edx;
				E011EEB78(0x120265a, _t226);
				_t167 = __ecx;
				_t212 = 7;
				 *((char*)(__ecx + 0x6cd4)) = 0;
				 *((char*)(__ecx + 0x6cdc)) = 0;
				 *0x1203278(__ecx + 0x2210, _t212, _t211, _t217, _t166);
				if( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0xc))))() != _t212) {
					L23:
					_t101 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t226 - 0xc));
					return _t101;
				}
				_t220 = 0;
				 *((intOrPtr*)(__ecx + 0x6cd8)) = 0;
				_t103 = E011D1DF8(__ecx + 0x2210, _t212);
				if(_t103 == 0) {
					E011D13BA(_t226 - 0x38, 0x200000);
					 *(_t226 - 4) = 0;
					 *0x1203278();
					_t107 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x14))))(); // executed
					 *((intOrPtr*)(_t226 - 0x18)) = _t107;
					 *0x1203278( *((intOrPtr*)(_t226 - 0x38)),  *((intOrPtr*)(_t226 - 0x34)) + 0xfffffff0);
					_t109 =  *( *_t167 + 0xc)();
					_t181 = _t109;
					_t220 = 0;
					 *(_t226 - 0x14) = _t181;
					__eflags = _t181;
					if(_t181 <= 0) {
						L21:
						__eflags =  *(_t167 + 0x6cd8);
						_t182 = _t226 - 0x38;
						if( *(_t167 + 0x6cd8) != 0) {
							_t38 = _t226 - 4; // executed
							 *_t38 =  *(_t226 - 4) | 0xffffffff;
							__eflags =  *_t38;
							E011D15FB(_t182); // executed
							L26:
							_t111 =  *(_t167 + 0x6cc8);
							_t234 = _t111 - 4;
							if(_t111 != 4) {
								__eflags = _t111 - 3;
								if(_t111 != 3) {
									L32:
									 *((intOrPtr*)(_t167 + 0x2218)) = _t212;
									 *((char*)(_t226 - 0xd)) = 0;
									_t113 = E011D3B2D(_t167, _t210, _t220);
									__eflags = _t113;
									 *((char*)(_t226 - 0xe)) = _t113 != 0;
									__eflags = _t113;
									if(_t113 == 0) {
										L38:
										_t114 =  *((intOrPtr*)(_t226 - 0xd));
										L39:
										_t184 =  *((intOrPtr*)(_t167 + 0x6cdd));
										__eflags = _t184;
										if(_t184 == 0) {
											L41:
											__eflags =  *((char*)(_t167 + 0x6cdc));
											if( *((char*)(_t167 + 0x6cdc)) != 0) {
												L43:
												__eflags = _t184;
												if(__eflags == 0) {
													E011D138B(__eflags, 0x1b, _t167 + 0x32);
												}
												__eflags =  *((char*)(_t226 + 8));
												if( *((char*)(_t226 + 8)) == 0) {
													goto L23;
												} else {
													L46:
													__eflags =  *((char*)(_t226 - 0xe));
													 *((char*)(_t167 + 0x6cce)) =  *((intOrPtr*)(_t167 + 0x223c));
													if( *((char*)(_t226 - 0xe)) == 0) {
														L69:
														__eflags =  *((char*)(_t167 + 0x6ccd));
														if( *((char*)(_t167 + 0x6ccd)) == 0) {
															L71:
															E011E0602(_t167 + 0x6d12, _t167 + 0x32, 0x800);
															L72:
															_t101 = 1;
															goto L24;
														}
														__eflags =  *((char*)(_t167 + 0x6cd1));
														if( *((char*)(_t167 + 0x6cd1)) == 0) {
															goto L72;
														}
														goto L71;
													}
													__eflags =  *((char*)(_t167 + 0x21f8));
													if( *((char*)(_t167 + 0x21f8)) == 0) {
														L49:
														__eflags =  *((intOrPtr*)(_t167 + 0x10)) - 1;
														if( *((intOrPtr*)(_t167 + 0x10)) == 1) {
															goto L69;
														}
														 *0x1203278();
														_t119 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x14))))(); // executed
														_t224 = _t119;
														_t214 = _t210;
														 *((intOrPtr*)(_t226 - 0x18)) =  *((intOrPtr*)(_t167 + 0x6cb8));
														 *(_t226 - 0x14) =  *(_t167 + 0x6cbc);
														 *((intOrPtr*)(_t226 - 0x1c)) =  *((intOrPtr*)(_t167 + 0x6cc0));
														 *((intOrPtr*)(_t226 - 0x20)) =  *((intOrPtr*)(_t167 + 0x6cc4));
														 *((intOrPtr*)(_t226 - 0x24)) =  *((intOrPtr*)(_t167 + 0x21f4));
														while(1) {
															_t125 = E011D3B2D(_t167, _t210, _t224);
															__eflags = _t125;
															if(_t125 == 0) {
																break;
															}
															_t126 =  *((intOrPtr*)(_t167 + 0x21f4));
															__eflags = _t126 - 3;
															if(_t126 != 3) {
																__eflags = _t126 - 2;
																if(_t126 == 2) {
																	__eflags =  *((char*)(_t167 + 0x6ccd));
																	if( *((char*)(_t167 + 0x6ccd)) == 0) {
																		L66:
																		_t127 = 0;
																		__eflags = 0;
																		L67:
																		 *((char*)(_t167 + 0x6cd1)) = _t127;
																		L68:
																		 *((intOrPtr*)(_t167 + 0x6cb8)) =  *((intOrPtr*)(_t226 - 0x18));
																		 *(_t167 + 0x6cbc) =  *(_t226 - 0x14);
																		 *((intOrPtr*)(_t167 + 0x6cc0)) =  *((intOrPtr*)(_t226 - 0x1c));
																		 *((intOrPtr*)(_t167 + 0x6cc4)) =  *((intOrPtr*)(_t226 - 0x20));
																		 *((intOrPtr*)(_t167 + 0x21f4)) =  *((intOrPtr*)(_t226 - 0x24));
																		 *0x1203278(_t224, _t214, 0);
																		 *( *( *_t167 + 0x10))();
																		goto L69;
																	}
																	__eflags =  *((char*)(_t167 + 0x3330));
																	if( *((char*)(_t167 + 0x3330)) != 0) {
																		goto L66;
																	}
																	_t127 = 1;
																	goto L67;
																}
																__eflags = _t126 - 5;
																if(_t126 == 5) {
																	goto L68;
																}
																L60:
																E011D1F47(_t167);
																continue;
															}
															__eflags =  *((char*)(_t167 + 0x6ccd));
															if( *((char*)(_t167 + 0x6ccd)) == 0) {
																L56:
																_t137 = 0;
																__eflags = 0;
																L57:
																 *((char*)(_t167 + 0x6cd1)) = _t137;
																goto L60;
															}
															__eflags =  *((char*)(_t167 + 0x5680));
															if( *((char*)(_t167 + 0x5680)) != 0) {
																goto L56;
															}
															_t137 = 1;
															goto L57;
														}
														goto L68;
													}
													__eflags =  *((char*)(_t167 + 0x6cd4));
													if( *((char*)(_t167 + 0x6cd4)) != 0) {
														goto L69;
													}
													goto L49;
												}
											}
											__eflags = _t114;
											if(_t114 != 0) {
												goto L46;
											}
											goto L43;
										}
										__eflags =  *((char*)(_t226 + 8));
										if( *((char*)(_t226 + 8)) == 0) {
											goto L23;
										}
										goto L41;
									}
									__eflags = 0;
									 *((char*)(_t226 - 0xd)) = 0;
									while(1) {
										E011D1F47(_t167);
										_t142 =  *((intOrPtr*)(_t167 + 0x21f4));
										__eflags = _t142 - 1;
										if(_t142 == 1) {
											break;
										}
										__eflags =  *((char*)(_t167 + 0x21f8));
										if( *((char*)(_t167 + 0x21f8)) == 0) {
											L37:
											_t143 = E011D3B2D(_t167, _t210, _t220);
											__eflags = _t143;
											 *((char*)(_t226 - 0xe)) = _t143 != 0;
											__eflags = _t143;
											if(_t143 != 0) {
												continue;
											}
											goto L38;
										}
										__eflags = _t142 - 4;
										if(_t142 == 4) {
											break;
										}
										goto L37;
									}
									_t114 = 1;
									goto L39;
								}
								_t215 = _t167 + 0x2217;
								_t220 =  *( *_t167 + 0xc);
								 *0x1203278(_t215, 1);
								_t146 =  *( *( *_t167 + 0xc))();
								__eflags = _t146 - 1;
								if(_t146 != 1) {
									goto L23;
								}
								__eflags =  *_t215;
								if( *_t215 != 0) {
									goto L23;
								}
								_t212 = 8;
								goto L32;
							}
							E011D138B(_t234, 0x3c, _t167 + 0x32);
							goto L23;
						}
						E011D15FB(_t182);
						goto L23;
					} else {
						goto L5;
					}
					do {
						L5:
						_t198 =  *((intOrPtr*)(_t226 - 0x38)) + _t220;
						__eflags =  *_t198 - 0x52;
						if( *_t198 != 0x52) {
							goto L16;
						}
						_t151 = E011D1DF8(_t198, _t109 - _t220);
						__eflags = _t151;
						if(_t151 == 0) {
							L15:
							_t109 =  *(_t226 - 0x14);
							goto L16;
						}
						_t199 =  *((intOrPtr*)(_t226 - 0x18));
						 *(_t167 + 0x6cc8) = _t151;
						__eflags = _t151 - 1;
						if(_t151 != 1) {
							L18:
							_t200 = _t199 + _t220;
							 *(_t167 + 0x6cd8) = _t200;
							_t220 =  *( *_t167 + 0x10);
							 *0x1203278(_t200, 0, 0);
							 *( *( *_t167 + 0x10))();
							_t155 =  *(_t167 + 0x6cc8);
							__eflags = _t155 - 2;
							if(_t155 == 2) {
								L20:
								_t220 =  *( *_t167 + 0xc);
								 *0x1203278(_t167 + 0x2210, _t212);
								 *( *( *_t167 + 0xc))();
								goto L21;
							}
							__eflags = _t155 - 3;
							if(_t155 != 3) {
								goto L21;
							}
							goto L20;
						}
						__eflags = _t220;
						if(_t220 <= 0) {
							goto L18;
						}
						__eflags = _t199 - 0x1c;
						if(_t199 >= 0x1c) {
							goto L18;
						}
						__eflags =  *(_t226 - 0x14) - 0x1f;
						if( *(_t226 - 0x14) <= 0x1f) {
							goto L18;
						}
						_t160 =  *((intOrPtr*)(_t226 - 0x38)) - _t199;
						__eflags =  *((char*)(_t160 + 0x1c)) - 0x52;
						if( *((char*)(_t160 + 0x1c)) != 0x52) {
							goto L15;
						}
						__eflags =  *((char*)(_t160 + 0x1d)) - 0x53;
						if( *((char*)(_t160 + 0x1d)) != 0x53) {
							goto L15;
						}
						__eflags =  *((char*)(_t160 + 0x1e)) - 0x46;
						if( *((char*)(_t160 + 0x1e)) != 0x46) {
							goto L15;
						}
						__eflags =  *((char*)(_t160 + 0x1f)) - 0x58;
						if( *((char*)(_t160 + 0x1f)) == 0x58) {
							goto L18;
						}
						goto L15;
						L16:
						_t220 = _t220 + 1;
						__eflags = _t220 - _t109;
					} while (_t220 < _t109);
					goto L21;
				}
				 *(_t167 + 0x6cc8) = _t103;
				if(_t103 == 1) {
					_t216 =  *_t167;
					_t220 =  *(_t216 + 0x14);
					 *0x1203278(0);
					_t162 =  *( *(_t216 + 0x14))();
					asm("sbb edx, 0x0");
					 *0x1203278(_t162 - 7, __edx);
					 *((intOrPtr*)(_t216 + 0x10))();
					_t212 = 7;
				}
				goto L26;
			}

0x011d1a04
0x011d1a09
0x011d1a13
0x011d1a18
0x011d1a23
0x011d1a2f
0x011d1a36
0x011d1a42
0x011d1ba0
0x011d1ba0
0x011d1ba2
0x011d1ba8
0x011d1bb0
0x011d1bb0
0x011d1a4f
0x011d1a52
0x011d1a58
0x011d1a5f
0x011d1aa8
0x011d1aaf
0x011d1ab7
0x011d1abf
0x011d1acd
0x011d1ad3
0x011d1adb
0x011d1ade
0x011d1ae0
0x011d1ae2
0x011d1ae5
0x011d1ae7
0x011d1b8f
0x011d1b8f
0x011d1b96
0x011d1b99
0x011d1bb3
0x011d1bb3
0x011d1bb3
0x011d1bb7
0x011d1bbc
0x011d1bbc
0x011d1bc2
0x011d1bc5
0x011d1bd4
0x011d1bd7
0x011d1c00
0x011d1c02
0x011d1c0a
0x011d1c0d
0x011d1c12
0x011d1c14
0x011d1c18
0x011d1c1a
0x011d1c5a
0x011d1c5a
0x011d1c5d
0x011d1c5d
0x011d1c63
0x011d1c65
0x011d1c71
0x011d1c71
0x011d1c78
0x011d1c7e
0x011d1c7e
0x011d1c80
0x011d1c88
0x011d1c88
0x011d1c8d
0x011d1c91
0x00000000
0x011d1c97
0x011d1c97
0x011d1c97
0x011d1ca1
0x011d1ca7
0x011d1dc1
0x011d1dc1
0x011d1dc8
0x011d1dd3
0x011d1de3
0x011d1de8
0x011d1de8
0x00000000
0x011d1de8
0x011d1dca
0x011d1dd1
0x00000000
0x00000000
0x00000000
0x011d1dd1
0x011d1cad
0x011d1cb4
0x011d1cc3
0x011d1cc3
0x011d1cc7
0x00000000
0x00000000
0x011d1cd4
0x011d1cdc
0x011d1cde
0x011d1ce0
0x011d1ce8
0x011d1cf1
0x011d1cfa
0x011d1d03
0x011d1d0c
0x011d1d54
0x011d1d56
0x011d1d5b
0x011d1d5d
0x00000000
0x00000000
0x011d1d18
0x011d1d1e
0x011d1d21
0x011d1d43
0x011d1d46
0x011d1d61
0x011d1d68
0x011d1d77
0x011d1d77
0x011d1d77
0x011d1d79
0x011d1d79
0x011d1d7f
0x011d1d82
0x011d1d8b
0x011d1d94
0x011d1d9d
0x011d1da6
0x011d1db7
0x011d1dbf
0x00000000
0x011d1dbf
0x011d1d6a
0x011d1d71
0x00000000
0x00000000
0x011d1d73
0x00000000
0x011d1d73
0x011d1d48
0x011d1d4b
0x00000000
0x00000000
0x011d1d4d
0x011d1d4f
0x00000000
0x011d1d4f
0x011d1d23
0x011d1d2a
0x011d1d39
0x011d1d39
0x011d1d39
0x011d1d3b
0x011d1d3b
0x00000000
0x011d1d3b
0x011d1d2c
0x011d1d33
0x00000000
0x00000000
0x011d1d35
0x00000000
0x011d1d35
0x00000000
0x011d1d5f
0x011d1cb6
0x011d1cbd
0x00000000
0x00000000
0x00000000
0x011d1cbd
0x011d1c91
0x011d1c7a
0x011d1c7c
0x00000000
0x00000000
0x00000000
0x011d1c7c
0x011d1c67
0x011d1c6b
0x00000000
0x00000000
0x00000000
0x011d1c6b
0x011d1c1c
0x011d1c1e
0x011d1c21
0x011d1c23
0x011d1c28
0x011d1c2e
0x011d1c31
0x00000000
0x00000000
0x011d1c37
0x011d1c3e
0x011d1c49
0x011d1c4b
0x011d1c50
0x011d1c52
0x011d1c56
0x011d1c58
0x00000000
0x00000000
0x00000000
0x011d1c58
0x011d1c40
0x011d1c43
0x00000000
0x00000000
0x00000000
0x011d1c43
0x011d1d11
0x00000000
0x011d1d11
0x011d1bdb
0x011d1be4
0x011d1be9
0x011d1bf1
0x011d1bf3
0x011d1bf6
0x00000000
0x00000000
0x011d1bf8
0x011d1bfb
0x00000000
0x00000000
0x011d1bff
0x00000000
0x011d1bff
0x011d1bcd
0x00000000
0x011d1bcd
0x011d1b9b
0x00000000
0x00000000
0x00000000
0x00000000
0x011d1aed
0x011d1aed
0x011d1af0
0x011d1af2
0x011d1af5
0x00000000
0x00000000
0x011d1afb
0x011d1b00
0x011d1b02
0x011d1b3e
0x011d1b3e
0x00000000
0x011d1b3e
0x011d1b04
0x011d1b07
0x011d1b0d
0x011d1b10
0x011d1b48
0x011d1b4a
0x011d1b50
0x011d1b56
0x011d1b5c
0x011d1b64
0x011d1b66
0x011d1b6c
0x011d1b6f
0x011d1b76
0x011d1b80
0x011d1b85
0x011d1b8d
0x00000000
0x011d1b8d
0x011d1b71
0x011d1b74
0x00000000
0x00000000
0x00000000
0x011d1b74
0x011d1b12
0x011d1b14
0x00000000
0x00000000
0x011d1b16
0x011d1b19
0x00000000
0x00000000
0x011d1b1b
0x011d1b1f
0x00000000
0x00000000
0x011d1b24
0x011d1b26
0x011d1b2a
0x00000000
0x00000000
0x011d1b2c
0x011d1b30
0x00000000
0x00000000
0x011d1b32
0x011d1b36
0x00000000
0x00000000
0x011d1b38
0x011d1b3c
0x00000000
0x00000000
0x00000000
0x011d1b41
0x011d1b41
0x011d1b42
0x011d1b42
0x00000000
0x011d1b46
0x011d1a61
0x011d1a6a
0x011d1a70
0x011d1a73
0x011d1a78
0x011d1a80
0x011d1a88
0x011d1a8d
0x011d1a95
0x011d1a9a
0x011d1a9a
0x00000000

APIs

__EH_prolog.LIBCMT ref: 011D1A09

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8774b953bfc89813df7a84d12cea5314d45d2be55a6eec58827cabea08820e33
Instruction ID: fc1ecc00f89c29e9b0724329258ccbc75072a3de2c58d6a9bef4555be18adfac
Opcode Fuzzy Hash: 8774b953bfc89813df7a84d12cea5314d45d2be55a6eec58827cabea08820e33
Instruction Fuzzy Hash: FCC1A170A00655BFEF2EDF68C498BAD7BB5AF09314F0801B9DD469B386DB309944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011D3BBA Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E011D3BBA(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t79;
				signed int _t86;
				intOrPtr _t91;
				intOrPtr _t96;
				void* _t124;
				char _t125;
				intOrPtr _t133;
				signed int _t135;
				intOrPtr _t149;
				signed int _t152;
				void* _t155;
				void* _t157;

				E011EEB78(0x12026da, _t157);
				E011EEC50(0xe6e0);
				_t155 = __ecx;
				_t160 =  *((char*)(__ecx + 0x6cdc));
				if( *((char*)(__ecx + 0x6cdc)) == 0) {
					__eflags =  *((char*)(__ecx + 0x4608)) - 5;
					if(__eflags > 0) {
						L26:
						E011D138B(__eflags, 0x1e, _t155 + 0x32);
						goto L27;
					}
					__eflags =  *((intOrPtr*)(__ecx + 0x6cc8)) - 3;
					__eflags =  *((intOrPtr*)(__ecx + 0x4604)) - ((0 |  *((intOrPtr*)(__ecx + 0x6cc8)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
					if(__eflags > 0) {
						goto L26;
					}
					_t86 =  *(__ecx + 0x5640) |  *(__ecx + 0x5644);
					__eflags = _t86;
					if(_t86 != 0) {
						L7:
						_t124 = _t155 + 0x20f8;
						E011DCFD4(_t86, _t124);
						_push(_t124);
						E011E2089(_t157 - 0xe6ec, __eflags);
						_t125 = 0;
						_push(0);
						_push( *((intOrPtr*)(_t155 + 0x56dc)));
						 *((intOrPtr*)(_t157 - 4)) = 0;
						E011E3377(0, _t157 - 0xe6ec);
						_t152 =  *(_t157 + 8);
						__eflags =  *(_t157 + 0xc);
						if( *(_t157 + 0xc) != 0) {
							L15:
							__eflags =  *((intOrPtr*)(_t155 + 0x5683)) - _t125;
							if( *((intOrPtr*)(_t155 + 0x5683)) == _t125) {
								L18:
								E011DAB1A(_t155 + 0x21b8, _t149,  *((intOrPtr*)(_t155 + 0x5658)), 1);
								_t133 =  *((intOrPtr*)(_t155 + 0x5644));
								_t91 =  *((intOrPtr*)(_t155 + 0x5640));
								 *((intOrPtr*)(_t155 + 0x2124)) = _t133;
								 *((intOrPtr*)(_t155 + 0x211c)) = _t133;
								 *((intOrPtr*)(_t155 + 0x2120)) = _t91;
								 *((intOrPtr*)(_t155 + 0x2118)) = _t91;
								 *((char*)(_t155 + 0x2128)) = _t125;
								E011DD099(_t155 + 0x20f8, _t155,  *(_t157 + 0xc));
								 *((char*)(_t155 + 0x2129)) =  *((intOrPtr*)(_t157 + 0x10));
								 *((char*)(_t155 + 0x214f)) =  *((intOrPtr*)(_t155 + 0x5681));
								 *((intOrPtr*)(_t155 + 0x2138)) = _t155 + 0x45e8;
								 *((intOrPtr*)(_t155 + 0x213c)) = _t125;
								_t96 =  *((intOrPtr*)(_t155 + 0x5648));
								_t135 =  *(_t155 + 0x564c);
								 *((intOrPtr*)(_t157 - 0x9aa4)) = _t96;
								 *(_t157 - 0x9aa0) = _t135;
								 *((char*)(_t157 - 0x9a8c)) = _t125;
								__eflags =  *((intOrPtr*)(_t155 + 0x4608)) - _t125;
								if(__eflags != 0) {
									E011E3020(_t157 - 0xe6ec,  *((intOrPtr*)(_t155 + 0x4604)), _t125);
								} else {
									_push(_t135);
									_push(_t96);
									_push(_t155 + 0x20f8); // executed
									E011D9215(_t125, _t152, __eflags); // executed
								}
								asm("sbb eax, eax");
								__eflags = E011DAAEA(_t125, _t155 + 0x21b8, _t155 + 0x5658,  ~( *(_t155 + 0x56b2) & 0x000000ff) & _t155 + 0x000056b3);
								if(__eflags != 0) {
									_t125 = 1;
								} else {
									E011D2021(__eflags, 0x1f, _t155 + 0x32, _t155 + 0x4610);
									E011D6D83(0x1211098, 3);
									__eflags = _t152;
									if(_t152 != 0) {
										E011D3EDE(_t152);
									}
								}
								L25:
								E011E2297(_t157 - 0xe6ec, _t152, _t155);
								_t79 = _t125;
								goto L28;
							}
							_t149 =  *((intOrPtr*)(_t155 + 0x21d4));
							__eflags =  *((intOrPtr*)(_t149 + 0x6124)) - _t125;
							if( *((intOrPtr*)(_t149 + 0x6124)) == _t125) {
								goto L25;
							}
							asm("sbb ecx, ecx");
							_t144 =  ~( *(_t155 + 0x5688) & 0x000000ff) & _t155 + 0x00005689;
							__eflags =  ~( *(_t155 + 0x5688) & 0x000000ff) & _t155 + 0x00005689;
							E011DD051(_t155 + 0x20f8, _t125,  *((intOrPtr*)(_t155 + 0x5684)), _t149 + 0x6024, _t144, _t155 + 0x5699,  *((intOrPtr*)(_t155 + 0x56d4)), _t155 + 0x56b3, _t155 + 0x56aa);
							goto L18;
						}
						__eflags =  *(_t155 + 0x564c);
						if(__eflags < 0) {
							L12:
							__eflags = _t152;
							if(_t152 != 0) {
								E011D20BD(_t152,  *((intOrPtr*)(_t155 + 0x5648)));
								E011DD0B6(_t155 + 0x20f8,  *_t152,  *((intOrPtr*)(_t155 + 0x5648)));
							} else {
								 *((char*)(_t155 + 0x2129)) = 1;
							}
							goto L15;
						}
						if(__eflags > 0) {
							L11:
							E011D138B(__eflags, 0x1e, _t155 + 0x32);
							goto L25;
						}
						__eflags =  *((intOrPtr*)(_t155 + 0x5648)) - 0x1000000;
						if(__eflags <= 0) {
							goto L12;
						}
						goto L11;
					}
					__eflags =  *((intOrPtr*)(__ecx + 0x5681)) - _t86;
					if( *((intOrPtr*)(__ecx + 0x5681)) != _t86) {
						goto L7;
					} else {
						_t79 = 1;
						goto L28;
					}
				} else {
					E011D138B(_t160, 0x1d, __ecx + 0x32);
					E011D6D83(0x1211098, 3);
					L27:
					_t79 = 0;
					L28:
					 *[fs:0x0] =  *((intOrPtr*)(_t157 - 0xc));
					return _t79;
				}
			}

0x011d3bbf
0x011d3bc9
0x011d3bcf
0x011d3bd1
0x011d3bd8
0x011d3bf6
0x011d3bfd
0x011d3e51
0x011d3e57
0x00000000
0x011d3e57
0x011d3c05
0x011d3c16
0x011d3c1c
0x00000000
0x00000000
0x011d3c28
0x011d3c28
0x011d3c2e
0x011d3c3f
0x011d3c40
0x011d3c49
0x011d3c4e
0x011d3c55
0x011d3c5a
0x011d3c62
0x011d3c63
0x011d3c69
0x011d3c6c
0x011d3c71
0x011d3c74
0x011d3c77
0x011d3ccc
0x011d3ccc
0x011d3cd2
0x011d3d2e
0x011d3d3c
0x011d3d41
0x011d3d4a
0x011d3d50
0x011d3d56
0x011d3d63
0x011d3d69
0x011d3d6f
0x011d3d75
0x011d3d7d
0x011d3d89
0x011d3d95
0x011d3d9b
0x011d3da1
0x011d3da7
0x011d3dad
0x011d3db3
0x011d3db9
0x011d3dbf
0x011d3dc5
0x011d3de4
0x011d3dc7
0x011d3dc7
0x011d3dc8
0x011d3dcf
0x011d3dd0
0x011d3dd0
0x011d3dfe
0x011d3e0f
0x011d3e11
0x011d3e3e
0x011d3e13
0x011d3e20
0x011d3e2c
0x011d3e31
0x011d3e33
0x011d3e37
0x011d3e37
0x011d3e33
0x011d3e40
0x011d3e46
0x011d3e4c
0x00000000
0x011d3e4e
0x011d3cd4
0x011d3cda
0x011d3ce0
0x00000000
0x00000000
0x011d3d10
0x011d3d12
0x011d3d12
0x011d3d29
0x00000000
0x011d3d29
0x011d3c79
0x011d3c7f
0x011d3c9f
0x011d3c9f
0x011d3ca1
0x011d3cb4
0x011d3cc7
0x011d3ca3
0x011d3ca3
0x011d3ca3
0x00000000
0x011d3ca1
0x011d3c81
0x011d3c8f
0x011d3c95
0x00000000
0x011d3c95
0x011d3c83
0x011d3c8d
0x00000000
0x00000000
0x00000000
0x011d3c8d
0x011d3c30
0x011d3c36
0x00000000
0x011d3c38
0x011d3c38
0x00000000
0x011d3c38
0x011d3bda
0x011d3be0
0x011d3bec
0x011d3e5c
0x011d3e5c
0x011d3e5e
0x011d3e62
0x011d3e6a
0x011d3e6a

APIs

__EH_prolog.LIBCMT ref: 011D3BBF

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 605078dacee585bb8fedc7e2aa7cd733944ea72939bd5fabc5a694c7b32df01e
Instruction ID: 49d5790fafbf433fd6b8c22641ec35f8cc2421df63a50b2d6fbc59477b6b508c
Opcode Fuzzy Hash: 605078dacee585bb8fedc7e2aa7cd733944ea72939bd5fabc5a694c7b32df01e
Instruction Fuzzy Hash: 9C71C2B1500F459EDB29DB74C8549EBB7E9AF24205F44092EE6BB87281EB327584CF12

Uniqueness

Uniqueness Score: -1.00%

Function 011D8284 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E011D8284(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				char _t48;
				void* _t51;
				intOrPtr _t54;
				void* _t56;
				char _t58;
				signed int _t84;
				intOrPtr _t85;
				void* _t92;
				void* _t93;
				void* _t94;
				intOrPtr _t95;
				intOrPtr _t97;
				void* _t99;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edi;
				_t92 = __edx;
				E011EEB78(0x1202831, _t99);
				E011EEC50(0x9d64);
				_t97 = __ecx;
				_t1 = _t99 - 0x9d70; // -38256
				_push( *((intOrPtr*)(__ecx + 8)));
				E011D13DC(_t1, __edi, _t102);
				 *((intOrPtr*)(_t99 - 4)) = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + 0x82de)) == 0) {
					_t8 = _t99 - 0x9d70; // -38256
					_t48 = E011D9F42(_t8, __edi, __ecx, __ecx + 0xfe);
					__eflags = _t48;
					if(_t48 != 0) {
						goto L3;
					}
				} else {
					 *((intOrPtr*)(_t99 - 0x9d60)) = 1;
					L3:
					_t9 = _t99 - 0x9d70; // -38256, executed
					_t51 = E011D1A04(_t9, _t92, 1); // executed
					if(_t51 != 0) {
						__eflags =  *((intOrPtr*)(_t99 - 0x3093));
						if( *((intOrPtr*)(_t99 - 0x3093)) == 0) {
							_push(_t94);
							_t95 = 0;
							__eflags =  *((intOrPtr*)(_t99 - 0x30a3));
							if(__eflags != 0) {
								_t12 = _t99 - 0x9d3e; // -38206
								_t13 = _t99 - 0x1010; // -2064
								_t65 = E011E0602(_t13, _t12, 0x800);
								__eflags =  *((intOrPtr*)(_t99 - 0x309e));
								while(1) {
									_t19 = _t99 - 0x1010; // -2064
									E011DC0C5(_t19, 0x800, (_t65 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
									_t20 = _t99 - 0x2058; // -6232
									E011D6EDB(_t20);
									_push(0);
									_t21 = _t99 - 0x2058; // -6232
									_t22 = _t99 - 0x1010; // -2064
									__eflags = E011DA56D(_t20, __eflags, _t22, _t21);
									if(__eflags == 0) {
										break;
									}
									_t95 = _t95 +  *((intOrPtr*)(_t99 - 0x1058));
									asm("adc ebx, [ebp-0x1054]");
									__eflags =  *((char*)(_t99 - 0x309e));
								}
								 *((intOrPtr*)(_t97 + 0xa0)) =  *((intOrPtr*)(_t97 + 0xa0)) + _t95;
								asm("adc [esi+0xa4], ebx");
							}
							_t25 = _t99 - 0x9d70; // -38256
							E011D8430(_t97, __eflags, _t25);
							_t54 =  *((intOrPtr*)(_t97 + 8));
							_t93 = 0x49;
							_pop(_t94);
							_t84 =  *(_t54 + 0x92fa) & 0x0000ffff;
							__eflags = _t84 - 0x54;
							if(_t84 == 0x54) {
								L13:
								 *((char*)(_t54 + 0x7201)) = 1;
							} else {
								__eflags = _t84 - _t93;
								if(_t84 == _t93) {
									goto L13;
								}
							}
							_t85 =  *((intOrPtr*)(_t97 + 8));
							__eflags =  *((intOrPtr*)(_t85 + 0x92fa)) - _t93;
							if( *((intOrPtr*)(_t85 + 0x92fa)) != _t93) {
								 *((char*)(_t85 + 0x7201)) =  *((char*)(_t85 + 0x7201)) == 0;
								E011E1B66((_t97 + 0x000000fe & 0xffffff00 |  *((char*)(_t85 + 0x7201)) == 0x00000000) & 0x000000ff, _t97 + 0xfe);
							}
							_t35 = _t99 - 0x9d70; // -38256
							E011D1F6D(_t35, _t93);
							do {
								_t36 = _t99 - 0x9d70; // -38256
								_t56 = E011D3B2D(_t36, _t93, _t97);
								_t37 = _t99 - 0xd; // 0x7f3
								_t38 = _t99 - 0x9d70; // -38256
								_t58 = E011D848E(_t97, _t38, _t56, _t37); // executed
								__eflags = _t58;
							} while (_t58 != 0);
						}
					} else {
						E011D6D83(0x1211098, 1);
					}
				}
				_t39 = _t99 - 0x9d70; // -38256
				E011D1692(_t39, _t94, _t97);
				 *[fs:0x0] =  *((intOrPtr*)(_t99 - 0xc));
				return 0;
			}

0x011d8284
0x011d8284
0x011d8284
0x011d8289
0x011d8293
0x011d829a
0x011d829c
0x011d82a2
0x011d82a5
0x011d82af
0x011d82b9
0x011d82ce
0x011d82d4
0x011d82d9
0x011d82db
0x00000000
0x00000000
0x011d82bb
0x011d82bb
0x011d82e1
0x011d82e3
0x011d82e9
0x011d82f0
0x011d8303
0x011d8309
0x011d830f
0x011d8310
0x011d8312
0x011d8318
0x011d831f
0x011d8326
0x011d832d
0x011d8332
0x011d834d
0x011d8359
0x011d8360
0x011d8365
0x011d836b
0x011d8370
0x011d8372
0x011d8379
0x011d8385
0x011d8387
0x00000000
0x00000000
0x011d833a
0x011d8340
0x011d8346
0x011d8346
0x011d8389
0x011d838f
0x011d838f
0x011d8395
0x011d839e
0x011d83a3
0x011d83a8
0x011d83a9
0x011d83aa
0x011d83b1
0x011d83b4
0x011d83bb
0x011d83bb
0x011d83b6
0x011d83b6
0x011d83b9
0x00000000
0x00000000
0x011d83b9
0x011d83c2
0x011d83c5
0x011d83cc
0x011d83dc
0x011d83e3
0x011d83e3
0x011d83e8
0x011d83ee
0x011d83f3
0x011d83f3
0x011d83f9
0x011d83fe
0x011d8403
0x011d840c
0x011d8411
0x011d8411
0x011d83f3
0x011d82f2
0x011d82f9
0x011d82f9
0x011d82f0
0x011d8415
0x011d841b
0x011d8427
0x011d842f

APIs

__EH_prolog.LIBCMT ref: 011D8289

Part of subcall function 011D13DC: __EH_prolog.LIBCMT ref: 011D13E1

Part of subcall function 011DA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 011DA598

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: d9e6821807248704c9f4f480d1b9b7066a1664cb55ac0de33ed7af3997e8855c
Instruction ID: cd52e2f2832a7660c292d6ee9024f142904a970b6b53937ab6c079b917eceed5
Opcode Fuzzy Hash: d9e6821807248704c9f4f480d1b9b7066a1664cb55ac0de33ed7af3997e8855c
Instruction Fuzzy Hash: 1D41D971944659AADB29DBA4CC54BEEB7B8BF10308F4404EBD18E57092EB745BC8CF10

Uniqueness

Uniqueness Score: -1.00%

Function 011D13E1 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E011D13E1(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* _t55;
				signed int _t61;
				char _t63;
				intOrPtr _t73;
				char _t82;
				void* _t87;
				intOrPtr _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				E011EEB78(_t55, _t91);
				_push(__ecx);
				_push(__ecx);
				_t89 = __ecx;
				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
				E011D9556(__ecx);
				 *((intOrPtr*)(__ecx)) = 0x12035f8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E011D5E37(__ecx + 0x1038, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E011DCE40(__ecx + 0x20f8, __edx, _t96); // executed
				 *((intOrPtr*)(__ecx + 0x21e8)) = 0;
				 *((intOrPtr*)(__ecx + 0x21ec)) = 0;
				E011D157A();
				_t61 = E011D157A();
				_t82 =  *((intOrPtr*)(_t91 + 8));
				 *((char*)(_t91 - 4)) = 4;
				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
				 *((char*)(__ecx + 0x21d0)) = _t61 & 0xffffff00 | _t82 == 0x00000000;
				_t98 = _t82;
				if(_t82 != 0) {
					_t63 = _t82;
				} else {
					_push(0x92f0); // executed
					_t73 = E011EEB38(__edx, _t98); // executed
					 *((intOrPtr*)(_t91 - 0x14)) = _t73;
					 *((char*)(_t91 - 4)) = 5;
					if(_t73 == 0) {
						_t63 = 0;
					} else {
						_t63 = E011DB505(_t73); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21d4)) = _t63;
				 *(_t89 + 0x21d8) =  *(_t89 + 0x21d8) | 0xffffffff;
				 *(_t89 + 0x21dc) =  *(_t89 + 0x21dc) | 0xffffffff;
				 *(_t89 + 0x21e0) =  *(_t89 + 0x21e0) | 0xffffffff;
				 *((char*)(_t89 + 0x30)) =  *((intOrPtr*)(_t63 + 0x71a1));
				 *((intOrPtr*)(_t89 + 0x6cc8)) = 2;
				 *((intOrPtr*)(_t89 + 0x6ccc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21e8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21ec)) = 0;
				 *((char*)(_t89 + 0x6cd4)) = 0;
				 *((short*)(_t89 + 0x6cdc)) = 0;
				 *((intOrPtr*)(_t89 + 0x21f0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cbc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc4)) = 0;
				E011EFFF0(_t87, _t89 + 0x2220, 0, 0x40);
				E011EFFF0(_t87, _t89 + 0x2260, 0, 0x34);
				E011EFFF0(_t87, _t89 + 0x45a8, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cfc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d00)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d04)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d08)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d0c)) = 0;
				 *((short*)(_t89 + 0x6d12)) = 0;
				 *((char*)(_t89 + 0x6cee)) = 0;
				 *((char*)(_t89 + 0x6d10)) = 0;
				 *((char*)(_t89 + 0x21f8)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x011d13e1
0x011d13e1
0x011d13e1
0x011d13e6
0x011d13e7
0x011d13ea
0x011d13ec
0x011d13ef
0x011d13f6
0x011d1402
0x011d1405
0x011d1410
0x011d1414
0x011d141f
0x011d1425
0x011d142b
0x011d1436
0x011d143b
0x011d1440
0x011d1447
0x011d144d
0x011d1453
0x011d1455
0x011d147a
0x011d1457
0x011d1457
0x011d145c
0x011d1462
0x011d1465
0x011d146b
0x011d1476
0x011d146d
0x011d146f
0x011d146f
0x011d146b
0x011d147c
0x011d1488
0x011d148f
0x011d1496
0x011d149f
0x011d14aa
0x011d14b4
0x011d14ba
0x011d14c0
0x011d14c6
0x011d14cc
0x011d14d2
0x011d14d8
0x011d14df
0x011d14e5
0x011d14eb
0x011d14f1
0x011d14f7
0x011d14fd
0x011d150c
0x011d151b
0x011d1526
0x011d152e
0x011d1534
0x011d153a
0x011d1540
0x011d1546
0x011d154c
0x011d1552
0x011d155b
0x011d1561
0x011d1567
0x011d156f
0x011d1577

APIs

__EH_prolog.LIBCMT ref: 011D13E1

Part of subcall function 011D5E37: __EH_prolog.LIBCMT ref: 011D5E3C

Part of subcall function 011DCE40: __EH_prolog.LIBCMT ref: 011DCE45

Part of subcall function 011DB505: __EH_prolog.LIBCMT ref: 011DB50A

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 820ac0566eece1d386e3e0867186cd09558c5c2727396f49fc2cf5ee77c75e94
Instruction ID: 5fd7475c1cf022d685c0c6737ad179d7435583e78da4346ad30b21adb32ac467
Opcode Fuzzy Hash: 820ac0566eece1d386e3e0867186cd09558c5c2727396f49fc2cf5ee77c75e94
Instruction Fuzzy Hash: F0415BB0905B41AEE728DF798884AE6FBE5BF29304F50492ED5FF83281CB316654CB51

Uniqueness

Uniqueness Score: -1.00%

Function 011D13DC Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E011D13DC(intOrPtr __ecx, void* __edi, void* __eflags) {
				signed int _t61;
				char _t63;
				intOrPtr _t73;
				char _t82;
				void* _t86;
				void* _t87;
				intOrPtr _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				E011EEB78(0x1202635, _t91);
				_push(__ecx);
				_push(__ecx);
				_t89 = __ecx;
				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
				E011D9556(__ecx);
				 *((intOrPtr*)(__ecx)) = 0x12035f8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E011D5E37(__ecx + 0x1038, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E011DCE40(__ecx + 0x20f8, _t86, _t96); // executed
				 *((intOrPtr*)(__ecx + 0x21e8)) = 0;
				 *((intOrPtr*)(__ecx + 0x21ec)) = 0;
				E011D157A();
				_t61 = E011D157A();
				_t82 =  *((intOrPtr*)(_t91 + 8));
				 *((char*)(_t91 - 4)) = 4;
				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
				 *((char*)(__ecx + 0x21d0)) = _t61 & 0xffffff00 | _t82 == 0x00000000;
				_t98 = _t82;
				if(_t82 != 0) {
					_t63 = _t82;
				} else {
					_push(0x92f0); // executed
					_t73 = E011EEB38(_t86, _t98); // executed
					 *((intOrPtr*)(_t91 - 0x14)) = _t73;
					 *((char*)(_t91 - 4)) = 5;
					if(_t73 == 0) {
						_t63 = 0;
					} else {
						_t63 = E011DB505(_t73); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21d4)) = _t63;
				 *(_t89 + 0x21d8) =  *(_t89 + 0x21d8) | 0xffffffff;
				 *(_t89 + 0x21dc) =  *(_t89 + 0x21dc) | 0xffffffff;
				 *(_t89 + 0x21e0) =  *(_t89 + 0x21e0) | 0xffffffff;
				 *((char*)(_t89 + 0x30)) =  *((intOrPtr*)(_t63 + 0x71a1));
				 *((intOrPtr*)(_t89 + 0x6cc8)) = 2;
				 *((intOrPtr*)(_t89 + 0x6ccc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21e8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21ec)) = 0;
				 *((char*)(_t89 + 0x6cd4)) = 0;
				 *((short*)(_t89 + 0x6cdc)) = 0;
				 *((intOrPtr*)(_t89 + 0x21f0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cbc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc4)) = 0;
				E011EFFF0(_t87, _t89 + 0x2220, 0, 0x40);
				E011EFFF0(_t87, _t89 + 0x2260, 0, 0x34);
				E011EFFF0(_t87, _t89 + 0x45a8, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cfc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d00)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d04)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d08)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d0c)) = 0;
				 *((short*)(_t89 + 0x6d12)) = 0;
				 *((char*)(_t89 + 0x6cee)) = 0;
				 *((char*)(_t89 + 0x6d10)) = 0;
				 *((char*)(_t89 + 0x21f8)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x011d13dc
0x011d13dc
0x011d13e1
0x011d13e6
0x011d13e7
0x011d13ea
0x011d13ec
0x011d13ef
0x011d13f6
0x011d1402
0x011d1405
0x011d1410
0x011d1414
0x011d141f
0x011d1425
0x011d142b
0x011d1436
0x011d143b
0x011d1440
0x011d1447
0x011d144d
0x011d1453
0x011d1455
0x011d147a
0x011d1457
0x011d1457
0x011d145c
0x011d1462
0x011d1465
0x011d146b
0x011d1476
0x011d146d
0x011d146f
0x011d146f
0x011d146b
0x011d147c
0x011d1488
0x011d148f
0x011d1496
0x011d149f
0x011d14aa
0x011d14b4
0x011d14ba
0x011d14c0
0x011d14c6
0x011d14cc
0x011d14d2
0x011d14d8
0x011d14df
0x011d14e5
0x011d14eb
0x011d14f1
0x011d14f7
0x011d14fd
0x011d150c
0x011d151b
0x011d1526
0x011d152e
0x011d1534
0x011d153a
0x011d1540
0x011d1546
0x011d154c
0x011d1552
0x011d155b
0x011d1561
0x011d1567
0x011d156f
0x011d1577

APIs

__EH_prolog.LIBCMT ref: 011D13E1

Part of subcall function 011D5E37: __EH_prolog.LIBCMT ref: 011D5E3C

Part of subcall function 011DCE40: __EH_prolog.LIBCMT ref: 011DCE45

Part of subcall function 011DB505: __EH_prolog.LIBCMT ref: 011DB50A

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8aaec924b275f0b06ca8fb8e14d2072ac88aa8ea59e75b49c374ee691f9d883
Instruction ID: b7eca9281852af41cdf23ac60cc855b404a0b7f548f5880eb076caac58350fa8
Opcode Fuzzy Hash: e8aaec924b275f0b06ca8fb8e14d2072ac88aa8ea59e75b49c374ee691f9d883
Instruction Fuzzy Hash: CB415BB0905B419EE728DF798884AE6FBE5BF29304F50492ED5FF83281CB316254CB51

Uniqueness

Uniqueness Score: -1.00%

Function 011EB093 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E011EB093(void* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				char _t39;
				char _t41;
				char _t60;
				char _t65;
				signed int _t70;
				void* _t72;
				intOrPtr _t74;
				void* _t77;

				_t77 = __eflags;
				E011EEB78(0x1202ae8, _t72);
				_push(__ecx);
				E011EEC50(0x7d2c);
				_push(_t70);
				_push(_t68);
				 *((intOrPtr*)(_t72 - 0x10)) = _t74;
				 *((intOrPtr*)(_t72 - 4)) = 0;
				E011D13DC(_t72 - 0x7d3c, _t68, _t77, 0); // executed
				 *((char*)(_t72 - 4)) = 1;
				E011D1FDC(_t72 - 0x7d3c, __edx, _t70, _t72, _t77,  *((intOrPtr*)(_t72 + 0xc)));
				if( *((intOrPtr*)(_t72 - 0x105f)) == 0) {
					 *((intOrPtr*)(_t72 - 0x24)) = 0;
					 *(_t72 - 0x20) = 0;
					 *((intOrPtr*)(_t72 - 0x1c)) = 0;
					 *((intOrPtr*)(_t72 - 0x18)) = 0;
					 *((char*)(_t72 - 0x14)) = 0;
					 *((char*)(_t72 - 4)) = 2;
					_push(_t72 - 0x24);
					_t59 = _t72 - 0x7d3c;
					_t39 = E011D19AF(_t72 - 0x7d3c, __edx);
					__eflags = _t39;
					if(_t39 != 0) {
						_t70 =  *(_t72 - 0x20);
						_t68 = _t70 + _t70;
						_push(_t70 + _t70 + 2);
						_t65 = E011F3E33(_t59);
						 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x10)))) = _t65;
						__eflags = _t65;
						if(_t65 != 0) {
							__eflags = 0;
							 *((short*)(_t65 + _t70 * 2)) = 0;
							E011F0320(_t65,  *((intOrPtr*)(_t72 - 0x24)), _t68);
						} else {
							_t70 = 0;
						}
						 *( *(_t72 + 0x14)) = _t70;
					}
					_t60 =  *((intOrPtr*)(_t72 - 0x24));
					 *((char*)(_t72 - 4)) = 3;
					__eflags = _t60;
					if(_t60 != 0) {
						__eflags =  *((char*)(_t72 - 0x14));
						if( *((char*)(_t72 - 0x14)) != 0) {
							__eflags =  *((intOrPtr*)(_t72 - 0x1c)) +  *((intOrPtr*)(_t72 - 0x1c));
							E011DF445(_t60,  *((intOrPtr*)(_t72 - 0x1c)) +  *((intOrPtr*)(_t72 - 0x1c)));
							_t60 =  *((intOrPtr*)(_t72 - 0x24));
						}
						L011F3E2E(_t60);
					}
					E011D1692(_t72 - 0x7d3c, _t68, _t70); // executed
					_t41 = 1;
				} else {
					E011D1692(_t72 - 0x7d3c, _t68, _t70);
					_t41 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t72 - 0xc));
				return _t41;
			}

0x011eb093
0x011eb098
0x011eb09d
0x011eb0a3
0x011eb0a9
0x011eb0aa
0x011eb0ad
0x011eb0b7
0x011eb0ba
0x011eb0c8
0x011eb0cc
0x011eb0d7
0x011eb0eb
0x011eb0ee
0x011eb0f1
0x011eb0f4
0x011eb0f7
0x011eb0fd
0x011eb101
0x011eb102
0x011eb108
0x011eb10d
0x011eb10f
0x011eb111
0x011eb114
0x011eb11a
0x011eb121
0x011eb126
0x011eb128
0x011eb12a
0x011eb130
0x011eb133
0x011eb13b
0x011eb12c
0x011eb12c
0x011eb12c
0x011eb146
0x011eb146
0x011eb148
0x011eb14b
0x011eb14f
0x011eb151
0x011eb153
0x011eb157
0x011eb15c
0x011eb160
0x011eb165
0x011eb165
0x011eb169
0x011eb16e
0x011eb175
0x011eb17a
0x011eb0d9
0x011eb0df
0x011eb0e4
0x011eb0e4
0x011eb181
0x011eb18a

APIs

__EH_prolog.LIBCMT ref: 011EB098

Part of subcall function 011D13DC: __EH_prolog.LIBCMT ref: 011D13E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4037dcd01c3d5b667f3153b235730efeba76dec9dddf9f8f5cdddb83c76cfc19
Instruction ID: 570e6ee7a7bead6e197e2347dc5405a69ea910fb4700141e09d56d9dd41aea76
Opcode Fuzzy Hash: 4037dcd01c3d5b667f3153b235730efeba76dec9dddf9f8f5cdddb83c76cfc19
Instruction Fuzzy Hash: 87319C71C1424AEFDF19DFA8D9449EEBBF4AF19208F10449EE409B7241DB75AE04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011FAC98 Relevance: 1.6, APIs: 1, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E011FAC98(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0x1232628 + _a4 * 4;
				_t27 =  *0x120e7ac; // 0xc166b63b
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					if(_t34 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0x120e7ac; // 0xc166b63b
							goto L13;
						}
						 *_t20 = E011F7CA3(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E011FAD34( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						if(_t34 != _a16) {
							continue;
						}
						_t27 =  *0x120e7ac; // 0xc166b63b
						goto L7;
					}
					_t27 =  *0x120e7ac; // 0xc166b63b
					goto L8;
				}
				L2:
				return _t33;
			}

0x011faca3
0x011facac
0x011facb2
0x011facbc
0x011facbe
0x011facc2
0x011fad2d
0x00000000
0x011fad2d
0x011facc6
0x011faccc
0x011facd2
0x011facee
0x011facee
0x011facf0
0x011facf2
0x011fad1d
0x011fad1f
0x011fad27
0x011fad2b
0x00000000
0x011fad2b
0x011facfe
0x011fad02
0x011fad17
0x00000000
0x011fad17
0x011fad0b
0x00000000
0x00000000
0x00000000
0x00000000
0x011facd4
0x011facd4
0x011facd6
0x011facde
0x00000000
0x00000000
0x011face0
0x011face6
0x00000000
0x00000000
0x011face8
0x00000000
0x011face8
0x011fad0f
0x00000000
0x011fad0f
0x011facc8
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,01203A34), ref: 011FACF8

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 36f32c35a4146b1e501bc4661331011c494b2395b52e0f4ea39c2e2e84fe923d
Instruction ID: 5aaa7dd1dc03ab42fe2ffe13413a416210fea1124975baccc5bd062109e6557e
Opcode Fuzzy Hash: 36f32c35a4146b1e501bc4661331011c494b2395b52e0f4ea39c2e2e84fe923d
Instruction Fuzzy Hash: 3D11E7336006255FAB3F9D1CFC5495A7795AF8426071B4628EF19AB289D734EC4187D0

Uniqueness

Uniqueness Score: -1.00%

Function 011DCE40 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E011DCE40(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t41;
				intOrPtr _t44;
				void* _t46;
				void* _t49;

				_t49 = __eflags;
				_t39 = __edx;
				E011EEB78(0x12029a1, _t46);
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				 *((intOrPtr*)(_t46 - 0x10)) = __ecx;
				E011DA8CE(__ecx + 0x98);
				_t41 = 0;
				 *((intOrPtr*)(_t46 - 4)) = 0;
				E011DA8CE(__ecx + 0xac);
				 *((char*)(_t46 - 4)) = 1;
				E011DA8CE(__ecx + 0xc0);
				 *((char*)(_t46 - 4)) = 2;
				_push(0x10c0); // executed
				_t21 = E011EEB38(__edx, _t49); // executed
				 *((intOrPtr*)(_t46 - 0x14)) = _t21;
				 *((char*)(_t46 - 4)) = 3;
				_t50 = _t21;
				if(_t21 == 0) {
					_t22 = 0;
				} else {
					_t22 = E011D5E37(_t21, _t50);
				}
				_push(0x10c0);
				 *((char*)(_t46 - 4)) = 2;
				 *((intOrPtr*)(_t44 + 0x48)) = _t22;
				_t23 = E011EEB38(_t39, _t50);
				 *((intOrPtr*)(_t46 - 0x14)) = _t23;
				 *((char*)(_t46 - 4)) = 4;
				if(_t23 != 0) {
					_t41 = _t23;
				}
				 *((intOrPtr*)(_t44 + 0x4c)) = _t41;
				E011DCFD4(_t23, _t44);
				 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0xc));
				return _t44;
			}

0x011dce40
0x011dce40
0x011dce45
0x011dce4a
0x011dce4b
0x011dce4e
0x011dce51
0x011dce5a
0x011dce5f
0x011dce67
0x011dce6a
0x011dce75
0x011dce79
0x011dce83
0x011dce87
0x011dce88
0x011dce8e
0x011dce91
0x011dce95
0x011dce97
0x011dcea2
0x011dce99
0x011dce9b
0x011dce9b
0x011dcea4
0x011dcea5
0x011dcea9
0x011dceac
0x011dceb2
0x011dceb5
0x011dcebb
0x011dcec4
0x011dcec4
0x011dcec8
0x011dcecb
0x011dced8
0x011dcee0

APIs

__EH_prolog.LIBCMT ref: 011DCE45

Part of subcall function 011D5E37: __EH_prolog.LIBCMT ref: 011D5E3C

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b0c590c09a16193d4bf7db468d19028b6269ce99ae9ec329e696727ce3adf6e8
Instruction ID: e62330877866cb2192a1e6f839a27389117b883a6b89abba369363063d4f2e4a
Opcode Fuzzy Hash: b0c590c09a16193d4bf7db468d19028b6269ce99ae9ec329e696727ce3adf6e8
Instruction Fuzzy Hash: A811C671A01355DEEB18EBB9D5047AEBBE89F54204F10445ED446D3281DB744A00C762

Uniqueness

Uniqueness Score: -1.00%

Function 011D9215 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E011D9215(void* __ebx, void* __edi, void* __eflags) {
				void* _t21;
				intOrPtr _t27;
				intOrPtr _t36;
				void* _t38;
				intOrPtr _t39;
				void* _t41;
				void* _t48;

				E011EEB78(0x1202895, _t41);
				E011D13BA(_t41 - 0x20, E011D7C64());
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				_t39 = E011DD114( *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 - 0x20)),  *((intOrPtr*)(_t41 - 0x1c)), _t38);
				if(_t39 > 0) {
					_t27 =  *((intOrPtr*)(_t41 + 0x10));
					_t36 =  *((intOrPtr*)(_t41 + 0xc));
					do {
						_t48 = 0 - _t27;
						if(_t48 > 0 || _t48 >= 0 && _t39 >= _t36) {
							_t39 = _t36;
						}
						if(_t39 > 0) {
							E011DD300( *((intOrPtr*)(_t41 + 8)), _t41,  *((intOrPtr*)(_t41 - 0x20)), _t39);
							asm("cdq");
							_t36 = _t36 - _t39;
							asm("sbb ebx, edx");
						}
						_push( *((intOrPtr*)(_t41 - 0x1c)));
						_push( *((intOrPtr*)(_t41 - 0x20)));
						_t39 = E011DD114( *((intOrPtr*)(_t41 + 8)));
					} while (_t39 > 0);
				}
				_t21 = E011D15FB(_t41 - 0x20); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
				return _t21;
			}

0x011d921a
0x011d922c
0x011d923a
0x011d9243
0x011d9247
0x011d924a
0x011d924e
0x011d9251
0x011d9253
0x011d9255
0x011d925d
0x011d925d
0x011d9261
0x011d926a
0x011d9271
0x011d9272
0x011d9274
0x011d9274
0x011d9276
0x011d927c
0x011d9284
0x011d9286
0x011d928b
0x011d928f
0x011d9298
0x011d92a0

APIs

__EH_prolog.LIBCMT ref: 011D921A

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: abcb92c394cbe03abfc1ecae43a8e908279e35d9837ecb33605f73384206bd6d
Instruction ID: c963d7b4dedbc29203205f62d8c56a63ffc844a40777d6787bb940141e7986d8
Opcode Fuzzy Hash: abcb92c394cbe03abfc1ecae43a8e908279e35d9837ecb33605f73384206bd6d
Instruction Fuzzy Hash: 5701C833900579ABCF1AABA8CC809DEB735FFA8658F054215E812B7150DB34D900C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 011FB136 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E011FB136(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t16;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x12326e4, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E011F8C34();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E011F91A8())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E011F7A5E(_t15, _t16, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				_t16 = _t13 % _t18;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x011fb136
0x011fb13c
0x011fb141
0x011fb14f
0x011fb14f
0x011fb155
0x011fb157
0x011fb157
0x011fb16e
0x011fb177
0x011fb17f
0x00000000
0x00000000
0x011fb15f
0x011fb161
0x011fb183
0x011fb188
0x011fb18e
0x00000000
0x011fb18e
0x011fb164
0x011fb169
0x011fb16a
0x011fb16c
0x00000000
0x00000000
0x011fb16c
0x00000000
0x011fb16e
0x011fb147
0x011fb148
0x011fb14d
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,01203A34,00000000,?,011F989A,00000001,00000364,?,?,?,011DD984,?,?,?,00000004,011DD710), ref: 011FB177

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2c247e352f5d3f67a195df32433c3b2574b614aa77d30a11d283a293940c4691
Instruction ID: 3f57b7f1416c9c2dd61a2b8f806011b9bd4efe78893a0444f5865a9e15b35998
Opcode Fuzzy Hash: 2c247e352f5d3f67a195df32433c3b2574b614aa77d30a11d283a293940c4691
Instruction Fuzzy Hash: BAF0B43250D125BBEB2D9A25FC09B9B3B48AF81670B0D822DEB0896180CB20D90186E8

Uniqueness

Uniqueness Score: -1.00%

Function 011F3C0D Relevance: 1.5, APIs: 1, Instructions: 34
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E011F3C0D(void* __ecx, signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t12;
				_Unknown_base(*)()* _t13;
				_Unknown_base(*)()** _t19;
				signed int _t20;
				signed int _t21;

				_t19 = 0x12320ec + _a4 * 4;
				_t10 =  *_t19;
				_t21 = _t20 | 0xffffffff;
				if(_t10 == _t21) {
					L6:
					return 0;
				}
				if(_t10 == 0) {
					_t12 = E011F3B72(__ecx, _a12, _a16); // executed
					if(_t12 == 0) {
						L5:
						 *_t19 = _t21;
						goto L6;
					}
					_t13 = GetProcAddress(_t12, _a8);
					if(_t13 == 0) {
						goto L5;
					}
					 *_t19 = _t13;
					return _t13;
				}
				return _t10;
			}

0x011f3c15
0x011f3c1c
0x011f3c1f
0x011f3c24
0x011f3c51
0x00000000
0x011f3c51
0x011f3c28
0x011f3c30
0x011f3c39
0x011f3c4f
0x011f3c4f
0x00000000
0x011f3c4f
0x011f3c3f
0x011f3c47
0x00000000
0x00000000
0x011f3c4b
0x00000000
0x011f3c4b
0x011f3c56

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 011F3C3F

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: b0e40635b75266109dfa70b8508176db9d79483115d51020bb127fdb349ee1ff
Instruction ID: 15aafc1ea2c9c87e241c050608e7b99ad0c4f5fc5de9fe1f11bff9a824f6df97
Opcode Fuzzy Hash: b0e40635b75266109dfa70b8508176db9d79483115d51020bb127fdb349ee1ff
Instruction Fuzzy Hash: 49F0A0322202169FDF2A8EAEFC04A9A7BA9FF41B20714412AFB25C71C0DB31D420C790

Uniqueness

Uniqueness Score: -1.00%

Function 011F8E06 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E011F8E06(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				long _t9;

				_t7 = __ecx;
				_t9 = _a4;
				if(_t9 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E011F91A8())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t9 == 0) {
					_t9 = _t9 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x12326e4, 0, _t9); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E011F8C34();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E011F7A5E(_t7, _t8, __eflags, _t9);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x011f8e06
0x011f8e0c
0x011f8e12
0x011f8e44
0x011f8e49
0x011f8e4f
0x00000000
0x011f8e4f
0x011f8e16
0x011f8e18
0x011f8e18
0x011f8e2f
0x011f8e38
0x011f8e40
0x00000000
0x00000000
0x011f8e20
0x011f8e22
0x00000000
0x00000000
0x011f8e25
0x011f8e2a
0x011f8e2b
0x011f8e2d
0x00000000
0x00000000
0x011f8e2d
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,011FCA2C,00000000,?,011F6CBE,?,00000008,?,011F91E0,?,?,?), ref: 011F8E38

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 53edae46fffef3d30828039e444f81c762a4c442356bca9076c906b5c16ce444
Instruction ID: be8874a4bd6d3aa84c569e4f3713a5ec62d196667b052b4b6911dea12c527765
Opcode Fuzzy Hash: 53edae46fffef3d30828039e444f81c762a4c442356bca9076c906b5c16ce444
Instruction Fuzzy Hash: 79E065356061355BE67E2E6D9D08B9B7A489F916B8F06012DAF1896086DB30CC0082E1

Uniqueness

Uniqueness Score: -1.00%

Function 011D5ABD Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E011D5ABD(intOrPtr __ecx, void* __eflags) {
				void* _t36;

				E011EEB78(0x1202739, _t36);
				_push(__ecx);
				 *((intOrPtr*)(_t36 - 0x10)) = __ecx;
				E011DB505(__ecx); // executed
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				E011E0637();
				 *(_t36 - 4) = 1;
				E011E0637();
				 *(_t36 - 4) = 2;
				E011E0637();
				 *(_t36 - 4) = 3;
				E011E0637();
				 *(_t36 - 4) = 4;
				E011E0637();
				 *(_t36 - 4) = 5;
				E011D5CAC(__ecx,  *(_t36 - 4));
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return __ecx;
			}

0x011d5ac2
0x011d5ac7
0x011d5acb
0x011d5ace
0x011d5ad3
0x011d5add
0x011d5ae8
0x011d5aec
0x011d5af7
0x011d5afb
0x011d5b06
0x011d5b0a
0x011d5b15
0x011d5b19
0x011d5b20
0x011d5b24
0x011d5b2f
0x011d5b37

APIs

__EH_prolog.LIBCMT ref: 011D5AC2

Part of subcall function 011DB505: __EH_prolog.LIBCMT ref: 011DB50A

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e71d70e9a83db0c52a4c7ebae597a449d6215d4ec8c04f3ab66a3bfbfce4d27b
Instruction ID: 1d4a2f7bceea638596f2d49b756e8b561ac728706897890096dc2fda19fdce42
Opcode Fuzzy Hash: e71d70e9a83db0c52a4c7ebae597a449d6215d4ec8c04f3ab66a3bfbfce4d27b
Instruction Fuzzy Hash: C4018130511A91DAD719E7F8C0487DDF7E49FB8208F64458DD45653281CBF81B08DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011D9620 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E011D9620(void* __ecx) {
				void* _t16;
				void* _t21;

				_t21 = __ecx;
				_t16 = 1;
				if( *(__ecx + 8) != 0xffffffff) {
					if( *((char*)(__ecx + 0x15)) == 0 &&  *((intOrPtr*)(__ecx + 0x10)) == 0) {
						_t5 = FindCloseChangeNotification( *(__ecx + 8)) - 1; // -1
						asm("sbb bl, bl");
						_t16 =  ~_t5 + 1;
					}
					 *(_t21 + 8) =  *(_t21 + 8) | 0xffffffff;
				}
				 *(_t21 + 0x10) =  *(_t21 + 0x10) & 0x00000000;
				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x1e)) != _t16) {
					E011D6BD5(0x1211098, _t21 + 0x32);
				}
				return _t16;
			}

0x011d9622
0x011d9624
0x011d962a
0x011d9630
0x011d9641
0x011d9646
0x011d9648
0x011d9648
0x011d964a
0x011d964a
0x011d964e
0x011d9654
0x011d9664
0x011d9664
0x011d966d

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,011D95D6,?,?,?,?,?,01202641,000000FF), ref: 011D963B

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7cd32df4c2c47581d6a55e1125d1356d89eee702bb935b1402ffbb219a52d4c7
Instruction ID: 0dec2a790cf8dc7489a24955cb82663f5c679ee2b5b85f71212e26e7c58ef62c
Opcode Fuzzy Hash: 7cd32df4c2c47581d6a55e1125d1356d89eee702bb935b1402ffbb219a52d4c7
Instruction Fuzzy Hash: 28F0E230486B099FEB398A38C448B92B7E9AB12229F040B0ED0E7429E4D370618DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 011DA56D Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011DA56D(void* __ecx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
				void* _t13;
				intOrPtr _t19;

				_t19 = _a8;
				 *((char*)(_t19 + 0x1044)) = 0;
				if(E011DBDB4(_a4) != 0) {
					L3:
					return 0;
				}
				_t13 = E011DA69B(0xffffffff, _a4, _t19); // executed
				if(_t13 == 0xffffffff) {
					goto L3;
				}
				FindClose(_t13); // executed
				 *(_t19 + 0x1040) =  *(_t19 + 0x1040) & 0x00000000;
				 *((char*)(_t19 + 0x100c)) = E011DA28F( *((intOrPtr*)(_t19 + 0x1008)));
				 *((char*)(_t19 + 0x100d)) = E011DA2A6( *((intOrPtr*)(_t19 + 0x1008)));
				return 1;
			}

0x011da56e
0x011da576
0x011da584
0x011da5cb
0x00000000
0x011da5cb
0x011da58d
0x011da595
0x00000000
0x00000000
0x011da598
0x011da5a4
0x011da5b6
0x011da5c1
0x00000000

APIs

Part of subcall function 011DA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,011DA592,000000FF,?,?), ref: 011DA6C4
Part of subcall function 011DA69B: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,011DA592,000000FF,?,?), ref: 011DA6F2
Part of subcall function 011DA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,011DA592,000000FF,?,?), ref: 011DA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 011DA598

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 8cf30d5cf506d6a03e0c0d1b52c7ef45a64f1cc06a83bdc60bd9975b0c6a56c2
Instruction ID: 467dfe575e28d161e1d8bba4aca42fa3168fbbbf9e0163687be2fe4e523ed115
Opcode Fuzzy Hash: 8cf30d5cf506d6a03e0c0d1b52c7ef45a64f1cc06a83bdc60bd9975b0c6a56c2
Instruction Fuzzy Hash: 39F08232009790AACF26D7B8A904BCB7B906F2A335F048B49F1FD53195C37550948B22

Uniqueness

Uniqueness Score: -1.00%

Function 011E0E08 Relevance: 1.5, APIs: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E011E0E08() {
				void* __esi;
				void* _t2;

				L011E1B58(); // executed
				_t2 = E011E1B5D();
				if(_t2 != 0) {
					_t2 = E011D6C31(_t2, 0x1211098, 0xff, 0xff);
				}
				if( *0x12110a4 != 0) {
					_t2 = E011D6C31(_t2, 0x1211098, 0xff, 0xff);
				}
				__imp__SetThreadExecutionState(1);
				return _t2;
			}

0x011e0e0a
0x011e0e0f
0x011e0e20
0x011e0e25
0x011e0e25
0x011e0e31
0x011e0e36
0x011e0e36
0x011e0e3d
0x011e0e45

APIs

SetThreadExecutionState.KERNEL32 ref: 011E0E3D

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 86ee137f6f28d4ae919c15cf7a8cfe009dee5562e968739094628dc181fc7269
Instruction ID: 6671b93bbb3ff3f49cf32c486c1e77b1f187a025737b5c1d4fe89e85dfd958e5
Opcode Fuzzy Hash: 86ee137f6f28d4ae919c15cf7a8cfe009dee5562e968739094628dc181fc7269
Instruction Fuzzy Hash: 99D0C200F110666AEE29B378341C7FE2A878FFB214F0D0026E60957185CFA80442A261

Uniqueness

Uniqueness Score: -1.00%

Function 011EA626 Relevance: 1.5, APIs: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E011EA626(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t6;

				_push(__ecx);
				_push(0x10);
				L011EEB02();
				_v8 = __eax;
				if(__eax == 0) {
					return 0;
				}
				_t6 = E011EA3B9(__eax, _a4, _a8); // executed
				return _t6;
			}

0x011ea629
0x011ea62a
0x011ea62c
0x011ea631
0x011ea636
0x00000000
0x011ea647
0x011ea640
0x00000000

APIs

GdipAlloc.GDIPLUS(00000010), ref: 011EA62C

Part of subcall function 011EA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 011EA3DA

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: a21383414c0c7ee9e2a8885e9f8e3eed7a5210c40803d55fadc3000497a0d284
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: C3D0A730200609B6DF096BA19C0996E79D6FF51244F008021A842C6140EBB1DD109561

Uniqueness

Uniqueness Score: -1.00%

Function 011EE5BB Relevance: 1.5, APIs: 1, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E011EE5BB(void* __esi) {
				void* _t2;
				intOrPtr _t5;
				void* _t6;
				void* _t11;

				_t11 = __esi;
				if(( *0x1205650 & 0x00001000) == 0) {
					return _t2;
				} else {
					E011EE664();
					_t5 =  *0x1231ce8 + 1;
					 *0x1231ce8 = _t5;
					if(_t5 == 1) {
						E011EE78D(4, 0x1231cec); // executed
					}
					_t6 = E011EE5EE();
					if(_t6 == 0) {
						 *0x1231ce4 = 0;
						return _t6;
					} else {
						 *0x1203278(0x1231ce4, _t11);
						return  *((intOrPtr*)( *0x1231ce0))();
					}
				}
			}

0x011ee5bb
0x011ee5c5
0x011ee5ed
0x011ee5c7
0x011ee5c7
0x011ee5d1
0x011ee5d2
0x011ee5da
0x011ee5e3
0x011ee5e3
0x011ee831
0x011ee838
0x011ee852
0x011ee85c
0x011ee83a
0x011ee848
0x011ee851
0x011ee851
0x011ee838

APIs

DloadProtectSection.DELAYIMP ref: 011EE5E3

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 6ea1d3d8f4e252fc907b71001b45751d47d1229f80fbf2b2cabec5068b9f1502
Instruction ID: 70e086c79b9b123fa2194002396cff0a9e6c8844711627dd204e7f5083ec15e4
Opcode Fuzzy Hash: 6ea1d3d8f4e252fc907b71001b45751d47d1229f80fbf2b2cabec5068b9f1502
Instruction Fuzzy Hash: 1DD012B4582A519FD72EEBECB44DB1537D4B724F06F804905F245D1459EB644090CF67

Uniqueness

Uniqueness Score: -1.00%

Function 011EA7E4 Relevance: 1.5, APIs: 1, Instructions: 13
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EA7E4(struct HWND__* _a4, WCHAR* _a8, WCHAR* _a12, int _a16) {
				int _t5;
				int _t6;

				_t5 = _a16;
				if( *0x1211094 != 0) {
					_t5 = _t5 | 0x00180000;
				}
				_t6 = MessageBoxW(_a4, _a8, _a12, _t5); // executed
				return _t6;
			}

0x011ea7ee
0x011ea7f1
0x011ea7f3
0x011ea7f3
0x011ea802
0x011ea809

APIs

MessageBoxW.USER32(011D13B6,?,?,00000A00), ref: 011EA802

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: d09a75903c9ce5ab71001d73b730bbf13adf483188b7d9a6241cb65876ccb8c0
Instruction ID: 7e8e2b70cfe543b7eef62db227968af366baf5c535392b7988dd6dc5543cb2b4
Opcode Fuzzy Hash: d09a75903c9ce5ab71001d73b730bbf13adf483188b7d9a6241cb65876ccb8c0
Instruction Fuzzy Hash: 0BD0C93290064DBBEB12DF94FE09BAA3FA9FB14300F044410FE1995025C772AA70ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 011EE1D1 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE1D1() {

				E011EE85D(0x120c5ec, 0x123316c); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 33cf91d9b7446db818f1ab6f0833d30bfd5559dc93a50c74c2b121a31c15d15b
Instruction ID: be0eab66139f4e187056d27ed362709f65e5e0ea202613544c1f3b7ebb4e0d02
Opcode Fuzzy Hash: 33cf91d9b7446db818f1ab6f0833d30bfd5559dc93a50c74c2b121a31c15d15b
Instruction Fuzzy Hash: EFB012D927A501BC310C62C62C59C37015CD0C1A11320862EFC01D0480EA41DC440432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE1F6 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE1F6() {

				E011EE85D(0x120c5ec, 0x123315c); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6587ea8763e648b307201045d5a540554ab2cb91745418a434438063b8ae3ffb
Instruction ID: 3d36a6280c68dbe414c2080579641af1f3b4be248904fe2d30147358c071c24d
Opcode Fuzzy Hash: 6587ea8763e648b307201045d5a540554ab2cb91745418a434438063b8ae3ffb
Instruction Fuzzy Hash: 02B012D627A401AC310CA3862C09C37019CD0C1A11320C22EFC05C0180EA41DC4C0432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE1EC Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE1EC() {

				E011EE85D(0x120c5ec, 0x1233160); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 044707eca55dc038434150a9ca4daf561876ff46caba01a20d9a1a8ab05eeea3
Instruction ID: 946cd931575edeb0d3d28e35a39a9ce3edfe3c3bf10a0b945350d52bce672b9c
Opcode Fuzzy Hash: 044707eca55dc038434150a9ca4daf561876ff46caba01a20d9a1a8ab05eeea3
Instruction Fuzzy Hash: 53B012D927E501AC310CA2CA2C49C37019CE0C0911320422EFC05C0080EB419C440532

Uniqueness

Uniqueness Score: -1.00%

Function 011EE21E Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE21E() {

				E011EE85D(0x120c5ec, 0x123314c); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dd84a020adffdc241ac26ae61ef6e7a6aecebd425daad1fd140f7fa3fb919b3b
Instruction ID: ada1a1b81b6421fc5fd2fdfcb273d0b0ed5792caef1427c2ff57f95ea670d5f5
Opcode Fuzzy Hash: dd84a020adffdc241ac26ae61ef6e7a6aecebd425daad1fd140f7fa3fb919b3b
Instruction Fuzzy Hash: 47B012E537A401BC310CA2862C09D3701ACD0C1E21320822EFC05C0080EA41DD440432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE20A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE20A() {

				E011EE85D(0x120c5ec, 0x1233154); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 02983ab768159f8f12937edae4bef497690e73a66351f1e41ebe15241d19a669
Instruction ID: 32e9569ddb33da7a95f6660f5a339b28af50d350bc6a32219b7d2d9e73bb0825
Opcode Fuzzy Hash: 02983ab768159f8f12937edae4bef497690e73a66351f1e41ebe15241d19a669
Instruction Fuzzy Hash: AFB012D627A401AC310CA3872D09C37019CD0C0911320822EF805C0180EE429D8D0432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE200 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE200() {

				E011EE85D(0x120c5ec, 0x1233158); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6522976bf652edfe78816842df2f19ae8ecb00dee04ddf7310cb4c4fc42f89dd
Instruction ID: 8a6f3f96985afcc66688d72a3855578d01b5f1212f391aeed33e1c00f3291cf9
Opcode Fuzzy Hash: 6522976bf652edfe78816842df2f19ae8ecb00dee04ddf7310cb4c4fc42f89dd
Instruction Fuzzy Hash: 40B012D637A541BC314CA3862C09C37019CD0C0912320832EF805C0180EA819C880432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE23C Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE23C() {

				E011EE85D(0x120c5ec, 0x1233140); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7ff47d61524346c2e05392ddf6ba9e4541ca2874d696243185ed590106b91aab
Instruction ID: 51e79b2c49adcbd5cfe6a5fddf8a2917dc89b4936ca6bcdea330da0817703ae5
Opcode Fuzzy Hash: 7ff47d61524346c2e05392ddf6ba9e4541ca2874d696243185ed590106b91aab
Instruction Fuzzy Hash: D5B012E537A401AC310CA2872C09D3701ACE0C0D21320422EF805C0080EA419D440432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE232 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE232() {

				E011EE85D(0x120c5ec, 0x1233144); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f61553237495833e5748251bbfefa13ed706ff950242d9fe00f886b391030b00
Instruction ID: 84851632db8adf8ec97ea43cc9ad806e693c5fda8a7fb27139992ceecfe530f7
Opcode Fuzzy Hash: f61553237495833e5748251bbfefa13ed706ff950242d9fe00f886b391030b00
Instruction Fuzzy Hash: 24B012E537A401AC310CA2862D09D3701ACD0C0D21320422EF805C0080EE429E850432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE228 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE228() {

				E011EE85D(0x120c5ec, 0x1233148); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 997b5873385d942afd51b560cd19ddf777d14fc675117f2b76564af31f7f836a
Instruction ID: 106a3fb92685154425d658080569c06b4cec359247e25a2e52bc66bdd7def543
Opcode Fuzzy Hash: 997b5873385d942afd51b560cd19ddf777d14fc675117f2b76564af31f7f836a
Instruction Fuzzy Hash: 45B012E537A501BC314CA2862C09D3701ACD0C0D22320432EF805C0080EA829D840432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE250 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE250() {

				E011EE85D(0x120c5ec, 0x1233138); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1c29a47e82325d73b1f1efb9b976c7692ea3a07db2f064624ebe3b16b8f310b2
Instruction ID: 601447b4cfa7b893ecb620f159d1ebbc3c4b025b9e0340eab90eb13d0ebf284a
Opcode Fuzzy Hash: 1c29a47e82325d73b1f1efb9b976c7692ea3a07db2f064624ebe3b16b8f310b2
Instruction Fuzzy Hash: B3B012E527B541BC314CA3862C09C37019DD0C0922320432EF805C0080EA81DC880432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE246 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE246() {

				E011EE85D(0x120c5ec, 0x123313c); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 608f860ce69bcdb7a330264f953b1e776d39a71c158c39be2f162e8cddf572e3
Instruction ID: 2d4c6d505f6a08b7a4da8393bf43c5cd998507e3b64b1328a45a6e8cfea2b73f
Opcode Fuzzy Hash: 608f860ce69bcdb7a330264f953b1e776d39a71c158c39be2f162e8cddf572e3
Instruction Fuzzy Hash: 78B012D537B441AC310CA2862C09C37019DD0C1A21320822EFC05C0080EA41DC440432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE26E Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE26E() {

				E011EE85D(0x120c5ec, 0x123312c); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1de8f6d14a95113ed0a622d9e25b3266efc7f687e1649e0949da1a4867bdac33
Instruction ID: 05edd6e51868b09018e7053c5883353cc9f5de874a2d11f849a9f08299bf2d07
Opcode Fuzzy Hash: 1de8f6d14a95113ed0a622d9e25b3266efc7f687e1649e0949da1a4867bdac33
Instruction Fuzzy Hash: 23B012D527A401AC310CA2962C09C3701DCE0C1A11320822EFC05C0080EB42DC440832

Uniqueness

Uniqueness Score: -1.00%

Function 011EE264 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE264() {

				E011EE85D(0x120c5ec, 0x1233130); // executed
				goto __eax;
			}

0x011ee1e3
0x011ee1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 903f967ca95523f2618fa96f262552972712b41bf380c553658e0404b0b42165
Instruction ID: 74a7e38a85edb299fa6322a97dae202ba322ab815d87413f72e3ae4a8b2cdc6f
Opcode Fuzzy Hash: 903f967ca95523f2618fa96f262552972712b41bf380c553658e0404b0b42165
Instruction Fuzzy Hash: 49B012D527B441AC310CA2862C09C3701DDE4C0921320422EF846C0080EA41DC440432

Uniqueness

Uniqueness Score: -1.00%

Function 011EEAE7 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EEAE7() {

				E011EE85D(0x120c6cc, 0x1233034); // executed
				goto __eax;
			}

0x011eeaf9
0x011eeb00

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EEAF9

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b1f96afda9b035dad45f75547851526e25ba746ca56a7e5f4c79775d2683d17a
Instruction ID: 5726357ec1891d4aafea9a52bdf96e3bff673d272cc36e326a029c07cedd109c
Opcode Fuzzy Hash: b1f96afda9b035dad45f75547851526e25ba746ca56a7e5f4c79775d2683d17a
Instruction Fuzzy Hash: 28B012C62BF8437C310CA2815D49C37414CE0D09A0320821EF404C40C1DE809C850432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE50D Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE50D() {

				E011EE85D(0x120c66c, 0x1233090); // executed
				goto __eax;
			}

0x011ee51f
0x011ee526

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE51F

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9d3bf8adbfbedbf06171c212522bf368115532c8ec92c2f1b494dd8f5b172a94
Instruction ID: f0ac36bf5d23fe99530aecef18d7dc6f251ba018f1547bf49867a4137cc368ab
Opcode Fuzzy Hash: 9d3bf8adbfbedbf06171c212522bf368115532c8ec92c2f1b494dd8f5b172a94
Instruction Fuzzy Hash: 8AB012C527AC017C310C61A51D0DC3B019CE4D1E10720422EF450C0481FA405D080432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE532 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE532() {

				E011EE85D(0x120c66c, 0x1233080); // executed
				goto __eax;
			}

0x011ee51f
0x011ee526

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE51F

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 78433a627d3c03a67991f08315d371a3344cf7884d159afdfb95f0d2d47fcfde
Instruction ID: 35a5f31740d3a4f33b53bdc20420678cbecdecc4a0291ff76d6f3ee292444f63
Opcode Fuzzy Hash: 78433a627d3c03a67991f08315d371a3344cf7884d159afdfb95f0d2d47fcfde
Instruction Fuzzy Hash: CFB012C527AD017D310CA1891D09D3B01CCE4C1D10320421EF404C4080FA405C040432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE528 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE528() {

				E011EE85D(0x120c66c, 0x1233084); // executed
				goto __eax;
			}

0x011ee51f
0x011ee526

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE51F

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2ad351a1e46b6e28d2dd158212f3827f7f4b240dcd3cfa106bfb3f751169ef91
Instruction ID: 4ab67ebe585b5bc021271ad159b0db20a8d5020a432335691351bd07d4d2e6e3
Opcode Fuzzy Hash: 2ad351a1e46b6e28d2dd158212f3827f7f4b240dcd3cfa106bfb3f751169ef91
Instruction Fuzzy Hash: 48B012C527AC417C310CA1891D09C3B45CCD4C1E10320821EF404C4080FA405C450432

Uniqueness

Uniqueness Score: -1.00%

Function 011EE593 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE593() {

				E011EE85D(0x120c68c, 0x1233180); // executed
				goto __eax;
			}

0x011ee580
0x011ee587

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE580

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d27b328a61bb1ff315f96c00daaccc858ac49a4fdc64e87391cb486d3147cec7
Instruction ID: b1d5a98b800003252c32b88d801519a32779a5ae6850eefc5658fe690258dcd8
Opcode Fuzzy Hash: d27b328a61bb1ff315f96c00daaccc858ac49a4fdc64e87391cb486d3147cec7
Instruction Fuzzy Hash: 6EB012C52BE5017D310C92D51C09C37019CE4C0910321431EF404C5480FA401C180932

Uniqueness

Uniqueness Score: -1.00%

Function 011EE5A7 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE5A7() {

				E011EE85D(0x120c68c, 0x1233174); // executed
				goto __eax;
			}

0x011ee580
0x011ee587

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE580

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cb4e41cd51d2cf9be65701d088f16b82ad407ca050b874ce9cb14458cf12c723
Instruction ID: 451b9d5eac9bc2b30035d5e78f55dbeababa5e6a07191ad6c1e2c99aef21d3d2
Opcode Fuzzy Hash: cb4e41cd51d2cf9be65701d088f16b82ad407ca050b874ce9cb14458cf12c723
Instruction Fuzzy Hash: A0B012C52BE4017C310C92D55D09C3701ACD4C0910321431EF444C1480FE401D590932

Uniqueness

Uniqueness Score: -1.00%

Function 011EE423 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE423() {

				E011EE85D(0x120c60c, 0x123304c); // executed
				goto __eax;
			}

0x011ee3fc
0x011ee403

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE3FC

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dac3bede54337ab7a20c3dc60df39faad2cbc2e069bcc1f5b35fdfcc3502fa7e
Instruction ID: 79bf1f7cefbc8598bfaaec4a65a5673f70ad0257ed76c67291c8e4783847edbe
Opcode Fuzzy Hash: dac3bede54337ab7a20c3dc60df39faad2cbc2e069bcc1f5b35fdfcc3502fa7e
Instruction Fuzzy Hash: 3EB012F137E401BC311CD1851C09C37028CD0C0E30330831EF804C0080DA405E440833

Uniqueness

Uniqueness Score: -1.00%

Function 011EE44B Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EE44B() {

				E011EE85D(0x120c60c, 0x123305c); // executed
				goto __eax;
			}

0x011ee3fc
0x011ee403

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE3FC

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8427ee60ae2fc6979e0ade75475f832c997515ba2044286fa520d72fe4a542fc
Instruction ID: df2be92b15aeebbef1d1edda781783bbcee2a43baaf39e3f5b90a051bf9a25db
Opcode Fuzzy Hash: 8427ee60ae2fc6979e0ade75475f832c997515ba2044286fa520d72fe4a542fc
Instruction Fuzzy Hash: CFB012E227E401BC311CD1851C09C37028CD0C0920330C31EF804C0080DA405C4C0433

Uniqueness

Uniqueness Score: -1.00%

Function 011EE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE3FC

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 912565b6a805ce3d137674924c9881278d626edb2cbb51c826e7b1543b51d501
Instruction ID: 851c98353560501dc51179046da82f02f5f1c8d61804d13ae38f176a65836ae9
Opcode Fuzzy Hash: 912565b6a805ce3d137674924c9881278d626edb2cbb51c826e7b1543b51d501
Instruction Fuzzy Hash: FAA011E22AA8023C322C22822C0AC3B028CC0C0A28330832EF820A0080AE8028880833

Uniqueness

Uniqueness Score: -1.00%

Function 011EE219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7f61b0678c8cb0646cb6007592e117e19f03abcab6206804a4c343ba0ceb1606
Instruction ID: 742786694e1fb79a7e5563a0ba94f6c2811438a9ce4ea0deec5b4071fe9bce9b
Opcode Fuzzy Hash: 7f61b0678c8cb0646cb6007592e117e19f03abcab6206804a4c343ba0ceb1606
Instruction Fuzzy Hash: E5A012D516A402BC310C22822C09C37014CC0C0911320462DE802C0080AA4158440431

Uniqueness

Uniqueness Score: -1.00%

Function 011EE25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 65f8c88f9bd9d88552d0827d9a0dcb60871a01faea2eb7a7028c12da6aee5b6a
Instruction ID: 742786694e1fb79a7e5563a0ba94f6c2811438a9ce4ea0deec5b4071fe9bce9b
Opcode Fuzzy Hash: 65f8c88f9bd9d88552d0827d9a0dcb60871a01faea2eb7a7028c12da6aee5b6a
Instruction Fuzzy Hash: E5A012D516A402BC310C22822C09C37014CC0C0911320462DE802C0080AA4158440431

Uniqueness

Uniqueness Score: -1.00%

Function 011EE27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eab2b292587afb3d3b6db3d44f6a5131d02a307366b37c4de5f102b566300c8a
Instruction ID: 742786694e1fb79a7e5563a0ba94f6c2811438a9ce4ea0deec5b4071fe9bce9b
Opcode Fuzzy Hash: eab2b292587afb3d3b6db3d44f6a5131d02a307366b37c4de5f102b566300c8a
Instruction Fuzzy Hash: E5A012D516A402BC310C22822C09C37014CC0C0911320462DE802C0080AA4158440431

Uniqueness

Uniqueness Score: -1.00%

Function 011EE29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: efe71c2ab1314bed0ec36e8490ea0c36d935ac5db47660299c8626c543c41265
Instruction ID: 742786694e1fb79a7e5563a0ba94f6c2811438a9ce4ea0deec5b4071fe9bce9b
Opcode Fuzzy Hash: efe71c2ab1314bed0ec36e8490ea0c36d935ac5db47660299c8626c543c41265
Instruction Fuzzy Hash: E5A012D516A402BC310C22822C09C37014CC0C0911320462DE802C0080AA4158440431

Uniqueness

Uniqueness Score: -1.00%

Function 011EE291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a5b91ff2a54f69cb641de24a8cd98ff432f2042cfc6fd5da2bd5bbee16aaac6a
Instruction ID: 742786694e1fb79a7e5563a0ba94f6c2811438a9ce4ea0deec5b4071fe9bce9b
Opcode Fuzzy Hash: a5b91ff2a54f69cb641de24a8cd98ff432f2042cfc6fd5da2bd5bbee16aaac6a
Instruction Fuzzy Hash: E5A012D516A402BC310C22822C09C37014CC0C0911320462DE802C0080AA4158440431

Uniqueness

Uniqueness Score: -1.00%

Function 011EE2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 40fbbac46132e7a8f19b54ab4acba1eca05a971c9744f667ad9f19b931b79b13
Instruction ID: 742786694e1fb79a7e5563a0ba94f6c2811438a9ce4ea0deec5b4071fe9bce9b
Opcode Fuzzy Hash: 40fbbac46132e7a8f19b54ab4acba1eca05a971c9744f667ad9f19b931b79b13
Instruction Fuzzy Hash: E5A012D516A402BC310C22822C09C37014CC0C0911320462DE802C0080AA4158440431

Uniqueness

Uniqueness Score: -1.00%

Function 011EE2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1b10706ce40c12e9244b788961520b8ad2e7bad34e706af026a8e1f835bb621b
Instruction ID: 742786694e1fb79a7e5563a0ba94f6c2811438a9ce4ea0deec5b4071fe9bce9b
Opcode Fuzzy Hash: 1b10706ce40c12e9244b788961520b8ad2e7bad34e706af026a8e1f835bb621b
Instruction Fuzzy Hash: E5A012D516A402BC310C22822C09C37014CC0C0911320462DE802C0080AA4158440431

Uniqueness

Uniqueness Score: -1.00%

Function 011EE2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 60fcd1cc11eac1c3372244b0682f74ae252ea06fc7d84298b3342bfc7fc36796
Instruction ID: 742786694e1fb79a7e5563a0ba94f6c2811438a9ce4ea0deec5b4071fe9bce9b
Opcode Fuzzy Hash: 60fcd1cc11eac1c3372244b0682f74ae252ea06fc7d84298b3342bfc7fc36796
Instruction Fuzzy Hash: E5A012D516A402BC310C22822C09C37014CC0C0911320462DE802C0080AA4158440431

Uniqueness

Uniqueness Score: -1.00%

Function 011EE2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 14fed9d516e2b407c1a589b572211d94464d49eba58fff6a67b62d289fae7685
Instruction ID: 742786694e1fb79a7e5563a0ba94f6c2811438a9ce4ea0deec5b4071fe9bce9b
Opcode Fuzzy Hash: 14fed9d516e2b407c1a589b572211d94464d49eba58fff6a67b62d289fae7685
Instruction Fuzzy Hash: E5A012D516A402BC310C22822C09C37014CC0C0911320462DE802C0080AA4158440431

Uniqueness

Uniqueness Score: -1.00%

Function 011EE2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 89255f99fd348179ccbe7156ffc2547c50e0fb792919cf0121232ff4321b6354
Instruction ID: 742786694e1fb79a7e5563a0ba94f6c2811438a9ce4ea0deec5b4071fe9bce9b
Opcode Fuzzy Hash: 89255f99fd348179ccbe7156ffc2547c50e0fb792919cf0121232ff4321b6354
Instruction Fuzzy Hash: E5A012D516A402BC310C22822C09C37014CC0C0911320462DE802C0080AA4158440431

Uniqueness

Uniqueness Score: -1.00%

Function 011EE2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE1E3

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1f8c77e3cc19ff53016ae9249bf93da363f11d7851b36eb1a29f2e03ee4194ff
Instruction ID: 742786694e1fb79a7e5563a0ba94f6c2811438a9ce4ea0deec5b4071fe9bce9b
Opcode Fuzzy Hash: 1f8c77e3cc19ff53016ae9249bf93da363f11d7851b36eb1a29f2e03ee4194ff
Instruction Fuzzy Hash: E5A012D516A402BC310C22822C09C37014CC0C0911320462DE802C0080AA4158440431

Uniqueness

Uniqueness Score: -1.00%

Function 011EE55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE51F

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ce0ef14be8620acc7283d24c099915db72851c1821a94c445d5f6358e86e85d1
Instruction ID: 4558265098c12012a38447cb944631c72b3a16c1a4320f860deffdc759a6f98a
Opcode Fuzzy Hash: ce0ef14be8620acc7283d24c099915db72851c1821a94c445d5f6358e86e85d1
Instruction Fuzzy Hash: DDA011CA2AAC02BC320C22822C0AC3B028CC8C2E203208A2EE80280080BA802C080832

Uniqueness

Uniqueness Score: -1.00%

Function 011EE555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE51F

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 726182a1ec435591d0708012340ebb2728bf1dd3fdee18ab9056b4a98356fd99
Instruction ID: 4558265098c12012a38447cb944631c72b3a16c1a4320f860deffdc759a6f98a
Opcode Fuzzy Hash: 726182a1ec435591d0708012340ebb2728bf1dd3fdee18ab9056b4a98356fd99
Instruction Fuzzy Hash: DDA011CA2AAC02BC320C22822C0AC3B028CC8C2E203208A2EE80280080BA802C080832

Uniqueness

Uniqueness Score: -1.00%

Function 011EE54B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE51F

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e57d5eefb046d5a0378d1f5089a351f7128ae3afd6c0805fef8f688c7afde26c
Instruction ID: 4558265098c12012a38447cb944631c72b3a16c1a4320f860deffdc759a6f98a
Opcode Fuzzy Hash: e57d5eefb046d5a0378d1f5089a351f7128ae3afd6c0805fef8f688c7afde26c
Instruction Fuzzy Hash: DDA011CA2AAC02BC320C22822C0AC3B028CC8C2E203208A2EE80280080BA802C080832

Uniqueness

Uniqueness Score: -1.00%

Function 011EE541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE51F

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1d9eb0ae85af6b556d955b96ed8dc2f77bb950f89fdf836d70273cb52ad92650
Instruction ID: 4558265098c12012a38447cb944631c72b3a16c1a4320f860deffdc759a6f98a
Opcode Fuzzy Hash: 1d9eb0ae85af6b556d955b96ed8dc2f77bb950f89fdf836d70273cb52ad92650
Instruction Fuzzy Hash: DDA011CA2AAC02BC320C22822C0AC3B028CC8C2E203208A2EE80280080BA802C080832

Uniqueness

Uniqueness Score: -1.00%

Function 011EE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE580

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b426bcc46b14ba54b59773c84aae4955063b9b46effc2a1615c65d1d514724bc
Instruction ID: cf9217f3aa4db59390b3021458ee918f16c37ebf191c4421a31a37a521940020
Opcode Fuzzy Hash: b426bcc46b14ba54b59773c84aae4955063b9b46effc2a1615c65d1d514724bc
Instruction Fuzzy Hash: ECA012C51EA4013C310C12E11C09C37014CC4D0911321431DF40080480BA4018180831

Uniqueness

Uniqueness Score: -1.00%

Function 011EE569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE51F

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5aca274387e41df8c763a9a15884b780191ebf869d23bd0f2e6a464aa1969710
Instruction ID: 4558265098c12012a38447cb944631c72b3a16c1a4320f860deffdc759a6f98a
Opcode Fuzzy Hash: 5aca274387e41df8c763a9a15884b780191ebf869d23bd0f2e6a464aa1969710
Instruction Fuzzy Hash: DDA011CA2AAC02BC320C22822C0AC3B028CC8C2E203208A2EE80280080BA802C080832

Uniqueness

Uniqueness Score: -1.00%

Function 011EE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE580

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d35f117831f41ebfa6b33960bd9e1f7e39da59424a4783ad0bf6b7562475e40a
Instruction ID: f5e34cd9b9ffebd4d0e97fa413f3ff2007512083a39e997944195a39dd8c835f
Opcode Fuzzy Hash: d35f117831f41ebfa6b33960bd9e1f7e39da59424a4783ad0bf6b7562475e40a
Instruction Fuzzy Hash: 51A012C51AE4027C310C12D11C09C37014CC4C0910321471DE40180480BA4018180831

Uniqueness

Uniqueness Score: -1.00%

Function 011EE5B6 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE580

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a6c41bd8b83a1b84181ed176ec3d595b7b183c407ae75b84a7db65f0ad8bc7a6
Instruction ID: f5e34cd9b9ffebd4d0e97fa413f3ff2007512083a39e997944195a39dd8c835f
Opcode Fuzzy Hash: a6c41bd8b83a1b84181ed176ec3d595b7b183c407ae75b84a7db65f0ad8bc7a6
Instruction Fuzzy Hash: 51A012C51AE4027C310C12D11C09C37014CC4C0910321471DE40180480BA4018180831

Uniqueness

Uniqueness Score: -1.00%

Function 011EE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE580

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fe60b02257751442463475247c10702136993844ce642bab6e48bd59b6f4b29c
Instruction ID: f5e34cd9b9ffebd4d0e97fa413f3ff2007512083a39e997944195a39dd8c835f
Opcode Fuzzy Hash: fe60b02257751442463475247c10702136993844ce642bab6e48bd59b6f4b29c
Instruction Fuzzy Hash: 51A012C51AE4027C310C12D11C09C37014CC4C0910321471DE40180480BA4018180831

Uniqueness

Uniqueness Score: -1.00%

Function 011EE41E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE3FC

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c82c11a8aa5db8703ef49c0aff1a87ef73a0bb3b0fe231be5f8885d327a2d81c
Instruction ID: 49beef6b11a571b0272eaa0ebc874aa9d0a2615cad8dfbf125017f5940e402f3
Opcode Fuzzy Hash: c82c11a8aa5db8703ef49c0aff1a87ef73a0bb3b0fe231be5f8885d327a2d81c
Instruction Fuzzy Hash: EFA011E22AE802BC322C22822C0AC3B028CC0C0A203308B2EE80280080AA8028880833

Uniqueness

Uniqueness Score: -1.00%

Function 011EE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE3FC

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a18f7722763debe57acb12852bdd4f1118b8dd5a17405ae023b8e94fa05e6bd1
Instruction ID: 49beef6b11a571b0272eaa0ebc874aa9d0a2615cad8dfbf125017f5940e402f3
Opcode Fuzzy Hash: a18f7722763debe57acb12852bdd4f1118b8dd5a17405ae023b8e94fa05e6bd1
Instruction Fuzzy Hash: EFA011E22AE802BC322C22822C0AC3B028CC0C0A203308B2EE80280080AA8028880833

Uniqueness

Uniqueness Score: -1.00%

Function 011EE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE3FC

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 452b473e57185d6b004b7b594d88c364f368d3d4eb468c59e2cbe852e257f98f
Instruction ID: 49beef6b11a571b0272eaa0ebc874aa9d0a2615cad8dfbf125017f5940e402f3
Opcode Fuzzy Hash: 452b473e57185d6b004b7b594d88c364f368d3d4eb468c59e2cbe852e257f98f
Instruction Fuzzy Hash: EFA011E22AE802BC322C22822C0AC3B028CC0C0A203308B2EE80280080AA8028880833

Uniqueness

Uniqueness Score: -1.00%

Function 011EE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE3FC

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fac38ce815fcee97aa415213c8a843a4560611f1e1075bb7eba4e6a63f095012
Instruction ID: 49beef6b11a571b0272eaa0ebc874aa9d0a2615cad8dfbf125017f5940e402f3
Opcode Fuzzy Hash: fac38ce815fcee97aa415213c8a843a4560611f1e1075bb7eba4e6a63f095012
Instruction Fuzzy Hash: EFA011E22AE802BC322C22822C0AC3B028CC0C0A203308B2EE80280080AA8028880833

Uniqueness

Uniqueness Score: -1.00%

Function 011EE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE3FC

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 97e253030a5a20dd9750e6aeb1d718b2e7a6c8acc8312dd8488233d45fe051b4
Instruction ID: 49beef6b11a571b0272eaa0ebc874aa9d0a2615cad8dfbf125017f5940e402f3
Opcode Fuzzy Hash: 97e253030a5a20dd9750e6aeb1d718b2e7a6c8acc8312dd8488233d45fe051b4
Instruction Fuzzy Hash: EFA011E22AE802BC322C22822C0AC3B028CC0C0A203308B2EE80280080AA8028880833

Uniqueness

Uniqueness Score: -1.00%

Function 011EE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 011EE3FC

Part of subcall function 011EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 011EE8D0
Part of subcall function 011EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 011EE8E1

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a66ed8eb932270ab2c677f5bcc7b5ae596edb85c5cd6eb154ea0e093ff21d0d0
Instruction ID: 49beef6b11a571b0272eaa0ebc874aa9d0a2615cad8dfbf125017f5940e402f3
Opcode Fuzzy Hash: a66ed8eb932270ab2c677f5bcc7b5ae596edb85c5cd6eb154ea0e093ff21d0d0
Instruction Fuzzy Hash: EFA011E22AE802BC322C22822C0AC3B028CC0C0A203308B2EE80280080AA8028880833

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 011EC220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286
timewindowfileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E011EC220(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
				struct _FILETIME _v0;
				struct _SYSTEMTIME _v12;
				struct _SYSTEMTIME _v16;
				struct _FILETIME _v24;
				void* _t74;
				void* _t137;
				long _t138;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;
				signed short _t148;
				void* _t149;
				void* _t150;
				intOrPtr _t152;
				signed int _t153;
				signed int _t157;
				struct HWND__* _t158;
				intOrPtr _t159;
				void* _t160;
				int _t162;
				int _t165;
				void* _t168;
				void* _t170;

				_t156 = __edx;
				E011EEC50(0x1a50);
				_t148 = _a6748;
				_t159 = _a6744;
				_t158 = _a6740;
				if(E011D1316(__edx, _t158, _t159, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
					_t160 = _t159 - 0x110;
					if(_t160 == 0) {
						SetFocus(GetDlgItem(_t158, 0x6c));
						E011E0602( &_a2640, _a6752, 0x800);
						E011DC36E( &_a2628,  &_a2628, 0x800);
						SetDlgItemTextW(_t158, 0x65,  &_a2616);
						 *0x1233074( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
						SendDlgItemMessageW(_t158, 0x66, 0x170, _a1904, 0);
						_t149 = FindFirstFileW( &_a2596,  &_a288);
						if(_t149 != 0xffffffff) {
							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
							_push(0x32);
							_push( &_a12);
							_push(0);
							_push( &_v12);
							_t162 = 2;
							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
							_push( &_a12);
							_push( &_a112);
							E011D4092( &_a900, 0x200, L"%s %s %s", E011DE617(0x99));
							_t170 = _t168 + 0x18;
							SetDlgItemTextW(_t158, 0x6a,  &_a900);
							FindClose(_t149);
							if((_a308 & 0x00000010) != 0) {
								_t150 = 0x200;
							} else {
								asm("adc eax, ebp");
								E011EAF0F(0 + _a344, _a340,  &_a212, 0x32);
								_push(E011DE617(0x98));
								_t150 = 0x200;
								E011D4092( &_a884, 0x200, L"%s %s",  &_a192);
								_t170 = _t170 + 0x14;
								SetDlgItemTextW(_t158, 0x68,  &_a884);
							}
							SendDlgItemMessageW(_t158, 0x67, 0x170, _a1928, 0);
							_t152 =  *0x1218464; // 0x0
							E011E138A(_t152, _t156,  &_a4);
							FileTimeToLocalFileTime( &_v0,  &_v24);
							FileTimeToSystemTime( &_v24,  &_v16);
							GetTimeFormatW(0x400, _t162,  &_v16, 0,  &_a8, 0x32);
							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
							_push( &_a8);
							_push( &_a108);
							E011D4092( &_a896, _t150, L"%s %s %s", E011DE617(0x99));
							_t168 = _t170 + 0x18;
							SetDlgItemTextW(_t158, 0x6b,  &_a896);
							_t153 =  *0x122ec8c;
							_t157 =  *0x122ec88;
							if((_a304 & 0x00000010) == 0 || (_t157 | _t153) != 0) {
								E011EAF0F(_t157, _t153,  &_a212, 0x32);
								_push(E011DE617(0x98));
								E011D4092( &_a884, _t150, L"%s %s",  &_a192);
								_t168 = _t168 + 0x14;
								SetDlgItemTextW(_t158, 0x69,  &_a884);
							}
						}
						L27:
						_t74 = 0;
						L28:
						return _t74;
					}
					if(_t160 != 1) {
						goto L27;
					}
					_t165 = 2;
					_t137 = (_t148 & 0x0000ffff) - _t165;
					if(_t137 == 0) {
						L11:
						_push(6);
						L12:
						_pop(_t165);
						L13:
						_t138 = SendDlgItemMessageW(_t158, 0x66, 0x171, 0, 0);
						if(_t138 != 0) {
							 *0x12330d0(_t138);
						}
						EndDialog(_t158, _t165);
						goto L1;
					}
					_t142 = _t137 - 0x6a;
					if(_t142 == 0) {
						_t165 = 0;
						goto L13;
					}
					_t143 = _t142 - 1;
					if(_t143 == 0) {
						_t165 = 1;
						goto L13;
					}
					_t144 = _t143 - 1;
					if(_t144 == 0) {
						_push(4);
						goto L12;
					}
					_t145 = _t144 - 1;
					if(_t145 == 0) {
						goto L13;
					}
					_t146 = _t145 - 1;
					if(_t146 == 0) {
						_push(3);
						goto L12;
					}
					if(_t146 != 1) {
						goto L27;
					}
					goto L11;
				}
				L1:
				_t74 = 1;
				goto L28;
			}

0x011ec220
0x011ec225
0x011ec22b
0x011ec234
0x011ec23e
0x011ec25d
0x011ec267
0x011ec26d
0x011ec2e7
0x011ec302
0x011ec311
0x011ec321
0x011ec342
0x011ec358
0x011ec374
0x011ec379
0x011ec38c
0x011ec39c
0x011ec3a2
0x011ec3a8
0x011ec3a9
0x011ec3ae
0x011ec3b1
0x011ec3b8
0x011ec3d4
0x011ec3de
0x011ec3e6
0x011ec404
0x011ec409
0x011ec417
0x011ec41e
0x011ec42c
0x011ec492
0x011ec42e
0x011ec448
0x011ec44c
0x011ec45b
0x011ec463
0x011ec477
0x011ec47c
0x011ec48a
0x011ec48a
0x011ec4a7
0x011ec4ad
0x011ec4b8
0x011ec4c7
0x011ec4d7
0x011ec4f1
0x011ec509
0x011ec513
0x011ec51b
0x011ec535
0x011ec53a
0x011ec548
0x011ec556
0x011ec55c
0x011ec562
0x011ec576
0x011ec585
0x011ec59c
0x011ec5a1
0x011ec5af
0x011ec5af
0x011ec562
0x011ec5b5
0x011ec5b5
0x011ec5bb
0x011ec5c1
0x011ec5c1
0x011ec272
0x00000000
0x00000000
0x011ec27d
0x011ec27e
0x011ec280
0x011ec2a4
0x011ec2a4
0x011ec2a6
0x011ec2a6
0x011ec2a7
0x011ec2b1
0x011ec2b9
0x011ec2bc
0x011ec2bc
0x011ec2c4
0x00000000
0x011ec2c4
0x011ec282
0x011ec285
0x011ec2d9
0x00000000
0x011ec2d9
0x011ec287
0x011ec28a
0x011ec2d6
0x00000000
0x011ec2d6
0x011ec28c
0x011ec28f
0x011ec2d0
0x00000000
0x011ec2d0
0x011ec291
0x011ec294
0x00000000
0x00000000
0x011ec296
0x011ec299
0x011ec2cc
0x00000000
0x011ec2cc
0x011ec29e
0x00000000
0x00000000
0x00000000
0x011ec29e
0x011ec25f
0x011ec261
0x00000000

APIs

Part of subcall function 011D1316: GetDlgItem.USER32(00000000,00003021), ref: 011D135A
Part of subcall function 011D1316: SetWindowTextW.USER32(00000000,012035F4), ref: 011D1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 011EC2B1
EndDialog.USER32(?,00000006), ref: 011EC2C4
GetDlgItem.USER32(?,0000006C), ref: 011EC2E0
SetFocus.USER32(00000000), ref: 011EC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 011EC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 011EC358
FindFirstFileW.KERNEL32(?,?), ref: 011EC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 011EC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 011EC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 011EC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 011EC3D4
_swprintf.LIBCMT ref: 011EC404

Part of subcall function 011D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 011D40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 011EC417
FindClose.KERNEL32(00000000), ref: 011EC41E
_swprintf.LIBCMT ref: 011EC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 011EC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 011EC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 011EC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 011EC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 011EC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 011EC509
_swprintf.LIBCMT ref: 011EC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 011EC548
_swprintf.LIBCMT ref: 011EC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 011EC5AF

Part of subcall function 011EAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 011EAF35
Part of subcall function 011EAF0F: GetNumberFormatW.KERNEL32 ref: 011EAF84

Strings

%s %s, xrefs: 011EC469, 011EC58E
%s %s %s, xrefs: 011EC3F2, 011EC527
REPLACEFILEDLG, xrefs: 011EC247

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 58d0b6bc6a8483fb689ad2bd56a04863b6e6b9ff1d63674346bfeea64d6bb6ee
Instruction ID: 58b5d87f3572bca9265561f38ccd5338ef92f37ceee2c6a55da614eacd721940
Opcode Fuzzy Hash: 58d0b6bc6a8483fb689ad2bd56a04863b6e6b9ff1d63674346bfeea64d6bb6ee
Instruction Fuzzy Hash: EE91AF72248349BFE235DAE4DC4DFEB7BECEB49704F044919B789D6081D771A6048B62

Uniqueness

Uniqueness Score: -1.00%

Function 011D6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E011D6FAA(void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t98;
				void* _t109;
				signed int _t112;
				intOrPtr _t117;
				signed int _t134;
				long _t154;
				void* _t182;
				void* _t186;
				void* _t190;
				void* _t194;
				short _t195;
				void* _t199;
				WCHAR* _t200;
				long _t201;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t229;
				intOrPtr* _t233;
				intOrPtr* _t234;
				void* _t236;
				intOrPtr _t237;
				signed int _t238;
				void* _t239;
				intOrPtr _t240;
				signed int _t242;
				intOrPtr _t244;
				short _t245;
				void* _t246;
				intOrPtr _t250;
				short _t252;
				void* _t253;
				void* _t255;
				void* _t256;

				E011EEB78(_t98, _t253);
				E011EEC50(0x30a8);
				if( *0x1211023 == 0) {
					E011D7A9C(L"SeRestorePrivilege");
					E011D7A9C(L"SeCreateSymbolicLinkPrivilege");
					 *0x1211023 = 1;
				}
				_t203 = _t253 - 0x2c;
				E011D13BA(_t203, 0x1418);
				_t244 =  *((intOrPtr*)(_t253 + 0x10));
				 *(_t253 - 4) =  *(_t253 - 4) & 0x00000000;
				E011E0602(_t253 - 0x107c, _t244 + 0x1104, 0x800);
				 *(_t253 - 0x14) = E011F3E13(_t253 - 0x107c);
				_t236 = _t253 - 0x107c;
				_t199 = _t253 - 0x207c;
				_t109 = E011F6088(_t236, L"\\??\\", 4);
				_t256 = _t255 + 0x10;
				_t204 = _t203 & 0xffffff00 | _t109 == 0x00000000;
				 *(_t253 - 0xd) = _t204;
				if(_t109 == 0) {
					_t236 = _t253 - 0x1074;
				}
				if(_t204 != 0) {
					_t194 = E011F6088(_t236, L"UNC\\", 4);
					_t256 = _t256 + 0xc;
					if(_t194 == 0) {
						_t195 = 0x5c;
						 *((short*)(_t253 - 0x207c)) = _t195;
						_t199 = _t253 - 0x207a;
						_t236 = _t236 + 6;
					}
				}
				E011F6066(_t199, _t236);
				_t112 = E011F3E13(_t253 - 0x207c);
				_t237 =  *((intOrPtr*)(_t253 + 8));
				_t200 =  *(_t253 + 0xc);
				 *(_t253 - 0x18) = _t112;
				if( *((char*)(_t237 + 0x7197)) != 0) {
					L11:
					E011DA0B1(_t200, _t204, _t237, _t253, _t200, 1,  *(_t237 + 0x714b) & 0x000000ff);
					if(E011DA231(_t200) != 0) {
						_t186 = E011DA28F(E011DA243(_t200));
						_push(_t200);
						if(_t186 == 0) {
							E011DA1E0();
						} else {
							E011DA18F();
						}
					}
					if( *((char*)(_t244 + 0x10f1)) != 0 ||  *((char*)(_t244 + 0x2104)) != 0) {
						__eflags = CreateDirectoryW(_t200, 0);
						if(__eflags != 0) {
							goto L20;
						}
						_t201 = 0;
						E011D2021(__eflags, 0x14, 0, _t200);
						E011D6D83(0x1211098, 9);
						goto L41;
					} else {
						_t182 = CreateFileW(_t200, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t182 != 0xffffffff) {
							CloseHandle(_t182);
							L20:
							_t117 =  *((intOrPtr*)(_t244 + 0x1100));
							__eflags = _t117 - 3;
							if(_t117 != 3) {
								__eflags = _t117 - 2;
								if(_t117 == 2) {
									L26:
									_t233 =  *(_t253 - 0x2c);
									_t205 =  *(_t253 - 0x14) & 0x0000ffff;
									_t238 =  *(_t253 - 0x18) & 0x0000ffff;
									 *_t233 = 0xa000000c;
									_t245 = _t205 + _t205;
									 *((short*)(_t233 + 0xa)) = _t245;
									 *((short*)(_t233 + 4)) = 0x10 + (_t238 + _t205) * 2;
									 *((intOrPtr*)(_t233 + 6)) = 0;
									E011F6066(_t233 + 0x14, _t253 - 0x107c);
									_t246 =  *(_t253 - 0x2c);
									 *((short*)(_t246 + 0xc)) = _t245 + 2;
									 *((short*)(_t246 + 0xe)) = _t238 + _t238;
									E011F6066(_t246 + ( *(_t253 - 0x14) + 0xb) * 2, _t253 - 0x207c);
									_t134 =  *(_t253 - 0xd) & 0x000000ff ^ 0x00000001;
									__eflags = _t134;
									 *(_t246 + 0x10) = _t134;
									L27:
									_t239 = CreateFileW(_t200, 0xc0000000, 0, 0, 3, 0x2200000, 0);
									__eflags = _t239 - 0xffffffff;
									if(_t239 != 0xffffffff) {
										__eflags = DeviceIoControl(_t239, 0x900a4, _t246, ( *(_t246 + 4) & 0x0000ffff) + 8, 0, 0, _t253 - 0x30, 0);
										if(__eflags != 0) {
											E011D9556(_t253 - 0x30b4);
											 *(_t253 - 4) = 1;
											E011D7A7B(_t253 - 0x30b4, _t239);
											_t240 =  *((intOrPtr*)(_t253 + 8));
											_t247 =  *((intOrPtr*)(_t253 + 0x10));
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											E011D9DA2(_t253 - 0x30b4,  *((intOrPtr*)(_t253 + 0x10)),  ~( *(_t240 + 0x82d0)) &  *((intOrPtr*)(_t253 + 0x10)) + 0x00001040,  ~( *(_t240 + 0x82d4)) & _t247 + 0x00001048,  ~( *(_t240 + 0x82d8)) & _t247 + 0x00001050);
											E011D9620(_t253 - 0x30b4);
											__eflags =  *((char*)(_t240 + 0x71a8));
											if( *((char*)(_t240 + 0x71a8)) == 0) {
												E011DA4ED(_t200,  *((intOrPtr*)(_t247 + 0x24)));
											}
											_t201 = 1;
											E011D959A(_t253 - 0x30b4);
											L41:
											E011D15FB(_t253 - 0x2c);
											 *[fs:0x0] =  *((intOrPtr*)(_t253 - 0xc));
											return _t201;
										}
										CloseHandle(_t239);
										E011D2021(__eflags, 0x15, 0, _t200);
										_t154 = GetLastError();
										__eflags = _t154 - 5;
										if(_t154 == 5) {
											L32:
											__eflags = E011E07BC();
											if(__eflags == 0) {
												E011D15C6(_t253 - 0x7c, 0x18);
												E011E15FE(_t253 - 0x7c);
											}
											L34:
											E011D6DCB(0x1211098, __eflags);
											E011D6D83(0x1211098, 9);
											_t250 =  *((intOrPtr*)(_t253 + 0x10));
											_push(_t200);
											__eflags =  *((char*)(_t250 + 0x10f1));
											if( *((char*)(_t250 + 0x10f1)) == 0) {
												DeleteFileW();
											} else {
												RemoveDirectoryW();
											}
											L37:
											_t201 = 0;
											goto L41;
										}
										__eflags = _t154 - 0x522;
										if(__eflags != 0) {
											goto L34;
										}
										goto L32;
									}
									E011D6C23(_t200);
									E011D6D83(0x1211098, 9);
									goto L37;
								}
								__eflags = _t117 - 1;
								if(_t117 != 1) {
									goto L37;
								}
								goto L26;
							}
							_t234 =  *(_t253 - 0x2c);
							_t229 =  *(_t253 - 0x14) & 0x0000ffff;
							_t242 =  *(_t253 - 0x18) & 0x0000ffff;
							 *_t234 = 0xa0000003;
							_t252 = _t229 + _t229;
							 *((short*)(_t234 + 0xa)) = _t252;
							 *((short*)(_t234 + 4)) = 0xc + (_t242 + _t229) * 2;
							 *((intOrPtr*)(_t234 + 6)) = 0;
							E011F6066(_t234 + 0x10, _t253 - 0x107c);
							_t246 =  *(_t253 - 0x2c);
							 *((short*)(_t246 + 0xc)) = _t252 + 2;
							 *((short*)(_t246 + 0xe)) = _t242 + _t242;
							E011F6066(_t246 + ( *(_t253 - 0x14) + 9) * 2, _t253 - 0x207c);
							goto L27;
						}
						E011D6C23(_t200);
						goto L37;
					}
				}
				if( *(_t253 - 0xd) != 0) {
					goto L37;
				}
				_t190 = E011DBCC3(_t244 + 0x1104);
				_t269 = _t190;
				if(_t190 != 0) {
					goto L37;
				}
				_push(_t244 + 0x1104);
				_push(_t200);
				_push(_t244 + 0x28);
				_push(_t237);
				if(E011D7861(_t269) == 0) {
					goto L37;
				}
				goto L11;
			}

0x011d6faa
0x011d6fb4
0x011d6fc0
0x011d6fc7
0x011d6fd1
0x011d6fd6
0x011d6fd6
0x011d6fe5
0x011d6fe8
0x011d6fed
0x011d6ff0
0x011d7007
0x011d701a
0x011d701d
0x011d7025
0x011d7031
0x011d7036
0x011d703b
0x011d703e
0x011d7043
0x011d7045
0x011d7045
0x011d704d
0x011d7057
0x011d705c
0x011d7061
0x011d7065
0x011d7066
0x011d706d
0x011d7073
0x011d7073
0x011d7061
0x011d7078
0x011d7084
0x011d7089
0x011d708f
0x011d7092
0x011d709c
0x011d70d6
0x011d70e1
0x011d70ee
0x011d70f7
0x011d70fc
0x011d70ff
0x011d7108
0x011d7101
0x011d7101
0x011d7101
0x011d70ff
0x011d7114
0x011d71e1
0x011d71e3
0x00000000
0x00000000
0x011d71ea
0x011d71ef
0x011d71fb
0x00000000
0x011d7127
0x011d7139
0x011d7142
0x011d7155
0x011d715b
0x011d715b
0x011d7161
0x011d7164
0x011d7205
0x011d7208
0x011d7213
0x011d7216
0x011d7219
0x011d721f
0x011d7222
0x011d7228
0x011d722b
0x011d7239
0x011d723f
0x011d724d
0x011d7255
0x011d7258
0x011d725f
0x011d7274
0x011d7280
0x011d7280
0x011d7283
0x011d7286
0x011d729e
0x011d72a0
0x011d72a3
0x011d72de
0x011d72e0
0x011d735d
0x011d7369
0x011d736d
0x011d7372
0x011d7375
0x011d7386
0x011d7399
0x011d73ac
0x011d73b7
0x011d73c2
0x011d73c7
0x011d73ce
0x011d73d4
0x011d73d4
0x011d73df
0x011d73e1
0x011d73e6
0x011d73e9
0x011d73f6
0x011d73fe
0x011d73fe
0x011d72e3
0x011d72ee
0x011d72f3
0x011d72f9
0x011d72fc
0x011d7305
0x011d730a
0x011d730c
0x011d7313
0x011d731b
0x011d731b
0x011d7320
0x011d7327
0x011d7330
0x011d7335
0x011d7338
0x011d7339
0x011d7340
0x011d734a
0x011d7342
0x011d7342
0x011d7342
0x011d7350
0x011d7350
0x00000000
0x011d7350
0x011d72fe
0x011d7303
0x00000000
0x00000000
0x00000000
0x011d7303
0x011d72ad
0x011d72b6
0x00000000
0x011d72b6
0x011d720a
0x011d720d
0x00000000
0x00000000
0x00000000
0x011d720d
0x011d716d
0x011d7170
0x011d7176
0x011d7179
0x011d717f
0x011d7182
0x011d7190
0x011d7196
0x011d71a4
0x011d71ac
0x011d71af
0x011d71b6
0x011d71cb
0x00000000
0x011d71d0
0x011d714a
0x00000000
0x011d714a
0x011d7114
0x011d70a2
0x00000000
0x00000000
0x011d70af
0x011d70b4
0x011d70b6
0x00000000
0x00000000
0x011d70c2
0x011d70c3
0x011d70c7
0x011d70c8
0x011d70d0
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 011D6FAA
_wcslen.LIBCMT ref: 011D7013
_wcslen.LIBCMT ref: 011D7084

Part of subcall function 011D7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 011D7AAB
Part of subcall function 011D7A9C: GetLastError.KERNEL32 ref: 011D7AF1
Part of subcall function 011D7A9C: CloseHandle.KERNEL32(?), ref: 011D7B00

Part of subcall function 011DA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,011D977F,?,?,011D95CF,?,?,?,?,?,01202641,000000FF), ref: 011DA1F1
Part of subcall function 011DA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,011D977F,?,?,011D95CF,?,?,?,?,?,01202641), ref: 011DA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 011D7139
CloseHandle.KERNEL32(00000000), ref: 011D7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 011D7298

Part of subcall function 011D9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,011D73BC,?,?,?,00000000), ref: 011D9DBC
Part of subcall function 011D9DA2: SetFileTime.KERNEL32(?,?,?,?), ref: 011D9E70

Part of subcall function 011D9620: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,011D95D6,?,?,?,?,?,01202641,000000FF), ref: 011D963B

Part of subcall function 011DA4ED: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,011DA325,?,?,?,011DA175,?,00000001,00000000,?,?), ref: 011DA501
Part of subcall function 011DA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,011DA325,?,?,?,011DA175,?,00000001,00000000,?,?), ref: 011DA532

Strings

SeRestorePrivilege, xrefs: 011D6FC2
UNC\, xrefs: 011D7051
\??\, xrefs: 011D702B
SeCreateSymbolicLinkPrivilege, xrefs: 011D6FCC

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2821348736-3508440684
Opcode ID: c629d490c17f6f1d2cfe988fe9a4405b14248f63df373650ffbbde93db589fdf
Instruction ID: 7fe070029bc5c7e4b9688c8d414c482dc9bfec63a1e85f74625c8a7cdc9c7714
Opcode Fuzzy Hash: c629d490c17f6f1d2cfe988fe9a4405b14248f63df373650ffbbde93db589fdf
Instruction Fuzzy Hash: D2C11771D00605AEEB29DB74DC85FEEB3B8BF14308F00455AEA56E32C1DB34A644CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011FD8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 68%

			E011FD8EE(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v32;
				signed int _v36;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _t743;
				signed int _t753;
				signed int _t754;
				intOrPtr _t763;
				signed int _t764;
				intOrPtr _t767;
				intOrPtr _t770;
				intOrPtr _t772;
				intOrPtr _t773;
				void* _t774;
				signed int _t777;
				signed int _t778;
				signed int _t784;
				void* _t789;
				signed int _t790;
				intOrPtr _t792;
				void* _t793;
				signed int _t794;
				signed int _t795;
				signed int _t796;
				signed int _t805;
				signed int _t810;
				signed int _t811;
				signed int _t812;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				signed int _t819;
				signed int _t820;
				signed int _t825;
				signed int _t826;
				signed int _t832;
				signed int _t833;
				signed int _t836;
				signed int _t841;
				signed int _t849;
				signed int* _t852;
				signed int _t856;
				signed int _t867;
				signed int _t868;
				signed int _t870;
				char* _t871;
				signed int _t874;
				signed int _t878;
				signed int _t879;
				signed int _t884;
				signed int _t886;
				signed int _t891;
				signed int _t900;
				signed int _t903;
				signed int _t905;
				signed int _t908;
				signed int _t909;
				signed int _t910;
				signed int _t913;
				signed int _t926;
				signed int _t927;
				signed int _t929;
				char* _t930;
				signed int _t933;
				signed int _t937;
				signed int _t938;
				signed int* _t940;
				signed int _t943;
				signed int _t945;
				signed int _t950;
				signed int _t958;
				signed int _t961;
				signed int _t965;
				signed int* _t972;
				intOrPtr _t974;
				void* _t975;
				intOrPtr* _t977;
				signed int* _t981;
				unsigned int _t992;
				signed int _t993;
				void* _t996;
				signed int _t997;
				void* _t999;
				signed int _t1000;
				signed int _t1001;
				signed int _t1002;
				signed int _t1012;
				signed int _t1017;
				signed int _t1020;
				unsigned int _t1023;
				signed int _t1024;
				void* _t1027;
				signed int _t1028;
				void* _t1030;
				signed int _t1031;
				signed int _t1032;
				signed int _t1033;
				signed int _t1038;
				signed int* _t1043;
				signed int _t1045;
				signed int _t1055;
				void* _t1056;
				void _t1058;
				signed int _t1061;
				void* _t1064;
				void* _t1071;
				signed int _t1077;
				signed int _t1078;
				void* _t1080;
				signed int _t1081;
				signed int _t1082;
				signed int _t1084;
				signed int _t1085;
				signed int _t1086;
				signed int _t1090;
				signed int _t1094;
				signed int _t1095;
				signed int _t1096;
				signed int _t1098;
				signed int _t1099;
				signed int _t1100;
				signed int _t1101;
				signed int _t1102;
				signed int _t1103;
				signed int _t1105;
				signed int _t1106;
				signed int _t1107;
				signed int _t1108;
				signed int _t1109;
				signed int _t1110;
				unsigned int _t1111;
				void* _t1114;
				intOrPtr _t1116;
				signed int _t1117;
				signed int _t1118;
				signed int _t1119;
				signed int* _t1123;
				void* _t1127;
				void* _t1128;
				signed int _t1129;
				signed int _t1130;
				signed int _t1131;
				signed int _t1134;
				signed int _t1135;
				signed int _t1140;
				signed int _t1142;
				signed int _t1143;
				signed int _t1151;
				signed int _t1152;
				signed int _t1153;
				signed int _t1154;
				signed int _t1155;
				signed int _t1156;
				signed int _t1157;
				signed int _t1161;
				signed int _t1162;
				signed int _t1163;
				signed int _t1164;
				signed int _t1165;
				unsigned int _t1168;
				void* _t1172;
				void* _t1173;
				unsigned int _t1174;
				signed int _t1179;
				signed int _t1180;
				signed int _t1182;
				signed int _t1183;
				intOrPtr* _t1185;
				signed int _t1186;
				void* _t1187;
				signed int _t1188;
				signed int _t1189;
				signed int _t1192;
				signed int _t1194;
				signed int _t1195;
				void* _t1196;
				signed int _t1197;
				signed int _t1198;
				signed int _t1199;
				void* _t1202;
				signed int _t1203;
				signed int _t1204;
				signed int _t1205;
				signed int _t1206;
				signed int _t1207;
				signed int* _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1214;
				intOrPtr* _t1216;
				intOrPtr* _t1217;
				signed int _t1219;
				signed int _t1221;
				signed int _t1224;
				signed int _t1230;
				signed int _t1234;
				signed int _t1235;
				void* _t1236;
				signed int _t1240;
				signed int _t1243;
				signed int _t1244;
				signed int _t1245;
				signed int _t1246;
				signed int _t1247;
				signed int _t1248;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1253;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1259;
				signed int _t1261;
				signed int _t1262;
				signed int _t1264;
				signed int _t1266;
				signed int _t1268;
				signed int _t1271;
				signed int _t1273;
				signed int* _t1274;
				signed int* _t1277;
				signed int _t1286;

				_t1142 = __edx;
				_t1271 = _t1273;
				_t1274 = _t1273 - 0x964;
				_t743 =  *0x120e7ac; // 0xc166b63b
				_v8 = _t743 ^ _t1271;
				_push(__ebx);
				_t1055 = _a20;
				_push(__esi);
				_push(__edi);
				_t1185 = _a16;
				_v1924 = _t1185;
				_v1920 = _t1055;
				E011FD416( &_v1944, __eflags);
				_t1234 = _a8;
				_t748 = 0x2d;
				if((_t1234 & 0x80000000) == 0) {
					_t748 = 0x120;
				}
				 *_t1185 = _t748;
				 *((intOrPtr*)(_t1185 + 8)) = _t1055;
				_t1186 = _a4;
				if((_t1234 & 0x7ff00000) != 0) {
					L5:
					_t753 = E011F9994( &_a4);
					_pop(_t1070);
					__eflags = _t753;
					if(_t753 != 0) {
						_t1070 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t754 = _t753 - 1;
					__eflags = _t754;
					if(_t754 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t777 = _t754 - 1;
						__eflags = _t777;
						if(_t777 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t778 = _t777 - 1;
							__eflags = _t778;
							if(_t778 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t778 == 1;
								if(_t778 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1186;
									_a8 = _t1234 & 0x7fffffff;
									_t1286 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1188 = _v1896;
									_v1916 = _a12 + 1;
									_t1077 = _t1188 >> 0x14;
									_t784 = _t1077 & 0x000007ff;
									__eflags = _t784;
									if(_t784 != 0) {
										_t1143 = 0;
										_t784 = 0;
										__eflags = 0;
									} else {
										_t1143 = 1;
									}
									_t1189 = _t1188 & 0x000fffff;
									_t1058 = _v1900 + _t784;
									asm("adc edi, esi");
									__eflags = _t1143;
									_t1078 = _t1077 & 0x000007ff;
									_t1240 = _t1078 - 0x434 + (0 | _t1143 != 0x00000000) + 1;
									_v1872 = _t1240;
									E011FF460(_t1078, _t1286);
									_push(_t1078);
									 *_t1274 = _t1286;
									_t789 = E011FF570();
									_t1080 = _t1078;
									_t790 = L012023A0(_t789, _t1058, _t1080, _t1143);
									_v1904 = _t790;
									__eflags = _t790 - 0x7fffffff;
									if(_t790 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t790 - 0x80000000;
										if(_t790 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1058;
									__eflags = _t1189;
									_v464 = _t1189;
									_t1061 = (0 | _t1189 != 0x00000000) + 1;
									_v472 = _t1061;
									__eflags = _t1240;
									if(_t1240 < 0) {
										__eflags = _t1240 - 0xfffffc02;
										if(_t1240 == 0xfffffc02) {
											L101:
											_t792 =  *((intOrPtr*)(_t1271 + _t1061 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1081 = 0;
												__eflags = 0;
											} else {
												_t1081 = _t792 + 1;
											}
											_t793 = 0x20;
											_t794 = _t793 - _t1081;
											__eflags = _t794 - 1;
											_t795 = _t794 & 0xffffff00 | _t794 - 0x00000001 > 0x00000000;
											__eflags = _t1061 - 0x73;
											_v1865 = _t795;
											_t1082 = _t1081 & 0xffffff00 | _t1061 - 0x00000073 > 0x00000000;
											__eflags = _t1061 - 0x73;
											if(_t1061 != 0x73) {
												L107:
												_t796 = 0;
												__eflags = 0;
											} else {
												__eflags = _t795;
												if(_t795 == 0) {
													goto L107;
												} else {
													_t796 = 1;
												}
											}
											__eflags = _t1082;
											if(_t1082 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												E011FBDE1( &_v468, 0x1cc,  &_v1396, 0);
												_t1274 =  &(_t1274[4]);
											} else {
												__eflags = _t796;
												if(_t796 != 0) {
													goto L126;
												} else {
													_t1109 = 0x72;
													__eflags = _t1061 - _t1109;
													if(_t1061 < _t1109) {
														_t1109 = _t1061;
													}
													__eflags = _t1109 - 0xffffffff;
													if(_t1109 != 0xffffffff) {
														_t1258 = _t1109;
														_t1216 =  &_v468 + _t1109 * 4;
														_v1880 = _t1216;
														while(1) {
															__eflags = _t1258 - _t1061;
															if(_t1258 >= _t1061) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1216;
															}
															_t210 = _t1258 - 1; // 0x70
															__eflags = _t210 - _t1061;
															if(_t210 >= _t1061) {
																_t1168 = 0;
																__eflags = 0;
															} else {
																_t1168 =  *(_t1216 - 4);
															}
															_t1216 = _t1216 - 4;
															_t972 = _v1880;
															_t1258 = _t1258 - 1;
															 *_t972 = _t1168 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t972 - 4;
															__eflags = _t1258 - 0xffffffff;
															if(_t1258 == 0xffffffff) {
																break;
															}
															_t1061 = _v472;
														}
														_t1240 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1109;
													} else {
														_t218 = _t1109 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1192 = 1 - _t1240;
											E011EFFF0(_t1192,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1271 + 0xbad63d) = 1 << (_t1192 & 0x0000001f);
											_t805 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1110 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1110;
											__eflags = _t1061 - _t1110;
											if(_t1061 == _t1110) {
												_t1172 = 0;
												__eflags = 0;
												while(1) {
													_t974 =  *((intOrPtr*)(_t1271 + _t1172 - 0x570));
													__eflags = _t974 -  *((intOrPtr*)(_t1271 + _t1172 - 0x1d0));
													if(_t974 !=  *((intOrPtr*)(_t1271 + _t1172 - 0x1d0))) {
														goto L101;
													}
													_t1172 = _t1172 + 4;
													__eflags = _t1172 - 8;
													if(_t1172 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1173 = 0;
															__eflags = 0;
														} else {
															_t1173 = _t974 + 1;
														}
														_t975 = 0x20;
														_t1259 = _t1110;
														__eflags = _t975 - _t1173 - _t1110;
														_t977 =  &_v460;
														_v1880 = _t977;
														_t1217 = _t977;
														_t171 =  &_v1865;
														 *_t171 = _t975 - _t1173 - _t1110 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1259 - _t1061;
															if(_t1259 >= _t1061) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1217;
															}
															_t175 = _t1259 - 1; // 0x0
															__eflags = _t175 - _t1061;
															if(_t175 >= _t1061) {
																_t1174 = 0;
																__eflags = 0;
															} else {
																_t1174 =  *(_t1217 - 4);
															}
															_t1217 = _t1217 - 4;
															_t981 = _v1880;
															_t1259 = _t1259 - 1;
															 *_t981 = _t1174 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t981 - 4;
															__eflags = _t1259 - 0xffffffff;
															if(_t1259 == 0xffffffff) {
																break;
															}
															_t1061 = _v472;
														}
														__eflags = _v1865;
														_t1111 = _t1110 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1110;
														_t1219 = _t1111 >> 5;
														_v1884 = _t1111;
														_t1261 = _t1219 << 2;
														E011EFFF0(_t1219,  &_v1396, 0, _t1261);
														 *(_t1271 + _t1261 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t805 = _t1219 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t805;
										_t1064 = 0x1cc;
										_v936 = _t805;
										__eflags = _t805 << 2;
										E011FBDE1( &_v932, 0x1cc,  &_v1396, _t805 << 2);
										_t1277 =  &(_t1274[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1262 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1262;
										__eflags = _t1061 - _t1262;
										if(_t1061 != _t1262) {
											L53:
											_t992 = _v1872 + 1;
											_t993 = _t992 & 0x0000001f;
											_t1114 = 0x20;
											_v1876 = _t993;
											_t1221 = _t992 >> 5;
											_v1872 = _t1221;
											_v1908 = _t1114 - _t993;
											_t996 = E011EF0C0(1, _t1114 - _t993, 0);
											_t1116 =  *((intOrPtr*)(_t1271 + _t1061 * 4 - 0x1d4));
											_t997 = _t996 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t997;
											_v1912 =  !_t997;
											if( *_t108 == 0) {
												_t1117 = 0;
												__eflags = 0;
											} else {
												_t1117 = _t1116 + 1;
											}
											_t999 = 0x20;
											_t1000 = _t999 - _t1117;
											_t1179 = _t1061 + _t1221;
											__eflags = _v1876 - _t1000;
											_v1892 = _t1179;
											_t1001 = _t1000 & 0xffffff00 | _v1876 - _t1000 > 0x00000000;
											__eflags = _t1179 - 0x73;
											_v1865 = _t1001;
											_t1118 = _t1117 & 0xffffff00 | _t1179 - 0x00000073 > 0x00000000;
											__eflags = _t1179 - 0x73;
											if(_t1179 != 0x73) {
												L59:
												_t1002 = 0;
												__eflags = 0;
											} else {
												__eflags = _t1001;
												if(_t1001 == 0) {
													goto L59;
												} else {
													_t1002 = 1;
												}
											}
											__eflags = _t1118;
											if(_t1118 != 0) {
												L81:
												__eflags = 0;
												_t1064 = 0x1cc;
												_v1400 = 0;
												_v472 = 0;
												E011FBDE1( &_v468, 0x1cc,  &_v1396, 0);
												_t1274 =  &(_t1274[4]);
											} else {
												__eflags = _t1002;
												if(_t1002 != 0) {
													goto L81;
												} else {
													_t1119 = 0x72;
													__eflags = _t1179 - _t1119;
													if(_t1179 >= _t1119) {
														_t1179 = _t1119;
														_v1892 = _t1119;
													}
													_t1012 = _t1179;
													_v1880 = _t1012;
													__eflags = _t1179 - 0xffffffff;
													if(_t1179 != 0xffffffff) {
														_t1180 = _v1872;
														_t1264 = _t1179 - _t1180;
														__eflags = _t1264;
														_t1123 =  &_v468 + _t1264 * 4;
														_v1888 = _t1123;
														while(1) {
															__eflags = _t1012 - _t1180;
															if(_t1012 < _t1180) {
																break;
															}
															__eflags = _t1264 - _t1061;
															if(_t1264 >= _t1061) {
																_t1224 = 0;
																__eflags = 0;
															} else {
																_t1224 =  *_t1123;
															}
															__eflags = _t1264 - 1 - _t1061;
															if(_t1264 - 1 >= _t1061) {
																_t1017 = 0;
																__eflags = 0;
															} else {
																_t1017 =  *(_t1123 - 4);
															}
															_t1020 = _v1880;
															_t1123 = _v1888 - 4;
															_v1888 = _t1123;
															 *(_t1271 + _t1020 * 4 - 0x1d0) = (_t1224 & _v1884) << _v1876 | (_t1017 & _v1912) >> _v1908;
															_t1012 = _t1020 - 1;
															_t1264 = _t1264 - 1;
															_v1880 = _t1012;
															__eflags = _t1012 - 0xffffffff;
															if(_t1012 != 0xffffffff) {
																_t1061 = _v472;
																continue;
															}
															break;
														}
														_t1179 = _v1892;
														_t1221 = _v1872;
														_t1262 = 2;
													}
													__eflags = _t1221;
													if(_t1221 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1221 << 2);
														_t1274 =  &(_t1274[3]);
													}
													__eflags = _v1865;
													_t1064 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1179;
													} else {
														_v472 = _t1179 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1262;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1127 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1271 + _t1127 - 0x570)) -  *((intOrPtr*)(_t1271 + _t1127 - 0x1d0));
												if( *((intOrPtr*)(_t1271 + _t1127 - 0x570)) !=  *((intOrPtr*)(_t1271 + _t1127 - 0x1d0))) {
													goto L53;
												}
												_t1127 = _t1127 + 4;
												__eflags = _t1127 - 8;
												if(_t1127 != 8) {
													continue;
												} else {
													_t1023 = _v1872 + 2;
													_t1024 = _t1023 & 0x0000001f;
													_t1128 = 0x20;
													_t1129 = _t1128 - _t1024;
													_v1888 = _t1024;
													_t1266 = _t1023 >> 5;
													_v1876 = _t1266;
													_v1908 = _t1129;
													_t1027 = E011EF0C0(1, _t1129, 0);
													_v1896 = _v1896 & 0x00000000;
													_t1028 = _t1027 - 1;
													__eflags = _t1028;
													asm("bsr ecx, edi");
													_v1884 = _t1028;
													_v1912 =  !_t1028;
													if(_t1028 == 0) {
														_t1130 = 0;
														__eflags = 0;
													} else {
														_t1130 = _t1129 + 1;
													}
													_t1030 = 0x20;
													_t1031 = _t1030 - _t1130;
													_t1182 = _t1266 + 2;
													__eflags = _v1888 - _t1031;
													_v1880 = _t1182;
													_t1032 = _t1031 & 0xffffff00 | _v1888 - _t1031 > 0x00000000;
													__eflags = _t1182 - 0x73;
													_v1865 = _t1032;
													_t1131 = _t1130 & 0xffffff00 | _t1182 - 0x00000073 > 0x00000000;
													__eflags = _t1182 - 0x73;
													if(_t1182 != 0x73) {
														L28:
														_t1033 = 0;
														__eflags = 0;
													} else {
														__eflags = _t1032;
														if(_t1032 == 0) {
															goto L28;
														} else {
															_t1033 = 1;
														}
													}
													__eflags = _t1131;
													if(_t1131 != 0) {
														L50:
														__eflags = 0;
														_t1064 = 0x1cc;
														_v1400 = 0;
														_v472 = 0;
														E011FBDE1( &_v468, 0x1cc,  &_v1396, 0);
														_t1274 =  &(_t1274[4]);
													} else {
														__eflags = _t1033;
														if(_t1033 != 0) {
															goto L50;
														} else {
															_t1134 = 0x72;
															__eflags = _t1182 - _t1134;
															if(_t1182 >= _t1134) {
																_t1182 = _t1134;
																_v1880 = _t1134;
															}
															_t1135 = _t1182;
															_v1892 = _t1135;
															__eflags = _t1182 - 0xffffffff;
															if(_t1182 != 0xffffffff) {
																_t1183 = _v1876;
																_t1268 = _t1182 - _t1183;
																__eflags = _t1268;
																_t1043 =  &_v468 + _t1268 * 4;
																_v1872 = _t1043;
																while(1) {
																	__eflags = _t1135 - _t1183;
																	if(_t1135 < _t1183) {
																		break;
																	}
																	__eflags = _t1268 - _t1061;
																	if(_t1268 >= _t1061) {
																		_t1230 = 0;
																		__eflags = 0;
																	} else {
																		_t1230 =  *_t1043;
																	}
																	__eflags = _t1268 - 1 - _t1061;
																	if(_t1268 - 1 >= _t1061) {
																		_t1045 = 0;
																		__eflags = 0;
																	} else {
																		_t1045 =  *(_v1872 - 4);
																	}
																	_t1140 = _v1892;
																	 *(_t1271 + _t1140 * 4 - 0x1d0) = (_t1045 & _v1912) >> _v1908 | (_t1230 & _v1884) << _v1888;
																	_t1135 = _t1140 - 1;
																	_t1268 = _t1268 - 1;
																	_t1043 = _v1872 - 4;
																	_v1892 = _t1135;
																	_v1872 = _t1043;
																	__eflags = _t1135 - 0xffffffff;
																	if(_t1135 != 0xffffffff) {
																		_t1061 = _v472;
																		continue;
																	}
																	break;
																}
																_t1182 = _v1880;
																_t1266 = _v1876;
															}
															__eflags = _t1266;
															if(_t1266 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1266 << 2);
																_t1274 =  &(_t1274[3]);
															}
															__eflags = _v1865;
															_t1064 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1182;
															} else {
																_v472 = _t1182 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t1038 = 4;
													__eflags = 1;
													_v1396 = _t1038;
													_v1400 = 1;
													_v936 = 1;
													_push(_t1038);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1064);
										_push( &_v932);
										E011FBDE1();
										_t1277 =  &(_t1274[4]);
									}
									_t810 = _v1904;
									_t1084 = 0xa;
									_v1912 = _t1084;
									__eflags = _t810;
									if(_t810 < 0) {
										_t811 =  ~_t810;
										_t812 = _t811 / _t1084;
										_v1880 = _t812;
										_t1085 = _t811 % _t1084;
										_v1884 = _t1085;
										__eflags = _t812;
										if(_t812 == 0) {
											L249:
											__eflags = _t1085;
											if(_t1085 != 0) {
												_t849 =  *(0x12083dc + _t1085 * 4);
												_v1896 = _t849;
												__eflags = _t849;
												if(_t849 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t849 - 1;
													if(_t849 != 1) {
														_t1096 = _v472;
														__eflags = _t1096;
														if(_t1096 != 0) {
															_t1199 = 0;
															_t1248 = 0;
															__eflags = 0;
															do {
																_t1153 = _t849 *  *(_t1271 + _t1248 * 4 - 0x1d0) >> 0x20;
																 *(_t1271 + _t1248 * 4 - 0x1d0) = _t849 *  *(_t1271 + _t1248 * 4 - 0x1d0) + _t1199;
																_t849 = _v1896;
																asm("adc edx, 0x0");
																_t1248 = _t1248 + 1;
																_t1199 = _t1153;
																__eflags = _t1248 - _t1096;
															} while (_t1248 != _t1096);
															__eflags = _t1199;
															if(_t1199 != 0) {
																_t856 = _v472;
																__eflags = _t856 - 0x73;
																if(_t856 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1271 + _t856 * 4 - 0x1d0) = _t1199;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t812 - 0x26;
												if(_t812 > 0x26) {
													_t812 = 0x26;
												}
												_t1097 =  *(0x1208346 + _t812 * 4) & 0x000000ff;
												_v1872 = _t812;
												_v1400 = ( *(0x1208346 + _t812 * 4) & 0x000000ff) + ( *(0x1208347 + _t812 * 4) & 0x000000ff);
												E011EFFF0(_t1097 << 2,  &_v1396, 0, _t1097 << 2);
												_t867 = E011F0320( &(( &_v1396)[_t1097]), 0x1207a40 + ( *(0x1208344 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x1208347 + _t812 * 4) & 0x000000ff) << 2);
												_t1098 = _v1400;
												_t1277 =  &(_t1277[6]);
												_v1892 = _t1098;
												__eflags = _t1098 - 1;
												if(_t1098 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1098 - _v472;
														_t1202 =  &_v1396;
														_t868 = _t867 & 0xffffff00 | _t1098 - _v472 > 0x00000000;
														__eflags = _t868;
														if(_t868 != 0) {
															_t1154 =  &_v468;
														} else {
															_t1202 =  &_v468;
															_t1154 =  &_v1396;
														}
														_v1908 = _t1154;
														__eflags = _t868;
														if(_t868 == 0) {
															_t1098 = _v472;
														}
														_v1876 = _t1098;
														__eflags = _t868;
														if(_t868 != 0) {
															_v1892 = _v472;
														}
														_t1155 = 0;
														_t1250 = 0;
														_v1864 = 0;
														__eflags = _t1098;
														if(_t1098 == 0) {
															L243:
															_v472 = _t1155;
															_t870 = _t1155 << 2;
															__eflags = _t870;
															_push(_t870);
															_t871 =  &_v1860;
															goto L244;
														} else {
															_t1203 = _t1202 -  &_v1860;
															__eflags = _t1203;
															_v1928 = _t1203;
															do {
																_t878 =  *(_t1271 + _t1203 + _t1250 * 4 - 0x740);
																_v1896 = _t878;
																__eflags = _t878;
																if(_t878 != 0) {
																	_t879 = 0;
																	_t1204 = 0;
																	_t1099 = _t1250;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1099 - 0x73;
																		if(_t1099 == 0x73) {
																			goto L258;
																		} else {
																			_t1203 = _v1928;
																			_t1098 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1099 - 0x73;
																			if(_t1099 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1099 - _t1155;
																			if(_t1099 == _t1155) {
																				 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) & 0x00000000;
																				_t891 = _t879 + 1 + _t1250;
																				__eflags = _t891;
																				_v1864 = _t891;
																				_t879 = _v1888;
																			}
																			_t886 =  *(_v1908 + _t879 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) + _t886 * _v1896 + _t1204;
																			asm("adc edx, 0x0");
																			_t879 = _v1888 + 1;
																			_t1099 = _t1099 + 1;
																			_v1888 = _t879;
																			_t1204 = _t886 * _v1896 >> 0x20;
																			_t1155 = _v1864;
																			__eflags = _t879 - _v1892;
																			if(_t879 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1204;
																				if(_t1204 == 0) {
																					goto L240;
																				}
																				__eflags = _t1099 - 0x73;
																				if(_t1099 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1099 - _t1155;
																					if(_t1099 == _t1155) {
																						_t558 = _t1271 + _t1099 * 4 - 0x740;
																						 *_t558 =  *(_t1271 + _t1099 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1099 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t884 = _t1204;
																					_t1204 = 0;
																					 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) + _t884;
																					_t1155 = _v1864;
																					asm("adc edi, edi");
																					_t1099 = _t1099 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1250 - _t1155;
																	if(_t1250 == _t1155) {
																		 *(_t1271 + _t1250 * 4 - 0x740) =  *(_t1271 + _t1250 * 4 - 0x740) & _t878;
																		_t526 = _t1250 + 1; // 0x1
																		_t1155 = _t526;
																		_v1864 = _t1155;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1250 = _t1250 + 1;
																__eflags = _t1250 - _t1098;
															} while (_t1250 != _t1098);
															goto L243;
														}
													} else {
														_t1205 = _v468;
														_v472 = _t1098;
														E011FBDE1( &_v468, _t1064,  &_v1396, _t1098 << 2);
														_t1277 =  &(_t1277[4]);
														__eflags = _t1205;
														if(_t1205 == 0) {
															goto L203;
														} else {
															__eflags = _t1205 - 1;
															if(_t1205 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1100 = 0;
																	_v1896 = _v472;
																	_t1251 = 0;
																	__eflags = 0;
																	do {
																		_t900 = _t1205;
																		_t1156 = _t900 *  *(_t1271 + _t1251 * 4 - 0x1d0) >> 0x20;
																		 *(_t1271 + _t1251 * 4 - 0x1d0) = _t900 *  *(_t1271 + _t1251 * 4 - 0x1d0) + _t1100;
																		asm("adc edx, 0x0");
																		_t1251 = _t1251 + 1;
																		_t1100 = _t1156;
																		__eflags = _t1251 - _v1896;
																	} while (_t1251 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1206 = _v1396;
													__eflags = _t1206;
													if(_t1206 != 0) {
														__eflags = _t1206 - 1;
														if(_t1206 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1101 = 0;
																_v1896 = _v472;
																_t1252 = 0;
																__eflags = 0;
																do {
																	_t905 = _t1206;
																	_t1157 = _t905 *  *(_t1271 + _t1252 * 4 - 0x1d0) >> 0x20;
																	 *(_t1271 + _t1252 * 4 - 0x1d0) = _t905 *  *(_t1271 + _t1252 * 4 - 0x1d0) + _t1101;
																	asm("adc edx, 0x0");
																	_t1252 = _t1252 + 1;
																	_t1101 = _t1157;
																	__eflags = _t1252 - _v1896;
																} while (_t1252 != _v1896);
																L208:
																__eflags = _t1100;
																if(_t1100 == 0) {
																	goto L245;
																} else {
																	_t903 = _v472;
																	__eflags = _t903 - 0x73;
																	if(_t903 >= 0x73) {
																		L258:
																		_v2408 = 0;
																		_v472 = 0;
																		E011FBDE1( &_v468, _t1064,  &_v2404, 0);
																		_t1277 =  &(_t1277[4]);
																		_t874 = 0;
																	} else {
																		 *(_t1271 + _t903 * 4 - 0x1d0) = _t1100;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t871 =  &_v2404;
														L244:
														_push(_t871);
														_push(_t1064);
														_push( &_v468);
														E011FBDE1();
														_t1277 =  &(_t1277[4]);
														L245:
														_t874 = 1;
													}
												}
												L246:
												__eflags = _t874;
												if(_t874 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t852 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t812 = _v1880 - _v1872;
												__eflags = _t812;
												_v1880 = _t812;
											} while (_t812 != 0);
											_t1085 = _v1884;
											goto L249;
										}
									} else {
										_t908 = _t810 / _t1084;
										_v1908 = _t908;
										_t1102 = _t810 % _t1084;
										_v1896 = _t1102;
										__eflags = _t908;
										if(_t908 == 0) {
											L184:
											__eflags = _t1102;
											if(_t1102 != 0) {
												_t1207 =  *(0x12083dc + _t1102 * 4);
												__eflags = _t1207;
												if(_t1207 != 0) {
													__eflags = _t1207 - 1;
													if(_t1207 != 1) {
														_t909 = _v936;
														_v1896 = _t909;
														__eflags = _t909;
														if(_t909 != 0) {
															_t1253 = 0;
															_t1103 = 0;
															__eflags = 0;
															do {
																_t910 = _t1207;
																_t1161 = _t910 *  *(_t1271 + _t1103 * 4 - 0x3a0) >> 0x20;
																 *(_t1271 + _t1103 * 4 - 0x3a0) = _t910 *  *(_t1271 + _t1103 * 4 - 0x3a0) + _t1253;
																asm("adc edx, 0x0");
																_t1103 = _t1103 + 1;
																_t1253 = _t1161;
																__eflags = _t1103 - _v1896;
															} while (_t1103 != _v1896);
															__eflags = _t1253;
															if(_t1253 != 0) {
																_t913 = _v936;
																__eflags = _t913 - 0x73;
																if(_t913 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1271 + _t913 * 4 - 0x3a0) = _t1253;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t908 - 0x26;
												if(_t908 > 0x26) {
													_t908 = 0x26;
												}
												_t1104 =  *(0x1208346 + _t908 * 4) & 0x000000ff;
												_v1888 = _t908;
												_v1400 = ( *(0x1208346 + _t908 * 4) & 0x000000ff) + ( *(0x1208347 + _t908 * 4) & 0x000000ff);
												E011EFFF0(_t1104 << 2,  &_v1396, 0, _t1104 << 2);
												_t926 = E011F0320( &(( &_v1396)[_t1104]), 0x1207a40 + ( *(0x1208344 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x1208347 + _t908 * 4) & 0x000000ff) << 2);
												_t1105 = _v1400;
												_t1277 =  &(_t1277[6]);
												_v1892 = _t1105;
												__eflags = _t1105 - 1;
												if(_t1105 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1105 - _v936;
														_t1210 =  &_v1396;
														_t927 = _t926 & 0xffffff00 | _t1105 - _v936 > 0x00000000;
														__eflags = _t927;
														if(_t927 != 0) {
															_t1162 =  &_v932;
														} else {
															_t1210 =  &_v932;
															_t1162 =  &_v1396;
														}
														_v1876 = _t1162;
														__eflags = _t927;
														if(_t927 == 0) {
															_t1105 = _v936;
														}
														_v1880 = _t1105;
														__eflags = _t927;
														if(_t927 != 0) {
															_v1892 = _v936;
														}
														_t1163 = 0;
														_t1255 = 0;
														_v1864 = 0;
														__eflags = _t1105;
														if(_t1105 == 0) {
															L177:
															_v936 = _t1163;
															_t929 = _t1163 << 2;
															__eflags = _t929;
															goto L178;
														} else {
															_t1211 = _t1210 -  &_v1860;
															__eflags = _t1211;
															_v1928 = _t1211;
															do {
																_t937 =  *(_t1271 + _t1211 + _t1255 * 4 - 0x740);
																_v1884 = _t937;
																__eflags = _t937;
																if(_t937 != 0) {
																	_t938 = 0;
																	_t1212 = 0;
																	_t1106 = _t1255;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1106 - 0x73;
																		if(_t1106 == 0x73) {
																			goto L187;
																		} else {
																			_t1211 = _v1928;
																			_t1105 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1106 - 0x73;
																			if(_t1106 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1106 - _t1163;
																			if(_t1106 == _t1163) {
																				 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) & 0x00000000;
																				_t950 = _t938 + 1 + _t1255;
																				__eflags = _t950;
																				_v1864 = _t950;
																				_t938 = _v1872;
																			}
																			_t945 =  *(_v1876 + _t938 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) + _t945 * _v1884 + _t1212;
																			asm("adc edx, 0x0");
																			_t938 = _v1872 + 1;
																			_t1106 = _t1106 + 1;
																			_v1872 = _t938;
																			_t1212 = _t945 * _v1884 >> 0x20;
																			_t1163 = _v1864;
																			__eflags = _t938 - _v1892;
																			if(_t938 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1212;
																				if(_t1212 == 0) {
																					goto L174;
																				}
																				__eflags = _t1106 - 0x73;
																				if(_t1106 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t940 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1106 - _t1163;
																					if(_t1106 == _t1163) {
																						_t370 = _t1271 + _t1106 * 4 - 0x740;
																						 *_t370 =  *(_t1271 + _t1106 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1106 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t943 = _t1212;
																					_t1212 = 0;
																					 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) + _t943;
																					_t1163 = _v1864;
																					asm("adc edi, edi");
																					_t1106 = _t1106 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1255 - _t1163;
																	if(_t1255 == _t1163) {
																		 *(_t1271 + _t1255 * 4 - 0x740) =  *(_t1271 + _t1255 * 4 - 0x740) & _t937;
																		_t338 = _t1255 + 1; // 0x1
																		_t1163 = _t338;
																		_v1864 = _t1163;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1255 = _t1255 + 1;
																__eflags = _t1255 - _t1105;
															} while (_t1255 != _t1105);
															goto L177;
														}
													} else {
														_t1213 = _v932;
														_v936 = _t1105;
														E011FBDE1( &_v932, _t1064,  &_v1396, _t1105 << 2);
														_t1277 =  &(_t1277[4]);
														__eflags = _t1213;
														if(_t1213 != 0) {
															__eflags = _t1213 - 1;
															if(_t1213 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1107 = 0;
																	_v1884 = _v936;
																	_t1256 = 0;
																	__eflags = 0;
																	do {
																		_t958 = _t1213;
																		_t1164 = _t958 *  *(_t1271 + _t1256 * 4 - 0x3a0) >> 0x20;
																		 *(_t1271 + _t1256 * 4 - 0x3a0) = _t958 *  *(_t1271 + _t1256 * 4 - 0x3a0) + _t1107;
																		asm("adc edx, 0x0");
																		_t1256 = _t1256 + 1;
																		_t1107 = _t1164;
																		__eflags = _t1256 - _v1884;
																	} while (_t1256 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t930 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1214 = _v1396;
													__eflags = _t1214;
													if(_t1214 != 0) {
														__eflags = _t1214 - 1;
														if(_t1214 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1108 = 0;
																_v1884 = _v936;
																_t1257 = 0;
																__eflags = 0;
																do {
																	_t965 = _t1214;
																	_t1165 = _t965 *  *(_t1271 + _t1257 * 4 - 0x3a0) >> 0x20;
																	 *(_t1271 + _t1257 * 4 - 0x3a0) = _t965 *  *(_t1271 + _t1257 * 4 - 0x3a0) + _t1108;
																	asm("adc edx, 0x0");
																	_t1257 = _t1257 + 1;
																	_t1108 = _t1165;
																	__eflags = _t1257 - _v1884;
																} while (_t1257 != _v1884);
																L149:
																__eflags = _t1107;
																if(_t1107 == 0) {
																	goto L180;
																} else {
																	_t961 = _v936;
																	__eflags = _t961 - 0x73;
																	if(_t961 < 0x73) {
																		 *(_t1271 + _t961 * 4 - 0x3a0) = _t1107;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t940 =  &_v1396;
																		L188:
																		_push(_t940);
																		_push(_t1064);
																		_push( &_v932);
																		E011FBDE1();
																		_t1277 =  &(_t1277[4]);
																		_t933 = 0;
																	}
																}
															}
														}
													} else {
														_t929 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t929);
														_t930 =  &_v1860;
														L179:
														_push(_t930);
														_push(_t1064);
														_push( &_v932);
														E011FBDE1();
														_t1277 =  &(_t1277[4]);
														L180:
														_t933 = 1;
													}
												}
												L181:
												__eflags = _t933;
												if(_t933 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t852 =  &_v932;
													L262:
													_push(_t1064);
													_push(_t852);
													E011FBDE1();
													_t1277 =  &(_t1277[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t908 = _v1908 - _v1888;
												__eflags = _t908;
												_v1908 = _t908;
											} while (_t908 != 0);
											_t1102 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1194 = _v1920;
									_t1243 = _t1194;
									_t1086 = _v472;
									_v1872 = _t1243;
									__eflags = _t1086;
									if(_t1086 != 0) {
										_t1247 = 0;
										_t1198 = 0;
										__eflags = 0;
										do {
											_t841 =  *(_t1271 + _t1198 * 4 - 0x1d0);
											_t1151 = 0xa;
											_t1152 = _t841 * _t1151 >> 0x20;
											 *(_t1271 + _t1198 * 4 - 0x1d0) = _t841 * _t1151 + _t1247;
											asm("adc edx, 0x0");
											_t1198 = _t1198 + 1;
											_t1247 = _t1152;
											__eflags = _t1198 - _t1086;
										} while (_t1198 != _t1086);
										_v1896 = _t1247;
										__eflags = _t1247;
										_t1243 = _v1872;
										if(_t1247 != 0) {
											_t1095 = _v472;
											__eflags = _t1095 - 0x73;
											if(_t1095 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E011FBDE1( &_v468, _t1064,  &_v2404, 0);
												_t1277 =  &(_t1277[4]);
											} else {
												 *(_t1271 + _t1095 * 4 - 0x1d0) = _t1152;
												_v472 = _v472 + 1;
											}
										}
										_t1194 = _t1243;
									}
									_t815 = E011FD440( &_v472,  &_v936);
									_t1142 = 0xa;
									__eflags = _t815 - _t1142;
									if(_t815 != _t1142) {
										__eflags = _t815;
										if(_t815 != 0) {
											_t816 = _t815 + 0x30;
											__eflags = _t816;
											_t1243 = _t1194 + 1;
											 *_t1194 = _t816;
											_v1872 = _t1243;
											goto L282;
										} else {
											_t817 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1243 = _t1194 + 1;
										_t832 = _v936;
										 *_t1194 = 0x31;
										_v1872 = _t1243;
										__eflags = _t832;
										if(_t832 != 0) {
											_t1197 = 0;
											_t1246 = _t832;
											_t1094 = 0;
											__eflags = 0;
											do {
												_t833 =  *(_t1271 + _t1094 * 4 - 0x3a0);
												 *(_t1271 + _t1094 * 4 - 0x3a0) = _t833 * _t1142 + _t1197;
												asm("adc edx, 0x0");
												_t1094 = _t1094 + 1;
												_t1197 = _t833 * _t1142 >> 0x20;
												_t1142 = 0xa;
												__eflags = _t1094 - _t1246;
											} while (_t1094 != _t1246);
											_t1243 = _v1872;
											__eflags = _t1197;
											if(_t1197 != 0) {
												_t836 = _v936;
												__eflags = _t836 - 0x73;
												if(_t836 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E011FBDE1( &_v932, _t1064,  &_v2404, 0);
													_t1277 =  &(_t1277[4]);
												} else {
													 *(_t1271 + _t836 * 4 - 0x3a0) = _t1197;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t817 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t817;
									_t1070 = _v1916;
									__eflags = _t817;
									if(_t817 >= 0) {
										__eflags = _t1070 - 0x7fffffff;
										if(_t1070 <= 0x7fffffff) {
											_t1070 = _t1070 + _t817;
											__eflags = _t1070;
										}
									}
									_t819 = _a24 - 1;
									__eflags = _t819 - _t1070;
									if(_t819 >= _t1070) {
										_t819 = _t1070;
									}
									_t755 = _t819 + _v1920;
									_v1916 = _t755;
									__eflags = _t1243 - _t755;
									if(__eflags != 0) {
										while(1) {
											_t755 = _v472;
											__eflags = _t755;
											if(__eflags == 0) {
												goto L303;
											}
											_t1195 = 0;
											_t1244 = _t755;
											_t1090 = 0;
											__eflags = 0;
											do {
												_t820 =  *(_t1271 + _t1090 * 4 - 0x1d0);
												 *(_t1271 + _t1090 * 4 - 0x1d0) = _t820 * 0x3b9aca00 + _t1195;
												asm("adc edx, 0x0");
												_t1090 = _t1090 + 1;
												_t1195 = _t820 * 0x3b9aca00 >> 0x20;
												__eflags = _t1090 - _t1244;
											} while (_t1090 != _t1244);
											_t1245 = _v1872;
											__eflags = _t1195;
											if(_t1195 != 0) {
												_t826 = _v472;
												__eflags = _t826 - 0x73;
												if(_t826 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E011FBDE1( &_v468, _t1064,  &_v2404, 0);
													_t1277 =  &(_t1277[4]);
												} else {
													 *(_t1271 + _t826 * 4 - 0x1d0) = _t1195;
													_v472 = _v472 + 1;
												}
											}
											_t825 = E011FD440( &_v472,  &_v936);
											_t1196 = 8;
											_t1070 = _v1916 - _t1245;
											__eflags = _t1070;
											do {
												_t708 = _t825 % _v1912;
												_t825 = _t825 / _v1912;
												_t1142 = _t708 + 0x30;
												__eflags = _t1070 - _t1196;
												if(_t1070 >= _t1196) {
													 *(_t1196 + _t1245) = _t1142;
												}
												_t1196 = _t1196 - 1;
												__eflags = _t1196 - 0xffffffff;
											} while (_t1196 != 0xffffffff);
											__eflags = _t1070 - 9;
											if(_t1070 > 9) {
												_t1070 = 9;
											}
											_t1243 = _t1245 + _t1070;
											_v1872 = _t1243;
											__eflags = _t1243 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1243 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1070 = _t1234 & 0x000fffff;
					if((_t1186 | _t1234 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push(0x1208404);
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1055);
						if(E011F8D67() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E011F9097();
							asm("int3");
							_push(0x10);
							E011EF5F0(_t1055, _t1186, _t1234);
							_v32 = _v32 & 0x00000000;
							E011FAC31(8);
							_t1071 = 0x120c4e8;
							_t721 =  &_v8;
							 *_t721 = _v8 & 0x00000000;
							__eflags =  *_t721;
							_t1235 = 3;
							while(1) {
								_v36 = _t1235;
								__eflags = _t1235 -  *0x1232274; // 0x200
								if(__eflags == 0) {
									break;
								}
								_t763 =  *0x1232278; // 0x3624e38
								_t764 =  *(_t763 + _t1235 * 4);
								__eflags = _t764;
								if(_t764 != 0) {
									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
									if(__eflags != 0) {
										_t773 =  *0x1232278; // 0x3624e38
										_push( *((intOrPtr*)(_t773 + _t1235 * 4)));
										_t774 = E01200023(_t1055, _t1071, _t1142, _t1186, _t1235, __eflags);
										__eflags = _t774 - 0xffffffff;
										if(_t774 != 0xffffffff) {
											_t731 =  &_v32;
											 *_t731 = _v32 + 1;
											__eflags =  *_t731;
										}
									}
									_t767 =  *0x1232278; // 0x3624e38
									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1235 * 4)) + 0x20);
									_t770 =  *0x1232278; // 0x3624e38
									E011F8DCC( *((intOrPtr*)(_t770 + _t1235 * 4)));
									_pop(_t1071);
									_t772 =  *0x1232278; // 0x3624e38
									_t737 = _t772 + _t1235 * 4;
									 *_t737 =  *(_t772 + _t1235 * 4) & 0x00000000;
									__eflags =  *_t737;
								}
								_t1235 = _t1235 + 1;
							}
							_v8 = 0xfffffffe;
							E011FED21();
							return E011EF640(_v32);
						} else {
							L309:
							_t1284 = _v1936;
							_pop(_t1187);
							_pop(_t1236);
							_pop(_t1056);
							if(_v1936 != 0) {
								_t755 = E011FF381(_t1070, _t1284,  &_v1944);
							}
							return E011EFBBC(_t755, _t1056, _v8 ^ _t1271, _t1142, _t1187, _t1236);
						}
					}
				}
			}

0x011fd8ee
0x011fd8f1
0x011fd8f3
0x011fd8f9
0x011fd900
0x011fd903
0x011fd904
0x011fd90d
0x011fd90e
0x011fd90f
0x011fd912
0x011fd918
0x011fd91e
0x011fd923
0x011fd932
0x011fd934
0x011fd936
0x011fd936
0x011fd93d
0x011fd947
0x011fd94c
0x011fd94f
0x011fd973
0x011fd977
0x011fd97c
0x011fd97d
0x011fd97f
0x011fd981
0x011fd987
0x011fd987
0x011fd98e
0x011fd98e
0x011fd991
0x011fec41
0x00000000
0x011fd997
0x011fd997
0x011fd997
0x011fd99a
0x011fec3a
0x00000000
0x011fd9a0
0x011fd9a0
0x011fd9a0
0x011fd9a3
0x011fec33
0x00000000
0x011fd9a9
0x011fd9a9
0x011fd9ac
0x011fec2c
0x00000000
0x011fd9b2
0x011fd9bb
0x011fd9c3
0x011fd9c6
0x011fd9c9
0x011fd9cc
0x011fd9d2
0x011fd9da
0x011fd9e0
0x011fd9ea
0x011fd9ea
0x011fd9ed
0x011fd9f5
0x011fd9fc
0x011fd9fc
0x011fd9ef
0x011fd9ef
0x011fd9f1
0x011fda04
0x011fda0a
0x011fda0c
0x011fda10
0x011fda15
0x011fda22
0x011fda24
0x011fda2a
0x011fda2f
0x011fda31
0x011fda34
0x011fda3a
0x011fda3b
0x011fda40
0x011fda46
0x011fda4b
0x011fda54
0x011fda54
0x011fda56
0x011fda4d
0x011fda4d
0x011fda52
0x00000000
0x00000000
0x011fda52
0x011fda5c
0x011fda64
0x011fda66
0x011fda6f
0x011fda70
0x011fda76
0x011fda78
0x011fde6b
0x011fde71
0x011fdf90
0x011fdf90
0x011fdf97
0x011fdf97
0x011fdf97
0x011fdf9e
0x011fdfa1
0x011fdfa8
0x011fdfa8
0x011fdfa3
0x011fdfa3
0x011fdfa3
0x011fdfac
0x011fdfad
0x011fdfaf
0x011fdfb2
0x011fdfb5
0x011fdfb8
0x011fdfbe
0x011fdfc1
0x011fdfc4
0x011fdfce
0x011fdfce
0x011fdfce
0x011fdfc6
0x011fdfc6
0x011fdfc8
0x00000000
0x011fdfca
0x011fdfca
0x011fdfca
0x011fdfc8
0x011fdfd0
0x011fdfd2
0x011fe073
0x011fe073
0x011fe080
0x011fe080
0x011fe080
0x011fe096
0x011fe09b
0x011fdfd8
0x011fdfd8
0x011fdfda
0x00000000
0x011fdfe0
0x011fdfe2
0x011fdfe3
0x011fdfe5
0x011fdfe7
0x011fdfe7
0x011fdfe9
0x011fdfec
0x011fdff4
0x011fdff6
0x011fdff9
0x011fdfff
0x011fdfff
0x011fe001
0x011fe00d
0x011fe00d
0x011fe00d
0x011fe003
0x011fe005
0x011fe005
0x011fe014
0x011fe017
0x011fe019
0x011fe020
0x011fe020
0x011fe01b
0x011fe01b
0x011fe01b
0x011fe028
0x011fe032
0x011fe038
0x011fe039
0x011fe03e
0x011fe044
0x011fe047
0x00000000
0x00000000
0x011fe049
0x011fe049
0x011fe051
0x011fe051
0x011fe057
0x011fe05e
0x011fe06b
0x011fe060
0x011fe060
0x011fe063
0x011fe063
0x011fe05e
0x011fdfda
0x011fe0a7
0x011fe0b7
0x011fe0c4
0x011fe0c6
0x011fe0cd
0x011fde77
0x011fde77
0x011fde80
0x011fde81
0x011fde8b
0x011fde91
0x011fde93
0x011fde99
0x011fde99
0x011fde9b
0x011fde9b
0x011fdea2
0x011fdea9
0x00000000
0x00000000
0x011fdeaf
0x011fdeb2
0x011fdeb5
0x00000000
0x011fdeb7
0x011fdeb7
0x011fdeb7
0x011fdeb7
0x011fdebe
0x011fdec1
0x011fdec8
0x011fdec8
0x011fdec3
0x011fdec3
0x011fdec3
0x011fdecc
0x011fdecf
0x011fded1
0x011fded3
0x011fded9
0x011fdedf
0x011fdee1
0x011fdee1
0x011fdee1
0x011fdee8
0x011fdee8
0x011fdeea
0x011fdef6
0x011fdef6
0x011fdef6
0x011fdeec
0x011fdeee
0x011fdeee
0x011fdefd
0x011fdf00
0x011fdf02
0x011fdf09
0x011fdf09
0x011fdf04
0x011fdf04
0x011fdf04
0x011fdf11
0x011fdf1c
0x011fdf22
0x011fdf23
0x011fdf28
0x011fdf2e
0x011fdf31
0x00000000
0x00000000
0x011fdf33
0x011fdf33
0x011fdf3d
0x011fdf48
0x011fdf50
0x011fdf56
0x011fdf61
0x011fdf67
0x011fdf6e
0x011fdf81
0x011fdf88
0x011fdf88
0x00000000
0x011fdeb5
0x011fde9b
0x00000000
0x011fde93
0x011fe0d0
0x011fe0d0
0x011fe0d6
0x011fe0db
0x011fe0e1
0x011fe0f4
0x011fe0f9
0x011fda7e
0x011fda7e
0x011fda87
0x011fda88
0x011fda92
0x011fda98
0x011fda9a
0x011fdca0
0x011fdca8
0x011fdcab
0x011fdcb0
0x011fdcb3
0x011fdcbb
0x011fdcbf
0x011fdcc5
0x011fdccb
0x011fdcd0
0x011fdcd7
0x011fdcd8
0x011fdcd8
0x011fdcd8
0x011fdcdf
0x011fdce2
0x011fdcea
0x011fdcf0
0x011fdcf5
0x011fdcf5
0x011fdcf2
0x011fdcf2
0x011fdcf2
0x011fdcf9
0x011fdcfa
0x011fdcfc
0x011fdcff
0x011fdd05
0x011fdd0b
0x011fdd0e
0x011fdd11
0x011fdd17
0x011fdd1a
0x011fdd1d
0x011fdd27
0x011fdd27
0x011fdd27
0x011fdd1f
0x011fdd1f
0x011fdd21
0x00000000
0x011fdd23
0x011fdd23
0x011fdd23
0x011fdd21
0x011fdd29
0x011fdd2b
0x011fde1d
0x011fde1d
0x011fde1f
0x011fde25
0x011fde2b
0x011fde40
0x011fde45
0x011fdd31
0x011fdd31
0x011fdd33
0x00000000
0x011fdd39
0x011fdd3b
0x011fdd3c
0x011fdd3e
0x011fdd40
0x011fdd42
0x011fdd42
0x011fdd48
0x011fdd4a
0x011fdd50
0x011fdd53
0x011fdd61
0x011fdd67
0x011fdd67
0x011fdd69
0x011fdd6c
0x011fdd72
0x011fdd72
0x011fdd74
0x00000000
0x00000000
0x011fdd76
0x011fdd78
0x011fdd7e
0x011fdd7e
0x011fdd7a
0x011fdd7a
0x011fdd7a
0x011fdd83
0x011fdd85
0x011fdd8c
0x011fdd8c
0x011fdd87
0x011fdd87
0x011fdd87
0x011fddb2
0x011fddb8
0x011fddbb
0x011fddc1
0x011fddc8
0x011fddc9
0x011fddca
0x011fddd0
0x011fddd3
0x011fddd5
0x00000000
0x011fddd5
0x00000000
0x011fddd3
0x011fdddd
0x011fdde3
0x011fddeb
0x011fddeb
0x011fddec
0x011fddee
0x011fddf2
0x011fddfa
0x011fddfa
0x011fddfa
0x011fddfc
0x011fde03
0x011fde08
0x011fde15
0x011fde0a
0x011fde0d
0x011fde0d
0x011fde08
0x011fdd33
0x011fde48
0x011fde52
0x011fde58
0x011fde5e
0x011fde64
0x011fdaa0
0x011fdaa0
0x011fdaa0
0x011fdaa2
0x011fdaa9
0x011fdab0
0x00000000
0x00000000
0x011fdab6
0x011fdab9
0x011fdabc
0x00000000
0x011fdabe
0x011fdac6
0x011fdacb
0x011fdad0
0x011fdad1
0x011fdad3
0x011fdadb
0x011fdadf
0x011fdae5
0x011fdaeb
0x011fdaf0
0x011fdaf7
0x011fdaf7
0x011fdaf8
0x011fdafb
0x011fdb03
0x011fdb09
0x011fdb0e
0x011fdb0e
0x011fdb0b
0x011fdb0b
0x011fdb0b
0x011fdb12
0x011fdb13
0x011fdb15
0x011fdb18
0x011fdb1e
0x011fdb24
0x011fdb27
0x011fdb2a
0x011fdb30
0x011fdb33
0x011fdb36
0x011fdb40
0x011fdb40
0x011fdb40
0x011fdb38
0x011fdb38
0x011fdb3a
0x00000000
0x011fdb3c
0x011fdb3c
0x011fdb3c
0x011fdb3a
0x011fdb42
0x011fdb44
0x011fdc39
0x011fdc39
0x011fdc3b
0x011fdc41
0x011fdc47
0x011fdc5c
0x011fdc61
0x011fdb4a
0x011fdb4a
0x011fdb4c
0x00000000
0x011fdb52
0x011fdb54
0x011fdb55
0x011fdb57
0x011fdb59
0x011fdb5b
0x011fdb5b
0x011fdb61
0x011fdb63
0x011fdb69
0x011fdb6c
0x011fdb7a
0x011fdb80
0x011fdb80
0x011fdb82
0x011fdb85
0x011fdb8b
0x011fdb8b
0x011fdb8d
0x00000000
0x00000000
0x011fdb8f
0x011fdb91
0x011fdb97
0x011fdb97
0x011fdb93
0x011fdb93
0x011fdb93
0x011fdb9c
0x011fdb9e
0x011fdbab
0x011fdbab
0x011fdba0
0x011fdba6
0x011fdba6
0x011fdbc9
0x011fdbd1
0x011fdbd8
0x011fdbdf
0x011fdbe0
0x011fdbe3
0x011fdbe9
0x011fdbef
0x011fdbf2
0x011fdbf4
0x00000000
0x011fdbf4
0x00000000
0x011fdbf2
0x011fdbfc
0x011fdc02
0x011fdc02
0x011fdc08
0x011fdc0a
0x011fdc14
0x011fdc16
0x011fdc16
0x011fdc16
0x011fdc18
0x011fdc1f
0x011fdc24
0x011fdc31
0x011fdc26
0x011fdc29
0x011fdc29
0x011fdc24
0x011fdb4c
0x011fdc64
0x011fdc6f
0x011fdc70
0x011fdc71
0x011fdc77
0x011fdc7d
0x011fdc83
0x011fdc83
0x00000000
0x011fdabc
0x00000000
0x011fdaa2
0x011fdc84
0x011fdc8a
0x011fdc91
0x011fdc92
0x011fdc93
0x011fdc98
0x011fdc98
0x011fe0fc
0x011fe106
0x011fe107
0x011fe10d
0x011fe10f
0x011fe578
0x011fe57a
0x011fe57c
0x011fe582
0x011fe584
0x011fe58a
0x011fe58c
0x011fe8de
0x011fe8de
0x011fe8e0
0x011fe8e6
0x011fe8ed
0x011fe8f3
0x011fe8f5
0x011fe993
0x011fe993
0x011fe995
0x011fe996
0x011fe99c
0x00000000
0x011fe8fb
0x011fe8fb
0x011fe8fe
0x011fe904
0x011fe90a
0x011fe90c
0x011fe912
0x011fe914
0x011fe914
0x011fe916
0x011fe916
0x011fe91f
0x011fe926
0x011fe92c
0x011fe92f
0x011fe930
0x011fe932
0x011fe932
0x011fe936
0x011fe938
0x011fe93a
0x011fe940
0x011fe943
0x00000000
0x011fe945
0x011fe945
0x011fe94c
0x011fe94c
0x011fe943
0x011fe938
0x011fe90c
0x011fe8fe
0x011fe8f5
0x011fe592
0x011fe592
0x011fe592
0x011fe595
0x011fe599
0x011fe599
0x011fe59a
0x011fe5ac
0x011fe5b9
0x011fe5c8
0x011fe5f2
0x011fe5f7
0x011fe5fd
0x011fe600
0x011fe606
0x011fe609
0x011fe6a2
0x011fe6a9
0x011fe727
0x011fe72d
0x011fe733
0x011fe736
0x011fe738
0x011fe7c1
0x011fe73e
0x011fe73e
0x011fe744
0x011fe744
0x011fe74a
0x011fe750
0x011fe752
0x011fe754
0x011fe754
0x011fe75a
0x011fe760
0x011fe762
0x011fe76a
0x011fe76a
0x011fe770
0x011fe772
0x011fe774
0x011fe77a
0x011fe77c
0x011fe893
0x011fe895
0x011fe89b
0x011fe89b
0x011fe89e
0x011fe89f
0x00000000
0x011fe782
0x011fe788
0x011fe788
0x011fe78a
0x011fe790
0x011fe793
0x011fe79a
0x011fe7a0
0x011fe7a2
0x011fe7c9
0x011fe7cb
0x011fe7cd
0x011fe7cf
0x011fe7d5
0x011fe7db
0x011fe875
0x011fe875
0x011fe878
0x00000000
0x011fe87e
0x011fe87e
0x011fe884
0x00000000
0x011fe884
0x011fe7e1
0x011fe7e1
0x011fe7e1
0x011fe7e4
0x00000000
0x00000000
0x011fe7e6
0x011fe7e8
0x011fe7ea
0x011fe7f3
0x011fe7f3
0x011fe7f5
0x011fe7fb
0x011fe7fb
0x011fe807
0x011fe812
0x011fe815
0x011fe822
0x011fe825
0x011fe826
0x011fe827
0x011fe82d
0x011fe82f
0x011fe835
0x011fe83b
0x00000000
0x00000000
0x00000000
0x00000000
0x011fe83d
0x011fe83d
0x011fe83d
0x011fe83f
0x00000000
0x00000000
0x011fe841
0x011fe844
0x00000000
0x011fe84a
0x011fe84a
0x011fe84c
0x011fe84e
0x011fe84e
0x011fe84e
0x011fe856
0x011fe859
0x011fe859
0x011fe85f
0x011fe861
0x011fe863
0x011fe86a
0x011fe870
0x011fe872
0x00000000
0x011fe872
0x00000000
0x011fe844
0x00000000
0x011fe83d
0x00000000
0x011fe7e1
0x011fe7a4
0x011fe7a4
0x011fe7a6
0x011fe7ac
0x011fe7b3
0x011fe7b3
0x011fe7b6
0x011fe7b6
0x00000000
0x011fe7a6
0x00000000
0x011fe88a
0x011fe88a
0x011fe88b
0x011fe88b
0x00000000
0x011fe790
0x011fe6ab
0x011fe6ab
0x011fe6bd
0x011fe6cc
0x011fe6d1
0x011fe6d4
0x011fe6d6
0x00000000
0x011fe6dc
0x011fe6dc
0x011fe6df
0x00000000
0x011fe6e5
0x011fe6e5
0x011fe6ec
0x00000000
0x011fe6f2
0x011fe6f8
0x011fe6fa
0x011fe700
0x011fe700
0x011fe702
0x011fe702
0x011fe704
0x011fe70d
0x011fe714
0x011fe717
0x011fe718
0x011fe71a
0x011fe71a
0x00000000
0x011fe722
0x011fe6ec
0x011fe6df
0x011fe6d6
0x011fe60f
0x011fe60f
0x011fe615
0x011fe617
0x011fe633
0x011fe636
0x00000000
0x011fe63c
0x011fe63c
0x011fe643
0x00000000
0x011fe649
0x011fe64f
0x011fe651
0x011fe657
0x011fe657
0x011fe659
0x011fe659
0x011fe65b
0x011fe664
0x011fe66b
0x011fe66e
0x011fe66f
0x011fe671
0x011fe671
0x011fe679
0x011fe679
0x011fe67b
0x00000000
0x011fe681
0x011fe681
0x011fe687
0x011fe68a
0x011fe954
0x011fe957
0x011fe95d
0x011fe972
0x011fe977
0x011fe97a
0x011fe690
0x011fe690
0x011fe697
0x00000000
0x011fe697
0x011fe68a
0x011fe67b
0x011fe643
0x011fe619
0x011fe619
0x011fe61b
0x011fe621
0x011fe627
0x011fe628
0x011fe8a5
0x011fe8a5
0x011fe8ac
0x011fe8ad
0x011fe8ae
0x011fe8b3
0x011fe8b6
0x011fe8b6
0x011fe8b6
0x011fe617
0x011fe8b8
0x011fe8b8
0x011fe8ba
0x011fe981
0x011fe988
0x011fe98f
0x011fe9a2
0x011fe9a8
0x011fe9a9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x011fe8c0
0x011fe8c6
0x011fe8c6
0x011fe8cc
0x011fe8cc
0x011fe8d8
0x00000000
0x011fe8d8
0x011fe115
0x011fe115
0x011fe117
0x011fe11d
0x011fe11f
0x011fe125
0x011fe127
0x011fe49e
0x011fe49e
0x011fe4a0
0x011fe4a6
0x011fe4ad
0x011fe4af
0x011fe50e
0x011fe511
0x011fe517
0x011fe51d
0x011fe523
0x011fe525
0x011fe52b
0x011fe52d
0x011fe52d
0x011fe52f
0x011fe52f
0x011fe531
0x011fe53a
0x011fe541
0x011fe544
0x011fe545
0x011fe547
0x011fe547
0x011fe54f
0x011fe551
0x011fe557
0x011fe55d
0x011fe560
0x00000000
0x011fe566
0x011fe566
0x011fe56d
0x011fe56d
0x011fe560
0x011fe551
0x011fe525
0x011fe4b1
0x011fe4b1
0x011fe4b3
0x011fe4b9
0x011fe4bf
0x00000000
0x011fe4bf
0x011fe4af
0x011fe12d
0x011fe12d
0x011fe12d
0x011fe130
0x011fe134
0x011fe134
0x011fe135
0x011fe147
0x011fe154
0x011fe163
0x011fe18d
0x011fe192
0x011fe198
0x011fe19b
0x011fe1a1
0x011fe1a4
0x011fe220
0x011fe227
0x011fe2eb
0x011fe2f1
0x011fe2f7
0x011fe2fa
0x011fe2fc
0x011fe385
0x011fe302
0x011fe302
0x011fe308
0x011fe308
0x011fe30e
0x011fe314
0x011fe316
0x011fe318
0x011fe318
0x011fe31e
0x011fe324
0x011fe326
0x011fe32e
0x011fe32e
0x011fe334
0x011fe336
0x011fe338
0x011fe33e
0x011fe340
0x011fe457
0x011fe459
0x011fe45f
0x011fe45f
0x00000000
0x011fe346
0x011fe34c
0x011fe34c
0x011fe34e
0x011fe354
0x011fe357
0x011fe35e
0x011fe364
0x011fe366
0x011fe38d
0x011fe38f
0x011fe391
0x011fe393
0x011fe399
0x011fe39f
0x011fe439
0x011fe439
0x011fe43c
0x00000000
0x011fe442
0x011fe442
0x011fe448
0x00000000
0x011fe448
0x011fe3a5
0x011fe3a5
0x011fe3a5
0x011fe3a8
0x00000000
0x00000000
0x011fe3aa
0x011fe3ac
0x011fe3ae
0x011fe3b7
0x011fe3b7
0x011fe3b9
0x011fe3bf
0x011fe3bf
0x011fe3cb
0x011fe3d6
0x011fe3d9
0x011fe3e6
0x011fe3e9
0x011fe3ea
0x011fe3eb
0x011fe3f1
0x011fe3f3
0x011fe3f9
0x011fe3ff
0x00000000
0x00000000
0x00000000
0x00000000
0x011fe401
0x011fe401
0x011fe401
0x011fe403
0x00000000
0x00000000
0x011fe405
0x011fe408
0x011fe4c2
0x011fe4c2
0x011fe4c4
0x011fe4ca
0x011fe4d0
0x011fe4d1
0x00000000
0x011fe40e
0x011fe40e
0x011fe410
0x011fe412
0x011fe412
0x011fe412
0x011fe41a
0x011fe41d
0x011fe41d
0x011fe423
0x011fe425
0x011fe427
0x011fe42e
0x011fe434
0x011fe436
0x00000000
0x011fe436
0x00000000
0x011fe408
0x00000000
0x011fe401
0x00000000
0x011fe3a5
0x011fe368
0x011fe368
0x011fe36a
0x011fe370
0x011fe377
0x011fe377
0x011fe37a
0x011fe37a
0x00000000
0x011fe36a
0x00000000
0x011fe44e
0x011fe44e
0x011fe44f
0x011fe44f
0x00000000
0x011fe354
0x011fe22d
0x011fe22d
0x011fe23f
0x011fe24e
0x011fe253
0x011fe256
0x011fe258
0x011fe274
0x011fe277
0x00000000
0x011fe27d
0x011fe27d
0x011fe284
0x00000000
0x011fe28a
0x011fe290
0x011fe292
0x011fe298
0x011fe298
0x011fe29a
0x011fe29a
0x011fe29c
0x011fe2a5
0x011fe2ac
0x011fe2af
0x011fe2b0
0x011fe2b2
0x011fe2b2
0x00000000
0x011fe29a
0x011fe284
0x011fe25a
0x011fe25c
0x011fe262
0x011fe268
0x011fe269
0x00000000
0x011fe269
0x011fe258
0x011fe1a6
0x011fe1a6
0x011fe1ac
0x011fe1ae
0x011fe1c3
0x011fe1c6
0x00000000
0x011fe1cc
0x011fe1cc
0x011fe1d3
0x00000000
0x011fe1d9
0x011fe1df
0x011fe1e1
0x011fe1e7
0x011fe1e7
0x011fe1e9
0x011fe1e9
0x011fe1eb
0x011fe1f4
0x011fe1fb
0x011fe1fe
0x011fe1ff
0x011fe201
0x011fe201
0x011fe2ba
0x011fe2ba
0x011fe2bc
0x00000000
0x011fe2c2
0x011fe2c2
0x011fe2c8
0x011fe2cb
0x011fe20e
0x011fe215
0x00000000
0x011fe2d1
0x011fe2d3
0x011fe2d9
0x011fe2df
0x011fe2e0
0x011fe4d7
0x011fe4d7
0x011fe4de
0x011fe4df
0x011fe4e0
0x011fe4e5
0x011fe4e8
0x011fe4e8
0x011fe2cb
0x011fe2bc
0x011fe1d3
0x011fe1b0
0x011fe1b0
0x011fe1b2
0x011fe1b8
0x011fe462
0x011fe462
0x011fe463
0x011fe469
0x011fe469
0x011fe470
0x011fe471
0x011fe472
0x011fe477
0x011fe47a
0x011fe47a
0x011fe47a
0x011fe1ae
0x011fe47c
0x011fe47c
0x011fe47e
0x011fe4ec
0x011fe4f3
0x011fe4f3
0x011fe4f3
0x011fe4fa
0x011fe4fc
0x011fe502
0x011fe503
0x011fe9af
0x011fe9af
0x011fe9b0
0x011fe9b1
0x011fe9b6
0x00000000
0x00000000
0x00000000
0x00000000
0x011fe480
0x011fe486
0x011fe486
0x011fe48c
0x011fe48c
0x011fe498
0x00000000
0x011fe498
0x011fe127
0x011fe9b9
0x011fe9b9
0x011fe9bf
0x011fe9c1
0x011fe9c7
0x011fe9cd
0x011fe9cf
0x011fe9d1
0x011fe9d3
0x011fe9d3
0x011fe9d5
0x011fe9d5
0x011fe9de
0x011fe9df
0x011fe9e3
0x011fe9ea
0x011fe9ed
0x011fe9ee
0x011fe9f0
0x011fe9f0
0x011fe9f4
0x011fe9fa
0x011fe9fc
0x011fea02
0x011fea04
0x011fea0a
0x011fea0d
0x011fea20
0x011fea23
0x011fea29
0x011fea3e
0x011fea43
0x011fea0f
0x011fea11
0x011fea18
0x011fea18
0x011fea0d
0x011fea46
0x011fea46
0x011fea56
0x011fea5f
0x011fea60
0x011fea62
0x011feaf9
0x011feafb
0x011feb06
0x011feb06
0x011feb08
0x011feb0b
0x011feb0d
0x00000000
0x011feafd
0x011feb03
0x011feb03
0x011fea68
0x011fea68
0x011fea6e
0x011fea71
0x011fea77
0x011fea7a
0x011fea80
0x011fea82
0x011fea88
0x011fea8a
0x011fea8c
0x011fea8c
0x011fea8e
0x011fea8e
0x011fea9b
0x011feaa2
0x011feaa5
0x011feaa6
0x011feaa8
0x011feaa9
0x011feaa9
0x011feaad
0x011feab3
0x011feab5
0x011feab7
0x011feabd
0x011feac0
0x011fead4
0x011feada
0x011feaef
0x011feaf4
0x011feac2
0x011feac2
0x011feac9
0x011feac9
0x011feac0
0x011feab5
0x011feb13
0x011feb13
0x011feb13
0x011feb1f
0x011feb22
0x011feb28
0x011feb2a
0x011feb2c
0x011feb32
0x011feb34
0x011feb34
0x011feb34
0x011feb32
0x011feb39
0x011feb3a
0x011feb3c
0x011feb3e
0x011feb3e
0x011feb40
0x011feb46
0x011feb4c
0x011feb4e
0x011feb54
0x011feb54
0x011feb5a
0x011feb5c
0x00000000
0x00000000
0x011feb62
0x011feb64
0x011feb66
0x011feb66
0x011feb68
0x011feb68
0x011feb78
0x011feb7f
0x011feb82
0x011feb83
0x011feb85
0x011feb85
0x011feb89
0x011feb8f
0x011feb91
0x011feb93
0x011feb99
0x011feb9c
0x011febad
0x011febb0
0x011febb6
0x011febcb
0x011febd0
0x011feb9e
0x011feb9e
0x011feba5
0x011feba5
0x011feb9c
0x011febe1
0x011febf0
0x011febf1
0x011febf1
0x011febf3
0x011febf5
0x011febf5
0x011febfb
0x011febfe
0x011fec00
0x011fec02
0x011fec02
0x011fec05
0x011fec06
0x011fec06
0x011fec0b
0x011fec0e
0x011fec12
0x011fec12
0x011fec13
0x011fec15
0x011fec1b
0x011fec21
0x00000000
0x00000000
0x00000000
0x011fec21
0x011feb54
0x011fec27
0x011fec27
0x00000000
0x011fec27
0x011fd9ac
0x011fd9a3
0x011fd99a
0x011fd951
0x011fd955
0x011fd95d
0x00000000
0x011fd95f
0x011fd965
0x011fd96a
0x011fec46
0x011fec46
0x011fec49
0x011fec54
0x011fec7f
0x011fec80
0x011fec81
0x011fec82
0x011fec83
0x011fec84
0x011fec89
0x011fec8a
0x011fec91
0x011fec96
0x011fec9c
0x011feca1
0x011feca2
0x011feca2
0x011feca2
0x011feca8
0x011feca9
0x011feca9
0x011fecac
0x011fecb2
0x00000000
0x00000000
0x011fecb4
0x011fecb9
0x011fecbc
0x011fecbe
0x011fecc6
0x011fecc8
0x011fecca
0x011feccf
0x011fecd2
0x011fecd8
0x011fecdb
0x011fecdd
0x011fecdd
0x011fecdd
0x011fecdd
0x011fecdb
0x011fece0
0x011fecec
0x011fecf2
0x011fecfa
0x011fecff
0x011fed00
0x011fed05
0x011fed05
0x011fed05
0x011fed05
0x011fed09
0x011fed09
0x011fed0c
0x011fed13
0x011fed20
0x011fec56
0x011fec56
0x011fec56
0x011fec5d
0x011fec5e
0x011fec5f
0x011fec60
0x011fec69
0x011fec6e
0x011fec7c
0x011fec7c
0x011fec54
0x011fd95d

APIs

__floor_pentium4.LIBCMT ref: 011FDA34

Strings

1#INF, xrefs: 011FEC41
1#IND, xrefs: 011FEC2C
1#QNAN, xrefs: 011FEC3A
1#SNAN, xrefs: 011FEC33

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c8101895256bb49e3c83086b49a99a72ce2d46422cfd1b6c428ead5fe5fb542b
Instruction ID: 6962648f445d8df07e0e941bacadf0f6b18a0f965f612678ab167572c9e826a4
Opcode Fuzzy Hash: c8101895256bb49e3c83086b49a99a72ce2d46422cfd1b6c428ead5fe5fb542b
Instruction Fuzzy Hash: C9C26A71E096288FDF29CE28DD407EAB7B5EB84304F1641EED60DE7251E774AA818F41

Uniqueness

Uniqueness Score: -1.00%

Function 011D32F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E011D32F7(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				void* _t237;
				signed int _t240;
				void* _t246;
				unsigned int _t248;
				unsigned int _t252;
				void* _t253;
				signed int _t257;
				char _t269;
				signed int _t277;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t291;
				signed int _t292;
				signed int _t295;
				char _t302;
				signed char _t304;
				signed int _t319;
				signed int _t328;
				signed int _t329;
				signed int _t331;
				signed int _t335;
				signed int _t350;
				signed char _t352;
				unsigned int _t363;
				intOrPtr _t370;
				void* _t373;
				intOrPtr _t374;
				void* _t381;
				signed int _t383;
				void* _t384;
				signed int _t395;
				intOrPtr* _t399;
				signed int _t414;
				signed int _t423;
				char _t432;
				signed int _t433;
				signed int _t438;
				signed int _t442;
				intOrPtr _t450;
				unsigned int _t456;
				unsigned int _t459;
				signed int _t463;
				signed int _t471;
				signed int _t480;
				signed int _t485;
				signed int _t500;
				signed int _t502;
				signed char _t503;
				signed int _t504;
				unsigned int _t505;
				intOrPtr _t514;
				void* _t515;
				void* _t522;
				signed int _t525;
				void* _t526;
				signed int _t536;
				void* _t542;
				void* _t544;
				intOrPtr _t547;
				void* _t548;
				void* _t550;
				void* _t551;
				intOrPtr _t561;

				_t551 = _t550 - 0x68;
				E011EEB78(0x12026be, _t548);
				E011EEC50(0x2068);
				_t399 = __ecx;
				E011DCB83(_t548 + 0x30, __ecx);
				 *(_t548 + 0x64) = 0;
				 *((intOrPtr*)(_t548 - 4)) = 0;
				if( *((intOrPtr*)(__ecx + 0x6cd4)) == 0) {
					L18:
					 *((char*)(_t548 + 0x6a)) = 0;
					L19:
					_push(7);
					_t237 = E011DCD8A();
					__eflags = _t237 - 7;
					if(_t237 >= 7) {
						 *(_t399 + 0x220c) = 0;
						 *(_t399 + 0x21fc) = E011DCBFB(_t548 + 0x30);
						_t536 = E011DCD66(_t548 + 0x30, 4);
						_t240 = E011DCCFB();
						__eflags = _t240 | _t500;
						if((_t240 | _t500) == 0) {
							L88:
							E011D20D7(_t399);
							L89:
							E011D15FB(_t548 + 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t548 - 0xc));
							return  *(_t548 + 0x64);
						}
						__eflags = _t536;
						if(_t536 == 0) {
							goto L88;
						}
						_t46 = _t536 + 4; // 0x4
						_t47 = _t536 - 3; // -3
						_t514 = _t46 + _t240;
						_t414 = _t47 + _t240;
						__eflags = _t414;
						if(_t414 < 0) {
							goto L88;
						}
						__eflags = _t514 - 7;
						if(_t514 < 7) {
							goto L88;
						}
						_push(_t414);
						E011DCD8A();
						__eflags =  *(_t548 + 0x48) - _t514;
						if( *(_t548 + 0x48) < _t514) {
							goto L20;
						}
						_t246 = E011DCCDB(_t548 + 0x30);
						 *(_t399 + 0x2200) = E011DCCFB();
						_t248 = E011DCCFB();
						 *(_t399 + 0x2204) = _t248;
						 *((intOrPtr*)(_t399 + 0x2208)) = _t514;
						_t515 = _t399 + 0x21fc;
						 *(_t399 + 0x220c) = _t248 >> 0x00000002 & 0x00000001;
						__eflags =  *_t515 - _t246;
						 *(_t399 + 0x21f4) =  *(_t399 + 0x2200);
						_t60 = _t548 + 0x6b;
						 *_t60 =  *_t515 != _t246;
						__eflags =  *_t60;
						if( *_t60 == 0) {
							L29:
							_t252 = 0;
							__eflags =  *(_t399 + 0x2204) & 0x00000001;
							 *(_t548 + 0x58) = 0;
							 *(_t548 + 0x54) = 0;
							if(( *(_t399 + 0x2204) & 0x00000001) == 0) {
								L33:
								__eflags =  *(_t399 + 0x2204) & 0x00000002;
								_t539 = _t252;
								 *(_t548 + 0x60) = _t252;
								 *(_t548 + 0x5c) = _t252;
								if(( *(_t399 + 0x2204) & 0x00000002) != 0) {
									_t363 = E011DCCFB();
									_t539 = _t363;
									 *(_t548 + 0x60) = _t363;
									 *(_t548 + 0x5c) = _t500;
								}
								_t253 = E011D1983(_t399,  *((intOrPtr*)(_t399 + 0x2208)));
								asm("adc ecx, edx");
								 *((intOrPtr*)(_t399 + 0x6cc0)) = E011D3EFB(_t253 +  *((intOrPtr*)(_t399 + 0x6cb8)),  *((intOrPtr*)(_t399 + 0x6cbc)), _t539,  *(_t548 + 0x5c), 0, 0);
								 *((intOrPtr*)(_t399 + 0x6cc4)) = 0;
								_t502 =  *(_t399 + 0x2200);
								_t257 = _t502 - 1;
								__eflags = _t257;
								if(_t257 == 0) {
									E011DAD5E(_t399 + 0x2220);
									_t423 = 5;
									memcpy(_t399 + 0x2220, _t515, _t423 << 2);
									_t503 = E011DCCFB();
									 *(_t399 + 0x6ccd) = _t503 & 1;
									 *(_t399 + 0x6ccc) = _t503 >> 0x00000002 & 1;
									_t432 = 1;
									 *((char*)(_t399 + 0x6cd2)) = 1;
									 *(_t399 + 0x6ccf) = _t503 >> 0x00000004 & 1;
									 *(_t399 + 0x6cd3) = _t503 >> 0x00000003 & 1;
									_t269 = 0;
									 *((char*)(_t399 + 0x6cd0)) = 0;
									__eflags = _t503 & 0x00000002;
									if((_t503 & 0x00000002) == 0) {
										_t504 = 0;
									} else {
										_t504 = E011DCCFB();
										_t269 = 0;
										_t432 = 1;
									}
									 *(_t399 + 0x6cf0) = _t504;
									__eflags =  *(_t399 + 0x6ccd);
									if( *(_t399 + 0x6ccd) == 0) {
										L84:
										_t432 = _t269;
										goto L85;
									} else {
										__eflags = _t504;
										if(_t504 == 0) {
											L85:
											 *((char*)(_t399 + 0x6cd1)) = _t432;
											_t433 =  *(_t548 + 0x58);
											__eflags = _t433 |  *(_t548 + 0x54);
											if((_t433 |  *(_t548 + 0x54)) != 0) {
												E011D2210(_t399, _t504, _t548 + 0x30, _t433, _t399 + 0x2220);
											}
											goto L87;
										}
										goto L84;
									}
								} else {
									_t277 = _t257 - 1;
									__eflags = _t277;
									if(_t277 == 0) {
										L49:
										__eflags = _t502 - 2;
										_t121 = (0 | _t502 == 0x00000002) - 1; // -1
										_t522 = (_t121 & 0x00002350) + 0x2298 + _t399;
										 *(_t548 + 0x2c) = _t522;
										E011DACC4(_t522, 0);
										_t438 = 5;
										memcpy(_t522, _t399 + 0x21fc, _t438 << 2);
										_t542 =  *(_t548 + 0x2c);
										 *(_t548 + 0x64) =  *(_t399 + 0x2200);
										 *(_t542 + 0x1058) =  *(_t548 + 0x60);
										 *((char*)(_t542 + 0x10f9)) = 1;
										 *(_t542 + 0x105c) =  *(_t548 + 0x5c);
										 *(_t542 + 0x1094) = E011DCCFB();
										 *(_t542 + 0x1060) = E011DCCFB();
										_t289 =  *(_t542 + 0x1094) >> 0x00000003 & 0x00000001;
										__eflags = _t289;
										 *(_t542 + 0x1064) = _t502;
										 *(_t542 + 0x109a) = _t289;
										if(_t289 != 0) {
											 *(_t542 + 0x1060) = 0x7fffffff;
											 *(_t542 + 0x1064) = 0x7fffffff;
										}
										_t442 =  *(_t542 + 0x105c);
										_t525 =  *(_t542 + 0x1064);
										_t290 =  *(_t542 + 0x1058);
										_t505 =  *(_t542 + 0x1060);
										__eflags = _t442 - _t525;
										if(__eflags < 0) {
											L54:
											_t290 = _t505;
											_t442 = _t525;
											goto L55;
										} else {
											if(__eflags > 0) {
												L55:
												 *(_t542 + 0x106c) = _t442;
												 *(_t542 + 0x1068) = _t290;
												_t291 = E011DCCFB();
												__eflags =  *(_t542 + 0x1094) & 0x00000002;
												 *((intOrPtr*)(_t542 + 0x24)) = _t291;
												if(( *(_t542 + 0x1094) & 0x00000002) != 0) {
													E011E158F(_t542 + 0x1040, E011DCBFB(_t548 + 0x30), 0);
												}
												 *(_t542 + 0x1070) =  *(_t542 + 0x1070) & 0x00000000;
												__eflags =  *(_t542 + 0x1094) & 0x00000004;
												if(( *(_t542 + 0x1094) & 0x00000004) != 0) {
													 *(_t542 + 0x1070) = 2;
													 *((intOrPtr*)(_t542 + 0x1074)) = E011DCBFB(_t548 + 0x30);
												}
												 *(_t542 + 0x1100) =  *(_t542 + 0x1100) & 0x00000000;
												_t292 = E011DCCFB();
												 *(_t548 + 0x60) = _t292;
												 *(_t542 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
												_t450 = (_t292 & 0x0000003f) + 0x32;
												 *((intOrPtr*)(_t542 + 0x1c)) = _t450;
												__eflags = _t450 - 0x32;
												if(_t450 != 0x32) {
													 *((intOrPtr*)(_t542 + 0x1c)) = 0x270f;
												}
												 *((char*)(_t542 + 0x18)) = E011DCCFB();
												_t526 = E011DCCFB();
												 *(_t542 + 0x10fc) = 2;
												_t295 =  *((intOrPtr*)(_t542 + 0x18));
												 *(_t542 + 0x10f8) =  *(_t399 + 0x2204) >> 0x00000006 & 1;
												__eflags = _t295 - 1;
												if(_t295 != 1) {
													__eflags = _t295;
													if(_t295 == 0) {
														_t178 = _t542 + 0x10fc;
														 *_t178 =  *(_t542 + 0x10fc) & 0x00000000;
														__eflags =  *_t178;
													}
												} else {
													 *(_t542 + 0x10fc) = 1;
												}
												_t456 =  *(_t542 + 8);
												 *(_t542 + 0x1098) = _t456 >> 0x00000003 & 1;
												 *(_t542 + 0x10fa) = _t456 >> 0x00000005 & 1;
												__eflags =  *(_t548 + 0x64) - 2;
												_t459 =  *(_t548 + 0x60);
												 *(_t542 + 0x1099) = _t456 >> 0x00000004 & 1;
												if( *(_t548 + 0x64) != 2) {
													L68:
													_t302 = 0;
													__eflags = 0;
													goto L69;
												} else {
													__eflags = _t459 & 0x00000040;
													if((_t459 & 0x00000040) == 0) {
														goto L68;
													}
													_t302 = 1;
													L69:
													 *((char*)(_t542 + 0x10f0)) = _t302;
													_t304 =  *(_t542 + 0x1094) & 1;
													 *(_t542 + 0x10f1) = _t304;
													_t509 = 0x20000 << (_t459 >> 0x0000000a & 0x0000000f);
													asm("sbb eax, eax");
													 *(_t542 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t459 >> 0x0000000a & 0x0000000f);
													asm("sbb eax, eax");
													 *(_t542 + 0x109c) =  ~( *(_t542 + 0x109b) & 0x000000ff) & 0x00000005;
													__eflags = _t526 - 0x1fff;
													if(_t526 >= 0x1fff) {
														_t526 = 0x1fff;
													}
													E011DCC5D(_t548 + 0x30, _t548 - 0x2074, _t526);
													 *((char*)(_t548 + _t526 - 0x2074)) = 0;
													_push(0x800);
													_t527 = _t542 + 0x28;
													_push(_t542 + 0x28);
													_push(_t548 - 0x2074);
													E011E1C3B();
													_t463 =  *(_t548 + 0x58);
													_t318 = _t463 |  *(_t548 + 0x54);
													__eflags = _t463 |  *(_t548 + 0x54);
													if((_t463 |  *(_t548 + 0x54)) != 0) {
														_t318 = E011D2210(_t399, _t509, _t548 + 0x30, _t463, _t542);
													}
													__eflags =  *(_t548 + 0x64) - 2;
													if( *(_t548 + 0x64) != 2) {
														_t319 = E011F3E49(_t318, _t527, L"CMT");
														__eflags = _t319;
														if(_t319 == 0) {
															 *((char*)(_t399 + 0x6cce)) = 1;
														}
													} else {
														E011D2134(_t399, _t542);
													}
													__eflags =  *(_t548 + 0x6b);
													if(__eflags != 0) {
														E011D2021(__eflags, 0x1c, _t399 + 0x32, _t527);
													}
													L87:
													 *(_t548 + 0x64) =  *(_t548 + 0x48);
													goto L89;
												}
											}
											__eflags = _t290 - _t505;
											if(_t290 > _t505) {
												goto L55;
											}
											goto L54;
										}
									}
									_t328 = _t277 - 1;
									__eflags = _t328;
									if(_t328 == 0) {
										goto L49;
									}
									_t329 = _t328 - 1;
									__eflags = _t329;
									if(_t329 == 0) {
										_t471 = 5;
										memcpy(_t399 + 0x2260, _t399 + 0x21fc, _t471 << 2);
										_t331 = E011DCCFB();
										__eflags = _t331;
										if(_t331 == 0) {
											 *(_t399 + 0x2274) = E011DCCFB() & 0x00000001;
											_t335 = E011DCBAF(_t548 + 0x30) & 0x000000ff;
											 *(_t399 + 0x2278) = _t335;
											__eflags = _t335 - 0x18;
											if(_t335 <= 0x18) {
												E011DCC5D(_t548 + 0x30, _t399 + 0x227c, 0x10);
												__eflags =  *(_t399 + 0x2274);
												if( *(_t399 + 0x2274) != 0) {
													_t544 = _t399 + 0x228c;
													E011DCC5D(_t548 + 0x30, _t544, 8);
													E011DCC5D(_t548 + 0x30, _t548 + 0x64, 4);
													E011E0016(_t548 - 0x74);
													_push(8);
													_push(_t544);
													_push(_t548 - 0x74);
													E011E005C();
													_push(_t548 + 8);
													E011DFF33(_t548 - 0x74);
													_t350 = E011F0C4A(_t548 + 0x64, _t548 + 8, 4);
													asm("sbb al, al");
													_t352 =  ~_t350 + 1;
													__eflags = _t352;
													 *(_t399 + 0x2274) = _t352;
												}
												 *((char*)(_t399 + 0x6cd4)) = 1;
												goto L87;
											}
											_push(_t335);
											_push(L"hc%u");
											L43:
											_push(0x14);
											_push(_t548);
											E011D4092();
											E011D403D(_t399, _t399 + 0x32, _t548);
											goto L89;
										}
										_push(_t331);
										_push(L"h%u");
										goto L43;
									}
									__eflags = _t329 == 1;
									if(_t329 == 1) {
										_t480 = 5;
										memcpy(_t399 + 0x45a8, _t399 + 0x21fc, _t480 << 2);
										 *(_t399 + 0x45c4) = E011DCCFB() & 0x00000001;
										 *((short*)(_t399 + 0x45c6)) = 0;
										 *((char*)(_t399 + 0x45c5)) = 0;
									}
									goto L87;
								}
							}
							_t485 = E011DCCFB();
							 *(_t548 + 0x54) = _t500;
							_t252 = 0;
							 *(_t548 + 0x58) = _t485;
							__eflags = _t500;
							if(__eflags < 0) {
								goto L33;
							}
							if(__eflags > 0) {
								goto L88;
							}
							__eflags = _t485 -  *((intOrPtr*)(_t399 + 0x2208));
							if(_t485 >=  *((intOrPtr*)(_t399 + 0x2208))) {
								goto L88;
							}
							goto L33;
						}
						E011D20D7(_t399);
						 *((char*)(_t399 + 0x6cdc)) = 1;
						E011D6D83(0x1211098, 3);
						__eflags =  *((char*)(_t548 + 0x6a));
						if(__eflags == 0) {
							goto L29;
						} else {
							E011D2021(__eflags, 4, _t399 + 0x32, _t399 + 0x32);
							L6:
							 *((char*)(_t399 + 0x6cdd)) = 1;
							goto L89;
						}
					}
					L20:
					E011D3FFC(_t399, _t500);
					goto L89;
				}
				_t500 =  *((intOrPtr*)(__ecx + 0x6cd8)) + 8;
				asm("adc eax, ecx");
				_t561 =  *((intOrPtr*)(__ecx + 0x6cbc));
				if(_t561 < 0 || _t561 <= 0 &&  *((intOrPtr*)(__ecx + 0x6cb8)) <= _t500) {
					goto L18;
				} else {
					_t370 =  *((intOrPtr*)(_t399 + 0x21d4));
					 *((char*)(_t548 + 0x6a)) = 1;
					_t563 =  *((intOrPtr*)(_t370 + 0x6127));
					if( *((intOrPtr*)(_t370 + 0x6127)) == 0) {
						 *0x1203278(_t548 + 0x18, 0x10);
						_t373 =  *((intOrPtr*)( *((intOrPtr*)( *_t399 + 0xc))))();
						__eflags = _t373 - 0x10;
						if(_t373 != 0x10) {
							goto L20;
						}
						_t374 =  *((intOrPtr*)(_t399 + 0x21d4));
						__eflags =  *((char*)(_t374 + 0x6124));
						if( *((char*)(_t374 + 0x6124)) != 0) {
							L10:
							 *(_t548 + 0x6b) = 1;
							L11:
							E011D3E6D(_t399);
							_t534 = _t399 + 0x227c;
							_t547 = _t399 + 0x1038;
							E011D603A(_t547, 0, 5,  *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024, _t399 + 0x227c, _t548 + 0x18,  *(_t399 + 0x2278), 0, _t548 + 0x28);
							__eflags =  *(_t399 + 0x2274);
							if( *(_t399 + 0x2274) == 0) {
								L16:
								 *((intOrPtr*)(_t548 + 0x50)) = _t547;
								goto L19;
							} else {
								_t381 = _t399 + 0x228c;
								while(1) {
									_t383 = E011F0C4A(_t548 + 0x28, _t381, 8);
									_t551 = _t551 + 0xc;
									__eflags = _t383;
									if(_t383 == 0) {
										goto L16;
									}
									__eflags =  *(_t548 + 0x6b);
									_t384 = _t399 + 0x32;
									_push(_t384);
									_push(_t384);
									if(__eflags != 0) {
										_push(6);
										E011D2021(__eflags);
										 *((char*)(_t399 + 0x6cdd)) = 1;
										E011D6D83(0x1211098, 0xb);
										goto L89;
									}
									_push(0x83);
									E011D2021(__eflags);
									E011DF279( *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024);
									E011D3E6D(_t399);
									E011D603A(_t547, 0, 5,  *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024, _t534, _t548 + 0x18,  *(_t399 + 0x2278), 0, _t548 + 0x28);
									__eflags =  *(_t399 + 0x2274);
									_t381 = _t399 + 0x228c;
									if( *(_t399 + 0x2274) != 0) {
										continue;
									}
									goto L16;
								}
								goto L16;
							}
						}
						_t395 = E011E1B63();
						 *(_t548 + 0x6b) = 0;
						__eflags = _t395;
						if(_t395 == 0) {
							goto L11;
						}
						goto L10;
					} else {
						E011D138B(_t563, 0x7f, _t399 + 0x32);
						goto L6;
					}
				}
			}

0x011d32f8
0x011d3300
0x011d330a
0x011d3311
0x011d3318
0x011d331f
0x011d3322
0x011d332b
0x011d34a6
0x011d34a6
0x011d34a9
0x011d34a9
0x011d34ae
0x011d34b3
0x011d34b6
0x011d34c7
0x011d34d8
0x011d34e6
0x011d34e8
0x011d34ef
0x011d34f1
0x011d3b09
0x011d3b0b
0x011d3b10
0x011d3b13
0x011d3b21
0x011d3b2c
0x011d3b2c
0x011d34f7
0x011d34f9
0x00000000
0x00000000
0x011d34ff
0x011d3502
0x011d3505
0x011d3507
0x011d3507
0x011d3509
0x00000000
0x00000000
0x011d350f
0x011d3512
0x00000000
0x00000000
0x011d3518
0x011d351c
0x011d3521
0x011d3524
0x00000000
0x00000000
0x011d3529
0x011d353b
0x011d3541
0x011d3546
0x011d3551
0x011d3557
0x011d355d
0x011d3563
0x011d356b
0x011d3571
0x011d3571
0x011d3571
0x011d3575
0x011d35a8
0x011d35a8
0x011d35aa
0x011d35b1
0x011d35b4
0x011d35b7
0x011d35e1
0x011d35e1
0x011d35e8
0x011d35ea
0x011d35ed
0x011d35f0
0x011d35f5
0x011d35fa
0x011d35fc
0x011d35ff
0x011d35ff
0x011d360a
0x011d3622
0x011d362c
0x011d3632
0x011d3638
0x011d3640
0x011d3640
0x011d3643
0x011d3a50
0x011d3a5f
0x011d3a60
0x011d3a6a
0x011d3a73
0x011d3a85
0x011d3a8d
0x011d3a90
0x011d3a96
0x011d3aa3
0x011d3aa9
0x011d3aab
0x011d3ab1
0x011d3ab4
0x011d3ac7
0x011d3ab6
0x011d3abe
0x011d3ac2
0x011d3ac4
0x011d3ac4
0x011d3ac9
0x011d3acf
0x011d3ad6
0x011d3adc
0x011d3adc
0x00000000
0x011d3ad8
0x011d3ad8
0x011d3ada
0x011d3ade
0x011d3ade
0x011d3ae4
0x011d3ae9
0x011d3aec
0x011d3afc
0x011d3afc
0x00000000
0x011d3aec
0x00000000
0x011d3ada
0x011d3649
0x011d3649
0x011d3649
0x011d364c
0x011d3796
0x011d3798
0x011d37a0
0x011d37af
0x011d37b3
0x011d37b6
0x011d37bd
0x011d37c4
0x011d37cf
0x011d37d2
0x011d37d8
0x011d37e1
0x011d37e8
0x011d37f6
0x011d3801
0x011d3810
0x011d3810
0x011d3812
0x011d3818
0x011d381e
0x011d3825
0x011d382b
0x011d382b
0x011d3831
0x011d3837
0x011d383d
0x011d3843
0x011d3849
0x011d384b
0x011d3853
0x011d3853
0x011d3855
0x00000000
0x011d384d
0x011d384d
0x011d3857
0x011d3857
0x011d3860
0x011d3866
0x011d386b
0x011d3872
0x011d3875
0x011d3888
0x011d3888
0x011d388d
0x011d3894
0x011d389b
0x011d38a0
0x011d38af
0x011d38af
0x011d38b5
0x011d38bf
0x011d38c6
0x011d38cf
0x011d38d7
0x011d38da
0x011d38dd
0x011d38e0
0x011d38e2
0x011d38e2
0x011d38f4
0x011d3908
0x011d390a
0x011d3914
0x011d3919
0x011d391f
0x011d3921
0x011d392b
0x011d392d
0x011d392f
0x011d392f
0x011d392f
0x011d392f
0x011d3923
0x011d3923
0x011d3923
0x011d3936
0x011d3940
0x011d3952
0x011d3958
0x011d395c
0x011d395f
0x011d3965
0x011d3970
0x011d3970
0x011d3970
0x00000000
0x011d3967
0x011d3967
0x011d396a
0x00000000
0x00000000
0x011d396c
0x011d3972
0x011d3972
0x011d397e
0x011d3983
0x011d3994
0x011d3998
0x011d399e
0x011d39ad
0x011d39b2
0x011d39bd
0x011d39bf
0x011d39c1
0x011d39c1
0x011d39ce
0x011d39d3
0x011d39e1
0x011d39e6
0x011d39e9
0x011d39ea
0x011d39eb
0x011d39f0
0x011d39f5
0x011d39f5
0x011d39f8
0x011d3a02
0x011d3a02
0x011d3a07
0x011d3a0b
0x011d3a1d
0x011d3a24
0x011d3a26
0x011d3a28
0x011d3a28
0x011d3a0d
0x011d3a10
0x011d3a10
0x011d3a2f
0x011d3a33
0x011d3a40
0x011d3a40
0x011d3b01
0x011d3b04
0x00000000
0x011d3b04
0x011d3965
0x011d384f
0x011d3851
0x00000000
0x00000000
0x00000000
0x011d3851
0x011d384b
0x011d3652
0x011d3652
0x011d3655
0x00000000
0x00000000
0x011d365b
0x011d365b
0x011d365e
0x011d36a0
0x011d36ad
0x011d36b2
0x011d36b7
0x011d36b9
0x011d36f0
0x011d36fb
0x011d36fe
0x011d3704
0x011d3707
0x011d371d
0x011d3722
0x011d3729
0x011d372d
0x011d3737
0x011d3745
0x011d374e
0x011d3753
0x011d3755
0x011d3759
0x011d375a
0x011d3762
0x011d3767
0x011d3776
0x011d3780
0x011d3782
0x011d3782
0x011d3784
0x011d3784
0x011d378a
0x00000000
0x011d378a
0x011d3709
0x011d370a
0x011d36c1
0x011d36c4
0x011d36c6
0x011d36c7
0x011d36d9
0x00000000
0x011d36d9
0x011d36bb
0x011d36bc
0x00000000
0x011d36bc
0x011d3660
0x011d3663
0x011d366b
0x011d3678
0x011d3684
0x011d368c
0x011d3693
0x011d3693
0x00000000
0x011d3663
0x011d3643
0x011d35c1
0x011d35c3
0x011d35c6
0x011d35c8
0x011d35cb
0x011d35cd
0x00000000
0x00000000
0x011d35cf
0x00000000
0x00000000
0x011d35d5
0x011d35db
0x00000000
0x00000000
0x00000000
0x011d35db
0x011d3579
0x011d3585
0x011d358c
0x011d3591
0x011d3595
0x00000000
0x011d3597
0x011d359e
0x011d3375
0x011d3375
0x00000000
0x011d3375
0x011d3595
0x011d34b8
0x011d34ba
0x00000000
0x011d34ba
0x011d3339
0x011d333c
0x011d333e
0x011d3344
0x00000000
0x011d3358
0x011d3358
0x011d335e
0x011d3362
0x011d3368
0x011d338e
0x011d3396
0x011d3398
0x011d339b
0x00000000
0x00000000
0x011d33a1
0x011d33a7
0x011d33ae
0x011d33bd
0x011d33bd
0x011d33c1
0x011d33c3
0x011d33df
0x011d33eb
0x011d33f7
0x011d33fc
0x011d3403
0x011d3482
0x011d3482
0x00000000
0x011d3405
0x011d3405
0x011d340b
0x011d3412
0x011d3417
0x011d341a
0x011d341c
0x00000000
0x00000000
0x011d341e
0x011d3422
0x011d3425
0x011d3426
0x011d3427
0x011d3487
0x011d3489
0x011d3495
0x011d349c
0x00000000
0x011d349c
0x011d3429
0x011d342e
0x011d343f
0x011d3446
0x011d346e
0x011d3473
0x011d347a
0x011d3480
0x00000000
0x00000000
0x00000000
0x011d3480
0x00000000
0x011d340b
0x011d3403
0x011d33b0
0x011d33b5
0x011d33b9
0x011d33bb
0x00000000
0x00000000
0x00000000
0x011d336a
0x011d3370
0x00000000
0x011d3370
0x011d3368

APIs

__EH_prolog.LIBCMT ref: 011D3300
_swprintf.LIBCMT ref: 011D36C7

Strings

h%u, xrefs: 011D36BC
CMT, xrefs: 011D3A17
hc%u, xrefs: 011D370A

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: f48c2d42f80317223b8153702c277f0d506a717fb50e26c304a6acac9df3e64d
Instruction ID: a75fe90bbd66731a9d0a8a2c79d644b66b1ab32f2b1208458cb42df868fb096a
Opcode Fuzzy Hash: f48c2d42f80317223b8153702c277f0d506a717fb50e26c304a6acac9df3e64d
Instruction Fuzzy Hash: B93215B15203859FDF1CDF74C894AEA3BA5BF25304F08047DEE9A8B282DB749549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011D286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E011D286B(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				unsigned int _t329;
				signed int _t334;
				void* _t335;
				void* _t337;
				signed int _t340;
				char _t354;
				signed short _t361;
				signed int _t364;
				signed int _t371;
				signed char _t374;
				signed char _t377;
				signed int _t378;
				signed int _t395;
				signed int _t396;
				signed int _t400;
				signed char _t413;
				intOrPtr _t414;
				char _t415;
				signed int _t418;
				signed int _t419;
				signed int _t424;
				signed int _t427;
				signed int _t432;
				signed short _t437;
				signed short _t442;
				unsigned int _t447;
				signed int _t450;
				signed int _t455;
				signed int _t469;
				void* _t470;
				void* _t478;
				signed char _t484;
				signed int _t488;
				signed int _t498;
				signed int _t501;
				signed int _t502;
				signed int _t503;
				intOrPtr* _t516;
				signed int _t520;
				signed int _t521;
				signed int _t533;
				signed int _t537;
				signed int _t539;
				unsigned int _t548;
				signed int _t550;
				signed int _t560;
				signed int _t562;
				signed int _t563;
				intOrPtr* _t585;
				void* _t593;
				signed int _t597;
				intOrPtr _t609;
				signed int _t612;
				signed int _t624;
				signed char _t628;
				void* _t639;
				signed char _t640;
				signed int _t643;
				unsigned int _t644;
				signed int _t647;
				signed int _t648;
				signed int _t650;
				signed int _t651;
				unsigned int _t653;
				signed int _t657;
				void* _t659;
				void* _t665;
				signed int _t668;
				signed int _t669;
				signed int _t670;
				signed int _t671;
				signed int _t672;
				void* _t673;
				signed int _t675;
				intOrPtr* _t676;
				signed int _t688;
				void* _t694;
				signed int _t695;
				signed int _t697;
				signed int _t699;
				signed int _t701;
				intOrPtr _t707;
				intOrPtr* _t708;
				intOrPtr _t718;

				E011EEB78(0x12026a5, _t708);
				E011EEC50(0x2024);
				_t516 = __ecx;
				 *((intOrPtr*)(_t708 + 0x14)) = __ecx;
				E011DCB83(_t708 + 0x1c, __ecx);
				 *(_t708 + 0x10) = 0;
				 *((intOrPtr*)(_t708 - 4)) = 0;
				_t657 = 7;
				if( *((intOrPtr*)(__ecx + 0x6cd4)) == 0) {
					L7:
					 *((char*)(_t708 + 0x5a)) = 0;
					L8:
					_push(_t657);
					E011DCD8A();
					__eflags =  *(_t708 + 0x34);
					if( *(_t708 + 0x34) == 0) {
						L5:
						E011D3FFC(_t516, _t639);
						L131:
						E011D15FB(_t708 + 0x1c);
						 *[fs:0x0] =  *((intOrPtr*)(_t708 - 0xc));
						return  *(_t708 + 0x10);
					}
					 *(_t516 + 0x21fc) = E011DCBC6(_t708 + 0x1c) & 0x0000ffff;
					 *(_t516 + 0x220c) = 0;
					_t688 = E011DCBAF(_t708 + 0x1c) & 0x000000ff;
					_t329 = E011DCBC6(_t708 + 0x1c) & 0x0000ffff;
					 *(_t516 + 0x2204) = _t329;
					 *(_t516 + 0x220c) = _t329 >> 0x0000000e & 0x00000001;
					_t533 = E011DCBC6(_t708 + 0x1c) & 0x0000ffff;
					 *(_t516 + 0x2208) = _t533;
					 *(_t516 + 0x2200) = _t688;
					__eflags = _t533 - _t657;
					if(_t533 >= _t657) {
						_t640 = 2;
						_t334 = _t688 - 0x73;
						__eflags = _t334;
						if(_t334 == 0) {
							 *(_t516 + 0x2200) = 1;
							_t688 = 1;
							__eflags = 1;
							L20:
							 *(_t516 + 0x21f4) = _t688;
							__eflags = _t688 - 0x75;
							if(_t688 == 0x75) {
								L23:
								_t335 = 6;
								L25:
								_push(_t335);
								E011DCD8A();
								_t337 = E011D1983(_t516,  *(_t516 + 0x2208));
								asm("adc ecx, 0x0");
								 *((intOrPtr*)(_t516 + 0x6cc0)) = _t337 +  *((intOrPtr*)(_t516 + 0x6cb8));
								 *(_t516 + 0x6cc4) =  *(_t516 + 0x6cbc);
								_t537 =  *(_t516 + 0x2200);
								 *(_t708 + 0x18) = _t537;
								_t340 = _t537 - 1;
								__eflags = _t340;
								if(_t340 == 0) {
									_t659 = _t516 + 0x2220;
									E011DAD5E(_t659);
									_t539 = 5;
									memcpy(_t659, _t516 + 0x21fc, _t539 << 2);
									 *(_t516 + 0x2234) = E011DCBC6(_t708 + 0x1c);
									_t640 = E011DCBFB(_t708 + 0x1c);
									 *(_t516 + 0x2238) = _t640;
									 *(_t516 + 0x6ccd) =  *(_t516 + 0x2228) & 0x00000001;
									 *(_t516 + 0x6ccc) =  *(_t516 + 0x2228) >> 0x00000003 & 0x00000001;
									_t548 =  *(_t516 + 0x2228);
									 *(_t516 + 0x6ccf) = _t548 >> 0x00000002 & 0x00000001;
									 *(_t516 + 0x6cd3) = _t548 >> 0x00000006 & 0x00000001;
									 *(_t516 + 0x6cd4) = _t548 >> 0x00000007 & 0x00000001;
									__eflags = _t640;
									if(_t640 != 0) {
										L117:
										_t354 = 1;
										L118:
										 *((char*)(_t516 + 0x6cd0)) = _t354;
										 *(_t516 + 0x223c) = _t548 >> 0x00000001 & 0x00000001;
										_t550 = _t548 >> 0x00000004 & 0x00000001;
										__eflags = _t550;
										 *(_t516 + 0x6cd1) = _t548 >> 0x00000008 & 0x00000001;
										 *(_t516 + 0x6cd2) = _t550;
										L119:
										_t657 = 7;
										L120:
										_t361 = E011DCCAC(_t708 + 0x1c, 0);
										__eflags =  *(_t516 + 0x21fc) - (_t361 & 0x0000ffff);
										if( *(_t516 + 0x21fc) == (_t361 & 0x0000ffff)) {
											L130:
											 *(_t708 + 0x10) =  *(_t708 + 0x34);
											goto L131;
										}
										_t364 =  *(_t516 + 0x2200);
										__eflags = _t364 - 0x79;
										if(_t364 == 0x79) {
											goto L130;
										}
										__eflags = _t364 - 0x76;
										if(_t364 == 0x76) {
											goto L130;
										}
										__eflags = _t364 - 5;
										if(_t364 != 5) {
											L128:
											 *((char*)(_t516 + 0x6cdc)) = 1;
											E011D6D83(0x1211098, 3);
											__eflags =  *((char*)(_t708 + 0x5a));
											if(__eflags == 0) {
												goto L130;
											}
											E011D2021(__eflags, 4, _t516 + 0x32, _t516 + 0x32);
											 *((char*)(_t516 + 0x6cdd)) = 1;
											goto L131;
										}
										__eflags =  *(_t516 + 0x45c6);
										if( *(_t516 + 0x45c6) == 0) {
											goto L128;
										}
										 *0x1203278();
										_t371 =  *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0x14))))() - _t657;
										__eflags = _t371;
										asm("sbb edx, ecx");
										 *0x1203278(_t371, _t640, 0);
										 *((intOrPtr*)( *_t516 + 0x10))();
										 *(_t708 + 0x5b) = 1;
										do {
											_t374 = E011D9892(_t516);
											asm("sbb al, al");
											_t377 =  !( ~_t374) &  *(_t708 + 0x5b);
											 *(_t708 + 0x5b) = _t377;
											_t657 = _t657 - 1;
											__eflags = _t657;
										} while (_t657 != 0);
										__eflags = _t377;
										if(_t377 != 0) {
											goto L130;
										}
										goto L128;
									}
									_t354 = 0;
									__eflags =  *(_t516 + 0x2234);
									if( *(_t516 + 0x2234) == 0) {
										goto L118;
									}
									goto L117;
								}
								_t378 = _t340 - 1;
								__eflags = _t378;
								if(_t378 == 0) {
									L35:
									__eflags = _t537 - 2;
									_t68 = (0 | _t537 == 0x00000002) - 1; // -1
									_t665 = (_t68 & 0x00002350) + 0x2298 + _t516;
									 *(_t708 + 0x4c) = _t665;
									E011DACC4(_t665, 0);
									_t560 = 5;
									memcpy(_t665, _t516 + 0x21fc, _t560 << 2);
									_t694 =  *(_t708 + 0x4c);
									_t668 =  *(_t708 + 0x18);
									_t562 =  *(_t694 + 8);
									 *(_t694 + 0x1098) =  *(_t694 + 8) & 1;
									 *(_t694 + 0x1099) = _t562 >> 0x00000001 & 1;
									 *(_t694 + 0x109b) = _t562 >> 0x00000002 & 1;
									 *(_t694 + 0x10a0) = _t562 >> 0x0000000a & 1;
									_t395 = _t562 & 0x00000010;
									__eflags = _t668 - 2;
									if(_t668 != 2) {
										L38:
										_t643 = 0;
										__eflags = 0;
										 *(_t708 + 0x5b) = 0;
										L39:
										 *((char*)(_t694 + 0x10f0)) =  *(_t708 + 0x5b);
										_t516 =  *((intOrPtr*)(_t708 + 0x14));
										__eflags = _t668 - 2;
										if(_t668 == 2) {
											L41:
											_t396 = _t643;
											L42:
											 *(_t694 + 0x10fa) = _t396;
											_t563 = _t562 & 0x000000e0;
											__eflags = _t563 - 0xe0;
											 *((char*)(_t694 + 0x10f1)) = 0 | _t563 == 0x000000e0;
											__eflags = _t563 - 0xe0;
											if(_t563 != 0xe0) {
												_t644 =  *(_t694 + 8);
												_t400 = 0x10000 << (_t644 >> 0x00000005 & 0x00000007);
												__eflags = 0x10000;
											} else {
												_t400 = _t643;
												_t644 =  *(_t694 + 8);
											}
											 *(_t694 + 0x10f4) = _t400;
											 *(_t694 + 0x10f3) = _t644 >> 0x0000000b & 0x00000001;
											 *(_t694 + 0x10f2) = _t644 >> 0x00000003 & 0x00000001;
											 *((intOrPtr*)(_t694 + 0x14)) = E011DCBFB(_t708 + 0x1c);
											 *((intOrPtr*)(_t708 + 0x54)) = E011DCBFB(_t708 + 0x1c);
											 *((char*)(_t694 + 0x18)) = E011DCBAF(_t708 + 0x1c);
											 *(_t694 + 0x1070) = 2;
											 *((intOrPtr*)(_t694 + 0x1074)) = E011DCBFB(_t708 + 0x1c);
											 *(_t708 + 0x44) = E011DCBFB(_t708 + 0x1c);
											 *(_t694 + 0x1c) = E011DCBAF(_t708 + 0x1c) & 0x000000ff;
											 *((char*)(_t694 + 0x20)) = E011DCBAF(_t708 + 0x1c) - 0x30;
											 *(_t708 + 0x50) = E011DCBC6(_t708 + 0x1c) & 0x0000ffff;
											_t413 = E011DCBFB(_t708 + 0x1c);
											_t647 =  *(_t694 + 0x1c);
											 *(_t708 + 0x48) = _t413;
											 *(_t694 + 0x24) = _t413;
											__eflags = _t647 - 0x14;
											if(_t647 < 0x14) {
												__eflags = _t413 & 0x00000010;
												if((_t413 & 0x00000010) != 0) {
													 *((char*)(_t694 + 0x10f1)) = 1;
												}
											}
											 *(_t694 + 0x109c) = 0;
											__eflags =  *(_t694 + 0x109b);
											if( *(_t694 + 0x109b) == 0) {
												L57:
												_t414 =  *((intOrPtr*)(_t694 + 0x18));
												 *(_t694 + 0x10fc) = 2;
												__eflags = _t414 - 3;
												if(_t414 == 3) {
													L61:
													 *(_t694 + 0x10fc) = 1;
													L62:
													 *(_t694 + 0x1100) = 0;
													__eflags = _t414 - 3;
													if(_t414 == 3) {
														__eflags = ( *(_t708 + 0x48) & 0x0000f000) - 0xa000;
														if(( *(_t708 + 0x48) & 0x0000f000) == 0xa000) {
															__eflags = 0;
															 *(_t694 + 0x1100) = 1;
															 *((short*)(_t694 + 0x1104)) = 0;
														}
													}
													__eflags = _t668 - 2;
													if(_t668 == 2) {
														L67:
														_t415 = 0;
														goto L68;
													} else {
														_t415 = 1;
														__eflags =  *(_t694 + 0x24);
														if( *(_t694 + 0x24) < 0) {
															L68:
															 *((char*)(_t694 + 0x10f8)) = _t415;
															_t418 =  *(_t694 + 8) >> 0x00000008 & 0x00000001;
															__eflags = _t418;
															 *(_t694 + 0x10f9) = _t418;
															if(_t418 == 0) {
																__eflags =  *((intOrPtr*)(_t708 + 0x54)) - 0xffffffff;
																_t640 = 0;
																_t669 = 0;
																_t141 =  *((intOrPtr*)(_t708 + 0x54)) == 0xffffffff;
																__eflags = _t141;
																_t419 = _t418 & 0xffffff00 | _t141;
																L74:
																 *(_t694 + 0x109a) = _t419;
																 *(_t708 + 0x5b) = _t419;
																 *((intOrPtr*)(_t694 + 0x1058)) = 0 +  *((intOrPtr*)(_t694 + 0x14));
																asm("adc edi, ecx");
																 *((intOrPtr*)(_t694 + 0x105c)) = _t669;
																asm("adc edx, ecx");
																 *(_t694 + 0x1060) = 0 +  *((intOrPtr*)(_t708 + 0x54));
																__eflags =  *(_t708 + 0x5b);
																 *(_t694 + 0x1064) = _t640;
																if( *(_t708 + 0x5b) != 0) {
																	 *(_t694 + 0x1060) = 0x7fffffff;
																	 *(_t694 + 0x1064) = 0x7fffffff;
																}
																_t424 =  *(_t708 + 0x50);
																_t670 = 0x1fff;
																__eflags = _t424 - 0x1fff;
																if(_t424 < 0x1fff) {
																	_t670 = _t424;
																}
																E011DCC5D(_t708 + 0x1c, _t708 - 0x2030, _t670);
																_t427 = 0;
																__eflags =  *(_t708 + 0x18) - 2;
																 *((char*)(_t708 + _t670 - 0x2030)) = 0;
																_t585 = ((0 |  *(_t708 + 0x18) == 0x00000002) - 0x00000001 & 0x00002350) + 0x22c0 + _t516;
																__eflags =  *(_t708 + 0x18) - 2;
																 *((intOrPtr*)(_t708 + 0x54)) = _t585;
																if( *(_t708 + 0x18) != 2) {
																	E011E1B84(_t708 - 0x2030, _t585, 0x800);
																	_t431 =  *((intOrPtr*)(_t694 + 0xc)) -  *(_t708 + 0x50);
																	__eflags =  *(_t694 + 8) & 0x00000400;
																	_t671 = _t431 - 0x20;
																	if(( *(_t694 + 8) & 0x00000400) != 0) {
																		_t671 = _t431 - 0x28;
																	}
																	__eflags = _t671;
																	if(_t671 > 0) {
																		E011D20BD(_t694 + 0x1028, _t671);
																		_t676 = _t694 + 0x1028;
																		_t431 = E011F3E49(E011DCC5D(_t708 + 0x1c,  *_t676, _t671),  *((intOrPtr*)(_t708 + 0x54)), L"RR");
																		__eflags = _t431;
																		if(_t431 == 0) {
																			__eflags =  *((intOrPtr*)(_t694 + 0x102c)) - 0x14;
																			if( *((intOrPtr*)(_t694 + 0x102c)) >= 0x14) {
																				_t609 =  *_t676;
																				_t184 = _t609 + 0xb; // 0x7500
																				asm("cdq");
																				_t695 =  *_t184 & 0x000000ff;
																				_t185 = _t609 + 0xa; // 0x750025
																				asm("cdq");
																				_t697 = (_t695 << 8) + ( *_t185 & 0x000000ff);
																				_t190 = _t609 + 9; // 0x75002500
																				asm("adc edi, edx");
																				asm("cdq");
																				_t699 = (_t697 << 8) + ( *_t190 & 0x000000ff);
																				_t195 = _t609 + 8; // 0x250068
																				asm("adc edi, edx");
																				asm("cdq");
																				_t701 = (_t699 << 8) + ( *_t195 & 0x000000ff);
																				asm("adc edi, edx");
																				 *(_t516 + 0x21d8) = _t701 << 9;
																				 *(_t516 + 0x21dc) = ((((_t640 << 0x00000020 | _t695) << 0x8 << 0x00000020 | _t697) << 0x8 << 0x00000020 | _t699) << 0x8 << 0x00000020 | _t701) << 9;
																				 *0x1203278();
																				_t469 = E011E0264( *(_t516 + 0x21d8),  *(_t516 + 0x21dc),  *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0x14))))(), _t640);
																				 *(_t516 + 0x21e0) = _t469;
																				 *(_t708 + 0x48) = _t469;
																				_t470 = E011EEBA0(_t468, _t640, 0xc8, 0);
																				asm("adc edx, [ebx+0x21dc]");
																				_t431 = E011E0264(_t470 +  *(_t516 + 0x21d8), _t640, _t468, _t640);
																				_t612 =  *(_t708 + 0x48);
																				_t694 =  *(_t708 + 0x4c);
																				__eflags = _t431 - _t612;
																				if(_t431 > _t612) {
																					_t431 = _t612 + 1;
																					 *(_t516 + 0x21e0) = _t612 + 1;
																				}
																			}
																		}
																	}
																	_t432 = E011F3E49(_t431,  *((intOrPtr*)(_t708 + 0x54)), L"CMT");
																	__eflags = _t432;
																	if(_t432 == 0) {
																		 *((char*)(_t516 + 0x6cce)) = 1;
																	}
																} else {
																	_t640 = 0;
																	 *_t585 = 0;
																	__eflags =  *(_t694 + 8) & 0x00000200;
																	if(( *(_t694 + 8) & 0x00000200) != 0) {
																		E011D6976(_t708);
																		_t478 = E011F3E90(_t708 - 0x2030) + 1;
																		__eflags = _t670 - _t478;
																		if(_t670 > _t478) {
																			__eflags = _t478 + _t708 - 0x2030;
																			E011D6986(_t708, _t708 - 0x2030, _t670, _t478 + _t708 - 0x2030, _t670 - _t478,  *((intOrPtr*)(_t708 + 0x54)), 0x800);
																		}
																		_t585 =  *((intOrPtr*)(_t708 + 0x54));
																		_t427 = 0;
																		__eflags = 0;
																	}
																	__eflags =  *_t585 - _t427;
																	if( *_t585 == _t427) {
																		_push(1);
																		_push(0x800);
																		_push(_t585);
																		_push(_t708 - 0x2030);
																		E011E02BA();
																	}
																	E011D2134(_t516, _t694);
																}
																__eflags =  *(_t694 + 8) & 0x00000400;
																if(( *(_t694 + 8) & 0x00000400) != 0) {
																	E011DCC5D(_t708 + 0x1c, _t694 + 0x10a1, 8);
																}
																E011E140E( *(_t708 + 0x44));
																__eflags =  *(_t694 + 8) & 0x00001000;
																if(( *(_t694 + 8) & 0x00001000) == 0) {
																	L112:
																	 *((intOrPtr*)(_t516 + 0x6cc0)) = E011D3EFB( *((intOrPtr*)(_t516 + 0x6cc0)),  *(_t516 + 0x6cc4),  *((intOrPtr*)(_t694 + 0x1058)),  *((intOrPtr*)(_t694 + 0x105c)), 0, 0);
																	 *(_t516 + 0x6cc4) = _t640;
																	 *(_t708 + 0x44) =  *(_t694 + 0x10f2);
																	_t437 = E011DCCAC(_t708 + 0x1c,  *(_t708 + 0x44));
																	__eflags =  *_t694 - (_t437 & 0x0000ffff);
																	if( *_t694 != (_t437 & 0x0000ffff)) {
																		 *((char*)(_t516 + 0x6cdc)) = 1;
																		E011D6D83(0x1211098, 1);
																		__eflags =  *((char*)(_t708 + 0x5a));
																		if(__eflags == 0) {
																			E011D2021(__eflags, 0x1c, _t516 + 0x32,  *((intOrPtr*)(_t708 + 0x54)));
																		}
																	}
																	goto L119;
																} else {
																	_t442 = E011DCBC6(_t708 + 0x1c);
																	 *_t708 = _t516 + 0x32d8;
																	 *((intOrPtr*)(_t708 + 4)) = _t516 + 0x32e0;
																	 *((intOrPtr*)(_t708 + 8)) = _t516 + 0x32e8;
																	__eflags = 0;
																	_t672 = 0;
																	 *((intOrPtr*)(_t708 + 0xc)) = 0;
																	_t447 = _t442 & 0x0000ffff;
																	 *(_t708 + 0x50) = 0;
																	 *(_t708 + 0x44) = _t447;
																	do {
																		_t593 = 3;
																		_t520 = _t447 >> _t593 - _t672 << 2;
																		__eflags = _t520 & 0x00000008;
																		if((_t520 & 0x00000008) == 0) {
																			goto L110;
																		}
																		__eflags =  *(_t708 + _t672 * 4);
																		if( *(_t708 + _t672 * 4) == 0) {
																			goto L110;
																		}
																		__eflags = _t672;
																		if(__eflags != 0) {
																			E011E140E(E011DCBFB(_t708 + 0x1c));
																		}
																		E011E1218( *(_t708 + _t672 * 4), _t640, _t708, __eflags, _t708 - 0x30);
																		__eflags = _t520 & 0x00000004;
																		if((_t520 & 0x00000004) != 0) {
																			_t249 = _t708 - 0x1c;
																			 *_t249 =  *(_t708 - 0x1c) + 1;
																			__eflags =  *_t249;
																		}
																		_t597 = 0;
																		 *(_t708 - 0x18) = 0;
																		_t521 = _t520 & 0x00000003;
																		__eflags = _t521;
																		if(_t521 <= 0) {
																			L109:
																			_t450 = _t597 * 0x64;
																			__eflags = _t450;
																			 *(_t708 - 0x18) = _t450;
																			E011E146A( *(_t708 + _t672 * 4), _t640, _t708 - 0x30);
																			_t447 =  *(_t708 + 0x44);
																		} else {
																			_t673 = 3;
																			_t675 = _t673 - _t521 << 3;
																			__eflags = _t675;
																			do {
																				_t455 = (E011DCBAF(_t708 + 0x1c) & 0x000000ff) << _t675;
																				_t675 = _t675 + 8;
																				_t597 =  *(_t708 - 0x18) | _t455;
																				 *(_t708 - 0x18) = _t597;
																				_t521 = _t521 - 1;
																				__eflags = _t521;
																			} while (_t521 != 0);
																			_t672 =  *(_t708 + 0x50);
																			goto L109;
																		}
																		L110:
																		_t672 = _t672 + 1;
																		 *(_t708 + 0x50) = _t672;
																		__eflags = _t672 - 4;
																	} while (_t672 < 4);
																	_t516 =  *((intOrPtr*)(_t708 + 0x14));
																	goto L112;
																}
															}
															_t669 = E011DCBFB(_t708 + 0x1c);
															_t484 = E011DCBFB(_t708 + 0x1c);
															__eflags =  *((intOrPtr*)(_t708 + 0x54)) - 0xffffffff;
															_t640 = _t484;
															if( *((intOrPtr*)(_t708 + 0x54)) != 0xffffffff) {
																L72:
																_t419 = 0;
																goto L74;
															}
															__eflags = _t640 - 0xffffffff;
															if(_t640 != 0xffffffff) {
																goto L72;
															}
															_t419 = 1;
															goto L74;
														}
														goto L67;
													}
												}
												__eflags = _t414 - 5;
												if(_t414 == 5) {
													goto L61;
												}
												__eflags = _t414 - 6;
												if(_t414 < 6) {
													 *(_t694 + 0x10fc) = 0;
												}
												goto L62;
											} else {
												_t648 = _t647 - 0xd;
												__eflags = _t648;
												if(_t648 == 0) {
													 *(_t694 + 0x109c) = 1;
													goto L57;
												}
												_t650 = _t648;
												__eflags = _t650;
												if(_t650 == 0) {
													 *(_t694 + 0x109c) = 2;
													goto L57;
												}
												_t651 = _t650 - 5;
												__eflags = _t651;
												if(_t651 == 0) {
													L54:
													 *(_t694 + 0x109c) = 3;
													goto L57;
												}
												__eflags = _t651 == 6;
												if(_t651 == 6) {
													goto L54;
												}
												 *(_t694 + 0x109c) = 4;
												goto L57;
											}
										}
										__eflags = _t395;
										_t396 = 1;
										if(_t395 != 0) {
											goto L42;
										}
										goto L41;
									}
									__eflags = _t395;
									if(_t395 == 0) {
										goto L38;
									}
									 *(_t708 + 0x5b) = 1;
									_t643 = 0;
									goto L39;
								}
								_t488 = _t378 - 1;
								__eflags = _t488;
								if(_t488 == 0) {
									goto L35;
								}
								__eflags = _t488 == 0;
								if(_t488 == 0) {
									_t624 = 5;
									memcpy(_t516 + 0x45a8, _t516 + 0x21fc, _t624 << 2);
									_t653 =  *(_t516 + 0x45b0);
									 *(_t516 + 0x45c4) =  *(_t516 + 0x45b0) & 0x00000001;
									_t628 = _t653 >> 0x00000001 & 0x00000001;
									_t640 = _t653 >> 0x00000003 & 0x00000001;
									 *(_t516 + 0x45c5) = _t628;
									 *(_t516 + 0x45c6) = _t653 >> 0x00000002 & 0x00000001;
									 *(_t516 + 0x45c7) = _t640;
									__eflags = _t628;
									if(_t628 != 0) {
										 *((intOrPtr*)(_t516 + 0x45bc)) = E011DCBFB(_t708 + 0x1c);
									}
									__eflags =  *(_t516 + 0x45c7);
									if( *(_t516 + 0x45c7) != 0) {
										_t498 = E011DCBC6(_t708 + 0x1c) & 0x0000ffff;
										 *(_t516 + 0x45c0) = _t498;
										 *(_t516 + 0x6cf0) = _t498;
									}
									goto L119;
								} else {
									__eflags =  *(_t516 + 0x2204) & 0x00008000;
									if(( *(_t516 + 0x2204) & 0x00008000) != 0) {
										 *((intOrPtr*)(_t516 + 0x6cc0)) =  *((intOrPtr*)(_t516 + 0x6cc0)) + E011DCBFB(_t708 + 0x1c);
										asm("adc dword [ebx+0x6cc4], 0x0");
									}
									goto L120;
								}
							}
							__eflags = _t688 - 1;
							if(_t688 != 1) {
								L24:
								_t335 = _t533 - 7;
								goto L25;
							}
							__eflags =  *(_t516 + 0x2204) & 0x00000002;
							if(( *(_t516 + 0x2204) & 0x00000002) == 0) {
								goto L24;
							}
							goto L23;
						}
						_t501 = _t334 - 1;
						__eflags = _t501;
						if(_t501 == 0) {
							 *(_t516 + 0x2200) = _t640;
							_t688 = _t640;
							goto L20;
						}
						_t502 = _t501 - 6;
						__eflags = _t502;
						if(_t502 == 0) {
							_push(3);
							L17:
							_pop(_t503);
							 *(_t516 + 0x2200) = _t503;
							_t688 = _t503;
							goto L20;
						}
						__eflags = _t502 != 1;
						if(_t502 != 1) {
							goto L20;
						} else {
							_push(5);
							goto L17;
						}
					} else {
						E011D20D7(_t516);
						goto L131;
					}
				}
				_t639 =  *((intOrPtr*)(__ecx + 0x6cd8)) + _t657;
				asm("adc eax, ecx");
				_t718 =  *((intOrPtr*)(__ecx + 0x6cbc));
				if(_t718 < 0 || _t718 <= 0 &&  *((intOrPtr*)(__ecx + 0x6cb8)) <= _t639) {
					goto L7;
				} else {
					 *((char*)(_t708 + 0x5a)) = 1;
					E011D3E6D(_t516);
					 *0x1203278(_t708 + 0x40, 8);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0xc))))() == 8) {
						_t707 = _t516 + 0x1038;
						E011D603A(_t707, 0, 4,  *((intOrPtr*)(_t516 + 0x21d4)) + 0x6024, _t708 + 0x40, 0, 0, 0, 0);
						 *((intOrPtr*)(_t708 + 0x3c)) = _t707;
						goto L8;
					}
					goto L5;
				}
			}

0x011d2874
0x011d287e
0x011d2885
0x011d288c
0x011d288f
0x011d2898
0x011d289b
0x011d289e
0x011d28a5
0x011d2923
0x011d2923
0x011d2926
0x011d2926
0x011d292a
0x011d292f
0x011d2933
0x011d28ec
0x011d28ee
0x011d32da
0x011d32dd
0x011d32eb
0x011d32f6
0x011d32f6
0x011d2943
0x011d2949
0x011d2958
0x011d2960
0x011d2966
0x011d2971
0x011d297c
0x011d297f
0x011d2985
0x011d298b
0x011d298d
0x011d299f
0x011d29a0
0x011d29a0
0x011d29a3
0x011d29d1
0x011d29db
0x011d29db
0x011d29dc
0x011d29dc
0x011d29e2
0x011d29e5
0x011d29f5
0x011d29f7
0x011d29fd
0x011d29fd
0x011d2a01
0x011d2a0e
0x011d2a1f
0x011d2a22
0x011d2a28
0x011d2a2e
0x011d2a36
0x011d2a39
0x011d2a39
0x011d2a3c
0x011d3159
0x011d3161
0x011d3168
0x011d316f
0x011d317c
0x011d318e
0x011d3193
0x011d3199
0x011d31ab
0x011d31b1
0x011d31be
0x011d31cb
0x011d31d8
0x011d31de
0x011d31e0
0x011d31ed
0x011d31ed
0x011d31ef
0x011d31ef
0x011d31fb
0x011d320b
0x011d320b
0x011d320e
0x011d3214
0x011d321a
0x011d321c
0x011d321d
0x011d3222
0x011d322a
0x011d3230
0x011d32d4
0x011d32d7
0x00000000
0x011d32d7
0x011d3236
0x011d323c
0x011d323f
0x00000000
0x00000000
0x011d3245
0x011d3248
0x00000000
0x00000000
0x011d324e
0x011d3251
0x011d32a6
0x011d32ad
0x011d32b4
0x011d32b9
0x011d32bd
0x00000000
0x00000000
0x011d32c6
0x011d32cb
0x00000000
0x011d32cb
0x011d3253
0x011d325a
0x00000000
0x00000000
0x011d3263
0x011d3271
0x011d3271
0x011d3274
0x011d327b
0x011d3283
0x011d3286
0x011d328a
0x011d328c
0x011d3293
0x011d3297
0x011d329a
0x011d329d
0x011d329d
0x011d329d
0x011d32a2
0x011d32a4
0x00000000
0x00000000
0x00000000
0x011d32a4
0x011d31e2
0x011d31e4
0x011d31eb
0x00000000
0x00000000
0x00000000
0x011d31eb
0x011d2a42
0x011d2a42
0x011d2a45
0x011d2b0a
0x011d2b0c
0x011d2b14
0x011d2b23
0x011d2b27
0x011d2b2a
0x011d2b31
0x011d2b3a
0x011d2b3c
0x011d2b40
0x011d2b46
0x011d2b4b
0x011d2b57
0x011d2b64
0x011d2b71
0x011d2b79
0x011d2b7c
0x011d2b7f
0x011d2b8c
0x011d2b8c
0x011d2b8c
0x011d2b8e
0x011d2b91
0x011d2b94
0x011d2b9a
0x011d2b9d
0x011d2ba0
0x011d2ba8
0x011d2ba8
0x011d2baa
0x011d2baa
0x011d2bb5
0x011d2bb7
0x011d2bbc
0x011d2bc2
0x011d2bc8
0x011d2bd1
0x011d2be1
0x011d2be1
0x011d2bca
0x011d2bca
0x011d2bcc
0x011d2bcc
0x011d2be3
0x011d2bf9
0x011d2bff
0x011d2c0d
0x011d2c18
0x011d2c23
0x011d2c26
0x011d2c38
0x011d2c46
0x011d2c51
0x011d2c61
0x011d2c6c
0x011d2c72
0x011d2c77
0x011d2c7a
0x011d2c7d
0x011d2c80
0x011d2c83
0x011d2c85
0x011d2c87
0x011d2c89
0x011d2c89
0x011d2c87
0x011d2c92
0x011d2c98
0x011d2c9e
0x011d2ce3
0x011d2ce3
0x011d2ce6
0x011d2cf0
0x011d2cf2
0x011d2d04
0x011d2d04
0x011d2d0e
0x011d2d0e
0x011d2d14
0x011d2d16
0x011d2d20
0x011d2d25
0x011d2d27
0x011d2d29
0x011d2d33
0x011d2d33
0x011d2d25
0x011d2d3a
0x011d2d3d
0x011d2d46
0x011d2d46
0x00000000
0x011d2d3f
0x011d2d3f
0x011d2d41
0x011d2d44
0x011d2d48
0x011d2d48
0x011d2d54
0x011d2d54
0x011d2d56
0x011d2d5c
0x011d2d89
0x011d2d8d
0x011d2d8f
0x011d2d91
0x011d2d91
0x011d2d91
0x011d2d94
0x011d2d94
0x011d2d9a
0x011d2da2
0x011d2da8
0x011d2daf
0x011d2db5
0x011d2db7
0x011d2dbd
0x011d2dc1
0x011d2dc7
0x011d2dce
0x011d2dd4
0x011d2dd4
0x011d2dda
0x011d2ddd
0x011d2de2
0x011d2de4
0x011d2de6
0x011d2de6
0x011d2df3
0x011d2dfa
0x011d2dfc
0x011d2e00
0x011d2e17
0x011d2e19
0x011d2e1d
0x011d2e20
0x011d2ea4
0x011d2eac
0x011d2eaf
0x011d2eb6
0x011d2eb9
0x011d2ebb
0x011d2ebb
0x011d2ebe
0x011d2ec0
0x011d2ecd
0x011d2ed3
0x011d2eeb
0x011d2ef2
0x011d2ef4
0x011d2efa
0x011d2f01
0x011d2f07
0x011d2f09
0x011d2f0d
0x011d2f0e
0x011d2f12
0x011d2f1a
0x011d2f1e
0x011d2f20
0x011d2f24
0x011d2f26
0x011d2f2e
0x011d2f30
0x011d2f34
0x011d2f36
0x011d2f3e
0x011d2f42
0x011d2f4b
0x011d2f56
0x011d2f5c
0x011d2f78
0x011d2f88
0x011d2f8e
0x011d2f91
0x011d2f9c
0x011d2fa4
0x011d2fa9
0x011d2fac
0x011d2faf
0x011d2fb1
0x011d2fb3
0x011d2fb6
0x011d2fb6
0x011d2fb1
0x011d2f01
0x011d2ef4
0x011d2fc4
0x011d2fcb
0x011d2fcd
0x011d2fcf
0x011d2fcf
0x011d2e22
0x011d2e22
0x011d2e24
0x011d2e27
0x011d2e2e
0x011d2e33
0x011d2e44
0x011d2e46
0x011d2e48
0x011d2e5d
0x011d2e67
0x011d2e67
0x011d2e6c
0x011d2e6f
0x011d2e6f
0x011d2e6f
0x011d2e71
0x011d2e74
0x011d2e76
0x011d2e78
0x011d2e7d
0x011d2e84
0x011d2e85
0x011d2e85
0x011d2e8d
0x011d2e8d
0x011d2fd6
0x011d2fdd
0x011d2feb
0x011d2feb
0x011d2ff9
0x011d2ffe
0x011d3005
0x011d30dd
0x011d30fe
0x011d3107
0x011d3113
0x011d3119
0x011d3121
0x011d3123
0x011d3130
0x011d3137
0x011d313c
0x011d3140
0x011d314f
0x011d314f
0x011d3140
0x00000000
0x011d300b
0x011d300e
0x011d301c
0x011d3025
0x011d302e
0x011d3031
0x011d3033
0x011d3035
0x011d3038
0x011d303a
0x011d303d
0x011d3040
0x011d3042
0x011d304a
0x011d304c
0x011d304f
0x00000000
0x00000000
0x011d3051
0x011d3056
0x00000000
0x00000000
0x011d3058
0x011d305a
0x011d3069
0x011d3069
0x011d3076
0x011d307b
0x011d307e
0x011d3080
0x011d3080
0x011d3080
0x011d3080
0x011d3083
0x011d3085
0x011d3088
0x011d3088
0x011d308b
0x011d30b7
0x011d30b7
0x011d30b7
0x011d30be
0x011d30c5
0x011d30ca
0x011d308d
0x011d308f
0x011d3092
0x011d3092
0x011d3095
0x011d30a2
0x011d30a4
0x011d30aa
0x011d30ac
0x011d30af
0x011d30af
0x011d30af
0x011d30b4
0x00000000
0x011d30b4
0x011d30cd
0x011d30cd
0x011d30ce
0x011d30d1
0x011d30d1
0x011d30da
0x00000000
0x011d30da
0x011d3005
0x011d2d69
0x011d2d6b
0x011d2d70
0x011d2d74
0x011d2d76
0x011d2d83
0x011d2d85
0x00000000
0x011d2d85
0x011d2d78
0x011d2d7b
0x00000000
0x00000000
0x011d2d7d
0x00000000
0x011d2d7f
0x00000000
0x011d2d44
0x011d2d3d
0x011d2cf4
0x011d2cf6
0x00000000
0x00000000
0x011d2cf8
0x011d2cfa
0x011d2cfc
0x011d2cfc
0x00000000
0x011d2ca0
0x011d2ca0
0x011d2ca0
0x011d2ca3
0x011d2cd9
0x00000000
0x011d2cd9
0x011d2ca6
0x011d2ca6
0x011d2ca9
0x011d2ccd
0x00000000
0x011d2ccd
0x011d2cab
0x011d2cab
0x011d2cae
0x011d2cc1
0x011d2cc1
0x00000000
0x011d2cc1
0x011d2cb0
0x011d2cb3
0x00000000
0x00000000
0x011d2cb5
0x00000000
0x011d2cb5
0x011d2c9e
0x011d2ba2
0x011d2ba4
0x011d2ba6
0x00000000
0x00000000
0x00000000
0x011d2ba6
0x011d2b81
0x011d2b83
0x00000000
0x00000000
0x011d2b85
0x011d2b88
0x00000000
0x011d2b88
0x011d2a4b
0x011d2a4b
0x011d2a4e
0x00000000
0x00000000
0x011d2a55
0x011d2a58
0x011d2a8c
0x011d2a93
0x011d2a9b
0x011d2aa3
0x011d2ab2
0x011d2aba
0x011d2abd
0x011d2ac3
0x011d2ac9
0x011d2acf
0x011d2ad1
0x011d2adb
0x011d2adb
0x011d2ae1
0x011d2ae8
0x011d2af6
0x011d2af9
0x011d2aff
0x011d2aff
0x00000000
0x011d2a5a
0x011d2a5a
0x011d2a64
0x011d2a72
0x011d2a78
0x011d2a78
0x00000000
0x011d2a64
0x011d2a58
0x011d29e7
0x011d29ea
0x011d29fa
0x011d29fa
0x00000000
0x011d29fa
0x011d29ec
0x011d29f3
0x00000000
0x00000000
0x00000000
0x011d29f3
0x011d29a5
0x011d29a5
0x011d29a8
0x011d29c5
0x011d29cb
0x00000000
0x011d29cb
0x011d29aa
0x011d29aa
0x011d29ad
0x011d29b8
0x011d29ba
0x011d29ba
0x011d29bb
0x011d29c1
0x00000000
0x011d29c1
0x011d29af
0x011d29b2
0x00000000
0x011d29b4
0x011d29b4
0x00000000
0x011d29b4
0x011d298f
0x011d2991
0x00000000
0x011d2991
0x011d298d
0x011d28af
0x011d28b1
0x011d28b3
0x011d28b9
0x00000000
0x011d28c5
0x011d28c7
0x011d28cb
0x011d28dd
0x011d28ea
0x011d2908
0x011d2919
0x011d291e
0x00000000
0x011d291e
0x00000000
0x011d28ea

APIs

__EH_prolog.LIBCMT ref: 011D2874
_strlen.LIBCMT ref: 011D2E3F

Part of subcall function 011E02BA: __EH_prolog.LIBCMT ref: 011E02BF

Part of subcall function 011E1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,011DBAE9,00000000,?,?,?,000103AC), ref: 011E1BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011D2F91

Strings

CMT, xrefs: 011D2FBC

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: a0036e918dfb5e52d4028a39022cc77493e76eb8534ff35d2c71ab3b0d38d279
Instruction ID: 5c2060693469be479a6e0adcbe6ca42880d207a527f1db2c6ca43879b2371473
Opcode Fuzzy Hash: a0036e918dfb5e52d4028a39022cc77493e76eb8534ff35d2c71ab3b0d38d279
Instruction Fuzzy Hash: A6622671A002458FDB1DDF78C884BEA3BA1FF64304F08457EEDAA8B282DB759545CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011EF838 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E011EF838(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E011EFA46(_t34);
				 *_t60 = 0x2cc;
				_v632 = E011EFFF0(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E011EFFF0(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E011EFA46(_t49);
				}
				return _t49;
			}

0x011ef838
0x011ef838
0x011ef838
0x011ef84c
0x011ef84e
0x011ef851
0x011ef851
0x011ef855
0x011ef85a
0x011ef872
0x011ef878
0x011ef87e
0x011ef884
0x011ef88a
0x011ef890
0x011ef896
0x011ef89d
0x011ef8a4
0x011ef8ab
0x011ef8b2
0x011ef8b9
0x011ef8c0
0x011ef8c1
0x011ef8ca
0x011ef8d0
0x011ef8d3
0x011ef8d9
0x011ef8e8
0x011ef8f4
0x011ef8ff
0x011ef906
0x011ef90d
0x011ef918
0x011ef920
0x011ef929
0x011ef92b
0x011ef92e
0x011ef930
0x011ef93a
0x011ef942
0x011ef948
0x00000000
0x011ef94f
0x011ef952

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 011EF844
IsDebuggerPresent.KERNEL32 ref: 011EF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 011EF930
UnhandledExceptionFilter.KERNEL32(?), ref: 011EF93A

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 61748dc54c7e12af2bfef3d7cf16474167b3e61ed642e54bd7dd757a9af8e55c
Instruction ID: 2fc3523952b9631b6257904b01838fec662a7cba62abf41bdb1c68afabeeefd6
Opcode Fuzzy Hash: 61748dc54c7e12af2bfef3d7cf16474167b3e61ed642e54bd7dd757a9af8e55c
Instruction Fuzzy Hash: 83312775D0521A9FDB21DFA4D98DBCCBBF8BF08304F1041AAE40CAB250EB719A859F45

Uniqueness

Uniqueness Score: -1.00%

Function 011EE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E011EE6A3(signed int _a4, signed int _a8) {
				struct _MEMORY_BASIC_INFORMATION _v32;
				struct _SYSTEM_INFO _v68;
				long _t20;
				signed int _t28;
				void* _t30;
				signed int _t32;
				signed int _t40;
				signed int _t45;

				_t20 = VirtualQuery(_a4,  &_v32, 0x1c);
				if(_t20 == 0) {
					_push(0x19);
					asm("int 0x29");
				}
				if((_v32.Protect & 0x00000044) != 0) {
					GetSystemInfo( &_v68);
					_t40 = _v68.dwPageSize;
					_t32 = _t40 - 1;
					_t45 =  !_t32 & _a4;
					_t28 = _a8 / _t40;
					_t30 = ((_t32 & _a4) + _t40 + (_t32 & _a8) - 1) / _t40 + _t28;
					if(_t30 == 0) {
						L5:
						return _t28;
					} else {
						goto L4;
					}
					do {
						L4:
						_t28 = 0;
						asm("lock or [esi], eax");
						_t45 = _t45 + _t40;
						_t30 = _t30 - 1;
					} while (_t30 != 0);
					goto L5;
				}
				return _t20;
			}

0x011ee6b4
0x011ee6bc
0x011ee6be
0x011ee6c1
0x011ee6c1
0x011ee6c7
0x011ee6cf
0x011ee6d5
0x011ee6d8
0x011ee6ea
0x011ee6fa
0x011ee6fc
0x011ee6fe
0x011ee70c
0x00000000
0x00000000
0x00000000
0x00000000
0x011ee700
0x011ee700
0x011ee700
0x011ee702
0x011ee705
0x011ee707
0x011ee707
0x00000000
0x011ee700
0x011ee70f

APIs

VirtualQuery.KERNEL32(80000000,011EE5E8,0000001C,011EE7DD,00000000,?,?,?,?,?,?,?,011EE5E8,00000004,01231CEC,011EE86D), ref: 011EE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,011EE5E8,00000004,01231CEC,011EE86D), ref: 011EE6CF

Strings

D, xrefs: 011EE6C3

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: b86ce8756f55e7f77701653af2c5a8ad672756474cbbc7312de3635c36b76db1
Instruction ID: 9bbd55d554ddc52f0f1611624ccb9cdb1f2ed0befad203bde1a8eef7011a5dd1
Opcode Fuzzy Hash: b86ce8756f55e7f77701653af2c5a8ad672756474cbbc7312de3635c36b76db1
Instruction Fuzzy Hash: 9801D436A405096BDB28DE69DC0DADE7BFAAFC8324F0CC220ED19D6145D734D9058680

Uniqueness

Uniqueness Score: -1.00%

Function 011F8EBD Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E011F8EBD(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x120e7ac; // 0xc166b63b
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E011EFA46(_t41);
					_pop(_t61);
				}
				E011EFFF0(_t66,  &_v804, 0, 0x50);
				E011EFFF0(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E011EFA46(_t57);
				}
				return E011EFBBC(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x011f8ebd
0x011f8ebd
0x011f8ebd
0x011f8ec8
0x011f8ecd
0x011f8ecf
0x011f8ed7
0x011f8ed9
0x011f8edc
0x011f8ee1
0x011f8ee1
0x011f8eed
0x011f8f00
0x011f8f0e
0x011f8f14
0x011f8f1a
0x011f8f20
0x011f8f26
0x011f8f2c
0x011f8f32
0x011f8f38
0x011f8f3e
0x011f8f44
0x011f8f4b
0x011f8f52
0x011f8f59
0x011f8f60
0x011f8f67
0x011f8f6e
0x011f8f6f
0x011f8f78
0x011f8f7e
0x011f8f81
0x011f8f87
0x011f8f94
0x011f8f9d
0x011f8fa6
0x011f8faf
0x011f8fbd
0x011f8fbf
0x011f8fd4
0x011f8fe0
0x011f8fe3
0x011f8fe8
0x011f8ff7

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 011F8FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 011F8FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 011F8FCC

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e23e3cd92768b8947360699c62f81a931e34426e4b7465e4959a22194dbec9ab
Instruction ID: b6410ebe906778d97501c2a6e7f591e363f021b8e7bdc1d2456825d4cc1d0452
Opcode Fuzzy Hash: e23e3cd92768b8947360699c62f81a931e34426e4b7465e4959a22194dbec9ab
Instruction Fuzzy Hash: 8531E87590121DABCB25DF68D888B9CBBF8BF48310F5042DAE91CA7290E7309F818F45

Uniqueness

Uniqueness Score: -1.00%

Function 011F7DEE Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E011F7DEE(int _a4) {
				void* _t14;
				void* _t15;
				void* _t17;
				void* _t18;
				void* _t19;

				if(E011FB076(_t14, _t15, _t17, _t18, _t19) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E011F7E73(_t15, _a4);
				ExitProcess(_a4);
			}

0x011f7dfa
0x011f7e16
0x011f7e16
0x011f7e1f
0x011f7e28

APIs

GetCurrentProcess.KERNEL32(00000000,?,011F7DC4,00000000,0120C300,0000000C,011F7F1B,00000000,00000002,00000000), ref: 011F7E0F
TerminateProcess.KERNEL32(00000000,?,011F7DC4,00000000,0120C300,0000000C,011F7F1B,00000000,00000002,00000000), ref: 011F7E16
ExitProcess.KERNEL32 ref: 011F7E28

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: af25895ff189e6a87ed600547720274baee53a8119e414628fffa52415ccc0c2
Instruction ID: e6fcaa8e188c069b667a7e8f912837d961aed43a2f5388ea676c589e1e6afaa6
Opcode Fuzzy Hash: af25895ff189e6a87ed600547720274baee53a8119e414628fffa52415ccc0c2
Instruction Fuzzy Hash: 44E04631000148AFCF26AF24ED0CA897F6AFB20241F104519FA198A167CB76DD52CB80

Uniqueness

Uniqueness Score: -1.00%

Function 011FB348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E011FB348(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				union _FINDEX_INFO_LEVELS _t58;
				signed int _t62;
				signed int _t65;
				void* _t71;
				void* _t73;
				signed int _t74;
				void* _t77;
				CHAR* _t78;
				void* _t79;
				intOrPtr* _t82;
				intOrPtr _t84;
				void* _t86;
				intOrPtr* _t87;
				signed int _t91;
				signed int _t95;
				void* _t100;
				signed int _t103;
				union _FINDEX_INFO_LEVELS _t104;
				void* _t105;
				void* _t108;
				void* _t109;
				intOrPtr _t110;
				void* _t111;
				void* _t112;
				signed int _t116;
				void* _t117;
				signed int _t118;
				void* _t119;
				void* _t120;

				_push(__ecx);
				_t82 = _a4;
				_t2 = _t82 + 1; // 0x1
				_t100 = _t2;
				do {
					_t35 =  *_t82;
					_t82 = _t82 + 1;
				} while (_t35 != 0);
				_t103 = _a12;
				_t84 = _t82 - _t100 + 1;
				_v8 = _t84;
				if(_t84 <= (_t35 | 0xffffffff) - _t103) {
					_t5 = _t103 + 1; // 0x1
					_t77 = _t5 + _t84;
					_t109 = E011FB136(_t84, _t77, 1);
					_t86 = _t108;
					__eflags = _t103;
					if(_t103 == 0) {
						L6:
						_push(_v8);
						_t77 = _t77 - _t103;
						_t40 = E011FF101(_t86, _t109 + _t103, _t77, _a4);
						_t118 = _t117 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t71 = E011FB587(_a16, _t100, __eflags, _t109);
							E011F8DCC(0);
							_t73 = _t71;
							goto L8;
						}
					} else {
						_push(_t103);
						_t74 = E011FF101(_t86, _t109, _t77, _a8);
						_t118 = _t117 + 0x10;
						__eflags = _t74;
						if(_t74 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E011F9097();
							asm("int3");
							_t116 = _t118;
							_t119 = _t118 - 0x150;
							_t43 =  *0x120e7ac; // 0xc166b63b
							_v48 = _t43 ^ _t116;
							_t87 = _v32;
							_push(_t77);
							_t78 = _v36;
							_push(_t109);
							_t110 = _v332.cAlternateFileName;
							_push(_t103);
							_v372 = _t110;
							while(1) {
								__eflags = _t87 - _t78;
								if(_t87 == _t78) {
									break;
								}
								_t45 =  *_t87;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t87 = E011FF150(_t78, _t87);
											continue;
										}
									}
								}
								break;
							}
							_t101 =  *_t87;
							__eflags = _t101 - 0x3a;
							if(_t101 != 0x3a) {
								L19:
								_t104 = 0;
								__eflags = _t101 - 0x2f;
								if(_t101 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t101 - 0x5c;
									if(_t101 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t101 - 0x3a;
										if(_t101 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t89 = _t87 - _t78 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t87 - _t78 + 0x00000001;
								E011EFFF0(_t104,  &_v332, _t104, 0x140);
								_t120 = _t119 + 0xc;
								_t111 = FindFirstFileExA(_t78, _t104,  &_v332, _t104, _t104, _t104);
								_t55 = _v336;
								__eflags = _t111 - 0xffffffff;
								if(_t111 != 0xffffffff) {
									_t91 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t91;
									_t92 = _t91 >> 2;
									_v344 = _t91 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E011FB348(_t92,  &(_v332.cFileName), _t78, _v340);
											_t120 = _t120 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t92 = _v287;
											__eflags = _t92;
											if(_t92 == 0) {
												goto L37;
											} else {
												__eflags = _t92 - 0x2e;
												if(_t92 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t111,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t101 =  *_t55;
									_t95 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t95 - _t65;
									if(_t95 != _t65) {
										E011F6310(_t78, _t101 + _t95 * 4, _t65 - _t95, 4, E011FB1A0);
									}
								} else {
									_push(_t55);
									_t57 = E011FB348(_t89, _t78, _t104, _t104);
									L26:
									_t104 = _t57;
								}
								__eflags = _t111 - 0xffffffff;
								if(_t111 != 0xffffffff) {
									FindClose(_t111);
								}
								_t58 = _t104;
							} else {
								__eflags = _t87 -  &(_t78[1]);
								if(_t87 ==  &(_t78[1])) {
									goto L19;
								} else {
									_push(_t110);
									_t58 = E011FB348(_t87, _t78, 0, 0);
								}
							}
							_pop(_t105);
							_pop(_t112);
							__eflags = _v12 ^ _t116;
							_pop(_t79);
							return E011EFBBC(_t58, _t79, _v12 ^ _t116, _t101, _t105, _t112);
						} else {
							goto L6;
						}
					}
				} else {
					_t73 = 0xc;
					L8:
					return _t73;
				}
				L40:
			}

0x011fb34d
0x011fb34e
0x011fb351
0x011fb351
0x011fb354
0x011fb354
0x011fb356
0x011fb357
0x011fb361
0x011fb364
0x011fb367
0x011fb36c
0x011fb375
0x011fb378
0x011fb382
0x011fb385
0x011fb386
0x011fb388
0x011fb39c
0x011fb39c
0x011fb39f
0x011fb3a9
0x011fb3ae
0x011fb3b1
0x011fb3b3
0x00000000
0x011fb3b5
0x011fb3b9
0x011fb3c2
0x011fb3c8
0x00000000
0x011fb3cb
0x011fb38a
0x011fb38a
0x011fb390
0x011fb395
0x011fb398
0x011fb39a
0x011fb3d1
0x011fb3d3
0x011fb3d4
0x011fb3d5
0x011fb3d6
0x011fb3d7
0x011fb3d8
0x011fb3dd
0x011fb3e1
0x011fb3e3
0x011fb3e9
0x011fb3f0
0x011fb3f3
0x011fb3f6
0x011fb3f7
0x011fb3fa
0x011fb3fb
0x011fb3fe
0x011fb3ff
0x011fb420
0x011fb420
0x011fb422
0x00000000
0x00000000
0x011fb407
0x011fb409
0x011fb40b
0x011fb40d
0x011fb40f
0x011fb411
0x011fb413
0x011fb41e
0x00000000
0x011fb41e
0x011fb413
0x011fb40f
0x00000000
0x011fb40b
0x011fb424
0x011fb426
0x011fb429
0x011fb442
0x011fb442
0x011fb444
0x011fb447
0x011fb457
0x011fb459
0x011fb459
0x011fb449
0x011fb449
0x011fb44c
0x00000000
0x011fb44e
0x011fb44e
0x011fb451
0x00000000
0x011fb453
0x011fb453
0x011fb453
0x011fb451
0x011fb44c
0x011fb45f
0x011fb467
0x011fb46b
0x011fb479
0x011fb47e
0x011fb493
0x011fb495
0x011fb49b
0x011fb49e
0x011fb4d0
0x011fb4d0
0x011fb4d2
0x011fb4d5
0x011fb4db
0x011fb4db
0x011fb4e2
0x011fb4fc
0x011fb4fc
0x011fb50b
0x011fb510
0x011fb513
0x011fb515
0x00000000
0x00000000
0x00000000
0x00000000
0x011fb4e4
0x011fb4e4
0x011fb4ea
0x011fb4ec
0x00000000
0x011fb4ee
0x011fb4ee
0x011fb4f1
0x00000000
0x011fb4f3
0x011fb4f3
0x011fb4fa
0x00000000
0x00000000
0x00000000
0x00000000
0x011fb4fa
0x011fb4f1
0x011fb4ec
0x00000000
0x011fb517
0x011fb51f
0x011fb525
0x011fb527
0x011fb527
0x011fb52f
0x011fb534
0x011fb53c
0x011fb53f
0x011fb541
0x011fb555
0x011fb55a
0x011fb4a0
0x011fb4a0
0x011fb4a4
0x011fb4ac
0x011fb4ac
0x011fb4ac
0x011fb4ae
0x011fb4b1
0x011fb4b4
0x011fb4b4
0x011fb4ba
0x011fb42b
0x011fb42e
0x011fb430
0x00000000
0x011fb432
0x011fb432
0x011fb438
0x011fb43d
0x011fb430
0x011fb4bf
0x011fb4c0
0x011fb4c1
0x011fb4c3
0x011fb4cc
0x00000000
0x00000000
0x00000000
0x011fb39a
0x011fb36e
0x011fb370
0x011fb3cc
0x011fb3d0
0x011fb3d0
0x00000000

Strings

., xrefs: 011FB4DB

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 59f9d5f5dac3532a0582dcca4b94adcc310d8398d16ed7059a26d6763cc33b28
Instruction ID: 4ff637591a15177b88ba5655e544dafd8db8aa867baba9cac59ce4f84c1f4468
Opcode Fuzzy Hash: 59f9d5f5dac3532a0582dcca4b94adcc310d8398d16ed7059a26d6763cc33b28
Instruction Fuzzy Hash: 5A31267290824AAFDB2DDE78CC84EFB7BBDDB85304F0401ACEA19D7242E73099458B50

Uniqueness

Uniqueness Score: -1.00%

Function 011FD440 Relevance: 3.5, APIs: 2, Instructions: 464
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 90%

			E011FD440(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t262;
				signed int _t263;
				signed int _t264;
				void* _t265;
				intOrPtr* _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int* _t274;
				signed int* _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr _t282;
				void* _t286;
				signed char _t292;
				signed int _t295;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t318;
				signed int _t322;
				signed int* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				signed int _t342;
				signed int* _t344;
				signed int _t349;
				signed int _t351;
				void* _t355;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int* _t368;
				signed int* _t369;
				signed int* _t370;
				signed int* _t373;

				_t262 = _a4;
				_t197 =  *_t262;
				if(_t197 != 0) {
					_t328 = _a8;
					_t267 =  *_t328;
					__eflags = _t267;
					if(_t267 != 0) {
						_t3 = _t197 - 1; // -1
						_t349 = _t3;
						_t4 = _t267 - 1; // -1
						_t198 = _t4;
						_v16 = _t349;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t349;
							if(_t198 > _t349) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t306 = _t349 - _t198;
								_v60 = _t46;
								_t269 = _t349;
								__eflags = _t349 - _t306;
								if(_t349 < _t306) {
									L21:
									_t306 = _t306 + 1;
									__eflags = _t306;
								} else {
									_t368 =  &(_t262[_t349 + 1]);
									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t368;
										if( *_t341 !=  *_t368) {
											break;
										}
										_t269 = _t269 - 1;
										_t341 = _t341 - 4;
										_t368 = _t368 - 4;
										__eflags = _t269 - _t306;
										if(_t269 >= _t306) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t369 = _a8;
									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t306;
								if(__eflags != 0) {
									_t330 = _v60;
									_t200 = _a8;
									_t351 =  *(_t200 + _t330 * 4);
									_t64 = _t330 * 4; // 0xffffe9e5
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t351;
									if(__eflags == 0) {
										_t270 = 0x20;
									} else {
										_t270 = 0x1f - _t201;
									}
									_v40 = _t270;
									_v64 = 0x20 - _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										_t292 = _v40;
										_v36 = _v36 << _t292;
										_v56 = _t351 << _t292 | _v36 >> _v64;
										__eflags = _t330 - 2;
										if(_t330 > 2) {
											_t79 = _t330 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t307 = _t306 + 0xffffffff;
									__eflags = _t307;
									_v32 = _t307;
									if(_t307 < 0) {
										_t331 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t262[1]); // 0x4
										_v20 =  &(_t85[_t307]);
										_t206 = _t307 + _t330;
										_t90 = _t262 - 4; // -4
										_v12 = _t206;
										_t278 = _t90 + _t206 * 4;
										_v80 = _t278;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t278[2];
											}
											__eflags = _v40;
											_t311 = _t278[1];
											_t279 =  *_t278;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t279;
											if(_v40 > 0) {
												_t318 = _v8;
												_t336 = _t279 >> _v64;
												_t230 = E011EF0C0(_t311, _v40, _t318);
												_t279 = _v40;
												_t207 = _t318;
												_t311 = _t336 | _t230;
												_t359 = _v24 << _t279;
												__eflags = _v12 - 3;
												_v8 = _t318;
												_v24 = _t359;
												if(_v12 >= 3) {
													_t279 = _v64;
													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
													__eflags = _t360;
													_t207 = _v8;
													_v24 = _t360;
												}
											}
											_t208 = E012021C0(_t311, _t207, _v56, 0);
											_v44 = _t262;
											_t263 = _t208;
											_v44 = 0;
											_t209 = _t311;
											_v8 = _t263;
											_v28 = _t209;
											_t333 = _t279;
											_v72 = _t263;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t264 = _t263 + 1;
												asm("adc eax, 0xffffffff");
												_t333 = _t333 + E011EF0E0(_t264, _t209, _v56, 0);
												asm("adc esi, edx");
												_t263 = _t264 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t263;
												_v72 = _t263;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t263 - 0xffffffff;
												if(_t263 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t333 - 0xffffffff;
													if(_t333 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t228 = E011EF0E0(_v36, 0, _t263, _t209);
															__eflags = _t311 - _t333;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t263 = _t263 + 0xffffffff;
																_v72 = _t263;
																asm("adc eax, 0xffffffff");
																_t333 = _t333 + _v56;
																__eflags = _t333;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t333 == 0) {
																	__eflags = _t333 - 0xffffffff;
																	if(_t333 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t263;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t280 = _v60;
												_t334 = 0;
												_t355 = 0;
												__eflags = _t280;
												if(_t280 != 0) {
													_t266 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t280;
													do {
														_v44 =  *_t219;
														_t225 =  *_t266;
														_t286 = _t334 + _v72 * _v44;
														asm("adc esi, edx");
														_t334 = _t355;
														_t355 = 0;
														__eflags = _t225 - _t286;
														if(_t225 < _t286) {
															_t334 = _t334 + 1;
															asm("adc esi, esi");
														}
														 *_t266 = _t225 - _t286;
														_t266 = _t266 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t263 = _v8;
													_t280 = _v60;
												}
												__eflags = 0 - _t355;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														__eflags = _t280;
														if(_t280 != 0) {
															_t338 = _t280;
															_t314 = _v20;
															_t362 =  &(_a8[1]);
															__eflags = _t362;
															_t265 = 0;
															do {
																_t282 =  *_t314;
																_t172 = _t362 + 4; // 0xa6a5959
																_t362 = _t172;
																_t314 = _t314 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
																asm("adc eax, 0x0");
																_t265 = 0;
																_t338 = _t338 - 1;
																__eflags = _t338;
															} while (_t338 != 0);
															_t263 = _v8;
														}
														_t263 = _t263 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t334;
														if(_v52 < _t334) {
															goto L63;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t263;
												if(_t263 != 0) {
													goto L54;
												}
											}
											_t331 = 0 + _t263;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t313 = _v32 - 1;
											_t262 = _a4;
											_t278 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t331;
											_v32 = _t313;
											_v80 = _t278;
											_v12 = _t206;
											__eflags = _t313;
										} while (_t313 >= 0);
									}
									_t309 = _v16 + 1;
									_t204 = _t309;
									__eflags = _t204 -  *_t262;
									if(_t204 <  *_t262) {
										_t191 = _t204 + 1; // 0x11fea5d
										_t274 =  &(_t262[_t191]);
										do {
											 *_t274 = 0;
											_t194 =  &(_t274[1]); // 0x91850fc2
											_t274 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t262;
										} while (_t204 <  *_t262);
									}
									 *_t262 = _t309;
									__eflags = _t309;
									if(_t309 != 0) {
										while(1) {
											_t271 =  *_t262;
											__eflags = _t262[_t271];
											if(_t262[_t271] != 0) {
												goto L78;
											}
											_t272 = _t271 + 0xffffffff;
											__eflags = _t272;
											 *_t262 = _t272;
											if(_t272 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									return _t331;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t328[1]); // 0xfc23b5a
							_t295 =  *_t6;
							_v44 = _t295;
							__eflags = _t295 - 1;
							if(_t295 != 1) {
								__eflags = _t349;
								if(_t349 != 0) {
									_t342 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t349 - 0xffffffff;
									if(_t349 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t373 =  &(_t262[_t349 + 1]);
										do {
											_t253 = E012021C0( *_t373, _t342, _t295, 0);
											_v68 = _t303;
											_t373 = _t373 - 4;
											_v20 = _t262;
											_t342 = _t295;
											_t303 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t303;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t295 = _v44;
										} while ( *_t34 != 0);
										_t262 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t262[1]); // 0x4
									_t370 = _t41;
									 *_t262 = 0;
									E011FBDE1(_t370, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t370 = _t342;
									_t262[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t262 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t262[1]); // 0x4
									_t344 = _t14;
									_v544 = 0;
									 *_t262 = 0;
									E011FBDE1(_t344, 0x1cc,  &_v540, 0);
									_t256 = _t262[1];
									_t322 = _t256 % _v44;
									__eflags = 0 - _t322;
									 *_t344 = _t322;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t262 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t262[1]); // 0x4
								_v544 = _t198;
								 *_t262 = _t198;
								E011FBDE1(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t262[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}

0x011fd44c
0x011fd44f
0x011fd453
0x011fd45d
0x011fd460
0x011fd462
0x011fd464
0x011fd471
0x011fd471
0x011fd474
0x011fd474
0x011fd477
0x011fd47a
0x011fd47c
0x011fd5af
0x011fd5b1
0x011fd5fa
0x011fd5fe
0x011fd604
0x011fd5b3
0x011fd5b5
0x011fd5b8
0x011fd5ba
0x011fd5bd
0x011fd5bf
0x011fd5c1
0x011fd5f5
0x011fd5f5
0x011fd5f5
0x011fd5c3
0x011fd5c8
0x011fd5ce
0x011fd5ce
0x011fd5d1
0x011fd5d3
0x011fd5d5
0x00000000
0x00000000
0x011fd5d7
0x011fd5d8
0x011fd5db
0x011fd5de
0x011fd5e0
0x00000000
0x011fd5e2
0x00000000
0x011fd5e2
0x00000000
0x011fd5e0
0x011fd5e4
0x011fd5eb
0x011fd5ef
0x011fd5f3
0x00000000
0x00000000
0x011fd5f3
0x011fd5f6
0x011fd5f6
0x011fd5f8
0x011fd605
0x011fd608
0x011fd60b
0x011fd60e
0x011fd60e
0x011fd612
0x011fd615
0x011fd618
0x011fd61b
0x011fd626
0x011fd61d
0x011fd622
0x011fd622
0x011fd630
0x011fd635
0x011fd638
0x011fd63a
0x011fd644
0x011fd647
0x011fd64e
0x011fd651
0x011fd654
0x011fd65c
0x011fd662
0x011fd662
0x011fd662
0x011fd662
0x011fd654
0x011fd667
0x011fd66e
0x011fd66e
0x011fd671
0x011fd674
0x011fd8a6
0x011fd8a6
0x011fd67a
0x011fd67a
0x011fd680
0x011fd683
0x011fd686
0x011fd689
0x011fd68c
0x011fd68f
0x011fd692
0x011fd692
0x011fd695
0x011fd69c
0x011fd69c
0x011fd697
0x011fd697
0x011fd697
0x011fd69e
0x011fd6a2
0x011fd6a5
0x011fd6a7
0x011fd6aa
0x011fd6b1
0x011fd6b4
0x011fd6b7
0x011fd6c2
0x011fd6c5
0x011fd6ca
0x011fd6cf
0x011fd6d6
0x011fd6db
0x011fd6dd
0x011fd6df
0x011fd6e3
0x011fd6e6
0x011fd6e9
0x011fd6f1
0x011fd6fa
0x011fd6fa
0x011fd6fc
0x011fd6ff
0x011fd6ff
0x011fd6e9
0x011fd709
0x011fd70e
0x011fd713
0x011fd715
0x011fd718
0x011fd71a
0x011fd71d
0x011fd720
0x011fd722
0x011fd725
0x011fd728
0x011fd72a
0x011fd731
0x011fd736
0x011fd739
0x011fd743
0x011fd745
0x011fd747
0x011fd74a
0x011fd74a
0x011fd74c
0x011fd74f
0x011fd752
0x011fd755
0x011fd758
0x011fd72c
0x011fd72c
0x011fd72f
0x00000000
0x00000000
0x011fd72f
0x011fd75b
0x011fd75d
0x011fd75f
0x00000000
0x011fd761
0x011fd761
0x011fd764
0x011fd766
0x011fd766
0x011fd774
0x011fd777
0x011fd77c
0x011fd77e
0x00000000
0x00000000
0x011fd780
0x011fd787
0x011fd787
0x011fd78a
0x011fd78d
0x011fd790
0x011fd793
0x011fd793
0x011fd796
0x011fd799
0x011fd79d
0x011fd7a0
0x011fd7a2
0x011fd7a5
0x00000000
0x00000000
0x011fd7a7
0x011fd7a5
0x011fd782
0x011fd782
0x011fd785
0x00000000
0x00000000
0x00000000
0x00000000
0x011fd785
0x011fd7ac
0x011fd7ac
0x00000000
0x011fd7ac
0x011fd7a9
0x00000000
0x011fd7a9
0x011fd764
0x011fd75f
0x011fd7af
0x011fd7af
0x011fd7b1
0x011fd7bb
0x011fd7bb
0x011fd7be
0x011fd7c0
0x011fd7c2
0x011fd7c4
0x011fd7c9
0x011fd7cc
0x011fd7cc
0x011fd7cf
0x011fd7d2
0x011fd7d5
0x011fd7d7
0x011fd7ec
0x011fd7ee
0x011fd7f0
0x011fd7f2
0x011fd7f4
0x011fd7f6
0x011fd7f8
0x011fd7fa
0x011fd7fd
0x011fd7fd
0x011fd801
0x011fd803
0x011fd809
0x011fd80c
0x011fd80c
0x011fd80c
0x011fd810
0x011fd810
0x011fd815
0x011fd818
0x011fd818
0x011fd81d
0x011fd81f
0x011fd821
0x011fd828
0x011fd828
0x011fd82a
0x011fd82f
0x011fd831
0x011fd834
0x011fd834
0x011fd837
0x011fd840
0x011fd840
0x011fd842
0x011fd842
0x011fd847
0x011fd84d
0x011fd851
0x011fd854
0x011fd857
0x011fd859
0x011fd859
0x011fd859
0x011fd85e
0x011fd85e
0x011fd861
0x011fd864
0x011fd823
0x011fd823
0x011fd826
0x00000000
0x00000000
0x011fd826
0x011fd821
0x011fd86b
0x011fd86b
0x011fd86c
0x011fd7b3
0x011fd7b3
0x011fd7b5
0x00000000
0x00000000
0x011fd7b5
0x011fd87c
0x011fd881
0x011fd884
0x011fd888
0x011fd889
0x011fd88c
0x011fd88f
0x011fd890
0x011fd893
0x011fd896
0x011fd899
0x011fd89c
0x011fd89c
0x011fd8a4
0x011fd8ab
0x011fd8ac
0x011fd8ae
0x011fd8b0
0x011fd8b2
0x011fd8b5
0x011fd8c0
0x011fd8c0
0x011fd8c6
0x011fd8c6
0x011fd8c9
0x011fd8ca
0x011fd8ca
0x011fd8c0
0x011fd8ce
0x011fd8d0
0x011fd8d2
0x011fd8d4
0x011fd8d4
0x011fd8d6
0x011fd8da
0x00000000
0x00000000
0x011fd8dc
0x011fd8dc
0x011fd8df
0x011fd8e1
0x00000000
0x00000000
0x00000000
0x011fd8e1
0x011fd8d4
0x011fd8e3
0x011fd8ed
0x00000000
0x00000000
0x00000000
0x011fd5f8
0x011fd482
0x011fd482
0x011fd482
0x011fd485
0x011fd488
0x011fd48b
0x011fd4bc
0x011fd4be
0x011fd509
0x011fd50b
0x011fd512
0x011fd519
0x011fd51c
0x011fd51f
0x011fd525
0x011fd525
0x011fd526
0x011fd529
0x011fd530
0x011fd539
0x011fd53e
0x011fd541
0x011fd546
0x011fd549
0x011fd54b
0x011fd550
0x011fd553
0x011fd556
0x011fd556
0x011fd556
0x011fd55a
0x011fd55d
0x011fd55d
0x011fd562
0x011fd562
0x011fd56d
0x011fd578
0x011fd578
0x011fd57b
0x011fd587
0x011fd58c
0x011fd597
0x011fd599
0x011fd59b
0x011fd5a1
0x011fd5a6
0x011fd5a8
0x011fd5ae
0x011fd4c0
0x011fd4cc
0x011fd4cc
0x011fd4cf
0x011fd4df
0x011fd4e5
0x011fd4ec
0x011fd4ee
0x011fd4f6
0x011fd4f8
0x011fd4fa
0x011fd4ff
0x011fd502
0x011fd508
0x011fd508
0x011fd48d
0x011fd490
0x011fd494
0x011fd49a
0x011fd4a9
0x011fd4b3
0x011fd4bb
0x011fd4bb
0x011fd48b
0x011fd466
0x011fd469
0x011fd46f
0x011fd46f
0x011fd455
0x011fd45b
0x011fd45b

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 6b88f03a23979091a163a1686e98516ff06e5b70a07d9a9fe60fc9591a4184b5
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: C3023E71E002199FDF19CFA9D8906ADBBF1EF88324F15826DD919EB381D730A941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 011EAF0F Relevance: 3.0, APIs: 2, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EAF0F(signed int _a4, signed int _a8, short* _a12, int _a16) {
				short _v104;
				short _v304;
				short* _t23;
				int _t24;

				if( *0x120e73c == 0) {
					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
					 *0x122fcb0 = _v304;
					 *0x122fcb2 = 0;
					 *0x120e73c = 0x122fcb0;
				}
				E011E04BD(_a4, _a8,  &_v104, 0x32);
				_t23 = _a12;
				_t24 = _a16;
				 *_t23 = 0;
				GetNumberFormatW(0x400, 0,  &_v104, 0x120e72c, _t23, _t24);
				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
				return 0;
			}

0x011eaf27
0x011eaf35
0x011eaf42
0x011eaf4a
0x011eaf50
0x011eaf50
0x011eaf66
0x011eaf6b
0x011eaf70
0x011eaf7a
0x011eaf84
0x011eaf8c
0x011eaf95

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 011EAF35
GetNumberFormatW.KERNEL32 ref: 011EAF84

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 8666e7d2fea95b89bfa51984e6eee39b071e26cc41568862fad072cca4c2ec2a
Instruction ID: eddded2e9fbb1036097640c1670a16c5a5afe54a024a4f464a66bf7e480e734f
Opcode Fuzzy Hash: 8666e7d2fea95b89bfa51984e6eee39b071e26cc41568862fad072cca4c2ec2a
Instruction Fuzzy Hash: 82015A3A150308BAD722DFB4ED49F9EB7B8FF08710F005522FA05A7195E370A9548BA5

Uniqueness

Uniqueness Score: -1.00%

Function 011D6C74 Relevance: 3.0, APIs: 2, Instructions: 16
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011D6C74(WCHAR* _a4, long _a8) {
				long _t5;

				_t5 = GetLastError();
				if(_t5 == 0) {
					return 0;
				}
				return FormatMessageW(0x1200, 0, _t5, 0x400, _a4, _a8, 0) & 0xffffff00 | _t7 != 0x00000000;
			}

0x011d6c74
0x011d6c7c
0x00000000
0x011d6ca2
0x00000000

APIs

GetLastError.KERNEL32(011D6DDF,00000000,00000400), ref: 011D6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 011D6C95

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b07b57013381eb6b058bc9f6756dcee53cf07294faf402256dd2c5ff85641d10
Instruction ID: fbaa1f542e21e840750866972e99180b92da4099681927150384e2cd5c5d3067
Opcode Fuzzy Hash: b07b57013381eb6b058bc9f6756dcee53cf07294faf402256dd2c5ff85641d10
Instruction Fuzzy Hash: D8D0C931385300BFFA268A619D0AF2F7B9ABF45B51F18C504B755E80D1CB749424E729

Uniqueness

Uniqueness Score: -1.00%

Function 012019F4 Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E012019F4(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E011FF352(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E011FF2B8(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x01201a02
0x01201a09
0x01201a0e
0x01201a14
0x01201a17
0x01201a1d
0x01201a22
0x01201a27
0x01201a27
0x01201a2d
0x01201a32
0x01201a37
0x01201a37
0x01201a3e
0x01201a43
0x01201a48
0x01201a48
0x01201a4f
0x01201a54
0x01201a59
0x01201a59
0x01201a60
0x01201a65
0x01201a6a
0x01201a6a
0x01201a72
0x01201a82
0x01201a94
0x01201aa6
0x01201ab9
0x01201acb
0x01201ad3
0x01201ad8
0x01201add
0x01201add
0x01201ae4
0x01201ae9
0x01201ae9
0x01201af0
0x01201af5
0x01201af5
0x01201afc
0x01201b01
0x01201b01
0x01201b08
0x01201b0d
0x01201b0d
0x01201b17
0x01201b19
0x01201b53
0x01201b1b
0x01201b20
0x01201b44
0x01201b4c
0x01201b40
0x01201b40
0x01201b56
0x01201b5d
0x01201b5f
0x01201b81
0x01201b89
0x01201b8c
0x01201b8c
0x01201b8e
0x01201b8e
0x01201b99
0x01201b9f
0x01201ba4
0x01201bab
0x01201be5
0x01201bf0
0x01201bf6
0x01201bf9
0x01201bfc
0x01201c08
0x01201c10
0x01201bad
0x01201bb0
0x01201bbc
0x01201bc2
0x01201bc8
0x01201bcb
0x01201bd4
0x01201bd4
0x01201c13
0x01201c21
0x01201c27
0x01201c2e
0x01201c30
0x01201c30
0x01201c37
0x01201c39
0x01201c39
0x01201c40
0x01201c42
0x01201c42
0x01201c49
0x01201c4b
0x01201c4b
0x01201c52
0x01201c54
0x01201c54
0x01201c61
0x01201c64
0x01201c9b
0x01201c66
0x01201c66
0x01201c69
0x01201c94
0x01201c89
0x01201c89
0x01201c9d
0x01201ca5
0x01201ca8
0x01201cc7
0x01201ccc
0x01201ccc
0x01201cce
0x01201cd3
0x01201cdf
0x01201cd5
0x01201cd8
0x01201cd8
0x01201ce4
0x01201ce4
0x01201caa
0x01201cad
0x01201cbc
0x00000000
0x01201cbc
0x01201caf
0x01201cb2
0x01201cb4
0x01201cb4
0x00000000
0x01201cb2
0x01201c6b
0x01201c6e
0x01201c84
0x00000000
0x01201c84
0x01201c73
0x01201c75
0x01201c75
0x01201c73
0x00000000
0x01201c64
0x01201b66
0x01201b74
0x01201b7c
0x00000000
0x01201b7c
0x01201b6a
0x01201b6f
0x01201b6f
0x00000000
0x01201b6a
0x01201b27
0x01201b35
0x01201b3d
0x00000000
0x01201b3d
0x01201b2b
0x01201b30
0x01201b30
0x01201b2b

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,012019EF,?,?,00000008,?,?,0120168F,00000000), ref: 01201C21

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6cbdc2012b46b03d457e09aaff707f12a5e417ab97febbd2f299e80ec9c90047
Instruction ID: b54ef2a53bb8a7e93d4124de09feabc497459809bfa7f5daf74aaab19d802570
Opcode Fuzzy Hash: 6cbdc2012b46b03d457e09aaff707f12a5e417ab97febbd2f299e80ec9c90047
Instruction Fuzzy Hash: E0B12B312206099FE716CF2CC48AB657BE0FF45364F258658EA99CF2E2D375D9A1CB40

Uniqueness

Uniqueness Score: -1.00%

Function 011DB146 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011DB146() {
				struct _OSVERSIONINFOW _v280;
				signed int _t6;
				intOrPtr _t12;
				intOrPtr _t13;

				_t12 =  *0x120e020; // 0x2
				if(_t12 != 0xffffffff) {
					_t6 =  *0x12110a8;
					_t13 =  *0x12110ac;
				} else {
					_v280.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v280);
					_t12 = _v280.dwPlatformId;
					_t6 = _v280.dwMajorVersion;
					_t13 = _v280.dwMinorVersion;
					 *0x120e020 = _t12;
					 *0x12110a8 = _t6;
					 *0x12110ac = _t13;
				}
				if(_t12 != 2) {
					return 0x501;
				} else {
					return (_t6 << 8) + _t13;
				}
			}

0x011db149
0x011db158
0x011db196
0x011db19b
0x011db15a
0x011db160
0x011db16b
0x011db171
0x011db177
0x011db17d
0x011db183
0x011db189
0x011db18e
0x011db18e
0x011db1a4
0x011db1b3
0x011db1a6
0x011db1ac
0x011db1ac

APIs

GetVersionExW.KERNEL32(?), ref: 011DB16B

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 163b3cd83457aa8104f1ef05fa2813b41091db7c65a34b8ebc00f0cd31a1410f
Instruction ID: 179ae78ab91318bfcebb32dc6481f5646f3879c2705eec021045d5616696001f
Opcode Fuzzy Hash: 163b3cd83457aa8104f1ef05fa2813b41091db7c65a34b8ebc00f0cd31a1410f
Instruction Fuzzy Hash: 78F030B4E002088FDB29CB28F8896D973F2F759315F114699DA1693385C770A9818F65

Uniqueness

Uniqueness Score: -1.00%

Function 011D40FE Relevance: 1.5, Strings: 1, Instructions: 276
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E011D40FE() {
				signed int* _t187;
				void* _t190;
				signed int _t200;
				signed int _t201;
				signed int _t202;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int _t216;
				signed int _t217;
				signed int _t224;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t239;
				signed int _t240;
				signed int _t245;
				signed int _t246;
				signed int _t253;
				signed int _t254;
				signed int _t256;
				signed int _t258;
				intOrPtr _t259;
				signed int _t260;
				signed int _t262;
				signed int _t263;
				signed int _t265;
				signed int _t266;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t278;
				signed int _t280;
				signed int _t283;
				signed int _t286;
				signed int _t289;
				signed int _t292;
				intOrPtr _t295;
				signed int _t297;
				signed int _t299;
				signed int _t301;
				signed int _t303;
				signed int _t305;
				signed int _t306;
				signed int _t308;
				signed int _t310;
				void* _t311;
				signed int _t320;
				signed int _t323;
				signed int _t326;
				signed int _t328;
				intOrPtr _t329;
				signed int _t331;
				signed int _t332;
				intOrPtr _t335;
				signed int _t337;
				signed int _t339;
				signed int _t342;
				signed int _t344;
				signed int _t345;
				signed int _t347;
				signed int _t348;
				intOrPtr _t349;
				intOrPtr _t350;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				intOrPtr _t355;
				signed int _t356;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				void* _t362;
				void* _t363;
				void* _t364;

				_t295 =  *((intOrPtr*)(_t362 + 0xd0));
				_t187 =  *(_t295 + 0xf8);
				_t258 =  *_t187 ^ 0x510e527f;
				_t352 = _t187[1] ^ 0x9b05688c;
				_t266 = 0x10;
				memcpy(_t362 + 0xa0,  *(_t362 + 0xe0), _t266 << 2);
				_t363 = _t362 + 0xc;
				_push(8);
				_t190 = memcpy(_t363 + 0x5c,  *(_t295 + 0xf4), 0 << 2);
				_t364 = _t363 + 0xc;
				 *(_t364 + 0x20) =  *_t190 ^ 0x1f83d9ab;
				_t272 =  *(_t364 + 0x6c);
				_t335 = 0;
				 *(_t364 + 0x28) =  *(_t190 + 4) ^ 0x5be0cd19;
				 *(_t364 + 0x1c) =  *(_t364 + 0x78);
				 *(_t364 + 0x38) =  *(_t364 + 0x74);
				 *(_t364 + 0x18) = 0x6a09e667;
				 *(_t364 + 0x24) = 0xbb67ae85;
				 *(_t364 + 0x2c) = 0x3c6ef372;
				 *(_t364 + 0x34) = 0xa54ff53a;
				 *((intOrPtr*)(_t364 + 0x14)) = 0;
				 *(_t364 + 0x30) =  *(_t364 + 0x70);
				 *(_t364 + 0x10) = _t272;
				do {
					_t27 = _t335 + 0x12036c0; // 0x3020100
					_t31 = _t364 + 0x18; // 0x6a09e667
					_t320 =  *((intOrPtr*)(_t364 + 0x9c + ( *_t27 & 0x000000ff) * 4)) + _t272 +  *(_t364 + 0x5c);
					_t297 = _t320 ^ _t258;
					_t259 =  *((intOrPtr*)(_t364 + 0x14));
					asm("rol edx, 0x10");
					_t274 =  *_t31 + _t297;
					_t337 = _t274 ^  *(_t364 + 0x10);
					asm("ror esi, 0xc");
					_t200 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0x12036c1) & 0x000000ff) * 4)) + _t337 + _t320;
					 *(_t364 + 0x18) = _t200;
					_t201 = _t200 ^ _t297;
					asm("ror eax, 0x8");
					 *(_t364 + 0x3c) = _t201;
					_t202 = _t201 + _t274;
					 *(_t364 + 0x48) = _t202;
					asm("ror eax, 0x7");
					 *(_t364 + 0x50) = _t202 ^ _t337;
					_t323 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0x12036c2) & 0x000000ff) * 4)) +  *(_t364 + 0x30) +  *(_t364 + 0x60);
					_t299 = _t323 ^ _t352;
					_t353 =  *(_t364 + 0x38);
					asm("rol edx, 0x10");
					_t276 =  *(_t364 + 0x24) + _t299;
					_t339 = _t276 ^  *(_t364 + 0x30);
					asm("ror esi, 0xc");
					_t208 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0x12036c3) & 0x000000ff) * 4)) + _t339 + _t323;
					 *(_t364 + 0x10) = _t208;
					_t209 = _t208 ^ _t299;
					asm("ror eax, 0x8");
					 *(_t364 + 0x44) = _t209;
					_t210 = _t209 + _t276;
					 *(_t364 + 0x58) = _t210;
					asm("ror eax, 0x7");
					 *(_t364 + 0x24) = _t210 ^ _t339;
					_t342 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0x12036c4) & 0x000000ff) * 4)) + _t353 +  *(_t364 + 0x64);
					_t301 = _t342 ^  *(_t364 + 0x20);
					asm("rol edx, 0x10");
					_t278 =  *(_t364 + 0x2c) + _t301;
					_t354 = _t353 ^ _t278;
					asm("ror ebp, 0xc");
					_t216 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0x12036c5) & 0x000000ff) * 4)) + _t354 + _t342;
					 *(_t364 + 0x40) = _t216;
					_t217 = _t216 ^ _t301;
					asm("ror eax, 0x8");
					 *(_t364 + 0x54) = _t217;
					_t260 = _t217 + _t278;
					_t355 =  *((intOrPtr*)(_t364 + 0x14));
					asm("ror eax, 0x7");
					 *(_t364 + 0x20) = _t260 ^ _t354;
					_t326 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t355 + 0x12036c6) & 0x000000ff) * 4)) +  *(_t364 + 0x1c) +  *(_t364 + 0x68);
					_t303 = _t326 ^  *(_t364 + 0x28);
					asm("rol edx, 0x10");
					_t280 =  *(_t364 + 0x34) + _t303;
					_t344 = _t280 ^  *(_t364 + 0x1c);
					asm("ror esi, 0xc");
					_t224 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t355 + 0x12036c7) & 0x000000ff) * 4)) + _t344 + _t326;
					 *(_t364 + 0x4c) = _t224;
					_t328 = _t224 ^ _t303;
					asm("ror edi, 0x8");
					_t356 = _t328 + _t280;
					asm("ror eax, 0x7");
					 *(_t364 + 0x1c) = _t356 ^ _t344;
					_t98 = _t364 + 0x18; // 0x6a09e667
					_t283 =  *((intOrPtr*)(_t364 + 0x9c + ( *( *((intOrPtr*)(_t364 + 0x14)) + 0x12036c8) & 0x000000ff) * 4)) +  *(_t364 + 0x24) +  *_t98;
					_t305 = _t283 ^ _t328;
					_t329 =  *((intOrPtr*)(_t364 + 0x14));
					asm("rol edx, 0x10");
					_t345 = _t305 + _t260;
					_t262 = _t345 ^  *(_t364 + 0x24);
					asm("ror ebx, 0xc");
					_t232 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0x12036c9) & 0x000000ff) * 4)) + _t262 + _t283;
					 *(_t364 + 0x5c) = _t232;
					_t233 = _t232 ^ _t305;
					asm("ror eax, 0x8");
					 *(_t364 + 0x28) = _t233;
					 *(_t364 + 0x98) = _t233;
					_t234 = _t233 + _t345;
					_t263 = _t262 ^ _t234;
					 *(_t364 + 0x2c) = _t234;
					 *(_t364 + 0x84) = _t234;
					asm("ror ebx, 0x7");
					 *(_t364 + 0x30) = _t263;
					 *(_t364 + 0x70) = _t263;
					_t286 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0x12036ca) & 0x000000ff) * 4)) +  *(_t364 + 0x20) +  *(_t364 + 0x10);
					_t265 = _t286 ^  *(_t364 + 0x3c);
					asm("rol ebx, 0x10");
					_t306 = _t265 + _t356;
					_t358 = _t306 ^  *(_t364 + 0x20);
					asm("ror ebp, 0xc");
					_t239 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0x12036cb) & 0x000000ff) * 4)) + _t358 + _t286;
					_t258 = _t265 ^ _t239;
					 *(_t364 + 0x60) = _t239;
					asm("ror ebx, 0x8");
					_t240 = _t306 + _t258;
					_t359 = _t358 ^ _t240;
					 *(_t364 + 0x34) = _t240;
					 *(_t364 + 0x88) = _t240;
					asm("ror ebp, 0x7");
					 *(_t364 + 0x38) = _t359;
					 *(_t364 + 0x74) = _t359;
					_t289 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0x12036cc) & 0x000000ff) * 4)) +  *(_t364 + 0x1c) +  *(_t364 + 0x40);
					_t361 = _t289 ^  *(_t364 + 0x44);
					asm("rol ebp, 0x10");
					_t308 =  *(_t364 + 0x48) + _t361;
					_t347 = _t308 ^  *(_t364 + 0x1c);
					asm("ror esi, 0xc");
					_t245 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0x12036cd) & 0x000000ff) * 4)) + _t347 + _t289;
					_t352 = _t361 ^ _t245;
					 *(_t364 + 0x64) = _t245;
					asm("ror ebp, 0x8");
					_t246 = _t308 + _t352;
					_t348 = _t347 ^ _t246;
					 *(_t364 + 0x18) = _t246;
					 *(_t364 + 0x7c) = _t246;
					asm("ror esi, 0x7");
					 *(_t364 + 0x1c) = _t348;
					 *(_t364 + 0x78) = _t348;
					_t292 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0x12036ce) & 0x000000ff) * 4)) +  *(_t364 + 0x4c) +  *(_t364 + 0x50);
					_t349 =  *((intOrPtr*)(_t364 + 0x14));
					_t331 = _t292 ^  *(_t364 + 0x54);
					asm("rol edi, 0x10");
					_t310 =  *(_t364 + 0x58) + _t331;
					asm("ror eax, 0xc");
					 *(_t364 + 0x10) = _t310 ^  *(_t364 + 0x50);
					_t335 = _t349 + 0x10;
					 *((intOrPtr*)(_t364 + 0x14)) = _t335;
					_t253 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t349 + 0x12036cf) & 0x000000ff) * 4)) +  *(_t364 + 0x10) + _t292;
					_t332 = _t331 ^ _t253;
					 *(_t364 + 0x68) = _t253;
					asm("ror edi, 0x8");
					 *(_t364 + 0x20) = _t332;
					 *(_t364 + 0x94) = _t332;
					_t254 = _t310 + _t332;
					_t272 =  *(_t364 + 0x10) ^ _t254;
					 *(_t364 + 0x24) = _t254;
					asm("ror ecx, 0x7");
					 *(_t364 + 0x80) = _t254;
					 *(_t364 + 0x10) = _t272;
					 *(_t364 + 0x6c) = _t272;
				} while (_t335 <= 0x90);
				_t350 =  *((intOrPtr*)(_t364 + 0xe0));
				_t311 = 0;
				 *(_t364 + 0x8c) = _t258;
				 *(_t364 + 0x90) = _t352;
				do {
					_t256 =  *(_t364 + _t311 + 0x7c) ^  *(_t364 + _t311 + 0x5c);
					 *(_t311 +  *((intOrPtr*)(_t350 + 0xf4))) =  *(_t311 +  *((intOrPtr*)(_t350 + 0xf4))) ^ _t256;
					_t311 = _t311 + 4;
				} while (_t311 < 0x20);
				return _t256;
			}

0x011d4104
0x011d410e
0x011d412a
0x011d4136
0x011d413c
0x011d413d
0x011d413d
0x011d4149
0x011d414c
0x011d414c
0x011d415e
0x011d4162
0x011d4166
0x011d4168
0x011d4170
0x011d4178
0x011d4180
0x011d4188
0x011d4190
0x011d4198
0x011d41a0
0x011d41a4
0x011d41a8
0x011d41ac
0x011d41ac
0x011d41bc
0x011d41c0
0x011d41c6
0x011d41c8
0x011d41cc
0x011d41cf
0x011d41d3
0x011d41de
0x011d41ea
0x011d41ec
0x011d41f0
0x011d41f2
0x011d41f5
0x011d41f9
0x011d41fb
0x011d4201
0x011d4204
0x011d421e
0x011d422b
0x011d422d
0x011d4231
0x011d4234
0x011d423f
0x011d4243
0x011d4248
0x011d424a
0x011d424e
0x011d4250
0x011d4253
0x011d4257
0x011d4259
0x011d4263
0x011d4266
0x011d4281
0x011d4287
0x011d4292
0x011d4295
0x011d4297
0x011d4299
0x011d429e
0x011d42a0
0x011d42a4
0x011d42a6
0x011d42a9
0x011d42ad
0x011d42b4
0x011d42b8
0x011d42bb
0x011d42d1
0x011d42de
0x011d42e6
0x011d42f0
0x011d42f4
0x011d42f8
0x011d42fd
0x011d4301
0x011d4305
0x011d4307
0x011d430a
0x011d4311
0x011d4314
0x011d432e
0x011d432e
0x011d4334
0x011d4336
0x011d433a
0x011d4344
0x011d4349
0x011d4354
0x011d4359
0x011d435b
0x011d435f
0x011d4361
0x011d4364
0x011d4368
0x011d436f
0x011d4371
0x011d4373
0x011d4377
0x011d4385
0x011d4388
0x011d438c
0x011d439b
0x011d43a8
0x011d43ac
0x011d43b6
0x011d43bb
0x011d43bf
0x011d43c4
0x011d43c6
0x011d43c8
0x011d43cc
0x011d43cf
0x011d43d2
0x011d43d4
0x011d43d8
0x011d43e6
0x011d43e9
0x011d43ed
0x011d43fc
0x011d4402
0x011d4411
0x011d4414
0x011d441f
0x011d4423
0x011d4428
0x011d442a
0x011d442c
0x011d4430
0x011d4433
0x011d443a
0x011d443c
0x011d4440
0x011d444b
0x011d444e
0x011d4452
0x011d4461
0x011d4465
0x011d446b
0x011d446f
0x011d4472
0x011d447a
0x011d447d
0x011d4488
0x011d448b
0x011d449a
0x011d44a0
0x011d44a2
0x011d44a6
0x011d44a9
0x011d44ad
0x011d44b4
0x011d44b7
0x011d44b9
0x011d44bd
0x011d44c0
0x011d44c7
0x011d44cb
0x011d44cf
0x011d44db
0x011d44e2
0x011d44e4
0x011d44eb
0x011d44f2
0x011d44fc
0x011d4500
0x011d4503
0x011d4506
0x011d4515

Strings

gj, xrefs: 011D41BC

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: f0ef504aa644fe0c4bc137956cdce5741facb19455bea3e7bb70b680cb73a07d
Instruction ID: 1c052e2d5d5bdd8ab3149aa19abebd8b462d77d3c6b6538b29e7a4374fe1d362
Opcode Fuzzy Hash: f0ef504aa644fe0c4bc137956cdce5741facb19455bea3e7bb70b680cb73a07d
Instruction Fuzzy Hash: 58C127769183418FC354CF29D88065AFBE2BFC8208F19892DE998D7312D734E955CB96

Uniqueness

Uniqueness Score: -1.00%

Function 011E0723 Relevance: 1.3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E011E0723(intOrPtr __edx) {
				unsigned int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				intOrPtr _t25;
				signed int _t26;
				unsigned int _t29;
				intOrPtr _t31;
				signed int _t34;
				intOrPtr _t37;
				intOrPtr* _t39;
				intOrPtr* _t41;

				_t37 = __edx;
				asm("cpuid");
				_t39 =  &_v20;
				 *_t39 = 0x80000000;
				 *((intOrPtr*)(_t39 + 4)) = _t31;
				 *((intOrPtr*)(_t39 + 8)) = 0;
				 *((intOrPtr*)(_t39 + 0xc)) = __edx;
				_t34 = _v20 & 0x7fffffff;
				_t25 = 7;
				if(_t34 < 0x80000000) {
					if(_t34 < 1) {
						_t26 = 0;
					} else {
						goto L5;
					}
				} else {
					asm("cpuid");
					 *_t39 = _t25;
					 *((intOrPtr*)(_t39 + 4)) = _t31;
					 *((intOrPtr*)(_t39 + 8)) = 0;
					 *((intOrPtr*)(_t39 + 0xc)) = __edx;
					if((_v16 & 0x00000020) == 0) {
						L5:
						_t41 =  &_v20;
						asm("cpuid");
						 *_t41 = 1;
						 *((intOrPtr*)(_t41 + 4)) = _t31;
						 *((intOrPtr*)(_t41 + 8)) = 0;
						 *((intOrPtr*)(_t41 + 0xc)) = _t37;
						if((_v12 & 0x00080000) == 0) {
							if((_v12 & 0x00000200) == 0) {
								_t29 = _v8;
								if((_t29 & 0x04000000) == 0) {
									_t26 = _t29 >> 0x00000019 & 0x00000001;
								} else {
									_push(2);
									goto L3;
								}
							} else {
								_push(3);
								goto L3;
							}
						} else {
							_push(4);
							goto L3;
						}
					} else {
						_push(5);
						L3:
						_pop(_t26);
					}
				}
				return _t26;
			}

0x011e0723
0x011e0731
0x011e0734
0x011e0737
0x011e0739
0x011e073c
0x011e073f
0x011e0747
0x011e074d
0x011e0750
0x011e076f
0x011e07b6
0x00000000
0x00000000
0x00000000
0x011e0752
0x011e0754
0x011e0756
0x011e0758
0x011e075b
0x011e075e
0x011e0765
0x011e0771
0x011e0773
0x011e0779
0x011e077b
0x011e077d
0x011e0780
0x011e0783
0x011e078d
0x011e079a
0x011e07a0
0x011e07a8
0x011e07b1
0x011e07aa
0x011e07aa
0x00000000
0x011e07aa
0x011e079c
0x011e079c
0x00000000
0x011e079c
0x011e078f
0x011e078f
0x00000000
0x011e078f
0x011e0767
0x011e0767
0x011e0769
0x011e0769
0x011e0769
0x011e0765
0x011e07bb

Strings

, xrefs: 011E0761

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f9f1c2bed15b44f839f0c6247bb41c9584460cb63a71212a500cbf4f9e6b509d
Instruction ID: 060702af3404a230edf63ec62ba9ee8779aad0506bb8617b00b66438ca9f55ad
Opcode Fuzzy Hash: f9f1c2bed15b44f839f0c6247bb41c9584460cb63a71212a500cbf4f9e6b509d
Instruction Fuzzy Hash: DA116671F44F069ED76C8F9DD859766BBE4AB08710F15C82EE6EBD2680C3B0A1408F01

Uniqueness

Uniqueness Score: -1.00%

Function 011FC030 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011FC030() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x12326e4 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x011fc030
0x011fc038
0x011fc040

APIs

GetProcessHeap.KERNEL32 ref: 011FC030

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: dc7a7cf808c04a3ae4ac6631a778f4eeb6e612e05e0b2a17335f1148cdbadff7
Instruction ID: e652435f2981aa3e5f3dc486d942c59921545967d753bfcf26a4490a5d30900b
Opcode Fuzzy Hash: dc7a7cf808c04a3ae4ac6631a778f4eeb6e612e05e0b2a17335f1148cdbadff7
Instruction Fuzzy Hash: ECA01130202200CFC320CE30BB0C2083AA8AA0AA80308002AA008C0008EA2080A0AB00

Uniqueness

Uniqueness Score: -1.00%

Function 011E62CA Relevance: .8, Instructions: 829
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E011E62CA(intOrPtr __esi) {
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				void* _t359;
				signed int _t361;
				intOrPtr _t363;
				signed int _t372;
				char _t381;
				void* _t385;
				signed int _t386;
				signed int _t387;
				intOrPtr _t389;
				signed int _t399;
				char _t408;
				unsigned int _t409;
				void* _t417;
				signed int _t418;
				signed int _t419;
				intOrPtr _t421;
				signed int _t424;
				char _t433;
				signed int _t436;
				signed int _t438;
				signed int _t441;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t447;
				signed int _t448;
				signed short _t449;
				signed int _t450;
				signed int _t454;
				unsigned int _t459;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t468;
				signed int _t469;
				signed short _t470;
				unsigned int _t475;
				signed int _t480;
				unsigned int _t482;
				signed int _t496;
				signed int _t499;
				signed int _t501;
				signed int _t504;
				signed int _t506;
				signed int _t508;
				signed int _t510;
				intOrPtr* _t512;
				intOrPtr* _t513;
				signed int _t514;
				intOrPtr* _t515;
				signed int _t516;
				signed int _t522;
				signed int _t524;
				signed int* _t525;
				intOrPtr _t526;
				void* _t529;
				signed int _t532;
				signed int* _t535;
				unsigned int _t538;
				signed int _t539;
				void* _t540;
				signed int _t543;
				signed int _t545;
				signed int _t548;
				signed int _t551;
				signed int _t554;
				void* _t556;
				signed int _t559;
				signed int _t560;
				intOrPtr* _t562;
				void* _t563;
				signed int _t565;
				signed int _t568;
				unsigned int _t575;
				signed int _t576;
				void* _t577;
				signed int _t580;
				void* _t583;
				signed int _t586;
				signed int _t589;
				signed int _t591;
				void* _t593;
				signed int _t596;
				intOrPtr* _t598;
				void* _t599;
				signed int _t602;
				void* _t605;
				signed int _t609;
				signed int _t610;
				intOrPtr* _t612;
				void* _t613;
				void* _t616;
				signed int _t619;
				intOrPtr* _t625;
				void* _t626;
				unsigned int _t633;
				signed int _t636;
				signed int _t637;
				unsigned int _t639;
				signed int _t642;
				void* _t645;
				signed int _t646;
				void* _t649;
				signed int _t650;
				signed int _t651;
				void* _t654;
				unsigned int _t656;
				unsigned int _t660;
				signed int _t663;
				signed int _t665;
				unsigned int _t666;
				signed int _t668;
				signed int _t669;
				signed int _t670;
				signed int _t671;
				signed short _t672;
				signed int _t673;
				signed int _t674;
				unsigned int _t678;
				signed int _t680;
				intOrPtr _t684;
				signed int _t686;
				signed int _t687;
				signed int _t688;
				signed int* _t689;
				char* _t692;
				char* _t693;
				signed int _t696;
				void* _t697;
				void* _t700;

				L0:
				while(1) {
					L0:
					_t684 = __esi;
					_t525 = __esi + 0x7c;
					while(1) {
						L1:
						 *_t525 =  *_t525 &  *(_t684 + 0xe6dc);
						if( *_t689 <  *((intOrPtr*)(_t684 + 0x88))) {
							goto L11;
						} else {
							_t513 = _t684 + 0x8c;
							goto L3;
						}
						while(1) {
							L3:
							_t700 =  *_t689 -  *((intOrPtr*)(_t684 + 0x94)) - 1 +  *_t513;
							if(_t700 <= 0 && (_t700 != 0 ||  *((intOrPtr*)(_t684 + 8)) <  *((intOrPtr*)(_t684 + 0x90)))) {
								break;
							}
							L6:
							if( *((char*)(_t684 + 0x9c)) != 0) {
								L97:
								_t360 = E011E5202(_t684);
								L98:
								return _t360;
							}
							L7:
							_push(_t513);
							_push(_t689);
							_t360 = E011E3E0B(_t684);
							if(_t360 == 0) {
								goto L98;
							}
							L8:
							_push(_t684 + 0xa0);
							_push(_t513);
							_push(_t689);
							_t360 = E011E43BF(_t684);
							if(_t360 != 0) {
								continue;
							} else {
								goto L98;
							}
						}
						L10:
						_t496 = E011E4E52(_t684);
						__eflags = _t496;
						if(_t496 == 0) {
							goto L97;
						}
						L11:
						_t526 =  *((intOrPtr*)(_t684 + 0x4b3c));
						__eflags = (_t526 -  *(_t684 + 0x7c) &  *(_t684 + 0xe6dc)) - 0x1004;
						if((_t526 -  *(_t684 + 0x7c) &  *(_t684 + 0xe6dc)) >= 0x1004) {
							L17:
							_t344 = E011DA89D(_t689);
							_t345 =  *(_t684 + 0x124);
							_t633 = _t344 & 0x0000fffe;
							__eflags = _t633 -  *((intOrPtr*)(_t684 + 0xa4 + _t345 * 4));
							if(_t633 >=  *((intOrPtr*)(_t684 + 0xa4 + _t345 * 4))) {
								L19:
								_t671 = 0xf;
								_t346 = _t345 + 1;
								__eflags = _t346 - _t671;
								if(_t346 >= _t671) {
									L25:
									_t499 = _t689[1] + _t671;
									_t348 = _t499 >> 3;
									 *_t689 =  *_t689 + _t348;
									 *(_t697 + 0x10) =  *_t689;
									_t689[1] = _t499 & 0x00000007;
									_t529 = 0x10;
									_t532 =  *((intOrPtr*)(_t684 + 0xe4 + _t671 * 4)) + (_t633 -  *((intOrPtr*)(_t684 + 0xa0 + _t671 * 4)) >> _t529 - _t671);
									__eflags = _t532 -  *((intOrPtr*)(_t684 + 0xa0));
									asm("sbb eax, eax");
									_t349 = _t348 & _t532;
									__eflags = _t349;
									_t672 =  *(_t684 + 0xd28 + _t349 * 2) & 0x0000ffff;
									_t350 =  *(_t697 + 0x10);
									goto L26;
								} else {
									_t625 = _t684 + (_t346 + 0x29) * 4;
									while(1) {
										L21:
										__eflags = _t633 -  *_t625;
										if(_t633 <  *_t625) {
											_t671 = _t346;
											goto L25;
										}
										L22:
										_t346 = _t346 + 1;
										_t625 = _t625 + 4;
										__eflags = _t346 - 0xf;
										if(_t346 < 0xf) {
											continue;
										} else {
											goto L25;
										}
									}
									goto L25;
								}
							} else {
								_t626 = 0x10;
								_t670 = _t633 >> _t626 - _t345;
								_t508 = ( *(_t670 + _t684 + 0x128) & 0x000000ff) + _t689[1];
								 *_t689 =  *_t689 + (_t508 >> 3);
								_t504 = _t508 & 0x00000007;
								_t350 =  *_t689;
								_t689[1] = _t504;
								_t672 =  *(_t684 + 0x528 + _t670 * 2) & 0x0000ffff;
								 *(_t697 + 0x10) = _t350;
								L26:
								_t636 = _t672 & 0x0000ffff;
								__eflags = _t636 - 0x100;
								if(_t636 >= 0x100) {
									L30:
									__eflags = _t636 - 0x106;
									if(_t636 < 0x106) {
										L94:
										__eflags = _t636 - 0x100;
										if(_t636 != 0x100) {
											L100:
											__eflags = _t636 - 0x101;
											if(_t636 != 0x101) {
												L125:
												_t637 = _t636 + 0xfffffefe;
												__eflags = _t637;
												_t535 = _t684 + (_t637 + 0x18) * 4;
												_t501 =  *_t535;
												 *(_t697 + 0x18) = _t501;
												if(_t637 == 0) {
													L127:
													 *(_t684 + 0x60) = _t501;
													_t351 = E011DA89D(_t689);
													_t352 =  *(_t684 + 0x2de8);
													_t639 = _t351 & 0x0000fffe;
													__eflags = _t639 -  *((intOrPtr*)(_t684 + 0x2d68 + _t352 * 4));
													if(_t639 >=  *((intOrPtr*)(_t684 + 0x2d68 + _t352 * 4))) {
														L129:
														_t673 = 0xf;
														_t353 = _t352 + 1;
														__eflags = _t353 - _t673;
														if(_t353 >= _t673) {
															L135:
															_t538 = _t689[1] + _t673;
															_t539 = _t538 & 0x00000007;
															_t689[1] = _t539;
															_t355 = _t538 >> 3;
															 *_t689 =  *_t689 + _t355;
															 *(_t697 + 0x20) = _t539;
															_t540 = 0x10;
															_t543 =  *((intOrPtr*)(_t684 + 0x2da8 + _t673 * 4)) + (_t639 -  *((intOrPtr*)(_t684 + 0x2d64 + _t673 * 4)) >> _t540 - _t673);
															__eflags = _t543 -  *((intOrPtr*)(_t684 + 0x2d64));
															asm("sbb eax, eax");
															_t356 = _t355 & _t543;
															__eflags = _t356;
															_t357 =  *(_t684 + 0x39ec + _t356 * 2) & 0x0000ffff;
															L136:
															_t674 = _t357 & 0x0000ffff;
															__eflags = _t674 - 8;
															if(_t674 >= 8) {
																_t504 = (_t674 >> 2) - 1;
																_t678 = ((_t674 & 0x00000003 | 0x00000004) << _t504) + 2;
																__eflags = _t504;
																if(_t504 != 0) {
																	_t409 = E011DA89D(_t689);
																	_t556 = 0x10;
																	_t678 = _t678 + (_t409 >> _t556 - _t504);
																	_t559 =  *(_t697 + 0x20) + _t504;
																	 *_t689 =  *_t689 + (_t559 >> 3);
																	_t560 = _t559 & 0x00000007;
																	__eflags = _t560;
																	_t689[1] = _t560;
																}
															} else {
																_t678 = _t674 + 2;
															}
															__eflags =  *((char*)(_t684 + 0x4c44));
															_t545 =  *(_t697 + 0x18);
															 *(_t684 + 0x74) = _t678;
															if( *((char*)(_t684 + 0x4c44)) == 0) {
																L142:
																_t642 =  *(_t684 + 0x7c);
																_t506 = _t642 - _t545;
																_t359 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
																__eflags = _t506 - _t359;
																if(_t506 >= _t359) {
																	goto L152;
																}
																L143:
																__eflags = _t642 - _t359;
																if(_t642 >= _t359) {
																	goto L152;
																}
																L144:
																_t363 =  *((intOrPtr*)(_t684 + 0x4b40));
																_t512 = _t506 + _t363;
																_t692 = _t642 + _t363;
																_t645 = 8;
																 *(_t684 + 0x7c) = _t642 + _t678;
																__eflags = _t678 - _t645;
																if(_t678 < _t645) {
																	L114:
																	_t525 = _t684 + 0x7c;
																	__eflags = _t678;
																	if(_t678 == 0) {
																		L89:
																		_t689 = _t684 + 4;
																		continue;
																	}
																	L115:
																	_t525 = _t684 + 0x7c;
																	 *_t692 =  *_t512;
																	__eflags = _t678 - 1;
																	if(_t678 <= 1) {
																		goto L89;
																	}
																	L116:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
																	__eflags = _t678 - 2;
																	if(_t678 <= 2) {
																		goto L89;
																	}
																	L117:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
																	__eflags = _t678 - 3;
																	if(_t678 <= 3) {
																		goto L89;
																	}
																	L118:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
																	__eflags = _t678 - 4;
																	if(_t678 <= 4) {
																		goto L89;
																	}
																	L119:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
																	__eflags = _t678 - 5;
																	if(_t678 <= 5) {
																		goto L89;
																	}
																	L120:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
																	__eflags = _t678 - 6;
																	if(_t678 <= 6) {
																		goto L89;
																	}
																	L121:
																	_t360 =  *((intOrPtr*)(_t512 + 6));
																	 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
																	goto L155;
																}
																L145:
																__eflags = _t545 - _t678;
																if(_t545 >= _t678) {
																	L149:
																	_t372 = _t678 >> 3;
																	__eflags = _t372;
																	 *(_t697 + 0x20) = _t372;
																	_t686 = _t372;
																	do {
																		L150:
																		E011F0320(_t692, _t512, _t645);
																		_t697 = _t697 + 0xc;
																		_t645 = 8;
																		_t512 = _t512 + _t645;
																		_t692 = _t692 + _t645;
																		_t678 = _t678 - _t645;
																		_t686 = _t686 - 1;
																		__eflags = _t686;
																	} while (_t686 != 0);
																	L113:
																	_t684 =  *((intOrPtr*)(_t697 + 0x1c));
																	goto L114;
																}
																L146:
																_t548 = _t678 >> 3;
																__eflags = _t548;
																do {
																	L147:
																	_t678 = _t678 - _t645;
																	 *_t692 =  *_t512;
																	 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
																	 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
																	 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
																	 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
																	 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
																	 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
																	_t381 =  *((intOrPtr*)(_t512 + 7));
																	_t512 = _t512 + _t645;
																	 *((char*)(_t692 + 7)) = _t381;
																	_t692 = _t692 + _t645;
																	_t548 = _t548 - 1;
																	__eflags = _t548;
																} while (_t548 != 0);
																goto L114;
															} else {
																L141:
																_push( *(_t684 + 0xe6dc));
																_push(_t684 + 0x7c);
																_push(_t545);
																L70:
																_push(_t678);
																E011E2C30();
																while(1) {
																	L0:
																	_t684 = __esi;
																	_t525 = __esi + 0x7c;
																	do {
																		do {
																			goto L3;
																			L152:
																			_t525 = _t684 + 0x7c;
																			__eflags = _t678;
																		} while (_t678 == 0);
																		_t360 =  *(_t684 + 0xe6dc);
																		do {
																			L154:
																			_t361 = _t360 & _t506;
																			_t506 = _t506 + 1;
																			 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t642)) =  *((intOrPtr*)(_t361 +  *((intOrPtr*)(_t684 + 0x4b40))));
																			_t360 =  *(_t684 + 0xe6dc);
																			_t642 =  *(_t684 + 0x7c) + 0x00000001 & _t360;
																			 *(_t684 + 0x7c) = _t642;
																			_t678 = _t678 - 1;
																			__eflags = _t678;
																		} while (_t678 != 0);
																		L155:
																		goto L0;
																		do {
																			while(1) {
																				L0:
																				_t684 = __esi;
																				_t525 = __esi + 0x7c;
																				L1:
																				 *_t525 =  *_t525 &  *(_t684 + 0xe6dc);
																				if( *_t689 <  *((intOrPtr*)(_t684 + 0x88))) {
																					goto L11;
																				} else {
																					_t513 = _t684 + 0x8c;
																					goto L3;
																				}
																			}
																			L96:
																			_t438 = E011E253E(_t684, _t697 + 0x28);
																			__eflags = _t438;
																		} while (_t438 != 0);
																		goto L97;
																		L90:
																		_t525 = _t684 + 0x7c;
																		__eflags = _t678;
																	} while (_t678 == 0);
																	_t386 =  *(_t684 + 0xe6dc);
																	_t514 =  *(_t697 + 0x20);
																	do {
																		L92:
																		_t387 = _t386 & _t514;
																		_t514 = _t514 + 1;
																		 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t646)) =  *((intOrPtr*)(_t387 +  *((intOrPtr*)(_t684 + 0x4b40))));
																		_t386 =  *(_t684 + 0xe6dc);
																		_t646 =  *(_t684 + 0x7c) + 0x00000001 & _t386;
																		 *(_t684 + 0x7c) = _t646;
																		_t678 = _t678 - 1;
																		__eflags = _t678;
																	} while (_t678 != 0);
																	goto L155;
																}
															}
														}
														L130:
														_t562 = _t684 + (_t353 + 0xb5a) * 4;
														while(1) {
															L131:
															__eflags = _t639 -  *_t562;
															if(_t639 <  *_t562) {
																break;
															}
															L132:
															_t353 = _t353 + 1;
															_t562 = _t562 + 4;
															__eflags = _t353 - 0xf;
															if(_t353 < 0xf) {
																continue;
															}
															L133:
															goto L135;
														}
														L134:
														_t673 = _t353;
														goto L135;
													}
													L128:
													_t563 = 0x10;
													_t650 = _t639 >> _t563 - _t352;
													_t524 = ( *(_t650 + _t684 + 0x2dec) & 0x000000ff) + _t689[1];
													 *_t689 =  *_t689 + (_t524 >> 3);
													_t504 = _t524 & 0x00000007;
													_t689[1] = _t504;
													_t357 =  *(_t684 + 0x31ec + _t650 * 2) & 0x0000ffff;
													 *(_t697 + 0x20) = _t504;
													goto L136;
												} else {
													goto L126;
												}
												do {
													L126:
													 *_t535 =  *(_t535 - 4);
													_t535 = _t535 - 4;
													_t637 = _t637 - 1;
													__eflags = _t637;
												} while (_t637 != 0);
												goto L127;
											}
											L101:
											_t678 =  *(_t684 + 0x74);
											__eflags = _t678;
											if(_t678 == 0) {
												while(1) {
													L0:
													_t684 = __esi;
													_t525 = __esi + 0x7c;
													goto L1;
												}
											}
											L102:
											__eflags =  *((char*)(_t684 + 0x4c44));
											if( *((char*)(_t684 + 0x4c44)) == 0) {
												L104:
												_t651 =  *(_t684 + 0x7c);
												_t565 =  *(_t684 + 0x60);
												_t417 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
												_t510 = _t651 - _t565;
												__eflags = _t510 - _t417;
												if(_t510 >= _t417) {
													L122:
													_t418 =  *(_t684 + 0xe6dc);
													do {
														L123:
														_t419 = _t418 & _t510;
														_t510 = _t510 + 1;
														 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t651)) =  *((intOrPtr*)(_t419 +  *((intOrPtr*)(_t684 + 0x4b40))));
														_t418 =  *(_t684 + 0xe6dc);
														_t651 =  *(_t684 + 0x7c) + 0x00000001 & _t418;
														 *(_t684 + 0x7c) = _t651;
														_t678 = _t678 - 1;
														__eflags = _t678;
													} while (_t678 != 0);
													goto L155;
												}
												L105:
												__eflags = _t651 - _t417;
												if(_t651 >= _t417) {
													goto L122;
												}
												L106:
												_t421 =  *((intOrPtr*)(_t684 + 0x4b40));
												_t512 = _t510 + _t421;
												_t692 = _t651 + _t421;
												_t654 = 8;
												 *(_t684 + 0x7c) = _t651 + _t678;
												__eflags = _t678 - _t654;
												if(_t678 < _t654) {
													goto L114;
												}
												L107:
												__eflags = _t565 - _t678;
												if(_t565 >= _t678) {
													L111:
													_t424 = _t678 >> 3;
													__eflags = _t424;
													 *(_t697 + 0x20) = _t424;
													_t688 = _t424;
													do {
														L112:
														E011F0320(_t692, _t512, _t654);
														_t697 = _t697 + 0xc;
														_t654 = 8;
														_t512 = _t512 + _t654;
														_t692 = _t692 + _t654;
														_t678 = _t678 - _t654;
														_t688 = _t688 - 1;
														__eflags = _t688;
													} while (_t688 != 0);
													goto L113;
												}
												L108:
												_t568 = _t678 >> 3;
												__eflags = _t568;
												do {
													L109:
													_t678 = _t678 - _t654;
													 *_t692 =  *_t512;
													 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
													 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
													 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
													 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
													 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
													 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
													_t433 =  *((intOrPtr*)(_t512 + 7));
													_t512 = _t512 + _t654;
													 *((char*)(_t692 + 7)) = _t433;
													_t692 = _t692 + _t654;
													_t568 = _t568 - 1;
													__eflags = _t568;
												} while (_t568 != 0);
												goto L114;
											}
											L103:
											_push( *(_t684 + 0xe6dc));
											_push(_t684 + 0x7c);
											_push( *(_t684 + 0x60));
											goto L70;
										}
										L95:
										_push(_t697 + 0x28);
										_t436 = E011E3F9D(_t684, _t689);
										__eflags = _t436;
										if(_t436 == 0) {
											goto L97;
										}
										goto L96;
									}
									L31:
									_t680 = _t636 - 0x106;
									__eflags = _t680 - 8;
									if(_t680 >= 8) {
										_t441 = (_t680 >> 2) - 1;
										 *(_t697 + 0x20) = _t441;
										_t678 = ((_t680 & 0x00000003 | 0x00000004) << _t441) + 2;
										__eflags = _t441;
										if(_t441 != 0) {
											_t482 = E011DA89D(_t689);
											_t522 = _t504 +  *(_t697 + 0x20);
											_t616 = 0x10;
											_t678 = _t678 + (_t482 >> _t616 -  *(_t697 + 0x20));
											_t619 =  *(_t697 + 0x10) + (_t522 >> 3);
											_t504 = _t522 & 0x00000007;
											__eflags = _t504;
											 *(_t697 + 0x10) = _t619;
											 *_t689 = _t619;
											_t689[1] = _t504;
										}
									} else {
										 *(_t697 + 0x10) = _t350;
										_t678 = _t680 + 2;
									}
									_t442 = E011DA89D(_t689);
									_t443 =  *(_t684 + 0x1010);
									_t656 = _t442 & 0x0000fffe;
									__eflags = _t656 -  *((intOrPtr*)(_t684 + 0xf90 + _t443 * 4));
									if(_t656 >=  *((intOrPtr*)(_t684 + 0xf90 + _t443 * 4))) {
										L37:
										_t516 = 0xf;
										_t444 = _t443 + 1;
										__eflags = _t444 - _t516;
										if(_t444 >= _t516) {
											L43:
											_t575 = _t689[1] + _t516;
											_t576 = _t575 & 0x00000007;
											_t689[1] = _t576;
											 *_t689 =  *_t689 + (_t575 >> 3);
											_t447 =  *_t689;
											 *(_t697 + 0x10) = _t576;
											_t577 = 0x10;
											 *(_t697 + 0x14) = _t447;
											_t580 =  *((intOrPtr*)(_t684 + 0xfd0 + _t516 * 4)) + (_t656 -  *((intOrPtr*)(_t684 + 0xf8c + _t516 * 4)) >> _t577 - _t516);
											__eflags = _t580 -  *((intOrPtr*)(_t684 + 0xf8c));
											asm("sbb eax, eax");
											_t448 = _t447 & _t580;
											__eflags = _t448;
											_t449 =  *(_t684 + 0x1c14 + _t448 * 2) & 0x0000ffff;
											goto L44;
										}
										L38:
										_t612 = _t684 + (_t444 + 0x3e4) * 4;
										while(1) {
											L39:
											__eflags = _t656 -  *_t612;
											if(_t656 <  *_t612) {
												break;
											}
											L40:
											_t444 = _t444 + 1;
											_t612 = _t612 + 4;
											__eflags = _t444 - 0xf;
											if(_t444 < 0xf) {
												continue;
											}
											L41:
											goto L43;
										}
										L42:
										_t516 = _t444;
										goto L43;
									} else {
										L36:
										_t613 = 0x10;
										_t666 = _t656 >> _t613 - _t443;
										 *(_t697 + 0x20) = _t666;
										_t668 = ( *(_t666 + _t684 + 0x1014) & 0x000000ff) + _t504;
										_t480 = (_t668 >> 3) +  *(_t697 + 0x10);
										_t669 = _t668 & 0x00000007;
										 *(_t697 + 0x14) = _t480;
										 *_t689 = _t480;
										_t689[1] = _t669;
										 *(_t697 + 0x10) = _t669;
										_t449 =  *(_t684 + 0x1414 +  *(_t697 + 0x20) * 2) & 0x0000ffff;
										L44:
										_t450 = _t449 & 0x0000ffff;
										__eflags = _t450 - 4;
										if(_t450 >= 4) {
											L46:
											_t696 = (_t450 >> 1) - 1;
											_t454 = ((_t450 & 0x00000001 | 0x00000002) << _t696) + 1;
											 *(_t697 + 0x20) = _t454;
											_t504 = _t454;
											 *(_t697 + 0x18) = _t504;
											__eflags = _t696;
											if(_t696 == 0) {
												L63:
												_t689 = _t684 + 4;
												L64:
												__eflags = _t504 - 0x100;
												if(_t504 > 0x100) {
													_t678 = _t678 + 1;
													__eflags = _t504 - 0x2000;
													if(_t504 > 0x2000) {
														_t678 = _t678 + 1;
														__eflags = _t504 - 0x40000;
														if(_t504 > 0x40000) {
															_t678 = _t678 + 1;
															__eflags = _t678;
														}
													}
												}
												 *(_t684 + 0x6c) =  *(_t684 + 0x68);
												 *(_t684 + 0x68) =  *(_t684 + 0x64);
												 *(_t684 + 0x64) =  *(_t684 + 0x60);
												 *(_t684 + 0x60) = _t504;
												__eflags =  *((char*)(_t684 + 0x4c44));
												 *(_t684 + 0x74) = _t678;
												if( *((char*)(_t684 + 0x4c44)) == 0) {
													L71:
													_t646 =  *(_t684 + 0x7c);
													_t551 = _t646 - _t504;
													_t385 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
													 *(_t697 + 0x20) = _t551;
													__eflags = _t551 - _t385;
													if(_t551 >= _t385) {
														goto L90;
													}
													L72:
													__eflags = _t646 - _t385;
													if(_t646 >= _t385) {
														goto L90;
													}
													L73:
													_t389 =  *((intOrPtr*)(_t684 + 0x4b40));
													_t515 = _t389 + _t551;
													_t693 = _t646 + _t389;
													_t649 = 8;
													_t525 = _t684 + 0x7c;
													 *_t525 = _t646 + _t678;
													__eflags = _t678 - _t649;
													if(_t678 < _t649) {
														L81:
														__eflags = _t678;
														if(_t678 != 0) {
															 *_t693 =  *_t515;
															__eflags = _t678 - 1;
															if(_t678 > 1) {
																 *((char*)(_t693 + 1)) =  *((intOrPtr*)(_t515 + 1));
																__eflags = _t678 - 2;
																if(_t678 > 2) {
																	 *((char*)(_t693 + 2)) =  *((intOrPtr*)(_t515 + 2));
																	__eflags = _t678 - 3;
																	if(_t678 > 3) {
																		 *((char*)(_t693 + 3)) =  *((intOrPtr*)(_t515 + 3));
																		__eflags = _t678 - 4;
																		if(_t678 > 4) {
																			 *((char*)(_t693 + 4)) =  *((intOrPtr*)(_t515 + 4));
																			__eflags = _t678 - 5;
																			if(_t678 > 5) {
																				 *((char*)(_t693 + 5)) =  *((intOrPtr*)(_t515 + 5));
																				__eflags = _t678 - 6;
																				if(_t678 > 6) {
																					 *((char*)(_t693 + 6)) =  *((intOrPtr*)(_t515 + 6));
																				}
																			}
																		}
																	}
																}
															}
														}
														goto L89;
													}
													L74:
													__eflags =  *(_t697 + 0x18) - _t678;
													if( *(_t697 + 0x18) >= _t678) {
														L78:
														_t399 = _t678 >> 3;
														__eflags = _t399;
														 *(_t697 + 0x20) = _t399;
														_t687 = _t399;
														do {
															L79:
															E011F0320(_t693, _t515, _t649);
															_t697 = _t697 + 0xc;
															_t649 = 8;
															_t515 = _t515 + _t649;
															_t693 = _t693 + _t649;
															_t678 = _t678 - _t649;
															_t687 = _t687 - 1;
															__eflags = _t687;
														} while (_t687 != 0);
														_t684 =  *((intOrPtr*)(_t697 + 0x1c));
														_t525 =  *(_t697 + 0x24);
														goto L81;
													}
													L75:
													_t554 = _t678 >> 3;
													__eflags = _t554;
													do {
														L76:
														_t678 = _t678 - _t649;
														 *_t693 =  *_t515;
														 *((char*)(_t693 + 1)) =  *((intOrPtr*)(_t515 + 1));
														 *((char*)(_t693 + 2)) =  *((intOrPtr*)(_t515 + 2));
														 *((char*)(_t693 + 3)) =  *((intOrPtr*)(_t515 + 3));
														 *((char*)(_t693 + 4)) =  *((intOrPtr*)(_t515 + 4));
														 *((char*)(_t693 + 5)) =  *((intOrPtr*)(_t515 + 5));
														 *((char*)(_t693 + 6)) =  *((intOrPtr*)(_t515 + 6));
														_t408 =  *((intOrPtr*)(_t515 + 7));
														_t515 = _t515 + _t649;
														 *((char*)(_t693 + 7)) = _t408;
														_t693 = _t693 + _t649;
														_t554 = _t554 - 1;
														__eflags = _t554;
													} while (_t554 != 0);
													_t525 = _t684 + 0x7c;
													goto L81;
												} else {
													L69:
													_push( *(_t684 + 0xe6dc));
													_push(_t684 + 0x7c);
													_push(_t504);
													goto L70;
												}
											}
											L47:
											__eflags = _t696 - 4;
											if(__eflags < 0) {
												L62:
												_t459 = E011E8934(_t684 + 4);
												_t583 = 0x20;
												_t504 = (_t459 >> _t583 - _t696) +  *(_t697 + 0x20);
												_t586 =  *(_t697 + 0x10) + _t696;
												 *(_t697 + 0x18) = _t504;
												_t689 = _t684 + 4;
												 *_t689 = (_t586 >> 3) +  *(_t697 + 0x14);
												_t689[1] = _t586 & 0x00000007;
												goto L64;
											}
											L48:
											if(__eflags <= 0) {
												_t689 = _t684 + 4;
											} else {
												_t475 = E011E8934(_t684 + 4);
												_t605 = 0x24;
												_t504 = (_t475 >> _t605 - _t696 << 4) +  *(_t697 + 0x20);
												_t609 =  *(_t697 + 0x10) + 0xfffffffc + _t696;
												_t689 = _t684 + 4;
												_t665 =  *(_t697 + 0x14) + (_t609 >> 3);
												_t610 = _t609 & 0x00000007;
												 *(_t697 + 0x14) = _t665;
												 *_t689 = _t665;
												 *(_t697 + 0x10) = _t610;
												_t689[1] = _t610;
											}
											_t463 = E011DA89D(_t689);
											_t464 =  *(_t684 + 0x1efc);
											_t660 = _t463 & 0x0000fffe;
											__eflags = _t660 -  *((intOrPtr*)(_t684 + 0x1e7c + _t464 * 4));
											if(_t660 >=  *((intOrPtr*)(_t684 + 0x1e7c + _t464 * 4))) {
												L53:
												_t589 = 0xf;
												_t465 = _t464 + 1;
												 *(_t697 + 0x18) = _t589;
												__eflags = _t465 - _t589;
												if(_t465 >= _t589) {
													L59:
													_t591 = _t689[1] +  *(_t697 + 0x18);
													 *_t689 =  *_t689 + (_t591 >> 3);
													_t468 =  *(_t697 + 0x18);
													_t689[1] = _t591 & 0x00000007;
													_t593 = 0x10;
													_t596 =  *((intOrPtr*)(_t684 + 0x1ebc + _t468 * 4)) + (_t660 -  *((intOrPtr*)(_t684 + 0x1e78 + _t468 * 4)) >> _t593 - _t468);
													__eflags = _t596 -  *((intOrPtr*)(_t684 + 0x1e78));
													asm("sbb eax, eax");
													_t469 = _t468 & _t596;
													__eflags = _t469;
													_t470 =  *(_t684 + 0x2b00 + _t469 * 2) & 0x0000ffff;
													goto L60;
												}
												L54:
												_t598 = _t684 + (_t465 + 0x79f) * 4;
												while(1) {
													L55:
													__eflags = _t660 -  *_t598;
													if(_t660 <  *_t598) {
														break;
													}
													L56:
													_t465 = _t465 + 1;
													_t598 = _t598 + 4;
													__eflags = _t465 - 0xf;
													if(_t465 < 0xf) {
														continue;
													}
													L57:
													goto L59;
												}
												L58:
												 *(_t697 + 0x18) = _t465;
												goto L59;
											} else {
												L52:
												_t599 = 0x10;
												_t663 = _t660 >> _t599 - _t464;
												_t602 = ( *(_t663 + _t684 + 0x1f00) & 0x000000ff) +  *(_t697 + 0x10);
												 *_t689 = (_t602 >> 3) +  *(_t697 + 0x14);
												_t689[1] = _t602 & 0x00000007;
												_t470 =  *(_t684 + 0x2300 + _t663 * 2) & 0x0000ffff;
												L60:
												_t504 = _t504 + (_t470 & 0x0000ffff);
												__eflags = _t504;
												L61:
												 *(_t697 + 0x18) = _t504;
												goto L64;
											}
										}
										L45:
										_t504 = _t450 + 1;
										goto L61;
									}
								}
								L27:
								__eflags =  *((char*)(_t684 + 0x4c44));
								if( *((char*)(_t684 + 0x4c44)) == 0) {
									 *( *((intOrPtr*)(_t684 + 0x4b40)) +  *(_t684 + 0x7c)) = _t636;
									_t525 = _t684 + 0x7c;
									 *_t525 =  *_t525 + 1;
									continue;
								} else {
									 *(_t684 + 0x7c) =  *(_t684 + 0x7c) + 1;
									 *((char*)(E011E2391(_t684 + 0x4b44,  *(_t684 + 0x7c)))) = _t672 & 0x0000ffff;
									goto L0;
								}
							}
						}
						L12:
						__eflags = _t526 -  *(_t684 + 0x7c);
						if(_t526 ==  *(_t684 + 0x7c)) {
							goto L17;
						}
						L13:
						E011E5202(_t684);
						_t360 =  *(_t684 + 0x4c5c);
						__eflags = _t360 -  *((intOrPtr*)(_t684 + 0x4c4c));
						if(__eflags > 0) {
							goto L98;
						}
						L14:
						if(__eflags < 0) {
							L16:
							__eflags =  *((char*)(_t684 + 0x4c50));
							if( *((char*)(_t684 + 0x4c50)) != 0) {
								L156:
								 *((char*)(_t684 + 0x4c60)) = 0;
								goto L98;
							}
							goto L17;
						}
						L15:
						_t360 =  *(_t684 + 0x4c58);
						__eflags = _t360 -  *((intOrPtr*)(_t684 + 0x4c48));
						if(_t360 >  *((intOrPtr*)(_t684 + 0x4c48))) {
							goto L98;
						}
						goto L16;
					}
				}
			}

0x011e62ca
0x011e62ca
0x011e62ca
0x011e62ca
0x011e62ca
0x011e62cd
0x011e62cd
0x011e62d3
0x011e62de
0x00000000
0x011e62e0
0x011e62e0
0x00000000
0x011e62e0
0x011e62e6
0x011e62e6
0x011e62ef
0x011e62f2
0x00000000
0x00000000
0x011e6301
0x011e6308
0x011e690f
0x011e6911
0x011e6916
0x011e691d
0x011e691d
0x011e630e
0x011e630e
0x011e630f
0x011e6312
0x011e6319
0x00000000
0x00000000
0x011e631f
0x011e6327
0x011e6328
0x011e6329
0x011e632a
0x011e6331
0x00000000
0x011e6333
0x00000000
0x011e6333
0x011e6331
0x011e6338
0x011e633a
0x011e633f
0x011e6341
0x00000000
0x00000000
0x011e6347
0x011e6347
0x011e6358
0x011e635d
0x011e639e
0x011e63a0
0x011e63a7
0x011e63ad
0x011e63b3
0x011e63ba
0x011e63ed
0x011e63ef
0x011e63f0
0x011e63f1
0x011e63f3
0x011e640c
0x011e640f
0x011e6416
0x011e6419
0x011e641f
0x011e6423
0x011e642f
0x011e643b
0x011e643d
0x011e6443
0x011e6445
0x011e6445
0x011e6447
0x011e644f
0x00000000
0x011e63f5
0x011e63f8
0x011e63fb
0x011e63fb
0x011e63fb
0x011e63fd
0x011e640a
0x011e640a
0x011e640a
0x011e63ff
0x011e63ff
0x011e6400
0x011e6403
0x011e6406
0x00000000
0x011e6408
0x00000000
0x011e6408
0x011e6406
0x00000000
0x011e63fb
0x011e63bc
0x011e63be
0x011e63c1
0x011e63cb
0x011e63d3
0x011e63d6
0x011e63d9
0x011e63dc
0x011e63df
0x011e63e7
0x011e6453
0x011e6453
0x011e645b
0x011e645d
0x011e649d
0x011e649d
0x011e64a3
0x011e68e6
0x011e68e6
0x011e68e8
0x011e6920
0x011e6920
0x011e6926
0x011e6aab
0x011e6aab
0x011e6aab
0x011e6ab4
0x011e6ab7
0x011e6ab9
0x011e6abd
0x011e6acc
0x011e6ace
0x011e6ad1
0x011e6ad8
0x011e6ade
0x011e6ae4
0x011e6aeb
0x011e6b1b
0x011e6b1d
0x011e6b1e
0x011e6b1f
0x011e6b21
0x011e6b3d
0x011e6b40
0x011e6b44
0x011e6b47
0x011e6b4a
0x011e6b4d
0x011e6b57
0x011e6b5d
0x011e6b69
0x011e6b6b
0x011e6b71
0x011e6b73
0x011e6b73
0x011e6b75
0x011e6b7d
0x011e6b7d
0x011e6b80
0x011e6b83
0x011e6b95
0x011e6b9a
0x011e6b9d
0x011e6b9f
0x011e6ba3
0x011e6baa
0x011e6bb3
0x011e6bb5
0x011e6bbc
0x011e6bbf
0x011e6bbf
0x011e6bc2
0x011e6bc2
0x011e6b85
0x011e6b85
0x011e6b85
0x011e6bc5
0x011e6bcc
0x011e6bd0
0x011e6bd3
0x011e6be5
0x011e6be5
0x011e6bf0
0x011e6bf2
0x011e6bf7
0x011e6bf9
0x00000000
0x00000000
0x011e6bff
0x011e6bff
0x011e6c01
0x00000000
0x00000000
0x011e6c07
0x011e6c07
0x011e6c0d
0x011e6c11
0x011e6c17
0x011e6c18
0x011e6c1b
0x011e6c1d
0x011e69fc
0x011e69fc
0x011e69ff
0x011e6a01
0x011e68a1
0x011e68a1
0x00000000
0x011e68a1
0x011e6a07
0x011e6a09
0x011e6a0c
0x011e6a0f
0x011e6a12
0x00000000
0x00000000
0x011e6a18
0x011e6a1b
0x011e6a1e
0x011e6a21
0x011e6a24
0x00000000
0x00000000
0x011e6a2a
0x011e6a2d
0x011e6a30
0x011e6a33
0x011e6a36
0x00000000
0x00000000
0x011e6a3c
0x011e6a3f
0x011e6a42
0x011e6a45
0x011e6a48
0x00000000
0x00000000
0x011e6a4e
0x011e6a51
0x011e6a54
0x011e6a57
0x011e6a5a
0x00000000
0x00000000
0x011e6a60
0x011e6a63
0x011e6a66
0x011e6a69
0x011e6a6c
0x00000000
0x00000000
0x011e6a72
0x011e6a72
0x011e6a75
0x00000000
0x011e6a75
0x011e6c23
0x011e6c23
0x011e6c25
0x011e6c6b
0x011e6c6d
0x011e6c6d
0x011e6c70
0x011e6c74
0x011e6c76
0x011e6c76
0x011e6c79
0x011e6c7e
0x011e6c83
0x011e6c84
0x011e6c86
0x011e6c88
0x011e6c8a
0x011e6c8a
0x011e6c8a
0x011e69f8
0x011e69f8
0x00000000
0x011e69f8
0x011e6c27
0x011e6c29
0x011e6c29
0x011e6c2c
0x011e6c2c
0x011e6c2e
0x011e6c30
0x011e6c36
0x011e6c3c
0x011e6c42
0x011e6c48
0x011e6c4e
0x011e6c54
0x011e6c57
0x011e6c5a
0x011e6c5c
0x011e6c5f
0x011e6c61
0x011e6c61
0x011e6c61
0x00000000
0x011e6bd5
0x011e6bd5
0x011e6bd5
0x011e6bde
0x011e6bdf
0x011e678e
0x011e678e
0x011e6795
0x011e62ca
0x011e62ca
0x011e62ca
0x011e62ca
0x011e62cd
0x011e62cd
0x00000000
0x011e6c94
0x011e6c94
0x011e6c97
0x011e6c97
0x011e6c9f
0x011e6ca5
0x011e6ca5
0x011e6cab
0x011e6cad
0x011e6cb1
0x011e6cb7
0x011e6cbe
0x011e6cc0
0x011e6cc3
0x011e6cc3
0x011e6cc3
0x011e6cc8
0x011e6ccb
0x011e62ca
0x011e62ca
0x011e62ca
0x011e62ca
0x011e62ca
0x011e62cd
0x011e62d3
0x011e62de
0x00000000
0x011e62e0
0x011e62e0
0x00000000
0x011e62e0
0x011e62de
0x011e68fb
0x011e6902
0x011e6907
0x011e6907
0x00000000
0x011e68a9
0x011e68a9
0x011e68ac
0x011e68ac
0x011e68b4
0x011e68ba
0x011e68be
0x011e68be
0x011e68c4
0x011e68c6
0x011e68ca
0x011e68d0
0x011e68d7
0x011e68d9
0x011e68dc
0x011e68dc
0x011e68dc
0x00000000
0x011e68e1
0x011e62ca
0x011e6bd3
0x011e6b23
0x011e6b29
0x011e6b2c
0x011e6b2c
0x011e6b2c
0x011e6b2e
0x00000000
0x00000000
0x011e6b30
0x011e6b30
0x011e6b31
0x011e6b34
0x011e6b37
0x00000000
0x00000000
0x011e6b39
0x00000000
0x011e6b39
0x011e6b3b
0x011e6b3b
0x00000000
0x011e6b3b
0x011e6aed
0x011e6aef
0x011e6af2
0x011e6afc
0x011e6b04
0x011e6b07
0x011e6b0a
0x011e6b0d
0x011e6b15
0x00000000
0x00000000
0x00000000
0x00000000
0x011e6abf
0x011e6abf
0x011e6ac2
0x011e6ac4
0x011e6ac7
0x011e6ac7
0x011e6ac7
0x00000000
0x011e6abf
0x011e692c
0x011e692c
0x011e692f
0x011e6931
0x011e62ca
0x011e62ca
0x011e62ca
0x011e62ca
0x00000000
0x011e62ca
0x011e62ca
0x011e6937
0x011e6937
0x011e693e
0x011e6952
0x011e6952
0x011e695d
0x011e6960
0x011e6965
0x011e6967
0x011e6969
0x011e6a7d
0x011e6a7d
0x011e6a83
0x011e6a83
0x011e6a89
0x011e6a8b
0x011e6a8f
0x011e6a95
0x011e6a9c
0x011e6a9e
0x011e6aa1
0x011e6aa1
0x011e6aa1
0x00000000
0x011e6aa6
0x011e696f
0x011e696f
0x011e6971
0x00000000
0x00000000
0x011e6977
0x011e6977
0x011e697d
0x011e6981
0x011e6987
0x011e6988
0x011e698b
0x011e698d
0x00000000
0x00000000
0x011e698f
0x011e698f
0x011e6991
0x011e69d4
0x011e69d6
0x011e69d6
0x011e69d9
0x011e69dd
0x011e69df
0x011e69df
0x011e69e2
0x011e69e7
0x011e69ec
0x011e69ed
0x011e69ef
0x011e69f1
0x011e69f3
0x011e69f3
0x011e69f3
0x00000000
0x011e69df
0x011e6993
0x011e6995
0x011e6995
0x011e6998
0x011e6998
0x011e699a
0x011e699c
0x011e69a2
0x011e69a8
0x011e69ae
0x011e69b4
0x011e69ba
0x011e69c0
0x011e69c3
0x011e69c6
0x011e69c8
0x011e69cb
0x011e69cd
0x011e69cd
0x011e69cd
0x00000000
0x011e69d2
0x011e6940
0x011e6940
0x011e6949
0x011e694a
0x00000000
0x011e694a
0x011e68ea
0x011e68f0
0x011e68f2
0x011e68f7
0x011e68f9
0x00000000
0x00000000
0x00000000
0x011e68f9
0x011e64a9
0x011e64a9
0x011e64af
0x011e64b2
0x011e64c8
0x011e64cb
0x011e64d1
0x011e64d4
0x011e64d6
0x011e64da
0x011e64df
0x011e64e5
0x011e64f0
0x011e64f7
0x011e64f9
0x011e64f9
0x011e64fc
0x011e6500
0x011e6503
0x011e6503
0x011e64b4
0x011e64b4
0x011e64b8
0x011e64b8
0x011e6508
0x011e650f
0x011e6515
0x011e651b
0x011e6522
0x011e6561
0x011e6563
0x011e6564
0x011e6565
0x011e6567
0x011e6583
0x011e6586
0x011e658a
0x011e658d
0x011e6593
0x011e659d
0x011e65a0
0x011e65a6
0x011e65a9
0x011e65b6
0x011e65b8
0x011e65be
0x011e65c0
0x011e65c0
0x011e65c2
0x00000000
0x011e65c2
0x011e6569
0x011e656f
0x011e6572
0x011e6572
0x011e6572
0x011e6574
0x00000000
0x00000000
0x011e6576
0x011e6576
0x011e6577
0x011e657a
0x011e657d
0x00000000
0x00000000
0x011e657f
0x00000000
0x011e657f
0x011e6581
0x011e6581
0x00000000
0x011e6524
0x011e6524
0x011e6526
0x011e6529
0x011e652b
0x011e6537
0x011e653e
0x011e6542
0x011e6545
0x011e6549
0x011e6550
0x011e6553
0x011e6557
0x011e65ca
0x011e65ca
0x011e65cd
0x011e65d0
0x011e65da
0x011e65e4
0x011e65e9
0x011e65ea
0x011e65ee
0x011e65f0
0x011e65f4
0x011e65f6
0x011e6744
0x011e6744
0x011e6747
0x011e6747
0x011e674d
0x011e674f
0x011e6750
0x011e6756
0x011e6758
0x011e6759
0x011e675f
0x011e6761
0x011e6761
0x011e6761
0x011e675f
0x011e6756
0x011e6765
0x011e676b
0x011e6771
0x011e6774
0x011e6777
0x011e677e
0x011e6781
0x011e679f
0x011e679f
0x011e67aa
0x011e67ac
0x011e67b1
0x011e67b5
0x011e67b7
0x00000000
0x00000000
0x011e67bd
0x011e67bd
0x011e67bf
0x00000000
0x00000000
0x011e67c5
0x011e67c5
0x011e67cd
0x011e67d0
0x011e67d6
0x011e67d7
0x011e67da
0x011e67dc
0x011e67de
0x011e6856
0x011e6856
0x011e6858
0x011e685c
0x011e685f
0x011e6862
0x011e6867
0x011e686a
0x011e686d
0x011e6872
0x011e6875
0x011e6878
0x011e687d
0x011e6880
0x011e6883
0x011e6888
0x011e688b
0x011e688e
0x011e6893
0x011e6896
0x011e6899
0x011e689e
0x011e689e
0x011e6899
0x011e688e
0x011e6883
0x011e6878
0x011e686d
0x011e6862
0x00000000
0x011e6858
0x011e67e0
0x011e67e0
0x011e67e4
0x011e682a
0x011e682c
0x011e682c
0x011e682f
0x011e6833
0x011e6835
0x011e6835
0x011e6838
0x011e683d
0x011e6842
0x011e6843
0x011e6845
0x011e6847
0x011e6849
0x011e6849
0x011e6849
0x011e684e
0x011e6852
0x00000000
0x011e6852
0x011e67e6
0x011e67e8
0x011e67e8
0x011e67eb
0x011e67eb
0x011e67ed
0x011e67ef
0x011e67f5
0x011e67fb
0x011e6801
0x011e6807
0x011e680d
0x011e6813
0x011e6816
0x011e6819
0x011e681b
0x011e681e
0x011e6820
0x011e6820
0x011e6820
0x011e6825
0x00000000
0x011e6783
0x011e6783
0x011e6783
0x011e678c
0x011e678d
0x00000000
0x011e678d
0x011e6781
0x011e65fc
0x011e65fc
0x011e65ff
0x011e670e
0x011e6711
0x011e671a
0x011e6723
0x011e6727
0x011e672b
0x011e6732
0x011e673c
0x011e673f
0x00000000
0x011e673f
0x011e6605
0x011e6605
0x011e6649
0x011e6607
0x011e660a
0x011e6617
0x011e6626
0x011e662a
0x011e662e
0x011e6634
0x011e6636
0x011e6639
0x011e663d
0x011e6640
0x011e6644
0x011e6644
0x011e664e
0x011e6655
0x011e665b
0x011e6661
0x011e6668
0x011e6699
0x011e669b
0x011e669c
0x011e669d
0x011e66a1
0x011e66a3
0x011e66c1
0x011e66c4
0x011e66d0
0x011e66d3
0x011e66d7
0x011e66dc
0x011e66ef
0x011e66f1
0x011e66f7
0x011e66f9
0x011e66f9
0x011e66fb
0x00000000
0x011e66fb
0x011e66a5
0x011e66ab
0x011e66ae
0x011e66ae
0x011e66ae
0x011e66b0
0x00000000
0x00000000
0x011e66b2
0x011e66b2
0x011e66b3
0x011e66b6
0x011e66b9
0x00000000
0x00000000
0x011e66bb
0x00000000
0x011e66bb
0x011e66bd
0x011e66bd
0x00000000
0x011e666a
0x011e666a
0x011e666c
0x011e666f
0x011e6679
0x011e6689
0x011e668c
0x011e668f
0x011e6703
0x011e6706
0x011e6706
0x011e6708
0x011e6708
0x00000000
0x011e6708
0x011e6668
0x011e65d2
0x011e65d2
0x00000000
0x011e65d2
0x011e6522
0x011e645f
0x011e645f
0x011e6466
0x011e6490
0x011e6493
0x011e6496
0x00000000
0x011e6468
0x011e6475
0x011e6480
0x00000000
0x011e6480
0x011e6466
0x011e63ba
0x011e635f
0x011e635f
0x011e6362
0x00000000
0x00000000
0x011e6364
0x011e6366
0x011e636b
0x011e6371
0x011e6377
0x00000000
0x00000000
0x011e637d
0x011e637d
0x011e6391
0x011e6391
0x011e6398
0x011e6cd0
0x011e6cd0
0x00000000
0x011e6cd0
0x00000000
0x011e6398
0x011e637f
0x011e637f
0x011e6385
0x011e638b
0x00000000
0x00000000
0x00000000
0x011e638b
0x011e62cd

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: 4f002064a146910c12fafbce595533c71b1fbb0c537ccd37f2a66aa1adbfef5a
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: 8A621771604B858FCB2DCF68C8946B9BBE1BFA5304F48896DD8EA8B346D730E545CB11

Uniqueness

Uniqueness Score: -1.00%

Function 011E77EF Relevance: .8, Instructions: 817
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E011E77EF(signed int __ecx) {
				signed int _t363;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				signed int _t373;
				signed int _t374;
				signed int _t375;
				signed int _t376;
				signed int _t377;
				signed int _t378;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				void* _t385;
				signed int _t388;
				signed int _t389;
				intOrPtr _t391;
				signed int _t401;
				char _t410;
				unsigned int _t411;
				void* _t421;
				signed int _t422;
				signed int _t423;
				intOrPtr _t425;
				signed int _t428;
				char _t437;
				signed int _t439;
				signed int _t441;
				signed int _t444;
				signed int* _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t457;
				void* _t462;
				signed int _t463;
				signed int _t464;
				intOrPtr _t466;
				signed int _t469;
				char _t478;
				unsigned int _t479;
				signed int* _t483;
				signed int _t484;
				signed int _t485;
				signed int _t486;
				signed int _t491;
				signed int _t492;
				signed short _t493;
				unsigned int _t499;
				signed int _t500;
				signed int* _t506;
				unsigned int _t507;
				intOrPtr _t520;
				intOrPtr* _t521;
				intOrPtr _t523;
				signed int* _t524;
				signed int _t525;
				intOrPtr _t526;
				signed int _t528;
				void* _t529;
				signed int _t532;
				signed int* _t534;
				unsigned int _t537;
				signed int _t538;
				void* _t539;
				signed int _t542;
				signed int _t544;
				signed int _t547;
				void* _t549;
				unsigned int _t552;
				signed int _t553;
				intOrPtr* _t555;
				void* _t556;
				signed int _t559;
				signed int _t560;
				signed int _t561;
				signed int _t564;
				signed int* _t569;
				void* _t570;
				signed int _t573;
				signed int _t575;
				signed int _t577;
				signed int _t580;
				void* _t582;
				unsigned int _t585;
				signed int _t586;
				signed int _t588;
				signed int _t590;
				void* _t592;
				signed int _t595;
				intOrPtr* _t597;
				void* _t598;
				signed int _t601;
				void* _t604;
				signed int _t607;
				signed int _t608;
				intOrPtr* _t610;
				void* _t611;
				signed int _t614;
				signed int _t615;
				void* _t617;
				signed int _t620;
				intOrPtr* _t623;
				void* _t624;
				signed int _t628;
				unsigned int _t630;
				signed int _t633;
				signed int _t634;
				signed int _t635;
				unsigned int _t637;
				signed int _t640;
				void* _t643;
				signed int* _t644;
				signed int _t645;
				signed int _t646;
				void* _t649;
				unsigned int _t651;
				signed int _t654;
				signed int _t658;
				void* _t661;
				signed int* _t662;
				unsigned int _t664;
				signed int _t667;
				signed int _t669;
				signed int _t670;
				signed int _t671;
				intOrPtr* _t672;
				signed int _t673;
				signed int* _t674;
				signed int _t676;
				signed int _t677;
				unsigned int _t681;
				signed int _t682;
				signed int _t686;
				signed int _t687;
				signed int _t688;
				signed int _t689;
				signed int* _t690;
				signed int* _t691;
				signed int* _t692;
				signed int _t694;
				unsigned int _t696;
				signed int _t697;
				signed int _t698;
				signed int* _t699;
				signed int _t702;
				signed int _t704;
				signed int _t705;
				signed int _t707;
				signed int _t709;
				char* _t710;
				signed int _t711;
				unsigned int _t713;
				signed int _t714;
				signed int _t715;
				signed int _t716;
				signed int _t723;
				signed int _t724;
				void* _t725;

				_t520 =  *((intOrPtr*)(_t725 + 0x40));
				_t686 = __ecx;
				_t692 = _t520 + 4;
				 *(_t725 + 0x24) = __ecx;
				_t672 = _t520 + 0x18;
				 *(_t725 + 0x10) = _t692;
				if( *((char*)(_t520 + 0x2c)) != 0) {
					 *(_t725 + 0x10) = _t692;
					L4:
					_t523 =  *_t672;
					if( *_t692 <=  *((intOrPtr*)(_t520 + 0x24)) + _t523) {
						_t363 =  *((intOrPtr*)(_t520 + 0x20)) - 1 + _t523;
						_t694 =  *((intOrPtr*)(_t520 + 0x4acc)) - 0x10;
						 *(_t725 + 0x18) = _t363;
						 *(_t725 + 0x14) = _t694;
						 *(_t725 + 0x2c) = _t363;
						__eflags = _t363 - _t694;
						if(_t363 >= _t694) {
							 *(_t725 + 0x2c) = _t694;
						}
						_t524 =  *(_t725 + 0x10);
						while(1) {
							_t673 =  *(_t686 + 0xe6dc);
							_t628 =  *(_t686 + 0x7c) & _t673;
							 *(_t686 + 0x7c) = _t628;
							_t525 =  *_t524;
							__eflags = _t525 -  *(_t725 + 0x2c);
							if(_t525 <  *(_t725 + 0x2c)) {
								goto L19;
							}
							L13:
							__eflags = _t525 - _t363;
							if(__eflags > 0) {
								L145:
								return 1;
							}
							if(__eflags != 0) {
								L16:
								__eflags = _t525 - _t705;
								if(_t525 < _t705) {
									L18:
									__eflags = _t525 -  *((intOrPtr*)(_t520 + 0x4acc));
									if(_t525 >=  *((intOrPtr*)(_t520 + 0x4acc))) {
										L144:
										 *((char*)(_t520 + 0x4ad3)) = 1;
										goto L145;
									}
									goto L19;
								}
								__eflags =  *((char*)(_t520 + 0x4ad2));
								if( *((char*)(_t520 + 0x4ad2)) == 0) {
									goto L144;
								}
								goto L18;
							}
							__eflags =  *((intOrPtr*)(_t520 + 8)) -  *((intOrPtr*)(_t520 + 0x1c));
							if( *((intOrPtr*)(_t520 + 8)) >=  *((intOrPtr*)(_t520 + 0x1c))) {
								goto L145;
							}
							goto L16;
							L19:
							_t526 =  *((intOrPtr*)(_t686 + 0x4b3c));
							__eflags = (_t526 - _t628 & _t673) - 0x1004;
							if((_t526 - _t628 & _t673) >= 0x1004) {
								L24:
								_t674 =  *(_t725 + 0x10);
								_t367 = E011DA89D(_t674);
								_t368 =  *(_t520 + 0xb4);
								_t630 = _t367 & 0x0000fffe;
								__eflags = _t630 -  *((intOrPtr*)(_t520 + 0x34 + _t368 * 4));
								if(_t630 >=  *((intOrPtr*)(_t520 + 0x34 + _t368 * 4))) {
									_t528 = 0xf;
									_t369 = _t368 + 1;
									 *(_t725 + 0x28) = _t528;
									__eflags = _t369 - _t528;
									if(_t369 >= _t528) {
										L32:
										_t696 = _t674[1] + _t528;
										_t697 = _t696 & 0x00000007;
										 *_t674 =  *_t674 + (_t696 >> 3);
										 *(_t725 + 0x1c) =  *_t674;
										_t373 =  *(_t725 + 0x28);
										_t674[1] = _t697;
										_t529 = 0x10;
										_t532 =  *((intOrPtr*)(_t520 + 0x74 + _t373 * 4)) + (_t630 -  *((intOrPtr*)(_t520 + 0x30 + _t373 * 4)) >> _t529 - _t373);
										__eflags = _t532 -  *((intOrPtr*)(_t520 + 0x30));
										asm("sbb eax, eax");
										_t374 = _t373 & _t532;
										__eflags = _t374;
										_t524 =  *(_t725 + 0x10);
										_t633 =  *(_t520 + 0xcb8 + _t374 * 2) & 0x0000ffff;
										_t375 =  *(_t725 + 0x1c);
										L33:
										_t634 = _t633 & 0x0000ffff;
										__eflags = _t634 - 0x100;
										if(_t634 >= 0x100) {
											__eflags = _t634 - 0x106;
											if(_t634 < 0x106) {
												__eflags = _t634 - 0x100;
												if(_t634 != 0x100) {
													__eflags = _t634 - 0x101;
													if(_t634 != 0x101) {
														_t635 = _t634 + 0xfffffefe;
														__eflags = _t635;
														_t534 = _t686 + (_t635 + 0x18) * 4;
														_t698 =  *_t534;
														 *(_t725 + 0x28) = _t698;
														if(_t635 == 0) {
															L117:
															 *(_t686 + 0x60) = _t698;
															_t699 =  *(_t725 + 0x10);
															_t376 = E011DA89D(_t699);
															_t377 =  *(_t520 + 0x2d78);
															_t637 = _t376 & 0x0000fffe;
															__eflags = _t637 -  *((intOrPtr*)(_t520 + 0x2cf8 + _t377 * 4));
															if(_t637 >=  *((intOrPtr*)(_t520 + 0x2cf8 + _t377 * 4))) {
																_t676 = 0xf;
																_t378 = _t377 + 1;
																__eflags = _t378 - _t676;
																if(_t378 >= _t676) {
																	L125:
																	_t537 = _t699[1] + _t676;
																	_t538 = _t537 & 0x00000007;
																	_t699[1] = _t538;
																	 *_t699 =  *_t699 + (_t537 >> 3);
																	_t381 =  *_t699;
																	 *(_t725 + 0x34) = _t538;
																	_t539 = 0x10;
																	 *(_t725 + 0x30) = _t381;
																	_t542 =  *((intOrPtr*)(_t520 + 0x2d38 + _t676 * 4)) + (_t637 -  *((intOrPtr*)(_t520 + 0x2cf4 + _t676 * 4)) >> _t539 - _t676);
																	__eflags = _t542 -  *((intOrPtr*)(_t520 + 0x2cf4));
																	asm("sbb eax, eax");
																	_t382 = _t381 & _t542;
																	__eflags = _t382;
																	_t383 =  *(_t520 + 0x397c + _t382 * 2) & 0x0000ffff;
																	L126:
																	_t677 = _t383 & 0x0000ffff;
																	__eflags = _t677 - 8;
																	if(_t677 >= 8) {
																		_t702 = (_t677 >> 2) - 1;
																		_t681 = ((_t677 & 0x00000003 | 0x00000004) << _t702) + 2;
																		__eflags = _t702;
																		if(_t702 != 0) {
																			_t411 = E011DA89D( *(_t725 + 0x10));
																			_t644 =  *(_t725 + 0x10);
																			_t549 = 0x10;
																			_t681 = _t681 + (_t411 >> _t549 - _t702);
																			_t552 =  *(_t725 + 0x34) + _t702;
																			_t553 = _t552 & 0x00000007;
																			__eflags = _t553;
																			 *_t644 = (_t552 >> 3) +  *(_t725 + 0x30);
																			_t644[1] = _t553;
																		}
																	} else {
																		_t681 = _t677 + 2;
																	}
																	_t640 =  *(_t686 + 0x7c);
																	_t544 =  *(_t725 + 0x28);
																	_t385 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
																	_t704 = _t640 - _t544;
																	 *(_t686 + 0x74) = _t681;
																	__eflags = _t704 - _t385;
																	if(_t704 >= _t385) {
																		L140:
																		_t524 =  *(_t725 + 0x10);
																		_t363 =  *(_t725 + 0x18);
																		__eflags = _t681;
																		if(_t681 == 0) {
																			goto L11;
																		}
																		_t388 =  *(_t686 + 0xe6dc);
																		do {
																			_t389 = _t388 & _t704;
																			_t704 = _t704 + 1;
																			 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t640)) =  *((intOrPtr*)(_t389 +  *((intOrPtr*)(_t686 + 0x4b40))));
																			_t388 =  *(_t686 + 0xe6dc);
																			_t640 =  *(_t686 + 0x7c) + 0x00000001 & _t388;
																			 *(_t686 + 0x7c) = _t640;
																			_t681 = _t681 - 1;
																			__eflags = _t681;
																		} while (_t681 != 0);
																		goto L35;
																	} else {
																		__eflags = _t640 - _t385;
																		if(_t640 >= _t385) {
																			goto L140;
																		}
																		_t391 =  *((intOrPtr*)(_t686 + 0x4b40));
																		_t521 = _t391 + _t704;
																		_t710 = _t391 + _t640;
																		_t643 = 8;
																		 *(_t686 + 0x7c) = _t640 + _t681;
																		__eflags = _t681 - _t643;
																		if(_t681 < _t643) {
																			L84:
																			_t363 =  *(_t725 + 0x18);
																			_t524 =  *(_t725 + 0x10);
																			__eflags = _t681;
																			if(_t681 == 0) {
																				L10:
																				_t520 =  *((intOrPtr*)(_t725 + 0x4c));
																				L11:
																				_t705 =  *(_t725 + 0x14);
																				continue;
																				do {
																					do {
																						_t673 =  *(_t686 + 0xe6dc);
																						_t628 =  *(_t686 + 0x7c) & _t673;
																						 *(_t686 + 0x7c) = _t628;
																						_t525 =  *_t524;
																						__eflags = _t525 -  *(_t725 + 0x2c);
																						if(_t525 <  *(_t725 + 0x2c)) {
																							goto L19;
																						}
																						goto L13;
																					} while (_t681 == 0);
																					_t646 =  *(_t686 + 0x7c);
																					_t561 =  *(_t686 + 0x60);
																					_t421 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
																					_t709 = _t646 - _t561;
																					__eflags = _t709 - _t421;
																					if(_t709 >= _t421) {
																						L112:
																						_t422 =  *(_t686 + 0xe6dc);
																						do {
																							_t423 = _t422 & _t709;
																							_t709 = _t709 + 1;
																							 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t646)) =  *((intOrPtr*)(_t423 +  *((intOrPtr*)(_t686 + 0x4b40))));
																							_t422 =  *(_t686 + 0xe6dc);
																							_t646 =  *(_t686 + 0x7c) + 0x00000001 & _t422;
																							 *(_t686 + 0x7c) = _t646;
																							_t681 = _t681 - 1;
																							__eflags = _t681;
																						} while (_t681 != 0);
																						L35:
																						_t524 =  *(_t725 + 0x10);
																						_t363 =  *(_t725 + 0x18);
																						goto L11;
																					}
																					__eflags = _t646 - _t421;
																					if(_t646 >= _t421) {
																						goto L112;
																					}
																					_t425 =  *((intOrPtr*)(_t686 + 0x4b40));
																					_t521 = _t425 + _t709;
																					_t710 = _t425 + _t646;
																					_t649 = 8;
																					 *(_t686 + 0x7c) = _t646 + _t681;
																					__eflags = _t681 - _t649;
																					if(_t681 < _t649) {
																						goto L84;
																					}
																					__eflags = _t561 - _t681;
																					if(_t561 >= _t681) {
																						_t428 = _t681 >> 3;
																						__eflags = _t428;
																						 *(_t725 + 0x34) = _t428;
																						_t688 = _t428;
																						do {
																							E011F0320(_t710, _t521, _t649);
																							_t725 = _t725 + 0xc;
																							_t649 = 8;
																							_t521 = _t521 + _t649;
																							_t710 = _t710 + _t649;
																							_t681 = _t681 - _t649;
																							_t688 = _t688 - 1;
																							__eflags = _t688;
																						} while (_t688 != 0);
																						L83:
																						_t686 =  *(_t725 + 0x24);
																						goto L84;
																					}
																					_t564 = _t681 >> 3;
																					__eflags = _t564;
																					do {
																						_t681 = _t681 - _t649;
																						 *_t710 =  *_t521;
																						 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																						 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																						 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																						 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																						 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																						 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																						_t437 =  *((intOrPtr*)(_t521 + 7));
																						_t521 = _t521 + _t649;
																						 *((char*)(_t710 + 7)) = _t437;
																						_t710 = _t710 + _t649;
																						_t564 = _t564 - 1;
																						__eflags = _t564;
																					} while (_t564 != 0);
																					goto L84;
																					L92:
																					_t524 =  *(_t725 + 0x10);
																					_t705 =  *(_t725 + 0x14);
																					_t363 =  *(_t725 + 0x18);
																					__eflags = _t681;
																				} while (_t681 == 0);
																				_t463 =  *(_t686 + 0xe6dc);
																				_t716 =  *(_t725 + 0x34);
																				do {
																					_t464 = _t463 & _t716;
																					_t716 = _t716 + 1;
																					 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t658)) =  *((intOrPtr*)(_t464 +  *((intOrPtr*)(_t686 + 0x4b40))));
																					_t463 =  *(_t686 + 0xe6dc);
																					_t658 =  *(_t686 + 0x7c) + 0x00000001 & _t463;
																					 *(_t686 + 0x7c) = _t658;
																					_t681 = _t681 - 1;
																					__eflags = _t681;
																				} while (_t681 != 0);
																				goto L35;
																			}
																			 *_t710 =  *_t521;
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 1;
																			if(_t681 <= 1) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 2;
																			if(_t681 <= 2) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 3;
																			if(_t681 <= 3) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 4;
																			if(_t681 <= 4) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 5;
																			if(_t681 <= 5) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 6;
																			if(_t681 <= 6) {
																				goto L10;
																			}
																			_t520 =  *((intOrPtr*)(_t725 + 0x4c));
																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																			goto L35;
																		}
																		__eflags = _t544 - _t681;
																		if(_t544 >= _t681) {
																			_t401 = _t681 >> 3;
																			__eflags = _t401;
																			 *(_t725 + 0x34) = _t401;
																			_t687 = _t401;
																			do {
																				E011F0320(_t710, _t521, _t643);
																				_t725 = _t725 + 0xc;
																				_t643 = 8;
																				_t521 = _t521 + _t643;
																				_t710 = _t710 + _t643;
																				_t681 = _t681 - _t643;
																				_t687 = _t687 - 1;
																				__eflags = _t687;
																			} while (_t687 != 0);
																			goto L83;
																		}
																		_t547 = _t681 >> 3;
																		__eflags = _t547;
																		do {
																			_t681 = _t681 - _t643;
																			 *_t710 =  *_t521;
																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																			_t410 =  *((intOrPtr*)(_t521 + 7));
																			_t521 = _t521 + _t643;
																			 *((char*)(_t710 + 7)) = _t410;
																			_t710 = _t710 + _t643;
																			_t547 = _t547 - 1;
																			__eflags = _t547;
																		} while (_t547 != 0);
																		goto L84;
																	}
																}
																_t555 = _t520 + (_t378 + 0xb3e) * 4;
																while(1) {
																	__eflags = _t637 -  *_t555;
																	if(_t637 <  *_t555) {
																		break;
																	}
																	_t378 = _t378 + 1;
																	_t555 = _t555 + 4;
																	__eflags = _t378 - 0xf;
																	if(_t378 < 0xf) {
																		continue;
																	}
																	goto L125;
																}
																_t676 = _t378;
																goto L125;
															}
															_t556 = 0x10;
															_t645 = _t637 >> _t556 - _t377;
															_t559 = ( *(_t645 + _t520 + 0x2d7c) & 0x000000ff) + _t699[1];
															 *_t699 =  *_t699 + (_t559 >> 3);
															_t560 = _t559 & 0x00000007;
															 *(_t725 + 0x30) =  *_t699;
															_t699[1] = _t560;
															_t383 =  *(_t520 + 0x317c + _t645 * 2) & 0x0000ffff;
															 *(_t725 + 0x34) = _t560;
															goto L126;
														} else {
															goto L116;
														}
														do {
															L116:
															 *_t534 =  *(_t534 - 4);
															_t534 = _t534 - 4;
															_t635 = _t635 - 1;
															__eflags = _t635;
														} while (_t635 != 0);
														goto L117;
													}
													_t681 =  *(_t686 + 0x74);
													_t705 =  *(_t725 + 0x14);
													_t363 =  *(_t725 + 0x18);
													__eflags = _t681;
												}
												_push(_t725 + 0x38);
												_t439 = E011E3F9D(_t686, _t524);
												__eflags = _t439;
												if(_t439 == 0) {
													goto L145;
												}
												_t441 = E011E253E(_t686, _t725 + 0x38);
												__eflags = _t441;
												if(_t441 == 0) {
													goto L145;
												}
												goto L35;
											}
											_t682 = _t634 - 0x106;
											__eflags = _t682 - 8;
											if(_t682 >= 8) {
												_t444 = (_t682 >> 2) - 1;
												 *(_t725 + 0x34) = _t444;
												_t681 = ((_t682 & 0x00000003 | 0x00000004) << _t444) + 2;
												__eflags = _t444;
												if(_t444 == 0) {
													L39:
													_t445 =  *(_t725 + 0x10);
													L40:
													_t446 = E011DA89D(_t445);
													_t447 =  *(_t520 + 0xfa0);
													_t651 = _t446 & 0x0000fffe;
													__eflags = _t651 -  *((intOrPtr*)(_t520 + 0xf20 + _t447 * 4));
													if(_t651 >=  *((intOrPtr*)(_t520 + 0xf20 + _t447 * 4))) {
														_t711 = 0xf;
														_t448 = _t447 + 1;
														 *(_t725 + 0x28) = _t711;
														__eflags = _t448 - _t711;
														if(_t448 >= _t711) {
															L50:
															_t569 =  *(_t725 + 0x10);
															_t713 = _t569[1] +  *(_t725 + 0x2c);
															_t714 = _t713 & 0x00000007;
															 *_t569 =  *_t569 + (_t713 >> 3);
															 *(_t725 + 0x24) =  *_t569;
															_t452 =  *(_t725 + 0x2c);
															_t569[1] = _t714;
															_t570 = 0x10;
															 *(_t725 + 0x1c) = _t714;
															_t573 =  *((intOrPtr*)(_t520 + 0xf60 + _t452 * 4)) + (_t651 -  *((intOrPtr*)(_t520 + 0xf1c + _t452 * 4)) >> _t570 - _t452);
															__eflags = _t573 -  *((intOrPtr*)(_t520 + 0xf1c));
															asm("sbb eax, eax");
															_t453 = _t452 & _t573;
															__eflags = _t453;
															_t454 =  *(_t520 + 0x1ba4 + _t453 * 2) & 0x0000ffff;
															L51:
															_t654 = _t454 & 0x0000ffff;
															__eflags = _t654 - 4;
															if(_t654 >= 4) {
																_t457 = (_t654 >> 1) - 1;
																 *(_t725 + 0x30) = _t457;
																_t575 = ((_t654 & 0x00000001 | 0x00000002) << _t457) + 1;
																 *(_t725 + 0x34) = _t575;
																_t715 = _t575;
																 *(_t725 + 0x28) = _t715;
																__eflags = _t457;
																if(_t457 == 0) {
																	L70:
																	__eflags = _t715 - 0x100;
																	if(_t715 > 0x100) {
																		_t681 = _t681 + 1;
																		__eflags = _t715 - 0x2000;
																		if(_t715 > 0x2000) {
																			_t681 = _t681 + 1;
																			__eflags = _t715 - 0x40000;
																			if(_t715 > 0x40000) {
																				_t681 = _t681 + 1;
																				__eflags = _t681;
																			}
																		}
																	}
																	 *(_t686 + 0x6c) =  *(_t686 + 0x68);
																	 *(_t686 + 0x68) =  *(_t686 + 0x64);
																	 *(_t686 + 0x64) =  *(_t686 + 0x60);
																	 *(_t686 + 0x60) = _t715;
																	_t658 =  *(_t686 + 0x7c);
																	_t577 = _t658 - _t715;
																	_t462 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
																	 *(_t686 + 0x74) = _t681;
																	 *(_t725 + 0x34) = _t577;
																	__eflags = _t577 - _t462;
																	if(_t577 >= _t462) {
																		goto L92;
																	} else {
																		__eflags = _t658 - _t462;
																		if(_t658 >= _t462) {
																			goto L92;
																		}
																		_t466 =  *((intOrPtr*)(_t686 + 0x4b40));
																		_t710 = _t466 + _t658;
																		_t521 = _t466 + _t577;
																		_t661 = 8;
																		 *(_t686 + 0x7c) = _t658 + _t681;
																		__eflags = _t681 - _t661;
																		if(_t681 < _t661) {
																			goto L84;
																		}
																		__eflags =  *(_t725 + 0x28) - _t681;
																		if( *(_t725 + 0x28) >= _t681) {
																			_t469 = _t681 >> 3;
																			__eflags = _t469;
																			 *(_t725 + 0x34) = _t469;
																			_t689 = _t469;
																			do {
																				E011F0320(_t710, _t521, _t661);
																				_t725 = _t725 + 0xc;
																				_t661 = 8;
																				_t521 = _t521 + _t661;
																				_t710 = _t710 + _t661;
																				_t681 = _t681 - _t661;
																				_t689 = _t689 - 1;
																				__eflags = _t689;
																			} while (_t689 != 0);
																			goto L83;
																		}
																		_t580 = _t681 >> 3;
																		__eflags = _t580;
																		do {
																			_t681 = _t681 - _t661;
																			 *_t710 =  *_t521;
																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																			_t478 =  *((intOrPtr*)(_t521 + 7));
																			_t521 = _t521 + _t661;
																			 *((char*)(_t710 + 7)) = _t478;
																			_t710 = _t710 + _t661;
																			_t580 = _t580 - 1;
																			__eflags = _t580;
																		} while (_t580 != 0);
																		goto L84;
																	}
																}
																__eflags = _t457 - 4;
																if(__eflags < 0) {
																	_t479 = E011E8934( *(_t725 + 0x10));
																	_t662 =  *(_t725 + 0x10);
																	_t582 = 0x20;
																	_t585 =  *(_t725 + 0x1c) +  *(_t725 + 0x30);
																	_t715 = (_t479 >> _t582 -  *(_t725 + 0x30)) +  *(_t725 + 0x34);
																	_t586 = _t585 & 0x00000007;
																	__eflags = _t586;
																	 *_t662 = (_t585 >> 3) +  *(_t725 + 0x20);
																	_t662[1] = _t586;
																	L69:
																	 *(_t725 + 0x28) = _t715;
																	goto L70;
																}
																if(__eflags <= 0) {
																	_t483 =  *(_t725 + 0x10);
																} else {
																	_t499 = E011E8934( *(_t725 + 0x10));
																	_t500 =  *(_t725 + 0x30);
																	_t604 = 0x24;
																	_t607 =  *(_t725 + 0x1c) + _t500 + 0xfffffffc;
																	_t715 = (_t499 >> _t604 - _t500 << 4) +  *(_t725 + 0x34);
																	_t669 =  *(_t725 + 0x20) + (_t607 >> 3);
																	_t483 =  *(_t725 + 0x10);
																	_t608 = _t607 & 0x00000007;
																	 *(_t725 + 0x20) = _t669;
																	 *(_t725 + 0x1c) = _t608;
																	 *_t483 = _t669;
																	_t483[1] = _t608;
																}
																_t484 = E011DA89D(_t483);
																_t485 =  *(_t520 + 0x1e8c);
																_t664 = _t484 & 0x0000fffe;
																__eflags = _t664 -  *((intOrPtr*)(_t520 + 0x1e0c + _t485 * 4));
																if(_t664 >=  *((intOrPtr*)(_t520 + 0x1e0c + _t485 * 4))) {
																	_t588 = 0xf;
																	_t486 = _t485 + 1;
																	 *(_t725 + 0x28) = _t588;
																	__eflags = _t486 - _t588;
																	if(_t486 >= _t588) {
																		L66:
																		_t690 =  *(_t725 + 0x10);
																		_t590 = ( *(_t725 + 0x10))[1] +  *(_t725 + 0x2c);
																		 *_t690 =  *_t690 + (_t590 >> 3);
																		_t690[1] = _t590 & 0x00000007;
																		_t491 =  *(_t725 + 0x2c);
																		_t592 = 0x10;
																		_t595 =  *((intOrPtr*)(_t520 + 0x1e4c + _t491 * 4)) + (_t664 -  *((intOrPtr*)(_t520 + 0x1e08 + _t491 * 4)) >> _t592 - _t491);
																		__eflags = _t595 -  *((intOrPtr*)(_t520 + 0x1e08));
																		asm("sbb eax, eax");
																		_t492 = _t491 & _t595;
																		__eflags = _t492;
																		_t493 =  *(_t520 + 0x2a90 + _t492 * 2) & 0x0000ffff;
																		goto L67;
																	}
																	_t597 = _t520 + (_t486 + 0x783) * 4;
																	while(1) {
																		__eflags = _t664 -  *_t597;
																		if(_t664 <  *_t597) {
																			break;
																		}
																		_t486 = _t486 + 1;
																		_t597 = _t597 + 4;
																		__eflags = _t486 - 0xf;
																		if(_t486 < 0xf) {
																			continue;
																		}
																		goto L66;
																	}
																	 *(_t725 + 0x28) = _t486;
																	goto L66;
																} else {
																	_t691 =  *(_t725 + 0x10);
																	_t598 = 0x10;
																	_t667 = _t664 >> _t598 - _t485;
																	_t601 = ( *(_t667 + _t520 + 0x1e90) & 0x000000ff) +  *(_t725 + 0x1c);
																	 *_t691 = (_t601 >> 3) +  *(_t725 + 0x20);
																	_t691[1] = _t601 & 0x00000007;
																	_t493 =  *(_t520 + 0x2290 + _t667 * 2) & 0x0000ffff;
																	L67:
																	_t686 =  *(_t725 + 0x24);
																	_t715 = _t715 + (_t493 & 0x0000ffff);
																	goto L69;
																}
															}
															_t715 = _t654 + 1;
															goto L69;
														}
														_t610 = _t520 + (_t448 + 0x3c8) * 4;
														while(1) {
															__eflags = _t651 -  *_t610;
															if(_t651 <  *_t610) {
																break;
															}
															_t448 = _t448 + 1;
															_t610 = _t610 + 4;
															__eflags = _t448 - _t711;
															if(_t448 < _t711) {
																continue;
															}
															goto L50;
														}
														 *(_t725 + 0x28) = _t448;
														goto L50;
													}
													_t611 = 0x10;
													_t670 = _t651 >> _t611 - _t447;
													_t614 = ( *(_t670 + _t520 + 0xfa4) & 0x000000ff) + _t697;
													_t723 =  *(_t725 + 0x1c) + (_t614 >> 3);
													_t506 =  *(_t725 + 0x10);
													_t615 = _t614 & 0x00000007;
													 *(_t725 + 0x20) = _t723;
													 *(_t725 + 0x1c) = _t615;
													 *_t506 = _t723;
													_t506[1] = _t615;
													_t454 =  *(_t520 + 0x13a4 + _t670 * 2) & 0x0000ffff;
													goto L51;
												}
												_t507 = E011DA89D( *(_t725 + 0x10));
												_t724 = _t697 +  *(_t725 + 0x34);
												_t617 = 0x10;
												_t681 = _t681 + (_t507 >> _t617 -  *(_t725 + 0x34));
												_t620 =  *(_t725 + 0x1c) + (_t724 >> 3);
												_t445 =  *(_t725 + 0x10);
												_t697 = _t724 & 0x00000007;
												 *(_t725 + 0x1c) = _t620;
												 *_t445 = _t620;
												_t445[1] = _t697;
												goto L40;
											}
											 *(_t725 + 0x1c) = _t375;
											_t681 = _t682 + 2;
											__eflags = _t681;
											goto L39;
										}
										 *( *((intOrPtr*)(_t686 + 0x4b40)) +  *(_t686 + 0x7c)) = _t634;
										_t72 = _t686 + 0x7c;
										 *_t72 =  *(_t686 + 0x7c) + 1;
										__eflags =  *_t72;
										goto L35;
									}
									_t623 = _t520 + (_t369 + 0xd) * 4;
									while(1) {
										__eflags = _t630 -  *_t623;
										if(_t630 <  *_t623) {
											break;
										}
										_t369 = _t369 + 1;
										_t623 = _t623 + 4;
										__eflags = _t369 - 0xf;
										if(_t369 < 0xf) {
											continue;
										}
										_t528 =  *(_t725 + 0x28);
										goto L32;
									}
									_t528 = _t369;
									 *(_t725 + 0x28) = _t369;
									goto L32;
								}
								_t624 = 0x10;
								_t671 = _t630 >> _t624 - _t368;
								_t524 = _t674;
								_t707 = ( *(_t671 + _t520 + 0xb8) & 0x000000ff) + _t524[1];
								 *_t524 =  *_t524 + (_t707 >> 3);
								_t697 = _t707 & 0x00000007;
								_t375 =  *_t524;
								_t524[1] = _t697;
								_t633 =  *(_t520 + 0x4b8 + _t671 * 2) & 0x0000ffff;
								 *(_t725 + 0x1c) = _t375;
								goto L33;
							}
							__eflags = _t526 - _t628;
							if(_t526 == _t628) {
								goto L24;
							}
							E011E5202(_t686);
							__eflags =  *((intOrPtr*)(_t686 + 0x4c5c)) -  *((intOrPtr*)(_t686 + 0x4c4c));
							if(__eflags > 0) {
								L6:
								return 0;
							}
							if(__eflags < 0) {
								goto L24;
							}
							__eflags =  *((intOrPtr*)(_t686 + 0x4c58)) -  *((intOrPtr*)(_t686 + 0x4c48));
							if( *((intOrPtr*)(_t686 + 0x4c58)) >  *((intOrPtr*)(_t686 + 0x4c48))) {
								goto L6;
							}
							goto L24;
						}
					}
					L5:
					 *((char*)(_t520 + 0x4ad0)) = 1;
					goto L6;
				}
				 *((char*)(_t520 + 0x2c)) = 1;
				_push(_t520 + 0x30);
				_push(_t672);
				_push(_t692);
				if(E011E43BF(__ecx) == 0) {
					goto L5;
				} else {
					goto L4;
				}
			}

0x011e77f3
0x011e77f9
0x011e77ff
0x011e7803
0x011e7807
0x011e780a
0x011e780e
0x011e7825
0x011e7829
0x011e782c
0x011e7833
0x011e784d
0x011e784f
0x011e7852
0x011e7856
0x011e785a
0x011e785e
0x011e7860
0x011e7862
0x011e7862
0x011e7866
0x011e7874
0x011e7877
0x011e787d
0x011e787f
0x011e7882
0x011e7884
0x011e7888
0x00000000
0x00000000
0x011e788a
0x011e788a
0x011e788c
0x011e81e3
0x00000000
0x011e81e3
0x011e7892
0x011e78a0
0x011e78a0
0x011e78a2
0x011e78b1
0x011e78b1
0x011e78b7
0x011e81dc
0x011e81dc
0x00000000
0x011e81dc
0x00000000
0x011e78b7
0x011e78a4
0x011e78ab
0x00000000
0x00000000
0x00000000
0x011e78ab
0x011e7897
0x011e789a
0x00000000
0x00000000
0x00000000
0x011e78bd
0x011e78bd
0x011e78c9
0x011e78ce
0x011e7901
0x011e7901
0x011e7907
0x011e790e
0x011e7914
0x011e791a
0x011e791e
0x011e7953
0x011e7954
0x011e7955
0x011e7959
0x011e795b
0x011e797c
0x011e797f
0x011e7983
0x011e7989
0x011e798d
0x011e7991
0x011e7995
0x011e799a
0x011e79a7
0x011e79a9
0x011e79ac
0x011e79ae
0x011e79ae
0x011e79b0
0x011e79b4
0x011e79bc
0x011e79c0
0x011e79c0
0x011e79c8
0x011e79ca
0x011e79e8
0x011e79ee
0x011e7e80
0x011e7e82
0x011e7eb2
0x011e7eb8
0x011e7fb2
0x011e7fb2
0x011e7fbb
0x011e7fbe
0x011e7fc0
0x011e7fc4
0x011e7fd3
0x011e7fd3
0x011e7fd6
0x011e7fdc
0x011e7fe3
0x011e7fe9
0x011e7fef
0x011e7ff6
0x011e802f
0x011e8030
0x011e8031
0x011e8033
0x011e804f
0x011e8052
0x011e8056
0x011e8059
0x011e805f
0x011e8069
0x011e806c
0x011e8072
0x011e8075
0x011e8082
0x011e8084
0x011e808a
0x011e808c
0x011e808c
0x011e808e
0x011e8096
0x011e8096
0x011e8099
0x011e809c
0x011e80ae
0x011e80b3
0x011e80b6
0x011e80b8
0x011e80be
0x011e80c3
0x011e80c9
0x011e80d2
0x011e80d4
0x011e80df
0x011e80df
0x011e80e2
0x011e80e4
0x011e80e4
0x011e809e
0x011e809e
0x011e809e
0x011e80e7
0x011e80f2
0x011e80f6
0x011e80fb
0x011e80fd
0x011e8100
0x011e8102
0x011e819e
0x011e819e
0x011e81a2
0x011e81a6
0x011e81a8
0x00000000
0x00000000
0x011e81ae
0x011e81b4
0x011e81ba
0x011e81bc
0x011e81c0
0x011e81c6
0x011e81cd
0x011e81cf
0x011e81d2
0x011e81d2
0x011e81d2
0x00000000
0x011e8108
0x011e8108
0x011e810a
0x00000000
0x00000000
0x011e8110
0x011e8118
0x011e811b
0x011e8121
0x011e8122
0x011e8125
0x011e8127
0x011e7daa
0x011e7daa
0x011e7dae
0x011e7db2
0x011e7db4
0x011e786c
0x011e786c
0x011e7870
0x011e7870
0x011e7870
0x011e7874
0x011e7874
0x011e7877
0x011e787d
0x011e787f
0x011e7882
0x011e7884
0x011e7888
0x00000000
0x00000000
0x00000000
0x011e7888
0x011e7ed1
0x011e7edc
0x011e7edf
0x011e7ee4
0x011e7ee6
0x011e7ee8
0x011e7f84
0x011e7f84
0x011e7f8a
0x011e7f90
0x011e7f92
0x011e7f96
0x011e7f9c
0x011e7fa3
0x011e7fa5
0x011e7fa8
0x011e7fa8
0x011e7fa8
0x011e79db
0x011e79db
0x011e79df
0x00000000
0x011e79df
0x011e7eee
0x011e7ef0
0x00000000
0x00000000
0x011e7ef6
0x011e7efe
0x011e7f01
0x011e7f07
0x011e7f08
0x011e7f0b
0x011e7f0d
0x00000000
0x00000000
0x011e7f13
0x011e7f15
0x011e7f5d
0x011e7f5d
0x011e7f60
0x011e7f64
0x011e7f66
0x011e7f69
0x011e7f6e
0x011e7f73
0x011e7f74
0x011e7f76
0x011e7f78
0x011e7f7a
0x011e7f7a
0x011e7f7a
0x011e7da6
0x011e7da6
0x00000000
0x011e7da6
0x011e7f19
0x011e7f19
0x011e7f1c
0x011e7f1e
0x011e7f20
0x011e7f26
0x011e7f2c
0x011e7f32
0x011e7f38
0x011e7f3e
0x011e7f44
0x011e7f47
0x011e7f4a
0x011e7f4c
0x011e7f4f
0x011e7f51
0x011e7f51
0x011e7f51
0x00000000
0x011e7e3a
0x011e7e3a
0x011e7e3e
0x011e7e42
0x011e7e46
0x011e7e46
0x011e7e4e
0x011e7e54
0x011e7e58
0x011e7e5e
0x011e7e60
0x011e7e64
0x011e7e6a
0x011e7e71
0x011e7e73
0x011e7e76
0x011e7e76
0x011e7e76
0x00000000
0x011e7e7b
0x011e7dbc
0x011e7dbf
0x011e7dc3
0x011e7dc6
0x00000000
0x00000000
0x011e7dcf
0x011e7dd2
0x011e7dd6
0x011e7dd9
0x00000000
0x00000000
0x011e7de2
0x011e7de5
0x011e7de9
0x011e7dec
0x00000000
0x00000000
0x011e7df5
0x011e7df8
0x011e7dfc
0x011e7dff
0x00000000
0x00000000
0x011e7e08
0x011e7e0b
0x011e7e0f
0x011e7e12
0x00000000
0x00000000
0x011e7e1b
0x011e7e1e
0x011e7e22
0x011e7e25
0x00000000
0x00000000
0x011e7e2e
0x011e7e32
0x00000000
0x011e7e32
0x011e812d
0x011e812f
0x011e8177
0x011e8177
0x011e817a
0x011e817e
0x011e8180
0x011e8183
0x011e8188
0x011e818d
0x011e818e
0x011e8190
0x011e8192
0x011e8194
0x011e8194
0x011e8194
0x00000000
0x011e8199
0x011e8133
0x011e8133
0x011e8136
0x011e8138
0x011e813a
0x011e8140
0x011e8146
0x011e814c
0x011e8152
0x011e8158
0x011e815e
0x011e8161
0x011e8164
0x011e8166
0x011e8169
0x011e816b
0x011e816b
0x011e816b
0x00000000
0x011e8170
0x011e8102
0x011e803b
0x011e803e
0x011e803e
0x011e8040
0x00000000
0x00000000
0x011e8042
0x011e8043
0x011e8046
0x011e8049
0x00000000
0x00000000
0x00000000
0x011e804b
0x011e804d
0x00000000
0x011e804d
0x011e7ffa
0x011e7ffd
0x011e8007
0x011e800f
0x011e8012
0x011e8018
0x011e801c
0x011e801f
0x011e8027
0x00000000
0x00000000
0x00000000
0x00000000
0x011e7fc6
0x011e7fc6
0x011e7fc9
0x011e7fcb
0x011e7fce
0x011e7fce
0x011e7fce
0x00000000
0x011e7fc6
0x011e7ebe
0x011e7ec1
0x011e7ec5
0x011e7ec9
0x011e7ec9
0x011e7e88
0x011e7e8c
0x011e7e91
0x011e7e93
0x00000000
0x00000000
0x011e7ea0
0x011e7ea5
0x011e7ea7
0x00000000
0x00000000
0x00000000
0x011e7ead
0x011e79f4
0x011e79fa
0x011e79fd
0x011e7a74
0x011e7a77
0x011e7a7d
0x011e7a80
0x011e7a82
0x011e7a06
0x011e7a06
0x011e7a0a
0x011e7a0c
0x011e7a13
0x011e7a19
0x011e7a1f
0x011e7a26
0x011e7abe
0x011e7abf
0x011e7ac0
0x011e7ac4
0x011e7ac6
0x011e7ae3
0x011e7ae3
0x011e7aec
0x011e7af2
0x011e7af8
0x011e7afc
0x011e7b00
0x011e7b04
0x011e7b07
0x011e7b0a
0x011e7b1e
0x011e7b20
0x011e7b26
0x011e7b28
0x011e7b28
0x011e7b2a
0x011e7b32
0x011e7b32
0x011e7b35
0x011e7b38
0x011e7b4c
0x011e7b4f
0x011e7b55
0x011e7b58
0x011e7b5c
0x011e7b5e
0x011e7b62
0x011e7b64
0x011e7cc9
0x011e7cc9
0x011e7ccf
0x011e7cd1
0x011e7cd2
0x011e7cd8
0x011e7cda
0x011e7cdb
0x011e7ce1
0x011e7ce3
0x011e7ce3
0x011e7ce3
0x011e7ce1
0x011e7cd8
0x011e7ce7
0x011e7ced
0x011e7cf3
0x011e7cf6
0x011e7cf9
0x011e7d04
0x011e7d06
0x011e7d0b
0x011e7d0e
0x011e7d12
0x011e7d14
0x00000000
0x011e7d1a
0x011e7d1a
0x011e7d1c
0x00000000
0x00000000
0x011e7d22
0x011e7d2a
0x011e7d2d
0x011e7d33
0x011e7d34
0x011e7d37
0x011e7d39
0x00000000
0x00000000
0x011e7d3b
0x011e7d3f
0x011e7d84
0x011e7d84
0x011e7d87
0x011e7d8b
0x011e7d8d
0x011e7d90
0x011e7d95
0x011e7d9a
0x011e7d9b
0x011e7d9d
0x011e7d9f
0x011e7da1
0x011e7da1
0x011e7da1
0x00000000
0x011e7d8d
0x011e7d43
0x011e7d43
0x011e7d46
0x011e7d48
0x011e7d4a
0x011e7d50
0x011e7d56
0x011e7d5c
0x011e7d62
0x011e7d68
0x011e7d6e
0x011e7d71
0x011e7d74
0x011e7d76
0x011e7d79
0x011e7d7b
0x011e7d7b
0x011e7d7b
0x00000000
0x011e7d80
0x011e7d14
0x011e7b6a
0x011e7b6d
0x011e7c94
0x011e7c99
0x011e7ca1
0x011e7cac
0x011e7cb0
0x011e7cbd
0x011e7cbd
0x011e7cc0
0x011e7cc2
0x011e7cc5
0x011e7cc5
0x00000000
0x011e7cc5
0x011e7b73
0x011e7bbc
0x011e7b75
0x011e7b79
0x011e7b84
0x011e7b8a
0x011e7b96
0x011e7b9b
0x011e7ba4
0x011e7ba6
0x011e7baa
0x011e7bad
0x011e7bb1
0x011e7bb5
0x011e7bb7
0x011e7bb7
0x011e7bc2
0x011e7bc9
0x011e7bcf
0x011e7bd5
0x011e7bdc
0x011e7c14
0x011e7c15
0x011e7c16
0x011e7c1a
0x011e7c1c
0x011e7c3a
0x011e7c3e
0x011e7c47
0x011e7c53
0x011e7c57
0x011e7c5a
0x011e7c5e
0x011e7c71
0x011e7c73
0x011e7c79
0x011e7c7b
0x011e7c7b
0x011e7c7d
0x00000000
0x011e7c7d
0x011e7c24
0x011e7c27
0x011e7c27
0x011e7c29
0x00000000
0x00000000
0x011e7c2b
0x011e7c2c
0x011e7c2f
0x011e7c32
0x00000000
0x00000000
0x00000000
0x011e7c34
0x011e7c36
0x00000000
0x011e7bde
0x011e7bde
0x011e7be4
0x011e7be7
0x011e7bf1
0x011e7c01
0x011e7c05
0x011e7c08
0x011e7c85
0x011e7c85
0x011e7c8c
0x00000000
0x011e7c8c
0x011e7bdc
0x011e7b3a
0x00000000
0x011e7b3a
0x011e7ace
0x011e7ad1
0x011e7ad1
0x011e7ad3
0x00000000
0x00000000
0x011e7ad5
0x011e7ad6
0x011e7ad9
0x011e7adb
0x00000000
0x00000000
0x00000000
0x011e7add
0x011e7adf
0x00000000
0x011e7adf
0x011e7a2e
0x011e7a31
0x011e7a3b
0x011e7a46
0x011e7a48
0x011e7a4c
0x011e7a4f
0x011e7a53
0x011e7a57
0x011e7a59
0x011e7a5c
0x00000000
0x011e7a5c
0x011e7a88
0x011e7a8d
0x011e7a93
0x011e7a9e
0x011e7aa5
0x011e7aa7
0x011e7aab
0x011e7aae
0x011e7ab2
0x011e7ab4
0x00000000
0x011e7ab4
0x011e79ff
0x011e7a03
0x011e7a03
0x00000000
0x011e7a03
0x011e79d5
0x011e79d8
0x011e79d8
0x011e79d8
0x00000000
0x011e79d8
0x011e7960
0x011e7963
0x011e7963
0x011e7965
0x00000000
0x00000000
0x011e7967
0x011e7968
0x011e796b
0x011e796e
0x00000000
0x00000000
0x011e7970
0x00000000
0x011e7970
0x011e7976
0x011e7978
0x00000000
0x011e7978
0x011e7922
0x011e7925
0x011e7927
0x011e7931
0x011e7939
0x011e793b
0x011e793e
0x011e7940
0x011e7943
0x011e794b
0x00000000
0x011e794b
0x011e78d0
0x011e78d2
0x00000000
0x00000000
0x011e78d6
0x011e78e1
0x011e78e7
0x011e783c
0x00000000
0x011e783c
0x011e78ed
0x00000000
0x00000000
0x011e78f5
0x011e78fb
0x00000000
0x00000000
0x00000000
0x011e78fb
0x011e7874
0x011e7835
0x011e7835
0x00000000
0x011e7835
0x011e7813
0x011e7817
0x011e7818
0x011e7819
0x011e7821
0x00000000
0x011e7823
0x00000000
0x011e7823

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: 48e707d80e1f5f37830ca38d9e8a786fb4f25974f59f92c8bfe946adb430842a
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: 656237716087458FCB1DCF6CC8949B9BBE1BF85304F08896DE99A8B386D330E945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 011DF461 Relevance: .7, Instructions: 694
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E011DF461(signed int* _a4, signed int* _a8, signed int* _a12, char _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _t434;
				intOrPtr _t436;
				intOrPtr _t441;
				void* _t446;
				intOrPtr _t448;
				signed int _t451;
				void* _t453;
				signed int _t459;
				signed int _t465;
				signed int _t471;
				signed int _t478;
				signed int _t481;
				signed int _t488;
				signed int _t511;
				signed int _t518;
				signed int _t525;
				signed int _t545;
				signed int _t554;
				signed int _t563;
				signed int* _t591;
				signed int _t592;
				signed int _t596;
				signed int _t599;
				signed int _t600;
				signed int* _t601;
				signed int _t602;
				signed int _t604;
				signed int _t606;
				signed int _t607;
				signed int* _t608;
				signed int _t609;
				signed int* _t675;
				signed int* _t746;
				signed int _t757;
				signed int _t774;
				signed int _t778;
				signed int _t782;
				signed int _t783;
				signed int _t787;
				signed int _t788;
				signed int _t792;
				signed int _t797;
				signed int _t801;
				signed int _t805;
				signed int _t807;
				signed int _t810;
				signed int* _t812;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				signed int _t821;
				signed int _t822;
				signed int _t826;
				signed int _t831;
				signed int _t835;
				signed int _t839;
				signed int* _t840;
				signed int _t842;
				signed int _t843;
				signed int _t844;
				signed int _t846;
				signed int _t847;
				signed int _t849;
				signed int* _t850;
				signed int _t853;
				signed int _t857;
				signed int _t858;
				signed int* _t862;
				signed int _t863;
				signed int _t865;
				signed int _t866;
				signed int _t870;
				signed int _t871;
				signed int _t875;
				signed int _t879;
				signed int _t883;
				signed int _t887;
				signed int _t888;
				signed int* _t889;
				signed int _t890;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				signed int _t897;
				signed int _t899;
				signed int _t900;
				signed int _t902;
				signed int _t903;
				signed int* _t904;
				signed int _t905;
				signed int _t907;
				signed int _t908;
				signed int _t910;
				signed int _t911;

				_t912 =  &_v40;
				if(_a16 == 0) {
					_t840 = _a8;
					_v20 = _t840;
					E011F0320(_t840, _a12, 0x40);
					_t912 =  &(( &_v40)[3]);
				} else {
					_t840 = _a12;
					_v20 = _t840;
				}
				_t850 = _a4;
				_t592 = _t850[1];
				_t894 =  *_t850;
				_v28 = _t850[2];
				_v24 = _t850[3];
				_v32 = _t592;
				_v36 = 0;
				_t434 = E011F68E4( *_t840);
				asm("rol edx, 0x5");
				 *_t840 = _t434;
				_t435 = _t840;
				_t596 = (_t592 & (_v24 ^ _v28) ^ _v24) + _t894 + _t434 + _t850[4] + 0x5a827999;
				_v16 = _t840;
				_t853 = _v32;
				asm("ror esi, 0x2");
				_v32 =  &(_t840[3]);
				do {
					_t436 = E011F68E4(_t435[1]);
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v16 + 4)) = _t436;
					asm("ror ebp, 0x2");
					_v24 = _v24 + 0x5a827999 + ((_v28 ^ _t853) & _t894 ^ _v28) + _t596 + _t436;
					_t441 = E011F68E4( *((intOrPtr*)(_v32 - 4)));
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 - 4)) = _t441;
					asm("ror ebx, 0x2");
					_v28 = _v28 + 0x5a827999 + ((_t853 ^ _t894) & _t596 ^ _t853) + _v24 + _t441;
					_t446 = E011F68E4( *_v32);
					asm("rol edx, 0x5");
					 *_v32 = _t446;
					asm("ror dword [esp+0x2c], 0x2");
					_t853 = _t853 + ((_t596 ^ _t894) & _v24 ^ _t894) + _v28 + 0x5a827999 + _t446;
					_t448 = E011F68E4( *((intOrPtr*)(_v32 + 4)));
					_v32 = _v32 + 0x14;
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 + 4)) = _t448;
					_t451 = _v36 + 5;
					asm("ror dword [esp+0x2c], 0x2");
					_v36 = _t451;
					_t894 = _t894 + ((_t596 ^ _v24) & _v28 ^ _t596) + _t853 + _t448 + 0x5a827999;
					_v16 =  &(_t840[_t451]);
					_t453 = E011F68E4(_t840[_t451]);
					_t912 =  &(_t912[5]);
					asm("rol edx, 0x5");
					 *_v16 = _t453;
					_t435 = _v16;
					asm("ror esi, 0x2");
					_t596 = _t596 + 0x5a827999 + ((_v24 ^ _v28) & _t853 ^ _v24) + _t894 + _t453;
				} while (_v36 != 0xf);
				_t774 = _t840[0xe] ^ _t840[9] ^ _t840[1] ^ _t840[3];
				_v32 = _t853;
				_t857 = _t840[0xd] ^ _t840[8] ^  *_t840 ^ _t840[2];
				asm("rol ecx, 0x5");
				asm("rol esi, 1");
				asm("rol edx, 1");
				asm("ror ebp, 0x2");
				_t840[1] = _t774;
				_t459 = ((_v28 ^ _v32) & _t894 ^ _v28) + _t596 + _t857 + _v24 + 0x5a827999;
				 *_t840 = _t857;
				_v40 = _t459;
				asm("rol ecx, 0x5");
				_t778 = _t840[0xf] ^ _t840[0xa] ^ _t840[4] ^ _t840[2];
				_t465 = ((_v32 ^ _t894) & _t596 ^ _v32) + _t459 + _t774 + _v28 + 0x5a827999;
				_v36 = _t465;
				asm("ror ebx, 0x2");
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				asm("ror dword [esp+0x10], 0x2");
				_t840[2] = _t778;
				_t471 = ((_t596 ^ _t894) & _v40 ^ _t894) + _t465 + _t778 + _v32 + 0x5a827999;
				_v32 = _t471;
				asm("rol ecx, 0x5");
				_t782 = _t840[0xb] ^ _t840[5] ^ _t857 ^ _t840[3];
				_t858 = _v40;
				asm("rol edx, 1");
				_t840[3] = _t782;
				_v24 = _t596;
				asm("ror dword [esp+0x18], 0x2");
				_t783 = 0x11;
				_v28 = ((_t596 ^ _t858) & _v36 ^ _t596) + _t471 + 0x5a827999 + _t782 + _t894;
				_v16 = _t783;
				do {
					_t96 = _t783 + 5; // 0x16
					_t478 = _t96;
					_t97 = _t783 - 5; // 0xc
					_v8 = _t478;
					_t99 = _t783 + 3; // 0x14
					_t896 = _t99 & 0x0000000f;
					_v12 = _t896;
					_t599 = _t478 & 0x0000000f;
					asm("rol ecx, 0x5");
					_t787 = _t840[_t97 & 0x0000000f] ^ _t840[_t783 & 0x0000000f] ^ _t840[_t896] ^ _t840[_t599];
					_t481 = _v16;
					asm("rol edx, 1");
					_t840[_t896] = _t787;
					_t897 = _v32;
					asm("ror ebp, 0x2");
					_v32 = _t897;
					_t862 = _v20;
					_v24 = _v24 + 0x6ed9eba1 + (_t858 ^ _v36 ^ _t897) + _v28 + _t787;
					_t788 = 0xf;
					_t899 = _t481 + 0x00000004 & _t788;
					_t842 = _t481 + 0x00000006 & _t788;
					_t792 =  *(_t862 + (_t481 - 0x00000004 & _t788) * 4) ^  *(_t862 + (_t481 + 0x00000001 & _t788) * 4) ^  *(_t862 + _t899 * 4) ^  *(_t862 + _t842 * 4);
					asm("rol edx, 1");
					 *(_t862 + _t899 * 4) = _t792;
					_t863 = _v28;
					asm("rol ecx, 0x5");
					asm("ror esi, 0x2");
					_v28 = _t863;
					_t488 = _v16;
					_v40 = _v40 + 0x6ed9eba1 + (_v36 ^ _v32 ^ _t863) + _v24 + _t792;
					_t865 = _t488 + 0x00000007 & 0x0000000f;
					_t675 = _v20;
					_t797 = _v20[_t488 - 0x00000003 & 0x0000000f] ^  *(_t675 + (_t488 + 0x00000002 & 0x0000000f) * 4) ^  *(_t675 + _t865 * 4) ^  *(_t675 + _t599 * 4);
					asm("rol edx, 1");
					 *(_t675 + _t599 * 4) = _t797;
					_t600 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t600;
					_t601 = _v20;
					_v36 = _v36 + 0x6ed9eba1 + (_t600 ^ _v32 ^ _v28) + _v40 + _t797;
					asm("rol ecx, 0x5");
					_t801 =  *(_t601 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t601 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t601 + _t842 * 4) ^  *(_t601 + _v12 * 4);
					asm("rol edx, 1");
					 *(_t601 + _t842 * 4) = _t801;
					_t602 = _v24;
					_t843 = _v40;
					asm("ror edi, 0x2");
					_v40 = _t843;
					_t840 = _v20;
					_v32 = _v32 + 0x6ed9eba1 + (_t602 ^ _t843 ^ _v28) + _v36 + _t801;
					_t805 = _t840[_v16 - 0x00000007 & 0x0000000f] ^ _t840[_v16 - 0x00000001 & 0x0000000f] ^ _t840[_t865] ^ _t840[_t899];
					_t900 = _v36;
					asm("rol edx, 1");
					asm("rol ecx, 0x5");
					_t840[_t865] = _t805;
					_t858 = _v40;
					_t783 = _v8;
					asm("ror ebp, 0x2");
					_v36 = _t900;
					_v16 = _t783;
					_v28 = _v28 + 0x6ed9eba1 + (_t602 ^ _t858 ^ _t900) + _v32 + _t805;
				} while (_t783 + 3 <= 0x23);
				_t866 = 0x25;
				_v16 = _t866;
				while(1) {
					_t205 = _t866 + 5; // 0x2a
					_t511 = _t205;
					_t206 = _t866 - 5; // 0x20
					_v4 = _t511;
					_t208 = _t866 + 3; // 0x28
					_t807 = _t208 & 0x0000000f;
					_v8 = _t807;
					_t902 = _t511 & 0x0000000f;
					_t870 = _t840[_t206 & 0x0000000f] ^ _t840[_t866 & 0x0000000f] ^ _t840[_t902] ^ _t840[_t807];
					asm("rol esi, 1");
					_t840[_t807] = _t870;
					asm("ror dword [esp+0x1c], 0x2");
					asm("rol edx, 0x5");
					_t871 = 0xf;
					_v24 = _v28 - 0x70e44324 + ((_v36 | _v32) & _v40 | _v36 & _v32) + _t870 + _t602;
					_t518 = _v16;
					_t604 = _t518 + 0x00000006 & _t871;
					_t810 = _t518 + 0x00000004 & _t871;
					_v12 = _t810;
					_t875 = _t840[_t518 - 0x00000004 & _t871] ^ _t840[_t518 + 0x00000001 & _t871] ^ _t840[_t810] ^ _t840[_t604];
					asm("rol esi, 1");
					_t840[_t810] = _t875;
					_t844 = _v28;
					asm("rol edx, 0x5");
					asm("ror edi, 0x2");
					_v28 = _t844;
					_t812 = _v20;
					_v40 = _v24 - 0x70e44324 + ((_v32 | _t844) & _v36 | _v32 & _t844) + _t875 + _v40;
					_t525 = _v16;
					_t846 = _t525 + 0x00000007 & 0x0000000f;
					_t879 =  *(_t812 + (_t525 - 0x00000003 & 0x0000000f) * 4) ^  *(_t812 + (_t525 + 0x00000002 & 0x0000000f) * 4) ^  *(_t812 + _t846 * 4) ^  *(_t812 + _t902 * 4);
					asm("rol esi, 1");
					 *(_t812 + _t902 * 4) = _t879;
					asm("rol edx, 0x5");
					_t903 = _v24;
					asm("ror ebp, 0x2");
					_t815 = _v40 + 0x8f1bbcdc + ((_t903 | _v28) & _v32 | _t903 & _v28) + _t879 + _v36;
					_v24 = _t903;
					_t904 = _v20;
					_v36 = _t815;
					asm("rol edx, 0x5");
					_t883 =  *(_t904 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t904 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t904 + _v8 * 4) ^  *(_t904 + _t604 * 4);
					asm("rol esi, 1");
					 *(_t904 + _t604 * 4) = _t883;
					_t602 = _v24;
					asm("ror dword [esp+0x10], 0x2");
					_t816 = _t815 + ((_t602 | _v40) & _v28 | _t602 & _v40) + 0x8f1bbcdc + _t883 + _v32;
					_v32 = _t816;
					asm("rol edx, 0x5");
					_t887 =  *(_t904 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t904 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t904 + _v12 * 4) ^  *(_t904 + _t846 * 4);
					asm("rol esi, 1");
					 *(_t904 + _t846 * 4) = _t887;
					_t905 = _v36;
					asm("ror ebp, 0x2");
					_v36 = _t905;
					_t309 = _t816 - 0x70e44324; // -4294967294
					_t866 = _v4;
					_v28 = _t309 + ((_v40 | _t905) & _t602 | _v40 & _t905) + _t887 + _v28;
					_v16 = _t866;
					if(_t866 + 3 > 0x37) {
						break;
					}
					_t840 = _v20;
				}
				_t817 = 0x39;
				_v16 = _t817;
				_t847 = _t602;
				do {
					_t315 = _t817 + 5; // 0x3e
					_t545 = _t315;
					_v8 = _t545;
					_t317 = _t817 + 3; // 0x3c
					_t318 = _t817 - 5; // 0x34
					_t888 = 0xf;
					_t907 = _t317 & _t888;
					_t606 = _t545 & _t888;
					_t889 = _v20;
					_v4 = _t907;
					_t821 =  *(_t889 + (_t318 & _t888) * 4) ^  *(_t889 + (_t817 & _t888) * 4) ^  *(_t889 + _t907 * 4) ^  *(_t889 + _t606 * 4);
					asm("rol edx, 1");
					 *(_t889 + _t907 * 4) = _t821;
					_t908 = _v32;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v32 = _t908;
					_v24 = (_v40 ^ _v36 ^ _t908) + _t821 + _t847 + _v28 + 0xca62c1d6;
					_t554 = _v16;
					_t822 = 0xf;
					_t849 = _t554 + 0x00000006 & _t822;
					_t910 = _t554 + 0x00000004 & _t822;
					_t826 =  *(_t889 + (_t554 - 0x00000004 & _t822) * 4) ^  *(_t889 + (_t554 + 0x00000001 & _t822) * 4) ^  *(_t889 + _t910 * 4) ^  *(_t889 + _t849 * 4);
					asm("rol edx, 1");
					 *(_t889 + _t910 * 4) = _t826;
					_t890 = _v28;
					asm("rol ecx, 0x5");
					_v40 = (_v36 ^ _v32 ^ _t890) + _t826 + _v40 + _v24 + 0xca62c1d6;
					_t563 = _v16;
					asm("ror esi, 0x2");
					_v28 = _t890;
					_t892 = _t563 + 0x00000007 & 0x0000000f;
					_t746 = _v20;
					_t831 = _v20[_t563 - 0x00000003 & 0x0000000f] ^  *(_t746 + (_t563 + 0x00000002 & 0x0000000f) * 4) ^  *(_t746 + _t892 * 4) ^  *(_t746 + _t606 * 4);
					asm("rol edx, 1");
					 *(_t746 + _t606 * 4) = _t831;
					_t607 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t607;
					_t608 = _v20;
					_v36 = (_t607 ^ _v32 ^ _v28) + _t831 + _v36 + _v40 + 0xca62c1d6;
					asm("rol ecx, 0x5");
					_t835 = _t608[_v16 - 0x00000008 & 0x0000000f] ^ _t608[_v16 + 0xfffffffe & 0x0000000f] ^ _t608[_v4] ^ _t608[_t849];
					asm("rol edx, 1");
					_t608[_t849] = _t835;
					_t847 = _v24;
					asm("ror dword [esp+0x10], 0x2");
					_v32 = (_t847 ^ _v40 ^ _v28) + _t835 + _v32 + _v36 + 0xca62c1d6;
					_t839 = _t608[_v16 - 0x00000007 & 0x0000000f] ^ _t608[_v16 - 0x00000001 & 0x0000000f] ^ _t608[_t892] ^ _t608[_t910];
					_t911 = _v36;
					asm("rol edx, 1");
					_t608[_t892] = _t839;
					_t609 = _v40;
					_t893 = _v32;
					asm("ror ebp, 0x2");
					_t817 = _v8;
					asm("rol ecx, 0x5");
					_v36 = _t911;
					_t757 = _t893 + 0xca62c1d6 + (_t847 ^ _t609 ^ _t911) + _t839 + _v28;
					_v16 = _t817;
					_v28 = _t757;
				} while (_t817 + 3 <= 0x4b);
				_t591 = _a4;
				_t591[1] = _t591[1] + _t893;
				_t591[2] = _t591[2] + _t911;
				_t591[3] = _t591[3] + _t609;
				 *_t591 =  *_t591 + _t757;
				_t591[4] = _t591[4] + _t847;
				return _t591;
			}

0x011df461
0x011df46d
0x011df479
0x011df483
0x011df488
0x011df48d
0x011df46f
0x011df46f
0x011df473
0x011df473
0x011df490
0x011df499
0x011df49c
0x011df49e
0x011df4a8
0x011df4ae
0x011df4b2
0x011df4b6
0x011df4ce
0x011df4da
0x011df4de
0x011df4e0
0x011df4e2
0x011df4e6
0x011df4ea
0x011df4ed
0x011df4f1
0x011df4f4
0x011df4ff
0x011df504
0x011df51e
0x011df523
0x011df52e
0x011df53b
0x011df540
0x011df554
0x011df55b
0x011df565
0x011df572
0x011df57b
0x011df58b
0x011df597
0x011df599
0x011df5a4
0x011df5a9
0x011df5ac
0x011df5c0
0x011df5c7
0x011df5ce
0x011df5d7
0x011df5db
0x011df5df
0x011df5ea
0x011df5ed
0x011df5f0
0x011df5fc
0x011df60e
0x011df611
0x011df613
0x011df62d
0x011df630
0x011df646
0x011df649
0x011df64c
0x011df650
0x011df654
0x011df661
0x011df664
0x011df666
0x011df668
0x011df674
0x011df694
0x011df697
0x011df699
0x011df69f
0x011df6a2
0x011df6a8
0x011df6b1
0x011df6ba
0x011df6cd
0x011df6d1
0x011df6d7
0x011df6da
0x011df6df
0x011df6eb
0x011df6f5
0x011df6fa
0x011df702
0x011df707
0x011df708
0x011df70c
0x011df710
0x011df714
0x011df714
0x011df717
0x011df71a
0x011df721
0x011df726
0x011df72b
0x011df732
0x011df73c
0x011df745
0x011df748
0x011df74c
0x011df750
0x011df753
0x011df75b
0x011df76b
0x011df774
0x011df778
0x011df781
0x011df784
0x011df786
0x011df798
0x011df7a3
0x011df7a5
0x011df7a8
0x011df7ae
0x011df7b3
0x011df7c6
0x011df7cc
0x011df7d0
0x011df7e0
0x011df7e9
0x011df7f3
0x011df7f6
0x011df7f8
0x011df7ff
0x011df805
0x011df814
0x011df821
0x011df827
0x011df82f
0x011df850
0x011df853
0x011df856
0x011df85a
0x011df85d
0x011df863
0x011df86f
0x011df87c
0x011df880
0x011df88a
0x011df8a3
0x011df8aa
0x011df8ae
0x011df8b0
0x011df8b3
0x011df8b8
0x011df8be
0x011df8c6
0x011df8d3
0x011df8d9
0x011df8e0
0x011df8e4
0x011df8ef
0x011df8f0
0x011df8fa
0x011df8fa
0x011df8fa
0x011df8fd
0x011df900
0x011df907
0x011df90c
0x011df911
0x011df918
0x011df926
0x011df93d
0x011df93f
0x011df94a
0x011df94f
0x011df952
0x011df95b
0x011df95f
0x011df966
0x011df96b
0x011df972
0x011df982
0x011df98b
0x011df98d
0x011df990
0x011df9a4
0x011df9ab
0x011df9ae
0x011df9b8
0x011df9be
0x011df9c2
0x011df9d2
0x011df9e1
0x011df9e4
0x011df9e6
0x011df9ed
0x011df9f0
0x011dfa0c
0x011dfa19
0x011dfa1b
0x011dfa1f
0x011dfa26
0x011dfa2d
0x011dfa46
0x011dfa4a
0x011dfa4c
0x011dfa50
0x011dfa64
0x011dfa7b
0x011dfa80
0x011dfa87
0x011dfa9e
0x011dfaa8
0x011dfaaa
0x011dfaae
0x011dfaba
0x011dfabf
0x011dfac7
0x011dfacd
0x011dfad3
0x011dfad7
0x011dfae1
0x00000000
0x00000000
0x011df8f6
0x011df8f6
0x011dfae9
0x011dfaea
0x011dfaee
0x011dfaf0
0x011dfaf0
0x011dfaf0
0x011dfaf5
0x011dfaf9
0x011dfafe
0x011dfb03
0x011dfb08
0x011dfb0a
0x011dfb0c
0x011dfb10
0x011dfb1f
0x011dfb2e
0x011dfb30
0x011dfb33
0x011dfb3b
0x011dfb40
0x011dfb49
0x011dfb4f
0x011dfb53
0x011dfb57
0x011dfb5e
0x011dfb60
0x011dfb73
0x011dfb82
0x011dfb84
0x011dfb87
0x011dfb8f
0x011dfba2
0x011dfba6
0x011dfbaa
0x011dfbad
0x011dfbbd
0x011dfbc6
0x011dfbd0
0x011dfbd3
0x011dfbd5
0x011dfbdc
0x011dfbe0
0x011dfbf5
0x011dfbfe
0x011dfc02
0x011dfc06
0x011dfc28
0x011dfc34
0x011dfc37
0x011dfc39
0x011dfc3c
0x011dfc4a
0x011dfc57
0x011dfc74
0x011dfc77
0x011dfc7b
0x011dfc7d
0x011dfc80
0x011dfc86
0x011dfc8e
0x011dfc97
0x011dfc9b
0x011dfca4
0x011dfca8
0x011dfcaa
0x011dfcb1
0x011dfcb5
0x011dfcbe
0x011dfcc2
0x011dfcc5
0x011dfcc8
0x011dfccb
0x011dfccd
0x011dfcd7

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: 8df648dfb828165442473d4661b0a7114c31fd46af86a02337b406cadd2e35be
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: 10523C72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE59597255D334EA1ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 011E7153 Relevance: .5, Instructions: 536
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E011E7153(signed int __ecx) {
				void* __ebp;
				void* _t220;
				signed int* _t223;
				signed int _t225;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				signed int _t233;
				signed int _t234;
				signed short _t235;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				unsigned int _t250;
				signed int _t260;
				signed int _t264;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t274;
				signed int _t275;
				signed short _t276;
				signed int _t277;
				signed int _t281;
				signed int _t282;
				unsigned int _t283;
				signed int _t287;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				signed int _t292;
				signed short _t293;
				unsigned int _t298;
				signed int _t303;
				unsigned int _t305;
				signed int _t310;
				signed short _t311;
				signed int _t316;
				intOrPtr* _t321;
				signed int* _t322;
				unsigned int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t329;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				signed int _t340;
				signed int _t342;
				intOrPtr _t344;
				signed int _t345;
				signed int _t346;
				signed int _t348;
				void* _t349;
				signed int _t352;
				signed int _t353;
				unsigned int _t356;
				signed int _t357;
				void* _t358;
				signed int _t361;
				signed int _t362;
				void* _t365;
				signed int _t368;
				signed int _t369;
				intOrPtr* _t371;
				void* _t372;
				signed int* _t376;
				signed int _t379;
				unsigned int _t382;
				signed int _t383;
				void* _t384;
				signed int _t387;
				void* _t390;
				unsigned int _t393;
				signed int _t394;
				unsigned int _t397;
				void* _t399;
				signed int _t402;
				intOrPtr* _t404;
				void* _t405;
				signed int _t408;
				void* _t411;
				signed int _t415;
				signed int _t416;
				intOrPtr* _t418;
				void* _t419;
				void* _t422;
				signed int _t425;
				intOrPtr* _t429;
				void* _t430;
				signed int* _t436;
				unsigned int _t438;
				unsigned int _t442;
				signed int _t445;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				unsigned int _t451;
				unsigned int _t455;
				signed int _t458;
				unsigned int _t459;
				signed int _t461;
				signed int _t462;
				void* _t463;
				signed int _t464;
				signed int* _t465;
				signed char _t466;
				signed int* _t468;
				signed int* _t470;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				void* _t479;

				_t466 =  *(_t479 + 0x44);
				 *(_t479 + 0x30) = __ecx;
				_t321 = _t466 + 0x18;
				_t465 = _t466 + 4;
				if( *((char*)(_t466 + 0x2c)) != 0) {
					L2:
					_t344 =  *_t321;
					_t220 =  *((intOrPtr*)(_t466 + 0x24)) + _t344;
					if( *_t465 <= _t220) {
						 *(_t466 + 0x4ad8) =  *(_t466 + 0x4ad8) & 0x00000000;
						_t223 =  *((intOrPtr*)(_t466 + 0x20)) - 1 + _t344;
						_t436 =  *((intOrPtr*)(_t466 + 0x4acc)) - 0x10;
						 *(_t479 + 0x1c) = _t223;
						 *(_t479 + 0x18) = _t436;
						__eflags = _t223 - _t436;
						if(_t223 >= _t436) {
							_t468 = _t436;
							 *(_t479 + 0x14) = _t436;
						} else {
							_t468 = _t223;
							 *(_t479 + 0x14) = _t468;
						}
						_t322 = _t466 + 0x4ad4;
						while(1) {
							_t345 =  *_t465;
							 *(_t479 + 0x10) = _t322;
							__eflags = _t345 - _t468;
							if(_t345 < _t468) {
								goto L15;
							}
							__eflags = _t345 - _t223;
							if(__eflags > 0) {
								L93:
								return _t223;
							}
							if(__eflags != 0) {
								L12:
								__eflags = _t345 - _t436;
								if(_t345 < _t436) {
									L14:
									_t223 = _t466 + 0x4ad4;
									_t322 = _t223;
									 *(_t479 + 0x10) = _t223;
									__eflags = _t345 -  *((intOrPtr*)(_t466 + 0x4acc));
									if(_t345 >=  *((intOrPtr*)(_t466 + 0x4acc))) {
										L92:
										 *((char*)(_t466 + 0x4ad3)) = 1;
										goto L93;
									}
									goto L15;
								}
								__eflags =  *((char*)(_t466 + 0x4ad2));
								if( *((char*)(_t466 + 0x4ad2)) == 0) {
									goto L92;
								}
								goto L14;
							}
							_t223 =  *(_t466 + 8);
							__eflags = _t223 -  *((intOrPtr*)(_t466 + 0x1c));
							if(_t223 >=  *((intOrPtr*)(_t466 + 0x1c))) {
								goto L93;
							}
							goto L12;
							L15:
							_t346 =  *(_t466 + 0x4adc);
							__eflags =  *(_t466 + 0x4ad8) - _t346 - 8;
							if( *(_t466 + 0x4ad8) > _t346 - 8) {
								_t316 = _t346 + _t346;
								 *(_t466 + 0x4adc) = _t316;
								_push(_t316 * 0xc);
								_push( *_t322);
								_t477 = E011F3E3E(_t346, _t436);
								__eflags = _t477;
								if(_t477 == 0) {
									E011D6CA7(0x1211098);
								}
								 *_t322 = _t477;
							}
							_t225 =  *(_t466 + 0x4ad8);
							_t470 = _t225 * 0xc +  *_t322;
							 *(_t479 + 0x2c) = _t470;
							 *(_t466 + 0x4ad8) = _t225 + 1;
							_t227 = E011DA89D(_t465);
							_t228 =  *(_t466 + 0xb4);
							_t438 = _t227 & 0x0000fffe;
							__eflags = _t438 -  *((intOrPtr*)(_t466 + 0x34 + _t228 * 4));
							if(_t438 >=  *((intOrPtr*)(_t466 + 0x34 + _t228 * 4))) {
								_t348 = 0xf;
								_t229 = _t228 + 1;
								 *(_t479 + 0x28) = _t348;
								__eflags = _t229 - _t348;
								if(_t229 >= _t348) {
									L27:
									_t324 = _t465[1] + _t348;
									_t325 = _t324 & 0x00000007;
									 *_t465 =  *_t465 + (_t324 >> 3);
									 *(_t479 + 0x18) =  *_t465;
									_t233 =  *(_t479 + 0x28);
									_t465[1] = _t325;
									_t349 = 0x10;
									_t352 =  *((intOrPtr*)(_t466 + 0x74 + _t233 * 4)) + (_t438 -  *((intOrPtr*)(_t466 + 0x30 + _t233 * 4)) >> _t349 - _t233);
									__eflags = _t352 -  *((intOrPtr*)(_t466 + 0x30));
									asm("sbb eax, eax");
									_t234 = _t233 & _t352;
									__eflags = _t234;
									_t235 =  *(_t466 + 0xcb8 + _t234 * 2) & 0x0000ffff;
									goto L28;
								}
								_t429 = _t466 + 0x34 + _t229 * 4;
								while(1) {
									__eflags = _t438 -  *_t429;
									if(_t438 <  *_t429) {
										break;
									}
									_t229 = _t229 + 1;
									_t429 = _t429 + 4;
									__eflags = _t229 - 0xf;
									if(_t229 < 0xf) {
										continue;
									}
									_t348 =  *(_t479 + 0x28);
									goto L27;
								}
								_t348 = _t229;
								 *(_t479 + 0x28) = _t229;
								goto L27;
							} else {
								_t430 = 0x10;
								_t464 = _t438 >> _t430 - _t228;
								_t342 = ( *(_t464 + _t466 + 0xb8) & 0x000000ff) + _t465[1];
								 *_t465 =  *_t465 + (_t342 >> 3);
								_t325 = _t342 & 0x00000007;
								 *(_t479 + 0x18) =  *_t465;
								_t465[1] = _t325;
								_t235 =  *(_t466 + 0x4b8 + _t464 * 2) & 0x0000ffff;
								L28:
								_t353 = _t235 & 0x0000ffff;
								__eflags = _t353 - 0x100;
								if(_t353 >= 0x100) {
									__eflags = _t353 - 0x106;
									if(_t353 < 0x106) {
										__eflags = _t353 - 0x100;
										if(_t353 != 0x100) {
											__eflags = _t353 - 0x101;
											if(_t353 != 0x101) {
												_t237 = 3;
												 *_t470 = _t237;
												_t470[2] = _t353 - 0x102;
												_t239 = E011DA89D(_t465);
												_t240 =  *(_t466 + 0x2d78);
												_t442 = _t239 & 0x0000fffe;
												__eflags = _t442 -  *((intOrPtr*)(_t466 + 0x2cf8 + _t240 * 4));
												if(_t442 >=  *((intOrPtr*)(_t466 + 0x2cf8 + _t240 * 4))) {
													_t326 = 0xf;
													_t241 = _t240 + 1;
													__eflags = _t241 - _t326;
													if(_t241 >= _t326) {
														L86:
														_t356 = _t465[1] + _t326;
														_t357 = _t356 & 0x00000007;
														_t465[1] = _t357;
														_t243 = _t356 >> 3;
														 *_t465 =  *_t465 + _t243;
														 *(_t479 + 0x30) = _t357;
														_t358 = 0x10;
														_t361 =  *((intOrPtr*)(_t466 + 0x2d38 + _t326 * 4)) + (_t442 -  *((intOrPtr*)(_t466 + 0x2cf4 + _t326 * 4)) >> _t358 - _t326);
														__eflags = _t361 -  *((intOrPtr*)(_t466 + 0x2cf4));
														asm("sbb eax, eax");
														_t244 = _t243 & _t361;
														__eflags = _t244;
														_t245 =  *(_t466 + 0x397c + _t244 * 2) & 0x0000ffff;
														L87:
														_t246 = _t245 & 0x0000ffff;
														__eflags = _t246 - 8;
														if(_t246 >= 8) {
															_t362 = 3;
															_t329 = (_t246 >> 2) - 1;
															_t445 = ((_t246 & _t362 | 0x00000004) << _t329) + 2;
															 *(_t479 + 0x2c) = _t445;
															__eflags = _t329;
															if(_t329 != 0) {
																_t250 = E011DA89D(_t465);
																_t365 = 0x10;
																_t445 =  *(_t479 + 0x2c) + (_t250 >> _t365 - _t329);
																_t368 =  *(_t479 + 0x30) + _t329;
																 *_t465 =  *_t465 + (_t368 >> 3);
																_t369 = _t368 & 0x00000007;
																__eflags = _t369;
																_t465[1] = _t369;
															}
														} else {
															_t445 = _t246 + 2;
														}
														_t470[1] = _t445;
														L33:
														_t322 =  *(_t479 + 0x10);
														L34:
														_t436 =  *(_t479 + 0x1c);
														_t223 =  *(_t479 + 0x20);
														_t468 =  *(_t479 + 0x14);
														continue;
													}
													_t371 = _t466 + 0x2cf8 + _t241 * 4;
													while(1) {
														__eflags = _t442 -  *_t371;
														if(_t442 <  *_t371) {
															break;
														}
														_t241 = _t241 + 1;
														_t371 = _t371 + 4;
														__eflags = _t241 - 0xf;
														if(_t241 < 0xf) {
															continue;
														}
														goto L86;
													}
													_t326 = _t241;
													goto L86;
												}
												_t372 = 0x10;
												_t447 = _t442 >> _t372 - _t240;
												_t331 = ( *(_t447 + _t466 + 0x2d7c) & 0x000000ff) + _t465[1];
												 *_t465 =  *_t465 + (_t331 >> 3);
												_t332 = _t331 & 0x00000007;
												_t465[1] = _t332;
												_t245 =  *(_t466 + 0x317c + _t447 * 2) & 0x0000ffff;
												 *(_t479 + 0x30) = _t332;
												goto L87;
											}
											 *_t470 = 2;
											goto L33;
										}
										_push(_t479 + 0x38);
										E011E3F9D( *((intOrPtr*)(_t479 + 0x34)), _t465);
										_t322 =  *(_t479 + 0x10);
										_t470[1] =  *(_t479 + 0x38) & 0x000000ff;
										_t470[2] =  *(_t479 + 0x3c);
										_t448 = 4;
										 *_t470 = _t448;
										_t260 =  *(_t466 + 0x4ad8);
										_t376 = _t260 * 0xc +  *_t322;
										 *(_t466 + 0x4ad8) = _t260 + 1;
										_t376[1] =  *(_t479 + 0x44) & 0x000000ff;
										 *_t376 = _t448;
										_t376[2] =  *(_t479 + 0x40);
										goto L34;
									}
									_t264 = _t353 - 0x106;
									__eflags = _t264 - 8;
									if(_t264 >= 8) {
										_t449 = 3;
										_t379 = (_t264 >> 2) - 1;
										 *(_t479 + 0x30) = _t379;
										 *(_t479 + 0x24) = ((_t264 & _t449 | 0x00000004) << _t379) + 2;
										__eflags = _t379;
										if(_t379 != 0) {
											_t305 = E011DA89D(_t465);
											_t340 = _t325 +  *(_t479 + 0x30);
											_t422 = 0x10;
											 *(_t479 + 0x24) =  *(_t479 + 0x24) + (_t305 >> _t422 -  *(_t479 + 0x30));
											_t425 =  *(_t479 + 0x18) + (_t340 >> 3);
											_t325 = _t340 & 0x00000007;
											__eflags = _t325;
											 *(_t479 + 0x18) = _t425;
											 *_t465 = _t425;
											_t465[1] = _t325;
										}
									} else {
										 *(_t479 + 0x24) = _t264 + 2;
									}
									_t269 = E011DA89D(_t465);
									_t270 =  *(_t466 + 0xfa0);
									_t451 = _t269 & 0x0000fffe;
									__eflags = _t451 -  *((intOrPtr*)(_t466 + 0xf20 + _t270 * 4));
									if(_t451 >=  *((intOrPtr*)(_t466 + 0xf20 + _t270 * 4))) {
										_t333 = 0xf;
										_t271 = _t270 + 1;
										__eflags = _t271 - _t333;
										if(_t271 >= _t333) {
											L49:
											_t382 = _t465[1] + _t333;
											_t383 = _t382 & 0x00000007;
											_t465[1] = _t383;
											 *_t465 =  *_t465 + (_t382 >> 3);
											_t274 =  *_t465;
											 *(_t479 + 0x18) = _t383;
											_t384 = 0x10;
											 *(_t479 + 0x28) = _t274;
											_t387 =  *((intOrPtr*)(_t466 + 0xf60 + _t333 * 4)) + (_t451 -  *((intOrPtr*)(_t466 + 0xf1c + _t333 * 4)) >> _t384 - _t333);
											__eflags = _t387 -  *((intOrPtr*)(_t466 + 0xf1c));
											asm("sbb eax, eax");
											_t275 = _t274 & _t387;
											__eflags = _t275;
											_t276 =  *(_t466 + 0x1ba4 + _t275 * 2) & 0x0000ffff;
											goto L50;
										}
										_t418 = _t466 + 0xf20 + _t271 * 4;
										while(1) {
											__eflags = _t451 -  *_t418;
											if(_t451 <  *_t418) {
												break;
											}
											_t271 = _t271 + 1;
											_t418 = _t418 + 4;
											__eflags = _t271 - 0xf;
											if(_t271 < 0xf) {
												continue;
											}
											goto L49;
										}
										_t333 = _t271;
										goto L49;
									} else {
										_t419 = 0x10;
										_t459 = _t451 >> _t419 - _t270;
										 *(_t479 + 0x30) = _t459;
										_t461 = ( *(_t459 + _t466 + 0xfa4) & 0x000000ff) + _t325;
										_t303 = (_t461 >> 3) +  *(_t479 + 0x18);
										_t462 = _t461 & 0x00000007;
										 *(_t479 + 0x28) = _t303;
										 *_t465 = _t303;
										_t465[1] = _t462;
										 *(_t479 + 0x18) = _t462;
										_t276 =  *(_t466 + 0x13a4 +  *(_t479 + 0x30) * 2) & 0x0000ffff;
										L50:
										_t277 = _t276 & 0x0000ffff;
										__eflags = _t277 - 4;
										if(_t277 >= 4) {
											_t473 = (_t277 >> 1) - 1;
											_t281 = ((_t277 & 0x00000001 | 0x00000002) << _t473) + 1;
											 *(_t479 + 0x30) = _t281;
											_t334 = _t281;
											__eflags = _t473;
											if(_t473 == 0) {
												L68:
												_t470 =  *(_t479 + 0x2c);
												L69:
												_t282 =  *(_t479 + 0x24);
												__eflags = _t334 - 0x100;
												if(_t334 > 0x100) {
													_t282 = _t282 + 1;
													__eflags = _t334 - 0x2000;
													if(_t334 > 0x2000) {
														_t282 = _t282 + 1;
														__eflags = _t334 - 0x40000;
														if(_t334 > 0x40000) {
															_t282 = _t282 + 1;
															__eflags = _t282;
														}
													}
												}
												 *_t470 = 1;
												_t470[1] = _t282;
												_t470[2] = _t334;
												goto L33;
											}
											__eflags = _t473 - 4;
											if(__eflags < 0) {
												_t283 = E011E8934(_t465);
												_t390 = 0x20;
												_t334 = (_t283 >> _t390 - _t473) +  *(_t479 + 0x30);
												_t393 =  *(_t479 + 0x18) + _t473;
												_t394 = _t393 & 0x00000007;
												__eflags = _t394;
												 *_t465 = (_t393 >> 3) +  *(_t479 + 0x28);
												_t465[1] = _t394;
												goto L68;
											}
											if(__eflags <= 0) {
												_t474 =  *(_t479 + 0x28);
											} else {
												_t298 = E011E8934(_t465);
												_t411 = 0x24;
												_t334 = (_t298 >> _t411 - _t473 << 4) +  *(_t479 + 0x30);
												_t415 =  *(_t479 + 0x18) + 0xfffffffc + _t473;
												_t474 =  *(_t479 + 0x28) + (_t415 >> 3);
												_t416 = _t415 & 0x00000007;
												 *_t465 = _t474;
												 *(_t479 + 0x18) = _t416;
												_t465[1] = _t416;
											}
											_t287 = E011DA89D(_t465);
											_t288 =  *(_t466 + 0x1e8c);
											_t455 = _t287 & 0x0000fffe;
											__eflags = _t455 -  *((intOrPtr*)(_t466 + 0x1e0c + _t288 * 4));
											if(_t455 >=  *((intOrPtr*)(_t466 + 0x1e0c + _t288 * 4))) {
												_t475 = 0xf;
												_t289 = _t288 + 1;
												__eflags = _t289 - _t475;
												if(_t289 >= _t475) {
													L65:
													_t397 = _t465[1] + _t475;
													_t465[1] = _t397 & 0x00000007;
													_t291 = _t397 >> 3;
													 *_t465 =  *_t465 + _t291;
													_t399 = 0x10;
													_t402 =  *((intOrPtr*)(_t466 + 0x1e4c + _t475 * 4)) + (_t455 -  *((intOrPtr*)(_t466 + 0x1e08 + _t475 * 4)) >> _t399 - _t475);
													__eflags = _t402 -  *((intOrPtr*)(_t466 + 0x1e08));
													asm("sbb eax, eax");
													_t292 = _t291 & _t402;
													__eflags = _t292;
													_t293 =  *(_t466 + 0x2a90 + _t292 * 2) & 0x0000ffff;
													goto L66;
												}
												_t404 = _t466 + 0x1e0c + _t289 * 4;
												while(1) {
													__eflags = _t455 -  *_t404;
													if(_t455 <  *_t404) {
														break;
													}
													_t289 = _t289 + 1;
													_t404 = _t404 + 4;
													__eflags = _t289 - 0xf;
													if(_t289 < 0xf) {
														continue;
													}
													goto L65;
												}
												_t475 = _t289;
												goto L65;
											} else {
												_t405 = 0x10;
												_t458 = _t455 >> _t405 - _t288;
												_t408 = ( *(_t458 + _t466 + 0x1e90) & 0x000000ff) +  *(_t479 + 0x18);
												 *_t465 = (_t408 >> 3) + _t474;
												_t465[1] = _t408 & 0x00000007;
												_t293 =  *(_t466 + 0x2290 + _t458 * 2) & 0x0000ffff;
												L66:
												_t334 = _t334 + (_t293 & 0x0000ffff);
												goto L68;
											}
										}
										_t334 = _t277 + 1;
										goto L69;
									}
								}
								__eflags =  *(_t466 + 0x4ad8) - 1;
								if( *(_t466 + 0x4ad8) <= 1) {
									L35:
									 *_t470 =  *_t470 & 0x00000000;
									_t470[2] = _t353;
									_t470[1] = 0;
									goto L33;
								}
								__eflags =  *(_t470 - 0xc);
								if( *(_t470 - 0xc) != 0) {
									goto L35;
								}
								_t310 =  *(_t470 - 8) & 0x0000ffff;
								_t463 = 3;
								__eflags = _t310 - _t463;
								if(_t310 >= _t463) {
									goto L35;
								}
								_t311 = _t310 + 1;
								 *(_t470 - 8) = _t311;
								 *((_t311 & 0x0000ffff) + _t470 - 4) = _t353;
								_t72 = _t466 + 0x4ad8;
								 *_t72 =  *(_t466 + 0x4ad8) - 1;
								__eflags =  *_t72;
								goto L33;
							}
						}
					}
					L3:
					 *((char*)(_t466 + 0x4ad0)) = 1;
					return _t220;
				}
				 *((char*)(_t466 + 0x2c)) = 1;
				_push(_t466 + 0x30);
				_push(_t321);
				_push(_t465);
				_t220 = E011E43BF(__ecx);
				if(_t220 == 0) {
					goto L3;
				}
				goto L2;
			}

0x011e7158
0x011e715d
0x011e7165
0x011e7168
0x011e716b
0x011e7180
0x011e7183
0x011e7185
0x011e7189
0x011e71a1
0x011e71a8
0x011e71aa
0x011e71ad
0x011e71b1
0x011e71b6
0x011e71b8
0x011e71c2
0x011e71c4
0x011e71ba
0x011e71ba
0x011e71bc
0x011e71bc
0x011e71c8
0x011e71ce
0x011e71ce
0x011e71d0
0x011e71d4
0x011e71d6
0x00000000
0x00000000
0x011e71d8
0x011e71da
0x011e77b6
0x00000000
0x011e77b6
0x011e71e0
0x011e71ee
0x011e71ee
0x011e71f0
0x011e71ff
0x011e71ff
0x011e7205
0x011e7207
0x011e720b
0x011e7211
0x011e77af
0x011e77af
0x00000000
0x011e77af
0x00000000
0x011e7211
0x011e71f2
0x011e71f9
0x00000000
0x00000000
0x00000000
0x011e71f9
0x011e71e2
0x011e71e5
0x011e71e8
0x00000000
0x00000000
0x00000000
0x011e7217
0x011e7217
0x011e7220
0x011e7226
0x011e7228
0x011e722b
0x011e7234
0x011e7235
0x011e723c
0x011e7240
0x011e7242
0x011e7249
0x011e7249
0x011e724e
0x011e724e
0x011e7250
0x011e725b
0x011e725e
0x011e7262
0x011e7268
0x011e726f
0x011e7275
0x011e727b
0x011e727f
0x011e72b2
0x011e72b3
0x011e72b4
0x011e72b8
0x011e72ba
0x011e72db
0x011e72de
0x011e72e2
0x011e72e8
0x011e72ec
0x011e72f0
0x011e72f4
0x011e72f9
0x011e7306
0x011e7308
0x011e730b
0x011e730d
0x011e730d
0x011e730f
0x00000000
0x011e730f
0x011e72bf
0x011e72c2
0x011e72c2
0x011e72c4
0x00000000
0x00000000
0x011e72c6
0x011e72c7
0x011e72ca
0x011e72cd
0x00000000
0x00000000
0x011e72cf
0x00000000
0x011e72cf
0x011e72d5
0x011e72d7
0x00000000
0x011e7281
0x011e7283
0x011e7286
0x011e7290
0x011e7298
0x011e729a
0x011e729f
0x011e72a3
0x011e72a6
0x011e7317
0x011e7317
0x011e731f
0x011e7321
0x011e7374
0x011e737a
0x011e7630
0x011e7632
0x011e7686
0x011e768c
0x011e769c
0x011e769d
0x011e76a8
0x011e76ab
0x011e76b2
0x011e76b8
0x011e76be
0x011e76c5
0x011e76f6
0x011e76f7
0x011e76f8
0x011e76fa
0x011e7716
0x011e7719
0x011e771d
0x011e7720
0x011e7723
0x011e7726
0x011e772f
0x011e7735
0x011e7741
0x011e7743
0x011e7749
0x011e774b
0x011e774b
0x011e774d
0x011e7755
0x011e7755
0x011e7758
0x011e775b
0x011e7769
0x011e776c
0x011e7774
0x011e7777
0x011e777b
0x011e777d
0x011e7781
0x011e778c
0x011e7795
0x011e7797
0x011e779e
0x011e77a0
0x011e77a0
0x011e77a3
0x011e77a3
0x011e775d
0x011e775d
0x011e775d
0x011e77a6
0x011e7350
0x011e7350
0x011e7354
0x011e7354
0x011e7358
0x011e735c
0x00000000
0x011e735c
0x011e7702
0x011e7705
0x011e7705
0x011e7707
0x00000000
0x00000000
0x011e7709
0x011e770a
0x011e770d
0x011e7710
0x00000000
0x00000000
0x00000000
0x011e7712
0x011e7714
0x00000000
0x011e7714
0x011e76c9
0x011e76cc
0x011e76d6
0x011e76de
0x011e76e0
0x011e76e3
0x011e76e6
0x011e76ee
0x00000000
0x011e76ee
0x011e768e
0x00000000
0x011e768e
0x011e763c
0x011e763e
0x011e7648
0x011e764c
0x011e7654
0x011e7659
0x011e765a
0x011e765d
0x011e7666
0x011e7669
0x011e7674
0x011e767c
0x011e767e
0x00000000
0x011e767e
0x011e7380
0x011e7386
0x011e7389
0x011e73a0
0x011e73a6
0x011e73af
0x011e73b3
0x011e73b7
0x011e73b9
0x011e73bd
0x011e73c2
0x011e73c8
0x011e73cf
0x011e73dc
0x011e73de
0x011e73de
0x011e73e1
0x011e73e5
0x011e73e7
0x011e73e7
0x011e738b
0x011e7396
0x011e7396
0x011e73ec
0x011e73f3
0x011e73f9
0x011e73ff
0x011e7406
0x011e7446
0x011e7447
0x011e7448
0x011e744a
0x011e7466
0x011e7469
0x011e746d
0x011e7470
0x011e7476
0x011e747f
0x011e7481
0x011e7487
0x011e748a
0x011e7497
0x011e7499
0x011e749f
0x011e74a1
0x011e74a1
0x011e74a3
0x00000000
0x011e74a3
0x011e7452
0x011e7455
0x011e7455
0x011e7457
0x00000000
0x00000000
0x011e7459
0x011e745a
0x011e745d
0x011e7460
0x00000000
0x00000000
0x00000000
0x011e7462
0x011e7464
0x00000000
0x011e7408
0x011e740a
0x011e740d
0x011e740f
0x011e741b
0x011e7422
0x011e7426
0x011e7429
0x011e742d
0x011e7433
0x011e7436
0x011e743a
0x011e74ab
0x011e74ab
0x011e74ae
0x011e74b1
0x011e74c5
0x011e74ca
0x011e74cb
0x011e74cf
0x011e74d1
0x011e74d3
0x011e75fa
0x011e75fa
0x011e75fe
0x011e75fe
0x011e7602
0x011e7608
0x011e760a
0x011e760b
0x011e7611
0x011e7613
0x011e7614
0x011e761a
0x011e761c
0x011e761c
0x011e761c
0x011e761a
0x011e7611
0x011e761d
0x011e7624
0x011e7628
0x00000000
0x011e7628
0x011e74d9
0x011e74dc
0x011e75d1
0x011e75da
0x011e75e3
0x011e75e7
0x011e75f2
0x011e75f2
0x011e75f5
0x011e75f7
0x00000000
0x011e75f7
0x011e74e2
0x011e751d
0x011e74e4
0x011e74e6
0x011e74ef
0x011e74fe
0x011e7502
0x011e750d
0x011e750f
0x011e7512
0x011e7514
0x011e7518
0x011e7518
0x011e7523
0x011e752a
0x011e7530
0x011e7536
0x011e753d
0x011e756d
0x011e756e
0x011e756f
0x011e7571
0x011e758d
0x011e7590
0x011e7597
0x011e759a
0x011e759d
0x011e75a8
0x011e75b4
0x011e75b6
0x011e75bc
0x011e75be
0x011e75be
0x011e75c0
0x00000000
0x011e75c0
0x011e7579
0x011e757c
0x011e757c
0x011e757e
0x00000000
0x00000000
0x011e7580
0x011e7581
0x011e7584
0x011e7587
0x00000000
0x00000000
0x00000000
0x011e7589
0x011e758b
0x00000000
0x011e753f
0x011e7541
0x011e7544
0x011e754e
0x011e755c
0x011e755e
0x011e7561
0x011e75c8
0x011e75cb
0x00000000
0x011e75cb
0x011e753d
0x011e74b3
0x00000000
0x011e74b3
0x011e7406
0x011e7323
0x011e732a
0x011e7365
0x011e7365
0x011e736b
0x011e736e
0x00000000
0x011e736e
0x011e732c
0x011e7330
0x00000000
0x00000000
0x011e7332
0x011e7338
0x011e7339
0x011e733c
0x00000000
0x00000000
0x011e733e
0x011e733f
0x011e7346
0x011e734a
0x011e734a
0x011e734a
0x00000000
0x011e734a
0x011e727f
0x011e71ce
0x011e718b
0x011e718b
0x00000000
0x011e718b
0x011e7170
0x011e7174
0x011e7175
0x011e7176
0x011e7177
0x011e717e
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2591492f8e0415a92e69d916b051196f4cf7f80fc8639925c3eb8306dfd98ae5
Instruction ID: 978c14bdd52982e513ca4e0ec7ea053331913c0f1266d34dbe58d8e0dfde3d83
Opcode Fuzzy Hash: 2591492f8e0415a92e69d916b051196f4cf7f80fc8639925c3eb8306dfd98ae5
Instruction Fuzzy Hash: CE12D1B1604B068FD71DCF68C498A79B7E1FF88308F14492EE996C7681E334E595CB85

Uniqueness

Uniqueness Score: -1.00%

Function 011DC426 Relevance: .5, Instructions: 454
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E011DC426(signed char** __ecx) {
				void* __edi;
				void* _t188;
				signed int _t189;
				char _t192;
				void* _t197;
				void* _t198;
				signed int _t201;
				signed char _t202;
				void* _t212;
				signed int _t213;
				signed int _t215;
				signed int _t216;
				signed char* _t217;
				void* _t218;
				intOrPtr _t222;
				signed char* _t225;
				signed char _t228;
				void* _t237;
				void* _t238;
				signed int _t239;
				signed int _t242;
				signed char* _t245;
				signed int _t277;
				void* _t278;
				void* _t279;
				void* _t280;
				void* _t281;
				void* _t282;
				signed int _t286;
				intOrPtr _t287;
				void* _t288;
				signed char* _t289;
				void* _t290;
				signed int _t291;
				signed int _t292;
				char _t293;
				intOrPtr* _t295;
				signed char _t296;
				signed int _t301;
				signed int _t302;
				intOrPtr _t304;
				intOrPtr* _t306;
				signed char* _t307;
				signed int _t308;
				signed int _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed char _t320;
				intOrPtr _t321;
				intOrPtr _t322;
				unsigned int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t331;
				signed char _t332;
				signed char* _t333;
				signed char _t335;
				signed int _t336;
				signed int _t337;
				void* _t338;
				void* _t339;
				void* _t340;
				signed int _t343;
				signed int _t344;
				signed char* _t345;
				signed int _t346;
				signed int _t348;
				intOrPtr _t350;
				signed int _t351;
				signed int _t354;
				void* _t358;
				signed int _t359;
				signed char* _t360;
				signed int _t361;
				void* _t362;
				void* _t363;

				_t349 = __ecx;
				_t188 =  *((intOrPtr*)(_t363 + 4)) - 1;
				if(_t188 == 0) {
					L84:
					_t189 =  *(_t349 + 0x14);
					_t295 =  *_t349;
					_t350 =  *((intOrPtr*)(_t349 + 0x1c));
					_t288 = _t189 - 4;
					if(_t288 > 0x3fffc) {
						L96:
						return 0;
					}
					_t338 = 0;
					_t192 = (_t189 & 0xffffff00 |  *((intOrPtr*)(_t363 + 0x64)) == 0x00000002) + 0xe8;
					 *((char*)(_t363 + 0x13)) = _t192;
					if(_t288 == 0) {
						L95:
						return 1;
					} else {
						goto L86;
					}
					do {
						L86:
						_t321 =  *_t295;
						_t295 = _t295 + 1;
						_t339 = _t338 + 1;
						_t350 = _t350 + 1;
						if(_t321 == 0xe8 || _t321 == _t192) {
							_t322 =  *_t295;
							if(_t322 >= 0) {
								if(_t322 - 0x1000000 < 0) {
									 *_t295 = _t322 - _t350;
								}
							} else {
								if(_t350 + _t322 >= 0) {
									 *_t295 = _t322 + 0x1000000;
								}
							}
							_t192 =  *((intOrPtr*)(_t363 + 0x13));
							_t295 = _t295 + 4;
							_t338 = _t339 + 4;
							_t350 = _t350 + 4;
						}
					} while (_t338 < _t288);
					goto L95;
				}
				_t197 = _t188 - 1;
				if(_t197 == 0) {
					goto L84;
				}
				_t198 = _t197 - 1;
				if(_t198 == 0) {
					_t289 =  *__ecx;
					_t340 = __ecx[5] - 0x15;
					if(_t340 > 0x3ffeb) {
						goto L96;
					}
					_t325 = __ecx[7] >> 4;
					 *(_t363 + 0x28) = _t325;
					if(_t340 == 0) {
						goto L95;
					}
					_t343 = (_t340 - 1 >> 4) + 1;
					 *(_t363 + 0x38) = _t343;
					do {
						_t201 =  *_t289 & 0x1f;
						if(_t201 < 0x10) {
							goto L82;
						}
						_t202 =  *((intOrPtr*)(_t201 + 0x120e078));
						if(_t202 == 0) {
							goto L82;
						}
						_t344 =  *(_t363 + 0x28);
						_t296 = 0;
						_t326 = _t202 & 0x000000ff;
						 *(_t363 + 0x30) = 0;
						 *(_t363 + 0x40) = _t326;
						_t358 = 0x12;
						do {
							if((_t326 & 1) != 0) {
								_t168 = _t358 + 0x18; // 0x2a
								if(E011DC985(_t289, _t168, 4) == 5) {
									E011DC9D0(_t289, E011DC985(_t289, _t358, 0x14) - _t344 & 0x000fffff, _t358, 0x14);
								}
								_t326 =  *(_t363 + 0x3c);
								_t296 =  *(_t363 + 0x2c);
							}
							_t296 = _t296 + 1;
							_t358 = _t358 + 0x29;
							 *(_t363 + 0x2c) = _t296;
						} while (_t358 <= 0x64);
						_t343 =  *(_t363 + 0x38);
						_t325 =  *(_t363 + 0x28);
						L82:
						_t289 =  &(_t289[0x10]);
						_t325 = _t325 + 1;
						_t343 = _t343 - 1;
						 *(_t363 + 0x28) = _t325;
						 *(_t363 + 0x38) = _t343;
					} while (_t343 != 0);
					goto L95;
				}
				_t212 = _t198 - 1;
				if(_t212 == 0) {
					_t213 = __ecx[1];
					_t345 = __ecx[5];
					 *(_t363 + 0x18) = _t213;
					_t290 = _t213 - 3;
					if(_t345 - 3 > 0x1fffd || _t290 > _t345) {
						goto L96;
					} else {
						_t215 = __ecx[2];
						 *(_t363 + 0x20) = _t215;
						if(_t215 > 2) {
							goto L96;
						}
						_t216 =  *__ecx;
						 *(_t363 + 0x14) = _t216;
						_t359 = 3;
						_t351 =  &(_t345[_t216]);
						_t217 = 0;
						 *(_t363 + 0x24) = _t351;
						_t301 = _t351 - _t290;
						 *(_t363 + 0x30) = 0;
						 *(_t363 + 0x28) = _t301;
						do {
							_t291 = 0;
							if(_t217 >= _t345) {
								goto L65;
							}
							_t327 =  *(_t363 + 0x18);
							_t360 =  &(_t217[_t301]);
							_t302 =  *(_t363 + 0x14);
							_t225 =  *(_t363 + 0x18) + 0xfffffffd - _t351;
							 *(_t363 + 0x34) = _t225;
							do {
								if( &(_t225[_t360]) >= _t327) {
									 *(_t363 + 0x3c) =  *_t360 & 0x000000ff;
									 *(_t363 + 0x3c) =  *(_t360 - 3) & 0x000000ff;
									 *(_t363 + 0x44) = E011F614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff));
									 *(_t363 + 0x38) = E011F614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff) + _t291 -  *(_t363 + 0x40));
									_t237 = E011F614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff) + _t291 -  *(_t363 + 0x40));
									_t304 =  *((intOrPtr*)(_t363 + 0x4c));
									_t363 = _t363 + 0xc;
									_t332 =  *(_t363 + 0x2c);
									if(_t304 > _t332 || _t304 > _t237) {
										_t302 =  *(_t363 + 0x14);
										_t327 =  *(_t363 + 0x18);
										_t291 =  *(_t363 + 0x3c);
										if(_t332 > _t237) {
											_t291 =  *(_t363 + 0x38);
										}
									} else {
										_t302 =  *(_t363 + 0x14);
										_t327 =  *(_t363 + 0x18);
									}
								}
								_t228 = _t291 -  *_t302;
								_t302 = _t302 + 1;
								(_t360 - 3)[_t327] = _t228;
								_t360 =  &(_t360[3]);
								_t291 = _t228 & 0x000000ff;
								 *(_t363 + 0x14) = _t302;
								_t225 =  *(_t363 + 0x34);
							} while ( &(( *(_t363 + 0x34))[_t360]) < _t345);
							_t217 =  *(_t363 + 0x30);
							_t301 =  *(_t363 + 0x28);
							_t351 =  *(_t363 + 0x24);
							_t359 = 3;
							L65:
							_t217 =  &(_t217[1]);
							 *(_t363 + 0x30) = _t217;
						} while (_t217 < _t359);
						_t328 =  *(_t363 + 0x20);
						_t218 = _t345 - 2;
						if(_t328 >= _t218) {
							goto L95;
						}
						_t306 = _t328 + 2 + _t351;
						_t331 = (_t218 - _t328 - 1) / _t359 + 1;
						do {
							_t222 =  *((intOrPtr*)(_t306 - 1));
							 *((intOrPtr*)(_t306 - 2)) =  *((intOrPtr*)(_t306 - 2)) + _t222;
							 *_t306 =  *_t306 + _t222;
							_t306 = _t306 + _t359;
							_t331 = _t331 - 1;
						} while (_t331 != 0);
						goto L95;
					}
				}
				_t238 = _t212 - 1;
				if(_t238 == 0) {
					_t307 = __ecx[5];
					_t333 =  *__ecx;
					_t239 = __ecx[1];
					 *(_t363 + 0x30) = _t333;
					 *(_t363 + 0x34) = _t307;
					 *(_t363 + 0x38) = _t239;
					 *(_t363 + 0x40) =  &(_t333[_t307]);
					if(_t307 > 0x20000 || _t239 > 0x80 || _t239 == 0) {
						goto L96;
					} else {
						_t346 = 0;
						 *(_t363 + 0x3c) = 0;
						if(_t239 == 0) {
							goto L95;
						} else {
							goto L20;
						}
						do {
							L20:
							 *(_t363 + 0x24) =  *(_t363 + 0x24) & 0x00000000;
							 *(_t363 + 0x20) =  *(_t363 + 0x20) & 0x00000000;
							_t354 = 0;
							 *(_t363 + 0x1c) =  *(_t363 + 0x1c) & 0x00000000;
							_t292 = 0;
							 *(_t363 + 0x18) =  *(_t363 + 0x18) & 0x00000000;
							_t361 = 0;
							 *(_t363 + 0x20) = 0;
							E011EFFF0(_t346, _t363 + 0x44, 0, 0x1c);
							 *(_t363 + 0x38) =  *(_t363 + 0x38) & 0;
							_t363 = _t363 + 0xc;
							 *(_t363 + 0x28) = _t346;
							if(_t346 >=  *(_t363 + 0x34)) {
								_t242 =  *(_t363 + 0x38);
								goto L49;
							} else {
								goto L21;
							}
							do {
								L21:
								_t308 =  *(_t363 + 0x20);
								 *(_t363 + 0x18) = _t308 -  *(_t363 + 0x1c);
								_t245 =  *(_t363 + 0x30);
								 *(_t363 + 0x1c) = _t308;
								_t335 =  *_t245;
								 *(_t363 + 0x30) =  &(_t245[1]);
								_t314 = ( *(_t363 + 0x18) * _t354 + _t361 *  *(_t363 + 0x18) + _t292 *  *(_t363 + 0x20) +  *(_t363 + 0x24) * 0x00000008 >> 0x00000003 & 0x000000ff) - (_t335 & 0x000000ff);
								 *( *(_t363 + 0x28) +  *(_t363 + 0x40)) = _t314;
								_t357 = _t335 << 3;
								 *(_t363 + 0x24) = _t314 -  *(_t363 + 0x24);
								 *(_t363 + 0x28) = _t314;
								 *((intOrPtr*)(_t363 + 0x48)) =  *((intOrPtr*)(_t363 + 0x48)) + E011F614A(_t335, _t335 << 3);
								 *((intOrPtr*)(_t363 + 0x50)) =  *((intOrPtr*)(_t363 + 0x50)) + E011F614A(_t335, (_t335 << 3) -  *(_t363 + 0x20));
								 *((intOrPtr*)(_t363 + 0x58)) =  *((intOrPtr*)(_t363 + 0x58)) + E011F614A(_t335,  *(_t363 + 0x24) + (_t335 << 3));
								 *((intOrPtr*)(_t363 + 0x60)) =  *((intOrPtr*)(_t363 + 0x60)) + E011F614A(_t335, (_t335 << 3) -  *(_t363 + 0x24));
								 *((intOrPtr*)(_t363 + 0x68)) =  *((intOrPtr*)(_t363 + 0x68)) + E011F614A(_t335,  *(_t363 + 0x28) + (_t335 << 3));
								 *((intOrPtr*)(_t363 + 0x70)) =  *((intOrPtr*)(_t363 + 0x70)) + E011F614A(_t335, _t357 -  *(_t363 + 0x18));
								 *((intOrPtr*)(_t363 + 0x78)) =  *((intOrPtr*)(_t363 + 0x78)) + E011F614A(_t335, _t357 +  *(_t363 + 0x18));
								_t363 = _t363 + 0x1c;
								if(( *(_t363 + 0x2c) & 0x0000001f) != 0) {
									_t354 =  *(_t363 + 0x14);
								} else {
									_t336 =  *(_t363 + 0x44);
									_t277 = 0;
									 *(_t363 + 0x44) =  *(_t363 + 0x44) & 0;
									_t318 = 1;
									do {
										if( *(_t363 + 0x44 + _t318 * 4) < _t336) {
											_t336 =  *(_t363 + 0x44 + _t318 * 4);
											_t277 = _t318;
										}
										 *(_t363 + 0x44 + _t318 * 4) =  *(_t363 + 0x44 + _t318 * 4) & 0x00000000;
										_t318 = _t318 + 1;
									} while (_t318 < 7);
									_t354 =  *(_t363 + 0x14);
									_t278 = _t277 - 1;
									if(_t278 == 0) {
										if(_t292 >= 0xfffffff0) {
											_t292 = _t292 - 1;
										}
										goto L46;
									}
									_t279 = _t278 - 1;
									if(_t279 == 0) {
										if(_t292 < 0x10) {
											_t292 = _t292 + 1;
										}
										goto L46;
									}
									_t280 = _t279 - 1;
									if(_t280 == 0) {
										if(_t361 >= 0xfffffff0) {
											_t361 = _t361 - 1;
										}
										goto L46;
									}
									_t281 = _t280 - 1;
									if(_t281 == 0) {
										if(_t361 < 0x10) {
											_t361 = _t361 + 1;
										}
										goto L46;
									}
									_t282 = _t281 - 1;
									if(_t282 == 0) {
										if(_t354 < 0xfffffff0) {
											goto L46;
										}
										_t354 = _t354 - 1;
										L34:
										 *(_t363 + 0x14) = _t354;
										goto L46;
									}
									if(_t282 != 1 || _t354 >= 0x10) {
										goto L46;
									} else {
										_t354 = _t354 + 1;
										goto L34;
									}
								}
								L46:
								_t242 =  *(_t363 + 0x38);
								_t316 =  *(_t363 + 0x28) + _t242;
								 *(_t363 + 0x2c) =  *(_t363 + 0x2c) + 1;
								 *(_t363 + 0x28) = _t316;
							} while (_t316 <  *(_t363 + 0x34));
							_t346 =  *(_t363 + 0x3c);
							L49:
							_t346 = _t346 + 1;
							 *(_t363 + 0x3c) = _t346;
						} while (_t346 < _t242);
						goto L95;
					}
				}
				if(_t238 != 1) {
					goto L95;
				}
				_t319 = __ecx[5];
				_t362 = 0;
				_t337 = __ecx[1];
				 *(_t363 + 0x28) = _t319;
				 *(_t363 + 0x2c) = _t319 + _t319;
				if(_t319 > 0x20000 || _t337 > 0x400 || _t337 == 0) {
					goto L96;
				} else {
					_t286 = _t337;
					 *(_t363 + 0x24) = _t337;
					do {
						_t293 = 0;
						_t348 = _t319;
						if(_t319 <  *(_t363 + 0x2c)) {
							_t320 =  *(_t363 + 0x2c);
							goto L12;
							L12:
							_t287 =  *_t349;
							_t293 = _t293 -  *((intOrPtr*)(_t287 + _t362));
							_t362 = _t362 + 1;
							 *((char*)(_t287 + _t348)) = _t293;
							_t348 = _t348 + _t337;
							if(_t348 < _t320) {
								goto L12;
							} else {
								_t319 =  *(_t363 + 0x28);
								_t286 =  *(_t363 + 0x24);
								goto L14;
							}
						}
						L14:
						_t319 = _t319 + 1;
						_t286 = _t286 - 1;
						 *(_t363 + 0x28) = _t319;
						 *(_t363 + 0x24) = _t286;
					} while (_t286 != 0);
					goto L95;
				}
			}

0x011dc430
0x011dc433
0x011dc436
0x011dc90a
0x011dc90a
0x011dc90d
0x011dc90f
0x011dc912
0x011dc91b
0x011dc979
0x00000000
0x011dc979
0x011dc925
0x011dc927
0x011dc929
0x011dc92f
0x011dc975
0x00000000
0x00000000
0x00000000
0x00000000
0x011dc931
0x011dc931
0x011dc931
0x011dc933
0x011dc934
0x011dc935
0x011dc939
0x011dc93f
0x011dc943
0x011dc95e
0x011dc962
0x011dc962
0x011dc945
0x011dc94a
0x011dc952
0x011dc952
0x011dc94a
0x011dc964
0x011dc968
0x011dc96b
0x011dc96e
0x011dc96e
0x011dc971
0x00000000
0x011dc931
0x011dc43c
0x011dc43f
0x00000000
0x00000000
0x011dc445
0x011dc448
0x011dc847
0x011dc849
0x011dc852
0x00000000
0x00000000
0x011dc85b
0x011dc85e
0x011dc864
0x00000000
0x00000000
0x011dc86e
0x011dc86f
0x011dc873
0x011dc876
0x011dc87c
0x00000000
0x00000000
0x011dc87e
0x011dc886
0x00000000
0x00000000
0x011dc888
0x011dc88c
0x011dc88e
0x011dc893
0x011dc897
0x011dc89b
0x011dc89c
0x011dc8a3
0x011dc8a7
0x011dc8b6
0x011dc8d1
0x011dc8d1
0x011dc8d6
0x011dc8da
0x011dc8da
0x011dc8de
0x011dc8df
0x011dc8e2
0x011dc8e6
0x011dc8eb
0x011dc8ef
0x011dc8f3
0x011dc8f3
0x011dc8f6
0x011dc8f7
0x011dc8fa
0x011dc8fe
0x011dc8fe
0x00000000
0x011dc908
0x011dc44e
0x011dc451
0x011dc6ee
0x011dc6f1
0x011dc6f4
0x011dc6f8
0x011dc703
0x00000000
0x011dc711
0x011dc711
0x011dc714
0x011dc71b
0x00000000
0x00000000
0x011dc721
0x011dc723
0x011dc729
0x011dc72a
0x011dc72d
0x011dc731
0x011dc735
0x011dc737
0x011dc73b
0x011dc73f
0x011dc73f
0x011dc743
0x00000000
0x00000000
0x011dc749
0x011dc74d
0x011dc754
0x011dc75b
0x011dc75d
0x011dc761
0x011dc765
0x011dc76f
0x011dc776
0x011dc782
0x011dc797
0x011dc79b
0x011dc7a0
0x011dc7a4
0x011dc7a7
0x011dc7ad
0x011dc7bd
0x011dc7c3
0x011dc7c7
0x011dc7cb
0x011dc7cd
0x011dc7cd
0x011dc7b3
0x011dc7b3
0x011dc7b7
0x011dc7b7
0x011dc7ad
0x011dc7d3
0x011dc7d5
0x011dc7d6
0x011dc7da
0x011dc7dd
0x011dc7e6
0x011dc7ec
0x011dc7ec
0x011dc7f6
0x011dc7fa
0x011dc7fe
0x011dc804
0x011dc805
0x011dc805
0x011dc806
0x011dc80a
0x011dc812
0x011dc816
0x011dc81b
0x00000000
0x00000000
0x011dc826
0x011dc82d
0x011dc830
0x011dc830
0x011dc833
0x011dc836
0x011dc838
0x011dc83a
0x011dc83a
0x00000000
0x011dc83f
0x011dc703
0x011dc457
0x011dc45a
0x011dc4d6
0x011dc4d9
0x011dc4db
0x011dc4de
0x011dc4e4
0x011dc4e8
0x011dc4ec
0x011dc4f6
0x00000000
0x011dc50f
0x011dc50f
0x011dc511
0x011dc517
0x00000000
0x00000000
0x00000000
0x00000000
0x011dc51d
0x011dc51d
0x011dc51d
0x011dc526
0x011dc52b
0x011dc52d
0x011dc532
0x011dc534
0x011dc539
0x011dc53f
0x011dc543
0x011dc548
0x011dc54c
0x011dc54f
0x011dc557
0x011dc6d8
0x00000000
0x00000000
0x00000000
0x00000000
0x011dc55d
0x011dc55d
0x011dc55d
0x011dc56b
0x011dc56f
0x011dc573
0x011dc580
0x011dc583
0x011dc5a9
0x011dc5af
0x011dc5be
0x011dc5c2
0x011dc5c6
0x011dc5cf
0x011dc5df
0x011dc5ef
0x011dc5ff
0x011dc60f
0x011dc61d
0x011dc62a
0x011dc62e
0x011dc636
0x011dc6b2
0x011dc638
0x011dc638
0x011dc63c
0x011dc63e
0x011dc644
0x011dc645
0x011dc649
0x011dc64b
0x011dc64f
0x011dc64f
0x011dc651
0x011dc656
0x011dc657
0x011dc65c
0x011dc660
0x011dc663
0x011dc6ad
0x011dc6af
0x011dc6af
0x00000000
0x011dc6ad
0x011dc665
0x011dc668
0x011dc6a5
0x011dc6a7
0x011dc6a7
0x00000000
0x011dc6a5
0x011dc66a
0x011dc66d
0x011dc69d
0x011dc69f
0x011dc69f
0x00000000
0x011dc69d
0x011dc66f
0x011dc672
0x011dc695
0x011dc697
0x011dc697
0x00000000
0x011dc695
0x011dc674
0x011dc677
0x011dc68d
0x00000000
0x00000000
0x011dc68f
0x011dc684
0x011dc684
0x00000000
0x011dc684
0x011dc67c
0x00000000
0x011dc683
0x011dc683
0x00000000
0x011dc683
0x011dc67c
0x011dc6b6
0x011dc6ba
0x011dc6be
0x011dc6c0
0x011dc6c4
0x011dc6c8
0x011dc6d2
0x011dc6dc
0x011dc6dc
0x011dc6dd
0x011dc6e1
0x00000000
0x011dc6e9
0x011dc4f6
0x011dc45f
0x00000000
0x00000000
0x011dc465
0x011dc468
0x011dc46a
0x011dc46d
0x011dc474
0x011dc47e
0x00000000
0x011dc498
0x011dc498
0x011dc49a
0x011dc49e
0x011dc49e
0x011dc4a0
0x011dc4a6
0x011dc4a8
0x011dc4a8
0x011dc4ac
0x011dc4ac
0x011dc4ae
0x011dc4b1
0x011dc4b2
0x011dc4b5
0x011dc4b9
0x00000000
0x011dc4bb
0x011dc4bb
0x011dc4bf
0x00000000
0x011dc4bf
0x011dc4b9
0x011dc4c3
0x011dc4c3
0x011dc4c4
0x011dc4c7
0x011dc4cb
0x011dc4cb
0x00000000
0x011dc49e

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051a68df579e24f05ee527054dcd5d556a73b4892e837a8fa3ab60e93eefcff2
Instruction ID: e7af6e6c8503721be742b2447a679b743c3fd5868e794e70cd3968036531e101
Opcode Fuzzy Hash: 051a68df579e24f05ee527054dcd5d556a73b4892e837a8fa3ab60e93eefcff2
Instruction Fuzzy Hash: 8FF18B716083018FC71DCF28C59466ABBE5EFCA328F154E2EE68597395E730E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 011E6CDC Relevance: .3, Instructions: 343
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E011E6CDC(signed int __ecx, void* __edx) {
				void* __ebp;
				intOrPtr _t166;
				intOrPtr _t170;
				signed int _t176;
				signed int _t179;
				intOrPtr _t182;
				signed int _t185;
				signed int _t186;
				void* _t189;
				void* _t196;
				signed int _t201;
				signed int _t202;
				intOrPtr* _t203;
				signed int _t206;
				void* _t217;
				intOrPtr _t220;
				signed int _t223;
				signed int _t226;
				signed int _t230;
				signed int _t232;
				intOrPtr _t235;
				intOrPtr* _t236;
				intOrPtr* _t242;
				intOrPtr* _t244;
				void* _t247;
				signed int _t249;
				signed int _t250;
				signed int _t252;
				intOrPtr _t257;
				signed int _t265;
				intOrPtr* _t269;
				intOrPtr _t272;
				signed int _t275;
				signed int _t276;
				signed int _t278;
				intOrPtr* _t280;
				intOrPtr* _t282;
				void* _t283;
				signed int _t284;
				intOrPtr* _t285;
				intOrPtr _t287;
				void* _t289;
				void* _t290;
				void* _t292;

				_t223 = __ecx;
				E011E359E(__ecx, __edx);
				E011E4D0A(__ecx,  *((intOrPtr*)(_t290 + 0x244)));
				_t282 = _t223 + 0x18;
				_t249 = 0;
				 *((intOrPtr*)(_t290 + 0x14)) = _t282;
				if( *(_t223 + 0x1c) +  *(_t223 + 0x1c) == 0) {
					 *((intOrPtr*)(_t290 + 0x14)) = _t282;
				} else {
					_t247 = 0;
					do {
						_t220 =  *_t282;
						_t247 = _t247 + 0x4ae4;
						_t249 = _t249 + 1;
						 *((char*)(_t220 + _t247 - 0x13)) = 0;
						 *((char*)(_t220 + _t247 - 0x11)) = 0;
					} while (_t249 <  *(_t223 + 0x1c) +  *(_t223 + 0x1c));
				}
				_t226 = 5;
				memcpy( *_t282 + 0x18, _t223 + 0x8c, _t226 << 2);
				E011F0320( *_t282 + 0x30, _t223 + 0xa0, 0x4a9c);
				_t292 = _t290 + 0x18;
				 *(_t292 + 0x30) = 0;
				_t265 = 0;
				 *((char*)(_t292 + 0x1b)) = 0;
				 *((char*)(_t292 + 0x13)) = 0;
				while(1) {
					L6:
					_t272 = 0;
					 *((intOrPtr*)(_t292 + 0x1c)) = 0;
					while(1) {
						L7:
						_push(0x00400000 - _t265 & 0xfffffff0);
						_push( *((intOrPtr*)(_t223 + 0x20)) + _t265);
						_t166 = E011DD114( *_t223);
						 *((intOrPtr*)(_t292 + 0x34)) = _t166;
						if(_t166 < 0) {
							break;
						}
						_t265 = _t265 + _t166;
						 *(_t292 + 0x2c) = _t265;
						if(_t265 != 0) {
							if(_t166 <= 0 || _t265 >= 0x400) {
								if(_t272 >= _t265) {
									goto L69;
								} else {
									while(1) {
										_t252 = 0;
										 *(_t292 + 0x28) =  *(_t292 + 0x28) & 0;
										 *(_t292 + 0x24) = 0;
										_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
										if(_t176 != 0) {
										}
										L13:
										_t235 = 0;
										 *((intOrPtr*)(_t292 + 0x20)) = 0;
										while(1) {
											_t280 =  *_t282 + _t235;
											 *(_t292 + 0x30) = _t252;
											_t29 = _t280 + 4; // 0x4
											_t236 = _t29;
											 *_t280 = _t223;
											if( *((char*)(_t280 + 0x4ad3)) == 0) {
												goto L16;
											}
											L15:
											 *(_t280 + 0x4acc) = _t265;
											L18:
											_t42 = _t280 + 0x18; // 0x18
											_t285 = _t42;
											 *((char*)(_t280 + 0x4ad3)) = 0;
											 *(_t280 + 0x4ae0) = _t252;
											 *((char*)(_t280 + 0x4ad2)) = _t176 & 0xffffff00 |  *((intOrPtr*)(_t292 + 0x34)) == 0x00000000;
											if( *((char*)(_t280 + 0x14)) != 0) {
												L23:
												if( *((char*)(_t292 + 0x1b)) != 0 ||  *_t285 > 0x20000) {
													 *((char*)(_t280 + 0x4ad1)) = 1;
													 *((char*)(_t292 + 0x1b)) = 1;
												} else {
													 *(_t292 + 0x28) =  *(_t292 + 0x28) + 1;
												}
												_t287 =  *((intOrPtr*)(_t292 + 0x1c)) +  *((intOrPtr*)(_t280 + 0x24)) +  *_t285;
												_t252 = _t252 + 1;
												 *((intOrPtr*)(_t292 + 0x1c)) = _t287;
												_t235 =  *((intOrPtr*)(_t292 + 0x20)) + 0x4ae4;
												 *(_t292 + 0x24) = _t252;
												 *((intOrPtr*)(_t292 + 0x20)) = _t235;
												_t217 = _t265 - _t287;
												if(_t217 < 0 ||  *((char*)(_t280 + 0x28)) == 0) {
													if(_t217 >= 0x400) {
														_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
														if(_t252 < _t176) {
															_t282 =  *((intOrPtr*)(_t292 + 0x14));
															_t280 =  *_t282 + _t235;
															 *(_t292 + 0x30) = _t252;
															_t29 = _t280 + 4; // 0x4
															_t236 = _t29;
															 *_t280 = _t223;
															if( *((char*)(_t280 + 0x4ad3)) == 0) {
																goto L16;
															}
														}
													}
												}
											} else {
												_push(_t285);
												_push(_t236);
												 *((char*)(_t280 + 0x14)) = 1;
												if(E011E3E0B(_t223) == 0 ||  *((char*)(_t280 + 0x29)) == 0 &&  *((char*)(_t223 + 0xe662)) == 0) {
													 *((char*)(_t292 + 0x13)) = 1;
												} else {
													_t252 =  *(_t292 + 0x24);
													 *((char*)(_t223 + 0xe662)) = 1;
													goto L23;
												}
											}
											break;
											L16:
											E011DA85A(_t236,  *((intOrPtr*)(_t223 + 0x20)) +  *((intOrPtr*)(_t292 + 0x1c)));
											_t33 = _t280 + 4; // 0x4
											_t236 = _t33;
											 *((intOrPtr*)(_t236 + 4)) = 0;
											_t176 = _t265 -  *((intOrPtr*)(_t292 + 0x1c));
											__eflags = _t176;
											 *_t236 = 0;
											 *(_t280 + 0x4acc) = _t176;
											if(_t176 != 0) {
												 *((char*)(_t280 + 0x4ad0)) = 0;
												 *((char*)(_t280 + 0x14)) = 0;
												 *((char*)(_t280 + 0x2c)) = 0;
												_t252 =  *(_t292 + 0x24);
												goto L18;
											}
											break;
										}
										L33:
										_t232 =  *(_t292 + 0x28);
										_t275 = _t232 /  *(_t223 + 0x1c);
										_t179 = _t232;
										__eflags = _t179 %  *(_t223 + 0x1c);
										if(_t179 %  *(_t223 + 0x1c) != 0) {
											_t275 = _t275 + 1;
											__eflags = _t275;
										}
										_t283 = 0;
										__eflags = _t232;
										if(_t232 != 0) {
											_t269 =  *((intOrPtr*)(_t292 + 0x14));
											_t257 = 0;
											_t202 = _t275 * 0x4ae4;
											__eflags = _t202;
											 *((intOrPtr*)(_t292 + 0x20)) = 0;
											 *(_t292 + 0x38) = _t202;
											_t203 = _t292 + 0x40;
											do {
												_t258 = _t257 +  *_t269;
												_t244 = _t203;
												 *((intOrPtr*)(_t292 + 0x3c)) = _t203 + 8;
												_t206 =  *(_t292 + 0x28) - _t283;
												 *_t244 = _t257 +  *_t269;
												__eflags = _t275 - _t206;
												if(_t275 < _t206) {
													_t206 = _t275;
												}
												__eflags =  *(_t292 + 0x24) - 1;
												 *(_t244 + 4) = _t206;
												if( *(_t292 + 0x24) != 1) {
													E011E0F86( *((intOrPtr*)(_t223 + 0x14)), E011E77C0, _t244);
												} else {
													E011E7153(_t223, _t258);
												}
												_t283 = _t283 + _t275;
												_t257 =  *((intOrPtr*)(_t292 + 0x20)) +  *(_t292 + 0x38);
												_t203 =  *((intOrPtr*)(_t292 + 0x3c));
												 *((intOrPtr*)(_t292 + 0x20)) = _t257;
												__eflags = _t283 -  *(_t292 + 0x28);
											} while (_t283 <  *(_t292 + 0x28));
											_t265 =  *(_t292 + 0x2c);
										}
										_t284 =  *(_t292 + 0x24);
										__eflags = _t284;
										if(_t284 == 0) {
											_t272 =  *((intOrPtr*)(_t292 + 0x1c));
											goto L68;
										} else {
											E011E11CF( *((intOrPtr*)(_t223 + 0x14)));
											_t276 = 0;
											__eflags = _t284;
											if(_t284 == 0) {
												L55:
												__eflags =  *((char*)(_t292 + 0x13));
												if( *((char*)(_t292 + 0x13)) == 0) {
													_t182 =  *((intOrPtr*)(_t292 + 0x1c));
													_t278 = _t265 - _t182;
													__eflags = _t278 - 0x400;
													if(_t278 < 0x400) {
														__eflags = _t278;
														if(__eflags >= 0) {
															if(__eflags > 0) {
																__eflags = _t182 +  *((intOrPtr*)(_t223 + 0x20));
																E011F0320( *((intOrPtr*)(_t223 + 0x20)), _t182 +  *((intOrPtr*)(_t223 + 0x20)), _t278);
																_t292 = _t292 + 0xc;
															}
															_t282 =  *((intOrPtr*)(_t292 + 0x14));
															_t265 = _t278;
															goto L6;
														}
													} else {
														_t282 =  *((intOrPtr*)(_t292 + 0x14));
														_t272 = _t182;
														__eflags = _t272 - _t265;
														if(_t272 >= _t265) {
															goto L7;
														} else {
															_t252 = 0;
															 *(_t292 + 0x28) =  *(_t292 + 0x28) & 0;
															 *(_t292 + 0x24) = 0;
															_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
															if(_t176 != 0) {
															}
															goto L33;
														}
													}
												}
											} else {
												_t185 = 0;
												__eflags = 0;
												 *((intOrPtr*)(_t292 + 0x20)) = 0;
												do {
													_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14)))) + _t185;
													__eflags =  *((char*)(_t289 + 0x4ad1));
													if( *((char*)(_t289 + 0x4ad1)) != 0) {
														L50:
														_t186 = E011E77EF(_t223, _t289);
														__eflags = _t186;
														if(_t186 != 0) {
															goto L51;
														}
													} else {
														_t201 = E011E390D(_t223, _t289);
														__eflags = _t201;
														if(_t201 != 0) {
															__eflags =  *((char*)(_t289 + 0x4ad1));
															if( *((char*)(_t289 + 0x4ad1)) == 0) {
																L51:
																__eflags =  *((char*)(_t289 + 0x4ad0));
																if( *((char*)(_t289 + 0x4ad0)) == 0) {
																	__eflags =  *((char*)(_t289 + 0x4ad3));
																	if( *((char*)(_t289 + 0x4ad3)) != 0) {
																		_t241 =  *((intOrPtr*)(_t223 + 0x20));
																		_t189 =  *((intOrPtr*)(_t289 + 0x10)) -  *((intOrPtr*)(_t223 + 0x20)) +  *(_t289 + 4);
																		__eflags = _t265 - _t189;
																		if(_t265 > _t189) {
																			_t265 = _t265 - _t189;
																			 *(_t292 + 0x38) = _t265;
																			E011F0320(_t241, _t189 + _t241, _t265);
																			_t292 = _t292 + 0xc;
																			 *((intOrPtr*)(_t289 + 0x18)) =  *((intOrPtr*)(_t289 + 0x18)) +  *(_t289 + 0x20) -  *(_t289 + 4);
																			 *(_t289 + 0x24) =  *(_t289 + 0x24) & 0x00000000;
																			 *(_t289 + 0x20) =  *(_t289 + 0x20) & 0x00000000;
																			 *(_t289 + 4) =  *(_t289 + 4) & 0x00000000;
																			 *((intOrPtr*)(_t289 + 0x10)) =  *((intOrPtr*)(_t223 + 0x20));
																			__eflags = _t276;
																			if(_t276 != 0) {
																				_t196 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14))));
																				E011F0320(_t196, _t289, 0x4ae4);
																				_t242 =  *((intOrPtr*)(_t292 + 0x20));
																				_t292 = _t292 + 0xc;
																				 *((intOrPtr*)( *_t242 + 0x4ad4)) =  *((intOrPtr*)(_t196 + 0x4ad4));
																				 *((intOrPtr*)( *_t242 + 0x4adc)) =  *((intOrPtr*)(_t196 + 0x4adc));
																				_t265 =  *(_t292 + 0x2c);
																				 *((char*)(_t289 + 0x4ad3)) = 0;
																			}
																			_t272 = 0;
																			 *((intOrPtr*)(_t292 + 0x1c)) = 0;
																			L68:
																			_t282 =  *((intOrPtr*)(_t292 + 0x14));
																			goto L69;
																		}
																	} else {
																		__eflags =  *((char*)(_t289 + 0x28));
																		if( *((char*)(_t289 + 0x28)) == 0) {
																			goto L54;
																		}
																	}
																}
															} else {
																goto L50;
															}
														}
													}
													goto L70;
													L54:
													_t276 = _t276 + 1;
													_t185 =  *((intOrPtr*)(_t292 + 0x20)) + 0x4ae4;
													 *((intOrPtr*)(_t292 + 0x20)) = _t185;
													__eflags = _t276 -  *(_t292 + 0x24);
												} while (_t276 <  *(_t292 + 0x24));
												goto L55;
											}
										}
										goto L70;
									}
								}
							} else {
								L69:
								__eflags =  *((char*)(_t292 + 0x13));
								if( *((char*)(_t292 + 0x13)) == 0) {
									continue;
								}
							}
						}
						break;
					}
					L70:
					 *(_t223 + 0x7c) =  *(_t223 + 0x7c) &  *(_t223 + 0xe6dc);
					E011E5202(_t223);
					_t250 =  *(_t292 + 0x30) * 0x4ae4;
					_t230 = 5;
					_t170 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14))));
					__eflags = _t170 + _t250 + 0x30;
					return E011F0320(memcpy(_t223 + 0x8c, _t250 + 0x18 + _t170, _t230 << 2), _t170 + _t250 + 0x30, 0x4a9c);
				}
			}

0x011e6ce6
0x011e6ce8
0x011e6cf6
0x011e6cfe
0x011e6d01
0x011e6d03
0x011e6d09
0x011e6d2c
0x011e6d0b
0x011e6d0b
0x011e6d0d
0x011e6d0d
0x011e6d10
0x011e6d16
0x011e6d17
0x011e6d1c
0x011e6d26
0x011e6d2a
0x011e6d3b
0x011e6d4b
0x011e6d54
0x011e6d5b
0x011e6d5e
0x011e6d62
0x011e6d64
0x011e6d68
0x011e6d6c
0x011e6d6c
0x011e6d6c
0x011e6d6e
0x011e6d72
0x011e6d72
0x011e6d7e
0x011e6d84
0x011e6d85
0x011e6d8a
0x011e6d90
0x00000000
0x00000000
0x011e6d96
0x011e6d98
0x011e6d9c
0x011e6da4
0x011e6db4
0x00000000
0x00000000
0x011e6dba
0x011e6dbd
0x011e6dbf
0x011e6dc3
0x011e6dc7
0x011e6dc9
0x011e6dc9
0x011e6dcf
0x011e6dcf
0x011e6dd1
0x011e6dd5
0x011e6dd8
0x011e6dda
0x011e6de5
0x011e6de5
0x011e6de8
0x011e6dea
0x00000000
0x00000000
0x011e6dec
0x011e6dec
0x011e6e2d
0x011e6e32
0x011e6e32
0x011e6e35
0x011e6e3f
0x011e6e49
0x011e6e4f
0x011e6e80
0x011e6e85
0x011e6e96
0x011e6e9d
0x011e6e90
0x011e6e90
0x011e6e90
0x011e6eb0
0x011e6eb2
0x011e6eb3
0x011e6eb7
0x011e6ebd
0x011e6ec3
0x011e6ec7
0x011e6ec9
0x011e6ed6
0x011e6edb
0x011e6edf
0x011e6ee1
0x011e6dd8
0x011e6dda
0x011e6de5
0x011e6de5
0x011e6de8
0x011e6dea
0x00000000
0x00000000
0x011e6dea
0x011e6edf
0x011e6ed6
0x011e6e51
0x011e6e51
0x011e6e52
0x011e6e55
0x011e6e60
0x011e6eea
0x011e6e75
0x011e6e75
0x011e6e79
0x00000000
0x011e6e79
0x011e6e60
0x00000000
0x011e6df4
0x011e6dfc
0x011e6e03
0x011e6e03
0x011e6e08
0x011e6e0b
0x011e6e0b
0x011e6e0f
0x011e6e11
0x011e6e17
0x011e6e1d
0x011e6e23
0x011e6e26
0x011e6e29
0x00000000
0x011e6e29
0x00000000
0x011e6e17
0x011e6eef
0x011e6eef
0x011e6efc
0x011e6efe
0x011e6f03
0x011e6f05
0x011e6f07
0x011e6f07
0x011e6f07
0x011e6f08
0x011e6f0a
0x011e6f0c
0x011e6f0e
0x011e6f12
0x011e6f14
0x011e6f14
0x011e6f1a
0x011e6f1e
0x011e6f22
0x011e6f26
0x011e6f26
0x011e6f28
0x011e6f2d
0x011e6f35
0x011e6f37
0x011e6f39
0x011e6f3b
0x011e6f3d
0x011e6f3d
0x011e6f3f
0x011e6f44
0x011e6f47
0x011e6f5c
0x011e6f49
0x011e6f4c
0x011e6f4c
0x011e6f65
0x011e6f67
0x011e6f6b
0x011e6f6f
0x011e6f73
0x011e6f73
0x011e6f79
0x011e6f79
0x011e6f7d
0x011e6f81
0x011e6f83
0x011e70eb
0x00000000
0x011e6f89
0x011e6f8c
0x011e6f91
0x011e6f93
0x011e6f95
0x011e700b
0x011e700b
0x011e7010
0x011e7016
0x011e701c
0x011e701e
0x011e7024
0x011e70ca
0x011e70cc
0x011e70ce
0x011e70d3
0x011e70d8
0x011e70dd
0x011e70dd
0x011e70e0
0x011e70e4
0x00000000
0x011e70e4
0x011e702a
0x011e702a
0x011e702e
0x011e7030
0x011e7032
0x00000000
0x011e7038
0x011e6dbd
0x011e6dbf
0x011e6dc3
0x011e6dc7
0x011e6dc9
0x011e6dc9
0x00000000
0x011e6dc9
0x011e7032
0x011e7024
0x011e6f97
0x011e6f97
0x011e6f97
0x011e6f99
0x011e6f9d
0x011e6fa3
0x011e6fa5
0x011e6fac
0x011e6fc7
0x011e6fca
0x011e6fcf
0x011e6fd1
0x00000000
0x00000000
0x011e6fae
0x011e6fb1
0x011e6fb6
0x011e6fb8
0x011e6fbe
0x011e6fc5
0x011e6fd7
0x011e6fd7
0x011e6fde
0x011e6fe4
0x011e6feb
0x011e7040
0x011e7045
0x011e7048
0x011e704a
0x011e7050
0x011e7057
0x011e705b
0x011e7063
0x011e7069
0x011e706c
0x011e7070
0x011e7077
0x011e707b
0x011e707e
0x011e7080
0x011e708c
0x011e709b
0x011e70a0
0x011e70a4
0x011e70a9
0x011e70b1
0x011e70b7
0x011e70bb
0x011e70bb
0x011e70c2
0x011e70c4
0x011e70ef
0x011e70ef
0x00000000
0x011e70ef
0x011e6fed
0x011e6fed
0x011e6ff1
0x00000000
0x00000000
0x011e6ff1
0x011e6feb
0x00000000
0x00000000
0x00000000
0x011e6fc5
0x011e6fb8
0x00000000
0x011e6ff7
0x011e6ffb
0x011e6ffc
0x011e7001
0x011e7005
0x011e7005
0x00000000
0x011e6f9d
0x011e6f95
0x00000000
0x011e6f83
0x011e6dba
0x011e70f3
0x011e70f3
0x011e70f3
0x011e70f8
0x00000000
0x00000000
0x011e70f8
0x011e6da4
0x00000000
0x011e6d9c
0x011e70fe
0x011e7106
0x011e7109
0x011e710e
0x011e7122
0x011e7128
0x011e7132
0x011e7150
0x011e7150

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6965d244a60cf5fe59de022f2b3b485a729a1625c3c36173343a3e8852adb0df
Instruction ID: 7a543a649d8c210bd27411c09931dc6174567e70a12c7ed90c749dbb2fba3dad
Opcode Fuzzy Hash: 6965d244a60cf5fe59de022f2b3b485a729a1625c3c36173343a3e8852adb0df
Instruction Fuzzy Hash: B4D11571A087418FDB18CF68C84875BBBE1FF99308F48456DE9899B382D334E944CB96

Uniqueness

Uniqueness Score: -1.00%

Function 011DE9B7 Relevance: .3, Instructions: 320
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E011DE9B7(void* __ebx, intOrPtr __ecx, void* __esi) {
				void* _t220;
				intOrPtr _t227;
				void* _t250;
				signed char _t252;
				signed int _t300;
				signed int* _t303;
				signed char _t346;
				unsigned int _t348;
				signed int _t351;
				unsigned int _t354;
				signed int* _t357;
				signed int _t361;
				signed int _t366;
				signed int _t370;
				signed int _t374;
				signed char _t376;
				signed int* _t380;
				signed int _t387;
				signed int _t392;
				intOrPtr _t394;
				signed char _t395;
				signed char _t396;
				signed char _t397;
				unsigned int _t399;
				signed int _t402;
				unsigned int _t405;
				unsigned int _t407;
				unsigned int _t408;
				signed int _t409;
				signed int _t414;
				unsigned int _t415;
				unsigned int _t416;
				signed int _t418;
				signed int _t422;
				signed int _t423;
				intOrPtr _t425;
				signed int _t426;
				void* _t430;
				void* _t431;

				_t407 =  *(_t430 + 0x6c);
				_t425 = __ecx;
				 *((intOrPtr*)(_t430 + 0x24)) = __ecx;
				if(_t407 != 0) {
					_t408 = _t407 >> 4;
					 *(_t430 + 0x6c) = _t408;
					if( *((char*)(__ecx)) == 0) {
						 *((intOrPtr*)(_t430 + 0x38)) = __ecx + 8;
						E011F0320(_t430 + 0x5c, __ecx + 8, 0x10);
						_t431 = _t430 + 0xc;
						if(_t408 == 0) {
							L13:
							return E011F0320( *((intOrPtr*)(_t431 + 0x38)), _t431 + 0x58, 0x10);
						}
						_t392 =  *(_t431 + 0x68);
						 *(_t431 + 0x24) = _t392 + 8;
						_t227 =  *((intOrPtr*)(_t431 + 0x78));
						_t394 = _t392 - _t227 - 8;
						 *((intOrPtr*)(_t431 + 0x34)) = _t394;
						_t357 = _t227 + 8;
						 *(_t431 + 0x28) = _t357;
						do {
							_t414 =  *(_t425 + 4);
							 *(_t431 + 0x30) = _t357 + _t394;
							E011DE985(_t431 + 0x54, _t357 + _t394, (_t414 << 4) + 0x18 + _t425);
							_t395 =  *(_t431 + 0x4c);
							 *(_t431 + 0x10) =  *(0x12161c8 + (_t395 & 0x000000ff) * 4) ^  *(0x1216dc8 + ( *(_t431 + 0x53) & 0x000000ff) * 4) ^  *(0x12169c8 + ( *(_t431 + 0x56) & 0x000000ff) * 4);
							_t346 =  *(_t431 + 0x58);
							_t361 =  *(_t431 + 0x10) ^  *(0x12165c8 + (_t346 & 0x000000ff) * 4);
							 *(_t431 + 0x10) = _t361;
							 *(_t431 + 0x3c) = _t361;
							_t396 =  *(_t431 + 0x50);
							_t366 =  *(0x12165c8 + (_t395 & 0x000000ff) * 4) ^  *(0x12161c8 + (_t396 & 0x000000ff) * 4) ^  *(0x1216dc8 + ( *(_t431 + 0x57) & 0x000000ff) * 4) ^  *(0x12169c8 + ( *(_t431 + 0x5a) & 0x000000ff) * 4);
							 *(_t431 + 0x1c) = _t366;
							 *(_t431 + 0x40) = _t366;
							_t397 =  *(_t431 + 0x54);
							 *(_t431 + 0x14) =  *(0x12169c8 + ( *(_t431 + 0x4e) & 0x000000ff) * 4) ^  *(0x12165c8 + (_t396 & 0x000000ff) * 4);
							_t370 =  *(_t431 + 0x14) ^  *(0x12161c8 + (_t397 & 0x000000ff) * 4) ^  *(0x1216dc8 + ( *(_t431 + 0x5b) & 0x000000ff) * 4);
							 *(_t431 + 0x14) = _t370;
							 *(_t431 + 0x44) = _t370;
							 *(_t431 + 0x18) =  *(0x1216dc8 + ( *(_t431 + 0x4f) & 0x000000ff) * 4) ^  *(0x12169c8 + ( *(_t431 + 0x52) & 0x000000ff) * 4);
							_t374 =  *(_t431 + 0x18) ^  *(0x12165c8 + (_t397 & 0x000000ff) * 4) ^  *(0x12161c8 + (_t346 & 0x000000ff) * 4);
							_t250 = _t414 - 1;
							 *(_t431 + 0x18) = _t374;
							 *(_t431 + 0x48) = _t374;
							if(_t250 <= 1) {
								goto L9;
							}
							_t409 =  *(_t431 + 0x1c);
							_t422 = (_t250 + 2 << 4) + _t425;
							_t426 =  *(_t431 + 0x10);
							 *(_t431 + 0x18) = _t422;
							 *(_t431 + 0x20) = _t250 - 1;
							do {
								_t405 =  *_t422 ^  *(_t431 + 0x14);
								 *(_t431 + 0x10) =  *(_t422 - 8) ^ _t426;
								 *(_t431 + 0x1c) =  *(_t422 + 4) ^ _t374;
								_t354 =  *(_t422 - 4) ^ _t409;
								_t423 =  *(_t431 + 0x1c);
								_t426 =  *(0x12169c8 + (_t405 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x12165c8 + (_t423 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1216dc8 + (_t354 >> 0x18) * 4) ^  *(0x12161c8 + ( *(_t431 + 0x10) & 0x000000ff) * 4);
								 *(_t431 + 0x3c) = _t426;
								_t409 =  *(0x12169c8 + (_t423 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x12165c8 + ( *(_t431 + 0x10) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1216dc8 + (_t405 >> 0x18) * 4) ^  *(0x12161c8 + (_t354 & 0x000000ff) * 4);
								 *(_t431 + 0x40) = _t409;
								_t387 =  *(0x12165c8 + (_t354 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x12169c8 + ( *(_t431 + 0x10) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1216dc8 + (_t423 >> 0x18) * 4) ^  *(0x12161c8 + (_t405 & 0x000000ff) * 4);
								 *(_t431 + 0x14) = _t387;
								 *(_t431 + 0x44) = _t387;
								_t422 =  *(_t431 + 0x18) - 0x10;
								 *(_t431 + 0x18) = _t422;
								_t374 =  *(0x12169c8 + (_t354 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x12165c8 + (_t405 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1216dc8 + ( *(_t431 + 0x10) >> 0x18) * 4) ^  *(0x12161c8 + (_t423 & 0x000000ff) * 4);
								_t132 = _t431 + 0x20;
								 *_t132 =  *(_t431 + 0x20) - 1;
								 *(_t431 + 0x48) = _t374;
							} while ( *_t132 != 0);
							 *(_t431 + 0x1c) = _t409;
							_t408 =  *(_t431 + 0x74);
							 *(_t431 + 0x10) = _t426;
							_t425 =  *((intOrPtr*)(_t431 + 0x2c));
							 *(_t431 + 0x18) = _t374;
							L9:
							_t252 =  *(_t425 + 0x28) ^  *(_t431 + 0x10);
							 *(_t431 + 0x20) = _t252;
							 *(_t431 + 0x4c) = _t252;
							_t376 =  *(_t425 + 0x34) ^  *(_t431 + 0x18);
							 *(_t431 + 0x3c) =  *((intOrPtr*)((_t252 & 0x000000ff) + 0x12150c8));
							_t399 =  *(_t425 + 0x30) ^  *(_t431 + 0x14);
							_t348 =  *(_t425 + 0x2c) ^  *(_t431 + 0x1c);
							 *((char*)(_t431 + 0x3d)) =  *((intOrPtr*)((_t376 >> 0x00000008 & 0x000000ff) + 0x12150c8));
							_t415 =  *(_t431 + 0x20);
							 *(_t431 + 0x54) = _t399;
							 *(_t431 + 0x50) = _t348;
							 *((char*)(_t431 + 0x3e)) =  *((intOrPtr*)((_t399 >> 0x00000010 & 0x000000ff) + 0x12150c8));
							 *(_t431 + 0x58) = _t376;
							 *((char*)(_t431 + 0x3f)) =  *((intOrPtr*)((_t348 >> 0x18) + 0x12150c8));
							 *(_t431 + 0x40) =  *((intOrPtr*)((_t348 & 0x000000ff) + 0x12150c8));
							 *((char*)(_t431 + 0x41)) =  *((intOrPtr*)((_t415 >> 0x00000008 & 0x000000ff) + 0x12150c8));
							 *((char*)(_t431 + 0x42)) =  *((intOrPtr*)((_t376 >> 0x00000010 & 0x000000ff) + 0x12150c8));
							 *((char*)(_t431 + 0x43)) =  *((intOrPtr*)((_t399 >> 0x18) + 0x12150c8));
							 *(_t431 + 0x44) =  *((intOrPtr*)((_t399 & 0x000000ff) + 0x12150c8));
							 *((char*)(_t431 + 0x45)) =  *((intOrPtr*)((_t348 >> 0x00000008 & 0x000000ff) + 0x12150c8));
							_t416 = _t415 >> 0x18;
							 *((char*)(_t431 + 0x46)) =  *((intOrPtr*)((_t415 >> 0x00000010 & 0x000000ff) + 0x12150c8));
							 *((char*)(_t431 + 0x47)) =  *((intOrPtr*)((_t376 >> 0x18) + 0x12150c8));
							 *(_t431 + 0x48) =  *((intOrPtr*)((_t376 & 0x000000ff) + 0x12150c8));
							_t402 =  *(_t425 + 0x18) ^  *(_t431 + 0x3c);
							 *((char*)(_t431 + 0x49)) =  *((intOrPtr*)((_t399 >> 0x00000008 & 0x000000ff) + 0x12150c8));
							 *((char*)(_t431 + 0x4a)) =  *((intOrPtr*)((_t348 >> 0x00000010 & 0x000000ff) + 0x12150c8));
							_t186 = _t416 + 0x12150c8; // 0x30d56a09
							 *((char*)(_t431 + 0x4b)) =  *_t186;
							_t300 =  *(_t425 + 0x24) ^  *(_t431 + 0x48);
							_t418 =  *(_t425 + 0x1c) ^  *(_t431 + 0x40);
							_t351 =  *(_t425 + 0x20) ^  *(_t431 + 0x44);
							 *(_t431 + 0x20) = _t300;
							if( *((char*)(_t425 + 1)) != 0) {
								_t402 = _t402 ^  *(_t431 + 0x5c);
								_t418 = _t418 ^  *(_t431 + 0x60);
								_t351 = _t351 ^  *(_t431 + 0x64);
								 *(_t431 + 0x20) = _t300 ^  *(_t431 + 0x68);
							}
							 *(_t431 + 0x5c) =  *( *(_t431 + 0x30));
							_t303 =  *(_t431 + 0x24);
							 *(_t431 + 0x60) =  *(_t303 - 4);
							 *(_t431 + 0x64) =  *_t303;
							 *(_t431 + 0x68) = _t303[1];
							_t380 =  *(_t431 + 0x28);
							 *(_t431 + 0x24) =  &(_t303[4]);
							 *(_t380 - 8) = _t402;
							_t380[1] =  *(_t431 + 0x20);
							_t394 =  *((intOrPtr*)(_t431 + 0x34));
							 *(_t380 - 4) = _t418;
							 *_t380 = _t351;
							_t357 =  &(_t380[4]);
							_t408 = _t408 - 1;
							 *(_t431 + 0x28) = _t357;
							 *(_t431 + 0x74) = _t408;
						} while (_t408 != 0);
						goto L13;
					}
					return E011DEE7A( *((intOrPtr*)(_t430 + 0x70)), _t408,  *((intOrPtr*)(_t430 + 0x70)));
				}
				return _t220;
			}

0x011de9bc
0x011de9c0
0x011de9c2
0x011de9c8
0x011de9ce
0x011de9d5
0x011de9d9
0x011de9f4
0x011de9fd
0x011dea02
0x011dea07
0x011dee5f
0x00000000
0x011dee6f
0x011dea0d
0x011dea16
0x011dea1a
0x011dea20
0x011dea23
0x011dea27
0x011dea2a
0x011dea2e
0x011dea2e
0x011dea35
0x011dea48
0x011dea4d
0x011dea73
0x011dea77
0x011dea82
0x011dea89
0x011dea8d
0x011dea94
0x011deaba
0x011deac6
0x011deaca
0x011dead8
0x011deae3
0x011deafa
0x011deb06
0x011deb0a
0x011deb21
0x011deb36
0x011deb3d
0x011deb40
0x011deb44
0x011deb4b
0x00000000
0x00000000
0x011deb51
0x011deb5b
0x011deb5d
0x011deb62
0x011deb66
0x011deb6a
0x011deb71
0x011deb75
0x011deb81
0x011deb85
0x011deb87
0x011debbc
0x011debdc
0x011debf6
0x011dec19
0x011dec36
0x011dec3d
0x011dec41
0x011dec70
0x011dec73
0x011dec77
0x011dec7e
0x011dec7e
0x011dec83
0x011dec83
0x011dec8d
0x011dec91
0x011dec95
0x011dec99
0x011dec9d
0x011deca1
0x011deca4
0x011deca8
0x011decac
0x011decb6
0x011decc3
0x011deccf
0x011decd6
0x011dece0
0x011decec
0x011decf0
0x011decf4
0x011decfe
0x011ded07
0x011ded11
0x011ded1e
0x011ded30
0x011ded42
0x011ded51
0x011ded61
0x011ded76
0x011ded82
0x011ded8b
0x011ded9a
0x011deda7
0x011dedb1
0x011dedbb
0x011dedc8
0x011dedcc
0x011dedd2
0x011deddf
0x011dede3
0x011dede7
0x011dedef
0x011dedf3
0x011dedf5
0x011dedf9
0x011dedfd
0x011dee05
0x011dee05
0x011dee0f
0x011dee13
0x011dee1a
0x011dee20
0x011dee2a
0x011dee2e
0x011dee32
0x011dee36
0x011dee3d
0x011dee40
0x011dee44
0x011dee47
0x011dee49
0x011dee4c
0x011dee4f
0x011dee53
0x011dee53
0x00000000
0x011dee5e
0x00000000
0x011de9e4
0x011dee77

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71462997010f3fb16d8f20cd0b8d78b859d93c55ed183a2aa3b9dbadb269477
Instruction ID: b17e5ce66c65a0b8febbc4a7b35a32db4da36eb874965168ffe42b4fdb66aa2e
Opcode Fuzzy Hash: e71462997010f3fb16d8f20cd0b8d78b859d93c55ed183a2aa3b9dbadb269477
Instruction Fuzzy Hash: 5CE159745083988FC314CF69E48446EBFF1AFAA310F46099EF9C497342C635EA19DB92

Uniqueness

Uniqueness Score: -1.00%

Function 011E4088 Relevance: .3, Instructions: 270
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E011E4088(void* __ecx, void* __edx) {
				void* __edi;
				signed int _t82;
				signed int _t87;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				void* _t99;
				void* _t101;
				void* _t121;
				signed int _t130;
				signed int _t139;
				signed int _t140;
				signed int _t149;
				signed int _t151;
				void* _t153;
				signed int _t156;
				signed int _t157;
				intOrPtr* _t158;
				intOrPtr* _t167;
				signed int _t170;
				void* _t171;
				signed int _t174;
				void* _t179;
				unsigned int _t181;
				void* _t184;
				signed int _t185;
				intOrPtr* _t186;
				void* _t187;
				signed int _t188;
				signed int _t189;
				intOrPtr* _t190;
				signed int _t193;
				signed int _t198;
				void* _t201;

				_t179 = __edx;
				_t187 = __ecx;
				_t186 = __ecx + 4;
				if( *_t186 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19 || E011E4DC4(__ecx) != 0) {
					E011DA881(_t186,  ~( *(_t187 + 8)) & 0x00000007);
					_t82 = E011DA898(_t186);
					_t205 = _t82 & 0x00008000;
					if((_t82 & 0x00008000) == 0) {
						_t139 = 0;
						 *((intOrPtr*)(_t187 + 0xe65c)) = 0;
						 *((intOrPtr*)(_t187 + 0x98d0)) = 0;
						 *((intOrPtr*)(_t187 + 0x98d4)) = 0;
						__eflags = _t82 & 0x00004000;
						if((_t82 & 0x00004000) == 0) {
							E011EFFF0(_t186, _t187 + 0xe4c8, 0, 0x194);
							_t201 = _t201 + 0xc;
						}
						E011DA881(_t186, 2);
						do {
							 *(_t201 + 0x14) = E011DA898(_t186) >> 0xc;
							E011DA881(_t186, 4);
							_t87 =  *(_t201 + 0x10);
							__eflags = _t87 - 0xf;
							if(_t87 != 0xf) {
								 *(_t201 + _t139 + 0x14) = _t87;
								goto L15;
							}
							_t188 = E011DA898(_t186) >> 0x0000000c & 0x000000ff;
							E011DA881(_t186, 4);
							__eflags = _t188;
							if(_t188 != 0) {
								_t189 = _t188 + 2;
								__eflags = _t189;
								while(1) {
									_t189 = _t189 - 1;
									__eflags = _t139 - 0x14;
									if(_t139 >= 0x14) {
										break;
									}
									 *(_t201 + _t139 + 0x14) = 0;
									_t139 = _t139 + 1;
									__eflags = _t189;
									if(_t189 != 0) {
										continue;
									}
									break;
								}
								_t139 = _t139 - 1;
								goto L15;
							}
							 *(_t201 + _t139 + 0x14) = 0xf;
							L15:
							_t139 = _t139 + 1;
							__eflags = _t139 - 0x14;
						} while (_t139 < 0x14);
						_push(0x14);
						_t190 = _t187 + 0x3c50;
						_push(_t190);
						_push(_t201 + 0x1c);
						E011E3797();
						_t140 = 0;
						__eflags = 0;
						do {
							__eflags =  *_t186 -  *((intOrPtr*)(_t187 + 0x84)) - 5;
							if( *_t186 <=  *((intOrPtr*)(_t187 + 0x84)) - 5) {
								L19:
								_t92 = E011DA89D(_t186);
								_t93 =  *(_t190 + 0x84);
								_t181 = _t92 & 0x0000fffe;
								__eflags = _t181 -  *((intOrPtr*)(_t190 + 4 + _t93 * 4));
								if(_t181 >=  *((intOrPtr*)(_t190 + 4 + _t93 * 4))) {
									_t149 = 0xf;
									_t94 = _t93 + 1;
									 *(_t201 + 0x10) = _t149;
									__eflags = _t94 - _t149;
									if(_t94 >= _t149) {
										L27:
										_t151 =  *(_t186 + 4) +  *(_t201 + 0x10);
										 *_t186 =  *_t186 + (_t151 >> 3);
										_t97 =  *(_t201 + 0x10);
										 *(_t186 + 4) = _t151 & 0x00000007;
										_t153 = 0x10;
										_t156 =  *((intOrPtr*)(_t190 + 0x44 + _t97 * 4)) + (_t181 -  *((intOrPtr*)(_t190 + _t97 * 4)) >> _t153 - _t97);
										__eflags = _t156 -  *_t190;
										asm("sbb eax, eax");
										_t98 = _t97 & _t156;
										__eflags = _t98;
										_t157 =  *(_t190 + 0xc88 + _t98 * 2) & 0x0000ffff;
										L28:
										_t184 = 0x10;
										__eflags = _t157 - _t184;
										if(_t157 >= _t184) {
											_t99 = 0x12;
											__eflags = _t157 - _t99;
											if(__eflags >= 0) {
												_t158 = _t186;
												if(__eflags != 0) {
													_t193 = (E011DA898(_t158) >> 9) + 0xb;
													__eflags = _t193;
													_push(7);
												} else {
													_t193 = (E011DA898(_t158) >> 0xd) + 3;
													_push(3);
												}
												_pop(_t101);
												E011DA881(_t186, _t101);
												while(1) {
													_t193 = _t193 - 1;
													__eflags = _t140 - 0x194;
													if(_t140 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t140 + 0x28) = 0;
													_t140 = _t140 + 1;
													__eflags = _t193;
													if(_t193 != 0) {
														continue;
													}
													L44:
													_t190 = _t187 + 0x3c50;
													goto L45;
												}
												break;
											}
											__eflags = _t157 - _t184;
											_t167 = _t186;
											if(_t157 != _t184) {
												_t198 = (E011DA898(_t167) >> 9) + 0xb;
												__eflags = _t198;
												_push(7);
											} else {
												_t198 = (E011DA898(_t167) >> 0xd) + 3;
												_push(3);
											}
											_pop(_t121);
											E011DA881(_t186, _t121);
											__eflags = _t140;
											if(_t140 == 0) {
												goto L47;
											} else {
												while(1) {
													_t198 = _t198 - 1;
													__eflags = _t140 - 0x194;
													if(_t140 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t140 + 0x28) =  *((intOrPtr*)(_t201 + _t140 + 0x27));
													_t140 = _t140 + 1;
													__eflags = _t198;
													if(_t198 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t201 + _t140 + 0x28) =  *((intOrPtr*)(_t140 + _t187 + 0xe4c8)) + _t157 & 0x0000000f;
										_t140 = _t140 + 1;
										goto L45;
									}
									_t170 = 4 + _t94 * 4 + _t190;
									__eflags = _t170;
									while(1) {
										__eflags = _t181 -  *_t170;
										if(_t181 <  *_t170) {
											break;
										}
										_t94 = _t94 + 1;
										_t170 = _t170 + 4;
										__eflags = _t94 - 0xf;
										if(_t94 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t201 + 0x10) = _t94;
									goto L27;
								}
								_t171 = 0x10;
								_t185 = _t181 >> _t171 - _t93;
								_t174 = ( *(_t185 + _t190 + 0x88) & 0x000000ff) +  *(_t186 + 4);
								 *_t186 =  *_t186 + (_t174 >> 3);
								 *(_t186 + 4) = _t174 & 0x00000007;
								_t157 =  *(_t190 + 0x488 + _t185 * 2) & 0x0000ffff;
								goto L28;
							}
							_t130 = E011E4DC4(_t187);
							__eflags = _t130;
							if(_t130 == 0) {
								goto L47;
							}
							goto L19;
							L45:
							__eflags = _t140 - 0x194;
						} while (_t140 < 0x194);
						L46:
						 *((char*)(_t187 + 0xe661)) = 1;
						__eflags =  *_t186 -  *((intOrPtr*)(_t187 + 0x84));
						if( *_t186 <=  *((intOrPtr*)(_t187 + 0x84))) {
							_push(0x12b);
							_push(_t187 + 0xa0);
							_push(_t201 + 0x30);
							E011E3797();
							_push(0x3c);
							_push(_t187 + 0xf8c);
							_push(_t201 + 0x15b);
							E011E3797();
							_push(0x11);
							_push(_t187 + 0x1e78);
							_push(_t201 + 0x197);
							E011E3797();
							_push(0x1c);
							_push(_t187 + 0x2d64);
							_push(_t201 + 0x1a8);
							E011E3797();
							E011F0320(_t187 + 0xe4c8, _t201 + 0x2c, 0x194);
							return 1;
						}
						goto L47;
					}
					 *((intOrPtr*)(_t187 + 0xe65c)) = 1;
					return E011E2F75(_t179, _t205, _t187, _t187 + 0xe4c4);
				} else {
					L47:
					return 0;
				}
			}

0x011e4088
0x011e4091
0x011e409a
0x011e40a2
0x011e40bc
0x011e40c3
0x011e40c8
0x011e40cd
0x011e40f1
0x011e40f3
0x011e40f9
0x011e40ff
0x011e4105
0x011e410a
0x011e4119
0x011e411e
0x011e411e
0x011e4125
0x011e412a
0x011e4138
0x011e413c
0x011e4141
0x011e4145
0x011e4147
0x011e4180
0x00000000
0x011e4180
0x011e4157
0x011e415a
0x011e415f
0x011e4161
0x011e416a
0x011e416a
0x011e416d
0x011e416d
0x011e416e
0x011e4171
0x00000000
0x00000000
0x011e4173
0x011e4178
0x011e4179
0x011e417b
0x00000000
0x00000000
0x00000000
0x011e417b
0x011e417d
0x00000000
0x011e417d
0x011e4163
0x011e4184
0x011e4184
0x011e4185
0x011e4185
0x011e418a
0x011e418c
0x011e4194
0x011e4199
0x011e419a
0x011e419f
0x011e419f
0x011e41a1
0x011e41aa
0x011e41ac
0x011e41bd
0x011e41bf
0x011e41c6
0x011e41cc
0x011e41d2
0x011e41d6
0x011e4203
0x011e4204
0x011e4205
0x011e4209
0x011e420b
0x011e4229
0x011e422c
0x011e4238
0x011e423a
0x011e423e
0x011e4243
0x011e4250
0x011e4252
0x011e4255
0x011e4257
0x011e4257
0x011e4259
0x011e4261
0x011e4263
0x011e4264
0x011e4267
0x011e4280
0x011e4281
0x011e4284
0x011e42d2
0x011e42d4
0x011e42f1
0x011e42f1
0x011e42f4
0x011e42d6
0x011e42e0
0x011e42e3
0x011e42e3
0x011e42f6
0x011e42fa
0x011e42ff
0x011e42ff
0x011e4300
0x011e4306
0x00000000
0x00000000
0x011e4308
0x011e430d
0x011e430e
0x011e4310
0x00000000
0x00000000
0x011e4312
0x011e4312
0x00000000
0x011e4312
0x00000000
0x011e42ff
0x011e4286
0x011e4289
0x011e428b
0x011e42a8
0x011e42a8
0x011e42ab
0x011e428d
0x011e4297
0x011e429a
0x011e429a
0x011e42ad
0x011e42b1
0x011e42b6
0x011e42b8
0x00000000
0x011e42ba
0x011e42ba
0x011e42ba
0x011e42bb
0x011e42c1
0x00000000
0x00000000
0x011e42c7
0x011e42cb
0x011e42cc
0x011e42ce
0x00000000
0x00000000
0x00000000
0x011e42d0
0x00000000
0x011e42ba
0x011e42b8
0x011e4274
0x011e4278
0x00000000
0x011e4278
0x011e4214
0x011e4214
0x011e4216
0x011e4216
0x011e4218
0x00000000
0x00000000
0x011e421a
0x011e421b
0x011e421e
0x011e4221
0x00000000
0x00000000
0x00000000
0x011e4223
0x011e4225
0x00000000
0x011e4225
0x011e41da
0x011e41dd
0x011e41e7
0x011e41ef
0x011e41f4
0x011e41f7
0x00000000
0x011e41f7
0x011e41b0
0x011e41b5
0x011e41b7
0x00000000
0x00000000
0x00000000
0x011e4318
0x011e4318
0x011e4318
0x011e4324
0x011e4326
0x011e432d
0x011e4333
0x011e4339
0x011e4346
0x011e434b
0x011e434c
0x011e4351
0x011e435b
0x011e4363
0x011e4364
0x011e4369
0x011e4373
0x011e437b
0x011e437c
0x011e4381
0x011e438b
0x011e4393
0x011e4394
0x011e43aa
0x00000000
0x011e43b2
0x00000000
0x011e4333
0x011e40d5
0x00000000
0x011e4335
0x011e4335
0x00000000
0x011e4335

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: 99032475e784740525b666c008504cfb408b1ba2d43033f51cef5f156cce5fb9
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: A0917AB0204B468BDB2DEFA8E898BBE77D5EF60304F04092CD996C7681DB74E545C352

Uniqueness

Uniqueness Score: -1.00%

Function 011E43BF Relevance: .2, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E011E43BF(void* __ecx) {
				signed int _t70;
				signed int _t71;
				signed int _t72;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				void* _t79;
				char _t90;
				signed int _t94;
				void* _t97;
				signed int _t108;
				unsigned int _t112;
				intOrPtr* _t114;
				signed int _t117;
				intOrPtr _t118;
				signed int _t124;
				signed int _t127;
				signed int _t128;
				signed int _t134;
				signed int _t136;
				void* _t138;
				signed int _t141;
				void* _t142;
				intOrPtr* _t143;
				void* _t147;
				intOrPtr* _t153;
				intOrPtr* _t156;
				void* _t157;
				signed int _t160;
				unsigned int _t165;
				void* _t168;
				signed int _t169;
				signed int _t171;
				signed int _t172;
				intOrPtr* _t175;
				void* _t177;
				void* _t178;

				_t177 = __ecx;
				if( *((char*)( *((intOrPtr*)(_t178 + 8)) + 0x11)) != 0) {
					_t175 =  *((intOrPtr*)(_t178 + 0x1dc));
					__eflags =  *((char*)(_t175 + 8));
					if( *((char*)(_t175 + 8)) != 0) {
						L5:
						_t171 = 0;
						__eflags = 0;
						do {
							_t112 = E011DA898(_t175) >> 0xc;
							E011DA881(_t175, 4);
							__eflags = _t112 - 0xf;
							if(_t112 != 0xf) {
								 *(_t178 + _t171 + 0x18) = _t112;
								goto L14;
							}
							_t127 = E011DA898(_t175) >> 0x0000000c & 0x000000ff;
							E011DA881(_t175, 4);
							__eflags = _t127;
							if(_t127 != 0) {
								_t128 = _t127 + 2;
								__eflags = _t128;
								while(1) {
									_t128 = _t128 - 1;
									__eflags = _t171 - 0x14;
									if(_t171 >= 0x14) {
										break;
									}
									 *(_t178 + _t171 + 0x18) = 0;
									_t171 = _t171 + 1;
									__eflags = _t128;
									if(_t128 != 0) {
										continue;
									}
									break;
								}
								_t171 = _t171 - 1;
								goto L14;
							}
							 *(_t178 + _t171 + 0x18) = 0xf;
							L14:
							_t171 = _t171 + 1;
							__eflags = _t171 - 0x14;
						} while (_t171 < 0x14);
						_push(0x14);
						_t114 =  *((intOrPtr*)(_t178 + 0x1e8)) + 0x3bb0;
						_push(_t114);
						_push(_t178 + 0x18);
						 *((intOrPtr*)(_t178 + 0x20)) = _t114;
						E011E3797();
						_t172 = 0;
						__eflags = 0;
						do {
							__eflags =  *((char*)(_t175 + 8));
							if( *((char*)(_t175 + 8)) != 0) {
								L19:
								_t70 = E011DA89D(_t175);
								_t71 =  *(_t114 + 0x84);
								_t165 = _t70 & 0x0000fffe;
								__eflags = _t165 -  *((intOrPtr*)(_t114 + 4 + _t71 * 4));
								if(_t165 >=  *((intOrPtr*)(_t114 + 4 + _t71 * 4))) {
									_t134 = 0xf;
									_t72 = _t71 + 1;
									 *(_t178 + 0x10) = _t134;
									__eflags = _t72 - _t134;
									if(_t72 >= _t134) {
										L27:
										_t136 =  *(_t175 + 4) +  *(_t178 + 0x10);
										 *_t175 =  *_t175 + (_t136 >> 3);
										_t75 =  *(_t178 + 0x10);
										 *(_t175 + 4) = _t136 & 0x00000007;
										_t138 = 0x10;
										_t141 =  *((intOrPtr*)(_t114 + 0x44 + _t75 * 4)) + (_t165 -  *((intOrPtr*)(_t114 + _t75 * 4)) >> _t138 - _t75);
										__eflags = _t141 -  *_t114;
										asm("sbb eax, eax");
										_t76 = _t75 & _t141;
										__eflags = _t76;
										_t77 =  *(_t114 + 0xc88 + _t76 * 2) & 0x0000ffff;
										L28:
										_t142 = 0x10;
										__eflags = _t77 - _t142;
										if(_t77 >= _t142) {
											_t168 = 0x12;
											__eflags = _t77 - _t168;
											if(__eflags >= 0) {
												_t143 = _t175;
												if(__eflags != 0) {
													_t117 = (E011DA898(_t143) >> 9) + 0xb;
													__eflags = _t117;
													_push(7);
												} else {
													_t117 = (E011DA898(_t143) >> 0xd) + 3;
													_push(3);
												}
												_pop(_t79);
												E011DA881(_t175, _t79);
												while(1) {
													_t117 = _t117 - 1;
													__eflags = _t172 - 0x1ae;
													if(_t172 >= 0x1ae) {
														goto L46;
													}
													 *(_t178 + _t172 + 0x2c) = 0;
													_t172 = _t172 + 1;
													__eflags = _t117;
													if(_t117 != 0) {
														continue;
													}
													L44:
													_t114 =  *((intOrPtr*)(_t178 + 0x14));
													goto L45;
												}
												break;
											}
											__eflags = _t77 - _t142;
											_t153 = _t175;
											if(_t77 != _t142) {
												_t124 = (E011DA898(_t153) >> 9) + 0xb;
												__eflags = _t124;
												_push(7);
											} else {
												_t124 = (E011DA898(_t153) >> 0xd) + 3;
												_push(3);
											}
											_pop(_t97);
											E011DA881(_t175, _t97);
											__eflags = _t172;
											if(_t172 == 0) {
												L48:
												_t90 = 0;
												L50:
												return _t90;
											} else {
												while(1) {
													_t124 = _t124 - 1;
													__eflags = _t172 - 0x1ae;
													if(_t172 >= 0x1ae) {
														goto L46;
													}
													 *(_t178 + _t172 + 0x2c) =  *((intOrPtr*)(_t178 + _t172 + 0x2b));
													_t172 = _t172 + 1;
													__eflags = _t124;
													if(_t124 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t178 + _t172 + 0x2c) = _t77;
										_t172 = _t172 + 1;
										goto L45;
									}
									_t156 = _t114 + (_t72 + 1) * 4;
									while(1) {
										__eflags = _t165 -  *_t156;
										if(_t165 <  *_t156) {
											break;
										}
										_t72 = _t72 + 1;
										_t156 = _t156 + 4;
										__eflags = _t72 - 0xf;
										if(_t72 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t178 + 0x10) = _t72;
									goto L27;
								}
								_t157 = 0x10;
								_t169 = _t165 >> _t157 - _t71;
								_t160 = ( *(_t169 + _t114 + 0x88) & 0x000000ff) +  *(_t175 + 4);
								 *_t175 =  *_t175 + (_t160 >> 3);
								 *(_t175 + 4) = _t160 & 0x00000007;
								_t77 =  *(_t114 + 0x488 + _t169 * 2) & 0x0000ffff;
								goto L28;
							}
							__eflags =  *_t175 -  *((intOrPtr*)(_t177 + 0x84)) - 5;
							if( *_t175 <=  *((intOrPtr*)(_t177 + 0x84)) - 5) {
								goto L19;
							}
							_t94 = E011E4E52(_t177);
							__eflags = _t94;
							if(_t94 == 0) {
								goto L48;
							}
							goto L19;
							L45:
							__eflags = _t172 - 0x1ae;
						} while (_t172 < 0x1ae);
						L46:
						 *((char*)(_t177 + 0xe662)) = 1;
						__eflags =  *((char*)(_t175 + 8));
						if( *((char*)(_t175 + 8)) != 0) {
							L49:
							_t118 =  *((intOrPtr*)(_t178 + 0x1e8));
							_push(0x132);
							_push(_t118);
							_push(_t178 + 0x2c);
							E011E3797();
							_push(0x40);
							_push(_t118 + 0xeec);
							_push(_t178 + 0x166);
							E011E3797();
							_t147 = 0x10;
							_push(_t147);
							_push(_t118 + 0x1dd8);
							_push(_t178 + 0x1a6);
							E011E3797();
							_push(0x2c);
							_push(_t118 + 0x2cc4);
							_push(_t178 + 0x1b6);
							E011E3797();
							_t90 = 1;
							goto L50;
						}
						__eflags =  *_t175 -  *((intOrPtr*)(_t177 + 0x84));
						if( *_t175 <=  *((intOrPtr*)(_t177 + 0x84))) {
							goto L49;
						}
						goto L48;
					}
					__eflags =  *_t175 -  *((intOrPtr*)(__ecx + 0x84)) - 0x19;
					if( *_t175 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
						goto L5;
					}
					_t108 = E011E4E52(__ecx);
					__eflags = _t108;
					if(_t108 == 0) {
						goto L48;
					}
					goto L5;
				}
				return 1;
			}

0x011e43ce
0x011e43d0
0x011e43db
0x011e43e3
0x011e43e7
0x011e4403
0x011e4403
0x011e4403
0x011e4405
0x011e4412
0x011e4415
0x011e441a
0x011e441d
0x011e4456
0x00000000
0x011e4456
0x011e442d
0x011e4430
0x011e4435
0x011e4437
0x011e4440
0x011e4440
0x011e4443
0x011e4443
0x011e4444
0x011e4447
0x00000000
0x00000000
0x011e4449
0x011e444e
0x011e444f
0x011e4451
0x00000000
0x00000000
0x00000000
0x011e4451
0x011e4453
0x00000000
0x011e4453
0x011e4439
0x011e445a
0x011e445a
0x011e445b
0x011e445b
0x011e446b
0x011e446d
0x011e4475
0x011e4476
0x011e4477
0x011e447b
0x011e4480
0x011e4480
0x011e4482
0x011e4482
0x011e4486
0x011e44a4
0x011e44a6
0x011e44ad
0x011e44b3
0x011e44b9
0x011e44bd
0x011e44ea
0x011e44eb
0x011e44ec
0x011e44f0
0x011e44f2
0x011e450d
0x011e4510
0x011e451c
0x011e451e
0x011e4522
0x011e4527
0x011e4533
0x011e4535
0x011e4537
0x011e4539
0x011e4539
0x011e453b
0x011e4543
0x011e4545
0x011e4546
0x011e4549
0x011e4557
0x011e4558
0x011e455b
0x011e45a9
0x011e45ab
0x011e45c8
0x011e45c8
0x011e45cb
0x011e45ad
0x011e45b7
0x011e45ba
0x011e45ba
0x011e45cd
0x011e45d1
0x011e45d6
0x011e45d6
0x011e45d7
0x011e45dd
0x00000000
0x00000000
0x011e45df
0x011e45e4
0x011e45e5
0x011e45e7
0x00000000
0x00000000
0x011e45e9
0x011e45e9
0x00000000
0x011e45e9
0x00000000
0x011e45d6
0x011e455d
0x011e4560
0x011e4562
0x011e457f
0x011e457f
0x011e4582
0x011e4564
0x011e456e
0x011e4571
0x011e4571
0x011e4584
0x011e4588
0x011e458d
0x011e458f
0x011e4610
0x011e4610
0x011e4679
0x00000000
0x011e4591
0x011e4591
0x011e4591
0x011e4592
0x011e4598
0x00000000
0x00000000
0x011e459e
0x011e45a2
0x011e45a3
0x011e45a5
0x00000000
0x00000000
0x00000000
0x011e45a7
0x00000000
0x011e4591
0x011e458f
0x011e454b
0x011e454f
0x00000000
0x011e454f
0x011e44f7
0x011e44fa
0x011e44fa
0x011e44fc
0x00000000
0x00000000
0x011e44fe
0x011e44ff
0x011e4502
0x011e4505
0x00000000
0x00000000
0x00000000
0x011e4507
0x011e4509
0x00000000
0x011e4509
0x011e44c1
0x011e44c4
0x011e44ce
0x011e44d6
0x011e44db
0x011e44de
0x00000000
0x011e44de
0x011e4491
0x011e4493
0x00000000
0x00000000
0x011e4497
0x011e449c
0x011e449e
0x00000000
0x00000000
0x00000000
0x011e45ed
0x011e45ed
0x011e45ed
0x011e45f9
0x011e45f9
0x011e4600
0x011e4604
0x011e4614
0x011e4614
0x011e461f
0x011e4624
0x011e4625
0x011e4628
0x011e462d
0x011e4637
0x011e463f
0x011e4640
0x011e4647
0x011e4648
0x011e4651
0x011e4659
0x011e465a
0x011e465f
0x011e4667
0x011e466f
0x011e4672
0x011e4677
0x00000000
0x011e4677
0x011e4608
0x011e460e
0x00000000
0x00000000
0x00000000
0x011e460e
0x011e43f2
0x011e43f4
0x00000000
0x00000000
0x011e43f6
0x011e43fb
0x011e43fd
0x00000000
0x00000000
0x00000000
0x011e43fd
0x00000000

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: f74fc89be7fd4d5fb083b8e0b43fe0ab3694ed5ea700c172861c2213a27ee758
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 1A815D71704B468BDB2DDEE8D8D8BBD37D4AF95308F04092DE986CBE82DB7484858752

Uniqueness

Uniqueness Score: -1.00%

Function 011F51C9 Relevance: .2, Instructions: 237
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 84%

			E011F51C9(void* __ecx, void* __edi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __esi;
				signed int _t52;
				signed int _t54;
				signed int _t55;
				void* _t56;
				signed int _t57;
				signed char _t60;
				signed char _t62;
				signed int _t64;
				void* _t65;
				signed int _t66;
				signed char _t75;
				signed char _t78;
				void* _t86;
				void* _t88;
				signed char _t90;
				signed char _t92;
				signed int _t93;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t101;
				void* _t103;
				signed int _t109;
				unsigned int _t111;
				signed char _t113;
				unsigned int _t121;
				void* _t122;
				signed int _t123;
				short _t124;
				void* _t127;
				void* _t128;
				void* _t129;
				signed int _t130;
				void* _t131;
				void* _t133;
				void* _t134;

				_t122 = __edi;
				_t52 =  *0x120e7ac; // 0xc166b63b
				_v8 = _t52 ^ _t130;
				_t129 = __ecx;
				_t101 = 0;
				_t121 = 0x41;
				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
				_t103 = 0x58;
				_t133 = _t54 - 0x64;
				if(_t133 > 0) {
					__eflags = _t54 - 0x70;
					if(__eflags > 0) {
						_t55 = _t54 - 0x73;
						__eflags = _t55;
						if(_t55 == 0) {
							L9:
							_t56 = E011F5BFB(_t129);
							L10:
							if(_t56 != 0) {
								__eflags =  *((intOrPtr*)(_t129 + 0x30)) - _t101;
								if( *((intOrPtr*)(_t129 + 0x30)) != _t101) {
									L71:
									_t57 = 1;
									L72:
									return E011EFBBC(_t57, _t101, _v8 ^ _t130, _t121, _t122, _t129);
								}
								_t121 =  *(_t129 + 0x20);
								_push(_t122);
								_v16 = _t101;
								_t60 = _t121 >> 4;
								_v12 = _t101;
								_t123 = 0x20;
								__eflags = 1 & _t60;
								if((1 & _t60) == 0) {
									L46:
									_t109 =  *(_t129 + 0x32) & 0x0000ffff;
									__eflags = _t109 - 0x78;
									if(_t109 == 0x78) {
										L48:
										_t62 = _t121 >> 5;
										__eflags = _t62 & 0x00000001;
										if((_t62 & 0x00000001) == 0) {
											L50:
											__eflags = 0;
											L51:
											__eflags = _t109 - 0x61;
											if(_t109 == 0x61) {
												L54:
												_t64 = 1;
												L55:
												_t124 = 0x30;
												__eflags = _t64;
												if(_t64 != 0) {
													L57:
													_t65 = 0x58;
													 *((short*)(_t130 + _t101 * 2 - 0xc)) = _t124;
													__eflags = _t109 - _t65;
													if(_t109 == _t65) {
														L60:
														_t66 = 1;
														L61:
														__eflags = _t66;
														asm("cbw");
														 *((short*)(_t130 + _t101 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
														_t101 = _t101 + 2;
														__eflags = _t101;
														L62:
														_t127 =  *((intOrPtr*)(_t129 + 0x24)) -  *((intOrPtr*)(_t129 + 0x38)) - _t101;
														__eflags = _t121 & 0x0000000c;
														if((_t121 & 0x0000000c) == 0) {
															E011F4490(_t129 + 0x448, 0x20, _t127, _t129 + 0x18);
															_t131 = _t131 + 0x10;
														}
														E011F5F16(_t129 + 0x448,  &_v16, _t101, _t129 + 0x18,  *((intOrPtr*)(_t129 + 0xc)));
														_t111 =  *(_t129 + 0x20);
														_t101 = _t129 + 0x18;
														_t75 = _t111 >> 3;
														__eflags = _t75 & 0x00000001;
														if((_t75 & 0x00000001) != 0) {
															_t113 = _t111 >> 2;
															__eflags = _t113 & 0x00000001;
															if((_t113 & 0x00000001) == 0) {
																E011F4490(_t129 + 0x448, 0x30, _t127, _t101);
																_t131 = _t131 + 0x10;
															}
														}
														E011F5DF8(_t129, 0);
														__eflags =  *_t101;
														if( *_t101 >= 0) {
															_t78 =  *(_t129 + 0x20) >> 2;
															__eflags = _t78 & 0x00000001;
															if((_t78 & 0x00000001) != 0) {
																E011F4490(_t129 + 0x448, 0x20, _t127, _t101);
															}
														}
														_pop(_t122);
														goto L71;
													}
													_t86 = 0x41;
													__eflags = _t109 - _t86;
													if(_t109 == _t86) {
														goto L60;
													}
													_t66 = 0;
													goto L61;
												}
												__eflags = _t64;
												if(_t64 == 0) {
													goto L62;
												}
												goto L57;
											}
											_t128 = 0x41;
											__eflags = _t109 - _t128;
											if(_t109 == _t128) {
												goto L54;
											}
											_t64 = 0;
											goto L55;
										}
										goto L51;
									}
									_t88 = 0x58;
									__eflags = _t109 - _t88;
									if(_t109 != _t88) {
										goto L50;
									}
									goto L48;
								}
								_t90 = _t121 >> 6;
								__eflags = 1 & _t90;
								if((1 & _t90) == 0) {
									__eflags = 1 & _t121;
									if((1 & _t121) == 0) {
										_t92 = _t121 >> 1;
										__eflags = 1 & _t92;
										if((1 & _t92) == 0) {
											goto L46;
										}
										_v16 = _t123;
										L45:
										_t101 = 1;
										goto L46;
									}
									_push(0x2b);
									L40:
									_pop(_t93);
									_v16 = _t93;
									goto L45;
								}
								_push(0x2d);
								goto L40;
							}
							L11:
							_t57 = 0;
							goto L72;
						}
						_t95 = _t55;
						__eflags = _t95;
						if(__eflags == 0) {
							L28:
							_push(_t101);
							_push(0xa);
							L29:
							_t56 = E011F5993(_t129, _t122, __eflags);
							goto L10;
						}
						__eflags = _t95 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t56 = E011F5B70(__ecx);
						goto L10;
					}
					__eflags = _t54 - 0x67;
					if(_t54 <= 0x67) {
						L30:
						_t56 = E011F56F9(_t101, _t129);
						goto L10;
					}
					__eflags = _t54 - 0x69;
					if(_t54 == 0x69) {
						L27:
						_t3 = _t129 + 0x20;
						 *_t3 =  *(_t129 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t54 - 0x6e;
					if(_t54 == 0x6e) {
						_t56 = E011F5ADD(__ecx, _t121);
						goto L10;
					}
					__eflags = _t54 - 0x6f;
					if(_t54 != 0x6f) {
						goto L11;
					}
					_t56 = E011F5B51(__ecx);
					goto L10;
				}
				if(_t133 == 0) {
					goto L27;
				}
				_t134 = _t54 - _t103;
				if(_t134 > 0) {
					_t97 = _t54 - 0x5a;
					__eflags = _t97;
					if(_t97 == 0) {
						_t56 = E011F553C(__ecx);
						goto L10;
					}
					_t98 = _t97 - 7;
					__eflags = _t98;
					if(_t98 == 0) {
						goto L30;
					}
					__eflags = _t98;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t56 = E011F58FB(_t129, __eflags, _t101);
					goto L10;
				}
				if(_t134 == 0) {
					_push(1);
					goto L13;
				}
				if(_t54 == _t121) {
					goto L30;
				}
				if(_t54 == 0x43) {
					goto L17;
				}
				if(_t54 <= 0x44) {
					goto L11;
				}
				if(_t54 <= 0x47) {
					goto L30;
				}
				if(_t54 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x011f51c9
0x011f51d1
0x011f51d8
0x011f51dd
0x011f51df
0x011f51e3
0x011f51e6
0x011f51ea
0x011f51eb
0x011f51ee
0x011f525b
0x011f525e
0x011f52ad
0x011f52ad
0x011f52b0
0x011f521c
0x011f521e
0x011f5223
0x011f5225
0x011f52cb
0x011f52ce
0x011f5414
0x011f5414
0x011f5416
0x011f5425
0x011f5425
0x011f52d4
0x011f52d9
0x011f52dc
0x011f52df
0x011f52e3
0x011f52e9
0x011f52ea
0x011f52ec
0x011f5316
0x011f5316
0x011f531a
0x011f531d
0x011f5327
0x011f5329
0x011f532c
0x011f532e
0x011f5334
0x011f5334
0x011f5336
0x011f5336
0x011f5339
0x011f5347
0x011f5347
0x011f5349
0x011f534b
0x011f534c
0x011f534e
0x011f5354
0x011f5356
0x011f5357
0x011f535c
0x011f535f
0x011f536d
0x011f536d
0x011f536f
0x011f536f
0x011f537a
0x011f537c
0x011f5381
0x011f5381
0x011f5384
0x011f538a
0x011f538c
0x011f538f
0x011f539f
0x011f53a4
0x011f53a4
0x011f53b9
0x011f53be
0x011f53c1
0x011f53c6
0x011f53c9
0x011f53cb
0x011f53cd
0x011f53d0
0x011f53d3
0x011f53e0
0x011f53e5
0x011f53e5
0x011f53d3
0x011f53ec
0x011f53f1
0x011f53f4
0x011f53f9
0x011f53fc
0x011f53fe
0x011f540b
0x011f5410
0x011f53fe
0x011f5413
0x00000000
0x011f5413
0x011f5363
0x011f5364
0x011f5367
0x00000000
0x00000000
0x011f5369
0x00000000
0x011f5369
0x011f5350
0x011f5352
0x00000000
0x00000000
0x00000000
0x011f5352
0x011f533d
0x011f533e
0x011f5341
0x00000000
0x00000000
0x011f5343
0x00000000
0x011f5343
0x00000000
0x011f5330
0x011f5321
0x011f5322
0x011f5325
0x00000000
0x00000000
0x00000000
0x011f5325
0x011f52f0
0x011f52f3
0x011f52f5
0x011f5300
0x011f5302
0x011f530a
0x011f530c
0x011f530e
0x00000000
0x00000000
0x011f5310
0x011f5314
0x011f5314
0x00000000
0x011f5314
0x011f5304
0x011f52f9
0x011f52f9
0x011f52fa
0x00000000
0x011f52fa
0x011f52f7
0x00000000
0x011f52f7
0x011f522b
0x011f522b
0x00000000
0x011f522b
0x011f52b7
0x011f52b7
0x011f52ba
0x011f528c
0x011f528c
0x011f528d
0x011f528f
0x011f5291
0x00000000
0x011f5291
0x011f52bc
0x011f52bf
0x00000000
0x00000000
0x011f52c5
0x011f5234
0x011f5234
0x00000000
0x011f5234
0x011f5260
0x011f52a3
0x00000000
0x011f52a3
0x011f5262
0x011f5265
0x011f5298
0x011f529a
0x00000000
0x011f529a
0x011f5267
0x011f526a
0x011f5288
0x011f5288
0x011f5288
0x011f5288
0x00000000
0x011f5288
0x011f526c
0x011f526f
0x011f5281
0x00000000
0x011f5281
0x011f5271
0x011f5274
0x00000000
0x00000000
0x011f5278
0x00000000
0x011f5278
0x011f51f0
0x00000000
0x00000000
0x011f51f6
0x011f51f8
0x011f5238
0x011f5238
0x011f523b
0x011f5254
0x00000000
0x011f5254
0x011f523d
0x011f523d
0x011f5240
0x00000000
0x00000000
0x011f5243
0x011f5246
0x00000000
0x00000000
0x011f5248
0x011f524b
0x00000000
0x011f524b
0x011f51fa
0x011f5232
0x00000000
0x011f5232
0x011f51fe
0x00000000
0x00000000
0x011f5207
0x00000000
0x00000000
0x011f520c
0x00000000
0x00000000
0x011f5211
0x00000000
0x00000000
0x011f521a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f7f3e496159a08216af7974592f21860c70047a4748dc233ce6d9ecfd91a4f
Instruction ID: 3aa6bcbb4836b532418dc573e393e0f2b4486522792dc787e64f91de9b7968bf
Opcode Fuzzy Hash: 80f7f3e496159a08216af7974592f21860c70047a4748dc233ce6d9ecfd91a4f
Instruction Fuzzy Hash: BB618839A0470A97EBFC996C68947BE3797EB52344F04071EF743DF282D351D5428612

Uniqueness

Uniqueness Score: -1.00%

Function 011F4F9A Relevance: .2, Instructions: 214
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 88%

			E011F4F9A(void* __ecx) {
				char _v6;
				char _v8;
				void* __ebx;
				void* __edi;
				char _t49;
				signed int _t50;
				void* _t51;
				signed char _t54;
				signed char _t56;
				signed int _t57;
				signed int _t58;
				signed char _t67;
				signed char _t69;
				signed char _t71;
				signed char _t80;
				signed char _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed char _t92;
				void* _t95;
				intOrPtr _t100;
				unsigned int _t102;
				signed char _t104;
				void* _t112;
				unsigned int _t113;
				void* _t114;
				signed int _t115;
				signed int* _t116;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t125;

				_push(__ecx);
				_t119 = __ecx;
				_t92 = 1;
				_t49 =  *((char*)(__ecx + 0x31));
				_t124 = _t49 - 0x64;
				if(_t124 > 0) {
					__eflags = _t49 - 0x70;
					if(__eflags > 0) {
						_t50 = _t49 - 0x73;
						__eflags = _t50;
						if(_t50 == 0) {
							L9:
							_t51 = E011F5B88(_t119);
							L10:
							if(_t51 != 0) {
								__eflags =  *((char*)(_t119 + 0x30));
								if( *((char*)(_t119 + 0x30)) == 0) {
									_t113 =  *(_t119 + 0x20);
									_push(_t114);
									_v8 = 0;
									_t115 = 0;
									_v6 = 0;
									_t54 = _t113 >> 4;
									__eflags = _t92 & _t54;
									if((_t92 & _t54) == 0) {
										L46:
										_t100 =  *((intOrPtr*)(_t119 + 0x31));
										__eflags = _t100 - 0x78;
										if(_t100 == 0x78) {
											L48:
											_t56 = _t113 >> 5;
											__eflags = _t92 & _t56;
											if((_t92 & _t56) != 0) {
												L50:
												__eflags = _t100 - 0x61;
												if(_t100 == 0x61) {
													L53:
													_t57 = 1;
													L54:
													__eflags = _t92;
													if(_t92 != 0) {
														L56:
														 *((char*)(_t121 + _t115 - 4)) = 0x30;
														__eflags = _t100 - 0x58;
														if(_t100 == 0x58) {
															L59:
															_t58 = 1;
															L60:
															__eflags = _t58;
															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
															_t115 = _t115 + 2;
															__eflags = _t115;
															L61:
															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
															__eflags = _t113 & 0x0000000c;
															if((_t113 & 0x0000000c) == 0) {
																E011F4464(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
																_t122 = _t122 + 0x10;
															}
															E011F5E83(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
															_t102 =  *(_t119 + 0x20);
															_t116 = _t119 + 0x18;
															_t67 = _t102 >> 3;
															__eflags = _t67 & 0x00000001;
															if((_t67 & 0x00000001) != 0) {
																_t104 = _t102 >> 2;
																__eflags = _t104 & 0x00000001;
																if((_t104 & 0x00000001) == 0) {
																	E011F4464(_t119 + 0x448, 0x30, _t95, _t116);
																	_t122 = _t122 + 0x10;
																}
															}
															E011F5D51(_t119, _t113, 0);
															__eflags =  *_t116;
															if( *_t116 >= 0) {
																_t71 =  *(_t119 + 0x20) >> 2;
																__eflags = _t71 & 0x00000001;
																if((_t71 & 0x00000001) != 0) {
																	E011F4464(_t119 + 0x448, 0x20, _t95, _t116);
																}
															}
															_t69 = 1;
															L70:
															return _t69;
														}
														__eflags = _t100 - 0x41;
														if(_t100 == 0x41) {
															goto L59;
														}
														_t58 = 0;
														goto L60;
													}
													__eflags = _t57;
													if(_t57 == 0) {
														goto L61;
													}
													goto L56;
												}
												__eflags = _t100 - 0x41;
												if(_t100 == 0x41) {
													goto L53;
												}
												_t57 = 0;
												goto L54;
											}
											L49:
											_t92 = 0;
											__eflags = 0;
											goto L50;
										}
										__eflags = _t100 - 0x58;
										if(_t100 != 0x58) {
											goto L49;
										}
										goto L48;
									}
									_t80 = _t113 >> 6;
									__eflags = _t92 & _t80;
									if((_t92 & _t80) == 0) {
										__eflags = _t92 & _t113;
										if((_t92 & _t113) == 0) {
											_t82 = _t113 >> 1;
											__eflags = _t92 & _t82;
											if((_t92 & _t82) == 0) {
												goto L46;
											}
											_v8 = 0x20;
											L45:
											_t115 = _t92;
											goto L46;
										}
										_v8 = 0x2b;
										goto L45;
									}
									_v8 = 0x2d;
									goto L45;
								}
								_t69 = _t92;
								goto L70;
							}
							L11:
							_t69 = 0;
							goto L70;
						}
						_t84 = _t50;
						__eflags = _t84;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t51 = E011F5993(_t119, _t114, __eflags);
							goto L10;
						}
						__eflags = _t84 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t51 = E011F5B70(__ecx);
						goto L10;
					}
					__eflags = _t49 - 0x67;
					if(_t49 <= 0x67) {
						L30:
						_t51 = E011F559F(_t92, _t119, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x69;
					if(_t49 == 0x69) {
						L27:
						_t2 = _t119 + 0x20;
						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t49 - 0x6e;
					if(_t49 == 0x6e) {
						_t51 = E011F5ADD(__ecx, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x6f;
					if(_t49 != 0x6f) {
						goto L11;
					}
					_t51 = E011F5B51(__ecx);
					goto L10;
				}
				if(_t124 == 0) {
					goto L27;
				}
				_t125 = _t49 - 0x58;
				if(_t125 > 0) {
					_t86 = _t49 - 0x5a;
					__eflags = _t86;
					if(_t86 == 0) {
						_t51 = E011F54D9(__ecx);
						goto L10;
					}
					_t87 = _t86 - 7;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L30;
					}
					__eflags = _t87;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t51 = E011F586B(_t92, _t119, __eflags, 0);
					goto L10;
				}
				if(_t125 == 0) {
					_push(1);
					goto L13;
				}
				if(_t49 == 0x41) {
					goto L30;
				}
				if(_t49 == 0x43) {
					goto L17;
				}
				if(_t49 <= 0x44) {
					goto L11;
				}
				if(_t49 <= 0x47) {
					goto L30;
				}
				if(_t49 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x011f4f9f
0x011f4fa2
0x011f4fa6
0x011f4fa9
0x011f4fad
0x011f4fb0
0x011f501e
0x011f5021
0x011f5070
0x011f5070
0x011f5073
0x011f4fe0
0x011f4fe2
0x011f4fe7
0x011f4fe9
0x011f508e
0x011f5092
0x011f509b
0x011f50a0
0x011f50a1
0x011f50a5
0x011f50a7
0x011f50ac
0x011f50af
0x011f50b1
0x011f50da
0x011f50da
0x011f50dd
0x011f50e0
0x011f50e7
0x011f50e9
0x011f50ec
0x011f50ee
0x011f50f2
0x011f50f2
0x011f50f5
0x011f5100
0x011f5100
0x011f5102
0x011f5102
0x011f5104
0x011f510a
0x011f510a
0x011f510f
0x011f5112
0x011f511d
0x011f511d
0x011f511f
0x011f511f
0x011f512a
0x011f512e
0x011f512e
0x011f5131
0x011f5137
0x011f5139
0x011f513c
0x011f514c
0x011f5151
0x011f5151
0x011f5166
0x011f516b
0x011f516e
0x011f5173
0x011f5176
0x011f5178
0x011f517a
0x011f517d
0x011f5180
0x011f518d
0x011f5192
0x011f5192
0x011f5180
0x011f5199
0x011f519e
0x011f51a1
0x011f51a6
0x011f51a9
0x011f51ab
0x011f51b8
0x011f51bd
0x011f51ab
0x011f51c0
0x011f51c3
0x011f51c8
0x011f51c8
0x011f5114
0x011f5117
0x00000000
0x00000000
0x011f5119
0x00000000
0x011f5119
0x011f5106
0x011f5108
0x00000000
0x00000000
0x00000000
0x011f5108
0x011f50f7
0x011f50fa
0x00000000
0x00000000
0x011f50fc
0x00000000
0x011f50fc
0x011f50f0
0x011f50f0
0x011f50f0
0x00000000
0x011f50f0
0x011f50e2
0x011f50e5
0x00000000
0x00000000
0x00000000
0x011f50e5
0x011f50b5
0x011f50b8
0x011f50ba
0x011f50c2
0x011f50c4
0x011f50ce
0x011f50d0
0x011f50d2
0x00000000
0x00000000
0x011f50d4
0x011f50d8
0x011f50d8
0x00000000
0x011f50d8
0x011f50c6
0x00000000
0x011f50c6
0x011f50bc
0x00000000
0x011f50bc
0x011f5094
0x00000000
0x011f5094
0x011f4fef
0x011f4fef
0x00000000
0x011f4fef
0x011f507a
0x011f507a
0x011f507d
0x011f504f
0x011f504f
0x011f5050
0x011f5052
0x011f5054
0x00000000
0x011f5054
0x011f507f
0x011f5082
0x00000000
0x00000000
0x011f5088
0x011f4ff7
0x011f4ff7
0x00000000
0x011f4ff7
0x011f5023
0x011f5066
0x00000000
0x011f5066
0x011f5025
0x011f5028
0x011f505b
0x011f505d
0x00000000
0x011f505d
0x011f502a
0x011f502d
0x011f504b
0x011f504b
0x011f504b
0x011f504b
0x00000000
0x011f504b
0x011f502f
0x011f5032
0x011f5044
0x00000000
0x011f5044
0x011f5034
0x011f5037
0x00000000
0x00000000
0x011f503b
0x00000000
0x011f503b
0x011f4fb2
0x00000000
0x00000000
0x011f4fb8
0x011f4fbb
0x011f4ffb
0x011f4ffb
0x011f4ffe
0x011f5017
0x00000000
0x011f5017
0x011f5000
0x011f5000
0x011f5003
0x00000000
0x00000000
0x011f5006
0x011f5009
0x00000000
0x00000000
0x011f500b
0x011f500e
0x00000000
0x011f500e
0x011f4fbd
0x011f4ff6
0x00000000
0x011f4ff6
0x011f4fc2
0x00000000
0x00000000
0x011f4fcb
0x00000000
0x00000000
0x011f4fd0
0x00000000
0x00000000
0x011f4fd5
0x00000000
0x00000000
0x011f4fde
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: 5268bd7d6746de75667cedb719efae9842c6a189b3b674e5921c5bce3bc64304
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: FF518A7020474A57EFBC852C8458BBF6BCB9B52608F08091DDB87CBA82D705E546C3E3

Uniqueness

Uniqueness Score: -1.00%

Function 011DEFE2 Relevance: .2, Instructions: 161
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E011DEFE2(intOrPtr __ecx, char _a4) {
				char _v12;
				signed int _v13;
				signed int _v14;
				signed int _v15;
				signed int _v16;
				signed char _v17;
				signed char _v18;
				signed char _v19;
				signed char _v20;
				char _v28;
				signed int _v29;
				signed int _v30;
				signed int _v31;
				signed int _v32;
				signed int* _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _t94;
				signed int _t113;
				signed int _t116;
				signed int _t117;
				signed char _t120;
				signed int* _t121;
				signed int* _t122;
				signed int _t123;
				signed int* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int* _t128;
				void* _t130;
				signed int _t131;
				void* _t132;
				signed int _t134;
				signed int* _t139;
				signed int* _t142;
				void* _t145;
				void* _t167;

				_t134 = _a4 - 6;
				_v48 = __ecx;
				_v40 = _t134;
				_t94 = E011F0320( &_v32, _a4, 0x20);
				_t145 =  &_v48 + 0xc;
				_t117 = 0;
				_t126 = 0;
				_t127 = 0;
				if(_t134 <= 0) {
					L10:
					if(_t117 <= _a4) {
						_t128 = 0x120e198;
						do {
							_t120 = _v32 ^  *(( *(_t145 + 0x1d + _t134 * 4) & 0x000000ff) + 0x120e098);
							_v32 = _t120;
							_v31 = _v31 ^  *(( *(_t145 + 0x1e + _t134 * 4) & 0x000000ff) + 0x120e098);
							_v30 = _v30 ^  *(( *(_t145 + 0x1f + _t134 * 4) & 0x000000ff) + 0x120e098);
							_v29 = _v29 ^  *(( *(_t145 + 0x1c + _t134 * 4) & 0x000000ff) + 0x120e098);
							_t94 =  *_t128 ^ _t120;
							_v32 = _t94;
							_v36 =  &(_t128[0]);
							if(_t134 == 8) {
								_t121 =  &_v28;
								_v44 = 3;
								do {
									_t130 = 4;
									do {
										 *_t121 =  *_t121 ^  *(_t121 - 4);
										_t121 =  &(_t121[0]);
										_t130 = _t130 - 1;
									} while (_t130 != 0);
									_t55 =  &_v44;
									 *_t55 = _v44 - 1;
								} while ( *_t55 != 0);
								_t122 =  &_v12;
								_v44 = 3;
								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0x120e098);
								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0x120e098);
								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0x120e098);
								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0x120e098);
								do {
									_t131 = 4;
									do {
										_t94 =  *((intOrPtr*)(_t122 - 4));
										 *_t122 =  *_t122 ^ _t94;
										_t122 =  &(_t122[0]);
										_t131 = _t131 - 1;
									} while (_t131 != 0);
									_t76 =  &_v44;
									 *_t76 = _v44 - 1;
								} while ( *_t76 != 0);
								goto L28;
							} else {
								if(_t134 > 1) {
									_t124 =  &_v28;
									_v44 = _t134 - 1;
									do {
										_t132 = 4;
										do {
											_t94 =  *((intOrPtr*)(_t124 - 4));
											 *_t124 =  *_t124 ^ _t94;
											_t124 =  &(_t124[0]);
											_t132 = _t132 - 1;
										} while (_t132 != 0);
										_t50 =  &_v44;
										 *_t50 = _v44 - 1;
									} while ( *_t50 != 0);
								}
								_t131 = 0;
								if(_t134 <= 0) {
									L37:
									_t167 = _t117 - _a4;
								} else {
									L28:
									while(_t117 <= _a4) {
										if(_t131 < _t134) {
											_t139 =  &(( &_v32)[_t131]);
											while(_t126 < 4) {
												_t123 = _t126 + _t117 * 4;
												_t113 =  *_t139;
												_t131 = _t131 + 1;
												_t139 =  &_a4;
												_t126 = _t126 + 1;
												 *(_v48 + 0x18 + _t123 * 4) = _t113;
												_t134 = _v40;
												if(_t131 < _t134) {
													continue;
												}
												break;
											}
										}
										if(_t126 == 4) {
											_t117 = _t117 + 1;
										}
										_t90 = _t126 - 4; // -4
										_t94 =  ~_t90;
										asm("sbb eax, eax");
										_t126 = _t126 & _t94;
										if(_t131 < _t134) {
											continue;
										} else {
											goto L37;
										}
										goto L38;
									}
								}
							}
							L38:
							_t128 = _v36;
						} while (_t167 <= 0);
					}
				} else {
					while(_t117 <= _a4) {
						if(_t127 < _t134) {
							_t142 =  &(( &_v32)[_t127]);
							while(_t126 < 4) {
								_t125 = _t126 + _t117 * 4;
								_t116 =  *_t142;
								_t127 = _t127 + 1;
								_t142 =  &_a4;
								_t126 = _t126 + 1;
								 *(_v48 + 0x18 + _t125 * 4) = _t116;
								_t134 = _v40;
								if(_t127 < _t134) {
									continue;
								}
								break;
							}
						}
						if(_t126 == 4) {
							_t117 = _t117 + 1;
						}
						_t18 = _t126 - 4; // -4
						_t94 =  ~_t18;
						asm("sbb eax, eax");
						_t126 = _t126 & _t94;
						if(_t127 < _t134) {
							continue;
						} else {
							goto L10;
						}
						goto L39;
					}
				}
				L39:
				return _t94;
			}

0x011deff8
0x011deffb
0x011df000
0x011df004
0x011df009
0x011df00c
0x011df00e
0x011df010
0x011df014
0x011df062
0x011df065
0x011df06b
0x011df070
0x011df079
0x011df07f
0x011df08e
0x011df09d
0x011df0ac
0x011df0b2
0x011df0b5
0x011df0b9
0x011df0c0
0x011df0f3
0x011df0f7
0x011df0ff
0x011df101
0x011df102
0x011df105
0x011df107
0x011df108
0x011df108
0x011df10d
0x011df10d
0x011df10d
0x011df119
0x011df11d
0x011df12b
0x011df13a
0x011df149
0x011df158
0x011df15c
0x011df15e
0x011df15f
0x011df15f
0x011df162
0x011df164
0x011df165
0x011df165
0x011df16a
0x011df16a
0x011df16a
0x00000000
0x011df0c2
0x011df0c5
0x011df0ca
0x011df0ce
0x011df0d2
0x011df0d4
0x011df0d5
0x011df0d5
0x011df0d8
0x011df0da
0x011df0db
0x011df0db
0x011df0e0
0x011df0e0
0x011df0e0
0x011df0d2
0x011df0e7
0x011df0eb
0x011df1b9
0x011df1b9
0x011df0f1
0x00000000
0x011df171
0x011df178
0x011df17e
0x011df182
0x011df18b
0x011df18e
0x011df191
0x011df192
0x011df195
0x011df196
0x011df19a
0x011df1a0
0x00000000
0x00000000
0x00000000
0x011df1a0
0x011df1a2
0x011df1a9
0x011df1ab
0x011df1ab
0x011df1ac
0x011df1af
0x011df1b1
0x011df1b3
0x011df1b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x011df1b7
0x011df171
0x011df0eb
0x011df1bc
0x011df1bc
0x011df1bc
0x011df070
0x00000000
0x011df016
0x011df021
0x011df027
0x011df02b
0x011df034
0x011df037
0x011df03a
0x011df03b
0x011df03e
0x011df03f
0x011df043
0x011df049
0x00000000
0x00000000
0x00000000
0x011df049
0x011df04b
0x011df052
0x011df054
0x011df054
0x011df055
0x011df058
0x011df05a
0x011df05c
0x011df060
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x011df060
0x011df016
0x011df1cd
0x011df1cd

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9297d6daee6970cc38f524b6d639f42a1329e8440e5a47f734677d2edf04930c
Instruction ID: d2bc6070663f0b92a8bd7dbaff127b220ca1143051235905296789d39eb00d31
Opcode Fuzzy Hash: 9297d6daee6970cc38f524b6d639f42a1329e8440e5a47f734677d2edf04930c
Instruction Fuzzy Hash: 0151C1315083D64ED71ACF38C54446EBFE1AE9B218F4A499DE4DA5B243C321D78BCB62

Uniqueness

Uniqueness Score: -1.00%

Function 011E00B7 Relevance: .1, Instructions: 141
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E011E00B7() {
				signed int _t81;
				signed int _t96;
				signed int _t98;
				signed int* _t99;
				unsigned int* _t100;
				void* _t101;
				unsigned int _t103;
				signed int _t108;
				unsigned int _t122;
				signed int _t124;
				signed int _t125;
				signed int* _t130;
				signed int _t131;
				signed int* _t132;
				signed int _t133;
				signed int _t140;
				void* _t146;
				void* _t147;
				void* _t148;
				signed int _t149;
				void* _t151;

				_t130 =  *(_t151 + 0x148);
				_t133 = 0;
				_t99 =  &(_t130[0xa]);
				do {
					 *((intOrPtr*)(_t151 + 0x48 + _t133 * 4)) = E011F68E4( *_t99);
					_t99 =  &(_t99[1]);
					_t133 = _t133 + 1;
				} while (_t133 < 0x10);
				_t100 = _t151 + 0x80;
				_t148 = 0x30;
				do {
					_t103 =  *(_t100 - 0x34);
					_t122 =  *_t100;
					asm("rol esi, 0xe");
					_t100 =  &(_t100[1]);
					asm("ror eax, 0x7");
					asm("rol eax, 0xd");
					asm("rol ecx, 0xf");
					_t100[1] = (_t103 ^ _t103 ^ _t103 >> 0x00000003) + (_t122 ^ _t122 ^ _t122 >> 0x0000000a) +  *((intOrPtr*)(_t100 - 0x3c)) +  *((intOrPtr*)(_t100 - 0x18));
					_t148 = _t148 - 1;
				} while (_t148 != 0);
				_t81 =  *_t130;
				_t101 = 0;
				_t108 = _t130[1];
				_t124 = _t130[2];
				_t140 = _t130[5];
				_t149 = _t130[4];
				 *(_t151 + 0x20) = _t81;
				 *(_t151 + 0x2c) = _t81;
				 *(_t151 + 0x28) = _t130[3];
				 *(_t151 + 0x10) = _t130[6];
				_t131 =  *(_t151 + 0x20);
				 *(_t151 + 0x14) = _t108;
				 *(_t151 + 0x18) = _t124;
				 *(_t151 + 0x1c) = _t140;
				 *(_t151 + 0x24) = _t130[7];
				do {
					 *(_t151 + 0x40) =  *(_t151 + 0x10);
					asm("rol eax, 0x7");
					 *(_t151 + 0x3c) = _t140;
					asm("ror esi, 0xb");
					 *(_t151 + 0x30) = _t108;
					 *(_t151 + 0x34) = _t124;
					_t125 =  *(_t151 + 0x1c);
					asm("ror eax, 0x6");
					 *(_t151 + 0x1c) = _t149;
					 *(_t151 + 0x38) = _t149;
					_t40 = _t101 + 0x1203b28; // 0x428a2f98
					_t146 = (_t149 ^ _t149 ^ _t149) + ( !_t149 &  *(_t151 + 0x10) ^ _t125 & _t149) +  *_t40 +  *((intOrPtr*)(_t151 + _t101 + 0x44));
					_t101 = _t101 + 4;
					_t147 = _t146 +  *(_t151 + 0x24);
					 *(_t151 + 0x24) =  *(_t151 + 0x10);
					_t149 =  *(_t151 + 0x28) + _t147;
					 *(_t151 + 0x10) = _t125;
					asm("rol eax, 0xa");
					asm("ror edx, 0xd");
					 *(_t151 + 0x20) = _t131;
					asm("ror eax, 0x2");
					 *(_t151 + 0x28) =  *(_t151 + 0x18);
					_t96 =  *(_t151 + 0x14);
					_t108 = _t131;
					 *(_t151 + 0x18) = _t96;
					 *(_t151 + 0x14) = _t108;
					_t131 = (_t131 ^ _t131 ^ _t131) + (( *(_t151 + 0x18) ^  *(_t151 + 0x14)) & _t131 ^  *(_t151 + 0x18) &  *(_t151 + 0x14)) + _t147;
					_t140 =  *(_t151 + 0x1c);
					_t124 = _t96;
				} while (_t101 < 0x100);
				_t98 =  *(_t151 + 0x2c) + _t131;
				_t132 =  *(_t151 + 0x148);
				_t132[1] = _t132[1] + _t108;
				_t132[2] = _t132[2] +  *(_t151 + 0x30);
				_t132[3] = _t132[3] +  *(_t151 + 0x34);
				_t132[5] = _t132[5] +  *(_t151 + 0x38);
				_t132[6] = _t132[6] +  *(_t151 + 0x3c);
				_t132[4] = _t132[4] + _t149;
				_t132[7] = _t132[7] +  *(_t151 + 0x40);
				 *_t132 = _t98;
				return _t98;
			}

0x011e00c1
0x011e00c8
0x011e00ca
0x011e00cd
0x011e00d4
0x011e00d8
0x011e00db
0x011e00dd
0x011e00e4
0x011e00eb
0x011e00ec
0x011e00ec
0x011e00f1
0x011e00f5
0x011e00f8
0x011e00fb
0x011e0109
0x011e010c
0x011e011e
0x011e0121
0x011e0121
0x011e0126
0x011e0128
0x011e012a
0x011e012d
0x011e0130
0x011e0133
0x011e0136
0x011e013a
0x011e0141
0x011e0148
0x011e014f
0x011e0153
0x011e0157
0x011e015b
0x011e015f
0x011e0163
0x011e0167
0x011e016d
0x011e0170
0x011e0176
0x011e017b
0x011e017f
0x011e0185
0x011e018b
0x011e0198
0x011e019e
0x011e01ae
0x011e01b4
0x011e01b8
0x011e01bb
0x011e01bf
0x011e01c3
0x011e01c5
0x011e01cb
0x011e01d0
0x011e01d5
0x011e01db
0x011e01f8
0x011e01fc
0x011e0200
0x011e0202
0x011e0206
0x011e020a
0x011e020d
0x011e0211
0x011e0213
0x011e0223
0x011e0225
0x011e022c
0x011e0233
0x011e023a
0x011e0241
0x011e0248
0x011e024b
0x011e0252
0x011e0255
0x011e0261

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e52b302bcf429f620390336b1080d0db4dd551ea0561d207ab95229eaf2b738
Instruction ID: 5914b5310563eac45a15399f1bf33627be9242b8f6e043af029d9345075c531e
Opcode Fuzzy Hash: 2e52b302bcf429f620390336b1080d0db4dd551ea0561d207ab95229eaf2b738
Instruction Fuzzy Hash: 8851DFB1A087119FC748CF19D88055AFBE1FB88314F058A2EE899E3340D734E959CB96

Uniqueness

Uniqueness Score: -1.00%

Function 011E3E0B Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E011E3E0B(unsigned int __ecx) {
				intOrPtr _t39;
				signed int _t47;
				intOrPtr _t48;
				signed int _t55;
				signed int _t61;
				signed int _t66;
				intOrPtr _t78;
				signed int _t82;
				unsigned char _t84;
				signed int* _t86;
				intOrPtr _t87;
				unsigned int _t88;
				unsigned int _t89;
				signed int _t90;
				void* _t91;

				_t88 =  *(_t91 + 0x20);
				_t61 = 0;
				_t86 =  *(_t91 + 0x28);
				_t89 = __ecx;
				 *(_t91 + 0x18) = __ecx;
				_t86[3] = 0;
				if( *((intOrPtr*)(_t88 + 8)) != 0 ||  *_t88 <=  *((intOrPtr*)(__ecx + 0x84)) - 7 || E011E4E52(__ecx) != 0) {
					E011DA881(_t88,  ~( *(_t88 + 4)) & 0x00000007);
					 *(_t91 + 0x18) = E011DA898(_t88) >> 8;
					E011DA881(_t88, 8);
					_t66 =  *(_t91 + 0x14) & 0x000000ff;
					_t39 = (_t66 >> 0x00000003 & 0x00000003) + 1;
					 *((intOrPtr*)(_t91 + 0x10)) = _t39;
					if(_t39 == 4) {
						goto L12;
					}
					_t86[3] = _t39 + 2;
					_t86[1] = (_t66 & 0x00000007) + 1;
					 *(_t91 + 0x20) = E011DA898(_t88) >> 8;
					E011DA881(_t88, 8);
					if( *((intOrPtr*)(_t91 + 0x10)) <= _t61) {
						L8:
						_t84 =  *(_t91 + 0x14);
						 *_t86 = _t61;
						if((_t61 >> 0x00000010 ^ _t61 >> 0x00000008 ^ _t61 ^ _t84 ^ 0x0000005a) !=  *((intOrPtr*)(_t91 + 0x1c))) {
							goto L12;
						}
						_t47 =  *_t88;
						_t86[2] = _t47;
						_t23 = _t47 - 1; // -1
						_t48 =  *((intOrPtr*)(_t89 + 0x88));
						_t78 = _t23 + _t61;
						if(_t48 >= _t78) {
							_t48 = _t78;
						}
						 *((intOrPtr*)(_t89 + 0x88)) = _t48;
						_t86[4] = _t84 >> 0x00000006 & 0x00000001;
						_t86[4] = _t84 >> 7;
						return 1;
					}
					_t87 =  *((intOrPtr*)(_t91 + 0x10));
					_t90 = _t61;
					do {
						_t55 = E011DA898(_t88) >> 8 << _t90;
						_t90 = _t90 + 8;
						_t61 = _t61 + _t55;
						_t82 =  *(_t88 + 4) + 8;
						 *_t88 =  *_t88 + (_t82 >> 3);
						 *(_t88 + 4) = _t82 & 0x00000007;
						_t87 = _t87 - 1;
					} while (_t87 != 0);
					_t86 =  *(_t91 + 0x28);
					_t89 =  *(_t91 + 0x18);
					goto L8;
				} else {
					L12:
					return 0;
				}
			}

0x011e3e11
0x011e3e15
0x011e3e18
0x011e3e1c
0x011e3e1e
0x011e3e22
0x011e3e28
0x011e3e4f
0x011e3e62
0x011e3e66
0x011e3e6f
0x011e3e7a
0x011e3e7b
0x011e3e82
0x00000000
0x00000000
0x011e3e8f
0x011e3e92
0x011e3ea3
0x011e3ea7
0x011e3eb0
0x011e3eeb
0x011e3eeb
0x011e3efb
0x011e3f08
0x00000000
0x00000000
0x011e3f0a
0x011e3f0c
0x011e3f0f
0x011e3f12
0x011e3f18
0x011e3f1c
0x011e3f1e
0x011e3f1e
0x011e3f20
0x011e3f30
0x011e3f35
0x00000000
0x011e3f35
0x011e3eb2
0x011e3eb6
0x011e3eb8
0x011e3ec4
0x011e3ec6
0x011e3ecc
0x011e3ece
0x011e3ed9
0x011e3edb
0x011e3ede
0x011e3ede
0x011e3ee3
0x011e3ee7
0x00000000
0x011e3f3a
0x011e3f3a
0x00000000
0x011e3f3a

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: b9f34ad3308fe3d5c3b94a53bfffedd202d19efa3d73fa327c4fe13713a4d27e
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 1431E0B1614B568FCB18DF68D85126ABBE0FF95205F00492DE8D9C7341CB38E90ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 011EC73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E011EC73F(void* __edx, void* __edi) {
				intOrPtr _t232;
				void* _t237;
				intOrPtr _t293;
				intOrPtr _t297;
				long _t308;
				void* _t311;
				signed int _t312;
				void* _t316;

				E011EEB78(0x1202b20, _t316);
				_t232 = E011EEC50(0x1b888);
				if( *((intOrPtr*)(_t316 + 0xc)) == 0) {
					L180:
					 *[fs:0x0] =  *((intOrPtr*)(_t316 - 0xc));
					return _t232;
				}
				_push(0x1000);
				_push(_t316 - 0x15);
				_push(_t316 - 0xd);
				_push(_t316 - 0x588c);
				_push(_t316 - 0xf894);
				_push( *((intOrPtr*)(_t316 + 0xc)));
				_t232 = E011EB314(__edi, _t316);
				_t297 = _t232;
				 *((intOrPtr*)(_t316 + 0xc)) = _t297;
				if(_t297 != 0) {
					_t293 =  *((intOrPtr*)(_t316 + 0x10));
					_push(__edi);
					do {
						_t237 = _t316 - 0x588c;
						_t311 = _t316 - 0x1b894;
						_t308 = 6;
						goto L4;
						L6:
						while(E011E1FBB(_t316 - 0xf894,  *((intOrPtr*)(0x120e744 + _t312 * 4))) != 0) {
							_t312 = _t312 + 1;
							if(_t312 < 0xe) {
								continue;
							} else {
								goto L178;
							}
						}
						if(_t312 > 0xd) {
							goto L178;
						}
						switch( *((intOrPtr*)(_t312 * 4 +  &M011ED41B))) {
							case 0:
								__eflags = _t293 - 2;
								if(_t293 == 2) {
									_t308 = 0x800;
									E011EA64D(_t316 - 0x788c, 0x800);
									E011DA544(E011DBDF3(__eflags, _t316 - 0x788c, _t316 - 0x588c, _t316 - 0xd894, 0x800), _t293, _t316 - 0x8894, _t312);
									 *(_t316 - 4) = 0;
									E011DA67E(_t316 - 0x8894, _t316 - 0xd894);
									E011D6EDB(_t316 - 0x388c);
									while(1) {
										_push(0);
										_t255 = E011DA5D1(_t316 - 0x8894, _t316 - 0x388c);
										__eflags = _t255;
										if(_t255 == 0) {
											break;
										}
										SetFileAttributesW(_t316 - 0x388c, 0);
										__eflags =  *(_t316 - 0x2880);
										if(__eflags == 0) {
											L18:
											_t259 = GetFileAttributesW(_t316 - 0x388c);
											__eflags = _t259 - 0xffffffff;
											if(_t259 == 0xffffffff) {
												continue;
											}
											_t261 = DeleteFileW(_t316 - 0x388c);
											__eflags = _t261;
											if(_t261 != 0) {
												continue;
											} else {
												_t314 = 0;
												_push(0);
												goto L22;
												L22:
												E011D4092(_t316 - 0x1044, _t308, L"%s.%d.tmp", _t316 - 0x388c);
												_t318 = _t318 + 0x14;
												_t266 = GetFileAttributesW(_t316 - 0x1044);
												__eflags = _t266 - 0xffffffff;
												if(_t266 != 0xffffffff) {
													_t314 = _t314 + 1;
													__eflags = _t314;
													_push(_t314);
													goto L22;
												} else {
													_t269 = MoveFileW(_t316 - 0x388c, _t316 - 0x1044);
													__eflags = _t269;
													if(_t269 != 0) {
														MoveFileExW(_t316 - 0x1044, 0, 4);
													}
													continue;
												}
											}
										}
										E011DB991(__eflags, _t316 - 0x788c, _t316 - 0x1044, _t308);
										E011DB690(__eflags, _t316 - 0x1044, _t308);
										_t315 = E011F3E13(_t316 - 0x788c);
										__eflags = _t315 - 4;
										if(_t315 < 4) {
											L16:
											_t280 = E011DBDB4(_t316 - 0x588c);
											__eflags = _t280;
											if(_t280 != 0) {
												break;
											}
											L17:
											_t283 = E011F3E13(_t316 - 0x388c);
											__eflags = 0;
											 *((short*)(_t316 + _t283 * 2 - 0x388a)) = 0;
											E011EFFF0(_t308, _t316 - 0x44, 0, 0x1e);
											_t318 = _t318 + 0x10;
											 *((intOrPtr*)(_t316 - 0x40)) = 3;
											_push(0x14);
											_pop(_t286);
											 *((short*)(_t316 - 0x34)) = _t286;
											 *((intOrPtr*)(_t316 - 0x3c)) = _t316 - 0x388c;
											_push(_t316 - 0x44);
											 *0x123307c();
											goto L18;
										}
										_t291 = E011F3E13(_t316 - 0x1044);
										__eflags = _t315 - _t291;
										if(_t315 > _t291) {
											goto L17;
										}
										goto L16;
									}
									 *(_t316 - 4) =  *(_t316 - 4) | 0xffffffff;
									E011DA55A(_t316 - 0x8894);
								}
								goto L178;
							case 1:
								__eflags = __ebx;
								if(__ebx == 0) {
									__eax = E011F3E13(__esi);
									__eax = __eax + __edi;
									_push(__eax);
									_push( *0x122fc94);
									__eax = E011F3E3E(__ecx, __edx);
									__esp = __esp + 0xc;
									__eflags = __eax;
									if(__eax != 0) {
										__eax = E011F7686(__eax, __esi);
										_pop(__ecx);
										_pop(__ecx);
									}
									__eflags = __bh;
									if(__bh == 0) {
										__eax = L011F3E2E(__esi);
									}
								}
								goto L178;
							case 2:
								__eflags = __ebx;
								if(__ebx == 0) {
									__ebp - 0x588c = SetWindowTextW( *(__ebp + 8), __ebp - 0x588c);
								}
								goto L178;
							case 3:
								__eflags = __ebx;
								if(__ebx != 0) {
									goto L178;
								}
								__eflags =  *0x121a472 - __di;
								if( *0x121a472 != __di) {
									goto L178;
								}
								__eax = 0;
								__edi = __ebp - 0x588c;
								_push(0x22);
								 *(__ebp - 0x1044) = __ax;
								_pop(__eax);
								__eflags =  *(__ebp - 0x588c) - __ax;
								if( *(__ebp - 0x588c) == __ax) {
									__edi = __ebp - 0x588a;
								}
								__eax = E011F3E13(__edi);
								__esi = 0x800;
								__eflags = __eax - 0x800;
								if(__eax >= 0x800) {
									goto L178;
								} else {
									__eax =  *__edi & 0x0000ffff;
									_push(0x5c);
									_pop(__ecx);
									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
									if(( *__edi & 0x0000ffff) != 0x2e) {
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L64:
											__ebp - 0x1044 = E011E0602(__ebp - 0x1044, __edi, __esi);
											__ebx = 0;
											__eflags = 0;
											L65:
											_push(0x22);
											_pop(__eax);
											__eax = __ebp - 0x1044;
											__eax = E011F279B(__ebp - 0x1044, __ebp - 0x1044);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__eflags =  *(__eax + 2) - __bx;
												if( *(__eax + 2) == __bx) {
													__ecx = 0;
													__eflags = 0;
													 *__eax = __cx;
												}
											}
											__eax = __ebp - 0x1044;
											__edi = 0x121a472;
											E011E0602(0x121a472, __ebp - 0x1044, __esi) = __ebp - 0x1044;
											__eax = E011EB1BE(__ebp - 0x1044, __esi);
											__esi = GetDlgItem( *(__ebp + 8), 0x66);
											__ebp - 0x1044 = SetWindowTextW(__esi, __ebp - 0x1044);
											__eax = SendMessageW(__esi, 0x143, __ebx, 0x121a472);
											__eax = __ebp - 0x1044;
											__eax = E011F3E49(__ebp - 0x1044, 0x121a472, __eax);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__ebp - 0x1044 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1044);
											}
											goto L178;
										}
										L53:
										__eflags = __ax;
										if(__ax == 0) {
											L55:
											__eax = __ebp - 0x1c;
											__ebx = 0;
											_push(__ebp - 0x1c);
											_push(1);
											_push(0);
											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
											_push(0x80000002);
											__eax =  *0x1233028();
											__eflags = __eax;
											if(__eax == 0) {
												__eax = __ebp - 0x14;
												 *(__ebp - 0x14) = 0x1000;
												_push(__ebp - 0x14);
												__eax = __ebp - 0x1044;
												_push(__ebp - 0x1044);
												__eax = __ebp - 0x24;
												_push(__ebp - 0x24);
												_push(0);
												_push(L"ProgramFilesDir");
												_push( *(__ebp - 0x1c));
												__eax =  *0x1233024();
												_push( *(__ebp - 0x1c));
												 *0x1233008() =  *(__ebp - 0x14);
												__ecx = 0x7ff;
												__eax =  *(__ebp - 0x14) >> 1;
												__eflags = __eax - 0x7ff;
												if(__eax >= 0x7ff) {
													__eax = 0x7ff;
												}
												__ecx = 0;
												__eflags = 0;
												 *(__ebp + __eax * 2 - 0x1044) = __cx;
											}
											__eflags =  *(__ebp - 0x1044) - __bx;
											if( *(__ebp - 0x1044) != __bx) {
												__eax = __ebp - 0x1044;
												__eax = E011F3E13(__ebp - 0x1044);
												_push(0x5c);
												_pop(__ecx);
												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x1046)) - __cx;
												if(__eflags != 0) {
													__ebp - 0x1044 = E011E05DA(__eflags, __ebp - 0x1044, "\\", __esi);
												}
											}
											__esi = E011F3E13(__edi);
											__eax = __ebp - 0x1044;
											__eflags = __esi - 0x7ff;
											__esi = 0x800;
											if(__eflags < 0) {
												__ebp - 0x1044 = E011E05DA(__eflags, __ebp - 0x1044, __edi, 0x800);
											}
											goto L65;
										}
										__eflags =  *((short*)(__edi + 2)) - 0x3a;
										if( *((short*)(__edi + 2)) == 0x3a) {
											goto L64;
										}
										goto L55;
									}
									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
									if( *((intOrPtr*)(__edi + 2)) != __cx) {
										goto L53;
									}
									__edi = __edi + 4;
									__ebx = 0;
									__eflags =  *__edi - __bx;
									if( *__edi == __bx) {
										goto L178;
									} else {
										__ebp - 0x1044 = E011E0602(__ebp - 0x1044, __edi, 0x800);
										goto L65;
									}
								}
							case 4:
								__eflags =  *0x121a46c - 1;
								__eflags = __eax - 0x121a46c;
								 *__edi =  *__edi + __ecx;
								__eflags =  *(__edx + 7) & __al;
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
							case 5:
								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
								__ecx = 0;
								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
								__eflags = __eax;
								if(__eax == 0) {
									L82:
									 *0x1218457 = __cl;
									 *0x1218460 = 1;
									goto L178;
								}
								__eax = __eax - 0x30;
								__eflags = __eax;
								if(__eax == 0) {
									 *0x1218457 = __cl;
									L81:
									 *0x1218460 = __cl;
									goto L178;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L82;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax != 0) {
									goto L178;
								}
								 *0x1218457 = 1;
								goto L81;
							case 6:
								__edi = 0;
								 *0x121c577 = 1;
								__edi = 1;
								__eax = __ebp - 0x588c;
								__eflags =  *(__ebp - 0x588c) - 0x3c;
								__ebx = __esi;
								 *(__ebp - 0x14) = __eax;
								if( *(__ebp - 0x588c) != 0x3c) {
									L99:
									__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
									if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
										if( *((intOrPtr*)(__ebp + 0x10)) != 4) {
											goto L178;
										}
										__eflags = __ebx - 6;
										if(__ebx != 6) {
											goto L178;
										}
										__ecx = 0;
										__eflags = 0;
										_push(0);
										L105:
										_push(__edi);
										_push(__eax);
										_push( *(__ebp + 8));
										__eax = E011ED78F(__ebp);
										goto L178;
									}
									__eflags = __ebx - 9;
									if(__ebx != 9) {
										goto L178;
									}
									_push(1);
									goto L105;
								}
								__eax = __ebp - 0x588a;
								_push(0x3e);
								_push(__ebp - 0x588a);
								__eax = E011F22C6(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax == 0) {
									L98:
									__eax =  *(__ebp - 0x14);
									goto L99;
								}
								_t111 = __eax + 2; // 0x2
								__ecx = _t111;
								 *(__ebp - 0x14) = _t111;
								__ecx = 0;
								 *__eax = __cx;
								__eax = __ebp - 0x10c;
								_push(0x64);
								_push(__ebp - 0x10c);
								__eax = __ebp - 0x588a;
								_push(__ebp - 0x588a);
								__eax = E011EAF98();
								 *(__ebp - 0x20) = __eax;
								__eflags = __eax;
								if(__eax == 0) {
									goto L98;
								}
								__esi = __eax;
								while(1) {
									__eflags =  *(__ebp - 0x10c);
									if( *(__ebp - 0x10c) == 0) {
										goto L98;
									}
									__eax = __ebp - 0x10c;
									__eax = E011E1FBB(__ebp - 0x10c, L"HIDE");
									__eax =  ~__eax;
									asm("sbb eax, eax");
									__edi = __edi & __eax;
									__eax = __ebp - 0x10c;
									__eax = E011E1FBB(__ebp - 0x10c, L"MAX");
									__eflags = __eax;
									if(__eax == 0) {
										_push(3);
										_pop(__edi);
									}
									__eax = __ebp - 0x10c;
									__eax = E011E1FBB(__ebp - 0x10c, L"MIN");
									__eflags = __eax;
									if(__eax == 0) {
										_push(6);
										_pop(__edi);
									}
									_push(0x64);
									__eax = __ebp - 0x10c;
									_push(__ebp - 0x10c);
									_push(__esi);
									__esi = E011EAF98();
									__eflags = __esi;
									if(__esi != 0) {
										continue;
									} else {
										goto L98;
									}
								}
								goto L98;
							case 7:
								__eflags = __ebx - 1;
								if(__eflags != 0) {
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										__eflags =  *0x121a46c - __edi;
										if( *0x121a46c == __edi) {
											 *0x121a46c = 2;
										}
										 *0x1219468 = 1;
									}
									goto L178;
								}
								__eax = __ebp - 0x788c;
								__edi = 0x800;
								GetTempPathW(0x800, __ebp - 0x788c) = __ebp - 0x788c;
								__eax = E011DB690(__eflags, __ebp - 0x788c, 0x800);
								__ebx = 0;
								__esi = 0;
								_push(0);
								while(1) {
									_push( *0x120e724);
									__ebp - 0x788c = E011D4092(0x121946a, __edi, L"%s%s%u", __ebp - 0x788c);
									__eax = E011DA231(0x121946a);
									__eflags = __al;
									if(__al == 0) {
										break;
									}
									__esi =  &(__esi->i);
									__eflags = __esi;
									_push(__esi);
								}
								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x121946a);
								__eflags =  *(__ebp - 0x588c) - __bx;
								if( *(__ebp - 0x588c) == __bx) {
									goto L178;
								}
								__eflags =  *0x121c575 - __bl;
								if( *0x121c575 != __bl) {
									goto L178;
								}
								__eax = 0;
								 *(__ebp - 0x444) = __ax;
								__eax = __ebp - 0x588c;
								_push(0x2c);
								_push(__ebp - 0x588c);
								__eax = E011F22C6(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									L122:
									__eflags =  *(__ebp - 0x444) - __bx;
									if( *(__ebp - 0x444) == __bx) {
										__ebp - 0x1b894 = __ebp - 0x588c;
										E011E0602(__ebp - 0x588c, __ebp - 0x1b894, 0x1000) = __ebp - 0x19894;
										__ebp - 0x444 = E011E0602(__ebp - 0x444, __ebp - 0x19894, 0x200);
									}
									__ebp - 0x588c = E011EADD2(__ebp - 0x588c);
									__eax = 0;
									 *(__ebp - 0x488c) = __ax;
									__ebp - 0x444 = __ebp - 0x588c;
									__eax = E011EA7E4( *(__ebp + 8), __ebp - 0x588c, __ebp - 0x444, 0x24);
									__eflags = __eax - 6;
									if(__eax != 6) {
										__eax = 0;
										 *0x1218454 = 1;
										 *0x121946a = __ax;
										__eax = EndDialog( *(__ebp + 8), 1);
									}
									goto L178;
								}
								__ax =  *(__ebp - 0x588c);
								__esi = __ebx;
								__eflags = __ax;
								if(__ax == 0) {
									goto L122;
								}
								__ecx = __ax & 0x0000ffff;
								while(1) {
									__eflags = __cx - 0x40;
									if(__cx == 0x40) {
										break;
									}
									__eax =  *(__ebp + __esi * 2 - 0x588a) & 0x0000ffff;
									__esi =  &(__esi->i);
									__ecx = __eax;
									__eflags = __ax;
									if(__ax != 0) {
										continue;
									}
									goto L122;
								}
								__ebp - 0x588a = __ebp - 0x588a + __esi * 2;
								__ebp - 0x444 = E011E0602(__ebp - 0x444, __ebp - 0x444, 0x200);
								__eax = 0;
								__eflags = 0;
								 *(__ebp + __esi * 2 - 0x588c) = __ax;
								goto L122;
							case 8:
								__eflags = __ebx - 3;
								if(__ebx == 3) {
									__eflags =  *(__ebp - 0x588c) - __di;
									if(__eflags != 0) {
										__eax = __ebp - 0x588c;
										_push(__ebp - 0x588c);
										__eax = E011F7625(__ebx, __edi);
										_pop(__ecx);
										 *0x122fc9c = __eax;
									}
									__eax = __ebp + 0xc;
									_push(__ebp + 0xc);
									 *0x122fc98 = E011EB48E(__ecx, __edx, __eflags);
								}
								 *0x121c576 = 1;
								goto L178;
							case 9:
								__eflags = __ebx - 6;
								if(__ebx != 6) {
									goto L178;
								}
								__eax = 0;
								 *(__ebp - 0x2844) = __ax;
								__eax =  *(__ebp - 0x1b894) & 0x0000ffff;
								__eax = E011F79E9( *(__ebp - 0x1b894) & 0x0000ffff);
								__eflags = __eax - 0x50;
								if(__eax == 0x50) {
									 *(__ebp - 0x14) = 2;
									__eax = 0x122cb82;
								} else {
									__eflags = __eax - 0x54;
									if(__eax == 0x54) {
										 *(__ebp - 0x14) = 7;
										__eax = 0x122bb82;
									} else {
										 *(__ebp - 0x14) = 0x10;
										__eax = 0x122db82;
									}
								}
								__esi = 0x800;
								__ebp - 0x2844 = E011E0602(__ebp - 0x2844, __ebp - 0x2844, 0x800);
								__eax = 0;
								 *(__ebp - 0x9894) = __ax;
								 *(__ebp - 0x1844) = __ax;
								__ebp - 0x19894 = __ebp - 0x688c;
								__eax = E011E0602(__ebp - 0x688c, __ebp - 0x19894, 0x800);
								_push(0x22);
								_pop(__ebx);
								__eflags =  *(__ebp - 0x688c) - __bx;
								if( *(__ebp - 0x688c) != __bx) {
									__ebp - 0x688c = E011DA231(__ebp - 0x688c);
									__eflags = __al;
									if(__al != 0) {
										goto L163;
									}
									__ax =  *(__ebp - 0x688c);
									__esi = __ebp - 0x688c;
									__ebx = __edi;
									__eflags = __ax;
									if(__ax == 0) {
										__esi = 0x800;
										goto L163;
									}
									__edi = __ax & 0x0000ffff;
									do {
										_push(0x20);
										_pop(__eax);
										__eflags = __di - __ax;
										if(__di == __ax) {
											L149:
											__eax = 0;
											__esi->i = __ax;
											__ebp - 0x688c = E011DA231(__ebp - 0x688c);
											__eflags = __al;
											if(__al == 0) {
												L158:
												__esi->i = __di;
												goto L159;
											}
											__ebp - 0x688c = E011DA243(__ebp - 0x688c);
											__eax = E011DA28F(__eax);
											__eflags = __al;
											if(__al != 0) {
												goto L158;
											}
											_push(0x2f);
											_pop(__ecx);
											__eax =  &(__esi->i);
											__ebx = __esi;
											__eflags = __di - __cx;
											if(__di != __cx) {
												_push(0x20);
												__esi = __eax;
												_pop(__eax);
												while(1) {
													__eflags = __esi->i - __ax;
													if(__esi->i != __ax) {
														break;
													}
													__esi =  &(__esi->i);
													__eflags = __esi;
												}
												__ecx = __ebp - 0x1844;
												__eax = __esi;
												__edx = 0x400;
												L157:
												__eax = E011E0602(__ecx, __eax, __edx);
												 *__ebx = __di;
												goto L159;
											}
											 *(__ebp - 0x1844) = __cx;
											__edx = 0x3ff;
											__ecx = __ebp - 0x1842;
											goto L157;
										}
										_push(0x2f);
										_pop(__eax);
										__eflags = __di - __ax;
										if(__di != __ax) {
											goto L159;
										}
										goto L149;
										L159:
										__esi =  &(__esi->i);
										__eax = __esi->i & 0x0000ffff;
										__edi = __esi->i & 0x0000ffff;
										__eflags = __ax;
									} while (__ax != 0);
									__esi = 0x800;
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax = 0;
										 *__ebx = __ax;
									}
									goto L163;
								} else {
									__ebp - 0x19892 = __ebp - 0x688c;
									E011E0602(__ebp - 0x688c, __ebp - 0x19892, 0x800) = __ebp - 0x688a;
									_push(__ebx);
									_push(__ebp - 0x688a);
									__eax = E011F22C6(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = 0;
										 *__eax = __cx;
										__ebp - 0x1844 = E011E0602(__ebp - 0x1844, __ebp - 0x1844, 0x400);
									}
									L163:
									__eflags =  *((short*)(__ebp - 0x11894));
									if( *((short*)(__ebp - 0x11894)) != 0) {
										__ebp - 0x9894 = __ebp - 0x11894;
										__eax = E011DB6C4(__ebp - 0x11894, __ebp - 0x9894, __esi);
									}
									__ebp - 0xb894 = __ebp - 0x688c;
									__eax = E011DB6C4(__ebp - 0x688c, __ebp - 0xb894, __esi);
									__eflags =  *(__ebp - 0x2844);
									if(__eflags == 0) {
										__ebp - 0x2844 = E011EB425(__ecx, __ebp - 0x2844,  *(__ebp - 0x14));
									}
									__ebp - 0x2844 = E011DB690(__eflags, __ebp - 0x2844, __esi);
									__eflags =  *((short*)(__ebp - 0x17894));
									if(__eflags != 0) {
										__ebp - 0x17894 = __ebp - 0x2844;
										E011E05DA(__eflags, __ebp - 0x2844, __ebp - 0x17894, __esi) = __ebp - 0x2844;
										__eax = E011DB690(__eflags, __ebp - 0x2844, __esi);
									}
									__ebp - 0x2844 = __ebp - 0xc894;
									__eax = E011E0602(__ebp - 0xc894, __ebp - 0x2844, __esi);
									__eflags =  *(__ebp - 0x13894);
									__eax = __ebp - 0x13894;
									if(__eflags == 0) {
										__eax = __ebp - 0x19894;
									}
									__ebp - 0x2844 = E011E05DA(__eflags, __ebp - 0x2844, __ebp - 0x2844, __esi);
									__eax = __ebp - 0x2844;
									__eflags = E011DB92D(__ebp - 0x2844);
									if(__eflags == 0) {
										L173:
										__ebp - 0x2844 = E011E05DA(__eflags, __ebp - 0x2844, L".lnk", __esi);
										goto L174;
									} else {
										__eflags = __eax;
										if(__eflags == 0) {
											L174:
											__ebx = 0;
											__ebp - 0x2844 = E011DA0B1(0, __ecx, __edi, __ebp, __ebp - 0x2844, 1, 0);
											__ebp - 0xb894 = __ebp - 0xa894;
											E011E0602(__ebp - 0xa894, __ebp - 0xb894, __esi) = __ebp - 0xa894;
											__eax = E011DC2E4(__eflags, __ebp - 0xa894);
											__esi =  *(__ebp - 0x1844) & 0x0000ffff;
											__eax = __ebp - 0x1844;
											__edx =  *(__ebp - 0x9894) & 0x0000ffff;
											__edi = __ebp - 0xa894;
											__ecx =  *(__ebp - 0x15894) & 0x0000ffff;
											__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff);
											asm("sbb esi, esi");
											__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff) & __ebp - 0x00001844;
											__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff);
											__eax = __ebp - 0x9894;
											asm("sbb edx, edx");
											__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894;
											__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff);
											__eax = __ebp - 0x15894;
											asm("sbb ecx, ecx");
											__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894;
											 *(__ebp - 0xa894) & 0x0000ffff =  ~( *(__ebp - 0xa894) & 0x0000ffff);
											asm("sbb eax, eax");
											 ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi = __ebp - 0x2844;
											__ebp - 0xb894 = E011EA48A( ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894, 0, __ebp - 0xb894, __ebp - 0x2844,  ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi, __ecx,  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894, __esi);
											__eflags =  *(__ebp - 0xc894) - __bx;
											if( *(__ebp - 0xc894) != __bx) {
												_push(0);
												__eax = __ebp - 0xc894;
												_push(__ebp - 0xc894);
												_push(5);
												_push(0x1000);
												__eax =  *0x123308c();
											}
											goto L178;
										}
										goto L173;
									}
								}
							case 0xa:
								__eflags = __ebx - 7;
								if(__ebx == 7) {
									 *0x121a470 = 1;
								}
								goto L178;
							case 0xb:
								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
								__eax = E011F79E9( *(__ebp - 0x588c) & 0x0000ffff);
								__eflags = __eax - 0x46;
								if(__eax == 0x46) {
									 *0x1218461 = 1;
								} else {
									__eflags = __eax - 0x55;
									if(__eax == 0x55) {
										 *0x1218462 = 1;
									} else {
										__eax = 0;
										 *0x1218461 = __al;
										 *0x1218462 = __al;
									}
								}
								goto L178;
							case 0xc:
								 *0x1227b7a = 1;
								__eax = __eax + 0x1227b7a;
								_t125 = __esi + 0x39;
								 *_t125 =  *(__esi + 0x39) + __esp;
								__eflags =  *_t125;
								__ebp = 0xffffa774;
								if( *_t125 != 0) {
									_t127 = __ebp - 0x588c; // 0xffff4ee8
									__eax = _t127;
									 *0x120e728 = E011E1FA7(_t127);
								}
								goto L178;
						}
						L4:
						_push(0x1000);
						_push(_t311);
						_push(_t237);
						_t237 = E011EAF98();
						_t311 = _t311 + 0x2000;
						_t308 = _t308 - 1;
						if(_t308 != 0) {
							goto L4;
						} else {
							_t312 = _t308;
							goto L6;
						}
						L178:
						_push(0x1000);
						_t221 = _t316 - 0x15; // 0xffffa75f
						_t222 = _t316 - 0xd; // 0xffffa767
						_t223 = _t316 - 0x588c; // 0xffff4ee8
						_t224 = _t316 - 0xf894; // 0xfffeaee0
						_push( *((intOrPtr*)(_t316 + 0xc)));
						_t232 = E011EB314(_t308, _t316);
						_t293 =  *((intOrPtr*)(_t316 + 0x10));
						 *((intOrPtr*)(_t316 + 0xc)) = _t232;
					} while (_t232 != 0);
				}
			}

0x011ec744
0x011ec74e
0x011ec757
0x011ed40d
0x011ed410
0x011ed418
0x011ed418
0x011ec75d
0x011ec765
0x011ec769
0x011ec770
0x011ec777
0x011ec778
0x011ec77b
0x011ec780
0x011ec782
0x011ec787
0x011ec78e
0x011ec792
0x011ec793
0x011ec795
0x011ec79b
0x011ec7a1
0x011ec7a1
0x00000000
0x011ec7bb
0x011ec7d2
0x011ec7d6
0x00000000
0x011ec7d8
0x00000000
0x011ec7d8
0x011ec7d6
0x011ec7e0
0x00000000
0x00000000
0x011ec7e6
0x00000000
0x011ec7ed
0x011ec7f0
0x011ec7f6
0x011ec803
0x011ec829
0x011ec83d
0x011ec840
0x011ec84b
0x011ec98f
0x011ec98f
0x011ec99d
0x011ec9a2
0x011ec9a4
0x00000000
0x00000000
0x011ec85d
0x011ec863
0x011ec869
0x011ec90f
0x011ec916
0x011ec91c
0x011ec91f
0x00000000
0x00000000
0x011ec928
0x011ec92e
0x011ec930
0x00000000
0x011ec932
0x011ec932
0x011ec934
0x011ec935
0x011ec939
0x011ec94d
0x011ec952
0x011ec95c
0x011ec962
0x011ec965
0x011ec937
0x011ec937
0x011ec938
0x00000000
0x011ec967
0x011ec975
0x011ec97b
0x011ec97d
0x011ec989
0x011ec989
0x00000000
0x011ec97d
0x011ec965
0x011ec930
0x011ec87e
0x011ec88b
0x011ec89c
0x011ec89f
0x011ec8a2
0x011ec8b5
0x011ec8bc
0x011ec8c1
0x011ec8c3
0x00000000
0x00000000
0x011ec8c9
0x011ec8d0
0x011ec8d5
0x011ec8da
0x011ec8e6
0x011ec8eb
0x011ec8ee
0x011ec8f5
0x011ec8f7
0x011ec8f8
0x011ec902
0x011ec908
0x011ec909
0x00000000
0x011ec909
0x011ec8ab
0x011ec8b1
0x011ec8b3
0x00000000
0x00000000
0x00000000
0x011ec8b3
0x011ec9aa
0x011ec9b4
0x011ec9b4
0x00000000
0x00000000
0x011ec9be
0x011ec9c0
0x011eca13
0x011eca18
0x011eca21
0x011eca22
0x011eca28
0x011eca2d
0x011eca30
0x011eca32
0x011eca44
0x011eca49
0x011eca4a
0x011eca4a
0x011eca4b
0x011eca4d
0x011eca54
0x011eca59
0x011eca4d
0x00000000
0x00000000
0x011eca5f
0x011eca61
0x011eca71
0x011eca71
0x00000000
0x00000000
0x011eca7c
0x011eca7e
0x00000000
0x00000000
0x011eca84
0x011eca8b
0x00000000
0x00000000
0x011eca91
0x011eca93
0x011eca99
0x011eca9b
0x011ecaa2
0x011ecaa3
0x011ecaaa
0x011ecaac
0x011ecaac
0x011ecab3
0x011ecab8
0x011ecabe
0x011ecac0
0x00000000
0x011ecac6
0x011ecac6
0x011ecac9
0x011ecacb
0x011ecacc
0x011ecacf
0x011ecaf8
0x011ecafb
0x011ecbe0
0x011ecbe9
0x011ecbee
0x011ecbee
0x011ecbf0
0x011ecbf0
0x011ecbf2
0x011ecbf4
0x011ecbfb
0x011ecc00
0x011ecc01
0x011ecc02
0x011ecc04
0x011ecc06
0x011ecc0a
0x011ecc0c
0x011ecc0c
0x011ecc0e
0x011ecc0e
0x011ecc0a
0x011ecc12
0x011ecc18
0x011ecc25
0x011ecc2c
0x011ecc3c
0x011ecc46
0x011ecc54
0x011ecc5a
0x011ecc62
0x011ecc67
0x011ecc68
0x011ecc69
0x011ecc6b
0x011ecc7f
0x011ecc7f
0x00000000
0x011ecc6b
0x011ecb01
0x011ecb01
0x011ecb04
0x011ecb11
0x011ecb11
0x011ecb14
0x011ecb16
0x011ecb17
0x011ecb19
0x011ecb1a
0x011ecb1f
0x011ecb24
0x011ecb2a
0x011ecb2c
0x011ecb2e
0x011ecb31
0x011ecb38
0x011ecb39
0x011ecb3f
0x011ecb40
0x011ecb43
0x011ecb44
0x011ecb45
0x011ecb4a
0x011ecb4d
0x011ecb53
0x011ecb5c
0x011ecb5f
0x011ecb64
0x011ecb66
0x011ecb68
0x011ecb6a
0x011ecb6a
0x011ecb6c
0x011ecb6c
0x011ecb6e
0x011ecb6e
0x011ecb76
0x011ecb7d
0x011ecb7f
0x011ecb86
0x011ecb8c
0x011ecb8e
0x011ecb8f
0x011ecb97
0x011ecba6
0x011ecba6
0x011ecb97
0x011ecbb1
0x011ecbb3
0x011ecbc2
0x011ecbc8
0x011ecbce
0x011ecbd9
0x011ecbd9
0x00000000
0x011ecbce
0x011ecb06
0x011ecb0b
0x00000000
0x00000000
0x00000000
0x011ecb0b
0x011ecad1
0x011ecad5
0x00000000
0x00000000
0x011ecad7
0x011ecada
0x011ecadc
0x011ecadf
0x00000000
0x011ecae5
0x011ecaee
0x00000000
0x011ecaee
0x011ecadf
0x00000000
0x011ecc8a
0x011ecc8b
0x011ecc90
0x011ecc92
0x011ecc95
0x011ecc95
0x00000000
0x011ecccb
0x011eccd2
0x011eccd4
0x011eccd4
0x011eccd6
0x011ecd05
0x011ecd05
0x011ecd0b
0x00000000
0x011ecd0b
0x011eccd8
0x011eccd8
0x011eccdb
0x011eccf4
0x011eccfa
0x011eccfa
0x00000000
0x011eccfa
0x011eccdd
0x011eccdd
0x011ecce0
0x00000000
0x00000000
0x011ecce2
0x011ecce2
0x011ecce5
0x00000000
0x00000000
0x011ecceb
0x00000000
0x00000000
0x011ecd58
0x011ecd5a
0x011ecd61
0x011ecd62
0x011ecd68
0x011ecd70
0x011ecd72
0x011ecd75
0x011ece25
0x011ece25
0x011ece29
0x011ece38
0x011ece3c
0x00000000
0x00000000
0x011ece42
0x011ece45
0x00000000
0x00000000
0x011ece4b
0x011ece4b
0x011ece4d
0x011ece4e
0x011ece4e
0x011ece4f
0x011ece50
0x011ece53
0x00000000
0x011ece53
0x011ece2b
0x011ece2e
0x00000000
0x00000000
0x011ece34
0x00000000
0x011ece34
0x011ecd7b
0x011ecd81
0x011ecd83
0x011ecd84
0x011ecd89
0x011ecd8a
0x011ecd8b
0x011ecd8d
0x011ece22
0x011ece22
0x00000000
0x011ece22
0x011ecd93
0x011ecd93
0x011ecd96
0x011ecd99
0x011ecd9b
0x011ecd9e
0x011ecda4
0x011ecda6
0x011ecda7
0x011ecdad
0x011ecdae
0x011ecdb3
0x011ecdb6
0x011ecdb8
0x00000000
0x00000000
0x011ecdba
0x011ecdbc
0x011ecdbc
0x011ecdc4
0x00000000
0x00000000
0x011ecdcb
0x011ecdd2
0x011ecdd7
0x011ecdde
0x011ecde0
0x011ecde2
0x011ecde9
0x011ecdee
0x011ecdf0
0x011ecdf2
0x011ecdf4
0x011ecdf4
0x011ecdfa
0x011ece01
0x011ece06
0x011ece08
0x011ece0a
0x011ece0c
0x011ece0c
0x011ece0d
0x011ece0f
0x011ece15
0x011ece16
0x011ece1c
0x011ece1e
0x011ece20
0x00000000
0x00000000
0x00000000
0x00000000
0x011ece20
0x00000000
0x00000000
0x011ece87
0x011ece8a
0x011ed009
0x011ed00c
0x011ed012
0x011ed018
0x011ed01a
0x011ed01a
0x011ed024
0x011ed024
0x00000000
0x011ed00c
0x011ece90
0x011ece96
0x011ecea4
0x011eceab
0x011eceb0
0x011eceb2
0x011eceb4
0x011eceb9
0x011eceb9
0x011eced1
0x011ecede
0x011ecee3
0x011ecee5
0x00000000
0x00000000
0x011eceb7
0x011eceb7
0x011eceb8
0x011eceb8
0x011ecef1
0x011ecef7
0x011ecefe
0x00000000
0x00000000
0x011ecf04
0x011ecf0a
0x00000000
0x00000000
0x011ecf10
0x011ecf12
0x011ecf19
0x011ecf1f
0x011ecf21
0x011ecf22
0x011ecf27
0x011ecf28
0x011ecf29
0x011ecf2b
0x011ecf7b
0x011ecf7b
0x011ecf82
0x011ecf90
0x011ecfa1
0x011ecfaf
0x011ecfaf
0x011ecfbb
0x011ecfc0
0x011ecfc2
0x011ecfd2
0x011ecfdc
0x011ecfe1
0x011ecfe4
0x011ecfef
0x011ecff1
0x011ecff8
0x011ecffe
0x011ecffe
0x00000000
0x011ecfe4
0x011ecf2d
0x011ecf34
0x011ecf36
0x011ecf39
0x00000000
0x00000000
0x011ecf3b
0x011ecf3e
0x011ecf3e
0x011ecf42
0x00000000
0x00000000
0x011ecf44
0x011ecf4c
0x011ecf4d
0x011ecf4f
0x011ecf52
0x00000000
0x00000000
0x00000000
0x011ecf54
0x011ecf61
0x011ecf6c
0x011ecf71
0x011ecf71
0x011ecf73
0x00000000
0x00000000
0x011ed030
0x011ed033
0x011ed035
0x011ed03c
0x011ed03e
0x011ed044
0x011ed045
0x011ed04a
0x011ed04b
0x011ed04b
0x011ed050
0x011ed053
0x011ed059
0x011ed059
0x011ed05e
0x00000000
0x00000000
0x011ed06a
0x011ed06d
0x00000000
0x00000000
0x011ed073
0x011ed075
0x011ed07c
0x011ed084
0x011ed08a
0x011ed08d
0x011ed0b0
0x011ed0b7
0x011ed08f
0x011ed08f
0x011ed092
0x011ed0a2
0x011ed0a9
0x011ed094
0x011ed094
0x011ed09b
0x011ed09b
0x011ed092
0x011ed0bc
0x011ed0ca
0x011ed0cf
0x011ed0d1
0x011ed0d8
0x011ed0e7
0x011ed0ee
0x011ed0f3
0x011ed0f5
0x011ed0f6
0x011ed0fd
0x011ed150
0x011ed155
0x011ed157
0x00000000
0x00000000
0x011ed15d
0x011ed164
0x011ed16a
0x011ed16c
0x011ed16f
0x011ed221
0x00000000
0x011ed221
0x011ed175
0x011ed178
0x011ed178
0x011ed17a
0x011ed17b
0x011ed17e
0x011ed188
0x011ed188
0x011ed18a
0x011ed194
0x011ed199
0x011ed19b
0x011ed1fd
0x011ed1fd
0x00000000
0x011ed1fd
0x011ed1a4
0x011ed1aa
0x011ed1af
0x011ed1b1
0x00000000
0x00000000
0x011ed1b3
0x011ed1b5
0x011ed1b6
0x011ed1b9
0x011ed1bb
0x011ed1be
0x011ed1d4
0x011ed1d6
0x011ed1d8
0x011ed1de
0x011ed1de
0x011ed1e1
0x00000000
0x00000000
0x011ed1db
0x011ed1db
0x011ed1db
0x011ed1e3
0x011ed1e9
0x011ed1eb
0x011ed1f0
0x011ed1f3
0x011ed1f8
0x00000000
0x011ed1f8
0x011ed1c0
0x011ed1c7
0x011ed1cc
0x00000000
0x011ed1cc
0x011ed180
0x011ed182
0x011ed183
0x011ed186
0x00000000
0x00000000
0x00000000
0x011ed200
0x011ed200
0x011ed203
0x011ed206
0x011ed208
0x011ed208
0x011ed211
0x011ed216
0x011ed218
0x011ed21a
0x011ed21c
0x011ed21c
0x00000000
0x011ed0ff
0x011ed107
0x011ed113
0x011ed119
0x011ed11a
0x011ed11b
0x011ed120
0x011ed121
0x011ed122
0x011ed124
0x011ed12a
0x011ed12c
0x011ed13f
0x011ed13f
0x011ed226
0x011ed226
0x011ed22e
0x011ed238
0x011ed23f
0x011ed23f
0x011ed24c
0x011ed253
0x011ed258
0x011ed260
0x011ed26c
0x011ed26c
0x011ed279
0x011ed27e
0x011ed286
0x011ed290
0x011ed29d
0x011ed2a4
0x011ed2a4
0x011ed2b1
0x011ed2b8
0x011ed2bd
0x011ed2c5
0x011ed2cb
0x011ed2cd
0x011ed2cd
0x011ed2e2
0x011ed2e7
0x011ed2f3
0x011ed2f5
0x011ed306
0x011ed313
0x00000000
0x011ed2f7
0x011ed302
0x011ed304
0x011ed318
0x011ed318
0x011ed324
0x011ed331
0x011ed33d
0x011ed344
0x011ed349
0x011ed350
0x011ed356
0x011ed35d
0x011ed363
0x011ed36a
0x011ed36c
0x011ed36e
0x011ed370
0x011ed372
0x011ed378
0x011ed37a
0x011ed37c
0x011ed37e
0x011ed384
0x011ed386
0x011ed390
0x011ed393
0x011ed399
0x011ed3a8
0x011ed3ad
0x011ed3b4
0x011ed3b6
0x011ed3b7
0x011ed3bd
0x011ed3be
0x011ed3c0
0x011ed3c5
0x011ed3c5
0x00000000
0x011ed3b4
0x00000000
0x011ed304
0x011ed2f5
0x00000000
0x011ed3cd
0x011ed3d0
0x011ed3d2
0x011ed3d2
0x00000000
0x00000000
0x011ecd17
0x011ecd1f
0x011ecd25
0x011ecd28
0x011ecd4c
0x011ecd2a
0x011ecd2a
0x011ecd2d
0x011ecd40
0x011ecd2f
0x011ecd2f
0x011ecd31
0x011ecd36
0x011ecd36
0x011ecd2d
0x00000000
0x00000000
0x011ece5d
0x011ece5e
0x011ece63
0x011ece63
0x011ece63
0x011ece66
0x011ece6b
0x011ece71
0x011ece71
0x011ece7d
0x011ece7d
0x00000000
0x00000000
0x011ec7a2
0x011ec7a2
0x011ec7a7
0x011ec7a8
0x011ec7a9
0x011ec7ae
0x011ec7b4
0x011ec7b7
0x00000000
0x011ec7b9
0x011ec7b9
0x00000000
0x011ec7b9
0x011ed3d9
0x011ed3d9
0x011ed3de
0x011ed3e2
0x011ed3e6
0x011ed3ed
0x011ed3f4
0x011ed3f7
0x011ed3fc
0x011ed3ff
0x011ed402
0x011ed40c

APIs

__EH_prolog.LIBCMT ref: 011EC744

Part of subcall function 011EB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 011EB3FB

_wcslen.LIBCMT ref: 011ECA0A
_wcslen.LIBCMT ref: 011ECA13
SetWindowTextW.USER32(?,?), ref: 011ECA71
_wcslen.LIBCMT ref: 011ECAB3
_wcsrchr.LIBVCRUNTIME ref: 011ECBFB
GetDlgItem.USER32(?,00000066), ref: 011ECC36
SetWindowTextW.USER32(00000000,?), ref: 011ECC46
SendMessageW.USER32(00000000,00000143,00000000,0121A472), ref: 011ECC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 011ECC7F

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 011ECB1A
ProgramFilesDir, xrefs: 011ECB45
<br>, xrefs: 011EC9D4
%s.%d.tmp, xrefs: 011EC940

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: a113cc201c6505dedacdd5332f2c44fad7613b19620b585909d564e0db47d359
Instruction ID: 2836fa45917061e4acbbcd88191913691242d2dd9e1939ae0521dc2312832efb
Opcode Fuzzy Hash: a113cc201c6505dedacdd5332f2c44fad7613b19620b585909d564e0db47d359
Instruction Fuzzy Hash: 01E166B2900619AADF29DBE4ED88EEE77FCAF14354F4441A5F645E3040EB749A84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 011DE2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E011DE2E8(struct HWND__* __ecx, void* __edx, void* __eflags, intOrPtr _a8) {
				char _v0;
				struct HWND__* _v8;
				short _v2048;
				char _v2208;
				char _v2288;
				signed int _v2292;
				char _v2300;
				intOrPtr _v2304;
				struct tagRECT _v2320;
				intOrPtr _v2324;
				intOrPtr _v2336;
				struct tagRECT _v2352;
				struct tagRECT _v2368;
				signed int _v2376;
				char _v2377;
				intOrPtr _v2384;
				intOrPtr _v2393;
				void* __ebx;
				void* __esi;
				signed int _t95;
				struct HWND__* _t106;
				signed int _t119;
				signed int _t134;
				signed int _t145;
				void* _t150;
				void* _t155;
				char _t156;
				void* _t157;
				signed int _t158;
				intOrPtr _t160;
				void* _t163;
				void* _t169;
				long _t170;
				signed int _t174;
				void* _t178;
				signed int _t179;
				signed int _t186;
				struct HWND__* _t187;
				struct HWND__* _t188;
				void* _t189;
				void* _t192;
				signed int _t193;
				long _t194;
				void* _t201;
				int* _t202;
				struct HWND__* _t203;
				void* _t205;
				void* _t206;
				void* _t208;
				void* _t210;
				void* _t214;
				signed int _t221;

				_t178 = __edx;
				_t203 = __ecx;
				_v2368.bottom = __ecx;
				E011D4092( &_v2208, 0x50, L"$%s:", _a8);
				_t208 =  &_v2368 + 0x10;
				E011E1DA7( &_v2208,  &_v2288, 0x50);
				_t95 = E011F3E90( &_v2300);
				_t187 = _v8;
				_t155 = 0;
				_v2376 = _t95;
				_t210 =  *0x120e720 - _t155; // 0x64
				if(_t210 <= 0) {
					L8:
					_t156 = E011DD81C(_t155, _t203, _t178, _t189, _t214, _a8,  &(_v2368.right),  &(_v2368.top));
					_v2377 = _t156;
					GetWindowRect(_t187,  &_v2352);
					GetClientRect(_t187,  &(_v2320.top));
					_t169 = _v2352.right - _v2352.left + 1;
					_t179 = _v2320.bottom;
					_t192 = _v2352.bottom - _v2352.top + 1;
					_v2368.right = 0x64;
					_t205 = _t192 - _v2304;
					_v2368.bottom = _t169 - _t179;
					if(_v0 == 0) {
						if(_t156 != 0) {
							_t158 = 0x64;
							asm("cdq");
							_t134 = _v2292 * _v2368.top;
							_t160 = _t179 * _v2368.right / _t158 + _v2352.right;
							_v2324 = _t160;
							asm("cdq");
							_t186 = _t134 % _v2352.top;
							_v2352.left = _t134 / _v2352.top + _t205;
							asm("cdq");
							asm("cdq");
							_t201 = (_t192 - _v2352.left - _t186 >> 1) + _v2336;
							_t163 = (_t169 - _t160 - _t186 >> 1) + _v2352.bottom;
							if(_t163 < 0) {
								_t163 = 0;
							}
							if(_t201 < 0) {
								_t201 = 0;
							}
							_t145 =  !(GetWindowLongW(_t187, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204;
							_t221 = _t145;
							 *0x1233150(_t187, 0, _t163, _t201, _v2324, _v2352.left, _t145);
							GetWindowRect(_t187,  &_v2368);
							_t156 = _v2393;
						}
						if(E011DD89C(_t156, _v2368.bottom, _t221, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
							SetWindowTextW(_t187,  &_v2048);
						}
					}
					_t206 = _t205 - GetSystemMetrics(8);
					_t106 = GetWindow(_t187, 5);
					_t188 = _t106;
					_v2368.bottom = _t188;
					if(_t156 == 0) {
						L23:
						return _t106;
					} else {
						_t157 = 0;
						while(_t188 != 0) {
							__eflags = _t157 - 0x200;
							if(_t157 >= 0x200) {
								goto L23;
							}
							GetWindowRect(_t188,  &_v2320);
							_t170 = _v2320.top.left;
							_t193 = 0x64;
							asm("cdq");
							_t194 = _v2320.left;
							asm("cdq");
							_t119 = (_t170 - _t206 - _v2336) * _v2368.top;
							asm("cdq");
							_t174 = 0x64;
							asm("cdq");
							asm("cdq");
							 *0x1233150(_t188, 0, (_t194 - (_v2352.right - _t119 % _t174 >> 1) - _v2352.bottom) * _v2368.right / _t174, _t119 / _t174, (_v2320.right - _t194 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t170 + 1) * _v2368.top / _t193, 0x204);
							_t106 = GetWindow(_t188, 2);
							_t188 = _t106;
							__eflags = _t188 - _v2384;
							if(_t188 == _v2384) {
								goto L23;
							}
							_t157 = _t157 + 1;
							__eflags = _t157;
						}
						goto L23;
					}
				} else {
					_t202 = 0x120e274;
					do {
						if( *_t202 > 0) {
							_t9 =  &(_t202[1]); // 0x1204788
							_t150 = E011F6740( &_v2288,  *_t9, _t95);
							_t208 = _t208 + 0xc;
							if(_t150 == 0) {
								_t12 =  &(_t202[1]); // 0x1204788
								if(E011DD9F0(_t155, _t203, _t202,  *_t12,  &_v2048, 0x400) != 0) {
									SetDlgItemTextW(_t187,  *_t202,  &_v2048);
								}
							}
							_t95 = _v2368.top;
						}
						_t155 = _t155 + 1;
						_t202 =  &(_t202[3]);
						_t214 = _t155 -  *0x120e720; // 0x64
					} while (_t214 < 0);
					goto L8;
				}
			}

0x011de2e8
0x011de300
0x011de30a
0x011de30e
0x011de313
0x011de325
0x011de32f
0x011de334
0x011de33b
0x011de33e
0x011de342
0x011de348
0x011de3a5
0x011de3bd
0x011de3c5
0x011de3c9
0x011de3d5
0x011de3e7
0x011de3ee
0x011de3f2
0x011de3f5
0x011de3fd
0x011de40b
0x011de40f
0x011de417
0x011de424
0x011de427
0x011de430
0x011de435
0x011de43b
0x011de43f
0x011de440
0x011de446
0x011de450
0x011de457
0x011de460
0x011de464
0x011de468
0x011de46a
0x011de46a
0x011de46e
0x011de470
0x011de470
0x011de483
0x011de483
0x011de496
0x011de4a2
0x011de4a8
0x011de4a8
0x011de4d0
0x011de4db
0x011de4db
0x011de4d0
0x011de4ec
0x011de4ee
0x011de4f4
0x011de4f6
0x011de4fc
0x011de5ae
0x011de5ae
0x011de502
0x011de502
0x011de59c
0x011de509
0x011de50f
0x00000000
0x00000000
0x011de51b
0x011de525
0x011de53a
0x011de53f
0x011de542
0x011de558
0x011de560
0x011de562
0x011de563
0x011de56b
0x011de57d
0x011de584
0x011de58d
0x011de593
0x011de595
0x011de599
0x00000000
0x00000000
0x011de59b
0x011de59b
0x011de59b
0x00000000
0x011de59c
0x011de34a
0x011de34a
0x011de34f
0x011de352
0x011de355
0x011de35d
0x011de362
0x011de367
0x011de378
0x011de382
0x011de38f
0x011de38f
0x011de382
0x011de395
0x011de395
0x011de399
0x011de39a
0x011de39d
0x011de39d
0x00000000
0x011de34f

APIs

_swprintf.LIBCMT ref: 011DE30E

Part of subcall function 011D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 011D40A5

Part of subcall function 011E1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,01211030,00000200,011DD928,00000000,?,00000050,01211030), ref: 011E1DC4

_strlen.LIBCMT ref: 011DE32F
SetDlgItemTextW.USER32(?,0120E274,?), ref: 011DE38F
GetWindowRect.USER32(?,?), ref: 011DE3C9
GetClientRect.USER32(?,?), ref: 011DE3D5
GetWindowLongW.USER32(?,000000F0), ref: 011DE475
GetWindowRect.USER32(?,?), ref: 011DE4A2
SetWindowTextW.USER32(?,?), ref: 011DE4DB
GetSystemMetrics.USER32(00000008), ref: 011DE4E3
GetWindow.USER32(?,00000005), ref: 011DE4EE
GetWindowRect.USER32(00000000,?), ref: 011DE51B
GetWindow.USER32(00000000,00000002), ref: 011DE58D

Strings

CAPTION, xrefs: 011DE4BD
d, xrefs: 011DE3F5
$%s:, xrefs: 011DE302

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: d5b9987c7eea9e78c4dcd523e7687ec30167ddd1fd5ba51816c6fd082455d6cd
Instruction ID: 8115d2304587f4d33eff49d8f908263a6b2b1d7ca6dd2c8053b54f49659380c1
Opcode Fuzzy Hash: d5b9987c7eea9e78c4dcd523e7687ec30167ddd1fd5ba51816c6fd082455d6cd
Instruction Fuzzy Hash: 8281AF72208301AFD725DFA8DD88A6BBBF9FB88714F04091DFA84D7280D734E9058B52

Uniqueness

Uniqueness Score: -1.00%

Function 011FCB22 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E011FCB22(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t2 = _t74 + 0x88; // 0x720043
				_t25 =  *_t2;
				if(_t25 != 0 && _t25 != 0x120eea0) {
					_t3 = _t74 + 0x7c; // 0x654d7463
					_t45 =  *_t3;
					if(_t45 != 0 &&  *_t45 == 0) {
						_t4 = _t74 + 0x84; // 0x0
						_t46 =  *_t4;
						if(_t46 != 0 &&  *_t46 == 0) {
							E011F8DCC(_t46);
							_t5 = _t74 + 0x88; // 0x720043
							E011FC701( *_t5);
						}
						_t6 = _t74 + 0x80; // 0x79726f6d
						_t47 =  *_t6;
						if(_t47 != 0 &&  *_t47 == 0) {
							E011F8DCC(_t47);
							_t7 = _t74 + 0x88; // 0x720043
							E011FC7FF( *_t7);
						}
						_t8 = _t74 + 0x7c; // 0x654d7463
						E011F8DCC( *_t8);
						_t9 = _t74 + 0x88; // 0x720043
						E011F8DCC( *_t9);
					}
				}
				_t10 = _t74 + 0x8c; // 0x700079
				_t26 =  *_t10;
				if(_t26 != 0 &&  *_t26 == 0) {
					_t11 = _t74 + 0x90; // 0x500074
					E011F8DCC( *_t11 - 0xfe);
					_t12 = _t74 + 0x94; // 0x6f0072
					E011F8DCC( *_t12 - 0x80);
					_t13 = _t74 + 0x98; // 0x650074
					E011F8DCC( *_t13 - 0x80);
					_t14 = _t74 + 0x8c; // 0x700079
					E011F8DCC( *_t14);
				}
				_t15 = _t74 + 0x9c; // 0x740063
				E011FCC95( *_t15);
				_t28 = 6;
				_t16 = _t74 + 0xa0; // 0x1203ad4
				_t55 = _t16;
				_v8 = _t28;
				_t18 = _t74 + 0x28; // 0x1203a5c
				_t70 = _t18;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x120e968) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E011F8DCC(_t31);
							E011F8DCC( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t22 = _t70 - 4; // 0x0
						_t29 =  *_t22;
						if(_t29 != 0 &&  *_t29 == 0) {
							E011F8DCC(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E011F8DCC(_t74);
			}

0x011fcb2a
0x011fcb2e
0x011fcb2e
0x011fcb36
0x011fcb3f
0x011fcb3f
0x011fcb44
0x011fcb4b
0x011fcb4b
0x011fcb53
0x011fcb5b
0x011fcb60
0x011fcb66
0x011fcb6c
0x011fcb6d
0x011fcb6d
0x011fcb75
0x011fcb7d
0x011fcb82
0x011fcb88
0x011fcb8e
0x011fcb8f
0x011fcb92
0x011fcb97
0x011fcb9d
0x011fcba3
0x011fcb44
0x011fcba4
0x011fcba4
0x011fcbac
0x011fcbb3
0x011fcbbf
0x011fcbc4
0x011fcbd2
0x011fcbd7
0x011fcbe0
0x011fcbe5
0x011fcbeb
0x011fcbf0
0x011fcbf3
0x011fcbf9
0x011fcc01
0x011fcc02
0x011fcc02
0x011fcc08
0x011fcc0b
0x011fcc0b
0x011fcc0e
0x011fcc15
0x011fcc17
0x011fcc1b
0x011fcc23
0x011fcc2a
0x011fcc30
0x011fcc31
0x011fcc31
0x011fcc38
0x011fcc3a
0x011fcc3a
0x011fcc3f
0x011fcc47
0x011fcc4c
0x011fcc4d
0x011fcc4d
0x011fcc50
0x011fcc53
0x011fcc56
0x011fcc59
0x011fcc59
0x011fcc6b

APIs

___free_lconv_mon.LIBCMT ref: 011FCB66

Part of subcall function 011FC701: _free.LIBCMT ref: 011FC71E
Part of subcall function 011FC701: _free.LIBCMT ref: 011FC730
Part of subcall function 011FC701: _free.LIBCMT ref: 011FC742
Part of subcall function 011FC701: _free.LIBCMT ref: 011FC754
Part of subcall function 011FC701: _free.LIBCMT ref: 011FC766
Part of subcall function 011FC701: _free.LIBCMT ref: 011FC778
Part of subcall function 011FC701: _free.LIBCMT ref: 011FC78A
Part of subcall function 011FC701: _free.LIBCMT ref: 011FC79C
Part of subcall function 011FC701: _free.LIBCMT ref: 011FC7AE
Part of subcall function 011FC701: _free.LIBCMT ref: 011FC7C0
Part of subcall function 011FC701: _free.LIBCMT ref: 011FC7D2
Part of subcall function 011FC701: _free.LIBCMT ref: 011FC7E4
Part of subcall function 011FC701: _free.LIBCMT ref: 011FC7F6

_free.LIBCMT ref: 011FCB5B

Part of subcall function 011F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,011FC896,01203A34,00000000,01203A34,00000000,?,011FC8BD,01203A34,00000007,01203A34,?,011FCCBA,01203A34), ref: 011F8DE2
Part of subcall function 011F8DCC: GetLastError.KERNEL32(01203A34,?,011FC896,01203A34,00000000,01203A34,00000000,?,011FC8BD,01203A34,00000007,01203A34,?,011FCCBA,01203A34,01203A34), ref: 011F8DF4

_free.LIBCMT ref: 011FCB7D
_free.LIBCMT ref: 011FCB92
_free.LIBCMT ref: 011FCB9D
_free.LIBCMT ref: 011FCBBF
_free.LIBCMT ref: 011FCBD2
_free.LIBCMT ref: 011FCBE0
_free.LIBCMT ref: 011FCBEB
_free.LIBCMT ref: 011FCC23
_free.LIBCMT ref: 011FCC2A
_free.LIBCMT ref: 011FCC47
_free.LIBCMT ref: 011FCC5F

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 33c7400812ae13913bb176fecc2520301a7516c81d8542f497301d60391ed52f
Instruction ID: fc73cd6558ac53b23203b0e75c4e24f70c4de595f3e1fafb6ad0147fb788bcab
Opcode Fuzzy Hash: 33c7400812ae13913bb176fecc2520301a7516c81d8542f497301d60391ed52f
Instruction Fuzzy Hash: A8316D3160070E9FEB29AA3CD844F5ABBE9EF51294F14482DE758D7191DF31E880EB90

Uniqueness

Uniqueness Score: -1.00%

Function 011F96F1 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011F96F1(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x1206430) {
					E011F8DCC(_t52);
					_t26 = _a4;
				}
				E011F8DCC( *((intOrPtr*)(_t26 + 0x3c)));
				E011F8DCC( *((intOrPtr*)(_a4 + 0x30)));
				E011F8DCC( *((intOrPtr*)(_a4 + 0x34)));
				E011F8DCC( *((intOrPtr*)(_a4 + 0x38)));
				E011F8DCC( *((intOrPtr*)(_a4 + 0x28)));
				E011F8DCC( *((intOrPtr*)(_a4 + 0x2c)));
				E011F8DCC( *((intOrPtr*)(_a4 + 0x40)));
				E011F8DCC( *((intOrPtr*)(_a4 + 0x44)));
				E011F8DCC( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E011F95A9(5,  &_v8);
				_v8 =  &_a4;
				return E011F95F9(4,  &_v8);
			}

0x011f96f7
0x011f96fa
0x011f9702
0x011f9705
0x011f970a
0x011f970d
0x011f9711
0x011f971c
0x011f9727
0x011f9732
0x011f973d
0x011f9748
0x011f9753
0x011f975e
0x011f976c
0x011f9774
0x011f977d
0x011f9785
0x011f9799

APIs

_free.LIBCMT ref: 011F9705

Part of subcall function 011F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,011FC896,01203A34,00000000,01203A34,00000000,?,011FC8BD,01203A34,00000007,01203A34,?,011FCCBA,01203A34), ref: 011F8DE2
Part of subcall function 011F8DCC: GetLastError.KERNEL32(01203A34,?,011FC896,01203A34,00000000,01203A34,00000000,?,011FC8BD,01203A34,00000007,01203A34,?,011FCCBA,01203A34,01203A34), ref: 011F8DF4

_free.LIBCMT ref: 011F9711
_free.LIBCMT ref: 011F971C
_free.LIBCMT ref: 011F9727
_free.LIBCMT ref: 011F9732
_free.LIBCMT ref: 011F973D
_free.LIBCMT ref: 011F9748
_free.LIBCMT ref: 011F9753
_free.LIBCMT ref: 011F975E
_free.LIBCMT ref: 011F976C

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: be8d037bfb961d3985b71da949b0a2351d7fc350be7b7663a15227f2b1542a30
Instruction ID: 19b3439cb13c6cd083de89d8da5f50ec2335820bba4378f947ef56854328fede
Opcode Fuzzy Hash: be8d037bfb961d3985b71da949b0a2351d7fc350be7b7663a15227f2b1542a30
Instruction Fuzzy Hash: 6B11C87611050ABFCB09EF54C880DDD3BB5EF25298B5155A9FB088F271DB32DE509B84

Uniqueness

Uniqueness Score: -1.00%

Function 011F2E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E011F2E31(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t201;
				signed int _t202;
				char _t203;
				signed int _t205;
				signed int _t207;
				signed char* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t214;
				void* _t217;
				signed char* _t220;
				void* _t222;
				void* _t224;
				signed char _t228;
				signed int _t229;
				void* _t231;
				void* _t234;
				void* _t237;
				signed int _t247;
				void* _t250;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr _t253;
				signed int _t254;
				void* _t259;
				void* _t261;
				void* _t264;
				void* _t265;
				signed int _t269;
				signed char* _t270;
				intOrPtr* _t271;
				signed char _t272;
				signed int _t273;
				signed int _t274;
				intOrPtr* _t276;
				signed int _t277;
				signed int _t278;
				signed int _t283;
				signed int _t290;
				signed int _t291;
				signed int _t294;
				signed int _t296;
				signed char* _t297;
				signed int _t298;
				signed char _t299;
				signed int* _t301;
				signed char* _t304;
				signed int _t314;
				signed int _t315;
				signed int _t317;
				signed int _t327;
				void* _t329;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;

				_t296 = __edx;
				_push(_t315);
				_t301 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t275 = E011F3DAA(_a8, _a16, _t301);
				_t332 = _t331 + 0xc;
				_v12 = _t275;
				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
					L67:
					_t201 = E011F8D24(_t270, _t296, _t301, _t315);
					asm("int3");
					_t329 = _t332;
					_t333 = _t332 - 0x38;
					_push(_t270);
					_t271 = _v112;
					__eflags =  *_t271 - 0x80000003;
					if(__eflags == 0) {
						return _t201;
					} else {
						_push(_t315);
						_push(_t301);
						_t202 = E011F2AEC(_t271, _t275, _t296, _t301, _t315, __eflags);
						__eflags =  *(_t202 + 8);
						if(__eflags != 0) {
							__imp__EncodePointer(0);
							_t315 = _t202;
							_t222 = E011F2AEC(_t271, _t275, _t296, 0, _t315, __eflags);
							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
								__eflags =  *_t271 - 0xe0434f4d;
								if( *_t271 != 0xe0434f4d) {
									__eflags =  *_t271 - 0xe0434352;
									if( *_t271 != 0xe0434352) {
										_t214 = E011F0961(_t296, 0, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
										_t333 = _t333 + 0x1c;
										__eflags = _t214;
										if(_t214 != 0) {
											L84:
											return _t214;
										}
									}
								}
							}
						}
						_t203 = _a16;
						_v28 = _t203;
						_v24 = 0;
						__eflags =  *(_t203 + 0xc);
						if( *(_t203 + 0xc) > 0) {
							_push(_a24);
							E011F0894(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
							_t298 = _v40;
							_t334 = _t333 + 0x18;
							_t214 = _v44;
							_v20 = _t214;
							_v12 = _t298;
							__eflags = _t298 - _v32;
							if(_t298 >= _v32) {
								goto L84;
							}
							_t277 = _t298 * 0x14;
							__eflags = _t277;
							_v16 = _t277;
							do {
								_t278 = 5;
								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
								_t334 = _t334 + 0xc;
								__eflags = _v64 - _t217;
								if(_v64 > _t217) {
									goto L83;
								}
								__eflags = _t217 - _v60;
								if(_t217 > _v60) {
									goto L83;
								}
								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t283 = _t220[4];
								__eflags = _t283;
								if(_t283 == 0) {
									L81:
									__eflags =  *_t220 & 0x00000040;
									if(( *_t220 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E011F2DB1(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
										_t298 = _v12;
										_t334 = _t334 + 0x30;
									}
									goto L83;
								}
								__eflags =  *((char*)(_t283 + 8));
								if( *((char*)(_t283 + 8)) != 0) {
									goto L83;
								}
								goto L81;
								L83:
								_t298 = _t298 + 1;
								_t214 = _v20;
								_t277 = _v16 + 0x14;
								_v12 = _t298;
								_v16 = _t277;
								__eflags = _t298 - _v32;
							} while (_t298 < _v32);
							goto L84;
						}
						E011F8D24(_t271, _t296, 0, _t315);
						asm("int3");
						_push(_t329);
						_t297 = _v184;
						_push(_t271);
						_push(_t315);
						_push(0);
						_t205 = _t297[4];
						__eflags = _t205;
						if(_t205 == 0) {
							L109:
							_t207 = 1;
							__eflags = 1;
						} else {
							_t276 = _t205 + 8;
							__eflags =  *_t276;
							if( *_t276 == 0) {
								goto L109;
							} else {
								__eflags =  *_t297 & 0x00000080;
								_t304 = _v0;
								if(( *_t297 & 0x00000080) == 0) {
									L91:
									_t272 = _t304[4];
									_t317 = 0;
									__eflags = _t205 - _t272;
									if(_t205 == _t272) {
										L101:
										__eflags =  *_t304 & 0x00000002;
										if(( *_t304 & 0x00000002) == 0) {
											L103:
											_t208 = _a4;
											__eflags =  *_t208 & 0x00000001;
											if(( *_t208 & 0x00000001) == 0) {
												L105:
												__eflags =  *_t208 & 0x00000002;
												if(( *_t208 & 0x00000002) == 0) {
													L107:
													_t317 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t297 & 0x00000002;
													if(( *_t297 & 0x00000002) != 0) {
														goto L107;
													}
												}
											} else {
												__eflags =  *_t297 & 0x00000001;
												if(( *_t297 & 0x00000001) != 0) {
													goto L105;
												}
											}
										} else {
											__eflags =  *_t297 & 0x00000008;
											if(( *_t297 & 0x00000008) != 0) {
												goto L103;
											}
										}
										_t207 = _t317;
									} else {
										_t184 = _t272 + 8; // 0x6e
										_t209 = _t184;
										while(1) {
											_t273 =  *_t276;
											__eflags = _t273 -  *_t209;
											if(_t273 !=  *_t209) {
												break;
											}
											__eflags = _t273;
											if(_t273 == 0) {
												L97:
												_t210 = _t317;
											} else {
												_t274 =  *((intOrPtr*)(_t276 + 1));
												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
													break;
												} else {
													_t276 = _t276 + 2;
													_t209 = _t209 + 2;
													__eflags = _t274;
													if(_t274 != 0) {
														continue;
													} else {
														goto L97;
													}
												}
											}
											L99:
											__eflags = _t210;
											if(_t210 == 0) {
												goto L101;
											} else {
												_t207 = 0;
											}
											goto L110;
										}
										asm("sbb eax, eax");
										_t210 = _t209 | 0x00000001;
										__eflags = _t210;
										goto L99;
									}
								} else {
									__eflags =  *_t304 & 0x00000010;
									if(( *_t304 & 0x00000010) != 0) {
										goto L109;
									} else {
										goto L91;
									}
								}
							}
						}
						L110:
						return _t207;
					}
				} else {
					_t270 = _a4;
					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
						L22:
						_t296 = _a12;
						_v8 = _t296;
						goto L24;
					} else {
						_t315 = 0;
						_t342 = _t270[0x1c];
						if(_t270[0x1c] != 0) {
							goto L22;
						} else {
							_t224 = E011F2AEC(_t270, _t275, _t296, _t301, 0, _t342);
							_t343 =  *((intOrPtr*)(_t224 + 0x10));
							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
								L61:
								return _t224;
							} else {
								_t270 =  *(E011F2AEC(_t270, _t275, _t296, _t301, 0, _t343) + 0x10);
								_t259 = E011F2AEC(_t270, _t275, _t296, _t301, 0, _t343);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t259 + 0x14));
								if(_t270 == 0) {
									goto L67;
								} else {
									if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
										L16:
										_t261 = E011F2AEC(_t270, _t275, _t296, _t301, _t315, _t350);
										_t351 =  *((intOrPtr*)(_t261 + 0x1c)) - _t315;
										if( *((intOrPtr*)(_t261 + 0x1c)) == _t315) {
											L23:
											_t296 = _v8;
											_t275 = _v12;
											L24:
											_v52 = _t301;
											_v48 = 0;
											__eflags =  *_t270 - 0xe06d7363;
											if( *_t270 != 0xe06d7363) {
												L57:
												__eflags = _t301[3];
												if(__eflags <= 0) {
													goto L60;
												} else {
													__eflags = _a24;
													if(__eflags != 0) {
														goto L67;
													} else {
														_push(_a32);
														_push(_a28);
														_push(_t275);
														_push(_t301);
														_push(_a16);
														_push(_t296);
														_push(_a8);
														_push(_t270);
														L68();
														_t332 = _t332 + 0x20;
														goto L60;
													}
												}
											} else {
												__eflags = _t270[0x10] - 3;
												if(_t270[0x10] != 3) {
													goto L57;
												} else {
													__eflags = _t270[0x14] - 0x19930520;
													if(_t270[0x14] == 0x19930520) {
														L29:
														_t315 = _a32;
														__eflags = _t301[3];
														if(_t301[3] > 0) {
															_push(_a28);
															E011F0894(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
															_t296 = _v64;
															_t332 = _t332 + 0x18;
															_t247 = _v68;
															_v44 = _t247;
															_v16 = _t296;
															__eflags = _t296 - _v56;
															if(_t296 < _v56) {
																_t290 = _t296 * 0x14;
																__eflags = _t290;
																_v32 = _t290;
																do {
																	_t291 = 5;
																	_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
																	_t332 = _t332 + 0xc;
																	__eflags = _v104 - _t250;
																	if(_v104 <= _t250) {
																		__eflags = _t250 - _v100;
																		if(_t250 <= _v100) {
																			_t294 = 0;
																			_v20 = 0;
																			__eflags = _v92;
																			if(_v92 != 0) {
																				_t299 = _t270[0x1c];
																				_t251 =  *((intOrPtr*)(_t299 + 0xc));
																				_t252 = _t251 + 4;
																				__eflags = _t252;
																				_v36 = _t252;
																				_t253 = _v88;
																				_v40 =  *_t251;
																				_v24 = _t253;
																				do {
																					asm("movsd");
																					asm("movsd");
																					asm("movsd");
																					asm("movsd");
																					_t327 = _v40;
																					_t314 = _v36;
																					__eflags = _t327;
																					if(_t327 <= 0) {
																						goto L40;
																					} else {
																						while(1) {
																							_push(_t299);
																							_push( *_t314);
																							_t254 =  &_v84;
																							_push(_t254);
																							L87();
																							_t332 = _t332 + 0xc;
																							__eflags = _t254;
																							if(_t254 != 0) {
																								break;
																							}
																							_t299 = _t270[0x1c];
																							_t327 = _t327 - 1;
																							_t314 = _t314 + 4;
																							__eflags = _t327;
																							if(_t327 > 0) {
																								continue;
																							} else {
																								_t294 = _v20;
																								_t253 = _v24;
																								goto L40;
																							}
																							goto L43;
																						}
																						_push(_a24);
																						_push(_v28);
																						E011F2DB1(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
																						_t332 = _t332 + 0x30;
																					}
																					L43:
																					_t296 = _v16;
																					goto L44;
																					L40:
																					_t294 = _t294 + 1;
																					_t253 = _t253 + 0x10;
																					_v20 = _t294;
																					_v24 = _t253;
																					__eflags = _t294 - _v92;
																				} while (_t294 != _v92);
																				goto L43;
																			}
																		}
																	}
																	L44:
																	_t296 = _t296 + 1;
																	_t247 = _v44;
																	_t290 = _v32 + 0x14;
																	_v16 = _t296;
																	_v32 = _t290;
																	__eflags = _t296 - _v56;
																} while (_t296 < _v56);
																_t301 = _a20;
																_t315 = _a32;
															}
														}
														__eflags = _a24;
														if(__eflags != 0) {
															_push(1);
															E011F0150(_t270, _t301, _t315, __eflags);
															_t275 = _t270;
														}
														__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
														if(__eflags < 0) {
															L60:
															_t224 = E011F2AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
															__eflags =  *(_t224 + 0x1c);
															if( *(_t224 + 0x1c) != 0) {
																goto L67;
															} else {
																goto L61;
															}
														} else {
															_t228 = _t301[8] >> 2;
															__eflags = _t301[7];
															if(_t301[7] != 0) {
																__eflags = _t228 & 0x00000001;
																if(__eflags == 0) {
																	_push(_t301[7]);
																	_t229 = E011F384A(_t270, _t301, _t315, _t270);
																	_pop(_t275);
																	__eflags = _t229;
																	if(__eflags == 0) {
																		goto L64;
																	} else {
																		goto L60;
																	}
																} else {
																	goto L54;
																}
															} else {
																__eflags = _t228 & 0x00000001;
																if(__eflags == 0) {
																	goto L60;
																} else {
																	__eflags = _a28;
																	if(__eflags != 0) {
																		goto L60;
																	} else {
																		L54:
																		 *(E011F2AEC(_t270, _t275, _t296, _t301, _t315, __eflags) + 0x10) = _t270;
																		_t237 = E011F2AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
																		_t286 = _v8;
																		 *((intOrPtr*)(_t237 + 0x14)) = _v8;
																		goto L62;
																	}
																}
															}
														}
													} else {
														__eflags = _t270[0x14] - 0x19930521;
														if(_t270[0x14] == 0x19930521) {
															goto L29;
														} else {
															__eflags = _t270[0x14] - 0x19930522;
															if(_t270[0x14] != 0x19930522) {
																goto L57;
															} else {
																goto L29;
															}
														}
													}
												}
											}
										} else {
											_v16 =  *((intOrPtr*)(E011F2AEC(_t270, _t275, _t296, _t301, _t315, _t351) + 0x1c));
											_t264 = E011F2AEC(_t270, _t275, _t296, _t301, _t315, _t351);
											_push(_v16);
											 *(_t264 + 0x1c) = _t315;
											_t265 = E011F384A(_t270, _t301, _t315, _t270);
											_pop(_t286);
											if(_t265 != 0) {
												goto L23;
											} else {
												_t301 = _v16;
												_t353 =  *_t301 - _t315;
												if( *_t301 <= _t315) {
													L62:
													E011F7AF4(_t270, _t286, _t296, _t301, _t315, __eflags);
												} else {
													while(1) {
														_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
														if(E011F34D3( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0x120efb4) != 0) {
															goto L63;
														}
														_t315 = _t315 + 0x10;
														_t269 = _v20 + 1;
														_v20 = _t269;
														_t353 = _t269 -  *_t301;
														if(_t269 >=  *_t301) {
															goto L62;
														} else {
															continue;
														}
														goto L63;
													}
												}
												L63:
												_push(1);
												_push(_t270);
												E011F0150(_t270, _t301, _t315, __eflags);
												_t275 =  &_v64;
												E011F34BB( &_v64);
												E011F238D( &_v64, 0x120c284);
												L64:
												 *(E011F2AEC(_t270, _t275, _t296, _t301, _t315, __eflags) + 0x10) = _t270;
												_t231 = E011F2AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
												_t275 = _v8;
												 *(_t231 + 0x14) = _v8;
												__eflags = _t315;
												if(_t315 == 0) {
													_t315 = _a8;
												}
												E011F0A87(_t275, _t315, _t270);
												E011F374A(_a8, _a16, _t301);
												_t234 = E011F3907(_t301);
												_t332 = _t332 + 0x10;
												_push(_t234);
												E011F36C1(_t270, _t275, _t296, _t301, _t315, __eflags);
												goto L67;
											}
										}
									} else {
										_t350 = _t270[0x1c] - _t315;
										if(_t270[0x1c] == _t315) {
											goto L67;
										} else {
											goto L16;
										}
									}
								}
							}
						}
					}
				}
			}

0x011f2e31
0x011f2e38
0x011f2e3a
0x011f2e43
0x011f2e49
0x011f2e51
0x011f2e53
0x011f2e56
0x011f2e5c
0x011f31d0
0x011f31d0
0x011f31d5
0x011f31d7
0x011f31d9
0x011f31dc
0x011f31dd
0x011f31e0
0x011f31e6
0x011f3305
0x011f31ec
0x011f31ec
0x011f31ed
0x011f31ee
0x011f31f5
0x011f31f8
0x011f31fb
0x011f3201
0x011f3203
0x011f3208
0x011f320b
0x011f320d
0x011f3213
0x011f3215
0x011f321b
0x011f3230
0x011f3235
0x011f3238
0x011f323a
0x011f3301
0x00000000
0x011f3302
0x011f323a
0x011f321b
0x011f3213
0x011f320b
0x011f3240
0x011f3243
0x011f3246
0x011f3249
0x011f324c
0x011f3252
0x011f3264
0x011f3269
0x011f326c
0x011f326f
0x011f3272
0x011f3275
0x011f3278
0x011f327b
0x00000000
0x00000000
0x011f3281
0x011f3281
0x011f3284
0x011f3287
0x011f3296
0x011f3297
0x011f3297
0x011f3299
0x011f329c
0x00000000
0x00000000
0x011f329e
0x011f32a1
0x00000000
0x00000000
0x011f32af
0x011f32b1
0x011f32b4
0x011f32b6
0x011f32be
0x011f32be
0x011f32c1
0x011f32c3
0x011f32c5
0x011f32e1
0x011f32e6
0x011f32e9
0x011f32e9
0x00000000
0x011f32c1
0x011f32b8
0x011f32bc
0x00000000
0x00000000
0x00000000
0x011f32ec
0x011f32ef
0x011f32f0
0x011f32f3
0x011f32f6
0x011f32f9
0x011f32fc
0x011f32fc
0x00000000
0x011f3287
0x011f3306
0x011f330b
0x011f330c
0x011f330f
0x011f3312
0x011f3313
0x011f3314
0x011f3315
0x011f3318
0x011f331a
0x011f3392
0x011f3394
0x011f3394
0x011f331c
0x011f331c
0x011f331f
0x011f3322
0x00000000
0x011f3324
0x011f3324
0x011f3327
0x011f332a
0x011f3331
0x011f3331
0x011f3334
0x011f3336
0x011f3338
0x011f336a
0x011f336a
0x011f336d
0x011f3374
0x011f3374
0x011f3377
0x011f337a
0x011f3381
0x011f3381
0x011f3384
0x011f338b
0x011f338d
0x011f338d
0x011f3386
0x011f3386
0x011f3389
0x00000000
0x00000000
0x011f3389
0x011f337c
0x011f337c
0x011f337f
0x00000000
0x00000000
0x011f337f
0x011f336f
0x011f336f
0x011f3372
0x00000000
0x00000000
0x011f3372
0x011f338e
0x011f333a
0x011f333a
0x011f333a
0x011f333d
0x011f333d
0x011f333f
0x011f3341
0x00000000
0x00000000
0x011f3343
0x011f3345
0x011f3359
0x011f3359
0x011f3347
0x011f3347
0x011f334a
0x011f334d
0x00000000
0x011f334f
0x011f334f
0x011f3352
0x011f3355
0x011f3357
0x00000000
0x00000000
0x00000000
0x00000000
0x011f3357
0x011f334d
0x011f3362
0x011f3362
0x011f3364
0x00000000
0x011f3366
0x011f3366
0x011f3366
0x00000000
0x011f3364
0x011f335d
0x011f335f
0x011f335f
0x00000000
0x011f335f
0x011f332c
0x011f332c
0x011f332f
0x00000000
0x00000000
0x00000000
0x00000000
0x011f332f
0x011f332a
0x011f3322
0x011f3395
0x011f3399
0x011f3399
0x011f2e6b
0x011f2e6b
0x011f2e74
0x011f2f71
0x011f2f71
0x011f2f74
0x00000000
0x011f2ea3
0x011f2ea3
0x011f2ea5
0x011f2ea8
0x00000000
0x011f2eae
0x011f2eae
0x011f2eb3
0x011f2eb6
0x011f316a
0x011f316e
0x011f2ebc
0x011f2ec1
0x011f2ec4
0x011f2ec9
0x011f2ed0
0x011f2ed5
0x00000000
0x011f2edb
0x011f2ee1
0x011f2f0d
0x011f2f0d
0x011f2f12
0x011f2f15
0x011f2f79
0x011f2f79
0x011f2f7c
0x011f2f7f
0x011f2f81
0x011f2f84
0x011f2f87
0x011f2f8d
0x011f3139
0x011f3139
0x011f313c
0x00000000
0x011f313e
0x011f313e
0x011f3141
0x00000000
0x011f3147
0x011f3147
0x011f314a
0x011f314d
0x011f314e
0x011f314f
0x011f3152
0x011f3153
0x011f3156
0x011f3157
0x011f315c
0x00000000
0x011f315c
0x011f3141
0x011f2f93
0x011f2f93
0x011f2f97
0x00000000
0x011f2f9d
0x011f2f9d
0x011f2fa4
0x011f2fbc
0x011f2fbc
0x011f2fbf
0x011f2fc2
0x011f2fc8
0x011f2fd8
0x011f2fdd
0x011f2fe0
0x011f2fe3
0x011f2fe6
0x011f2fe9
0x011f2fec
0x011f2fef
0x011f2ff5
0x011f2ff5
0x011f2ff8
0x011f2ffb
0x011f300a
0x011f300b
0x011f300b
0x011f300d
0x011f3010
0x011f3016
0x011f3019
0x011f301f
0x011f3021
0x011f3024
0x011f3027
0x011f302d
0x011f3030
0x011f3035
0x011f3035
0x011f3038
0x011f303b
0x011f303e
0x011f3041
0x011f3044
0x011f3049
0x011f304a
0x011f304b
0x011f304c
0x011f304d
0x011f3050
0x011f3053
0x011f3055
0x00000000
0x011f3057
0x011f3057
0x011f3057
0x011f3058
0x011f305a
0x011f305d
0x011f305e
0x011f3063
0x011f3066
0x011f3068
0x00000000
0x00000000
0x011f306a
0x011f306d
0x011f306e
0x011f3071
0x011f3073
0x00000000
0x011f3075
0x011f3075
0x011f3078
0x00000000
0x011f3078
0x00000000
0x011f3073
0x011f308c
0x011f3092
0x011f30af
0x011f30b4
0x011f30b4
0x011f30b7
0x011f30b7
0x00000000
0x011f307b
0x011f307b
0x011f307c
0x011f307f
0x011f3082
0x011f3085
0x011f3085
0x00000000
0x011f308a
0x011f3027
0x011f3019
0x011f30ba
0x011f30bd
0x011f30be
0x011f30c1
0x011f30c4
0x011f30c7
0x011f30ca
0x011f30ca
0x011f30d3
0x011f30d6
0x011f30d6
0x011f2fef
0x011f30d9
0x011f30dd
0x011f30df
0x011f30e2
0x011f30e8
0x011f30e8
0x011f30f0
0x011f30f5
0x011f315f
0x011f315f
0x011f3164
0x011f3168
0x00000000
0x00000000
0x00000000
0x00000000
0x011f30f7
0x011f30fa
0x011f30fd
0x011f3101
0x011f310f
0x011f3111
0x011f3128
0x011f312c
0x011f3132
0x011f3133
0x011f3135
0x00000000
0x011f3137
0x00000000
0x011f3137
0x00000000
0x00000000
0x00000000
0x011f3103
0x011f3103
0x011f3105
0x00000000
0x011f3107
0x011f3107
0x011f310b
0x00000000
0x011f310d
0x011f3113
0x011f3118
0x011f311b
0x011f3120
0x011f3123
0x00000000
0x011f3123
0x011f310b
0x011f3105
0x011f3101
0x011f2fa6
0x011f2fa6
0x011f2fad
0x00000000
0x011f2faf
0x011f2faf
0x011f2fb6
0x00000000
0x00000000
0x00000000
0x00000000
0x011f2fb6
0x011f2fad
0x011f2fa4
0x011f2f97
0x011f2f17
0x011f2f1f
0x011f2f22
0x011f2f27
0x011f2f2b
0x011f2f2e
0x011f2f34
0x011f2f37
0x00000000
0x011f2f39
0x011f2f39
0x011f2f3c
0x011f2f3e
0x011f316f
0x011f316f
0x00000000
0x011f2f44
0x011f2f4c
0x011f2f57
0x00000000
0x00000000
0x011f2f60
0x011f2f63
0x011f2f64
0x011f2f67
0x011f2f69
0x00000000
0x011f2f6f
0x00000000
0x011f2f6f
0x00000000
0x011f2f69
0x011f2f44
0x011f3174
0x011f3174
0x011f3176
0x011f3177
0x011f317e
0x011f3181
0x011f318f
0x011f3194
0x011f3199
0x011f319c
0x011f31a1
0x011f31a4
0x011f31a7
0x011f31a9
0x011f31ab
0x011f31ab
0x011f31b0
0x011f31bc
0x011f31c2
0x011f31c7
0x011f31ca
0x011f31cb
0x00000000
0x011f31cb
0x011f2f37
0x011f2f04
0x011f2f04
0x011f2f07
0x00000000
0x00000000
0x00000000
0x00000000
0x011f2f07
0x011f2ee1
0x011f2ed5
0x011f2eb6
0x011f2ea8
0x011f2e74

APIs

type_info::operator==.LIBVCRUNTIME ref: 011F2F50
___TypeMatch.LIBVCRUNTIME ref: 011F305E
_UnwindNestedFrames.LIBCMT ref: 011F31B0
CallUnexpected.LIBVCRUNTIME ref: 011F31CB
_abort.LIBCMT ref: 011F31D0

Strings

csm, xrefs: 011F2E6E
csm, xrefs: 011F2EDB
csm, xrefs: 011F2F87

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 351c1b0542b96a6c46227846bb9938b964173fc8c69390864944e53c59fac22c
Instruction ID: 02408dba70283fab3b481c9499ddd382e9a80d7f713d69a716af185f647d9a44
Opcode Fuzzy Hash: 351c1b0542b96a6c46227846bb9938b964173fc8c69390864944e53c59fac22c
Instruction Fuzzy Hash: B5B1697181020AEFCF2DDFA8C8809AEBBB5FF14314F14415EEA256B252D735DA51CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011D6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E011D6FA5(void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t109;
				signed int _t112;
				intOrPtr _t117;
				signed int _t134;
				long _t154;
				void* _t182;
				void* _t186;
				void* _t190;
				void* _t194;
				short _t195;
				void* _t199;
				WCHAR* _t200;
				long _t201;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t229;
				intOrPtr* _t233;
				intOrPtr* _t234;
				void* _t236;
				intOrPtr _t237;
				signed int _t238;
				void* _t239;
				intOrPtr _t240;
				signed int _t242;
				intOrPtr _t244;
				short _t245;
				void* _t246;
				intOrPtr _t250;
				short _t252;
				void* _t253;
				void* _t255;
				void* _t256;

				E011EEB78(0x120279e, _t253);
				E011EEC50(0x30a8);
				if( *0x1211023 == 0) {
					E011D7A9C(L"SeRestorePrivilege");
					E011D7A9C(L"SeCreateSymbolicLinkPrivilege");
					 *0x1211023 = 1;
				}
				_t203 = _t253 - 0x2c;
				E011D13BA(_t203, 0x1418);
				_t244 =  *((intOrPtr*)(_t253 + 0x10));
				 *(_t253 - 4) =  *(_t253 - 4) & 0x00000000;
				E011E0602(_t253 - 0x107c, _t244 + 0x1104, 0x800);
				 *(_t253 - 0x14) = E011F3E13(_t253 - 0x107c);
				_t236 = _t253 - 0x107c;
				_t199 = _t253 - 0x207c;
				_t109 = E011F6088(_t236, L"\\??\\", 4);
				_t256 = _t255 + 0x10;
				_t204 = _t203 & 0xffffff00 | _t109 == 0x00000000;
				 *(_t253 - 0xd) = _t204;
				if(_t109 == 0) {
					_t236 = _t253 - 0x1074;
				}
				if(_t204 != 0) {
					_t194 = E011F6088(_t236, L"UNC\\", 4);
					_t256 = _t256 + 0xc;
					if(_t194 == 0) {
						_t195 = 0x5c;
						 *((short*)(_t253 - 0x207c)) = _t195;
						_t199 = _t253 - 0x207a;
						_t236 = _t236 + 6;
					}
				}
				E011F6066(_t199, _t236);
				_t112 = E011F3E13(_t253 - 0x207c);
				_t237 =  *((intOrPtr*)(_t253 + 8));
				_t200 =  *(_t253 + 0xc);
				 *(_t253 - 0x18) = _t112;
				if( *((char*)(_t237 + 0x7197)) != 0) {
					L12:
					E011DA0B1(_t200, _t204, _t237, _t253, _t200, 1,  *(_t237 + 0x714b) & 0x000000ff);
					if(E011DA231(_t200) != 0) {
						_t186 = E011DA28F(E011DA243(_t200));
						_push(_t200);
						if(_t186 == 0) {
							E011DA1E0();
						} else {
							E011DA18F();
						}
					}
					if( *((char*)(_t244 + 0x10f1)) != 0 ||  *((char*)(_t244 + 0x2104)) != 0) {
						__eflags = CreateDirectoryW(_t200, 0);
						if(__eflags != 0) {
							goto L21;
						}
						_t201 = 0;
						E011D2021(__eflags, 0x14, 0, _t200);
						E011D6D83(0x1211098, 9);
						goto L42;
					} else {
						_t182 = CreateFileW(_t200, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t182 != 0xffffffff) {
							CloseHandle(_t182);
							L21:
							_t117 =  *((intOrPtr*)(_t244 + 0x1100));
							__eflags = _t117 - 3;
							if(_t117 != 3) {
								__eflags = _t117 - 2;
								if(_t117 == 2) {
									L27:
									_t233 =  *(_t253 - 0x2c);
									_t205 =  *(_t253 - 0x14) & 0x0000ffff;
									_t238 =  *(_t253 - 0x18) & 0x0000ffff;
									 *_t233 = 0xa000000c;
									_t245 = _t205 + _t205;
									 *((short*)(_t233 + 0xa)) = _t245;
									 *((short*)(_t233 + 4)) = 0x10 + (_t238 + _t205) * 2;
									 *((intOrPtr*)(_t233 + 6)) = 0;
									E011F6066(_t233 + 0x14, _t253 - 0x107c);
									_t246 =  *(_t253 - 0x2c);
									 *((short*)(_t246 + 0xc)) = _t245 + 2;
									 *((short*)(_t246 + 0xe)) = _t238 + _t238;
									E011F6066(_t246 + ( *(_t253 - 0x14) + 0xb) * 2, _t253 - 0x207c);
									_t134 =  *(_t253 - 0xd) & 0x000000ff ^ 0x00000001;
									__eflags = _t134;
									 *(_t246 + 0x10) = _t134;
									L28:
									_t239 = CreateFileW(_t200, 0xc0000000, 0, 0, 3, 0x2200000, 0);
									__eflags = _t239 - 0xffffffff;
									if(_t239 != 0xffffffff) {
										__eflags = DeviceIoControl(_t239, 0x900a4, _t246, ( *(_t246 + 4) & 0x0000ffff) + 8, 0, 0, _t253 - 0x30, 0);
										if(__eflags != 0) {
											E011D9556(_t253 - 0x30b4);
											 *(_t253 - 4) = 1;
											E011D7A7B(_t253 - 0x30b4, _t239);
											_t240 =  *((intOrPtr*)(_t253 + 8));
											_t247 =  *((intOrPtr*)(_t253 + 0x10));
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											E011D9DA2(_t253 - 0x30b4,  *((intOrPtr*)(_t253 + 0x10)),  ~( *(_t240 + 0x82d0)) &  *((intOrPtr*)(_t253 + 0x10)) + 0x00001040,  ~( *(_t240 + 0x82d4)) & _t247 + 0x00001048,  ~( *(_t240 + 0x82d8)) & _t247 + 0x00001050);
											E011D9620(_t253 - 0x30b4);
											__eflags =  *((char*)(_t240 + 0x71a8));
											if( *((char*)(_t240 + 0x71a8)) == 0) {
												E011DA4ED(_t200,  *((intOrPtr*)(_t247 + 0x24)));
											}
											_t201 = 1;
											E011D959A(_t253 - 0x30b4);
											goto L42;
										}
										CloseHandle(_t239);
										E011D2021(__eflags, 0x15, 0, _t200);
										_t154 = GetLastError();
										__eflags = _t154 - 5;
										if(_t154 == 5) {
											L33:
											__eflags = E011E07BC();
											if(__eflags == 0) {
												E011D15C6(_t253 - 0x7c, 0x18);
												E011E15FE(_t253 - 0x7c);
											}
											L35:
											E011D6DCB(0x1211098, __eflags);
											E011D6D83(0x1211098, 9);
											_t250 =  *((intOrPtr*)(_t253 + 0x10));
											_push(_t200);
											__eflags =  *((char*)(_t250 + 0x10f1));
											if( *((char*)(_t250 + 0x10f1)) == 0) {
												DeleteFileW();
											} else {
												RemoveDirectoryW();
											}
											goto L38;
										}
										__eflags = _t154 - 0x522;
										if(__eflags != 0) {
											goto L35;
										}
										goto L33;
									}
									E011D6C23(_t200);
									E011D6D83(0x1211098, 9);
									goto L38;
								}
								__eflags = _t117 - 1;
								if(_t117 != 1) {
									goto L38;
								}
								goto L27;
							}
							_t234 =  *(_t253 - 0x2c);
							_t229 =  *(_t253 - 0x14) & 0x0000ffff;
							_t242 =  *(_t253 - 0x18) & 0x0000ffff;
							 *_t234 = 0xa0000003;
							_t252 = _t229 + _t229;
							 *((short*)(_t234 + 0xa)) = _t252;
							 *((short*)(_t234 + 4)) = 0xc + (_t242 + _t229) * 2;
							 *((intOrPtr*)(_t234 + 6)) = 0;
							E011F6066(_t234 + 0x10, _t253 - 0x107c);
							_t246 =  *(_t253 - 0x2c);
							 *((short*)(_t246 + 0xc)) = _t252 + 2;
							 *((short*)(_t246 + 0xe)) = _t242 + _t242;
							E011F6066(_t246 + ( *(_t253 - 0x14) + 9) * 2, _t253 - 0x207c);
							goto L28;
						}
						E011D6C23(_t200);
						goto L38;
					}
				} else {
					if( *(_t253 - 0xd) != 0) {
						L38:
						_t201 = 0;
						L42:
						E011D15FB(_t253 - 0x2c);
						 *[fs:0x0] =  *((intOrPtr*)(_t253 - 0xc));
						return _t201;
					}
					_t190 = E011DBCC3(_t244 + 0x1104);
					_t269 = _t190;
					if(_t190 != 0) {
						goto L38;
					}
					_push(_t244 + 0x1104);
					_push(_t200);
					_push(_t244 + 0x28);
					_push(_t237);
					if(E011D7861(_t269) == 0) {
						goto L38;
					}
					goto L12;
				}
			}

0x011d6faa
0x011d6fb4
0x011d6fc0
0x011d6fc7
0x011d6fd1
0x011d6fd6
0x011d6fd6
0x011d6fe5
0x011d6fe8
0x011d6fed
0x011d6ff0
0x011d7007
0x011d701a
0x011d701d
0x011d7025
0x011d7031
0x011d7036
0x011d703b
0x011d703e
0x011d7043
0x011d7045
0x011d7045
0x011d704d
0x011d7057
0x011d705c
0x011d7061
0x011d7065
0x011d7066
0x011d706d
0x011d7073
0x011d7073
0x011d7061
0x011d7078
0x011d7084
0x011d7089
0x011d708f
0x011d7092
0x011d709c
0x011d70d6
0x011d70e1
0x011d70ee
0x011d70f7
0x011d70fc
0x011d70ff
0x011d7108
0x011d7101
0x011d7101
0x011d7101
0x011d70ff
0x011d7114
0x011d71e1
0x011d71e3
0x00000000
0x00000000
0x011d71ea
0x011d71ef
0x011d71fb
0x00000000
0x011d7127
0x011d7139
0x011d7142
0x011d7155
0x011d715b
0x011d715b
0x011d7161
0x011d7164
0x011d7205
0x011d7208
0x011d7213
0x011d7216
0x011d7219
0x011d721f
0x011d7222
0x011d7228
0x011d722b
0x011d7239
0x011d723f
0x011d724d
0x011d7255
0x011d7258
0x011d725f
0x011d7274
0x011d7280
0x011d7280
0x011d7283
0x011d7286
0x011d729e
0x011d72a0
0x011d72a3
0x011d72de
0x011d72e0
0x011d735d
0x011d7369
0x011d736d
0x011d7372
0x011d7375
0x011d7386
0x011d7399
0x011d73ac
0x011d73b7
0x011d73c2
0x011d73c7
0x011d73ce
0x011d73d4
0x011d73d4
0x011d73df
0x011d73e1
0x00000000
0x011d73e1
0x011d72e3
0x011d72ee
0x011d72f3
0x011d72f9
0x011d72fc
0x011d7305
0x011d730a
0x011d730c
0x011d7313
0x011d731b
0x011d731b
0x011d7320
0x011d7327
0x011d7330
0x011d7335
0x011d7338
0x011d7339
0x011d7340
0x011d734a
0x011d7342
0x011d7342
0x011d7342
0x00000000
0x011d7340
0x011d72fe
0x011d7303
0x00000000
0x00000000
0x00000000
0x011d7303
0x011d72ad
0x011d72b6
0x00000000
0x011d72b6
0x011d720a
0x011d720d
0x00000000
0x00000000
0x00000000
0x011d720d
0x011d716d
0x011d7170
0x011d7176
0x011d7179
0x011d717f
0x011d7182
0x011d7190
0x011d7196
0x011d71a4
0x011d71ac
0x011d71af
0x011d71b6
0x011d71cb
0x00000000
0x011d71d0
0x011d714a
0x00000000
0x011d714a
0x011d709e
0x011d70a2
0x011d7350
0x011d7350
0x011d73e6
0x011d73e9
0x011d73f6
0x011d73fe
0x011d73fe
0x011d70af
0x011d70b4
0x011d70b6
0x00000000
0x00000000
0x011d70c2
0x011d70c3
0x011d70c7
0x011d70c8
0x011d70d0
0x00000000
0x00000000
0x00000000
0x011d70d0

APIs

__EH_prolog.LIBCMT ref: 011D6FAA
_wcslen.LIBCMT ref: 011D7013
_wcslen.LIBCMT ref: 011D7084

Part of subcall function 011D7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 011D7AAB
Part of subcall function 011D7A9C: GetLastError.KERNEL32 ref: 011D7AF1
Part of subcall function 011D7A9C: CloseHandle.KERNEL32(?), ref: 011D7B00

Strings

SeRestorePrivilege, xrefs: 011D6FC2
UNC\, xrefs: 011D7051
\??\, xrefs: 011D702B
SeCreateSymbolicLinkPrivilege, xrefs: 011D6FCC

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 9debf334c9a58d65177da29f3420783e9560be6d11f717ff8e79dcd434b44c81
Instruction ID: f20fb2ffd4c5ba122e03facadff9ff11b33b18ec39ab3932d6f67e0d645579c2
Opcode Fuzzy Hash: 9debf334c9a58d65177da29f3420783e9560be6d11f717ff8e79dcd434b44c81
Instruction Fuzzy Hash: 4C4124B1D04355BAEB2AEB789C81FEE776CAF2420CF000549EA45A31C2DB74A648C721

Uniqueness

Uniqueness Score: -1.00%

Function 011E9711 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126
memoryCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E011E9711(void* __edx) {
				void* __ecx;
				void* _t20;
				short* _t24;
				void* _t28;
				void* _t29;
				intOrPtr* _t36;
				void* _t43;
				void* _t58;
				intOrPtr* _t60;
				short* _t62;
				short* _t64;
				intOrPtr* _t68;
				long _t70;
				void* _t72;
				void* _t73;

				_t58 = __edx;
				_t42 = _t43;
				if( *((intOrPtr*)(_t43 + 0x10)) == 0) {
					return _t20;
				}
				 *(_t72 + 8) =  *(_t72 + 8) & 0x00000000;
				_t60 =  *((intOrPtr*)(_t72 + 0x18));
				 *((char*)(_t72 + 0x13)) = E011E95AA(_t60);
				_push(0x200 + E011F3E13(_t60) * 2);
				_t24 = E011F3E33(_t43);
				_t64 = _t24;
				if(_t64 == 0) {
					L16:
					return _t24;
				}
				E011F6066(_t64, L"<html>");
				E011F7686(_t64, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
				E011F7686(_t64, L"utf-8\"></head>");
				_t73 = _t72 + 0x18;
				_t68 = _t60;
				_t28 = 0x20;
				if( *_t60 != _t28) {
					L4:
					_t29 = E011E1FDD(_t77, _t68, L"<html>", 6);
					 *((char*)(_t73 + 0x12)) = _t29 == 0;
					if(_t29 == 0) {
						_t60 = _t68 + 0xc;
					}
					E011F7686(_t64, _t60);
					if( *((char*)(_t73 + 0x1a)) == 0) {
						E011F7686(_t64, L"</html>");
					}
					_t81 =  *((char*)(_t73 + 0x13));
					if( *((char*)(_t73 + 0x13)) == 0) {
						_push(_t64);
						_t64 = E011E9955(_t58, _t81);
					}
					_t70 = 9 + E011F3E13(_t64) * 6;
					_t62 = GlobalAlloc(0x40, _t70);
					if(_t62 != 0) {
						_t13 = _t62 + 3; // 0x3
						if(WideCharToMultiByte(0xfde9, 0, _t64, 0xffffffff, _t13, _t70 - 3, 0, 0) == 0) {
							 *_t62 = 0;
						} else {
							 *_t62 = 0xbbef;
							 *((char*)(_t62 + 2)) = 0xbf;
						}
					}
					L011F3E2E(_t64);
					_t24 =  *0x1233180(_t62, 1, _t73 + 0x14);
					if(_t24 >= 0) {
						E011E95EB( *((intOrPtr*)(_t42 + 0x10)));
						_t36 =  *((intOrPtr*)(_t73 + 0x10));
						 *0x1203278(_t36,  *((intOrPtr*)(_t73 + 0x10)));
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *_t36 + 8))))();
					}
					goto L16;
				} else {
					goto L3;
				}
				do {
					L3:
					_t68 = _t68 + 2;
					_t77 =  *_t68 - _t28;
				} while ( *_t68 == _t28);
				goto L4;
			}

0x011e9711
0x011e9714
0x011e971a
0x011e985f
0x011e985f
0x011e9720
0x011e9727
0x011e9732
0x011e9742
0x011e9743
0x011e9748
0x011e974e
0x011e985a
0x00000000
0x011e985b
0x011e975b
0x011e9766
0x011e9771
0x011e9776
0x011e9779
0x011e977d
0x011e9781
0x011e978c
0x011e9794
0x011e979b
0x011e97a2
0x011e97a4
0x011e97a4
0x011e97a9
0x011e97b5
0x011e97bd
0x011e97c3
0x011e97c4
0x011e97c9
0x011e97cb
0x011e97d3
0x011e97d3
0x011e97df
0x011e97eb
0x011e97ef
0x011e97f9
0x011e980e
0x011e981b
0x011e9810
0x011e9810
0x011e9815
0x011e9815
0x011e980e
0x011e981f
0x011e982d
0x011e9836
0x011e9841
0x011e9846
0x011e9852
0x011e9858
0x011e9858
0x00000000
0x00000000
0x00000000
0x00000000
0x011e9783
0x011e9783
0x011e9783
0x011e9786
0x011e9786
0x00000000

APIs

_wcslen.LIBCMT ref: 011E9736
_wcslen.LIBCMT ref: 011E97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 011E97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 011E9806

Strings

utf-8"></head>, xrefs: 011E976B
</html>, xrefs: 011E97B7
<html>, xrefs: 011E9755, 011E978E
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 011E9760

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: a49e0eaddb857a5f8cbe95317e5c4fe5c3c4a6aeb3b92a83901bc895df5845e2
Instruction ID: edf4a5c9d3e96260aa6b23e1bbed5a7ef2459a4ab7894b4b5c923872714aed45
Opcode Fuzzy Hash: a49e0eaddb857a5f8cbe95317e5c4fe5c3c4a6aeb3b92a83901bc895df5845e2
Instruction Fuzzy Hash: BD316C7250471A7EE72DBFA59C09F5F7BDCAF61228F10010DF601961D2EB649508C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 011EB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E011EB5C0(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
				long _t9;
				long _t10;
				WCHAR* _t11;
				void* _t25;
				signed short _t28;
				void* _t29;
				intOrPtr _t30;
				struct HWND__* _t34;
				intOrPtr _t35;
				void* _t36;
				struct HWND__* _t37;

				_t29 = __ecx;
				_t28 = _a12;
				_t35 = _a8;
				_t34 = _a4;
				if(E011D1316(__edx, _t34, _t35, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
					L16:
					__eflags = 1;
					return 1;
				}
				_t36 = _t35 - 0x110;
				if(_t36 == 0) {
					_push(_t34);
					E011ED69E(_t29, __edx, __eflags, __fp0);
					_t9 =  *0x1227b7c;
					__eflags = _t9;
					if(_t9 != 0) {
						SendMessageW(_t34, 0x80, 1, _t9);
					}
					_t10 =  *0x122ec84;
					__eflags = _t10;
					if(_t10 != 0) {
						SendDlgItemMessageW(_t34, 0x66, 0x172, 0, _t10);
					}
					_t11 =  *0x122fc9c;
					__eflags = _t11;
					if(__eflags != 0) {
						SetWindowTextW(_t34, _t11);
					}
					_t37 = GetDlgItem(_t34, 0x65);
					SendMessageW(_t37, 0x435, 0, 0x10000);
					SendMessageW(_t37, 0x443, 0,  *0x12330c4(0xf));
					 *0x12330c0(_t34);
					_t30 =  *0x1218444; // 0x116fccc
					E011E9ED5(_t30, __eflags,  *0x121102c, _t37,  *0x122fc98, 0, 0);
					L011F3E2E( *0x122fc9c);
					L011F3E2E( *0x122fc98);
					goto L16;
				}
				if(_t36 != 1) {
					L5:
					return 0;
				}
				_t25 = (_t28 & 0x0000ffff) - 1;
				if(_t25 == 0) {
					_push(1);
					L7:
					EndDialog(_t34, ??);
					goto L16;
				}
				if(_t25 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x011eb5c0
0x011eb5c1
0x011eb5c7
0x011eb5ce
0x011eb5e7
0x011eb6d3
0x011eb6d5
0x00000000
0x011eb6d5
0x011eb5ed
0x011eb5f3
0x011eb61f
0x011eb620
0x011eb625
0x011eb62a
0x011eb62c
0x011eb637
0x011eb637
0x011eb63d
0x011eb642
0x011eb644
0x011eb650
0x011eb650
0x011eb656
0x011eb65b
0x011eb65d
0x011eb661
0x011eb661
0x011eb676
0x011eb67e
0x011eb694
0x011eb69b
0x011eb6a1
0x011eb6b6
0x011eb6c1
0x011eb6cc
0x00000000
0x011eb6d2
0x011eb5f8
0x011eb607
0x00000000
0x011eb607
0x011eb5fd
0x011eb600
0x011eb61b
0x011eb60f
0x011eb610
0x00000000
0x011eb610
0x011eb605
0x011eb60e
0x00000000
0x011eb60e
0x00000000

APIs

Part of subcall function 011D1316: GetDlgItem.USER32(00000000,00003021), ref: 011D135A
Part of subcall function 011D1316: SetWindowTextW.USER32(00000000,012035F4), ref: 011D1370

EndDialog.USER32(?,00000001), ref: 011EB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 011EB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 011EB650
SetWindowTextW.USER32(?,?), ref: 011EB661
GetDlgItem.USER32(?,00000065), ref: 011EB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 011EB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 011EB694

Strings

LICENSEDLG, xrefs: 011EB5D4

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: a34d5c99f4fa9ab3e6701b1a97dc91a1f78c98bc10f75c0e10f1cea0c1d7c590
Instruction ID: f7113932c67e4aec1e220f921b973a33c6f9dee5e7d7658b77a711d8d9480a9c
Opcode Fuzzy Hash: a34d5c99f4fa9ab3e6701b1a97dc91a1f78c98bc10f75c0e10f1cea0c1d7c590
Instruction Fuzzy Hash: 2221B432608215BBE2399EA9FD4DF7B7BBCFB4A745F010008FB4196088CB6295019B35

Uniqueness

Uniqueness Score: -1.00%

Function 011ED69E Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E011ED69E(void* __ecx, void* __edx, void* __eflags, void* __fp0, short _a24, struct HWND__* _a4124) {
				void _v0;
				intOrPtr _v4;
				intOrPtr _v12;
				struct HWND__* _t9;
				void* _t19;
				void* _t26;
				void* _t28;
				void* _t30;
				struct HWND__* _t33;
				struct HWND__* _t36;
				void* _t40;
				void* _t49;

				_t49 = __fp0;
				_t40 = __eflags;
				_t28 = __edx;
				E011EEC50(0x1018);
				_t9 = E011EA5C6(_t40);
				if(_t9 == 0) {
					L12:
					return _t9;
				}
				_t9 = GetWindow(_a4124, 5);
				_t33 = _t9;
				_t30 = 0;
				_t36 = _t33;
				if(_t33 == 0) {
					L11:
					goto L12;
				}
				while(_t30 < 0x200) {
					GetClassNameW(_t33,  &_a24, 0x800);
					if(E011E1FBB( &_a24, L"STATIC") == 0 && (GetWindowLongW(_t33, 0xfffffff0) & 0x0000001f) == 0xe) {
						_t26 = SendMessageW(_t33, 0x173, 0, 0);
						if(_t26 != 0) {
							GetObjectW(_t26, 0x18,  &_v0);
							_t19 = E011EA605(_v4);
							SendMessageW(_t33, 0x172, 0, E011EA80C(_t28, _t49, _t26, E011EA5E4(_v12), _t19));
							 *0x1233054(_t26);
						}
					}
					_t9 = GetWindow(_t33, 2);
					_t33 = _t9;
					if(_t33 != _t36) {
						_t30 = _t30 + 1;
						if(_t33 != 0) {
							continue;
						}
					}
					break;
				}
				goto L11;
			}

0x011ed69e
0x011ed69e
0x011ed69e
0x011ed6a3
0x011ed6a8
0x011ed6af
0x011ed786
0x011ed78c
0x011ed78c
0x011ed6c1
0x011ed6c7
0x011ed6c9
0x011ed6cb
0x011ed6cf
0x011ed783
0x00000000
0x011ed785
0x011ed6d6
0x011ed6ed
0x011ed704
0x011ed726
0x011ed72a
0x011ed734
0x011ed73e
0x011ed75d
0x011ed764
0x011ed764
0x011ed72a
0x011ed76d
0x011ed773
0x011ed777
0x011ed779
0x011ed77c
0x00000000
0x00000000
0x011ed77c
0x00000000
0x011ed777
0x00000000

APIs

GetWindow.USER32(?,00000005), ref: 011ED6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 011ED6ED

Part of subcall function 011E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,011DC116,00000000,.exe,?,?,00000800,?,?,?,011E8E3C), ref: 011E1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 011ED709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 011ED720
GetObjectW.GDI32(00000000,00000018,?), ref: 011ED734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 011ED75D
GetWindow.USER32(00000000,00000002), ref: 011ED76D

Strings

STATIC, xrefs: 011ED6F3

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Window$MessageSend$ClassCompareLongNameObjectString
String ID: STATIC
API String ID: 2673288236-1882779555
Opcode ID: 2ef41ed29f7b1519d23dad95de7d99a50bd17097809c1af38d65610c18051a57
Instruction ID: 93926ec2fc100e273ae7d722af7bc1244f5e8277b34898f962aa0c1337b5c93b
Opcode Fuzzy Hash: 2ef41ed29f7b1519d23dad95de7d99a50bd17097809c1af38d65610c18051a57
Instruction Fuzzy Hash: 17112732580F517BEB31ABF4BC4DFAFBAECBF54719F004120FA91A2085D764CA0546A1

Uniqueness

Uniqueness Score: -1.00%

Function 011EFD10 Relevance: 13.7, APIs: 9, Instructions: 154
memoryCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E011EFD10(void* __ebx, char* __edx, char* _a4) {
				int _v8;
				signed int _v12;
				char _v20;
				short* _v28;
				signed int _v32;
				short* _v36;
				int _v40;
				int _v44;
				intOrPtr _v60;
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t31;
				char _t33;
				int _t34;
				signed short _t36;
				signed short _t38;
				void* _t49;
				short* _t50;
				int _t52;
				int _t53;
				char* _t58;
				int _t59;
				void* _t60;
				char* _t61;
				intOrPtr* _t62;
				intOrPtr* _t63;
				char* _t69;
				intOrPtr _t70;
				int _t71;
				intOrPtr* _t72;
				void* _t74;
				short* _t75;
				void* _t78;
				signed int _t79;
				void* _t81;
				short* _t82;

				_t69 = __edx;
				_push(0xfffffffe);
				_push(0x120c130);
				_push(E011F2900);
				_push( *[fs:0x0]);
				_t82 = _t81 - 0x18;
				_t30 =  *0x120e7ac; // 0xc166b63b
				_v12 = _v12 ^ _t30;
				_t31 = _t30 ^ _t79;
				_v32 = _t31;
				_push(__ebx);
				_push(_t75);
				_push(_t71);
				_push(_t31);
				 *[fs:0x0] =  &_v20;
				_v28 = _t82;
				_t58 = _a4;
				if(_t58 != 0) {
					_t61 = _t58;
					_t69 =  &(_t61[1]);
					do {
						_t33 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t33 != 0);
					_t62 = _t61 - _t69;
					_t34 = _t62 + 1;
					_v44 = _t34;
					if(_t34 > 0x7fffffff) {
						L17:
						E011EFCF0(0x80070057);
						goto L18;
					} else {
						_t71 = MultiByteToWideChar(0, 0, _t58, _t34, 0, 0);
						_v40 = _t71;
						if(_t71 == 0) {
							L18:
							_t36 = GetLastError();
							if(_t36 > 0) {
								_t36 = _t36 & 0x0000ffff | 0x80070000;
							}
							E011EFCF0(_t36);
							goto L21;
						} else {
							_v8 = 0;
							_t49 = _t71 + _t71;
							if(_t71 >= 0x1000) {
								_push(_t49);
								_t50 = E011F3E33(_t62);
								_t82 =  &(_t82[2]);
								_t75 = _t50;
								_v36 = _t75;
								_v8 = 0xfffffffe;
							} else {
								E01202010(_t49);
								_v28 = _t82;
								_t75 = _t82;
								_v36 = _t75;
								_v8 = 0xfffffffe;
							}
							if(_t75 == 0) {
								L16:
								E011EFCF0(0x8007000e);
								goto L17;
							} else {
								_t52 = MultiByteToWideChar(0, 0, _t58, _v44, _t75, _t71);
								if(_t52 == 0) {
									L21:
									if(_t71 >= 0x1000) {
										L011F3E2E(_t75);
										_t82 =  &(_t82[2]);
									}
									_t38 = GetLastError();
									if(_t38 > 0) {
										_t38 = _t38 & 0x0000ffff | 0x80070000;
									}
									E011EFCF0(_t38);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t79);
									_t70 = _v60;
									_push(_t71);
									_t72 = _t62;
									 *_t72 = 0x12056f8;
									 *((intOrPtr*)(_t72 + 4)) =  *((intOrPtr*)(_t70 + 4));
									_t63 =  *((intOrPtr*)(_t70 + 8));
									 *((intOrPtr*)(_t72 + 8)) = _t63;
									 *(_t72 + 0xc) = 0;
									if(_t63 != 0) {
										 *0x1203278(_t63, _t75);
										 *((intOrPtr*)( *((intOrPtr*)( *_t63 + 4))))();
									}
									return _t72;
								} else {
									__imp__#2(_t75);
									_t59 = _t52;
									if(_t71 >= 0x1000) {
										L011F3E2E(_t75);
										_t82 =  &(_t82[2]);
									}
									if(_t59 == 0) {
										goto L16;
									} else {
										_t53 = _t59;
										goto L2;
									}
								}
							}
						}
					}
				} else {
					_t53 = 0;
					L2:
					 *[fs:0x0] = _v20;
					_pop(_t74);
					_pop(_t78);
					_pop(_t60);
					return E011EFBBC(_t53, _t60, _v32 ^ _t79, _t69, _t74, _t78);
				}
			}

0x011efd10
0x011efd13
0x011efd15
0x011efd1a
0x011efd25
0x011efd26
0x011efd29
0x011efd2e
0x011efd31
0x011efd33
0x011efd36
0x011efd37
0x011efd38
0x011efd39
0x011efd3d
0x011efd43
0x011efd46
0x011efd4b
0x011efd70
0x011efd72
0x011efd75
0x011efd75
0x011efd77
0x011efd78
0x011efd7c
0x011efd7e
0x011efd81
0x011efd89
0x011efe4d
0x011efe52
0x00000000
0x011efd8f
0x011efd9f
0x011efda1
0x011efda6
0x011efe57
0x011efe57
0x011efe5f
0x011efe64
0x011efe64
0x011efe6a
0x00000000
0x011efdac
0x011efdac
0x011efdb3
0x011efdbc
0x011efdd4
0x011efdd5
0x011efdda
0x011efddd
0x011efddf
0x011efde2
0x011efdbe
0x011efdbe
0x011efdc3
0x011efdc6
0x011efdc8
0x011efdcb
0x011efdcb
0x011efe08
0x011efe43
0x011efe48
0x00000000
0x011efe0a
0x011efe14
0x011efe1c
0x011efe6f
0x011efe75
0x011efe78
0x011efe7d
0x011efe7d
0x011efe80
0x011efe88
0x011efe8d
0x011efe8d
0x011efe93
0x011efe98
0x011efe99
0x011efe9a
0x011efe9b
0x011efe9c
0x011efe9d
0x011efe9e
0x011efe9f
0x011efea0
0x011efea3
0x011efea6
0x011efea7
0x011efea9
0x011efeb2
0x011efeb5
0x011efeb8
0x011efebb
0x011efec4
0x011efecf
0x011efed5
0x011efed7
0x011efedc
0x011efe1e
0x011efe1f
0x011efe25
0x011efe2d
0x011efe30
0x011efe35
0x011efe35
0x011efe3a
0x00000000
0x011efe3c
0x011efe3c
0x00000000
0x011efe3c
0x011efe3a
0x011efe1c
0x011efe08
0x011efda6
0x011efd4d
0x011efd4d
0x011efd4f
0x011efd55
0x011efd5d
0x011efd5e
0x011efd5f
0x011efd6d
0x011efd6d

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,C166B63B,00000001,00000000,00000000,?,?,011DAF6C,ROOT\CIMV2), ref: 011EFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,011DAF6C,ROOT\CIMV2), ref: 011EFE14
SysAllocString.OLEAUT32(00000000), ref: 011EFE1F
_com_issue_error.COMSUPP ref: 011EFE48
_com_issue_error.COMSUPP ref: 011EFE52
GetLastError.KERNEL32(80070057,C166B63B,00000001,00000000,00000000,?,?,011DAF6C,ROOT\CIMV2), ref: 011EFE57
_com_issue_error.COMSUPP ref: 011EFE6A
GetLastError.KERNEL32(00000000,?,?,011DAF6C,ROOT\CIMV2), ref: 011EFE80
_com_issue_error.COMSUPP ref: 011EFE93

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 90c1a03efa6b259c642652bf1ccd7e79da5f80cbf6be50f076aba36c22de84ef
Instruction ID: f371f3e068f96443b0a5723fc534b704e56b8a3db2e384b91e05521d10c05d2d
Opcode Fuzzy Hash: 90c1a03efa6b259c642652bf1ccd7e79da5f80cbf6be50f076aba36c22de84ef
Instruction Fuzzy Hash: 41412971A00616AFDB19DFA8D84CBAEBBE8FF48B14F10422DED15E7281D735A501C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 011DAF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E011DAF24() {
				intOrPtr* _t63;
				intOrPtr* _t64;
				void* _t66;
				intOrPtr* _t67;
				signed char _t70;
				intOrPtr* _t72;
				signed char** _t75;
				signed char** _t76;
				signed char* _t77;
				intOrPtr* _t78;
				void* _t80;
				signed char _t81;
				intOrPtr* _t82;
				intOrPtr* _t85;
				signed char _t92;
				signed char _t98;
				signed char _t105;
				signed char _t108;
				signed char* _t118;
				signed char _t119;
				signed char _t127;
				signed char _t139;
				void* _t147;
				void* _t149;
				void* _t155;
				void* _t162;

				E011EEB78(0x1202919, _t162);
				_push(_t162 - 0x14);
				_push(0x120574c);
				_t105 = 0;
				_push(1);
				_push(0);
				_push(0x120581c);
				 *((intOrPtr*)(_t162 - 0x14)) = 0;
				if( *0x1233188() >= 0) {
					_push(L"ROOT\\CIMV2");
					 *((intOrPtr*)(_t162 - 0x10)) = 0;
					_t63 =  *((intOrPtr*)(E011DAE2D(_t162 - 0x20)));
					 *(_t162 - 4) = 0;
					if(_t63 == 0) {
						_t108 = 0;
					} else {
						_t108 =  *_t63;
					}
					_t64 =  *((intOrPtr*)(_t162 - 0x14));
					 *0x1203278(_t64, _t108, _t105, _t105, _t105, _t105, _t105, _t105, _t162 - 0x10, _t147);
					_t66 =  *((intOrPtr*)( *_t64 + 0xc))();
					 *(_t162 - 4) =  *(_t162 - 4) | 0xffffffff;
					_t149 = _t66;
					_t110 =  *(_t162 - 0x20);
					if( *(_t162 - 0x20) != 0) {
						E011DAEF6(_t110);
					}
					if(_t149 < 0) {
						L21:
						_t67 =  *((intOrPtr*)(_t162 - 0x14));
						 *0x1203278(_t67);
						 *((intOrPtr*)( *((intOrPtr*)( *_t67 + 8))))();
						_t70 = 0;
					} else {
						_push(_t105);
						_push(_t105);
						_push(3);
						_push(3);
						_push(_t105);
						_push(_t105);
						_push(0xa);
						_push( *((intOrPtr*)(_t162 - 0x10)));
						if( *0x1233184() < 0) {
							L20:
							_t72 =  *((intOrPtr*)(_t162 - 0x10));
							 *0x1203278(_t72);
							 *((intOrPtr*)( *((intOrPtr*)( *_t72 + 8))))();
							goto L21;
						} else {
							_push("SELECT * FROM Win32_OperatingSystem");
							 *(_t162 - 0x18) = _t105;
							_t75 = E011DADDB(_t162 - 0x28);
							_push("WQL");
							 *(_t162 - 4) = 1;
							_t76 = E011DADDB(_t162 - 0x20);
							_t118 =  *_t75;
							 *(_t162 - 4) = 2;
							if(_t118 == 0) {
								_t139 = _t105;
							} else {
								_t139 =  *_t118;
							}
							_t77 =  *_t76;
							if(_t77 == 0) {
								_t119 = _t105;
							} else {
								_t119 =  *_t77;
							}
							_t78 =  *((intOrPtr*)(_t162 - 0x10));
							 *0x1203278(_t78, _t119, _t139, 0x30, _t105, _t162 - 0x18);
							_t80 =  *((intOrPtr*)( *_t78 + 0x50))();
							_t121 =  *(_t162 - 0x20);
							_t155 = _t80;
							if( *(_t162 - 0x20) != 0) {
								E011DAEF6(_t121);
								 *(_t162 - 0x20) = _t105;
							}
							 *(_t162 - 4) =  *(_t162 - 4) | 0xffffffff;
							_t122 =  *((intOrPtr*)(_t162 - 0x28));
							if( *((intOrPtr*)(_t162 - 0x28)) != 0) {
								E011DAEF6(_t122);
							}
							if(_t155 >= 0) {
								_t81 =  *(_t162 - 0x18);
								 *(_t162 - 0x1c) = _t105;
								 *(_t162 - 0x24) = _t105;
								if(_t81 != 0) {
									while(1) {
										 *0x1203278(_t81, 0xffffffff, 1, _t162 - 0x1c, _t162 - 0x24);
										 *((intOrPtr*)( *_t81 + 0x10))();
										if( *(_t162 - 0x24) == 0) {
											goto L26;
										}
										_t92 =  *(_t162 - 0x1c);
										 *0x1203278(_t92, L"Name", 0, _t162 - 0x38, 0, 0);
										 *((intOrPtr*)( *_t92 + 0x10))();
										_t105 = _t105 | E011F23F9( *((intOrPtr*)( *_t92 + 0x10))) & 0xffffff00 | _t95 != 0x00000000;
										__imp__#9(_t162 - 0x38,  *((intOrPtr*)(_t162 - 0x30)), L"Windows 10");
										_t98 =  *(_t162 - 0x1c);
										 *0x1203278(_t98);
										 *((intOrPtr*)( *((intOrPtr*)( *_t98 + 8))))();
										_t81 =  *(_t162 - 0x18);
										if(_t81 != 0) {
											continue;
										}
										goto L26;
									}
								}
								L26:
								_t82 =  *((intOrPtr*)(_t162 - 0x10));
								 *0x1203278(_t82);
								 *((intOrPtr*)( *((intOrPtr*)( *_t82 + 8))))();
								_t85 =  *((intOrPtr*)(_t162 - 0x14));
								 *0x1203278(_t85);
								 *((intOrPtr*)( *((intOrPtr*)( *_t85 + 8))))();
								_t127 =  *(_t162 - 0x18);
								 *0x1203278(_t127);
								 *((intOrPtr*)( *((intOrPtr*)( *_t127 + 8))))();
								_t70 = _t105;
							} else {
								goto L20;
							}
						}
					}
				} else {
					_t70 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t162 - 0xc));
				return _t70;
			}

0x011daf29
0x011daf38
0x011daf39
0x011daf3f
0x011daf41
0x011daf42
0x011daf43
0x011daf48
0x011daf53
0x011daf5c
0x011daf64
0x011daf6c
0x011daf6e
0x011daf73
0x011daf79
0x011daf75
0x011daf75
0x011daf75
0x011daf7b
0x011daf90
0x011daf96
0x011daf99
0x011daf9d
0x011daf9f
0x011dafa4
0x011dafa6
0x011dafa6
0x011dafad
0x011db05b
0x011db05b
0x011db066
0x011db06c
0x011db06e
0x011dafb3
0x011dafb3
0x011dafb4
0x011dafb5
0x011dafb7
0x011dafb9
0x011dafba
0x011dafbb
0x011dafbd
0x011dafc8
0x011db048
0x011db048
0x011db053
0x011db059
0x00000000
0x011dafca
0x011dafca
0x011dafd2
0x011dafd5
0x011dafdc
0x011dafe4
0x011dafe7
0x011dafec
0x011dafee
0x011daff4
0x011daffa
0x011daff6
0x011daff6
0x011daff6
0x011daffc
0x011db000
0x011db006
0x011db002
0x011db002
0x011db002
0x011db008
0x011db01a
0x011db020
0x011db023
0x011db026
0x011db02a
0x011db02c
0x011db031
0x011db031
0x011db034
0x011db038
0x011db03d
0x011db03f
0x011db03f
0x011db046
0x011db075
0x011db078
0x011db07b
0x011db080
0x011db084
0x011db096
0x011db09c
0x011db0a2
0x00000000
0x00000000
0x011db0a4
0x011db0b9
0x011db0bf
0x011db0d5
0x011db0dc
0x011db0e2
0x011db0ed
0x011db0f3
0x011db0f5
0x011db0fa
0x00000000
0x00000000
0x00000000
0x011db0fa
0x011db084
0x011db0fc
0x011db0fc
0x011db107
0x011db10d
0x011db10f
0x011db11a
0x011db120
0x011db122
0x011db12d
0x011db133
0x011db135
0x00000000
0x00000000
0x00000000
0x011db046
0x011dafc8
0x011daf55
0x011daf55
0x011daf55
0x011db13d
0x011db145

APIs

__EH_prolog.LIBCMT ref: 011DAF29

Strings

WQL, xrefs: 011DAFDC
ROOT\CIMV2, xrefs: 011DAF5C
Name, xrefs: 011DB0B0
SELECT * FROM Win32_OperatingSystem, xrefs: 011DAFCA
Windows 10, xrefs: 011DB0C2

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: cac4659d2d66f36c946bca1862e8ef5fd67d117c593444c109204cdd511ee211
Instruction ID: 862b97f6f97ca75d1d37beda1b964ce9af73b3338a017e6fa5d954a7e0e67014
Opcode Fuzzy Hash: cac4659d2d66f36c946bca1862e8ef5fd67d117c593444c109204cdd511ee211
Instruction Fuzzy Hash: 32718F71A00219EFDF19DFA9D899DAEBBB9FF49714B04025DE513A7290CB30AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 011ED78F Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E011ED78F(void* __ebp, char _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, intOrPtr _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, void* _a4164, signed short* _a4168, intOrPtr _a4172, intOrPtr _a4176) {
				long _v12;
				void* __edi;
				int _t47;
				signed int _t50;
				void* _t51;
				signed short* _t53;
				long _t64;
				signed int _t71;
				void* _t72;
				signed short _t73;
				int _t74;
				void* _t76;
				signed int _t77;
				intOrPtr _t78;
				char _t80;
				signed int _t81;
				void* _t82;
				void* _t84;
				signed int _t86;
				signed short* _t87;
				struct HWND__* _t88;
				void* _t89;
				void* _t92;

				_t89 = __ebp;
				_t47 = E011EEC50(0x1040);
				_t87 = _a4168;
				_t74 = 0;
				if( *_t87 == 0) {
					L54:
					return _t47;
				}
				_t47 = E011F3E13(_t87);
				if(_t47 >= 0x7f6) {
					goto L54;
				} else {
					_t80 = 0x3c;
					E011EFFF0(_t80,  &_a4, 0, _t80);
					_t78 = _a4176;
					_t92 = _t92 + 0xc;
					_a4 = _t80;
					_a8 = 0x1c0;
					if(_t78 != 0) {
						_a8 = 0x5c0;
					}
					_t50 =  *_t87 & 0x0000ffff;
					_push(_t89);
					_t76 = 0x22;
					_t81 = _t50;
					_t77 = _t74;
					if(_t50 != _t76) {
						_t90 = _t87;
						_a20 = _t87;
						goto L16;
					} else {
						_t90 =  &(_t87[1]);
						_a20 =  &(_t87[1]);
						L6:
						_t51 = 0x22;
						if(_t81 != _t51) {
							L13:
							_t82 = 0x20;
							_t53 =  &(( &(_t87[1]))[_t77]);
							if(_t87[_t77] == _t82) {
								_t87[_t77] = 0;
								L48:
								_a24 = _t53;
								L18:
								if(_t53 == 0 ||  *_t53 == _t74) {
									if(_t78 == 0 &&  *0x121b472 != _t74) {
										_a24 = 0x121b472;
									}
								}
								_a32 = _a4172;
								_t84 = E011DB92D(_t90);
								if(_t84 != 0 && E011E1FBB(_t84, L".inf") == 0) {
									_a16 = L"Install";
								}
								if(E011DA231(_a20) != 0) {
									E011DB6C4(_a20,  &_a64, 0x800);
									_a8 =  &_a52;
								}
								_t47 =  *0x1233078( &_a4);
								if(_t47 != 0) {
									_t88 = _a4160;
									if( *0x1219468 != _t74 || _a4172 != _t74 ||  *0x1227b7a != _t74) {
										if(_t88 != 0) {
											_push(_t88);
											if( *0x12330a8() != 0) {
												ShowWindow(_t88, _t74);
												_t74 = 1;
											}
										}
										 *0x12330a4(_a56, 0x7d0);
										E011EDC3B(_a48);
										if( *0x1227b7a != 0 && _a4164 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
											_t64 = _v12;
											if(_t64 >  *0x122fca4) {
												 *0x122fca4 = _t64;
											}
											 *0x1227b7b = 1;
										}
									}
									CloseHandle(_a48);
									if(_t84 == 0 || E011E1FBB(_t84, L".exe") != 0) {
										_t47 = _a4164;
										if( *0x1219468 != 0 && _t47 == 0 &&  *0x1227b7a == _t47) {
											 *0x122fca8 = 0x1b58;
										}
									} else {
										_t47 = _a4164;
									}
									if(_t74 != 0 && _t47 != 0) {
										_t47 = ShowWindow(_t88, 1);
									}
								}
								goto L54;
							}
							if( *_t53 == 0x2f) {
								goto L48;
							}
							_t77 = _t77 + 1;
							_t50 = _t87[_t77] & 0x0000ffff;
							_t81 = _t50;
							L16:
							if(_t50 != 0) {
								goto L6;
							}
							_t53 = _a24;
							goto L18;
						} else {
							while(1) {
								_t77 = _t77 + 1;
								_t71 = _t87[_t77] & 0x0000ffff;
								_t86 = _t71;
								if(_t71 == 0) {
									break;
								}
								_t72 = 0x22;
								if(_t86 == _t72) {
									_t73 = 0x20;
									_t87[_t77] = _t73;
									goto L13;
								}
							}
							goto L13;
						}
					}
				}
			}

0x011ed78f
0x011ed794
0x011ed79b
0x011ed7a2
0x011ed7a7
0x011ed9ea
0x011ed9f0
0x011ed9f0
0x011ed7ae
0x011ed7b9
0x00000000
0x011ed7bf
0x011ed7c2
0x011ed7ca
0x011ed7cf
0x011ed7d6
0x011ed7d9
0x011ed7dd
0x011ed7e7
0x011ed7e9
0x011ed7e9
0x011ed7f1
0x011ed7f4
0x011ed7f7
0x011ed7fb
0x011ed7fd
0x011ed7ff
0x011ed812
0x011ed814
0x00000000
0x011ed801
0x011ed801
0x011ed804
0x011ed808
0x011ed80a
0x011ed80e
0x011ed837
0x011ed839
0x011ed83d
0x011ed844
0x011ed9c2
0x011ed9c6
0x011ed9c6
0x011ed864
0x011ed866
0x011ed86f
0x011ed87a
0x011ed87a
0x011ed86f
0x011ed88a
0x011ed893
0x011ed898
0x011ed8a9
0x011ed8a9
0x011ed8bc
0x011ed8cc
0x011ed8d5
0x011ed8d5
0x011ed8de
0x011ed8e6
0x011ed8ec
0x011ed8f9
0x011ed90e
0x011ed910
0x011ed919
0x011ed91d
0x011ed923
0x011ed923
0x011ed919
0x011ed92e
0x011ed938
0x011ed944
0x011ed963
0x011ed96d
0x011ed96f
0x011ed96f
0x011ed974
0x011ed974
0x011ed944
0x011ed97f
0x011ed987
0x011ed99f
0x011ed9a6
0x011ed9b4
0x011ed9b4
0x011ed9cf
0x011ed9cf
0x011ed9cf
0x011ed9d8
0x011ed9e1
0x011ed9e1
0x011ed9d8
0x00000000
0x011ed9e7
0x011ed84e
0x00000000
0x00000000
0x011ed854
0x011ed855
0x011ed859
0x011ed85b
0x011ed85e
0x00000000
0x00000000
0x011ed860
0x00000000
0x011ed810
0x011ed822
0x011ed822
0x011ed823
0x011ed827
0x011ed82c
0x00000000
0x00000000
0x011ed81c
0x011ed820
0x011ed832
0x011ed833
0x00000000
0x011ed833
0x011ed820
0x00000000
0x011ed82e
0x011ed80e
0x011ed7ff

APIs

_wcslen.LIBCMT ref: 011ED7AE
ShowWindow.USER32(?,00000000), ref: 011ED91D
GetExitCodeProcess.KERNEL32 ref: 011ED959
CloseHandle.KERNEL32(?), ref: 011ED97F
ShowWindow.USER32(?,00000001), ref: 011ED9E1

Strings

.inf, xrefs: 011ED89A
.exe, xrefs: 011ED989

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ShowWindow$CloseCodeExitHandleProcess_wcslen
String ID: .exe$.inf
API String ID: 783751319-3750412487
Opcode ID: 98e67e34c39a1367259e30fc8df178a0a716945eea5eddc9ef5150090dceb1d6
Instruction ID: 154c912d7096d8d85728f1d36673b8e0a3bd6f0613cc9057f50bd6b1e6cd1974
Opcode Fuzzy Hash: 98e67e34c39a1367259e30fc8df178a0a716945eea5eddc9ef5150090dceb1d6
Instruction Fuzzy Hash: B251C171408B80AAEF39DFE8B84CBABBBF5AF42744F04041DEAC597195E7718584CB52

Uniqueness

Uniqueness Score: -1.00%

Function 011D9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135
fileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E011D9382() {
				void* _t32;
				short _t33;
				long _t35;
				void* _t40;
				short _t42;
				void* _t66;
				intOrPtr _t69;
				void* _t76;
				intOrPtr _t79;
				void* _t81;
				WCHAR* _t82;
				void* _t84;
				void* _t86;

				E011EEB78(0x12028b1, _t84);
				E011EEC50(0x503c);
				_t82 =  *(_t84 + 8);
				_t32 = _t84 - 0x4048;
				__imp__GetLongPathNameW(_t82, _t32, 0x800, _t76, _t81, _t66);
				if(_t32 == 0 || _t32 >= 0x800) {
					L20:
					_t33 = 0;
					__eflags = 0;
				} else {
					_t35 = GetShortPathNameW(_t82, _t84 - 0x5048, 0x800);
					if(_t35 == 0) {
						goto L20;
					} else {
						_t91 = _t35 - 0x800;
						if(_t35 >= 0x800) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t84 - 0x10)) = E011DC29A(_t91, _t84 - 0x4048);
							_t78 = E011DC29A(_t91, _t84 - 0x5048);
							_t69 = 0;
							if( *_t39 == 0) {
								goto L20;
							} else {
								_t40 = E011E1FBB( *((intOrPtr*)(_t84 - 0x10)), _t78);
								_t93 = _t40;
								if(_t40 == 0) {
									goto L20;
								} else {
									_t42 = E011E1FBB(E011DC29A(_t93, _t82), _t78);
									if(_t42 != 0) {
										goto L20;
									} else {
										 *(_t84 - 0x1010) = _t42;
										_t79 = 0;
										while(1) {
											_t95 = _t42;
											if(_t42 != 0) {
												break;
											}
											E011E0602(_t84 - 0x1010, _t82, 0x800);
											E011D4092(E011DC29A(_t95, _t84 - 0x1010), 0x800, L"rtmp%d", _t79);
											_t86 = _t86 + 0x10;
											if(E011DA231(_t84 - 0x1010) == 0) {
												_t42 =  *(_t84 - 0x1010);
											} else {
												_t42 = 0;
												 *(_t84 - 0x1010) = 0;
											}
											_t79 = _t79 + 0x7b;
											if(_t79 < 0x2710) {
												continue;
											} else {
												_t98 = _t42;
												if(_t42 == 0) {
													goto L20;
												} else {
													break;
												}
											}
											goto L21;
										}
										E011E0602(_t84 - 0x3048, _t82, 0x800);
										_push(0x800);
										E011DC310(_t98, _t84 - 0x3048,  *((intOrPtr*)(_t84 - 0x10)));
										if(MoveFileW(_t84 - 0x3048, _t84 - 0x1010) == 0) {
											goto L20;
										} else {
											E011D9556(_t84 - 0x2048);
											 *((intOrPtr*)(_t84 - 4)) = _t69;
											if(E011DA231(_t82) == 0) {
												_t69 = E011D966E(_t84 - 0x2048, _t82, 0x12);
											}
											MoveFileW(_t84 - 0x1010, _t84 - 0x3048);
											if(_t69 != 0) {
												E011D9620(_t84 - 0x2048);
												E011D974E(_t84 - 0x2048);
											}
											E011D959A(_t84 - 0x2048);
											_t33 = 1;
										}
									}
								}
							}
						}
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
				return _t33;
			}

0x011d9387
0x011d9391
0x011d9398
0x011d939b
0x011d93aa
0x011d93b2
0x011d9543
0x011d9543
0x011d9543
0x011d93c0
0x011d93c9
0x011d93d1
0x00000000
0x011d93d7
0x011d93d7
0x011d93d9
0x00000000
0x011d93df
0x011d93eb
0x011d93fa
0x011d93fc
0x011d9401
0x00000000
0x011d9407
0x011d940b
0x011d9410
0x011d9412
0x00000000
0x011d9418
0x011d9420
0x011d9427
0x00000000
0x011d942d
0x011d942d
0x011d9434
0x011d9436
0x011d9436
0x011d9439
0x00000000
0x00000000
0x011d9448
0x011d9465
0x011d946a
0x011d947b
0x011d9488
0x011d947d
0x011d947d
0x011d947f
0x011d947f
0x011d948f
0x011d9498
0x00000000
0x011d949a
0x011d949a
0x011d949d
0x00000000
0x00000000
0x00000000
0x00000000
0x011d949d
0x00000000
0x011d9498
0x011d94b1
0x011d94b6
0x011d94c1
0x011d94dc
0x00000000
0x011d94de
0x011d94e4
0x011d94ea
0x011d94f4
0x011d9504
0x011d9504
0x011d9514
0x011d951c
0x011d9524
0x011d952f
0x011d952f
0x011d953a
0x011d953f
0x011d953f
0x011d94dc
0x011d9427
0x011d9412
0x011d9401
0x011d93d9
0x011d93d1
0x011d9545
0x011d954b
0x011d9553

APIs

__EH_prolog.LIBCMT ref: 011D9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 011D93AA
GetShortPathNameW.KERNEL32 ref: 011D93C9

Part of subcall function 011DC29A: _wcslen.LIBCMT ref: 011DC2A2

Part of subcall function 011E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,011DC116,00000000,.exe,?,?,00000800,?,?,?,011E8E3C), ref: 011E1FD1

_swprintf.LIBCMT ref: 011D9465

Part of subcall function 011D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 011D40A5

MoveFileW.KERNEL32(?,?), ref: 011D94D4
MoveFileW.KERNEL32(?,?), ref: 011D9514

Strings

rtmp%d, xrefs: 011D944E

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 588522689fefa767f33175c47fefebc8b01c79820b24068f1bf16d86704ba0c4
Instruction ID: 1adbe6091a3fa8b2f2b3f46ed30618a3ea743f4acfe8f427b8a1a5b0ef935f10
Opcode Fuzzy Hash: 588522689fefa767f33175c47fefebc8b01c79820b24068f1bf16d86704ba0c4
Instruction Fuzzy Hash: 1541A77190125DAADF25EBA0CC54EDE777CBF55348F4048BAA609E3051DB388B89CF60

Uniqueness

Uniqueness Score: -1.00%

Function 011E9ED5 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E011E9ED5(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				struct tagRECT _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				intOrPtr _t33;
				intOrPtr _t34;
				struct HWND__* _t44;
				intOrPtr* _t52;
				void* _t60;
				WCHAR* _t67;
				struct HWND__* _t68;

				_t68 = _a8;
				_t52 = __ecx;
				 *(__ecx + 8) = _t68;
				 *((char*)(__ecx + 0x26)) = _a20;
				ShowWindow(_t68, 0);
				E011E9C04(_t52, _a4);
				if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
					L011F3E2E( *((intOrPtr*)(_t52 + 0x1c)));
				}
				if(_a12 != 0) {
					_push(_a12);
					_t33 = E011F7625(_t52, _t60);
				} else {
					_t33 = 0;
				}
				 *((intOrPtr*)(_t52 + 0x1c)) = _t33;
				if(_a16 != 0) {
					_push(_a16);
					_t34 = E011F7625(_t52, _t60);
				} else {
					_t34 = 0;
				}
				 *((intOrPtr*)(_t52 + 0x20)) = _t34;
				GetWindowRect(_t68,  &_v16);
				 *0x1233108(0,  *0x1233154(_t68,  &_v16, 2));
				if( *(_t52 + 4) != 0) {
					 *0x1233110( *(_t52 + 4));
				}
				_t40 = _v36;
				_t20 = _t40 + 1; // 0x1
				_t44 =  *0x1233118(0, L"RarHtmlClassName", 0, 0x40000000, _t20, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0x1233154(_t68, 0,  *_t52, _t52, _t60));
				 *(_t52 + 4) = _t44;
				if( *((intOrPtr*)(_t52 + 0x10)) != 0) {
					__eflags = _t44;
					if(_t44 != 0) {
						ShowWindow(_t44, 5);
						return  *0x123310c( *(_t52 + 4));
					}
				} else {
					if(_t68 != 0 &&  *((intOrPtr*)(_t52 + 0x20)) == 0) {
						_t78 =  *((intOrPtr*)(_t52 + 0x1c));
						if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
							_t44 = E011E9CFE(_t78,  *((intOrPtr*)(_t52 + 0x1c)));
							_t67 = _t44;
							if(_t67 != 0) {
								ShowWindow(_t68, 5);
								SetWindowTextW(_t68, _t67);
								return L011F3E2E(_t67);
							}
						}
					}
				}
				return _t44;
			}

0x011e9ede
0x011e9ee2
0x011e9ee8
0x011e9eeb
0x011e9eee
0x011e9efa
0x011e9f03
0x011e9f08
0x011e9f0d
0x011e9f13
0x011e9f19
0x011e9f1d
0x011e9f15
0x011e9f15
0x011e9f15
0x011e9f28
0x011e9f2b
0x011e9f31
0x011e9f35
0x011e9f2d
0x011e9f2d
0x011e9f2d
0x011e9f3b
0x011e9f44
0x011e9f5b
0x011e9f65
0x011e9f6a
0x011e9f6a
0x011e9f70
0x011e9f7e
0x011e9fab
0x011e9fb1
0x011e9fb8
0x011e9ff2
0x011e9ff4
0x011e9ff9
0x00000000
0x011ea002
0x011e9fba
0x011e9fbc
0x011e9fc3
0x011e9fc6
0x011e9fcd
0x011e9fd2
0x011e9fd6
0x011e9fdb
0x011e9fe3
0x00000000
0x011e9fef
0x011e9fd6
0x011e9fc6
0x011e9fbc
0x011ea00e

APIs

ShowWindow.USER32(?,00000000), ref: 011E9EEE
GetWindowRect.USER32(?,00000000), ref: 011E9F44
ShowWindow.USER32(?,00000005,00000000), ref: 011E9FDB
SetWindowTextW.USER32(?,00000000), ref: 011E9FE3
ShowWindow.USER32(00000000,00000005), ref: 011E9FF9

Strings

RarHtmlClassName, xrefs: 011E9FA5
w, xrefs: 011EA002

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName$w
API String ID: 3937224194-3518879347
Opcode ID: cd4db755060e7cded2332a89f3c5b7953afd98df460c215b31ed5f60a3a32505
Instruction ID: 1e706847f0363d895e542fc3c4f71937158e3bab9cc1b0db1736052071bcb18c
Opcode Fuzzy Hash: cd4db755060e7cded2332a89f3c5b7953afd98df460c215b31ed5f60a3a32505
Instruction Fuzzy Hash: A041BF32404214AFDB299FA8AC4CB2B7FF8FF48715F004559F9899A14ACB74D944CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011E1218 Relevance: 12.1, APIs: 8, Instructions: 125
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E011E1218(intOrPtr* __ecx, long __edx, void* __ebp, void* __eflags, signed int* _a4) {
				struct _SYSTEMTIME _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v56;
				struct _FILETIME _v64;
				intOrPtr* _v68;
				struct _FILETIME _v76;
				intOrPtr _v80;
				signed int _t78;
				long _t82;
				signed int _t87;
				signed int _t92;
				void* _t93;
				long _t94;
				signed int _t96;
				intOrPtr* _t97;
				intOrPtr* _t98;
				signed int* _t99;
				void* _t100;
				signed int _t101;

				_t100 = __ebp;
				_t94 = __edx;
				_t97 = __ecx;
				_v68 = __ecx;
				_v80 = E011EF1E0( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
				_v76.dwLowDateTime = _t94;
				if(E011DB146() >= 0x600) {
					FileTimeToSystemTime( &_v64,  &_v32);
					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
					SystemTimeToFileTime( &_v16,  &_v76);
					SystemTimeToFileTime( &_v32,  &_v56);
					asm("sbb ecx, [esp+0x24]");
					asm("sbb ecx, ebx");
					asm("adc ecx, ebx");
					_v76.dwLowDateTime = 0 - _v56.dwLowDateTime + _v76.dwLowDateTime + _v64.dwLowDateTime;
					asm("adc ecx, ebx");
					_v76.dwHighDateTime = _v76.dwHighDateTime + _v64.dwHighDateTime;
				} else {
					FileTimeToLocalFileTime( &_v64,  &_v76);
				}
				_push(_t100);
				FileTimeToSystemTime( &_v76,  &_v48);
				_t99 = _a4;
				_t92 = _v48.wDay & 0x0000ffff;
				_t101 = _v48.wMonth & 0x0000ffff;
				_t95 = _v48.wYear & 0x0000ffff;
				_t99[3] = _v48.wHour & 0x0000ffff;
				_t87 = _t92 - 1;
				_t99[4] = _v48.wMinute & 0x0000ffff;
				_t99[5] = _v48.wSecond & 0x0000ffff;
				_t99[7] = _v48.wDayOfWeek & 0x0000ffff;
				 *_t99 = _v48.wYear & 0x0000ffff;
				_t99[1] = _t101;
				_t99[2] = _t92;
				_t99[8] = _t87;
				_v76.dwLowDateTime = 1;
				if(_t101 > 1) {
					_t96 = _t87;
					_t98 = 0x120e1a8;
					_t93 = 4;
					while(1) {
						_t87 = _t96;
						if(_t93 > 0x30) {
							break;
						}
						_t93 = _t93 + 4;
						_t87 =  *_t98 + _t96;
						_t82 = _v76.dwLowDateTime + 1;
						_t99[8] = _t87;
						_t98 = _t98 + 4;
						_v76.dwLowDateTime = _t82;
						_t96 = _t87;
						if(_t82 < _t101) {
							continue;
						}
						break;
					}
					_t97 = _v68;
					_t95 = _v48.wYear & 0x0000ffff;
				}
				if(_t101 > 2 && E011E13A4(_t95) != 0) {
					_t99[8] = _t87 + 1;
				}
				_t78 = E011EF250( *_t97,  *((intOrPtr*)(_t97 + 4)), 0x3b9aca00, 0);
				_t99[6] = _t78;
				return _t78;
			}

0x011e1218
0x011e1218
0x011e121e
0x011e1225
0x011e1233
0x011e1237
0x011e1245
0x011e1263
0x011e1274
0x011e1284
0x011e1294
0x011e12a6
0x011e12ae
0x011e12b4
0x011e12ba
0x011e12be
0x011e12c0
0x011e1247
0x011e1251
0x011e1251
0x011e12c4
0x011e12cf
0x011e12d5
0x011e12de
0x011e12e3
0x011e12e8
0x011e12ed
0x011e12f5
0x011e12f8
0x011e1300
0x011e1308
0x011e130e
0x011e1310
0x011e1313
0x011e1316
0x011e1319
0x011e131f
0x011e1323
0x011e1325
0x011e132a
0x011e132b
0x011e132b
0x011e1330
0x00000000
0x00000000
0x011e1334
0x011e133b
0x011e133d
0x011e133e
0x011e1341
0x011e1344
0x011e1348
0x011e134c
0x00000000
0x00000000
0x00000000
0x011e134c
0x011e134e
0x011e1352
0x011e1352
0x011e135b
0x011e136a
0x011e136a
0x011e1379
0x011e137f
0x011e1387

APIs

__aulldiv.LIBCMT ref: 011E122E

Part of subcall function 011DB146: GetVersionExW.KERNEL32(?), ref: 011DB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 011E1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 011E1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 011E1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 011E1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 011E1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 011E12CF
__aullrem.LIBCMT ref: 011E1379

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 725521910e873f2c2b780f235dd85387bc4a15c38477168e69c07921bc88c15e
Instruction ID: 6db94744cdad68076d3525d7995691f2dd113382c49beda61cf12f1b99f613b3
Opcode Fuzzy Hash: 725521910e873f2c2b780f235dd85387bc4a15c38477168e69c07921bc88c15e
Instruction Fuzzy Hash: 674107B1508706AFC714DFA5D88896BFBF9FB88314F048A2EF596C2200E734E549CB52

Uniqueness

Uniqueness Score: -1.00%

Function 011D2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E011D2210(intOrPtr __ecx, signed int __edx, signed char _a3, signed char _a4, signed int _a5, signed int _a6, signed int _a7, signed char _a8, intOrPtr _a12, signed char _a16, intOrPtr _a20, char _a28, char _a36, char _a48, char _a52, char _a160, char _a172, intOrPtr _a8368, intOrPtr _a8372, intOrPtr _a8376) {
				char _v4;
				signed char _v5;
				char _v12;
				char _v16;
				signed char _t135;
				char _t138;
				signed int _t140;
				unsigned int _t141;
				signed int _t145;
				signed int _t162;
				signed int _t165;
				signed int _t176;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed int _t183;
				signed int _t186;
				signed int _t188;
				signed int _t189;
				signed char _t221;
				signed char _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr _t240;
				signed char _t244;
				intOrPtr _t247;
				signed char _t248;
				signed char _t263;
				signed int _t264;
				signed int _t266;
				intOrPtr _t273;
				intOrPtr _t276;
				intOrPtr _t279;
				intOrPtr _t306;
				intOrPtr _t311;
				signed int _t313;
				intOrPtr _t315;
				signed char _t318;
				char _t319;
				void* _t320;
				void* _t321;
				void* _t322;
				void* _t323;
				void* _t324;
				void* _t325;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				intOrPtr* _t334;
				signed int _t337;
				signed int _t338;
				intOrPtr _t340;
				void* _t341;
				signed int _t345;
				signed int _t348;
				signed int _t361;

				_t313 = __edx;
				E011EEC50(0x20ac);
				_t315 = _a8368;
				_a12 = __ecx;
				_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _a8372;
				if(_t135 <  *(_t315 + 0x1c)) {
					L96:
					return _t135;
				}
				 *(_t315 + 0x1c) = _t135;
				if(_a8372 >= 2) {
					_t240 = _a8376;
					while(1) {
						_t135 = E011DCCFB();
						_t244 = _t135;
						_t345 = _t313;
						if(_t345 < 0 || _t345 <= 0 && _t244 == 0) {
							break;
						}
						_t318 =  *(_t315 + 0x1c);
						_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _t318;
						if(_t135 == 0) {
							break;
						}
						_t348 = _t313;
						if(_t348 > 0 || _t348 >= 0 && _t244 > _t135) {
							break;
						} else {
							_a8 = _t318 + _t244;
							_t138 = E011DCCFB();
							_t337 = _t313;
							_t319 = _t138;
							_t313 = _a8;
							_t247 = _t313 -  *(_t315 + 0x1c);
							_a20 = _t247;
							if( *((intOrPtr*)(_t240 + 4)) == 1 && _t319 == 1 && _t337 == 0) {
								 *((char*)(_t240 + 0x1e)) = _t138;
								_t234 = E011DCCFB();
								_a16 = _t234;
								if((_t234 & 0x00000001) != 0) {
									_t237 = E011DCCFB();
									if((_t237 | _t313) != 0) {
										_t311 = _a12;
										asm("adc ecx, edx");
										 *((intOrPtr*)(_t240 + 0x20)) = _t237 +  *((intOrPtr*)(_t311 + 0x6cb8));
										 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)(_t311 + 0x6cbc));
									}
									_t234 = _a16;
								}
								if((_t234 & 0x00000002) != 0) {
									_t235 = E011DCCFB();
									if((_t235 | _t313) != 0) {
										_t306 = _a12;
										asm("adc ecx, edx");
										 *((intOrPtr*)(_t240 + 0x30)) = _t235 +  *((intOrPtr*)(_t306 + 0x6cb8));
										 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)(_t306 + 0x6cbc));
									}
								}
								_t247 = _a20;
								_t313 = _a8;
							}
							if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
								_t361 = _t337;
								if(_t361 > 0 || _t361 >= 0 && _t319 > 7) {
									goto L94;
								} else {
									_t320 = _t319 - 1;
									if(_t320 == 0) {
										_t140 = E011DCCFB();
										__eflags = _t140;
										if(_t140 == 0) {
											_t141 = E011DCCFB();
											 *(_t240 + 0x10c1) = _t141 & 0x00000001;
											 *(_t240 + 0x10ca) = _t141 >> 0x00000001 & 0x00000001;
											_t145 = E011DCBAF(_t315) & 0x000000ff;
											 *(_t240 + 0x10ec) = _t145;
											__eflags = _t145 - 0x18;
											if(_t145 > 0x18) {
												E011D4092( &_a28, 0x14, L"xc%u", _t145);
												_t341 = _t341 + 0x10;
												E011D403D(_a12, _t240 + 0x28,  &_a28);
											}
											E011DCC5D(_t315, _t240 + 0x10a1, 0x10);
											E011DCC5D(_t315, _t240 + 0x10b1, 0x10);
											__eflags =  *(_t240 + 0x10c1);
											if( *(_t240 + 0x10c1) != 0) {
												_t321 = _t240 + 0x10c2;
												E011DCC5D(_t315, _t321, 8);
												E011DCC5D(_t315,  &_a16, 4);
												E011E0016( &_a52);
												_push(8);
												_push(_t321);
												_push( &_a48);
												E011E005C();
												_push( &_v4);
												E011DFF33( &_a36);
												_t162 = E011F0C4A( &_v16,  &_v12, 4);
												_t341 = _t341 + 0xc;
												asm("sbb al, al");
												__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
												 *(_t240 + 0x10c1) =  ~_t162 + 1;
												if( *((intOrPtr*)(_t240 + 4)) == 3) {
													_t165 = E011F0C4A(_t321, 0x12036a8, 8);
													_t341 = _t341 + 0xc;
													__eflags = _t165;
													if(_t165 == 0) {
														 *(_t240 + 0x10c1) = _t165;
													}
												}
											}
											 *((char*)(_t240 + 0x10a0)) = 1;
											 *((intOrPtr*)(_t240 + 0x109c)) = 5;
											 *((char*)(_t240 + 0x109b)) = 1;
										} else {
											E011D4092( &_a28, 0x14, L"x%u", _t140);
											_t341 = _t341 + 0x10;
											E011D403D(_a12, _t240 + 0x28,  &_a28);
										}
										goto L94;
									}
									_t322 = _t320 - 1;
									if(_t322 == 0) {
										_t176 = E011DCCFB();
										__eflags = _t176;
										if(_t176 != 0) {
											goto L94;
										}
										_push(0x20);
										 *((intOrPtr*)(_t240 + 0x1070)) = 3;
										_push(_t240 + 0x1074);
										L37:
										E011DCC5D(_t315);
										goto L94;
									}
									_t323 = _t322 - 1;
									if(_t323 == 0) {
										__eflags = _t247 - 5;
										if(_t247 < 5) {
											goto L94;
										}
										_t179 = E011DCCFB();
										_a3 = _t179;
										_t180 = _t179 & 0x00000001;
										_t263 = _a3;
										_a4 = _t180;
										_t313 = _t263 & 0x00000002;
										__eflags = _t313;
										_a5 = _t313;
										if(_t313 != 0) {
											_t279 = _t315;
											__eflags = _t180;
											if(__eflags == 0) {
												E011E15BB(_t240 + 0x1040, E011DCC3D(_t279, __eflags), _t313);
											} else {
												E011E158F(_t240 + 0x1040, E011DCBFB(_t279), 0);
											}
											_t263 = _a3;
											_t180 = _a4;
										}
										_t264 = _t263 & 0x00000004;
										__eflags = _t264;
										_a6 = _t264;
										if(_t264 != 0) {
											_t326 = _t240 + 0x1048;
											_t276 = _t315;
											__eflags = _t180;
											if(__eflags == 0) {
												E011E15BB(_t326, E011DCC3D(_t276, __eflags), _t313);
											} else {
												E011E158F(_t326, E011DCBFB(_t276), 0);
											}
										}
										_t181 = _a3;
										_t266 = _t181 & 0x00000008;
										__eflags = _t266;
										_a7 = _t266;
										if(_t266 == 0) {
											__eflags = _a4;
											if(_a4 == 0) {
												goto L94;
											}
											goto L72;
										} else {
											__eflags = _a4;
											_t325 = _t240 + 0x1050;
											_t273 = _t315;
											if(__eflags == 0) {
												E011E15BB(_t325, E011DCC3D(_t273, __eflags), _t313);
												goto L94;
											}
											E011E158F(_t325, E011DCBFB(_t273), 0);
											_t181 = _v5;
											L72:
											__eflags = _t181 & 0x00000010;
											if((_t181 & 0x00000010) != 0) {
												__eflags = _a5;
												if(_a5 == 0) {
													_t338 = 0x3fffffff;
													_t324 = 0x3b9aca00;
												} else {
													_t188 = E011DCBFB(_t315);
													_t338 = 0x3fffffff;
													_t324 = 0x3b9aca00;
													_t189 = _t188 & 0x3fffffff;
													__eflags = _t189 - 0x3b9aca00;
													if(_t189 < 0x3b9aca00) {
														E011E1208(_t240 + 0x1040, _t189, 0);
													}
												}
												__eflags = _a6;
												if(_a6 != 0) {
													_t186 = E011DCBFB(_t315) & _t338;
													__eflags = _t186 - _t324;
													if(_t186 < _t324) {
														E011E1208(_t240 + 0x1048, _t186, 0);
													}
												}
												__eflags = _a7;
												if(_a7 != 0) {
													_t183 = E011DCBFB(_t315) & _t338;
													__eflags = _t183 - _t324;
													if(_t183 < _t324) {
														E011E1208(_t240 + 0x1050, _t183, 0);
													}
												}
											}
											goto L94;
										}
									}
									_t327 = _t323 - 1;
									if(_t327 == 0) {
										__eflags = _t247 - 1;
										if(_t247 >= 1) {
											E011DCCFB();
											__eflags = E011DCCFB();
											if(__eflags != 0) {
												 *((char*)(_t240 + 0x10f3)) = 1;
												E011D4092( &_a28, 0x14, L";%u", _t204);
												_t341 = _t341 + 0x10;
												E011E05DA(__eflags, _t240 + 0x28,  &_a28, 0x800);
											}
										}
										goto L94;
									}
									_t328 = _t327 - 1;
									if(_t328 == 0) {
										 *((intOrPtr*)(_t240 + 0x1100)) = E011DCCFB();
										 *(_t240 + 0x2104) = E011DCCFB() & 0x00000001;
										_t329 = E011DCCFB();
										_a172 = 0;
										__eflags = _t329 - 0x1fff;
										if(_t329 < 0x1fff) {
											E011DCC5D(_t315,  &_a172, _t329);
											 *((char*)(_t341 + _t329 + 0xbc)) = 0;
										}
										E011DC335( &_a172,  &_a172, 0x2000);
										_push(0x800);
										_push(_t240 + 0x1104);
										_push( &_a160);
										E011E1C3B();
										goto L94;
									}
									_t330 = _t328 - 1;
									if(_t330 == 0) {
										_t221 = E011DCCFB();
										_a16 = _t221;
										_t339 = _t240 + 0x2108;
										 *(_t240 + 0x2106) = _t221 >> 0x00000002 & 0x00000001;
										 *(_t240 + 0x2107) = _t221 >> 0x00000003 & 0x00000001;
										 *((char*)(_t240 + 0x2208)) = 0;
										 *((char*)(_t240 + 0x2108)) = 0;
										__eflags = _t221 & 0x00000001;
										if((_t221 & 0x00000001) != 0) {
											_t332 = E011DCCFB();
											__eflags = _t332 - 0xff;
											if(_t332 >= 0xff) {
												_t332 = 0xff;
											}
											E011DCC5D(_t315, _t339, _t332);
											_t221 = _a8;
											 *((char*)(_t332 + _t240 + 0x2108)) = 0;
										}
										__eflags = _t221 & 0x00000002;
										if((_t221 & 0x00000002) != 0) {
											_t331 = E011DCCFB();
											__eflags = _t331 - 0xff;
											if(_t331 >= 0xff) {
												_t331 = 0xff;
											}
											E011DCC5D(_t315, _t240 + 0x2208, _t331);
											 *((char*)(_t331 + _t240 + 0x2208)) = 0;
										}
										__eflags =  *(_t240 + 0x2106);
										if( *(_t240 + 0x2106) != 0) {
											 *((intOrPtr*)(_t240 + 0x2308)) = E011DCCFB();
										}
										__eflags =  *(_t240 + 0x2107);
										if( *(_t240 + 0x2107) != 0) {
											 *((intOrPtr*)(_t240 + 0x230c)) = E011DCCFB();
										}
										 *((char*)(_t240 + 0x2105)) = 1;
										goto L94;
									}
									if(_t330 != 1) {
										goto L94;
									}
									_t340 = _t247;
									if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t315 + 0x18)) - _t313 == 1) {
										_t340 = _t247 + 1;
									}
									_t334 = _t240 + 0x1028;
									E011D20BD(_t334, _t340);
									_push(_t340);
									_push( *_t334);
									goto L37;
								}
							} else {
								L94:
								_t248 = _a8;
								 *(_t315 + 0x1c) = _t248;
								_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _t248;
								if(_t135 >= 2) {
									continue;
								}
								break;
							}
						}
					}
				}
			}

0x011d2210
0x011d2215
0x011d221b
0x011d2222
0x011d2229
0x011d2233
0x011d2862
0x011d2868
0x011d2868
0x011d2241
0x011d2244
0x011d224b
0x011d2254
0x011d2256
0x011d225b
0x011d225d
0x011d225f
0x00000000
0x00000000
0x011d2272
0x011d2275
0x011d2277
0x00000000
0x00000000
0x011d227d
0x011d227f
0x00000000
0x011d228f
0x011d2294
0x011d2298
0x011d229d
0x011d229f
0x011d22a1
0x011d22a7
0x011d22ae
0x011d22b2
0x011d22bf
0x011d22c2
0x011d22c7
0x011d22cd
0x011d22d1
0x011d22da
0x011d22dc
0x011d22ec
0x011d22ee
0x011d22f1
0x011d22f1
0x011d22f4
0x011d22f4
0x011d22fa
0x011d22fe
0x011d2307
0x011d2309
0x011d2319
0x011d231b
0x011d231e
0x011d231e
0x011d2307
0x011d2321
0x011d2325
0x011d2325
0x011d232d
0x011d2339
0x011d233b
0x00000000
0x011d234c
0x011d234c
0x011d234f
0x011d26f3
0x011d26f8
0x011d26fa
0x011d272a
0x011d2738
0x011d2740
0x011d274b
0x011d274e
0x011d2754
0x011d2757
0x011d2766
0x011d2773
0x011d277b
0x011d277b
0x011d278b
0x011d279b
0x011d27a0
0x011d27a7
0x011d27af
0x011d27b8
0x011d27c6
0x011d27d0
0x011d27d5
0x011d27d7
0x011d27dc
0x011d27dd
0x011d27e6
0x011d27ec
0x011d27fd
0x011d2802
0x011d2807
0x011d280b
0x011d280f
0x011d2815
0x011d281f
0x011d2824
0x011d2827
0x011d2829
0x011d282b
0x011d282b
0x011d2829
0x011d2815
0x011d2831
0x011d2838
0x011d2842
0x011d26fc
0x011d2709
0x011d2716
0x011d271e
0x011d271e
0x00000000
0x011d26fa
0x011d2355
0x011d2358
0x011d26cc
0x011d26d1
0x011d26d3
0x00000000
0x00000000
0x011d26d9
0x011d26e1
0x011d26eb
0x011d23ad
0x011d23af
0x00000000
0x011d23af
0x011d235e
0x011d2361
0x011d2556
0x011d2559
0x00000000
0x00000000
0x011d2561
0x011d2566
0x011d256a
0x011d256c
0x011d2572
0x011d2576
0x011d2576
0x011d2579
0x011d257d
0x011d257f
0x011d2581
0x011d2583
0x011d25a7
0x011d2585
0x011d2593
0x011d2593
0x011d25ac
0x011d25b0
0x011d25b0
0x011d25b4
0x011d25b4
0x011d25b7
0x011d25bb
0x011d25bd
0x011d25c3
0x011d25c5
0x011d25c7
0x011d25e3
0x011d25c9
0x011d25d3
0x011d25d3
0x011d25c7
0x011d25e8
0x011d25ee
0x011d25ee
0x011d25f1
0x011d25f5
0x011d262e
0x011d2633
0x00000000
0x00000000
0x00000000
0x011d25f7
0x011d25f7
0x011d25fc
0x011d2602
0x011d2604
0x011d2624
0x00000000
0x011d2624
0x011d2610
0x011d2615
0x011d2639
0x011d2639
0x011d263b
0x011d2641
0x011d2646
0x011d266f
0x011d2674
0x011d2648
0x011d264a
0x011d264f
0x011d2654
0x011d2659
0x011d265b
0x011d265d
0x011d2668
0x011d2668
0x011d265d
0x011d2679
0x011d267e
0x011d2687
0x011d2689
0x011d268b
0x011d2696
0x011d2696
0x011d268b
0x011d269b
0x011d26a0
0x011d26ad
0x011d26af
0x011d26b1
0x011d26c0
0x011d26c0
0x011d26b1
0x011d26a0
0x00000000
0x011d263b
0x011d25f5
0x011d2367
0x011d236a
0x011d2503
0x011d2506
0x011d250e
0x011d251a
0x011d251c
0x011d252c
0x011d2536
0x011d253b
0x011d254c
0x011d254c
0x011d251c
0x00000000
0x011d2506
0x011d2370
0x011d2373
0x011d248e
0x011d249d
0x011d24a8
0x011d24aa
0x011d24b2
0x011d24b8
0x011d24c5
0x011d24ca
0x011d24ca
0x011d24e0
0x011d24e5
0x011d24f0
0x011d24f8
0x011d24f9
0x00000000
0x011d24f9
0x011d2379
0x011d237c
0x011d23bb
0x011d23c2
0x011d23c9
0x011d23d2
0x011d23e0
0x011d23e6
0x011d23ed
0x011d23f1
0x011d23f3
0x011d23fc
0x011d2403
0x011d2405
0x011d2407
0x011d2407
0x011d240d
0x011d2412
0x011d2416
0x011d2416
0x011d241e
0x011d2420
0x011d2429
0x011d2430
0x011d2432
0x011d2434
0x011d2434
0x011d2440
0x011d2445
0x011d2445
0x011d244d
0x011d2454
0x011d245d
0x011d245d
0x011d2463
0x011d246a
0x011d2473
0x011d2473
0x011d2479
0x00000000
0x011d2479
0x011d2381
0x00000000
0x00000000
0x011d238b
0x011d238d
0x011d2399
0x011d2399
0x011d239c
0x011d23a5
0x011d23aa
0x011d23ab
0x00000000
0x011d23ab
0x011d2849
0x011d2849
0x011d2849
0x011d284d
0x011d2853
0x011d2858
0x00000000
0x00000000
0x00000000
0x011d2858
0x011d232d
0x011d227f
0x011d2860

APIs

_swprintf.LIBCMT ref: 011D2536

Part of subcall function 011D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 011D40A5

Part of subcall function 011E05DA: _wcslen.LIBCMT ref: 011E05E0

Strings

xc%u, xrefs: 011D275A
x%u, xrefs: 011D26FD
;%u, xrefs: 011D2523

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: d4fabe2bc4cd8c04bc938f27f5e2f90aa186a68690ad57dbbfdc1ac4dc3167c2
Instruction ID: a7cf9be80c401baedf22521c2df68dc1aa3e39ba336359223c7edf6e83e32b5b
Opcode Fuzzy Hash: d4fabe2bc4cd8c04bc938f27f5e2f90aa186a68690ad57dbbfdc1ac4dc3167c2
Instruction Fuzzy Hash: 4DF190716083425BDB1DDF2884D4BFE7BD66FA5304F08097DEE969B282CB709445C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 011E9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E011E9CFE(void* __eflags, signed short* _a4) {
				signed int* _v4;
				intOrPtr _v8;
				void* __ecx;
				signed int* _t17;
				signed int _t18;
				void* _t21;
				void* _t22;
				void* _t24;
				signed short _t25;
				void* _t26;
				signed int _t27;
				signed int _t28;
				signed short* _t29;
				void* _t30;
				signed int _t31;
				signed int _t32;
				void* _t33;
				signed int _t36;
				void* _t38;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed short _t45;
				signed int _t47;
				short _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				signed short* _t53;
				signed int* _t55;
				short* _t56;
				short* _t57;
				signed short* _t58;
				signed int* _t59;
				intOrPtr _t60;
				signed int* _t77;

				_t58 = _a4;
				_push(2 + E011F3E13(_t58) * 2);
				_t17 = E011F3E33(_t38);
				_t59 = _t17;
				_v4 = _t59;
				if(_t59 == 0) {
					return _t17;
				}
				_t18 = E011E95AA(_t58);
				_t42 =  *_t58 & 0x0000ffff;
				_t36 = _t18;
				_t55 = _t59;
				if(_t42 == 0) {
					L47:
					return _t59;
				} else {
					_push(0xd);
					_push(0x20);
					_v8 = 0x3e;
					do {
						_t43 = _t42 & 0x0000ffff;
						while(_t43 != 0x3c) {
							if(_t36 == 0) {
								L11:
								_t36 = 0;
								__eflags = 0;
								if(0 == 0) {
									L20:
									_t27 =  *_t58 & 0x0000ffff;
									__eflags = _t27;
									if(__eflags == 0) {
										L27:
										_t28 =  *_t58 & 0x0000ffff;
										_t52 = 0x20;
										_t43 = _t28;
										_t72 = _t28;
										_t26 = 0xd;
										if(_t28 != 0) {
											continue;
										}
										break;
									}
									__eflags = _t27 - _t52;
									if(__eflags != 0) {
										L24:
										 *_t55 = _t27;
										L25:
										_t55 =  &(_t55[0]);
										L26:
										_t58 =  &(_t58[1]);
										goto L27;
									}
									__eflags = _t55 - _t59;
									if(__eflags == 0) {
										goto L24;
									}
									__eflags =  *((intOrPtr*)(_t55 - 2)) - _t52;
									if(__eflags == 0) {
										goto L26;
									}
									goto L24;
								}
								__eflags = _t43 - 0x26;
								if(_t43 != 0x26) {
									goto L20;
								}
								_t29 = 0;
								__eflags = 0;
								do {
									_t53 = _t29 + _t58;
									_t47 =  *_t53 & 0x0000ffff;
									__eflags = _t47;
									if(_t47 == 0) {
										break;
									}
									__eflags = _t47 - 0x3b;
									if(_t47 == 0x3b) {
										_t8 =  &(_t53[1]); // 0x22
										_t58 = _t8;
										_t36 = 1;
									}
									_t29 = _t29 + 2;
									__eflags = _t29 - 0x28;
								} while (_t29 < 0x28);
								__eflags = _t36;
								if(__eflags != 0) {
									goto L27;
								}
								_t52 = 0x20;
								goto L20;
							}
							if(_t43 == _t26) {
								L8:
								if(_t55 == _t59 ||  *((intOrPtr*)(_t55 - 2)) != _t52) {
									 *_t55 = _t52;
									goto L25;
								} else {
									goto L26;
								}
							}
							_t30 = 0xa;
							if(_t43 != _t30) {
								goto L11;
							}
							goto L8;
						}
						_t21 = E011E1FDD(_t72, _t58, L"</p>", 4);
						_t36 = _t36 & 0xffffff00 | _t21 == 0x00000000;
						_t74 = _t21;
						if(_t21 == 0 || E011E1FDD(_t74, _t58, L"<br>", 4) == 0) {
							_t44 = 0xd;
							_t22 = 2;
							 *_t55 = _t44;
							_t56 = _t55 + _t22;
							_t49 = 0xa;
							 *_t56 = _t49;
							_t55 = _t56 + _t22;
							if(_t36 != 0) {
								 *_t55 = _t44;
								_t57 = _t55 + _t22;
								 *_t57 = _t49;
								_t55 = _t57 + _t22;
								_t77 = _t55;
							}
						}
						 *_t55 = 0;
						_t24 = E011E1FDD(_t77, _t58, L"<style>", 7);
						_t45 =  *_t58 & 0x0000ffff;
						_t50 = _t45;
						if(_t24 != 0) {
							_t51 = _t45;
							__eflags = _t45;
							if(_t45 == 0) {
								L44:
								_t25 = _t51 & 0x0000ffff;
								__eflags = _t51 - _v8;
								if(__eflags == 0) {
									_t58 =  &(_t58[1]);
									__eflags = _t58;
									_t25 =  *_t58 & 0x0000ffff;
								}
								goto L46;
							}
							_t60 = _v8;
							while(1) {
								_t51 = _t45 & 0x0000ffff;
								__eflags = _t45 - _t60;
								if(_t45 == _t60) {
									break;
								}
								_t58 =  &(_t58[1]);
								_t31 =  *_t58 & 0x0000ffff;
								_t45 = _t31;
								_t51 = _t31;
								__eflags = _t31;
								if(_t31 != 0) {
									continue;
								}
								break;
							}
							_t59 = _v4;
							goto L44;
						} else {
							_t32 = _t50;
							_t79 = _t45;
							if(_t45 == 0) {
								L38:
								_t25 = _t32 & 0x0000ffff;
								goto L46;
							} else {
								goto L34;
							}
							while(1) {
								L34:
								_t33 = E011E1FDD(_t79, _t58, L"</style>", 8);
								_t58 =  &(_t58[1]);
								if(_t33 == 0) {
									break;
								}
								_t32 =  *_t58 & 0x0000ffff;
								if(_t32 != 0) {
									continue;
								}
								goto L38;
							}
							_t58 =  &(_t58[7]);
							__eflags = _t58;
							_t32 =  *_t58 & 0x0000ffff;
							goto L38;
						}
						L46:
						_t52 = 0x20;
						_t42 = _t25 & 0x0000ffff;
						_t26 = 0xd;
					} while (_t25 != 0);
					goto L47;
				}
			}

0x011e9d02
0x011e9d16
0x011e9d17
0x011e9d1c
0x011e9d1e
0x011e9d26
0x011e9ecb
0x011e9ecb
0x011e9d30
0x011e9d35
0x011e9d38
0x011e9d3a
0x011e9d3f
0x011e9ec3
0x00000000
0x011e9d45
0x011e9d45
0x011e9d48
0x011e9d4b
0x011e9d53
0x011e9d53
0x011e9d56
0x011e9d62
0x011e9d80
0x011e9d80
0x011e9d82
0x011e9d84
0x011e9db2
0x011e9db2
0x011e9db5
0x011e9db8
0x011e9dd2
0x011e9dd2
0x011e9dd7
0x011e9dda
0x011e9ddc
0x011e9ddf
0x011e9de0
0x00000000
0x00000000
0x00000000
0x011e9de0
0x011e9dba
0x011e9dbd
0x011e9dc9
0x011e9dc9
0x011e9dcc
0x011e9dcc
0x011e9dcf
0x011e9dcf
0x00000000
0x011e9dcf
0x011e9dbf
0x011e9dc1
0x00000000
0x00000000
0x011e9dc3
0x011e9dc7
0x00000000
0x00000000
0x00000000
0x011e9dc7
0x011e9d86
0x011e9d8a
0x00000000
0x00000000
0x011e9d8c
0x011e9d8c
0x011e9d8e
0x011e9d8e
0x011e9d91
0x011e9d94
0x011e9d97
0x00000000
0x00000000
0x011e9d99
0x011e9d9c
0x011e9d9e
0x011e9d9e
0x011e9da1
0x011e9da1
0x011e9da3
0x011e9da6
0x011e9da6
0x011e9dab
0x011e9dad
0x00000000
0x00000000
0x011e9db1
0x00000000
0x011e9db1
0x011e9d67
0x011e9d71
0x011e9d73
0x011e9d7b
0x00000000
0x00000000
0x00000000
0x00000000
0x011e9d73
0x011e9d6b
0x011e9d6f
0x00000000
0x00000000
0x00000000
0x011e9d6f
0x011e9dee
0x011e9df5
0x011e9df8
0x011e9dfa
0x011e9e0f
0x011e9e12
0x011e9e13
0x011e9e16
0x011e9e1a
0x011e9e1b
0x011e9e1e
0x011e9e22
0x011e9e24
0x011e9e27
0x011e9e29
0x011e9e2c
0x011e9e2c
0x011e9e2c
0x011e9e22
0x011e9e38
0x011e9e3b
0x011e9e40
0x011e9e43
0x011e9e47
0x011e9e7b
0x011e9e7d
0x011e9e80
0x011e9ea1
0x011e9ea1
0x011e9ea4
0x011e9ea9
0x011e9eab
0x011e9eab
0x011e9eae
0x011e9eae
0x00000000
0x011e9ea9
0x011e9e82
0x011e9e86
0x011e9e86
0x011e9e89
0x011e9e8c
0x00000000
0x00000000
0x011e9e8e
0x011e9e91
0x011e9e94
0x011e9e96
0x011e9e98
0x011e9e9b
0x00000000
0x00000000
0x00000000
0x011e9e9b
0x011e9e9d
0x00000000
0x011e9e49
0x011e9e49
0x011e9e4b
0x011e9e4e
0x011e9e76
0x011e9e76
0x00000000
0x00000000
0x00000000
0x00000000
0x011e9e50
0x011e9e50
0x011e9e58
0x011e9e5d
0x011e9e62
0x00000000
0x00000000
0x011e9e64
0x011e9e6c
0x00000000
0x00000000
0x00000000
0x011e9e6e
0x011e9e70
0x011e9e70
0x011e9e73
0x00000000
0x011e9e73
0x011e9eb1
0x011e9eb3
0x011e9eb6
0x011e9ebc
0x011e9ebc
0x00000000
0x011e9d53

APIs

_wcslen.LIBCMT ref: 011E9D0A

Strings

<br>, xrefs: 011E9DFE
</style>, xrefs: 011E9E52
</p>, xrefs: 011E9DE8
<style>, xrefs: 011E9E30
>, xrefs: 011E9D4B

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: fa6afcbb8cb62740eb209b36452d2c0c481c0958d4c9b124c08597edcd5f6e9d
Instruction ID: b4466a82f368c9185f98848763de6f667108fa394bc283b0262b7edff098c6d0
Opcode Fuzzy Hash: fa6afcbb8cb62740eb209b36452d2c0c481c0958d4c9b124c08597edcd5f6e9d
Instruction Fuzzy Hash: 17519E56700B7B95EB3C6ADD9C1977A73E0EFA0658F58051AEFC18B1C1FB6688808361

Uniqueness

Uniqueness Score: -1.00%

Function 011FF68D Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E011FF68D(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t92;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t115;
				signed int _t117;
				signed char _t122;
				signed char _t127;
				signed int _t128;
				signed char* _t129;
				intOrPtr* _t130;
				signed int _t131;
				void* _t132;

				_t78 =  *0x120e7ac; // 0xc166b63b
				_v8 = _t78 ^ _t131;
				_t80 = _a8;
				_t117 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t129 = _a12;
				_v52 = _t129;
				_v48 = _t117;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x1232290 + _t117 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t129;
				_t86 = GetConsoleCP();
				_t130 = _a4;
				_v60 = _t86;
				 *_t130 = 0;
				 *((intOrPtr*)(_t130 + 4)) = 0;
				 *((intOrPtr*)(_t130 + 8)) = 0;
				while(_t129 < _v40) {
					_v28 = 0;
					_v31 =  *_t129;
					_t128 =  *(0x1232290 + _v48 * 4);
					_t122 =  *(_t128 + _t115 + 0x2d);
					if((_t122 & 0x00000004) == 0) {
						_t92 = E011FA767(_t115, _t128);
						_t128 = 0x8000;
						if(( *(_t92 + ( *_t129 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t129);
							goto L8;
						} else {
							if(_t129 >= _v40) {
								_t128 = _v48;
								 *((char*)( *((intOrPtr*)(0x1232290 + _t128 * 4)) + _t115 + 0x2e)) =  *_t129;
								 *( *((intOrPtr*)(0x1232290 + _t128 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x1232290 + _t128 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t130 + 4)) =  *((intOrPtr*)(_t130 + 4)) + 1;
							} else {
								_t112 = E011F930D( &_v28, _t129, 2);
								_t132 = _t132 + 0xc;
								if(_t112 != 0xffffffff) {
									_t129 =  &(_t129[1]);
									goto L9;
								}
							}
						}
					} else {
						_t127 = _t122 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t128 + _t115 + 0x2e));
						_push(2);
						_v15 = _t127;
						 *(_t128 + _t115 + 0x2d) = _t127;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E011F930D();
						_t132 = _t132 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t129 =  &(_t129[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t130 = GetLastError();
								} else {
									 *((intOrPtr*)(_t130 + 4)) =  *((intOrPtr*)(_t130 + 8)) - _v52 + _t129;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t130 + 8)) =  *((intOrPtr*)(_t130 + 8)) + 1;
													 *((intOrPtr*)(_t130 + 4)) =  *((intOrPtr*)(_t130 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E011EFBBC(_t130, _t115, _v8 ^ _t131, _t128, _t129, _t130);
			}

0x011ff695
0x011ff69c
0x011ff69f
0x011ff6a7
0x011ff6ab
0x011ff6b7
0x011ff6ba
0x011ff6bd
0x011ff6c4
0x011ff6cc
0x011ff6cf
0x011ff6d5
0x011ff6db
0x011ff6e0
0x011ff6e2
0x011ff6e5
0x011ff6ea
0x011ff6f4
0x011ff6fb
0x011ff6fe
0x011ff705
0x011ff70c
0x011ff727
0x011ff72f
0x011ff738
0x011ff75e
0x011ff760
0x00000000
0x011ff73a
0x011ff73d
0x011ff804
0x011ff810
0x011ff81b
0x011ff820
0x011ff743
0x011ff74a
0x011ff74f
0x011ff755
0x011ff75b
0x00000000
0x011ff75b
0x011ff755
0x011ff73d
0x011ff70e
0x011ff712
0x011ff715
0x011ff71b
0x011ff71d
0x011ff720
0x011ff724
0x011ff761
0x011ff764
0x011ff765
0x011ff76a
0x011ff770
0x011ff776
0x011ff785
0x011ff78b
0x011ff791
0x011ff796
0x011ff7b2
0x011ff825
0x011ff82b
0x011ff7b4
0x011ff7bc
0x011ff7c5
0x011ff7cb
0x00000000
0x011ff7cd
0x011ff7cf
0x011ff7d2
0x011ff7eb
0x00000000
0x011ff7ed
0x011ff7f1
0x011ff7f3
0x011ff7f6
0x00000000
0x011ff7f6
0x011ff7f1
0x011ff7eb
0x011ff7cb
0x011ff7c5
0x011ff7b2
0x011ff796
0x011ff770
0x00000000
0x011ff7f9
0x011ff7f9
0x011ff82d
0x011ff83f

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,011FFE02,00000000,00000000,00000000,00000000,00000000,?), ref: 011FF6CF
__fassign.LIBCMT ref: 011FF74A
__fassign.LIBCMT ref: 011FF765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 011FF78B
WriteFile.KERNEL32(?,00000000,00000000,011FFE02,00000000,?,?,?,?,?,?,?,?,?,011FFE02,00000000), ref: 011FF7AA
WriteFile.KERNEL32(?,00000000,00000001,011FFE02,00000000,?,?,?,?,?,?,?,?,?,011FFE02,00000000), ref: 011FF7E3

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6332e65b7492308c097bab21397869d7240a18e99de1c5783861fe0aef053c0b
Instruction ID: 2a883eef450b26f496ab032ce1ef0480963dd54b228a57da419d39db2018b88e
Opcode Fuzzy Hash: 6332e65b7492308c097bab21397869d7240a18e99de1c5783861fe0aef053c0b
Instruction Fuzzy Hash: 6651A3B690024A9FDB14CFA8D885AEEFBF4FF09310F14415EE655E7281E770A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011F2900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E011F2900(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				signed int _t81;
				char _t83;
				intOrPtr _t86;
				intOrPtr _t93;
				intOrPtr _t96;
				intOrPtr* _t98;
				void* _t102;
				void* _t104;
				void* _t111;

				_t89 = __edx;
				_t76 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E01202567(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t96 = _t6;
				_push(_t96);
				_v20 = _t96;
				_v12 =  *(_t77 + 8) ^  *0x120e7ac;
				E011F28C0(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0x120e7ac);
				E011F396C(_a12);
				_t52 = _a4;
				_t104 = _t102 - 0x1c + 0x10;
				_t93 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t93 - 0xfffffffe;
					if(_t93 != 0xfffffffe) {
						_t89 = 0xfffffffe;
						E011F3AF0(_t77, 0xfffffffe, _t96, 0x120e7ac);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t93 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t81 = _v12;
							_t59 = _t93 + (_t93 + 2) * 2;
							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
							_t60 = _t81 + _t59 * 4;
							_t82 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t83 = _v5;
								goto L7;
							} else {
								_t89 = _t96;
								_t61 = E011F3A90(_t82, _t96);
								_t83 = 1;
								_v5 = 1;
								_t111 = _t61;
								if(_t111 < 0) {
									_v16 = 0;
									L13:
									_push(_t96);
									E011F28C0(_t77, _t89, _t93, _t96, _v12);
									goto L14;
								} else {
									if(_t111 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0x12058dc;
											if(__eflags != 0) {
												_t72 = E01202090(__eflags, 0x12058dc);
												_t104 = _t104 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t98 =  *0x12058dc; // 0x11f0150
													 *0x1203278(_a4, 1);
													 *_t98();
													_t96 = _v20;
													_t104 = _t104 + 8;
												}
												_t62 = _a4;
											}
										}
										_t90 = _t62;
										E011F3AD0(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
											_t90 = _t93;
											E011F3AF0(_t64, _t93, _t96, 0x120e7ac);
											_t64 = _a8;
										}
										_push(_t96);
										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
										E011F28C0(_t77, _t90, _t93, _t96, _v12);
										_t86 =  *((intOrPtr*)(_v24 + 8));
										E011F3AB0();
										asm("int3");
										__eflags = E011F3B07();
										if(__eflags != 0) {
											_t67 = E011F2B8C(_t86, __eflags);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E011F3B43();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t93 = _t77;
						} while (_t77 != 0xfffffffe);
						if(_t83 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x011f2900
0x011f2907
0x011f290b
0x011f290c
0x011f2912
0x011f291e
0x011f2920
0x011f2926
0x011f2926
0x011f292f
0x011f2931
0x011f2934
0x011f2937
0x011f293f
0x011f2944
0x011f2947
0x011f294a
0x011f2951
0x011f29ad
0x011f29b0
0x011f29b8
0x011f29bf
0x00000000
0x011f29bf
0x00000000
0x011f2953
0x011f2953
0x011f2959
0x011f295f
0x011f2965
0x011f29d0
0x011f29d9
0x011f2967
0x011f2967
0x011f2967
0x011f296d
0x011f2970
0x011f2973
0x011f2976
0x011f2979
0x011f297e
0x011f2994
0x00000000
0x011f2980
0x011f2980
0x011f2982
0x011f2987
0x011f2989
0x011f298c
0x011f298e
0x011f29a4
0x011f29c4
0x011f29c4
0x011f29c8
0x00000000
0x011f2990
0x011f2990
0x011f29da
0x011f29dd
0x011f29e3
0x011f29e5
0x011f29ec
0x011f29f3
0x011f29f8
0x011f29fb
0x011f29fd
0x011f29ff
0x011f2a0c
0x011f2a12
0x011f2a14
0x011f2a17
0x011f2a17
0x011f2a1a
0x011f2a1a
0x011f29ec
0x011f2a20
0x011f2a22
0x011f2a27
0x011f2a2a
0x011f2a2d
0x011f2a35
0x011f2a39
0x011f2a3e
0x011f2a3e
0x011f2a41
0x011f2a45
0x011f2a48
0x011f2a55
0x011f2a58
0x011f2a5d
0x011f2a63
0x011f2a65
0x011f2a6a
0x011f2a6f
0x011f2a71
0x011f2a7c
0x011f2a73
0x011f2a73
0x00000000
0x011f2a73
0x011f2a67
0x011f2a67
0x011f2a67
0x011f2a69
0x011f2a69
0x011f2992
0x00000000
0x011f2992
0x011f2990
0x011f298e
0x00000000
0x011f2997
0x011f2997
0x011f2999
0x011f29a0
0x00000000
0x011f29a2
0x00000000
0x011f29a0
0x011f2965
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 011F2937
___except_validate_context_record.LIBVCRUNTIME ref: 011F293F
_ValidateLocalCookies.LIBCMT ref: 011F29C8
__IsNonwritableInCurrentImage.LIBCMT ref: 011F29F3
_ValidateLocalCookies.LIBCMT ref: 011F2A48

Strings

csm, xrefs: 011F29DD

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 37905d7c238351ee8ddaf3db86e678338e820c50de5db23e88039d8ef6c218b8
Instruction ID: b8e85a5414aa33a089f24c48a82acd60ad21dd88aa51e1120e3df9e3f81b914d
Opcode Fuzzy Hash: 37905d7c238351ee8ddaf3db86e678338e820c50de5db23e88039d8ef6c218b8
Instruction Fuzzy Hash: A441E330A00219AFCF19DF68C884A9EBFB1BF44368F148159EA15AB392D731DA55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 011E9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E011E9955(void* __edx, void* __eflags) {
				void* __ecx;
				signed int _t25;
				void* _t29;
				signed int _t30;
				intOrPtr _t31;
				void* _t35;
				signed int _t38;
				signed int _t45;
				void* _t51;
				signed short* _t52;
				void* _t53;
				signed short* _t55;
				signed short* _t57;
				signed short* _t58;
				void* _t59;
				void* _t60;

				_t57 =  *(_t59 + 0x10);
				_push(0x200 + E011F3E13(_t57) * 0xc);
				_t52 = E011F3E33(0x200 + E011F3E13(_t57) * 0xc);
				 *(_t59 + 0x10) = _t52;
				if(_t52 != 0) {
					E011F6066(_t52, L"<style>body{font-family:\"Arial\";font-size:12;}</style>");
					_t38 = E011F3E13(_t52);
					_t60 = _t59 + 0xc;
					_t25 =  *_t57 & 0x0000ffff;
					_t55 = _t57;
					if(_t25 == 0) {
						L19:
						_t52[_t38] = 0;
						L011F3E2E(_t57);
						return _t52;
					}
					_t45 = _t25;
					 *((intOrPtr*)(_t60 + 0x18)) = 0x20;
					_t29 = 0xd;
					_t51 = 0xa;
					do {
						if(_t45 != _t29 || _t55[1] != _t51 || _t55[2] != _t29 || _t55[3] != _t51) {
							if(_t55 <= _t57) {
								L17:
								_t52[_t38] = _t45;
								_t38 = _t38 + 1;
								goto L18;
							}
							_t31 =  *((intOrPtr*)(_t60 + 0x14));
							if(_t45 != _t31 ||  *((intOrPtr*)(_t55 - 2)) != _t31) {
								goto L17;
							} else {
								E011F6066( &(_t52[_t38]), L"&nbsp;");
								_t38 = _t38 + 6;
								goto L16;
							}
						} else {
							_t58 =  &(_t52[_t38]);
							_t53 = 0xa;
							while(_t55[3] == _t53) {
								E011F6066(_t58, L"<br>");
								_t55 =  &(_t55[2]);
								_t38 = _t38 + 4;
								_t35 = 0xd;
								_t58 =  &(_t58[4]);
								if(_t55[2] == _t35) {
									continue;
								}
								break;
							}
							_t52 =  *(_t60 + 0x10);
							_t55 =  &(_t55[1]);
							_t57 =  *(_t60 + 0x1c);
							L16:
							_t51 = 0xa;
						}
						L18:
						_t55 =  &(_t55[1]);
						_t30 =  *_t55 & 0x0000ffff;
						_t45 = _t30;
						_t29 = 0xd;
					} while (_t30 != 0);
					goto L19;
				}
				return _t57;
			}

0x011e9958
0x011e996c
0x011e9972
0x011e9974
0x011e997c
0x011e998d
0x011e9998
0x011e999a
0x011e999d
0x011e99a1
0x011e99a6
0x011e9a4f
0x011e9a52
0x011e9a56
0x00000000
0x011e9a5f
0x011e99ae
0x011e99b0
0x011e99b8
0x011e99bb
0x011e99bc
0x011e99bf
0x011e9a0d
0x011e9a36
0x011e9a36
0x011e9a3a
0x00000000
0x011e9a3a
0x011e9a0f
0x011e9a16
0x00000000
0x011e9a1e
0x011e9a27
0x011e9a2e
0x00000000
0x011e9a2e
0x011e99d3
0x011e99d5
0x011e99d8
0x011e99d9
0x011e99e5
0x011e99ec
0x011e99ef
0x011e99f4
0x011e99f5
0x011e99fc
0x00000000
0x00000000
0x00000000
0x011e99fc
0x011e99fe
0x011e9a02
0x011e9a05
0x011e9a31
0x011e9a33
0x011e9a33
0x011e9a3b
0x011e9a3b
0x011e9a40
0x011e9a43
0x011e9a48
0x011e9a48
0x00000000
0x011e99bc
0x00000000

APIs

_wcslen.LIBCMT ref: 011E995E
_wcslen.LIBCMT ref: 011E9993

Strings

<br>, xrefs: 011E99DF
 , xrefs: 011E9A21
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 011E9987
, xrefs: 011E99B0

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 534ade4c8c008b901b62e1762f4824a001ad49afdc9a0a7a7663fe86ad912cab
Instruction ID: fd4ec527c96ae180f5b596ab084cbb661f5843896ed2cd59229f844f8c655e9f
Opcode Fuzzy Hash: 534ade4c8c008b901b62e1762f4824a001ad49afdc9a0a7a7663fe86ad912cab
Instruction Fuzzy Hash: CA31707264474A96DE3DEFD89C45B7A73E4EFD0328F60841FE59647281FB90A940C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 011FC8A4 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E011FC8A4(intOrPtr _a4) {
				void* _t18;
				intOrPtr _t45;

				_t45 = _a4;
				if(_t45 != 0) {
					E011FC868(_t45, 7);
					_t2 = _t45 + 0x1c; // 0x1203a50
					E011FC868(_t2, 7);
					_t3 = _t45 + 0x38; // 0x1203a6c
					E011FC868(_t3, 0xc);
					_t4 = _t45 + 0x68; // 0x1203a9c
					E011FC868(_t4, 0xc);
					_t5 = _t45 + 0x98; // 0x1203acc
					E011FC868(_t5, 2);
					_t6 = _t45 + 0xa0; // 0x65004d
					E011F8DCC( *_t6);
					_t7 = _t45 + 0xa4; // 0x6f006d
					E011F8DCC( *_t7);
					_t8 = _t45 + 0xa8; // 0x790072
					E011F8DCC( *_t8);
					_t9 = _t45 + 0xb4; // 0x1203ae8
					E011FC868(_t9, 7);
					_t10 = _t45 + 0xd0; // 0x1203b04
					E011FC868(_t10, 7);
					_t11 = _t45 + 0xec; // 0x1203b20
					E011FC868(_t11, 0xc);
					_t12 = _t45 + 0x11c; // 0x1203b50
					E011FC868(_t12, 0xc);
					_t13 = _t45 + 0x14c; // 0x1203b80
					E011FC868(_t13, 2);
					_t14 = _t45 + 0x154; // 0x983e5152
					E011F8DCC( *_t14);
					_t15 = _t45 + 0x158; // 0xa831c66d
					E011F8DCC( *_t15);
					_t16 = _t45 + 0x15c; // 0xb00327c8
					E011F8DCC( *_t16);
					_t17 = _t45 + 0x160; // 0xbf597fc7
					return E011F8DCC( *_t17);
				}
				return _t18;
			}

0x011fc8aa
0x011fc8af
0x011fc8b8
0x011fc8bd
0x011fc8c3
0x011fc8c8
0x011fc8ce
0x011fc8d3
0x011fc8d9
0x011fc8de
0x011fc8e7
0x011fc8ec
0x011fc8f2
0x011fc8f7
0x011fc8fd
0x011fc902
0x011fc908
0x011fc90d
0x011fc916
0x011fc91b
0x011fc924
0x011fc92c
0x011fc935
0x011fc93a
0x011fc943
0x011fc948
0x011fc951
0x011fc956
0x011fc95c
0x011fc961
0x011fc967
0x011fc96c
0x011fc972
0x011fc977
0x00000000
0x011fc982
0x011fc987

APIs

Part of subcall function 011FC868: _free.LIBCMT ref: 011FC891

_free.LIBCMT ref: 011FC8F2

Part of subcall function 011F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,011FC896,01203A34,00000000,01203A34,00000000,?,011FC8BD,01203A34,00000007,01203A34,?,011FCCBA,01203A34), ref: 011F8DE2
Part of subcall function 011F8DCC: GetLastError.KERNEL32(01203A34,?,011FC896,01203A34,00000000,01203A34,00000000,?,011FC8BD,01203A34,00000007,01203A34,?,011FCCBA,01203A34,01203A34), ref: 011F8DF4

_free.LIBCMT ref: 011FC8FD
_free.LIBCMT ref: 011FC908
_free.LIBCMT ref: 011FC95C
_free.LIBCMT ref: 011FC967
_free.LIBCMT ref: 011FC972
_free.LIBCMT ref: 011FC97D

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: c34f95e21503ceaf566d791e97221360507c7148f74b1b9c675a5c48ceed1268
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 101136B1580B0AB6E624B771CC05FCB7BAC9F25B18F404C1DB39D66091D775B909A790

Uniqueness

Uniqueness Score: -1.00%

Function 011EE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E011EE5EE() {
				intOrPtr _t3;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t15;

				_t3 =  *0x1231cd8;
				if(_t3 == 1) {
					L11:
					return 0;
				}
				if(_t3 != 0) {
					return 1;
				}
				_t15 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t15 != 0) {
					_t7 = GetProcAddress(_t15, "AcquireSRWLockExclusive");
					if(_t7 == 0) {
						goto L3;
					}
					 *0x1231cdc = _t7;
					_t10 = GetProcAddress(_t15, "ReleaseSRWLockExclusive");
					if(_t10 == 0) {
						goto L3;
					}
					 *0x1231ce0 = _t10;
					L7:
					asm("lock cmpxchg [edx], ecx");
					if(0 != 0 || _t15 != 1) {
						return 0xbadbad;
					} else {
						goto L11;
					}
				}
				L3:
				_t15 = 1;
				goto L7;
			}

0x011ee5ee
0x011ee5fa
0x011ee65f
0x00000000
0x011ee65f
0x011ee5fe
0x00000000
0x011ee65b
0x011ee60b
0x011ee60f
0x011ee61b
0x011ee623
0x00000000
0x00000000
0x011ee62b
0x011ee630
0x011ee638
0x00000000
0x00000000
0x011ee63a
0x011ee63f
0x011ee648
0x011ee64e
0x00000000
0x00000000
0x00000000
0x00000000
0x011ee64e
0x011ee611
0x011ee611
0x00000000

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,011EE669,011EE5CC,011EE86D), ref: 011EE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 011EE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 011EE630

Strings

KERNEL32.DLL, xrefs: 011EE600
AcquireSRWLockExclusive, xrefs: 011EE615
ReleaseSRWLockExclusive, xrefs: 011EE625

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 14c8bc575cb72330d946744e6357a93d2e657742b9638ab70d16ae733e8b3804
Instruction ID: 16c1a273f9cdb8fe7d1d5b7d44e1920f927f5cecf8e9212a745f10029c417b5c
Opcode Fuzzy Hash: 14c8bc575cb72330d946744e6357a93d2e657742b9638ab70d16ae733e8b3804
Instruction Fuzzy Hash: ADF0F631753A625F5F3B8EE9788C5662AD97A0D641B010A3EDA05D3142EB10C8644F92

Uniqueness

Uniqueness Score: -1.00%

Function 011E146A Relevance: 9.1, APIs: 6, Instructions: 98
timeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E011E146A(signed int* __ecx, void* __edx, intOrPtr* _a4) {
				char _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				struct _FILETIME _v84;
				signed int _t56;
				signed int _t70;
				signed int _t72;
				signed int _t77;
				signed int _t85;
				intOrPtr* _t89;
				signed int _t90;
				signed int _t92;
				signed int* _t93;

				_t89 = _a4;
				_t93 = __ecx;
				_v48.wYear =  *_t89;
				_v48.wMonth =  *((intOrPtr*)(_t89 + 4));
				_v48.wDay =  *((intOrPtr*)(_t89 + 8));
				_v48.wHour =  *((intOrPtr*)(_t89 + 0xc));
				_v48.wMinute =  *((intOrPtr*)(_t89 + 0x10));
				_v48.wSecond =  *((intOrPtr*)(_t89 + 0x14));
				_v48.wMilliseconds = 0;
				_v48.wDayOfWeek.wYear = 0;
				if(SystemTimeToFileTime( &_v48,  &_v64) == 0) {
					_t90 = 0;
					_t77 = 0;
				} else {
					if(E011DB146() >= 0x600) {
						FileTimeToSystemTime( &_v64,  &_v32);
						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v32,  &_v16);
						SystemTimeToFileTime( &(_v32.wDayOfWeek),  &_v84);
						SystemTimeToFileTime( &(_v48.wDayOfWeek),  &(_v72.dwHighDateTime));
						_t70 = _v84.dwHighDateTime + _v72.dwLowDateTime;
						asm("sbb eax, [esp+0x24]");
						asm("sbb eax, esi");
						asm("adc eax, esi");
						_t85 = 0 - _v72.dwHighDateTime.dwLowDateTime + _v84.dwLowDateTime + _v76;
						asm("adc eax, esi");
					} else {
						LocalFileTimeToFileTime( &_v64,  &_v72);
						_t70 = _v72.dwHighDateTime.dwLowDateTime;
						_t85 = _v72.dwLowDateTime;
					}
					_t92 = 0x64;
					_t72 = _t85;
					_t77 = _t70 * _t92 + (_t72 * _t92 >> 0x20);
					_t90 = _t72 * _t92;
				}
				 *_t93 = _t90;
				_a4 = _t77;
				_t56 =  *((intOrPtr*)(_t89 + 0x18)) + _t90;
				asm("adc ecx, ebx");
				 *_t93 = _t56;
				_a4 = 0;
				return _t56;
			}

0x011e1471
0x011e1475
0x011e147a
0x011e1483
0x011e148c
0x011e1495
0x011e149e
0x011e14a7
0x011e14ae
0x011e14b3
0x011e14ca
0x011e156c
0x011e156e
0x011e14d0
0x011e14da
0x011e1500
0x011e1513
0x011e1523
0x011e1533
0x011e153f
0x011e1545
0x011e154d
0x011e1553
0x011e1555
0x011e1559
0x011e14dc
0x011e14e6
0x011e14ec
0x011e14f0
0x011e14f0
0x011e155d
0x011e1562
0x011e1566
0x011e1568
0x011e1568
0x011e1570
0x011e1575
0x011e157b
0x011e157e
0x011e1580
0x011e1584
0x011e158c

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 011E14C2

Part of subcall function 011DB146: GetVersionExW.KERNEL32(?), ref: 011DB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 011E14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 011E1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 011E1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 011E1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 011E1533

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 62e03328a35f711c785f70f038ed99076faecc97c718fb4d54ca171cc4f96591
Instruction ID: 0958c0db89f0a5ab120b4c61f2cf0b497ca68cb529d030c006b120332100b75a
Opcode Fuzzy Hash: 62e03328a35f711c785f70f038ed99076faecc97c718fb4d54ca171cc4f96591
Instruction Fuzzy Hash: CA31F775108306AFC704DFA8D88899BBBF8BF9C614F044A1EF999D3210E730D549CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 011F2AFA Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E011F2AFA(void* __ecx, void* __edx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t16;
				void* _t18;
				void* _t24;
				long _t25;
				void* _t28;

				_t13 = __ecx;
				if( *0x120e7d0 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E011F3CCD(_t13, __eflags,  *0x120e7d0);
					_t14 = _t24;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E011F3D08(_t14, __eflags,  *0x120e7d0, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t28 = E011F8DC1(_t16);
								_t18 = 1;
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E011F3D08(_t18, __eflags,  *0x120e7d0, 0);
								} else {
									_t8 = E011F3D08(_t18, __eflags,  *0x120e7d0, _t28);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								L011F3E2E(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x011f2afa
0x011f2b01
0x011f2b14
0x011f2b1b
0x011f2b1d
0x011f2b1e
0x011f2b21
0x011f2b3a
0x011f2b3a
0x011f2b23
0x011f2b23
0x011f2b25
0x011f2b2f
0x011f2b35
0x011f2b36
0x011f2b38
0x011f2b3f
0x011f2b48
0x011f2b4b
0x011f2b4c
0x011f2b4e
0x011f2b62
0x011f2b62
0x011f2b6b
0x011f2b50
0x011f2b57
0x011f2b5d
0x011f2b5e
0x011f2b60
0x011f2b74
0x011f2b76
0x011f2b76
0x00000000
0x00000000
0x00000000
0x011f2b60
0x011f2b79
0x00000000
0x00000000
0x00000000
0x011f2b38
0x011f2b25
0x011f2b81
0x011f2b8b
0x011f2b03
0x011f2b05
0x011f2b05

APIs

GetLastError.KERNEL32(?,?,011F2AF1,011F02FC,011EFA34), ref: 011F2B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 011F2B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 011F2B2F
SetLastError.KERNEL32(00000000,011F2AF1,011F02FC,011EFA34), ref: 011F2B81

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 675eb41b95d5289c1f6a66acdfcf3ddca43d028b39f63dbeaca8100df9ad9889
Instruction ID: 662ac803e55f03f6f672cfd3e0f7e1e1fa760aa329dd1879f9fbbad19a9f2d22
Opcode Fuzzy Hash: 675eb41b95d5289c1f6a66acdfcf3ddca43d028b39f63dbeaca8100df9ad9889
Instruction Fuzzy Hash: 4A01FC3211D7166EA63E1D797C4895E2E59FF116B8F61073DEB24450E5EF71C8409344

Uniqueness

Uniqueness Score: -1.00%

Function 011F97E5 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E011F97E5(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_push(_t30);
				_t36 = GetLastError();
				_t2 =  *0x120e7fc; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E011FB136(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E011FAEB1(_t20, _t25, _t31, __eflags,  *0x120e7fc, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E011F9649(_t25, _t31, 0x1232288);
							E011F8DCC(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E011F8DCC();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E011F8D24(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x120e7fc; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E011FB136(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E011FAEB1(_t21, _t27, _t32, __eflags,  *0x120e7fc, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E011F9649(_t27, _t32, 0x1232288);
									E011F8DCC(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E011F8DCC();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E011FAE5B(0, _t25, _t31, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E011FAE5B(__ebx, _t23, _t30, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x011f97e5
0x011f97e5
0x011f97e5
0x011f97e8
0x011f97ef
0x011f97f1
0x011f97f6
0x011f97f9
0x011f9807
0x011f980e
0x011f9813
0x011f9816
0x011f9819
0x011f982b
0x011f9830
0x011f9832
0x011f983d
0x011f9844
0x011f9849
0x011f984c
0x011f984e
0x00000000
0x00000000
0x00000000
0x00000000
0x011f9834
0x011f9834
0x00000000
0x011f9834
0x011f981b
0x011f981b
0x011f981c
0x011f981c
0x011f9821
0x011f985c
0x011f985d
0x011f9863
0x011f9868
0x011f986b
0x011f986c
0x011f986d
0x011f9874
0x011f9876
0x011f9878
0x011f987d
0x011f9880
0x011f988e
0x011f989a
0x011f989d
0x011f98a0
0x011f98b2
0x011f98b7
0x011f98b9
0x011f98c4
0x011f98ca
0x011f98d2
0x011f98d4
0x00000000
0x00000000
0x00000000
0x00000000
0x011f98bb
0x011f98bb
0x00000000
0x011f98bb
0x011f98a2
0x011f98a2
0x011f98a3
0x011f98a3
0x011f98d6
0x011f98d7
0x011f98d7
0x011f9882
0x011f9888
0x011f988c
0x011f98df
0x011f98e0
0x011f98e6
0x00000000
0x00000000
0x00000000
0x011f988c
0x011f98ed
0x011f98ed
0x011f97fb
0x011f9801
0x011f9805
0x011f9850
0x011f9851
0x011f985b
0x00000000
0x00000000
0x00000000
0x011f9805

APIs

GetLastError.KERNEL32(?,01211030,011F4674,01211030,?,?,011F3F73,00000050,?,01211030,00000200), ref: 011F97E9
_free.LIBCMT ref: 011F981C
_free.LIBCMT ref: 011F9844
SetLastError.KERNEL32(00000000,?,01211030,00000200), ref: 011F9851
SetLastError.KERNEL32(00000000,?,01211030,00000200), ref: 011F985D
_abort.LIBCMT ref: 011F9863

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 02126ea2db3622e37de6b9313b16fb059df9068d2041b3c9b5cfd90e8c35e039
Instruction ID: a905f9e95ffcbe67ab7ed8100aff8821389062dd0474c26147cfd5578faef2d5
Opcode Fuzzy Hash: 02126ea2db3622e37de6b9313b16fb059df9068d2041b3c9b5cfd90e8c35e039
Instruction Fuzzy Hash: 5BF0C83614461EAAD72F7639BC0CB1F2A669FE177DF25022CF71892196FF3084018665

Uniqueness

Uniqueness Score: -1.00%

Function 011EDC3B Relevance: 9.0, APIs: 6, Instructions: 42
windowsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EDC3B(void* _a4) {
				struct tagMSG _v32;
				long _t7;
				long _t10;

				_t7 = WaitForSingleObject(_a4, 0xa);
				if(_t7 == 0x102) {
					do {
						if(PeekMessageW( &_v32, 0, 0, 0, 0) != 0) {
							GetMessageW( &_v32, 0, 0, 0);
							TranslateMessage( &_v32);
							DispatchMessageW( &_v32);
						}
						_t10 = WaitForSingleObject(_a4, 0xa);
					} while (_t10 == 0x102);
					return _t10;
				}
				return _t7;
			}

0x011edc47
0x011edc54
0x011edc59
0x011edc69
0x011edc72
0x011edc7c
0x011edc86
0x011edc86
0x011edc91
0x011edc97
0x00000000
0x011edc9b
0x011edc9e

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 011EDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 011EDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 011EDC72
TranslateMessage.USER32(?), ref: 011EDC7C
DispatchMessageW.USER32(?), ref: 011EDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 011EDC91

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: ab07b7d0f7fb71041cae28abc9355d09094afb6de44bbc93a7dd040c7e0ca8cb
Instruction ID: f1651b1309b989f6ff74cdc8920b406800f9eba687ce2b053345507c9a94c849
Opcode Fuzzy Hash: ab07b7d0f7fb71041cae28abc9355d09094afb6de44bbc93a7dd040c7e0ca8cb
Instruction Fuzzy Hash: 64F01972A01219BACA31AAE5EC4CDCBBFADEF41691B004111B50AD2045D6659146C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 011DC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011DC0C5(short* _a4, char _a12) {
				signed short* _v4;
				void* __ebp;
				intOrPtr* _t20;
				signed short* _t24;
				char _t27;
				char _t30;
				signed short* _t31;
				short _t32;
				signed int _t33;
				short _t34;
				signed short* _t37;
				char _t39;
				char _t40;
				char _t41;
				intOrPtr _t44;
				void* _t47;
				void* _t48;
				short* _t54;
				intOrPtr* _t56;
				signed short _t57;
				short* _t58;
				intOrPtr* _t59;
				signed int _t62;
				signed short* _t63;
				short _t66;
				signed short _t67;

				_t58 = _a4;
				_t20 = E011DB92D(_t58);
				_t44 = _a4;
				_t59 = _t20;
				_t68 = _t59;
				if(_t59 != 0) {
					__eflags =  *((intOrPtr*)(_t59 + 2));
					if( *((intOrPtr*)(_t59 + 2)) == 0) {
						L7:
						__eflags = _t44 - (_t59 - _t58 >> 1);
						E011E0602(_t59, L".rar", _t44 - (_t59 - _t58 >> 1));
					} else {
						_t40 = E011E1FBB(_t59, L".exe");
						__eflags = _t40;
						if(_t40 == 0) {
							goto L7;
						} else {
							_t41 = E011E1FBB(_t59, L".sfx");
							__eflags = _t41;
							if(_t41 == 0) {
								goto L7;
							}
						}
					}
				} else {
					E011E05DA(_t68, _t58, L".rar", _t44);
					_t59 = E011DB92D(_t58);
					if(_t59 == 0) {
						L2:
						 *_t58 = 0;
						return 0;
					}
				}
				_t24 = 0x2e;
				_v4 = _t24;
				__eflags =  *_t59 - _t24;
				if( *_t59 != _t24) {
					goto L2;
				}
				__eflags =  *((intOrPtr*)(_t59 + 2));
				if( *((intOrPtr*)(_t59 + 2)) == 0) {
					goto L2;
				}
				__eflags = _a12;
				if(__eflags != 0) {
					_t12 = _t59 + 4; // 0x4
					_t65 = _t12;
					_t27 = E011E047A( *_t12 & 0x0000ffff);
					__eflags = _t27;
					if(_t27 == 0) {
						L30:
						return E011E0602(_t65, L"00", _t44 - (_t59 - _t58 >> 1) - 2);
					}
					_t30 = E011E047A( *(_t59 + 6) & 0x0000ffff);
					__eflags = _t30;
					if(_t30 == 0) {
						goto L30;
					}
					_t31 = E011F3E13(_t59);
					_t47 = 0x3a;
					_t14 = _t31 - 1; // -1
					_t54 = _t59 + _t14 * 2;
					 *_t54 =  *_t54 + 1;
					__eflags =  *_t54 - _t47;
					if( *_t54 == _t47) {
						_t66 = 0x30;
						while(1) {
							__eflags = _t54 - _t58;
							if(_t54 <= _t58) {
								break;
							}
							_t33 =  *(_t54 - 2) & 0x0000ffff;
							_t62 = _t33;
							__eflags = _t33 - _v4;
							if(_t33 == _v4) {
								break;
							}
							 *_t54 = _t66;
							_t34 = _t62 + 1;
							_t54 = _t54 + 0xfffffffe;
							 *_t54 = _t34;
							__eflags = _t34 - _t47;
							if(_t34 == _t47) {
								continue;
							}
							return _t34;
						}
						_t32 = 0x61;
						 *_t54 = _t32;
						return _t32;
					}
				} else {
					_t31 = E011DBA1E(0, __eflags, _t58);
					_t63 = _t31;
					_t48 = 0x3a;
					 *_t63 =  *_t63 + 1;
					__eflags =  *_t63 - _t48;
					if( *_t63 == _t48) {
						_t67 = 0x30;
						while(1) {
							_v4 = _t63;
							 *_t63 = _t67;
							_t63 = _t63 - 2;
							__eflags = _t63 - _t58;
							if(_t63 < _t58) {
								break;
							}
							_t39 = E011E047A( *_t63 & 0x0000ffff);
							__eflags = _t39;
							if(_t39 == 0) {
								break;
							}
							 *_t63 =  *_t63 + 1;
							__eflags =  *_t63 - _t48;
							if( *_t63 == _t48) {
								continue;
							}
							return _t39;
						}
						_t56 = _t58 + E011F3E13(_t58) * 2;
						while(1) {
							__eflags = _t56 - _t63;
							if(_t56 == _t63) {
								break;
							}
							 *((short*)(_t56 + 2)) =  *_t56;
							_t56 = _t56 - 2;
							__eflags = _t56;
						}
						_t37 = _v4;
						_t57 = 0x31;
						 *_t37 = _t57;
						return _t37;
					}
				}
				return _t31;
			}

0x011dc0ca
0x011dc0cf
0x011dc0d4
0x011dc0d8
0x011dc0dc
0x011dc0de
0x011dc105
0x011dc109
0x011dc129
0x011dc131
0x011dc13a
0x011dc10b
0x011dc111
0x011dc116
0x011dc118
0x00000000
0x011dc11a
0x011dc120
0x011dc125
0x011dc127
0x00000000
0x00000000
0x011dc127
0x011dc118
0x011dc0e0
0x011dc0e7
0x011dc0f2
0x011dc0f6
0x011dc0f8
0x011dc0fa
0x00000000
0x011dc0fa
0x011dc0f6
0x011dc141
0x011dc142
0x011dc146
0x011dc149
0x00000000
0x00000000
0x011dc14b
0x011dc14f
0x00000000
0x00000000
0x011dc151
0x011dc156
0x011dc1bf
0x011dc1bf
0x011dc1c7
0x011dc1cc
0x011dc1ce
0x011dc22f
0x00000000
0x011dc23f
0x011dc1d5
0x011dc1da
0x011dc1dc
0x00000000
0x00000000
0x011dc1df
0x011dc1e7
0x011dc1e8
0x011dc1eb
0x011dc1ee
0x011dc1f1
0x011dc1f4
0x011dc1fc
0x011dc1fd
0x011dc1fd
0x011dc1ff
0x00000000
0x00000000
0x011dc201
0x011dc205
0x011dc207
0x011dc20c
0x00000000
0x00000000
0x011dc20e
0x011dc211
0x011dc214
0x011dc217
0x011dc21a
0x011dc21d
0x00000000
0x00000000
0x00000000
0x011dc21d
0x011dc226
0x011dc227
0x00000000
0x011dc227
0x011dc158
0x011dc159
0x011dc15e
0x011dc162
0x011dc163
0x011dc166
0x011dc169
0x011dc16d
0x011dc16e
0x011dc16e
0x011dc172
0x011dc175
0x011dc178
0x011dc17a
0x00000000
0x00000000
0x011dc180
0x011dc185
0x011dc187
0x00000000
0x00000000
0x011dc189
0x011dc18c
0x011dc18f
0x00000000
0x00000000
0x00000000
0x011dc18f
0x011dc19d
0x011dc1ac
0x011dc1ac
0x011dc1ae
0x00000000
0x00000000
0x011dc1a5
0x011dc1a9
0x011dc1a9
0x011dc1a9
0x011dc1b0
0x011dc1b6
0x011dc1b7
0x00000000
0x011dc1b7
0x011dc169
0x011dc102

APIs

Part of subcall function 011E05DA: _wcslen.LIBCMT ref: 011E05E0

Part of subcall function 011DB92D: _wcsrchr.LIBVCRUNTIME ref: 011DB944

_wcslen.LIBCMT ref: 011DC197
_wcslen.LIBCMT ref: 011DC1DF

Strings

.rar, xrefs: 011DC0E1, 011DC134
.exe, xrefs: 011DC10B
.sfx, xrefs: 011DC11A

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 829ef6654fe07c3419112188f3dbd307c5030b4f06e1f017be538f1ed2cab912
Instruction ID: 4ff73045ca3b0dff029685c30ed027ae64e587cefffb72bb6b3464dd4ae35d9e
Opcode Fuzzy Hash: 829ef6654fe07c3419112188f3dbd307c5030b4f06e1f017be538f1ed2cab912
Instruction Fuzzy Hash: 0B41592654072299D73EAF788845B7BB7E4FF56748F140E0EF9C26B080EB604981C3D2

Uniqueness

Uniqueness Score: -1.00%

Function 011ECE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E011ECE87(intOrPtr __ebx, void* __ecx, void* __edx) {
				intOrPtr _t225;
				void* _t226;
				signed int _t292;
				void* _t294;
				signed int _t295;
				void* _t299;

				L0:
				while(1) {
					L0:
					if(__ebx != 1) {
						goto L123;
					}
					L107:
					__eax = __ebp - 0x788c;
					__edi = 0x800;
					GetTempPathW(0x800, __ebp - 0x788c) = __ebp - 0x788c;
					__eax = E011DB690(__eflags, __ebp - 0x788c, 0x800);
					__ebx = 0;
					__esi = 0;
					_push(0);
					while(1) {
						L109:
						_push( *0x120e724);
						__ebp - 0x788c = E011D4092(0x121946a, __edi, L"%s%s%u", __ebp - 0x788c);
						__eax = E011DA231(0x121946a);
						__eflags = __al;
						if(__al == 0) {
							break;
						}
						L108:
						__esi =  &(__esi->i);
						__eflags = __esi;
						_push(__esi);
					}
					L110:
					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x121946a);
					__eflags =  *(__ebp - 0x588c) - __bx;
					if( *(__ebp - 0x588c) == __bx) {
						while(1) {
							L175:
							_push(0x1000);
							_t213 = _t299 - 0x15; // 0xffffa75f
							_t214 = _t299 - 0xd; // 0xffffa767
							_t215 = _t299 - 0x588c; // 0xffff4ee8
							_t216 = _t299 - 0xf894; // 0xfffeaee0
							_push( *((intOrPtr*)(_t299 + 0xc)));
							_t225 = E011EB314(0x800, _t299);
							_t277 =  *((intOrPtr*)(_t299 + 0x10));
							 *((intOrPtr*)(_t299 + 0xc)) = _t225;
							if(_t225 != 0) {
								_t226 = _t299 - 0x588c;
								_t294 = _t299 - 0x1b894;
								_t292 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E011E1FBB(_t299 - 0xf894,  *((intOrPtr*)(0x120e744 + _t295 * 4))) != 0) {
								_t295 = _t295 + 1;
								if(_t295 < 0xe) {
									continue;
								} else {
									goto L175;
								}
							}
							__eflags = _t295 - 0xd;
							if(__eflags > 0) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t295 * 4 +  &M011ED41B))) {
								case 0:
									L9:
									__eflags = _t277 - 2;
									if(_t277 == 2) {
										E011EA64D(_t299 - 0x788c, 0x800);
										E011DA544(E011DBDF3(__eflags, _t299 - 0x788c, _t299 - 0x588c, _t299 - 0xd894, 0x800), _t277, _t299 - 0x8894, _t295);
										 *(_t299 - 4) = 0;
										E011DA67E(_t299 - 0x8894, _t299 - 0xd894);
										E011D6EDB(_t299 - 0x388c);
										while(1) {
											L23:
											_push(0);
											_t240 = E011DA5D1(_t299 - 0x8894, _t299 - 0x388c);
											__eflags = _t240;
											if(_t240 == 0) {
												break;
											}
											L11:
											SetFileAttributesW(_t299 - 0x388c, 0);
											__eflags =  *(_t299 - 0x2880);
											if(__eflags == 0) {
												L16:
												_t244 = GetFileAttributesW(_t299 - 0x388c);
												__eflags = _t244 - 0xffffffff;
												if(_t244 == 0xffffffff) {
													continue;
												}
												L17:
												_t246 = DeleteFileW(_t299 - 0x388c);
												__eflags = _t246;
												if(_t246 != 0) {
													continue;
												} else {
													_t297 = 0;
													_push(0);
													goto L20;
													L20:
													E011D4092(_t299 - 0x1044, 0x800, L"%s.%d.tmp", _t299 - 0x388c);
													_t301 = _t301 + 0x14;
													_t251 = GetFileAttributesW(_t299 - 0x1044);
													__eflags = _t251 - 0xffffffff;
													if(_t251 != 0xffffffff) {
														_t297 = _t297 + 1;
														__eflags = _t297;
														_push(_t297);
														goto L20;
													} else {
														_t254 = MoveFileW(_t299 - 0x388c, _t299 - 0x1044);
														__eflags = _t254;
														if(_t254 != 0) {
															MoveFileExW(_t299 - 0x1044, 0, 4);
														}
														continue;
													}
												}
											}
											L12:
											E011DB991(__eflags, _t299 - 0x788c, _t299 - 0x1044, 0x800);
											E011DB690(__eflags, _t299 - 0x1044, 0x800);
											_t298 = E011F3E13(_t299 - 0x788c);
											__eflags = _t298 - 4;
											if(_t298 < 4) {
												L14:
												_t265 = E011DBDB4(_t299 - 0x588c);
												__eflags = _t265;
												if(_t265 != 0) {
													break;
												}
												L15:
												_t268 = E011F3E13(_t299 - 0x388c);
												__eflags = 0;
												 *((short*)(_t299 + _t268 * 2 - 0x388a)) = 0;
												E011EFFF0(0x800, _t299 - 0x44, 0, 0x1e);
												_t301 = _t301 + 0x10;
												 *((intOrPtr*)(_t299 - 0x40)) = 3;
												_push(0x14);
												_pop(_t271);
												 *((short*)(_t299 - 0x34)) = _t271;
												 *((intOrPtr*)(_t299 - 0x3c)) = _t299 - 0x388c;
												_push(_t299 - 0x44);
												 *0x123307c();
												goto L16;
											}
											L13:
											_t276 = E011F3E13(_t299 - 0x1044);
											__eflags = _t298 - _t276;
											if(_t298 > _t276) {
												goto L15;
											}
											goto L14;
										}
										L24:
										 *(_t299 - 4) =  *(_t299 - 4) | 0xffffffff;
										E011DA55A(_t299 - 0x8894);
									}
									goto L175;
								case 1:
									L25:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L175;
									} else {
										__eax =  *0x122fc94;
										__eflags = __eax;
										__ebx = __ebx & 0xffffff00 | __eax == 0x00000000;
										__eflags = __eax;
										if(__eax != 0) {
											__eax =  *0x122fc94;
											_pop(__ecx);
											_pop(__ecx);
										}
										__bh =  *((intOrPtr*)(__ebp - 0xd));
										__eflags = __bh;
										if(__eflags == 0) {
											__eax = __ebp + 0xc;
											_push(__ebp + 0xc);
											__esi = E011EB48E(__ecx, __edx, __eflags);
											__eax =  *0x122fc94;
										} else {
											__esi = __ebp - 0x588c;
										}
										__eflags = __bl;
										if(__bl == 0) {
											__edi = __eax;
										}
										L33:
										__eax = E011F3E13(__esi);
										__eax = __eax + __edi;
										_push(__eax);
										_push( *0x122fc94);
										__eax = E011F3E3E(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax == 0) {
											L37:
											__eflags = __bh;
											if(__bh == 0) {
												__eax = L011F3E2E(__esi);
											}
											goto L175;
										}
										L34:
										 *0x122fc94 = __eax;
										__eflags = __bl;
										if(__bl != 0) {
											__ecx = 0;
											__eflags = 0;
											 *__eax = __cx;
										}
										L36:
										__eax = E011F7686(__eax, __esi);
										_pop(__ecx);
										_pop(__ecx);
										goto L37;
									}
								case 2:
									L39:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x588c = SetWindowTextW( *(__ebp + 8), __ebp - 0x588c);
									}
									goto L175;
								case 3:
									L41:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L175;
									}
									L42:
									__eflags =  *0x121a472 - __di;
									if( *0x121a472 != __di) {
										goto L175;
									}
									L43:
									__eax = 0;
									__edi = __ebp - 0x588c;
									_push(0x22);
									 *(__ebp - 0x1044) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x588c) - __ax;
									if( *(__ebp - 0x588c) == __ax) {
										__edi = __ebp - 0x588a;
									}
									__eax = E011F3E13(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L175;
									} else {
										L46:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L50:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L62:
												__ebp - 0x1044 = E011E0602(__ebp - 0x1044, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L63:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x1044;
												__eax = E011F279B(__ebp - 0x1044, __ebp - 0x1044);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *(__eax + 2) - __bx;
													if( *(__eax + 2) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x1044;
												__edi = 0x121a472;
												E011E0602(0x121a472, __ebp - 0x1044, __esi) = __ebp - 0x1044;
												__eax = E011EB1BE(__ebp - 0x1044, __esi);
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x1044 = SetWindowTextW(__esi, __ebp - 0x1044);
												__eax = SendMessageW(__esi, 0x143, __ebx, 0x121a472);
												__eax = __ebp - 0x1044;
												__eax = E011F3E49(__ebp - 0x1044, 0x121a472, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x1044 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1044);
												}
												goto L175;
											}
											L51:
											__eflags = __ax;
											if(__ax == 0) {
												L53:
												__eax = __ebp - 0x1c;
												__ebx = 0;
												_push(__ebp - 0x1c);
												_push(1);
												_push(0);
												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
												_push(0x80000002);
												__eax =  *0x1233028();
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x1044;
													_push(__ebp - 0x1044);
													__eax = __ebp - 0x24;
													_push(__ebp - 0x24);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x1c));
													__eax =  *0x1233024();
													_push( *(__ebp - 0x1c));
													 *0x1233008() =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *(__ebp + __eax * 2 - 0x1044) = __cx;
												}
												__eflags =  *(__ebp - 0x1044) - __bx;
												if( *(__ebp - 0x1044) != __bx) {
													__eax = __ebp - 0x1044;
													__eax = E011F3E13(__ebp - 0x1044);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x1046)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x1044 = E011E05DA(__eflags, __ebp - 0x1044, "\\", __esi);
													}
												}
												__esi = E011F3E13(__edi);
												__eax = __ebp - 0x1044;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x1044 = E011E05DA(__eflags, __ebp - 0x1044, __edi, 0x800);
												}
												goto L63;
											}
											L52:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L62;
											}
											goto L53;
										}
										L47:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L51;
										}
										L48:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L175;
										}
										L49:
										__ebp - 0x1044 = E011E0602(__ebp - 0x1044, __edi, 0x800);
										goto L63;
									}
								case 4:
									L68:
									__eflags =  *0x121a46c - 1;
									__eflags = __eax - 0x121a46c;
									 *__edi =  *__edi + __ecx;
									__eflags =  *(__edx + 7) & __al;
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L73:
									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0x1218457 = __cl;
										 *0x1218460 = 1;
										goto L175;
									}
									L74:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L78:
										 *0x1218457 = __cl;
										L79:
										 *0x1218460 = __cl;
										goto L175;
									}
									L75:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L80;
									}
									L76:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L175;
									}
									L77:
									 *0x1218457 = 1;
									goto L79;
								case 6:
									L86:
									__edi = 0;
									 *0x121c577 = 1;
									__edi = 1;
									__eax = __ebp - 0x588c;
									__eflags =  *(__ebp - 0x588c) - 0x3c;
									__ebx = __esi;
									 *(__ebp - 0x14) = __eax;
									if( *(__ebp - 0x588c) != 0x3c) {
										L97:
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
										if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
											L100:
											__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
											if( *((intOrPtr*)(__ebp + 0x10)) != 4) {
												goto L175;
											}
											L101:
											__eflags = __ebx - 6;
											if(__ebx != 6) {
												goto L175;
											}
											L102:
											__ecx = 0;
											__eflags = 0;
											_push(0);
											L103:
											_push(__edi);
											_push(__eax);
											_push( *(__ebp + 8));
											__eax = E011ED78F(__ebp);
											goto L175;
										}
										L98:
										__eflags = __ebx - 9;
										if(__ebx != 9) {
											goto L175;
										}
										L99:
										_push(1);
										goto L103;
									}
									L87:
									__eax = __ebp - 0x588a;
									_push(0x3e);
									_push(__ebp - 0x588a);
									__eax = E011F22C6(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax == 0) {
										L96:
										__eax =  *(__ebp - 0x14);
										goto L97;
									}
									L88:
									_t103 = __eax + 2; // 0x2
									__ecx = _t103;
									 *(__ebp - 0x14) = _t103;
									__ecx = 0;
									 *__eax = __cx;
									__eax = __ebp - 0x10c;
									_push(0x64);
									_push(__ebp - 0x10c);
									__eax = __ebp - 0x588a;
									_push(__ebp - 0x588a);
									__eax = E011EAF98();
									 *(__ebp - 0x20) = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										goto L96;
									}
									L89:
									__esi = __eax;
									while(1) {
										L90:
										__eflags =  *(__ebp - 0x10c);
										if( *(__ebp - 0x10c) == 0) {
											goto L96;
										}
										L91:
										__eax = __ebp - 0x10c;
										__eax = E011E1FBB(__ebp - 0x10c, L"HIDE");
										__eax =  ~__eax;
										asm("sbb eax, eax");
										__edi = __edi & __eax;
										__eax = __ebp - 0x10c;
										__eax = E011E1FBB(__ebp - 0x10c, L"MAX");
										__eflags = __eax;
										if(__eax == 0) {
											_push(3);
											_pop(__edi);
										}
										__eax = __ebp - 0x10c;
										__eax = E011E1FBB(__ebp - 0x10c, L"MIN");
										__eflags = __eax;
										if(__eax == 0) {
											_push(6);
											_pop(__edi);
										}
										_push(0x64);
										__eax = __ebp - 0x10c;
										_push(__ebp - 0x10c);
										_push(__esi);
										__esi = E011EAF98();
										__eflags = __esi;
										if(__esi != 0) {
											continue;
										} else {
											goto L96;
										}
									}
									goto L96;
								case 7:
									goto L0;
								case 8:
									L127:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x588c) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x588c;
											_push(__ebp - 0x588c);
											__eax = E011F7625(__ebx, __edi);
											_pop(__ecx);
											 *0x122fc9c = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0x122fc98 = E011EB48E(__ecx, __edx, __eflags);
									}
									 *0x121c576 = 1;
									goto L175;
								case 9:
									L132:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L175;
									}
									L133:
									__eax = 0;
									 *(__ebp - 0x2844) = __ax;
									__eax =  *(__ebp - 0x1b894) & 0x0000ffff;
									__eax = E011F79E9( *(__ebp - 0x1b894) & 0x0000ffff);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										 *(__ebp - 0x14) = 2;
										__eax = 0x122cb82;
									} else {
										__eflags = __eax - 0x54;
										if(__eax == 0x54) {
											 *(__ebp - 0x14) = 7;
											__eax = 0x122bb82;
										} else {
											 *(__ebp - 0x14) = 0x10;
											__eax = 0x122db82;
										}
									}
									__esi = 0x800;
									__ebp - 0x2844 = E011E0602(__ebp - 0x2844, __ebp - 0x2844, 0x800);
									__eax = 0;
									 *(__ebp - 0x9894) = __ax;
									 *(__ebp - 0x1844) = __ax;
									__ebp - 0x19894 = __ebp - 0x688c;
									__eax = E011E0602(__ebp - 0x688c, __ebp - 0x19894, 0x800);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x688c) - __bx;
									if( *(__ebp - 0x688c) != __bx) {
										L141:
										__ebp - 0x688c = E011DA231(__ebp - 0x688c);
										__eflags = __al;
										if(__al != 0) {
											goto L160;
										}
										L142:
										__ax =  *(__ebp - 0x688c);
										__esi = __ebp - 0x688c;
										__ebx = __edi;
										__eflags = __ax;
										if(__ax == 0) {
											L159:
											__esi = 0x800;
											goto L160;
										}
										L143:
										__edi = __ax & 0x0000ffff;
										do {
											L144:
											_push(0x20);
											_pop(__eax);
											__eflags = __di - __ax;
											if(__di == __ax) {
												L146:
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x688c = E011DA231(__ebp - 0x688c);
												__eflags = __al;
												if(__al == 0) {
													L155:
													__esi->i = __di;
													goto L156;
												}
												L147:
												__ebp - 0x688c = E011DA243(__ebp - 0x688c);
												__eax = E011DA28F(__eax);
												__eflags = __al;
												if(__al != 0) {
													goto L155;
												}
												L148:
												_push(0x2f);
												_pop(__ecx);
												__eax =  &(__esi->i);
												__ebx = __esi;
												__eflags = __di - __cx;
												if(__di != __cx) {
													L150:
													_push(0x20);
													__esi = __eax;
													_pop(__eax);
													while(1) {
														L152:
														__eflags = __esi->i - __ax;
														if(__esi->i != __ax) {
															break;
														}
														L151:
														__esi =  &(__esi->i);
														__eflags = __esi;
													}
													L153:
													__ecx = __ebp - 0x1844;
													__eax = __esi;
													__edx = 0x400;
													L154:
													__eax = E011E0602(__ecx, __eax, __edx);
													 *__ebx = __di;
													goto L156;
												}
												L149:
												 *(__ebp - 0x1844) = __cx;
												__edx = 0x3ff;
												__ecx = __ebp - 0x1842;
												goto L154;
											}
											L145:
											_push(0x2f);
											_pop(__eax);
											__eflags = __di - __ax;
											if(__di != __ax) {
												goto L156;
											}
											goto L146;
											L156:
											__esi =  &(__esi->i);
											__eax = __esi->i & 0x0000ffff;
											__edi = __esi->i & 0x0000ffff;
											__eflags = __ax;
										} while (__ax != 0);
										__esi = 0x800;
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											 *__ebx = __ax;
										}
										goto L160;
									} else {
										L139:
										__ebp - 0x19892 = __ebp - 0x688c;
										E011E0602(__ebp - 0x688c, __ebp - 0x19892, 0x800) = __ebp - 0x688a;
										_push(__ebx);
										_push(__ebp - 0x688a);
										__eax = E011F22C6(__ecx);
										_pop(__ecx);
										_pop(__ecx);
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x1844 = E011E0602(__ebp - 0x1844, __ebp - 0x1844, 0x400);
										}
										L160:
										__eflags =  *((short*)(__ebp - 0x11894));
										if( *((short*)(__ebp - 0x11894)) != 0) {
											__ebp - 0x9894 = __ebp - 0x11894;
											__eax = E011DB6C4(__ebp - 0x11894, __ebp - 0x9894, __esi);
										}
										__ebp - 0xb894 = __ebp - 0x688c;
										__eax = E011DB6C4(__ebp - 0x688c, __ebp - 0xb894, __esi);
										__eflags =  *(__ebp - 0x2844);
										if(__eflags == 0) {
											__ebp - 0x2844 = E011EB425(__ecx, __ebp - 0x2844,  *(__ebp - 0x14));
										}
										__ebp - 0x2844 = E011DB690(__eflags, __ebp - 0x2844, __esi);
										__eflags =  *((short*)(__ebp - 0x17894));
										if(__eflags != 0) {
											__ebp - 0x17894 = __ebp - 0x2844;
											E011E05DA(__eflags, __ebp - 0x2844, __ebp - 0x17894, __esi) = __ebp - 0x2844;
											__eax = E011DB690(__eflags, __ebp - 0x2844, __esi);
										}
										__ebp - 0x2844 = __ebp - 0xc894;
										__eax = E011E0602(__ebp - 0xc894, __ebp - 0x2844, __esi);
										__eflags =  *(__ebp - 0x13894);
										__eax = __ebp - 0x13894;
										if(__eflags == 0) {
											__eax = __ebp - 0x19894;
										}
										__ebp - 0x2844 = E011E05DA(__eflags, __ebp - 0x2844, __ebp - 0x2844, __esi);
										__eax = __ebp - 0x2844;
										__eflags = E011DB92D(__ebp - 0x2844);
										if(__eflags == 0) {
											L170:
											__ebp - 0x2844 = E011E05DA(__eflags, __ebp - 0x2844, L".lnk", __esi);
											goto L171;
										} else {
											L169:
											__eflags = __eax;
											if(__eflags == 0) {
												L171:
												__ebx = 0;
												__ebp - 0x2844 = E011DA0B1(0, __ecx, __edi, __ebp, __ebp - 0x2844, 1, 0);
												__ebp - 0xb894 = __ebp - 0xa894;
												E011E0602(__ebp - 0xa894, __ebp - 0xb894, __esi) = __ebp - 0xa894;
												__eax = E011DC2E4(__eflags, __ebp - 0xa894);
												__esi =  *(__ebp - 0x1844) & 0x0000ffff;
												__eax = __ebp - 0x1844;
												__edx =  *(__ebp - 0x9894) & 0x0000ffff;
												__edi = __ebp - 0xa894;
												__ecx =  *(__ebp - 0x15894) & 0x0000ffff;
												__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff);
												asm("sbb esi, esi");
												__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff) & __ebp - 0x00001844;
												__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff);
												__eax = __ebp - 0x9894;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894;
												__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff);
												__eax = __ebp - 0x15894;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894;
												 *(__ebp - 0xa894) & 0x0000ffff =  ~( *(__ebp - 0xa894) & 0x0000ffff);
												asm("sbb eax, eax");
												 ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi = __ebp - 0x2844;
												__ebp - 0xb894 = E011EA48A( ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894, 0, __ebp - 0xb894, __ebp - 0x2844,  ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi, __ecx,  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894, __esi);
												__eflags =  *(__ebp - 0xc894) - __bx;
												if( *(__ebp - 0xc894) != __bx) {
													_push(0);
													__eax = __ebp - 0xc894;
													_push(__ebp - 0xc894);
													_push(5);
													_push(0x1000);
													__eax =  *0x123308c();
												}
												goto L175;
											}
											goto L170;
										}
									}
								case 0xa:
									L173:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0x121a470 = 1;
									}
									goto L175;
								case 0xb:
									L81:
									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
									__eax = E011F79E9( *(__ebp - 0x588c) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0x1218461 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0x1218462 = 1;
										} else {
											__eax = 0;
											 *0x1218461 = __al;
											 *0x1218462 = __al;
										}
									}
									goto L175;
								case 0xc:
									L104:
									 *0x1227b7a = 1;
									__eax = __eax + 0x1227b7a;
									_t117 = __esi + 0x39;
									 *_t117 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t117;
									__ebp = 0xffffa774;
									if( *_t117 != 0) {
										_t119 = __ebp - 0x588c; // 0xffff4ee8
										__eax = _t119;
										 *0x120e728 = E011E1FA7(_t119);
									}
									goto L175;
							}
							L2:
							_push(0x1000);
							_push(_t294);
							_push(_t226);
							_t226 = E011EAF98();
							_t294 = _t294 + 0x2000;
							_t292 = _t292 - 1;
							if(_t292 != 0) {
								goto L2;
							} else {
								_t295 = _t292;
								goto L4;
							}
						}
						L176:
						 *[fs:0x0] =  *((intOrPtr*)(_t299 - 0xc));
						return _t225;
					}
					L111:
					__eflags =  *0x121c575 - __bl;
					if( *0x121c575 != __bl) {
						goto L175;
					}
					L112:
					__eax = 0;
					 *(__ebp - 0x444) = __ax;
					__eax = __ebp - 0x588c;
					_push(__ebp - 0x588c);
					__eax = E011F22C6(__ecx);
					_pop(__ecx);
					__ecx = 0x2c;
					__eflags = __eax;
					if(__eax != 0) {
						L119:
						__eflags =  *(__ebp - 0x444) - __bx;
						if( *(__ebp - 0x444) == __bx) {
							__ebp - 0x1b894 = __ebp - 0x588c;
							E011E0602(__ebp - 0x588c, __ebp - 0x1b894, 0x1000) = __ebp - 0x19894;
							__ebp - 0x444 = E011E0602(__ebp - 0x444, __ebp - 0x19894, 0x200);
						}
						__ebp - 0x588c = E011EADD2(__ebp - 0x588c);
						__eax = 0;
						 *(__ebp - 0x488c) = __ax;
						__ebp - 0x444 = __ebp - 0x588c;
						__eax = E011EA7E4( *(__ebp + 8), __ebp - 0x588c, __ebp - 0x444, 0x24);
						__eflags = __eax - 6;
						if(__eax != 6) {
							__eax = 0;
							 *0x1218454 = 1;
							 *0x121946a = __ax;
							__eax = EndDialog( *(__ebp + 8), 1);
						}
						goto L175;
					}
					L113:
					__ax =  *(__ebp - 0x588c);
					__esi = __ebx;
					__eflags = __ax;
					if(__ax == 0) {
						goto L119;
					}
					L114:
					__ecx = __ax & 0x0000ffff;
					while(1) {
						L115:
						__eflags = __cx - 0x40;
						if(__cx == 0x40) {
							break;
						}
						L116:
						__eax =  *(__ebp + __esi * 2 - 0x588a) & 0x0000ffff;
						__esi =  &(__esi->i);
						__ecx = __eax;
						__eflags = __ax;
						if(__ax != 0) {
							continue;
						}
						L117:
						goto L119;
					}
					L118:
					__ebp - 0x588a = __ebp - 0x588a + __esi * 2;
					__ebp - 0x444 = E011E0602(__ebp - 0x444, __ebp - 0x444, 0x200);
					__eax = 0;
					__eflags = 0;
					 *(__ebp + __esi * 2 - 0x588c) = __ax;
					goto L119;
					L123:
					__eflags = __ebx - 7;
					if(__ebx == 7) {
						__eflags =  *0x121a46c - 0x800;
						if( *0x121a46c == 0x800) {
							 *0x121a46c = 2;
						}
						 *0x1219468 = 1;
					}
					goto L175;
				}
			}

0x011ece87
0x011ece87
0x011ece87
0x011ece8a
0x00000000
0x00000000
0x011ece90
0x011ece90
0x011ece96
0x011ecea4
0x011eceab
0x011eceb0
0x011eceb2
0x011eceb4
0x011eceb9
0x011eceb9
0x011eceb9
0x011eced1
0x011ecede
0x011ecee3
0x011ecee5
0x00000000
0x00000000
0x011eceb7
0x011eceb7
0x011eceb7
0x011eceb8
0x011eceb8
0x011ecee7
0x011ecef1
0x011ecef7
0x011ecefe
0x011ed3d9
0x011ed3d9
0x011ed3d9
0x011ed3de
0x011ed3e2
0x011ed3e6
0x011ed3ed
0x011ed3f4
0x011ed3f7
0x011ed3fc
0x011ed3ff
0x011ed404
0x011ec795
0x011ec79b
0x011ec7a1
0x011ec7a1
0x00000000
0x00000000
0x00000000
0x00000000
0x011ec7bb
0x011ec7d2
0x011ec7d6
0x00000000
0x011ec7d8
0x00000000
0x011ec7d8
0x011ec7d6
0x011ec7dd
0x011ec7e0
0x00000000
0x00000000
0x011ec7e6
0x011ec7e6
0x00000000
0x011ec7ed
0x011ec7ed
0x011ec7f0
0x011ec803
0x011ec829
0x011ec83d
0x011ec840
0x011ec84b
0x011ec98f
0x011ec98f
0x011ec98f
0x011ec99d
0x011ec9a2
0x011ec9a4
0x00000000
0x00000000
0x011ec855
0x011ec85d
0x011ec863
0x011ec869
0x011ec90f
0x011ec916
0x011ec91c
0x011ec91f
0x00000000
0x00000000
0x011ec921
0x011ec928
0x011ec92e
0x011ec930
0x00000000
0x011ec932
0x011ec932
0x011ec934
0x011ec935
0x011ec939
0x011ec94d
0x011ec952
0x011ec95c
0x011ec962
0x011ec965
0x011ec937
0x011ec937
0x011ec938
0x00000000
0x011ec967
0x011ec975
0x011ec97b
0x011ec97d
0x011ec989
0x011ec989
0x00000000
0x011ec97d
0x011ec965
0x011ec930
0x011ec86f
0x011ec87e
0x011ec88b
0x011ec89c
0x011ec89f
0x011ec8a2
0x011ec8b5
0x011ec8bc
0x011ec8c1
0x011ec8c3
0x00000000
0x00000000
0x011ec8c9
0x011ec8d0
0x011ec8d5
0x011ec8da
0x011ec8e6
0x011ec8eb
0x011ec8ee
0x011ec8f5
0x011ec8f7
0x011ec8f8
0x011ec902
0x011ec908
0x011ec909
0x00000000
0x011ec909
0x011ec8a4
0x011ec8ab
0x011ec8b1
0x011ec8b3
0x00000000
0x00000000
0x00000000
0x011ec8b3
0x011ec9aa
0x011ec9aa
0x011ec9b4
0x011ec9b4
0x00000000
0x00000000
0x011ec9be
0x011ec9be
0x011ec9c0
0x00000000
0x011ec9c6
0x011ec9c6
0x011ec9cb
0x011ec9cd
0x011ec9d0
0x011ec9d2
0x011ec9df
0x011ec9e4
0x011ec9e5
0x011ec9e5
0x011ec9e6
0x011ec9e9
0x011ec9eb
0x011ec9f5
0x011ec9f8
0x011ec9fe
0x011eca00
0x011ec9ed
0x011ec9ed
0x011ec9ed
0x011eca05
0x011eca07
0x011eca10
0x011eca10
0x011eca12
0x011eca13
0x011eca18
0x011eca21
0x011eca22
0x011eca28
0x011eca2d
0x011eca30
0x011eca32
0x011eca4b
0x011eca4b
0x011eca4d
0x011eca54
0x011eca59
0x00000000
0x011eca4d
0x011eca34
0x011eca34
0x011eca39
0x011eca3b
0x011eca3d
0x011eca3d
0x011eca3f
0x011eca3f
0x011eca42
0x011eca44
0x011eca49
0x011eca4a
0x00000000
0x011eca4a
0x00000000
0x011eca5f
0x011eca5f
0x011eca61
0x011eca71
0x011eca71
0x00000000
0x00000000
0x011eca7c
0x011eca7c
0x011eca7e
0x00000000
0x00000000
0x011eca84
0x011eca84
0x011eca8b
0x00000000
0x00000000
0x011eca91
0x011eca91
0x011eca93
0x011eca99
0x011eca9b
0x011ecaa2
0x011ecaa3
0x011ecaaa
0x011ecaac
0x011ecaac
0x011ecab3
0x011ecab8
0x011ecabe
0x011ecac0
0x00000000
0x011ecac6
0x011ecac6
0x011ecac6
0x011ecac9
0x011ecacb
0x011ecacc
0x011ecacf
0x011ecaf8
0x011ecaf8
0x011ecafb
0x011ecbe0
0x011ecbe9
0x011ecbee
0x011ecbee
0x011ecbf0
0x011ecbf0
0x011ecbf2
0x011ecbf4
0x011ecbfb
0x011ecc00
0x011ecc01
0x011ecc02
0x011ecc04
0x011ecc06
0x011ecc0a
0x011ecc0c
0x011ecc0c
0x011ecc0e
0x011ecc0e
0x011ecc0a
0x011ecc12
0x011ecc18
0x011ecc25
0x011ecc2c
0x011ecc3c
0x011ecc46
0x011ecc54
0x011ecc5a
0x011ecc62
0x011ecc67
0x011ecc68
0x011ecc69
0x011ecc6b
0x011ecc7f
0x011ecc7f
0x00000000
0x011ecc6b
0x011ecb01
0x011ecb01
0x011ecb04
0x011ecb11
0x011ecb11
0x011ecb14
0x011ecb16
0x011ecb17
0x011ecb19
0x011ecb1a
0x011ecb1f
0x011ecb24
0x011ecb2a
0x011ecb2c
0x011ecb2e
0x011ecb31
0x011ecb38
0x011ecb39
0x011ecb3f
0x011ecb40
0x011ecb43
0x011ecb44
0x011ecb45
0x011ecb4a
0x011ecb4d
0x011ecb53
0x011ecb5c
0x011ecb5f
0x011ecb64
0x011ecb66
0x011ecb68
0x011ecb6a
0x011ecb6a
0x011ecb6c
0x011ecb6c
0x011ecb6e
0x011ecb6e
0x011ecb76
0x011ecb7d
0x011ecb7f
0x011ecb86
0x011ecb8c
0x011ecb8e
0x011ecb8f
0x011ecb97
0x011ecba6
0x011ecba6
0x011ecb97
0x011ecbb1
0x011ecbb3
0x011ecbc2
0x011ecbc8
0x011ecbce
0x011ecbd9
0x011ecbd9
0x00000000
0x011ecbce
0x011ecb06
0x011ecb06
0x011ecb0b
0x00000000
0x00000000
0x00000000
0x011ecb0b
0x011ecad1
0x011ecad1
0x011ecad5
0x00000000
0x00000000
0x011ecad7
0x011ecad7
0x011ecada
0x011ecadc
0x011ecadf
0x00000000
0x00000000
0x011ecae5
0x011ecaee
0x00000000
0x011ecaee
0x00000000
0x011ecc8a
0x011ecc8a
0x011ecc8b
0x011ecc90
0x011ecc92
0x011ecc95
0x011ecc95
0x00000000
0x011ecccb
0x011ecccb
0x011eccd2
0x011eccd4
0x011eccd4
0x011eccd6
0x011ecd05
0x011ecd05
0x011ecd0b
0x00000000
0x011ecd0b
0x011eccd8
0x011eccd8
0x011eccd8
0x011eccdb
0x011eccf4
0x011eccf4
0x011eccfa
0x011eccfa
0x00000000
0x011eccfa
0x011eccdd
0x011eccdd
0x011eccdd
0x011ecce0
0x00000000
0x00000000
0x011ecce2
0x011ecce2
0x011ecce2
0x011ecce5
0x00000000
0x00000000
0x011ecceb
0x011ecceb
0x00000000
0x00000000
0x011ecd58
0x011ecd58
0x011ecd5a
0x011ecd61
0x011ecd62
0x011ecd68
0x011ecd70
0x011ecd72
0x011ecd75
0x011ece25
0x011ece25
0x011ece29
0x011ece38
0x011ece38
0x011ece3c
0x00000000
0x00000000
0x011ece42
0x011ece42
0x011ece45
0x00000000
0x00000000
0x011ece4b
0x011ece4b
0x011ece4b
0x011ece4d
0x011ece4e
0x011ece4e
0x011ece4f
0x011ece50
0x011ece53
0x00000000
0x011ece53
0x011ece2b
0x011ece2b
0x011ece2e
0x00000000
0x00000000
0x011ece34
0x011ece34
0x00000000
0x011ece34
0x011ecd7b
0x011ecd7b
0x011ecd81
0x011ecd83
0x011ecd84
0x011ecd89
0x011ecd8a
0x011ecd8b
0x011ecd8d
0x011ece22
0x011ece22
0x00000000
0x011ece22
0x011ecd93
0x011ecd93
0x011ecd93
0x011ecd96
0x011ecd99
0x011ecd9b
0x011ecd9e
0x011ecda4
0x011ecda6
0x011ecda7
0x011ecdad
0x011ecdae
0x011ecdb3
0x011ecdb6
0x011ecdb8
0x00000000
0x00000000
0x011ecdba
0x011ecdba
0x011ecdbc
0x011ecdbc
0x011ecdbc
0x011ecdc4
0x00000000
0x00000000
0x011ecdc6
0x011ecdcb
0x011ecdd2
0x011ecdd7
0x011ecdde
0x011ecde0
0x011ecde2
0x011ecde9
0x011ecdee
0x011ecdf0
0x011ecdf2
0x011ecdf4
0x011ecdf4
0x011ecdfa
0x011ece01
0x011ece06
0x011ece08
0x011ece0a
0x011ece0c
0x011ece0c
0x011ece0d
0x011ece0f
0x011ece15
0x011ece16
0x011ece1c
0x011ece1e
0x011ece20
0x00000000
0x00000000
0x00000000
0x00000000
0x011ece20
0x00000000
0x00000000
0x00000000
0x00000000
0x011ed030
0x011ed030
0x011ed033
0x011ed035
0x011ed03c
0x011ed03e
0x011ed044
0x011ed045
0x011ed04a
0x011ed04b
0x011ed04b
0x011ed050
0x011ed053
0x011ed059
0x011ed059
0x011ed05e
0x00000000
0x00000000
0x011ed06a
0x011ed06a
0x011ed06d
0x00000000
0x00000000
0x011ed073
0x011ed073
0x011ed075
0x011ed07c
0x011ed084
0x011ed08a
0x011ed08d
0x011ed0b0
0x011ed0b7
0x011ed08f
0x011ed08f
0x011ed092
0x011ed0a2
0x011ed0a9
0x011ed094
0x011ed094
0x011ed09b
0x011ed09b
0x011ed092
0x011ed0bc
0x011ed0ca
0x011ed0cf
0x011ed0d1
0x011ed0d8
0x011ed0e7
0x011ed0ee
0x011ed0f3
0x011ed0f5
0x011ed0f6
0x011ed0fd
0x011ed149
0x011ed150
0x011ed155
0x011ed157
0x00000000
0x00000000
0x011ed15d
0x011ed15d
0x011ed164
0x011ed16a
0x011ed16c
0x011ed16f
0x011ed221
0x011ed221
0x00000000
0x011ed221
0x011ed175
0x011ed175
0x011ed178
0x011ed178
0x011ed178
0x011ed17a
0x011ed17b
0x011ed17e
0x011ed188
0x011ed188
0x011ed18a
0x011ed194
0x011ed199
0x011ed19b
0x011ed1fd
0x011ed1fd
0x00000000
0x011ed1fd
0x011ed19d
0x011ed1a4
0x011ed1aa
0x011ed1af
0x011ed1b1
0x00000000
0x00000000
0x011ed1b3
0x011ed1b3
0x011ed1b5
0x011ed1b6
0x011ed1b9
0x011ed1bb
0x011ed1be
0x011ed1d4
0x011ed1d4
0x011ed1d6
0x011ed1d8
0x011ed1de
0x011ed1de
0x011ed1de
0x011ed1e1
0x00000000
0x00000000
0x011ed1db
0x011ed1db
0x011ed1db
0x011ed1db
0x011ed1e3
0x011ed1e3
0x011ed1e9
0x011ed1eb
0x011ed1f0
0x011ed1f3
0x011ed1f8
0x00000000
0x011ed1f8
0x011ed1c0
0x011ed1c0
0x011ed1c7
0x011ed1cc
0x00000000
0x011ed1cc
0x011ed180
0x011ed180
0x011ed182
0x011ed183
0x011ed186
0x00000000
0x00000000
0x00000000
0x011ed200
0x011ed200
0x011ed203
0x011ed206
0x011ed208
0x011ed208
0x011ed211
0x011ed216
0x011ed218
0x011ed21a
0x011ed21c
0x011ed21c
0x00000000
0x011ed0ff
0x011ed0ff
0x011ed107
0x011ed113
0x011ed119
0x011ed11a
0x011ed11b
0x011ed120
0x011ed121
0x011ed122
0x011ed124
0x011ed12a
0x011ed12c
0x011ed13f
0x011ed13f
0x011ed226
0x011ed226
0x011ed22e
0x011ed238
0x011ed23f
0x011ed23f
0x011ed24c
0x011ed253
0x011ed258
0x011ed260
0x011ed26c
0x011ed26c
0x011ed279
0x011ed27e
0x011ed286
0x011ed290
0x011ed29d
0x011ed2a4
0x011ed2a4
0x011ed2b1
0x011ed2b8
0x011ed2bd
0x011ed2c5
0x011ed2cb
0x011ed2cd
0x011ed2cd
0x011ed2e2
0x011ed2e7
0x011ed2f3
0x011ed2f5
0x011ed306
0x011ed313
0x00000000
0x011ed2f7
0x011ed2f7
0x011ed302
0x011ed304
0x011ed318
0x011ed318
0x011ed324
0x011ed331
0x011ed33d
0x011ed344
0x011ed349
0x011ed350
0x011ed356
0x011ed35d
0x011ed363
0x011ed36a
0x011ed36c
0x011ed36e
0x011ed370
0x011ed372
0x011ed378
0x011ed37a
0x011ed37c
0x011ed37e
0x011ed384
0x011ed386
0x011ed390
0x011ed393
0x011ed399
0x011ed3a8
0x011ed3ad
0x011ed3b4
0x011ed3b6
0x011ed3b7
0x011ed3bd
0x011ed3be
0x011ed3c0
0x011ed3c5
0x011ed3c5
0x00000000
0x011ed3b4
0x00000000
0x011ed304
0x011ed2f5
0x00000000
0x011ed3cd
0x011ed3cd
0x011ed3d0
0x011ed3d2
0x011ed3d2
0x00000000
0x00000000
0x011ecd17
0x011ecd17
0x011ecd1f
0x011ecd25
0x011ecd28
0x011ecd4c
0x011ecd2a
0x011ecd2a
0x011ecd2d
0x011ecd40
0x011ecd2f
0x011ecd2f
0x011ecd31
0x011ecd36
0x011ecd36
0x011ecd2d
0x00000000
0x00000000
0x011ece5d
0x011ece5d
0x011ece5e
0x011ece63
0x011ece63
0x011ece63
0x011ece66
0x011ece6b
0x011ece71
0x011ece71
0x011ece7d
0x011ece7d
0x00000000
0x00000000
0x011ec7a2
0x011ec7a2
0x011ec7a7
0x011ec7a8
0x011ec7a9
0x011ec7ae
0x011ec7b4
0x011ec7b7
0x00000000
0x011ec7b9
0x011ec7b9
0x00000000
0x011ec7b9
0x011ec7b7
0x011ed40a
0x011ed410
0x011ed418
0x011ed418
0x011ecf04
0x011ecf04
0x011ecf0a
0x00000000
0x00000000
0x011ecf10
0x011ecf10
0x011ecf12
0x011ecf19
0x011ecf21
0x011ecf22
0x011ecf27
0x011ecf28
0x011ecf29
0x011ecf2b
0x011ecf7b
0x011ecf7b
0x011ecf82
0x011ecf90
0x011ecfa1
0x011ecfaf
0x011ecfaf
0x011ecfbb
0x011ecfc0
0x011ecfc2
0x011ecfd2
0x011ecfdc
0x011ecfe1
0x011ecfe4
0x011ecfef
0x011ecff1
0x011ecff8
0x011ecffe
0x011ecffe
0x00000000
0x011ecfe4
0x011ecf2d
0x011ecf2d
0x011ecf34
0x011ecf36
0x011ecf39
0x00000000
0x00000000
0x011ecf3b
0x011ecf3b
0x011ecf3e
0x011ecf3e
0x011ecf3e
0x011ecf42
0x00000000
0x00000000
0x011ecf44
0x011ecf44
0x011ecf4c
0x011ecf4d
0x011ecf4f
0x011ecf52
0x00000000
0x00000000
0x011ecf54
0x00000000
0x011ecf54
0x011ecf56
0x011ecf61
0x011ecf6c
0x011ecf71
0x011ecf71
0x011ecf73
0x00000000
0x011ed009
0x011ed009
0x011ed00c
0x011ed012
0x011ed018
0x011ed01a
0x011ed01a
0x011ed024
0x011ed024
0x00000000
0x011ed00c

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 011ECE9D

Part of subcall function 011DB690: _wcslen.LIBCMT ref: 011DB696

_swprintf.LIBCMT ref: 011ECED1

Part of subcall function 011D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 011D40A5

SetDlgItemTextW.USER32(?,00000066,0121946A), ref: 011ECEF1
EndDialog.USER32(?,00000001), ref: 011ECFFE

Strings

%s%s%u, xrefs: 011ECEC6

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: c559705a78429b0f47c9a774ffad096c120c50c4d832a0d4e93dd59be10a4c47
Instruction ID: 0cad7794d4e190d27c2efd846a5d9b390b8fdf8af25bf786629ba2382ea7a1c7
Opcode Fuzzy Hash: c559705a78429b0f47c9a774ffad096c120c50c4d832a0d4e93dd59be10a4c47
Instruction Fuzzy Hash: 3B4174B1940659AADF29DBD4DC48BEE77FCEB14344F408096E909E7041EF708A848FA1

Uniqueness

Uniqueness Score: -1.00%

Function 011DBB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E011DBB03(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4096;
				short _v4100;
				void* _t32;
				long _t34;
				void* _t40;
				void* _t55;
				signed short* _t62;
				void* _t65;
				intOrPtr _t67;
				signed short* _t68;
				intOrPtr _t69;

				E011EEC50(0x1000);
				_t68 = _a4;
				_t70 =  *_t68;
				if( *_t68 == 0) {
					L21:
					__eflags = 0;
					return 0;
				}
				E011DBC98(_t70, _t68);
				_t65 = E011F3E13(_t68);
				_t32 = E011DBCC3(_t68);
				_t71 = _t32;
				if(_t32 == 0) {
					_t34 = GetCurrentDirectoryW(0x7ff,  &_v4100);
					__eflags = _t34;
					if(_t34 == 0) {
						goto L21;
					}
					__eflags = _t34 - 0x7ff;
					if(_t34 > 0x7ff) {
						goto L21;
					}
					__eflags = E011DBD9D( *_t68 & 0x0000ffff);
					if(__eflags == 0) {
						E011DB690(__eflags,  &_v4100, 0x800);
						_t40 = E011F3E13( &_v4100);
						_t67 = _a12;
						__eflags = _t67 - _t40 + _t65 + 4;
						if(_t67 <= _t40 + _t65 + 4) {
							goto L21;
						}
						E011E0602(_a8, L"\\\\?\\", _t67);
						E011E05DA(__eflags, _a8,  &_v4100, _t67);
						__eflags =  *_t68 - 0x2e;
						if(__eflags == 0) {
							__eflags = E011DBD9D(_t68[1] & 0x0000ffff);
							if(__eflags != 0) {
								_t68 =  &(_t68[2]);
							}
						}
						L16:
						_push(_t67);
						L5:
						_push(_t68);
						L6:
						_push(_a8);
						E011E05DA(_t73);
						return 1;
					}
					_t14 = _t65 + 6; // 0x6
					_t67 = _a12;
					__eflags = _t67 - _t14;
					if(_t67 <= _t14) {
						goto L21;
					}
					E011E0602(_a8, L"\\\\?\\", _t67);
					__eflags = 0;
					_v4096 = 0;
					E011E05DA(0, _a8,  &_v4100, _t67);
					goto L16;
				}
				if(E011DBC98(_t71, _t68) == 0) {
					_t55 = 0x5c;
					__eflags =  *_t68 - _t55;
					if( *_t68 != _t55) {
						goto L21;
					}
					_t62 =  &(_t68[1]);
					__eflags =  *_t62 - _t55;
					if( *_t62 != _t55) {
						goto L21;
					}
					_t69 = _a12;
					_t10 = _t65 + 6; // 0x6
					__eflags = _t69 - _t10;
					if(_t69 <= _t10) {
						goto L21;
					}
					E011E0602(_a8, L"\\\\?\\", _t69);
					E011E05DA(__eflags, _a8, L"UNC", _t69);
					_push(_t69);
					_push(_t62);
					goto L6;
				}
				_t2 = _t65 + 4; // 0x4
				_t73 = _a12 - _t2;
				if(_a12 <= _t2) {
					goto L21;
				} else {
					E011E0602(_a8, L"\\\\?\\", _a12);
					_push(_a12);
					goto L5;
				}
			}

0x011dbb0b
0x011dbb12
0x011dbb16
0x011dbb1a
0x011dbc84
0x011dbc84
0x00000000
0x011dbc84
0x011dbb21
0x011dbb2e
0x011dbb30
0x011dbb35
0x011dbb37
0x011dbbc5
0x011dbbcb
0x011dbbcd
0x00000000
0x00000000
0x011dbbd3
0x011dbbd5
0x00000000
0x00000000
0x011dbbe4
0x011dbbe6
0x011dbc2f
0x011dbc3b
0x011dbc45
0x011dbc49
0x011dbc4b
0x00000000
0x00000000
0x011dbc56
0x011dbc66
0x011dbc6b
0x011dbc6f
0x011dbc7b
0x011dbc7d
0x011dbc7f
0x011dbc7f
0x011dbc7d
0x011dbc1d
0x011dbc1d
0x011dbb62
0x011dbb62
0x011dbb63
0x011dbb63
0x011dbb66
0x00000000
0x011dbb6b
0x011dbbe8
0x011dbbeb
0x011dbbee
0x011dbbf0
0x00000000
0x00000000
0x011dbbff
0x011dbc04
0x011dbc06
0x011dbc18
0x00000000
0x011dbc18
0x011dbb41
0x011dbb74
0x011dbb75
0x011dbb78
0x00000000
0x00000000
0x011dbb7e
0x011dbb81
0x011dbb84
0x00000000
0x00000000
0x011dbb8a
0x011dbb8d
0x011dbb90
0x011dbb92
0x00000000
0x00000000
0x011dbba1
0x011dbbaf
0x011dbbb4
0x011dbbb5
0x00000000
0x011dbbb5
0x011dbb43
0x011dbb46
0x011dbb49
0x00000000
0x011dbb4f
0x011dbb5a
0x011dbb5f
0x00000000
0x011dbb5f

APIs

_wcslen.LIBCMT ref: 011DBB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,011DA275,?,?,00000800,?,011DA23A,?,011D755C), ref: 011DBBC5
_wcslen.LIBCMT ref: 011DBC3B

Strings

UNC, xrefs: 011DBBA7
\\?\, xrefs: 011DBB52, 011DBB99, 011DBBF7, 011DBC4E

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 41975591f4b073348b97470c8d15b1ace3062bceb04dff5ef61b65cb5a3cf329
Instruction ID: 580a27f2c144652e0904842ec375514fa9aea6fe029ac1bcae040c2a09397d98
Opcode Fuzzy Hash: 41975591f4b073348b97470c8d15b1ace3062bceb04dff5ef61b65cb5a3cf329
Instruction Fuzzy Hash: D041153550421ABACF39AF65CC04EEF77B9BF5A798F024125F916A3140EB74D980CB68

Uniqueness

Uniqueness Score: -1.00%

Function 011ED600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E011ED600(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				void* _t12;
				WCHAR* _t16;
				void* _t17;
				intOrPtr _t18;
				void* _t19;
				struct HWND__* _t21;
				signed short _t22;

				_t16 = _a16;
				_t22 = _a12;
				_t21 = _a4;
				_t18 = _a8;
				if(E011D1316(_t17, _t21, _t18, _t22, _t16, L"RENAMEDLG", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t19 = _t18 - 0x110;
				if(_t19 == 0) {
					 *0x122fcb4 = _t16;
					SetDlgItemTextW(_t21, 0x66, _t16);
					SetDlgItemTextW(_t21, 0x68,  *0x122fcb4);
					goto L10;
				}
				if(_t19 != 1) {
					L5:
					return 0;
				}
				_t12 = (_t22 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t21, 0x68,  *0x122fcb4, 0x800);
					_push(1);
					L7:
					EndDialog(_t21, ??);
					goto L10;
				}
				if(_t12 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x011ed601
0x011ed606
0x011ed60b
0x011ed610
0x011ed628
0x011ed68a
0x00000000
0x011ed68c
0x011ed62a
0x011ed630
0x011ed66f
0x011ed675
0x011ed684
0x00000000
0x011ed684
0x011ed635
0x011ed644
0x00000000
0x011ed644
0x011ed63a
0x011ed63d
0x011ed661
0x011ed667
0x011ed64a
0x011ed64b
0x00000000
0x011ed64b
0x011ed642
0x011ed648
0x00000000
0x011ed648
0x00000000

APIs

Part of subcall function 011D1316: GetDlgItem.USER32(00000000,00003021), ref: 011D135A
Part of subcall function 011D1316: SetWindowTextW.USER32(00000000,012035F4), ref: 011D1370

EndDialog.USER32(?,00000001), ref: 011ED64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 011ED661
SetDlgItemTextW.USER32(?,00000066,?), ref: 011ED675
SetDlgItemTextW.USER32(?,00000068), ref: 011ED684

Strings

RENAMEDLG, xrefs: 011ED618

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 8425b303b046798a7fb5181d341339642d1ab227801ced71951cedfc50723019
Instruction ID: 8940c6ab52dee7f773a10121b93f205f16f1747c7f15f2d62387a1b3db246243
Opcode Fuzzy Hash: 8425b303b046798a7fb5181d341339642d1ab227801ced71951cedfc50723019
Instruction Fuzzy Hash: 3A01B533284610BAE6398FE8BE0DF5ABBADBB5EB01F010501F345A6085C7A295048F66

Uniqueness

Uniqueness Score: -1.00%

Function 011F7E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,011F7E24,00000000,?,011F7DC4,00000000,0120C300,0000000C,011F7F1B,00000000,00000002), ref: 011F7E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 011F7EA6
FreeLibrary.KERNEL32(00000000,?,?,?,011F7E24,00000000,?,011F7DC4,00000000,0120C300,0000000C,011F7F1B,00000000,00000002), ref: 011F7EC9

Strings

mscoree.dll, xrefs: 011F7E8C
CorExitProcess, xrefs: 011F7E9E

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 968e810f58d0bdf89f5e3ab27aced66d0ba8029e1043fbadf31fa5cf542de530
Instruction ID: 45a4cb696b88af402e9331c37f5d636b73dead4a49612adceaeda3f7f04733b5
Opcode Fuzzy Hash: 968e810f58d0bdf89f5e3ab27aced66d0ba8029e1043fbadf31fa5cf542de530
Instruction Fuzzy Hash: 58F04431900218BFDB26DFA5EC0DB9EBFB5FB44715F054259E905A2196DB309D40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011DF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011DF2C5(struct HINSTANCE__** __ecx) {
				void* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__** _t9;

				_t9 = __ecx;
				if(__ecx[1] == 0) {
					_t6 = E011E081B(L"Crypt32.dll");
					 *__ecx = _t6;
					if(_t6 != 0) {
						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
						_t9[3] = _t6;
					}
					_t9[1] = 1;
					return _t6;
				}
				return _t5;
			}

0x011df2c6
0x011df2cc
0x011df2d3
0x011df2d8
0x011df2dc
0x011df2f1
0x011df2f4
0x011df2fa
0x011df2fa
0x011df2fd
0x00000000
0x011df2fd
0x011df302

APIs

Part of subcall function 011E081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 011E0836
Part of subcall function 011E081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,011DF2D8,Crypt32.dll,00000000,011DF35C,?,?,011DF33E,?,?,?), ref: 011E0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 011DF2E4
GetProcAddress.KERNEL32(012181C8,CryptUnprotectMemory), ref: 011DF2F4

Strings

Crypt32.dll, xrefs: 011DF2CE
CryptUnprotectMemory, xrefs: 011DF2EA
CryptProtectMemory, xrefs: 011DF2DE

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 301ca392e6dad729bbff033d66c6988892f4ec8c49c4e4cb4f76f949e23f6d23
Instruction ID: dca3157d1ff19f6175c6606c332439e98a1c22a55450784027a8f9bee5b1a58f
Opcode Fuzzy Hash: 301ca392e6dad729bbff033d66c6988892f4ec8c49c4e4cb4f76f949e23f6d23
Instruction Fuzzy Hash: 32E04F71D21B12AED732DF7AA84CB017AD47F18704B14891EE0DA93646DBB4D0818B50

Uniqueness

Uniqueness Score: -1.00%

Function 011F2BDA Relevance: 7.7, APIs: 5, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E011F2BDA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed char* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed char _t81;
				signed char _t84;
				signed int _t85;
				signed int _t86;
				signed int _t97;
				signed char _t99;
				signed int* _t100;
				signed char* _t103;
				signed int _t109;
				void* _t113;

				_push(0x10);
				_push(0x120c248);
				E011EF5F0(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t113 + 0x10);
				_t81 = _t52[4];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t99 = _t52[8];
					if(_t99 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t109 =  *(_t113 + 0xc);
						if(_t84 >= 0) {
							_t109 = _t109 + 0xc + _t99;
						}
						 *(_t113 - 4) = _t75;
						_t103 =  *(_t113 + 0x14);
						if(_t84 >= 0 || ( *_t103 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t113 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t103 & 0x00000001;
								if(( *_t103 & 0x00000001) == 0) {
									_t85 =  *(_t54 + 0x18);
									__eflags = _t103[0x18] - _t75;
									if(_t103[0x18] != _t75) {
										__eflags = _t85;
										if(_t85 == 0) {
											goto L32;
										} else {
											__eflags = _t109;
											if(_t109 == 0) {
												goto L32;
											} else {
												__eflags =  *_t103 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t103 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t113 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t85;
										if(_t85 == 0) {
											goto L32;
										} else {
											__eflags = _t109;
											if(_t109 == 0) {
												goto L32;
											} else {
												E011F0320(_t109, E011F027C(_t85,  &(_t103[8])), _t103[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t109;
										if(_t109 == 0) {
											goto L32;
										} else {
											E011F0320(_t109,  *(_t54 + 0x18), _t103[0x14]);
											__eflags = _t103[0x14] - 4;
											if(_t103[0x14] == 4) {
												__eflags =  *_t109;
												if( *_t109 != 0) {
													_push( &(_t103[8]));
													_push( *_t109);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t97 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x123205c; // 0x0
							 *((intOrPtr*)(_t113 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x1203278();
								_t97 =  *((intOrPtr*)(_t113 - 0x1c))();
								L12:
								if(_t97 == 0 || _t109 == 0) {
									L32:
									E011F8D24(_t75, _t99, _t103, _t109);
									asm("int3");
									_push(8);
									_push(0x120c268);
									E011EF5F0(_t75, _t103, _t109);
									_t100 =  *(_t113 + 0x10);
									_t86 =  *(_t113 + 0xc);
									__eflags =  *_t100;
									if(__eflags >= 0) {
										_t105 = _t86 + 0xc + _t100[2];
										__eflags = _t86 + 0xc + _t100[2];
									} else {
										_t105 = _t86;
									}
									 *(_t113 - 4) =  *(_t113 - 4) & 0x00000000;
									_t110 =  *(_t113 + 0x14);
									_push( *(_t113 + 0x14));
									_push(_t100);
									_push(_t86);
									_t77 =  *((intOrPtr*)(_t113 + 8));
									_push( *((intOrPtr*)(_t113 + 8)));
									_t58 = E011F2BDA(_t77, _t105, _t110, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E011F38E4(_t105, _t110[0x18], E011F027C( *((intOrPtr*)(_t77 + 0x18)),  &(_t110[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E011F38F4(_t105, _t110[0x18], E011F027C( *((intOrPtr*)(_t77 + 0x18)),  &(_t110[8])), 1);
										}
									}
									 *(_t113 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0x10));
									return _t61;
								} else {
									 *_t109 = _t97;
									_push( &(_t103[8]));
									_push(_t97);
									L21:
									 *_t109 = E011F027C();
									L29:
									 *(_t113 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x011f2bda
0x011f2bdc
0x011f2be1
0x011f2be6
0x011f2be8
0x011f2beb
0x011f2bf0
0x011f2d00
0x011f2d00
0x011f2d00
0x00000000
0x011f2bff
0x011f2bff
0x011f2c04
0x011f2c0e
0x011f2c10
0x011f2c15
0x011f2c1a
0x011f2c1a
0x011f2c1c
0x011f2c1f
0x011f2c24
0x011f2c46
0x011f2c46
0x011f2c49
0x011f2c4c
0x011f2c6a
0x011f2c6d
0x011f2cac
0x011f2caf
0x011f2cb2
0x011f2cd7
0x011f2cd9
0x00000000
0x011f2cdb
0x011f2cdb
0x011f2cdd
0x00000000
0x011f2cdf
0x011f2cdf
0x011f2ce4
0x011f2ce8
0x011f2ce8
0x011f2ce9
0x00000000
0x011f2ce9
0x011f2cdd
0x011f2cb4
0x011f2cb4
0x011f2cb6
0x00000000
0x011f2cb8
0x011f2cb8
0x011f2cba
0x00000000
0x011f2cbc
0x011f2ccd
0x00000000
0x011f2cd2
0x011f2cba
0x011f2cb6
0x011f2c6f
0x011f2c6f
0x011f2c73
0x00000000
0x011f2c79
0x011f2c79
0x011f2c7b
0x00000000
0x011f2c81
0x011f2c88
0x011f2c90
0x011f2c94
0x011f2c96
0x011f2c99
0x011f2c9e
0x011f2c9f
0x00000000
0x011f2c9f
0x011f2c99
0x00000000
0x011f2c94
0x011f2c7b
0x011f2c73
0x011f2c4e
0x011f2c4e
0x00000000
0x011f2c4e
0x011f2c2b
0x011f2c2b
0x011f2c30
0x011f2c35
0x00000000
0x011f2c37
0x011f2c39
0x011f2c42
0x011f2c51
0x011f2c53
0x011f2d12
0x011f2d12
0x011f2d17
0x011f2d18
0x011f2d1a
0x011f2d1f
0x011f2d24
0x011f2d27
0x011f2d2a
0x011f2d2d
0x011f2d36
0x011f2d36
0x011f2d2f
0x011f2d2f
0x011f2d2f
0x011f2d39
0x011f2d3d
0x011f2d40
0x011f2d41
0x011f2d42
0x011f2d43
0x011f2d46
0x011f2d4f
0x011f2d4f
0x011f2d52
0x011f2d88
0x011f2d54
0x011f2d54
0x011f2d54
0x011f2d57
0x011f2d6e
0x011f2d6e
0x011f2d57
0x011f2d8d
0x011f2d97
0x011f2da3
0x011f2c61
0x011f2c61
0x011f2c66
0x011f2c67
0x011f2ca1
0x011f2ca8
0x011f2cec
0x011f2cec
0x011f2cf3
0x011f2d02
0x011f2d05
0x011f2d11
0x011f2d11
0x011f2c53
0x011f2c35
0x00000000
0x00000000
0x00000000
0x011f2c04

APIs

___AdjustPointer.LIBCMT ref: 011F2CA1
___AdjustPointer.LIBCMT ref: 011F2CC4
_abort.LIBCMT ref: 011F2D12
___AdjustPointer.LIBCMT ref: 011F2D60

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: b9ee6f8d85e447e7a62a890c0650c489b9559ec7d41eda8694a0abc04946b771
Instruction ID: 20649b1006466bd44630480302216e363708a2881e0c4e98a16ba604d43cff8f
Opcode Fuzzy Hash: b9ee6f8d85e447e7a62a890c0650c489b9559ec7d41eda8694a0abc04946b771
Instruction Fuzzy Hash: C351E372601612AFEB2D8F98D844BAABBA5FF54314F24452DEF05476E1E731E980C790

Uniqueness

Uniqueness Score: -1.00%

Function 011FBF30 Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E011FBF30() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E011FBEF9(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E011F8E06(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E011F8DCC(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x011fbf3f
0x011fbf45
0x011fbf9d
0x011fbf9d
0x011fbf47
0x011fbf48
0x011fbf4d
0x011fbf56
0x011fbf5c
0x011fbf62
0x011fbf67
0x00000000
0x011fbf69
0x011fbf6f
0x011fbf74
0x011fbf92
0x011fbf8c
0x011fbf8c
0x011fbf8e
0x011fbf8e
0x011fbf95
0x011fbf9a
0x011fbf67
0x011fbfa1
0x011fbfa4
0x011fbfa4
0x011fbfb2

APIs

GetEnvironmentStringsW.KERNEL32 ref: 011FBF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 011FBF5C

Part of subcall function 011F8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,011FCA2C,00000000,?,011F6CBE,?,00000008,?,011F91E0,?,?,?), ref: 011F8E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 011FBF82
_free.LIBCMT ref: 011FBF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 011FBFA4

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 3df67cfd9da1faf2d8175456d12006deb9dc24c66b7dbe00bc819906b40edffc
Instruction ID: 2bf6e35d2a67bf1320e2af4c50431e5af206f667e8faa9ae337bcce392a87906
Opcode Fuzzy Hash: 3df67cfd9da1faf2d8175456d12006deb9dc24c66b7dbe00bc819906b40edffc
Instruction Fuzzy Hash: E501F7726096117F3339597AAC4CC7BAE7DEEC6AA0315022DFB05C2105EF71CC0286B6

Uniqueness

Uniqueness Score: -1.00%

Function 011F9869 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E011F9869(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t16;
				void* _t17;
				long _t18;

				_t11 = __ecx;
				_t18 = GetLastError();
				_t10 = 0;
				_t2 =  *0x120e7fc; // 0x6
				_t21 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t17 = E011FB136(_t11, 1, 0x364);
					_pop(_t13);
					if(_t17 != 0) {
						_t4 = E011FAEB1(_t10, _t13, _t17, __eflags,  *0x120e7fc, _t17);
						__eflags = _t4;
						if(_t4 != 0) {
							E011F9649(_t13, _t17, 0x1232288);
							E011F8DCC(_t10);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t17);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E011F8DCC();
						L8:
						SetLastError(_t18);
					}
				} else {
					_t17 = E011FAE5B(0, _t11, _t16, _t21, _t2);
					if(_t17 != 0) {
						L9:
						SetLastError(_t18);
						_t10 = _t17;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x011f9869
0x011f9874
0x011f9876
0x011f9878
0x011f987d
0x011f9880
0x011f988e
0x011f989a
0x011f989d
0x011f98a0
0x011f98b2
0x011f98b7
0x011f98b9
0x011f98c4
0x011f98ca
0x011f98d2
0x011f98d4
0x00000000
0x00000000
0x00000000
0x00000000
0x011f98bb
0x011f98bb
0x00000000
0x011f98bb
0x011f98a2
0x011f98a2
0x011f98a3
0x011f98a3
0x011f98d6
0x011f98d7
0x011f98d7
0x011f9882
0x011f9888
0x011f988c
0x011f98df
0x011f98e0
0x011f98e6
0x00000000
0x00000000
0x00000000
0x011f988c
0x011f98ed

APIs

GetLastError.KERNEL32(?,01211030,00000200,011F91AD,011F617E,?,?,?,?,011DD984,?,?,?,00000004,011DD710,?), ref: 011F986E
_free.LIBCMT ref: 011F98A3
_free.LIBCMT ref: 011F98CA
SetLastError.KERNEL32(00000000,01203A34,00000050,01211030), ref: 011F98D7
SetLastError.KERNEL32(00000000,01203A34,00000050,01211030), ref: 011F98E0

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 18a158ee323fff14562aec69dc15734de0c46fc4137b471e7ade0b9ff3bc5a26
Instruction ID: 7c3051f90f5726306290fe7c9f69fb050376d21c851558c5565935d5782a1a46
Opcode Fuzzy Hash: 18a158ee323fff14562aec69dc15734de0c46fc4137b471e7ade0b9ff3bc5a26
Instruction Fuzzy Hash: 4401F43614560EEBD32FB669BC88B1B252AEFD16BCF26023DF70592182EB3488014321

Uniqueness

Uniqueness Score: -1.00%

Function 011E0EED Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E011E0EED(void* __ecx) {
				intOrPtr _v16;
				void* __ebp;
				int _t16;
				long* _t20;
				void** _t26;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t22 = __ecx;
				_push(0xffffffff);
				_push(0x1202641);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_t28 = __ecx;
				E011E11CF(__ecx);
				_t20 = 0;
				 *((char*)(__ecx + 0x314)) = 1;
				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
					_t26 = _t28 + 4;
					do {
						E011E0FE4(_t22, _t30,  *_t26);
						CloseHandle( *_t26);
						_t20 = _t20 + 1;
						_t26 =  &(_t26[1]);
					} while (_t20 <  *((intOrPtr*)(_t28 + 0x104)));
				}
				DeleteCriticalSection(_t28 + 0x320);
				CloseHandle( *(_t28 + 0x318));
				_t16 = CloseHandle( *(_t28 + 0x31c));
				 *[fs:0x0] = _v16;
				return _t16;
			}

0x011e0eed
0x011e0ef6
0x011e0ef8
0x011e0efd
0x011e0efe
0x011e0f08
0x011e0f0a
0x011e0f0f
0x011e0f11
0x011e0f21
0x011e0f2d
0x011e0f2f
0x011e0f32
0x011e0f34
0x011e0f3b
0x011e0f41
0x011e0f42
0x011e0f45
0x011e0f32
0x011e0f54
0x011e0f60
0x011e0f6c
0x011e0f77
0x011e0f80

APIs

Part of subcall function 011E11CF: ResetEvent.KERNEL32(?), ref: 011E11E1
Part of subcall function 011E11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 011E11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 011E0F21
CloseHandle.KERNEL32(?,?), ref: 011E0F3B
DeleteCriticalSection.KERNEL32(?), ref: 011E0F54
CloseHandle.KERNEL32(?), ref: 011E0F60
CloseHandle.KERNEL32(?), ref: 011E0F6C

Part of subcall function 011E0FE4: WaitForSingleObject.KERNEL32(?,000000FF,011E1206,?), ref: 011E0FEA
Part of subcall function 011E0FE4: GetLastError.KERNEL32(?), ref: 011E0FF6

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 2e7edd0c7d735966e0bf04cb6c3ec7ca60ed1001263ba8d0f395a5a718bc4f4d
Instruction ID: dc072d74a693a146dd3f0f8ffd81015db613a6ab14149a0a360dc75203737e1c
Opcode Fuzzy Hash: 2e7edd0c7d735966e0bf04cb6c3ec7ca60ed1001263ba8d0f395a5a718bc4f4d
Instruction Fuzzy Hash: 45015E72101B44EFC736DBA4E888BC6BBEAFB08710F004A29F26A92155CBB57955CB50

Uniqueness

Uniqueness Score: -1.00%

Function 011FC7FF Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E011FC7FF(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x120eea0; // 0x120ee94
					if(_t23 != 0) {
						E011F8DCC(_t7);
					}
					_t2 = _t21 + 4; // 0x732524
					_t24 =  *_t2 -  *0x120eea4; // 0x12326fc
					if(_t24 != 0) {
						E011F8DCC(_t8);
					}
					_t3 = _t21 + 8; // 0x732540
					_t25 =  *_t3 -  *0x120eea8; // 0x12326fc
					if(_t25 != 0) {
						E011F8DCC(_t9);
					}
					_t4 = _t21 + 0x30; // 0x4f0049
					_t26 =  *_t4 -  *0x120eed0; // 0x120ee98
					if(_t26 != 0) {
						E011F8DCC(_t10);
					}
					_t5 = _t21 + 0x34; // 0x4e
					_t6 =  *_t5;
					_t27 = _t6 -  *0x120eed4; // 0x1232700
					if(_t27 != 0) {
						return E011F8DCC(_t6);
					}
				}
				return _t6;
			}

0x011fc805
0x011fc80a
0x011fc80e
0x011fc814
0x011fc817
0x011fc81c
0x011fc81d
0x011fc820
0x011fc826
0x011fc829
0x011fc82e
0x011fc82f
0x011fc832
0x011fc838
0x011fc83b
0x011fc840
0x011fc841
0x011fc844
0x011fc84a
0x011fc84d
0x011fc852
0x011fc853
0x011fc853
0x011fc856
0x011fc85c
0x00000000
0x011fc864
0x011fc85c
0x011fc867

APIs

_free.LIBCMT ref: 011FC817

Part of subcall function 011F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,011FC896,01203A34,00000000,01203A34,00000000,?,011FC8BD,01203A34,00000007,01203A34,?,011FCCBA,01203A34), ref: 011F8DE2
Part of subcall function 011F8DCC: GetLastError.KERNEL32(01203A34,?,011FC896,01203A34,00000000,01203A34,00000000,?,011FC8BD,01203A34,00000007,01203A34,?,011FCCBA,01203A34,01203A34), ref: 011F8DF4

_free.LIBCMT ref: 011FC829
_free.LIBCMT ref: 011FC83B
_free.LIBCMT ref: 011FC84D
_free.LIBCMT ref: 011FC85F

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ea44d89b793c76ed0fc48b062aad2f507fb2588a4de735f7b9fed83292bd9edd
Instruction ID: a46746e2593964d8506ca0e7fe309bd7ed9f95fc02b75a8c77dcacd0670c8fba
Opcode Fuzzy Hash: ea44d89b793c76ed0fc48b062aad2f507fb2588a4de735f7b9fed83292bd9edd
Instruction Fuzzy Hash: A5F06232504609ABD729DA6CF088D0E7BE9AE10674B590C1DF308D7586CB70FC80DB90

Uniqueness

Uniqueness Score: -1.00%

Function 011E1FDD Relevance: 7.5, APIs: 5, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011E1FDD(void* __eflags, short* _a4, short* _a8, int _a12) {
				void* _t10;
				int _t22;
				int _t23;

				_t10 = E011F3E13(_a4);
				_t23 = _a12;
				if(_t10 + 1 >= _t23) {
					_t22 = _t23;
				} else {
					_t4 = E011F3E13(_a4) + 1; // 0x1
					_t22 = _t4;
				}
				if(E011F3E13(_a8) + 1 < _t23) {
					_t7 = E011F3E13(_a8) + 1; // 0x1
					_t23 = _t7;
				}
				return CompareStringW(0x400, 0x1001, _a4, _t22, _a8, _t23) - 2;
			}

0x011e1fe5
0x011e1fea
0x011e1ff1
0x011e2001
0x011e1ff3
0x011e1ffc
0x011e1ffc
0x011e1ffc
0x011e200f
0x011e201a
0x011e201a
0x011e201a
0x011e203b

APIs

_wcslen.LIBCMT ref: 011E1FE5
_wcslen.LIBCMT ref: 011E1FF6
_wcslen.LIBCMT ref: 011E2006
_wcslen.LIBCMT ref: 011E2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,011DB371,?,?,00000000,?,?,?), ref: 011E202F

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: b24bef41a99805f9a73d2176110fd03a6ade5b633e69cb48b0e3b77e0ed43d97
Instruction ID: 3651bc170393db8f93f70924f2715c3423f3ebf27b5b9e86ee3c49e8ba027d05
Opcode Fuzzy Hash: b24bef41a99805f9a73d2176110fd03a6ade5b633e69cb48b0e3b77e0ed43d97
Instruction Fuzzy Hash: 30F09032018024BFCF2A6F90EC08DCE3F26EF51770B118409F62A5B0A2CB72D561D6D0

Uniqueness

Uniqueness Score: -1.00%

Function 011F8900 Relevance: 7.5, APIs: 5, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E011F8900(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0x120ee90; // 0x3622590
					if(_t7 != 0x120ec70) {
						E011F8DCC(_t7);
						 *0x120ee90 = 0x120ec70;
					}
				}
				E011F8DCC( *0x1232280);
				 *0x1232280 = 0;
				E011F8DCC( *0x1232284);
				 *0x1232284 = 0;
				E011F8DCC( *0x12326d0);
				 *0x12326d0 = 0;
				E011F8DCC( *0x12326d4);
				 *0x12326d4 = 0;
				return 1;
			}

0x011f8909
0x011f890d
0x011f890f
0x011f891b
0x011f891e
0x011f8924
0x011f8924
0x011f891b
0x011f8930
0x011f893d
0x011f8943
0x011f894e
0x011f8954
0x011f895f
0x011f8965
0x011f896d
0x011f8976

APIs

_free.LIBCMT ref: 011F891E

Part of subcall function 011F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,011FC896,01203A34,00000000,01203A34,00000000,?,011FC8BD,01203A34,00000007,01203A34,?,011FCCBA,01203A34), ref: 011F8DE2
Part of subcall function 011F8DCC: GetLastError.KERNEL32(01203A34,?,011FC896,01203A34,00000000,01203A34,00000000,?,011FC8BD,01203A34,00000007,01203A34,?,011FCCBA,01203A34,01203A34), ref: 011F8DF4

_free.LIBCMT ref: 011F8930
_free.LIBCMT ref: 011F8943
_free.LIBCMT ref: 011F8954
_free.LIBCMT ref: 011F8965

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6a7e4fc3f45dbe053901eb45fdbd5e7e90bb403ef8ed2f050ad1388ecc04af65
Instruction ID: ffa5390977648ea3aa2cdca554cff8d81505ec7e5242f5cea203ccabfacc7d34
Opcode Fuzzy Hash: 6a7e4fc3f45dbe053901eb45fdbd5e7e90bb403ef8ed2f050ad1388ecc04af65
Instruction Fuzzy Hash: 56F0FE71810A27DFC76A6F18F8094093FB1FF357683010A0AF61456299D7314981EF81

Uniqueness

Uniqueness Score: -1.00%

Function 011F7F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E011F7F6E(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E011FBB30(_t52);
					GetModuleFileNameA(0, 0x1232128, 0x104);
					_t49 =  *0x12326d8; // 0x36132f0
					 *0x12326e0 = 0x1232128;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0x1232128;
					}
					_v8 = 0;
					_v16 = 0;
					E011F8092(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E011F8207(_v8, _v16, 1);
					if(_t64 != 0) {
						E011F8092(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E011FB643(_t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0x12326cc = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0x12326d0 = _t59;
									L16:
									E011F8DCC(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0x12326cc = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0x12326d0 = _t43;
						goto L10;
					} else {
						_t44 = E011F91A8();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E011F8DCC(_t64);
						return _t50;
					}
				} else {
					_t45 = E011F91A8();
					_t65 = 0x16;
					 *_t45 = _t65;
					E011F9087();
					return _t65;
				}
			}

0x011f7f6e
0x011f7f7b
0x011f7f9b
0x011f7fae
0x011f7fb4
0x011f7fba
0x011f7fc2
0x011f7fc9
0x011f7fc9
0x011f7fce
0x011f7fd5
0x011f7fdc
0x011f7fee
0x011f7ff5
0x011f8014
0x011f8020
0x011f803b
0x011f803e
0x011f8045
0x011f804b
0x011f8052
0x011f8055
0x011f8057
0x011f805b
0x011f8065
0x011f8065
0x011f8067
0x011f806d
0x011f8070
0x011f8072
0x011f8078
0x011f8079
0x011f807f
0x00000000
0x00000000
0x00000000
0x00000000
0x011f805d
0x011f805d
0x011f805d
0x011f8060
0x011f8061
0x00000000
0x011f805d
0x011f804d
0x00000000
0x011f804d
0x011f8026
0x011f802b
0x011f802d
0x011f802f
0x00000000
0x011f7ff7
0x011f7ff7
0x011f7ffc
0x011f7ffe
0x011f7fff
0x011f8034
0x011f8034
0x011f8082
0x011f8083
0x00000000
0x011f808c
0x011f7f83
0x011f7f83
0x011f7f8a
0x011f7f8b
0x011f7f8d
0x00000000
0x011f7f92

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\6Sy6PrInNl.exe,00000104), ref: 011F7FAE
_free.LIBCMT ref: 011F8079
_free.LIBCMT ref: 011F8083

Strings

C:\Users\user\Desktop\6Sy6PrInNl.exe, xrefs: 011F7FA5, 011F7FAC, 011F7FDB, 011F8013

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\6Sy6PrInNl.exe
API String ID: 2506810119-3030471739
Opcode ID: 9cf95ab02de404f58e0fe88f7f29746e09362134570811f8e506fd7b7899e432
Instruction ID: 35c7ccffd81bcf1ac01f2295a6021481d844fdfa2157fd8024f89326f6fb1c3b
Opcode Fuzzy Hash: 9cf95ab02de404f58e0fe88f7f29746e09362134570811f8e506fd7b7899e432
Instruction Fuzzy Hash: 4231D2B1A00619EFDB29EF99D884D9EBBFCEF95314F50406EEA0497200D7718A40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011F31D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 61%

			E011F31D6(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed int _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				_t132 =  *_t96 - 0x80000003;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E011F2AEC(_t96, __ecx, __edx, _t113, _t121, _t132);
					_t133 =  *((intOrPtr*)(_t75 + 8));
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E011F2AEC(_t96, __ecx, __edx, 0, _t121, _t133) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E011F0961(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E011F0894(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E011F2DB1(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E011F8D24(_t96, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					__eflags = _t78;
					if(_t78 == 0) {
						L41:
						_t80 = 1;
						__eflags = 1;
					} else {
						_t101 = _t78 + 8;
						__eflags =  *_t101;
						if( *_t101 == 0) {
							goto L41;
						} else {
							__eflags =  *_t111 & 0x00000080;
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0) {
								L23:
								_t97 = _t116[4];
								_t123 = 0;
								__eflags = _t78 - _t97;
								if(_t78 == _t97) {
									L33:
									__eflags =  *_t116 & 0x00000002;
									if(( *_t116 & 0x00000002) == 0) {
										L35:
										_t81 = _a8;
										__eflags =  *_t81 & 0x00000001;
										if(( *_t81 & 0x00000001) == 0) {
											L37:
											__eflags =  *_t81 & 0x00000002;
											if(( *_t81 & 0x00000002) == 0) {
												L39:
												_t123 = 1;
												__eflags = 1;
											} else {
												__eflags =  *_t111 & 0x00000002;
												if(( *_t111 & 0x00000002) != 0) {
													goto L39;
												}
											}
										} else {
											__eflags =  *_t111 & 0x00000001;
											if(( *_t111 & 0x00000001) != 0) {
												goto L37;
											}
										}
									} else {
										__eflags =  *_t111 & 0x00000008;
										if(( *_t111 & 0x00000008) != 0) {
											goto L35;
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										__eflags = _t98 -  *_t82;
										if(_t98 !=  *_t82) {
											break;
										}
										__eflags = _t98;
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											__eflags = _t99 -  *((intOrPtr*)(_t82 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												__eflags = _t99;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										__eflags = _t83;
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									__eflags = _t83;
									goto L31;
								}
							} else {
								__eflags =  *_t116 & 0x00000010;
								if(( *_t116 & 0x00000010) != 0) {
									goto L41;
								} else {
									goto L23;
								}
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x011f31d6
0x011f31d6
0x011f31dd
0x011f31e0
0x011f31e6
0x011f3305
0x011f31ec
0x011f31ec
0x011f31ed
0x011f31ee
0x011f31f5
0x011f31f8
0x011f31fb
0x011f3201
0x011f320b
0x011f3230
0x011f3235
0x011f323a
0x011f3301
0x00000000
0x011f3302
0x011f323a
0x011f320b
0x011f3240
0x011f3243
0x011f3246
0x011f324c
0x011f3252
0x011f3264
0x011f3269
0x011f326c
0x011f326f
0x011f3272
0x011f3275
0x011f327b
0x011f3281
0x011f3284
0x011f3287
0x011f3296
0x011f3297
0x011f3297
0x011f329c
0x011f32af
0x011f32b1
0x011f32b6
0x011f32c1
0x011f32c3
0x011f32c5
0x011f32e1
0x011f32e6
0x011f32e9
0x011f32e9
0x011f32c1
0x011f32b6
0x011f32ef
0x011f32f0
0x011f32f3
0x011f32f6
0x011f32f9
0x011f32fc
0x011f3287
0x00000000
0x011f327b
0x011f3306
0x011f330b
0x011f330f
0x011f3312
0x011f3313
0x011f3314
0x011f3315
0x011f3318
0x011f331a
0x011f3392
0x011f3394
0x011f3394
0x011f331c
0x011f331c
0x011f331f
0x011f3322
0x00000000
0x011f3324
0x011f3324
0x011f3327
0x011f332a
0x011f3331
0x011f3331
0x011f3334
0x011f3336
0x011f3338
0x011f336a
0x011f336a
0x011f336d
0x011f3374
0x011f3374
0x011f3377
0x011f337a
0x011f3381
0x011f3381
0x011f3384
0x011f338b
0x011f338d
0x011f338d
0x011f3386
0x011f3386
0x011f3389
0x00000000
0x00000000
0x011f3389
0x011f337c
0x011f337c
0x011f337f
0x00000000
0x00000000
0x011f337f
0x011f336f
0x011f336f
0x011f3372
0x00000000
0x00000000
0x011f3372
0x011f338e
0x011f333a
0x011f333a
0x011f333a
0x011f333d
0x011f333d
0x011f333f
0x011f3341
0x00000000
0x00000000
0x011f3343
0x011f3345
0x011f3359
0x011f3359
0x011f3347
0x011f3347
0x011f334a
0x011f334d
0x00000000
0x011f334f
0x011f334f
0x011f3352
0x011f3355
0x011f3357
0x00000000
0x00000000
0x00000000
0x00000000
0x011f3357
0x011f334d
0x011f3362
0x011f3362
0x011f3364
0x00000000
0x011f3366
0x011f3366
0x011f3366
0x00000000
0x011f3364
0x011f335d
0x011f335f
0x011f335f
0x00000000
0x011f335f
0x011f332c
0x011f332c
0x011f332f
0x00000000
0x00000000
0x00000000
0x00000000
0x011f332f
0x011f332a
0x011f3322
0x011f3395
0x011f3399
0x011f3399

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 011F31FB
_abort.LIBCMT ref: 011F3306

Strings

RCC, xrefs: 011F3215
MOC, xrefs: 011F320D

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: d2dcae10347c7cc8a88b18eaa4b3be14030354333ee051208abd455399653cf2
Instruction ID: f55add7f1e148a0264c0a6516fb47830ce1148102e375e15667528b3896307c9
Opcode Fuzzy Hash: d2dcae10347c7cc8a88b18eaa4b3be14030354333ee051208abd455399653cf2
Instruction Fuzzy Hash: 2F413B75900209AFDF1ADF98CD81AEEBBB5FF48304F188159FA14A7251D335E990DB50

Uniqueness

Uniqueness Score: -1.00%

Function 011D7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E011D7401(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _t31;
				long _t38;
				void* _t45;
				void* _t48;
				intOrPtr _t49;
				void* _t62;
				void* _t63;
				void* _t66;

				_t62 = __esi;
				_t48 = __ebx;
				E011EEB78(0x12027b7, _t66);
				E011EEC50(0x1060);
				 *((intOrPtr*)(_t66 - 0x20)) = 0;
				 *((intOrPtr*)(_t66 - 0x1c)) = 0;
				 *((intOrPtr*)(_t66 - 0x18)) = 0;
				 *((intOrPtr*)(_t66 - 0x14)) = 0;
				 *((char*)(_t66 - 0x10)) = 0;
				_t59 =  *((intOrPtr*)(_t66 + 8));
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t66 - 4)) = 0;
				_push(_t66 - 0x20);
				if(E011D3BBA( *((intOrPtr*)(_t66 + 8))) != 0) {
					if( *0x1211022 == 0) {
						if(E011D7A9C(L"SeSecurityPrivilege") != 0) {
							 *0x1211021 = 1;
						}
						E011D7A9C(L"SeRestorePrivilege");
						 *0x1211022 = 1;
					}
					_push(_t62);
					_t63 = 7;
					if( *0x1211021 != 0) {
						_t63 = 0xf;
					}
					_push(_t48);
					_t49 =  *((intOrPtr*)(_t66 - 0x20));
					_push(_t49);
					_push(_t63);
					_push( *((intOrPtr*)(_t66 + 0xc)));
					if( *0x1233000() == 0) {
						if(E011DBB03( *((intOrPtr*)(_t66 + 0xc)), _t66 - 0x106c, 0x800) == 0) {
							L10:
							E011D2021(_t75, 0x52, _t59 + 0x32,  *((intOrPtr*)(_t66 + 0xc)));
							_t38 = GetLastError();
							E011D6DCB(0x1211098, _t75);
							if(_t38 == 5 && E011E07BC() == 0) {
								E011D15C6(_t66 - 0x6c, 0x18);
								E011E15FE(_t66 - 0x6c);
							}
							E011D6D83(0x1211098, 1);
						} else {
							_t45 =  *0x1233000(_t66 - 0x106c, _t63, _t49);
							_t75 = _t45;
							if(_t45 == 0) {
								goto L10;
							}
						}
					}
				}
				_t31 =  *((intOrPtr*)(_t66 - 0x20));
				 *((intOrPtr*)(_t66 - 4)) = 2;
				if(_t31 != 0) {
					if( *((char*)(_t66 - 0x10)) != 0) {
						E011DF445(_t31,  *((intOrPtr*)(_t66 - 0x18)));
						_t31 =  *((intOrPtr*)(_t66 - 0x20));
					}
					_t31 = L011F3E2E(_t31);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t66 - 0xc));
				return _t31;
			}

0x011d7401
0x011d7401
0x011d7406
0x011d7410
0x011d7418
0x011d741b
0x011d741e
0x011d7421
0x011d7424
0x011d7427
0x011d742c
0x011d742d
0x011d742e
0x011d7434
0x011d743c
0x011d7449
0x011d7457
0x011d7459
0x011d7459
0x011d7465
0x011d746a
0x011d746a
0x011d7478
0x011d747b
0x011d747c
0x011d7480
0x011d7480
0x011d7481
0x011d7482
0x011d7485
0x011d7486
0x011d7487
0x011d7492
0x011d74aa
0x011d74bf
0x011d74c8
0x011d74cd
0x011d74dc
0x011d74e4
0x011d74f4
0x011d74fc
0x011d74fc
0x011d7505
0x011d74ac
0x011d74b5
0x011d74bb
0x011d74bd
0x00000000
0x00000000
0x011d74bd
0x011d74aa
0x011d750b
0x011d750c
0x011d750f
0x011d7519
0x011d751f
0x011d7525
0x011d752a
0x011d752a
0x011d752e
0x011d7533
0x011d7537
0x011d753f

APIs

__EH_prolog.LIBCMT ref: 011D7406

Part of subcall function 011D3BBA: __EH_prolog.LIBCMT ref: 011D3BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 011D74CD

Part of subcall function 011D7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 011D7AAB
Part of subcall function 011D7A9C: GetLastError.KERNEL32 ref: 011D7AF1
Part of subcall function 011D7A9C: CloseHandle.KERNEL32(?), ref: 011D7B00

Strings

SeRestorePrivilege, xrefs: 011D7460
SeSecurityPrivilege, xrefs: 011D744B

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: c47a98815be687133a2e870112afd7695ee1f9c3756a7844726301dd7a203cdd
Instruction ID: 30a211e5254ef6ba38cbaab4a374e393e2560885fbf7cf7ec2d97614f0d2ffee
Opcode Fuzzy Hash: c47a98815be687133a2e870112afd7695ee1f9c3756a7844726301dd7a203cdd
Instruction Fuzzy Hash: AA31A871E00259AEEF2AEBA8DC48BEE7FB9BF15308F044015E945A72C5CB748644C761

Uniqueness

Uniqueness Score: -1.00%

Function 011EAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E011EAD10(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
				void* _t12;
				void* _t16;
				void* _t19;
				void* _t22;
				WCHAR** _t24;
				intOrPtr _t27;
				void* _t28;
				struct HWND__* _t30;
				signed short _t31;

				_t24 = _a16;
				_t31 = _a12;
				_t30 = _a4;
				_t27 = _a8;
				if(E011D1316(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
					L14:
					__eflags = 1;
					return 1;
				}
				_t28 = _t27 - 0x110;
				if(_t28 == 0) {
					_push( *_t24);
					 *0x1231cb8 = _t24;
					L13:
					SetDlgItemTextW(_t30, 0x66, ??);
					goto L14;
				}
				if(_t28 != 1) {
					L6:
					return 0;
				}
				_t12 = (_t31 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t30, 0x66,  *( *0x1231cb8), ( *0x1231cb8)[1]);
					_push(1);
					L10:
					EndDialog(_t30, ??);
					goto L14;
				}
				_t16 = _t12 - 1;
				if(_t16 == 0) {
					_push(0);
					goto L10;
				}
				if(_t16 == 0x65) {
					_t19 = E011DC29A(__eflags,  *( *0x1231cb8));
					_t22 = E011D1100(_t30, E011DE617(0x8e),  *( *0x1231cb8), _t19, 0);
					__eflags = _t22;
					if(_t22 == 0) {
						goto L14;
					}
					_push( *( *0x1231cb8));
					goto L13;
				}
				goto L6;
			}

0x011ead11
0x011ead16
0x011ead1b
0x011ead20
0x011ead38
0x011eadc8
0x011eadca
0x00000000
0x011eadca
0x011ead3e
0x011ead44
0x011eadb7
0x011eadb9
0x011eadbf
0x011eadc2
0x00000000
0x011eadc2
0x011ead49
0x011ead5d
0x00000000
0x011ead5d
0x011ead4e
0x011ead51
0x011eadad
0x011eadb3
0x011ead97
0x011ead98
0x00000000
0x011ead98
0x011ead53
0x011ead56
0x011ead95
0x00000000
0x011ead95
0x011ead5b
0x011ead6a
0x011ead83
0x011ead88
0x011ead8a
0x00000000
0x00000000
0x011ead91
0x00000000
0x011ead91
0x00000000

APIs

Part of subcall function 011D1316: GetDlgItem.USER32(00000000,00003021), ref: 011D135A
Part of subcall function 011D1316: SetWindowTextW.USER32(00000000,012035F4), ref: 011D1370

EndDialog.USER32(?,00000001), ref: 011EAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 011EADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 011EADC2

Strings

ASKNEXTVOL, xrefs: 011EAD28

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 6001deb077f9c8fe42c89541f05d09147df21068f015c679dfe671b8e2f73dee
Instruction ID: 2716f0999f9a7644d00f5125ba19d7a687d60c7d5f9da4c7e9d464c5c8cdbb0a
Opcode Fuzzy Hash: 6001deb077f9c8fe42c89541f05d09147df21068f015c679dfe671b8e2f73dee
Instruction Fuzzy Hash: 30118E32240600BFE72A9FACBC4CFAE7BA9BF4A742F010510F241DB094CB6299158722

Uniqueness

Uniqueness Score: -1.00%

Function 011DD8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E011DD8EC(void* __ebx, void* __ecx, void* __edx) {
				void* __esi;
				void* _t22;
				intOrPtr _t26;
				signed int* _t30;
				void* _t33;
				void* _t41;
				void* _t43;
				void* _t45;
				void* _t47;
				void* _t49;
				void* _t50;

				_t43 = __edx;
				_t42 = __ecx;
				_t41 = __ebx;
				_t47 = _t49 - 0x64;
				_t50 = _t49 - 0xac;
				_t45 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) <= 0) {
					L12:
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t47 + 0x5c)) =  *((intOrPtr*)(_t47 + 0x6c));
					 *((char*)(_t47 + 8)) = 0;
					 *((intOrPtr*)(_t47 + 0x60)) = _t47 + 8;
					if( *((intOrPtr*)(_t47 + 0x74)) != 0) {
						E011E1DA7( *((intOrPtr*)(_t47 + 0x74)), _t47 - 0x48, 0x50);
					}
					_t26 =  *((intOrPtr*)(_t47 + 0x70));
					if(_t26 == 0) {
						E011E05A7(_t47 + 8, "s", 0x50);
					} else {
						_t33 = _t26 - 1;
						if(_t33 == 0) {
							_push(_t47 - 0x48);
							_push("$%s");
							goto L8;
						} else {
							if(_t33 == 1) {
								_push(_t47 - 0x48);
								_push("@%s");
								L8:
								_push(0x50);
								_push(_t47 + 8);
								E011DE5B1();
								_t50 = _t50 + 0x10;
							}
						}
					}
					_t30 = E011F6159(_t41, _t42, _t43, _t45, _t47 + 0x58,  *((intOrPtr*)(_t45 + 0x14)),  *((intOrPtr*)(_t45 + 0x18)), 4, E011DD710);
					if(_t30 == 0) {
						goto L12;
					} else {
						_t20 = 0x120e278 +  *_t30 * 0xc; // 0x1204788
						E011F67C0( *((intOrPtr*)(_t47 + 0x78)),  *_t20,  *((intOrPtr*)(_t47 + 0x7c)));
						_t22 = 1;
					}
				}
				return _t22;
			}

0x011dd8ec
0x011dd8ec
0x011dd8ec
0x011dd8ed
0x011dd8f1
0x011dd8f8
0x011dd8fe
0x011dd9a6
0x011dd9a6
0x011dd904
0x011dd90b
0x011dd911
0x011dd915
0x011dd918
0x011dd923
0x011dd923
0x011dd92b
0x011dd92e
0x011dd969
0x011dd930
0x011dd930
0x011dd933
0x011dd948
0x011dd949
0x00000000
0x011dd935
0x011dd938
0x011dd93d
0x011dd93e
0x011dd94e
0x011dd951
0x011dd953
0x011dd954
0x011dd959
0x011dd959
0x011dd938
0x011dd933
0x011dd97f
0x011dd989
0x00000000
0x011dd98b
0x011dd991
0x011dd99a
0x011dd9a2
0x011dd9a2
0x011dd989
0x011dd9ad

APIs

__fprintf_l.LIBCMT ref: 011DD954
_strncpy.LIBCMT ref: 011DD99A

Part of subcall function 011E1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,01211030,00000200,011DD928,00000000,?,00000050,01211030), ref: 011E1DC4

Strings

@%s, xrefs: 011DD93E
$%s, xrefs: 011DD949

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: a6b261828a21237770dcb009cf3bacae04f627527ee811d8f183e09de8ae0c5a
Instruction ID: a86c79b712072c67d7494411630a57fe0d9966dc52b52bea7c08703c72913fb7
Opcode Fuzzy Hash: a6b261828a21237770dcb009cf3bacae04f627527ee811d8f183e09de8ae0c5a
Instruction Fuzzy Hash: CC219032840648AEEF2DEEE8DC45FDE7BA9AF05304F040516FA10961E2F372D648CB52

Uniqueness

Uniqueness Score: -1.00%

Function 011E0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E011E0E46(long* __ecx, long _a4) {
				void* __esi;
				void* __ebp;
				long _t11;
				void* _t14;
				long _t23;
				long* _t25;

				_t19 = __ecx;
				_t11 = _a4;
				_t25 = __ecx;
				_t23 = 0x40;
				 *__ecx = _t11;
				if(_t11 <= _t23) {
					if(_t11 == 0) {
						 *__ecx = 1;
						_t11 = 1;
					}
				} else {
					 *__ecx = _t23;
					_t11 = _t23;
				}
				_t25[0x41] = 0;
				if(_t11 > _t23) {
					 *_t25 = _t23;
				}
				_t3 =  &(_t25[0xc8]); // 0x320
				_t25[0xc5] = 0;
				InitializeCriticalSection(_t3);
				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
				_t14 = CreateEventW(0, 1, 1, 0);
				_t25[0xc7] = _t14;
				if(_t25[0xc6] == 0 || _t14 == 0) {
					_push(L"\nThread pool initialization failed.");
					_push(0x1211098);
					E011D6C31(E011D6C36(_t19), 0x1211098, _t25, 2);
				}
				_t25[0xc3] = 0;
				_t25[0xc4] = 0;
				_t25[0x42] = 0;
				return _t25;
			}

0x011e0e46
0x011e0e46
0x011e0e4e
0x011e0e54
0x011e0e56
0x011e0e5a
0x011e0e64
0x011e0e66
0x011e0e68
0x011e0e68
0x011e0e5c
0x011e0e5c
0x011e0e5e
0x011e0e5e
0x011e0e6c
0x011e0e74
0x011e0e76
0x011e0e76
0x011e0e78
0x011e0e7e
0x011e0e85
0x011e0e99
0x011e0e9f
0x011e0ea5
0x011e0eb1
0x011e0eb7
0x011e0ec1
0x011e0ecd
0x011e0ecd
0x011e0ed3
0x011e0edb
0x011e0ee1
0x011e0eea

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,011DAC5A,00000008,?,00000000,?,011DD22D,?,00000000), ref: 011E0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,011DAC5A,00000008,?,00000000,?,011DD22D,?,00000000), ref: 011E0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,011DAC5A,00000008,?,00000000,?,011DD22D,?,00000000), ref: 011E0E9F

Strings

Thread pool initialization failed., xrefs: 011E0EB7

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: b5ac52aaf5bea4566680a28e1d45d69802963804f504a9ef1a980935183d10bf
Instruction ID: 89bc6f5960f7ebb8b53977c9141d801eebdf548224bb393259f3e33a44009592
Opcode Fuzzy Hash: b5ac52aaf5bea4566680a28e1d45d69802963804f504a9ef1a980935183d10bf
Instruction Fuzzy Hash: DF1154B1740B199FD3359F7AAC889A7FBDCFB69644F14482EF1DAC2201D7B159408B50

Uniqueness

Uniqueness Score: -1.00%

Function 011EDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EDCDD(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				WCHAR* _t15;
				_Unknown_base(*)()* _t19;
				int _t22;

				 *0x122ec88 = _a12;
				 *0x122ec8c = _a16;
				 *0x1218464 = _a20;
				if( *0x1218460 == 0) {
					if( *0x1218457 == 0) {
						_t19 = E011EC220;
						_t15 = L"REPLACEFILEDLG";
						while(1) {
							_t22 = DialogBoxParamW( *0x121102c, _t15,  *0x1218458, _t19, _a4);
							if(_t22 != 4) {
								break;
							}
							if(DialogBoxParamW( *0x1211028, L"RENAMEDLG",  *0x1218450, E011ED600, _a4) != 0) {
								break;
							}
						}
						return _t22;
					}
					return 1;
				}
				return 0;
			}

0x011edced
0x011edcf5
0x011edcfb
0x011edd00
0x011edd0d
0x011edd17
0x011edd1c
0x011edd46
0x011edd5d
0x011edd62
0x00000000
0x00000000
0x011edd44
0x00000000
0x00000000
0x011edd44
0x00000000
0x011edd68
0x00000000
0x011edd11
0x00000000

Strings

REPLACEFILEDLG, xrefs: 011EDD1C, 011EDD50
RENAMEDLG, xrefs: 011EDD31

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 03b962245d1903e674cf59201c4af1a385f4604f59c00636fef03f45519c46c7
Instruction ID: ed34a5d477c14374d24b566040e636c87249d64ef821d2586eb468febf9bd897
Opcode Fuzzy Hash: 03b962245d1903e674cf59201c4af1a385f4604f59c00636fef03f45519c46c7
Instruction Fuzzy Hash: 0A01B535604644AFDF3ACEE8FC4CA5E7FE5F718254B000029F905C3255CB328850DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011F9A1E Relevance: 6.3, APIs: 4, Instructions: 305
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E011F9A1E(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E011F4636(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							_t30 = _v48 + 0x88; // 0xffce8305
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E011EEE10( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E011EEE10( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t116 = _t186 - 1;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E011EFFF0(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E011EEE10( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E01202260();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E01202260();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E01202260();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E011F9D21(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E01202430(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E011F91A8();
					_t183 = 0x22;
					 *_t129 = _t183;
					E011F9087();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x011f9a1e
0x011f9a29
0x011f9a30
0x011f9a32
0x011f9a32
0x011f9a34
0x011f9a3d
0x011f9a3f
0x011f9a44
0x011f9a4a
0x011f9a60
0x011f9a65
0x011f9a68
0x011f9a75
0x011f9a7a
0x011f9ace
0x011f9ad6
0x011f9ad8
0x011f9ada
0x011f9add
0x011f9add
0x011f9add
0x011f9ae3
0x011f9aeb
0x011f9afe
0x011f9b01
0x011f9b03
0x011f9b06
0x011f9b07
0x011f9b28
0x011f9b2b
0x011f9b2b
0x011f9b09
0x011f9b09
0x011f9b0b
0x011f9b16
0x011f9b16
0x011f9b18
0x011f9b1f
0x011f9b1a
0x011f9b1a
0x011f9b1a
0x011f9b18
0x011f9b2c
0x011f9b2e
0x011f9b2f
0x011f9b32
0x011f9b34
0x011f9b3e
0x011f9b48
0x011f9b36
0x011f9b36
0x011f9b36
0x011f9b4d
0x011f9b4d
0x011f9b52
0x011f9b55
0x011f9b60
0x011f9b60
0x011f9b60
0x011f9b60
0x011f9b64
0x011f9b6b
0x011f9b6c
0x011f9b6f
0x011f9b72
0x011f9b72
0x011f9b74
0x00000000
0x00000000
0x011f9b8c
0x011f9b93
0x011f9b97
0x011f9b9a
0x011f9b9d
0x011f9b9f
0x011f9b9f
0x011f9b9f
0x011f9ba1
0x011f9ba4
0x011f9ba7
0x011f9ba9
0x011f9bb1
0x011f9bb7
0x011f9bba
0x011f9bbd
0x011f9bbe
0x011f9bc1
0x011f9bc4
0x011f9bc4
0x011f9bc9
0x011f9bcc
0x00000000
0x00000000
0x011f9be4
0x011f9be9
0x011f9bed
0x00000000
0x00000000
0x011f9bf1
0x011f9bf4
0x011f9bf5
0x011f9bf5
0x011f9bf7
0x011f9bfa
0x00000000
0x00000000
0x011f9bfc
0x011f9bff
0x011f9c06
0x011f9c09
0x011f9c0c
0x011f9c22
0x011f9c22
0x011f9c22
0x011f9c0e
0x011f9c0e
0x011f9c10
0x011f9c13
0x011f9c1e
0x011f9c15
0x011f9c18
0x011f9c18
0x011f9c13
0x00000000
0x011f9c0c
0x011f9c01
0x011f9c01
0x011f9c03
0x011f9c03
0x011f9b57
0x011f9b57
0x011f9b5a
0x011f9c25
0x011f9c25
0x011f9c27
0x011f9c29
0x011f9c2c
0x011f9c2d
0x011f9c2e
0x011f9c2f
0x011f9c37
0x011f9c37
0x011f9c37
0x011f9c39
0x011f9c3c
0x011f9c3f
0x011f9c41
0x011f9c41
0x011f9c43
0x011f9c55
0x011f9c59
0x011f9c5c
0x011f9c63
0x011f9c6b
0x011f9c6b
0x011f9c6e
0x011f9c70
0x011f9c81
0x011f9c81
0x011f9c85
0x011f9c85
0x011f9c88
0x011f9c8a
0x011f9c8d
0x00000000
0x011f9c72
0x011f9c72
0x011f9c78
0x011f9c78
0x011f9c7c
0x011f9c8f
0x011f9c8f
0x011f9c93
0x011f9c94
0x011f9c96
0x011f9c98
0x011f9cd9
0x011f9cd9
0x011f9cdb
0x011f9ce8
0x011f9ce8
0x011f9cea
0x011f9cec
0x011f9ced
0x011f9cee
0x011f9cf5
0x011f9cf8
0x011f9cfa
0x011f9cfa
0x011f9cfb
0x011f9cfd
0x011f9d00
0x011f9d00
0x011f9d02
0x011f9d04
0x00000000
0x011f9d04
0x011f9cdd
0x011f9cdf
0x00000000
0x00000000
0x011f9ce1
0x00000000
0x00000000
0x011f9ce3
0x011f9ce6
0x00000000
0x00000000
0x00000000
0x011f9ce6
0x011f9c9f
0x011f9ca5
0x011f9ca5
0x011f9ca7
0x011f9ca8
0x011f9ca9
0x011f9caa
0x011f9cb1
0x011f9cb4
0x011f9cb6
0x011f9cb7
0x011f9cb9
0x011f9cc6
0x011f9cc6
0x011f9cc8
0x011f9cca
0x011f9ccb
0x011f9ccc
0x011f9cd3
0x011f9cd6
0x011f9cd8
0x011f9cd8
0x00000000
0x011f9cd8
0x011f9cbb
0x011f9cbb
0x011f9cbd
0x00000000
0x00000000
0x011f9cbf
0x00000000
0x00000000
0x011f9cc1
0x011f9cc4
0x00000000
0x00000000
0x00000000
0x011f9cc4
0x011f9ca1
0x011f9ca3
0x00000000
0x00000000
0x00000000
0x011f9ca3
0x011f9c74
0x011f9c76
0x00000000
0x00000000
0x00000000
0x011f9c76
0x011f9c70
0x00000000
0x011f9b5a
0x011f9b55
0x011f9a7c
0x011f9a7e
0x00000000
0x011f9a80
0x011f9a96
0x011f9a9b
0x011f9a9d
0x011f9aa9
0x011f9aaf
0x011f9ab0
0x011f9ab2
0x011f9ab4
0x011f9abf
0x011f9abf
0x011f9ac2
0x011f9ac4
0x011f9ac4
0x011f9ac7
0x011f9a9f
0x011f9a9f
0x011f9a9f
0x00000000
0x011f9a9d
0x011f9a4c
0x011f9a4c
0x011f9a53
0x011f9a54
0x011f9a56
0x011f9d08
0x011f9d0c
0x011f9d11
0x011f9d11
0x011f9d20
0x011f9d20

APIs

_strrchr.LIBCMT ref: 011F9AA9
__alldvrm.LIBCMT ref: 011F9CAA
__alldvrm.LIBCMT ref: 011F9CCC

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction ID: 7e6b975db4035fa841e9f2798ea86fe2b608ba537de9db5394d1d24862955115
Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction Fuzzy Hash: 1AA1497190468E9FEB2EEF18C8907AEBFE5EF51318F1841ADE6859B281C3358941C751

Uniqueness

Uniqueness Score: -1.00%

Function 011DA354 Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E011DA354(void* __edx) {
				signed char _t41;
				void* _t42;
				void* _t53;
				signed char _t70;
				void* _t78;
				signed int* _t79;
				signed int* _t80;
				void* _t81;
				signed int* _t82;
				void* _t83;

				_t78 = __edx;
				E011EEC50(0x1024);
				_t80 =  *(_t83 + 0x1038);
				_t70 = 1;
				if(_t80 == 0) {
					L2:
					 *(_t83 + 0x11) = 0;
					L3:
					_t79 =  *(_t83 + 0x1040);
					if(_t79 == 0) {
						L5:
						 *(_t83 + 0x13) = 0;
						L6:
						_t82 =  *(_t83 + 0x1044);
						if(_t82 == 0) {
							L8:
							 *(_t83 + 0x12) = 0;
							L9:
							_t41 = E011DA243( *(_t83 + 0x1038));
							 *(_t83 + 0x18) = _t41;
							if(_t41 == 0xffffffff || (_t70 & _t41) == 0) {
								_t70 = 0;
							} else {
								E011DA4ED( *((intOrPtr*)(_t83 + 0x103c)), 0);
							}
							_t42 = CreateFileW( *(_t83 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
							 *(_t83 + 0x14) = _t42;
							if(_t42 != 0xffffffff) {
								L16:
								if( *(_t83 + 0x11) != 0) {
									E011E138A(_t80, _t78, _t83 + 0x1c);
								}
								if( *(_t83 + 0x13) != 0) {
									E011E138A(_t79, _t78, _t83 + 0x2c);
								}
								if( *(_t83 + 0x12) != 0) {
									E011E138A(_t82, _t78, _t83 + 0x24);
								}
								_t81 =  *(_t83 + 0x14);
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								SetFileTime(_t81,  ~( *(_t83 + 0x1b) & 0x000000ff) & _t83 + 0x00000030,  ~( *(_t83 + 0x16) & 0x000000ff) & _t83 + 0x00000024,  ~( *(_t83 + 0x11) & 0x000000ff) & _t83 + 0x0000001c);
								_t53 = CloseHandle(_t81);
								if(_t70 != 0) {
									_t53 = E011DA4ED( *((intOrPtr*)(_t83 + 0x103c)),  *(_t83 + 0x18));
								}
								goto L24;
							} else {
								_t53 = E011DBB03( *(_t83 + 0x1040), _t83 + 0x38, 0x800);
								if(_t53 == 0) {
									L24:
									return _t53;
								}
								_t53 = CreateFileW(_t83 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
								 *(_t83 + 0x14) = _t53;
								if(_t53 == 0xffffffff) {
									goto L24;
								}
								goto L16;
							}
						}
						 *(_t83 + 0x12) = _t70;
						if(( *_t82 | _t82[1]) != 0) {
							goto L9;
						}
						goto L8;
					}
					 *(_t83 + 0x13) = _t70;
					if(( *_t79 | _t79[1]) != 0) {
						goto L6;
					}
					goto L5;
				}
				 *(_t83 + 0x11) = 1;
				if(( *_t80 | _t80[1]) != 0) {
					goto L3;
				}
				goto L2;
			}

0x011da354
0x011da359
0x011da365
0x011da36c
0x011da370
0x011da37d
0x011da37d
0x011da381
0x011da381
0x011da38a
0x011da397
0x011da397
0x011da39b
0x011da39b
0x011da3a4
0x011da3b2
0x011da3b2
0x011da3b6
0x011da3bd
0x011da3c2
0x011da3c9
0x011da3df
0x011da3cf
0x011da3d8
0x011da3d8
0x011da3fa
0x011da400
0x011da407
0x011da451
0x011da456
0x011da45f
0x011da45f
0x011da469
0x011da472
0x011da472
0x011da47c
0x011da485
0x011da485
0x011da495
0x011da499
0x011da4a9
0x011da4b9
0x011da4bf
0x011da4c6
0x011da4ce
0x011da4db
0x011da4db
0x00000000
0x011da409
0x011da41a
0x011da421
0x011da4e4
0x011da4ea
0x011da4ea
0x011da43e
0x011da444
0x011da44b
0x00000000
0x00000000
0x00000000
0x011da44b
0x011da407
0x011da3ac
0x011da3b0
0x00000000
0x00000000
0x00000000
0x011da3b0
0x011da391
0x011da395
0x00000000
0x00000000
0x00000000
0x011da395
0x011da377
0x011da37b
0x00000000
0x00000000
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,011D7F69,?,?,?), ref: 011DA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,011D7F69,?), ref: 011DA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,011D7F69,?,?,?,?,?,?,?), ref: 011DA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,011D7F69,?,?,?,?,?,?,?,?,?,?), ref: 011DA4C6

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 5898a4772b1d093c0cdf2411e76217cc9df711e10c5278786b316ed09abc8e56
Instruction ID: 14b6b87cfe3998bddb7a4ae48c20395974fc7164e9d3cc7d4f790e85f45604fd
Opcode Fuzzy Hash: 5898a4772b1d093c0cdf2411e76217cc9df711e10c5278786b316ed09abc8e56
Instruction Fuzzy Hash: 5441B13124C381AAE739DE28EC49FAEBBE5AF95704F08091DB6D1931C0D7B49648DB52

Uniqueness

Uniqueness Score: -1.00%

Function 011D1100 Relevance: 6.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E011D1100(intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v60;
				short* _v64;
				char* _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				char _v1114;
				char _v1116;
				void* __edi;
				signed int _t44;
				signed int _t52;
				intOrPtr _t67;
				short* _t80;
				void* _t83;
				char _t84;
				signed int _t85;
				void* _t87;
				signed int _t97;

				_t79 = _a16;
				_t81 =  &_v1116;
				if(_a16 != 0) {
					E011E0602( &_v1116, _t79, 0x200);
					_t87 =  &_v1114 + E011F3E13( &_v1116) * 2;
					E011E0602(_t87, _t79, 0x200 - (_t87 -  &_v1116 >> 1));
					_t81 = _t87 + E011F3E13(_t87) * 2 + 2;
				}
				E011E0602(_t81, E011DE617(0xa3), 0x200 - (_t81 -  &_v1116 >> 1));
				_t83 = _t81 + E011F3E13(_t81) * 2 + 2;
				E011E0602(_t83, 0x12035f0, 0x200 - (_t83 -  &_v1116 >> 1));
				_t44 = E011F3E13(_t83);
				 *((short*)(_t83 + 2 + _t44 * 2)) = 0;
				_t84 = 0x58;
				E011EFFF0(_t79,  &_v92, 0, _t84);
				_t67 = _a20;
				_t80 = _a12;
				_v88 = _a4;
				_v84 =  *0x1211028;
				_v80 =  &_v1116;
				_v44 = _a8;
				_v92 = _t84;
				_v64 = _t80;
				_v60 = 0x800;
				_v40 = 0x1080c;
				_push( &_v92);
				if(_t67 == 0) {
					_t52 =  *0x1233044();
				} else {
					_t52 =  *0x123303c();
				}
				_t85 = _t52;
				if(_t85 == 0) {
					_t52 =  *0x1233040();
					if(_t52 == 0x3002) {
						 *_t80 = 0;
						_push( &_v92);
						if(_t67 == 0) {
							_t52 =  *0x1233044();
						} else {
							_t52 =  *0x123303c();
						}
						_t85 = _t52;
					}
					_t97 = _t85;
				}
				return _t52 & 0xffffff00 | _t97 != 0x00000000;
			}

0x011d110c
0x011d110f
0x011d111c
0x011d1123
0x011d1137
0x011d114d
0x011d115c
0x011d115c
0x011d117c
0x011d1191
0x011d11a3
0x011d11a9
0x011d11b2
0x011d11ba
0x011d11be
0x011d11c9
0x011d11cc
0x011d11cf
0x011d11d7
0x011d11e0
0x011d11e6
0x011d11ec
0x011d11ef
0x011d11f2
0x011d11f9
0x011d1200
0x011d1203
0x011d120d
0x011d1205
0x011d1205
0x011d1205
0x011d1213
0x011d1217
0x011d1219
0x011d1224
0x011d1228
0x011d122e
0x011d1231
0x011d123b
0x011d1233
0x011d1233
0x011d1233
0x011d1241
0x011d1241
0x011d1243
0x011d1243
0x011d124c

APIs

_wcslen.LIBCMT ref: 011D112B
_wcslen.LIBCMT ref: 011D1153
_wcslen.LIBCMT ref: 011D1182
_wcslen.LIBCMT ref: 011D11A9

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e9c199f743b0c938de8f2b26d6cb3935af1701fed934089b518e1f9bf7b3a1f4
Instruction ID: 4b927ee8e353e061babbc7683bdb715868ddbadf6c05738d6cfe95747477d367
Opcode Fuzzy Hash: e9c199f743b0c938de8f2b26d6cb3935af1701fed934089b518e1f9bf7b3a1f4
Instruction Fuzzy Hash: D041B471A0066A9BCB29EF789C099EEBBB8EF14310F100019FD45F7245DB30AE458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 011FC988 Relevance: 6.1, APIs: 4, Instructions: 110
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E011FC988(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t54;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t66;
				short* _t67;
				signed int _t68;
				short* _t69;

				_t65 = __edx;
				_t34 =  *0x120e7ac; // 0xc166b63b
				_v8 = _t34 ^ _t68;
				E011F4636(_t55,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t54 =  *(_v24 + 8);
					_t57 = _t54;
					_a24 = _t54;
				}
				_t66 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E011EFBBC(_t66, _t55, _v8 ^ _t68, _t65, _t66, _t67);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t67 = 0;
					L11:
					if(_t67 != 0) {
						E011EFFF0(_t66, _t67, _t66, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t67, _v12);
						if(_t46 != 0) {
							_t66 = GetStringTypeW(_a8, _t67, _t46, _a20);
						}
					}
					L14:
					E011FABC3(_t67);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t67 = E011F8E06(_t63, _t48 & _t63);
					if(_t67 == 0) {
						goto L14;
					}
					 *_t67 = 0xdddd;
					L9:
					_t67 =  &(_t67[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E01202010(_t48 & _t63);
				_t67 = _t69;
				if(_t67 == 0) {
					goto L14;
				}
				 *_t67 = 0xcccc;
				goto L9;
			}

0x011fc988
0x011fc990
0x011fc997
0x011fc9a3
0x011fc9a8
0x011fc9ad
0x011fc9b2
0x011fc9b5
0x011fc9b7
0x011fc9b7
0x011fc9bc
0x011fc9d5
0x011fc9db
0x011fc9e0
0x011fca7f
0x011fca83
0x011fca88
0x011fca88
0x011fcaa4
0x011fcaa4
0x011fc9e6
0x011fc9ee
0x011fc9f2
0x011fca3e
0x011fca40
0x011fca42
0x011fca47
0x011fca5e
0x011fca66
0x011fca76
0x011fca76
0x011fca66
0x011fca78
0x011fca79
0x00000000
0x011fca7e
0x011fc9f9
0x011fc9fb
0x011fc9fd
0x011fca05
0x011fca22
0x011fca2c
0x011fca31
0x00000000
0x00000000
0x011fca33
0x011fca39
0x011fca39
0x00000000
0x011fca39
0x011fca09
0x011fca0d
0x011fca12
0x011fca16
0x00000000
0x00000000
0x011fca18
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,011F91E0,?,00000000,?,00000001,?,?,00000001,011F91E0,?), ref: 011FC9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 011FCA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,011F6CBE,?), ref: 011FCA70
__freea.LIBCMT ref: 011FCA79

Part of subcall function 011F8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,011FCA2C,00000000,?,011F6CBE,?,00000008,?,011F91E0,?,?,?), ref: 011F8E38

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3b7938542d08835a1716b71ec1e02c8dd0ee5ff9edda7bfb652365529954a7dc
Instruction ID: 26e5ed6f3224e1092fdcfcb7aa8f6a460ccd5e7afb4507cf2d34fc099a1ad688
Opcode Fuzzy Hash: 3b7938542d08835a1716b71ec1e02c8dd0ee5ff9edda7bfb652365529954a7dc
Instruction Fuzzy Hash: 0031AE72A0021AABDF29CF68DC44EAE7BA5EF41210B05426CEE05E6290E735DD54DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 011EA663 Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011EA663() {
				struct HDC__* _t1;
				struct HDC__* _t5;

				_t1 = GetDC(0);
				_t5 = _t1;
				if(_t5 != 0) {
					 *0x1218430 = GetDeviceCaps(_t5, 0x58);
					 *0x1218434 = GetDeviceCaps(_t5, 0x5a);
					return ReleaseDC(0, _t5);
				}
				return _t1;
			}

0x011ea666
0x011ea66c
0x011ea670
0x011ea67e
0x011ea68c
0x00000000
0x011ea691
0x011ea698

APIs

GetDC.USER32(00000000), ref: 011EA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 011EA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 011EA683
ReleaseDC.USER32(00000000,00000000), ref: 011EA691

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 23d43ada9b64cfb6f3a06da5280e586c1f69304fef0e1d725d1cdd20c63b5625
Instruction ID: cf6dd2de3dadbddb929dafe025067832264f70831063a8a147e30bf9a188aea5
Opcode Fuzzy Hash: 23d43ada9b64cfb6f3a06da5280e586c1f69304fef0e1d725d1cdd20c63b5625
Instruction Fuzzy Hash: C3E0EC31A82B21A7D2719B64B84DB8B7E54FB15B62F010105FA059A188DB6486008FA0

Uniqueness

Uniqueness Score: -1.00%

Function 011FB1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E011FB1B8(signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t136;
				void* _t138;
				signed int _t139;
				signed int _t142;
				signed int _t144;
				signed int _t146;
				signed int* _t147;
				signed int _t150;
				void* _t153;
				CHAR* _t154;
				void* _t155;
				char _t157;
				char _t159;
				intOrPtr* _t162;
				void* _t163;
				intOrPtr* _t164;
				signed int _t166;
				void* _t168;
				intOrPtr* _t169;
				signed int _t173;
				signed int _t177;
				signed int _t178;
				intOrPtr* _t183;
				void* _t192;
				signed int _t194;
				signed int _t195;
				signed int _t197;
				signed int _t198;
				signed int _t200;
				union _FINDEX_INFO_LEVELS _t201;
				void* _t202;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				void* _t211;
				intOrPtr _t212;
				void* _t213;
				void* _t214;
				signed int _t217;
				void* _t219;
				signed int _t220;
				void* _t221;
				void* _t222;
				void* _t223;
				signed int _t224;
				void* _t225;
				void* _t226;

				_t80 = _a8;
				_t222 = _t221 - 0x20;
				if(_t80 != 0) {
					_t206 = _a4;
					_t159 = 0;
					 *_t80 = 0;
					_t197 = 0;
					_t150 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t206;
					if( *_t206 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t150 - _t197;
						_v8 = _t159;
						_t190 = (_t82 >> 2) + 1;
						__eflags = _t150 - _t197;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t208 =  !_t206 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t208;
						if(_t208 != 0) {
							_t195 = _t197;
							_t157 = _t159;
							do {
								_t183 =  *_t195;
								_t17 = _t183 + 1; // 0x1
								_v8 = _t17;
								do {
									_t142 =  *_t183;
									_t183 = _t183 + 1;
									__eflags = _t142;
								} while (_t142 != 0);
								_t157 = _t157 + 1 + _t183 - _v8;
								_t195 = _t195 + 4;
								_t144 = _v12 + 1;
								_v12 = _t144;
								__eflags = _t144 - _t208;
							} while (_t144 != _t208);
							_t190 = _v16;
							_v8 = _t157;
							_t150 = _v336.cAlternateFileName;
						}
						_t209 = E011F8207(_t190, _v8, 1);
						_t223 = _t222 + 0xc;
						__eflags = _t209;
						if(_t209 != 0) {
							_t87 = _t209 + _v16 * 4;
							_v20 = _t87;
							_t191 = _t87;
							_v16 = _t87;
							__eflags = _t197 - _t150;
							if(_t197 == _t150) {
								L23:
								_t198 = 0;
								__eflags = 0;
								 *_a8 = _t209;
								goto L24;
							} else {
								_t93 = _t209 - _t197;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t162 =  *_t197;
									_v12 = _t162 + 1;
									do {
										_t95 =  *_t162;
										_t162 = _t162 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t163 = _t162 - _v12;
									_t35 = _t163 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E011FF101(_t163, _t191, _v20 - _t191 + _v8,  *_t197);
									_t223 = _t223 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E011F9097();
										asm("int3");
										_t219 = _t223;
										_push(_t163);
										_t164 = _v64;
										_t47 = _t164 + 1; // 0x1
										_t192 = _t47;
										do {
											_t103 =  *_t164;
											_t164 = _t164 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t197);
										_t200 = _a8;
										_t166 = _t164 - _t192 + 1;
										_v12 = _t166;
										__eflags = _t166 - (_t103 | 0xffffffff) - _t200;
										if(_t166 <= (_t103 | 0xffffffff) - _t200) {
											_push(_t150);
											_t50 = _t200 + 1; // 0x1
											_t153 = _t50 + _t166;
											_t211 = E011FB136(_t166, _t153, 1);
											_t168 = _t209;
											__eflags = _t200;
											if(_t200 == 0) {
												L34:
												_push(_v12);
												_t153 = _t153 - _t200;
												_t108 = E011FF101(_t168, _t211 + _t200, _t153, _v0);
												_t224 = _t223 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t136 = E011FB587(_a12, _t192, __eflags, _t211);
													E011F8DCC(0);
													_t138 = _t136;
													goto L36;
												}
											} else {
												_push(_t200);
												_t139 = E011FF101(_t168, _t211, _t153, _a4);
												_t224 = _t223 + 0x10;
												__eflags = _t139;
												if(_t139 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E011F9097();
													asm("int3");
													_push(_t219);
													_t220 = _t224;
													_t225 = _t224 - 0x150;
													_t111 =  *0x120e7ac; // 0xc166b63b
													_v116 = _t111 ^ _t220;
													_t169 = _v100;
													_push(_t153);
													_t154 = _v104;
													_push(_t211);
													_t212 = _v96;
													_push(_t200);
													_v440 = _t212;
													while(1) {
														__eflags = _t169 - _t154;
														if(_t169 == _t154) {
															break;
														}
														_t113 =  *_t169;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t169 = E011FF150(_t154, _t169);
																	continue;
																}
															}
														}
														break;
													}
													_t193 =  *_t169;
													__eflags = _t193 - 0x3a;
													if(_t193 != 0x3a) {
														L47:
														_t201 = 0;
														__eflags = _t193 - 0x2f;
														if(_t193 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t193 - 0x5c;
															if(_t193 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t193 - 0x3a;
																if(_t193 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t169 - _t154 + 0x00000001;
														E011EFFF0(_t201,  &_v336, _t201, 0x140);
														_t226 = _t225 + 0xc;
														_t213 = FindFirstFileExA(_t154, _t201,  &_v336, _t201, _t201, _t201);
														_t123 = _v340;
														__eflags = _t213 - 0xffffffff;
														if(_t213 != 0xffffffff) {
															_t173 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t173;
															_v348 = _t173 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t154);
																	_push(_t123);
																	L28();
																	_t226 = _t226 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t177 = _v291;
																	__eflags = _t177;
																	if(_t177 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t177 - 0x2e;
																		if(_t177 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t213,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t193 =  *_t123;
															_t178 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t178 - _t131;
															if(_t178 != _t131) {
																E011F6310(_t154, _t193 + _t178 * 4, _t131 - _t178, 4, E011FB1A0);
															}
														} else {
															_push(_t123);
															_push(_t201);
															_push(_t201);
															_push(_t154);
															L28();
															L54:
															_t201 = _t123;
														}
														__eflags = _t213 - 0xffffffff;
														if(_t213 != 0xffffffff) {
															FindClose(_t213);
														}
														_t124 = _t201;
													} else {
														_t124 =  &(_t154[1]);
														__eflags = _t169 -  &(_t154[1]);
														if(_t169 ==  &(_t154[1])) {
															goto L47;
														} else {
															_push(_t212);
															_push(0);
															_push(0);
															_push(_t154);
															L28();
														}
													}
													L58:
													_pop(_t202);
													_pop(_t214);
													__eflags = _v16 ^ _t220;
													_pop(_t155);
													return E011EFBBC(_t124, _t155, _v16 ^ _t220, _t193, _t202, _t214);
												} else {
													goto L34;
												}
											}
										} else {
											_t138 = 0xc;
											L36:
											return _t138;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t194 = _v16;
									 *((intOrPtr*)(_v24 + _t197)) = _t194;
									_t197 = _t197 + 4;
									_t191 = _t194 + _v12;
									_v16 = _t194 + _v12;
									__eflags = _t197 - _t150;
								} while (_t197 != _t150);
								goto L23;
							}
						} else {
							_t198 = _t197 | 0xffffffff;
							L24:
							E011F8DCC(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t159;
							_t146 = E011FF110( *_t206,  &_v8);
							__eflags = _t146;
							if(_t146 != 0) {
								_push( &_v36);
								_push(_t146);
								_push( *_t206);
								L38();
								_t222 = _t222 + 0xc;
							} else {
								_t146 =  &_v36;
								_push(_t146);
								_push(0);
								_push(0);
								_push( *_t206);
								L28();
								_t222 = _t222 + 0x10;
							}
							_t198 = _t146;
							__eflags = _t198;
							if(_t198 != 0) {
								break;
							}
							_t206 = _t206 + 4;
							_t159 = 0;
							__eflags =  *_t206;
							if( *_t206 != 0) {
								continue;
							} else {
								_t150 = _v336.cAlternateFileName;
								_t197 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E011FB562( &_v36);
						_t91 = _t198;
						goto L26;
					}
				} else {
					_t147 = E011F91A8();
					_t217 = 0x16;
					 *_t147 = _t217;
					E011F9087();
					_t91 = _t217;
					L26:
					return _t91;
				}
				L68:
			}

0x011fb1bd
0x011fb1c0
0x011fb1c6
0x011fb1de
0x011fb1e1
0x011fb1e5
0x011fb1e7
0x011fb1e9
0x011fb1eb
0x011fb1ee
0x011fb1f1
0x011fb1f4
0x011fb1f6
0x011fb24e
0x011fb24e
0x011fb254
0x011fb256
0x011fb261
0x011fb265
0x011fb267
0x011fb26a
0x011fb26e
0x011fb26e
0x011fb270
0x011fb272
0x011fb274
0x011fb276
0x011fb276
0x011fb278
0x011fb27b
0x011fb27e
0x011fb27e
0x011fb280
0x011fb281
0x011fb281
0x011fb28c
0x011fb28e
0x011fb291
0x011fb292
0x011fb295
0x011fb295
0x011fb299
0x011fb29c
0x011fb29f
0x011fb29f
0x011fb2ad
0x011fb2af
0x011fb2b2
0x011fb2b4
0x011fb2be
0x011fb2c1
0x011fb2c4
0x011fb2c6
0x011fb2c9
0x011fb2cb
0x011fb31b
0x011fb31e
0x011fb31e
0x011fb320
0x00000000
0x011fb2cd
0x011fb2cf
0x011fb2cf
0x011fb2d1
0x011fb2d4
0x011fb2d4
0x011fb2d9
0x011fb2dc
0x011fb2dc
0x011fb2de
0x011fb2df
0x011fb2df
0x011fb2e3
0x011fb2e6
0x011fb2e6
0x011fb2e9
0x011fb2ec
0x011fb2f9
0x011fb2fe
0x011fb301
0x011fb303
0x011fb33d
0x011fb33e
0x011fb33f
0x011fb340
0x011fb341
0x011fb342
0x011fb347
0x011fb34b
0x011fb34d
0x011fb34e
0x011fb351
0x011fb351
0x011fb354
0x011fb354
0x011fb356
0x011fb357
0x011fb357
0x011fb360
0x011fb361
0x011fb364
0x011fb367
0x011fb36a
0x011fb36c
0x011fb373
0x011fb375
0x011fb378
0x011fb382
0x011fb385
0x011fb386
0x011fb388
0x011fb39c
0x011fb39c
0x011fb39f
0x011fb3a9
0x011fb3ae
0x011fb3b1
0x011fb3b3
0x00000000
0x011fb3b5
0x011fb3b9
0x011fb3c2
0x011fb3c8
0x00000000
0x011fb3cb
0x011fb38a
0x011fb38a
0x011fb390
0x011fb395
0x011fb398
0x011fb39a
0x011fb3d1
0x011fb3d3
0x011fb3d4
0x011fb3d5
0x011fb3d6
0x011fb3d7
0x011fb3d8
0x011fb3dd
0x011fb3e0
0x011fb3e1
0x011fb3e3
0x011fb3e9
0x011fb3f0
0x011fb3f3
0x011fb3f6
0x011fb3f7
0x011fb3fa
0x011fb3fb
0x011fb3fe
0x011fb3ff
0x011fb420
0x011fb420
0x011fb422
0x00000000
0x00000000
0x011fb407
0x011fb409
0x011fb40b
0x011fb40d
0x011fb40f
0x011fb411
0x011fb413
0x011fb41e
0x00000000
0x011fb41e
0x011fb413
0x011fb40f
0x00000000
0x011fb40b
0x011fb424
0x011fb426
0x011fb429
0x011fb442
0x011fb442
0x011fb444
0x011fb447
0x011fb457
0x011fb459
0x011fb459
0x011fb449
0x011fb449
0x011fb44c
0x00000000
0x011fb44e
0x011fb44e
0x011fb451
0x00000000
0x011fb453
0x011fb453
0x011fb453
0x011fb451
0x011fb44c
0x011fb467
0x011fb46b
0x011fb479
0x011fb47e
0x011fb493
0x011fb495
0x011fb49b
0x011fb49e
0x011fb4d0
0x011fb4d0
0x011fb4d5
0x011fb4db
0x011fb4db
0x011fb4e2
0x011fb4fc
0x011fb4fc
0x011fb4fd
0x011fb503
0x011fb509
0x011fb50a
0x011fb50b
0x011fb510
0x011fb513
0x011fb515
0x00000000
0x00000000
0x00000000
0x00000000
0x011fb4e4
0x011fb4e4
0x011fb4ea
0x011fb4ec
0x00000000
0x011fb4ee
0x011fb4ee
0x011fb4f1
0x00000000
0x011fb4f3
0x011fb4f3
0x011fb4fa
0x00000000
0x00000000
0x00000000
0x00000000
0x011fb4fa
0x011fb4f1
0x011fb4ec
0x00000000
0x011fb517
0x011fb51f
0x011fb525
0x011fb527
0x011fb527
0x011fb52f
0x011fb534
0x011fb53c
0x011fb53f
0x011fb541
0x011fb555
0x011fb55a
0x011fb4a0
0x011fb4a0
0x011fb4a1
0x011fb4a2
0x011fb4a3
0x011fb4a4
0x011fb4ac
0x011fb4ac
0x011fb4ac
0x011fb4ae
0x011fb4b1
0x011fb4b4
0x011fb4b4
0x011fb4ba
0x011fb42b
0x011fb42b
0x011fb42e
0x011fb430
0x00000000
0x011fb432
0x011fb432
0x011fb435
0x011fb436
0x011fb437
0x011fb438
0x011fb43d
0x011fb430
0x011fb4bc
0x011fb4bf
0x011fb4c0
0x011fb4c1
0x011fb4c3
0x011fb4cc
0x00000000
0x00000000
0x00000000
0x011fb39a
0x011fb36e
0x011fb370
0x011fb3cc
0x011fb3d0
0x011fb3d0
0x00000000
0x00000000
0x00000000
0x00000000
0x011fb305
0x011fb308
0x011fb30b
0x011fb30e
0x011fb311
0x011fb314
0x011fb317
0x011fb317
0x00000000
0x011fb2d4
0x011fb2b6
0x011fb2b6
0x011fb322
0x011fb324
0x00000000
0x011fb329
0x011fb1f8
0x011fb1f8
0x011fb1fb
0x011fb204
0x011fb207
0x011fb20e
0x011fb210
0x011fb229
0x011fb22a
0x011fb22b
0x011fb22d
0x011fb232
0x011fb212
0x011fb212
0x011fb215
0x011fb216
0x011fb218
0x011fb21a
0x011fb21c
0x011fb221
0x011fb221
0x011fb235
0x011fb237
0x011fb239
0x00000000
0x00000000
0x011fb23f
0x011fb242
0x011fb244
0x011fb246
0x00000000
0x011fb248
0x011fb248
0x011fb24b
0x00000000
0x011fb24b
0x00000000
0x011fb246
0x011fb32a
0x011fb32d
0x011fb332
0x00000000
0x011fb335
0x011fb1c8
0x011fb1c8
0x011fb1cf
0x011fb1d0
0x011fb1d2
0x011fb1d7
0x011fb336
0x011fb33a
0x011fb33a
0x00000000

APIs

_free.LIBCMT ref: 011FB324

Part of subcall function 011F9097: IsProcessorFeaturePresent.KERNEL32(00000017,011F9086,00000050,01203A34,?,011DD710,00000004,01211030,?,?,011F9093,00000000,00000000,00000000,00000000,00000000), ref: 011F9099
Part of subcall function 011F9097: GetCurrentProcess.KERNEL32(C0000417,01203A34,00000050,01211030), ref: 011F90BB
Part of subcall function 011F9097: TerminateProcess.KERNEL32(00000000), ref: 011F90C2

Strings

*?, xrefs: 011FB1FB
., xrefs: 011FB4DB

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction ID: 441b8110cbef1f84aed615d3e9b56262213ea1527a60ec891818f1c2a9a724c5
Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction Fuzzy Hash: 66518175E0810AAFDF19DFA8C880AADBBB5FF58314F24416DDA54E7340E735AA01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 011D75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
timeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E011D75DE(void* __ecx) {
				void* __esi;
				char _t55;
				signed int _t58;
				void* _t62;
				signed int _t63;
				signed int _t69;
				signed int _t86;
				void* _t91;
				void* _t101;
				intOrPtr* _t106;
				void* _t108;

				E011EEB78(0x12027e9, _t108);
				E011EEC50(0x60f8);
				_t106 =  *((intOrPtr*)(_t108 + 0xc));
				if( *_t106 == 0) {
					L3:
					_t101 = 0x802;
					E011E0602(_t108 - 0x1014, _t106, 0x802);
					L4:
					_t82 =  *((intOrPtr*)(_t108 + 8));
					E011D77DF(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x4094, 0x800);
					_t113 =  *((short*)(_t108 - 0x4094)) - 0x3a;
					if( *((short*)(_t108 - 0x4094)) == 0x3a) {
						__eflags =  *((char*)(_t108 + 0x10));
						if(__eflags == 0) {
							E011E05DA(__eflags, _t108 - 0x1014, _t108 - 0x4094, _t101);
							E011D6EDB(_t108 - 0x3094);
							_push(0);
							_t55 = E011DA56D(_t108 - 0x3094, __eflags, _t106, _t108 - 0x3094);
							_t86 =  *(_t108 - 0x208c);
							 *((char*)(_t108 - 0xd)) = _t55;
							__eflags = _t86 & 0x00000001;
							if((_t86 & 0x00000001) != 0) {
								__eflags = _t86 & 0xfffffffe;
								E011DA4ED(_t106, _t86 & 0xfffffffe);
							}
							E011D9556(_t108 - 0x204c);
							 *((intOrPtr*)(_t108 - 4)) = 1;
							_t58 = E011D9F1A(_t108 - 0x204c, __eflags, _t108 - 0x1014, 0x11);
							__eflags = _t58;
							if(_t58 != 0) {
								_push(0);
								_push(_t108 - 0x204c);
								_push(0);
								_t69 = E011D3BBA(_t82);
								__eflags = _t69;
								if(_t69 != 0) {
									E011D9620(_t108 - 0x204c);
								}
							}
							E011D9556(_t108 - 0x50cc);
							__eflags =  *((char*)(_t108 - 0xd));
							 *((char*)(_t108 - 4)) = 2;
							if( *((char*)(_t108 - 0xd)) != 0) {
								_t63 = E011D98E0(_t108 - 0x50cc, _t106, _t106, 5);
								__eflags = _t63;
								if(_t63 != 0) {
									SetFileTime( *(_t108 - 0x50c4), _t108 - 0x206c, _t108 - 0x2064, _t108 - 0x205c);
								}
							}
							E011DA4ED(_t106,  *(_t108 - 0x208c));
							E011D959A(_t108 - 0x50cc);
							_t91 = _t108 - 0x204c;
						} else {
							E011D9556(_t108 - 0x6104);
							_push(1);
							_push(_t108 - 0x6104);
							_push(0);
							 *((intOrPtr*)(_t108 - 4)) = 0;
							E011D3BBA(_t82);
							_t91 = _t108 - 0x6104;
						}
						_t62 = E011D959A(_t91);
					} else {
						E011D2021(_t113, 0x53, _t82 + 0x32, _t106);
						_t62 = E011D6D83(0x1211098, 3);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
					return _t62;
				}
				_t112 =  *((intOrPtr*)(_t106 + 2));
				if( *((intOrPtr*)(_t106 + 2)) != 0) {
					goto L3;
				} else {
					_t101 = 0x802;
					E011E0602(_t108 - 0x1014, 0x12037a0, 0x802);
					E011E05DA(_t112, _t108 - 0x1014, _t106, 0x802);
					goto L4;
				}
			}

0x011d75e3
0x011d75ed
0x011d75f4
0x011d75fd
0x011d762c
0x011d762c
0x011d763a
0x011d763f
0x011d763f
0x011d764f
0x011d7654
0x011d765c
0x011d767b
0x011d767f
0x011d76bc
0x011d76c7
0x011d76d4
0x011d76d7
0x011d76dc
0x011d76e2
0x011d76e5
0x011d76e8
0x011d76ea
0x011d76ef
0x011d76ef
0x011d76fa
0x011d7707
0x011d7715
0x011d771a
0x011d771c
0x011d771e
0x011d7727
0x011d7728
0x011d7729
0x011d772e
0x011d7730
0x011d7738
0x011d7738
0x011d7730
0x011d7743
0x011d7748
0x011d774c
0x011d7750
0x011d775b
0x011d7760
0x011d7762
0x011d777f
0x011d777f
0x011d7762
0x011d778c
0x011d7797
0x011d779c
0x011d7681
0x011d7687
0x011d768c
0x011d7696
0x011d7697
0x011d769a
0x011d769d
0x011d76a2
0x011d76a2
0x011d77a2
0x011d765e
0x011d7665
0x011d7671
0x011d7671
0x011d77ad
0x011d77b5
0x011d77b5
0x011d75ff
0x011d7603
0x00000000
0x011d7605
0x011d7605
0x011d7617
0x011d7625
0x00000000
0x011d7625

APIs

__EH_prolog.LIBCMT ref: 011D75E3

Part of subcall function 011E05DA: _wcslen.LIBCMT ref: 011E05E0

Part of subcall function 011DA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 011DA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 011D777F

Part of subcall function 011DA4ED: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,011DA325,?,?,?,011DA175,?,00000001,00000000,?,?), ref: 011DA501
Part of subcall function 011DA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,011DA325,?,?,?,011DA175,?,00000001,00000000,?,?), ref: 011DA532

Strings

:, xrefs: 011D7654

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 29faf3e37ba92fb932d66398aabf73bf0886f5b631b57b92e81716c885be2ce5
Instruction ID: 7f64bc87c47a5af1c7364a35d201d17378ee50b96ef7058a58f5630dac28b9d9
Opcode Fuzzy Hash: 29faf3e37ba92fb932d66398aabf73bf0886f5b631b57b92e81716c885be2ce5
Instruction Fuzzy Hash: 6C419271801559A9EB39EB64CC98EEEB77CAF65308F4040D6E609A3091DB745F84CF71

Uniqueness

Uniqueness Score: -1.00%

Function 011EB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E011EB48E(void* __ecx, void* __edx, void* __eflags, char _a3, char _a4, char _a7, char _a8, intOrPtr* _a8200) {
				void* __edi;
				void* __ebp;
				intOrPtr _t20;
				short* _t31;
				intOrPtr* _t33;
				signed int _t41;
				intOrPtr* _t42;
				void* _t44;

				E011EEC50(0x2004);
				_push(0x80000);
				_t42 = E011F3E33(__ecx);
				if(_t42 == 0) {
					E011D6CA7(0x1211098);
				}
				_t33 = _a8200;
				 *_t42 = 0;
				_t41 = 0;
				while(1) {
					_push(0x1000);
					_push( &_a3);
					_push(0);
					_push(0);
					_push( &_a4);
					_push( *_t33);
					_t20 = E011EB314(_t41, 0);
					 *_t33 = _t20;
					if(_t20 == 0) {
						break;
					}
					if( *_t42 != 0 || _a8 != 0x7b) {
						if(_a8 == 0x7d || E011F3E13( &_a8) + _t41 > 0x3fffb) {
							break;
						} else {
							E011F7686(_t42,  &_a8);
							_t41 = E011F3E13(_t42);
							_t44 = _t44 + 0xc;
							if(_t41 == 0) {
								L11:
								if(_a7 == 0) {
									E011F6066(_t42 + _t41 * 2, L"\r\n");
								}
								continue;
							}
							_t6 = _t41 - 1; // -1
							_t31 = _t42 + _t6 * 2;
							while( *_t31 == 0x20) {
								_t31 = _t31 - 2;
								_t41 = _t41 - 1;
								if(_t41 != 0) {
									continue;
								}
								goto L11;
							}
							goto L11;
						}
					} else {
						continue;
					}
				}
				return _t42;
			}

0x011eb493
0x011eb49c
0x011eb4a6
0x011eb4ab
0x011eb4b2
0x011eb4b2
0x011eb4b7
0x011eb4c2
0x011eb4c5
0x011eb537
0x011eb537
0x011eb540
0x011eb541
0x011eb542
0x011eb547
0x011eb548
0x011eb54a
0x011eb54f
0x011eb553
0x00000000
0x00000000
0x011eb4cc
0x011eb4dc
0x00000000
0x011eb4f2
0x011eb4f8
0x011eb503
0x011eb505
0x011eb50a
0x011eb520
0x011eb525
0x011eb530
0x011eb536
0x00000000
0x011eb525
0x011eb50c
0x011eb50f
0x011eb512
0x011eb518
0x011eb51b
0x011eb51e
0x00000000
0x00000000
0x00000000
0x011eb51e
0x00000000
0x011eb512
0x00000000
0x00000000
0x00000000
0x011eb4cc
0x011eb565

APIs

_wcslen.LIBCMT ref: 011EB4E3
_wcslen.LIBCMT ref: 011EB4FE

Strings

}, xrefs: 011EB4D6

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 69c7cb4edf5e33b5e1f6baf074dafc25ad6e064007c136813ce8dc2aa9a883d3
Instruction ID: 8da12c8d1aa919982073d830572a8ee6e0f92b2b9961ab39438884e918ace43b
Opcode Fuzzy Hash: 69c7cb4edf5e33b5e1f6baf074dafc25ad6e064007c136813ce8dc2aa9a883d3
Instruction Fuzzy Hash: 022126729097175AD739EBA8D848E6BB3ECDF50714F00042EE740C3141E764D94883A6

Uniqueness

Uniqueness Score: -1.00%

Function 011DF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 011DF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 011DF2E4
Part of subcall function 011DF2C5: GetProcAddress.KERNEL32(012181C8,CryptUnprotectMemory), ref: 011DF2F4

GetCurrentProcessId.KERNEL32(?,?,?,011DF33E), ref: 011DF3D2

Strings

CryptProtectMemory failed, xrefs: 011DF389
CryptUnprotectMemory failed, xrefs: 011DF3CA

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 703ba93516cf72676c76f2b9994a285303cb551610d78e65367c57d3c7fbe070
Instruction ID: a42bb05b1aa86dda368060093b79a19abe2b3e79ff81eb74cb1bf0ba59bf7a05
Opcode Fuzzy Hash: 703ba93516cf72676c76f2b9994a285303cb551610d78e65367c57d3c7fbe070
Instruction Fuzzy Hash: E7110A32A0821A7FDB2EDF25E84866E3B54FF10660B064205EC425B245DF309F43C791

Uniqueness

Uniqueness Score: -1.00%

Function 011DB991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E011DB991(void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
				short _t10;
				short _t13;
				signed int _t14;
				short* _t19;
				signed int _t20;
				void* _t22;
				signed short* _t26;
				signed int _t28;
				signed int _t30;

				_t19 = _a8;
				_t26 = _a4;
				 *_t19 = 0;
				_t10 = E011DBC98(__eflags, _t26);
				_t20 =  *_t26 & 0x0000ffff;
				if(_t10 != 0) {
					return E011D4092(_t19, _a12, L"%c:\\", _t20);
				}
				_t28 = 0x5c;
				__eflags = _t20 - _t28;
				if(_t20 == _t28) {
					__eflags = _t26[1] - _t28;
					if(_t26[1] == _t28) {
						_push(_t28);
						_push( &(_t26[2]));
						_t10 = E011F22C6(_t20);
						_pop(_t22);
						__eflags = _t10;
						if(_t10 != 0) {
							_push(_t28);
							_push(_t10 + 2);
							_t13 = E011F22C6(_t22);
							__eflags = _t13;
							if(_t13 == 0) {
								_t14 = E011F3E13(_t26);
							} else {
								_t14 = (_t13 - _t26 >> 1) + 1;
							}
							__eflags = _t14 - _a12;
							asm("sbb esi, esi");
							_t30 = _t28 & _t14;
							E011F60C2(_t19, _t26, _t30);
							_t10 = 0;
							__eflags = 0;
							 *((short*)(_t19 + _t30 * 2)) = 0;
						}
					}
				}
				return _t10;
			}

0x011db992
0x011db999
0x011db99e
0x011db9a1
0x011db9a6
0x011db9ab
0x00000000
0x011db9bd
0x011db9c5
0x011db9c6
0x011db9c9
0x011db9cb
0x011db9cf
0x011db9d4
0x011db9d5
0x011db9d6
0x011db9dc
0x011db9dd
0x011db9df
0x011db9e4
0x011db9e5
0x011db9e6
0x011db9ed
0x011db9ef
0x011db9f9
0x011db9f1
0x011db9f5
0x011db9f5
0x011db9ff
0x011dba03
0x011dba05
0x011dba0a
0x011dba12
0x011dba12
0x011dba14
0x011dba14
0x011db9df
0x011db9cf
0x00000000

APIs

_swprintf.LIBCMT ref: 011DB9B8

Part of subcall function 011D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 011D40A5

Strings

%c:\, xrefs: 011DB9AE

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 6dd4570b09b087e9fd80090e8ab15930d4f994eadd5af775f5172ab729fbcc7c
Instruction ID: d721bdf488f74bbeeae2265e66584a1a929038e80fb0096bffd9a392f982a7bb
Opcode Fuzzy Hash: 6dd4570b09b087e9fd80090e8ab15930d4f994eadd5af775f5172ab729fbcc7c
Instruction Fuzzy Hash: 8501F56350831269AA3DAB798C40D6BA7ACEFA65B0B45450EE546D7081FB30D440C2B6

Uniqueness

Uniqueness Score: -1.00%

Function 011EB6DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E011EB6DD(void* __ecx, void* __edx, void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				void* _t13;
				void* _t15;
				signed int _t20;
				signed int _t21;
				void* _t23;
				void* _t24;
				void* _t28;
				void* _t35;

				_t35 = __fp0;
				_t23 = __edx;
				_t24 = LoadBitmapW( *0x1211028, 0x65);
				_t21 = _t20 & 0xffffff00 | _t24 == 0x00000000;
				if(_t24 != 0) {
					L2:
					GetObjectW(_t24, 0x18,  &_v28);
					L4:
					if(E011EA5C6(_t31) != 0) {
						if(_t21 != 0) {
							_t28 = E011EA6C2(0x66);
							if(_t28 != 0) {
								 *0x1233054(_t24);
								_t24 = _t28;
							}
						}
						_t13 = E011EA605(_v20);
						_t15 = E011EA80C(_t23, _t35, _t24, E011EA5E4(_v24), _t13);
						 *0x1233054(_t24);
						_t24 = _t15;
					}
					return _t24;
				}
				_t24 = E011EA6C2(0x65);
				_t31 = _t24;
				if(_t24 == 0) {
					_v24 = 0x5d;
					_v20 = 0x12e;
					goto L4;
				}
				goto L2;
			}

0x011eb6dd
0x011eb6dd
0x011eb6f3
0x011eb6f7
0x011eb6fc
0x011eb70b
0x011eb712
0x011eb728
0x011eb72f
0x011eb734
0x011eb73d
0x011eb741
0x011eb744
0x011eb74a
0x011eb74a
0x011eb741
0x011eb74f
0x011eb75f
0x011eb767
0x011eb76d
0x011eb76f
0x011eb775
0x011eb775
0x011eb705
0x011eb707
0x011eb709
0x011eb71a
0x011eb721
0x00000000
0x011eb721
0x00000000

APIs

LoadBitmapW.USER32(00000065), ref: 011EB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 011EB712

Part of subcall function 011EA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,011EB73D,00000066), ref: 011EA6D5
Part of subcall function 011EA6C2: SizeofResource.KERNEL32(00000000,?,?,?,011EB73D,00000066), ref: 011EA6EC
Part of subcall function 011EA6C2: LoadResource.KERNEL32(00000000,?,?,?,011EB73D,00000066), ref: 011EA703
Part of subcall function 011EA6C2: LockResource.KERNEL32(00000000,?,?,?,011EB73D,00000066), ref: 011EA712
Part of subcall function 011EA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,011EB73D,00000066), ref: 011EA72D
Part of subcall function 011EA6C2: GlobalLock.KERNEL32 ref: 011EA73E
Part of subcall function 011EA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 011EA7A7
Part of subcall function 011EA6C2: GlobalUnlock.KERNEL32(00000000), ref: 011EA7C6
Part of subcall function 011EA6C2: GlobalFree.KERNEL32 ref: 011EA7CD

Strings

], xrefs: 011EB71A

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: GlobalResource$BitmapLoadLock$AllocCreateFindFreeFromGdipObjectSizeofUnlock
String ID: ]
API String ID: 1245295032-3352871620
Opcode ID: 1cc06217998142875ddd1f34e75d6ba2b493d35f685f1352b342860057199e0b
Instruction ID: c429de6329bca6d273d59f0365bd9feac21dfd7224f3154944d7dcaa7dabae01
Opcode Fuzzy Hash: 1cc06217998142875ddd1f34e75d6ba2b493d35f685f1352b342860057199e0b
Instruction Fuzzy Hash: 6A01DB36D84D1267D72677F86C4CA7F7EF9AFC1756F090011EA00A7284DF3189054760

Uniqueness

Uniqueness Score: -1.00%

Function 011E101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E011E101F() {
				long _v4;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t5;
				int _t8;
				void* _t12;
				void** _t18;
				void* _t22;

				_t12 = 0;
				if( *0x1211098 > 0) {
					_t18 = 0x121109c;
					do {
						_t22 = CreateThread(0, 0x10000, E011E1160, 0x1211098, 0,  &_v4);
						_t25 = _t22;
						if(_t22 == 0) {
							_push(L"CreateThread failed");
							_push(0x1211098);
							E011D6C36(0x1211098);
							E011D6C31(E011D6DCB(0x1211098, _t25), 0x1211098, 0x1211098, 2);
						}
						 *_t18 = _t22;
						 *0x0121119C =  *((intOrPtr*)(0x121119c)) + 1;
						_t8 =  *0x12181e0; // 0x0
						if(_t8 != 0) {
							_t8 = SetThreadPriority( *_t18, _t8);
						}
						_t12 = _t12 + 1;
						_t18 =  &(_t18[1]);
					} while (_t12 <  *0x1211098);
					return _t8;
				}
				return _t5;
			}

0x011e1024
0x011e1028
0x011e102c
0x011e102f
0x011e1049
0x011e104b
0x011e104d
0x011e104f
0x011e1054
0x011e1059
0x011e1071
0x011e1071
0x011e1076
0x011e1078
0x011e107e
0x011e1085
0x011e108a
0x011e108a
0x011e1090
0x011e1091
0x011e1094
0x00000000
0x011e1099
0x011e109d

APIs

CreateThread.KERNEL32 ref: 011E1043
SetThreadPriority.KERNEL32(?,00000000), ref: 011E108A

Part of subcall function 011D6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 011D6C54

Strings

CreateThread failed, xrefs: 011E104F

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 0c73cca552e09b84d994876c1e83d9c007d89d4e1dcd0125df875d3cc3a4d833
Instruction ID: 4feae3fcc5f864b3af0010f4204d24e40a0533d8c4e48b1fe4fbdd4dc2e6efe0
Opcode Fuzzy Hash: 0c73cca552e09b84d994876c1e83d9c007d89d4e1dcd0125df875d3cc3a4d833
Instruction Fuzzy Hash: B0014E75740309BFD338DF74AC54B7A77D9FB60650F20001DFB4652188CBB068448320

Uniqueness

Uniqueness Score: -1.00%

Function 011D1316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E011D1316(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
				struct HWND__* _t20;
				struct HWND__* _t21;

				if(_a8 == 0x30) {
					E011DE2C1(0x1211030, _a4);
				} else {
					_t27 = _a8 - 0x110;
					if(_a8 == 0x110) {
						E011DE2E8(0x1211030, __edx, _t27, _a4, _a20, _a28 & 1);
						if((_a28 & 0x00000001) != 0) {
							_t20 =  *0x1233154(_a4);
							if(_t20 != 0) {
								_t21 = GetDlgItem(_t20, 0x3021);
								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
									SetWindowTextW(_t21, 0x12035f4);
								}
							}
						}
					}
				}
				return 0;
			}

0x011d131d
0x011d1380
0x011d131f
0x011d131f
0x011d1326
0x011d133c
0x011d1345
0x011d134a
0x011d1352
0x011d135a
0x011d1362
0x011d1370
0x011d1370
0x011d1362
0x011d1352
0x011d1345
0x011d1326
0x011d1388

APIs

Part of subcall function 011DE2E8: _swprintf.LIBCMT ref: 011DE30E
Part of subcall function 011DE2E8: _strlen.LIBCMT ref: 011DE32F
Part of subcall function 011DE2E8: SetDlgItemTextW.USER32(?,0120E274,?), ref: 011DE38F
Part of subcall function 011DE2E8: GetWindowRect.USER32(?,?), ref: 011DE3C9
Part of subcall function 011DE2E8: GetClientRect.USER32(?,?), ref: 011DE3D5

GetDlgItem.USER32(00000000,00003021), ref: 011D135A
SetWindowTextW.USER32(00000000,012035F4), ref: 011D1370

Strings

0, xrefs: 011D1319

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: f7a40ed1662151f820bc69e9a9f1cfefa1d5a35a1715346b347f5f23723a7dee
Instruction ID: 1bd17886e99918f32e32b92e0dd4becde2451eb644e573323bed66ed0c627dbf
Opcode Fuzzy Hash: f7a40ed1662151f820bc69e9a9f1cfefa1d5a35a1715346b347f5f23723a7dee
Instruction Fuzzy Hash: 36F0AF3021838CBAEF1E8F65980DBEA3FA8BF14265F048204FE8454595CF78C590EB10

Uniqueness

Uniqueness Score: -1.00%

Function 011E0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E011E0FE4(void* __ecx, void* __ebp, void* _a4) {
				void* __esi;
				long _t2;
				void* _t6;

				_t6 = __ecx;
				_t2 = WaitForSingleObject(_a4, 0xffffffff);
				if(_t2 == 0xffffffff) {
					_push(GetLastError());
					return E011D6C31(E011D6C36(_t6, 0x1211098, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0x1211098, 0x1211098, 2);
				}
				return _t2;
			}

0x011e0fe4
0x011e0fea
0x011e0ff3
0x011e0ffc
0x00000000
0x011e101b
0x011e101c

APIs

WaitForSingleObject.KERNEL32(?,000000FF,011E1206,?), ref: 011E0FEA
GetLastError.KERNEL32(?), ref: 011E0FF6

Part of subcall function 011D6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 011D6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 011E0FFF

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: dbe9b450ba06e759f55f591cb1fca1d1123f8c7b62e18f9478f7fd8281e6a59c
Instruction ID: 7b969fb85b67e8bff77071f507caf8f77a65b3e2b9e5099843076533bf028d63
Opcode Fuzzy Hash: dbe9b450ba06e759f55f591cb1fca1d1123f8c7b62e18f9478f7fd8281e6a59c
Instruction Fuzzy Hash: 3ED02E32A085317AC626B338AC0CD6E3D45AB32331F604708F638602EACB300A418392

Uniqueness

Uniqueness Score: -1.00%

Function 011DE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011DE29E(void* __ecx) {
				struct HRSRC__* _t3;
				void* _t5;

				_t5 = __ecx;
				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
				if(_t3 != 0) {
					 *((char*)(_t5 + 0x64)) = 1;
					return _t3;
				}
				return _t3;
			}

0x011de2a1
0x011de2b1
0x011de2b9
0x011de2bb
0x00000000
0x011de2bb
0x011de2c0

APIs

GetModuleHandleW.KERNEL32(00000000,?,011DDA55,?), ref: 011DE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,011DDA55,?), ref: 011DE2B1

Strings

RTL, xrefs: 011DE2AB

Memory Dump Source

Source File: 00000000.00000002.575172153.00000000011D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000000.00000002.575168754.00000000011D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575191966.0000000001203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575199872.000000000120E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575205877.0000000001215000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575214530.0000000001232000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575219477.0000000001233000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575226612.0000000001253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575235637.0000000001276000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.575240431.0000000001278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_6Sy6PrInNl.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e86f9a4812e8fe615b9c7afdd198273d36f13824097160fde618edaa3c7ba4db
Instruction ID: d9ad7b978f76349ceef66cf4465a50d5f64707aa569dd1ab813209eb988bba77
Opcode Fuzzy Hash: e86f9a4812e8fe615b9c7afdd198273d36f13824097160fde618edaa3c7ba4db
Instruction Fuzzy Hash: 42C012316427106EEB32E76A7C4DB836E596B00B12F09064CB281EA6CADAA5C48087A0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6Sy6PrInNl.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 6Sy6PrInNl.exePID: 2800, Parent PID: 1244

General

Chronological Activities

Disassembly

Analysis Process: 6Sy6PrInNl.exePID: 2800, Parent PID: 1244COMMON

Execution Graph

Graph

Executed Functions

Function 011EDF1E Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 195filesleeptimeCOMMON

Control-flow Graph

Function 011EA6C2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100memorywindowCOMMON

Windows Analysis Report
6Sy6PrInNl.exe

Function 011EDF1E Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Function 011EA6C2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Function 011DA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Function 011D848E Relevance: 2.5, APIs: 1, Instructions: 960
COMMONCrypto

Function 011EF9D5 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Function 011EB7E0 Relevance: 98.7, APIs: 46, Strings: 10, Instructions: 731
windowfilesleepCOMMON

Function 011E0863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Function 011DDA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663
COMMON

Function 011ED4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Function 011FA95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Function 011F3B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Function 011EABAB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
COMMON

Function 011D98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Function 011EB568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Function 011E15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197
COMMON

Function 011EB270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 011EAC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Function 011EDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Function 011D9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Function 011FAD34 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Function 011DA2B2 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Function 011FB893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Function 011EDDA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
COMMON

Function 011FAF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMONLIBRARYCODE

Function 011FAF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Function 011FADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Function 011EE282 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10
COMMON

Function 011FBBF0 Relevance: 3.2, APIs: 2, Instructions: 168
COMMON

Function 011D9A74 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Function 011FBA27 Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Function 011D1E50 Relevance: 3.1, APIs: 2, Instructions: 86
COMMON

Function 011D966E Relevance: 3.1, APIs: 2, Instructions: 82
fileCOMMON

Function 011FA3D0 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Function 011D9E80 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Function 011F8E54 Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMON

Function 011E109E Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Function 011DA1E0 Relevance: 3.0, APIs: 2, Instructions: 27
fileCOMMON

Function 011DA243 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Function 011EDEC2 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Function 011E081B Relevance: 3.0, APIs: 2, Instructions: 24
libraryCOMMON

Function 011EA3B9 Relevance: 3.0, APIs: 2, Instructions: 23
windowCOMMON

Function 011F2B8C Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Function 011D12F1 Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Function 011D1A04 Relevance: 1.8, APIs: 1, Instructions: 312
COMMON

Function 011D3BBA Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Function 011D8284 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Function 011D13E1 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 011D13DC Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 011EB093 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Function 011FAC98 Relevance: 1.6, APIs: 1, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Function 011DCE40 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Function 011D9215 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Function 011FB136 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 011F3C0D Relevance: 1.5, APIs: 1, Instructions: 34
libraryloaderCOMMONLIBRARYCODE

Function 011F8E06 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Function 011D5ABD Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Function 011D9620 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Function 011DA56D Relevance: 1.5, APIs: 1, Instructions: 27
COMMON